
Missing suppressed items in fortify scans after upgrade

Hello,

I am facing an issue with fpr files after fortify upgrade. 

Fortify scan result, fpr 1, was generated with SCA 5.10.0.0102 (Fortify 360), and contained 68 suppressed items.

We then upgraded to fortify 4.0 with SCA 6.00.0096 and used the same scripts to generate the subsequent scan result - fpr 2. Fpr 2 was generated with 39 suppressed items. Any idea what went wrong here? How did I end up missing 29 suppressed items?

To resolve the issue, I opened fpr 1 in AWB 4.10.0120 and merged fpr 2; the resultant scan shows 40 suppressed items!

Please let me know what I am doing wrong.

Thanks.

Meghendra

Absent Member.

Hi Meghendra, were these issues Suppressed because they were False Positives? Or just because they weren't of interest to your organisation? Each SCA release includes improvements to the analysers and part of this work focuses on the reduction in False Positives.

However if these were valid issues which were simply suppressed as they're not of interest, can you please send debug logfiles from the translation and scan with each version to fortifytechsupport@hp.com, along with the category and rule ID for some of the missing issues. If possible the analysis trace from these issues would also be useful.

If you require assistance in generating the debug logfiles please let me know how the scan is being conducted and I can advise further.
