Retest always shows "Vulnerability Not Detected"
Every time I run WebInspect on my application, it reports some vulnerabilities.
However, I always get "Vulnerability Not Detected" whenever I run a retest on those vulnerabilities.
Does that mean I can mark it as a False Positive? If yes, then why does it report it as a vulnerability in every run?
Re: Retest always shows "Vulnerability Not Detected"
The Retest should re-run the Steps associated with that finding, as listed in the GUI under the Issue's detailed information panes. Once the Retest runs, the GUI should split and show you the Original vs. the Current Requests, and this allows you to use your human intuition to compare them, beyond the simple Thumbs Up/Down icon.
Is the Retest run having something different occur during its replay Steps, such as not successfully logging in, or another obvious issue?
I believe that if you change the Proxy setting for the WebInspect Default Scan Settings to run through an intercept proxy (the included Web Proxy, BURP, et al.), then the Retest should run its Request traffic through that proxy, giving you an additional way to monitor it. You may need to address the details of the differences with Fortify Support (https://softwaresupport.softwaregrp.com), and that sort of capture can be very helpful to compare with the normal scan traffic.
-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify
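The comparison the reply describes (Original request vs. the Retest's Current request, captured either from the Issue pane or from an intercept proxy) is easy to automate once you have the two raw requests. The script below is an added example and is not part of the post or of WebInspect itself: the two HTTP requests are constructed samples standing in for a scan-time request and its replay, and the hostname, cookie and parameter names are made up. It flags the usual reasons a replay stops reproducing a finding, such as a session cookie that is no longer sent (the login step failed) or an attack payload that was altered during replay.

```python
"""Diff an original scan request against its Retest replay.

Added example, not WebInspect or Fortify code. The raw requests below are
constructed samples; every host, cookie and parameter name is an assumption.
"""
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl

# Constructed sample: the request WebInspect sent when it first found the issue.
ORIGINAL = """POST /account/search HTTP/1.1
Host: app.example.test
Cookie: JSESSIONID=abc123
Content-Type: application/x-www-form-urlencoded

q=%27+OR+1%3D1--&page=1"""

# Constructed sample: the Retest replay, which lost the session cookie
# (the login Steps did not succeed), so the app never reaches the vulnerable code.
RETEST_NO_SESSION = """POST /account/search HTTP/1.1
Host: app.example.test
Content-Type: application/x-www-form-urlencoded

q=%27+OR+1%3D1--&page=1"""

# Constructed sample: the replay kept the session but the payload was mangled.
RETEST_MANGLED = """POST /account/search HTTP/1.1
Host: app.example.test
Cookie: JSESSIONID=abc123
Content-Type: application/x-www-form-urlencoded

q=+OR+1%3D1--&page=1"""


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str], str]:
    """Split a raw HTTP/1.1 request into (method, target, lower-cased headers, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def diff_requests(original: str, retest: str) -> List[str]:
    """Return human-readable findings describing how the retest differs from the original."""
    m1, t1, h1, b1 = parse_request(original)
    m2, t2, h2, b2 = parse_request(retest)
    findings: List[str] = []
    if m1 != m2:
        findings.append(f"method changed: {m1} -> {m2}")
    if t1 != t2:
        findings.append(f"target changed: {t1} -> {t2}")
    for name in sorted(set(h1) | set(h2)):
        if name not in h2:
            if name == "cookie":
                # Lost session state is the most common reason a replay is "Not Detected".
                findings.append("session cookie absent in retest: the replay is probably unauthenticated")
            else:
                findings.append(f"header missing in retest: {name}")
        elif name not in h1:
            findings.append(f"header added in retest: {name}")
        elif h1[name] != h2[name]:
            findings.append(f"header changed: {name}: {h1[name]!r} -> {h2[name]!r}")
    # Compare decoded form parameters so that equivalent encodings do not register as changes.
    p1 = dict(parse_qsl(b1, keep_blank_values=True))
    p2 = dict(parse_qsl(b2, keep_blank_values=True))
    for key in sorted(set(p1) | set(p2)):
        if p1.get(key) != p2.get(key):
            findings.append(f"body parameter changed: {key}: {p1.get(key)!r} -> {p2.get(key)!r}")
    return findings


if __name__ == "__main__":
    for label, replay in (("no session", RETEST_NO_SESSION), ("mangled payload", RETEST_MANGLED)):
        print(f"== {label} ==")
        for finding in diff_requests(ORIGINAL, replay) or ["no differences"]:
            print("  " + finding)
```

Feed it the two requests you exported from the Issue pane (or saved from the intercept proxy) and an empty result tells you the replay really was byte-for-byte equivalent, which is when the "Vulnerability Not Detected" verdict is worth taking seriously; any finding about a missing cookie or an altered parameter points at a replay problem rather than a false positive.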