OpenText™ Fortify Audit Workbench

Software Version: 24.2.0

User Guide

Document Release Date: May 2024

Software Release Date: May 2024

Legal Notices

Open Text Corporation

275 Frank Tompa Drive, Waterloo, Ontario, Canada, N2L 0A1

Copyright Notice

The only warranties for products and services of Open Text and its affiliates and licensors (“Open Text”) are as may be set forth in the

express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an

additional warranty. Open Text shall not be liable for technical or editorial errors or omissions contained herein. The information

contained herein is subject to change without notice.

Trademark Notices

“OpenText” and other Open Text trademarks and service marks are the property of Open Text or its affiliates. All other trademarks or

service marks are the property of their respective owners.

Documentation Updates

The title page of this document contains the following identifying information:

l

Software Version number

l

Document Release Date, which changes each time the document is updated

l

Software Release Date, which indicates the release date of this version of the software

This document was produced for OpenText™ Fortify Audit Workbench CE 24.2 on May 15, 2024. To check for recent updates or to

verify that you are using the most recent edition of a document, go to:

https://www.microfocus.com/support/documentation

OpenText™ Fortify Audit Workbench (24.2.0)

Page 2 of 152

User Guide

Contents

Preface

9

Contacting Customer Support

For More Information

About the Documentation Set

Fortify Product Feature Videos

Change Log

10

12

Chapter 1: Introduction

About Fortify Audit Workbench

Audit Projects and Issue Templates

Hybrid 2.0 Technology

12

13

Integration with Fortify Static Code Analyzer

Integration with Fortify Software Security Center

13

See Also

Integration with Fortify Software Security Center

Fortify Software Security Center provides a web portal that developers, managers, and security teams

can use to share, collaborate, and track remediation of the potential vulnerabilities that Fortify Static

Code Analyzer scans uncover. If you connect Fortify Audit Workbench to your Fortify Software

Security Center server, you can upload and merge your scan and audit results and share them with

your team. This enables you to monitor trends and indicators across multiple application versions.

Integration with Fortify Software Security Center enables you to:

l

Upload audit projects (FPR files)

l

Perform collaborative application audits

l

Manage the security content, which consists of Fortify Secure Coding Rulepacks, custom Rulepacks,

and external metadata applied during Fortify Static Code Analyzer scans

l

Check for and install available upgrades of Fortify Static Code Analyzer and associated applications

(including Fortify Audit Workbench)

l

Download issue templates

l

Upload new and modified issue templates

OpenText™ Fortify Audit Workbench (24.2.0)

Page 13 of 152

User Guide

Chapter 1: Introduction

"Configuring a Connection to Fortify Software Security Center" on page 22

See Also

"Updating Security Content" below

"Importing Custom Security Content" on page 28

Updating Security Content

To optimize Fortify Audit Workbench functionality to scan with Fortify Static Code Analyzer, you

must have up-to-date security content. You can update Fortify security content from a configured

server or from your local system.

Important! To update security content, you must have Fortify Static Code Analyzer locally

installed.

OpenText™ Fortify Audit Workbench (24.2.0)

Page 26 of 152

User Guide

Chapter 2: Getting Started

To update security content:

1. Select Options > Options.

2. In the left pane, select Security Content Management.

Note: Scroll to the bottom of the Installed Fortify Security Content list to see the external

mappings.

Any custom rules and custom external mappings appear in the Installed Custom Security

Content list.

3. You must provide the location of a locally installed Fortify Static Code Analyzer. If the Static

Code Analyzer Path shows <Unavailable>, do the following:

a. Click Browse to the right of Static Code Analyzer Path.

b. Go to the Fortify Static Code Analyzer installation directory and select the executable file.

On Windows, the file name is sourceanalyzer.exe. On non-Windows systems, the file

name is sourceanalyzer.

c. Click OK.

OpenText™ Fortify Audit Workbench (24.2.0)

Page 27 of 152

User Guide

Chapter 2: Getting Started

4. To update Fortify security content from a server, do the following:

a. (Optional) From the Locale list, select a language.

Fortify provides security content in English, Simplified Chinese, Traditional Chinese,

Japanese, Korean, Spanish, or Brazilian Portuguese. Issue descriptions and recommendations

are available in the selected language and the Fortify categories are in English.

b. Click Update.

5. To update Fortify security content from your local system, under Update Security Content from

Local System, do the following:

a. Click Fortify Security Content.

b. Navigate to a Fortify security content ZIP file, and then click Open.

All existing security content is replaced with the selected Fortify security content. Any existing

custom security content is unchanged.

"Configuring Security Content Updates" on page 24

Importing Custom Security Content

You can import custom security content to use in your scans.

Note: To import custom external metadata, you must place your external metadata file in the

<sca_install_dir>/Core/config/CustomExternalMetadatadirectory.

To import custom rules, do the following:

1. Select Options > Options.

2. In the left pane, select Security Content Management.

3. Under Update Security Content from Local System, click Custom Security Content.

4. Select the custom rules files to import (*.xml and *.bin), and then click Open.

OpenText™ Fortify Audit Workbench (24.2.0)

Page 28 of 152

Chapter 3: Scanning Source Code

You can scan your source code and view the analysis results in the Fortify Audit Workbench auditing

interface.

This section contains the following topics:

Scanning Java Projects

29

About Quick Scan Mode

31

35

37

Scanning Large and Complex Projects

Scanning Visual Studio Solutions

Rescanning Projects

Scanning Java Projects

The Audit Guide Wizard combines the translation and analysis phases of the scanning process into a

single step. Use this wizard to scan small Java projects that have source code in a single directory.

To scan a new Java project:

1. Start Fortify Audit Workbench.

2. Under Start New Project, click Scan Java Project.

3. Select the folder that contains all the source code you want to analyze, and then click Select

Folder.

Note: Fortify Static Code Analyzer sets the build ID to the folder name.

4. Select the Java version used for your project, and then click OK.

OpenText™ Fortify Audit Workbench (24.2.0)

Page 29 of 152

User Guide

Chapter 3: Scanning Source Code

The Audit Guide Wizard opens.

5. Select the settings for the types of issues you want to display in the results, and then click Scan.

Fortify Static Code Analyzer analyzes the source code. If Fortify Static Code Analyzer encounters

any problems as it scans the source code, Fortify Audit Workbench displays a warning.

6. If a warning is displayed, click OK.

7. After the scan is complete, Fortify Audit Workbench displays the analysis results.

Fortify Audit Workbench stores the analysis results (FPR file) in the following directory:

l

Windows: C:\Users\<username>\AppData\Local\Fortify\AWB-<version>\<build_

ID>

l

Non-Windows: <userhome>/.fortify/AWB-<version>/<build_ID>

Note: Fortify Static Code Analyzer scans started from Fortify Audit Workbench are invoked with

the server Java Virtual Machine.

OpenText™ Fortify Audit Workbench (24.2.0)

Page 30 of 152

User Guide

Chapter 3: Scanning Source Code

About Quick Scan Mode

Quick scan mode provides a way to quickly scan your projects for critical- and high-priority issues.

Fortify Static Code Analyzer performs the scan faster by reducing the depth of the analysis and

applying the Quick View filter set. The quick scan settings are configurable. For more details about

the configuration of quick scan mode, see the OpenText™ Fortify Static Code Analyzer User Guide.

Quick scans are a great way to get many applications through an assessment so that you can quickly

find issues and begin remediation. The performance improvement you get depends on the complexity

and size of the application. Although the scan is faster than a full scan, it does not provide as robust a

result set. Other issues that a quick scan cannot detect might exist in your application. Fortify

recommends that you run full scans whenever possible.

Note: By default, Fortify Software Security Center does not allow you to upload scans performed

in quick scan mode. However, you can configure your Fortify Software Security Center application

version so that uploaded audit projects scanned in quick scan mode are processed. For more

information, see analysis results processing rules in the OpenText™ Fortify Software Security

Center User Guide.

To perform a quick scan, follow the steps described in "Scanning Large and Complex Projects" below

and select the Enable Quick Scan Mode check box. Quick scan is also available when you scan Visual

Studio solutions (see "Scanning Visual Studio Solutions" on page 35). Fortify Audit Workbench

displays the scan results in its Project Summary view. You audit quick scan results just as you audit

full scan results.

Scanning Large and Complex Projects

Exceptionally large codebases might require some configuration to ensure a complete scan, including

using Fortify Static Code Analyzer to scan the code in smaller sections. While Fortify Audit Workbench

enables you to edit Fortify Static Code Analyzer command options, you can handle large, complex

scans more successfully directly through the command console. In addition, if a system has memory

constraints, Fortify Static Code Analyzer must compete with the Fortify Audit Workbench for

resources, which might result in slow or failed scans.

Use the Advanced Static Analysis wizard for projects that have source code in multiple directories,

special translation or build requirements, or that have files that you want to exclude from the project.

Note: Fortify Audit Workbench filters out unsupported files within the selected source code

directories.

To scan a new project:

1. Start Fortify Audit Workbench.

2. Under Start New Project, click Advanced Scan.

3. Select the root directory of the project, and then click Select Folder.

OpenText™ Fortify Audit Workbench (24.2.0)

Page 31 of 152

User Guide

Chapter 3: Scanning Source Code

The Advanced Static Analysis wizard opens.

Note: The following image shows the wizard options when you select a Java project. The

options are different for other programming languages.

The wizard automatically includes all supported files in the scan.

4. (Optional) To add files from another directory:

a. Click Add Directory.

b. Select the folder that contains the files you want to add to the scan, and then click Select

Folder.

The navigation pane displays the directory and Fortify Audit Workbench adds all supported

files to the scan. (To remove the directory, right-click the folder, and then select Remove

Root.)

5. (Optional) To exclude files or directories that contain, for example, test source code, right-click

the file or directory, and then click Exclude.

OpenText™ Fortify Audit Workbench (24.2.0)

Page 32 of 152

User Guide

Chapter 3: Scanning Source Code

6. For Java projects, set the following:

a. Select the build directories and JAR files, and then click Classpath Directory.

Note: If you do not select the classpath directory, Fortify Static Code Analyzer uses the

CLASSPATHenvironment variable value.

The folder turns blue and the files are added to the class path.

b. From the Java Version list, select the Java version of the project.

7. In the Build ID box, type a build ID.

The root directory is the default build ID.

8. To specify a different output file path than the default, in the Output file box, type the path and

file name for the FPR file that Fortify Static Code Analyzer will generate.

9. To perform a quick scan, select the Enable Quick Scan Mode check box.

For information about quick scans, see "About Quick Scan Mode" on page 31.

10. Click Next.

The analysis process includes the following phases:

l

During the clean phase, Fortify Static Code Analyzer removes files from previous translation of

the project.

l

During the translation phase, Fortify Static Code Analyzer translates source code identified in

the previous page into an intermediate format that is associated with a build ID. The build ID is

typically the project.

l

During the scan phase, Fortify Static Code Analyzer scans source files identified during the

translation phase and generates analysis results, in the Fortify Project Results (FPR) format.

11. (Optional) To skip an analysis phase, clear the Enable clean, Enable translation, or Enable scan

check box.

For example, if the security content has changed but the project has not changed, you might

want to skip both the clean and the translation phases so that Fortify Static Code Analyzer scans

the project without translating it again.

12. Modify the command-line options for each Fortify Static Code Analyzer analysis phase to suit

your requirements.

13. (Optional) To specify the amount of memory Fortify Static Code Analyzer used for analysis:

a. Click Configure Memory.

b. Adjust the slider to the amount of memory required.

Note: Fortify Audit Workbench displays the amount of memory you set for Fortify Static

Code Analyzer followed by the amount of memory on your system.

c. Click OK.

OpenText™ Fortify Audit Workbench (24.2.0)

Page 33 of 152

User Guide

Chapter 3: Scanning Source Code

14. (Optional) To analyze the source code using an installed custom Rulepack, or to turn off a

Rulepack, do the following:

a. Click Configure Rulepacks.

The Additional Options dialog box opens.

b. In the Installed Fortify Security Content list, clear the check boxes that correspond to any

Rulepacks you want to make unavailable during the scan.

Note: For instructions on how to add custom security content, see "Importing Custom

Security Content" on page 28.

c. Click OK.

15. From the Advanced Static Analysis wizard, click Next.

16. Select your scan settings, and then click Scan.

Fortify Static Code Analyzer starts the scan and displays progress information throughout the

process. If Fortify Static Code Analyzer encounters any problems scanning the source code, it displays

a warning.

OpenText™ Fortify Audit Workbench (24.2.0)

Page 34 of 152

User Guide

Chapter 3: Scanning Source Code

After the scan is complete, Fortify Audit Workbench loads the audit project and displays the analysis

results.

Scanning Visual Studio Solutions

If you have Visual Studio and the Fortify Extension for Visual Studio installed on the same machine as

Fortify Audit Workbench, you can analyze Visual Studio solutions and projects.

To scan a Visual Studio solution:

1. Start Fortify Audit Workbench.

2. Under Start New Project, click Visual Studio Build Integration.

Note: The Visual Studio Build Integration command is only available if you have installed

the Fortify Extension for Visual Studio with the Fortify Applications and Tools installation.

3. Select the folder that contains the solution you want to analyze, and then click Select Folder.

Note: Fortify Static Code Analyzer uses the selected folder name as the build ID.

The Advanced Static Analysis wizard opens.

4. Configure the solution settings as follows:

a. (Optional) Next to the Visual Studio solution file box, click Browse. Navigate to and select

your Visual Studio solution file.

b. From the Visual Studio version list, select the Visual Studio version used for the solution.

c.

In the Build configuration box, leave the default value DEBUG.

d. (Optional) In the Build ID box, type a different build ID.

OpenText™ Fortify Audit Workbench (24.2.0)

Page 35 of 152

User Guide

Chapter 3: Scanning Source Code

e. (Optional) To change the output location and file name, click Browse to the right of Output

file.

f. To run the scan in quick scan mode, select the Enable Quick Scan Mode check box.

g. Click Next.

The Advanced Static Analysis wizard displays details about the Fortify Static Code Analyzer

analysis phases for the scan.

l

During the clean phase, Fortify Static Code Analyzer removes files from previous translation of

the project.

l

During the translation phase, Fortify Static Code Analyzer translates source code identified in

the previous page into an intermediate format that is associated with a build ID. The build ID is

typically the project.

l

During the scan phase, Fortify Static Code Analyzer scans source files identified during the

translation phase and generates analysis results, in the Fortify Project Results (FPR) format.

5. (Optional) To skip a scanning phase, clear the Enable clean, Enable translation, or Enable scan

check box.

For example, if the Rulepacks have changed but the project has not changed, you might want to

skip both the clean and the translation phases so that Fortify Static Code Analyzer scans the

project without retranslating the source code.

6. Modify the command-line options for each Fortify Static Code Analyzer phase, if necessary.

7. (Optional) To specify the amount of memory Fortify Static Code Analyzer uses for scanning:

a. Click Configure Memory.

b. Adjust the slider to the amount of memory required.

Note: Fortify Audit Workbench displays the amount of memory you set for Fortify Static

Code Analyzer followed by the amount of memory on your system.

c. Click OK.

8. (Optional) To analyze the source code using an installed custom Rulepack, or to turn off a

Rulepack, do the following:

a. Click Configure Rulepacks.

b. In the Installed Fortify Security Content list, clear the check boxes that correspond to any

Rulepacks you want to make unavailable during the scan.

Note: For instructions on how to add custom security content, see "Importing Custom

Security Content" on page 28.

c. Click OK.

9. From the Advanced Static Analysis wizard, click Next.

10. Select your scan settings, and then click Scan.

Fortify Static Code Analyzer starts the scan and displays progress information throughout the

process. If Fortify Static Code Analyzer encounters any problems scanning the source code, it displays

a warning.

OpenText™ Fortify Audit Workbench (24.2.0)

Page 36 of 152

User Guide

Chapter 3: Scanning Source Code

After the scan is completed, Fortify Audit Workbench loads the audit project and displays the analysis

results.

Rescanning Projects

This section describes how to rescan a project that was translated locally with new or updated rules.

Fortify Audit Workbench automatically loads the FPR project settings such as the build ID and source

code path, and allows you to change the command-line scanning options.

After Fortify Static Code Analyzer completes the scan, Fortify Audit Workbench merges the analysis

results with those from the previous scan to determine which issues are new, which have been

removed, and which were uncovered in both scans.

To rescan a project:

1. Open an FPR file.

2. Select Tools > Rescan Project.

Note: You can only rescan a project on the same machine where the project was originally

scanned.

The Rescan Build ID dialog box opens.

3. If the source code has changed since the most recent scan, click Update Project Translation to

re-translate the project.

Note: If the FPR file that you opened was generated by a Fortify Static Code Analyzer scan

that was not initiated from Fortify Audit Workbench, then Update Project Translation is

unavailable.

Note: If the source code has changed since the most recent scan, you must update the

translation before you rescan the code. Otherwise, a new scan cannot uncover the issues in

the updated source code.

4. (Optional) Modify the Fortify Static Code Analyzer scan phase command-line options, as

necessary.

