
Can I prevent SCA scan merge?


After Fortify Static Code Analyzer completes the scan, SCA merges the analysis results with those from the previous scan to determine which issues are new, which have been removed, and which were uncovered in both scans.

What Audit Workbench fails to do is to identify issues that have been resolved but which have been reintroduced. These issues are presented in the Analysis Results pane with the "(Resolved)" tag.

Fortify is keeping a copy of the FPR in C:\Users\<user>\AppData\Local\Fortify\VS16.0-19.2.0\updt-mon, but deleting that or the FPR file in my project does not seem to prevent the merge.

I would like to prevent this merge so that SCA presents errors that have been reintroduced as new issues.
How can this be done?


Accepted Solution
Micro Focus Expert

What exactly do you mean by the "(Resolved)" tag? Fortify normally flags issues as "removed" issues, which are hidden in the normal UI, and you need to make them visible explicitly.

So as long as you see an issue in the normal UI, Fortify still identifies the issue. Only if a subsequent scan does not find the issue will the "Removed" flag be set, and the issue is then not visible anymore unless you set the option "Show removed issues".

Still, deleting the FPRs should remove all previous audits, comments and similar.

How do you run the scan exactly? (cmd line, AWB, IDE?)

In AWB or IDE, do you have the previous results open?

Where do you see the merged results? (AWB, IDE, SSC?)

There is a merge happening during upload into SSC as well.

On the other side, if you prevent the merge you will lose all audit information, not only the information for reintroduced issues.

Regular Contributor

Ivan,

Thank you for taking the time to respond to my query about removed (not resolved, like I said) issues. Your comment that deleting the FPRs should remove all previous audits motivated me to revisit my FPR deletion. I learned that to remove previous audits one needs to delete BOTH the FPR in the AppData directory as well as the FPR in the project or solution directory. (I am using Fortify on a local Windows computer.)

There is an issue with issues presented as removed in the analysis pane; however, it could not be reproduced with a simple demo program! When I deleted the FPRs for an actual, complex piece of code, issues that had been noted as removed, but that were actually still unresolved vulnerabilities, were presented as active vulnerabilities.

To complete this thread, here are the answers to your questions. I am working on a Windows box with Visual Studio 2019 and the Fortify extension 19.2. Scans are run from within the VS extension. Results are viewed both in VS and in AWB, and they are the same. I am not using SSC.

Again, thanks for your help Ivan.

This might belong in another thread, but you probably know the answer. I have been unable to find documentation of the meaning of the numbers in braces in the Analysis pane, i.e. Path Manipulation - [0/7]. The 7 is the number of instances of path manipulation, but what is the 0?

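The fix Peter describes above is that both FPR copies (the one under AppData\Local\Fortify\...\updt-mon and the one in the solution directory) must be deleted before the next scan stops merging against old results. The PowerShell script below is an added example, not code from the poster or from Fortify: it enumerates the .fpr files in both locations first, so you can see which copy you missed, and only deletes them when run with -Delete. The extension folder name VS16.0-19.2.0 is taken from the original question and passed as a parameter, since it changes with the Visual Studio and extension version (an assumption about other installs).

```powershell
<#
    Added example (not from the thread or from Fortify).
    Lists, and optionally deletes, the FPR files that Fortify keeps for a
    Visual Studio solution in the two locations named in this thread:
      1. %LOCALAPPDATA%\Fortify\<extension folder>\updt-mon
      2. the solution / project directory
    Both copies must be removed, or the next scan will still merge.
#>
param(
    [Parameter(Mandatory)] [string] $SolutionDir,
    # Assumption: folder name from the original post; adjust for your VS/extension version.
    [string] $ExtensionDir = "VS16.0-19.2.0",
    [switch] $Delete
)

$locations = @(
    (Join-Path $env:LOCALAPPDATA "Fortify\$ExtensionDir\updt-mon"),
    $SolutionDir
)

# Collect every .fpr under both locations; warn about a location that does not exist
# (Write-Warning goes to the warning stream, so it does not end up in $found).
$found = foreach ($dir in $locations) {
    if (Test-Path -Path $dir) {
        Get-ChildItem -Path $dir -Filter *.fpr -Recurse -File
    } else {
        Write-Warning "Location not found: $dir"
    }
}

if (-not $found) {
    Write-Host "No FPR files found; the next scan has nothing to merge against."
    return
}

Write-Host "FPR files that the next scan would merge with:"
$found | Select-Object FullName, LastWriteTime, Length | Format-Table -AutoSize

if ($Delete) {
    # Removing these discards every previous audit, comment and "Removed" flag.
    $found | Remove-Item -Force -Verbose
} else {
    Write-Host "Dry run. Re-run with -Delete to remove all of the files listed above."
}
```

Run it as `.\Reset-FortifyMerge.ps1 -SolutionDir C:\src\MySolution` to see the list, then add `-Delete` once you are sure. As Ivan points out in the accepted answer, preventing the merge this way throws away all audit information (analysis tags, comments), not only the reintroduced issues, so keep a copy of the old FPR if any of that auditing matters.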
Micro Focus Expert

Hi Peter,

Great you got a working solution for you and found the FPR to delete.

Path Manipulation - [0/7]

As you said, 7 is the number of found issues.

0 of those issues have been audited.

If you change the analysis tag of one of the issues you should see 1/7, and so on.

Regular Contributor

And again, thank you.
