WebInspect: aggregate by page report (282 Views)
Occasional Contributor
Alberto_Menini
Posts: 6
Registered: ‎01-10-2011
Message 1 of 5 (282 Views)

WebInspect: aggregate by page report

Hi all,

I'm playing with the "Report Designer" tool but I can't get out of it.

 

A customer is asking for a report in which the findings (vulnerabilities) are aggregated by page, instead of by criticality (as seems to be common practice). It would be useful, for instance, to select, let's say, the top ten affected pages. In some cases one might consider rewriting a web page from scratch instead of remediating its issues if there are too many.

 

Does anybody know a way to get that?

Thank you in advance,

Best,

 

Alberto

Respected Contributor
HansEnders
Posts: 585
Registered: ‎07-01-2008
Message 2 of 5 (282 Views)

Re: WebInspect: aggregate by page report

For this sort of detailed solution, you will want to open a support case for a couple of reasons:

 

1. It will probably take a developer to fully understand and create this.

2. If the HP ASC team finds the report request to be useful, we may be able to include it in the product permanently.

 

I find that while the ActiveReports engine built into the Report Designer is very powerful, it also is rather complex and involves raw data to a level that most users are not prepared to use for their dynamic scanner.  It also does not help that HP/SPI management has never produced a schema, even just for a particular product version, to the user or support community, so you are essentially driving with the headlights off.  We would prefer to see these sorts of Reports requests come in from the user community, and then we could put them into a form of "enhancement bucket".  I definitely see the value of your idea, but cannot figure out the ways to modify the current report(s) to match it.

 

 

++++++++++++++++++++

Getting HP ASC Customer Support:

    - Via the Web: http://support.openview.hp.com/ (SAID Required)

     - Call us:  Dial 1-800-633-3600, option 2 for "Software Support", enter your Service Agreement ID number (SAID), choose option 1 for "Enterprise Application Software Assistance", and then option 5 for "Former SPI Dynamics products".

- aka:   Call support: +1-800-633-3600 x2, "enter SAID" x1, x5.

If you are missing your SAID#, they can open a "Trust Case" and probably locate your SAID over the phone.  Submitting the case via the web portal and then calling in with the Case# appears to be the fastest method to start.

 

If you are not a customer and have no SAID, then you should contact your HP Sales representative to have a Sales Engineer assist you directly during your product evaluation.

++++++++++++++++++++


-- Habeas Data
Regular Advisor
whips04r
Posts: 111
Registered: ‎01-10-2008
Message 3 of 5 (282 Views)

Re: WebInspect: aggregate by page report

Just a thought on this situation:

If you have to rewrite a page to fix a vulnerability in only that page, yet the same vulnerability exists in other pages still - then it seems there's a big problem in terms of code reuse! Spaghetti code is a good way to ensure vulnerabilities remain, so once you've identified that the web app as a whole is poorly put together it might be wiser to overhaul everything rather than fight fires by fixing on a per page basis.

Occasional Contributor
Alberto_Menini
Posts: 6
Registered: ‎01-10-2011
Message 4 of 5 (282 Views)

Re: WebInspect: aggregate by page report

Thank you for your answer!

 

As you said, the Report Designer tool is really complex to use (especially without documentation) and we tried the "brute force" method to understand it.

We also tried to access the DB behind it directly, but there are so many flags that the numbers are never consistent with the automatic reports.

We opened a case, but for the short term we can't get an automatic solution for the customer. We are trying to do it manually, but it's quite a time-consuming task! Not to mention that making the evidence consistent requires extra effort and a lot of "luck"...

Occasional Contributor
Alberto_Menini
Posts: 6
Registered: ‎01-10-2011
Message 5 of 5 (282 Views)

Re: WebInspect: aggregate by page report

Thank you for your answer!

 

We tried to explain this point of view to the customer, but he still needs those kinds of reports just for presentation purposes.
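An added example, not from any poster in this thread and not HP code: one way to build the per-page ranking requested in message 1 together with the cross-page view raised in message 3, working from a flat list of findings instead of the scanner database. The CSV layout (`url`, `severity`, `check`), the sample rows and all function names are assumptions made for illustration; they are not WebInspect's export format.

```python
import csv
import io
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample export; the column names are assumptions, not WebInspect's schema.
SAMPLE_CSV = """url,severity,check
https://shop.example/cart.php?id=1,Critical,SQL Injection
https://shop.example/cart.php?id=2,Critical,SQL Injection
https://shop.example/cart.php?id=2,High,Cross-Site Scripting
https://shop.example/login.php,High,Cross-Site Scripting
https://shop.example/login.php?next=/,Medium,Missing Cookie Flag
https://shop.example/search.php?q=a,High,Cross-Site Scripting
https://shop.example/about.html,Low,Missing Cookie Flag
"""
SEVERITY_ORDER = ["Critical", "High", "Medium", "Low"]

def page_key(url):
    """Collapse a finding URL to its page: host + path, query string dropped."""
    parts = urlsplit(url)
    return f"{parts.netloc.lower()}{parts.path or '/'}"

def load_findings(text):
    """Unique (page, severity, check) tuples: one check on one page counts once."""
    rows = csv.DictReader(io.StringIO(text))
    return sorted({(page_key(r["url"]), r["severity"], r["check"]) for r in rows})

def top_pages(findings, n=10):
    """Rank pages by finding count; ties go to the page with more severe findings."""
    per_page = defaultdict(Counter)
    for page, severity, _ in findings:
        per_page[page][severity] += 1
    def rank(item):
        page, sev = item
        return (-sum(sev.values()), [-sev[s] for s in SEVERITY_ORDER], page)
    return [(p, sum(s.values()), dict(s)) for p, s in sorted(per_page.items(), key=rank)[:n]]

def shared_checks(findings, min_pages=2):
    """Checks seen on several pages, which point at shared code rather than one page."""
    pages = defaultdict(set)
    for page, _, check in findings:
        pages[check].add(page)
    return {c: sorted(p) for c, p in pages.items() if len(p) >= min_pages}

if __name__ == "__main__":
    data = load_findings(SAMPLE_CSV)
    print(top_pages(data), shared_checks(data), sep="\n")
```

Dropping the query string is what makes `cart.php?id=1` and `cart.php?id=2` count as one page; keep it in `page_key` if the application routes on a query parameter.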