5. To perform a quick scan, select the Enable Quick Scan Mode check box.

6. (Optional) To change the Rulepacks used to analyze the project:

a. Click Configure Rulepacks.

b. Click to expand the Installed Fortify Security Content.

c. To add and remove Rulepacks, select or clear the check boxes, as necessary.

Note: For instructions on how to add custom security content, see "Importing Custom

Security Content" on page 28.

d. Click OK.

7. Click Scan.

OpenText™ Fortify Audit Workbench (24.2.0)

Page 37 of 152

User Guide

Chapter 3: Scanning Source Code

After the scan is complete, Fortify Audit Workbench displays the results. Compare the new results

with the issues uncovered in the previous scan as follows:

l

To display all new issues, select the All tab (green), and then, in the Group By list, select New

Issue. Expand the Issue New group.

l

To display removed issues, select the All tab, and then select Options > Show Removed Issues.

l

To review issues found in both the previous scan and the new scan, select the All tab, and then in

the Group By list, select New Issue. Expand the Issue Updated group.

OpenText™ Fortify Audit Workbench (24.2.0)

Page 38 of 152

Chapter 4: Viewing Analysis Results

After a scan is completed, Fortify Audit Workbench displays the analysis results in the auditing

interface.

This section contains the following topics:

About Viewing Analysis Results

About Issue Templates

Configuring Custom Filter Sets and Filters

Managing Folders

Configuring Custom Tags for Auditing

Issue Template Sharing

Advanced Configuration

About Viewing Analysis Results

After the scan is complete (or, after you open an existing audit project), summary analysis results are

displayed in the Issues view and in the Project Summary view of the auditing interface. The Analysis

Trace and Issue Auditing views are open, but do not contain any information until you select an issue

from the Issues view.

OpenText™ Fortify Audit Workbench (24.2.0)

Page 39 of 152

User Guide

Chapter 4: Viewing Analysis Results

View / Tab

More Information

Issues (top left)

"Issues View" below

Project Summary (top center) "Project Summary View" on page 45

Source Code (top center)

"Source Code Tab" on page 49

"Analysis Trace View" on page 50

Analysis Trace (bottom left)

Issue Auditing (bottom center) "Issue Auditing View" on page 52

Functions (right)

"Functions View" on page 59

Issues View

The Issues view lists the issues detected in the application and provides several ways to group them.

The view contains the Filter Set list, folders (tabs), the Group By list, the My Issues check box, and a

search box.

Note: In this view, you can right-click an issue and select Issue Attributes to see all the

attributes associated with the issue such as Analysis tag, analyzer that detected the issue,

severity, and more.

OpenText™ Fortify Audit Workbench (24.2.0)

Page 40 of 152

User Guide

Chapter 4: Viewing Analysis Results

Filter Sets

Fortify Audit Workbench applies filters to sort and display the issues that Static Code Analyzer

uncovers. Fortify Audit Workbench organizes filters into distinct filter sets.

The selected filter set controls which issues are listed in the Issues view. The filter set determines the

number and types of containers (folders) that are shown and how and where to display issues. The

default filter sets sort the issues by severity into the Critical, High, Medium, Low, and All folders.

Because filter sets are saved to audit project files, each audit project can have unique filter sets.

Fortify Audit Workbench provides the following filter sets for new projects:

l

Quick View: This is the default initial filter set for new projects. The Quick View filter set provides a

view only of issues in the Critical folder (these have a potentially high impact and a high likelihood

of occurring) and the High folder (these have a potentially high impact and a low likelihood of

occurring). The Quick View filter set provides a useful first look at results that enables you to

quickly address the most pressing issues.

l

Security Auditor View: This is the default filter set for projects scanned in earlier product

versions. This view shows all security issues detected. The Security Auditor View filter contains no

visibility filters, so all issues are shown.

For instructions on how to create custom filter sets, see "Configuring Custom Filter Sets and Filters"

on page 83.

If you open an FPR file that contains no custom filtertemplate.xmlfile or if you open an FVDL file

or a webinspect.xmlfile, the audit project opens with the Quick View filter set selected.

Specifying the Default Filter Set

You can change the initial filter set to use for new or opened projects. You can also turn off the

default filter set so that Audit Workbench uses the filter set last enabled in the issue template to

display analysis results for new projects.

To select the filter set for new or opened projects:

1. Select Options > Options.

2. In the left pane, select Audit Configuration, and then select the Configuration tab on the right.

3. Under Audit Project Load Mode, leave the Default Filter Set check box selected.

If you clear the check box, the default filter is loaded. For newly-opened projects, the default filter

for FPRs that have no embedded template or the default filter from the embedded template is

the Security Auditor View filter set.

4. From the list to the right of the Default Filter Set check box, select the filter set to use to display

analysis results for new projects.

5. Click OK.

OpenText™ Fortify Audit Workbench (24.2.0)

Page 41 of 152

User Guide

Chapter 4: Viewing Analysis Results

Folders (Tabs)

The color-coded Critical, High, Medium, Low, and All tabs on the Issues view are called folders. You

can customize the folders and their settings. The number of folders, names, colors, and the issue list

can vary between filter sets and projects.

Note: In Audit Workbench, the term folder does not refer to the folder icon in the issues list.

Within each color-coded folder, issues are grouped into subfolders. At the end of each folder name,

enclosed in brackets, is the number of audited issues and the total number of issues in the folder. For

example, Command Injection - [1 / 3] indicates that one out of three issues categorized as

Command Injection has been audited.

The filter set you select from the Filter Set list determines which folders are visible in the Issues view.

The following table describes the folders that are visible when the Security Auditor View filter set is

selected.

Folder

Description

Critical

This folder contains issues that have a high impact and a high likelihood of occurring.

Issues at this risk level are easy to discover and to exploit and represent the highest

security risk to a program. Remediate critical issues immediately.

High

This folder contains issues that have a high impact and a low likelihood of occurring.

High-priority issues are often difficult to discover and exploit, but can result in much

asset damage. They represent a significant security risk to a program. Remediate

these issues with the next patch release.

Medium

Low

This folder contains issues that have a low impact and a high likelihood of exploitation.

Medium-priority issues are easy to discover and exploit but often result in little asset

damage. These issues represent a moderate security risk to a program. Remediate

these issues as time permits.

This folder contains issues that have a low impact and a low likelihood of exploitation.

Low-priority issues are potentially difficult to discover and to exploit and typically

result in little asset damage. These issues represent a minor security risk to the

program. Remediate these issues as time permits.

OpenText™ Fortify Audit Workbench (24.2.0)

Page 42 of 152

User Guide

Chapter 4: Viewing Analysis Results

Folder

Description

All

This folder contains all the issues.

An issue is listed in a folder if the folder filter conditions match the issue attributes. Each filter set has

a default folder, indicated by (default) next to the folder name. If an issue does not match any of the

folder filters, the issue is listed in the default folder.

You can create your own folders as you need them. For example, you might group all hot issues for a

project into a Hot folder and group all warning issues for the same project into a Warning folder. For

instructions on how to create your own folders, see "Creating a Folder" on page 87.

Each folder contains a list of all the issues with attributes that match the folder filter conditions. One

folder in each filter set is the default folder, indicated by (default) in the folder name.

Note: To show or hide suppressed, hidden, and removed issues, set the user interface

preferences from the Options dialog box (see "Customizing the Issues View" on page 59).

Group By List

You can use the Group By list of grouping attributes to sort the issues into subfolders. The grouping

attribute you select is applied to all visible folders. To list all issues in the folder without any grouping,

select <none>.

To customize the existing groups, you can specify which attributes to sort by, add or remove the

attributes to create sub-groupings, and add your own grouping options.

The grouping attributes apply to the application instance. You can apply the grouping attributes to

any project opened with that instance of the application.

See Also

"Grouping Issues" on page 73

"Creating a Custom Grouping Option" on page 76

Specifying the Default Issue Grouping

You can change the initial Group By setting to use for new or opened projects.

OpenText™ Fortify Audit Workbench (24.2.0)

Page 43 of 152

User Guide

Chapter 4: Viewing Analysis Results

To select the default Group By setting:

1. Select Options > Options.

2. In the left pane, select Audit Configuration, and then select the Configuration tab on the right.

3. Under Audit Project Load Mode, select the Default Issue Grouping check box.

If you clear the check box, the default Group By setting is set to Category.

4. From the list to the right of the Default Issue Grouping check box, select the grouping you want

to use to sort issues.

5. Click OK.

Sorting Issues

There are several different ways to sort the issues in the Issues View. Select a sort option from the

Sort list. The following table describes the sort options.

Sort Method

Icon

Description

Alphabetical

Sorts the groups and the issues within the groups in alphabetical

order

Sorts the groups and the issues within the groups in reverse-

alphabetical order

Group size

Sorts the groups by the number of contained issues from largest to

smallest

Sorts the groups by the number of contained issues from smallest

to largest

Last modified

date

Sorts the groups and issues in groups by the date last modified by

Fortify Static Code Analyzer or the audit/comment date from

newest to oldest

Sorts the groups and issues in groups by the date last modified by

Fortify Static Code Analyzer or the audit/comment date from

oldest to newest

Search Box

Use the search box to limit the issues displayed in the folder and to search for specific issues. For

detailed information about how to use the search box, see "Search Syntax" on page 62.

OpenText™ Fortify Audit Workbench (24.2.0)

Page 44 of 152

User Guide

Chapter 4: Viewing Analysis Results

Project Summary View

The Project Summary view provides detailed information about the scan.

To open this view, select Tools > Project Summary.

Summary Tab

The Summary tab shows high-level information about the project. For more information, see "Viewing

Summary Graph Information" on the next page.

Note: If the Summary tab header indicates that there are warnings in your scan, you can review

them in more detail in the Issue Auditing view. For more information, see "Warnings Tab" on

page 57.

Certification Tab

The Certification tab displays the certification status for the analysis results. Results certification is a

check to ensure that the analysis results were not altered after Fortify Static Code Analyzer produced

them

Build Information Tab

The Build Information tab displays the following information:

l

Build details including the build ID, build label, number of files scanned, source last-modified date,

and the date of the scan, which might be different than the date the files were translated

l

Total lines of code (Total LOC) scanned

l

List of files scanned with file sizes and timestamps

l

Libraries referenced in the scan

l

Java class path used in the translation

Analysis Information Tab

The Analysis Information tab shows the version of Fortify Static Code Analyzer that performed the

scan, details about the computer on which the scan was run, the user who started the scan, scan date,

and the time required to scan the code.

The Analysis Information tab includes the following subtabs:

l

Security Content—Lists information about the Rulepacks used to scan the source code

l

Properties—Displays the Fortify Static Code Analyzer configuration properties used in the scan

l

Commandline Arguments—Displays the command-line options used to scan the project

OpenText™ Fortify Audit Workbench (24.2.0)

Page 45 of 152

User Guide

Chapter 4: Viewing Analysis Results

Viewing Summary Graph Information

The summary graph displayed in the Project Summary view provides multiple perspectives on the

sets of issues, grouped by priority (Critical, High, Medium, and Low) uncovered in a scan. You can drill

down in the graph to see detailed information about each issue set, and create various bar charts for

issues based on a selected issue attribute.

To access details about issue sets in an audit project:

1. Scan your project source code or open an existing audit project.

After the results are loaded, the Project Summary view displays the Summary tab, which

includes the summary graph. The summary graph initially displays issues sorted into the Critical,

High, Medium, and Low folders.

Note: If you change the selection in the Filter Set list (Issues), the summary graph changes

accordingly.

OpenText™ Fortify Audit Workbench (24.2.0)

Page 46 of 152

User Guide

Chapter 4: Viewing Analysis Results

2. To see a different view of the high priority issues, click the High bar.

By default, the graph displays high priority issues based on the analysis attribute (assigned

analysis values).

Note: The example here shows information for analysis results that have been partially

audited. If these results were from a fresh, unaudited scan, no analysis information would be

available. The graph would just display a single bar that represents all (unaudited) high

priority issues.

OpenText™ Fortify Audit Workbench (24.2.0)

Page 47 of 152

User Guide

Chapter 4: Viewing Analysis Results

3. To view the high priority issues based on a different attribute, select an item from the View By

list.

4. On the Issues in High bar graph, select a bar for a category that contains multiple issues.

OpenText™ Fortify Audit Workbench (24.2.0)

Page 48 of 152

User Guide

Chapter 4: Viewing Analysis Results

In the example shown here, the Path Manipulation bar is selected. You can see that of the six

issues, two are marked as Suspicious and four are marked as Bad Practice.

5. To synchronize the issues list with the displayed graphical view, click Sync Issue List with

Graph.

The issue list in the Issues view now reflects the selections in the summary graph.

6. To return to the previous view in the summary graph, click Back.

7. To return to the original summary graph view (issues based on priority), click Return to Folder

Graph.

Source Code Tab

After you open a project in Fortify Audit Workbench, the top center view displays the Project

Summary tab. After you select an issue in the Issues view to the left, Fortify Audit Workbench adds

the source code tab to the top center view. This source code tab shows the code related to the issue

selected in the Issues view.

If multiple nodes represent an issue in the Analysis Trace view (below the Issues view), the source

code tab shows the code associated with the selected node.

OpenText™ Fortify Audit Workbench (24.2.0)

Page 49 of 152

User Guide

Chapter 4: Viewing Analysis Results

From the source code tab, you can use the context menu commands to:

l

Create new issues (Create New Issue).

For more information, see "Creating Issues for Undetected Vulnerabilities" on page 107.

l

Create a custom rule (Generate Rule for Function).

For more information, see "Writing Rules for Functions" on page 133.

l

Jump to the declaration of a function, class, variable, field, or an argument within source code that

Fortify Static Code Analyzer translated (Jump to Declaration).

l

Locate the file name and line number where a function occurs in the source code (Find Usages).

The search results are displayed in the Search tab of the Issue Auditing view.

l

Refresh the code displayed in source code tab (Refresh).

You might need to use this if the file was modified outside of Fortify Audit Workbench.

l

Customize the appearance in the source code tab such as fonts, colors, text edit settings, and so on

(Editor Preferences).

About Displayed Source Code

After you open an FPR file in Audit Workbench, the source code tab displays source code that is

stored locally. If that source code was updated since the last scan, Fortify Audit Workbench displays

the updated source code, even if the latest scan did not use that updated source code.

However, if that source code is updated after you open the FPR file and Fortify Audit Workbench has

already started and searched for the source code (even if you close the FPR in Audit Workbench and

then re-open it) Fortify Audit Workbench does not look for or display the updated source code. It

displays the updated source code only after you quit, and then restart Fortify Audit Workbench.

Analysis Trace View

When you select an issue, the Analysis Trace view displays the relevant analysis trace. This is a set of

program points that show how the analyzer found the issue. For dataflow and control flow issues, the

set is presented in the order executed. For dataflow issues, this trace view presents the path that the

tainted data follows from the source function to the sink function.

For example, when you select an issue that is related to potentially tainted dataflow, the Analysis

Trace view shows the direction the dataflow moves in this section of the source code.

The Analysis Trace view uses the icons described in the following table to show how the dataflow

moves in this section of the source code or execution order.

Icon

Description

Data is assigned to a field or variable

Information is read from a source external to the code such as an HTML form or a web

address

OpenText™ Fortify Audit Workbench (24.2.0)

Page 50 of 152

User Guide

Chapter 4: Viewing Analysis Results

Icon

Description

Data is assigned to a globally scoped field or variable

A comparison is made

The function call receives tainted data

The function call returns tainted data

Passthrough, tainted data passes from one place to another

Note: This is typically shown as functionA(x : y)to indicate that data is

transferred from xto y. The xand yvalues are one of the following:

l

An argument index

l

return—The return value of a function

l

this—The instance of the current object

l

A specific object field or key

An alias is created for a memory location

Data is read from a variable

Data is read from a global variable

Tainted data is returned from a function

A pointer is created

A pointer is dereferenced

The scope of a variable ends

The execution jumps

A branch is taken in the code execution

A branch is not taken in the code execution

Generic

OpenText™ Fortify Audit Workbench (24.2.0)

Page 51 of 152

User Guide

Chapter 4: Viewing Analysis Results

Icon

Description

A runtime source, sink, or validation step

Taint change

The Analysis Trace view can include inductions. Inductions provide supporting evidence for their

parent nodes. Inductions consist of:

l

A text node, displayed in italics as a child of the trace node. This text node is expanded by default.

l

An induction trace, displayed as a child of the text node (a box surrounds the induction trace).

The italics and the box distinguish the induction from a standard subtrace. To display the induction

reference information for that induction, click it.

Issue Auditing View

The Issue Auditing view at the bottom center of the auditing interface provides detailed information

about each issue on the tabs, which are described in the following topics.

Note: If any of the tabs are not visible, select Options > Show View to open them.

OpenText™ Fortify Audit Workbench (24.2.0)

Page 52 of 152

User Guide

Chapter 4: Viewing Analysis Results

Audit Tab

The Audit tab displays information about the selected issue and enables auditors to add an audit

evaluation, comments, and custom tag values. The following table describes the tab interface

elements.

Element

Issue

Description

Displays the issue location, including the file name and line number.

User

Displays the name of the user assigned to the issue if the results were

uploaded to Fortify Software Security Center and a user was assigned.

