
Fortify FPR instance severity mapping to ssc priority values

Hi, I'm using the Fortify SCA and Fortify WebInspect products. I did see in the Fortify SSC product that Fortify maps each vulnerability to Critical, High, Medium and Low. I didn't see that mapping in the FPR files; all I have is Instance Severity. Could you help me map the FPR instance severity to the Fortify SSC priority / friority value?

Accepted Solution
Micro Focus Expert

Friority stands for Fortify Priority Order. Friority is a designation of the seriousness of an issue to denote the impact and likelihood of exploitation. Issues are categorized into the following four risk quadrants based on whether they have a high or low impact, and a high or low likelihood of being exploited:

  • Critical - High impact (>=2.5) and high likelihood (>=2.5). Critical issues are easy for the attacker to discover and exploit to result in extensive asset damage.
  • High - High impact (>=2.5) but low likelihood (<2.5). High priority issues are often difficult to discover and exploit, but can result in extensive asset damage.
  • Medium - Low impact (<2.5) but high likelihood (>=2.5). Medium priority issues are easy to discover and exploit, but often result in little asset damage.
  • Low - Low impact (<2.5) and low likelihood (<2.5). Low priority issues are difficult to discover and exploit and typically result in little asset damage.

[image: friority_quadrant.png]

For a more detailed explanation you can obtain a copy of the whitepaper Prioritizing Static Analysis Results by Brian Chess and Jacob West (January 13, 2020) from the Premium Content section of https://support.fortify.com/ under Technical Resources. If you do not have access to the site or the Premium Content section please talk with your sales representative. A majority of this whitepaper is included in the Fortify Audit Workbench guide under the Static Analysis Prioritization section.

To calculate the Fortify Priority Order, which actually uses other metadata to place vulnerabilities into one of the four quadrants, take a look at how this project (https://github.com/gfdsa/python-fortify) breaks down the parts of the FPR to perform the calculations.

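As an added example (not from the original thread and not Fortify's own code), the script below does what the question asks: it opens an SCA-generated FPR as a ZIP, reads audit.fvdl, and places each finding into the four quadrants listed in this answer using the 2.5 thresholds. Everything beyond those thresholds is an assumption to verify against your own audit.fvdl and the Audit Workbench guide's prioritization section: the FVDL namespace and element paths (per-instance Confidence under InstanceInfo; per-rule Accuracy, Impact and Probability under EngineData/RuleInfo/Rule/MetaInfo), and the derivation Likelihood = Accuracy * Confidence * Probability / 25. The embedded FVDL is constructed for the example, not a real scan.

```python
"""Classify findings from an FPR's audit.fvdl into Fortify Priority Order quadrants.

Added example. Assumptions (check against a real audit.fvdl before relying on them):
  * FVDL namespace "xmlns://www.fortifysoftware.com/schema/fvdl".
  * Confidence is per instance (InstanceInfo); Accuracy, Impact and Probability are
    per rule (EngineData/RuleInfo/Rule/MetaInfo/Group[@name=...]).
  * Likelihood = Accuracy * Confidence * Probability / 25 (assumed formula).
"""
import io
import xml.etree.ElementTree as ET
import zipfile

NS = {"f": "xmlns://www.fortifysoftware.com/schema/fvdl"}
THRESHOLD = 2.5  # quadrant boundary on both axes, from the accepted answer

# Constructed sample audit.fvdl: four findings against three rules. Finding i4 has a
# higher InstanceSeverity than i3 but a lower Confidence, so it lands in a lower quadrant.
SAMPLE_FVDL = b"""<?xml version="1.0" encoding="UTF-8"?>
<FVDL xmlns="xmlns://www.fortifysoftware.com/schema/fvdl">
  <Vulnerabilities>
    <Vulnerability>
      <ClassInfo><ClassID>R1</ClassID><Type>SQL Injection</Type><DefaultSeverity>4.0</DefaultSeverity></ClassInfo>
      <InstanceInfo><InstanceID>i1</InstanceID><InstanceSeverity>4.0</InstanceSeverity><Confidence>5.0</Confidence></InstanceInfo>
    </Vulnerability>
    <Vulnerability>
      <ClassInfo><ClassID>R2</ClassID><Type>Path Manipulation</Type><DefaultSeverity>3.0</DefaultSeverity></ClassInfo>
      <InstanceInfo><InstanceID>i2</InstanceID><InstanceSeverity>3.0</InstanceSeverity><Confidence>5.0</Confidence></InstanceInfo>
    </Vulnerability>
    <Vulnerability>
      <ClassInfo><ClassID>R3</ClassID><Type>System Information Leak</Type><DefaultSeverity>2.0</DefaultSeverity></ClassInfo>
      <InstanceInfo><InstanceID>i3</InstanceID><InstanceSeverity>2.0</InstanceSeverity><Confidence>5.0</Confidence></InstanceInfo>
    </Vulnerability>
    <Vulnerability>
      <ClassInfo><ClassID>R3</ClassID><Type>System Information Leak</Type><DefaultSeverity>2.0</DefaultSeverity></ClassInfo>
      <InstanceInfo><InstanceID>i4</InstanceID><InstanceSeverity>3.0</InstanceSeverity><Confidence>1.0</Confidence></InstanceInfo>
    </Vulnerability>
  </Vulnerabilities>
  <EngineData><RuleInfo>
    <Rule id="R1"><MetaInfo><Group name="Accuracy">5.0</Group><Group name="Impact">4.0</Group><Group name="Probability">4.0</Group></MetaInfo></Rule>
    <Rule id="R2"><MetaInfo><Group name="Accuracy">3.0</Group><Group name="Impact">3.0</Group><Group name="Probability">1.0</Group></MetaInfo></Rule>
    <Rule id="R3"><MetaInfo><Group name="Accuracy">5.0</Group><Group name="Impact">1.0</Group><Group name="Probability">4.0</Group></MetaInfo></Rule>
  </RuleInfo></EngineData>
</FVDL>
"""


def quadrant(impact, likelihood):
    """The four risk quadrants from the accepted answer (>= 2.5 counts as high)."""
    high_impact = impact >= THRESHOLD
    high_likelihood = likelihood >= THRESHOLD
    if high_impact and high_likelihood:
        return "Critical"
    if high_impact:
        return "High"
    if high_likelihood:
        return "Medium"
    return "Low"


def compute_likelihood(accuracy, confidence, probability):
    """Assumed likelihood derivation; rule metadata times the per-instance confidence."""
    return accuracy * confidence * probability / 25.0


def rule_metadata(root):
    """Map rule id -> {Accuracy, Impact, Probability}; rules missing any of them are skipped."""
    wanted = ("Accuracy", "Impact", "Probability")
    meta = {}
    for rule in root.findall("f:EngineData/f:RuleInfo/f:Rule", NS):
        groups = {g.get("name"): float(g.text)
                  for g in rule.findall("f:MetaInfo/f:Group", NS) if g.get("name") in wanted}
        if all(k in groups for k in wanted):
            meta[rule.get("id")] = groups
    return meta


def classify_fvdl(fvdl_bytes):
    """Return one dict per Vulnerability with the computed friority (or "Unknown")."""
    root = ET.fromstring(fvdl_bytes)  # use defusedxml.ElementTree for untrusted uploads
    meta = rule_metadata(root)
    findings = []
    for vuln in root.findall("f:Vulnerabilities/f:Vulnerability", NS):
        class_id = vuln.findtext("f:ClassInfo/f:ClassID", namespaces=NS)
        rule = meta.get(class_id)
        confidence = float(vuln.findtext("f:InstanceInfo/f:Confidence", default="0", namespaces=NS))
        # Refuse to guess when the rule metadata is not embedded in the FVDL.
        likelihood = compute_likelihood(rule["Accuracy"], confidence, rule["Probability"]) if rule else None
        findings.append({
            "instance_id": vuln.findtext("f:InstanceInfo/f:InstanceID", namespaces=NS),
            "class_id": class_id,
            "instance_severity": float(vuln.findtext("f:InstanceInfo/f:InstanceSeverity", default="0", namespaces=NS)),
            "impact": rule["Impact"] if rule else None,
            "likelihood": likelihood,
            "friority": quadrant(rule["Impact"], likelihood) if rule else "Unknown",
        })
    return findings


def classify_fpr(fpr):
    """fpr: path or file-like object of an FPR. Only the fixed member audit.fvdl is read."""
    with zipfile.ZipFile(fpr) as zf:
        return classify_fvdl(zf.read("audit.fvdl"))


def make_sample_fpr():
    """Build an in-memory FPR (ZIP containing audit.fvdl) from the constructed sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("audit.fvdl", SAMPLE_FVDL)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for f in classify_fpr(make_sample_fpr()):
        print(f"{f['instance_id']}: severity={f['instance_severity']} impact={f['impact']} "
              f"likelihood={f['likelihood']} -> {f['friority']}")
```

Two things the sample is built to show. First, Instance Severity is not an input to the quadrant: i4 carries a higher InstanceSeverity than i3 yet drops from Medium to Low because its Confidence is lower. Second, findings whose rule metadata is not embedded get "Unknown" rather than a silently wrong rating. Since the question mentions customers uploading FPRs, parse them with defusedxml rather than the stdlib parser and cap the decompressed size of audit.fvdl before reading it. WebInspect FPRs carry webinspect.xml instead of audit.fvdl, so this script does not cover them.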

8 Replies
Vice Admiral

Hi Manasa,

When you say you cannot see the data mappings in the FPR file, how exactly are you viewing the FPR file outside of Fortify SSC to determine this?

Which product generated the FPR file causing you the problem, SCA or WebInspect?

Can we assume you are opening the FPR with Audit Workbench (as the FPR is a binary/proprietary format)?

When I open an FPR in Audit Workbench, I can see the attribute "Fortify Priority Order" which corresponds to Critical/High/Medium/Low. See screenshot of Audit Workbench.

Lieutenant
Hi rhelsens,
I have generated the FPR from both SCA and WebInspect. As the FPR is binary, I have my own script which converts the FPR into a ZIP file, and I'm reading audit.fvdl in the case of SCA and webInspect.xml for WebInspect.
I need to understand the algorithm Fortify uses to arrive at the Fortify Priority value from the FPR files, so that I can write my own script to categorize findings into Critical, High, Medium and Low.
Please guide me on the algorithm for computing the priority in Fortify from the FPR files.
Vice Admiral

I see. I'm sorry I cannot be of any help with experience there...

Perhaps instead of attempting to inspect the FPR locally, you could take the approach of uploading the FPR to SSC and then using the SSC API to uncover these aspects of the scan results?

For instance, GET /projectVersions/{parentId}/issues returns the issues list, which includes the friority:

Good luck!

 

  {
    "count": 0,
    "data": [
      {
        "analyzer": "string",
        "audited": false,
        "bugURL": "string",
        "confidence": 0,
        "displayEngineType": "string",
        "engineCategory": "STATIC",
        "engineType": "string",
        "externalBugId": "string",
        "folderGuid": "string",
        "folderId": 0,
        "foundDate": "2020-09-28T15:02:03.608Z",
        "friority": "string",
        "fullFileName": "string",
        "hasAttachments": false,
        "hasComments": false,
        "hasCorrelatedIssues": false,
        "hidden": false,
        "id": 0,
        "impact": 0,
        "issueInstanceId": "string",
        "issueName": "string",
        "issueStatus": "string",
        "kingdom": "string",
        "lastScanId": 0,
        "likelihood": 0,
        "lineNumber": 0,
        "primaryLocation": "string",
        "primaryRuleGuid": "string",
        "primaryTag": "string",
        "primaryTagValueAutoApplied": false,
        "projectName": "string",
        "projectVersionId": 0,
        "projectVersionName": "string",
        "removed": false,
        "removedDate": "2020-09-28T15:02:03.608Z",
        "reviewed": "string",
        "revision": 0,
        "scanStatus": "string",
        "severity": 0,
        "suppressed": false
      }
    ],
    "errorCode": 0,
    "links": {},
    "message": "string",
    "responseCode": 0,
    "stackTrace": "string",
    "successCount": 0
  }

Lieutenant
Hi rhelsens,

Thanks for your reply. But the problem here is that we do have customers who upload Fortify FPR files to Fortify SSC, where we handle the 'friority' directly for categorizing severity.
But some customers upload the Fortify FPR to our system, and we are in a situation where we need to map the values from the FPR to calculate the severity of each finding as Critical, High, Medium or Low.
Micro Focus Expert

I suggest you take a look at templates and how they are structured. You should notice that SCA FPRs correspond with the same ranking as you will see in AWB (Critical, High, Medium, Low):

[image: SCA_FPR.png]

Here I am using a different template, created for WebInspect scans that are brought in. As scans from WebInspect have additional categories (Best Practices and Information), you will notice these are now split out. If you were to use the same template as for SCA scans, Best Practices and Information would be rolled into Low. As mentioned, this is performed by a template and is assigned to the application version via the Filter Set (as highlighted).

[image: WI_Scan.png]

Here is a snippet from the WebInspect template I have, showing how the folders are defined:

  <FolderDefinition id="5b01faac-3e31-4ac7-b524-11bde4e5ef55" color="blue">
    <name>Best Practices</name>
    <description>This folder provides a comprehensive list of issues that relate to commonly accepted best practices for Web development. They are not vulnerabilities, but are indicators of overall site quality and site development security practices (or lack thereof).</description>
  </FolderDefinition>
  <FolderDefinition id="34b2676d-adf0-4752-83fe-4730396d6e91" color="00ffff">
    <name>Information</name>
    <description>This folder provides a comprehensive list of issues discovered that are not considered vulnerabilities. They simply identify interesting points in the site or certain applications.</description>
  </FolderDefinition>

You can find additional information about templates in the SSC (https://www.microfocus.com/documentation/fortify-software-security-center/2010/SSC_Help_20.1.0/index.htm#SSC_UG/A_Issue_Templ.htm) and AWB (https://www.microfocus.com/documentation/fortify-static-code-analyzer-and-tools/2010/AWB_Help_20.1.0/index.htm#Reports/EditRptTemplateXML.htm) guides.

DO NOT MODIFY THE DEFAULT TEMPLATES. YOU CAN USE THEM AS A BASE, BUT DO NOT OVERWRITE DEFAULT TEMPLATES.

Lieutenant
Hi ebell,

Thanks for your response. But I'm looking for something different, not in Fortify SSC. I would like to understand the logic/algorithm Fortify uses to come up with the different categories of severity: Critical, High, Medium and Info.
My use case is to handle the Fortify FPR manually with our own scripts, where I have the following fields: Instance Severity, Likelihood, Default Severity and much more. Is there a way I could get the logic you use for calculating 'friority'?
Micro Focus Expert

(Accepted solution, reproduced at the top of this page.)

Lieutenant

Thanks @ebell for your reply. It was really helpful.
