Auditing Issues
To display the issues you want to audit:

- Upload scan results for the application version you want to audit. For instructions, see Uploading Scan Artifacts.
- Open the AUDIT page for the application version.
- To selectively display the issues you want to audit, apply filters to the issues list. (See Filtering Issues for Display on the OVERVIEW and AUDIT Pages and Viewing Issues Based on Fortify Priority.)
- In the issues table, if you have selected a grouping, expand a group to view the issues it contains.
To audit an issue:

- To expand an issue and view its details, click its row in the table.

  Note: The screen capture that accompanies this step shows the details for an issue uncovered during a Fortify Static Code Analyzer scan. For information about viewing Fortify WebInspect results, see Viewing Fortify WebInspect Scan Results in Fortify Software Security Center.

  The CODE tab displays the area of source code associated with the issue.

- To view summary details about a step along the course that tainted data has taken, under Analysis Trace, move your cursor to that step.
- To view the code associated with a step, click the step under Analysis Trace. The corresponding line of code is highlighted on the CODE tab.
- To search for a specific string in the code associated with the issue:
  - Click the search icon.
  - In the text box displayed, type the character string. Use the next and previous icons to move through the search results.
- To view the issue history, in the right panel, select the HISTORY tab.
- To see an issue overview, details about the finding, recommendations for remediation, issue metadata, references to additional resources, and implications for your application version, in the right panel, select the INFO tab. To expand a row and view a class of information, select the corresponding arrow symbol.
- When you have enough information to start your audit, in the right panel, select the AUDIT tab.
- (Optional) To exclude an issue from display because you know it is fixed or it is not of immediate concern, click SUPPRESS.
- (Optional) If your administrator has configured application security training in Fortify Software Security Center (see Configuring Application Security Training), you can click GET TRAINING to get contextually appropriate guidance on how to remediate the selected issue. A message advises you that you are about to leave Fortify Software Security Center. Click OK.

  Fortify Software Security Center opens the application security training website in a new browser tab that displays training content based on the category, subcategory, and language of the selected issue.
- To attach a file to the issue:

  Note: After a file is attached to an issue, you can modify only its description.

  - Click ATTACHMENTS.
  - Click CLICK HERE TO ADD.
  - In the UPLOAD ATTACHMENT dialog box, click BROWSE, and then navigate to and select the file to upload.

    Supported file formats are TXT, LOG, DOC, DOCX, PDF, PPT, PPTX, JPG, JPEG, BMP, PNG, TIFF, GIF, ZIP, GZIP, TAR, and 7ZIP. (Documents in XML format are not supported.)

    Note: The file size cannot exceed 3 MB.

  - (Optional) In the Description box, type a description of the file.
  - Click SAVE. If you attached an image file, Fortify Software Security Center displays a preview of the image on the right, under Image Preview.
  - Click CODE, and then, in the right panel, select the AUDIT tab.
- To assign a user to the issue:
  - Under USER, click the pencil icon. The ASSIGN dialog box opens.
  - To locate a user to assign to the issue, in the Find user box, type part or all of a user's name, and then click FIND. Alternatively, to list all users in the system, click the Find all users link.
  - In the list of returned names, click the name of the user to assign to the issue.
  - Click APPLY. The AUDIT tab now displays the selected user name and avatar (if available).
- From the ANALYSIS list in the right panel, select a value that reflects your assessment of this issue.
- If additional custom tags are associated with the application version, specify the values for these tags.

  Note: Make sure that you provide a value for the custom tag that is designated as the primary tag for the application version. Otherwise, Fortify Software Security Center treats the issue as unaudited.

  Note: If Audit Assistant assessed the issues, the right panel displays additional fields (AA_Prediction, AA_Confidence, and AA_Training). For information about how to use these fields, see Reviewing Audit Assistant Results.

- (Optional) In the COMMENTS box, type a comment about this issue audit. (After you save your audit settings, the COMMENTS section lists your comment, as well as any other comments previously saved.)
- At the bottom of the AUDIT tab, click SAVE.