WebInspect Scan - No Consistency in the Scan Result
In our current sprint we are using WebInspect (version 10.20.66) to scan a web application. Using the basic scan, we performed a couple of scans. When we looked at the scan reports, there was no consistency (crawl and audit counts) across the reports. Can someone help us find out why it is showing different results for each individual scan?
Though in all the scans the application build, scenario/recorded macro, scan settings and scan policy are the same, we are getting different scan results. We captured the scan comparisons (A & B); please find the attached doc for more info.
Those differences are very large, and there is something wrong with the scan coverage. On a day-to-day basis, it is expected that "identical" dynamic scans will have small differences, based on the order of the crawled sessions, alterations to the inputs, changes to the application, et al., but your scans show a 95% difference in coverage. That is not expected, and I would take it to Fortify Support for a direct review of your settings, the environment, and the scans themselves.
A simple way to verify the scan settings would be to save the Current Scan Settings from both scans (to XML) and then compare the two text files with something such as Notepad++ or DiffMerge. Our staff can review these settings visually and identify key items, but such direct text comparisons of the settings can help highlight specific details quickly.
I noted that some of the target/scan names referenced what appeared to be different servers, such as "Agent3" and "Agent4". Are these different servers that are assumed to be identical in all ways? Is there a traffic load balancer in the mix?
-- Habeas Data
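The settings comparison suggested above can be done structurally rather than line by line, which avoids noise from reordered or reindented elements. The script below is an added example for this thread, not code from WebInspect, Fortify or the poster; the element names in the two sample exports (ScanSettings, Crawl, MaxDepth, SessionExclusions, Target, ...) are a constructed stand-in for whatever the real Current Scan Settings export contains, and the diff logic itself does not depend on any particular schema. It flattens each XML file into leaf paths and reports settings present in only one scan and settings whose values differ.

```python
"""Structural diff of two saved scan-settings XML exports.

Added example for this forum thread; not part of WebInspect or Fortify.
The element names below are a CONSTRUCTED, hypothetical schema; the diff
itself works on any XML because it only compares leaf paths and values.
"""
import xml.etree.ElementTree as ET

# Constructed sample exports for scan A and scan B (hypothetical schema).
SCAN_A_XML = """<ScanSettings>
  <Crawl>
    <MaxDepth>20</MaxDepth>
    <RequestorThreads>10</RequestorThreads>
    <SessionExclusions>
      <Exclusion>/logout</Exclusion>
    </SessionExclusions>
  </Crawl>
  <Audit>
    <Policy>Standard</Policy>
  </Audit>
  <Target>https://agent3.example.test/app</Target>
</ScanSettings>"""

SCAN_B_XML = """<ScanSettings>
  <Crawl>
    <MaxDepth>5</MaxDepth>
    <RequestorThreads>10</RequestorThreads>
    <SessionExclusions>
      <Exclusion>/logout</Exclusion>
      <Exclusion>/account</Exclusion>
    </SessionExclusions>
  </Crawl>
  <Audit>
    <Policy>Standard</Policy>
  </Audit>
  <Target>https://agent4.example.test/app</Target>
</ScanSettings>"""


def flatten(xml_text):
    """Map every leaf element to its text value, keyed by an indexed path.

    Sibling elements with the same tag get a positional index so repeated
    entries (for example several <Exclusion> items) are kept apart rather
    than collapsed into one key. Attributes are ignored in this example.
    """
    root = ET.fromstring(xml_text)
    leaves = {}

    def walk(elem, path):
        children = list(elem)
        if not children:
            leaves[path] = (elem.text or "").strip()
            return
        counts = {}
        for child in children:
            idx = counts.get(child.tag, 0)
            counts[child.tag] = idx + 1
            walk(child, f"{path}/{child.tag}[{idx}]")

    walk(root, root.tag)
    return leaves


def diff_settings(xml_a, xml_b):
    """Return the settings that differ between two exports.

    Result keys: 'only_in_a', 'only_in_b' (path -> value) and
    'changed' (path -> (value_in_a, value_in_b)).
    """
    a, b = flatten(xml_a), flatten(xml_b)
    return {
        "only_in_a": {p: v for p, v in a.items() if p not in b},
        "only_in_b": {p: v for p, v in b.items() if p not in a},
        "changed": {p: (a[p], b[p]) for p in a if p in b and a[p] != b[p]},
    }


def main():
    # For real exports: read the two saved XML files instead of the constants.
    result = diff_settings(SCAN_A_XML, SCAN_B_XML)
    for kind in ("only_in_a", "only_in_b"):
        for path, value in sorted(result[kind].items()):
            print(f"{kind:10} {path} = {value!r}")
    for path, (va, vb) in sorted(result["changed"].items()):
        print(f"changed    {path}: {va!r} -> {vb!r}")


if __name__ == "__main__":
    main()
```

On the constructed samples this reports a changed crawl depth, a changed target host (the Agent3/Agent4 difference raised above) and an extra session exclusion present only in scan B; any of these would explain a large coverage gap between two scans that were believed to be identical.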
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify