bhargavi.g@hpe. Contributor.
11792 views

In fortify auditworkbench, what is the difference between hiding issue and suppressing issue?


I am using fortify to scan static code. When I encounter false positives, I suppress them and the issues count reduces. The same can be achieved by using the hide issue option also. So what is the difference between hiding and suppressing an issue? Thanks for the help in advance.


Accepted Solutions
Jaime Rojas Super Contributor.

Re: In fortify auditworkbench, what is the difference bet...


Hi bhargavi.g@hpe.,

Hiding an issue could be interpreted as an issue that exists, but you don't care about it. An example of this is the "Audit Guide" feature. When you apply Audit Guide Options telling AuditWorkbench "Don't show Code Quality Issues", those issues go to Hide status, but they are not discarded and will be reported again on the next FPR after the merge process.

On the other hand, Suppressing an Issue is often used as a Final Status in the "Issue Lifecycle". For example, in Scan #{n} you verified that an Issue is a "False Positive" and marked it as "Not an Issue" on its FPR as evidence with your audit comments. As you know that it is not an issue and you do not want to see it anymore, on Scan #{N+1} you can Suppress the issue and it will remain hidden on further FPRs after merges, without the need to apply audit guide filters or hide each issue on every scan.

Hope this is useful.

Regards.

3 Replies
Micro Focus Frequent Contributor

Re: In fortify auditworkbench, what is the difference between hiding issue and suppressing issue?

Maybe this will help (from the Audit Workbench User Guide):

About Suppressed, Removed, and Hidden Issues

You can control whether the Issues view lists the following types of issues:

- Suppressed issues. As you assess successive scans of an application version, you might want to completely suppress some exposed issues. It is useful to mark an issue as suppressed if you are sure that the specific vulnerability is not, and will never be, an issue of concern. You might also want to suppress warnings for specific types of issues that might not be high priority or of immediate concern. For example, you can suppress issues that are fixed, or issues that you plan not to fix. Suppressed issues are not included in the group totals shown in the Issues view.

- Removed issues. As multiple scans are run on a project over time, issues are often remediated or become obsolete. As it merges scan results, Fortify Static Code Analyzer marks issues that were uncovered in a previous scan, but are no longer evident in the most recent Fortify Static Code Analyzer analysis results, as Removed. Removed issues are not included in the group totals shown in the Issues view.

- Hidden issues. You typically hide a group of issues temporarily so that you can focus on other issues. For example, you could hide all issues except those assigned to you. The individuals assigned to address the issues you have hidden in your view can still access them. The group totals displayed in the Issues view include hidden issues.

(Source: HPE Security Fortify Audit Workbench (17.20) User Guide, Chapter 4: Scan Results, page 57 of 134.)
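As an added example (not Fortify's code and not from the guide), a small Python model of the lifecycle the two answers describe: hiding is a view filter that is dropped at the next merge, suppression is audit state that carries forward, an issue absent from the new scan becomes Removed, and group totals count hidden issues but not suppressed or removed ones. Issue ids and categories are constructed for the walkthrough.

```python
from dataclasses import dataclass

# Constructed model of the issue lifecycle described in the thread (not
# Fortify's own code): suppression is audit data that survives an FPR merge;
# hiding is a per-view filter that is not persisted across merges.
@dataclass
class Issue:
    iid: str            # hypothetical id; a real FPR uses an instance ID hash
    category: str
    suppressed: bool = False
    removed: bool = False
    hidden: bool = False

def merge_scan(previous, new_scan):
    """Merge the latest scan (iid -> category) into the audited results."""
    merged = {}
    for iid, old in previous.items():
        # audit state (suppression) carries forward; the hidden flag does not
        merged[iid] = Issue(iid, old.category, old.suppressed,
                            removed=iid not in new_scan, hidden=False)
    for iid, cat in new_scan.items():
        merged.setdefault(iid, Issue(iid, cat))
    return merged

def apply_audit_guide(issues, hide_categories):
    """Like the Audit Guide 'Don't show ...' options: a view filter only."""
    for iss in issues.values():
        iss.hidden = iss.category in hide_categories

def group_totals(issues):
    """Counts as the Issues view shows them: hidden counted, suppressed/removed not."""
    totals = {}
    for iss in issues.values():
        if not (iss.suppressed or iss.removed):
            totals[iss.category] = totals.get(iss.category, 0) + 1
    return totals

def listed(issues):
    """Issues actually listed once suppression, removal and hiding apply."""
    return sorted(i.iid for i in issues.values()
                  if not (i.suppressed or i.removed or i.hidden))

def walkthrough():
    scan1 = {"A": "SQL Injection", "B": "Dead Code"}     # constructed scan
    issues = merge_scan({}, scan1)
    apply_audit_guide(issues, {"Dead Code"})
    step1 = (listed(issues), group_totals(issues))       # B hidden, still counted
    issues = merge_scan(issues, scan1)                    # scan 2: B reappears
    step2 = listed(issues)
    issues["B"].suppressed = True                         # audit decision persists
    issues = merge_scan(issues, {"B": "Dead Code"})       # scan 3: A no longer found
    step3 = (listed(issues), group_totals(issues), issues["A"].removed)
    return step1, step2, step3
```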

