User Guide
Chapter 6: Additional Fortify Software Security Center Configuration
Configuring Issue Stats Thresholds
The Issue Stats dashboard page shows summary information about issues for the application
versions on Fortify Software Security Center, including the number of days that it is taking to
review and fix them. To provide a visual cue as to how quickly issues are being handled, the
Issue Stats page displays colored bars next to the values for the Average Days to Review and
Average Days to Remediate. A green bar indicates that issues are being managed quickly, a
red bar indicates that issue management is too slow, and an orange bar indicates that issue
management is somewhere between these two extremes.
How Average Days to Review and Average Days to Remediate are Calculated
Before it calculates the Average Days to Review and Average Days to Remediate values,
Fortify Software Security Center applies the following rules:
• Fortify Software Security Center excludes the following issues from its calculations:
    • All issues that were audited or removed 365 days ago or earlier
    • All suppressed issues
    • Issues that have not been either audited or removed
• To calculate issue aging for audited issues, Fortify Software Security Center uses the date
  and time on which the issue was first audited.
• For issues that were not audited but were removed, Fortify Software Security Center uses the
  removal date as the audit date.
• To calculate issue dates, Fortify Software Security Center performs the following to clean up
  dates and times:
    • Adjusts issue found dates and times to 12:00 AM of the date the issues were found.
    • Adjusts issue audited dates and issue removed dates to 12:00 AM of the next day.
  These adjustments are required to calculate average dates correctly. For example, without
  these adjustments, the calculated averages would be zero for issues that were found and
  audited on the same date, which is not correct. For an issue found on March 2 and audited on
  March 5, the days to review is 5 – 2 + 1, or 4 days.
After it applies all of these rules and makes time and date adjustments, Fortify Software
Security Center calculates the average of two values, (auditTime - foundDate) and
(removedDate - foundDate), to get the average number of days to audit and remediate issues.
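The rules above, worked through in Python as an added example (this is not Fortify code). The record field names, the `now` reference point for the 365-day cutoff, applying that cutoff to either date, and leaving issues that were never removed out of the remediation average are all assumptions.

```python
from datetime import datetime, timedelta

def floor_day(ts):
    """Found dates: 12:00 AM of the day the issue was found."""
    return ts.replace(hour=0, minute=0, second=0, microsecond=0)

def next_day(ts):
    """Audited and removed dates: 12:00 AM of the next day."""
    return floor_day(ts) + timedelta(days=1)

def issue_stats(issues, now):
    """Return (avg days to review, avg days to remediate); None when no data."""
    cutoff = now - timedelta(days=365)
    review, remediate = [], []
    for issue in issues:
        audited, removed = issue.get("audited"), issue.get("removed")
        if issue.get("suppressed") or (audited is None and removed is None):
            continue  # suppressed, or neither audited nor removed
        # Assumption: "365 days ago or earlier" is checked against either date.
        if any(d is not None and d <= cutoff for d in (audited, removed)):
            continue
        found = floor_day(issue["found"])
        # Removed but never audited: the removal date stands in as the audit date.
        first_audit = audited if audited is not None else removed
        review.append((next_day(first_audit) - found).days)
        if removed is not None:  # assumption: only removed issues count here
            remediate.append((next_day(removed) - found).days)

    def avg(values):
        return sum(values) / len(values) if values else None
    return avg(review), avg(remediate)

# Constructed sample records (hypothetical field names, not real SSC data).
NOW = datetime(2023, 6, 1, 9, 0)
SAMPLE = [
    # The guide's own case: found March 2, audited March 5 -> 4 days to review.
    {"found": datetime(2023, 3, 2, 14, 30), "audited": datetime(2023, 3, 5, 10, 0)},
    # Found and audited the same day -> 1 day, not 0; removed 2 days later -> 3.
    {"found": datetime(2023, 4, 10, 8, 0), "audited": datetime(2023, 4, 10, 17, 0),
     "removed": datetime(2023, 4, 12, 9, 0)},
    # Never audited, removed May 6 -> 6 days for both values.
    {"found": datetime(2023, 5, 1, 8, 0), "removed": datetime(2023, 5, 6, 8, 0)},
    # Excluded: suppressed, audited more than 365 days ago, and untouched.
    {"found": datetime(2023, 5, 2, 8, 0), "audited": datetime(2023, 5, 3, 8, 0),
     "suppressed": True},
    {"found": datetime(2022, 1, 1, 8, 0), "audited": datetime(2022, 1, 5, 8, 0)},
    {"found": datetime(2023, 5, 20, 8, 0)},
]
```
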
Setting the Issue Stats Thresholds
You set the thresholds that determine what users see when they review summary information
about the application versions to which they have access. By default, the Issue Stats page
displays values of fewer than 100 days (minimum) in a green bar, any values greater than 365
days (maximum) in red, and values in between as yellow.
Fortify Software Security Center (23.1.0)