What to do when a false positive is encountered in scan results.
Fortify Technical Support cannot advise customers whether a vulnerability is in fact a threat or not. We are able to check previously reported findings and report new challenges to the SSR team with the proper documentation. However, it is up to your developers and security team to consider whether vulnerabilities are false positives or not in the specific context of your environment.
After investigating, if your team determines that WebInspect reported findings that are not real vulnerabilities in your environment, those findings can be marked as false positives in the scan. That scan can then be used as a baseline to compare against future scans and eliminate the same findings from them.
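The comparison step above is where most mistakes happen in practice: a suppression keyed only on the check name hides every future hit of that check, while one keyed on the exact URL (query string included) never matches again. The following is an added example, not Fortify's code and not WebInspect's export format or API; it assumes findings have been exported to plain records carrying a check id, URL, parameter and severity (all values below are constructed), matches a new scan against the false positives marked in the baseline on check id plus normalized URL plus parameter, and also reports baseline entries that matched nothing so stale suppressions can be retired rather than accumulate.

```python
"""Suppress previously triaged false positives when reviewing a new scan.

Added example; the record layout is an assumption, not a WebInspect format.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass(frozen=True)
class Finding:
    check_id: str   # scanner check identifier (hypothetical values below)
    url: str
    parameter: str  # injected parameter; empty string if not applicable
    severity: str


def normalize_url(url: str) -> str:
    """Drop query string and fragment, lower-case scheme and host, trim a
    trailing slash, so the same endpoint matches across scans even when
    the crawler reached it with different query values."""
    parts = urlsplit(url)
    path = parts.path.rstrip("/") or "/"
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), path, "", ""))


def finding_key(f: Finding) -> tuple:
    # Check id alone is too loose (hides new real hits of the same check);
    # the raw URL is too strict (never matches again). Use all three.
    return (f.check_id, normalize_url(f.url), f.parameter.lower())


def apply_baseline(new_findings, false_positives):
    """Return (remaining, suppressed, stale).

    remaining  - findings in the new scan that still need review
    suppressed - findings matching a false positive marked in the baseline
    stale      - baseline keys that matched nothing (candidates for removal)
    """
    fp_keys = {finding_key(fp) for fp in false_positives}
    remaining, suppressed, matched = [], [], set()
    for f in new_findings:
        key = finding_key(f)
        if key in fp_keys:
            suppressed.append(f)
            matched.add(key)
        else:
            remaining.append(f)
    stale = sorted(fp_keys - matched)
    return remaining, suppressed, stale


# Constructed sample data: false positives marked in the earlier scan ...
BASELINE_FALSE_POSITIVES = [
    Finding("10001", "https://App.example.com/login/", "user", "Medium"),
    Finding("10002", "https://app.example.com/old-page", "id", "High"),
]
# ... and the findings of a later scan of the same application.
NEW_SCAN = [
    Finding("10001", "https://app.example.com/login?next=/home", "USER", "Medium"),
    Finding("10001", "https://app.example.com/search", "q", "Medium"),
    Finding("10002", "https://app.example.com/api/users", "id", "High"),
]


def review_new_scan():
    """Run the comparison on the sample data and return the three lists."""
    return apply_baseline(NEW_SCAN, BASELINE_FALSE_POSITIVES)


if __name__ == "__main__":
    remaining, suppressed, stale = review_new_scan()
    print(f"{len(remaining)} finding(s) still need review:")
    for f in remaining:
        print(f"  [{f.severity}] check {f.check_id} at {f.url} param={f.parameter!r}")
    print(f"{len(suppressed)} suppressed as known false positive(s)")
    print(f"{len(stale)} stale baseline entr(y/ies): {stale}")
```

On the sample data the login finding is suppressed despite the different query string and parameter casing, the same check on /search stays in the review queue because it is a different endpoint, and the baseline entry for /old-page is reported as stale. Keep the false-positive baseline under version control next to the application so a reviewer can see who suppressed what and when.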