How to include upstream SSC results in local SCA scans?

I would like to include upstream SSC results in local SCA scans to address the following issue:

1. We use Fortify SCA to scan for source code vulnerabilities and upload the report to SSC.
2. SSC processes the artifact and uses our custom issue template and categorizes critical/high vulnerabilities.
3. For example, if there are 3 high vulnerabilities, our issue template decides one of them is not a high vulnerability and downgrades it to a Low one.
4. We mark one of the high vulnerabilities as "Not an issue" and now only one high vulnerability needs to be fixed.
5. We scan the codebase locally next time and when we look for high vulnerabilities, the local fpr reports them as 3.
6. We have already marked 2 of them accordingly as not High in SSC and would like to include the upstream SSC results with the local artifact.
7. When upstream SSC results are included in the local fpr, we would like to see only one high vulnerability in the local fpr, as the other 2 are downgraded/marked in SSC.

I am interested to know whether this can be achieved.

  • Verified Answer

    +2  

    This can be done. First, you need to download the latest application file from the Artifacts section of the app version in SSC. (Click on either the "Application File" or "Application & Sources" button.) This file will include the results from the last scan, custom issue template assigned to the app version, and audits. When you run the next local scan, make the filename specified in the argument of the "-f" option in the sourceanalyzer scan command the same as the FPR you downloaded from SSC.

    To automate the download, I recommend you use the fcli tool. With fcli, the command you need is:

    fcli ssc av download-state -f sample.fpr 10068

    (Note: "10068" is a sample app version ID. Replace it with the ID from your own app version.)

    Once the FPR has been downloaded, run the sourceanalyzer scan command. For example:

    sourceanalyzer -b build_id -logfile scan.log -scan -f sample.fpr

    Hope this helps.

  • 0 in reply to   

    Thank you very much.

    I tried this and it works as expected. One question though is how I can have FPRUtility ignore issues with tags like "Not an issue". At present, I have 6 critical issues and have suppressed one and marked another one as "Not an issue". I would like to see FPRUtility report only 4 critical issues locally but it is reporting 5.

    Also, out of curiosity, it seems like we can use the -merge option in FPRUtility to achieve the same result, but I am wondering what the difference is between fcli and the -merge option and which would be best suited for this approach.

  • Suggested Answer

    0   in reply to 

    To help you formulate the correct search string, I recommend you use Audit Workbench (AWB). Here's an animated GIF that shows you how:

    [Animated GIF: Formulate Search String in AWB]

    (You may want to open the image in new tab to view the full resolution.) Once you have the search string, copy/paste it into your FPRUtility command:

    FPRUtility -information -search -query "[fortify priority order]:critical AND Analysis:!not an issue" -project WebGoat_v2023.8_2024-09-04.fpr

    Regarding your last question, yes, you can use the FPRUtility -merge option to "merge" two FPR files. The sourceanalyzer command in my last reply does the same thing (if the FPR file specified in the argument of the "-f" option already exists). You could have specified a different filename in the sourceanalyzer scan command, and then followed it up with an FPRUtility -merge command. Note that the fcli command in my last reply only downloaded the FPR file from SSC; fcli does not possess merge functionality.

    Hope this helps.
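As an added example, not code from either reply or from Fortify's own tooling, the following POSIX shell wrapper strings the two answers together: it downloads the app version state with the fcli command from the verified answer, then either scans straight into that FPR (the verified answer's approach) or scans to a fresh FPR and merges the SSC audits in with FPRUtility -merge (the alternative raised in the reply), and finishes with the FPRUtility search query from the suggested answer. Assumptions not stated on the page: fcli, sourceanalyzer and FPRUtility are on PATH; the fcli syntax is the one shown in the verified answer (it has changed between fcli releases, so check `fcli ssc av download-state --help` for your version); the file names ssc_state.fpr, local_scan.fpr and merged.fpr are placeholders; 10068 and build_id are the sample IDs from the thread; and in FPRUtility -merge, -project is the primary FPR (the new scan results) and -source is the FPR whose audit information is merged in (confirm with `FPRUtility -h` if your version differs). DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the thread): carry SSC audit state into a local scan.
# Assumptions: fcli, sourceanalyzer and FPRUtility on PATH; fcli syntax as in the
# verified answer; file names and IDs below are placeholders.
set -u

# Print the command instead of running it when DRY_RUN=1, quoting any argument
# that contains spaces or shell metacharacters so the line can be pasted back.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    cmdline=""
    for a in "$@"; do
      case $a in *[!A-Za-z0-9_./:=-]*) a="'$a'" ;; esac
      cmdline="$cmdline${cmdline:+ }$a"
    done
    printf '%s\n' "$cmdline"
  else
    "$@"
  fi
}

# An FPR is a zip archive. Refuse to scan into a missing, empty or non-zip file:
# sourceanalyzer would otherwise just create a fresh FPR with no audits in it,
# and the "3 instead of 1" problem from the question would silently return.
check_fpr() {
  [ -s "$1" ] || return 1
  [ "$(head -c 2 "$1")" = "PK" ] || return 1
}

# Step 1 (both variants): latest results, issue template and audits for the app version.
download_state() {  # args: av_id fpr
  run fcli ssc av download-state -f "$2" "$1"
}

# Variant A (verified answer): pass the downloaded FPR as -f so the scan merges into it.
scan_in_place() {  # args: build_id fpr
  if [ "${DRY_RUN:-0}" != 1 ]; then
    check_fpr "$2" || { echo "refusing to scan into $2: not a valid FPR" >&2; return 1; }
  fi
  run sourceanalyzer -b "$1" -logfile scan.log -scan -f "$2"
}

# Variant B (suggested answer): scan to a fresh FPR, then merge the SSC audits into it.
# -project is the primary (new results); -source supplies the audit information.
scan_then_merge() {  # args: build_id ssc_fpr new_fpr merged_fpr
  run sourceanalyzer -b "$1" -logfile scan.log -scan -f "$3"
  run FPRUtility -merge -project "$3" -source "$2" -f "$4"
}

# The search string from the suggested answer, run against the merged FPR.
report_critical() {  # args: fpr
  run FPRUtility -information -search \
    -query "[fortify priority order]:critical AND Analysis:!not an issue" \
    -project "$1"
}

# Whole pipeline. MODE=inplace (default) or MODE=merge selects the variant.
pipeline() {  # args: av_id build_id
  fpr=ssc_state.fpr
  download_state "$1" "$fpr"
  if [ "${MODE:-inplace}" = merge ]; then
    scan_then_merge "$2" "$fpr" local_scan.fpr merged.fpr
    report_critical merged.fpr
  else
    scan_in_place "$2" "$fpr"
    report_critical "$fpr"
  fi
}

# Usage: DRY_RUN=1 MODE=merge sh merge_scan.sh 10068 build_id
if [ "$#" -ge 2 ]; then
  pipeline "$1" "$2"
fi
```

Two points worth keeping in mind when comparing counts with SSC: the query above filters on the Analysis tag only, and suppression is a separate issue state, so a suppressed finding is not removed by `Analysis:!not an issue`; check how your FPRUtility version treats suppressed issues before reading the total as "what is left to fix". And the check_fpr guard matters in CI: if the fcli download fails or produces an empty file, scanning with -f still succeeds, just without any of the audits you expected to inherit.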