Analysis

Displays the audit assessment for the selected issue. To change the

assessment, select an item from the list. This is the primary tag. The

default primary tag is Analysis, but it might be different depending on

the custom tag settings in the project configuration. The valid values for

Analysis are Not an Issue, Reliability Issue, Bad Practice, Suspicious, and

Exploitable.

<custom_tagname>

Displays any custom tags if defined for the audit project. These are

displayed below the primary tag.

If the audit results were submitted to OpenText™ Fortify Audit Assistant

in Fortify Software Security Center, then in addition to any other custom

tags, the tab displays the following tags:

l

AA_Prediction—Exploitability level that Fortify Audit Assistant

assigned to the issue. You cannot modify this tag value.

l

AA_Confidence—Confidence level from Fortify Audit Assistant for

the accuracy of its AA_Prediction value. You cannot modify this tag

value.

l

AA_Training—Whether to include or exclude the issue from Fortify

Audit Assistant training. You can modify this value.

For more information about Fortify Audit Assistant, see the OpenText™

Fortify Software Security Center User Guide.

Suppresses the issue.

Suppress

Unsuppresses the issue (only visible if the issue is suppressed).

Suppressed issues are hidden by default. To display suppressed issues,

select Options > Show Suppressed Issues.

Unsuppress

OpenText™ Fortify Audit Workbench (24.2.0)

Page 53 of 152

User Guide

Chapter 4: Viewing Analysis Results

Element

File Bug

Description

Provides access to a supported bug tracker.

Comment

Appends additional information about the issue to the comment box.

Rule Information

Shows information, such as the category and kingdom that describes the

issue.

More Information

Recommendations

Opens the Details tab (see "Details Tab" below).

Opens the Recommendations tab (see "Recommendations Tab" on the

next page).

Show merge conflicts

Shows merge conflicts in the Comments box that might exist after a

merge of audit projects. This check box is available only if merge

conflicts exist.

Details Tab

The Details tab provides an abstract of the issue, a detailed explanation, and examples. The following

table describes the tab sections.

Section

Description

Abstract/Custom

Abstract

Summary of the issue, including any custom abstracts defined by your

organization.

Explanation/Custom

Explanation

Description of the conditions in which this type of issue occurs. This

includes a discussion of the vulnerability, the constructs typically

associated with it, how an attacker can exploit it, and the potential

consequences of an attack. This section also includes any custom

explanations defined by your organization.

Instance ID

Unique identifier for the issue.

Priority Metadata

Values

Priority metadata values for this issue including impact and likelihood.

Legacy Priority

Metadata Values

Legacy priority metadata values for the issue including severity and

confidence.

Note: For more information about metadata values, see "Estimating Impact and Likelihood with

Input from Rules and Analysis" on page 142.

OpenText™ Fortify Audit Workbench (24.2.0)

Page 54 of 152

User Guide

Chapter 4: Viewing Analysis Results

WebInspect Agent Details Tab

The WebInspect Agent Details tab displays information about runtime issues that OpenText™

Fortify WebInspect Agent discovered. The following table describes the tab sections.

Section

Description

Request

Shows the path of the request, the referrer address, and the method.

Stack Trace

Shows the order of methods called during execution and line number information.

Blue, clickable code links are only displayed for Fortify Static Code Analyzer-

scanned code.

Recommendations Tab

The Recommendations tab displays suggestions and examples of how to secure the vulnerability or

remedy the bad practice. The following table describes the tab sections.

Section

Description

Recommendations/Custom

Recommendations

Describes possible solutions for the selected issue. It can also

include examples and recommendations defined by your

organization.

Tips/Custom Tips

Provides useful information specific to the selected issue, and any

custom tips defined by your organization.

References/Custom

References

Lists references for the recommendations provided, including any

custom references defined by your organization.

History Tab

The History tab displays a complete list of audit actions, including details such as the time and date,

and the name of the user who modified the issue.

Diagram Tab

The Diagram tab displays a graphical representation of the node execution order, call depth, and

expression type of the issue selected in the Issues view. This tab displays information that is relevant

to the rule type. The vertical axis represents the execution order.

OpenText™ Fortify Audit Workbench (24.2.0)

Page 55 of 152

User Guide

Chapter 4: Viewing Analysis Results

For dataflow issues, the trace starts with the first function to call the taint source, then traces the calls

to the source (blue node) and ends the trace at the sink (red node). In the diagram, the source (src)

and sink nodes are also labeled. A red X on a vertical axis indicates that the called function finished

executing.

The horizontal axis shows the call depth. A line shows the direction that control is passed. If control

passes with tainted data through a variable, then the line is red. If control passes without tainted data,

the line is black.

The icons used for the expression type of each node in the diagram are the same icons used in the

Analysis Trace view. For a description of the icons, see "Analysis Trace View" on page 50.

Filters Tab

The Filters tab displays all the filters in the selected filter set.

OpenText™ Fortify Audit Workbench (24.2.0)

Page 56 of 152

User Guide

Chapter 4: Viewing Analysis Results

The following table describes the options to create new filters.

Option

Description

Filters

Displays a list of the visibility and folder filters configured in the selected filter set

where:

l

Visibility filters show or hide issues

l

Folder filters sort the issues into the folder tabs in the Issues view

Right-click a filter to show issues that match the filter or to enable, disable, copy, or

delete it.

If

Displays conditions for the selected filter.

The first list displays issue attributes, the second specifies how to match the attribute,

and third is the value the filter matches.

Note: This option is only visible when you create a new filter or edit an existing

filter. In this case, a dialog box displays the If section.

Then

Indicates the filter type, where Hide Issue is a visibility filter and Set Folder to is a

folder filter.

Note: This option is only visible when you create a new filter or edit an existing

filter. In this case, a dialog box displays the Then section.

Warnings Tab

The Warnings tab lists any warnings that occurred during the analysis.

OpenText™ Fortify Audit Workbench (24.2.0)

Page 57 of 152

User Guide

Chapter 4: Viewing Analysis Results

A common source of warnings are missing references. To resolve this type of warning, make sure that

the reference files are either within the project directory structure or in a location known to Fortify

Static Code Analyzer. The scan can also issue a warning if a class has no functional content. In this

case, the warning is not an issue because an empty class has no impact on a scan.

The following table describes the Warnings tab options.

Task

Procedure

l

See the complete message that is

truncated on the tab.

Double-click the message.

l

Copy a warning message to the

clipboard.

Right-click a message, and then select Copy.

Save a warning message to a file.

1. Right-click a message, and then select Export Entry.

2. Type a name for the file, and then click Save.

The file includes the audit project name, FPR file location, the

warning code, and the warning message.

Save all the warning messages to

a file.

1.

Click Export Warnings

.

2. Type a name for the file, and then click Save.

The file includes the project name, FPR file location, the

warning codes, and the warning messages.

Search the warning message

Type the search text in the filter text box.

OpenText™ Fortify Audit Workbench (24.2.0)

Page 58 of 152

User Guide

Chapter 4: Viewing Analysis Results

Task

Procedure

Modify the text message at the

top of the tab.

1.

Edit the <fortify_working_

dir>/config/tools/warnings-view.propertiesfile

where <fortify_working_dir>is:

l

Windows:

C:\Users\<username>\AppData\Local\Fortify

l

Non-Windows: <userhome>/.fortify

2.

Edit the text following message=to the text you want to

display in the Warnings tab.

Close and reopen the Warnings tab to see the updated text.

Functions View

The Functions view in the top right shows how and where a function occurs in the source code,

whether a security rule covers the function, and which rule IDs match the function. The Functions

view can also list the functions that Fortify Static Code Analyzer identified as tainted source, and the

functions that were not covered by rules in the last scan. For detailed information about the

Functions view, see "Using the Functions View" on page 129.

Customizing the Issues View

You can customize the Issues view to determine which issues it displays.

To change the Issues view:

1. Select Options > Options.

2. In the left pane, select Audit Configuration.

3. To change your preferences on the Appearance tab, select or clear the check boxes described in

the following table.

Preference

Description

Show Suppressed Issues

Show Removed Issues

Displays all suppressed issues (off by default).

Displays all issues detected in the previous scan, but are no

longer evident in the new Issues view. When multiple scans are

run on a project over time, vulnerabilities are often remediated or

become obsolete. Fortify Static Code Analyzer marks these

vulnerabilities as Removed Issues.

OpenText™ Fortify Audit Workbench (24.2.0)

Page 59 of 152

User Guide

Chapter 4: Viewing Analysis Results

Preference

Description

Show Hidden Issues

Collapse Issues

Displays all hidden issues.

Shows similar issues based on certain attributes under a shared

parent node in the Issues view.

Use Short File Names

Show Category of Issue

References the issues in the Issues view by file name only,

instead of by relative path.

Displays the category of an issue in the Issues view and the

Audit tab.

Show Only My Issues

Displays only issues assigned to you.

Displays the All folder aligned on the right.

Displays the name text in the folder tabs.

Right justify ‘All’ Folder

Display Name in Folder

Tabs

Show Abstract

Displays the abstract text in the Audit tab.

Displays comments in the Audit tab.

Show Comments

Show ‘All’ Folder in Project Displays another bar in the chart on the Summary tab in the

Summary Graph

Include Comments

Parent Fill Opacity

Project Summary view.

Displays the history items for comments on the History tab.

Controls the opacity of the parent tile in Smart View. The setting

ranges from 0% opaque on the left to 100% opaque on the right.

Note: To restore the default settings at any time, click Reset Interface.

4. To save your preferences, click OK.

OpenText™ Fortify Audit Workbench (24.2.0)

Page 60 of 152

User Guide

Chapter 4: Viewing Analysis Results

Searching for Issues

You can use the search box below the issues list to search for issues. After you perform a search, the

label next to the folder name changes to indicate the number of issues that match the search as a

subset of the total.

To perform a simple search, do one of the following:

l

Type a search query in the search box and press Enter.

l

To select a search query that you used before, click the arrow in the search box, and then select a

search query from the list.

To get assistance with composing a search query, do the following:

1. Click in the search box, and then press Ctrl + Space.

2. From the displayed list, double-click a search modifier to begin your search query.

3. For assistance to specify the comparison, with your cursor placed after the modifier in the search

box, press Ctrl + Space.

4. From the displayed list, double-click a comparison to add it to your search query.

5. Type the rest of the search query, and then press Enter to perform the search.

OpenText™ Fortify Audit Workbench (24.2.0)

Page 61 of 152

User Guide

Chapter 4: Viewing Analysis Results

The Issues view lists all the issues that match your search string.

Creating complex search strings can involve several steps. If you type an invalid search query, the

magnifying glass icon in the search box changes to a warning icon to notify you of the error. Click the

warning sign to view information about the search query error.

The advanced search feature makes it easier to build complex search strings. For a description of this

feature and instructions on how to use it, see "Performing Advanced Searches" on page 70.

See Also

"Search Syntax" below

"Search Modifiers" on the next page

"Search Query Examples" on page 70

"Performing Advanced Searches" on page 70

Search Syntax

To indicate the type of comparison to perform, wrap search terms with delimiters. The following table

describes the syntax to use for a search query.

Comparison

contains

equals

Description

Searches for a term without any special qualifying delimiters

Searches for an exact match when the term is wrapped in quotation marks ("")

regex

Searches for values that match a Java-style regular expression delimited by a

forward slash (/)

Example: /eas.+?/

number range Searches for a range of numbers using the standard mathematical interval

notation of parentheses and/or brackets to indicate whether the endpoints are

excluded or included, respectively

Example: (2,4]indicates greater than two and less than or equal to four

not equal

Excludes issues specified by the string when you precede the string with the

exclamation character (!)

Example: file:!Main.javareturns all issues that are not in Main.java

You can further qualify search terms with modifiers. The syntax for using a modifier is

<modifier>:<search_term>.

A search query can contain multiple modifiers and search terms. If you specify more than one

modifier, the search returns only issues that match all the modified search terms. For example,

OpenText™ Fortify Audit Workbench (24.2.0)

Page 62 of 152

User Guide

Chapter 4: Viewing Analysis Results

file:ApplicationContext.java category:SQL Injectionreturns only SQL injection issues

found in ApplicationContext.java.

If you use the same modifier more than once in a search query, then the search terms qualified by

those modifiers are treated as an ORcomparison. For example, file:ApplicationContext.java

category:SQL Injection category:Cross-Site Scriptingreturns SQL injection issues and

cross-site scripting issues found in ApplicationContext.java.

For complex searches, you can also insert the AND or the OR keyword between your search queries.

Note that AND and OR operations have the same priority in searches.

See Also

"Search Modifiers" below

"Search Query Examples" on page 70

"Searching for Issues" on page 61

"Performing Advanced Searches" on page 70

Search Modifiers

You can use a search modifier to specify to which issue attribute the search term applies. To use a

modifier that contains a space in the name, such as the name of the custom tag, you must enclose the

modifier in brackets. For example, to search for issues that are new, type [issue age]:new.

A search that is not qualified by a modifier matches the search query based on the following

attributes: kingdom, primary rule id, analyzer, filename, severity, class name, function name, instance

id, package, confidence, type, subtype, taint flags, category, sink, and source.

The following examples describe using the search with and without applying a search modifier:

l

To apply the search to all modifiers, type a string such as control flow. This searches all the

modifiers and returns any results that contain the "control flow" string.

l

To apply the search to a specific modifier, type the modifier name and the string as follows:

analyzer:control flow. This returns all results detected by the Control Flow Analyzer.

The following table describes the search modifiers. A few modifiers have a shortened modifier name

indicated in parentheses. You can use either modifier string.

Search Modifier

(Issue Attribute)

Description

Searches for issues based on the accuracy value specified (0.1

through 5.0).

accuracy

Searches for issues that have the specified audit analysis value

analysis

such as exploitable, not an issue, and so on.

OpenText™ Fortify Audit Workbench (24.2.0)

Page 63 of 152

User Guide

Chapter 4: Viewing Analysis Results

Search Modifier

(Issue Attribute)

Description

[analysis type]

Searches for issues based on the analyzer product such as SCA

and WEBINSPECT.

analyzer

Searches the issues for the specified analyzer such as control

flow, data flow, structural, and so on.

Searches for issues based on whether Application Defender

[app defender protected]

(def)

can protect the vulnerability category (protectedor not

protected).

Searches for issues that contain the search term in the part of

the request that caused the vulnerability for penetration test

results.

[attack payload]

Searches for issues based on the type of penetration test

attack conducted (URL, parameter, header, or cookie).

[attack type]

audience

Searches for issues based on intended audience such as dev,

targeted, medium, broad, and so on.

Note: This metadata is legacy information that is no longer

used and will be removed in a future release. Fortify

recommends that you do not use this search modifier.

audited

body

Searches the issues to find trueif the primary tag is set and

falseif the primary tag is not set. The default primary tag is

the Analysis tag.

Searches for issues that contain the search term in the HTTP

message body in penetration test results, which is all the data

that is transmitted immediately following the headers.

Searches for issues that contain the search term in the

information for the filed bug.

bug

Note: This information is discarded each time you restart

Fortify Audit Workbench.

Searches for the specified category or category substring.

category(cat)

OpenText™ Fortify Audit Workbench (24.2.0)

Page 64 of 152

User Guide

Chapter 4: Viewing Analysis Results

Search Modifier

(Issue Attribute)

Description

Searches for issues based on the specified class name.

class

Searches for the specified string within the few lines of code

that are stored for each vulnerability by default. If code

snippets were excluded from the scan results during the

analysis, then the search will not return any results.

codesnippet

Searches for issues that contain the search term in the

comments added to the issue.

comments

(comment, com)

Searches for issues with comments from a specified user.

commentuser

Searches for issues that have the specified confidence value

0.1 through 5.0 (legacy metadata).

confidence(con)

Searches for issues that contain the search term in the cookie

from the HTTP query for penetration test results.

cookies

Searches for issues based on whether the issues are correlated

with another analyzer.

correlated

Searches for issues based on whether the issues are in the

same correlation group.

[correlation group]

<custom_tagname>

Searches for issues based on the value of the specified custom

tag.

You can search a list-type custom tag using a range of values.

The values of a list-type custom tag are an enumerated list

where the first value is 0, the second is 1, and so on. You can

use the search syntax for a range of numbers to search for

ranges of list-type custom tag values. For example, analysis:

[0,2]returns the issues that have the values of the first three

analysis values, 0, 1, and 2 (Not an Issue, Reliability Issue, and

Bad Practice).

To search for a specific date in a date-type custom tag, specify

the date in the format: yyyy-mm-dd.

To search for issues that have no value set for a custom tag,

use <none>for the search term. For example, to search for all

issues that have no value set in the custom tag labeled Target

OpenText™ Fortify Audit Workbench (24.2.0)

Page 65 of 152

User Guide

Chapter 4: Viewing Analysis Results

Search Modifier

(Issue Attribute)

Description

Date, type: [Target Date]:<none>.

Searches for issues that have the specified dynamic hot spot

ranking value.

dynamic

Searches for issues based on the original priority value

determined by the engine that identified the issue.

engine priority

file

Searches for issues where the primary location or sink node

function call occurs in the specified file path.

filetype

Searches for issues based on the file type such as asp, csharp,

java, jsp, xml, and so on.

Searches for issues that have a priority level that matches the

[fortify priority order]

specified issue priority. Valid values are critical, high,

medium, and low.

