Filtering false positives in Fortify

What is the best way to filter out false positives in Fortify to ensure they never come up again for the current and all future versions of a project folder? I found a video on fortifyunplugged where this was done via Audit Workbench. However, it appeared it was limited to just that project folder version. Is filtering via AWB the best method? Is there a way to do filtering directly in Fortify SSC? I can suppress vulnerabilities, but they often re-appear in future scans.

  • Verified Answer

    Thank you for your question. There are two methods you can use to filter or remove items that are considered false positives: you can use issue templates or custom rules.


    Issue Templates are what is used in Software Security Center; however, it is called an Audit Template in Audit Workbench. There are two types of filters that can be used: folder filters or visibility filters.

    Using folder filters you can move an issue from one criticality to another (i.e. move a critical issue to the low folder).

    Using visibility filters you can hide an issue.

    It is easiest to create these filters using Audit Workbench (per the video) and then export the project template. Once the project template is created, you can upload the template to Software Security Center as an Issue Template. To use that template on an application, you apply that template in the application profile settings.
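As an added illustration of what the exported template looks like (this is example content written for this page, not a file from the video, the answer above, or Fortify's own documentation): one folder filter that demotes a category to the Low folder and one visibility filter that hides findings in unit-test sources. The element and attribute names follow the shape of a template exported from Audit Workbench as recalled by the editor, and the folder ids, template id, and search queries are made up for the example; compare them against a template you export yourself before uploading it to SSC.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Illustrative filter template (example added to this page, not an exported
     Fortify artifact). Element names are assumed to match an AWB export;
     verify against your own export before uploading as an Issue Template. -->
<ProjectTemplate xmlns="xmlns://www.fortify.com/schema/issuemanagement"
                 version="1.0" id="00000000-0000-0000-0000-000000000001">
  <Name>Team Filter Template</Name>
  <Description>Folder and visibility filters shared across all application versions</Description>

  <!-- Folders that a folder filter can move issues into (ids are made up). -->
  <FolderDefinition id="critical-folder" color="ff0000">
    <name>Critical</name>
    <description>Fix before release</description>
  </FolderDefinition>
  <FolderDefinition id="low-folder" color="00ff00">
    <name>Low</name>
    <description>Accepted risk or informational</description>
  </FolderDefinition>

  <FilterSet type="user" id="team-view" enabled="true" disabled="false">
    <Title>Team View</Title>
    <Description>Applied to every scan uploaded to any version of the application</Description>

    <!-- Folder filter: Dead Code findings are demoted to the Low folder
         instead of being hidden, so they stay auditable. -->
    <Filter>
      <actionParam>low-folder</actionParam>
      <query>category:"Dead Code"</query>
      <action>setFolder</action>
    </Filter>

    <!-- Visibility filter: findings located in unit-test sources are hidden. -->
    <Filter>
      <actionParam>true</actionParam>
      <query>file:*Test.java</query>
      <action>hide</action>
    </Filter>
  </FilterSet>
</ProjectTemplate>
```

Because the filters live in the template rather than on individual issues, they are re-evaluated against every new scan uploaded to an application that uses the template, which is the difference from per-issue suppression described in the question. Keep the template in version control alongside the project so changes to the filter queries are reviewed like any other security configuration.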

  • Thank you. Are there any future plans to have this filter creation functionality directly in Fortify on-prem SSC?