Setting Analysis Results Processing Rules for Application Versions

Analysis results processing rules enable management approval and oversight of code scans. You can configure the rules to be followed when analysis results for an application version are processed during scan artifact uploads.

To configure the analysis results processing rules for an application version:

  1. Log in to Fortify Software Security Center as an administrator, and then, on the Dashboard, click the link for the application version for which you want to configure the processing rules for analysis results.

    The AUDIT page for the application version opens.

  2. On the application version toolbar, click PROFILE.

    The APPLICATION PROFILE - <Application_Version> dialog box opens.

  3. Select the PROCESSING RULES tab, and then review the listed processing rules.

  4. Select or clear the check boxes for the processing rules you want to apply to the application version. The processing rules are described in the following table.

    Rule

    Description

    Require approval if the Build Project is different between scans

    Fortify Software Security Center compares the Build Project for the scan and the scan that preceded it. If the Build Projects differ, management approval is required before the scan can be uploaded.

    Check external metadata file versions in scan against versions on server

    If a user attempts to upload an FPR file, Fortify Software Security Center compares the external metadata version for the file with the external metadata version on the Fortify Software Security Center server. If the external metadata version for the FPR file is later (higher) than the external metadata file version on the server, Fortify Software Security Center requires approval for the file upload. If the external metadata version for the FPR file is earlier (lower) than, or the same as, the external metadata file version on the server, then Fortify Software Security Center allows the FPR file upload.

    Require approval if file count differs by more than 10%

    Fortify Software Security Center compares the file count for the scan and the scan that preceded it. If the count differs by more than ten percent, management approval is required before the scan can be uploaded.

    Perform Force Instance ID migration on upload

    A newer version of Fortify Static Code Analyzer or a Rulepack can change an instance ID from the one created in a previous scan by an older version of Fortify Static Code Analyzer (or a Rulepack). In reality, both instance IDs identify the same issue. When enabled, this rule migrates old instance IDs to the corresponding new instance IDs even if the Fortify Static Code Analyzer and Rulepack versions are the same. (Also see Automatically perform Instance ID migration on upload.)

    Require approval if result has Fortify Java Annotations

    Fortify Software Security Center checks the results to determine whether they include Fortify Java annotations. If Fortify Software Security Center finds any of the annotations, management approval is required before the scan can be uploaded.

    Require approval if line count differs by more than 10%

    Fortify Software Security Center compares the line count for the scan and the scan that preceded it. If the count differs by more than ten percent, management approval is required before the scan can be uploaded.

    Automatically perform Instance ID migration on upload

    A newer version of Fortify Static Code Analyzer or a Rulepack can change an instance ID from the one created in a previous scan by an older version of Fortify Static Code Analyzer or a Rulepack. In reality, both instance IDs identify the same issue. When enabled, this rule automatically migrates old instance IDs to the corresponding new instance IDs to preserve the history of the issues. It is sometimes useful to disable this rule as a troubleshooting measure for customer support. (Also see Perform Force Instance ID migration on upload.)

    Require approval if the engine version of a scan is newer than the engine version of the previous scan

    Fortify Software Security Center checks to determine whether any scan engine (Fortify Static Code Analyzer, Fortify WebInspect, Fortify WebInspect Agent) version is newer than the one already used in the application. If it detects newer versions, it flags the upload for management approval.

    Ignore SCA scans performed in Quick Scan mode

    Blocks the processing of Fortify Static Code Analyzer scans done in Quick Scan Mode, which searches only for high-confidence, high-severity issues.

    Require approval if the Rulepacks used in the scan do not match the Rulepacks used in the previous scan

    Fortify Software Security Center checks to determine whether you have added or removed a Rulepack, and whether a Rulepack version has changed. If it detects that a Rulepack has been added, removed, or updated, it flags the upload for management approval.

    Require approval if Fortify SCA or Fortify WebInspect Agent scan does not have valid certification

    Fortify Software Security Center checks to see that a Fortify Static Code Analyzer or WebInspect Agent scan has valid certification. If the certification is not valid, then someone may have tampered with the results in the upload. If the certification is missing, it is not possible to detect tampering. If certification is missing or is not valid, the rule requires management approval.

    Require approval if result has analysis warnings

    Fortify Software Security Center checks to see whether a Fortify Static Code Analyzer or Fortify WebInspect Agent scan contains analysis warnings. If it detects analysis warnings, the rule requires management approval.

    Note: This rule applies only to the first upload of a given results file, and does not apply to subsequent uploads of the file. For example, if audit information is added to a previously-uploaded FPR file that contains analysis warnings, Fortify Software Security Center does not require management approval when the changed file is again uploaded.

    Warn if audit information includes unknown custom tag

    If audit information includes an unknown custom tag, the rule requires management approval.

    Require the issue audit permission to upload audited analysis files

    If a user attempts to upload audited analysis files, but does not have the permissions required to audit issues (edit custom tag values for issues, add comments to issues, and suppress and unsuppress issues), this rule blocks the upload.

    Disallow upload of analysis results if there is one pending approval

    If an analysis result still requires approval, this rule blocks its upload.

    Disallow approval for processing if an earlier artifact requires approval

    If an earlier scan artifact requires approval, and was not approved, this rule blocks the user from approving the current scan artifact.

    If this processing rule is not selected, then when a user approves the current FPR, all previous FPRs are automatically approved.

  5. Click APPLY.

    Fortify Software Security Center prompts you to confirm that you want to save the settings for analysis result processing rules.
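As an added illustration (not Fortify code and not how Fortify Software Security Center implements these checks), the following Python models the comparison logic of the approval rules in the table above, so the 10% thresholds, the "newer than" version comparisons, and the missing-certification case can be exercised on constructed scan metadata. All field names, rule labels, and sample values are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]  # e.g. (23, 1, 0); tuples compare component-wise

@dataclass
class ScanMeta:
    """Constructed, simplified view of the metadata an FPR upload carries."""
    build_project: str
    engine_version: Version
    file_count: int
    line_count: int
    rulepacks: Dict[str, str]                    # rulepack name -> version
    ext_metadata_version: Version
    has_java_annotations: bool = False
    certification_valid: Optional[bool] = None   # None = certification missing
    analysis_warnings: int = 0

# Rule labels are chosen here for readability; they are not SSC identifiers.
ALL_RULES = ("build_project", "external_metadata", "file_count", "line_count",
             "java_annotations", "engine_version", "rulepacks", "certification",
             "analysis_warnings")

def differs_by_more_than(old: int, new: int, pct: float) -> bool:
    """Relative change, measured against the preceding scan's count."""
    if old == 0:
        return new != 0
    return abs(new - old) / old > pct / 100.0

def evaluate(prev: ScanMeta, cur: ScanMeta, server_ext_metadata: Version,
             enabled: Tuple[str, ...] = ALL_RULES) -> List[str]:
    """Return the enabled rules that would flag `cur` for management approval."""
    checks = {
        "build_project": prev.build_project != cur.build_project,
        # Only a newer (higher) metadata version than the server's needs approval.
        "external_metadata": cur.ext_metadata_version > server_ext_metadata,
        "file_count": differs_by_more_than(prev.file_count, cur.file_count, 10),
        "line_count": differs_by_more_than(prev.line_count, cur.line_count, 10),
        "java_annotations": cur.has_java_annotations,
        "engine_version": cur.engine_version > prev.engine_version,
        # An added, removed, or re-versioned Rulepack all show up as dict inequality.
        "rulepacks": prev.rulepacks != cur.rulepacks,
        # Missing certification cannot prove the absence of tampering, so it is
        # treated like an invalid one.
        "certification": cur.certification_valid is not True,
        "analysis_warnings": cur.analysis_warnings > 0,
    }
    return [name for name in enabled if checks[name]]
```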

See Also

Uploading Scan Artifacts

Approving Analysis Results for an Application Version