Managing the Status of Application Security Module Findings

Cisco Vulnerability Management manages application data in two places. Data imported as application vulnerabilities is displayed under the Vulnerabilities tab on the VM Explore page. Application Security Module (formerly Kenna.AppSec) data is managed on the AppSec Explore page. This article deals with the findings that display on the AppSec Explore page.

When you import findings, the Application Security Module applies the following statuses:

  • Closed
    • False Positive
    • Resolved
    • Not a Security Issue
    • Duplicate
  • Open
    • New
    • Triaged
    • In Progress (a finding that is actively being worked on)
  • Risk Accepted

When you use the Data Importer to import findings with a JSON file, the Application Security Module will only use the triage_state field from the file if any of the following conditions are true when the import occurs:

  • The finding does not exist in the Application Security Module.
  • The finding exists in the Application Security Module and its status is new.
  • The finding exists in the Application Security Module and its status is resolved.

In the JSON file:

  • If the skip_autoclose field is set to false, open findings that already exist in the Application Security Module but are not included in the file will be closed.
  • The triage_state of such an existing finding is changed to Resolved when the finding is not in the JSON file.
  • The triage_state of a finding defaults to "New" if no triage_state is provided in the file.

For more information about using the Data Importer, refer to the article here.

For more information about using the API to upload data, refer to the Upload Data File API endpoint documentation.

Closing Findings

  • To close findings with a status of "new" in the Application Security Module, set the triage_state in the JSON file to one of the Closed statuses, or omit the finding from the file and use the skip_autoclose field to close it.
  • Findings with a status of "in_progress" or any other open status except "new" can be closed manually on the Overview page for findings, or by omitting the finding from the file and using the skip_autoclose field to close it.

Use the UI to Close Findings

  1. In Cisco Vulnerability Management, click AppSec > Explore.
  2. Search for and click on the Finding that you want to close.
  3. On the right-hand side of the page, click the Closed drop-down list.
  4. Select one of the Closed options.

Use the skip_autoclose field in a JSON File to Close Findings

When you use the skip_autoclose field in the Data Importer JSON file to close findings, all the following conditions must be true:

  • The asset is present.
  • The skip_autoclose field is set to false.
  • The finding is not included in the findings section of the asset when the Data Importer performs the import.
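The triage_state rules above and the skip_autoclose conditions are easy to misread, so the following Python model encodes them as stated in this article and predicts what an import will do to a set of existing findings before the file is uploaded. This is an added example, not Cisco's code, and it makes one assumption the article does not state: that a finding is matched by its application, file, scanner_type and external_unique_id. The existing statuses and the trimmed Data Importer file are constructed sample data.

```python
import json

# Status vocabulary from the article, in the lower-case form used in the file.
OPEN_STATES = {"new", "triaged", "in_progress"}
CLOSED_STATES = {"false_positive", "resolved", "not_a_security_issue", "duplicate"}
ALL_STATES = OPEN_STATES | CLOSED_STATES | {"risk_accepted"}


def finding_key(asset, finding):
    """Identity used to match a file record to an existing finding.
    Assumption for this model only: application + file + scanner_type +
    external_unique_id. The article does not state the real matching rule."""
    return (asset.get("application"), asset.get("file"),
            finding.get("scanner_type"), finding.get("external_unique_id"))


def simulate_import(existing, kdi):
    """Apply the article's rules to `existing` (key -> current triage_state)
    for a parsed version-2 Data Importer file. Returns (states, warnings)."""
    states = dict(existing)
    warnings = []
    # Autoclose happens only when skip_autoclose is explicitly false.
    autoclose = kdi.get("skip_autoclose") is False
    assets_in_file = set()
    findings_in_file = set()

    for asset in kdi.get("assets", []):
        assets_in_file.add((asset.get("application"), asset.get("file")))
        for f in asset.get("findings", []):
            key = finding_key(asset, f)
            findings_in_file.add(key)
            requested = f.get("triage_state")
            if requested is None:
                # No triage_state: the finding defaults to new. Flag the common
                # mistake of using the vulns-style "status" field in a finding.
                if "status" in f:
                    warnings.append(f"{key}: 'status' is ignored for findings; use 'triage_state'")
                requested = "new"
            elif requested not in ALL_STATES:
                warnings.append(f"{key}: unknown triage_state {requested!r}")
            current = existing.get(key)
            # The file's triage_state is honoured only when the finding is not
            # yet in the module, or exists with status new or resolved.
            if current is None or current in ("new", "resolved"):
                states[key] = requested

    if autoclose:
        for key, state in existing.items():
            asset = (key[0], key[1])
            # Close open findings whose asset is in the file but which are
            # missing from that asset's findings list.
            if asset in assets_in_file and key not in findings_in_file and state in OPEN_STATES:
                states[key] = "resolved"
    return states, warnings


# Constructed sample: what the module holds before the import.
EXISTING = {
    ("conduit", "app/models/data_access/asset.rb", "Brakeman", 105): "in_progress",
    ("conduit", "app/models/data_access/asset.rb", "Brakeman", 106): "new",
    ("conduit", "app/controllers/clients_controller.rb", "Qualsys", 2): "resolved",
    ("conduit", "lib/unscanned.rb", "Brakeman", 7): "triaged",
}

# Constructed sample file, shaped like the article's example but trimmed.
SAMPLE_KDI = json.loads("""
{
  "skip_autoclose": false,
  "version": 2,
  "assets": [
    {"file": "app/models/data_access/asset.rb", "application": "conduit",
     "findings": [
       {"scanner_identifier": 16, "vuln_def_name": "File Access", "external_unique_id": 105,
        "scanner_type": "Brakeman", "triage_state": "new", "severity": 2}
     ]},
    {"file": "app/controllers/clients_controller.rb", "application": "conduit",
     "findings": [
       {"scanner_identifier": 10, "vuln_def_name": "Auth Blacklist", "external_unique_id": 2,
        "scanner_type": "Qualsys", "triage_state": "false_positive", "severity": 2},
       {"scanner_identifier": 11, "vuln_def_name": "Auth Blacklist", "external_unique_id": 3,
        "scanner_type": "Qualsys", "status": "false_positive", "severity": 2}
     ]}
  ]
}
""")


def run_sample():
    return simulate_import(EXISTING, SAMPLE_KDI)


if __name__ == "__main__":
    states, warnings = run_sample()
    for key, state in sorted(states.items(), key=str):
        print(f"{key[1]} #{key[3]}: {EXISTING.get(key, '(absent)')} -> {state}")
    for w in warnings:
        print("warning:", w)
```

Running the sample shows the four cases side by side: the in_progress finding keeps its status even though the file says new, the finding missing from a present asset is auto-closed to resolved, the resolved finding takes the file's false_positive, and the finding whose asset is not in the file is untouched. The warning for the record that carries "status" instead of "triage_state" is the check worth running on a file before uploading it.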

Data Importer JSON file example

{
  "skip_autoclose": false,
  "version": 2,
  "assets": [
    {
      "file": "app/models/data_access/asset.rb",
      "application": "conduit",
      "priority": 0,
      "vulns": [
        {
          "scanner_identifier": 16,
          "vuln_def_name": "File Access",
          "external_unique_id": 105,
          "scanner_type": "Brakeman",
          "created_at": "2018-05-03T00:00:00+00:00",
          "last_seen_at": "2018-05-03T00:00:00+00:00",
          "due_date": "2018-06-02T00:00:00+00:00",
          "status": "open",
          "details": "foobar",
          "last_fixed_on": "2018-05-03T00:00:00+00:00",
          "scanner_score": 2,
          "override_score": 3
        }
      ],
      "findings": [
        {
          "scanner_identifier": 16,
          "vuln_def_name": "File Access",
          "external_unique_id": 105,
          "scanner_type": "Brakeman",
          "created_at": "2018-05-03T00:00:00+00:00",
          "last_seen_at": "2018-05-03T00:00:00+00:00",
          "due_date": "2018-06-02T00:00:00+00:00",
          "triage_state": "new",
          "last_fixed_on": "2018-05-03T00:00:00+00:00",
          "severity": 2,
          "override_score": 3,
          "additional_fields": {
            "test_field": "test data"
          }
        }
      ]
    },
    {
      "file": "app/controllers/clients_controller.rb",
      "application": "conduit",
      "vulns": [
        {
          "scanner_identifier": 10,
          "vuln_def_name": "Auth Blacklist",
          "external_unique_id": 2,
          "scanner_type": "Qualsys",
          "created_at": "2018-05-03T00:00:00+00:00",
          "last_seen_at": "2018-05-03T00:00:00+00:00",
          "last_fixed_on": "2018-05-03T00:00:00+00:00",
          "scanner_score": 2,
          "override_score": 3,
          "status": "open"
        }
      ],
      "findings": [
        {
          "scanner_identifier": 10,
          "vuln_def_name": "Auth Blacklist",
          "external_unique_id": 2,
          "scanner_type": "Qualsys",
          "created_at": "2018-05-03T00:00:00+00:00",
          "last_seen_at": "2018-05-03T00:00:00+00:00",
          "last_fixed_on": "2018-05-03T00:00:00+00:00",
          "severity": 2,
          "override_score": 3,
          "triage_state": "false_positive",
          "additional_fields": {
            "test_field": "test data"
          }
        }
      ]
    }
  ],
  "vuln_defs": [
    {
      "name": "File Access",
      "scanner_type": "Brakeman",
      "wasc_identifiers": "WASC-17",
      "solution": "Fix it!"
    },
    {
      "name": "Auth Blacklist",
      "scanner_type": "Qualsys",
      "wasc_identifiers": "WASC-15"
    }
  ]
}
