Micro Focus Fortify Audit Workbench  
Software Version: 22.1.0  
User Guide  
Document Release Date: June 2022  
Software Release Date: June 2022  
Legal Notices  
Micro Focus  
The Lawn  
22-30 Old Bath Road  
Newbury, Berkshire RG14 1QN  
UK  
Warranty  
The only warranties for products and services of Micro Focus and its affiliates and licensors (“Micro Focus”) are set forth in the  
express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an  
additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained herein. The  
information contained herein is subject to change without notice.  
Restricted Rights Legend  
Confidential computer software. Except as specifically indicated otherwise, a valid license from Micro Focus is required for  
possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software  
Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard  
commercial license.  
Copyright Notice  
© Copyright 2004 - 2022 Micro Focus or one of its affiliates  
Trademark Notices  
All trademarks, service marks, product names, and logos included in this document are the property of their respective owners.  
Documentation Updates  
The title page of this document contains the following identifying information:  
- Software Version number
- Document Release Date, which changes each time the document is updated
- Software Release Date, which indicates the release date of this version of the software
This document was produced on May 17, 2022. To check for recent updates or to verify that you are using the most recent  
edition of a document, go to:  
Micro Focus Fortify Audit Workbench (22.1.0)  
Page 2 of 156  
Preface  
Contacting Micro Focus Fortify Customer Support  
Visit the Support website to:  
- Manage licenses and entitlements
- Create and manage technical assistance requests
- Browse documentation and knowledge articles
- Download software
- Explore the Community
For More Information  
For more information about Fortify software products:  
About the Documentation Set  
The Fortify Software documentation set contains installation, user, and deployment guides for all  
Fortify Software products and components. In addition, you will find technical notes and release notes  
that describe new features, known issues, and last-minute updates. You can access the latest versions  
of these documents from the following Micro Focus Product Documentation website:  
To be notified of documentation updates between releases, subscribe to Fortify Product  
Announcements on the Micro Focus Community:  
Fortify Product Feature Videos  
You can find videos that highlight Fortify products and features on the Fortify Unplugged YouTube  
channel:  
Change Log
The following table lists changes made to this document. Revisions to this document are published
only if the changes made affect product functionality.
Software Release / Document Version: 22.1.0
Change: Updated:
- "Search Modifiers" on page 72 - Added a new search modifier shortfilename
- "Sample Projects" on page 140 - Added two new samples: a Java 14
Software Release / Document Version: 21.2.0
Software Release / Document Version: 21.1.0
Change: Updated:
- "Sample Projects" on page 140 - Removed obsolete projects
Updated:
- "BIRT Reports" on page 115 - Support for multiple versions of the
Removed:
- "Sample Projects" on page 140 - Removed obsolete projects for features no longer supported
(Java 1.5 and Findbugs)
Software Release / Document Version: 20.2.0
Change: Added:
- Security Center
Updated:
- authentication token
- "BIRT Reports" on page 115 - Added a new report description:
- "Sample Projects" on page 140 - Two new sample projects added
Chapter 1: Introduction  
This section contains the following topics:  
About Micro Focus Fortify Audit Workbench  
Micro Focus Fortify Audit Workbench (Fortify Audit Workbench) complements Micro Focus Fortify  
Static Code Analyzer with a graphical user interface you can use to scan software projects and to  
organize, investigate, and prioritize the analysis results so that your team can fix security issues  
quickly and effectively.  
From Fortify Audit Workbench, you can view and audit Fortify Project Results (FPR files) from Micro  
Focus Fortify Software Security Center, and Fortify scanning plugins for IDEs. Fortify Audit  
Workbench issue templates help you sort the results of large scans in a way that works for your  
business and workflows.  
Audit Projects and Issue Templates  
After you initiate a source code scan from Fortify Audit Workbench, Fortify Static Code Analyzer  
scans and analyzes the code to produce comprehensive results. Fortify Audit Workbench organizes  
these results into an audit project.  
In Fortify Software Security Center, an application is a codebase that serves as a container for one or  
more application versions. A Fortify Software Security Center application version is an instance of the  
codebase that will eventually be deployed. A Fortify Audit Workbench audit project is comparable to a  
Fortify Software Security Center application version in that it represents a snapshot of the codebase.  
Issue templates determine how Fortify Audit Workbench (and Fortify Software Security Center)  
configures and prioritizes the vulnerabilities (issues) uncovered in source code. Fortify Audit  
Workbench comes with a single basic issue template, which you can use as is, or modify to suit your  
project needs. You can also import an issue template from Fortify Software Security Center, or create  
a new issue template from Fortify Audit Workbench.  
Hybrid 2.0 Technology  
The Fortify Audit Workbench Hybrid 2.0 technology connects penetration test results directly to  
source code analysis results to reveal hidden vulnerability relationships and expose their root causes  
within the source code. This enables your security and development teams to more accurately identify  
and prioritize vulnerabilities, and more productively investigate and remediate security issues in the  
source code.  
Integration with Fortify Software Security Center  
Micro Focus Fortify Software Security Center provides a web portal that developers, managers, and  
security teams can use to share, collaborate, and track remediation of the potential vulnerabilities  
Fortify Static Code Analyzer scans uncover. If you connect Fortify Audit Workbench to your Fortify  
Software Security Center instance, you can upload and merge your scan and audit results and share  
them with your team. This enables you to monitor trends and indicators across multiple application  
versions.  
Integration with Fortify Software Security Center enables you to:  
- Upload and download FPR files
- Perform collaborative application audits
- Manage the security content, which consists of Fortify Secure Coding Rulepacks, custom Rulepacks,
and external metadata applied during Fortify Static Code Analyzer scans
- Check for and install available upgrades of Fortify Static Code Analyzer and associated applications
(including Fortify Audit Workbench)
- Download issue templates
- Upload new and modified issue templates
Related Documents  
This topic describes documents that provide information about Micro Focus Fortify software  
products.  
Note: You can find the Micro Focus Fortify Product Documentation at  
https://www.microfocus.com/support/documentation. Most guides are available in both PDF and  
All Products
The following documents provide general information for all products. Unless otherwise noted, these
documents are available on the Micro Focus Product Documentation website.
Document / File Name: About Micro Focus Fortify Product Software Documentation
(About_Fortify_Docs_<version>.pdf)
Description: This paper provides information about how to access Micro Focus Fortify product
documentation.
Note: This document is included only with the product download.
Document / File Name: Micro Focus Fortify License and Infrastructure Manager Installation and Usage
Guide (LIM_Guide_<version>.pdf)
Description: This document describes how to install, configure, and use the Fortify License and
Infrastructure Manager (LIM), which is available for installation on a local Windows server and as a
container image on the Docker platform.
Document / File Name: Micro Focus Fortify Software System Requirements
(Fortify_Sys_Reqs_<version>.pdf)
Description: This document provides the details about the environments and products supported for
this version of Fortify Software.
Document / File Name: Micro Focus Fortify Software Release Notes (FortifySW_RN_<version>.pdf)
Description: This document provides an overview of the changes made to Fortify Software for this
release and important information not included elsewhere in the product documentation.
Document / File Name: What’s New in Micro Focus Fortify Software <version>
(Fortify_Whats_New_<version>.pdf)
Description: This document describes the new features in Fortify Software products.
Micro Focus Fortify Software Security Center
The following document provides information about Fortify Software Security Center. Unless
otherwise noted, these documents are available on the Micro Focus Product Documentation website.
Document / File Name: Micro Focus Fortify Software Security Center User Guide
(SSC_Guide_<version>.pdf)
Description: This document provides Fortify Software Security Center users with detailed information
about how to deploy and use Software Security Center. It provides all of the information you need to
acquire, install, configure, and use Software Security Center.
It is intended for use by system and instance administrators, database administrators (DBAs),
enterprise security leads, development team managers, and developers. Software Security Center
provides security team leads with a high-level overview of the history and current status of a project.
Micro Focus Fortify Static Code Analyzer
The following documents provide information about Fortify Static Code Analyzer. Unless otherwise
noted, these documents are available on the Micro Focus Product Documentation website at
Document / File Name: Micro Focus Fortify Static Code Analyzer User Guide (SCA_Guide_<version>.pdf)
Description: This document describes how to install and use Fortify Static Code Analyzer to scan code
on many of the major programming platforms. It is intended for people responsible for security audits
and secure coding.
Document / File Name: Micro Focus Fortify Static Code Analyzer Custom Rules Guide
(SCA_Cust_Rules_Guide_<version>.zip)
Description: This document provides the information that you need to create custom rules for Fortify
Static Code Analyzer. This guide includes examples that apply rule-writing concepts to real-world
security issues.
Note: This document is included only with the product download.
Chapter 2: Getting Started  
The following topics provide an overview of Micro Focus Fortify Audit Workbench, instructions on  
how to start the tool, and instructions on how to upgrade the Static Code Analyzer and Applications  
(Micro Focus Fortify Static Code Analyzer, Fortify Audit Workbench, and any plugins or extensions  
you have installed) as new versions of the products become available.  
This section contains the following topics:  
About Upgrades  
You can check on the availability of new Fortify SCA and Applications (including Fortify Audit  
Workbench) versions from Fortify Audit Workbench. If a version newer than the one you have  
installed is available from your Micro Focus Fortify Software Security Center server, you can download  
it and upgrade your instance.  
You can also configure Fortify Audit Workbench to check for, download, and install new versions  
automatically at startup. Whether you upgrade your Fortify SCA and Applications manually or  
automatically, Fortify Audit Workbench preserves your data.  
To enable upgrades from Fortify Audit Workbench, a Fortify Software Security Center administrator  
must first set up the automatic upgrade capability on the Fortify Software Security Center server. For  
instructions on how to do this, see the Micro Focus Fortify Software Security Center User Guide.
Upgrading Manually  
You can check for newer Fortify SCA and Applications versions manually, either from the Fortify Audit  
Workbench Help menu, or from the Options dialog box.  
To check for, and (potentially) install, a newer Fortify SCA and Applications version:  
1. Select Options > Options.  
The Options dialog box opens to the Server Configuration settings.  
2. Under Audit Workbench Upgrade Configuration, do the following:
a. In the Server URL box, type the URL for the installers folder on your Fortify Software
Security Center server (for example, http://my.domain.com:8080/ssc/update-site/installers).
Note: If your Fortify Software Security Center administrator set up the automatic
upgrade capability using an XML file other than update.xml, then you must include the
XML file in the Server URL box (for example,
file>.xml).
b. Click Check Now.
Note: You can also select Help > Check for Upgrades after you set up a Fortify
Software Security Center installer URL as described in the previous step.
The Fortify Audit Workbench polls the upgrade server for information about the Fortify SCA and  
Applications versions available for the platform on which it is running. If a newer version is available,  
Fortify Audit Workbench prompts you to indicate whether you want to proceed to download and  
install it.  
Important! If you have the Fortify Plugin for Eclipse installed, after you upgrade your Fortify  
SCA and Applications from Fortify Audit Workbench, you must uninstall, and then reinstall the  
Fortify Plugin for Eclipse.  
Configuring Automatic Upgrades  
To configure upgrade checks at Fortify Audit Workbench startup:  
1. From Fortify Audit Workbench, select Options > Options.  
The Options dialog box opens to the Server Configuration settings.  
2. Under Audit Workbench Upgrade Configuration, do the following:
a. In the Server URL box, type the URL for the installers folder on your Fortify Software
Security Center server (for example, http://my.domain.com:8080/ssc/update-site/installers).
Note: If your Fortify Software Security Center administrator set up the automatic
upgrade capability using an XML file other than update.xml, then you must include the
XML file in the Server URL box (for example,
file>.xml).
b. Select the Check for upgrades at startup check box.
3. Click OK.  
Each time you start Fortify Audit Workbench, it checks the server to determine if a newer Fortify  
SCA and Applications version is available and then, if a newer version is available, downloads and  
installs it.  
Important! If you have a Fortify Plugin for Eclipse installed, after you upgrade your Fortify  
SCA and Applications from Fortify Audit Workbench, you must uninstall, and then reinstall the  
Eclipse Plugin.  
Renewing Expired Licenses  
The license for Fortify Audit Workbench expires annually. For information about how to obtain a  
Fortify license file, see the Micro Focus Fortify Software System Requirements document.  
To update an expired license:  
1. Put the updated Fortify license file in the <sca_install_dir> folder.
2. Start Fortify Audit Workbench and verify that it opens successfully.  
About Starting Fortify Audit Workbench  
You can start Fortify Audit Workbench from the start menu on a Windows system. You can start it  
from the command line on any supported operating system.  
Starting Fortify Audit Workbench on Windows Systems  
To start Fortify Audit Workbench on a Windows system, do one of the following:  
- Select Start > All Programs > Fortify SCA and Applications <version> > Audit Workbench.
- Start Fortify Audit Workbench from the command line:
a. Open a Command window.
b. At the prompt, type auditworkbench.
Starting Fortify Audit Workbench on Non-Windows Systems  
To start Fortify Audit Workbench on a non-Windows system:  
1. Open a command prompt window, and then navigate to the <sca_install_dir>/bin directory.
2. At the prompt, type auditworkbench.
Changing the Appearance  
Fortify Audit Workbench comes with a dark or light (default) theme.  
To change the appearance:  
1. Select Options > Appearance and select a theme.  
Note: To reset the appearance to the default theme, select Reset Interface.  
2. Restart Fortify Audit Workbench when prompted.  
Fortify Software Security Content  
Fortify Audit Workbench uses a knowledge base of rules to enforce secure coding standards  
applicable to the codebase for static analysis. Fortify software security content consists of Fortify  
Secure Coding Rulepacks and external metadata:  
- Fortify Secure Coding Rulepacks describe general secure coding idioms for popular languages and
public APIs
- External metadata provides mappings from the Fortify vulnerability categories to alternative
categories (such as CWE, OWASP Top 10, and PCI)
Fortify provides the ability to write custom rules that add to the functionality of Fortify Static Code  
Analyzer and the Secure Coding Rulepacks. For example, you might need to enforce proprietary  
security guidelines or analyze a project that uses third-party libraries or other pre-compiled binaries  
that are not already covered by the Secure Coding Rulepacks. You can also customize the external  
metadata to map Fortify issues to different taxonomies, such as internal application security  
standards or additional compliance obligations. For instructions on how to create your own custom  
rules or custom external metadata, see the Micro Focus Fortify Static Code Analyzer Custom Rules  
Guide.  
If you are using collaborative auditing with Micro Focus Fortify Software Security Center, make sure  
that any custom rules or external metadata changes are also made in Fortify Software Security  
Center.  
Typically, you obtain the current Fortify Software Security Content when you install Fortify SCA and  
Applications.  
Configuring Security Content Updates  
You can configure the server from which to update security content and whether to have the security  
content updated from a server automatically.  
To update security content from your local system (if you do not have an internet connection or a  
Micro Focus Fortify Software Security Center server), see "Updating Security Content" on page 21.  
To configure the server from where you will obtain security content:  
1. Select Options > Options.  
2. In the left pane, select Server Configuration.  
3. To update security content from your Fortify Software Security Center server:  
a. Under Security Content Update, select Update from Software Security Center.  
b. Under Software Security Center, specify the Fortify Software Security Center server URL  
and if required, the proxy server, port number, and credentials for proxy authentication.  
Note: When you specify proxy information, exclude the protocol from the proxy server  
(for example, some.secureproxy.com). You must specify a proxy port number.  
4. To specify an update server from which to update security content, under Security Content  
Update, do the following:  
a. In the Server URL box, type the URL for the update server.  
b. If required, specify the proxy server, port number, and credentials for proxy authentication.  
Note: When you specify proxy information, exclude the protocol from the proxy server  
(for example, some.secureproxy.com). You must specify a proxy port number.  
5. To update security content from a server automatically and with a specific frequency:  
a. Select the Update security content automatically check box.  
b. In the Update frequency (days) box, specify how often to update the security content.  
6. Click OK.  
See Also  
Updating Security Content  
To optimize Fortify Audit Workbench functionality to scan with Micro Focus Fortify Static Code  
Analyzer, you must have up-to-date security content. You can update Fortify security content from a  
configured server or from your local system.  
To update security content:  
1. Select Options > Options.  
2. In the left pane, select Security Content Management.  
Note: Scroll to the bottom of the Installed Fortify Security Content list to see the external  
mappings.  
Any custom rules and custom external mappings appear in the Installed Custom Security  
Content list.  
3. To update Fortify security content from a server, do the following:  
a. (Optional) From the Locale list, select a language.  
Fortify provides security content in English, Simplified Chinese, Traditional Chinese,  
Japanese, Korean, Spanish, or Brazilian Portuguese. Issue descriptions and recommendations  
are available in the selected language and the Fortify categories are in English.  
b. Click Update.  
4. To update Fortify security content from your local system, under Update Security Content from  
Local System, do the following:  
a. Click Fortify Security Content.  
b. Navigate to a Fortify security content ZIP file, and then click Open.  
All existing security content is replaced with the selected Fortify security content. Any existing  
custom security content is unchanged.  
See Also  
Importing Custom Security Content  
You can import custom security content to use in your scans.  
Note: To import custom external metadata, you must place your external metadata file in the  
<sca_install_dir>/Core/config/CustomExternalMetadata directory.  
To import custom rules, do the following:  
1. Select Options > Options.  
2. In the left pane, select Security Content Management.  
3. Under Update Security Content from Local System, click Custom Security Content.  
4. Select the custom rules files to import (*.xml and *.bin), and then click Open.  
Working with Fortify Software Security Center  
You need to configure a connection to Micro Focus Fortify Software Security Center to accomplish  
any of the following tasks:  
- Upload your scan results to Fortify Software Security Center
- Audit applications collaboratively using Fortify Software Security Center
- Update your Fortify Software Security Content from Fortify Software Security Center
Configuring a Connection to Fortify Software Security Center  
To configure a connection to Fortify Software Security Center:  
1. Select Options > Options.  
2. In the left pane, select Server Configuration.  
3. Under Software Security Center, specify the Server URL for Fortify Software Security Center.  
4. If required, specify the proxy server, port number, and credentials for proxy authentication.  
5. Click OK.  
Logging in to Fortify Software Security Center  
The first time you perform an operation that requires a connection to Micro Focus Fortify Software  
Security Center such as uploading analysis results or performing a collaborative audit, you are  
prompted to log in.  
To log in to Fortify Software Security Center:  
1. If you have not configured a connection to Fortify Software Security Center, in the SSC URL box,  
type the server URL.  
2. From the Login Method list, select the login method set up for you on Fortify Software Security  
Center.  
3. Depending on the selected login method, do one of the following:
Login Method: Username/Password
Procedure: Type your Fortify Software Security Center user name and password.
Login Method: Authentication Token
Procedure: In the Token box, specify the decoded value of a Fortify Software Security Center
authentication token of type ToolsConnectToken.
Note: For instructions about how to create an authentication token from Fortify Software Security
Center, see the Micro Focus Fortify Software Security Center User Guide.
Login Method: X.509 SSO
Procedure:
a. Click Browse to the right of Certificate.
b. In the Browser for Certificate dialog box, locate the p12 package with the certificate, and then
click Open.
c. Type the password if required.
Login Method: Kerberos SSO
Procedure: Fortify Software Security Center must be configured to use SPNEGO-based Kerberos
authentication.
Note: Support for Kerberos SSO is only available on Windows systems.
4. Click OK to connect to Fortify Software Security Center.  
Chapter 3: Scanning Source Code  
The following topics describe how to scan source code and view the scan and analysis results in the  
Fortify Audit Workbench auditing interface.  
This section contains the following topics:  
Scanning Java Projects  
The Audit Guide Wizard combines the translation and analysis phases of the scanning process into a  
single step. Use this wizard to scan small Java projects that have source code in a single directory.  
To scan a new Java project:  
1. Start Fortify Audit Workbench.  
2. Under Start New Project, click Scan Java Project.  
3. Select the folder that contains all the source code you want to analyze, and then click Select  
Folder.  
Note: Micro Focus Fortify Static Code Analyzer sets the build ID to the folder name.  
4. Select the Java version used for your project, and then click OK.  
The Audit Guide Wizard opens.  
5. Select the settings for the types of issues you want to display in the results, and then click Scan.  
Fortify Static Code Analyzer analyzes the source code. If Fortify Static Code Analyzer encounters  
any problems as it scans the source code, Fortify Audit Workbench displays a warning.  
6. If a warning is displayed, click OK.  
7. After the scan is complete, Fortify Audit Workbench displays the analysis results.  
Fortify Audit Workbench stores the analysis results (FPR file) in the following directory:  
- Windows: C:\Users\<username>\AppData\Local\Fortify\AWB-<version>
- Non-Windows: <userhome>/.fortify/AWB-<version>
Note: Fortify Static Code Analyzer scans started from Fortify Audit Workbench are invoked with  
the server Java Virtual Machine.  
About Quick Scan Mode  
Quick scan mode provides a way to quickly scan your projects for critical- and high-priority issues.  
Fortify Static Code Analyzer performs the scan faster by reducing the depth of the analysis and  
applying the Quick View filter set. The quick scan settings are configurable. For more details about  
the configuration of quick scan mode, see the Micro Focus Fortify Static Code Analyzer User Guide.  
Quick scans are a great way to get many applications through an assessment so that you can quickly  
find issues and begin remediation. The performance improvement you get depends on the complexity  
and size of the application. Although the scan is faster than a full scan, it does not provide as robust a  
result set. Other issues that a quick scan cannot detect might exist in your application. Fortify  
recommends that you run full scans whenever possible.  
Note: By default, Micro Focus Fortify Software Security Center does not allow you to upload  
scans performed in quick scan mode. However, you can configure your Fortify Software Security  
Center application version so that uploaded audit projects scanned in quick scan mode are  
processed. For more information, see analysis results processing rules in the Micro Focus Fortify  
Software Security Center User Guide.  
To perform a quick scan, follow the steps described in "Scanning Large and Complex Projects" below  
and select the Enable Quick Scan Mode check box. Quick scan is also available when you scan Visual  
Studio solutions (see "Scanning Visual Studio Solutions" on page 34). Fortify Audit Workbench  
displays the scan results in its Project Summary view. You audit quick scan results just as you audit  
full scan results.  
Scanning Large and Complex Projects  
Exceptionally large codebases might require some configuration to ensure a complete scan, including  
using Micro Focus Fortify Static Code Analyzer to scan the code in smaller sections. While Fortify  
Audit Workbench enables you to edit Fortify Static Code Analyzer command options, you can handle  
large, complex scans more successfully directly through the command console. In addition, if a system  
has memory constraints, Fortify Static Code Analyzer must compete with the Micro Focus  
Fortify Audit Workbench for resources, which could result in slow or failed scans.  
Use the Advanced Static Analysis wizard for projects that have source code in multiple directories,  
special translation or build requirements, or that have files that you want to exclude from the project.  
Note: Fortify Audit Workbench filters out unsupported files within the selected source code  
directories.  
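The following script is an added example and is not part of this guide or of the Fortify product. It shows how the clean, translation, and scan phases that the Advanced Static Analysis wizard runs can be driven from the command console instead, which is the approach this section recommends for large or memory-constrained projects. It assumes the Fortify Static Code Analyzer command-line tool sourceanalyzer is on the PATH (or is pointed to through the SCA variable, for example <sca_install_dir>/bin/sourceanalyzer); the options it uses (-b, -clean, -cp, -source, -exclude, -scan, -quick, -f) are the sourceanalyzer options as known to the author of this example, not options documented on this page, and the build ID, class path, and source paths are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the Fortify guide): run the three analysis phases the
# Advanced Static Analysis wizard performs (clean, translate, scan) with the
# sourceanalyzer command-line tool. Assumption: sourceanalyzer is on PATH or
# SCA points at it; the option names are the SCA CLI options as known to the
# example's author. All paths and the build ID below are constructed samples.
set -euo pipefail

SCA="${SCA:-sourceanalyzer}"   # e.g. SCA=<sca_install_dir>/bin/sourceanalyzer
DRY_RUN="${DRY_RUN:-0}"        # DRY_RUN=1 prints each command instead of running it

run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Clean phase: remove intermediate files left by an earlier translation of this build ID.
clean_phase() {
  run "$SCA" -b "$1" -clean
}

# Translation phase: $1 build ID, $2 class path (build directories and JARs, the
# wizard's "Classpath Directory"), $3 Java version, $4 a file pattern to exclude
# (for example test sources); remaining arguments are the source roots.
translate_phase() {
  local build="$1" cp="$2" java_version="$3" exclude="$4"
  shift 4
  run "$SCA" -b "$build" -cp "$cp" -source "$java_version" -exclude "$exclude" "$@"
}

# Scan phase: $1 build ID, $2 output FPR path, $3 "1" for quick scan mode
# (reduced analysis depth, Quick View filter set), anything else for a full scan.
scan_phase() {
  local build="$1" out="$2" quick="${3:-0}"
  if [ "$quick" = "1" ]; then
    run "$SCA" -b "$build" -scan -quick -f "$out"
  else
    run "$SCA" -b "$build" -scan -f "$out"
  fi
}

# Whole pipeline. SKIP_CLEAN=1 / SKIP_TRANSLATE=1 mirror clearing the wizard's
# "Enable clean" / "Enable translation" check boxes, e.g. when only the security
# content changed and the code did not, so a re-translation is unnecessary.
full_scan() {
  local build="$1" cp="$2" java_version="$3" exclude="$4" out="$5" quick="$6"
  shift 6
  [ "${SKIP_CLEAN:-0}" = "1" ]     || clean_phase "$build"
  [ "${SKIP_TRANSLATE:-0}" = "1" ] || translate_phase "$build" "$cp" "$java_version" "$exclude" "$@"
  scan_phase "$build" "$out" "$quick"
}

# Sample invocation with constructed paths; like the wizard, the build ID is the
# project root's name. Without an installed sourceanalyzer the commands are printed.
if ! command -v "$SCA" >/dev/null 2>&1; then
  echo "sourceanalyzer not found; printing the commands that would run" >&2
  DRY_RUN=1
fi
full_scan myapp "build/classes:lib/*.jar" 11 "**/src/test/**" myapp.fpr 0 src/main/java
```

Setting DRY_RUN=1 prints the exact commands before a long scan is launched, which is a convenient way to review the class path and exclusions; running the phases this way also keeps Fortify Static Code Analyzer from competing with Fortify Audit Workbench for memory, the failure mode described above.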
To scan a new project:  
1. Start Fortify Audit Workbench.  
2. Under Start New Project, click Advanced Scan.  
3. Select the root directory of the project, and then click Select Folder.  
The Advanced Static Analysis wizard opens.  
Note: The following image shows the wizard options when you select a Java project. The  
options are different for other programming languages.  
The wizard automatically includes all supported files in the scan.  
4. (Optional) To add files from another directory:  
a. Click Add Directory.  
b. Select the folder that contains the files you want to add to the scan, and then click Select  
Folder.  
The navigation pane displays the directory and Fortify Audit Workbench adds all supported  
files to the scan. (To remove the directory, right-click the folder, and then select Remove  
Root.)  
5. (Optional) To exclude files or directories that contain, for example, test source code, right-click  
the file or directory, and then click Exclude.  
6. For Java projects, set the following:  
a. Select the build directories and JAR files, and then click Classpath Directory.  
Note: If you do not select the classpath directory, Fortify Static Code Analyzer uses the  
CLASSPATH environment variable value.  
The folder turns blue and the files are added to the class path.  
b. From the Java Version list, select the Java version of the project.  
7. In the Build ID box, type a build ID.  
The root directory is the default build ID.  
8. To specify a different output file path than the default, in the Output file box, type the path and  
file name for the FPR file that Fortify Static Code Analyzer will generate.  
9. To perform a quick scan, select the Enable Quick Scan Mode check box.  
For information about quick scans, see "About Quick Scan Mode" on page 28.  
10. Click Next.  
The analysis process includes the following phases:
• During the clean phase, Fortify Static Code Analyzer removes files from previous translation of the project.
• During the translation phase, Fortify Static Code Analyzer translates source code identified in the previous screen into an intermediate format that is associated with a build ID. The build ID is typically the project.
• During the scan phase, Fortify Static Code Analyzer scans source files identified during the translation phase and generates analysis results, in the Fortify Project Results (FPR) format.
11. (Optional) To skip an analysis phase, clear the Enable clean, Enable translation, or Enable scan  
check box.  
For example, if the security content has changed but the project has not changed, you might  
want to disable both the clean and the translation phases so that Fortify Static Code Analyzer  
scans the project without translating it again.  
12. Modify the command-line options for each Fortify Static Code Analyzer analysis phase to suit  
your requirements.  
13. (Optional) To specify the amount of memory Fortify Static Code Analyzer uses for analysis:
a. Click Configure Memory.  
b. Adjust the slider to the amount of memory required.  
Note: Fortify Audit Workbench displays the amount of memory you set for Fortify Static  
Code Analyzer followed by the amount of memory on your system.  
c. Click OK.  
14. (Optional) To analyze the source code using an installed custom Rulepack, or to disable a  
Rulepack, do the following:  
a. Click Configure Rulepacks.  
The Additional Options dialog box opens.  
b. In the Installed Fortify Security Content list, clear the check boxes that correspond to any  
Rulepacks you want to disable during the scan.  
Note: For instructions on how to add custom security content, see "Importing Custom  
c. Click OK.  
15. From the Advanced Static Analysis wizard, click Next.  
16. Select your scan settings, and then click Scan.  
Fortify Static Code Analyzer starts the scan and displays progress information throughout the  
process. If Fortify Static Code Analyzer encounters any problems scanning the source code, it displays  
a warning.  
After the scan is complete, Fortify Audit Workbench loads the audit project and displays the analysis  
results.  
Scanning Visual Studio Solutions  
If you have Visual Studio and the Micro Focus Fortify Extension for Visual Studio installed on the  
same machine as Fortify Audit Workbench, you can analyze Visual Studio solutions and projects.  
To scan a Visual Studio solution:  
1. Start Fortify Audit Workbench.  
2. Under Start New Project, click Visual Studio Build Integration.  
Note: The Visual Studio Build Integration command is only available if you have installed  
the Fortify Extension for Visual Studio with the Fortify Static Code Analyzer and Applications  
installation.  
3. Select the folder that contains the solution you want to analyze, and then click Select Folder.  
Note: Fortify Static Code Analyzer uses the selected folder name as the build ID.  
The Advanced Static Analysis wizard opens.  
4. Configure the solution settings, as follows:  
a. (Optional) Next to the Visual Studio solution file box, click Browse. Navigate to and select  
your Visual Studio solution file.  
b. From the Visual Studio version list, select the Visual Studio version used for the solution.  
c. In the Build configuration box, leave the default value DEBUG.
d. (Optional) In the Build ID box, type a different build ID.  
e. (Optional) To change the output location and file name, click Browse to the right of Output  
file.  
f. To run the scan in quick scan mode, select the Enable Quick Scan Mode check box.  
g. Click Next.  
The Advanced Static Analysis wizard displays details about the Fortify Static Code Analyzer  
analysis phases for the scan.  
• During the clean phase, Fortify Static Code Analyzer removes files from previous translation of the project.
• During the translation phase, Fortify Static Code Analyzer translates source code identified in the previous screen into an intermediate format that is associated with a build ID. The build ID is typically the project.
• During the scan phase, Fortify Static Code Analyzer scans source files identified during the translation phase and generates analysis results, in the Fortify Project Results (FPR) format.
5. (Optional) To skip a scanning phase, clear the Enable clean, Enable translation, or Enable scan  
check box.  
For example, if the Rulepacks have changed but the project has not changed, you might want to
disable both the clean and the translation phases so that Fortify Static Code Analyzer scans
the project without retranslating the source code.
6. Modify the command-line options for each Fortify Static Code Analyzer phase, if necessary.  
7. (Optional) To specify the amount of memory Fortify Static Code Analyzer uses for scanning:  
a. Click Configure Memory.  
b. Adjust the slider to the amount of memory required.  
Note: Fortify Audit Workbench displays the amount of memory you set for Fortify Static  
Code Analyzer followed by the amount of memory on your system.  
c. Click OK.  
8. (Optional) To analyze the source code using an installed custom Rulepack, or to disable a  
Rulepack, do the following:  
a. Click Configure Rulepacks.  
b. In the Installed Fortify Security Content list, clear the check boxes that correspond to any  
Rulepacks you want to disable during the scan.  
Note: For instructions on how to add custom security content, see "Importing Custom  
c. Click OK.  
9. From the Advanced Static Analysis wizard, click Next.  
10. Select your scan settings, and then click Scan.  
Fortify Static Code Analyzer starts the scan and displays progress information throughout the  
process. If Fortify Static Code Analyzer encounters any problems scanning the source code, it displays  
a warning.  
After the scan is completed, Fortify Audit Workbench loads the audit project and displays the analysis  
results.  
Rescanning Projects  
This section describes how to rescan, with new or updated rules, a project that was translated locally.
Fortify Audit Workbench automatically loads the FPR project settings such as the build ID and source  
code path, and allows you to change the command-line scanning options.  
After Fortify Static Code Analyzer completes the scan, Fortify Audit Workbench merges the analysis  
results with those from the previous scan to determine which issues are new, which have been  
removed, and which were uncovered in both scans.  
To rescan a project:  
1. Open an FPR file.  
2. Select Tools > Rescan Project.  
Note: You can only rescan a project on the same machine where the project was originally  
scanned.  
The Rescan Build ID dialog box opens.  
3. If the source code has changed since the most recent scan, click Update Project Translation to  
re-translate the project.  
Note: If the FPR file that you opened was generated by a Fortify Static Code Analyzer scan  
that was not initiated from Fortify Audit Workbench, then Update Project Translation is  
unavailable.  
Note: If the source code has changed since the most recent scan, you must update the  
translation before you rescan the code. Otherwise, a new scan cannot uncover the issues in  
the updated source code.  
4. (Optional) Modify the Fortify Static Code Analyzer scan phase command-line options, as  
necessary.  
5. To perform a quick scan, select the Enable Quick Scan Mode check box.  
6. (Optional) To change the Rulepacks used to analyze the project:  
a. Click Configure Rulepacks.  
b. Click to expand the Installed Fortify Security Content.  
c. To add and remove Rulepacks, select or clear the check boxes, as necessary.  
Note: For instructions on how to add custom security content, see "Importing Custom  
d. Click OK.  
7. Click Scan.  
After the scan is complete, Fortify Audit Workbench displays the results. Compare the new results  
with the issues uncovered in the previous scan as follows:  
• To display all new issues, select the All tab (green), and then, in the Group By list, select New Issue. Expand the Issue New group.
• To display removed issues, select the All tab, and then select Options > Show Removed Issues.
• To review issues found in both the previous scan and the new scan, select the All tab, and then in the Group By list, select New Issue. Expand the Issue Updated group.
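The clean, translation, and scan phases that the Advanced Static Analysis wizard and Rescan Project drive can also be run from the command console, which the beginning of this chapter recommends for exceptionally large codebases. The script below is an added example, not part of this guide or of the Fortify product. It assumes sourceanalyzer is on the PATH, a Java project, and placeholder paths (myproject, src/**/*.java, lib/app.jar, rules/custom.xml). The classpath, exclusion patterns, quick-scan switch, memory size, and custom Rulepack correspond to wizard steps 5, 6, 9, 13, and 14; clearing clean and translate gives the Rescan Project case, a scan of the existing translation with the current Rulepacks.

```python
"""Added example (not from the guide): run the Fortify SCA phases from a script.

Assumptions: sourceanalyzer is on PATH, the project is Java, and every path
used here is a placeholder for your own layout.
"""
import os
import shutil
import subprocess
from typing import List, Sequence


def phase_commands(
    build_id: str,
    source_files: Sequence[str],
    classpath: Sequence[str],
    out_fpr: str,
    *,
    java_version: str = "11",
    max_heap: str = "4G",
    quick: bool = False,
    excludes: Sequence[str] = (),
    custom_rules: Sequence[str] = (),
    clean: bool = True,
    translate: bool = True,
    scan: bool = True,
) -> List[List[str]]:
    """Build the sourceanalyzer command lines for the enabled phases, in wizard order.

    clean/translate/scan mirror the wizard's Enable clean, Enable translation,
    and Enable scan check boxes. Patterns such as src/**/*.java are passed
    unexpanded so that sourceanalyzer expands them itself.
    """
    cmds: List[List[str]] = []
    if clean:
        cmds.append(["sourceanalyzer", "-b", build_id, "-clean"])
    if translate:
        cmd = ["sourceanalyzer", "-b", build_id, f"-Xmx{max_heap}",
               "-cp", os.pathsep.join(classpath), "-source", java_version]
        for pattern in excludes:          # e.g. test sources (wizard step 5)
            cmd += ["-exclude", pattern]
        cmd += list(source_files)
        cmds.append(cmd)
    if scan:
        cmd = ["sourceanalyzer", "-b", build_id, f"-Xmx{max_heap}", "-scan"]
        if quick:
            cmd.append("-quick")          # Enable Quick Scan Mode
        for rules in custom_rules:        # installed custom Rulepacks
            cmd += ["-rules", rules]
        cmd += ["-f", out_fpr]
        cmds.append(cmd)
    return cmds


def run_phases(cmds: Sequence[Sequence[str]], dry_run: bool = True) -> List[int]:
    """Run each phase in order and stop at the first non-zero exit code.

    With dry_run=True (the default, so the file is safe to import) the commands
    are printed instead of executed and every phase reports exit code 0.
    """
    codes: List[int] = []
    for cmd in cmds:
        print("$", " ".join(cmd))
        if dry_run:
            codes.append(0)
            continue
        if shutil.which(cmd[0]) is None:
            raise FileNotFoundError(f"{cmd[0]} not found on PATH")
        code = subprocess.run(list(cmd)).returncode
        codes.append(code)
        if code != 0:
            break                         # never scan a failed translation
    return codes


if __name__ == "__main__":
    commands = phase_commands(
        "myproject", ["src/**/*.java"], ["build/classes", "lib/app.jar"],
        "myproject.fpr", excludes=["**/test/**"],
    )
    run_phases(commands, dry_run=True)
```

Run the file as-is to print the three commands; pass dry_run=False to execute them. Because a translation that fails leaves a stale build ID behind, the runner stops at the first failing phase rather than scanning whatever was translated last time.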
Chapter 4: Viewing Scan Results  
After a scan is completed, Fortify Audit Workbench displays the results in the auditing interface.  
This section contains the following topics:  
About Viewing Analysis Results  
After the scan is completed (or, after you open an existing audit project), summary analysis results are  
displayed in the Issues view and in the Project Summary view of the auditing interface. The Analysis  
Trace and Issue Auditing views are open, but do not contain any information until you select an issue  
from the Issues view.  
View/Tab                         More Information
Issues (top left)
Project Summary (top center)     "Project Summary View" on page 44
Source Code (top center)
Analysis Trace (bottom left)
Issue Auditing (bottom center)   "Issue Auditing View" on page 52
Functions (right)
Issues View  
The Issues view lists the issues detected in the application and provides several ways to group them.  
The view contains the Filter Set list, folders (tabs), the Group By list, the My Issues check box, and a  
search box.  
Note: In this view, you can right-click an issue and select Issue Attributes to see all the  
attributes associated with the issue such as Analysis tag, analyzer that detected the issue,  
severity, and more.  
Filter Sets  
Fortify Audit Workbench applies filters to sort and display the issues that Static Code Analyzer  
uncovers. Fortify Audit Workbench organizes filters into distinct filter sets.  
The selected filter set controls which issues are listed in the Issues view. The filter set determines the  
number and types of containers (folders) that are shown and how and where to display issues. The  
default filter sets sort the issues by severity into the Critical, High, Medium, Low, and All folders.  
Because filter sets are saved to audit project files, each audit project can have unique filter sets.  
Fortify Audit Workbench provides the following filter sets for new projects:
• Quick View: This is the default initial filter set for new projects. The Quick View filter set provides a view only of issues in the Critical folder (these have a potentially high impact and a high likelihood of occurring) and the High folder (these have a potentially high impact and a low likelihood of occurring). The Quick View filter set provides a useful first look at results that enables you to quickly address the most pressing issues.
• Security Auditor View: This is the default filter set for projects scanned in earlier product versions. This view shows all security issues detected. The Security Auditor View filter contains no visibility filters, so all issues are shown.
For instructions on how to create custom filter sets, see "Configuring Custom Filter Sets and Filters"  
If you open an FPR file that contains no custom filtertemplate.xml file or if you open an FVDL file  
or a webinspect.xml file, the audit project opens with the Quick View filter set selected.  
Specifying the Default Filter Set  
You can change the initial filter set to use for new or opened projects. You can also disable the default  
filter set so that Audit Workbench uses the filter set last enabled in the issue template to display  
analysis results for new projects.  
To select the filter set for new or opened projects:  
1. Select Options > Options.  
2. In the left pane, select Audit Configuration, and then select the Configuration tab on the right.  
3. Under Audit Project Load Mode, leave the Default Filter Set check box selected.  
If you clear the check box, the default filter is loaded. For newly-opened projects, the default filter  
for FPRs that have no embedded template or the default filter from the embedded template is  
the Security Auditor View filter set.  
4. From the list to the right of the Default Filter Set check box, select the filter set to use to display  
analysis results for new projects.  
5. Click OK.  
Folders (Tabs)  
The color-coded Critical, High, Medium, Low, and All tabs on the Issues view are called folders. You  
can customize the folders and their settings. The number of folders, names, colors, and the issue list  
can vary between filter sets and projects.  
Note: In Audit Workbench, the term folder does not refer to the folder icons in the issues list.  
Within each color-coded folder, issues are grouped into subfolders. At the end of each folder name,  
enclosed in brackets, is the number of audited issues and the total number of issues in the folder. For  
example, Command Injection - [1 / 3] indicates that one out of three issues categorized as  
Command Injection has been audited.  
The filter set you select from the Filter Set list determines which folders are visible in the Issues view.  
The following folders are visible while the Security Auditor View filter set is selected:
• The Critical folder contains issues that have a high impact and a high likelihood of occurring. Issues at this risk level are easy to discover and to exploit and represent the highest security risk to a program. Remediate critical issues immediately.
  Example: SQL Injection
• The High folder contains issues that have a high impact and a low likelihood of occurring. High-priority issues are often difficult to discover and exploit, but can result in much asset damage. They represent a significant security risk to a program. Remediate these issues with the next patch release.
  Example: Password Management: Hardcoded Password
• The Medium folder contains issues that have a low impact and a high likelihood of exploitation. Medium-priority issues are easy to discover and exploit but often result in little asset damage. These issues represent a moderate security risk to a program. Remediate these issues as time permits.
  Example: ASP.NET Misconfiguration: Missing Error Handling
• The Low folder contains issues that have a low impact and a low likelihood of exploitation. Remediate these issues as time permits. Low-priority issues are potentially difficult to discover and to exploit and typically result in little asset damage. These issues represent a minor security risk to the program.
  Example: Poor Error Handling: Empty Catch Block
• The All folder contains the issues from all the other folders.
An issue is listed in a folder if the folder filter conditions match the issue attributes. Each filter set has  
a default folder, indicated by (default) next to the folder name. If an issue does not match any of the  
folder filters, the issue is listed in the default folder.  
You can create your own folders as you need them. For example, you might group all hot issues for a  
project into a Hot folder and group all warning issues for the same project into a Warning folder. For  
instructions on how to create your own folders, see "Creating a Folder" on page 87.  
Each folder contains a list of all the issues with attributes that match the folder filter conditions. One  
folder in each filter set is the default folder, indicated by (default) in the folder name.  
Note: To show or hide suppressed, hidden, and removed issues, set the user interface  
preferences from the Options dialog box (see "Customizing the Issues View" on page 58).  
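How the folder filters, the (default) folder, the filter set's visibility, and the "Category - [audited / total]" folder labels described above fit together, as an added example that is not part of this guide or of Audit Workbench. It assumes a 0 to 5 impact and likelihood scale with 2.5 as the boundary between low and high, takes Low as the default folder, treats an issue as audited once its Analysis tag holds one of the values the Audit tab lists, and models Quick View as hiding the Medium, Low, and All folders; the sample issues are constructed.

```python
"""Added example (not from the guide or from Audit Workbench): folder filters.

Each issue is tested against the folder filters of the selected filter set in
order; the first match claims it, an issue matching no filter goes to the
(default) folder, and the All folder holds everything. The 0-5 scale, the 2.5
boundary, the default folder, and the sample issues are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Sequence, Tuple

# Primary-tag values listed for the Audit tab; an issue whose Analysis tag holds one is audited.
ANALYSIS_VALUES = {"Not an Issue", "Reliability Issue", "Bad Practice", "Suspicious", "Exploitable"}
THRESHOLD = 2.5  # assumed boundary between "low" and "high" impact / likelihood


@dataclass(frozen=True)
class Issue:
    category: str
    impact: Optional[float]         # None when the analyzer did not rate it
    likelihood: Optional[float]
    analysis: Optional[str] = None  # Analysis (primary) tag, None until audited


def _high(x: Optional[float]) -> bool:
    return x is not None and x >= THRESHOLD


def _low(x: Optional[float]) -> bool:
    return x is not None and x < THRESHOLD


# Folder filter conditions in evaluation order, as described for Security Auditor View.
FOLDER_FILTERS: List[Tuple[str, Callable[[Issue], bool]]] = [
    ("Critical", lambda i: _high(i.impact) and _high(i.likelihood)),
    ("High", lambda i: _high(i.impact) and _low(i.likelihood)),
    ("Medium", lambda i: _low(i.impact) and _high(i.likelihood)),
    ("Low", lambda i: _low(i.impact) and _low(i.likelihood)),
]
DEFAULT_FOLDER = "Low"  # assumed: the folder marked (default) in both filter sets

# Visibility per filter set: Quick View shows only the Critical and High folders.
FILTER_SETS: Dict[str, Sequence[str]] = {
    "Security Auditor View": ("Critical", "High", "Medium", "Low", "All"),
    "Quick View": ("Critical", "High"),
}


def folder_for(issue: Issue) -> str:
    """Name of the first folder whose filter matches, else the default folder."""
    for name, matches in FOLDER_FILTERS:
        if matches(issue):
            return name
    return DEFAULT_FOLDER


def build_view(issues: Sequence[Issue], filter_set: str) -> Dict[str, Dict[str, Tuple[int, int]]]:
    """Map visible folder -> category -> (audited, total), as the Issues view shows it."""
    visible = FILTER_SETS[filter_set]
    counts: Dict[str, Dict[str, List[int]]] = {name: {} for name in visible}
    for issue in issues:
        for name in (folder_for(issue), "All"):
            if name not in counts:      # hidden by the filter set's visibility filter
                continue
            pair = counts[name].setdefault(issue.category, [0, 0])
            pair[0] += int(issue.analysis in ANALYSIS_VALUES)
            pair[1] += 1
    return {f: {c: (a, t) for c, (a, t) in groups.items()} for f, groups in counts.items()}


def folder_labels(view: Dict[str, Dict[str, Tuple[int, int]]], folder: str) -> List[str]:
    """Render subfolder names like 'Command Injection - [1 / 3]'."""
    return [f"{cat} - [{a} / {t}]" for cat, (a, t) in sorted(view[folder].items())]


# Constructed sample: three Command Injection findings (one audited) plus one issue per other folder
SAMPLE_ISSUES = [
    Issue("Command Injection", 5.0, 5.0, "Exploitable"),
    Issue("Command Injection", 5.0, 5.0),
    Issue("Command Injection", 5.0, 5.0),
    Issue("Password Management: Hardcoded Password", 5.0, 1.0, "Suspicious"),
    Issue("ASP.NET Misconfiguration: Missing Error Handling", 1.0, 5.0),
    Issue("Poor Error Handling: Empty Catch Block", 1.0, 1.0, "Not an Issue"),
    Issue("Custom: Manually Created", None, None),  # matches no filter -> default folder
]

if __name__ == "__main__":
    for fs in FILTER_SETS:
        view = build_view(SAMPLE_ISSUES, fs)
        print(f"== {fs} ==")
        for folder in view:
            print(f"{folder}: {folder_labels(view, folder)}")
```

Running the file prints both filter sets side by side: under Security Auditor View the unrated issue surfaces in the Low (default) folder, while under Quick View it is not shown at all because the folder that claims it is hidden, which is why a folder count of zero in Quick View is not evidence that nothing was found.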
Group By List  
The Group By list options sort the issues into subfolders. The option you select is applied to all visible  
folders. To list all issues in the folder without any grouping, select <none>.  
To customize the existing groups, you can specify which attributes to sort by, add or remove the  
attributes to create sub-groupings, and add your own grouping options.  
The Group By settings apply to the application instance. You can apply the Group By option to any  
project opened with that instance of the application.  
For more information, see "Grouping Issues" on page 62.  
Specifying the Default Issue Grouping  
You can change the initial Group By setting to use for new or opened projects.  
To select the default Group By setting:  
1. Select Options > Options.  
2. In the left pane, select Audit Configuration, and then select the Configuration tab on the right.  
3. Under Audit Project Load Mode, select the Default Issue Grouping check box.  
If you clear the check box, the default Group By setting is set to Category.  
4. From the list to the right of the Default Issue Grouping check box, select the grouping you want  
to use to sort issues.  
5. Click OK.  
Sorting Issues  
There are several different ways to sort the issues in the Issues View. Select a sort option from the  
Sort list. The following table describes the sort options.  
Sort Method          Icons / Description
Alphabetical         Ascending icon: Sorts the groups and the issues within the groups in alphabetical order.
                     Descending icon: Sorts the groups and the issues within the groups in reverse-alphabetical order.
Group size           Descending icon: Sorts the groups by the number of contained issues from largest to smallest.
                     Ascending icon: Sorts the groups by the number of contained issues from smallest to largest.
Last modified date   Newest-first icon: Sorts the groups and issues in groups by the date last modified by Micro Focus Fortify Static Code Analyzer or the audit/comment date from newest to oldest.
                     Oldest-first icon: Sorts the groups and issues in groups by the date last modified by Fortify Static Code Analyzer or the audit/comment date from oldest to newest.
Search Box  
The search box enables you to limit the issues displayed in the folder and to search for specific issues.  
For detailed information about how to use the search box, see "Searching for Issues" on page 71.  
Project Summary View  
The Project Summary view provides detailed information about the scan.  
To open this view, select Tools > Project Summary.  
Summary Tab  
The Summary tab shows high-level information about the project. For more information, see "Viewing  
Note: If the Summary tab header indicates that there are warnings in your scan, you can review  
them in more detail in the Issue Auditing view. For more information, see "Warnings Tab" on  
Certification Tab  
The Certification tab displays the result certification status and indicates whether the code analysis  
for a scan was complete. Results certification is a check to ensure that the analysis results have not  
been altered after Micro Focus Fortify Static Code Analyzer produced them. Results certification  
shows specific information about the scanned code, including:  
• FPR certification
• Certification details such as the results and rules signatures
Build Information Tab  
The Build Information tab displays the following information:
• Build details such as the build ID, number of files scanned, source last-modified date, and the date of the scan, which might be different than the date the files were translated
• Executable lines of code (Executable LOC) scanned
  Note: Ignore this metric. It is no longer used.
• Total lines of code (Total LOC) scanned
  This metric provides the approximate number of lines that contain code constructs (comments are excluded). The process to determine the LOC varies for the different supported languages.
• List of files scanned with file sizes and timestamps
• Libraries referenced for the scan
• Java class path used for the translation
Analysis Information Tab  
The Analysis Information tab shows the Fortify Static Code Analyzer version that performed the  
scan, details about the computer on which the scan was run, the user who started the scan, scan date,  
and the time required to scan the code.  
The Analysis Information tab includes the following subtabs:
• Security Content—Lists information about the Rulepacks used to scan the source code
• Properties—Displays the Fortify Static Code Analyzer configuration properties used in the scan
• Commandline Arguments—Displays the command-line options used to scan the project
Viewing Summary Graph Information  
The summary graph displayed in the Project Summary view provides multiple perspectives on the  
sets of issues, grouped by priority (Critical, High, Medium, and Low) uncovered in a scan. You can drill  
down in the graph to see detailed information about each issue set, and create various bar charts for  
issues based on a selected issue attribute.  
The following procedure uses the WebGoat sample Java application to demonstrate how to access  
information about sets of issues graphically depicted in the summary graph.  
To access details about issue sets in an audit project:  
1. Scan your project source code or open an existing audit project.  
After the results are loaded, the Project Summary view displays the Summary tab, which  
includes the summary graph. The summary graph initially displays issues sorted into the Critical,  
High, Medium, and Low folders.  
Note: If you change the selection in the Filter Set list (Issues), the summary graph changes  
accordingly.  
2. To see a different view of the high priority issues, click the High bar.  
By default, the graph displays high priority issues based on the analysis attribute (assigned  
analysis values).  
Note: The example here shows information for analysis results that have been partially  
audited. If these results were from a fresh, unaudited scan, no analysis information would be  
available. The graph would just display a single bar that represents all (unaudited) high  
priority issues.  
3. To view the high priority issues based on a different attribute, select an item from the View By  
list.  
4. On the Issues in High bar graph, select a bar for a category that contains multiple issues.  
In the example shown here, the Null Dereference bar is selected. You can see that, of eight  
issues, three are marked as Suspicious and five are marked as Bad Practice.  
5. To synchronize the issues list with the displayed graphical view, click Sync Issue List with  
Graph.  
The issues list in the Issues view now reflects the selections in the summary graph.  
6. To return to the previous view in the summary graph, click Back.  
7. To return to the original summary graph view (issues based on priority), click Return to Folder  
Graph.  
Source Code Tab  
After you open a project in Fortify Audit Workbench, the top center view displays the Project  
Summary tab. After you select an issue in the Issues view to the left, Fortify Audit Workbench adds  
the source code tab to the top center view. This source code tab shows the code related to the issue  
selected in the Issues view.  
If multiple nodes represent an issue in the Analysis Trace view (below the Issues view), the source  
code tab shows the code associated with the selected node.  
From the source code tab, you can use the shortcut menu commands to:
• Create new issues (Create New Issue).
• Create a custom rule (Generate Rule for Function). For more information, see "Writing Rules for Functions" on page 133.
• Jump to the declaration of a function, class, variable, field, or an argument within source code that Fortify Static Code Analyzer translated (Jump to Declaration).
• Locate the file name and line number where a function occurs in the source code (Find Usages). The search results are displayed in the Search tab of the Issue Auditing view.
• Refresh the code displayed in the source code tab (Refresh). You might need to use this if the file was modified outside of Fortify Audit Workbench.
• Customize the appearance of the source code tab, such as fonts, colors, text edit settings, and so on (Editor Preferences).
About Displayed Source Code  
After you open an FPR file in Audit Workbench, the source code tab displays source code that is  
stored locally. If that source code was updated since the last scan, Fortify Audit Workbench displays  
the updated source code, even if the latest scan did not use that updated source code.  
However, if that source code is updated after you open the FPR file and Fortify Audit Workbench has  
already started and searched for the source code (even if you close the FPR in Audit Workbench and  
then re-open it) Fortify Audit Workbench does not look for or display the updated source code. It  
displays the updated source code only after you quit, and then restart Fortify Audit Workbench.  
Analysis Trace View  
When you select an issue, the Analysis Trace view displays the relevant trace output. This is a set of  
program points that show how the analyzer found the issue. For dataflow and control flow issues, the  
set is presented in the order executed. For dataflow issues, this trace view presents the path that the  
tainted data follows from the source function to the sink function.  
For example, when you select an issue that is related to potentially tainted dataflow, the Analysis  
Trace view shows the direction the dataflow moves in this section of the source code.  
The Analysis Trace view uses the icons listed in the following table to show how the dataflow moves  
in this section of the source code or execution order.  
Icon / Description (the icon images are not reproduced; each entry below describes one icon)
• Data is assigned to a field or variable
• Information is read from a source external to the code such as an HTML form or a URL
• Data is assigned to a globally scoped field or variable
• A comparison is made
• The function call receives tainted data
• The function call returns tainted data
• Passthrough, tainted data passes from one place to another
  Note: This is typically shown as functionA(x : y) to indicate that data is transferred from x to y. The x and y values are either:
  • An argument index
  • return—The return value of a function
  • this—The instance of the current object
  • A specific object field or key
• An alias is created for a memory location
• Data is read from a variable
• Data is read from a global variable
• Tainted data is returned from a function
• A pointer is created
• A pointer is dereferenced
• The scope of a variable ends
• The execution jumps
• A branch is taken in the code execution
• A branch is not taken in the code execution
• Generic
• A runtime source, sink, or validation step
• Taint change
The Analysis Trace view can display inductions. Inductions provide supporting evidence for their  
parent nodes. Inductions consist of a text node, displayed in italics as a child of the trace node, and an  
induction trace, displayed as a child of the text node (a box surrounds the induction trace). The italics  
and the box distinguish the induction from a standard subtrace.  
Issue Auditing View  
The Issue Auditing view at the bottom center of the auditing interface provides detailed information  
about each issue on the tabs, which are described in the following topics.  
Note: If any of the tabs are not visible, select Options > Show View to open them.  
Audit Tab  
The Audit tab displays information about the selected issue and enables auditors to add an audit  
evaluation, comments, and custom tag values. The following table describes the tab elements.  
Element                Description
Issue                  Displays the issue location, including the file name and line number.
User                   Displays the name of the user assigned to the issue if the results were uploaded to
                       Micro Focus Fortify Software Security Center and a user was assigned in Fortify
                       Software Security Center.
Analysis               Displays the audit assessment for the selected issue. To change the assessment,
                       select an item from the list. This is the primary tag. The default name of this tag
                       is Analysis, but it could be different depending on the custom tag settings in the
                       project configuration. The valid values for Analysis are Not an Issue, Reliability
                       Issue, Bad Practice, Suspicious, and Exploitable.
<custom_tagname>       Displays any custom tags if defined for the audit project. These are displayed
                       below the Analysis (primary) tag.
                       If the audit results have been submitted to Audit Assistant in Fortify Software
                       Security Center, then in addition to any other custom tags, the tab displays the
                       following tags:
                       • AA_Prediction—Exploitability level that Audit Assistant assigned to the issue.
                         You cannot modify this tag value.
                       • AA_Confidence—Confidence level from Audit Assistant for the accuracy of its
                         AA_Prediction value. This is a percentage, expressed in values that range from
                         0.000 to 1.000. For example, a value of 0.982 indicates a confidence level of
                         98.2 percent. You cannot modify this tag value.
                       • AA_Training—Whether to include or exclude the issue from Audit Assistant
                         training. You can modify this value.
                       For more information about Audit Assistant, see the Micro Focus Fortify Software
                       Security Center User Guide.
Suppress               Suppresses the issue. Suppressed issues are hidden by default. To display
                       suppressed issues, select Options > Show Suppressed Issues.
Unsuppress             Unsuppresses the issue (only visible if the issue is suppressed).
File Bug               Provides access to a supported bug tracker.
Comment                Appends additional information about the issue to the comment field.
Rule Information       Shows information, such as the category and kingdom, that describes the issue.
More Information       Opens the Details tab.
Recommendations        Opens the Recommendations tab.
Show merge conflicts   Shows merge conflicts in the Comments box that might exist after a merge of
                       audit projects. This check box is available only if merge conflicts exist.
Details Tab  
The Details tab provides an abstract of the issue, a detailed explanation, and examples. The following  
table describes the tab elements.  
Abstract/Custom Abstract
    Summary description of the issue, including custom abstracts that your organization
    defined.
Explanation/Custom Explanation
    Description of the conditions in which this type of issue occurs. This includes a
    discussion of the vulnerability, the constructs typically associated with it, how an
    attacker can exploit it, and the potential consequences of an attack. This element
    also provides custom explanations that your organization defined.
Instance ID
    Unique identifier for the issue.
Priority Metadata Values
    Includes impact and likelihood.
Legacy Priority Metadata Values
    Includes severity and confidence.
Remediation Effort
    The relative amount of effort required to fix and verify an issue.
Note: For more information about metadata values and remediation effort, see "Estimating  
WebInspect Agent Details Tab  
The WebInspect Agent Details tab displays information about runtime issues that Fortify
WebInspect Agent discovered. The following table describes the tab elements.
Request
    Shows the path of the request, the referrer address, and the method.
Stack Trace
    Shows the order of methods called during execution and line number information. Blue,
    clickable code links are only displayed for Fortify Static Code Analyzer-scanned code.
Recommendations Tab  
The Recommendations tab displays suggestions and examples of how to secure the vulnerability or  
remedy the bad practice. The following table lists the elements on the tab.  
Recommendations/Custom Recommendations
    Recommendations for this type of issue, including examples, and any custom
    recommendations that your organization defined.
Tips/Custom Tips
    Tips for this type of issue, including any custom tips that your organization defined.
References/Custom References
    Reference information, including any custom reference that your organization defined.
History Tab  
The History tab displays a complete list of audit actions, including details such as the time and date,  
and the name of the user who modified the issue.  
Diagram Tab  
The Diagram tab displays a graphical representation of the node execution order, call depth, and  
expression type of the issue selected in the Issues view. This tab displays information that is relevant  
to the rule type. The vertical axis represents the execution order.  
For dataflow issues, the trace starts with the first function to call the taint source, then traces the calls  
to the source (blue node) and ends the trace at the sink (red node). In the diagram, the source (src)  
and sink nodes are also labeled. A red X on a vertical axis indicates that the called function finished  
executing.  
The horizontal axis shows the call depth. A line shows the direction that control is passed. If control  
passes with tainted data through a variable, then the line is red. If control passes without tainted data,  
the line is black.  
The icons used for the expression type of each node in the diagram are the same icons used in the  
Analysis Trace view. To view the icons and the descriptions, see "Analysis Trace View" on page 50.  
Filters Tab  
The Filters tab displays all the filters in the selected filter set.  
The following table describes the options to create new filters.  
Filters
    Displays a list of the visibility and folder filters configured in the selected filter
    set.
    - Visibility filters show or hide issues.
    - Folder filters sort the issues into the folder tabs in the Issues view.
    Right-click a filter to show issues that match the filter or to enable, disable,
    copy, or delete it.
If
    Displays the filter conditions. The first list displays a list of issue attributes,
    the second list specifies how to match the attribute, and the third is the value the
    filter matches.
    Note: This option is visible when you create a new filter or edit an existing filter.
    In this case, a dialog box displays the If section.
Then
    Indicates the filter type, where Hide Issue is a visibility filter and Set Folder to is
    a folder filter.
    Note: This option is visible when you create a new filter or edit an existing filter.
    In this case, a dialog box displays the Then section. For more information, see
Warnings Tab  
The Warnings tab lists any warnings that occurred during the analysis.  
A common source of warnings is missing references. To resolve this type of warning, make sure that
the reference files are either within the project directory structure or in a location known to Micro  
Focus Fortify Static Code Analyzer. The scan can also issue a warning if a class has no functional  
content. In this case, the warning is not an issue because an empty class has no impact on a scan.  
The following table describes the Warnings tab options.  
See the complete message that is truncated on the tab.
    Double-click the message.
Copy a warning message to the clipboard.
    Right-click a message, and then select Copy.
Save a warning message to a file.
    1. Right-click a message, and then select Export Entry.
    2. Type a name for the file, and then click Save.
    The file includes the audit project name, FPR file location, the warning code, and
    the warning message.
Save all the warning messages to a file.
    1. Click Export Warnings.
    2. Type a name for the file, and then click Save.
    The file includes the project name, FPR file location, the warning codes, and the
    warning messages.
Search the warning message.
    Type the search text in the filter text box.
Modify the text message at the top of the tab.
    1. Edit the <fortify_working_dir>/config/tools/warnings-view.properties file, where
       <fortify_working_dir> is:
       - Windows: C:\Users\<username>\AppData\Local\Fortify
       - Non-Windows: <userhome>/.fortify
    2. Edit the text following message= to the text you want to display in the Warnings
       tab.
    Close and reopen the Warnings tab to see the updated text.
Functions View  
The Functions view in the top right shows how and where a function occurs in the source code,  
whether a security rule covers the function, and which rule IDs match the function. The Functions  
view can also list the functions that Fortify Static Code Analyzer identified as tainted source, and the  
functions that were not covered by rules in the last scan. For detailed information about the  
Customizing the Issues View  
You can customize the Issues view to determine which issues it displays.  
To change the Issues view:  
1. Select Options > Options.  
2. In the left pane, select Audit Configuration.  
3. To change your preferences on the Appearance tab, select or clear the check boxes described in  
the following table.  
Show Suppressed Issues
    Displays all suppressed issues (disabled by default).
Show Removed Issues
    Displays all issues that were detected in the previous scan but are no longer
    evident in the new Issues view. When multiple scans are run on a project over time,
    vulnerabilities are often remediated or become obsolete. Micro Focus Fortify Static
    Code Analyzer marks these vulnerabilities as Removed Issues.
Show Hidden Issues
    Displays all hidden issues.
Collapse Issues
    Shows similar issues based on certain attributes under a shared parent node in the
    Issues view.
Use Short File Names
    References the issues in the Issues view by file name only, instead of by relative
    path.
Show Category of Issue
    Displays the category of an issue in the Issues view and the Audit tab.
Show Only My Issues
    Displays only issues assigned to you.
Right justify ‘All’ Folder
    Displays the All folder aligned on the right.
Display Name in Folder Tabs
    Displays the name text in the folder tabs.
Show Abstract
    Displays the abstract text in the Audit tab.
Show Comments
    Displays comments in the Audit tab.
Show ‘All’ Folder in Project Summary Graph
    Displays another bar in the chart on the Summary tab in the Project Summary view.
Include Comments
    Displays the history items for comments on the History tab.
Parent Fill Opacity
    Controls the opacity of the parent tile in Smart View. The setting ranges from 0%
    opaque on the left to 100% opaque on the right.
Note: To restore the default settings at any time, click Reset Interface.  
4. To save your preferences, click OK.  
Working with Issues  
This section describes how to use Audit Workbench to review issues.  
Filtering Issues with Audit Guide  
You can use the Audit Guide Wizard to filter vulnerability issues in your audit project based on a set  
of security-related questions.  
To use the Audit Guide:  
1. Select Tools > Audit Guide.  
2. Make your selections for the types of issues you want to display.  
3. To use the advanced filter options, click Advanced Mode.  
The Advanced Audit Guide dialog box opens.  
a. In the Audit Guide Filters list, select the types of issues you want to filter out and ignore.  
As you select items in the Audit Guide Filters list, the Audit Guide Wizard also displays the  
filter details for the selected filter type in the Filters table, including the number of issues  
that match each filter.  
b. To see a description of an issue type, click its name in the Audit Guide Filters list.  
The Audit Guide Wizard displays a description to the right of the list.  
4. Click OK to apply your filter selections.  
Grouping Issues  
The items visible in the Issues view vary depending on the selected grouping option. The value you  
select from the Group By list sorts issues in all visible folders into subfolders.  
To list all issues in a folder without any grouping, select <none>.  
You can view issues with any of the Group By options, and you can create and edit customized  
groups. The Group By options enable you to group and view the issues in different ways. The  
following table describes the standard Group By options.  
Analysis
    Groups issues by the audit analysis, such as Suspicious, Exploitable, and Not an Issue.
Analysis Type
    Groups issues by analyzer product, such as SCA, WEBINSPECT, and SECURITYSCOPE
    (WebInspect Agent).
Analyzer
    Groups issues by analyzer group, such as Configuration, Control Flow, Data Flow,
    Pentest, Semantic, and Structural.
App Defender Protected
    Groups issues by whether Application Defender can protect the vulnerability category.
Category
    Groups issues by vulnerability category. This is the default setting.
Category Analyzer
    A custom group that groups issues by category and then by analyzer.
<custom_tagname>
    Groups issues by custom tag.
File Name
    Groups issues by file name.
Fortify Priority Order
    Groups issues as Critical, High, Medium, and Low based on the analyzer's combined
    values of impact and likelihood.
Kingdom
    Groups issues by the Seven Pernicious Kingdoms classification.
Manual
    Groups issues by whether they were manually created by penetration test tools, and
    not automatically produced by a web crawler such as Fortify WebInspect.
<metadata_listname>
    Groups issues by the alternative metadata external list names (for example, OWASP
    Top 10 <year>, CWE, PCI SSF <version>, STIG <version>, and others).
New Issue
    Shows which issues are new since the last scan. For example, if you run a new scan,
    any issues that are new are displayed in the tree under the Issue New group and the
    others are displayed in the Issue Updated group. Issues not found in the latest scan
    are displayed in the Issue Removed group.
Package
    Groups issues by package or namespace. Does not appear for projects to which this
    option does not apply, such as C projects.
Priority by Category
    A custom group that groups issues by Fortify Priority Order and then by category.
Shared Trace Node
    Groups issues by the most common paths determined by the Dataflow Analyzer. This
    grouping helps to maximize the number of issues that you can address by updating one
    location in the code.
Sink
    Groups issues that share the same dataflow sink function.
SmartView
    Groups issues with a multiple-level grouping based on the last setting applied in
    SmartView. By default, groups issues by category, and then by Shared Trace Nodes.
Source
    Groups issues that share the same dataflow source functions.
Source File Type
    Groups issues by file type. For dataflow issues, the file contains the sink function.
    Note: Issues in files with different file extensions that are the same source file
    type are grouped together (for example, issues in files with the extensions html,
    htm, and xhtml are grouped under html).
Taint Flag
    Groups issues by the taint flags that they contain.
<none>
    Displays a flat view without any grouping.
Edit
    Select Edit to create a custom Group By option.
The following table describes additional grouping options that are available when you create a  
Issue State
    Groups audited issues by whether the issue is an open issue or not an issue based on
    the level of analysis set for the primary tag. Values equivalent to suspicious and
    exploitable are considered open issue states.
Primary Context
    Groups issues where the primary location or sink node function call occurs in the
    same code context.
Source Context
    Groups dataflow issues that have the source function call contained in the same code
    context.
Source File
    Groups dataflow issues by the source code file where the taint originated.
Status
    Groups issues by the audit status (Reviewed, Unreviewed, or Under Review).
URL
    Groups dynamic issues by the request URL.
Creating a Custom Group By Option  
You can create a custom Group By option that groups issues in a hierarchical format in sequential  
order based on specific attributes.  
To create a new grouping option:  
1. In the Group By list, select Edit.  
The Edit Custom Groupings dialog box opens.  
2. To create a custom group by option, do the following:  
a. Select Create New from the Custom Group Name list.  
b. In the Enter Value dialog box, type a name for the new custom group.  
c. Click OK.  
3. From the Grouping Types list on the left, select a grouping type, and then click the right arrow  
to move the option to the Grouping Order column.  
For example, selecting Category and then Analyzer creates a list that has top-level nodes that  
contain the category of the issue, such as SQL Injection, with the issues grouped below by  
analyzer (such as Dataflow or Semantic).  
4. Repeat step 3 to select additional grouping types.  
5. To change the order of the grouping types:  
a. In the Grouping Order list, select the grouping type that you want to move up or down in the  
grouping order.  
b. Right-click the selected grouping type, and then select Move Up or Move Down.  
6. To delete a custom grouping, click Delete.
Using Smart View  
Smart View provides a visual representation of the dataflow issues in your code so that you can  
quickly identify optimal remediation or triage strategies for multiple issues at once.  
1. Select Tools > Smart View.  
Note: Smart View uses the currently selected folder and grouping option.  
The number of issues for the currently selected folder and grouping selection determines the  
relative size of the Smart View tiles.  
Note: You can adjust the opacity of the parent tile. For instructions, see "Customizing the  
2. To filter the issues that are displayed, you can:  
- Select a grouping from the Folder list (for example, Critical, High, Medium, Low, or All).
  This list includes any custom folders and folders specific to the current filter set.
- Select a subfolder in the Group By list to further sort the issues.
- From the Then By list, select whether you are interested in viewing data by Source, Sink, or
  Shared Trace Node.
  Shared Trace Node is a node (or function) in the code that multiple dataflows pass through.
Shared Trace Node is a node (or function) in the code that multiple dataflows pass through.  
Note: To reset the display to the default Smart View settings, click Reset. This resets  
Folder to Critical, Group By to Category, and Then By to Shared Trace Node.  
3. Click a tile to see the issues in each grouping.  
Note: To return to the initial grouping level at any time, click Zoom out.
4. To see the issues in the auditing interface that share a common dataflow trace node, source, or  
sink, move your cursor over the tile you are interested in, and then click View Issues.  
This closes Smart View and returns you to the auditing interface and displays the issues for the  
selected grouping. The Group By category is set to SmartView to indicate that you are viewing  
the results filtered by the Smart View selection. The search box contains the Smart View icon and  
the Smart View search criteria.
To return to the primary auditing interface at any time, click Exit Smart View.
Selectively Displaying Issues Assigned to You  
To display only issues assigned to you in the Issues view, do one of the following:  
- Select the My Issues check box.
- Select Options > Show Only My Issues.
About Suppressed, Removed, and Hidden Issues  
You can control whether the Issues view lists the following types of issues:  
- Suppressed issues—As you assess successive scans of an application version, you might want to
  completely suppress some exposed issues. It is useful to mark an issue as suppressed if you are
  sure that the specific vulnerability is not, and will never be, an issue of concern. You might also
  want to suppress warnings for specific types of issues that are not a high priority or of immediate
  concern. For example, you can suppress issues that are fixed, or issues that you plan not to fix.
  Suppressed issues are not included in the group totals shown in the Issues view.
- Removed issues—As multiple scans are run on a project over time, issues are often remediated or
  become obsolete. As it merges scan results, Fortify Static Code Analyzer marks issues that were
  uncovered in a previous scan, but are no longer evident in the most recent Fortify Static Code
  Analyzer analysis results as Removed. Removed issues are not included in the group totals shown
  in the Issues view.
- Hidden issues—You typically hide a group of issues temporarily so that you can focus on other
  issues. For example, you could hide all issues except those assigned to you. The individuals
  assigned to address the issues you have hidden in your view can still access them. The group totals
  displayed in the Issues view include hidden issues.
To hide or show suppressed, removed, or hidden issues in the Issues view, from the Options menu,  
select (or deselect) one or more of the following:  
- Show Suppressed Issues
- Show Removed Issues
- Show Hidden Issues
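The following added example models two things described in this chapter: the hierarchical Group By options ("Creating a Custom Group By Option", for example Category and then Analyzer) and the rule just stated for group totals (suppressed and removed issues are left out of the totals unless the corresponding Show option is on; hidden issues are still counted). It is illustration only, not Audit Workbench code, and the sample issues and the flag names suppressed, removed and hidden are assumptions.

```python
"""Model of hierarchical Group By options and of group totals in the Issues view.

Added example, not Audit Workbench code. The per-issue flags 'suppressed',
'removed' and 'hidden' are assumed names; the counting rule follows the guide:
suppressed and removed issues are excluded from group totals unless the matching
Show option is on, hidden issues are always counted.
"""

# Constructed sample issues (not from any real scan).
ISSUES = [
    {"category": "SQL Injection", "analyzer": "dataflow", "file": "Main.java"},
    {"category": "SQL Injection", "analyzer": "dataflow", "file": "Dao.java", "hidden": True},
    {"category": "SQL Injection", "analyzer": "semantic", "file": "Dao.java", "suppressed": True},
    {"category": "Null Dereference", "analyzer": "control flow", "file": "Util.java", "removed": True},
    {"category": "Null Dereference", "analyzer": "control flow", "file": "Util.java"},
]


def counted(issue, show_suppressed=False, show_removed=False):
    """Whether an issue contributes to group totals. Suppressed and removed issues
    are left out unless the matching Show option is on; hidden issues always count."""
    if issue.get("suppressed") and not show_suppressed:
        return False
    if issue.get("removed") and not show_removed:
        return False
    return True


def group_by(issues, order, **show):
    """Nest issues by the attributes in `order`, e.g. ["category", "analyzer"]
    for the Category Analyzer grouping. Every node carries a '_total' count and
    leaf nodes carry the '_issues' they contain. An empty `order` is the <none>
    option: a flat list with one total."""
    visible = [i for i in issues if counted(i, **show)]
    node = {"_total": len(visible)}
    if not order:
        node["_issues"] = visible
        return node
    head, rest = order[0], order[1:]
    for key in sorted({str(i.get(head, "")) for i in visible}):
        members = [i for i in visible if str(i.get(head, "")) == key]
        node[key] = group_by(members, rest, **show)
    return node


def print_tree(node, indent=0):
    """Render the tree the way the Issues view shows each group with its count."""
    for key, child in node.items():
        if key.startswith("_"):
            continue
        print(" " * indent + f"{key} ({child['_total']})")
        print_tree(child, indent + 2)


if __name__ == "__main__":
    # Default view: the suppressed and removed issues are not counted, the hidden one is.
    print_tree(group_by(ISSUES, ["category", "analyzer"]))
```

With the default options the tree shows SQL Injection (2) with dataflow (2) underneath and Null Dereference (1); the semantic subgroup only appears once show_suppressed=True is passed, and the removed Null Dereference issue only once show_removed=True is passed.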
Creating Attribute Summary Tables for Multiple Issues  
You can create a summary table of attributes (for example, in spreadsheet software such as Excel or  
Google Sheets) for any number of issues that you select from the Issues view. You specify the format  
options, select the issues, and then paste the comma-delimited data into a spreadsheet program to  
create the summary table.  
The table can contain an attributes column followed by a single values column for every issue  
selected or, the table can display one row per attribute and its corresponding values. Alternatively,  
you can specify a customized table layout for the values that you copy to your spreadsheet program.  
To create a spreadsheet table that contains an attributes column followed by a single values column  
for each selected issue:  
1. Select Options > Options.  
2. In the left pane, select Audit Configuration, and then select the Configuration tab.  
3. Under Multiple Issues Copy Format, leave the [h] List issues in columns option selected.  
4. Select the attributes you want to include from the Include immutable attributes, Include  
mutable attributes, and Include custom tags check boxes.  
5. Click OK.  
6. From the Issues view, use the Ctrl or Shift key and select all the issues you want to include in a  
table.  
7. With the issues selected, press Ctrl + Alt + Shift + C.  
8. Start the spreadsheet software, and then paste (Ctrl + V) the copied data into a single column.  
To create a spreadsheet table that displays one row per attribute and its values:  
1. Select Options > Options.  
2. In the left pane, select Audit Configuration, and then select the Configuration tab.  
3. Under Multiple Issues Copy Format, select the [v] List issues in rows option.  
4. Select the attributes you want to include from the Include immutable attributes, Include  
mutable attributes, and Include custom tags check boxes.  
5. Click OK.  
6. From the Issues view, use the Ctrl or Shift key and select all the issues you want to include in a  
table.  
7. With the issues selected, press Ctrl + Alt + Shift + C.  
8. Start the spreadsheet software, and then paste (Ctrl + V) the copied data into a single column.  
To create a customized table layout for the values that you copy to a spreadsheet program:  
1. Select Options > Options.  
2. In the left pane, select Audit Configuration, and then select the Configuration tab.  
3. Under Multiple Issues Copy Format, select the Format manually option.  
4. In the Attribute value format box, use the string described in the following table to specify the  
data layout, format, and separators for the values you want to copy.  
[h]
    Columnar format - Attributes are inserted in a single column and the spreadsheet
    table expands to the right (horizontally) with a new column added for each issue
    copied in.
[v]
    Row format - Attributes are inserted in a single row (table header) and a new row
    populated with values is added for each issue added (table expands vertically).
%s
    Textual data (you can use the complete java.util.Formatter syntax). See the
    java.util.Formatter documentation at
, ; or tab
    Separator symbol - To import the copied value into most spreadsheet programs, you
    must specify the separator to use in the format field.
'…'
    Apply the preceding format string to all elements in the selection. This is only
    valid if the format specification starts with [h] or [v].
%n
    Line separator (platform independent), whether it is the last value for an issue in a
    row formatted table [v] or it is the last value of a given attribute in a columnar
    formatted table [h].
For example, to specify which specific attributes you want to copy with the row format ([v]), use  
[v]%file$s,%category$s,%fortify priority order$s%n. This copies the three  
attributes for each selected issue.  
5. To see the result of your syntax, look under Result example.  
The example shown changes as you change the value in the Attribute Value Format box.  
Note: Examples are not available for complex manual formats.  
6. Select the attributes you want to include from the Include immutable attributes, Include  
mutable attributes, and Include custom tags check boxes.  
7. Click OK.  
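The following added example shows what the [v] and [h] layouts produce for the format string used above, [v]%file$s,%category$s,%fortify priority order$s%n, so that you can see the shape of the text before pasting it into a spreadsheet. It is illustration only, not Audit Workbench code: it models the [h]/[v] prefix, the %<attribute>$s placeholders, the literal separator between them, and the %n line separator, and it does not model the '…' quoting rule or other java.util.Formatter flags. The sample issues and their attribute values are constructed.

```python
"""Model of the 'Format manually' copy format for multiple issues.

Added example, not Audit Workbench code. Only the [h]/[v] prefix, the
%<attribute>$s placeholder, the literal separator and %n are modelled; the '...'
quoting rule and the remaining java.util.Formatter syntax are not.
"""
import re

# Constructed sample issues (not from any real scan); attribute names are assumed.
ISSUES = [
    {"file": "Main.java", "category": "SQL Injection", "fortify priority order": "Critical"},
    {"file": "Login.java", "category": "Cross-Site Scripting: Reflected", "fortify priority order": "High"},
]

# %file$s, %category$s, %fortify priority order$s ... -> the attribute name between % and $s
PLACEHOLDER = re.compile(r"%([^%$]+)\$s")


def parse_format(fmt):
    """Return (layout, attribute names, separator) from a manual format string.
    The layout defaults to 'v' when no [h]/[v] prefix is given (assumption)."""
    layout = "v"
    if fmt.startswith("[h]") or fmt.startswith("[v]"):
        layout, fmt = fmt[1], fmt[3:]
    if fmt.endswith("%n"):
        fmt = fmt[:-2]
    attrs = PLACEHOLDER.findall(fmt)
    # re.split with one capture group yields [literal, attr, literal, attr, ..., literal];
    # the literal between the first two placeholders is the separator (',', ';' or a tab).
    pieces = PLACEHOLDER.split(fmt)
    separator = pieces[2] if len(attrs) > 1 else ","
    return layout, attrs, separator


def render(fmt, issues):
    """Produce the text that the copy operation would place on the clipboard."""
    layout, attrs, sep = parse_format(fmt)
    if layout == "v":
        # Row format: the attribute names form the header row, then one row per issue.
        lines = [sep.join(attrs)]
        lines += [sep.join(str(issue.get(a, "")) for a in attrs) for issue in issues]
    else:
        # Columnar format: one line per attribute, with a new column for each issue.
        lines = [sep.join([a] + [str(issue.get(a, "")) for issue in issues]) for a in attrs]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render("[v]%file$s,%category$s,%fortify priority order$s%n", ISSUES))
    print(render("[h]%file$s,%category$s,%fortify priority order$s%n", ISSUES))
```

Running it prints the row-format table (a header line followed by one line per issue) and then the columnar table (one line per attribute, one column per issue); pasting either into a single spreadsheet column and splitting on the comma gives the table described above.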
Searching for Issues  
You can use the search box below the issues list to search for issues. After you type a search term, the  
label next to the folder name changes to indicate the number of issues that match the search as a  
subset of the total.  
To indicate the type of comparison to perform, wrap search terms with delimiters. The following table  
describes the syntax to use for the search string.  
contains
    Searches for a term without any special qualifying delimiters.
equals
    Searches for an exact match when the term is wrapped in quotation marks ("").
regex
    Searches for values that match a Java-style regular expression delimited by a forward
    slash (/).
    Example: /eas.+?/
number range
    Searches for a range of numbers using the standard mathematical interval notation of
    parentheses and/or brackets to indicate whether the endpoints are excluded or included
    respectively.
    Example: (2,4] indicates greater than two and less than or equal to four.
not equal
    Excludes issues specified by the string when you precede the string with the
    exclamation character (!).
    Example: file:!Main.java returns all issues that are not in Main.java.
You can further qualify search terms with modifiers. The syntax for using a modifier is  
modifier:<search_term>.  
A search string can contain multiple modifiers and search terms. If you specify more than one  
modifier, the search returns only issues that match all the modified search terms. For example,  
file:ApplicationContext.java category:SQL Injection returns only SQL injection issues  
found in ApplicationContext.java.  
If you use the same modifier more than once in a search string, then the search terms qualified by  
those modifiers are treated as an OR comparison. For example, file:ApplicationContext.java  
category:SQL Injection category:Cross-Site Scripting returns SQL injection issues and  
cross-site scripting issues found in ApplicationContext.java.  
For complex searches, you can also insert the AND or the OR keyword between your search queries.  
Note that AND and OR operations have the same priority in searches.  
For more information, see "Search Modifiers" below.  
Search Modifiers  
You can use a search modifier to specify to which attribute of an issue the search term applies.  
Note: To use a modifier that contains a space in the name, such as the name of the custom tag,  
you must enclose the modifier in brackets. For example, to search for issues that are new, type  
[issue age]:new.  
A search that is not qualified by a modifier tries to match the search string on the following attributes:  
kingdom, primary rule id, analyzer, filename, severity, class name, function name, instance id, package,  
confidence, type, subtype, taint flags, category, sink, and source.  
- To apply the search to all modifiers, type a string such as control flow. This searches all the
  modifiers and returns any results that contain the "control flow" string.
- To apply the search to a specific modifier, type the modifier name and the string as follows:
  analyzer:control flow. This returns all results detected by the Control Flow Analyzer.
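The following added example implements the search semantics described in "Searching for Issues" and "Search Modifiers" over a handful of constructed issues: the contains, equals (quoted), regex (/…/), number range ((2,4]) and not equal (!) comparisons; modifier:term qualification, including bracketed modifier names such as [issue age]; repeated modifiers combined as OR and different modifiers as AND; and the AND and OR keywords with equal priority. It is illustration only, not Audit Workbench code, and the sample issues, the case-insensitive text comparison and the attribute set used for unqualified terms are assumptions.

```python
"""Model of the Audit Workbench issue search syntax.

Added example, not Audit Workbench code. Semantics follow the guide: a bare term
is a 'contains' match, "term" is an exact match, /term/ is a regular expression,
(lo,hi] is a number range, !term negates, modifier:term qualifies the attribute,
a repeated modifier is OR, different modifiers are AND, and AND/OR keywords are
evaluated left to right with equal priority. Case-insensitive matching and the
attribute list for unqualified terms are assumptions.
"""
import re

# Constructed sample issues (not from any real scan); keys mirror search modifiers.
ISSUES = [
    {"file": "Main.java", "category": "SQL Injection", "analyzer": "dataflow", "accuracy": 4.0, "issue age": "new"},
    {"file": "ApplicationContext.java", "category": "SQL Injection", "analyzer": "dataflow", "accuracy": 3.0, "issue age": "updated"},
    {"file": "ApplicationContext.java", "category": "Cross-Site Scripting: Reflected", "analyzer": "dataflow", "accuracy": 2.5, "issue age": "new"},
    {"file": "Util.java", "category": "Null Dereference", "analyzer": "control flow", "accuracy": 5.0, "issue age": "removed"},
]

# Attributes an unqualified term is matched against (a subset of the guide's list; assumed).
UNQUALIFIED_ATTRS = ("file", "category", "analyzer")

INTERVAL = re.compile(r"^([\[(])\s*(-?\d+(?:\.\d+)?)\s*,\s*(-?\d+(?:\.\d+)?)\s*([\])])$")
# A modifier is a word or a [bracketed name] followed by ':' at the start or after whitespace.
MODIFIER = re.compile(r"(?:^|(?<=\s))(\[[^\]]+\]|[A-Za-z_]+):")


def match_term(value, term):
    """Apply one comparison to one attribute value."""
    if term.startswith("!"):                                  # not equal
        return not match_term(value, term[1:])
    text = str(value)
    if len(term) >= 2 and term[0] == term[-1] == '"':         # equals
        return text.lower() == term[1:-1].lower()
    if len(term) >= 2 and term[0] == term[-1] == "/":         # regex
        return re.search(term[1:-1], text) is not None
    m = INTERVAL.match(term)
    if m and isinstance(value, (int, float)):                 # number range
        lo_br, lo, hi, hi_br = m.groups()
        lo, hi = float(lo), float(hi)
        above = value > lo if lo_br == "(" else value >= lo
        below = value < hi if hi_br == ")" else value <= hi
        return above and below
    return term.lower() in text.lower()                       # contains


def parse_query(query):
    """Split 'mod:term mod:term' into (modifier, term) pairs. Terms may contain
    spaces; a leading term without a modifier gets modifier None."""
    marks = list(MODIFIER.finditer(query))
    pairs = []
    head = query[: marks[0].start()] if marks else query
    if head.strip():
        pairs.append((None, head.strip()))
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(query)
        pairs.append((m.group(1).strip("[]").lower(), query[m.end():end].strip()))
    return pairs


def matches_simple(issue, query):
    """Same modifier repeated is OR; different modifiers are AND."""
    groups = {}
    for mod, term in parse_query(query):
        groups.setdefault(mod, []).append(term)
    for mod, terms in groups.items():
        if mod is None:
            ok = any(match_term(issue[a], t) for t in terms for a in UNQUALIFIED_ATTRS if a in issue)
        elif mod in issue:
            ok = any(match_term(issue[mod], t) for t in terms)
        else:
            ok = False
        if not ok:
            return False
    return True


def issue_matches(issue, query):
    """AND / OR keywords between sub-queries: equal priority, left to right."""
    parts = re.split(r"\s+(AND|OR)\s+", query)
    result = matches_simple(issue, parts[0])
    for op, sub in zip(parts[1::2], parts[2::2]):
        rhs = matches_simple(issue, sub)
        result = (result and rhs) if op == "AND" else (result or rhs)
    return result


def search(query, issues=ISSUES):
    """Return the issues that match the search string."""
    return [i for i in issues if issue_matches(i, query)]


if __name__ == "__main__":
    for q in ("file:ApplicationContext.java category:SQL Injection category:Cross-Site Scripting",
              "file:!Main.java", "accuracy:(2,4]", "[issue age]:new", "control flow"):
        print(f"{q!r}: {len(search(q))} issue(s)")
```

The two worked sentences above come out as the guide states: the single-category query returns only the SQL injection issue in ApplicationContext.java, and adding a second category: term widens the result to the cross-site scripting issue in that file as well, because the repeated modifier is treated as OR while the file: modifier still applies to both.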
The following table describes the search modifiers. A few modifiers have a shortened modifier name indicated in parentheses. You can use either modifier string.

accuracy
    Searches for issues based on the accuracy value specified (0.1 through 5.0).

analysis
    Searches for issues that have the specified audit analysis value such as exploitable, not an issue, and so on.

[analysis type]
    Searches for issues by analyzer product such as SCA and WEBINSPECT.

analyzer
    Searches the issues for the specified analyzer such as control flow, data flow, structural, and so on.

[app defender protected] (def)
    Searches for issues based on whether Application Defender can protect the vulnerability category (protected or not protected).

[attack payload]
    Searches for issues that contain the search term in the part of the request that caused the vulnerability for penetration test results.

[attack type]
    Searches for issues based on the type of penetration test attack conducted (URL, parameter, header, or cookie).

audience
    Searches for issues based on intended audience such as dev, targeted, medium, broad, and so on.
    Note: This metadata is legacy information that is no longer used and will be removed in a future release. Fortify recommends that you do not use this search modifier.

audited
    Searches the issues to find true if the primary tag is set and false if the primary tag is not set. The default primary tag is the Analysis tag.

body
    Searches for issues that contain the search term in the HTTP message body in penetration test results, which is all the data that is transmitted immediately following the headers.

bug
    Searches for issues that contain the search term in the information for the filed bug.
    Note: This information is discarded each time you restart Fortify Audit Workbench.

category (cat)
    Searches for the specified category or category substring.

class
    Searches for issues based on the specified class name.

codesnippet
    Searches for the specified string within the few lines of code that are stored for each vulnerability by default. If code snippets were excluded from the scan results during the analysis, then the search will not return any results.

comments (comment, com)
    Searches for issues that contain the search term in the comments that have been submitted on the issue.

commentuser
    Searches for issues with comments from a specified user.

confidence (con)
    Searches for issues that have the specified confidence value (legacy metadata).

cookies
    Searches for issues that contain the search term in the cookie from the HTTP query for penetration test results.

correlated
    Searches for issues based on whether the issues are correlated with another analyzer.

[correlation group]
    Searches for issues based on whether the issues are in the same correlation group.

<custom_tagname>
    Searches for issues based on the value of the specified custom tag.
    You can search a list-type custom tag using a range of values. The values of a list-type custom tag are an enumerated list where the first value is 0, the second is 1, and so on. You can use the search syntax for a range of numbers to search for ranges of list-type custom tag values. For example, analysis:[0,2] returns the issues that have the values of the first three Analysis values, 0, 1, and 2 (Not an Issue, Reliability Issue, and Bad Practice).
    To search a date-type custom tag, specify the date in the format: yyyy-mm-dd.

dynamic
    Searches for issues that have the specified dynamic hot spot ranking value.

file
    Searches for issues where the primary location or sink node function call occurs in the specified file path.

filetype
    Searches for issues based on the file type such as asp, csharp, java, jsp, xml, and so on.

[fortify priority order]
    Searches for issues that have a priority level that matches the specified priority determined by Micro Focus Fortify Static Code Analyzer. Valid values are critical, high, medium, and low, based on the expected impact and likelihood of exploitation.
    The impact value indicates the potential damage that might result if an issue is successfully exploited. The likelihood value is a combination of confidence, accuracy of the rule, and probability that an attacker can exploit the issue.

headers
    Searches for issues that contain the search term in the request header for penetration test results.

historyuser
    Searches for issues that have audit data modified by the specified user.

[http version]
    Searches for issues based on the specified HTTP version such as HTTP/1.1.

impact
    Searches for issues based on the impact value specified (0.1 through 5.0).

[instance id]
    Searches for an issue based on the specified instance ID.

[issue age]
    Searches for the issue age, which is new, updated, reintroduced, or removed.

[issue state]
    Searches for audited issues based on whether the issue is an open issue or not an issue (determined by the level of analysis set for the primary tag).

kingdom
    Searches for all issues in the specified kingdom.

likelihood
    Searches for issues based on the specified likelihood value (0.1 through 5.0).

line
    Searches for issues on the primary location line number. For dataflow issues, the value is the sink line number. Also see

manual
    Searches for issues based on whether they were manually created by penetration test tools, and not automatically produced by a web crawler such as Fortify WebInspect.

[mapped category]
    Searches for issues based on the specified category that is mapped across the various analyzers (Fortify Static Code Analyzer, Fortify WebInspect, and Fortify WebInspect Agent).

maxconf
    Searches for all issues that have a confidence value equal to or less than the number specified as the search term.

maxVirtConf
    Searches for dataflow issues that have a virtual call confidence value equal to or less than the number specified as the search term.

<metadata_listname>
    Searches for issues based on the value of the specified metadata external list. Metadata external lists include [owasp top ten <year>], [cwe top 25 <version>], [pci ssf <version>], [stig <version>], and others.

method
    Searches for issues based on the method, such as GET, POST, DELETE, and so on.

minconf
    Searches for all issues that have a confidence value equal to or greater than the number specified as the search term.

min_virtual_call_confidence (virtconf, minVirtConf)
    Searches for dataflow issues that have a virtual call confidence value equal to or greater than the number specified as the search term.

package
    Searches for issues where the primary location occurs in the specified package or namespace. For dataflow issues, the primary location is the sink function.

parameters
    Searches for issues that contain the search term in the HTTP query parameters.

primary
    Searches for issues that have the specified primary tag value. By default, the primary tag is the Analysis tag.

[primary context]
    Searches for issues where the primary location or sink node function call occurs in the specified code context. Also see

primaryrule (rule)
    Searches for all issues related to the specified sink rule.

probability
    Searches for issues based on the probability value specified (1.0 through 5.0).

[remediation effort]
    Searches for issues based on the remediation effort value specified. The valid values are whole numbers from 1.0 to 12.0.

[request id]
    This attribute is not currently used.

response
    Searches for issues that contain the search term in the response from the protocol used in penetration test results.

ruleid
    Searches for all issues reported by the specified rule IDs used to generate the issue source, sink and all passthroughs.

[secondary requests]
    This attribute is not currently used.

severity (sev)
    Searches for issues based on the specified severity value (legacy metadata).

shortfilename
    Searches for issues where the primary location or sink node function call occurs in file names that contain the specified search term, but not anywhere in its full path. For full path matches, use the modifier "file" on page 75.

sink
    Searches for issues that have the specified sink function name.

source
    Searches for dataflow issues that have the specified source function name. Also see "[source context]" below.

[source context]
    Searches for dataflow issues that have the source function call contained in the specified code context. Also see "source".

sourcefile
    Searches for dataflow issues with the source function call that the specified file contains. Also see "file" on page 75.

sourceline
    Searches for dataflow issues having taint source entering the flow on the specified line. Also see "line" on page 76.

status
    Searches issues that have the status reviewed, not reviewed, or under review.

suppressed
    Searches for issues based on whether they are suppressed.

taint
    Searches for issues that have the specified taint flag.

trace
    Searches for issues that have the specified string in the dataflow trace.

tracenode
    Enables you to search on the nodes within an issue's analysis trace. Each tracenode search value is a concatenation of the tracenode's file path, line number, and additional information.

tracenodeAllPaths
    Searches for the specified value in all the steps of analysis trace.

trigger
    Searches for issues that contain the search term in the part of the response that shows that a vulnerability occurred for penetration test results.

url
    Searches for issues based on the specified URL.

user
    Searches for issues assigned to the specified user.
Search Query Examples  
The following are search query examples that use search modifiers.  
- To search for all privacy violations in file names that contain jsp with getSSN() as a source, type:
  category:"privacy violation" source:getssn file:jsp
- To search for all file names that contain com/fortify/awb, type:
  file:com/fortify/awb
- To search for all paths that contain traces with mydbcode.sqlcleanse as part of the name, type:
  trace:mydbcode.sqlcleanse
- To search for all paths that contain traces with cleanse as part of the name, type:
  trace:cleanse
- To search for all issues that contain cleanse as part of any modifier, type:
  cleanse
- To search for all suppressed vulnerabilities with asdf in the comments, type:
  suppressed:true comments:asdf
- To search for all categories except for SQL Injection, type:
  category:!SQL Injection
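The queries above can be tried against constructed issue records with the following toy evaluator. It is an added example, not Fortify's own query engine: it approximates the rules the modifier table states (a `modifier:value` term restricts the match to one attribute, an unqualified term matches any attribute as a case-insensitive substring, `!` negates a term, `[a,b]` on a list-type tag matches an inclusive index range of the tag's enumerated values, and short aliases such as cat and com expand to the full modifier). Two simplifications are this example's own: multi-word values must be quoted (so the last query above is written `category:!"SQL Injection"`), and bracketed multi-word modifier names such as [issue state] are not handled. The sample issues are constructed, not real scan results.

```python
"""Toy evaluator for the Fortify Audit Workbench search-modifier syntax.

Added example, not Fortify code: an approximation of the rules in the guide,
good enough to try the documented queries against constructed issues.
"""
import re
import shlex
from dataclasses import dataclass

# Alias -> canonical modifier, from the modifier table.
ALIASES = {"cat": "category", "comment": "comments", "com": "comments",
           "con": "confidence", "sev": "severity", "rule": "primaryrule"}

# Enumerated values of the default Analysis tag, index 0 first, as the guide
# describes for list-type tags.
LIST_TAGS = {"analysis": ["Not an Issue", "Reliability Issue", "Bad Practice",
                          "Suspicious", "Exploitable"]}

RANGE_RE = re.compile(r"^\[(\d+),(\d+)\]$")


@dataclass
class Issue:
    attrs: dict  # modifier name -> attribute value


def tokenize(query):
    """Split a query into (modifier or None, negated, value) triples.

    Multi-word values must be quoted, e.g. category:"privacy violation";
    that quoting requirement is this example's simplification.
    """
    terms = []
    for tok in shlex.split(query):
        mod, sep, val = tok.partition(":")
        if sep:
            mod = ALIASES.get(mod.lower(), mod.lower())
        else:
            mod, val = None, tok          # unqualified term: any attribute
        negated = val.startswith("!")
        terms.append((mod, negated, val[1:] if negated else val))
    return terms


def value_matches(mod, pattern, actual):
    """Index-range match for list-type tags, otherwise case-insensitive substring."""
    m = RANGE_RE.match(pattern)
    if m and mod in LIST_TAGS:
        values = LIST_TAGS[mod]
        lo, hi = int(m.group(1)), int(m.group(2))
        return actual in values and lo <= values.index(actual) <= hi
    return pattern.lower() in str(actual).lower()


def issue_matches(issue, terms):
    """Every term must hold; the guide's examples combine terms with an implicit AND."""
    for mod, negated, pattern in terms:
        if mod is None:
            hit = any(value_matches(k, pattern, v) for k, v in issue.attrs.items())
        else:
            hit = mod in issue.attrs and value_matches(mod, pattern, issue.attrs[mod])
        if hit == negated:          # a plain term must hit, a negated term must not
            return False
    return True


def search(issues, query):
    terms = tokenize(query)
    return [i for i in issues if issue_matches(i, terms)]


# Constructed sample issues (not real scan results).
SAMPLE_ISSUES = [
    Issue({"category": "Privacy Violation", "source": "getSSN", "file": "src/web/Account.jsp",
           "analysis": "Exploitable", "suppressed": "false", "comments": "needs masking"}),
    Issue({"category": "SQL Injection", "source": "getParameter", "file": "src/db/Query.java",
           "analysis": "Suspicious", "suppressed": "false", "trace": "mydbcode.sqlcleanse"}),
    Issue({"category": "Privacy Violation", "source": "getSSN", "file": "src/db/Report.java",
           "analysis": "Not an Issue", "suppressed": "true", "comments": "asdf duplicate"}),
    Issue({"category": "Cross-Site Scripting", "source": "getHeader", "file": "src/web/Search.jsp",
           "analysis": "Bad Practice", "suppressed": "false", "trace": "cleanse"}),
]

if __name__ == "__main__":
    for q in ['category:"privacy violation" source:getssn file:jsp', "trace:cleanse",
              "cleanse", "suppressed:true comments:asdf", 'category:!"SQL Injection"',
              "analysis:[0,2]"]:
        print(f"{q!r}: {len(search(SAMPLE_ISSUES, q))} issue(s)")
```

Running the block prints how many of the four sample issues each documented query selects; `analysis:[0,2]` picks the two issues whose Analysis value sits at index 0 through 2 of the enumerated list, which is the range behaviour the <custom_tagname> entry describes.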
Performing Simple Searches  
To use the search box to perform a simple search, do one of the following:  
- Type a search string in the box and press Enter.
- To select a search term you used before, click the arrow in the search box, and then select a search term from the list.
To get assistance to compose the comparison for your search string, do the following:  
1. Click your cursor in the search box, and then press Ctrl + Space.  
2. From the displayed list, double-click an issue attribute to begin your search string.  
3. To get assistance to specify the comparison, with your cursor placed after the modifier in the  
search box, press Ctrl + Space.  
4. From the displayed list, double-click the comparison to add to your search string.  
5. Type the rest of the search term.  
The Issues view lists all the issues that match your search string.  
Fortify Audit Workbench saves all the search terms you type for the current session. To select a  
search term you used previously, click the arrow in the search box, and then select a search term.  
(After you close Fortify Audit Workbench, the saved search terms are discarded.)  
Creating complex search strings can involve several steps. If you type an invalid search string, the magnifying glass icon in the text field changes to a warning icon to notify you of the error. Click the warning icon to view information about the search term error.
The advanced search feature makes it easier to build complex search strings. For a description of this  
feature and instructions on how to use it, see "Performing Advanced Searches" below.  
Performing Advanced Searches  
You can use the advanced search feature to build complex search strings.  
To use the advanced search feature:  
1. To the right of the search box, click Advanced.  
2. To create your search query:  
a. From the list on the left, select the modifier.
b. From the middle list, select the comparison and type.
c. From the list on the right, select the search term.
The list for the search term includes the known values in the current scan for the specified  
attribute. However, you can type any value into this field. To specify an unqualified search term,  
select Any Attribute from the bottom of the modifier list.  
3. To add another query row, do one of the following:  
- To add an AND query row, in the top right corner of the dialog box, click AND.
- To add an OR query row, in the top right corner of the dialog box, click OR.
4. Add as many query rows as you need for the search.
5. To delete a row, to the right of the row, click Delete. To remove all rows, click Clear.
6. To change a query row condition, double-click the current (underlined) query row operator AND  
or OR.  
In the following example, you can double-click AND to change the query operator to OR.  
7. Click Find.  
Note: As you build your search string, the Advanced Search dialog box displays any errors in the  
status below the search string builder. Find is only enabled after you resolve all errors.  
About Issue Templates  
Micro Focus Fortify Static Code Analyzer produces comprehensive results for source code analysis.  
On large codebases, these results can be overwhelming. The issue template assigned to your projects  
enables you to sort and filter the results to best suit your needs. The filtering and sorting mechanisms  
appropriate during a given phase in the development process can change depending on the phase of  
development. Similarly, the filtering and sorting mechanisms might vary depending on the role of the  
user.  
You can sort issues by grouping them into folders, which are logically defined sets of issues presented  
in the tabs on the Issues view. You can further customize the sorting to provide custom definitions for the
folders into which the issues are sorted. You can provide definitions for any number of folders, whose  
contents are then defined by filters. Filters can either alter the visibility of an issue or place it into a  
folder. When used to sort issues into folders, you define the nature of the issues that appear in the  
customized folders.  
You group filters into filter sets and then use the filter sets to sort and filter the issues displayed. An  
issue template can contain definitions for multiple filter sets. Using multiple filter sets in an audit  
project enables you to quickly change the sorting and visibility of the issues you are auditing. For  
example, the default issue template used in the interface provides two filter sets. These filter sets  
provide an increasingly restrictive view of security-related issues. Defining multiple filter sets for an  
audit project enables different views for different users, and a customized view does not affect any  
other views.  
In addition to providing sorting and filtering mechanisms, you can customize the auditing process by  
defining custom tags in the issue template. Auditors associate custom tags with issues during  
auditing. For example, you can use custom tags to track impact, severity, or priority of an issue using  
the same names and values used to track these attributes in other systems, such as a bug tracker  
application.  
Issue templates contain the following settings:  
- Folder filters—Control how issues are sorted into the folders
- Visibility filters—Control which issues are shown and hidden
- Filter sets—Group folder and/or visibility filters
- Folder properties—Name, color, and the filter set in which it is active
- Custom tags—Specify which audit fields are displayed and the values for each
The issue template applied to an audit project is determined using the following preference order:
1. Template that exists in the audit project
2. Template in <sca_install_dir>/Core/config/filters/defaulttemplate.xml
3. Template in <sca_install_dir>/Core/config/rules/defaulttemplate.xml or projecttemplate.xml
4. Embedded Fortify default template
Configuring Custom Filter Sets and Filters  
If the filter sets available in Audit Workbench do not exactly suit your needs, you can create your own,  
either by using the filter wizard, or by copying and then modifying an existing filter set.  
If you are performing collaborative audits on Micro Focus Fortify Software Security Center, you can  
synchronize your custom filters with Fortify Software Security Center. For more information, see  
This section provides instructions on how to:  
- Create a new filter set
- Create filters from the Issues view and add them to a filter set
- Create filters on the Filters tab and add them to a filter set
- Copy a filter to a different filter set
Creating a New Filter Set  
To create a new filter set, copy an existing set and modify the settings.  
To create a new filter set:  
1. Select Tools > Project Configuration.  
2. Select the Filter Sets tab.  
3. Next to Filter Sets, click Add Filter Set.
The Add New Filter Set dialog box opens.  
4. Type a name for the new filter set.  
5. Select an existing filter set to copy.  
6. Click OK.  
A new filter set with the same folders, visibility filters, and folder filters as the copied filter set is  
created.  
Creating a Filter from the Issues View  
When a folder list includes an issue that you want to hide or direct to another folder, you can create a  
new filter using the filter wizard. The wizard displays all the attributes that match the conditions in  
the filter.  
Note: To find the filter that directed the issue to the folder, right-click the issue, and then select  
Why is this issue here? To find the filter that hid an issue, right-click the issue, and then select  
Why is this issue hidden?  
To create a new filter from an issue:  
1. In the Issues view, select a filter set from the Filter Set list.  
2. Right-click an issue, and then select Create Filter.  
The Create Filter dialog box lists suggested conditions.  
3. To see all the conditions, select the Show all conditions check box.  
4. Select the conditions you want to use in the filter.  
You can fine tune the filter later by modifying it on the Filter tab.  
5. Select the type of filter you want to create, as follows:  
- To create a visibility filter, select Hide Issue.
- To create a folder filter, select Set Folder to, and then select the folder name or select Other Folder to add an existing folder or create a new one.
A new folder is displayed in this filter set only.  
6. Click Create Filter.  
The wizard places the new filter at the end of the filter list. For folder filters, this gives the new  
filter the highest priority. Issues that match the new folder filter appear in the targeted folder.  
7. (Optional) For folder filters, drag the filter higher in the folder filter list to change the priority.  
The issues are sorted with the new filter.  
Note: The filter is created only in the selected filter set.  
Creating a Filter from the Issue Auditing View  
Use the Filters tab in the Issue Auditing view to create visibility filters and folder filters.  
Folder filters are applied in order and the issue is directed to the last folder filter it matches in the list.  
To create a new filter on the Filters tab:  
1. From the Filter Set list, select a filter set.  
2. Select the Filters tab in the Issue Auditing view.  
3. Right-click Visibility Filters or Folder Filters, and then select Create New Filter.  
The Create Filter dialog box opens.  
4. From the first list, select an issue attribute.  
The second list is automatically populated.  
5. From the second list, select how to match the value.  
The third list contains the possible values for the attribute.  
6. Select a value or specify a range as instructed in the If line.  
7. Set Then to one of the following options:  
- To create a visibility filter, select Hide Issue.
- To create a folder filter, select Set Folder to, and then select the folder name or select Other Folder to add a folder from another filter set or create a new folder.
8. Click Save.  
The new filter is displayed at the end of the list. For folder filters, this gives the new filter the  
highest priority. Issues that match the new folder filter appear in the targeted folder.  
9. (Optional) For folder filters, drag the filter higher in the folder filter list to change the priority.  
The issues are sorted with the new filter.  
Note: The filter is created in the selected filter set only.  
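The two filter kinds and the ordering rule stated above (a visibility filter hides matching issues; folder filters are applied in order and an issue goes to the last folder filter it matches, so a filter appended at the end of the list has the highest priority; everything else lands in the default folder) can be modelled directly. The following is an added example, not Fortify code or its issue template format: filter conditions are (attribute, comparison, value) triples mirroring the three lists of the Create Filter dialog, with only "equals" and "contains" comparisons supported, and the folder names, attribute names and sample issues are constructed for the example. The `why_is_this_issue_here` function plays the role of the "Why is this issue here?" and "Why is this issue hidden?" menu items.

```python
"""Toy model of how a filter set sorts issues into folders (added example, not Fortify code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Condition:
    attribute: str
    comparison: str   # "equals" or "contains" (this example's two comparisons)
    value: str

    def holds(self, issue):
        actual = str(issue.get(self.attribute, "")).lower()
        wanted = self.value.lower()
        if self.comparison == "equals":
            return actual == wanted
        if self.comparison == "contains":
            return wanted in actual
        raise ValueError(f"unsupported comparison: {self.comparison}")


@dataclass(frozen=True)
class VisibilityFilter:       # "Then: Hide Issue"
    condition: Condition


@dataclass(frozen=True)
class FolderFilter:           # "Then: Set Folder to <folder>"
    condition: Condition
    folder: str


@dataclass
class FilterSet:
    name: str
    default_folder: str
    visibility_filters: list
    folder_filters: list      # applied in list order; the LAST match wins

    def route(self, issue):
        """Return (folder, deciding filter); folder is None when the issue is hidden."""
        for vf in self.visibility_filters:
            if vf.condition.holds(issue):
                return None, vf
        target, by = self.default_folder, None
        for ff in self.folder_filters:
            if ff.condition.holds(issue):
                target, by = ff.folder, ff     # later matches override earlier ones
        return target, by

    def sort_issues(self, issues):
        """Folder name -> list of issue ids, as the folder tabs would show them."""
        folders = {}
        for issue in issues:
            folder, _ = self.route(issue)
            if folder is not None:
                folders.setdefault(folder, []).append(issue["id"])
        return folders

    def why_is_this_issue_here(self, issue):
        folder, by = self.route(issue)
        if folder is None:
            return f"hidden by visibility filter {by.condition}"
        if by is None:
            return f"in default folder '{folder}' (no folder filter matched)"
        return f"in '{folder}' because of folder filter {by.condition}"


def move_filter(fs, index, new_index):
    """Drag a folder filter to another position in the list, which changes its priority."""
    ffs = list(fs.folder_filters)
    ffs.insert(new_index, ffs.pop(index))
    return FilterSet(fs.name, fs.default_folder, fs.visibility_filters, ffs)


# Constructed sample issues and filter set (hypothetical names and values).
SAMPLE_ISSUES = [
    {"id": "A1", "category": "SQL Injection", "priority": "critical",
     "analysis": "Exploitable", "file": "src/db/Query.java"},
    {"id": "B2", "category": "Dead Code", "priority": "low",
     "analysis": "", "file": "src/util/Old.java"},
    {"id": "C3", "category": "Cross-Site Scripting", "priority": "high",
     "analysis": "Not an Issue", "file": "src/web/Search.jsp"},
    {"id": "D4", "category": "Path Manipulation", "priority": "medium",
     "analysis": "", "file": "test/Fixture.java"},
]

SECURITY_AUDITOR_VIEW = FilterSet(
    name="Security Auditor View",
    default_folder="Low",
    visibility_filters=[
        VisibilityFilter(Condition("file", "contains", "test/")),           # hide test code
        VisibilityFilter(Condition("analysis", "equals", "Not an Issue")),  # hide audited-away issues
    ],
    folder_filters=[
        FolderFilter(Condition("priority", "equals", "critical"), "Critical"),
        FolderFilter(Condition("priority", "equals", "high"), "High"),
        FolderFilter(Condition("priority", "equals", "medium"), "Medium"),
        # Created last by the wizard, so it sits at the end and wins over the rows above.
        FolderFilter(Condition("category", "contains", "SQL Injection"), "Hot"),
    ],
)

if __name__ == "__main__":
    print(SECURITY_AUDITOR_VIEW.sort_issues(SAMPLE_ISSUES))
    for issue in SAMPLE_ISSUES:
        print(issue["id"], SECURITY_AUDITOR_VIEW.why_is_this_issue_here(issue))
```

With the filters in the order shown, the critical SQL Injection issue ends up in the Hot folder rather than Critical because the Hot filter is last; moving it to the front of the list (`move_filter(SECURITY_AUDITOR_VIEW, 3, 0)`) hands that issue back to the Critical filter, which is the effect of dragging a folder filter in the Filters tab.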
Copying a Filter from One Filter Set to Another  
Filter settings are local to a filter set. However, you can copy the filter to another filter set in the audit  
project. If you copy a folder filter to another set and that folder is not already active in the set, the  
folder is automatically added.  
To copy a filter:  
1. In the Issues view, select a filter set from the Filter Set list.  
2. Select the Filters tab in the Issue Auditing view.  
3. Right-click a filter, and then select Copy Filter To.  
The Select a Filter Set dialog box opens with a list of all the filter sets.  
4. Select a filter set, and then click OK.  
The filter is added to the filter set in the last position.  
5. (Optional) For folder filters, you can adjust the order of the filter list by dragging and dropping  
the filter to a different location in the list.  
Setting the Default Filter Set  
To specify the default filter set used to view scan findings:  
1. In the Issues view, click the Filter Set list, and then select Edit.  
The Project Configuration dialog box opens to the Filter Sets tab.  
2. In the Filter Sets list, select the filter set you want to use as the default for the issue template.  
3. Select the Default filter set check box, and then click OK.  
Managing Folders  
Folders are logical sets of issues that are defined by the filters in the active filter set. Even though a  
folder can appear in more than one filter set, the contents might differ depending on the filters in that  
filter set that target the folder. To accommodate filter sets that provide sorting mechanisms with little  
overlap, you can have filter sets with different folders. Folders are defined independent of the filter  
sets they may appear in. For example, a filter set might place low priority issues into a red folder that  
is labeled "Hot."  
Creating a Folder  
You can create a new folder so that you can display a group of issues you have filtered to the folder.  
Folders must have unique names.  
Note: If this functionality is restricted to administrator users, and you are not an administrator,  
you cannot create folders.  
To create a new folder:  
1. Select Tools > Project Configuration.  
2. Select the Folders tab.  
The Folders pane on the left lists the folders for the filter set selected in the Folder for Filter  
Set list. Fields on the right show the name, color, and description of the selected folder.  
3. To associate the folder with an existing filter set, select the filter set from the Filter Set list.  
Select (All Folders) to create a new folder in the issue template without associating it with a  
specific filter set. You can associate the folder with an existing filter set later.  
Note: Selecting a filter set updates the Folders list to display the folders that are associated  
with the selected filter set.  
4. To add a folder:  
a. Next to Folders, click Add Folder.
The Add Folder dialog box opens.  
Note: If you have created folders in other filter sets, the Add New Folder to Filter Set  
dialog box opens. Click Create New.  
b. Type a unique name for the new folder, and then select a folder color.  
c. Click OK.  
The folder is added to the bottom of the folder list.  
5. In the Description box, type a description for the new folder.  
6. To change the tab position of the folder on the Issues view, drag the folder up or down in the  
Folders list.  
The top position is on the left and the bottom position is on the right.  
7. To put all issues that do not match a folder filter into this folder, select the Default Folder check  
box.  
8. Click OK.  
The folder is displayed as a tab with the other folders. If you selected default, all issues that do not  
match a folder filter are displayed. The new folder is added to the issue template for the audit project.  
Note: To display issues in this folder, create a folder filter that targets the new folder. For more  
Adding a Folder to a Filter Set  
This section describes how to enable an existing folder in a filter set. Create a new folder that is only  
included in the selected filter set using the instructions in "Creating a Folder" on the previous page. To  
display issues in this folder, create a folder filter that targets the new folder.  
To add a folder to a filter set:  
1. Select Tools > Project Configuration.  
The Project Configuration dialog box opens.  
2. Select the Folders tab.  
3. Click the Filter Set list to select the filter set where you want to add a folder.  
The Folders list displays the folders in the selected filter set.  
4. Next to Folders, click Add Folder.
The Add New Folder to Filter Set dialog box opens.  
Note: If the selected filter set already includes all existing folders, the Create Folder dialog  
box opens and you can create a new folder for the selected filter set.  
5. Select the folder to add to the selected filter set, and then click Select.  
6. Click OK.  
The folder is displayed as a tab along with the other folders.  
Renaming a Folder  
You can rename a folder. Modifying the name of a folder is a global change reflected in all filter sets.  
To rename a folder:  
1. Select Tools > Project Configuration.  
2. Select the Folders tab.  
3. In the Filter Set list, select (All Folders).  
4. Select the folder in the Folders list.  
The folder properties are displayed on the right.  
5. Type the new name for the folder.  
The folder name changes in the Folders list as you type.  
6. Click OK.  
The new folder name is displayed on the tabs.  
Removing a Folder  
You can remove a folder from a filter set without removing it from other filter sets.  
To remove a folder:  
1. Select Tools > Project Configuration.  
2. Select the Folders tab.  
3. Select a filter set from the Filter Set list.  
The Folders list displays the folders in the selected filter set.  
4. Select the folder, and then next to Folders, click Delete Folder.
Note: The folder is removed only from the selected filter set.
If the folder is a target of a folder filter, the Conflicts Occurred Removing Folder dialog box opens.  
Do one of the following:  
a. To target the filter to a different folder, select a folder from the Retarget the filters list, and  
then click Retarget Filters.  
b. To delete the filter, click Delete Filters, and then click Yes to confirm the deletion.  
5. Click OK to close the Project Configuration dialog box.  
The folder is no longer displayed as a tab in the Issues view.  
Configuring Custom Tags for Auditing  
To audit code in Micro Focus Fortify Software Security Center, the security team examines project  
analysis results (FPR) and assigns values to custom tags associated with application version issues.  
The development team can then use these tag values to determine which issues to address and in  
what order.  
The Analysis tag is provided by default. The Analysis tag is a list-type tag and has the following valid  
values: Not an Issue, Reliability Issue, Bad Practice, Suspicious, and Exploitable. You can modify the  
Analysis tag attributes, change the tag values, or add new values based on your auditing needs.  
To refine your auditing process, you can define your own custom tags. You can create the following  
types of custom tags: list, decimal, string, and date. For example, you could create a list-type custom  
tag to track the sign-off process for an issue. After a developer audits his own issues, a security expert  
can review those same issues and mark each as “approved” or “not approved.”  
You can also define custom tags from Fortify Software Security Center, either directly with issue  
template uploads through Fortify Software Security Center, or from Fortify Audit Workbench through  
issue templates in FPR files.  
Note: Although you can add new custom tags from Fortify Audit Workbench as you audit a  
project, if these custom tags are not defined in Fortify Software Security Center for the issue  
template associated with the application version, then the new tags are lost if you upload the FPR  
file to Fortify Software Security Center.  
You can add the following attributes to your custom tags:  
- Extensible—This enables users to create a new value while auditing, even without the permission to manage custom tags.
- Restricted—This restricts who can set the tag value on an issue. Administrators, security leads, and managers have permission to audit restricted tags.
- Hidden (Fortify Software Security Center only)—Use this setting to hide a tag from an application version or issue template.
After you define a custom tag, it is displayed below the Analysis tag, which enables you to specify  
values as they relate to specific issues. Custom tags are also available in other areas of the interface,  
such as in the Group By list to group issues in a folder, in the search field as a search modifier  
(similarly available as a modifier for filters), and in the project summary graph as an attribute by  
which to graphically sort issues.  
Adding a Custom Tag  
You can create custom tags to use in auditing results. Custom tags are project-wide and are saved as  
part of an issue template.  
To add a custom tag:  
1. Select Tools > Project Configuration.  
2. Select the Custom Tags tab.  
3. Next to Tags, click Add Tag.
Note: Any previously hidden tags are listed, and you can re-enable them. To create a new  
tag, click Create New.  
The Add New Tag dialog box opens.  
4. In the Name box, type a name for the new tag.  
Important! Make sure that the name you specify for a custom tag is not a database reserved  
word.  
5. From the Type list, select one of the following tag types:  
- List—Accepts selection from a list of values that you specify for the tag
- Date—Accepts a calendar date
- Decimal—Accepts a number with a precision of up to 18 (up to 9 decimal places)
- Text—Accepts a string with up to 500 characters (HTML/XML tags and newlines are not allowed)
6. Click OK.  
The Tags list now includes the new tag.  
7. Configure any or all the following optional tag settings:  
- To allow users to add new values for a list-type tag in an audit, leave the Extensible check box selected.
- To allow only administrators, security leads, and managers to set this tag on an issue, select the Restricted check box.
- Type a description of the custom tag in the Description box.
- For a list-type tag, from the Default Value list, select the default value for the tag.
If you do not specify a default value, the default is null.  
8. To add a value for a list-type tag, do the following:  
a. From the Tags list, select the tag name.  
b. Next to Values, click Add Value.
c. In the Enter Value dialog box, type a value, and then click OK.  
d. Type a description of the value in the Description box.  
e. Repeat steps a through d for each additional value required for the new tag.  
9. To make this custom tag the primary tag:  
Note: You can only set a list-type tag as a primary tag.  
a. Click Set Primary Tag.  
b. Select the custom tag from the Primary Tag list, and then click OK.  
The primary tag determines the audit status for each issue as well as the audit icon in the Issues  
view. By default, the primary tag is Analysis.  
The Audit tab in the Issue Auditing view now displays the new tag and its default value (if you  
assigned one).  
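The value rules stated for the four tag types above (List with Extensible and Restricted settings, Date, Decimal with precision 18 and up to 9 decimal places, Text of up to 500 characters without HTML/XML tags or newlines), written out as a checker. This is an added example, not code from the guide or from Fortify; the CustomTag model, helper names and the sample reserved-word list are assumptions for illustration.

```python
"""Checks for custom tag definitions and values following the rules stated in
"Adding a Custom Tag". Added example: the CustomTag model and helper names are
assumptions for illustration, not Fortify's own API."""
import re
from dataclasses import dataclass, field
from datetime import date
from decimal import Decimal, InvalidOperation
from typing import List, Optional

TAG_TYPES = ("List", "Date", "Decimal", "Text")
# Roles that may set a Restricted tag on an issue, per the guide.
RESTRICTED_ROLES = {"administrator", "security lead", "manager"}
# Constructed, illustrative subset of SQL reserved words; check the list
# for your own database in a real deployment.
RESERVED_WORDS = {"select", "insert", "update", "delete", "table", "user", "order", "group"}
HTML_XML_TAG = re.compile(r"<[^>]*>")   # Text values may not contain HTML/XML tags
MAX_TEXT_LEN, MAX_PRECISION, MAX_SCALE = 500, 18, 9


@dataclass
class CustomTag:
    name: str
    type: str                                        # one of TAG_TYPES
    values: List[str] = field(default_factory=list)  # List-type tags only
    extensible: bool = True                          # auditors may add new list values
    restricted: bool = False                         # only RESTRICTED_ROLES may set it
    default: Optional[str] = None                    # List-type only; None means null


def validate_definition(tag: CustomTag) -> List[str]:
    """Return the problems with a tag definition (empty list when it is valid)."""
    problems = []
    if not tag.name.strip():
        problems.append("name must not be empty")
    elif tag.name.strip().lower() in RESERVED_WORDS:
        problems.append(f"name {tag.name!r} is a database reserved word")
    if tag.type not in TAG_TYPES:
        problems.append(f"unknown tag type {tag.type!r}")
    elif tag.type != "List" and (tag.values or tag.default is not None):
        problems.append("values and a default apply to List-type tags only")
    elif tag.type == "List" and tag.default is not None and tag.default not in tag.values:
        problems.append(f"default {tag.default!r} is not one of the tag's values")
    return problems


def _decimal_problem(value) -> Optional[str]:
    """Enforce precision <= 18 digits and scale <= 9 decimal places."""
    try:
        d = Decimal(str(value))
    except InvalidOperation:
        return f"{value!r} is not a number"
    if not d.is_finite():
        return f"{value!r} is not a finite number"
    _, digits, exp = d.normalize().as_tuple()   # normalize drops trailing zeros
    if exp > 0:                                 # e.g. 1E+2: three integer digits
        precision, scale = len(digits) + exp, 0
    else:
        scale = -exp
        precision = max(len(digits), scale)     # 0.5 -> one digit, one decimal place
    if scale > MAX_SCALE:
        return f"{value!r} has more than {MAX_SCALE} decimal places"
    if precision > MAX_PRECISION:
        return f"{value!r} exceeds a precision of {MAX_PRECISION}"
    return None


def validate_value(tag: CustomTag, value, role: str = "auditor") -> Optional[str]:
    """Return None if `role` may set `value` on `tag`, otherwise the reason it is rejected."""
    if tag.restricted and role not in RESTRICTED_ROLES:
        return f"tag {tag.name!r} is restricted; role {role!r} may not set it"
    if tag.type == "List":
        if value in tag.values or tag.extensible:
            return None
        return f"{value!r} is not a value of the non-extensible list tag {tag.name!r}"
    if tag.type == "Date":
        try:
            date.fromisoformat(str(value))
        except ValueError:
            return f"{value!r} is not a calendar date (expected YYYY-MM-DD)"
        return None
    if tag.type == "Decimal":
        return _decimal_problem(value)
    if tag.type == "Text":
        if not isinstance(value, str):
            return "text value must be a string"
        if len(value) > MAX_TEXT_LEN:
            return f"text exceeds {MAX_TEXT_LEN} characters"
        if "\n" in value or "\r" in value:
            return "newlines are not allowed in text values"
        if HTML_XML_TAG.search(value):
            return "HTML/XML tags are not allowed in text values"
        return None
    return f"unknown tag type {tag.type!r}"
```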
Hiding a Custom Tag  
If you hide a custom tag, it is no longer available on the Issue Auditing view's Audit tab or as a search  
or filter option.  
Note: If you hide a custom tag that was set for any issues, that tag and values are hidden from  
the issue. If you make the tag available again, the tag and values are restored.  
You cannot hide the primary tag.  
To hide a custom tag:  
1. Select Tools > Project Configuration.  
The Project Configuration dialog box opens.  
2. Select the Custom Tags tab.  
3. Select the tag from the Tags list.  
4. Next to Tags, click Hide Tag.
This action hides the tag from your available custom tags. You can make this tag available again  
when you add a custom tag (see "Adding a Custom Tag" on page 91).  
5. Click OK.  
If you hide a tag that has an associated filter, you are prompted to delete the filter.  
Committing Custom Tags to Fortify Software Security Center  
To commit custom tags to Micro Focus Fortify Software Security Center:  
1. With an audit project open, select Tools > Project Configuration.  
2. Select the Custom Tags tab.  
3. Click Commit.  
Note: Any list-type custom tags without values are not uploaded to Fortify Software Security  
Center.  
4. If prompted, type your Fortify Software Security Center credentials.  
For information about logging into Fortify Software Security Center, see "Logging in to Fortify  
The Custom Tag Upload dialog box opens.  
5. Do one of the following:  
• If the issue template and the application version already exist on Fortify Software Security Center:
  ◦ To upload the custom tags to the global pool and assign them to the application version, click Yes.
  ◦ To upload the custom tags to the global pool without assigning them to the application version, click No.
  ◦ To prevent uploading the custom tags to Fortify Software Security Center, click Cancel.
• If the issue template does not exist on Fortify Software Security Center:
  ◦ To upload the custom tags to the global pool only on Fortify Software Security Center, click Yes.
  ◦ To prevent uploading the custom tags to Fortify Software Security Center, click No.
Synchronizing Custom Tags with Fortify Software Security Center  
To synchronize custom tags for an audit project that has been uploaded to Micro Focus Fortify Software Security Center:
1. Select Tools > Project Configuration.  
2. Select the Custom Tags tab.  
3. Select the custom tag.  
4. Click Synchronize.  
5. If required, type your Fortify Software Security Center credentials.  
For information about logging into Fortify Software Security Center, see "Logging in to Fortify  
The Custom Tag Download dialog box opens.  
6. If the application version and the issue template both exist on Fortify Software Security Center,  
select either Application Version or Issue Template to specify from where to download the  
custom tags.  
7. To download custom tags from the issue template, click Yes.  
Issue Template Sharing  
After an issue template is associated with an audit project, all changes made to that template, such as  
the addition of folders, custom tags, filter sets, or filters, apply to the audit project. The issue template  
is stored in the FPR when the audit project is saved. For information about how to associate the issue  
template with an audit project, see "Importing an Issue Template" on the next page. With issue  
templates, you can use the same project settings for another project.  
Exporting an Issue Template  
Exporting an issue template creates a file that contains the filter sets, folders, and custom tags for the  
current project. After you export an issue template, you can import it into another audit project file.  
To export an issue template:  
1. Select Tools > Project Configuration.  
2. Select the Filter Sets tab.  
3. Click Export.  
The Select a Template File Location dialog box opens.  
4. Browse to the location where you want to save the file.  
5. Type a file name without an extension.  
6. Click Save.  
The current template settings are saved to an XML file.  
Importing an Issue Template  
Importing an issue template overwrites the audit project configuration settings. The local filter sets  
and custom tags are replaced with the filter sets and custom tags in the issue template.  
To import an issue template:  
1. Select Tools > Project Configuration.  
2. Select the Filter Sets tab.  
3. Click Import.  
The Locate Template File dialog box opens.  
4. Select the issue template file to import.  
5. Click Open.  
The filter sets, custom folders, and custom tags are updated.  
Note: You can also click Reset to Default to return the settings to the default issue template.  
Synchronizing Filter Sets and Folders  
To download filter sets and folders configured from Micro Focus Fortify Software Security Center:  
1. Select Tools > Project Configuration.  
2. Select the Filter Sets tab.  
3. Click Synchronize.  
A message advises you that downloading filter sets and folders from Fortify Software Security  
Center overwrites your local filter sets and folders.  
4. To proceed with the synchronization, click Yes.  
5. If required, provide your Fortify Software Security Center credentials, and then click OK.  
For information about logging into Fortify Software Security Center, see "Logging in to Fortify  
If the current issue template does not exist on Fortify Software Security Center, do the following:  
a. In the Issue Template column, select an issue template name.  
b. Click OK.  
6. Audit Workbench downloads the filter sets and folders from the selected issue template on  
Fortify Software Security Center, and overwrites your current issue template.  
Committing Filter Sets and Folders  
If you want to upload filter sets and folders to an issue template on Micro Focus Fortify Software  
Security Center, do the following:  
1. Select Tools > Project Configuration.  
2. Select the Filter Sets tab.  
3. Select the filter set from the list.  
4. Click Commit.  
5. If required, provide your Fortify Software Security Center credentials.  
For information about logging into Fortify Software Security Center, see "Logging in to Fortify  
The Update Existing Issue Template or Add Issue Template dialog box opens, depending on  
whether the issue template already exists in Fortify Software Security Center.  
6. Do one of the following:  
a. To upload filter sets and folders to the issue template, click Yes.  
b. To add the issue template that contains the current set of custom tags to Fortify Software  
Security Center, click Yes.  
Advanced Configuration  
Integrating with a Bug Tracker Application  
Audit Workbench provides a plugin interface to integrate with bug tracker applications. This enables  
you to file bugs directly from Audit Workbench. For a list of supported bug tracker applications, see  
the Micro Focus Fortify Software System Requirements document.  
To select the plugin to use:  
1. Open an audit project.  
2. Select Tools > Select Bugtracker.  
3. Select a bug tracker from the list, and then click OK.  
If installed with Fortify SCA and Applications, example source code for bug tracker plugins is available in <sca_install_dir>/Samples/advanced/BugTrackerPlugin<bug_tracker>, where <bug_tracker> is the name of the bug tracker application.
To write your own plugin, see the instructions in the README text file, which is in each bug tracker directory. Information about the API is included in the JavaDoc located in <sca_install_dir>/Samples/advanced/JavaDoc/public-api/index.html.
Configuring Proxy Settings for Bug Tracker Integration  
If the bug tracker you use requires a proxy connection, specify the proxy settings. When you submit  
an issue as a bug, select the Use proxy check box. Fortify Audit Workbench provides the proxy  
settings to the bug tracker plugin.  
To configure proxy settings for bug tracker integration:  
1. Select Options > Options.  
2. In the left pane, select Bugtracker Proxy Configuration.  
3. Under HTTP Proxy, specify the proxy server, port number, and optionally credentials for proxy  
authentication.  
4. If the connection uses HTTPS requests, then provide the proxy settings under HTTPS Proxy.  
5. Click OK to save your changes.  
Public APIs  
Fortify publishes public APIs so that you can create custom parsers for pentest tools and services  
that are not included in the default distribution. The APIs are in (fortify-public-*.jar), and you  
can use them to compile your custom parser.  
Penetration Test Schema  
Fortify also provides a generic penetration test schema (pentestimport.xsd) that you can view in  
<sca_install_dir>/Core/config/schemas. This provides another option for importing additional  
pentest results. Instead of creating a custom parser for your tool or service, you can translate the  
results into the Fortify generic format (using XSLT or a similar technology). You can then open or  
merge these translated results automatically. See "Penetration Test Results" on page 113 for more  
information.  
Chapter 5: Auditing Analysis Results  
When Fortify Static Code Analyzer scans application source code, its discoveries are presented as  
potential vulnerabilities rather than actual vulnerabilities. Every application is unique, and all  
functionality runs within a context that the development team understands best. No technology can  
fully determine whether a suspect behavior is considered a vulnerability without direct developer  
confirmation.  
For example, Fortify Static Code Analyzer might discover that a web page designed to display data to  
the user (for example, a financial transaction record page) appears to allow any authenticated user to  
request any data with no check of viewing permission. Whether or not this behavior is considered a  
vulnerability depends entirely on the intended design of the application. If the application is supposed  
to allow any user to see all data, then the auditor can mark the discovery as a non-issue; otherwise,  
the auditor can mark the issue as a vulnerability for the team to address.  
The topics in this section provide information about how to audit scan results opened in Fortify Audit  
Workbench.  
Working with Audit Projects  
After you scan a project, you can audit the analysis results. You can also audit the results of a  
collaborative audit from Micro Focus Fortify Software Security Center.  
Opening an Audit Project  
To open an audit project:  
1. Start Fortify Audit Workbench.  
2. Select File > Open Project.  
The Select Audit Project dialog box opens.  
3. Browse to and select the FPR file, and then click Open.  
Opening Audit Projects Without the Default Filter Set  
If you open an audit project that does not contain the filter set specified as the default filter set for  
new projects (by default, this is the Quick View filter set), a message is displayed to inform you that  
the filter set is not available in the audit project’s issue template.  
The default filter set from the template is loaded at startup, regardless of the setting. This would also  
happen, for example, with any FPR files downloaded from the Fortify on Demand Server.  
To resolve this, do one of the following:  
• To apply the default filter set from the current issue template, click Cancel.
• To update the issue template for the project, click Update Issue Template.
  After you select Update Issue Template, some filter sets that were available before the update, for example Developer View and Critical Exposure, are no longer available.
  A warning is displayed to let you know that you cannot undo the update.
• To ensure that the default filter set for the project is never overridden, click Never Override Default Filter Set.
Performing a Collaborative Audit  
You can audit a project on Fortify Software Security Center collaboratively with other Fortify Software  
Security Center users.  
To start a collaborative audit:  
1. Start Fortify Audit Workbench.  
If you already have an audit project open, close it.  
2. Under Open Collaborative Audit, click Sign In.  
3. Type your Fortify Software Security Center logon credentials.  
For information about logging into Fortify Software Security Center, see "Logging in to Fortify  
Fortify Audit Workbench displays a list of applications that you have permission to access.  
4. Select an application version to audit.  
To quickly find an application version, type the name or partial name of an application in the  
Search box. The search is case insensitive. To clear the search results, clear the Search box.  
If necessary, click Refresh to update the list of applications on Fortify Software Security Center.  
The audit project file is downloaded from Fortify Software Security Center and opened in Fortify  
Audit Workbench.  
5. Audit the project as described in "Evaluating Issues" on page 104.  
6. When you have completed the audit, select Tools > Upload Audit Project.  
Note: If necessary, you can refresh your Fortify Software Security Center audit permission  
Refreshing Permissions from Fortify Software Security Center  
The Micro Focus Fortify Software Security Center administrator assigns roles to users that determine  
the actions they can perform in Fortify Software Security Center. When you work on a collaborative  
audit and the administrator changes your auditing permissions, you might need to refresh the  
permissions in Audit Workbench.  
To refresh your permissions from Fortify Software Security Center:  
1. Select Options > Options.  
2. In the left pane, select Server Configuration.  
3. Click Refresh Permissions for the Current Audit.  
4. Click OK.  
Merging Audit Data  
Audit data includes the custom tags and comments that were added to an issue. You can merge the  
audit data for your project with audit data from another results file. Comments are merged into a  
chronological list and custom tag values are updated. If custom tag values conflict (if the same tag is  
set to different values for a given issue), Fortify Audit Workbench prompts you to resolve the conflict.  
Note: Issues are not merged. Merged results include only the issues found in the latest scan.  
Issues uncovered in the older scan that were not uncovered in the latest scan are marked as  
Removed and are hidden by default.  
Make sure that the projects you merge contain the same analysis information. That is, make sure that  
the scans were performed on the same source code (no missing libraries or files), the Micro Focus  
Fortify Static Code Analyzer settings were the same, and the scan was performed using the same  
security content.  
To merge projects:  
1. Open a project in Fortify Audit Workbench.  
2. Select Tools > Merge Audit Projects.  
3. Select an audit project (FPR file), and then click Open.  
The Progress Information dialog box opens. When complete, the Merge dialog box opens.  
Note: After you select an FPR, Fortify Audit Workbench might prompt you to choose  
between the issue template in the current FPR and the issue template in the FPR you are  
merging in.  
4. Click Yes to confirm the number of issues added or removed from the file.  
Note: If the scan is identical, no issues are added or removed.  
The project now contains all audit data from both result files.  
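The merge semantics described above (comments combined into one chronological list, tag values updated, conflicting tag values left for the user to resolve, issues absent from the latest scan marked Removed and hidden by default), simulated on constructed sample data. This is an added example, not the FPR format or Audit Workbench's own merge code; the Issue/Comment model, the instance ids and the assumption that the open project is the newer scan are mine.

```python
"""Simulation of the audit-data merge described in "Merging Audit Data".
Added example; the Issue/Comment model is an assumption, not the FPR format
or Audit Workbench's own merge implementation."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Comment:
    timestamp: str      # ISO 8601, so string order is chronological order
    author: str
    text: str


@dataclass
class Issue:
    instance_id: str    # identifies the same finding across scans (assumed stable)
    category: str
    tags: Dict[str, str] = field(default_factory=dict)
    comments: List[Comment] = field(default_factory=list)
    removed: bool = False


# (instance_id, tag name, value in the latest scan, value in the other file)
Conflict = Tuple[str, str, str, str]


@dataclass
class MergeResult:
    issues: Dict[str, Issue]
    conflicts: List[Conflict]


def merge_audit_data(latest: Dict[str, Issue], other: Dict[str, Issue]) -> MergeResult:
    """Merge the audit data of `other` into `latest` (the open project, assumed to
    be the newer scan). Issues themselves are not merged: only those in `latest`
    stay visible; issues found only in `other` are kept but marked Removed."""
    merged: Dict[str, Issue] = {}
    conflicts: List[Conflict] = []
    for iid, issue in latest.items():
        out = Issue(iid, issue.category, dict(issue.tags), list(issue.comments))
        old = other.get(iid)
        if old is not None:
            seen = {(c.timestamp, c.author, c.text) for c in out.comments}
            for c in old.comments:                 # skip comments present in both files
                if (c.timestamp, c.author, c.text) not in seen:
                    out.comments.append(c)
                    seen.add((c.timestamp, c.author, c.text))
            out.comments.sort(key=lambda c: c.timestamp)
            for tag, value in old.tags.items():
                if tag not in out.tags:
                    out.tags[tag] = value          # tag set only in the other file
                elif out.tags[tag] != value:       # same tag, different values: ask the user
                    conflicts.append((iid, tag, out.tags[tag], value))
        merged[iid] = out
    for iid, issue in other.items():
        if iid not in merged:                      # found in the older scan only
            merged[iid] = Issue(iid, issue.category, dict(issue.tags),
                                list(issue.comments), removed=True)
    return MergeResult(merged, conflicts)


def resolve_conflict(result: MergeResult, instance_id: str, tag: str, chosen: str) -> None:
    """Apply the user's choice for one conflicting tag value and clear that conflict."""
    result.issues[instance_id].tags[tag] = chosen
    result.conflicts = [c for c in result.conflicts if (c[0], c[1]) != (instance_id, tag)]


def visible_issues(result: MergeResult) -> List[Issue]:
    """Issues shown by default; Removed issues stay hidden unless the user shows them."""
    return [i for i in result.issues.values() if not i.removed]


def sample_merge() -> MergeResult:
    """Constructed sample: the open project (latest scan) merged with an older FPR."""
    latest = {
        "I-1": Issue("I-1", "Command Injection", {"Analysis": "Exploitable"},
                     [Comment("2022-06-02T10:00:00", "bob", "Confirmed reachable from login form")]),
        "I-2": Issue("I-2", "Path Manipulation"),
    }
    older = {
        "I-1": Issue("I-1", "Command Injection", {"Analysis": "Not an Issue", "Owner": "alice"},
                     [Comment("2022-05-20T09:00:00", "alice", "Looks like test code"),
                      Comment("2022-05-28T15:30:00", "alice", "Need developer input")]),
        "I-3": Issue("I-3", "Null Dereference", {"Analysis": "Bad Practice"}),
    }
    return merge_audit_data(latest, older)
```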
Merging Audit Data Using the Command-line Utility  
You can also use the FPRUtility command-line utility to merge audit data. This utility enables you to merge an audited project, verify the signature of the FPR, or display analysis results information from an FPR. For more information about how to use this utility, see the Micro Focus Fortify Static Code Analyzer User Guide.
Additional Metadata  
Each issue in Audit Workbench contains additional metadata that is not produced by the Fortify  
internal analyzers. Examples include alternative categories (for example, OWASP, CWE, WASC), and  
prioritization values that are used in the default filters (for example, impact, accuracy, probability).  
You can view the metadata attributes through the standard grouping and search mechanisms.  
If you open an older FPR that does not contain metadata values, the metadata values for the issues  
are retrieved from legacy mapping files. These legacy mapping files exist in the <sca_install_dir>/Core/Config/LegacyMappings directory, and are indexed by either issue category, or issue
category and analyzer. The legacy mapping files are accessed as needed, so each issue in your project  
must always have metadata values, whether those values come from the FPR, the legacy mapping  
files, or a combination of the two.  
Uploading Audit Results to Fortify Software Security Center  
When you work on a collaborative audit and you downloaded the audit project from Micro Focus  
Fortify Software Security Center, Audit Workbench retains the application version for the audit  
project. If you want to upload the audit project to a different application version, you need to  
disconnect the audit project from Fortify Software Security Center before you upload the results. To  
disconnect the current audit project from Fortify Software Security Center, select Options > Options,  
click Server Configuration, and then click Disconnect the Current Audit.  
Note: If you created any custom tags or filter sets for your project's issue template, you must first  
commit them to Fortify Software Security Center before you upload the project so that  
Note: By default, Micro Focus Fortify Software Security Center does not allow you to upload  
scans performed in quick scan mode. However, you can configure your Fortify Software Security  
Center application version so that uploaded audit projects scanned in quick scan mode are  
processed. For more information, see analysis results processing rules in the Micro Focus Fortify  
Software Security Center User Guide.  
To upload results to Fortify Software Security Center:  
1. Select Tools > Upload Audit Project.  
2. If prompted, type your Fortify Software Security Center credentials.  
For information about logging into Fortify Software Security Center, see "Logging in to Fortify  
3. If the audit project is not already associated with an application version, select an application  
version, and then click OK.  
Note: If you see a message that the application version is not committed or does not exist,  
this indicates that you opened an audit project that was previously associated with an  
application version that does not exist on Fortify Software Security Center to which Fortify  
Audit Workbench is currently connected. Disconnect the audit project from Fortify Software  
Security Center as described previously in this section.  
A message notifies you when the upload is complete.  
4. Click OK.  
Updates you made to issues including comments and tag values (for tags that already exist for the  
application version on Fortify Software Security Center) are uploaded.  
Evaluating Issues  
To evaluate and assign audit values to an issue or group of issues:  
1. Select the issue or group of issues in the Issues view, see "About Viewing Analysis Results" on  
2. In the Issue Auditing view, read the abstract on the Audit tab. This abstract provides high-level  
information about the issue, such as the analyzer that found the issue.  
For example, Command Injection (Input Validation and Representation, dataflow) indicates that this issue, which the Dataflow Analyzer detected, is a Command Injection issue in the Input Validation and Representation kingdom.
3. Click the More Information link to get more details about the issue.  
4. On the Audit tab, specify an Analysis value for the issue to represent your evaluation.  
5. Specify values for any custom tags as your organization requires.  
For text-type custom tags, you can click Edit Text to see and edit long text strings. This tag  
accepts up to 500 characters (HTML/XML tags and newlines are not allowed).  
For date-type custom tags, you can click the calendar button to select a date from a calendar.
6. If the audit results have been submitted to Audit Assistant in Micro Focus Fortify Software  
Security Center, then you can specify whether to include or exclude the issue from Audit  
Assistant training from the AA_Training list.  
Note: If you select a different value for Analysis than the AA_Prediction value set by Audit  
Assistant, and you select Include from the AA_Training list, then the next time the data is  
submitted to Audit Assistant, it updates the information used to predict whether an issue  
represents a true vulnerability. For more information about Audit Assistant, see the Micro  
Focus Fortify Software Security Center User Guide.  
7. (Optional) In the Comments box, type comments relevant to the issue and your evaluation.  
Performing Quick Audits  
As you audit issues, you can use a keyboard combination to assign an analysis value to multiple  
selected issues.  
To assign an analysis value to multiple issues simultaneously:  
1. In the Issues view, select the issues that you want to assign the same analysis value.  
2. Press Ctrl + Shift + A (Cmd + Shift + A on macOS).  
Audit Workbench displays a window in the lower-right corner to indicate you are in Quick Audit  
Issue mode.  
Note: Do not hold this keyboard combination in the next step.  
3. Press one of the following number keys:  
• To assign Not an Issue, press 1
• To assign Reliability Issue, press 2
• To assign Bad Practice, press 3
• To assign Suspicious, press 4
• To assign Exploitable, press 5
• To assign a custom analysis value configured for your organization, press the number that corresponds to its position in the Analysis list on the Audit tab.
Shortcuts are provided for only the first ten values in the Analysis list. (To assign the tenth value in  
the list, you press Ctrl + Shift + A, and then press 0). If no value is listed for the key you press, no  
value is assigned.  
Performing Quick Audits for Custom Tags  
Instead of using the Analysis tag for quick audits, you can use a custom tag your organization has  
created.  
To use a custom tag for quick audits:  
1. Select Options > Options.  
2. In the left pane, select Audit Configuration, and then select the Configuration tab on the right.  
3. Under Quick Audit Preference, from the Attribute to use for quick action audit list, select a  
custom tag.  
Note: Only list-type tags are available to use for quick audits.  
If no custom tags have been created, the list only includes the Analysis tag.  
4. Click OK.  
The keyboard shortcut functions just as it does for the Analysis tag values. Shortcuts are provided for  
only the first ten values in the list of custom tag values. (To assign the tenth value in the list, you  
press Ctrl + Shift + A, and then press 0). If there is no value in the list for the key you press, no value  
is assigned.  
For information about custom tags, see "Configuring Custom Tags for Auditing" on page 90.  
Adding Screen Captures to Issues  
You can attach a screen shot or other image to an issue. Attached images are stored in the FPR file  
and are accessible from Micro Focus Fortify Software Security Center. The following image formats  
are supported:  
• GIF
• JPG
• PNG
To add an image to an issue:  
1. Select the issue.  
2. In the Issue Auditing pane, select the Screenshots tab.  
3. Click Add.  
4. In the New Screenshot dialog box, click Browse to find and select the image file.  
5. (Optional) In the Description box, type a description.  
6. Click Add.  
Viewing Images  
After you add an image to an issue, the image is displayed on the right side of the Screenshots tab.  
To view a full-size version of an image added to an issue:  
1. In the Issue Auditing pane, select the Screenshots tab.  
2. From the list of screenshots, click the image you want to view.
3. Click Preview.  
Creating Issues for Undetected Vulnerabilities  
You can add issues that the scan did not detect to the issues list. You can audit manually created issues on the Audit tab, just as you do other issues.
To create an issue:  
1. Select the object in the line of code in the source code tab.  
2. Right-click the line that contains the issue, and then select Create New Issue.  
The Create New Issue dialog box opens.  
3. Select the issue category, and then click OK.  
The issues list displays the file name and source code line number for the new issue next to a blue  
icon. The rule information in the Audit tab includes Custom Issue. You can edit the issue to include  
audit information, just as you can other issues.  
Suppressing Issues  
You can suppress issues that are either fixed or that you do not plan to fix.  
To suppress an issue, do one of the following:  
• In the Issues view, select the issue, and then, on the Audit tab in the Issue Auditing view, click Suppress.
• In the Issues view, right-click the issue, and then click Suppress Issue.
Note: You can select and suppress multiple issues at the same time.  
Suppression marks the issue and all future discoveries of this issue as suppressed. As such, it is a  
semi-permanent marking of a vulnerability.  
To display issues that have been suppressed, select Options > Show Suppressed Issues.  
To unsuppress an issue, first display the suppressed issues, and then do one of the following:  
• In the Issues view, select the suppressed issue, and then, on the Audit tab in the Issue Auditing view, click Unsuppress.
• Right-click the issue in the Issues view, and then select Unsuppress Issue.
Note: You can select and unsuppress multiple issues at the same time.  
Submitting an Issue as a Bug  
You can submit issues to your bug tracker application if integration between the applications has  
been configured.  
To submit an issue as a bug:  
1. Select the issue in the Issues view, and then, on the Audit tab, click File Bug.
When you submit a bug for the first time, the Configure Bugtracker Integration dialog box opens.
(For information about configuring the plugin with bug tracker applications, see "Integrating with  
a Bug Tracker Application" on page 98.) Select a bug tracker application, and then click OK.  
2. Specify all required values and review the issue description. Depending on the integration and  
your bug tracker application, the values include items such as the bug tracker application URL,  
product name, severity level, summary, and version.  
3. If the connection to the bug tracker requires a proxy, select the Use proxy check box.  
With this option selected, Fortify Audit Workbench uses the proxy settings specified for bug  
4. Click Submit.  
You must already be logged in before you can file a bug through the user interface for bug tracker  
applications that require a logon. The issue is submitted as a bug in the bug tracker application.  
If you use Fortify Software Security Center, you can submit an issue as a bug using a bug tracker  
application configured through Fortify Software Security Center.  
To submit an issue as a bug through Fortify Software Security Center:  
1. Select the issue in the Issues view, and then, on the Audit tab, click the File Bug icon.  
When you submit a bug for the first time, the Configure Bugtracker Integration dialog box opens.
Select Fortify Software Security Center, and then click OK.  
2. Specify the values if changes are needed and review the issue description. Depending on the  
integration and your bug tracker application, the values include items such as the bug tracker  
application URL, product name, severity level, summary, and version.  
3. Click Submit.  
If your bug tracker application requires you to log in, you must do so before you can file a bug  
through that interface.  
Correlation Justification  
A correlation occurs when an issue uncovered by one analyzer (Fortify WebInspect Agent, Fortify  
Static Code Analyzer, or Fortify WebInspect) is related directly or indirectly to an issue uncovered by  
another analyzer.  
Correlated events help you identify issues that have a higher probability of being exploited. A  
vulnerability that is linked to other vulnerabilities might represent an issue that has multiple points of  
entry. For example, if Fortify WebInspect scan results are correlated with Fortify Static Code Analyzer  
scan results, this increases the likelihood that the associated Fortify Static Code Analyzer issues are  
exploitable.  
Fortify Audit Workbench provides additional information to help you resolve these correlated issues  
and mitigate the risks they present. In Fortify Audit Workbench, this additional information is  
presented as Correlation Justification.  
Using Correlation Justification  
To use correlation justification:  
1. In the Issues view, select a correlated issue.  
A correlated issue is identified in the issues list by a blue sphere on the issue icon, as shown  
below.  
2. In the Issue Auditing view, select the Correlated Issues tab.  
The Correlated Issues tab lists the other issues that are correlated with the issue you first  
selected.  
Because you first selected a correlated issue, the View Correlations button is available.  
3. Click View Correlations.  
The Correlation Justification dialog box opens and displays the following three panes:  
• The correlated issues tree on the left displays all correlated issues within a correlated group, sorted based on analyzers.
• The relationship pane at the top right displays the correlation chain between issues. The chain describes any indirect or direct relationships between the two selected issues.
• The pane at the bottom right describes each correlation rule in the correlation chain displayed in the relationship pane.
4. To select two issues, press Ctrl, and then click each issue.  
The relationship pane displays the two issues and their relationships.  
5. To inspect the attributes that correlate the issues, move your cursor to each link in the  
relationship pane.  
6. Click OK.  
Use correlation justification to gain insight into code vulnerabilities and understand why certain  
issues are correlated. This can help to reduce the time it takes to remediate the issues.  
Penetration Test Results  
Fortify Audit Workbench supports import of XML for dynamic issues from Fortify WebInspect or from  
your own custom parser that produces results in an XML file.  
To create your own parser, write a class that implements the com.fortify.pub.issueparsing.AnalysisFileParser interface from the Fortify public API. It can use any of the classes and utilities from <sca_install_dir>/Core/lib/fortify-public-<version>.jar. See our API documentation in <sca_install_dir>/Samples/advanced/JavaDoc/public-api/index.html. The section for parsing scans and creating issues is in the com.fortify.pub.issueparsing package.
Viewing Penetration Test Results  
Pentest issues have an analyzer attribute equal to pentest and an analysis type attribute that reflects the tool or service (for instance, Fortify WebInspect issues have the WEBINSPECT analysis type). You can view these attributes through the standard grouping and search mechanisms.
After you select a pentest issue, Fortify Audit Workbench displays the penetration test details on the  
Pentest Details tab. The following table lists the penetration test details.  
Pentest Detail   Description
Request          Click the question mark icon to view the full request.
Path             URL without the context and parameters.
Referer          Referer header in the request.
Method           Either GET or POST.
Parameters       Parameters included in the HTTP query.
Cookies          Cookies included in the HTTP query.
Attack Type      Type of pentest attack conducted (URL, parameter, header, or cookie).
Attack Payload   Part of the request that causes the vulnerability.
Trigger          Part of the response that shows that a vulnerability occurred. To view the full response, click the question mark icon next to the trigger.
Chapter 6: Generating Analysis Reports  
Fortify Audit Workbench provides two types of analysis reports:  
• Reports based on the Business Intelligence and Reporting Technology (BIRT) system
• Legacy reports based on user-configurable report templates
BIRT Reports  
You can generate BIRT reports from Fortify Audit Workbench or from the command line. For  
information on how to generate BIRT reports from the command line using the BIRTReportGenerator  
utility, see the Micro Focus Fortify Static Code Analyzer User Guide.  
The following table describes the BIRT reports available.  
Report Template    Description
CWE Top 25
    This report lists the most widespread and critical weaknesses that can lead to serious software vulnerabilities (based on the National Vulnerability Database).
CWE/SANS Top 25
    This report details issues related to the CWE/SANS Top 25 Most Dangerous Programming Errors and provides information about where and how to fix the issues. It describes the technical risk posed by unremediated issues discovered during analysis and provides an estimate of the development effort needed to test, verify, and fix them.
Developer Workbook
    This report provides the information a developer needs to understand and fix the issues discovered during an application audit.
DISA CCI 2
    This report provides a standard identifier for policy-based requirements that connect high-level policy expressions and low-level technical implementations.
DISA STIG
    This report addresses DISA compliance based on STIG violations and provides information about where and how to fix the issues. It describes the technical risk posed by unremediated issues and provides an estimate of the development effort required to test, verify, and fix them.
FISMA Compliance: FIPS 200
    This report addresses FISMA compliance related to FIPS-200 through controls specified in NIST SP 800-53. It details policy violations and provides information about where and how to fix the issues. It describes the technical risks posed by unremediated violations and provides an estimate of the development effort required to test, verify, and fix them.
GDPR
    This report groups all detected issues that are relevant to privacy under the EU General Data Protection Regulation (GDPR) legislation. Use this as a framework to help identify and protect personal data as it relates to application security.
MISRA
    This report addresses compliance with either the Motor Industry Software Reliability Association (MISRA) C or C++ guidelines. The results focus on the security relevant guidelines and can be used to help create a compliance matrix for MISRA. This report describes the technical risk posed by the unremediated issues discovered during analysis and provides an estimate of the development effort needed to test, verify, and fix them.
OWASP ASVS 4.0
    This report groups detected issues based on the OWASP Application Security Verification Standard security requirements for secure development.
OWASP Mobile Top 10
    This report details the top ten OWASP mobile-related issues and provides information about where and how to fix them. It describes the technical risk posed by the unremediated issues discovered during analysis and gives an estimate of the development effort required to test, verify, and fix them.
OWASP Top 10
    This report details the top ten OWASP-related issues and provides information about where and how to fix them. It describes the technical risks posed by unremediated issues discovered during analysis and gives an estimate of the development effort required to test, verify, and fix the issues.
PCI DSS Compliance: Application Security Requirements
    This report summarizes the application security portions of PCI DSS. It includes tests for 21 application security-related requirements across sections 3, 4, 6, 7, 8, and 10 of PCI DSS and reports whether each requirement is either “In Place” or “Not In Place.”
PCI SSF Compliance: Secure Software Requirements
    This report summarizes the application security portions of PCI SSF. It includes tests for 23 application security-related control objectives across Control Objective sections 2, 3, 4, 5, 6, 7, 8, and A.2 of PCI SSF and reports whether each control objective is "In Place" or "Not In Place."
Generating BIRT Reports  
To generate a BIRT report:  
1. Select Tools > Reports > Generate BIRT Report.  
The Generate Report dialog box opens.  
2. From the Report Template list, select the type of report you want.  
3. From the Options list, select the template version (if multiple versions are available).  
4. Select the information to include in the report.  
Note: Not all options are available for all report types.  
a. To include detailed descriptions of reported issues, select the Detailed Report check box.  
b. To categorize issues by Fortify Priority instead of folder names, select the Categories By  
Fortify Priority check box.  
c. To include descriptions of key terminology in the report, select the Key Terminology check  
box.  
d. To include the About Fortify Solutions section in the report, select the About Fortify  
Solutions check box.  
5. To filter information from the report, click Issue Filter Settings.  
You can filter the issues as follows:  
• Click Removed to include removed issues in the report.
• Click Suppressed to include suppressed issues in the report.
• Click Hidden to include hidden issues in the report.
• Click Collapse Issues to collapse issues of the same sink and type into a single issue.
• Click Only My Issues to include only issues assigned to your user name.
• Click Advanced to build a search query to further filter the issues to include in the report. For more information about the search modifiers, see "Search Modifiers" on page 72.
6. From the Format list, select the format for the report (PDF, HTML, DOC, or XLS).  
Note: When you open the XLS file in Excel, you might get a warning that the file format and  
the file extension do not match. You can safely open the file in Excel.  
7. To specify an alternate location to save the report, click Browse and select a directory.  
8. Click Generate.  
9. If a report with the same file name already exists, you are prompted to either:  
• Click Overwrite to overwrite the existing report.
• Click Append Version Number to have the report saved to a file with a sequential number appended to the file name (for example: buildABC CWESANSTop25(1).pdf).
Legacy Reports and Templates  
The legacy reports include user-configurable report templates. Report templates provide several optional sections and subsections that gather and present specific types of data. For detailed descriptions of the report templates, see "Legacy Report Components" on page 149. You can generate legacy reports from Fortify Audit Workbench or from the command line using the ReportGenerator utility. For information on how to generate legacy reports from the command line, see the Micro Focus Fortify Static Code Analyzer User Guide.
The following sections provide information about the default reports and report templates,  
instructions on how to modify existing reports, and how to create your own reports.  
Generating Legacy Reports  
After you select a report template and specify report settings, you generate the report to view the  
results. You can save the report results in PDF or XML format.  
To run a report:  
1. Select Tools > Reports > Generate Legacy Report.  
2. Select a report template from the Report list.  
3. (Optional) Make changes to the report section settings.  
4. Click Save Report.  
The Save Report dialog box opens.  
5. Make any necessary changes to the report details, including its location and format.  
6. Click Save.  
Fortify Audit Workbench generates the report in the format you selected.  
Legacy Report Templates  
This section describes how to select and edit a legacy report template. You can modify legacy report templates from the Generate Legacy Report dialog box, or you can edit report templates directly in XML (see "Report Template XML Files" on page 125). If you or another user have edited or created other default report templates, you might not see the default report templates described in this section.
The legacy report templates include:
• Fortify Developer Workbook—Provides a comprehensive list of all categories of issues found and multiple examples of each issue. This report also gives a high-level summary of the number of issues in each category.
• Fortify Scan Summary—Provides high-level information based on the category of issues that Micro Focus Fortify Static Code Analyzer found as well as a project summary and a detailed project summary.
• Fortify Security Report—A mid-level report that provides comprehensive information on the analysis performed and the high-level details of the audit that was performed. It also provides a high-level description and examples of categories that are of the highest priority.
• OWASP Top Ten <year>—Provides high-level summaries of uncovered vulnerabilities organized based on the top ten issues that the Open Web Application Security Project (OWASP) has identified.
The following sections describe how to view report templates and customize them to address your  
reporting needs.  
Selecting Legacy Report Sections  
You can choose sections to include in the report.  
To select the sections that you want to include in a report:  
1. Click a section title to view the contents of the section.  
The section details are displayed to the right of the dialog box.  
2. To include a section in the report, select the section title check box in the list on the left side.  
3. To remove a section from the report, clear the check box next to the section title.  
For instructions on how to edit each section, see "Editing Legacy Report Subsections" on the next  
page.  
Opening Legacy Report Templates  
To open a report template:  
1. Select Tools > Reports > Generate Legacy Report.  
The Generate Report dialog box opens.  
2. Select a report template from the Report list.  
The Generate Report dialog box displays the report template settings.  
Editing Legacy Report Subsections  
When you select a section title, you can edit the contents that are displayed in the report. You can edit  
text, add or change text variables, or customize the issues shown in a chart or results list.  
Editing Text Subsections  
To edit a text subsection:  
1. Select the check box next to the subsection title to include this text in the report.  
A description of the text is displayed below the subsection title.  
2. Click Edit Text.  
The text box displays the text and variables to include in the report.  
3. Edit the text and text variables.  
As you edit text subsections, you can insert variables that are defined when you run the report. The  
following table describes these variables.  
Variable                          Description
$AUDIT_GUIDE_SUMMARY$             List of filters created with answers to Audit Guide Wizard questions
$CLASSPATH_LISTING$               JAR files used in the scan, one relative path per line
$COMMANDLINE_ARGS$                Complete list of command-line options (same format as project summary)
$FILE_LISTING$                    List of scanned files, each in the format:
                                  <relative_file_path> # Lines # kb <timestamp>
$FILTERSET_DETAILS$               List of filters the current filter set uses
$FILTERSET_NAME$                  Name of the current filter set
$FORTIFY_SCA_VERSION$             Micro Focus Fortify Static Code Analyzer version
$LIBDIR_LISTING$                  Libdirs specified for the scan, one relative path per line
$LOC$                             Total lines of code
$NUMBER_OF_FILES$                 Total number of files scanned
$PROJECT_BUILD_LABEL$             Build label of project
$PROJECT_NAME$                    Build ID
$PROPERTIES$                      Complete list of properties set for the analysis phase (same format as project summary)
$RESULTS_CERTIFICATION$           Complete certification detail with a list of validity on a per file basis (same format as project summary)
$RESULTS_CERTIFICATION_SUMMARY$   Short description of certification (same format as project summary)
$RULEPACKS$                       Complete list of Rulepacks used for the analysis (same format as project summary)
$SCAN_COMPUTER_ID$                Hostname of machine on which the scan was performed
$SCAN_DATE$                       Date of analysis with the default format style for the locale
$SCAN_SUMMARY$                    Summary of codebase scanned in format # files, # lines of code
$SCAN_TIME$                       Time of analysis phase
$SCAN_USER$                       Username for the user who performed the scan
$SOURCE_BASE_PATH$                Source base path of codebase
$TOTAL_FINDINGS$                  Number of issues, not including suppressed and removed issues
$VERSION_LABEL$                   Label of the scanned project (available only if the Fortify Static Code Analyzer -build-label option was used in the scan)
$WARNINGS$                        Complete list of warnings that occurred
$WARNING_SUMMARY$                 Number of warnings found in scan
Editing Results List Subsections  
To edit a result list subsection:  
1. Select the check box next to the subsection title to include this text in the report.  
A description of the results list is displayed below the subsection title.  
2. Click the issues list heading to expand the options.  
3. Select the attributes used to group the results list.  
If you group by category, the recommendations, abstract, and explanation for the category are also included in the report. For the list of attributes to group by, see "Grouping Issues" on page 62.
4. (Optional) To refine the issues shown in this subsection with a search query, click Advanced.  
For information about the search syntax, see "Searching for Issues" on page 71.  
5. Select or clear the Limit number of Issues in each group check box.  
6. If you selected the check box, type the number of issues to display per group.  
Editing Chart Subsections  
To edit a chart subsection:  
1. Select the check box next to the subsection title to include this text in the report.  
A chart description is displayed below the subsection title.  
2. Select the attributes used to group the chart data.  
For the list of attributes to group by, see "Grouping Issues" on page 62.  
3. (Optional) To refine the issues shown in this subsection with a search query, click Advanced.  
For information about the search syntax, see "Searching for Issues" on page 71.  
4. Select the chart format (table, pie, or bar).  
Saving Legacy Report Templates  
You can save the current report settings as a new template that you can select later to run more  
reports.  
To save settings as a report template:  
1. Select Tools > Generate Legacy Report.  
The Generate Report dialog box opens.  
2. Select the report template from the Report list.  
3. Make changes to the report section and subsection settings.  
4. Click Save as New Template.  
When you select the report template name from the Report list, the report settings are displayed in  
the Generate Report dialog box.  
Saving Changes to Legacy Report Templates  
You can save changes to a report template so that your new settings are displayed as the defaults for  
that template.  
To save changes to a report template:
1. Select Tools > Generate Legacy Report.  
The Generate Report dialog box opens.  
2. Select the report template to save as the default report template from the Report list.  
3. (Optional) Make changes to the report section and subsection settings.  
4. Click Save Settings as Default.  
Report Template XML Files  
Report templates are saved as XML files. You can edit the XML files to make changes or to create new  
report template files. When you edit the XML files, you can choose the sections and the contents of  
each section to include in the report template.  
The default location for report template XML files is:  
<sca_install_dir>/Core/config/reports  
To customize the logos used in the reports, you can replace header.jpg and footer.jpg in this  
directory.  
Adding Legacy Report Sections  
You can add report sections by editing the XML files. In the structure of the XML, the ReportSection element defines a new section. It includes a Title element for the section name, and it must include at least one SubSection element to define the contents of the section in the report. The following XML is the Results Outline section of the Fortify Security Report:
<ReportSection enabled="true" optionalSubsections="true">  
<Title>Results Outline</Title>  
<SubSection enabled="true">  
<Title>Overall number of results</Title>  
<Description>Results count</Description>  
<Text>The scan found $TOTAL_FINDINGS$ issues.</Text>  
</SubSection>  
<SubSection enabled="true">  
<Title>Vulnerability Examples by Category</Title>  
<Description>Results summary for critical and high priority issues.  
Vulnerability examples are provided by category.  
</Description>  
<IssueListing limit="1" listing="true">  
<Refinement>[fortify priority order]:critical OR  
[fortify priority order]:high</Refinement>  
<Chart chartType="list">  
<Axis>Category</Axis>  
</Chart>  
</IssueListing>  
</SubSection>  
</ReportSection>  
In the previous example, the Results Outline section contains two subsections. The first  
subsection is a text subsection named Overall number of results. The second subsection is a  
results list named Vulnerability Examples by Category. A section can contain multiple  
subsections.  
Adding Report Subsections  
In the report sections, you can add subsections or edit subsection content. Subsections can generate  
text, results lists, or charts.  
Adding Text Subsections  
In a text subsection, you can include the Title element, the Description element, and the Text  
element. In the Text element, you can provide the default content, although you can edit the content  
before you generate a report. For a description of the text variables available to use in text  
subsections, see "Editing Legacy Report Subsections" on page 121. The following XML is the  
Overall number of results subsection in the Results Outline section:  
<SubSection enabled="true">  
<Title>Overall number of results</Title>  
<Description>Results count</Description>  
<Text>The scan found $TOTAL_FINDINGS$ issues.</Text>  
</SubSection>  
In this example, the text subsection is titled Overall number of results. The text to describe the  
purpose of the text is Results count. The text in the text field that the user can edit before running  
a report uses one variable named $TOTAL_FINDINGS$.  
Adding Results List Subsections  
In a results list subsection, you can include the Title element, the Description element, and the  
IssueListing element. In the IssueListing element, you can define the default content for the  
limit and set listing to true. You can include the Refinement element either with or without a  
default statement, although you can edit the content before you generate a report. To generate a  
results list, the Chart element attribute chartType is set to list. You can also define the Axis  
element. The following XML is the Vulnerability Examples by Category subsection in the  
Results Outline section:  
<SubSection enabled="true">  
<Title>Vulnerability Examples by Category</Title>  
<Description>Results summary of the highest severity issues.  
Vulnerability examples are provided by category.</Description>  
<IssueListing limit="1" listing="true">  
<Refinement>[fortify priority order]:critical OR  
[fortify priority order]:high</Refinement>  
<Chart chartType="list">  
<Axis>Category</Axis>  
</Chart>  
</IssueListing>  
</SubSection>  
In this example, the results list subsection is titled Vulnerability Examples by Category. The text to describe the purpose of the subsection is Results summary of the highest severity issues. Vulnerability examples are provided by category. This subsection lists (listing="true") one issue (limit="1") per Category (the Axis element value) where there are issues that match the statement [fortify priority order]:critical OR [fortify priority order]:high (the value of the Refinement element).
Adding Charts Subsections  
In a chart subsection, you can include the Title element, the Description element, and the  
IssueListing element. In the IssueListing element, you can define the default content for the  
limit and set listing to false. You can include the Refinement element either with or without a  
default statement, although you can edit the content before generating a report. To generate a pie  
chart, the Chart element's attribute chartType is set to pie. The options are table, pie, and bar.  
You can change this setting before you generate the report. You can also define the Axis element.  
The following code shows an example of a chart subsection:  
<SubSection enabled="true">  
<Title>New Issues</Title>  
<Description>A list of issues discovered since the previous  
analysis.</Description>  
<Text>The following issues have been discovered since the  
last scan.</Text>  
<IssueListing limit="-1" listing="false">  
<Refinement />  
<Chart chartType="pie">  
<Axis>New Issue</Axis>  
</Chart>  
</IssueListing>  
</SubSection>  
In this subsection, a chart (limit="-1" listing="false") has the title New Issues and a text section that contains the text The following issues have been discovered since the last scan. This chart includes all issues (the Refinement element is empty) and groups the issues on the value of New Issue (the value of the Axis element). This chart is displayed as a pie chart (chartType="pie").
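As an added example, not code from this guide or from Fortify's own ReportGenerator utility, the following Python script checks a legacy report template against the structural rules stated in the sections above (a ReportSection needs a Title and at least one SubSection; a results list uses listing="true" with chartType="list"; a chart uses listing="false" with table, pie, or bar) and expands the $VARIABLE$ placeholders listed under "Editing Text Subsections". The element and attribute names are taken from the XML shown above; the <Report> root that wraps the fragments, the second variable in the first Text element, and the scan values used for expansion are constructed assumptions, since the guide does not show the full template file.

```python
# Added example (not Fortify's own ReportGenerator): validate a legacy report
# template and expand its $VARIABLE$ placeholders. Element and attribute names
# follow the guide's XML; the <Report> root wrapping the fragments is assumed.
import re
import xml.etree.ElementTree as ET

# Constructed template: the guide's Results Outline section plus its New Issues
# chart subsection, with a second variable added to the first Text element.
TEMPLATE_XML = """<Report>
  <ReportSection enabled="true" optionalSubsections="true">
    <Title>Results Outline</Title>
    <SubSection enabled="true">
      <Title>Overall number of results</Title>
      <Description>Results count</Description>
      <Text>The scan found $TOTAL_FINDINGS$ issues in $NUMBER_OF_FILES$ files.</Text>
    </SubSection>
    <SubSection enabled="true">
      <Title>Vulnerability Examples by Category</Title>
      <IssueListing limit="1" listing="true">
        <Refinement>[fortify priority order]:critical OR [fortify priority order]:high</Refinement>
        <Chart chartType="list"><Axis>Category</Axis></Chart>
      </IssueListing>
    </SubSection>
    <SubSection enabled="true">
      <Title>New Issues</Title>
      <Text>The following issues have been discovered since the last scan.</Text>
      <IssueListing limit="-1" listing="false">
        <Refinement />
        <Chart chartType="pie"><Axis>New Issue</Axis></Chart>
      </IssueListing>
    </SubSection>
  </ReportSection>
</Report>
"""

CHART_TYPES = {"list", "table", "pie", "bar"}  # chartType values the guide names
VARIABLE_RE = re.compile(r"\$([A-Z_]+)\$")     # $NAME$ placeholders in Text
KNOWN_VARIABLES = {  # the text variables listed in the guide's table
    "AUDIT_GUIDE_SUMMARY", "CLASSPATH_LISTING", "COMMANDLINE_ARGS", "FILE_LISTING",
    "FILTERSET_DETAILS", "FILTERSET_NAME", "FORTIFY_SCA_VERSION", "LIBDIR_LISTING", "LOC",
    "NUMBER_OF_FILES", "PROJECT_BUILD_LABEL", "PROJECT_NAME", "PROPERTIES", "RESULTS_CERTIFICATION",
    "RESULTS_CERTIFICATION_SUMMARY", "RULEPACKS", "SCAN_COMPUTER_ID", "SCAN_DATE", "SCAN_SUMMARY",
    "SCAN_TIME", "SCAN_USER", "SOURCE_BASE_PATH", "TOTAL_FINDINGS", "VERSION_LABEL", "WARNINGS",
    "WARNING_SUMMARY",
}


def validate_template(xml_text):
    """Return structural problems found; an empty list means the template follows the guide's rules."""
    problems = []
    for section in ET.fromstring(xml_text).iter("ReportSection"):
        title = section.findtext("Title") or "<untitled>"
        if not section.findtext("Title"):
            problems.append("ReportSection without a Title element")
        subsections = section.findall("SubSection")
        if not subsections:  # a section must define at least one subsection
            problems.append(f"section '{title}' has no SubSection")
        for sub in subsections:
            sub_title = sub.findtext("Title") or "<untitled>"
            if not sub.findtext("Title"):
                problems.append(f"SubSection in '{title}' without a Title element")
            listing = sub.find("IssueListing")
            if listing is None:
                continue  # a pure text subsection
            chart = listing.find("Chart")
            chart_type = chart.get("chartType") if chart is not None else None
            if chart_type not in CHART_TYPES:
                problems.append(f"'{sub_title}': chartType must be one of {sorted(CHART_TYPES)}")
            # Results lists are listing="true" with chartType="list"; charts are
            # listing="false" with table, pie or bar (the guide's chart options).
            is_listing = listing.get("listing")
            if is_listing == "true" and chart_type != "list":
                problems.append(f"'{sub_title}': a results list needs chartType=\"list\"")
            elif is_listing == "false" and chart_type == "list":
                problems.append(f"'{sub_title}': a chart needs table, pie or bar")
            elif is_listing not in ("true", "false"):
                problems.append(f"'{sub_title}': listing must be \"true\" or \"false\"")
    return problems


def unknown_variables(xml_text):
    """Names used as $NAME$ in Text elements that the guide does not define."""
    used = set()
    for text_el in ET.fromstring(xml_text).iter("Text"):
        used.update(VARIABLE_RE.findall(text_el.text or ""))
    return used - KNOWN_VARIABLES


def expand_variables(text, values):
    """Substitute $NAME$ from values; unresolved placeholders stay visible instead of vanishing."""
    return VARIABLE_RE.sub(lambda m: str(values.get(m.group(1), m.group(0))), text)


def render_text_subsections(xml_text, values):
    """(title, expanded text) for every enabled SubSection that has a Text element."""
    rendered = []
    for sub in ET.fromstring(xml_text).iter("SubSection"):
        text_el = sub.find("Text")
        if text_el is not None and sub.get("enabled", "true") == "true":
            rendered.append((sub.findtext("Title"), expand_variables(text_el.text or "", values)))
    return rendered
```

Running validate_template and unknown_variables over a template before you drop it into <sca_install_dir>/Core/config/reports catches the two mistakes that are otherwise only discovered at report time: a listing/chartType pair that does not match, and a misspelled variable that would be printed literally into the report. Unresolved placeholders are deliberately left in the output so that a missing value is visible to the reviewer rather than silently blank.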
Chapter 7: Using the Functions View  
Fortify Static Code Analyzer identifies all functions declared or called in your source code. You can use  
the Functions view in Fortify Audit Workbench to determine where a function is located in the source  
code, whether a security rule covered the function, and which rule IDs matched the function. You can  
also list the functions that Fortify Static Code Analyzer identified as tainted source and view only the  
functions not covered by rules applied in the most recent scan.  
Opening the Functions View  
To open the Functions view:  
1. Select Options > Show View > Functions.  
Fortify Audit Workbench displays the Functions view in the top-right.  
2. To view coverage information about top-level (global) functions, expand the Top-level  
functions node.  
3. To view descriptions of the icons displayed to the left of each function, click Legend.
• Function Not Covered by Rules
This function does not have any rules associated with it.
Note: It is not necessary to have a rule for every function in an application because not all functions have a security impact.
• Function Covered by Rules
This function is covered by one or more rules; however, the rules are never triggered.
• Function Covered by Rules and has Matching Rules
This function is covered by one or more rules and at least one of them triggered. This does not necessarily mean an issue has been found. For example, a tainted data source rule matches the source function but the tainted data that entered the function does not reach a sink.
Sorting and Viewing Functions  
To change the order of, or to hide or show functions:  
1. Open the Functions view.  
2. From the Show list, select one of the following:
• To display all functions, select All.
• To display functions not covered by rules, select Not Covered by Rules.
• To display functions that the Rulepack used in the most recent scan has identified as a source of tainted data, select Taint Sources.
3. From the Group By list, select one of the following sorting methods:
• To sort functions based on package, select package.
• To sort listed functions by class, select class.
• To sort listed functions alphabetically, select function.
4. Under Include API:
• To show functions in external classes, select the External check box.
• To show functions in internal classes, select the Internal check box.
• To show functions in superclasses, select the Superclasses check box.
Fortify Audit Workbench updates the Functions view.  
Locating Functions in Source Code  
From the Functions view, you can list the file name and line number where the function occurs in the  
source code.  
To show where a function is located in the code:  
1. In the Functions view, right-click a function, and then select Find Usages.  
The Search view (at center bottom) lists the file locations and line numbers in which the function  
is used.  
2. To jump to a line of code where the function is used, click the corresponding row in the Search  
view.  
Synchronizing the Functions View with the Analysis  
Trace View  
You can synchronize the Functions view with the Analysis Trace view so that, after you select an  
issue or a trace node from the Analysis Trace view, the Functions view automatically displays the  
class that contains the selected item of evidence. This makes it easy for you to inspect other methods  
in that class, other classes in that package, and so on.  
To synchronize the Functions view with the Analysis Trace view:  
1. In the Functions view, from the Group By list, select class.  
2. In the top-right corner of the Analysis Trace view, click the Synchronize with Functions View  
icon.  
The Functions view displays the class that contains the item you selected in the Analysis Trace  
view.  
The Synchronize with Functions View icon toggles synchronization. To turn off synchronization, click Synchronize with Functions View again.
Locating Classes in Source Code  
To see where classes are used in the source code:  
1. In the Functions view, right-click a class, and then select Find Usages.
The Search view (at center bottom) lists the file locations and line numbers in which the class is  
used.  
2. To jump to a line of code where the class is used, click the corresponding row in the Search view.  
For functions defined in the source code, you can open the declaration in the Source view by  
right-clicking a function and then selecting Open Declaration. The source code is displayed with the  
line highlighted. Alternatively, you can double-click functions to display the declaration.  
Determining Which Rules Matched a Function  
You can display the Rule ID for all the rules that matched a function. When rules match a function, a  
green circle icon is displayed next to it.  
Micro Focus Fortify Static Code Analyzer can match a rule to functions without finding an issue  
related to the rule. For example, a tainted data source rule matches the source function but the  
tainted data entering at that function does not reach a sink.  
Note: To use the rule ID to locate related issues, see "Searching for Issues" on page 71, or create  
visibility or folder filters.  
To display the rule IDs:  
1. Open a project in Fortify Audit Workbench.  
2. Open the Functions view.  
3. Right-click a function, and then select Show Matched Rules.  
The Search view (at center bottom) lists the rule IDs with the vulnerability category name (if  
applicable) and the Rulepack file name.  
Writing Rules for Functions  
You can launch the Custom Rule Wizard from the Functions view.  
To write a rule for a function:  
1. Open a project in Fortify Audit Workbench.  
2. Open the Functions view.  
3. To create a rule:  
a. Right-click a function, and then select Generate Rule for Function.  
The Custom Rule Wizard opens.  
b. Select the rule that best matches the behavior or vulnerability category.  
c. Provide the information the wizard directs, and save the new rule to a custom Rulepack.  
4. To rescan the translated files with the custom Rulepack:  
a. Select Options > Options.  
b. In the left pane, select Security Content Management.  
c. Click Import Custom Security Content.  
d. Browse to and select the custom Rulepack, and then click Open.  
e. Click OK to close the Options dialog box.  
f. Click Scan.  
After the scan is completed, the project is updated.  
5. Click OK.  
6. To verify that the rule matched the function:  
a. Right-click the function, and then select Show Matched Rules.  
b. Verify that at least one rule ID matches the ID of the rule you created.  
The function is now covered by a custom Rulepack and is displayed with a green circle next to it.  
Creating Custom Cleanse Rules  
You can create custom cleanse rules for specific functions from Fortify Audit Workbench.  
To create a cleanse rule for a function:  
1. Right-click the function, and then select Generate Rule for Function.  
The Custom Rule Wizard opens.  
2. In the templates list, expand the DataflowCleanseRule folder, and then select Generic  
Validation Rule.  
3. Click Next.  
4. On the Rule Language step, select the source code language, and then click Next.  
5. On the Validation Function Information step, type the regular expressions for the package,  
class, and function.  
6. Verify that the information is correct, and then click Next.  
7. Select the argument to cleanse, and then click Next.  
8. Select the Rulepack to which you want to add the rule, and then click Finish.  
Chapter 8: Troubleshooting  
The following topics provide information on how to troubleshoot problems you might encounter  
working with Fortify Audit Workbench and how to report an issue to Micro Focus Fortify Customer  
Support.  
Creating Archive Logs for Micro Focus Fortify Customer Support  
You can have Fortify Audit Workbench create an archive file that you can later send to Micro Focus  
Fortify Customer Support to help resolve any support issues that might arise. The file includes your  
Fortify Audit Workbench logs and system properties.  
To create an archive of your Fortify Audit Workbench logs and system properties:  
1. In the Fortify Audit Workbench menu bar, select Help > Contact Fortify Product Support.  
2. In the Create Fortify support archive? dialog box, click Yes.  
3. Navigate to the folder where you want to save the archive file.  
4. Accept the default file name displayed in the File name box, or change it.  
5. Click Save.  
The Save Successful dialog box opens.  
6. To contact Micro Focus Fortify Customer Support and supply the archive file, follow the  
instructions provided in the Save Successful dialog box.  
7. Click OK.  
Using the Debug Option  
If you encounter errors, you can enable the debug option to help troubleshoot.  
To enable debugging:  
1. Navigate to the <sca_install_dir>/Core/config directory and open the fortify.properties file.  
2. You can either enable debug mode for all Micro Focus Fortify Static Code Analyzer tools or for  
specific tools. Remove the comment tag (#) from in front of the property and set the value to  
true.  
Property: com.fortify.Debug  
Description: If set to true, all the Fortify Static Code Analyzer tools run in debug mode.  
Property: com.fortify.awb.Debug  
Description: If set to true, Fortify Audit Workbench runs in debug mode.  
Property: com.fortify.eclipse.Debug  
Description: If set to true, the Eclipse Complete Plugin runs in debug mode.  
Property: com.fortify.VS.Debug  
Description: If set to true, Fortify Extension for Visual Studio runs in debug mode.  
Locating Log Files  
For help diagnosing a problem, provide log files to Micro Focus Fortify Customer Support.  
On Windows systems, the default Fortify log files are in the following directories:  
• C:\Users\<username>\AppData\Local\Fortify\sca<version>\log  
  The log files in this directory are only available if you analyze the code with Micro Focus Fortify  
  Static Code Analyzer.  
• C:\Users\<username>\AppData\Local\Fortify\AWB-<version>\log  
• C:\Users\<username>\AppData\Local\Fortify\AWB-<version>\.metadata  
On Linux and macOS systems, the default Fortify log files are in the following directories:  
• <userhome>/.fortify/sca<version>/log  
  The log files in this directory are only available if you analyze the code with Fortify Static Code  
  Analyzer.  
• <userhome>/.fortify/AWB-<version>/log  
• <userhome>/.fortify/AWB-<version>/.metadata  
Addressing the org.eclipse.swt.SWTError Error  
On Linux systems, Fortify Audit Workbench can fail to start, resulting in the following error:  
org.eclipse.swt.SWTError: No more handles [gtk_init_check() failed]  
If you see this error, check to make sure that X11 is configured correctly and that your DISPLAY  
variable is set.  
Out of Memory Errors  
The following two scenarios can trigger out-of-memory errors in Fortify Audit Workbench:  
• Opening or auditing a large and complex FPR file  
• Running a scan on a large and complex project  
As a guideline, assuming no other memory-intensive processes are running, do not allocate more than  
two thirds of the available system memory.  
Allocating Additional Memory for Fortify Audit Workbench  
To increase the memory allocated for Fortify Audit Workbench, set the environment variable  
AWB_VM_OPTS. (For example, set AWB_VM_OPTS=-Xmx4G to allocate 4 GB to Fortify Audit Workbench.) If  
you choose to set AWB_VM_OPTS, do not allocate more memory than is physically available.  
Overallocation degrades performance.  
In Fortify Audit Workbench, issue information is persisted to disk. This persisted information is  
reloaded on demand and thereby decreases the required memory footprint of Fortify Audit  
Workbench. To prevent out-of-memory errors, you can set a value in the fortify.properties file  
to take advantage of the information persisted to disk functionality. Set the value as follows:  
com.fortify.model.PersistDataToDisk = true  
Allocating Additional Memory for Fortify Static Code Analyzer  
To increase the memory allocated for Fortify Static Code Analyzer, do one of the following:  
• In the Advanced Static Analysis wizard, increase the amount of memory Fortify Static Code  
  Analyzer uses for scanning. This passes the memory allocation option to Fortify Static Code  
  Analyzer. This method does not require restarting Fortify Audit Workbench. See "Scanning Large  
• Before you start Fortify Audit Workbench, set the environment variable SCA_VM_OPTS. For  
  example, to allocate 32 GB to Fortify Static Code Analyzer, set the variable to -Xmx32G.  
  Note: If you choose to set SCA_VM_OPTS, do not allocate more memory than is physically  
  available. Overallocation degrades performance.  
Specifying the Amount of Memory used by External Processes  
You can specify how much memory external processes such as the Instance ID Migrator (iidmigrator)  
use by specifying the com.fortify.model.ExecMemorySetting setting in the  
fortify.properties file. The default setting is as follows:  
com.fortify.model.ExecMemorySetting=600  
The value for this setting, which is expressed in MB, is used to specify the maximum heap size. In this  
case, 600 equates to -Xmx600M.  
Saving a Project That Exceeds the Maximum Removed Issues Limit  
When you save a project that has more than the maximum number of removed issues, Fortify Audit  
Workbench displays the following warning message:  
Your project contains more than <removed_issues_limit> removed issues.  
Would you like to persist them all, or limit the number to <removed_issues_limit>?  
If you limit the number, audited removed issues will take precedence over  
unaudited ones.  
Choose Limit to limit the number of issues to the maximum or Save All to save all the removed  
issues. The maximum number of removed issues <removed_issues_limit> is controlled by the  
com.fortify.RemovedIssuePersistanceLimit property. See Micro Focus Fortify Static Code  
Analyzer Tools Properties Reference Guide for more information.  
To configure how Fortify Audit Workbench handles this issue for future occurrences:  
1. Select Options > Options.  
2. In the left pane, select Audit Configuration.  
3. Select the Configuration tab.  
4. Under Save Audit Project Options, specify one of the following configuration settings:  
• Limit removed issues to the maximum number  
• Save all removed issues every time  
• Prompt me next time  
5. Click OK.  
Resetting the Default Views  
If you have closed or moved views, such as the Issues view or the Audit tab, you can reset the user  
interface to restore the views to the default state.  
To reset the user interface to the default state:  
1. Select Options > Options.  
2. In the left pane, click Audit Configuration.  
3. On the Appearance tab, click Reset Interface.  
Appendix A: Sample Projects  
Your Fortify SCA and Applications installation might include several code samples that you can use  
when learning to use Fortify Static Code Analyzer. If you installed the samples, they are in the  
following directory:  
<sca_install_dir>/Samples  
The Samples directory contains two subdirectories: basic and advanced. Each code sample includes  
a README.txt file that provides instructions on how to scan the code in Fortify Static Code Analyzer  
and view the output in Fortify Audit Workbench.  
The basic subdirectory includes an assortment of simple language-specific code samples. The  
advanced subdirectory contains more advanced samples including source code to help you integrate  
Fortify Static Code Analyzer with your bug tracker applications.  
Basic Samples  
The following table describes the sample files in the <sca_install_dir>/Samples/basic directory  
and provides a list of the vulnerabilities that the samples demonstrate. Many of the samples include a  
README.txt file that provides details and instructions on their use.  
Folder Name: cpp  
  Description: A C++ sample file and instructions to analyze code that has a simple dataflow  
  vulnerability. Fortify analysis requires a gcc or cl compiler.  
  Vulnerabilities: Command Injection; Memory Leak  
Folder Name: database  
  Description: A database.pks sample file. This SQL sample includes issues in SQL code.  
  Vulnerabilities: Access Control: Database  
Folder Name: eightball  
  Description: A Java application (EightBall.java) that exhibits bad error handling. It requires an  
  integer argument. If you supply a file name instead of an integer, it displays the file contents.  
  Vulnerabilities: Path Manipulation; Unreleased Resource: Streams; Unchecked Return Value;  
  J2EE Bad Practices: Leftover Debug Code  
Folder Name: java13  
  Description: A Java 13 Sample.java file.  
  Vulnerabilities: Privacy Violation; Insecure Randomness: Hardcoded Seed; J2EE Bad Practices:  
  Leftover Debug Code  
Folder Name: java14  
  Description: A Java 14 Sample.java file.  
  Vulnerabilities: Privacy Violation; J2EE Bad Practices: Leftover Debug Code  
Folder Name: formatstring  
  Description: The formatstring.c file. Fortify analysis requires a gcc or cl compiler.  
  Vulnerabilities: Format String  
Folder Name: javascript  
  Description: The sample.js JavaScript file.  
  Vulnerabilities: Cross Site Scripting (XSS); Open Redirect; Privacy Violation  
Folder Name: nullpointer  
  Description: The NullPointerSample.java file.  
  Vulnerabilities: Null Dereference  
Folder Name: php  
  Description: Two PHP files: sink.php and source.php. Analyzing source.php reveals simple dataflow  
  vulnerabilities and a dangerous function.  
  Vulnerabilities: Cross Site Scripting; SQL Injection  
Folder Name: sampleOutput  
  Description: A sample output file (WebGoat5.0.fpr) from a WebGoat project.  
Folder Name: stackbuffer  
  Description: The stackbuffer.cpp file. Analysis of this sample with Fortify Static Code Analyzer  
  requires a g++ or cl compiler.  
  Vulnerabilities: Buffer Overflow  
Folder Name: toctou  
  Description: The toctou.c file. Analysis of this sample with Fortify Static Code Analyzer requires a  
  gcc or cl compiler.  
  Vulnerabilities: Time-of-Check/Time-of-Use (Race Condition)  
Folder Name: vb6  
  Description: The command-injection.bas file.  
  Vulnerabilities: Command Injection; SQL Injection  
Folder Name: vbscript  
  Description: The source.asp and sink.asp files.  
  Vulnerabilities: SQL Injection  
Advanced Samples  
The following table describes the samples in the <sca_install_dir>/Samples/Advanced directory.  
Many of the samples include a README.txt file that describes how to analyze the sample and the  
vulnerabilities that are detected in the analysis.  
Folder Name: BugTrackerPlugin<bug_tracker>  
  Description: Source code for supported bug tracker plugins.  
Folder Name: c++  
  Description: A sample solution for supported versions of Visual Studio. To use this sample, you  
  must have the following installed:  
  • A supported version of Visual Studio Visual C/C++  
  • Fortify Static Code Analyzer  
  • To analyze the sample from Visual Studio as described in the README.txt file, you must have  
    the Fortify Extension for Visual Studio installed for your Visual Studio version  
  The code includes a Command Injection issue and an Unchecked Return Value issue.  
Folder Name: configuration  
  Description: A sample Java EE application that has vulnerabilities in its web module deployment  
  descriptor web.xml.  
Folder Name: crosstier  
  Description: A sample that has vulnerabilities that span multiple application technologies (Java,  
  PL/SQL, JSP, and struts). The analysis results contain several issues of different types, including  
  two Access Control vulnerabilities. One of these is a cross-tier result. It has a dataflow trace from  
  user input in Java code that can affect a SELECT statement in PL/SQL.  
Folder Name: csharp  
  Description: A simple C# program that has SQL Injection vulnerabilities. Versions are included for  
  each supported version of Visual Studio. Analysis of the Visual Studio 2017 and 2019 samples  
  reveals SQL Injection, Unreleased Resource, Password Management: Hardcoded Password, and  
  Path Manipulation vulnerabilities. Analysis of the Visual Studio 2022 sample reveals Command  
  Injection vulnerabilities. Other vulnerability categories might also be present, depending on the  
  Rulepack version used in the scan.  
Folder Name: customrules  
  Description: Several simple source code samples and Rulepack files that illustrate how four  
  different analyzers (Semantic, Dataflow, Control Flow, and Configuration) interpret rules. This  
  folder also includes several miscellaneous samples of real-world rules that you can use to scan  
  real applications.  
Folder Name: ejb  
  Description: A sample Java EE cross-tier application with Servlets and EJBs.  
Folder Name: filters  
  Description: A sample that uses the Fortify Static Code Analyzer -filter option.  
Folder Name: javaAnnotations  
  Description: A sample application that illustrates problems that might arise from its use and how  
  to fix the problems with the Fortify Java Annotations. This example illustrates how the use of  
  Fortify Annotations can result in increased accuracy in the reported vulnerabilities. The  
  README.txt file describes the Fortify Java Annotations and the potential problems and solutions  
  associated with the sample application.  
Folder Name: JavaDoc  
  Description: JavaDoc directory for the public-api and WSClient.  
Folder Name: javaWebApp  
  Description: A sample Java web application.  
Folder Name: swift  
  Description: The iGoat-Swift folder contains the iGoat-Swift source provided by the Open Web  
  Application Security Project (OWASP). To analyze this project, you must have a supported  
  xcodebuild version installed.  
Appendix B: Static Analysis Results Prioritization  
The following topics describe how Fortify Static Code Analyzer automatically prioritizes the scan  
results displayed in Fortify Audit Workbench.  
About Results Prioritization  
Fortify Static Code Analyzer divides static analysis findings into four risk quadrants: critical, high,  
medium, and low. Membership in each quadrant depends on whether the finding has a high or low  
impact and high or low likelihood of occurring.  
When Fortify Static Code Analyzer produces a results file, automated processing and human review  
can convert issues into findings. Findings, which represent specific problems with the codebase,  
sometimes map one-to-one with issues. However, in other cases, multiple related issues might be  
combined into a single finding. For example, every form that submits a request without including a  
unique token might produce an issue related to Cross-Site Request Forgery (CSRF), but these issues  
are more useful when they are combined into a single finding that indicates the application is  
vulnerable to CSRF attacks.  
On occasion, the static analysis process goes wrong. Depending on the rules and the analysis  
algorithms used, a static analysis can produce false positives (reported vulnerabilities where no  
vulnerabilities exist) or false negatives (unreported vulnerabilities) or both.  
Quantifying Risk  
Because it is not possible to determine if or when an organization will suffer consequences related to  
a vulnerability, Fortify Static Code Analyzer takes a probabilistic approach to prioritizing  
vulnerabilities. Risk is defined quantitatively, as follows:  
risk = impact x likelihood  
The risk that a vulnerability poses is equal to the impact of the vulnerability multiplied by the  
likelihood that the impact will occur. Impact is defined as the negative outcome resulting from a  
vulnerability and likelihood as the probability that the impact will happen.  
Impact can come in many forms. For example, an organization might lose money or reputation  
because of a successful attack, or it might lose business opportunity because the presence of a  
vulnerability causes a system to fail a regulatory compliance check.  
Two factors contribute to the likelihood that a vulnerability will cause harm:  
• The probability that the vulnerability will be discovered (by an attacker or an auditor)  
• The conditional probability that, once found, the vulnerability will be exploited  
These probabilities change as the computer security field advances. New vulnerability assessment  
techniques make it easier to find vulnerabilities, and new attack techniques increase the set of  
vulnerabilities that attackers can exploit. Progressively better vulnerability prevention, mitigation, and  
recovery strategies help counterbalance these advances.  
For example, consider Race Condition: Singleton Member Field vulnerabilities, which occur when code  
assigns a value associated with a user session to a member variable of a singleton object in a web  
application. Under the singleton model, the same class instance is used to service all requests,  
therefore values from one user session can spill over into another user’s session. The following code  
demonstrates a singleton member field race condition:  
import javax.servlet.http.HttpServlet;  
import javax.servlet.http.HttpServletRequest;  
import javax.servlet.http.HttpServletResponse;  
  
public class GuestBook extends HttpServlet {  
    // The servlet container uses one GuestBook instance for all requests, so these  
    // member fields are shared across concurrent user sessions (the race condition).  
    String name, password;  
  
    protected void doPost(HttpServletRequest request,  
                          HttpServletResponse response) {  
        name = request.getParameter("username");  
        password = request.getParameter("password");  
        // A second request can overwrite name/password between the assignment  
        // above and the lookup below, so one user can be checked with another's values.  
        if (DBUtils.lookupUser(name, password)) {  
            accessSensitiveResources();  
        }  
    }  
}  
Although this vulnerability is simple to exploit after it is found, it can be difficult to find race  
conditions because successful attacks often depend on very precise timing. Therefore, this class of  
vulnerability has a low likelihood of occurring, which primarily reflects the difficulty involved in finding  
the vulnerability.  
For an example of a vulnerability whose likelihood is primarily governed by how difficult it is to  
exploit, consider HTTP Header Manipulation, which occurs when unvalidated user input is included in  
an HTTP response header and can enable cross-site scripting, HTTP response splitting, and cache  
poisoning, among other attacks. The following code demonstrates a header manipulation  
vulnerability:  
String author = request.getParameter(AUTHOR_PARAM);  
Cookie cookie = new Cookie("author", author);  
cookie.setMaxAge(cookieExpiration);  
response.addCookie(cookie);  
In this case, identifying a vulnerable application is often quite simple because the vulnerability is  
evident in web traffic returned from the server. Crafting a meaningful exploit, however, typically  
involves a deep understanding of the application’s business logic, ready access to a pool of legitimate  
users, and in some cases, a working knowledge of the network topography between the server and  
the users. Therefore, this class of vulnerability has a low likelihood because it is difficult to exploit.  
Estimating Impact and Likelihood with Input from Rules and Analysis  
Fortify Static Code Analyzer estimates the impact of a discovered vulnerability based on its type. The  
impact value is associated with the static analysis rule that defines the vulnerability. In this way,  
results can indicate that a category such as cross-site scripting has a higher impact than a category  
such as null pointer dereference.  
To compute the likelihood portion of the risk equation, Fortify Static Code Analyzer draws on values  
from the rules used for analysis, the analysis process itself, and from a human auditor (if an individual  
has reviewed the results). The likelihood of a finding is computed by combining the accuracy of the  
rule and the confidence in the analysis with the probability that the vulnerability will be discovered  
and acted upon, as follows:  
likelihood = accuracy x confidence x probability  
For the purpose of weighing static analysis results, an accuracy measure is associated with each rule  
applied by the analysis engine. This number represents the possibility that the rule will correctly  
identify a vulnerability.  
For example, the rule that Fortify Static Code Analyzer uses to identify the member field race  
condition has a high accuracy because it precisely identifies assignments to a member field of a  
singleton object. Conversely, the rule used to identify cross-site request forgery has a low accuracy  
because it identifies potentially vulnerable form submissions and relies on a human auditor to  
determine whether the form submissions are susceptible to cross-site request forgery.  
During static analysis, Fortify Static Code Analyzer might have to make assumptions about the way  
the code behaves at runtime. The more assumptions Fortify Static Code Analyzer makes, the more  
likely it is that a result is incorrect.  
The term confidence is used to estimate the possibility that Fortify Static Code Analyzer correctly  
applies the rule. For example, Fortify Static Code Analyzer reports reflected cross-site scripting  
vulnerabilities in a JSP where data from a request parameter is echoed directly to the page with high  
confidence. Conversely, Fortify Static Code Analyzer reports a persistent cross-site scripting issue  
where data read from a database into a class selected at runtime using dependency injection is  
rendered in the presentation tier with low confidence.  
To represent the probability that the vulnerability is discovered and acted upon (with action  
potentially coming in the form of an exploit), Fortify Static Code Analyzer associates a probability  
measure with each category of vulnerability identified by the rules. For example, cross-site scripting  
vulnerabilities carry a higher probability than member field race conditions because they are more  
likely to be discovered and exploited.  
From a programmer’s perspective, some bugs are harder to fix than others. Modifying a single line of  
code in a self-contained method is easier than modifying the result of a sequence of calls that span  
the program. The term remediation effort describes the relative amount of effort required to fix and  
verify a finding.  
Fortify Static Code Analyzer provides a remediation effort with each finding it reports. For example,  
member field race conditions have a small remediation effort, while cross-site request forgery, which  
often involves major changes to a website, has a high remediation effort.  
To avoid implying too much precision where little exists, Fortify Static Code Analyzer limits values of  
impact, accuracy, confidence, and probability to a decimal range of from 0.1 to 5.0 and scales the  
calculated likelihood value to the same range. It then defines high values for impact and likelihood as  
those at 2.5 and above [2.5,5.0] and low values as those below 2.5 (0,2.5).  
Fortify Static Code Analyzer does not provide units for remediation effort because the absolute cost  
of remediating different vulnerabilities differs from one organization to another. Instead, remediation  
effort estimates the relative cost to remediate one kind of finding versus another, thereby enabling a  
comparison of the effort required to remediate different vulnerabilities or vulnerabilities across more  
than one project.  
The following table provides sample impact, accuracy, confidence, and probability values for the four  
vulnerabilities mentioned in this section along with the resulting risk calculations and corresponding  
remediation effort for each vulnerability category.  
Category: Race Condition: Singleton Member Field  
  Impact: 4  Accuracy: 5  Confidence: 5  Probability: 3  
  Risk: Impact = 4 (High); Likelihood = (5 · 5 · 3)/25 = 3 (High); Risk = Critical  
  Estimated remediation effort = 5  
Category: Cross-Site Request Forgery  
  Impact: 2  Accuracy: 1  Confidence: 5  Probability: 2  
  Risk: Impact = 2 (Low); Likelihood = (1 · 5 · 2)/25 = <1 (Low); Risk = Low  
  Estimated remediation effort = 12  
Category: Cross-Site Scripting: Reflected  
  Impact: 5  Accuracy: 5  Confidence: 5  Probability: 5  
  Risk: Impact = 5 (High); Likelihood = (5 · 5 · 5)/25 = 5 (High); Risk = Critical  
  Estimated remediation effort = 1  
Category: Cross-Site Scripting: Persistent  
  Impact: 5  Accuracy: 5  Confidence: 1  Probability: 5  
  Risk: Impact = 5 (High); Likelihood = (5 · 1 · 5)/25 = 1 (Low); Risk = Medium  
  Estimated remediation effort = 1  
Appendix C: Legacy Report Components  
The following sections provide information about the content and organization of the legacy report  
templates, which you can either modify or use as provided. Each report template includes several  
sections and subsections. The subsections provide charting and other data collection and  
presentation options.  
Fortify Security Report  
The Fortify Security Report is a high-level report that includes comprehensive analysis information  
and high-level details of the corresponding audit. This report also includes a high-level description  
and examples of the categories that have the highest priority. The following table lists Fortify Security  
Report sections and their corresponding subsections.  
Section  
Subsection  
Executive Summary  
Issues Overview  
Presents an overview of the scan. This includes Editable overview of the issues, including the  
an overview of issues, an overview of issues by date of the scan, number of issues, name of the  
Fortify Priority Order, and recommendations for project, scan summary, and total number of  
issue remediation. This section is designed for  
management and project managers.  
detected issues.  
Issue Summary by Fortify Priority Order  
Issues are categorized into the following four  
risk quadrants based on whether they have a  
high or low impact, and high or low likelihood of  
being exploited:  
l
Critical - High impact and high likelihood.  
Critical issues are easy for the attacker to  
discover and exploit to result in extensive  
asset damage.  
Micro Focus Fortify Audit Workbench (22.1.0)  
Page 149 of 156  
 
 
User Guide  
Appendix C: Legacy Report Components  
Section  
Subsection  
l
High - High impact but low likelihood. High  
priority issues are often difficult to discover  
and exploit, but can result in extensive asset  
damage.  
l
Medium - Low impact but high likelihood.  
Medium priority issues are easy to discover  
and exploit, but often result in little asset  
damage.  
l
Low - Low impact and low likelihood. Low  
priority issues are difficult to discover and  
exploit and typically result in little asset  
damage.  
You can present this information in table, pie  
chart, or bar chart.  
Recommendations and Conclusions  
High-level recommendations about how to  
remediate the issues listed in the Issue Summary  
by Fortify Priority Order subsection. You can  
edit the text in this subsection.  
Section: Project Summary
Provides project summary information such as the codebase, scan information, results certifications, and so on.

  Subsection: Code Base Summary
  Summary of the analyzed codebase. You can edit the text element of this subsection.

  Subsection: Scan Information
  Analysis details. You can edit the text element of this subsection.

  Subsection: Results Certification
  Results certifications summary. You can edit the text element of this subsection.

  Subsection: Attack Surface
  Attack surface summary. You can edit the text element of this subsection.

  Subsection: Filter Set Summary
  Summary of the filter set used in the report. You can edit the text element of this subsection.

  Subsection: Audit Guide Summary
  Summary of the audit guide. You can edit the text element of this subsection.
Section: Results Outline
Provides an outline of the results that Fortify Static Code Analyzer produced during the scan.

  Subsection: Overall number of results
  Total number of results that Fortify Static Code Analyzer produced during the scan. You can edit the text element of this subsection.

  Subsection: Vulnerability Examples by Category
  Results summary of highest-level issues by category.
Section: Detailed Project Summary
Provides a detailed project summary.

  Subsection: Files Scanned
  List of all scanned files. You can edit the text element of this subsection.

  Subsection: Reference Elements
  List of all libraries that Fortify Static Code Analyzer used in the translation phase of analysis. You can edit the text element of this subsection.

  Subsection: Rulepacks
  List of Rulepacks that Fortify Static Code Analyzer used in the analysis. You can edit the text element of this subsection.

  Subsection: Properties
  List of properties that Fortify Static Code Analyzer set in the analysis phase. You can edit the text element of this subsection.

  Subsection: Commandline Arguments
  List of all options that Fortify Static Code Analyzer used in the translation phase of analysis. You can edit the text element of this subsection.

  Subsection: Warnings
  List of all warnings issued during both the translation and analysis phases of the scan. You can edit the text element of this subsection.
Section: Issue Count by Category
Provides a chart of issues by category. This chart is configurable.

  Subsection: Issues By Category
  Chart of issues by category. You can present the information in a table, pie chart, or bar chart.

Section: Issue Breakdown by Analysis
Provides a chart of issues by analysis. This chart is configurable.

  Subsection: Issue By Analysis
  Chart of issues by analysis. You can present the information in a table, pie chart, or bar chart.

Section: New Issues
Provides a chart of all new issues. This chart is configurable.

  Subsection: New Issues
  Chart of new issues. You can present the information in a table, pie chart, or bar chart.
Fortify Developer Workbook Report  
The Fortify Developer Workbook report provides a high-level summary of the vulnerabilities detected  
during a scan. This includes a report summary and an issue summary by Fortify Priority Order. This  
report is designed for developers. The following table lists Fortify Developer Workbook report  
sections and their corresponding subsections.  
Section: Report Overview
Provides a high-level overview of report findings.

  Subsection: Report Summary
  Editable overview of the issues, including the date of the scan, name of the project, scan summary, and total number of detected issues.

  Subsection: Issue Summary by Fortify Priority Order
  Issues charted based on Fortify Priority Order. You can present the information in a table, pie chart, or bar chart.

Section: Issue Summary
Provides the number and categories of vulnerabilities.

  Subsection: Overall number of results
  Total number of vulnerabilities. You can edit the text element of this subsection.

  Subsection: Issues by Category
  Chart of issues based on category. You can present the information in a table, pie chart, or bar chart.

Section: Results Outline
Provides an outline of the results that Fortify Static Code Analyzer produced during the scan.

  Subsection: Vulnerability Examples by Category
  Results summary of highest-level issues by category.
OWASP Top Ten Reports
The OWASP Top Ten reports provide high-level summaries of uncovered vulnerabilities organized based on the top ten issues identified by the Open Web Application Security Project (OWASP) for the years 2004, 2007, 2010, and 2013. These reports include the sections and subsections described in the following table.
Section: Report Overview
Provides a high-level overview of report findings.

  Subsection: Report Summary
  Editable overview of vulnerabilities, including the date of the scan, the project name, and the total number of vulnerabilities.

  Subsection: Issue Summary
  Chart of issues grouped by a selected attribute such as category, kingdom, or analysis type. You can present the information in a table, pie chart, or bar chart.

Section: Issue Breakdown by OWASP Top Ten <year>
Provides a chart of issues organized by OWASP top ten security risks.

  Subsection: Issue Breakdown by OWASP Top Ten <year>
  Chart of issues grouped by a selected attribute such as category, kingdom, or analysis type. You can present the information in a table, pie chart, or bar chart.

Section: Results Outline
Provides an outline of the results that Fortify Static Code Analyzer produced during the scan.

  Subsection: Vulnerabilities by OWASP Top Ten <year>
  List of the vulnerabilities organized by the OWASP Top Ten. You can select the listing to further refine and organize the vulnerabilities that Fortify Audit Workbench provides in the report.
Fortify Scan Summary Report  
The Fortify scan summary report type provides high-level information based on the category of  
issues that Fortify Static Code Analyzer found as well as a project summary and a detailed project  
summary. The following table provides descriptions of the report sections and subsections.  
Section: Issue Count by Category
Provides a chart of issues by category.

  Subsection: Issues By Category
  Chart of issues grouped by a selected attribute such as category, kingdom, or analysis type. You can present the information in a table, pie chart, or bar chart.

Section: Project Summary
Provides project summary information, including codebase summary and general scan information.

  Subsection: Code Base Summary
  Summary of the codebase that Fortify Static Code Analyzer scanned, including the location of the code, the number of files, lines of code, and the build label. You can edit the text element of this subsection.

  Subsection: Scan Information
  Scan information, including the Fortify Static Code Analyzer version, machine name, and the name of the user who ran the scan. You can edit the text element of this subsection.

  Subsection: Results Certification
  Results certifications information, including the results certification summary and the details of the results certification. You can edit the text element of this subsection.

Section: Detailed Project Summary
Provides detailed project summary information, including the files scanned, reference elements, and so on.

  Subsection: Files Scanned
  Lists all files that Fortify Static Code Analyzer scanned. You can edit the text element of this subsection.

  Subsection: Reference Elements
  List of libraries that Fortify Static Code Analyzer used during the translation phase. You can edit the text element of this subsection.

  Subsection: Rulepacks
  List of Rulepacks that Fortify Static Code Analyzer used during the analysis. You can edit the text element of this subsection.

  Subsection: Properties
  List of properties that Fortify Static Code Analyzer set during the analysis phase. You can edit the text element of this subsection.

  Subsection: Commandline Arguments
  List of all options that Fortify Static Code Analyzer used in the analysis phase. You can edit the text element of this subsection.

  Subsection: Warnings
  List of all warnings issued during both the translation and analysis phases of the analysis. You can edit the text element of this subsection.
Send Documentation Feedback  
If you have comments about this document, you can contact the documentation team by email.  
Note: If you are experiencing a technical issue with our product, do not email the documentation  
team. Instead, contact Micro Focus Fortify Customer Support at  
https://www.microfocus.com/support so they can assist you.  
If an email client is configured on this computer, click the link above to contact the documentation  
team and an email window opens with the following information in the subject line:  
Feedback on User Guide (Fortify Audit Workbench 22.1.0)  
Just add your feedback to the email and click send.  
If no email client is available, copy the information above to a new message in a web mail client, and  
send your feedback to fortifydocteam@microfocus.com.  
We appreciate your feedback!  