Filtering Analysis - Filtering out vulnerabilities from the analysis results (FPR) during the scan phase.

 
0 Likes


Fortify Static Code Analyzer has two methods of filtering out vulnerabilities:

The first method is a filter file, which removes issues based on specific vulnerability instances, rules, and vulnerability categories.
The second method is a filter set, created in Fortify Audit Workbench, which removes the issues that an issue template hides from view.

In this example we will talk about the filter file method.

Caution! Fortify recommends using filter files only if you are an advanced user.
General users should not use filter files for standard audits, mainly because auditors want to see and evaluate all issues that Fortify SCA finds.

Let's now take a look at how to exclude issues with filter files.
For this we need to create a filter file that filters out issues by instance ID, rule ID, and vulnerability category.
We then specify this filter file with the -filter switch.

Please refer to the SCA documentation under the [Filtering the Analysis] section for the various filter types available with SCA and examples of each type.

https://www.microfocus.com/documentation/fortify-static-code-analyzer-and-tools/2320/SCA_Help_23.2.0/index.htm#filtering/UsingFilterFiles.htm?TocPath=Filtering%2520the%2520Analysis%257CExcluding%2520Issues%2520with%2520Filter%2520Files%257C_____0

So, a filter file is basically a text file that we can create with any text editor; in it we specify only the filter elements that we do not want listed in the FPR.

The first step is to create a filter file which defines the items you want to exclude from the scan results.


In this example we will look at the sample Eightball project FPR file, in which we can see all the issues listed after the last Eightball project scan in AWB.

Let's look at the sample filter file.
Here we have Unreleased Resource filtered by category, a Path Manipulation issue filtered by instance ID, and Path Manipulation issues filtered by rule ID.


To accomplish this via the CLI, let's launch a command prompt.

Execute the sourceanalyzer command line with the -filter analysis option; please refer to the syntax below:


"C:\Program Files\Fortify\Fortify_SCA_23.2.0\bin\sourceanalyzer.exe" -b Eightball -scan -filter test_filter.txt -f Eightball.fpr

This generates the Eightball.fpr file; verify the FPR file by launching Audit Workbench.

We can now see that the items defined in the filter file, the Unreleased Resource: Streams issue type and the Path Manipulation issues, are no longer listed.
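Here is the shape of the test_filter.txt used in the scan above, as an added illustration rather than the file from the original post: one filter entry per line, with lines starting with # treated as comments, which is how we understand the format from the SCA guide. The instance ID and rule ID are placeholders; take the real values from the Path Manipulation issue in Audit Workbench.

```text
# test_filter.txt (constructed example, not the file from the original post)
# Lines starting with # are comments; every other non-blank line is one filter entry.

# 1. Filter by vulnerability category: removes every Unreleased Resource issue
Unreleased Resource

# 2. Filter by instance ID: removes one specific Path Manipulation issue
#    (placeholder: replace with the real Instance ID shown for that issue in AWB)
<INSTANCE_ID_OF_PATH_MANIPULATION_ISSUE>

# 3. Filter by rule ID: removes every issue raised by that Path Manipulation rule
#    (placeholder: replace with the real Rule ID shown for that issue in AWB)
<RULE_ID_OF_PATH_MANIPULATION_RULE>
```

Keep the file under version control next to the project, since anything listed here is silently dropped from every FPR produced with -filter and auditors will not see it.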

Labels: Support Tip