Importing issues from a third-party scanner

Import issues from a third-party scanner or from manual pen testing so that you can triage them. These issues are marked as 'New' so that you can easily identify them in the list of issues that you must address.

Before you begin

  • If you are importing issues from a CSV file, you must prepare the file so that the issues are successfully imported. Read Preparing a CSV file for import.
  • If you are importing report results from AppScan Standard v9.0.3, you must first export the report results to an XML file. Read Importing issues from an exported report from AppScan Standard.
  • You can import issues from these third-party scanners:
    • Black Duck
    • Burp Suite Professional
    • HP Fortify
    • HP WebInspect
    • IBM Security Guardium
    • Nessus Vulnerability Scanner
    • Veracode

Procedure

  1. From an application tab in the Monitor view of AppScan Enterprise, click Import Issues.
  2. Select an existing scan or create a new one. Follow the wizard instructions to complete the process. Give the scan a unique name; do not use the default scan name.
  3. Check the log file to investigate whether any issues weren't imported.
    Note:
    1. If an attribute contributes to issue uniqueness but has an error in the file, the issue is not imported.
    2. If an attribute does not contribute to issue uniqueness and has an error:
      • For dropdown attributes, AppScan Enterprise replaces the error with the default value specified in the scanner profile, and imports the issue.
      • For all other attribute types, AppScan Enterprise does not import the attribute value that has the error, but does import the issue.
    These behaviors are then logged in the import log file.
  4. To see a list of issue imports for an application, click View details in the sidebar, and scroll down the Application Attributes window to the Issue Imports section. If a scanner is deleted from AppScan Enterprise, the imports for that scanner are deleted from the list, although the imported issues are still available in the application grid.
    Note: v9.0.3.5

    You can delete selected issue imports from the application. Depending on the number of issues being removed from this application, this operation might take a while.
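
The rules in the Note under step 3 can be checked against a CSV file before import. The following is an added example, not AppScan Enterprise code: the profile layout, the column names, the sample rows, and the definition of an attribute "error" (invalid dropdown choice, non-numeric number, empty text) are all assumptions constructed for illustration.

```python
import csv
import io

# Hypothetical scanner profile (assumption): which attributes contribute to
# issue uniqueness, their type, and the default value for dropdown attributes.
PROFILE = {
    "Issue Type": {"unique": True, "kind": "text"},
    "Location": {"unique": True, "kind": "text"},
    "Severity": {"unique": False, "kind": "dropdown",
                 "allowed": {"High", "Medium", "Low"}, "default": "Medium"},
    "CVSS": {"unique": False, "kind": "number"},
}

# Constructed sample input; not taken from a real scanner export.
SAMPLE_CSV = """Issue Type,Location,Severity,CVSS
SQL Injection,https://app.example/login,High,9.1
Cross-Site Scripting,,Low,6.1
Open Redirect,https://app.example/go,Critical,4.7
Weak Cipher,https://app.example/,Low,n/a
"""

def has_error(spec, value):
    """Assumed error rules: bad dropdown choice, non-numeric number, empty text."""
    if spec["kind"] == "dropdown":
        return value not in spec["allowed"]
    if spec["kind"] == "number":
        try:
            float(value)
            return False
        except ValueError:
            return True
    return value == ""

def preflight(csv_text, profile):
    """Return (imported, attributes, log_notes) for each row, per the Note's rules."""
    results = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        imported, attrs, notes = True, {}, []
        for name, spec in profile.items():
            value = (row.get(name) or "").strip()
            if not has_error(spec, value):
                attrs[name] = value
            elif spec["unique"]:                  # rule 1: issue is rejected
                imported = False
                notes.append(f"{name}: error in uniqueness attribute, issue not imported")
            elif spec["kind"] == "dropdown":      # rule 2, dropdown: use default
                attrs[name] = spec["default"]
                notes.append(f"{name}: replaced with default {spec['default']!r}")
            else:                                 # rule 2, other types: drop value
                notes.append(f"{name}: value not imported")
        results.append((imported, attrs if imported else None, notes))
    return results
```

Calling preflight(SAMPLE_CSV, PROFILE) returns one tuple per row; the notes can be compared with the import log after the real import.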

Results

If any imported issues appear in the Undetermined category, it means that the CVSS score cannot be calculated because required attributes are not defined.
[Figure: Imported issues as undetermined]