Micro Focus Fortify Audit Workbench

Software Version: 21.2.0


User Guide


Document Release Date: November 2021
Software Release Date: November 2021



Legal Notices

Micro Focus
The Lawn
22-30 Old Bath Road
Newbury, Berkshire RG14 1QN
UK

https://www.microfocus.com

Warranty

The only warranties for products and services of Micro Focus and its affiliates and licensors (“Micro Focus”) are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.

Restricted Rights Legend

Confidential computer software. Except as specifically indicated otherwise, a valid license from Micro Focus is required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.


Copyright Notice

© Copyright 2004 - 2021 Micro Focus or one of its affiliates

Trademark Notices

All trademarks, service marks, product names, and logos included in this document are the property of their respective owners.

Documentation Updates

The title page of this document contains the following identifying information:

- Software Version number, which indicates the software version.
- Document Release Date, which changes each time the document is updated.
- Software Release Date, which indicates the release date of this version of the software.

This document was produced on November 10, 2021. To check for recent updates or to verify that you are using the most recent edition of a document, go to:

https://www.microfocus.com/support/documentation


Contents


Preface  9
    Contacting Micro Focus Fortify Customer Support  9
    For More Information  9
    About the Documentation Set  9
    Fortify Product Feature Videos  9

Change Log  10

Chapter 1: Introduction  12
    About Micro Focus Fortify Audit Workbench  12
        Audit Projects and Issue Templates  12
        Hybrid 2.0 Technology  12
    Integration with Fortify Software Security Center  13
    Related Documents  13
        All Products  14
        Micro Focus Fortify Software Security Center  14
        Micro Focus Fortify Static Code Analyzer  15

Chapter 2: Getting Started  16
    About Upgrades  16
        Upgrading Manually  16
        Configuring Automatic Upgrades  17
    Renewing Expired Licenses  18
    About Starting Fortify Audit Workbench  18
        Starting Fortify Audit Workbench on Windows Systems  18
        Starting Fortify Audit Workbench on Non-Windows Systems  18
    Changing the Appearance  18
    Fortify Software Security Content  19
        Configuring Security Content Updates  19
        Updating Security Content  21
        Manually Updating Security Content  22
        Importing Custom Security Content  22
    Working with Fortify Software Security Center  22
        Configuring a Connection to Fortify Software Security Center  23
        Logging in to Fortify Software Security Center  23

Chapter 3: Scanning Source Code  25
    Scanning Java Projects  25
    About Quick Scan Mode  27
    Scanning Large and Complex Projects  27
    Scanning Visual Studio Solutions  33
    Rescanning Projects  35

Chapter 4: Viewing Scan Results  37
    About Viewing Analysis Results  37
        Issues View  38
            Filter Sets  39
            Specifying the Default Filter Set  39
            Folders (Tabs)  40
            Group By List  41
            Specifying the Default Issue Grouping  41
            Sorting Issues  42
            Search Box  42
        Project Summary View  43
            Summary Tab  43
            Certification Tab  43
            Build Information Tab  44
            Analysis Information Tab  44
            Viewing Summary Graph Information  44
        Source Code Tab  48
            About Displayed Source Code  48
        Analysis Trace View  49
        Issue Auditing View  50
            Audit Tab  51
            Details Tab  52
            WebInspect Agent Details Tab  53
            Recommendations Tab  53
            History Tab  53
            Diagram Tab  53
            Filters Tab  54
            Warnings Tab  55
        Functions View  57
        Customizing the Issues View  57
    Working with Issues  59
        Filtering Issues with Audit Guide  60
        Grouping Issues  61
            Creating a Custom Group By Option  64
        Using Smart View  65
        Selectively Displaying Issues Assigned to You  67
        About Suppressed, Removed, and Hidden Issues  68
        Creating Attribute Summary Tables for Multiple Issues  68
    Searching for Issues  70
        Search Modifiers  71
        Search Query Examples  77
        Performing Simple Searches  78
        Performing Advanced Searches  79
    About Issue Templates  80
    Configuring Custom Filter Sets and Filters  81
        Creating a New Filter Set  81
        Creating a Filter from the Issues View  81
        Creating a Filter from the Issue Auditing View  82
        Copying a Filter from One Filter Set to Another  84
        Setting the Default Filter Set  84
    Managing Folders  84
        Creating a Folder  85
        Adding a Folder to a Filter Set  86
        Renaming a Folder  87
        Removing a Folder  87
    Configuring Custom Tags for Auditing  88
        Adding a Custom Tag  89
        Hiding a Custom Tag  91
        Committing Custom Tags to Fortify Software Security Center  91
        Synchronizing Custom Tags with Fortify Software Security Center  92
    Issue Template Sharing  92
        Exporting an Issue Template  92
        Importing an Issue Template  93
        Synchronizing Filter Sets and Folders  93
        Committing Filter Sets and Folders  94
    Advanced Configuration  95
        Integrating with a Bug Tracker Application  95
        Configuring Proxy Settings for Bug Tracker Integration  95
        Public APIs  96
        Penetration Test Schema  96

