Micro Focus  
Fortify Remediation Plugin for IntelliJ  
IDEA and Android Studio  
Software Version: 22.2.0  
User Guide  
Document Release Date: November 2022  
Software Release Date: November 2022  
Legal Notices  
Micro Focus  
The Lawn  
22-30 Old Bath Road  
Newbury, Berkshire RG14 1QN  
UK  
Warranty  
The only warranties for products and services of Micro Focus and its affiliates and licensors (“Micro Focus”) are set forth in the  
express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an  
additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained herein. The  
information contained herein is subject to change without notice.  
Restricted Rights Legend  
Confidential computer software. Except as specifically indicated otherwise, a valid license from Micro Focus is required for  
possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software  
Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard  
commercial license.  
Copyright Notice  
© Copyright 2012 - 2022 Micro Focus or one of its affiliates  
Trademark Notices  
All trademarks, service marks, product names, and logos included in this document are the property of their respective owners.  
Documentation Updates  
The title page of this document contains the following identifying information:
- Software Version number
- Document Release Date, which changes each time the document is updated
- Software Release Date, which indicates the release date of this version of the software
This document was produced on November 08, 2022. To check for recent updates or to verify that you are using the most recent edition of a document, go to:
Micro Focus Fortify Remediation Plugin for IntelliJ IDEA and Android Studio  
Page 2 of 32  
Preface
Contacting Micro Focus Fortify Customer Support  
Visit the Support website to:
- Manage licenses and entitlements
- Create and manage technical assistance requests
- Browse documentation and knowledge articles
- Download software
- Explore the Community
For More Information  
For more information about Fortify software products:  
About the Documentation Set  
The Fortify Software documentation set contains installation, user, and deployment guides for all  
Fortify Software products and components. In addition, you will find technical notes and release notes  
that describe new features, known issues, and last-minute updates. You can access the latest versions  
of these documents from the following Micro Focus Product Documentation website:  
To be notified of documentation updates between releases, subscribe to Fortify Product  
Announcements on the Micro Focus Community:  
Fortify Product Feature Videos  
You can find videos that highlight Fortify products and features on the Fortify Unplugged YouTube  
channel:  
Change Log
The following table lists changes made to this document. Revisions to this document are published  
between software releases only if the changes made affect product functionality.  
Software Release / Document Version: 22.2.0
Change: This is a new document that contains the Fortify Remediation Plugin content that was previously covered in the Micro Focus Fortify Plugins for JetBrains IDEs and Android Studio User Guide.
Added:
- Added the Engine Priority grouping attribute (see "Grouping Issues" on
- Added the engine priority search modifier (see "Search Modifiers"
- Added how to search for issues based on whether a custom tag is
Updated:
Getting Started
This guide describes how to install the Micro Focus Fortify Remediation Plugin for IntelliJ IDEA and  
Android Studio (Fortify Remediation Plugin), and use it to review analysis results stored on a Micro  
Focus Fortify Software Security Center server.  
About the Fortify Remediation Plugin  
The Fortify Remediation Plugin works together with Micro Focus Fortify Software Security Center to  
add remediation functionality to your software security analysis. This plugin works with IntelliJ IDEA,  
Android Studio, PyCharm, and WebStorm.  
You can use the Fortify Remediation Plugin to:
- Review analysis results for applications in Fortify Software Security Center from within the IDE
- Audit the analysis results by assigning users or tags to issues, and adding comments to issues
- Fix and eliminate security issues in your code
Requirements for Using the Fortify Remediation Plugin
To use the Fortify Remediation Plugin, you must have the following:
- A Micro Focus Fortify Software Security Center URL
- A user account on the Fortify Software Security Center server that has permission to access application versions
  To log into Fortify Software Security Center, you can use a user name and password or an authentication token.
- To audit issues in the analysis results, your user account must have audit permissions
- To add comments to issues, your user account must have the permission to comment on issues
Note: You do not need to specify a Fortify license file for the Fortify Remediation Plugin. Only  
Fortify Software Security Center requires a license file.  
Installing the Fortify Remediation Plugin  
You can install the Fortify Remediation Plugin on Windows, Linux, and macOS. Install the plugin either directly from the Marketplace in the IDE Settings dialog box or manually from a ZIP file downloaded from the JetBrains Plugin Marketplace.
Note: These instructions describe a third-party product and might not match the specific,  
supported version you are using. See your product documentation for the instructions for your  
version.  
To install the Fortify Remediation Plugin from a ZIP file downloaded from the JetBrains Plugin  
Marketplace:  
1. Open a project in the IDE.  
2. Open the Settings dialog box as follows:
   - On Windows or Linux, select File > Settings.
   - On macOS, select <IDE_Name> > Preferences.
3. In the left pane, select Plugins.
4. Select Install Plugin from Disk, and then locate and select Fortify_IntelliJ_Remediation_Plugin_<version>.zip.
5. Click OK.  
6. To activate the plugin, restart the IDE.  
The menu bar now includes the Fortify menu.  
Uninstalling the Fortify Remediation Plugin  
Note: These instructions describe a third-party product and might not match the specific,  
supported version you are using. See your product documentation for the instructions for your  
version.  
To uninstall the Fortify Remediation Plugin:  
1. From the IDE, open the Settings dialog box as follows:
   - On Windows or Linux, select File > Settings.
   - On macOS, select <IDE_Name> > Preferences.
2. In the left pane, select Plugins.  
3. From the Plugins list, select Fortify Remediation.  
4. In the Fortify Remediation pane on the right, click Uninstall.  
5. In the Fortify Remediation pane on the right, click Restart.  
Related Documents  
This topic describes documents that provide information about Micro Focus Fortify software  
products.  
Note: You can find the Micro Focus Fortify Product Documentation at  
Micro Focus Fortify Software Security Center  
The following document provides information about Fortify Software Security Center. Unless  
otherwise noted, this document is available on the Micro Focus Product Documentation website at  
Document / File Name: Micro Focus Fortify Software Security Center User Guide (SSC_Guide_<version>.pdf)
Description: This document provides Fortify Software Security Center users with detailed information about how to deploy and use Software Security Center. It provides all of the information you need to acquire, install, configure, and use Software Security Center. It is intended for use by system and instance administrators, database administrators (DBAs), enterprise security leads, development team managers, and developers. Software Security Center provides security team leads with a high-level overview of the history and current status of a project.
Viewing Analysis Results  
The Fortify Remediation Plugin displays the analysis results for the opened application version in a  
Fortify Remediation window. This window displays all security issues, organized in folders (colored  
tabs) in an issue pane. Issues are organized based on settings in Micro Focus Fortify Software Security  
Center. To the right of the issue pane are four tabs that provide information specific to the issue  
selected in the issue pane.  
Folders contain logically defined sets of issues. For example, the Critical folder contains all critical  
issues for a project. Similarly, the Low folder contains all low-priority issues.  
Filters determine which issues are visible. Filters are organized into distinct groups called filter sets.  
An issue template can contain definitions for multiple filter sets. You can use multiple filter sets to  
change the sorting and visibility of issues.  
To remediate issues, the project you have open in the IDE must correspond to the application version  
you opened from Fortify Software Security Center (see "Opening Fortify Software Security Center  
Opening Fortify Software Security Center Application Versions
To use the Fortify Remediation Plugin, you must first connect to Micro Focus Fortify Software  
Security Center and open an application version.  
Note: To communicate with a Fortify Software Security Center server that uses HTTPS, you must  
first import a trusted certificate for the IDE.  
To open an application version in the Fortify Remediation Plugin:  
1. Select Fortify > Connect to Software Security Center.  
2. When prompted to log in to Fortify Software Security Center:  
a. If you have not already configured the URL for Fortify Software Security Center, type the  
server URL in the SSC URL box.  
b. From the Login method menu, select the login method set up for you in Fortify Software  
Security Center.  
c. Depending on the selected login method, follow the procedure described in the following  
table.  
   - Username/Password: Type your Fortify Software Security Center user name and password.
   - Authentication Token: Specify the decoded value of a Fortify Software Security Center authentication token of type ToolsConnectToken.
     Note: For instructions about how to create an authentication token from Fortify Software Security Center, see the Micro Focus Fortify Software Security Center User Guide.
3. Click OK to connect to Fortify Software Security Center.  
The Select Software Security Center Application Version dialog box opens and displays the  
application versions that your user account has permission to access.  
4. Select an application version to open, and then click OK.  
The Fortify Remediation Plugin displays the analysis results for the application version from Fortify  
Software Security Center.  
Note: To open a different application version on the same Fortify Software Security Center server  
to which you are already connected, select Fortify > Open Application Version. To switch to a  
different Fortify Software Security Center server, select Fortify > Disconnect from Software  
Security Center and then reconnect to Fortify Software Security Center as described in this  
topic.  
Viewing and Selecting Issues  
To view and select issues in an opened application version:  
1. Click Change View Options.
2. From Filter Set, select one of the following filter sets to apply to issues:
   - Select Security Auditor View to list all issues relevant to a security auditor.
   - Select Quick View to list only issues in the Critical folder (these have a potentially high impact and a high likelihood of occurring) and the High folder (these have a potentially high impact and a low likelihood of occurring).
   Note: The filter sets available depend on the issue template assigned to the application version you opened.
3. From the Group By list, select an attribute for sorting issues in all visible folders into groups. The default grouping is Category. For a description of the available Group By attributes, see
4. By default, issues assigned to your Micro Focus Fortify Software Security Center user name are shown. From the Issues for list, you can select one of the following:
   - <All Users>
   - A Fortify Software Security Center user name
5. Click a color-coded tab (folder) to view the associated issues.
   Note: The tabs shown depend on your Filter Set, Group By, and Issues for selections. It is possible that not all tabs are shown. The tabs shown also depend on the issue template associated with the application version.
   - The Critical tab contains issues that have a high impact and a high likelihood of exploitation. Fortify recommends that you remediate critical issues immediately.
   - The High tab contains issues that have a high impact and a low likelihood of exploitation. Fortify recommends that you remediate high issues with the next patch release.
   - The Medium tab contains issues that have a low impact and a high likelihood of exploitation. Fortify recommends that you remediate medium issues as time permits.
   - The Low tab contains issues that have a low impact and a low likelihood of exploitation. Fortify recommends that you remediate low issues as time permits (your organization can customize this category).
   - The All tab contains all issues.
   Within each color-coded tab, issues are grouped into folders. After each folder name, enclosed in brackets, is the number of audited issues and the total number of issues in the folder. For example, Command Injection - [1 / 3] indicates that one issue out of three categorized as Command Injection has been audited.
6. Click to expand a folder and view the associated issues.  
The Fortify Remediation Plugin retrieves the corresponding issues from Fortify Software Security  
Center.  
   Note: By default, if a folder contains more than 20 issues, the issues are grouped into subfolders in blocks of 20 with folder names that indicate the issues included. For example, if a folder contains 32 issues, the first 20 issues are in a subfolder labeled [1-20] and the last set of issues are in a subfolder labeled [21-32]. To change the default pagination setting of 20, set the com.fortify.remediation.PaginationCount property. You can also disable issue pagination by setting the com.fortify.remediation.PaginateIssues property to false. For more information about these properties, see "Configuration Options" on page 30.
7. Select an issue to view its details.  
Grouping Issues  
The items visible in the Fortify Remediation window issue pane vary depending on the selected  
grouping attribute. The value you select from the Group By list sorts issues in all visible folders into  
subfolders. Use the Group By attributes to group and view the issues in different ways. The following  
table describes the available Group By attributes.  
- Analysis: Groups issues by the audit analysis value assigned, such as Suspicious, Exploitable, and Not an Issue.
- Analysis Type: Groups issues by analyzer product, such as SCA, WEBINSPECT, and SECURITYSCOPE (WebInspect Agent).
- Analyzer: Groups issues by analyzer group, such as Control Flow, Data Flow, Pentest, and Structural.
- App Defender Protected: Groups issues by whether Application Defender can protect the vulnerability category.
- Category: Groups issues by vulnerability category. This is the default setting.
- <custom_tagname>: Groups issues by the selected custom tag.
- Engine Priority: Groups issues based on the original priority value determined by the engine that identified the issue. Note: This is only available in Micro Focus Fortify Software Security Center version 22.2.0 or later.
- File Name: Groups issues by file name.
- Folder: Groups issues by folders defined in the issue template.
- Fortify Priority Order: Groups issues by Critical, High, Medium, and Low based on the issue priority.
- Introduced date: Groups issues by the date the issue was first detected.
- Issue State: Groups audited issues by whether the issue is an open issue or not an issue based on the level of analysis set for the primary tag. Values equivalent to Suspicious and Exploitable are considered open issue states.
- Kingdom: Groups issues by the Seven Pernicious Kingdoms classification.
- Manual: Groups issues by whether they were manually created by penetration test tools, and not automatically produced by a web crawler such as Fortify WebInspect.
- <metadata_listname>: Groups issues using the alternative metadata external list names (for example, OWASP Top 10 <year>, CWE, PCI SSF <version>, STIG <version>, and others).
- New Issue: Shows which issues are new since the last scan. For example, if you run a new scan, any issues that are new are displayed in the tree under the NEW group and the others are displayed in the UPDATED group. If removed issues are visible, issues not found in the latest scan are displayed in the REMOVED list.
- Package: Groups issues by package or namespace. Nothing is shown for projects to which this option does not apply, such as C projects.
- Primary Context: Groups issues where the primary location or sink node function call occurs in the same code context.
- Sink: Groups issues that share the same dataflow sink function.
- Source: Groups issues that share the same dataflow source functions.
- Source Context: Groups dataflow issues that have the source function call contained in the same code context.
- Source File: Groups dataflow issues by the source code file where the taint originated.
- Status: Groups issues by the audit status (Reviewed, Unreviewed, or Under Review).
- Taint Flag: Groups issues by the taint flags that they contain.
- URL: Groups dynamic issues by the request URL.
Customizing Issue Visibility  
You can customize the issue pane to determine which issues the Fortify Remediation Plugin displays.  
To customize the issues pane:  
1. Click Change View Options.
2. From the Issue Visibility list, select one of the following options:
   - To display all hidden issues, select Show Hidden Issues.
     Note: The visibility filter settings in the issue template associated with the application version determine which issues are hidden.
   - To display all the issues removed since the previous analysis, select Show Removed Issues.
   - To display all suppressed issues, select Show Suppressed Issues.
     Note: Users who audit issues can suppress specific types of issues that are not considered high priority or of immediate concern. For example, auditors can suppress issues that are fixed, or issues that your organization plans not to fix.
The Fortify Remediation Plugin displays issues based on your selection.  
Note: You can also specify the issue visibility settings from the Options dialog box (select Fortify  
> Remediation Options).  
Searching for Issues  
You can use the search box below the issues list to search for issues. After you type a search query, either press Enter or click Filter Issues with This Search String to start the search and filter the issues in the tree. After you type a search term, the label next to the folder name changes to indicate the number of issues that match the search as a subset of the total. For example, Hot (2 of 5).
To indicate the type of comparison to perform, wrap search terms with delimiters. The following table describes the syntax to use for the search string.
- contains: Searches for a term without any special qualifying delimiters.
- equals: Searches for an exact match when you enclose the term in quotation marks ("").
- number range: Searches for a range of numbers using the standard mathematical interval notation of parentheses and/or brackets to indicate whether the endpoints are excluded or included respectively. Example: (2,4] indicates greater than two and less than or equal to four.
- not equal: Excludes issues specified by the string when you precede the string with the exclamation character (!). Example: file:!Main.java returns all issues that are not in Main.java.
You can further qualify search terms with modifiers. The syntax to use for a modifier is  
modifier:<search_term>.  
If you specify more than one modifier, the search returns only issues that match all the modified  
search terms. For example, file:ApplicationContext.java category:SQL Injection returns  
only SQL injection issues found in ApplicationContext.java.  
If you use the same modifier more than once in a search string, then the search terms qualified by  
those modifiers are treated as an OR comparison. For example, file:ApplicationContext.java  
category:SQL Injection category:Cross-Site Scripting returns SQL injection issues and  
cross-site scripting issues found in ApplicationContext.java.  
For complex searches, you can also insert the AND or the OR keyword between your search queries.  
Note that AND and OR operations have the same priority in searches.  
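The search-string rules above (contains, quoted equals, interval ranges, ! exclusion, repeated modifiers OR'd, distinct modifiers AND'd, AND/OR keywords) as an added worked example that is not part of this guide or of the plugin's code. It evaluates queries against constructed issue records keyed by modifier name; the left-to-right evaluation of AND/OR keywords, treating a missing attribute as having no value, and the ISSUES data are assumptions.

```python
"""Evaluator for the search syntax described above (constructed example, not the plugin's
own code): contains by default, "quoted" equals, (lo,hi]/[lo,hi] number ranges, ! excludes,
repeated modifiers OR, distinct modifiers AND, AND/OR keywords left to right (assumed)."""
import re
# Attributes an unqualified term is matched against, per the guide's list.
UNQUALIFIED_ATTRS = ("kingdom", "primary rule id", "analyzer", "file", "severity",
                     "class", "function", "instance id", "package", "confidence",
                     "type", "subtype", "taint", "category", "sink", "source")
# Some shortened modifier names from the modifier table, mapped to the full name.
ALIASES = {"cat": "category", "con": "confidence", "sev": "severity", "rule": "primaryrule",
           "comment": "comments", "com": "comments", "def": "app defender protected"}
CHUNK_RE = re.compile(r'[^\s"]*"[^"]*"|\[[^\]]+\](?::\S*)?|\S+')  # quoted | [multi word]:v | word
MODIFIER_RE = re.compile(r'^([A-Za-z_][\w.]*):(.*)$')
RANGE_RE = re.compile(r'^([\[(])(-?\d+(?:\.\d+)?),(-?\d+(?:\.\d+)?)([\])])$')


def parse_query(query):
    """Split a query into AND/OR-joined clauses of (modifier, value) terms."""
    clauses, ops, terms = [], [], []
    for chunk in CHUNK_RE.findall(query):
        if chunk.upper() in ("AND", "OR"):
            clauses.append(terms)
            ops.append(chunk.upper())
            terms = []
            continue
        m = MODIFIER_RE.match(chunk)
        if chunk.startswith("[") and "]:" in chunk:  # [multi word modifier]:value
            name, value = chunk[1:].split("]:", 1)
        elif m:                                      # modifier:value
            name, value = m.group(1), m.group(2)
        elif terms:                                  # word extends the previous value
            name, old = terms.pop()                  # ('category:SQL Injection' is one term)
            value = (old + " " + chunk).strip()
        else:                                        # unqualified term
            name, value = None, chunk
        if name is not None:
            name = ALIASES.get(name.lower(), name.lower())
        terms.append((name, value))
    clauses.append(terms)
    return clauses, ops


def _compare(actual, value):
    """One comparison from the guide's table: <none>, number range, equals, or contains."""
    if value == "<none>" or actual in (None, "", [], ()):
        return value == "<none>" and actual in (None, "", [], ())
    if isinstance(actual, (list, tuple)):  # e.g. comments, taint flags
        return any(_compare(item, value) for item in actual)
    rng = RANGE_RE.match(value)
    if rng:
        try:
            num = float(actual)
        except (TypeError, ValueError):
            return False
        lo, hi = float(rng.group(2)), float(rng.group(3))
        return ((num > lo if rng.group(1) == "(" else num >= lo)
                and (num < hi if rng.group(4) == ")" else num <= hi))
    text = str(actual).lower()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return text == value[1:-1].lower()
    return value.lower() in text


def term_matches(issue, name, value):
    """Apply one term to one issue; a leading ! excludes instead of selects."""
    negate = value.startswith("!")
    value = value[1:] if negate else value
    attrs = [name] if name else UNQUALIFIED_ATTRS
    return any(_compare(issue.get(a), value) for a in attrs) != negate


def clause_matches(issue, terms):
    """A repeated modifier is OR'd; different modifiers are AND'd."""
    groups = {}
    for name, value in terms:
        groups.setdefault(name, []).append(value)
    return all(any(term_matches(issue, n, v) for v in vals) for n, vals in groups.items())


def search(issues, query):
    """Return instance IDs of the issues the query selects; AND/OR applied left to right."""
    clauses, ops = parse_query(query)
    def matches(issue):
        result = clause_matches(issue, clauses[0])
        for op, clause in zip(ops, clauses[1:]):
            nxt = clause_matches(issue, clause)
            result = (result and nxt) if op == "AND" else (result or nxt)
        return result
    return [i["instance id"] for i in issues if matches(i)]


# Constructed sample issues (not real scan results); a missing attribute counts as no value.
ISSUES = [
    {"instance id": "A1", "category": "SQL Injection", "file": "ApplicationContext.java",
     "analyzer": "Data Flow", "confidence": 4.5, "fortify priority order": "critical",
     "target date": "2022-12-01"},
    {"instance id": "B2", "category": "Cross-Site Scripting", "file": "ApplicationContext.java",
     "analyzer": "Data Flow", "confidence": 3.0, "fortify priority order": "high"},
    {"instance id": "C3", "category": "Privacy Violation", "file": "account.jsp", "source": "getSSN",
     "analyzer": "Data Flow", "confidence": 2.0, "fortify priority order": "medium",
     "suppressed": True, "comments": ["asdf"], "target date": "2022-12-01"},
    {"instance id": "D4", "category": "Null Dereference", "file": "Main.java",
     "analyzer": "Control Flow", "confidence": 5.0, "fortify priority order": "low"},
]
```

Index-based ranges over list-type custom tags (the analysis:[0,2] case) are not modelled; the numeric range applies only to attributes that hold numbers.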
See Also  
Search Modifiers  
You can use a search modifier to specify to which attribute of an issue the search term applies. To use  
a modifier that contains a space in the name, such as the name of the custom tag, you must enclose  
the modifier in brackets. For example, to search for issues that are new, type [issue age]:new.  
A search that is not qualified by a modifier matches the search string based on the following issue  
attributes: kingdom, primary rule id, analyzer, filename, severity, class name, function name, instance  
id, package, confidence, type, subtype, taint flags, category, sink, and source.  
- To apply the search to all modifiers, type a string such as control flow. This searches all the modifiers and returns any result that contains the specified string.
- To apply the search to a specific modifier, type the modifier name and the string as follows: analyzer:control flow. This returns all results detected by the Control Flow Analyzer.
The following table describes the search modifiers. A few modifiers have a shortened modifier name  
indicated in parentheses. You can use either modifier string.  
- accuracy: Searches for issues based on the accuracy value specified (0.1 through 5.0).
- analysis: Searches for issues that have the specified audit analysis value, such as exploitable, not an issue, and so on.
- [analysis type]: Searches for issues based on the analyzer product such as SCA and WEBINSPECT.
- analyzer: Searches the issues for the specified analyzer such as control flow, data flow, structural, and so on.
- [app defender protected] (def): Searches for issues based on whether Application Defender can protect the vulnerability category (protected or not protected).
- [attack payload]: Searches for issues that contain the search term in the part of the request that caused the vulnerability for penetration test results.
- [attack type]: Searches for issues based on the type of penetration test attack conducted (URL, parameter, header, or cookie).
- audience: Searches for issues based on the intended audience, such as dev, targeted, medium, broad, and so on.
  Caution! This metadata is legacy information that is no longer used and will be removed in a future release. Fortify recommends that you not use this search modifier.
- audited: Searches the issues to find true if the primary tag is set and false if the primary tag is not set. The default primary tag is the Analysis tag.
- body: Searches for issues that contain the search term in the HTTP message body in penetration test results, which is all the data that is transmitted immediately following the headers.
- category (cat): Searches for the specified category or category substring.
- class: Searches for issues based on the specified class name.
- comments (comment, com): Searches for issues that contain the search term in the comments added to the issue.
- commentuser: Searches for issues with comments from a specified user.
- confidence (con): Searches for issues that have the specified confidence value 0.1 through 5.0 (legacy metadata).
- cookies: Searches for issues that contain the search term in the cookie from the HTTP query for penetration test results.
- correlated: Searches for issues based on whether the issues are correlated with those detected by another analyzer.
- [correlation group]: Searches for issues based on whether the issues are in the same correlation group.
- <custom_tagname>: Searches for issues based on the value of the specified custom tag.
  You can search a list-type custom tag using a range of values. The values of a list-type custom tag are an enumerated list where the first value is 0, the second is 1, and so on. You can use the search syntax for a range of numbers to search for ranges of list-type custom tag values. For example, analysis:[0,2] returns the issues that have the values of the first three analysis values, 0, 1, and 2 (Not an Issue, Reliability Issue, and Bad Practice).
  To search for a specific date in a date-type custom tag, specify the date in the format: yyyy-mm-dd.
  To search for issues that have no value set for a custom tag, use <none> as the search term. For example, to search for all issues that have no value set in the custom tag labeled Target Date, type: [Target Date]:<none>.
- [engine priority]: Searches for issues based on the original priority value determined by the engine that identified the issue.
  Note: This is only available in Micro Focus Fortify Software Security Center version 22.2.0 or later.
- file: Searches for issues where the primary location or sink node function call occurs in the specified file path.
- [fortify priority order]: Searches for issues that have a priority level that matches the specified issue priority. Valid values are critical, high, medium, and low.
- headers: Searches for issues that contain the search term in the request header for penetration test results.
- historyuser: Searches for issues that have audit data modified by the specified user.
- [http version]: Searches for issues based on the specified HTTP version such as HTTP/1.1.
- impact: Searches for issues based on the impact value specified (0.1 through 5.0).
- [instance id]: Searches for an issue based on the specified instance ID.
- [issue age]: Searches for the issue age, which is either new, updated, reintroduced, or removed.
- [issue state]: Searches for audited issues based on whether the issue is an open issue or not an issue (determined by the level of analysis set for the primary tag).
- kingdom: Searches for all issues in the specified kingdom.
- likelihood: Searches for issues based on the specified likelihood value (0.1 through 5.0).
- line: Searches for issues on the primary location line number. For dataflow issues, the value is the sink line number. Also see
- manual: Searches for issues that were manually created by penetration test tools, and not automatically produced by a web crawler such as Fortify WebInspect.
- [mapped category]: Searches for issues based on the specified category that is mapped across the various analyzers (Fortify Static Code Analyzer, Fortify WebInspect, and Fortify WebInspect Agent).
- maxconf: Searches for all issues that have a confidence value equal to or less than the number specified as the search term.
- maxVirtConf: Searches for dataflow issues that have a virtual call confidence value equal to or less than the number specified as the search term.
- <metadata_listname>: Searches for issues based on the value of the specified metadata external list (for example, [owasp top 10 <year>], [cwe top 25 <year>], [pci ssf <version>], [stig <version>], and others).
- method: Searches for issues based on the method, such as GET, POST, and so on.
- minconf: Searches for all issues that have a confidence value equal to or greater than the number specified as the search term.
- min_virtual_call_confidence (virtconf, minVirtConf): Searches for dataflow issues that have a virtual call confidence value equal to or greater than the number specified as the search term.
- package: Searches for issues where the primary location occurs in the specified package or namespace. For dataflow issues, the primary location is the sink function.
- parameters: Searches for issues that contain the search term in the HTTP query parameters.
- primary: Searches for issues that have the specified primary tag value. By default, the primary tag is the Analysis tag.
- [primary context]: Searches for issues where the primary location or sink node function call occurs in the specified code context. Also see
- primaryrule (rule): Searches for all issues related to the specified sink rule.
- probability: Searches for issues based on the probability value specified (1.0 through 5.0).
- remediation effort: Searches for issues based on the remediation effort value specified. The valid values are whole numbers from 1.0 to 12.0.
- response: Searches for issues that contain the search term in the response from the protocol used in penetration test results.
- severity (sev): Searches for issues based on the specified severity value (legacy metadata).
- sink: Searches for issues that have the specified sink function name.
- source: Searches for dataflow issues that have the specified source function name. Also see "[source context]" below.
- [source context]: Searches for dataflow issues that have the source function call in the specified code context.
- sourcefile: Searches for dataflow issues with the source function call that the specified file contains. Also see file.
- sourceline: Searches for dataflow issues having taint source entering the flow on the specified line.
- status: Searches issues that have the status reviewed, not reviewed, or under review.
- suppressed: Searches for suppressed issues.
- taint: Searches for issues that have the specified taint flag.
- trigger: Searches for issues that contain the search term in the part of the response that shows that a vulnerability occurred for penetration test results.
- url: Searches for issues based on the specified URL.
- user: Searches for issues assigned to the specified user.
Search Query Examples
The following table contains search query examples.
To search for...
    Type...
All privacy violations in file names that contain jsp with getSSN() as a source
    category:"privacy violation" source:getssn file:jsp
All file names that contain com/test/123
    file:com/test/123
All paths that contain traces with mydbcode.sqlcleanse as part of the name
    trace:mydbcode.sqlcleanse
All paths that contain traces with cleanse as part of the name
    trace:cleanse
All issues that contain cleanse as part of any modifier
    cleanse
All suppressed vulnerabilities with asdf in the comments
    suppressed:true comments:asdf
All categories except for SQL Injection
    category:!SQL Injection
All issues that have a value specified for a custom tag labeled version
    version:!<none>
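The following is an added example, not code from the plugin or from Micro Focus: a small search over constructed issue records that implements the query semantics the two tables above describe (modifier:value terms, quoted values, ! negation, <none> for an unset tag, and a bare term checked against every field), with matching treated as case-insensitive substring matching because source:getssn matches getSSN() in the examples. The grammar simplifications noted in the docstring, and the field names of the sample issues, are assumptions of the example.

```python
import re
import shlex

# Constructed sample issues (not real Fortify output). Keys mirror the search
# modifiers in the table above; an empty string means the tag has no value.
ISSUES = [
    {"id": "1", "category": "Privacy Violation", "source": "getSSN()",
     "file": "webapp/account.jsp", "trace": "mydbcode.sqlcleanse",
     "suppressed": "false", "comments": "", "version": "2.1"},
    {"id": "2", "category": "SQL Injection", "source": "getParameter()",
     "file": "com/test/123/Dao.java", "trace": "DbUtil.cleanse",
     "suppressed": "true", "comments": "asdf, confirmed", "version": ""},
    {"id": "3", "category": "Cross-Site Scripting", "source": "getParameter()",
     "file": "com/test/123/View.java", "trace": "",
     "suppressed": "false", "comments": "", "version": ""},
]

MODIFIER = re.compile(r"^([A-Za-z_]\w*):(.*)$")

def parse_query(query):
    """Return a list of (modifier, value, negated) terms.

    Two simplifications that are assumptions of this example, not the plugin's
    grammar: shell-style quoting groups a value ('category:"privacy violation"'),
    and a bare word that follows a modifier term extends that term's value, so
    'category:!SQL Injection' is one term. A bare word with no modifier before
    it is a free-text term that is checked against every field.
    """
    terms = []
    for token in shlex.split(query):
        match = MODIFIER.match(token)
        if match:
            terms.append([match.group(1), match.group(2)])
        elif terms and terms[-1][0] is not None:
            terms[-1][1] += " " + token
        else:
            terms.append([None, token])
    return [(mod, val.lstrip("!"), val.startswith("!")) for mod, val in terms]

def term_matches(issue, modifier, value, negated):
    """Case-insensitive substring match; '<none>' means the field is empty."""
    fields = [modifier] if modifier else list(issue)
    if value == "<none>":
        hit = any(issue.get(f, "") == "" for f in fields)
    else:
        hit = any(value.lower() in issue.get(f, "").lower() for f in fields)
    return hit != negated

def search(issues, query):
    """IDs of the issues that satisfy every term of the query (terms are ANDed)."""
    terms = parse_query(query)
    return [i["id"] for i in issues if all(term_matches(i, *t) for t in terms)]
```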
Performing Searches  
To perform a simple search, do one of the following:  
• Type a search query in the search box and press Enter.
• To select a search query you used before, click the arrow in the search box, and then select a search query from the list.
Viewing Issue Information  
After you select an issue, the Fortify Remediation Plugin displays the issue-specific content on the  
Audit, Recommendations, Details, and History tabs.  
Audit Tab  
The Audit tab provides a dashboard of analysis information for the selected issue.  
Note: Any changes you make on the Audit tab are automatically uploaded to the application  
version in Micro Focus Fortify Software Security Center.  
The following table describes the Audit tab features.  
User
    The user assigned to the selected issue. If the box is empty, no user is assigned to the selected issue. For instructions on how to assign a user to an
Analysis
    Your assessment for the selected issue. To change the assessment, select an item from the list. This is the primary tag defined in Fortify Software Security Center for the application version. The default primary tag is Analysis, but your organization might have a different tag designated as the primary tag.
<custom_tagname>
    Any custom tags your organization has defined in Fortify Software Security Center. If available, these are displayed below the primary tag. For information on how to make changes to these tags, see "Assigning Tags to
    If the audit results have been submitted to Audit Assistant in Fortify Software Security Center, then in addition to any other custom tags, the tab displays the following tags:
    • AA_Prediction—Exploitability level that Audit Assistant assigned to the issue. You cannot modify this tag value.
    • AA_Confidence—Confidence level from Audit Assistant for the accuracy of its AA_Prediction value. This is a percentage, expressed in values that range from 0.000 to 1.000. For example, a value of 0.982 indicates a confidence level of 98.2 percent. You cannot change this tag value.
    • AA_Training—Whether to include or exclude the issue from Audit Assistant training. You can modify this value.
    For more information about Audit Assistant, see the Micro Focus Fortify Software Security Center User Guide.
Comments (bottom left)
    Any additional information added to the issue. For instructions on how to
Issue Abstract (top right)
    A summary of the selected issue.
Analysis Trace (bottom right)
    Items of evidence that the analyzer uncovered. The analysis trace evidence is presented in the order it was discovered. For descriptions of the analysis
See Also  
Analysis Trace  
The analysis trace on the Audit tab is presented in sequential order. For dataflow issues, this trace is  
a presentation of the path that the tainted data follows from the source function to the sink function.  
For example, when you select an issue that is related to potentially tainted dataflow, the analysis trace  
box shows the direction of the dataflow in this section of the source code.  
The analysis trace box uses icons to show how the dataflow moves in this section of the source code or execution order. The icons have the following meanings:
• Data is assigned to a field or variable
• Information is read from a source external to the code (HTML form, URL, and so on)
• Data is assigned to a globally scoped field or variable
• A comparison is made
• The function call receives tainted data
• The function call returns tainted data
• Passthrough, tainted data passes from one parameter to another
  Note: This is typically shown as functionA(x : y) to indicate that data is transferred from x to y. The x and y values are one of the following:
  • An argument index
  • return—The return value of a function
  • this—The instance of the current object
  • A specific object field or key
• An alias is created for a memory location
• Data is read from a variable
• Data is read from a global variable
• Tainted data is returned from a function
• A pointer is created
• A pointer is dereferenced
• The scope of a variable ends
• The execution jumps
• A branch is taken in the code execution
• A branch is not taken in the code execution
• Generic
• A runtime source, sink, or validation step
• Taint change
The analysis trace box can contain inductions. Inductions provide supporting evidence for their  
parent nodes. Inductions consist of:  
• A text node displayed in italics as a child of the trace node. This text node is expanded by default.
• An induction trace, displayed as a child of the text node (a box surrounds the induction trace).
The italics and the box distinguish the induction from a standard subtrace. To display the induction  
reference information for that induction, click it.  
Recommendations Tab  
The Recommendations tab provides suggestions and examples on how to secure a vulnerability or  
remedy a bad practice. The following table describes the sections on this tab.  
Recommendations/Custom Recommendations
    Describes possible solutions for the selected issue. It can also include examples and recommendations defined by your organization.
Tips/Custom Tips
    Provides useful information specific to the selected issue, and any custom tips defined by your organization.
References/Custom References
    Lists references for the recommendations provided, including any custom references defined by your organization.
Details Tab  
The Details tab provides an abstract of the selected issue description, a detailed explanation, and  
examples. The following table describes the sections on this tab.  
Abstract/Custom Abstract
    Summary of the selected issue, including any custom abstracts defined by your organization.
Explanation/Custom Explanation
    Description of the conditions under which an issue of the selected type occurs. This includes a discussion of the vulnerability, the constructs typically associated with it, ways in which attackers can exploit it, and the potential ramifications of an attack. This section also includes any custom explanations defined by your organization.
Instance ID
    Unique identifier for the issue.
Primary Rule ID
    Identifier for the primary rule used to uncover the issue.
Priority Metadata Values
    Priority metadata values for this issue including impact and likelihood.
Legacy Priority Metadata Values
    Legacy priority metadata values for the issue including severity and confidence.
Remediation Effort
    Relative amount of effort required to fix and verify the issue.
History Tab  
The History tab displays a history of audit actions, including details such as the time and date, and  
the name of the user who modified the issue.  
Locating Issues in your Source Code  
Because the Fortify Remediation Plugin works as a plugin to IntelliJ IDEA, Android Studio, PyCharm,  
and WebStorm, you can use it to locate security-related issues in your code. You must have the same  
project open in the IDE as you selected from Micro Focus Fortify Software Security Center with the  
Fortify Remediation Plugin.  
To locate issues in the source code, do one of the following:  
• Select an issue in the issue pane.
• From the Audit tab, select a line in the analysis trace box.
The IDE places the focus on the line of code that contains the security-related issue displayed in the  
Fortify Remediation Plugin.  
Adding Audit Information  
After you select and review an issue, you can add audit information on the Audit tab. To see any  
updates to the audit results made in Micro Focus Fortify Software Security Center, click Refresh.
Assigning Users to Issues  
To assign a user to an issue:  
1. From a folder in the issue pane, select an issue.  
2. Select the Audit tab, and then, from the User list, select a user name.  
To leave the issue unassigned, select the blank value from the list.  
The Fortify Remediation Plugin makes the update to the application version in Micro Focus Fortify  
Software Security Center.  
Assigning Tags to Issues  
To assign tag values to an issue:  
1. From a folder in the issue pane, select an issue.  
2. From the Analysis list on the Audit tab, select a value that reflects your evaluation of this issue.  
This is the primary tag as defined in Micro Focus Fortify Software Security Center. The default  
primary tag is Analysis, but your organization might have a different tag designated as the  
primary tag.  
3. If custom tags defined for the project exist, provide values for them.  
The Fortify Remediation Plugin displays all custom tags assigned to the application version;  
however, you can only provide values for tags that your Fortify Software Security Center user  
account has permission to edit.  
Text-type custom tags accept up to 500 characters (HTML/XML tags and newlines are not  
allowed).  
For date-type custom tags, type a date or click Select Date to select a date from a calendar.
The Fortify Remediation Plugin makes the updates to the application version in Fortify Software  
Security Center.  
Adding Comments to Issues  
The comments box below the Analysis (primary) tag displays any comments submitted for the  
selected issue.  
To add a comment to an issue:  
1. From a folder in the issue pane, select an issue.  
2. From the Audit tab, click Add Comment.
3. In the Add Comment for Issue dialog box, type your comment.  
4. Click OK.  
The Fortify Remediation Plugin makes the updates to the application version in Micro Focus Fortify  
Software Security Center.  
Configuration Options  
This topic describes the options you can configure for the Fortify Remediation Plugin for  
IntelliJ IDEA and Android Studio. The options are stored as properties in a plain text file with the  
name fortify.properties. In this file, each property consists of a pair of strings: the first string is  
the property name and the second string is the property value. For example, the following property  
sets the pagination count to 40:  
com.fortify.remediation.PaginationCount=40  
To specify any of these properties:
1. Navigate to <IDE_product_plugins_dir>/Fortify/config.
   The following is an example location on Windows:
   C:\Users\jsmith\AppData\Roaming\JetBrains\IdeaIC2022.1\plugins\Fortify\config
2. If the file does not already exist, use a text editor to create a fortify.properties file.
The following table describes the properties that you can set in the fortify.properties file.  
com.fortify.AuthenticationKey
    Specifies the directory used to store the encrypted Micro Focus Fortify Software Security Center authentication token.
    Default: ${com.fortify.WorkingDirectory}/config/IntelliJRemediation-<version>
com.fortify.InstallationUserName
    Specifies the default user name for logging in to Fortify Software Security Center for the first time.
    Default: ${user.name}
com.fortify.remediation.PaginateIssues
    If set to true or if no value is specified, the Fortify Remediation Plugin uses pagination during issue download. If set to false, the Fortify Remediation Plugin downloads all the issues at once.
    Default: true
com.fortify.remediation.PaginationCount
    If com.fortify.remediation.PaginateIssues is set to true, specifies the number of issues to display per subfolder.
    Default: 20
com.fortify.WorkingDirectory
    Specifies the working directory that contains all user configuration and working files for the plugin. To configure this property, you must have write access to the directory.
    Defaults:
    • Windows—${win32.LocalAppdata}/Fortify
    • Non-Windows—${user.home}/.fortify
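To see what the documented defaults resolve to on a given machine (for example, where the encrypted authentication token directory ends up), here is an added example that is not the plugin's own code: it reads a constructed fortify.properties, overlays it on the defaults from the table above, treats an empty value as unset, and expands the ${...} references. That user.home, user.name and win32.LocalAppdata come from the env dictionary passed in is an assumption of the example; the plugin's actual source for those values is not documented here.

```python
import re

# Constructed sample fortify.properties (not from a real installation): it raises
# the page size and leaves PaginateIssues empty, which the guide says means true.
SAMPLE = """# pagination settings
com.fortify.remediation.PaginationCount=40
com.fortify.remediation.PaginateIssues=
"""

REF = re.compile(r"\$\{([^}]+)\}")

def documented_defaults(windows):
    """Defaults from the property table above. <version> stays as the guide's
    placeholder because the plugin version is not known to this example."""
    workdir = "${win32.LocalAppdata}/Fortify" if windows else "${user.home}/.fortify"
    return {
        "com.fortify.WorkingDirectory": workdir,
        "com.fortify.AuthenticationKey":
            "${com.fortify.WorkingDirectory}/config/IntelliJRemediation-<version>",
        "com.fortify.InstallationUserName": "${user.name}",
        "com.fortify.remediation.PaginateIssues": "true",
        "com.fortify.remediation.PaginationCount": "20",
    }

def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#' or '!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!":
            key, sep, value = line.partition("=")
            if sep:
                props[key.strip()] = value.strip()
    return props

def resolve(props, env, windows=False):
    """Overlay the file on the defaults (empty values count as unset), then
    expand ${...} references. `env` stands in for the JVM system properties
    user.home and user.name and for win32.LocalAppdata; where the plugin
    actually takes those from is an assumption of this example."""
    merged = documented_defaults(windows)
    merged.update({k: v for k, v in props.items() if v})
    def expand(value, depth=0):
        if depth > 10:
            raise ValueError("circular ${...} reference in " + value)
        def sub(match):
            name = match.group(1)
            if name in merged:
                return expand(merged[name], depth + 1)
            return env.get(name, match.group(0))  # unknown names stay literal
        return REF.sub(sub, value)
    return {key: expand(value) for key, value in merged.items()}
```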
Locating Log Files  
For help diagnosing a problem with the Fortify Remediation Plugin, provide the log file to Micro Focus  
Fortify Customer Support. The default location of the log file is:  
• On Windows: C:\Users\<username>\AppData\Local\Fortify\IntelliJRemediation-<version>\log
• On Linux and macOS: <userhome>/.fortify/IntelliJRemediation-<version>/log
Send Documentation Feedback  
If you have comments about this document, you can contact the documentation team by email.  
Note: If you are experiencing a technical issue with our product, do not email the documentation  
team. Instead, contact Micro Focus Fortify Customer Support at  
https://www.microfocus.com/support so they can assist you.  
If an email client is configured on this computer, click the link above to contact the documentation  
team and an email window opens with the following information in the subject line:  
Feedback on User Guide (Fortify Remediation Plugin for IntelliJ IDEA and Android Studio  
22.2.0)  
Just add your feedback to the email and click send.  
If no email client is available, copy the information above to a new message in a web mail client, and  
send your feedback to fortifydocteam@microfocus.com.  
We appreciate your feedback!  