I used this python library: https://github.com/mpicard/pyvas
to retrieve all threats with the severity of five or above. Then I tried marking the following threat as “False Positiv” and again retrieved all threats with the severity of five or above.
But the threat hasn’t changed. Following is the threat after I applied the override.
{
'name':'Missing `httpOnly` Cookie Attribute',
'owner':{
'name':'user'
},
'comment':None,
'creation_time':'2020-02-10T11:50:28Z',
'modification_time':'2020-02-10T11:50:28Z',
'user_tags':{
'count':'1'
},
'host':{
'asset':{
'@asset_id':'b59h48ea-e846-40e4-affc-04a4ffb64f1a'
},
'#text':'10.4.100.208'
},
'port':'9080/tcp',
'nvt':{
'type':'nvt',
'name':'Missing `httpOnly` Cookie Attribute',
'family':'Web application abuses',
'cvss_base':'5.0',
'cve':'NOCVE',
'bid':'NOBID',
'xref':'URL:https://www.owasp.org/index.php/HttpOnly, URL:https://www.owasp.org/index.php/Testing_for_cookies_attributes_(OTG-SESS-002)',
'tags':"cvss_base_vector=AV:N/AC:L/Au:N/C:P/I:N/A:N|summary=The application is missing the 'httpOnly' cookie attribute|vuldetect=Check all cookies sent by the application for a missing 'httpOnly' attribute|insight=The flaw is due to a cookie is not using the 'httpOnly' attribute. This\n allows a cookie to be accessed by JavaScript which could lead to session hijacking attacks.|affected=Application with session handling in cookies.|solution=Set the 'httpOnly' attribute for any session cookie.|solution_type=Mitigation|qod_type=remote_banner",
'cert':None,
'@oid':'1.3.6.1.4.1.25623.1.0.105925'
},
'scan_nvt_version':'2019-11-21T13:29:18+0000',
'threat':'Medium',
'severity':'5.0',
'qod':{
'value':'80',
'type':'remote_banner'
},
'description':'The cookies:\n\nSet-Cookie: Domain=10.4.200.53;Domain=10.4.100.40;Path=/;Secure \n\nare missing the "httpOnly" attribute.',
'original_threat':'Medium',
'original_severity':'5.0',
'notes':None,
'overrides':None,
'@id':'80f2186b-27f2-4d0a-0f02-17e748a73034'
}
In the web GUI the threats is displayed as “False Positiv” and not counted but the API output is still showing “‘overrides’:None” and “‘severity’:‘5.0’” as if there were no override.
Could this be a bug of the OpenVAS API?