nanchun.xiang@h

Is it possible to merge the two scan results in SSC?

Can we “merge” the results of the workflow driven scan into the results from the
previous full scan in Fortify SSC? For instance if the full scan identified 5 vulnerabilities
in application version1 and the workflow scan identifies 2 new vulnerabilities in application version2 then I’d like to have the report show all 7 vulnerabilities to not give the
false impression that 5 have been fixed in the new release.

I tried the method below: create a new version, Version2, upload the .fpr scan file of version1 to it, and then upload the workflow scan result of version2 to the Artifacts module of version2. The result is that the second scan result overwrites the first one.

ellerm

You can try this in Fortify SCA.  Conduct one scan as normal to generate the FPR file.  Run the second scan of the code via command line and utilize the -append flag along with the -f <fpr filename of previous scan> to append the new scan to the previous scan's FPR file, then upload the FPR file.

So if you did the first scan using Audit Workbench and your scan file was scan-results.fpr, run the next scan with something like:

sourceanalyzer -b <build_id>

sourceanalyzer -b <build_id> -scan -append -f scan-results.fpr

You can also try and run the first command with both projects then scan them together:

sourceanalyzer -b <build_id1>

sourceanalyzer -b <build_id2>

sourceanalyzer -b <build_id1> -b <build_id2> -scan -f scan-results.fpr

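After running the -append scan above, it is worth confirming that the resulting FPR really holds the union of both scans (the asker's 5 + 2 = 7 case) rather than only the second scan's findings. The following is an added example, not code from this thread or from Fortify: it models an .fpr as a zip containing audit.fvdl and compares the InstanceIDs of the previous and merged files. The FVDL documents it builds are constructed and minimal; only the Vulnerability/InstanceInfo/InstanceID elements the check reads are modelled.

```python
import io
import xml.etree.ElementTree as ET
import zipfile


def make_fvdl(instance_ids):
    """Build a constructed, minimal audit.fvdl with one <Vulnerability> per ID.
    Real FVDL carries far more (ClassInfo, traces, a namespace); only the
    elements read by instance_ids() below are modelled here."""
    vulns = "".join(
        f"<Vulnerability><InstanceInfo><InstanceID>{iid}</InstanceID>"
        f"</InstanceInfo></Vulnerability>"
        for iid in instance_ids
    )
    return f"<FVDL><Vulnerabilities>{vulns}</Vulnerabilities></FVDL>"


def make_fpr(instance_ids):
    """Pack a constructed FVDL into an in-memory .fpr (a zip holding audit.fvdl)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("audit.fvdl", make_fvdl(instance_ids))
    return buf.getvalue()


def instance_ids(fpr_bytes):
    """Return the set of vulnerability InstanceIDs in an .fpr's audit.fvdl.
    The {*} wildcard matches any namespace, so a real FVDL parses the same way."""
    with zipfile.ZipFile(io.BytesIO(fpr_bytes)) as zf:
        root = ET.fromstring(zf.read("audit.fvdl"))
    path = ".//{*}Vulnerability/{*}InstanceInfo/{*}InstanceID"
    return {node.text for node in root.findall(path)}


def merge_report(previous_fpr, merged_fpr):
    """Compare the previous scan's FPR with the FPR produced by the -append scan."""
    before = instance_ids(previous_fpr)
    after = instance_ids(merged_fpr)
    return {
        "previous": len(before),
        "merged": len(after),
        "new": sorted(after - before),
        # Anything listed here was in the old scan but is missing from the
        # new FPR: the second scan overwrote the first instead of appending.
        "dropped": sorted(before - after),
    }
```

A non-empty "dropped" list is the symptom the asker saw when uploading the second FPR on its own; an empty one with "merged" equal to the union confirms the append worked.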
Micro Focus Expert

I think Mike's process would only work for SCA-produced scans (SAST) and not WebInspect-produced scans (DAST).

For WebInspect scans, it is best to utilize WebInspect Enterprise (WIE) to Publish the scans into SSC Server.  This Publish action is an intelligent merge of the results, keeping all unique issues, such as with a Venn diagram.  This action should retain existing, Published findings that were not found in the second scan(s), add any New findings to the Project/Application Version, and it should not generate duplicates for findings that are already listed in that SSC Project/Application Version.

The Publish action is currently automatic for any scans produced via WIE-connected Sensors, but it is not automatic for other scans.  If you manually upload a WebInspect scan into WIE Manager's web console, then you must manually trigger it to Publish.  A smoother alternative for that is to use the Enterprise Server menu in WebInspect desktop to Connect to the WIE Manager, and then use the same menu to Publish a selected scan(s).  This will then upload the scan into WIE Manager and then Publish it for you.

Furthermore, if you choose to perform some mark-up (False Positives) in WebInspect or WIE, when the scan has already been Published to SSC, then you must re-Publish the scan in order to update those issues in SSC.  That update action is not automatic at this time (WebInspect/WIE/SSC v16.10).  Due to that process flow, it is probably preferable to perform the mark-up of FP ("Issue Audit", "Not An Issue") inside the SSC web console instead.

-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify
richard.bri.smi (accepted solution)

If you're not using WebInspect Enterprise, and you only have WebInspect and SSC, there is still a method for accomplishing your goal. Please search the WebInspect Help for "Scan Merge". The high-level process would be:

1.  Create a scan merge scan target from the command line as
     wi.exe -ic {TargetScanID} {TargetScanName}

2.  Merge scan1 and scan2 into your target scan

     wi.exe -im {TargetScanID} {scan1} {scan2}

3.  Export TargetScanName to FPR

4.  Publish TargetScanName.FPR to a project version in SSC

Micro Focus Expert

I totally forgot about that new-ish feature.  The CLI can be used to Merge scans in WebInspect desktop, and then you can upload that to SSC Server as a single scan for the Project/Application Version.

-- Habeas Data
richard.bri.smi

Yep.  Scan merge was added in WebInspect 10.4.

ellerm

Yep, you're correct, this is for SCA merging.

nanchun.xiang@h

Thanks a lot, Hans. I will try the solutions you provided.

nanchun.xiang@h

Thanks a lot, Rick.
