Missing suppressed items in Fortify scans after upgrade
I am facing an issue with fpr files after a Fortify upgrade.
Fortify scan result, fpr 1, was generated with SCA 5.10.0.0102 (Fortify 360), and contained 68 suppressed items.
We then upgraded to Fortify 4.0 with SCA 6.00.0096 and used the same scripts to generate the subsequent scan result, fpr 2. Fpr 2 was generated with 39 suppressed items. Any idea what went wrong here? How did I end up missing 29 suppressed items?
To resolve the issue, I opened fpr 1 in AWB 4.10.0120 and merged fpr 2; the resultant scan shows 40 suppressed items!
Please let me know what I am doing wrong.
Hi Meghendra, were these issues Suppressed because they were False Positives? Or just because they weren't of interest to your organisation? Each SCA release includes improvements to the analysers and part of this work focuses on the reduction in False Positives.
However, if these were valid issues which were simply suppressed as they're not of interest, can you please send debug logfiles from the translation and scan with each version to email@example.com, along with the category and rule ID for some of the missing issues. If possible, the analysis trace from these issues would also be useful.
If you require assistance in generating the debug logfiles please let me know how the scan is being conducted and I can advise further.