Searches for issues that contain the search term in the request

header for penetration test results.

headers

Searches for issues that have audit data modified by the

specified user.

historyuser

[http version]

impact

Searches for issues based on the specified HTTP version such

as HTTP/1.1.

Searches for issues based on the impact value specified (0.1

through 5.0).

Searches for an issue based on the specified instance ID.

[instance id]

[issue age]

Searches for the issue age, which is new, updated,

reintroduced, or removed.

Searches for audited issues based on whether the issue is an

open issue or not an issue (determined by the level of analysis

set for the primary tag).

[issue state]

Searches for all issues in the specified kingdom.

kingdom

Searches for issues based on the specified likelihood value (0.1

likelihood

OpenText™ Fortify Audit Workbench (24.2.0)

Page 66 of 152

User Guide

Chapter 4: Viewing Analysis Results

Search Modifier

(Issue Attribute)

Description

through 5.0).

Searches for issues on the primary location line number. For

dataflow issues, the value is the sink line number. See also

"sourceline" on page 69.

line

Searches for issues that were manually created by penetration

test tools, and not automatically produced by a web crawler

such as OpenText™ Fortify WebInspect.

manual

Searches for issues based on the specified category that is

mapped across the various analyzers (Fortify Static Code

Analyzer, Fortify WebInspect, and Fortify WebInspect Agent).

[mapped category]

Searches for all issues that have a confidence value equal to or

less than the number specified as the search term.

maxconf

Searches for dataflow issues that have a virtual call confidence

value equal to or less than the number specified as the search

term.

maxVirtConf

Searches for issues based on the value of the specified

<metadata_listname>

metadata external list. Metadata external lists include [owasp

top ten <year>], [cwe top 25 <version>],

[pci ssf <version>], [stig <version>], and others.

method

Searches for issues based on the method, such as GET, POST,

DELETE, and so on.

Searches for all issues that have a confidence value equal to or

greater than the number specified as the search term.

minconf

Searches for dataflow issues that have a virtual call confidence

value equal to or greater than the number specified as the

search term.

min_virtual_call_

confidence

(virtconf, minVirtConf)

Searches for issues where the primary location occurs in the

specified package or namespace. For dataflow issues, the

primary location is the sink function.

package

Searches for issues that contain the search term in the HTTP

parameters

OpenText™ Fortify Audit Workbench (24.2.0)

Page 67 of 152

User Guide

Chapter 4: Viewing Analysis Results

Search Modifier

(Issue Attribute)

Description

query parameters.

Searches for issues that have the specified primary tag value.

By default, the primary tag is the Analysis tag.

primary

Searches for issues where the primary location or sink node

function call occurs in the specified code context. See also

"sink" below and "[source context]" below.

[primary context]

Searches for all issues related to the specified sink rule.

primaryrule(rule)

Searches for issues based on the probability value specified

(1.0 through 5.0).

probability

Searches for issues based on the remediation effort value

specified. The valid values are whole numbers from 1.0 to 12.0.

[remediation effort]

This attribute is not currently used.

[request id]

response

Searches for issues that contain the search term in the

response from the protocol used in penetration test results.

Searches for all issues reported by the specified rule IDs used

to generate the issue source, sink and all passthroughs.

ruleid

This attribute is not currently used.

[secondary requests]

Searches for issues based on the specified severity value

(legacy metadata).

severity(sev)

Searches for issues where the primary location or sink node

function call occurs in file names that contain the specified

search term, but not anywhere in its full path. For full path

matches, use the modifier "file" on page 66.

shortfilename

Searches for issues that have the specified sink function name.

Creating a Filter from the Issues View

When a folder list includes an issue that you want to hide or direct to another folder, you can create a

new filter using the filter wizard. The wizard displays all the attributes that match the conditions in

the filter.

Note: To find the filter that directed the issue to the folder, right-click the issue, and then select

Why is this issue here? To find the filter that hid an issue, right-click the issue, and then select

Why is this issue hidden?

To create a new filter from an issue:

1. In the Issues view, select a filter set from the Filter Set list.

2. Right-click an issue, and then select Create Filter.

The Create Filter dialog box lists suggested conditions.

3. To see all the conditions, select the Show all conditions check box.

4. Select the conditions you want to use in the filter.

You can fine tune the filter later by modifying it on the Filter tab.

5. Select the type of filter you want to create, as follows:

l

To create a visibility filter, select Hide Issue.

l

To create a folder filter, select Set Folder to, and then select the folder name or select Other

Folder to add an existing folder or create a new one.

A new folder is displayed in this filter set only.

6. Click Create Filter.

The wizard places the new filter at the end of the filter list. For folder filters, this gives the new

filter the highest priority. Issues that match the new folder filter appear in the targeted folder.

7. (Optional) For folder filters, drag the filter higher in the folder filter list to change the priority.

The issues are sorted with the new filter.

Note: The filter is only created in the selected filter set.

OpenText™ Fortify Audit Workbench (24.2.0)

Page 84 of 152

User Guide

Chapter 4: Viewing Analysis Results

Creating a Filter from the Issue Auditing View

Use the Filters tab in the Issue Auditing view to create visibility filters and folder filters.

Folder filters are applied in order and the issue is directed to the last folder filter it matches in the list.

To create a new filter on the Filters tab:

1. From the Filter Set list, select a filter set.

2. Select the Filters tab in the Issue Auditing view.

3. Right-click Visibility Filters or Folder Filters, and then select Create New Filter.

The Create Filter dialog box opens.

4. From the first list, select an issue attribute.

OpenText™ Fortify Audit Workbench (24.2.0)

Page 85 of 152

User Guide

Chapter 4: Viewing Analysis Results

For a description of the available issue attributes, see "Search Modifiers" on page 63. The second

list is then automatically populated with the available comparison methods.

5. From the second list, select how to match the value.

The third list contains the possible values for the attribute.

6. Select a value or specify a range as instructed in the If line.

7. Set Then to one of the following options:

l

To create a visibility filter, select Hide Issue.

l

To create a folder filter, select Set Folder to, and then select the folder name or select Other

Folder to add a folder from another filter set or create a new folder.

8. Click Save.

The new filter is displayed at the end of the list. For folder filters, this gives the new filter the

highest priority. Issues that match the new folder filter appear in the targeted folder.

9. (Optional) For folder filters, drag the filter higher in the folder filter list to change the priority.

The issues are sorted with the new filter.

Note: The filter is only created in the selected filter set.

Copying a Filter from One Filter Set to Another

Filter settings are local to a filter set. However, you can copy the filter to another filter set in the audit

project. If you copy a folder filter to another set and that folder is not already active in the set, the

folder is automatically added.

To copy a filter:

1. In the Issues view, select a filter set from the Filter Set list.

2. Select the Filters tab in the Issue Auditing view.

3. Right-click a filter, and then select Copy Filter To.

The Select a Filter Set dialog box opens with a list of all the filter sets.

4. Select a filter set, and then click OK.

The filter is added to the filter set in the last position.

5. (Optional) For folder filters, you can adjust the order of the filter list by dragging and dropping

the filter to a different location in the list.

Setting the Default Filter Set

To specify the default filter set used to view scan findings:

1. In the Issues view, click the Filter Set list, and then select Edit.

The Project Configuration dialog box opens to the Filter Sets tab.

OpenText™ Fortify Audit Workbench (24.2.0)

Page 86 of 152

User Guide

Chapter 4: Viewing Analysis Results

2. In the Filter Sets list, select the filter set you want to use as the default for the issue template.

3. Select the Default filter set check box, and then click OK.

Managing Folders

Folders are logical sets of issues that are defined by the filters in the active filter set. Even though a

folder can appear in more than one filter set, the contents might differ depending on the filters in that

filter set that target the folder. To accommodate filter sets that provide sorting mechanisms with little

overlap, you can have filter sets with different folders. Folders are defined independent of the filter

sets they may appear in. For example, a filter set might place low priority issues into a red folder that

is labeled "Hot."

Creating a Folder

You can create a new folder so that you can display a group of issues you have filtered to the folder.

Folders must have unique names.

Note: If this functionality is restricted to administrator users, and you are not an administrator,

you cannot create folders.

To create a new folder:

1. Select Tools > Project Configuration.

2. Select the Folders tab.

The Folders pane on the left lists the folders for the filter set selected in the Folder for Filter

Set list. Fields on the right show the name, color, and description of the selected folder.

OpenText™ Fortify Audit Workbench (24.2.0)

Page 87 of 152

User Guide

Chapter 4: Viewing Analysis Results

3. To associate the folder with an existing filter set, select the filter set from the Filter Set list.

Select (All Folders) to create a new folder in the issue template without associating it with a

specific filter set. You can associate the folder with an existing filter set later.

Note: Selecting a filter set updates the Folders list to display the folders that are associated

with the selected filter set.

4. To add a folder:

a.

Next to Folders, click Add Folder

.

The Add Folder dialog box opens.

Note: If you have created folders in other filter sets, the Add New Folder to Filter Set

dialog box opens. Click Create New.

b. Type a unique name for the new folder, and then select a folder color.

c. Click OK.

The folder is added to the bottom of the folder list.

5. In the Description box, type a description for the new folder.

6. To change the tab position of the folder on the Issues view, drag the folder up or down in the

Folders list.

The top position is on the left and the bottom position is on the right.

7. To put all issues that do not match a folder filter into this folder, select the Default Folder check

box.

8. Click OK.

OpenText™ Fortify Audit Workbench (24.2.0)

Page 88 of 152

User Guide

Chapter 4: Viewing Analysis Results

The folder is displayed as a tab with the other folders. If you selected default, all issues that do not

match a folder filter are displayed. The new folder is added to the issue template for the audit project.

Note: To display issues in this folder, create a folder filter that targets the new folder. For more

information, see "Creating a Filter from the Issues View" on page 84 and "Creating a Filter from

the Issue Auditing View" on page 85 .

Adding a Folder to a Filter Set

This section describes how to enable an existing folder in a filter set. Create a new folder that is only

included in the selected filter set using the instructions in "Creating a Folder" on page 87. To display

issues in this folder, create a folder filter that targets the new folder.

To add a folder to a filter set:

1. Select Tools > Project Configuration.

The Project Configuration dialog box opens.

2. Select the Folders tab.

3. Click the Filter Set list to select the filter set where you want to add a folder.

The Folders list displays the folders in the selected filter set.

4.

Next to Folders, click Add Folder

.

The Add New Folder to Filter Set dialog box opens.

Note: If the selected filter set already includes all existing folders, the Create Folder dialog

box opens and you can create a new folder for the selected filter set.

5. Select the folder to add to the selected filter set, and then click Select.

6. Click OK.

The folder is displayed as a tab along with the other folders.

Renaming a Folder

You can rename a folder. Modifying the name of a folder is a global change reflected in all filter sets.

To rename a folder:

1. Select Tools > Project Configuration.

2. Select the Folders tab.

3. In the Filter Set list, select (All Folders).

4. Select the folder in the Folders list.

The folder properties are displayed on the right.

5. Type the new name for the folder.

The folder name changes in the Folders list as you type.

6. Click OK.

OpenText™ Fortify Audit Workbench (24.2.0)

Page 89 of 152

User Guide

Chapter 4: Viewing Analysis Results

The new folder name is displayed on the tab.

Removing a Folder

You can remove a folder from a filter set without removing it from other filter sets.

To remove a folder:

1. Select Tools > Project Configuration.

2. Select the Folders tab.

3. Select a filter set from the Filter Set list.

The Folders list displays the folders in the selected filter set.

4.

Select the folder, and then next to Folders, click Delete Folder .

Note: The folder is removed only from the selected filter set.

If the folder is a target of a folder filter, the Conflicts Occurred Removing Folder dialog box opens.

Do one of the following:

a. To target the filter to a different folder, select a folder from the Retarget the filters list, and

then click Retarget Filters.

b. To delete the filter, click Delete Filters, and then click Yes to confirm the deletion.

5. Click OK to close the Project Configuration dialog box.

The folder is no longer displayed as a tab in the Issues view.

OpenText™ Fortify Audit Workbench (24.2.0)

Page 90 of 152

User Guide

Chapter 4: Viewing Analysis Results

Configuring Custom Tags for Auditing

To audit code in Fortify Software Security Center, the security team examines project analysis results

(FPR) and assigns values to custom tags associated with application version issues. The development

team can then use these tag values to determine which issues to address and in what order.

The Analysis tag is provided by default. The Analysis tag is a list-type tag and has the following valid

values: Not an Issue, Reliability Issue, Bad Practice, Suspicious, and Exploitable. You can modify the

Analysis tag attributes, change the tag values, or add new values based on your auditing needs.

To refine your auditing process, you can define your own custom tags. You can create the following

types of custom tags: list, decimal, string, and date. For example, you might create a list-type custom

tag to track the sign-off process for an issue. After a developer audits his own issues, a security expert

can review those same issues and mark each as “approved” or “not approved.”

You can also define custom tags from Fortify Software Security Center, either directly with issue

template uploads through Fortify Software Security Center, or from Fortify Audit Workbench through

issue templates in FPR files.

Note: Although you can add new custom tags from Fortify Audit Workbench as you audit a

project, if these custom tags are not defined in Fortify Software Security Center for the issue

template associated with the application version, then the new tags are lost if you upload the FPR

file to Fortify Software Security Center.

You can add the following attributes to your custom tags:

l

Extensible—This enables users to create a new value while auditing, even without the permission

to manage custom tags.

l

Restricted—This restricts who can set the tag value on an issue. Administrators, security leads, and

managers have permission to audit restricted tags.

l

Hidden (Fortify Software Security Center only)—Use this setting to hide a tag from an application

version or issue template.

After you define a custom tag, it is displayed below the Analysis tag, which enables you to specify

values as they relate to specific issues. Custom tags are also available in other areas of the interface,

such as in the Group By list to group issues in a folder, in the search field as a search modifier

(similarly available as a modifier for filters), and in the project summary graph as an attribute by

which to graphically sort issues.

Adding a Custom Tag

You can create custom tags to use in auditing results. Custom tags are project-wide and are saved as

part of an issue template.

OpenText™ Fortify Audit Workbench (24.2.0)

Page 91 of 152

User Guide

Chapter 4: Viewing Analysis Results

To add a custom tag:

1. Select Tools > Project Configuration.

2. Select the Custom Tags tab.

3.

Next to Tags, click Add Tag

.

Note: Any previously hidden tags are listed, and you can re-enable them. To create a new

tag, click Create New.

The Add New Tag dialog box opens.

4. In the Name box, type a name for the new tag.

Important! Make sure that the name you specify for a custom tag is not a database reserved

word.

5. From the Type list, select one of the following tag types:

l

List—Accepts selection from a list of values that you specify for the tag

l

Date—Accepts a calendar date

OpenText™ Fortify Audit Workbench (24.2.0)

Page 92 of 152

User Guide

Chapter 4: Viewing Analysis Results

l

Decimal—Accepts a number with a precision of up to 18 (up to 9 decimal places)

l

Text—Accepts a string with up to 500 characters (HTML/XML tags and newlines are not

allowed)

6. Click OK.

The Tags list now includes the new tag.

7. Configure any or all the following optional tag settings:

l

To allow users to add new values for a list-type tag in an audit, leave the Extensible check box

selected.

l

To allow only administrators, security leads, and managers to set this tag on an issue, select

the Restricted check box.

l

Type a description of the custom tag in the Description box.

l

For a list-type tag, from the Default Value list, select the default value for the tag.

If you do not specify a default value, the default is null.

8. To add a value for a list-type tag, do the following:

a. From the Tags list, select the tag name.

b.

Next to Values, click Add Value

.

c. In the Enter Value dialog box, type a value, and then click OK.

d. Type a description of the value in the Description box.

e. Repeat steps a through d for each additional value required for the new tag.

9. To make this custom tag the primary tag:

Note: You can only set a list-type tag as a primary tag.

a. Click Set Primary Tag.

b. Select the custom tag from the Primary Tag list, and then click OK.

The primary tag name is shown in bold in the Tags list. The primary tag determines the audit

status for each issue as well as the audit icon in the Issues view. By default, the primary tag is

Analysis.

The Audit tab in the Issue Auditing view now displays the new tag and its default value (if you

assigned one).

Hiding a Custom Tag

If you hide a custom tag, it is no longer available on the Audit tab in the Issue Auditing view or as a

search or filter option.

Note: If you hide a custom tag that was set for any issues, that tag and values are hidden from

the issue. If you make the tag available again, the tag and values are restored.

You cannot hide the primary tag.

OpenText™ Fortify Audit Workbench (24.2.0)

Page 93 of 152

User Guide

Chapter 4: Viewing Analysis Results

To hide a custom tag:

1. Select Tools > Project Configuration.

The Project Configuration dialog box opens.

2. Select the Custom Tags tab.

3. Select the tag from the Tags list.

4.

Next to Tags, click Hide Tag

.

This action hides the tag from your available custom tags. You can make this tag available again

when you add a custom tag (see "Adding a Custom Tag" on page 91).

5. Click OK.

If you hide a tag that has an associated filter, you are prompted to delete the filter.