Chapter 5: Auditing Analysis Results  97
    Working with Audit Projects  97
        Opening an Audit Project  97
        Opening Audit Projects Without the Default Filter Set  98
        Performing a Collaborative Audit  98
        Refreshing Permissions from Fortify Software Security Center  99
        Merging Audit Data  99
            Merging Audit Data Using the Command-line Utility  100
        Additional Metadata  100
        Uploading Audit Results to Fortify Software Security Center  100
    Evaluating Issues  101
        Performing Quick Audits  102
            Performing Quick Audits for Custom Tags  102
        Adding Screen Captures to Issues  103
            Viewing Images  103
        Creating Issues for Undetected Vulnerabilities  104
        Suppressing Issues  104
    Submitting an Issue as a Bug  105
    Correlation Justification  106
        Using Correlation Justification  107
    Penetration Test Results  110
        Viewing Penetration Test Results  111

Chapter 6: Generating Analysis Reports  112
    BIRT Reports  112
        Generating BIRT Reports  114
    Legacy Reports and Templates  115
        Generating Legacy Reports  116
        Legacy Report Templates  116
            Selecting Legacy Report Sections  117
            Opening Legacy Report Templates  117
            Editing Legacy Report Subsections  118
                Editing Text Subsections  119
                Editing Results List Subsections  120
                Editing Chart Subsections  121
            Saving Legacy Report Templates  121
            Saving Changes to Legacy Report Templates  121
        Report Template XML Files  122
            Adding Legacy Report Sections  122
            Adding Report Subsections  123
                Adding Text Subsections  123
                Adding Results List Subsections  124
                Adding Charts Subsections  124

Chapter 7: Using the Functions View  126
    Opening the Functions View  127
    Sorting and Viewing Functions  128
    Locating Functions in Source Code  129
    Synchronizing the Functions View with the Analysis Trace View  129
    Locating Classes in Source Code  129
    Determining Which Rules Matched a Function  130
    Writing Rules for Functions  130
    Creating Custom Cleanse Rules  131

Chapter 8: Troubleshooting  132
    Creating Archive Logs for Micro Focus Fortify Customer Support  132
    Using the Debug Option  132
    Locating Log Files  133
    Addressing the org.eclipse.swt.SWTError Error  133
    Out of Memory Errors  134
        Allocating Additional Memory for Fortify Audit Workbench  134
        Allocating Additional Memory for Fortify Static Code Analyzer  134
        Specifying the Amount of Memory used by External Processes  135
    Saving a Project That Exceeds the Maximum Removed Issues Limit  135
    Resetting the Default Views  136

Appendix A: Sample Projects  137
    Basic Samples  137
    Advanced Samples  139

Appendix B: Static Analysis Results Prioritization  141
    About Results Prioritization  141
    Quantifying Risk  142
    Estimating Impact and Likelihood with Input from Rules and Analysis  143

Appendix C: Legacy Report Components  146
    Fortify Security Report  146
    Fortify Developer Workbook Report  149
    OWASP Top Ten Reports  150
    Fortify Scan Summary Report  151

Send Documentation Feedback  153

Preface


Contacting Micro Focus Fortify Customer Support

Visit the Support website to: