Importing tags / comments from previous scan.
As part of our development process, we'd like the capability of storing the tagging and comments we've made on specific findings as part of our source code. Currently, the only way this appears to be possible is to physically include the .FPR file and then perform an append on the subsequent scan (or merge using fpr utilities.) This has several drawbacks:
- The merged results may have duplicate files if scans were performed on different build servers or local developer machines.
- We're having to check in large binary blobs into source control.
- An .FPR isn't easily "diffed" (although the audit XML contained within could easily be diffed if that were exposed).
Is there something I'm fundamentally missing? It seems like this would be a key piece of functionality, especially for any environment performing automated builds.
I would recommend you take a look at SSC (Software Security Center). You probably already have access to it through the SSO but it will certainly help with some points of your question. The remaining points I can't really answer without knowing more about the complete environment you're in.
I also recommend using Protect724 to ask questions because there is a larger group of people and knowledge to draw upon (https://protect724.hp.com/community/fortify). Let me know if you have any questions.
Have a good day,