Reviewing Audit Assistant Results
After you submit scan results to Audit Assistant (an optional tool that connects Fortify Software Security Center to Fortify Scan Analytics and helps determine whether the issues returned in Fortify Static Code Analyzer scan results represent true vulnerabilities or are false positives) and Audit Assistant finishes its assessment of the issues, you can examine the results.
To view Audit Assistant results:
- Navigate to the AUDIT page for the application version.
- Use the Fortify Priority risk links, the Group by list, and the Filter by lists to display the issues you want to audit. (See Viewing Issues Based on Fortify Priority and Filtering Issues for Display on the OVERVIEW and AUDIT Pages.)
- To selectively display the issues you want to view, apply filters to the issues list. (See Filtering Issues for Display on the OVERVIEW and AUDIT Pages.)
- In the issues table, if you have selected a grouping, expand a group to view the issues it contains.
- To expand an issue and view its details, click its row in the table.
- In addition to the Analysis tag and any other custom tags associated with the application version, the right panel displays:
  - AA_PREDICTION - Exploitability level that Audit Assistant assigned to the issue.
  - AA_CONFIDENCE - Audit Assistant's level of confidence in the accuracy of its AA_PREDICTION value. This is a percentage, expressed as a value in the range 0.000 to 1.000. For example, the value 0.982 indicates a confidence level of 98.2 percent.
- If your exploitability assessment agrees with the AA_PREDICTION value displayed, select the custom tag value that corresponds to the Audit Assistant assessment from the list of custom tag values. Otherwise, select a different custom tag value.
- Click SAVE.
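The last two steps leave the auditor to decide, issue by issue, whether to accept the Audit Assistant value. The following is an added example, not part of this page or of Fortify's own code, of how a review team might use AA_PREDICTION and AA_CONFIDENCE to order that work: predicted-exploitable issues and low-confidence predictions go to a manual review queue sorted by Fortify Priority and then by lowest confidence, while high-confidence "not an issue" predictions become candidates for accepting the AA value. The prediction labels, the 0.90 threshold, and the sample issues are all constructed assumptions for illustration; only the 0.000 to 1.000 confidence range and the Fortify Priority levels come from the product documentation.

```python
"""Triage helper for Audit Assistant results (added example, not Fortify code).

Assumes each issue exported from the AUDIT page carries a Fortify Priority,
an AA_PREDICTION label and an AA_CONFIDENCE value in the range 0.000..1.000.
The prediction labels and sample issues below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List

# Fortify Priority levels, highest risk first (rank used for sorting).
PRIORITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}


@dataclass
class Issue:
    iid: str
    category: str
    priority: str          # one of PRIORITY_RANK
    aa_prediction: str     # assumed label set: "Exploitable" / "Not an Issue"
    aa_confidence: float   # AA_CONFIDENCE, 0.000 .. 1.000


def confidence_percent(value: float) -> float:
    """Convert the 0.000..1.000 AA_CONFIDENCE value to a percentage (0.982 -> 98.2)."""
    if not 0.0 <= value <= 1.0:
        raise ValueError(f"AA_CONFIDENCE out of range: {value}")
    return round(value * 100, 1)


def review_bucket(issue: Issue, threshold: float = 0.90) -> str:
    """Decide how an auditor should treat the Audit Assistant prediction.

    - Predicted exploitable: always manual review, whatever the confidence.
    - Predicted not an issue with confidence >= threshold: candidate for
      accepting the AA value as the custom tag value.
    - Anything else: confidence is too low, manual review.
    """
    if issue.aa_prediction == "Exploitable":
        return "manual-review"
    if issue.aa_confidence >= threshold:
        return "accept-candidate"
    return "manual-review"


def review_queue(issues: List[Issue], threshold: float = 0.90) -> List[Issue]:
    """Order manual-review items: highest Fortify Priority first, then the
    least confident prediction first (that is where a human adds the most)."""
    queue = [i for i in issues if review_bucket(i, threshold) == "manual-review"]
    return sorted(queue, key=lambda i: (PRIORITY_RANK[i.priority], i.aa_confidence))


# Constructed sample issues, standing in for an export of the AUDIT page.
SAMPLE_ISSUES = [
    Issue("A1", "SQL Injection",     "Critical", "Exploitable",  0.982),
    Issue("A2", "Cross-Site Scripting", "High",  "Not an Issue", 0.950),
    Issue("A3", "Path Manipulation", "Medium",   "Not an Issue", 0.610),
    Issue("A4", "Dead Code",         "Low",      "Not an Issue", 0.990),
    Issue("A5", "Command Injection", "Critical", "Not an Issue", 0.550),
]

if __name__ == "__main__":
    for issue in review_queue(SAMPLE_ISSUES):
        print(f"{issue.iid} {issue.priority:8} {issue.category:22} "
              f"{issue.aa_prediction:13} {confidence_percent(issue.aa_confidence):5.1f}%")
```

The ordering puts a low-confidence "Not an Issue" prediction on a Critical finding (A5) ahead of the high-confidence Exploitable one (A1): both need a human, but the uncertain one is the one most likely to be wrong.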