Importing issues from an internal or a third-party scanner

Import issues from an internal or a third-party scanner or from manual pen testing so that you can triage them. These issues are marked as 'New' so that you can easily identify them in the list of issues that you must address.

Before you begin

  • If you are importing issues from a CSV file, you must prepare the file so that the issues are successfully imported. Read Preparing a CSV file for import.
  • If you are importing reports results from another AppScan Enterprise instance, you must export the report results first to an XML file. For more information, see Importing DAST issues from another AppScan Enterprise instance.
  • If you are importing reports results from AppScan Standard, you must export the report results first to an XML file. Read Importing issues from an exported report from AppScan Standard.
  • You can import component issues from AppScan Enterprise and AppScan Standard.
  • You can import issues from these third-party scanners:
    • Black Duck
    • Burp Suite Professional
    • HP Fortify
    • HP WebInspect
    • IBM Security Guardium
    • Nessus Vulnerability Scanner
    • Veracode

Procedure

  1. From an application tab in the Monitor view of AppScan® Enterprise, click Import Issues.
  2. Select an existing scan or create a new one. Follow the wizard instructions to complete the process. Make sure you give the scan a unique name; don't use the default name of the scan as the name.
  3. Check the log file to investigate whether any issues weren't imported.
    Note:
    1. If the attribute contributes to the issue uniqueness, but has an error in the file, the issue is not imported.
    2. If the attribute does not contribute to issue uniqueness and has an error:
      • For dropdown attributes, AppScan® Enterprise replaces the error with the default value specified in the scanner profile, and imports the issue.
      • For all other attribute types, AppScan® Enterprise does not import the attribute value that has the error, but does import the issue.
    These behaviors are then logged in the import log file.
  4. To see a list of issue imports for an application, click View details in the sidebar, and scroll down the Application Attributes window to the Issue Imports section. If a scanner is deleted from AppScan Enterprise, the imports for that scanner are deleted from the list, although the import issues are still available in the application grid.
    Note:
    v9.0.3.5

    You can delete selected issue imports from the application. Depending on the number of issues being removed from this application, this operation might take a while.

Results

If any imported issues appear in the Undetermined category, it means that the CVSS score cannot be calculated because required attributes are not defined.
Imported issues as undetermined