
Importing tags / comments from previous scan.

As part of our development process, we'd like the capability of storing the tagging and comments we've made on specific findings as part of our source code.  Currently, the only way this appears to be possible is to physically include the .FPR file and then perform an append on the subsequent scan (or merge using fpr utilities.)  This has several drawbacks:


  • The merged results may have duplicate files if scans were performed on different build servers or local developer machines.
  • We're having to check in large binary blobs into source control.
  • An .FPR isn't easily "diffed" (although the audit XML contained within could easily be diffed if that were exposed).

Is there something I'm fundamentally missing?  It seems like this would be a key piece of functionality, especially for any environment performing automated builds.


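The question above rests on two facts: an .FPR is a ZIP archive, and the audit annotations live in an XML member inside it. The following is an added illustration (not code from the original post or from the Fortify product) of how a build pipeline could pull that XML out of the archive so it can be versioned and diffed as text, and how annotations from two scans can be merged keyed on the finding's instance ID instead of appending whole result sets. The element and attribute names in the sample documents are a simplified, constructed stand-in for the real audit schema, and the assumption that an instance ID stays stable for the same finding across scans is what makes the merge meaningful.

```python
"""Extract audit XML from an FPR-style archive and merge annotations by instance ID.

Added example: the <Audit>/<Issue> structure below is a constructed, simplified
schema for illustration, not the real Fortify audit.xml schema.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

# Constructed sample audits from two scans of the same code base (simplified schema).
SCAN_A = """<Audit>
  <Issue instanceId="A1B2" tag="Not an Issue" comment="Input is a compile-time constant"/>
  <Issue instanceId="C3D4" tag="Exploitable" comment="Needs fix in the parser"/>
</Audit>"""

SCAN_B = """<Audit>
  <Issue instanceId="C3D4" tag="Exploitable" comment="Needs fix in the parser"/>
  <Issue instanceId="E5F6" tag="Suspicious" comment="Review in next sprint"/>
</Audit>"""


def build_fpr(audit_xml: str) -> bytes:
    """Build an in-memory ZIP that mimics an FPR containing an audit.xml member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("audit.xml", audit_xml)
    return buf.getvalue()


def extract_audit_xml(fpr_bytes: bytes) -> str:
    """Pull audit.xml out of the archive so it can be committed and diffed as text."""
    with zipfile.ZipFile(io.BytesIO(fpr_bytes)) as zf:
        return zf.read("audit.xml").decode("utf-8")


def parse_audit(audit_xml: str) -> dict:
    """Map instanceId -> {tag, comment}.

    Assumption: the instance ID identifies the same finding across scans, so it is
    the right merge key even when scans ran on different build machines.
    """
    root = ET.fromstring(audit_xml)
    return {
        issue.get("instanceId"): {"tag": issue.get("tag"), "comment": issue.get("comment")}
        for issue in root.iter("Issue")
    }


def merge_audits(*audits: dict) -> dict:
    """Union keyed by instanceId: duplicates collapse, later scans win on conflict."""
    merged = {}
    for audit in audits:
        merged.update(audit)
    return merged


def audit_diff(old: dict, new: dict) -> dict:
    """Report annotations added, removed or changed between two scans."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(k for k in set(old) & set(new) if old[k] != new[k]),
    }


def to_audit_xml(audit: dict) -> str:
    """Serialise a merged audit back to the simplified XML, sorted for stable diffs."""
    root = ET.Element("Audit")
    for iid in sorted(audit):
        ET.SubElement(root, "Issue", instanceId=iid, **audit[iid])
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    a = parse_audit(extract_audit_xml(build_fpr(SCAN_A)))
    b = parse_audit(extract_audit_xml(build_fpr(SCAN_B)))
    print("diff:", audit_diff(a, b))
    print(to_audit_xml(merge_audits(a, b)))
```

Sorting the output by instance ID is what keeps the committed file diff-friendly: a re-export after an unchanged scan produces an empty diff rather than reordered lines.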

Hi Matt,

I would recommend you take a look at SSC (Software Security Center).  You probably already have access to it through the SSO but it will certainly help with some points of your question.  The remaining points I can't really answer without knowing more about the complete environment you're in.  

I also recommend using Protect724 to ask questions because there is a larger group of people and knowledge to draw upon (https://protect724.hp.com/community/fortify).  Let me know if you have any questions.

Have a good day,

Alec
