Auditing Scan Results

Note: The following procedure describes how to audit scan results from the AUDIT page. If you are working with open source results, you can audit these from either the AUDIT page or from the OPENSOURCE page.

To display the issues you want to audit:

  1. Upload scan results for the application version you want to audit. For instructions, see Uploading Scan Artifacts.

  2. Open the AUDIT view for the application version.

    The table in the AUDIT view lists issues based on their assigned folders (by default, critical to low).

  3. To selectively display the issues you want to audit, apply filters to the issues list. (See Filtering Issues for Display on the OVERVIEW and AUDIT Pages and Viewing Issues Based on Folders.)

  4. In the issues table, if you have selected an attribute to group by, expand a group to view the issues it contains.

To audit an issue:

  1. To expand an issue and view its details, click its row in the table.

    The following screen capture shows the details for an issue uncovered during a Fortify Static Code Analyzer scan. For information about viewing Fortify WebInspect results, see Viewing Fortify WebInspect Scan Results in Fortify Software Security Center.

    Tip: To view the details for the issue in a new browser window, click the Open in a new tab button. To copy the issue link so that you can easily access it later, click the Copy issue link to clipboard button.

    The CODE tab displays the path that tainted data has taken through the source code associated with the issue, from its source to the sink where the vulnerability is reported.

  2. To view summary details about a step along the course that tainted data has taken, under Analysis Trace, move your cursor to that step.

  3. To view code associated with a step, click the step under Analysis Trace.

    The corresponding line of code is highlighted on the CODE tab.

  4. To search for a specific string in the code associated with the issue:

    1. Click the search icon.

    2. In the text box displayed, type a character string. Use the next and previous icons to move through the search results.

  5. To view any audit history available for the issue, in the right pane, select the HISTORY tab.

  6. To see an issue overview, details about the finding, recommendations for remediation, issue metadata, references to additional resources, and implications for your application version, in the right pane, select the INFO tab.

  7. To expand a row and view a class of information, select the corresponding arrow.

  8. When you have enough information to start your audit, in the right pane, select the AUDIT tab.

  9. (Optional) To exclude an issue from display because you know it is fixed or it is not of immediate concern, click SUPPRESS. Suppression only removes the issue from the default display; it does not change the code or the scan results, so record the reason in a comment so that later auditors can see why the issue was suppressed.

  10. (Optional) If your administrator has configured application security training in Fortify Software Security Center (see Configuring Application Security Training), you can click GET TRAINING to get contextually appropriate guidance on how to remediate the selected issue. A message advises you that you are about to leave Fortify Software Security Center. Click OK.

    Fortify Software Security Center opens the application security training website in a new browser tab that displays training content based on the category, subcategory, and language of the selected issue.

  11. To attach a file to the issue:

    1. In the left pane, click ATTACHMENTS.

    2. Click CLICK HERE TO ADD.

    3. In the UPLOAD ATTACHMENT dialog box, click BROWSE, and then navigate to and select the file to upload.

      Supported file formats are TXT, LOG, DOC, DOCX, PDF, PPT, PPTX, JPG, JPEG, BMP, PNG, TIFF, GIF, ZIP, GZIP, TAR, and 7ZIP. (Documents in XML format are not supported.)

      Note: The file size must not exceed 3 MB.

    4. (Optional) In the Description box, type a description of the file.

    5. Click SAVE.

      If you attached an image file, Fortify Software Security Center displays a preview of the image on the right, under Image Preview.

      Note: After a file is attached to an issue, you can modify only its description.

  12. Click CODE, and then, in the right pane, select the AUDIT tab.

  13. To assign a user to the issue:

    1. Under USER, click the Edit assigned user icon.

    2. To locate a user to assign to the issue from the SELECT USER dialog box, in the Find user box, type part or all of a user's name, and then click FIND.

    3. In the list of returned names, click the name of the user to assign to the issue.

    4. Click DONE.

    The AUDIT tab now displays the selected user name and avatar (if available).

  14. From the <Primary_Tag_Name> list, select a value that reflects your assessment of this issue. Until you select a primary tag value, Fortify Software Security Center treats the issue as unaudited.

  15. If additional custom tags are associated with the application version, specify the values for those tags.

    Note: If an administrator specified that a comment is required for a custom tag you assign, then you must type a comment in the box outlined in red, which appears under the custom tag value list.

    Note: If Audit Assistant assessed the issues, the right pane displays the additional fields AA_Prediction, AA_Confidence, and AA_Training. For information about how to use these fields, see Reviewing Audit Assistant Results.

  16. In the COMMENTS box, type a comment about this issue audit. (After you save your audit settings, the COMMENTS section lists your comment, as well as any other comments previously saved.)

  17. At the bottom of the AUDIT tab, click SAVE.

Auditing Correlated Issues

If the artifacts uploaded for the application version include results from both static (Fortify Static Code Analyzer) and dynamic (WebInspect) analyses, some issues may be correlated with one another.

If an issue is correlated with one or more other issues uncovered using a different analysis engine, the Has correlated issues icon is displayed, along with the number of correlated issues that either target or originate from the selected issue.

To list issues that are correlated with other issues at the top of the table, click the Has correlated issues icon twice.

The number shown in the blue circle indicates how many issues are correlated with an issue.

To list the correlated issue or issues:

You can audit the listed issues as described in Auditing Scan Results.

Note: Correlated issues typically share a root cause. If, following an audit, a developer fixes the root problem uncovered in one issue, the remaining correlated issues may be resolved by the same fix. Confirm this with a rescan rather than closing them on that assumption.

To return to the complete issues table, to the right of the Filter by list, click CLEAR ALL.

See Also

Auditing a Batch of Issues

About Audit Assistant