denimgroup / threadfix

ThreadFix is a software vulnerability management platform. This GitHub site is far out of date. Please go to www.threadfix.it for up-to-date information.

Vulnerability Import From Qualys Results In Total Vulnerability Mismatch #1738

Closed cristiano-corrado closed 8 years ago

cristiano-corrado commented 8 years ago

Hello,

I am noticing that there is a mismatch between the count of vulnerabilities in the report from Qualys and the count shown in the Dashboard and in the details of the scanned web application. Also, what are Unmapped Findings? ThreadFix Version 2.2.7.2. Thanks a lot for the info.

Regards,

d-maldonado commented 8 years ago

The discrepancy you are observing is more than likely ThreadFix de-duplicating results from an imported report. In an effort to provide the most accurate vulnerability count, duplicate findings are consolidated into a single finding.

Is the difference in number of vulnerabilities large?

Every finding is matched to a generic severity type. If a match cannot be determined the finding is "unmapped". Any mappings saved in the ThreadFix database will be applied to any future findings.

Let me know if you have any questions. Daniel Maldonado

cristiano-corrado commented 8 years ago

Hello, thanks for the prompt reply, and thanks for the explanation around the mappings. But shouldn't the consolidation be skipped if I select the option to disable vulnerability merging?

Regards,

d-maldonado commented 8 years ago

Not a problem.

The "disable vulnerability merging" description in ThreadFix is not as accurate as it should be. I have submitted an internal ticket to have the description corrected.

The option currently disables merging across report types but not de-duplication from a single scan.

Daniel Maldonado
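The counting behaviour described in this thread, modelled as a small Python script. This is an added illustration, not ThreadFix code: the de-duplication key (scanner, scanner-specific name, path, parameter), the name-to-generic-type mapping table, the decision to count unmapped findings separately, and the sample Qualys and Burp findings are all constructed here to show why the dashboard total differs from the raw report count, and what the "disable vulnerability merging" option does and does not change.

```python
"""
Model of the thread's explanation (added example, not ThreadFix's own code):
  1. findings repeated within ONE imported scan are always consolidated;
  2. merging of equivalent findings ACROSS scanner types is a separate step
     that the "disable vulnerability merging" option switches off;
  3. a finding whose scanner-specific name has no generic mapping is "unmapped".
The key fields, mapping table and sample findings below are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    scanner: str        # report type the finding came from, e.g. "Qualys"
    channel_name: str   # scanner-specific vulnerability name
    path: str           # affected URL path
    parameter: str      # affected parameter ("" if none)


# Assumed mapping from (scanner, scanner-specific name) to a generic type.
# Any name absent from this table produces an "unmapped" finding.
GENERIC_TYPE: Dict[Tuple[str, str], str] = {
    ("Qualys", "Reflected Cross-Site Scripting"): "XSS",
    ("Qualys", "SQL Injection"): "SQLi",
    ("Burp", "Cross-site scripting (reflected)"): "XSS",
}


def generic_type(f: Finding) -> Optional[str]:
    """Generic type for a finding, or None when no mapping exists (unmapped)."""
    return GENERIC_TYPE.get((f.scanner, f.channel_name))


def dedupe_single_scan(findings: List[Finding]) -> List[Finding]:
    """Collapse repeated findings from ONE scan (assumed key: all four fields).
    This step is applied regardless of the merging option."""
    seen = set()
    unique: List[Finding] = []
    for f in findings:
        key = (f.scanner, f.channel_name, f.path, f.parameter)
        if key not in seen:
            seen.add(key)
            unique.append(f)
    return unique


def vulnerability_count(scans: List[List[Finding]],
                        merge_across_scanners: bool) -> Dict[str, int]:
    """Counts as a dashboard would show them for the given setting.
    raw_findings:    every line in every imported report
    vulnerabilities: mapped findings after de-duplication (and, if enabled,
                     after merging the same generic type/path/parameter
                     reported by different scanners)
    unmapped:        de-duplicated findings with no generic mapping
                     (counted separately here by assumption)"""
    deduped = [f for scan in scans for f in dedupe_single_scan(scan)]
    mapped = [f for f in deduped if generic_type(f) is not None]
    unmapped = [f for f in deduped if generic_type(f) is None]
    if merge_across_scanners:
        vulns = {(generic_type(f), f.path, f.parameter) for f in mapped}
    else:
        # Merging disabled: identical issues from different scanners stay apart,
        # but the within-scan de-duplication above has already happened.
        vulns = {(f.scanner, generic_type(f), f.path, f.parameter) for f in mapped}
    return {
        "raw_findings": sum(len(s) for s in scans),
        "vulnerabilities": len(vulns),
        "unmapped": len(unmapped),
    }


# Constructed sample reports (not real scanner output).
QUALYS_SCAN = [
    Finding("Qualys", "Reflected Cross-Site Scripting", "/search", "q"),
    Finding("Qualys", "Reflected Cross-Site Scripting", "/search", "q"),  # duplicate line
    Finding("Qualys", "SQL Injection", "/login", "user"),
    Finding("Qualys", "Directory Listing", "/backup/", ""),  # no mapping -> unmapped
]
BURP_SCAN = [
    Finding("Burp", "Cross-site scripting (reflected)", "/search", "q"),  # same issue as Qualys XSS
]

if __name__ == "__main__":
    print("Qualys only:", vulnerability_count([QUALYS_SCAN], merge_across_scanners=False))
    print("Qualys + Burp, merging on:", vulnerability_count([QUALYS_SCAN, BURP_SCAN], True))
    print("Qualys + Burp, merging off:", vulnerability_count([QUALYS_SCAN, BURP_SCAN], False))
```

With the constructed Qualys report alone, four raw lines become two counted vulnerabilities plus one unmapped finding, whichever way the merging option is set; the option only changes whether the Qualys and Burp XSS on the same path and parameter are shown as one vulnerability or two. When checking a real import, compare the report's line count against the dashboard total plus the unmapped count before assuming findings were lost.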