This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

confirming false positives

Hello, Im using Fortify SCA, new to the community. I would like to get the community's thoughts on best practices for confirming that SAST scan findings are false positives. I know its a team effort, and there is trust involved between the sec team and dev team. But what resources are recommended when neither team know how to fix a finding, multiple solutions are thrown in the code to mitigate but the finding still shows up and suspected to be false positive? What can we do besides say "its probably a false positive" and move on? 

I found OWASP cheatsheets that show what a specific vulnerability might look like in code, it wasnt quite specific enough to help in my current needs, but its the closest ive gotten. 

Can the community chime in with some best practices or how to progress in this arena or other related advice?

Ideally im looking for a resource/cheatsheet that I can match up a CWE to a method that fixes it, but im sure thats over simplified. 

Any help is much appreciated. 

Thanks all.

  • I look forward to the other responses your question may bring!

    For initial Issue Auditing, we would recommend enabling the Audit Assistant feature with your SSC Server.  This permits you to submit the metadata of your Issues to our Scan analytics portal for comparison and calculation.  the turn-around time is very fast, and this submission can also be set to an Automated Submission with each scan upload.  This feature will add several "AA_" tags to your Issues, such as AA_Prediction, which is the Audit Status the Scan analytics AI would have assigned to the Issue.  If you also enabled the Auto-Apply option, then the Audit Status would be set to that AA_Prediction value automatically after the AA review.  While this feature applies to only two (rather noisy) Analysis Engines out of the 7+ used by SCA, the Audit Assistant feature can help pre-Audit a good number of Issues for you.  Also, there are plans to revamp and improve the Audit Assistant this Fall/Winter ("Audit Assistant 2.0").


    There are also several scan configuration and Filtering features you might utilize to minimize the number of Issues you are facing.


    Don't neglect the basics!, such as:

    - never neglecting the product documentation!

    - leveraging the Scan Wizard where needed to minimize human error in configuring your SCA scans, or just reverse-engineering the output script to learn more.

    - leveraging Audit Workbench (AWB) for review and mark-up.

  • very interesting - I didnt know about this. I know we have NEVER turned on AA - which is bordering on insane IMHO. To be fair we have a single SSC with a 12TB Database ... so even turning the SSC on is a challenge!

    In our company we publish Corporate Standards. The tools is tailored to highlight issues according to our standard (but we really should use CWE).

    We have a validation team to sample projects. BUT it is the team's responsibility to comply - and they are generally pretty good at this.