Setting Analysis Results Processing Rules for Application Versions

Analysis results processing rules enable management approval and oversight of code scans. You can specify the rules to be followed when analysis results for an application version are processed during scan artifact uploads.

To configure the analysis results processing rules for an application version:

  1. Log in to Fortify Software Security Center as an administrator, and then, on the Dashboard, click the link for the application version for which you want to configure the processing rules for analysis results.

  2. On the application version toolbar of the AUDIT page, click PROFILE.

  3. In the APPLICATION PROFILE - <Application_Version> dialog box, select the PROCESSING RULES tab, and then review the listed processing rules.

  4. Select or clear the check boxes for the processing rules you want to apply to the application version. These rules are described in the following table.

    Rule / Description

    Require approval if the Build Project is different between scans

    Fortify Software Security Center compares the Build Project for the scan and the scan that preceded it. If the Build Projects differ, management approval is required before the scan can be uploaded.

    Check external metadata file versions in scan against versions on server

    If a user attempts to upload an FPR file, Fortify Software Security Center compares the external metadata version for the file with the external metadata version on the Fortify Software Security Center server. If the external metadata version for the FPR file is later (higher) than the external metadata file version on the server, Fortify Software Security Center requires approval for the file upload. If the external metadata version for the FPR file is earlier (lower) than, or the same as, the external metadata file version on the server, then Fortify Software Security Center allows the FPR file upload.

    Require approval if file count differs by more than 10%

    Fortify Software Security Center compares the file count for the scan and the scan that preceded it. If the count differs by more than ten percent, management approval is required before the scan can be uploaded.

    Perform Force Instance ID migration on upload

    A newer version of Fortify Static Code Analyzer or of a Rulepack can change an instance ID from the one created in a previous scan by an older version of Fortify Static Code Analyzer (or an older Rulepack). Both instance IDs identify the same issue. When enabled, this rule migrates old instance IDs to the corresponding new instance IDs, even if the Fortify Static Code Analyzer (or Rulepack) version is the same. For detailed information about how this rule works, see About Processing Rules that Affect Instance ID Migration.

    Require approval if result has Fortify Java Annotations

    Fortify Software Security Center checks the results to determine whether they include Fortify Java annotations. If Fortify Software Security Center finds any of the annotations, management approval is required before the scan can be uploaded.

    Require approval if line count differs by more than 10%

    Fortify Software Security Center compares the line count for the scan and the scan that preceded it. If the count differs by more than ten percent, management approval is required before the scan can be uploaded.

    Automatically perform Instance ID migration on upload

    A newer version of Fortify Static Code Analyzer or of a Rulepack can change an instance ID from one that was created in a previous scan by an older version of Fortify Static Code Analyzer or a Rulepack. Both instance IDs identify the same issue. When enabled, this rule automatically migrates old instance IDs to the corresponding new instance IDs to preserve the history of the issues. (It is sometimes useful to disable this rule as a troubleshooting measure for customer support.)

    For detailed information about how this rule works, see About Processing Rules that Affect Instance ID Migration.

    Require approval if the engine version of a scan is newer than the engine version of the previous scan

    Fortify Software Security Center checks to determine whether any scan engine (Fortify Static Code Analyzer, Fortify WebInspect, Fortify WebInspect Agent) version is newer than the one already used in the application. If it detects newer versions, it flags the upload for management approval.

    Ignore SCA quick scan results and SCA speed dial results performed with a setting of less than four

    Blocks the processing of Fortify Static Code Analyzer scans done in quick scan mode, which searches only for high-confidence, high-severity issues. This rule also prevents the upload of speed dial analysis results performed at a level of less than four.

    To allow speed dial analysis results to be uploaded, clear this check box.

    Caution! After you choose between uploading a full scan or uploading speed dial analysis results, Fortify recommends that future scan results uploaded for the application version be of the same type.

    Require approval if the Rulepacks used in the scan do not match the Rulepacks used in the previous scan

    Fortify Software Security Center checks to determine whether you have added or removed a Rulepack, and whether a Rulepack version has changed. If it detects that a Rulepack has been added, removed, or updated, it flags the upload for management approval.

    Require approval if Fortify SCA or Fortify WebInspect Agent scan does not have valid certification

    Fortify Software Security Center checks to see that a Fortify Static Code Analyzer or WebInspect Agent scan has valid certification. If the certification is not valid, then someone may have tampered with the results in the upload. If the certification is missing, it is not possible to detect tampering. If certification is missing or is not valid, the rule requires management approval.

    Require approval if result has analysis warnings

    Fortify Software Security Center checks to see whether a Fortify Static Code Analyzer or Fortify WebInspect Agent scan contains analysis warnings. If it detects analysis warnings, the rule requires management approval.

    Note: This rule applies only to the first upload of a given results file, and does not apply to subsequent uploads of the file. For example, if audit information is added to a previously uploaded FPR file that contains analysis warnings, Fortify Software Security Center does not require management approval when the changed file is uploaded again.

    Warn if audit information includes unknown custom tag

    If audit information includes an unknown custom tag, the rule requires management approval.

    Require the issue audit permission to upload audited analysis files

    If a user attempts to upload audited analysis files, but does not have the permissions required to audit issues (edit custom tag values for issues, add comments to issues, and suppress and unsuppress issues), this rule blocks the upload.

    Disallow upload of analysis results if there is one pending approval

    If an analysis result still requires approval, this rule blocks its upload.

    Disallow approval for processing if an earlier artifact requires approval

    If an earlier scan artifact requires approval, and was not approved, this rule blocks the user from approving the current scan artifact.

    If this processing rule is not selected, then when a user approves the current FPR, all previous FPRs are automatically approved.

  5. Click APPLY.

     Fortify Software Security Center prompts you to confirm that you want to save the settings for analysis result processing rules.
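As an added example (not Fortify's own code or API), the following Python model evaluates the approval rules from the table above, plus the two instance ID migration rules explained under About Processing Rules that Affect Instance ID Migration, against scan metadata; a team could run the same checks as a pre-upload gate in CI. The rule keys, the ScanMeta fields, the sample values, and the assumption that the 10% rules are measured relative to the previous scan's counts are all my own.

```python
from dataclasses import dataclass

@dataclass
class ScanMeta:
    """Metadata SSC compares between an upload and the previous scan (constructed model)."""
    build_project: str
    engine_version: tuple          # Fortify SCA version as a comparable tuple
    rulepacks: dict                # Rulepack name -> version string
    file_count: int
    line_count: int
    certified: bool = True         # scan carries valid certification
    has_warnings: bool = False     # scan contains analysis warnings
    ext_metadata_version: int = 1  # external metadata version inside the FPR

def pct_change(old, new):
    """Relative change used by the 10% file-count and line-count rules (assumed relative to previous scan)."""
    if old == 0:
        return 1.0 if new else 0.0
    return abs(new - old) / old

def approval_reasons(prev, cur, server_ext_metadata, rules):
    """Return the enabled rules (hypothetical keys) that flag `cur` for management approval."""
    checks = {
        "build_project": prev.build_project != cur.build_project,
        "file_count_10pct": pct_change(prev.file_count, cur.file_count) > 0.10,
        "line_count_10pct": pct_change(prev.line_count, cur.line_count) > 0.10,
        "engine_newer": cur.engine_version > prev.engine_version,
        "rulepacks_changed": cur.rulepacks != prev.rulepacks,   # added, removed or updated
        "certification": not cur.certified,                     # missing or invalid certification
        "analysis_warnings": cur.has_warnings,
        # only an external metadata version newer than the server's needs approval
        "ext_metadata_newer": cur.ext_metadata_version > server_ext_metadata,
    }
    return [name for name in rules if checks.get(name, False)]

def migration_runs(prev, cur, rules):
    """Automatic migration needs a changed engine or Rulepack version; the force rule ignores that."""
    if "force_iid_migration" in rules:
        return True
    if "auto_iid_migration" in rules:
        return cur.engine_version != prev.engine_version or cur.rulepacks != prev.rulepacks
    return False

# Constructed sample: a rescan with the same engine but a Rulepack update and a grown file count.
PREV = ScanMeta("webapp", (23, 1, 0), {"core": "2023.1"}, 1000, 50000)
CUR = ScanMeta("webapp", (23, 1, 0), {"core": "2023.2"}, 1150, 52000, has_warnings=True)
ENABLED = ["build_project", "file_count_10pct", "line_count_10pct", "engine_newer",
           "rulepacks_changed", "certification", "analysis_warnings", "auto_iid_migration"]

if __name__ == "__main__":
    print(approval_reasons(PREV, CUR, 1, ENABLED))  # ['file_count_10pct', 'rulepacks_changed', 'analysis_warnings']
    print(migration_runs(PREV, CUR, ENABLED))       # True (Rulepack version changed)
```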

About Processing Rules that Affect Instance ID Migration

Two processing rules affect instance ID migration: Perform Force Instance ID migration on upload, and Automatically perform Instance ID migration on upload. It is useful to understand when each of them runs.

An issue instance ID can mutate for any one of the following reasons:

  - A change in the IID-generation algorithm introduced by a new Fortify Static Code Analyzer version
  - A change in Rulepack version
  - A change in scan settings
  - Duplication of vulnerable code

The Automatically perform Instance ID migration on upload rule addresses issue instance ID mutation that results either from an IID-generation algorithm change with a new Fortify Static Code Analyzer version, or from a change in Rulepack version. For example, Fortify Software Security Center detects that the Fortify Static Code Analyzer version used in the latest scan is newer than the version used for previous scans. With "Automatically perform Instance ID migration on upload" selected, Fortify Software Security Center runs the migration. If Fortify Software Security Center detects no changes in the Fortify Static Code Analyzer version used, it does not run the migration (even if "Automatically perform Instance ID migration on upload" is selected).

The Perform Force Instance ID migration on upload rule addresses instance ID mutation that results from changes in scan settings or from vulnerable code duplication. Fortify Software Security Center can easily determine whether the Fortify Static Code Analyzer version or Rulepack version has changed. If Fortify Software Security Center detects such a change, it performs the migration automatically. However, in other cases (duplicate code, scan settings), Fortify Software Security Center cannot make this determination. You can use this processing rule to force Fortify Software Security Center to perform the migration in such cases.

If you suspect that the issue instance ID changed as a result of either changes in scan settings or vulnerable code duplication, Fortify recommends that you select the Perform Force Instance ID migration on upload processing rule.

Note: Instance ID migration takes a noticeable amount of time, which is why these two rules exist. Because you may not want to run IID migration after every upload, these rules let you decide whether instance ID migration runs after each scan upload.

See Also

Uploading Scan Artifacts

Approving Analysis Results for an Application Version