Committing Custom Tags to Fortify Software Security Center

To commit custom tags to Fortify Software Security Center:

1. With an audit project open, select Tools > Project Configuration.

2. Select the Custom Tags tab.

3. Click Commit.

Note: Any list-type custom tags without values are not uploaded to Fortify Software Security

Center.

4. If prompted, type your Fortify Software Security Center credentials.

For information about logging into Fortify Software Security Center, see "Logging in to Fortify

Software Security Center" on page 22.

The Custom Tag Upload dialog box opens.

5. Do one of the following:

l

If the issue template and the application version already exist in Fortify Software Security

Center:

o

To upload the custom tags to the global pool and assign them to the application version,

click Yes.

o

To upload the custom tags to the global pool without assigning them to the application

version, click No.

o

To prevent uploading the custom tags to Fortify Software Security Center, click Cancel.

l

If the issue template does not exist in Fortify Software Security Center:

o

To upload the custom tags to the global pool only in Fortify Software Security Center, click

Yes.

o

To prevent uploading the custom tags to Fortify Software Security Center, click No.

OpenText™ Fortify Audit Workbench (24.2.0)

Page 94 of 152

User Guide

Chapter 4: Viewing Analysis Results

Synchronizing Custom Tags with Fortify Software Security Center

To synchronize custom tags for an audit project that has been uploaded to Fortify Software Security

Center.

1. Select Tools > Project Configuration.

2. Select the Custom Tags tab.

3. Select the custom tag.

4. Click Synchronize.

5. If required, type your Fortify Software Security Center credentials.

For information about logging into Fortify Software Security Center, see "Logging in to Fortify

Software Security Center" on page 22.

The Custom Tag Download dialog box opens.

6. If the application version and the issue template both exist in Fortify Software Security Center,

select either Application Version or Issue Template to specify from where to download the

custom tags.

7. To download custom tags from the issue template, click Yes.

Issue Template Sharing

After an issue template is associated with an audit project, all changes made to that template, such as

the addition of folders, custom tags, filter sets, or filters, apply to the audit project. The issue template

is stored in the FPR when the audit project is saved. For information about how to associate the issue

template with an audit project, see "Importing an Issue Template" on the next page. With issue

templates, you can use the same project settings for another project.

Exporting an Issue Template

Exporting an issue template creates a file that contains the filter sets, folders, and custom tags for the

current project. After you export an issue template, you can import it into another audit project file.

To export an issue template:

1. Select Tools > Project Configuration.

2. Select the Filter Sets tab.

3. Click Export.

The Select a Template File Location dialog box opens.

4. Browse to the location where you want to save the file.

5. Type a file name without an extension.

6. Click Save.

OpenText™ Fortify Audit Workbench (24.2.0)

Page 95 of 152

User Guide

Chapter 4: Viewing Analysis Results

Note: If any hidden custom tags exist in the template, you are prompted to indicate whether

to include them in the exported issue template. Hidden tags are created anytime you add a

custom tag and later delete it. Fortify Audit Workbench saves and hides deleted custom tags

so you can easily restore them later. If you do not want hidden tags included in the exported

issue template, click Ignore Tags.

The current template settings are saved to an XML file.

Importing an Issue Template

Importing an issue template overwrites the audit project configuration settings. The local filter sets

and custom tags are replaced with the filter sets and custom tags in the issue template.

To import an issue template:

1. Select Tools > Project Configuration.

2. Select the Filter Sets tab.

3. Click Import.

The Locate Template File dialog box opens.

4. Select the issue template file to import.

5. Click Open.

The filter sets, custom folders, and custom tags are updated.

Note: You can also click Reset to Default to return the settings to the default issue template.

Synchronizing Filter Sets and Folders

To download filter sets and folders configured from Fortify Software Security Center:

1. Select Tools > Project Configuration.

2. Select the Filter Sets tab.

3. Click Synchronize.

A message advises you that downloading filter sets and folders from Fortify Software Security

Center overwrites your local filter sets and folders.

4. To proceed with the synchronization, click Yes.

5. If required, provide your Fortify Software Security Center credentials, and then click OK.

OpenText™ Fortify Audit Workbench (24.2.0)

Page 96 of 152

User Guide

Chapter 4: Viewing Analysis Results

For information about logging into Fortify Software Security Center, see "Logging in to Fortify

Software Security Center" on page 22.

If the current issue template does not exist in Fortify Software Security Center, do the following:

a. In the Issue Template column, select an issue template name.

b. Click OK.

6. The Audit Workbench downloads the filter sets and folders from the selected issue template in

Fortify Software Security Center, and overwrites your current issue template.

Committing Filter Sets and Folders

If you want to upload filter sets and folders to an issue template in Fortify Software Security Center,

do the following:

1. Select Tools > Project Configuration.

2. Select the Filter Sets tab.

3. Select the filter set from the list.

4. Click Commit.

5. If required, provide your Fortify Software Security Center credentials.

For information about logging into Fortify Software Security Center, see "Logging in to Fortify

Software Security Center" on page 22.

The Update Existing Issue Template or Add Issue Template dialog box opens, depending on

whether the issue template already exists in Fortify Software Security Center.

OpenText™ Fortify Audit Workbench (24.2.0)

Page 97 of 152

User Guide

Chapter 4: Viewing Analysis Results

6. Do one of the following:

a. To upload filter sets and folders to the issue template, click Yes.

b. To add the issue template that contains the current set of custom tags to Fortify Software

Security Center, click Yes.

Advanced Configuration

This section contains the following topics:

l

"Integrating with a Bug Tracker Application" below

l

"Public APIs" on the next page

l

"Penetration Test Schema" on the next page

Integrating with a Bug Tracker Application

Audit Workbench provides a plugin interface to integrate with bug tracker applications. This enables

you to file bugs directly from Audit Workbench. For a list of supported bug tracker applications, see

the Fortify Software System Requirements document.

To select the plugin to use:

1. Open an audit project.

2. Select Tools > Select Bug Tracker.

3. Select a bug tracker from the list, and then click OK.

For bug tracker plugin components selected in the Fortify Applications and Tools installation, sample

source code is available in <tools_install_

dir>/Samples/bugtrackers/BugTrackerPlugin<bug_tracker_app>, where <bug_tracker_

app> is the name of the bug tracker application. To write your own plugin, see the instructions in the

READMEtext file, which is in each bug tracker directory. A JavaDoc includes API information in

<tools_install_dir>/Samples/advanced/JavaDoc/public-api/index.html.

Configuring Proxy Settings for Bug Tracker Integration

If the bug tracker you use requires a proxy connection, specify the proxy settings. When you submit

an issue as a bug, select the Use proxy check box. Fortify Audit Workbench provides the proxy

settings to the bug tracker plugin.

To configure proxy settings for bug tracker integration:

1. Select Options > Options.

2. In the left pane, select Bugtracker Proxy Configuration.

OpenText™ Fortify Audit Workbench (24.2.0)

Page 98 of 152

User Guide

Chapter 4: Viewing Analysis Results

3. Under HTTP Proxy, specify the proxy server, port number, and optionally credentials for proxy

authentication.

4. If the connection uses HTTPS requests, then provide the proxy settings under HTTPS Proxy.

5. Click OK to save your changes.

Public APIs

Fortify publishes public APIs so that you can create custom parsers for pentest tools and services

that are not included in the default distribution. The APIs are in (fortify-public-*.jar), and you

can use them to compile your custom parser.

Penetration Test Schema

Fortify also provides a generic penetration test schema (pentestimport.xsd) that you can view in

<tools_install_dir>/Core/config/schemas. This provides another option for importing

additional pentest results. Instead of creating a custom parser for your tool or service, you can

translate the results into the Fortify generic format (using XSLT or a similar technology). You can

then open or merge these translated results automatically. See "Penetration Test Results" on

page 112 for more information.

OpenText™ Fortify Audit Workbench (24.2.0)

Page 99 of 152

Chapter 5: Auditing Analysis Results

When Fortify Static Code Analyzer scans application source code, its discoveries are presented as

potential vulnerabilities rather than actual vulnerabilities. Every application is unique, and all

functionality runs within a context that the development team understands best. No technology can

fully determine whether a suspect behavior is considered a vulnerability without direct developer

confirmation.

For example, Fortify Static Code Analyzer might discover that a web page designed to display data to

the user (for example, a financial transaction record page) appears to allow any authenticated user to

request any data with no check of viewing permission. Whether or not this behavior is considered a

vulnerability depends entirely on the intended design of the application. If the application is supposed

to allow any user to see all data, then the auditor can mark the discovery as a non-issue; otherwise,

the auditor can mark the issue as a vulnerability for the team to address.

Note: If your Fortify license restricts auditing, then you can view the analysis results, but you

cannot audit issues or make any changes to the audit project.

The topics in this section provide information about how to audit analysis results opened in Fortify

Audit Workbench.

This section contains the following topics:

Working with Audit Projects

Submitting an Issue as a Bug

Correlation Justification

Penetration Test Results

Working with Audit Projects

After you scan a project, you can audit the analysis results. You can also audit the results of a

collaborative audit from Fortify Software Security Center.

Opening an Audit Project

To open an audit project:

1. Start Fortify Audit Workbench.

2. Select File > Open Project.

The Select Audit Project dialog box opens.

3. Browse to and select the FPR file, and then click Open.

OpenText™ Fortify Audit Workbench (24.2.0)

Page 100 of 152

User Guide

Chapter 5: Auditing Analysis Results

Opening Audit Projects Without the Default Filter Set

If you open an audit project that does not contain the filter set specified as the default filter set for

new projects (by default, this is the Quick View filter set), a message is displayed to inform you that

the filter set is not available in the audit project’s issue template.

The default filter set from the template is loaded at startup, regardless of the setting. This would also

happen, for example, with any FPR files downloaded from OpenText™ Fortify on Demand.

To resolve this, do one of the following:

l

To apply the default filter set from the current issue template, click Cancel.

l

To update the issue template for the project, click Update Issue Template.

After you select Update Issue Template, some filter sets that were available before the update, for

example Developer View and Critical Exposure, are no longer available.

A warning is displayed to let you know that you cannot undo the update.

l

To ensure that the default filter set for the project is never overridden, click Never Override

Default Filter Set.

Performing a Collaborative Audit

You can audit a project in Fortify Software Security Center collaboratively with other Fortify Software

Security Center users. You can open an application version in Fortify Software Security Center, apply

your audit evaluation, and then upload the audit project back to Fortify Software Security Center.

To start a collaborative audit:

1. Start Fortify Audit Workbench.

If you already have an audit project open, close it.

2. Under Collaborative Applications, click Sign In.

3. Type your Fortify Software Security Center logon credentials.

For information about logging into Fortify Software Security Center, see "Logging in to Fortify

Software Security Center" on page 22.

Fortify Audit Workbench displays a list of applications that you have permission to access.

OpenText™ Fortify Audit Workbench (24.2.0)

Page 101 of 152

User Guide

Chapter 5: Auditing Analysis Results

4. Select an application version to audit.

To quickly find an application version, type the name or partial name of an application in the

Search box. The search is case-insensitive. To clear the search results, clear the Search box.

If necessary, click Refresh to update the list of applications in Fortify Software Security Center.

The audit project file is downloaded from Fortify Software Security Center and opened in Fortify

Audit Workbench.

5. Audit the project as described in "Evaluating Issues" on page 104.

6. When you have completed the audit, select Tools > Upload Audit Project.

Note: If necessary, you can refresh your Fortify Software Security Center audit permission

settings. See "Refreshing Permissions from Fortify Software Security Center" below.

Refreshing Permissions from Fortify Software Security Center

The Fortify Software Security Center administrator assigns roles to users that determine the actions

they can perform in Fortify Software Security Center. When you work on a collaborative audit and the

administrator changes your auditing permissions, you might need to refresh the permissions in Audit

Workbench.

To refresh your permissions from Fortify Software Security Center:

1. Select Options > Options.

2. In the left pane, select Server Configuration.

3. Click Refresh Permissions for the Current Audit.

4. Click OK.

Merging Audit Data

Audit data includes the custom tags and comments that were added to an issue. You can merge the

audit data for your project with audit data from another results file. Comments are merged into a

chronological list and custom tag values are updated. If custom tag values conflict (if the same tag is

set to different values for a given issue), Fortify Audit Workbench prompts you to resolve the conflict.

Note: Issues are not merged. Merged results include only the issues found in the latest scan.

Issues uncovered in the older scan that were not uncovered in the latest scan are marked as

Removed and are hidden by default.

Make sure that the projects you merge contain the same analysis information. That is, make sure that

the scans were performed on the same source code (no missing libraries or files), the Fortify Static

Code Analyzer settings were the same, and the scan was performed using the same security content.

OpenText™ Fortify Audit Workbench (24.2.0)

Page 102 of 152

User Guide

Chapter 5: Auditing Analysis Results

To merge projects:

1. Open a project in Fortify Audit Workbench.

2. Select Tools > Merge Audit Projects.

3. Select an audit project (FPR file), and then click Open.

The Progress Information dialog box opens. When complete, the Merge dialog box opens.

Note: After you select an FPR, Fortify Audit Workbench might prompt you to choose

between the issue template in the current FPR and the issue template in the FPR you are

merging in.

4. Click Yes to confirm the number of issues added or removed from the file.

Note: If the scan is identical, no issues are added or removed.

The project now contains all audit data from both result files.

Merging Audit Data Using the Command-Line Utility

You can also use the FPRUtility command-line utility to merge audit data. This utility enables you to

merge an audited project, verify the signature of the FPR, or display analysis results information from

and FPR. For more information about how to use this utility, see the OpenText™ Fortify Static Code

Analyzer Applications and Tools Guide.

Additional Metadata

Each issue in Audit Workbench contains additional metadata that is not produced by the Fortify

internal analyzers. Examples include alternative categories (for example, OWASP, CWE, WASC), and

prioritization values that are used in the default filters (for example, impact, accuracy, probability).

You can view the metadata attributes through the standard grouping and search mechanisms.

If you open an older FPR that does not contain metadata values, the metadata values for the issues

are retrieved from legacy mapping files. These legacy mapping files exist in the <tools_install_

dir>/Core/Config/LegacyMappingsdirectory, and are indexed by either issue category, or issue

category and analyzer. The legacy mapping files are accessed as needed, so each issue in your project

must always have metadata values, whether those values come from the FPR, the legacy mapping

files, or a combination of the two.

Uploading Audit Results to Fortify Software Security Center

When you work on a collaborative audit and you download the audit project from Fortify Software

Security Center, Audit Workbench retains the application version for the audit project. If you want to

upload the audit project to a different application version, you need to disconnect the audit project

from Fortify Software Security Center before you upload the results. To disconnect the current audit

project from Fortify Software Security Center, select Options > Options, click Server Configuration,

and then click Disconnect the Current Audit.

OpenText™ Fortify Audit Workbench (24.2.0)

Page 103 of 152

User Guide

Chapter 5: Auditing Analysis Results

Note: If you created any custom tags or filter sets for your project's issue template, you must first

commit them to Fortify Software Security Center before you upload the project so that

information is also uploaded. See "Committing Custom Tags to Fortify Software Security Center"

on page 94 and "Committing Filter Sets and Folders" on page 97 for more information.

Note: By default, Fortify Software Security Center does not allow you to upload scans performed

in quick scan mode. However, you can configure your Fortify Software Security Center application

version so that uploaded audit projects scanned in quick scan mode are processed. For more

information, see analysis results processing rules in the OpenText™ Fortify Software Security

Center User Guide.

To upload results to Fortify Software Security Center:

1. Select Tools > Upload Audit Project.

2. If prompted, type your Fortify Software Security Center credentials.

For information about logging into Fortify Software Security Center, see "Logging in to Fortify

Software Security Center" on page 22.

3. If the audit project is not already associated with an application version, select an application

version, and then click OK.

Note: If you see a message that the application version is not committed or does not exist,

this indicates that you opened an audit project that was previously associated with an

application version that does not exist in Fortify Software Security Center to which Fortify

Audit Workbench is currently connected. Disconnect the audit project from Fortify Software

Security Center as described previously in this section.

A message notifies you when the upload is complete.

4. Click OK.

Updates you made to issues including comments and tag values (for tags that already exist for the

application version in Fortify Software Security Center) are uploaded.

Evaluating Issues

To evaluate and assign audit values to an issue or group of issues:

1. Select the issue or group of issues in the Issues view (see "About Viewing Analysis Results" on

page 39).

Note: If multiple issues are selected, then this information is displayed on the Audit tab as

Issue: Multiple Issues Selected.

2. Read the abstract on the Audit tab, which provides high-level information about the issue, such

as the analyzer that found the issue.

For example, Command Injection (Input Validation and Representation, Data Flow) indicates

that this issue that the Dataflow Analyzer detected, is a Command Injection issue in the Input

Validation and Representation kingdom.

OpenText™ Fortify Audit Workbench (24.2.0)

Page 104 of 152

User Guide

Chapter 5: Auditing Analysis Results

3. Click the Details tab to see more details about the issue.

4. On the Audit tab, select an analysis value for the issue to represent your evaluation.

5. Specify values for any custom tags defined by your organization.

To specify a date in a date-type custom tag, click Select Date

calendar.

to select a date from a

For text-type custom tags, you can click Edit Text to see and edit long text strings. This tag

accepts up to 500 characters (HTML/XML tags and newlines are not allowed).

