Setting the Strategy for Resolving Issue Audit Conflicts

If multiple auditors are working on the same issue using different products (Fortify Software Security Center, Audit Workbench, or an IDE plugin), they might assign different values to a given custom tag. Previously, if Fortify Software Security Center detected an audit conflict such as this, it ignored all client-side changes and resolved the conflict in favor of the existing custom tag value on Fortify Software Security Center.

Note: Conflict resolution is not necessary if these auditors work within the same Fortify Software Security Center instance.

Example of the default strategy for resolving audit conflicts:

Audit Workbench users A and B are both auditing the most recent scan results for the same application version.

User A sets custom tag values for the issues uncovered and uploads the results to Fortify Software Security Center.

Fortify Software Security Center accepts the upload and changes the custom tag values for the issues based on the values that user A set for them. Now, the tag values user A set are the current custom tag values for these issues on Fortify Software Security Center.

On a different Audit Workbench instance, user B sets custom tag values for the same issues that user A audited and uploads the results to Fortify Software Security Center. Fortify Software Security Center detects that one or more of the custom tag values that B submitted conflict with the values that user A submitted for the same issues.

Result: Fortify Software Security Center ignores the audit results from user B and retains the values set by user A.

Fortify Software Security Center applies this strategy across all application versions.

You can change this strategy so that Fortify Software Security Center resolves audit conflicts in favor of the most recent changes.

Note: To perform this task, you must have the "Manage issue audit settings" permission.

To set the strategy Fortify Software Security Center uses to resolve audit conflicts:

  1. Log in to Fortify Software Security Center as an administrator.

  2. On the Fortify header, select ADMINISTRATION.

  3. In the left panel, select Configuration, and then select Issue Audit.

    The Issue Audit page opens.

  4. From the Issue audit conflict resolving strategy list, select one of the following:

    • Conflicts are resolved in favor of the SSC changes

    • Conflicts are resolved in favor of the most recent changes

  5. Click SAVE.

After you change the setting, the new strategy is applied only to new uploads. All previous conflict resolution results remain unchanged.

See Also

About Current Issues State