I'm playing with the "Report Designer" tool but I can't get out of it.
A customer is asking for a report in which the findings (vulnerabilities) are aggregated by page, instead of by criticality (as seems to be the common practice). It would be useful, for instance, to select, let's say, the top ten affected pages. In some cases one could consider rewriting a web page from scratch instead of remediating its issues if there are too many of them.
For this sort of detailed solution, you will want to open a support case for a couple of reasons:
1. It will probably take a developer to fully understand and create this.
2. If the HP ASC team finds the report request to be useful, we may be able to include it in the product permanently.
I find that while the ActiveReports engine built into the Report Designer is very powerful, it is also rather complex and involves raw data to a level that most users are not prepared to use for their dynamic scanner. It also does not help that HP/SPI management has never produced a schema, even just for a particular product version, for the user or support community, so you are essentially driving with the headlights off. We would prefer to see these sorts of report requests come in from the user community, and then we could put them into a form of "enhancement bucket". I definitely see the value of your idea, but cannot figure out the ways to modify the current report(s) to match it.
- Call us: Dial 1-800-633-3600, option 2 for "Software Support", enter your Service Agreement ID number (SAID), choose option 1 for "Enterprise Application Software Assistance", and then option 5 for "Former SPI Dynamics products".
If you are missing your SAID#, they can open a "Trust Case" and probably locate your SAID over the phone. Submitting the case via the web portal and then calling in with the Case# appears to be the fastest method to start.
If you are not a customer and have no SAID, then you should contact your HP Sales representative to have a Sales Engineer assist you directly during your product evaluation.
-- Habeas Data Micro Focus Fortify Customers-Only Forums – https://community.saas.hpe.com/t5/Fortify/ct-p/fortify
If you have to rewrite a page to fix a vulnerability in only that page, yet the same vulnerability still exists in other pages, then it seems there's a big problem in terms of code reuse! Spaghetti code is a good way to ensure vulnerabilities remain, so once you've identified that the web app as a whole is poorly put together, it might be wiser to overhaul everything rather than fight fires by fixing on a per-page basis.
As you said, the Report Designer tool is really complex to use (especially without documentation) and we tried the "brute force" method to understand it.
We also tried to directly access the DB behind it, but there are so many flags that the numbers are never consistent with the automatic reports.
We opened a case, but for the short term we can't get an automatic solution for the customer. We are trying to do it manually, but it's quite a time-consuming task! Not to mention that making the evidence consistent requires an extra effort and a lot of "luck"...
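The per-page aggregation the original question asks for (and that the last post describes doing by hand) can be done outside the Report Designer once the findings are exported as a flat list. The following is an added example, not code from the thread, from HP/Micro Focus, or from any WebInspect report template; it assumes a constructed CSV export with `url`, `severity` and `check` columns (the real export format and the scanner's database schema are not known from this thread), and the severity weights are an assumption chosen for illustration. It collapses URL parameter variants onto one page, counts both raw findings and distinct check types per page (so repeated instances of the same check do not inflate a page's rank unnoticed), and returns the top N pages.

```python
import csv
import io
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample export: one row per finding. This is NOT a real
# WebInspect/Fortify export; column names are an assumption for the example.
SAMPLE_EXPORT = """url,severity,check
https://app.example.test/login.aspx?ret=/home,High,SQL Injection
https://app.example.test/login.aspx,High,SQL Injection
https://app.example.test/login.aspx,Medium,Missing X-Frame-Options
https://app.example.test/search.aspx?q=a,Critical,Reflected Cross-Site Scripting
https://app.example.test/search.aspx?q=b,Critical,Reflected Cross-Site Scripting
https://app.example.test/search.aspx,Low,Verbose Server Header
https://app.example.test/about.aspx,Low,Verbose Server Header
https://app.example.test/admin/users.aspx,High,Broken Access Control
https://app.example.test/admin/users.aspx,Medium,CSRF
"""

# Assumed weights for ranking pages; adjust to the customer's own risk model.
SEVERITY_WEIGHT = {"Critical": 10, "High": 5, "Medium": 2, "Low": 1, "Info": 0}


def page_key(url):
    """Collapse a URL to its page (scheme://host/path), dropping the query
    string and fragment so parameter variants of one page aggregate together."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}{parts.path}"


def aggregate_by_page(csv_text, weights=SEVERITY_WEIGHT):
    """Return {page: {"findings", "unique_checks", "score", "by_severity"}}."""
    pages = defaultdict(lambda: {
        "findings": 0,            # raw finding rows on this page
        "unique_checks": set(),   # distinct check names (dedups repeats)
        "score": 0,               # severity-weighted total
        "by_severity": defaultdict(int),
    })
    for row in csv.DictReader(io.StringIO(csv_text)):
        entry = pages[page_key(row["url"])]
        sev = row["severity"]
        entry["findings"] += 1
        entry["unique_checks"].add(row["check"])
        entry["by_severity"][sev] += 1
        entry["score"] += weights.get(sev, 0)
    return pages


def top_pages(csv_text, n=10):
    """Rank pages by weighted score, then raw finding count, then URL, and
    return the top n as (page, score, findings, distinct_checks) tuples."""
    pages = aggregate_by_page(csv_text)
    ranked = sorted(
        pages.items(),
        key=lambda kv: (-kv[1]["score"], -kv[1]["findings"], kv[0]),
    )
    return [
        (page, d["score"], d["findings"], len(d["unique_checks"]))
        for page, d in ranked[:n]
    ]


if __name__ == "__main__":
    print(f"{'page':<45} {'score':>5} {'finds':>5} {'checks':>6}")
    for page, score, finds, checks in top_pages(SAMPLE_EXPORT, n=10):
        print(f"{page:<45} {score:>5} {finds:>5} {checks:>6}")
```

The gap between `findings` and `distinct_checks` for a page is a quick indicator of the "inconsistent numbers" problem mentioned above: a page with many rows but few distinct checks is usually one flaw reported once per parameter or per request, not many separate problems.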