Appending WebInspect fpr file
We run DAST scans of a deployed application through a workflow-driven scan using WebInspect. There are two entry points to the application, so we have two WebInspect scan jobs for Workflow1 & Workflow2 WI. Currently, we upload the fpr files of the two scans into separate projects in Fortify SSC; however, our development team would like to see the result of the two workflow scans in a single project on Fortify SSC. Is it feasible to combine (append, not merge) the two fpr files into one fpr file? I am aware that FPRUtility merges fpr files, but in this case the fpr files are from different codebases (workflows). Does FPRUtility support an 'append' option? Any other suggestion on how to achieve this?

Thanks in advance!

  • just throwing it out there ... if you merge two same FPRs I would expect to get one singular ~ 50% smaller result right?

    So what if you merge two independent FPRs ... I might expect to get the union? And that sounds like exactly what you want.

    Have you tried it? I ask because it is a VERY good idea you gave me - so thanks. Normally on normal SAST FPRs we make multiple builds then scan the aggregate. But I never thought about stitching independent parts in a quilted style. Sure, it will miss data flows (your DAST won't).

  • What is the reason for two different SC DAST scans? For a workflow-driven scan, you can add multiple workflow macros. Is the login process the same for each entry point? If yes, you can use the same login macro but may need to add an additional logout condition in your login macro.

    Keep in mind the merge function in FPRUtility will combine all analysis information, resolving conflicts using the values set in the primary project. The merging action will produce an output project file that will contain the analysis information from the primary project.
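To verify whether a merged FPR really carries the union of both workflow scans (the outcome the first comment speculates about) rather than silently dropping findings of the secondary project, here is an added Python check that is not from this thread or from Fortify. It assumes each FPR is a ZIP archive whose audit.fvdl lists findings as Vulnerability elements with an InstanceInfo/InstanceID, and it builds constructed sample archives for the run.

```python
import os
import tempfile
import zipfile
import xml.etree.ElementTree as ET

# An FPR is a ZIP archive; findings live in audit.fvdl as <Vulnerability>
# elements carrying an InstanceInfo/InstanceID (assumption about the layout;
# the XML namespace is handled by matching the local tag name only).
FVDL_TEMPLATE = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<FVDL xmlns="xmlns://www.fortifysoftware.com/schema/fvdl">'
    '<Vulnerabilities>{vulns}</Vulnerabilities></FVDL>'
)
VULN_TEMPLATE = (
    '<Vulnerability><ClassInfo><Type>{kind}</Type></ClassInfo>'
    '<InstanceInfo><InstanceID>{iid}</InstanceID></InstanceInfo></Vulnerability>'
)

def instance_ids(fpr_path):
    """Return the set of InstanceIDs in the FPR's audit.fvdl."""
    with zipfile.ZipFile(fpr_path) as zf:
        root = ET.fromstring(zf.read("audit.fvdl"))
    return {el.text.strip() for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "InstanceID" and el.text}

def missing_after_merge(primary, secondary, merged):
    """IDs present in either input scan but absent from the merged FPR."""
    return (instance_ids(primary) | instance_ids(secondary)) - instance_ids(merged)

def write_fpr(path, findings):
    """Write a constructed, minimal FPR holding the given (type, id) findings."""
    vulns = "".join(VULN_TEMPLATE.format(kind=k, iid=i) for k, i in findings)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("audit.fvdl", FVDL_TEMPLATE.format(vulns=vulns))

def demo(workdir=None):
    """Build constructed Workflow1/Workflow2 FPRs and a merged FPR that lost
    one finding, then report which InstanceIDs went missing."""
    workdir = workdir or tempfile.mkdtemp()
    w1, w2, merged = (os.path.join(workdir, n) for n in
                      ("workflow1.fpr", "workflow2.fpr", "merged.fpr"))
    write_fpr(w1, [("Cross-Site Scripting", "A1"), ("SQL Injection", "A2")])
    write_fpr(w2, [("Cross-Site Scripting", "B1"), ("Open Redirect", "B2")])
    write_fpr(merged, [("Cross-Site Scripting", "A1"), ("SQL Injection", "A2"),
                       ("Cross-Site Scripting", "B1")])  # B2 dropped on purpose
    return sorted(missing_after_merge(w1, w2, merged))

if __name__ == "__main__":
    print("InstanceIDs missing from merged FPR:", demo())
```

Point `missing_after_merge` at the two WebInspect FPRs and the FPRUtility output; an empty result means nothing from either workflow was lost in the merge.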