Suppressing Categories of Issues

As you review the issues, you might want to completely suppress some exposed issues. It is useful to suppress issues if you are sure that the vulnerability category is not, and will never be, an issue of concern. You might also want to suppress warnings for specific issue categories that might not be high priority or of immediate concern.

You can suppress issue categories for the entire solution. The issue category is not reported again for the solution unless you unsuppress it (see Unsuppressing Categories of Issues).

To suppress a configuration issue category:

  1. Open the Error List window if it is not currently open.

  2. In the Error List window, right-click an issue, and then select Suppress Category.

Note: To suppress structural issues, use the Visual Studio feature for suppressing code analysis violations. For instructions, see the Visual Studio documentation.

Categories of configuration issues that you suppress are stored in a .FortifyIgnore file with your Visual Studio solution file. You can share this file with other members of your organization. For more information about this Fortify issue suppression file, see Using the Fortify Issue Suppression File.

Suppressed issues are no longer highlighted in the code as Fortify issues. The visibility of suppressed issues in the Error List or Security Assistant window depends on the setting for the Suppression State column.