6. If the audit results have been submitted to Fortify Audit Assistant in Fortify Software Security

Center, then you can specify whether to include or exclude the issue from Fortify Audit Assistant

training from the AA_Training list.

Note: If you select a different value for the analysis tag than the AA_Prediction value set by

Fortify Audit Assistant, and you select Include from the AA_Training list, then the next time

the data is submitted to Fortify Audit Assistant, it updates the information used to predict

whether an issue represents a true vulnerability. For more information about Fortify Audit

Assistant, see the OpenText™ Fortify Software Security Center User Guide.

7. (Optional) In the Comments box, type comments relevant to the issue and your evaluation.

Performing Quick Audits

As you audit issues, you can use a keyboard combination to assign an analysis value to multiple

selected issues.

To assign an analysis value to multiple issues simultaneously:

1. In the Issues view, select the issues that you want to assign the same analysis value.

2. Press Ctrl + Shift + A (Cmd + Shift + A on macOS).

Audit Workbench displays a window in the lower-right corner to indicate you are in Quick Audit

Issue mode.

Note: Do not hold this keyboard combination in the next step.

3. Press one of the following number keys:

l

To assign Not an Issue, press 1

l

To assign Reliability Issue, press 2

l

To assign Bad Practice, press 3

l

To assign Suspicious, press 4

l

To assign Exploitable, press 5

l

To assign a custom analysis value configured for your organization, press the number that

corresponds to its position in the Analysis list on the Audit tab.

OpenText™ Fortify Audit Workbench (24.2.0)

Page 105 of 152

User Guide

Chapter 5: Auditing Analysis Results

Audit Workbench provides keyboard shortcuts for only the first ten values in the Analysis list. (To

assign the tenth value in the list, you press Ctrl + Shift + A, and then press 0). If no value is listed for

the key you press, no value is assigned.

Performing Quick Audits for Custom Tags

Instead of using the Analysis tag for quick audits, you can use a custom tag your organization has

created.

To use a custom tag for quick audits:

1. Select Options > Options.

2. In the left pane, select Audit Configuration, and then select the Configuration tab on the right.

3. Under Quick Audit Preference, from the Attribute to use for quick action audit list, select a

custom tag.

Note: Only list-type tags are available to use for quick audits.

If no custom tags have been created, the list only includes the Analysis tag.

4. Click OK.

The keyboard shortcut functions just as it does for the Analysis tag values. Audit Workbench provides

keyboard shortcuts for only the first ten values in the list of custom tag values. (To assign the tenth

value in the list, you press Ctrl + Shift + A, and then press 0). If there is no value in the list for the key

you press, no value is assigned.

Adding Screenshots to Issues

You can attach a screenshot or other image to an issue. Attached images are stored in the FPR file

and are accessible from Fortify Software Security Center. The following image formats are supported:

l

GIF

l

JPG

l

PNG

To add an image to an issue:

1. Select the issue.

2. In the Issue Auditing pane, select the Screenshots tab.

3. Click Add.

4. In the New Screenshot dialog box, click Browse to find and select the file.

5. (Optional) In the Description box, type a description.

6. Click Add.

OpenText™ Fortify Audit Workbench (24.2.0)

Page 106 of 152

User Guide

Chapter 5: Auditing Analysis Results

Viewing Images

After you add a screenshot to an issue, the image is displayed on the right side of the Screenshots

tab.

To view a full-size version of an image added to an issue:

1. In the Issue Auditing pane, select the Screenshots tab.

2. From the list of screenshots, click the image you want to view.

3. Click Preview.

Creating Issues for Undetected Vulnerabilities

Add undetected issues that you want to identify as issues to the issues list. You can audit manually

configured issues on the Audit tab, just as you do other issues.

To create an issue:

1. Select the object in the line of code in the source code tab.

2. Right-click the line that contains the issue, and then select Create New Issue.

The Create New Issue dialog box opens.

3. Select the issue category, and then click OK.

The issues list displays the file name and source code line number for the new issue next to a blue

icon. The rule information in the Audit tab includes Custom Issue. You can edit the issue to include

audit information, just as you can other issues.

Suppressing Issues

You can suppress issues that are either fixed or that you do not plan to fix. Suppression marks the

issue and all future discoveries of this issue as suppressed. As such, it is a semi-permanent marking of

a vulnerability.

To suppress an issue, do one of the following:

l

In the Issues view, select the issue, and then, on the Audit tab in the Issue Auditing view, click

Suppress

.

l

In the Issues view, right-click the issue, and then click Suppress Issue.

Note: You can select and suppress multiple issues at the same time.

To display issues that have been suppressed, select Options > Show Suppressed Issues.

To unsuppress an issue, first display the suppressed issues, and then do one of the following:

l

In the Issues view, select the suppressed issue, and then, on the Audit tab in the Issue Auditing

view, click Unsuppress

.

OpenText™ Fortify Audit Workbench (24.2.0)

Page 107 of 152

User Guide

Chapter 5: Auditing Analysis Results

l

Right-click the issue in the Issues view, and then select Unsuppress Issue.

Note: You can select and unsuppress multiple issues at the same time.

Submitting an Issue as a Bug

You can submit issues to your bug tracker application if integration between the applications has

been configured.

To submit an issue as a bug:

1. Select the issue in the Issues view, and then, on the Audit tab, click File Bug

.

2. If this is the first time you have filed a bug, the Select Bug Tracker Integration dialog box opens.

Select a bug tracker application, and then click OK.

For information about configuring the plugin with bug tracker applications, see "Integrating with

a Bug Tracker Application" on page 98.

3. Specify all required values and review the issue description. Depending on the integration and

your bug tracker application, the values include items such as the bug tracker application web

address, product name, severity level, summary, and version.

4. If the connection to the bug tracker requires a proxy, select the Use proxy check box.

With this option selected, Fortify Audit Workbench uses the proxy settings specified for bug

trackers. For more information, see "Configuring Proxy Settings for Bug Tracker Integration" on

page 98.

5. Click Submit.

You must already be logged in before you can file a bug through the user interface for bug tracker

applications that require a logon. The issue is submitted as a bug in the bug tracker application.

If you use Fortify Software Security Center, you can submit an issue as a bug using a bug tracker

application configured through Fortify Software Security Center.

To submit an issue as a bug through Fortify Software Security Center:

1. Select the issue in the Issues view, and then, on the Audit tab, click File Bug

.

The first time you submit a bug, the Select Bug Tracker Integration dialog box opens. Select

Fortify Software Security Center, and then click OK.

2. Specify the values if changes are needed and review the issue description. Depending on the

integration and your bug tracker application, the values include items such as the bug tracker

application web address, product name, severity level, summary, and version.

3. Click Submit.

If your bug tracker application requires you to log in, you must do so before you can file a bug

through that interface.

OpenText™ Fortify Audit Workbench (24.2.0)

Page 108 of 152

User Guide

Chapter 5: Auditing Analysis Results

Correlation Justification

A correlation occurs when an issue uncovered by one analyzer (Fortify WebInspect Agent, Fortify

Static Code Analyzer, or Fortify WebInspect) is related directly or indirectly to an issue uncovered by

another analyzer.

Correlated events help you identify issues that have a higher probability of being exploited. A

vulnerability that is linked to other vulnerabilities might represent an issue that has multiple points of

entry. For example, if Fortify WebInspect scan results are correlated with Fortify Static Code Analyzer

scan results, this increases the likelihood that the associated Fortify Static Code Analyzer issues are

exploitable.

Fortify Audit Workbench provides additional information to help you resolve these correlated issues

and mitigate the risks they present. In Fortify Audit Workbench, this additional information is

presented as Correlation Justification.

Using Correlation Justification

To use correlation justification:

1. In the Issues view, select a correlated issue.

A correlated issue is identified in the issues list by a blue sphere on the issue icon, as shown

below.

OpenText™ Fortify Audit Workbench (24.2.0)

Page 109 of 152

User Guide

Chapter 5: Auditing Analysis Results

2. In the Issue Auditing view, select the Correlated Issues tab.

The Correlated Issues tab lists the other issues that are correlated with the issue you first

selected.

Because you first selected a correlated issue, the View Correlations button is available.

3. Click View Correlations.

The Correlation Justification dialog box opens and displays the following three panes:

l

The correlated issues tree on the left displays all correlated issues within a correlated group,

sorted based on analyzers.

l

The relationship pane at the top right displays the correlation chain between issues. The chain

describes any indirect or direct relationship between the two selected issues.

l

The pane at the bottom right describes each correlation rule in the correlation chain displayed

OpenText™ Fortify Audit Workbench (24.2.0)

Page 110 of 152

User Guide

Chapter 5: Auditing Analysis Results

in the relationship pane.

4. To select two issues, press Ctrl, and then click each issue.

The relationship pane displays the two issues and their relationships.

OpenText™ Fortify Audit Workbench (24.2.0)

Page 111 of 152

User Guide

Chapter 5: Auditing Analysis Results

5. To inspect the attributes that correlate the issues, move your cursor to each link in the

relationship pane.

6. Click OK.

Use correlation justification to gain insight into code vulnerabilities and understand why certain

issues are correlated. This can help to reduce the time it takes to remediate the issues.

Penetration Test Results

Fortify Audit Workbench supports import of XML for dynamic issues from Fortify WebInspect or from

your own custom parser that produces results in an XML file.

To create your own parser, write a class that implements the

com.fortify.pub.issueparsing.AnalysisFileParserinterface from the Fortify public API. It

can use any of the classes and utilities from <tools_install_dir>/Core/lib/fortify-public-

<version>.jar. The Fortify public API documentation is in <tools_install_

dir>/Samples/advanced/JavaDoc/public-api/index.html. The section for parsing scans and

creating issues is in the com.fortify.pub.issueparsingpackage.

OpenText™ Fortify Audit Workbench (24.2.0)

Page 112 of 152

User Guide

Chapter 5: Auditing Analysis Results

Viewing Penetration Test Results

Pentest issues have an analyzerattribute equal to pentest, and an analysis typeattribute that

reflects the tool or service (for instance, Fortify WebInspect issues have the WEBINSPECTanalysis

type. You can view these attributes through the standard grouping and search mechanisms.

After you select a pentest issue, Fortify Audit Workbench displays the penetration test details on the

Pentest Details tab. The following table lists the penetration test details.

Pentest Detail Description

Request

Path

Click the question mark icon to view the full request.

Web address without the context and parameters.

Referer header in the request.

Referer

Method

Either GET or POST.

Parameters

Cookies

Attack Type

Parameters included in the HTTP query.

Cookies included in the HTTP query.

Type of pentest attack conducted (web address, parameter, header, or cookie).

Attack Payload Part of the request that causes the vulnerability.

Trigger

Part of the response that shows that a vulnerability occurred.

To view the full response, click the question mark icon next to the trigger.

OpenText™ Fortify Audit Workbench (24.2.0)

Page 113 of 152

Chapter 6: Generating Analysis Reports

Fortify Audit Workbench provides two types of analysis reports:

l

Issue reports based on the Business Intelligence and Reporting Technology (BIRT) system

l

Legacy reports based on user-configurable report templates

This section contains the following topics:

Issue Reports

114

118

Legacy Reports and Templates

Issue Reports

You can generate issue reports based on the BIRT system from Fortify Audit Workbench or from the

command line. For information on how to generate issue reports from the command line using the

BIRTReportGenerator utility, see the OpenText™ Fortify Static Code Analyzer User Guide.

The following table describes the issue reports available.

Report Template

Description

CWE Top 25

This report lists the most widespread and critical weaknesses that can lead

to serious software vulnerabilities (based on the National Vulnerability

Database).

CWE/SANS Top 25

This report details issues related to the CWE/SANS Top 25 Most

Dangerous Programming Errors and provides information about where and

how to fix the issues. It describes the technical risk posed by unremediated

issues discovered during analysis and provides an estimate of the

development effort needed to test, verify, and fix them.

Developer Workbook This report provides the information a developer needs to understand and

fix the issues discovered during an application audit.

DISA CCI 2

This report provides a standard identifier for policy-based requirements

that connect high-level policy expressions and low-level technical

implementations.

DISA STIG

This report addresses DISA compliance based on STIG violations and

provides information about where and how to fix the issues. It describes

OpenText™ Fortify Audit Workbench (24.2.0)

Page 114 of 152

User Guide

Chapter 6: Generating Analysis Reports

Report Template

Description

the technical risk posed by unremediated issues and provides an estimate

of the development effort required to test, verify, and fix them.

FISMA Compliance:

FIPS 200

This report addresses FISMA compliance related to FIPS-200 through

controls specified in NIST SP 800-53. It details policy violations and

provides information about where and how to fix the issues. It describes

the technical risks posed by unremediated violations and provides an

estimate of the development effort required to test, verify, and fix them.

GDPR

This report groups all detected issues that are relevant to privacy under

the EU General Data Protection Regulation (GDPR) legislation. Use this as a

framework to help identify and protect personal data as it relates to

application security.

MISRA

This report addresses compliance with either the Motor Industry Software

Reliability Association (MISRA) C or C++ guidelines. The results focus on

the security relevant guidelines and can help to create a compliance matrix

for MISRA. This report describes the technical risk posed by the

unremediated issues discovered during analysis and an provides an

estimate of the development effort needed to test, verify, and fix them.

OWASP API Top 10

This report focuses on weaknesses affecting Web APIs and is intended to

be used in combination with other standards and best practices to

thoroughly capture all relevant risks. For example, you can use it in

combination with the OWASP Top 10 to identify issues related to input

validation such as injections.

OWASP ASVS 4.0

This report groups detected issues based on the OWASP Application

Security Verification Standard requirements for secure development.

OWASP MASVS 2.0

This report groups detected issues based on the OWASP Mobile

Application Security Verification Standard requirements for secure mobile

application development.

OWASP Mobile

Top 10

This report details the top ten OWASP mobile-related issues and provides

information about where and how to fix them. It describes the technical risk

posed by the unremediated issues discovered during analysis and gives an

estimate of the development effort required to test, verify, and fix them.

OpenText™ Fortify Audit Workbench (24.2.0)

Page 115 of 152

User Guide

Chapter 6: Generating Analysis Reports

Report Template

Description

OWASP Top 10

This report details the top ten OWASP-related issues and provides

information about where and how to fix them. It describes the technical

risks posed by unremediated issues discovered during analysis and gives

an estimate of the development effort required to test, verify, and fix the

issues.

PCI DSS Compliance: This report summarizes the application security portions of PCI DSS. It

Application Security includes tests for 21 application security-related requirements across

Requirements

sections 3, 4, 6, 7, 8, and 10 of PCI DSS and reports whether each

requirement is either “In Place” or “Not In Place.”

PCI SSF Compliance: This report summarizes the application security portions of PCI SSF. It

Secure Software

Requirements

includes tests for 23 application security-related control objectives across

Control Objective sections 2, 3, 4, 5, 6, 7, 8, and A.2 of PCI SSF and reports

whether each control objective is "In Place" or "Not In Place."

Generating Issue Reports

To generate an issue report:

1. Select Tools > Reports > Generate BIRT Report.

The Generate BIRT Report dialog box opens.

OpenText™ Fortify Audit Workbench (24.2.0)

Page 116 of 152

User Guide

Chapter 6: Generating Analysis Reports

2. From the Report Template list, select the type of report you want.

3. From the Options list, select the template version (if multiple versions are available).

4. Select the information to include in the report.

Note: Not all options are available for all report templates.

a. To include detailed descriptions of reported issues, select the Detailed Report check box.

b. To categorize issues by Fortify Priority instead of folder names, select the Categories By

Fortify Priority check box.

c. To include descriptions of key terminology in the report, select the Key Terminology check

box.

d. To include the About Fortify Solutions section in the report, select the About Fortify

Solutions check box.

OpenText™ Fortify Audit Workbench (24.2.0)

Page 117 of 152

User Guide

Chapter 6: Generating Analysis Reports

5. To filter information from the report, click Issue Filter Settings.

You can filter the issues as follows:

l

Click Removed to include removed issues in the report.

l

Click Suppressed to include suppressed issues in the report.

l

Click Hidden to include hidden issues in the report.

l

Click Collapse Issues to collapse issues of the same sink and type into a single issue.

l

Click Only My Issues to include only issues assigned to your user name.

l

Click Advanced to build a search query to further filter the issues to include in the report. For

more information about the search modifiers, see "Search Modifiers" on page 63.

6. From the Format list, select the format for the report.

You can save the report in the following formats: Portable Document Format (PDF), HTML, and

Microsoft Word (DOC).

7. To specify an alternative location to save the report, click Browse, and then select a directory.

8. Click Generate.

9. If a report with the same file name already exists, you are prompted to either:

l

Click Overwrite to overwrite the existing report.

l

Click Append Version Number to have the report saved to a file with a sequential number

appended to the file name (for example: buildABC CWESANSTop25(1).pdf).

Legacy Reports and Templates

The legacy reports include user-configurable report templates. Report templates provide several

optional sections and subsections that gather and present specific types of data. For detailed

descriptions of the report templates, see "Legacy Report Components" on page 145. You can

generate legacy reports from Fortify Audit Workbench or from the command line using the

ReportGenerator utility. For information on how to generate legacy reports from the command line,

see the OpenText™ Fortify Static Code Analyzer User Guide.

