SecByte
New Member.

How to filter LOW Fortify Priority issues during scan

Looking for an option to filter out LOW Fortify Priority issues during the scan. With this approach, the FPR generated from the scan will not contain LOW severity issues. Please suggest how to configure the scan for this purpose. I am using the command-line scan. There is a quick scan mode, but it is not useful, as the requirement for the scan is to report all Critical, High and Medium issues that would appear in normal scan mode. I just need to exclude Low issues.

Thank you.


eelgheez
Super Contributor

Re: How to filter LOW Fortify Priority issues during scan

C:\DIR>c:\fortify\jre\bin\java -d64 -Xmx2000M -jar "c:\\fortify\\Core\\lib\\exe\\fpr-utility-exe.jar" -project "FILE.fpr" -information -search -query "[OWASP Top 10 2013]:A [fortify priority order]:!low [fortify priority order]:!medium file:!/*.plist file:!/node_modules/ file:!/Pods/ file:!/Pods.build/ file:!/dojo/" -categoryIssueCounts -listIssues

1 issues of 9 matched search query.


Issue counts by category:

 "Cross-Site Scripting: Reflected" => 1 Issues

     welcome/src/main/java/foo/MyServlet.java:34 (Data Flow)


Total for all categories => 1 Issues

mlacasse
Super Contributor

Re: How to filter LOW Fortify Priority issues during scan

I know this post is a little old, but I found it while digging around and wanted to provide a response for future forum searchers.

To reduce the FPR size and eliminate some of the findings, you can use the following at scan time.
-filter
This allows category, rule, or instance IDs to be specified. For instance, you could eliminate a low category like "Poor Logging Practice" and a few others via a file input.
More details here: https://www.microfocus.com/documentation/fortify-static-code-analyzer-and-tools/1720/HPE_SCA_Help_17.20/index.htm#FilterFiles/AboutFilterFiles.htm
and here: https://www.microfocus.com/documentation/fortify-static-code-analyzer-and-tools/1720/HPE_SCA_Help_17.20/index.htm#FilterFiles/FilterFileExamples.htm

-Dcom.fortify.sca.FilterSet
Using a FilterSet at scan time will take all hidden issues and discard them. This will not reduce scan time, as they will still be scanned/discovered, but they will be discarded at the end and thus not end up in the FPR file. So you could create a custom filter set that hides all LOW issues and apply it at scan time.
You can find more information about this here:
https://www.microfocus.com/documentation/fortify-static-code-analyzer-and-tools/1720/HPE_SCA_Perf_Guide_17.20.pdf

-Mark

Fortify Support 
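As an added illustration (not Fortify's code and not part of Mark's reply), here is a small Python model of the Fortify Priority Order bucketing, so you can predict which findings a filter set that hides Low, or the "!low" query term used in the fpr-utility command above, would drop. The bucketing rule it encodes is an assumption based on the SCA documentation as I recall it, and the sample findings are constructed.

```python
"""Predict which findings a "hide Low" filter set or a
'[fortify priority order]:!low' query drops. Added example, not Fortify code.
ASSUMPTION: Fortify Priority Order follows the documented rule
Likelihood = Accuracy * Confidence * Probability / 25, with Impact and
Likelihood each compared against 2.5; verify this against your SCA docs."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    category: str
    location: str
    impact: float       # rule metadata, 0.0-5.0
    accuracy: float     # rule metadata, 0.0-5.0
    probability: float  # rule metadata, 0.0-5.0
    confidence: float   # per-instance analyzer confidence, 0.0-5.0

def likelihood(f: Finding) -> float:
    return f.accuracy * f.confidence * f.probability / 25.0

def fortify_priority(f: Finding) -> str:
    """Bucket a finding into Critical / High / Medium / Low (assumed rule)."""
    high_impact, high_likelihood = f.impact >= 2.5, likelihood(f) >= 2.5
    if high_impact and high_likelihood:
        return "Critical"
    if high_impact:
        return "High"
    return "Medium" if high_likelihood else "Low"

def apply_priority_filter(findings, exclude=("Low",)):
    """Keep findings whose priority is not excluded; exclude=("Low", "Medium")
    mirrors the '!low' and '!medium' terms in the fpr-utility query."""
    excluded = {name.lower() for name in exclude}
    return [f for f in findings if fortify_priority(f).lower() not in excluded]

# Constructed sample; metadata values are illustrative, not from a real rulepack.
SAMPLE = [
    Finding("Cross-Site Scripting: Reflected", "MyServlet.java:34", 3.0, 5.0, 4.0, 5.0),
    Finding("SQL Injection", "Dao.java:88", 5.0, 5.0, 4.0, 2.0),
    Finding("System Information Leak", "Error.java:21", 2.0, 5.0, 4.0, 5.0),
    Finding("Poor Logging Practice", "Util.java:12", 1.0, 5.0, 1.0, 5.0),
]

if __name__ == "__main__":
    # Prints the three findings that survive a Low-only exclusion.
    for f in apply_priority_filter(SAMPLE):
        print(f"{fortify_priority(f):8} {f.category} at {f.location}")
```

Because the FilterSet mechanism discards issues only after analysis, running this kind of check against real rule metadata tells you what will be missing from the FPR, not how much scan time you save.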


Maci
New Member.

Re: How to filter LOW Fortify Priority issues during scan

Hi,

Thanks for the insight into the filters. The issue template stores the definition of the filter set. Is there an option to import an issue template via the command line?

I trigger the scan on a remote machine and need to import the issue template with the filter set defined before the scan is initiated, so that when the scan runs it understands the filter set definition passed via -Dcom.fortify.sca.FilterSet (the scan is run remotely on a different machine).

V/r,

Mac
