I'm hoping to get some design advice ...
I have four multi-site configurations, each with hundreds of web application configurations.
The multi-site configurations run separately, one each weekend (we scan each website once a month). The scheduled multi-site configuration can run for days.
My requirement is to identify any web application configuration vulnerability scan that completes with a 'High' severity. I also need to get a list of the vulnerability findings that resulted in the 'High' severity level.
My plan is to run a daily process utilizing the WAS API.
From the portal, if I go to the Scan List tab and search using the name of a multi-site configuration I get a list of all executions for that multi-site configuration. See below:
If I select one of the dates and click 'View Scans', I get a list of all the web application scans in that multi-site configuration along with the severity. See below:
Is there a way to get that list using the APIs? If so, I could try to do something like:
- get the list of web application scans that completed since the last time I ran (I'll keep a date/timestamp and use it to only get the most recently completed scans)
- check if the scan severity is 'high' (how can I determine this ... I don't see this as an element returned by any of the APIs).
- if high, use the search/was/finding API to identify the vulnerabilities
Use the search/was/finding API to get a list of all vulnerabilities found with severity level of 4 or 5.
Use some date/time logic to only get findings identified since the last time the process ran.
This approach is causing me some issues ... if a vulnerability was detected at one point but can no longer be tested, it still shows up in the list. I will need some way to filter these out ....
Anyone have any other suggestions?
On a related note ... is there a way to find out when a web application configuration was last scanned? Can't seem to find this data returned by an API....
Thanks in advance.