Lieutenant Commander

Webinspect: Exporting Vulnerabilities in CSV Automatically


Is there any way to export WebInspect's vulnerabilities to CSV format automatically, either via command line or other means? Currently, we are forced to export manually via the vulnerabilities context menu and selecting Export > All Items to CSV. There has to be a better way.

I've already looked through the command line documentation and searched everywhere I can think of.


Accepted Solutions
Micro Focus Expert

I also looked into this, and there is not an automated option to deliver CSV output from WebInspect.

The WebInspect API offers these formats for the Reports option:

  • pdf
  • html
  • raw
  • rtf
  • txt - Raw TXT, not CSV
  • excel - I will warn you that this format will be collated with footers and headers and logos and various extra entries that may prevent you from converting this easily to CSV format.

 

If you are collecting your scans into SSC Server, either directly or via WebInspect Enterprise, there should be CSV exports of the Issues available in SSC.  Furthermore, SSC uses BIRT Reporting, which offers full customization options for the user/admin to build their own reports.  However, that may not apply to your scenario with WebInspect alone.   😕

 

Your best option may be to use the "Full Export" which dumps the entire scan (Vulnerabilities, Site Tree, Remediation Details) to XML format.  You may be able to create a transformation process to extract the relevant portions of this XML to the CSV format you are seeking.


-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify

Lieutenant Commander
Thanks for the info.
Lieutenant Commander

HP support confirmed your findings. Unfortunately, SSC is not an option. I ended up using the API to return the vulns in JSON format and parsing using PowerShell.

Some caveats:
- The API does not see scheduled scans
- There are some data differences between the CSV manual export and the JSON API export:
  - The latter does not have the "Parameters" field, which encompasses all the parameters for a given hit. Example value: "(Post)c0000000AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=&"
  - And other not-so-important differences

REST API to get the vulnerabilities in JSON format:
http://webinspect:8083/webinspect/scanner/scans/<scanid>.issue?detailType=vulnerabilities

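The approach described in the last reply (fetch the issues as JSON, convert to CSV with PowerShell), as an added example that is not the poster's script. It assumes the response is a top-level JSON array of issue objects; the sample field names are constructed, and `Add-FlatCell` and `ConvertTo-IssueCsv` are hypothetical helper names.

```powershell
# Added example, not from the thread. Field names in $sampleJson are constructed;
# the thread does not show the response schema, so columns are derived from the data.
function Add-FlatCell {
    param($Node, [string]$Path, $Row)
    if ($Node -is [System.Management.Automation.PSCustomObject]) {
        # Nested object: recurse, building dotted column names (session.url).
        foreach ($p in $Node.PSObject.Properties) {
            $child = if ($Path) { "$Path.$($p.Name)" } else { $p.Name }
            Add-FlatCell -Node $p.Value -Path $child -Row $Row
        }
    } elseif ($Node -is [array]) {
        # Arrays stay in one cell as compact JSON so no data is dropped.
        $Row[$Path] = ConvertTo-Json -InputObject $Node -Compress -Depth 10
    } elseif ($Node -is [string] -and $Node -match '^[=+\-@]') {
        # Findings echo request data; stop spreadsheets treating it as a formula.
        $Row[$Path] = "'" + $Node
    } else {
        $Row[$Path] = $Node
    }
}

function ConvertTo-IssueCsv {
    param([Parameter(Mandatory)][string]$Json)
    $parsed = ConvertFrom-Json -InputObject $Json
    $rows = @(foreach ($issue in $parsed) {
        $row = [ordered]@{}
        Add-FlatCell -Node $issue -Path '' -Row $row
        $row
    })
    # ConvertTo-Csv takes its columns from the first object only,
    # so build the union of all keys and give every row every column.
    $columns = $rows | ForEach-Object { $_.Keys } | Select-Object -Unique
    $rows | ForEach-Object {
        $r = $_; $o = [ordered]@{}
        foreach ($c in $columns) { $o[$c] = $r[$c] }
        [pscustomobject]$o
    } | ConvertTo-Csv -NoTypeInformation
}

# Constructed sample response (assumed shape: a top-level array of issue objects).
$sampleJson = @'
[{"name":"Cross-Site Scripting: Reflected","severity":4,
  "session":{"url":"http://zero.example/search","method":"POST"},"tags":["a","b"]},
 {"name":"Cookie Security: HTTPOnly not Set","severity":2,
  "session":{"url":"http://zero.example/","param":"=1+1"}}]
'@
ConvertTo-IssueCsv -Json $sampleJson | Set-Content -Path .\issues.csv -Encoding UTF8
# Live input: $json = (Invoke-WebRequest -UseBasicParsing `
#   'http://webinspect:8083/webinspect/scanner/scans/<scanid>.issue?detailType=vulnerabilities').Content
```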