Commodore

SSC Upload best practices regarding project versions


There are two approaches to uploading FPR files to SSC. The first is to use the same project version and continually upload FPR files to that version. The other is to create a new project version. What is the preferred way to get the most out of metrics etc.? I've noticed things like issue trending don't work well when you're using a new version for each uploaded FPR file.


Accepted Solutions
Absent Member.

Hi Mike, the recommended approach is to use the same Project Version when uploading results from the same code base. When you upload an FPR to a Project Version this is merged with the existing results on that PV. This merge will carry across any audit data and will also mark issues as New, Removed, Updated or Reintroduced. Over time the metrics for the Project Version will show how the security stance of the code base has changed - with hopefully the total number of issues being reduced as they're audited and remediated.

If the code branches you can create a new Project Version and use the Copy From functionality when creating the new PV to copy the latest Project State. This means that the new PV will begin with the issue counts and audit data from the original, so any subsequent uploads will maintain that data, saving you from having to re-audit everything again.

So basically, the idea is that each separate code base has its own Project and then each branch of that code base has its own Project Version beneath its Project.

I hope that doesn't sound too convoluted. Just let me know if anything needs clarifying.


Commodore

Ok that's kind of what I suspected and makes complete sense.  I appreciate your answer.  Also thanks for the information on the copy.  I wasn't aware of that capability.

Captain

Hi Simon,

I have a related query (though I suspect I may be doing something silly!). I am trying to scan a set of source files and a few related third-party jars. The scan results will be in two separate FPR files, one from the source scan and the other from the jar scan. Does it make sense to upload these two FPR files into the same Project Version?

Thanks in advance.

Vice Admiral

That is not a good idea.

If you were to do that, since the two FPRs contain results from a different set of files, the latest upload would cause SSC to mark all issues from files not in the latest upload as REMOVED since they were not scanned.

Uploads to a project version should be scans of the same set of files.

If for some reason you have to do two or more scans to cover everything for one project, you might want to append the results of the latter scans into the original FPR file.

You can do that several times, and it's as simple as adding "-append <filename of existing FPR>" to the scan command.

See page 57 here (SCA user guide) for further details.

-Josh

Fortify L3 support engineer

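The two answers above describe the same mechanism from two sides: the accepted answer says each upload to a Project Version is merged with the previous results and issues are labelled New, Removed, Updated or Reintroduced, and Josh's reply explains why that labelling goes wrong when two scans of different file sets are uploaded to one PV. The following toy model is an added example, not Fortify's own merge code or anything from this thread: it implements only those four status transitions plus a stand-in for audit data and for the Copy From behaviour, on constructed finding keys, so you can see the spurious Removed marks from separate uploads next to the clean result of uploading one combined FPR (the file Josh's -append step would produce). File names, categories and the ProjectVersion/Issue classes are assumptions made for the example.

```python
from collections import Counter
from copy import deepcopy
from dataclasses import dataclass, field


@dataclass
class Issue:
    status: str            # New / Updated / Removed / Reintroduced
    audited: bool = False  # stands in for audit data carried across merges


@dataclass
class ProjectVersion:
    """Simplified model of an SSC Project Version (assumption, not SSC's API)."""
    issues: dict = field(default_factory=dict)  # (file, category) -> Issue

    def upload(self, fpr):
        """Merge one scan's findings into this PV.

        `fpr` is the set of (file, category) keys the scan reported.
        Anything already tracked but absent from this upload is marked
        Removed, which is exactly the behaviour Josh warns about when
        the upload covers a different set of files.
        """
        for key in fpr:
            existing = self.issues.get(key)
            if existing is None:
                self.issues[key] = Issue("New")
            elif existing.status == "Removed":
                existing.status = "Reintroduced"
            else:
                existing.status = "Updated"
        for key, issue in self.issues.items():
            if key not in fpr:
                issue.status = "Removed"
        return self.counts()

    def audit(self, key):
        """Record that a human reviewed this issue (audit data to preserve)."""
        self.issues[key].audited = True

    def copy_from(self):
        """Model of 'Copy From' on PV creation: the branch PV starts with the
        parent's current issues and audit data instead of an empty state."""
        return ProjectVersion(deepcopy(self.issues))

    def counts(self):
        return dict(Counter(i.status for i in self.issues.values()))


# Constructed sample scans (not real findings): a source scan and a jar scan.
SRC_SCAN = {("src/Login.java", "SQL Injection"),
            ("src/Upload.java", "Path Manipulation")}
JAR_SCAN = {("lib/vendor.jar", "Insecure Randomness")}


def separate_uploads():
    """Two scans of different file sets uploaded to one PV in turn."""
    pv = ProjectVersion()
    pv.upload(SRC_SCAN)
    pv.audit(("src/Login.java", "SQL Injection"))
    after_jar = pv.upload(JAR_SCAN)   # both source issues now look Removed
    after_src = pv.upload(SRC_SCAN)   # ...and come back as Reintroduced
    return after_jar, after_src


def appended_upload():
    """The same findings uploaded as one combined FPR covering all files."""
    pv = ProjectVersion()
    first = pv.upload(SRC_SCAN | JAR_SCAN)
    pv.audit(("src/Login.java", "SQL Injection"))
    second = pv.upload(SRC_SCAN | JAR_SCAN)  # rescan: all Updated, none Removed
    branch = pv.copy_from()                  # branch PV keeps the audit state
    return first, second, branch.issues[("src/Login.java", "SQL Injection")].audited


if __name__ == "__main__":
    print("separate uploads:", separate_uploads())
    print("combined upload: ", appended_upload())
```

Running it shows the trend data the original poster cares about: with separate uploads the two source issues flip to Removed and then Reintroduced although nothing in the code changed, while the combined upload keeps them as Updated and the audit flag survives both the re-upload and the Copy From into a branch PV.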
Captain

Thanks much Josh!  You confirmed my suspicion.

The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.