Super Contributor.

Custom check policy

Even though a custom policy is created with a few checks enabled, the attack status report shows all checks enabled by default. How can we solve this issue? The current version of WebInspect that we use is 10.1.

Micro Focus Expert

Re: Custom check policy

Your question is unclear.  Do you mean you generated a custom Policy with only a handful of enabled checks, yet when you run the Attack Status report it reports that many more checks were enabled than what you expected?   When you ran that Report, was the selected scan run using that custom Policy or some other Policy?

 

Or are you seeking to alter the Attack Status report so it shows attacks that were NOT enabled in the scan's Policy?

 

Which base Policy did you use when building your custom Policy, was it the Blank Policy or another one?  If you use the Blank Policy, you must enable the appropriate Audit Engines to support them.  A good rule I would use is to base my Policy on the Standard Policy, then disable all checks, but keep the Audit Engines enabled, and then begin enabling those checks I wanted to keep.


-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify
Super Contributor.

Re: Custom check policy

I used the Standard policy as the base. I disabled all the checks, enabled the few that are needed, and selected the same custom policy in the scan. But when I generated the attack status report after the scan, it showed all the attacks that are generally included in a standard policy.

Micro Focus Expert

Re: Custom check policy

There does appear to be a logic failure on that Attack Status report.  I stripped out all checks from a custom copy of Standard, leaving all the Audit Engines alone, then enabled only 5-10 checks with "apache" in their name.  Ran a scan (3 minutes, 0 issues), and the Attack Status report shows all checks are enabled.  I will submit a defect to Fortify Support.


-- Habeas Data