DAST Tools Mapping
The table below shows the triage and severity status mappings for all of the DAST tools that are supported by Software Risk Manager.
Tools are listed alphabetically. Tool results are mapped to the Software Risk Manager status shown at the top of each column. (A blank cell indicates that an equivalent status value is unavailable or undefined.)
| DAST Tool | Critical | High | Medium | Low | Info | Unspecified |
|---|---|---|---|---|---|---|
| Acunetix | high | medium | low | info | ||
| AppSpider Vulnerability Summary | 4 | 5 | 6 | 1, 0 | ||
| Arachni | high | medium | low | informational | ||
| Burp Suite | high | medium | low | informational | ||
| Defensics | fail | warning | ||||
| Dynatrace | ||||||
| HP WebInspect | 4 | 3 | 2 | 1 | 0 | |
| HCL AppScan Standard (enterprise) | Critical | High | Medium | Low | Information | |
| HCL AppScan on Cloud (ASoC) | Critical | High | Medium | Low | Information | |
| Imperva* | CRITICAL | MAJOR | MINOR | |||
| Invicti Standard (formerly Netsparker) | Critical, Important, High | Medium | Low | Information (Best Practice) | ||
| Invicti Enterprise (formerly Netsparker Enterprise) | Critical | Important, High | Medium | Low | Information (Best Practice) | |
| OWASP ZAP | 3 | 2 | 1 | 0 | ||
| Qualys WAS | 5 | 4 | 3 | 2 | 1 | |
| Rapid7 InsightAppSec | ||||||
| Rapid7 InsightVM | Critical | Severe | Moderate | |||
| Rapid7 Nexpose | 8-...-10 | 4-...-7 | 0-...-3 | |||
| Synopsys Managed Services Platform | Critical | High | Medium | Low | Minimal | |
| Tenable WAS | blocker / critical | major / high | medium | minor / low | info | |
| Tinfoil Web | critical | high | medium | low | informational | unknown |
| Trustwave App Scanner | High | Medium | Low | all other values | ||
| Veracode | 4 | 3 | 2 | 1 | ||
| WhiteHat | urgent (critical) | high | low | note (informational) | unspecified | |
| WPScan | all | |||||
| Sqlmap output | all |
| DAST Tool | Ignored | False Positive | To Be Fixed | Mitigated | Fixed | Reopened | None |
|---|---|---|---|---|---|---|---|
| Acunetix | |||||||
| AppSpider Vulnerability Summary | |||||||
| Arachni | |||||||
| Burp Suite | |||||||
| Defensics | |||||||
| Dynatrace | |||||||
| HP WebInspect | |||||||
| HCL AppScan Standard (enterprise) | noise | passed | fixed | reopened | |||
| HCL AppScan on Cloud (ASoC) | noise | passed | fixed | reopened | |||
| Imperva* | |||||||
| Invicti Enterprise (formerly Netsparker Enterprise) | Accepted Risk | False Positive | Fixed | ||||
| OWASP ZAP | |||||||
| Qualys WAS | |||||||
| Rapid7 InsightAppSec | ignored | false positive | verified | remediated | unreviewed, duplicate | ||
| Rapid7 InsightVM | |||||||
| Rapid7 Nexpose | |||||||
| Synopsys Managed Services Platform | False Positive | ||||||
| Tenable WAS | |||||||
| Tinfoil Web | |||||||
| Trustwave App Scanner | |||||||
| Veracode | Accept the Risk | Potential False Positive | Reported to Library Maintainer | Mitigate by Design, Mitigate by Network Environment, Mitigate by OS Environment | |||
| WhiteHat | Accepted | Invalid, false | open:mitigated | closed | |||
| WPScan | |||||||
| Sqlmap output |
*Imperva only produces severities for API Attack Analytics results and not for API Risks or WAF Security Events. API Risk and WAF Security Event findings will only have Unspecified severity in SRM.