Fortify Static Code Analyzer has two methods of filtering out vulnerabilities.
The first method is to use a filter file to remove issues based on specific vulnerability instances, rules, and vulnerability categories.
The second method is to use a filter set, which is created in Fortify Audit Workbench, to remove issues that are hidden from view in an issue template.
In this example we will talk about the filter file method.
Caution! Fortify recommends using filter files only if you are an advanced user.
General users should not use filter files for standard audits, mainly because auditors want to see and evaluate all issues that Fortify SCA finds.
Let's now take a look at how to exclude issues with filter files.
For this we need to create a filter file that filters out issues by instance ID, rule ID, and vulnerability category.
We can then specify this filter file with the -filter switch.
Please refer to the SCA documentation under the [Filtering the Analysis] section for the various filter types available with SCA and examples of each type:
https://www.microfocus.com/documentation/fortify-static-code-analyzer-and-tools/2320/SCA_Help_23.2.0/index.htm#filtering/UsingFilterFiles.htm?TocPath=Filtering%2520the%2520Analysis%257CExcluding%2520Issues%2520with%2520Filter%2520Files%257C_____0
So, a filter file is basically a text file that we can create with any text editor; in it we specify only the filter elements that we do not want listed in the FPR.
The first step is to create a filter file that defines the items you want to disable from the scan.
In this example we will look at the sample eightball project FPR file; in it we can see all the issues listed after the last eightball project scan in AWB.
Let's look at the sample filter file.
Here we have an Unreleased Resource issue filtered by category, a Path Manipulation issue filtered by instance ID, and a Path Manipulation issue filtered by rule ID.
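Before handing a filter file to sourceanalyzer it is worth checking what each line will actually match, since a stray space or a duplicated line is easy to miss in a plain text file. The script below is an added example, not part of this walkthrough or of Fortify's tooling; it assumes rule IDs are GUIDs and instance IDs are 32 hex characters (anything else is treated as a category name), and the IDs in its constructed sample are placeholders, not real Fortify identifiers.

```python
import re
from collections import Counter

# Assumed formats (not stated in the walkthrough): rule IDs look like GUIDs,
# instance IDs are 32 hex characters; everything else is read as a category name.
RULE_ID_RE = re.compile(r"^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$")
INSTANCE_ID_RE = re.compile(r"^[0-9A-Fa-f]{32}$")


def classify_entry(entry: str) -> str:
    """Return 'rule', 'instance' or 'category' for one filter-file line."""
    if RULE_ID_RE.match(entry):
        return "rule"
    if INSTANCE_ID_RE.match(entry):
        return "instance"
    return "category"


def lint_filter_file(text: str) -> dict:
    """Group filter-file entries by kind and flag whitespace and duplicate lines."""
    result = {"rule": [], "instance": [], "category": [], "warnings": []}
    seen = Counter()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip()
        if not entry:
            continue  # blank lines filter nothing (assumption)
        if raw != entry:
            result["warnings"].append(f"line {lineno}: surrounding whitespace on '{entry}'")
        seen[entry] += 1
        if seen[entry] > 1:
            result["warnings"].append(f"line {lineno}: duplicate entry '{entry}'")
            continue
        result[classify_entry(entry)].append(entry)
    return result


# Constructed sample mirroring the walkthrough: one category, one instance ID, one rule ID.
SAMPLE_FILTER = "\n".join([
    "Unreleased Resource: Streams",
    "0123456789ABCDEF0123456789ABCDEF",        # placeholder instance ID
    "12345678-ABCD-1234-ABCD-123456789ABC ",   # placeholder rule ID, trailing space on purpose
    "Unreleased Resource: Streams",            # duplicate on purpose
])

if __name__ == "__main__":
    report = lint_filter_file(SAMPLE_FILTER)
    for kind in ("category", "instance", "rule"):
        print(kind, report[kind])
    for warning in report["warnings"]:
        print("WARNING", warning)
```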
To accomplish this via the CLI, launch a command prompt.
Execute the sourceanalyzer command line with the -filter analysis option; refer to the syntax below:
"C:\Program Files\Fortify\Fortify_SCA_23.2.0\bin\sourceanalyzer.exe" -b Eightball -scan -filter test_filter.txt -f Eightball.fpr
This generates the Eightball.FPR file; verify the FPR file by launching Audit Workbench.
We can now see that the items defined in the filter file, the issue type Unreleased Resource: Streams and the Path Manipulation issues, are disabled.