How to filter LOW Fortify Priority issues during scan
Looking for an option to filter out LOW Fortify Priority issues during scan. With this approach, the FPR generated from the scan will not contain LOW Severity issues. Please suggest how to configure the scan for this purpose. I am using the command line scan. There is a quick scan mode, but it is not useful, as the requirement for the scan is to report all Critical, High and Medium issues that would appear in normal scan mode. I just need to exclude Low issues.
C:\DIR>c:\fortify\jre\bin\java -d64 -Xmx2000M -jar "c:\\fortify\\Core\\lib\\exe\\fpr-utility-exe.jar" -project "FILE.fpr" -information -search -query "[OWASP Top 10 2013]:A [fortify priority order]:!low [fortify priority order]:!medium file:!/*.plist file:!/node_modules/ file:!/Pods/ file:!/Pods.build/ file:!/dojo/" -categoryIssueCounts -listIssues
1 issues of 9 matched search query.
Issue counts by category:
"Cross-Site Scripting: Reflected" => 1 Issues
welcome/src/main/java/foo/MyServlet.java:34 (Data Flow)
Total for all categories => 1 Issues
I know this post is a little old, but I found it while digging around and wanted to provide a response for future forum searchers.
For reducing the FPR size and eliminating some of the findings, you can use the following at scan time.
This allows category, rule or instance IDs to be specified. For instance, you could eliminate a low category like "Poor Logging Practice" and a few others via a file input.
More details here: https://www.microfocus.com/documentation/fortify-static-code-analyzer-and-tools/1720/HPE_SCA_Help_17.20/index.htm#FilterFiles/AboutFilterFiles.htm
and here: https://www.microfocus.com/documentation/fortify-static-code-analyzer-and-tools/1720/HPE_SCA_Help_17.20/index.htm#FilterFiles/FilterFileExamples.htm
Using a FilterSet at scan time will take all hidden issues and discard them. This will not reduce scan time, as they will still be scanned/discovered, but they will be discarded at the end and thus not end up in the FPR file. So you could create a custom filter set that hides all LOW issues and apply it at scan time.
You can find more information about this here:
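Added example (my own, not code from any post in this thread) showing the two scan-time mechanisms the replies above describe: a filter file passed with -filter, and a filter set from an issue template passed with -project-template plus -Dcom.fortify.sca.FilterSet. It assumes sourceanalyzer is on PATH, that the translation step has already run under the build ID "MyProject", and that an issue_template.xml containing a filter set named "No Low Issues" exists; the build ID, file names and filter set name are placeholders you must change. The category names in the filter file are real Fortify categories; the commented rule ID and instance ID lines are hypothetical placeholders showing the expected shape only.

```shell
#!/bin/sh
# Added example, not from the forum thread. Placeholders: BUILD_ID, file names,
# and the filter set name "No Low Issues" (assumed to exist in issue_template.xml).
BUILD_ID="MyProject"
FILTER_FILE="low_filter.txt"

# Write a scan-time filter file. One entry per line: a category name, a rule ID
# or an instance ID. Lines starting with '#' are comments. Anything matching an
# entry is discarded before the FPR is written (the analysis still runs in full).
write_filter_file() {
  cat > "$1" <<'EOF'
# Drop whole categories, spelled exactly as shown in Audit Workbench
Poor Logging Practice: Use of a System Output Stream
Dead Code: Unused Field
# Drop a single rule (hypothetical placeholder; copy a real rule ID from your FPR)
# 00000000-0000-0000-0000-000000000000
# Drop a single finding (hypothetical placeholder; 32 hex chars from an existing FPR)
# 00000000000000000000000000000000
EOF
}

# Count active (non-comment, non-blank) entries so a typo-riddled filter file
# does not silently filter nothing, or everything, before a long scan.
count_filter_entries() {
  grep -v '^[[:space:]]*#' "$1" | grep -c '[^[:space:]]'
}

# Mechanism 1: filter file. Issues matching the file are dropped from the FPR.
scan_with_filter_file() {
  write_filter_file "$FILTER_FILE"
  echo "Filter entries active: $(count_filter_entries "$FILTER_FILE")"
  sourceanalyzer -b "$BUILD_ID" -scan -filter "$FILTER_FILE" -f results_filtered.fpr
}

# Mechanism 2: filter set. The issue template is supplied with -project-template
# so the scan can resolve the filter set name; every issue the named filter set
# hides (here, assumed: all Low priority) is discarded from the FPR.
scan_with_filter_set() {
  sourceanalyzer -b "$BUILD_ID" -scan \
    -project-template issue_template.xml \
    -Dcom.fortify.sca.FilterSet="No Low Issues" \
    -f results_no_low.fpr
}
```

Neither mechanism shortens the scan; both only change what is written to the FPR, so keep an unfiltered FPR from at least one full run if you ever need to audit what was dropped. Note also that a filter file matches on category, rule or instance, not on priority, so hiding "all Low" is a job for the filter set, while the filter file is for named categories you have decided to exclude.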
Thanks for the insight into the filters. The issue template stores the definition of the filter set. Is there an option to import an issue template via the command line?
I want to trigger the scan on a remote machine and import the issue template with the filter set defined before the scan is initiated. I need to do this so that when the scan runs it understands the filter set definition passed via -Dcom.fortify.sca.FilterSet (the scan is run remotely on a different machine).