The following sections provide information about the default reports and report templates,

instructions on how to modify existing reports, and how to create your own reports.

OpenText™ Fortify Audit Workbench (24.2.0)

Page 118 of 152

User Guide

Chapter 6: Generating Analysis Reports

Generating Legacy Reports

After you select a report template and specify report settings, you generate the report to view the

results. You can save the report results in PDF or XML format.

To run a report:

1. Select Tools > Reports > Generate Legacy Report.

2. Select a report template from the Report list.

3. (Optional) Make changes to the report section settings.

4. Click Save Report.

The Save Report dialog box opens.

5. Make any necessary changes to the report details, including its location and format.

6. Click Save.

Fortify Audit Workbench generates the report in the format you selected.

Legacy Report Templates

This section describes how to select and edit a legacy report template. You can modify legacy report

templates from the Generate Legacy Report dialog box, or you can edit report templates directly in

XML (see "Report Template XML Files" on page 125). If you or another user have edited or created

other default report templates, you might not see the default report templates described in this

section.

The legacy report templates include:

l

Fortify Developer Workbook—Provides a comprehensive list of all categories of issues found and

multiple examples of each issue. This report also gives a high-level summary of the number of

issues in each category.

l

Fortify Scan Summary—Provides high-level information based on the category of issues that

Fortify Static Code Analyzer found as well as a project summary and a detailed project summary.

l

Fortify Security Report—A mid-level report that provides comprehensive information on the

analysis performed and the high-level details of the audit that was performed. It also provides a

high-level description and examples of categories that are of the highest priority.

l

OWASP Top Ten <year>—Provides high-level summaries of uncovered vulnerabilities organized

based on the top ten issues that the Open Web Security Project (OWASP) has identified.

The following sections describe how to view report templates and customize them to address your

reporting needs.

Selecting Legacy Report Sections

You can choose sections to include in the report.

OpenText™ Fortify Audit Workbench (24.2.0)

Page 119 of 152

User Guide

Chapter 6: Generating Analysis Reports

To select the sections that you want to include in a report:

1. Click a section title to view the contents of the section.

The section details are displayed to the right of the dialog box.

2. To include a section in the report, select the section title check box in the list on the left side.

3. To remove a section from the report, clear the check box next to the section title.

For instructions on how to edit each section, see "Editing Legacy Report Subsections" on the next

page.

Opening Legacy Report Templates

To open a report template:

1. Select Tools > Reports > Generate Legacy Report.

The Generate Legacy Report dialog box opens.

OpenText™ Fortify Audit Workbench (24.2.0)

Page 120 of 152

User Guide

Chapter 6: Generating Analysis Reports

2. Select a report template from the Report list.

The Generate Report dialog box displays the report template settings.

Editing Legacy Report Subsections

When you select a section title, you can edit the contents that are displayed in the report. You can edit

text, add or change text variables, or customize the issues shown in a chart or results list.

OpenText™ Fortify Audit Workbench (24.2.0)

Page 121 of 152

User Guide

Chapter 6: Generating Analysis Reports

Editing Text Subsections

To edit a text subsection:

1. Select the check box next to the subsection title to include this text in the report.

A description of the text is displayed below the subsection title.

2. Click Edit Text.

The text box displays the text and variables to include in the report.

3. Edit the text and text variables.

As you edit text subsections, you can insert variables that are defined when you run the report. The

following table describes these variables.

Variable

Description

List of filters created with answers to Audit Guide Wizard questions

$AUDIT_GUIDE_

SUMMARY$

JAR files used in the scan, one relative path per line

Complete list of command-line options (same format as project summary)

List of scanned files, each in the format:

$CLASSPATH_

LISTING$

$COMMANDLINE_

ARGS$

$FILE_LISTING$

<relative_file_path> # Lines # kb <timestamp>

List of filters the current filter set uses

$FILTERSET_

DETAILS$

Name of the current filter set

$FILTERSET_

NAME$

Fortify Static Code Analyzer version

$FORTIFY_SCA_

VERSION$

Libdirs specified for the scan, one relative path per line

$LIBDIR_

LISTING$

Total lines of code

$TLOC$

Total number of files scanned

$NUMBER_OF_

FILES$

Build label of project

$PROJECT_BUILD_

LABEL$

OpenText™ Fortify Audit Workbench (24.2.0)

Page 122 of 152

User Guide

Chapter 6: Generating Analysis Reports

Variable

Description

Build ID

$PROJECT_NAME$

$PROPERTIES$

Complete list of properties set for the analysis phase (same format as

project summary)

Complete certification detail with a list of validity on a per file basis (same

format as project summary)

$RESULTS_

CERTIFICATION$

Short description of certification (same format as project summary)

$RESULTS_

CERTIFICATION_

SUMMARY$

Complete list of Rulepacks used for the analysis (same format as project

summary)

$RULEPACKS$

Hostname of machine on which the scan was performed

Date of analysis with the default format style for the locale

$SCAN_COMPUTER_

ID$

$SCAN_DATE$

$SCAN_SUMMARY$

$SCAN_TIME$

$SCAN_USER$

Summary of codebase scanned in format # files, # lines of code

Time of analysis phase

Username for the user who performed the scan

Source base path of codebase

$SOURCE_BASE_

PATH$

Number of issues, not including suppressed and removed issues

$TOTAL_

FINDINGS$

Label of the scanned project (available only if the Fortify Static Code

$VERSION_LABEL$

Analyzer -build-labeloption was used in the scan)

Complete list of warnings that occurred

Number of warnings found in scan

$WARNINGS$

$WARNING_

SUMMARY$

Editing Results List Subsections

To edit a result list subsection:

1. Select the check box next to the subsection title to include this text in the report.

A description of the results list is displayed below the subsection title.

OpenText™ Fortify Audit Workbench (24.2.0)

Page 123 of 152

User Guide

Chapter 6: Generating Analysis Reports

2. Click the issues list heading to expand the options.

3. Select the attributes used to group the results list.

If you group by category, the recommendations, abstract, and explanation for the category are

also included in the report. For the list of attributes to group by, see "Grouping Issues" on

page 73.

4. (Optional) To refine the issues shown in this subsection with a search query, click Advanced.

For information about the search syntax, see "Search Syntax" on page 62.

5. Select or clear the Limit number of Issues in each group check box.

6. If you selected the check box, type the number of issues to display per group.

Editing Chart Subsections

To edit a chart subsection:

1. Select the check box next to the subsection title to include this text in the report.

A chart description is displayed below the subsection title.

2. Select the attributes used to group the chart data.

For the list of attributes to group by, see "Grouping Issues" on page 73.

3. (Optional) To refine the issues shown in this subsection with a search query, click Advanced.

For information about the search syntax, see "Search Syntax" on page 62.

4. Select the chart format (table, pie, or bar).

Saving Legacy Report Templates

You can save the current report settings as a new template that you can select later to run more

reports.

To save settings as a report template:

1. Select Tools > Generate Legacy Report.

The Generate Report dialog box opens.

2. Select the report template from the Report list.

3. Make changes to the report section and subsection settings.

4. Click Save as New Template.

When you select the report template name from the Report list, the report settings are displayed in

the Generate Report dialog box.

Saving Changes to Legacy Report Templates

You can save changes to a report template so that your new settings are displayed as the defaults for

that template.

OpenText™ Fortify Audit Workbench (24.2.0)

Page 124 of 152

User Guide

Chapter 6: Generating Analysis Reports

To save changes a report template:

1. Select Tools > Generate Legacy Report.

The Generate Report dialog box opens.

2. Select the report template to save as the default report template from the Report list.

3. (Optional) Make changes to the report section and subsection settings.

4. Click Save Settings as Default.

Report Template XML Files

Report templates are saved as XML files. You can edit the XML files to make changes or to create new

report template files. When you edit the XML files, you can choose the sections and the contents of

each section to include in the report template.

The default location for folder that contains report template XML files is:

<tools_install_dir>/Core/config/reports/

To customize the logos used in the reports, you can replace header.pngand footer.pngin this

directory.

Adding Legacy Report Sections

You can add report sections by editing the XML files. In the XLM structure, the ReportSection

element defines a new section. It includes a Titleelement for the section name, and it must include

at least one Subsectionelement to define the contents of the section in the report. The following

XML is the Results Outlinesection of the Fortify Security Report:

<Title>Results Outline</Title>

<Title>Overall number of results</Title>

<Description>Results count</Description>

<Text>The scan found $TOTAL_FINDINGS$ issues.</Text>

</SubSection>

<Title>Vulnerability Examples by Category</Title>

<Description>Results summary for critical and high priority issues.

Vulnerability examples are provided by category.

</Description>

<Refinement>[fortify priority order]:critical OR

[fortify priority order]:high</Refinement>

<Axis>Category</Axis>

</Chart>

</IssueListing>

</SubSection>

</ReportSection>

OpenText™ Fortify Audit Workbench (24.2.0)

Page 125 of 152

User Guide

Chapter 6: Generating Analysis Reports

In the previous example, the Results Outlinesection contains two subsections. The first

subsection is a text subsection named Overall number of results. The second subsection is a

results list named Vulnerability Examples by Category. A section can contain multiple

subsections.

Adding Report Subsections

In the report sections, you can add subsections or edit subsection content. Subsections can generate

text, results lists, or charts.

Adding Text Subsections

In a text subsection, you can include the Titleelement, the Descriptionelement, and the Text

element. In the Textelement, you can provide the default content, although you can edit the content

before you generate a report. For a description of the text variables available to use in text

subsections, see "Editing Legacy Report Subsections" on page 121. The following XML is the

Overall number of result s subsection in the Results Outlinesection:

<Title>Overall number of results</Title>

<Description>Results count</Description>

<Text>The scan found $TOTAL_FINDINGS$ issues.</Text>

</SubSection>

In this example, the text subsection is titled Overall number of results. The text to describe the

purpose of the text is Results count. The text in the text field that the user can edit before running

a report uses one variable named $TOTAL_FINDINGS$.

OpenText™ Fortify Audit Workbench (24.2.0)

Page 126 of 152

User Guide

Chapter 6: Generating Analysis Reports

Adding Results List Subsections

In a results list subsection, you can include the Titleelement, the Descriptionelement, and the

IssueListingelement. In the IssueListingelement, you can define the default content for the

limit and set listingto true. You can include the Refinementelement either with or without a

default statement, although you can edit the content before you generate a report. To generate a

results list, the Chartelement attribute chartTypeis set to list. You can also define the Axis

element. The following XML is the Vulnerability Examples by Categorysubsection in the

Results Outlinesection:

<Title>Vulnerability Examples by Category</Title>

<Description>Results summary of the highest severity issues.

Vulnerability examples are provided by category.</Description>

<Refinement>[fortify priority order]:critical OR

[fortify priority order]:high</Refinement>

<Axis>Category</Axis>

</Chart>

</IssueListing>

</SubSection>

In this example, the results list subsection is titled Vulnerability Examples by Category. The

text to describe the purpose of the subsection is Results summary of the highest severity

issues. Vulnerability examples are provided by category. This subsection lists

(listing=true) one issue (limit="1") per Category (the Axiselement value) where there are

issues that match the statement [fortify priority order]:critical OR [fortify

priority order]:high(the value of the Refinementelement).

Adding Charts Subsections

In a chart subsection, you can include the Titleelement, the Descriptionelement, and the

IssueListingelement. In the IssueListingelement, you can define the default content for the

limit and set listingto false. You can include the Refinementelement either with or without a

default statement, although you can edit the content before generating a report. To generate a pie

chart, the Chartelement's attribute chartTypeis set to pie. The options are table, pie, and bar.

You can change this setting before you generate the report. You can also define the Axiselement.

OpenText™ Fortify Audit Workbench (24.2.0)

Page 127 of 152

User Guide

Chapter 6: Generating Analysis Reports

The following code shows an example of a chart subsection:

<Title>New Issues</Title>

<Description>A list of issues discovered since the previous

analysis.</Description>

<Text>The following issues have been discovered since the

last scan.</Text>

<Axis>New Issue</Axis>

</Chart>

</IssueListing>

</SubSection>

In this subsection, a chart (limit="-1" listing="false") has the title New Issuesand a text

section that contains the text The following issues have been discovered since the

last scan. This chart includes all issues (the Refinementelement is empty) and groups the issues

on the value of New Issues(the value of the Axiselement). This chart is displayed as a pie chart

(chartType="pie").

OpenText™ Fortify Audit Workbench (24.2.0)

Page 128 of 152

Chapter 7: Using the Functions View

Fortify Static Code Analyzer identifies all functions declared or called in your source code. You can use

the Functions view in Fortify Audit Workbench to determine where a function is located in the source

code, whether a security rule covered the function, and which rule IDs matched the function. You can

also list the functions that Fortify Static Code Analyzer identified as tainted source and view only the

functions not covered by rules applied in the most recent scan.

This section contains the following topics:

Opening the Functions View

Sorting and Viewing Functions

Locating Functions in Source Code

Synchronizing the Functions View with the Analysis Trace View

Locating Classes in Source Code

Determining Which Rules Matched a Function

Writing Rules for Functions

Creating Custom Cleanse Rules

OpenText™ Fortify Audit Workbench (24.2.0)

Page 129 of 152

User Guide

Chapter 7: Using the Functions View

Opening the Functions View

To open the Functions view:

1. Select Options > Show View > Functions.

Fortify Audit Workbench displays the Functions view in the top-right.

2. To view coverage information about top-level (global) functions, expand the Top-level

functions node.

3. To view descriptions of the icons displayed to the left of each function, click Legend.

l

Function Not Covered by Rules

This function does not have any rules associated with it.

OpenText™ Fortify Audit Workbench (24.2.0)

Page 130 of 152

User Guide

Chapter 7: Using the Functions View

Note: It is not necessary to have a rule for every function in an application because not all

functions have a security impact.

l

Function Covered by Rules

This function is covered by one or more rules; however, the rules are never triggered.

l

Function Covered by Rules and has Matching Rules

This function is covered by one or more rules and at least one of them triggered. This does not

necessarily mean an issue has been found. For example, a tainted data source rule matches

the source function but the tainted data that entered the function does not reach a sink.

Sorting and Viewing Functions

To change the order of, or to hide or show functions:

1. Open the Functions view.

2. From the Show list, select one of the following:

l

To display all functions, select All.

l

To display functions not covered by rules, select Not Covered by Rules.

l

To display functions that the Rulepack used in the most recent scan has identified as a source

of tainted data, select Taint Sources.

3. From the Group By list, select one of the following sorting methods:

l

To sort functions based on package, select package.

l

To sort listed functions by class, select class.

l

To sort listed functions alphabetically, select function.

4. Under Include API:

l

To show functions in external classes, select the External check box.

l

To show functions in internal classes, select the Internal check box.

l

To show functions in superclasses, select the Superclasses check box.

Fortify Audit Workbench updates the Functions view.

OpenText™ Fortify Audit Workbench (24.2.0)

Page 131 of 152

User Guide

Chapter 7: Using the Functions View

Locating Functions in Source Code

From the Functions view, you can list the file name and line number where the function occurs in the

source code.

To show where a function is located in the code:

1. In the Functions view, right-click a function, and then select Find Usages.

The Search view (at center bottom) lists the file locations and line numbers in which the function

is used.

2. To jump to a line of code where the function is used, click the corresponding row in the Search

view.

Synchronizing the Functions View with the Analysis

Trace View

You can synchronize the Functions view with the Analysis Trace view so that, after you select an

issue or a trace node from the Analysis Trace view, the Functions view automatically displays the

class that contains the selected item of evidence. This makes it easy for you to inspect other methods

in that class, other classes in that package, and so on.

To synchronize the Functions view with the Analysis Trace view:

1. In the Functions view, from the Group By list, select class.

2. In the top-right corner of the Analysis Trace view, click Synchronize with Functions View

.

The Functions view displays the class that contains the item you selected in the Analysis Trace

view.

The Synchronize with Function View toggles synchronization. To turn off synchronization, click

Synchronize with Functions View again.

Locating Classes in Source Code

To see where classes are used in the source code:

1. In the Functions view, right-click a class , and then select Find Usages.

The Search view (at center bottom) lists the file locations and line numbers in which the class is

used.

2. To jump to a line of code where the class is used, click the corresponding row in the Search view.

OpenText™ Fortify Audit Workbench (24.2.0)

Page 132 of 152

User Guide

Chapter 7: Using the Functions View

For functions defined in the source code, you can open the declaration in the Source view by

right-clicking a function and then selecting Open Declaration. The source code is displayed with the

line highlighted. Alternatively, you can double-click functions to display the declaration.

Determining Which Rules Matched a Function

You can display the rule ID for all the rules that matched a function. When rules match a function, a

green circle icon is displayed next to it.

Fortify Static Code Analyzer can match a rule to functions without finding an issue related to the rule.

For example, a tainted data source rule matches the source function but the tainted data entering at

that function does not reach a sink.

Note: To use the rule ID to locate related issues, see "Search Syntax" on page 62, or create

visibility or folder filters.

To display the rule IDs:

1. Open a project in Fortify Audit Workbench.

2. Open the Functions view.

3. Right-click a function, and then select Show Matched Rules.

The Search view (at center bottom) lists the rule IDs with the vulnerability category name (if

applicable) and the Rulepack file name.

Writing Rules for Functions

You can use the Custom Rule Wizard from the Functions view to create a rule for a function.

To write a rule for a function:

1. Open a project in Fortify Audit Workbench.

2. Open the Functions view.

3. To create a rule:

a. Right-click a function, and then select Generate Rule for Function.

The Custom Rule Wizard opens.

b. Select the rule that best matches the behavior or vulnerability category.

c. Provide the information the wizard directs, and save the new rule to a custom Rulepack.

4. To rescan the translated files with the custom Rulepack:

a. Select Options > Options.

b. In the left pane, select Security Content Management.

c. Click Import Custom Security Content.

d. Browse to and select the custom Rulepack, and then click Open.

OpenText™ Fortify Audit Workbench (24.2.0)

Page 133 of 152

User Guide

Chapter 7: Using the Functions View

e. Click OK to close the Options dialog box.

f. Click Scan.

After the scan is completed, the project is updated.

5. Click OK.

6. To verify that the rule matched the function:

a. Right-click the function, and then select Show Matched Rules.

b. Verify that at least one rule ID matches the ID of the rule you created.

The function is now covered by a custom Rulepack and is displayed with a green circle next to it.

Creating Custom Cleanse Rules

You can create custom cleanse rules for specific functions from Fortify Audit Workbench.

To create a cleanse rule for a function:

1. Right-click the function, and then select Generate Rule for Function.

The Custom Rule Wizard opens.

2. In the templates list, expand the DataflowCleanseRule folder, and then select Generic

Validation Rule.

3. Click Next.

4. On the Rule Language step, select the source code language, and then click Next.

5. On the Validation Function Information step, type the regular expressions for the package,

class, and function.

6. Verify that the information is correct, and then click Next.

7. Select the argument to cleanse, and then click Next.

8. Select the Rulepack to which you want to add the rule, and then click Finish.

OpenText™ Fortify Audit Workbench (24.2.0)

Page 134 of 152

Chapter 8: Troubleshooting

The following topics provide information on how to troubleshoot problems you might encounter

working with Fortify Audit Workbench and how to report an issue to Customer Support.

Creating Archive Logs for Customer Support

You can have Fortify Audit Workbench create an archive file that you can later send to Customer

Support to help resolve any support issues that might arise. The file includes your Fortify Audit

Workbench logs and system properties.

To create an archive of your Fortify Audit Workbench logs and system properties:

1. In the Fortify Audit Workbench menu bar, select Help > Contact Fortify Product Support.

2. In the Create Fortify support archive? dialog box, click Yes.

3. Navigate to the folder where you want to save the archive file.

4. Accept the default file name displayed in the File name box, or change it.

5. Click Save.

6. To contact Customer Support and supply the archive file, follow the instructions in the Save

Successful dialog box.

7. Click OK.

Using the Debug Option

If you encounter errors, you can enable the debug option to help troubleshoot.

To enable debugging:

1.

Navigate to the <tools_install_dir>/Core/configdirectory and open the

fortify.propertiesfile.

2. You can either enable debug mode for all Fortify Applications and Tools or for specific

applications. Remove the comment tag (#) from in front of the property and set the value to

true.

Property

Description

com.fortify.Debug

If set to true, all the Fortify Applications and Tools run in

debug mode.

com.fortify.awb.Debug

If set to true, Fortify Audit Workbench runs in debug

OpenText™ Fortify Audit Workbench (24.2.0)

Page 135 of 152

User Guide

Chapter 8: Troubleshooting

Property

Description

mode.

com.fortify.eclipse.Debug

com.fortify.VS.Debug

If set to true, the Fortify Plugin for Eclipse runs in debug

mode.

If set to true, the Fortify Extension for Visual Studio runs

in debug mode.

Locating Log Files

For help diagnosing a problem, provide log files to Customer Support. To package the log files in a zip,

see "Creating Archive Logs for Customer Support" on the previous page.

On Windows systems, the default Fortify log files are the following directories:

l

C:\Users\<username>\AppData\Local\Fortify\sca<version>\log

The log files in this directory are only available if you analyze the code with Fortify Static Code

Analyzer.

l

C:\Users\<username>\AppData\Local\Fortify\AWB-<version>\log

l

C:\Users\<username>\AppData\Local\Fortify\AWB-

<version>\workspace\.metadata\.log

On Linux and macOS systems, the default Fortify log files are the following directories:

l

<userhome>/.fortify/sca<version>/log

The log files in this directory are only available if you analyze the code with Fortify Static Code

Analyzer.

l

<userhome>/.fortify/AWB-<version>/log

l

<userhome>/.fortify/AWB-<version>/workspace/.metadata/.log

Addressing the org.eclipse.swt.SWTError Error

On Linux systems, Fortify Audit Workbench can fail to start, resulting in the following error:

org.eclipse.swt.SWTError: No more handles [gtk_init_check() failed]

If you see this error, check to make sure that X11 is configured correctly and that your DISPLAY

variable is set.

OpenText™ Fortify Audit Workbench (24.2.0)

Page 136 of 152

User Guide

Chapter 8: Troubleshooting

Out of Memory Errors

The following two scenarios can trigger out-of-memory errors in Fortify Audit Workbench.

Scenario

More Information

Opening or auditing a large and

complex FPR file

"Allocating Additional Memory for Fortify Audit

Workbench" below

Running a scan on large and complex

project

"Allocating Additional Memory for Fortify Static Code

Analyzer" below

As a guideline, assuming no other memory-intensive processes are running, do not allocate more than

two thirds of the available system memory.

Allocating Additional Memory for Fortify Audit Workbench

To increase the memory allocated for Fortify Audit Workbench, set the environment variable AWB_

VM_OPTS. (For example, set AWB_VM_OPTS=-Xmx4Gto allocate 4 GB to Fortify Audit Workbench.) If

you choose to set AWB_VM_OPTS, do not allocate more memory than is physically available. Over-

allocation degrades performance.

In Fortify Audit Workbench, issue information is persisted to disk. This persisted information is

reloaded on demand and thereby decreases the required memory footprint of Fortify Audit

Workbench. To prevent out-of-memory errors, you can set a value in the fortify.propertiesfile

to take advantage of the information persisted to disk functionality. Set the property as follows:

com.fortify.model.PersistDataToDisk=true

Allocating Additional Memory for Fortify Static Code Analyzer

To increase the memory allocated for Fortify Static Code Analyzer, do one of the following:

l

In the Advanced Static Analysis wizard, increase the amount of memory Fortify Static Code

Analyzer uses for scanning. This passes the memory allocation option to Fortify Static Code

Analyzer. This method does not require restarting Fortify Audit Workbench. See "Scanning Large

and Complex Projects" on page 31.

l

Before your start Fortify Audit Workbench, set the environment variable SCA_VM_OPTS. For

example, to allocate 32 GB to Fortify Static Code Analyzer, set the variable to -Xmx32G.

Note: If you choose to set SCA_VM_OPTS, do not allocate more memory than is physically

available. Overallocation degrades performance.

OpenText™ Fortify Audit Workbench (24.2.0)

Page 137 of 152

User Guide

Chapter 8: Troubleshooting

Specifying Memory for External Processes

You can specify how much memory external processes such as iidmigrator use by setting the

com.fortify.model.ExecMemorySettingproperty in the <tools_install_

dir>/Core/config/fortify.propertiesfile. Fortify Audit Workbench uses the iidmigrator tool

when merging analysis results. The default memory setting for iidmigrator is 1800 MB. The value for

this property setting specifies the maximum heap size.

If you set the value of this property and you have Fortify Static Code Analyzer installed, then in

addition to updating the file for Fortify Applications and Tools, make sure to apply the same property

change in the <sca_install_dir>/Core/config/fortify.propertiesfile.

Saving a Project that Exceeds the Maximum Removed

Issues Limit

When you save a project that has more than the maximum number of removed issues, Fortify Audit

Workbench displays following warning message:

Your project contains more than <removed_issues_limit> removed issues.

Would you like to persist them all, or limit the number to <removed_issues_

limit>?

If you limit the number, audited removed issues will take precedence over

unaudited ones.

Click Limit to limit the number of issues to the maximum or click Save All to save all the removed

issues. The com.fortify.RemovedIssuePersistanceLimitproperty controls the maximum

number of removed issues <removed_issues_limit>. See the OpenText™ Fortify Static Code Analyzer

Applications and Tools Guide for more information.

To configure how Fortify Audit Workbench handles this issue for future occurrences:

1. Select Options > Options.

2. In the left pane, select Audit Configuration.

3. Select the Configuration tab.

4. Under Save Audit Project Options, specify one of the following configuration settings:

l

Limit removed issues to the maximum number

l

Save all removed issues every time

l

Prompt me next time

5. Click OK.

OpenText™ Fortify Audit Workbench (24.2.0)

Page 138 of 152

User Guide

Chapter 8: Troubleshooting

Resetting the Default Views

If you have closed or moved views, such as the Issues view or the Audit tab, you can reset the user

interface to restore the views to the default state.

To reset the user interface to the default state:

1. Select Options > Options.

2. In the left pane, click Audit Configuration.

3. On the Appearance tab, click Reset Interface.

OpenText™ Fortify Audit Workbench (24.2.0)

Page 139 of 152

Appendix A: Static Analysis Results

Prioritization

The following topics describe how Fortify Static Code Analyzer automatically prioritizes the scan

results displayed in Fortify Audit Workbench.

This section contains the following topics:

About Results Prioritization

Estimating Impact and Likelihood with Input from Rules and Analysis

About Results Prioritization

Fortify Static Code Analyzer divides static analysis findings into four risk quadrants: critical, high,

medium, and low. Membership in each quadrant depends on whether the finding has a high or low

impact and high or low likelihood of occurring.

When Fortify Static Code Analyzer produces a results file, automated processing and human review

can convert issues into findings. Findings, which represent specific problems with the codebase,

sometimes map one-to-one with issues. However, in other cases, multiple related issues might be

combined into a single finding. For example, every form that submits a request without including a

unique token might produce an issue related to Cross-Site Request Forgery (CSRF), but these issues

OpenText™ Fortify Audit Workbench (24.2.0)

Page 140 of 152

User Guide

Appendix A: Static Analysis Results Prioritization

are more useful when they are combined into a single finding that indicates the application is

vulnerable to CSRF attacks.

On occasion, the static analysis process goes wrong. Depending on the rules and the analysis

algorithms used, a static analysis can produce false positives (reported vulnerabilities where no

vulnerabilities exist) or false negatives (unreported vulnerabilities) or both.

Quantifying Risk

Because it is not possible to determine if or when an organization will suffer consequences related to

a vulnerability, Fortify Static Code Analyzer takes a probabilistic approach to prioritizing

vulnerabilities. Risk is defined quantitatively, as follows:

risk = impact x likelihood

The risk that a vulnerability poses is equal to the impact of the vulnerability multiplied by the

likelihood that the impact will occur. Impact is defined as the negative outcome resulting from a

vulnerability and likelihood as the probability that the impact will happen.

Impact can come in many forms. For example, an organization might lose money or reputation

because of a successful attack, or it might lose business opportunity because the presence of a

vulnerability causes a system to fail a regulatory compliance check.

Two factors contribute to the likelihood that a vulnerability will cause harm:

l

The probability that the vulnerability will be discovered (by an attacker or an auditor)

l

The conditional probability that, once found, the vulnerability will be exploited

These probabilities change as the computer security field advances. New vulnerability assessment

techniques make it easier to find vulnerabilities, and new attack techniques increase the set of

vulnerabilities that attackers can exploit. Progressively better vulnerability prevention, mitigation, and

recovery strategies help counterbalance these advances.

OpenText™ Fortify Audit Workbench (24.2.0)

Page 141 of 152

User Guide

Appendix A: Static Analysis Results Prioritization

For example, consider Race Condition: Singleton Member Field vulnerabilities, which occur when code

assigns a value associated with a user session to a member variable of a singleton object in a web

application. Under the singleton model, the same class instance services all requests, therefore values

from one user session can spill over into another user’s session. The following code demonstrates a

singleton member field race condition:

public class GuestBook extends HttpServlet {

String name, password;

protected void doPost (HttpServletRequest request,

HttpServletResponse response) {

name = request.getParameter("username");

password = request.getParameter("password");

if (DBUtils.lookupUser(username, password)) {

accessSensitiveResources();

}

Although this vulnerability is simple to exploit after it is found, it can be difficult to find race

conditions because successful attacks often depend on very precise timing. Therefore, this class of

vulnerability has a low likelihood of occurring, which primarily reflects the difficulty involved in finding

the vulnerability.

For an example of a vulnerability whose likelihood is primarily governed by how difficult it is to

exploit, consider HTTP Header Manipulation, which occurs when unvalidated user input is included in

an HTTP response header and can enable cross-site scripting, HTTP response splitting, and cache

poisoning, among other attacks. The following code demonstrates a header manipulation

vulnerability:

String author = request.getParameter(AUTHOR_PARAM);

Cookie cookie = new Cookie("author", author);

cookie.setMaxAge(cookieExpiration);

response.addCookie(cookie);

In this case, identifying a vulnerable application is often quite simple because the vulnerability is

evident in web traffic returned from the server. Crafting a meaningful exploit, however, typically

involves a deep understanding of the application’s business logic, ready access to a pool of legitimate

users, and in some cases, a working knowledge of the network topography between the server and

the users. Therefore, this class of vulnerability has a low likelihood because it is difficult to exploit.

Estimating Impact and Likelihood with Input from

Rules and Analysis

Fortify Static Code Analyzer estimates the impact of a discovered vulnerability based on its type. The

impact value is associated with the static analysis rule that defines the vulnerability. In this way,

OpenText™ Fortify Audit Workbench (24.2.0)

Page 142 of 152

User Guide

Appendix A: Static Analysis Results Prioritization

results can indicate that a category such as cross-site scripting has a higher impact than a category

such as null pointer dereference.

To compute the likelihood portion of the risk equation, Fortify Static Code Analyzer draws on values

from the rules used for analysis, the analysis process itself, and from a human auditor (if an individual

has reviewed the results.) The likelihood of a finding is computed by combining the accuracy of the

rule and the confidence in the analysis with the probability that the vulnerability will be discovered

and acted upon, as follows:

likelihood = accuracy x confidence x probability

For the purpose of weighing static analysis results, an accuracy measure is associated with each rule

applied by the analysis engine. This number represents the possibility that the rule will correctly

identify a vulnerability.

For example, the rule that Fortify Static Code Analyzer uses to identify the member field race

condition has a high accuracy because it precisely identifies assignments to a member field of a

singleton object. Conversely, the rule used to identify cross-site request forgery has a low accuracy

because it identifies potentially vulnerable form submissions and relies on a human auditor to

determine whether the form submissions are susceptible to cross-site request forgery.

During static analysis, Fortify Static Code Analyzer might have to make assumptions about the way

the code behaves at runtime. The more assumptions Fortify Static Code Analyzer makes, the more

likely it is that a result is incorrect.

The term confidence is used to estimate the possibility that Fortify Static Code Analyzer correctly

applies the rule. For example, Fortify Static Code Analyzer reports reflected cross-site scripting

vulnerabilities in a JSP where data from a request parameter is echoed directly to the page with high

confidence. Conversely, Fortify Static Code Analyzer reports a persistent cross-site scripting issue

where data read from a database into a class selected at runtime using dependency injection is

rendered in the presentation tier with low confidence.

To represent the probability that the vulnerability is discovered and acted upon (with action

potentially coming the form of an exploit), Fortify Static Code Analyzer associates a probability

measure with each category of vulnerability identified by the rules. For example, cross-site scripting

vulnerabilities carry a higher probability than member field race conditions because they are more

likely to be discovered and exploited.

From a programmer’s perspective, some bugs are harder to fix than others. Modifying a single line of

code in a self-contained method is easier than modifying the result of a sequence of calls that span

the program. The term remediation effort describes the relative amount of effort required to fix and

verify a finding.

Fortify Static Code Analyzer provides a remediation effort with each finding it reports. For example,

member field race conditions have a small remediation effort, while cross-site request forgery, which

often involves major changes to a website, has a high remediation effort.

To avoid implying too much precision where little exists, Fortify Static Code Analyzer limits values of

impact, accuracy, confidence, and probability to a decimal range of from 0.1 to 5.0 and scales the

calculated likelihood value to the same range. It then defines high values for impact and likelihood as

those at 2.5 and above [2.5,5.0] and low values as those below 2.5 (0,2.5).

OpenText™ Fortify Audit Workbench (24.2.0)

Page 143 of 152

User Guide

Appendix A: Static Analysis Results Prioritization

Fortify Static Code Analyzer does not provide units for remediation effort because the absolute cost

of remediating different vulnerabilities differs from one organization to another. Instead, remediation

effort estimates the relative cost to remediate one kind of finding versus another, thereby enabling a

comparison of the effort required to remediate different vulnerabilities or vulnerabilities across more

than one project.

The following table provides sample impact, accuracy, confidence, and probability values for the four

vulnerabilities mentioned in this section along with the resulting risk calculations and corresponding

remediation effort for each vulnerability category.