OpenText™ Fortify Extension for Visual Studio
Software Version: 24.2.0
User Guide
Document Release Date: May 2024
Software Release Date: May 2024
Legal Notices  
Open Text Corporation  
275 Frank Tompa Drive, Waterloo, Ontario, Canada, N2L 0A1  
Copyright Notice  
Copyright 2009 - 2024 Open Text.  
The only warranties for products and services of Open Text and its affiliates and licensors (“Open Text”) are as may be set forth  
in the express warranty statements accompanying such products and services. Nothing herein should be construed as  
constituting an additional warranty. Open Text shall not be liable for technical or editorial errors or omissions contained herein.  
The information contained herein is subject to change without notice.  
Trademark Notices  
“OpenText” and other Open Text trademarks and service marks are the property of Open Text or its affiliates. All other  
trademarks or service marks are the property of their respective owners.  
Documentation Updates
The title page of this document contains the following identifying information:
• Software Version number
• Document Release Date, which changes each time the document is updated
• Software Release Date, which indicates the release date of this version of the software
This document was produced on May 03, 2024. To check for recent updates or to verify that you are using the most recent edition of a document, go to:
OpenText™ Fortify Extension for Visual Studio (24.2.0)  
Page 2 of 108  
Preface
Contacting Customer Support
Visit the Support website to:
• Manage licenses and entitlements
• Create and manage technical assistance requests
• Browse documentation and knowledge articles
• Download software
• Explore the Community
For More Information  
For more information about Fortify software products:  
About the Documentation Set  
The Fortify Software documentation set contains installation, user, and deployment guides for all  
Fortify Software products and components. In addition, you will find technical notes and release notes  
that describe new features, known issues, and last-minute updates. You can access the latest versions  
of these documents from the following Product Documentation website:  
To be notified of documentation updates between releases, subscribe to Fortify Product  
Announcements on the OpenText Fortify Community:  
Fortify Product Feature Videos  
You can find videos that highlight Fortify products and features on the Fortify Unplugged YouTube  
channel:  
Change Log
The following table lists changes made to this document. Revisions to this document are published between software releases only if the changes made affect product functionality.

Software Release / Document Version: 24.2.0
Changes:
Added:
• Remediating analysis results on Fortify Software Security Center:
Updated:
• Installing Fortify Extension for Visual Studio from the Visual Studio
• Ability to perform analysis with Fortify ScanCentral SAST using a standalone ScanCentral SAST client (see "Requirements for
• Added New Issues by Category grouping attribute (see "Grouping

Software Release / Document Version: 23.2.0
Changes:
Added:
Updated:
• Added that you should save all files in a solution before scanning
• Added descriptions for the OWASP MASVS 2.0 and the OWASP API Top 10 reports (see "Issue Reports" on page 70)
• Added a description of the Priority Override grouping attribute (see
Software Release / Document Version: 23.1.0
Changes:
Updated:
• Changes were made throughout this guide for the introduction of a separate Fortify Static Code Analyzer Applications and Tools installer
• Added descriptions of proxy information for updating security
• Added the ability to override the priority value if enabled on Fortify Software Security Center and support for custom tags that require

Software Release / Document Version: 22.2.0
Changes:
Updated:
• Removed the ability to save issue reports based on BIRT in Microsoft
• Added the Engine Priority grouping attribute, which is available for reviewing issues in Fortify Software Security Center (see "Grouping
• Added the engine priority search modifier, which is available for searching issues in Fortify Software Security Center (see "Search
• The Fortify Remediation window now displays the application version name and includes the ability to refresh the analysis results with Fortify Software Security Center (see "Viewing and Selecting
Chapter 1: Introduction  
This guide describes how to use the Fortify Extension for Visual Studio to scan and analyze your  
project source code to uncover security vulnerabilities (issues), which you can then evaluate and  
remediate.  
This section contains the following topics:  
Fortify Extension for Visual Studio  
The Fortify Extension for Visual Studio works with the Visual Studio integrated development  
environment (IDE). The extension integrates into the Visual Studio IDE as a software extension.  
Software security analysis typically consists of the following phases:
• Analysis—Scan a codebase for vulnerabilities
• Auditing—Review the analysis results to eliminate false positives and prioritize remediation efforts
• Remediation—Fix and eliminate security vulnerabilities in your code
The Fortify Extension for Visual Studio uses OpenText™ Fortify Static Code Analyzer and Fortify Secure Coding Rulepacks to locate security vulnerabilities in your solutions and projects (with support for the following languages: C/C++, C#, Visual Basic (VB.NET), and ASP.NET). The analysis results are displayed in Visual Studio and include a list of the issues uncovered, a description of the vulnerability type each issue represents, and suggestions on how to fix them.
Your organization can also use the Fortify Extension for Visual Studio with OpenText™ Fortify Software Security Center to manage applications and assign specific issues to developers. You can connect to Fortify Software Security Center to review the reported vulnerabilities and implement appropriate solutions from Visual Studio.
Fortify Security Content  
Fortify Static Code Analyzer uses a knowledge base of rules to enforce secure coding standards  
applicable to the codebase for static analysis. Fortify security content consists of Fortify Secure  
Coding Rulepacks and external metadata:
• Fortify Secure Coding Rulepacks describe general secure coding idioms for popular languages and public APIs
• External metadata includes mappings from the Fortify vulnerability categories to alternative categories (such as CWE, OWASP Top 10, and PCI)
Fortify provides the ability to write custom rules that add to the functionality of Fortify Static Code  
Analyzer and the Fortify Secure Coding Rulepacks. For example, you might need to enforce  
proprietary security guidelines or analyze a project that uses third-party libraries or other pre-  
compiled binaries that are not already covered by the Fortify Secure Coding Rulepacks. You can also  
customize the external metadata to map Fortify issues to different taxonomies, such as internal  
application security standards or additional compliance obligations. For instructions on how to create  
your own custom rules or custom external metadata, see the OpenText™ Fortify Static Code Analyzer  
Custom Rules Guide.  
If you are using collaborative auditing with Fortify Software Security Center, make sure that any  
custom rules or external metadata changes are also made in Fortify Software Security Center.  
Typically, you obtain the current Fortify security content when you install Fortify Static Code  
Analyzer. For information about updating Fortify security content, see "Updating Security Content" on  
Installing Fortify Extension for Visual Studio  
You install the Fortify Extension for Visual Studio either by selecting the extension as a component  
when you install Fortify Static Code Analyzer Applications and Tools or from the Visual Studio  
Marketplace.  
To install the Fortify Extension for Visual Studio with the Fortify Applications and Tools installer, see  
the OpenText™ Fortify Static Code Analyzer Applications and Tools Guide. During the Fortify  
Applications and Tools installation, make sure that you select the extension that corresponds to the  
Visual Studio version installed on your system.  
Installing from the Visual Studio Marketplace  
To install the Fortify Extension for Visual Studio from the marketplace:
1. In Visual Studio, access the dialog box to manage extensions.
2. Search the Visual Studio Marketplace for Fortify Extension for Visual Studio.
3. Download and install the Fortify Extension for Visual Studio for your version of Visual Studio.
Note: To install this extension as an administrator and allow all users to use the extension, download the VSIX file from the marketplace and then install it using VSIXInstaller with the /admin option from the Command Prompt.
Important! You must also have the Fortify Applications and Tools installed and configured in  
Fortify Extension for Visual Studio. If it is not yet configured, you are prompted to configure the  
Fortify Applications and Tools installation directory when you start Visual Studio. You can also  
configure the installation directory from the Fortify extension menu in Options on the Apps and  
Tools Configuration page.  
Related Documents  
This topic describes documents that provide information about Fortify software products.  
Note: You can find the Fortify Product Documentation at  
https://www.microfocus.com/support/documentation. Most guides are available in both PDF and  
All Products  
The following documents provide general information for all products. Unless otherwise noted, these  
documents are available on the Product Documentation website.  
Document / File Name — Description

About Fortify Software Documentation (About_Fortify_Docs_<version>.pdf)
This paper provides information about how to access Fortify product documentation.
Note: This document is included only with the product download.

Fortify Software System Requirements (Fortify_Sys_Reqs_<version>.pdf)
This document provides the details about the environments and products supported for this version of Fortify Software.

Fortify Software Release Notes (FortifySW_RN_<version>.pdf)
This document provides an overview of the changes made to Fortify Software for this release and important information not included elsewhere in the product documentation.

What's New in Fortify Software <version> (Fortify_Whats_New_<version>.pdf)
This document describes the new features in Fortify Software products.
Fortify ScanCentral SAST  
The following document provides information about Fortify ScanCentral SAST. This document is available on the Product Documentation website at

Document / File Name — Description

OpenText™ Fortify ScanCentral SAST Installation, Configuration, and Usage Guide (SC_SAST_Guide_<version>.pdf)
This document provides information about how to install, configure, and use Fortify ScanCentral SAST to streamline the static code analysis process. It is written for anyone who intends to install, configure, or use Fortify ScanCentral SAST to offload the resource-intensive translation and scanning phases of their Fortify Static Code Analyzer process.
Fortify Software Security Center  
The following document provides information about Fortify Software Security Center. This document  
is available on the Product Documentation website at  
Document / File Name — Description

OpenText™ Fortify Software Security Center User Guide (SSC_Guide_<version>.pdf)
This document provides Fortify Software Security Center users with detailed information about how to deploy and use Fortify Software Security Center. It provides all of the information you need to acquire, install, configure, and use Fortify Software Security Center.
It is intended for use by system and instance administrators, database administrators (DBAs), enterprise security leads, development team managers, and developers. Fortify Software Security Center provides security team leads with a high-level overview of the history and current status of a project.
Fortify Static Code Analyzer  
The following documents provide information about Fortify Static Code Analyzer. Unless otherwise  
noted, these documents are available on the Product Documentation website at  
Document / File Name — Description

OpenText™ Fortify Static Code Analyzer User Guide (SCA_Guide_<version>.pdf)
This document describes how to install and use Fortify Static Code Analyzer to scan code on many of the major programming platforms. It is intended for people responsible for security audits and secure coding.

OpenText™ Fortify Static Code Analyzer Custom Rules Guide (SCA_Cust_Rules_Guide_<version>.zip)
This document provides the information that you need to create custom rules for Fortify Static Code Analyzer. This guide includes examples that apply rule-writing concepts to real-world security issues.
Note: This document is included only with the product download.

OpenText™ Fortify License and Infrastructure Manager Installation and Usage Guide (LIM_Guide_<version>.pdf)
This document describes how to install, configure, and use the Fortify License and Infrastructure Manager (LIM), which is available for installation on a local Windows server and as a container image on the Docker platform.
Fortify Static Code Analyzer Applications and Tools  
The following documents provide information about Fortify Static Code Analyzer applications and  
tools. These documents are available on the Product Documentation website at  
Document / File Name — Description

OpenText™ Fortify Static Code Analyzer Applications and Tools Guide (SCA_Apps_Tools_<version>.pdf)
This document describes how to install Fortify Static Code Analyzer applications and tools. It provides an overview of the applications and command-line tools that enable you to scan your code with Fortify Static Code Analyzer, review analysis results, work with analysis results files, and more.
OpenText™ Fortify Audit Workbench User Guide (AWB_Guide_<version>.pdf)
This document describes how to use Fortify Audit Workbench to scan software projects and audit analysis results. This guide also includes how to integrate with bug trackers, produce reports, and perform collaborative auditing.

OpenText™ Fortify Plugin for Eclipse User Guide (Eclipse_Plugin_Guide_<version>.pdf)
This document provides information about how to install and use the Fortify Complete Plugin for Eclipse.

OpenText™ Fortify Analysis Plugin for IntelliJ IDEA and Android Studio User Guide (IntelliJ_AnalysisPlugin_Guide_<version>.pdf)
This document describes how to install and use Fortify Analysis Plugin for IntelliJ IDEA and Android Studio.

OpenText™ Fortify Extension for Visual Studio User Guide (VS_Ext_Guide_<version>.pdf)
This document provides information about how to install and use the Fortify extension for Visual Studio to analyze, audit, and remediate your code to resolve security-related issues in solutions and projects.
Chapter 2: Using the Fortify Extension for Visual Studio
Use the Fortify Extension for Visual Studio to perform Fortify Static Code Analyzer scans, review and  
audit analysis results, and remediate issues in Visual Studio.  
This section contains the following topics:  
About Analyzing the Source Code  
You analyze the source code from Visual Studio at the solution or project level. A security analysis with Fortify Static Code Analyzer consists of the following main phases:
• Translate all .NET files and other existing supported files, such as T-SQL, into intermediate files
• Scan the intermediate files to complete the security analysis
There are two ways to analyze your source code:
• Use a locally installed Fortify Static Code Analyzer to perform the entire analysis (translation and scan phases). For information about how to configure and run the analysis locally, see "About
After the scan is complete, Fortify Extension for Visual Studio displays the analysis results in Visual Studio.
• Use OpenText™ Fortify ScanCentral SAST to perform the entire analysis (translation and scan phases) or only the scan phase. For information about how to configure and run the analysis using
Note: If you use Fortify ScanCentral SAST to perform only the scan phase, then the Fortify Extension for Visual Studio performs the translation phase using a locally installed Fortify Static Code Analyzer.
After the scan is complete, do one of the following to view the analysis results:
• Configure the Fortify ScanCentral SAST options to upload the analysis results to a Fortify Software Security Center server. You can then open the analysis results from Fortify Extension
• Use the provided job token in the Fortify ScanCentral SAST client command line to retrieve the analysis results (FPR) file from the Fortify ScanCentral SAST Controller (see the OpenText™ Fortify ScanCentral SAST Installation, Configuration, and Usage Guide for instructions), and then open it in Visual Studio (see "Opening Audit Projects" on page 82).
Requirements for Analyzing Source Code  
Make sure you meet the following requirements, which depend on how you analyze your code and whether you will upload your analysis results to Fortify Software Security Center.
To scan your code from Visual Studio, you must have either:
• A locally installed and licensed Fortify Static Code Analyzer with Fortify security content. For installation instructions, see the OpenText™ Fortify Static Code Analyzer User Guide.
• A local Fortify ScanCentral SAST client and a properly configured Fortify ScanCentral SAST installation. You can install the Fortify ScanCentral SAST client as a component with either the Fortify Static Code Analyzer or the Fortify Applications and Tools installation, or from a Fortify ScanCentral SAST ZIP archive.
To upload the analysis results to Fortify Software Security Center, you must have the following:
• A Fortify Software Security Center URL
• If your Fortify Software Security Center server uses an SSL connection from an internal certificate authority or a self-signed certificate, you must import the Fortify Software Security Center certificate into the local Windows certificate store.
• A user account on the Fortify Software Security Center server that has permission to access application versions
To log in to Fortify Software Security Center, you can use a user name and password, an authentication token, or a single sign-on method as configured by a Fortify Software Security Center administrator.
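The certificate requirement above deserves a verification step before anything is trusted. The following PowerShell script is an added example and not part of the Fortify guide or product: it retrieves the certificate the Fortify Software Security Center server presents, prints the thumbprint and issuer so you can compare them with what the server administrator gave you, and only then imports a self-signed certificate into the Windows Trusted Root store. The host name, port and expected thumbprint are placeholders you supply.

```powershell
# Added example, not from the Fortify guide. Fetches the TLS certificate presented by a
# Fortify Software Security Center server, shows the fields needed to verify it out of band,
# and imports it into the Windows certificate store only after the thumbprint check passes.
# SscHost, SscPort and ExpectedThumbprint are placeholders: supply your server's values.
param(
    [string]$SscHost = 'ssc.example.com',      # assumed host name of the SSC server
    [int]$SscPort = 8443,                      # assumed HTTPS port
    [string]$ExpectedThumbprint = '',          # SHA-1 thumbprint supplied by the SSC administrator
    [ValidateSet('CurrentUser', 'LocalMachine')]
    [string]$StoreScope = 'CurrentUser',       # LocalMachine needs an elevated prompt and applies to all users
    [switch]$Import                            # without this switch the script only inspects
)

function Get-ServerCertificate {
    param([string]$TargetHost, [int]$Port)
    $client = [System.Net.Sockets.TcpClient]::new($TargetHost, $Port)
    # The callback accepts any certificate because we are only retrieving it here;
    # trust is decided below by comparing the thumbprint, not by this handshake.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
    $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($TargetHost)
        return [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose()
        $client.Dispose()
    }
}

$cert = Get-ServerCertificate -TargetHost $SscHost -Port $SscPort
$selfSigned = $cert.Subject -eq $cert.Issuer

"Subject     : $($cert.Subject)"
"Issuer      : $($cert.Issuer)"
"Valid until : $($cert.NotAfter)"
"Thumbprint  : $($cert.Thumbprint)"
"Self-signed : $selfSigned"

# Refuse to continue if the operator supplied a thumbprint and it does not match.
if ($ExpectedThumbprint) {
    $expected = ($ExpectedThumbprint -replace '[\s:]', '').ToUpperInvariant()
    if ($cert.Thumbprint -ne $expected) {
        throw "Thumbprint mismatch (got $($cert.Thumbprint), expected $expected); not importing."
    }
}

if ($Import) {
    if (-not $selfSigned) {
        # For a certificate issued by an internal CA, the CA certificate (obtained from your
        # PKI team, not from this handshake) is what belongs in the Root store.
        Write-Warning 'Certificate is CA-issued; import the issuing CA certificate instead of this leaf certificate.'
        return
    }
    $cerPath = Join-Path $env:TEMP 'ssc-server.cer'
    $der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [System.IO.File]::WriteAllBytes($cerPath, $der)
    try {
        Import-Certificate -FilePath $cerPath -CertStoreLocation "Cert:\$StoreScope\Root" | Out-Null
    } finally {
        Remove-Item $cerPath -ErrorAction SilentlyContinue
    }
    # Confirm the import by looking the thumbprint up in the store.
    Get-ChildItem "Cert:\$StoreScope\Root" |
        Where-Object { $_.Thumbprint -eq $cert.Thumbprint } |
        Format-List Subject, Thumbprint, NotAfter
}
```

Run it once without -Import to record the thumbprint, confirm that value with the server administrator, then run it again with -ExpectedThumbprint and -Import.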
Working with Fortify Software Security Center  
You need to configure a connection to Fortify Software Security Center to perform any of the following tasks:
• Upload your analysis results to Fortify Software Security Center
• Audit applications collaboratively using Fortify Software Security Center
• Update your Fortify security content from Fortify Software Security Center
The following sections describe how to configure a connection to the Fortify Software Security Center server, the different login methods, and how to synchronize your work on audit projects with Fortify Software Security Center.
Configuring a Connection to Fortify Software Security Center  
Before you can upload to or access the audit results in Fortify Software Security Center, you need to  
configure your connection to Fortify Software Security Center.  
To configure a connection to Fortify Software Security Center:  
1. From the Fortify extension menu, select Options.  
2. In the left pane, select Server Configuration.  
3. Under Software Security Center, specify the Server URL for Fortify Software Security Center.  
Tip: Click Test Connection to confirm that the URL is valid and you can successfully connect  
to the Fortify Software Security Center server.  
4. Click OK.  
Logging in to Fortify Software Security Center  
The first time you perform an operation that requires a connection to Fortify Software Security Center  
such as uploading an audit project or opening a collaborative application, you are prompted to log in.  
Before you can log in, you must have already configured the Fortify Software Security Center URL as  
To log in to Fortify Software Security Center:  
1. From the Login method list, select the login method set up for you in Fortify Software Security  
Center.  
2. To save your login information, select the Save login method check box.  
The Fortify Extension for Visual Studio saves your login information for all future use of this  
extension until you install a new Fortify Extension for Visual Studio.  
3. Depending on the login method you selected, do one of the following:

Login Method: Username/Password
Procedure: Type your Fortify Software Security Center user name and password.

Login Method: Authentication Token
Procedure: Specify the decoded value of a Fortify Software Security Center authentication token of type ToolsConnectToken.
Note: For instructions on how to create an authentication token from Fortify Software Security Center, see the OpenText™ Fortify Software Security Center User Guide.

Login Method: X.509 SSO
Procedure: Fortify Software Security Center must be configured to use X.509 Certification-based SSO.
Note: Your certificate must be in the current user certificate store and in the Personal store.
a. Click Browse for Certificate.
b. Select the certificate for the sign-on, and then click OK.

Login Method: Kerberos
Procedure: Fortify Software Security Center must be configured to use SPNEGO-based Kerberos authentication.
Note: Support for Kerberos SSO is limited to Windows systems.
4. Click OK to connect to Fortify Software Security Center.  
Synchronizing with Fortify Software Security Center  
The Fortify Extension for Visual Studio supports the ability to synchronize the local version of your  
project with the corresponding application version on the Fortify Software Security Center server.  
With synchronization to the server enabled, each time you load, merge, scan, or save your project  
locally on your system, the extension automatically uploads your changes to the version of your  
project on the server. This automatic synchronization prevents work loss during a power outage and  
enables you to work locally and synchronize your work when you connect later.  
You can customize which actions synchronize your local project version with the server. For instance, you can configure synchronization to occur only when you merge or scan a project.
If synchronization is enabled, then when you perform a scan, partial scan, save, or merge on your  
project, a dialog box prompts you to specify whether you want to auto-synchronize your project with  
the server.  
To change whether synchronization occurs automatically with the server:  
1. From the Fortify extension menu, select Options.  
2. In the left pane, select Project Configuration.  
3. Select the Synchronization Options tab.  
4. Specify the scope of the configuration by doing one of the following:
• To configure the settings for the projects in the open solution only, select the Enable Project Specific Settings check box.
• To change the default audit configuration for all projects scanned from this Visual Studio instance, click Configure Defaults.
5. Either clear the Auto Synchronize all Projects with Server Applications check box to turn off  
automatic synchronization or select it to enable automatic synchronization.  
6. If automatic synchronization is enabled, you can customize the actions that trigger  
synchronization with the server by selecting the actions to exclude.  
7. Click OK.  
About Scanning Locally  
This section describes how to perform a scan of your source code on the local system. You must provide the Fortify Extension for Visual Studio with the location of a locally installed Fortify Static Code Analyzer. You are prompted for the location of Fortify Static Code Analyzer (sourceanalyzer.exe) the first time you analyze your solution (or project).
In the analysis configuration, you can specify the SQL type, how much memory to use for the scan,  
select the security content you want to use, whether you want to scan in quick scan mode, and other  
advanced scanning options.  
Fortify strongly recommends that you periodically update the security content, which contains Fortify  
Secure Coding Rulepacks and external metadata. For information about how to update the security  
Configuring Security Content Updates  
You can configure the server from which to update security content and whether to have the security  
content updated from a server automatically. To configure these settings, you must provide the  
location of a locally installed Fortify Static Code Analyzer. You can specify the location of Fortify  
Static Code Analyzer on the Security Content Management options page.  
To update security content from your local system (if you do not have an internet connection or a  
Fortify Software Security Center server), see "Updating Security Content" on page 23.  
To configure the server from where you will obtain security content:  
1. From the Fortify extension menu, select Options.  
The Options dialog box opens to the Server Configuration page.  
2. To update security content from your Fortify Software Security Center server:  
a. Under Security Content Update, select the Update from Software Security Center check  
box.  
b. Under Software Security Center, specify the Server URL for Fortify Software Security  
Center (for example, http://my.domain.com:8080/ssc).  
3. To update security content from the Fortify Rulepack update server:  
a. Under Security Content Update, select the Update from Fortify Update Server check box.  
b. In the Server URL box, type the URL for the Fortify Rulepack update server.  
c. If required, specify the proxy server, port number, and credentials for proxy authentication.  
Note: When you specify the proxy settings, exclude the protocol from the proxy server  
(for example, some.secureproxy.com). You must specify a proxy port number.  
4. To update security content from a server automatically and with a specific frequency:  
a. Under Security Content Update, select the Update security content automatically check  
box.  
b. In the Update Frequency (Days) box, specify how often to update Fortify security content.  
See Also  
Updating Security Content  
To enable the Fortify Extension for Visual Studio to scan with a locally installed Fortify Static Code  
Analyzer, you must have up-to-date security content. You can update Fortify security content from a  
configured server or from your local system.  
To update security content:  
1. From the Fortify extension menu, select Options.  
2. In the left pane, select Security Content Management.  
3. To update security content, you must provide the location of a locally installed Fortify Static  
Code Analyzer. If not already specified, do the following:  
a. Click Browse to the right of Fortify Executable Path.  
b. Navigate to the Fortify Static Code Analyzer installation folder.  
The default installation folder on Windows is: C:\Program Files\Fortify\Fortify_SCA_<version>.
c. Click OK.  
4. To update Fortify security content from a server, do the following:  
a. (Optional) From the Locale list, select the language you want for the Fortify security content.  
By default, English is the selected language.  
b. Click Update.  
All existing security content is replaced with the Fortify security content from the server.  
5. To update Fortify security content from your local system, under Update Security Content from  
Local System, do the following:  
a. Click Fortify Security Content.  
b. Navigate to a Fortify security content ZIP file, and then click Open.  
6. Click OK to accept the update confirmation message.  
Any existing custom security content is unchanged.  
See Also  
Importing Custom Security Content  
You can import custom security content to use in your scans. Fortify Extension for Visual Studio stores custom rules in the <sca_install_dir>\Core\config\customrules folder.
Note: To import custom external metadata, you must place your external metadata file in the <sca_install_dir>\Core\config\CustomExternalMetadata folder.
To import custom rules:
1. From the Fortify extension menu, select Options.
2. In the left pane, select Security Content Management.
3. Under Update Security Content from Local System, click Custom Security Content.
The Select Security Content dialog box opens.
4. Select the custom rules files to import (*.xml and *.bin), and then click Open.
The Last Update information box reflects the imported custom security content.
About Quick Scan Mode  
Quick scan mode provides a way to quickly scan your projects for critical- and high-priority issues.  
Fortify Static Code Analyzer performs the scan faster by reducing the depth of the analysis and  
applying the Quick View filter set. Quick scan settings are configurable. For more details about the  
configuration of quick scan mode, see the OpenText™ Fortify Static Code Analyzer User Guide.  
Quick scans are a great way to get many applications through an assessment so that you can quickly  
find issues and begin remediation. The performance improvement you get depends on the complexity  
and size of the application. Although the scan is faster than a full scan, it does not provide as robust a  
result set. Other issues that a quick scan cannot detect might exist in your application. Fortify  
recommends that you run full scans whenever possible.  
Note: By default, Fortify Software Security Center ignores uploaded scans performed in quick  
scan mode. However, you can configure your Fortify Software Security Center application version  
so that it processes uploaded audit projects scanned in quick scan mode. For more information,  
see the analysis results processing rules in the OpenText™ Fortify Software Security Center User  
Guide.  
You can use quick scan mode for scans that use a locally installed Fortify Static Code Analyzer. Audit
quick analysis results just as you audit full analysis results. To perform a quick scan, see "Configuring
Advanced Local Scan Options" on page 26.
Configuring Local Scan Options  
Use the analysis configuration to customize the security content, specify the SQL type, and specify  
the amount of memory Fortify Static Code Analyzer uses during a local scan. To configure these  
settings, you must provide the location of a locally installed Fortify Static Code Analyzer. You can  
specify the location of Fortify Static Code Analyzer on the Security Content Management page.  
To configure the analysis options:  
1. From the Fortify extension menu, select Options.  
2. In the left pane, select Project Configuration.  
The Project Configuration dialog box opens to show the Analysis Configuration tab.  
3. Specify the scope of the configuration by doing one of the following:  
- To configure the settings for the projects in the open solution only, select the Enable Project Specific Settings check box.
- To change the default scan configuration for all projects scanned from this Visual Studio instance, click Configure Defaults.
4. By default, Fortify Static Code Analyzer treats SQL files as T-SQL. If your files use PL/SQL, from  
the SQL Type list, select PL/SQL.  
Note: The SQL Type setting notifies Fortify Static Code Analyzer about the SQL type that  
the project uses. Fortify Static Code Analyzer only scans SQL code if it is included in the  
project.  
5. To specify the amount of memory to use for the scan, type an integer in the Memory (MB) box.  
Note: Do not allocate more than two thirds of the available physical memory.  
6. To customize the security content that you want to use, clear the Use all installed security  
content check box, and then select the Fortify Secure Coding Rulepacks and any specific custom  
security content that you want to use.  
7. Click OK.  
Configuring Advanced Local Scan Options  
Use the advanced scan options to activate or deactivate quick scan mode and customize Fortify Static  
Code Analyzer translation and scan command-line options. To configure these settings, you must  
provide the location of a locally installed Fortify Static Code Analyzer. You can specify the location of  
Fortify Static Code Analyzer on the Security Content Management page.  
To change the advanced translation and scan options:  
1. From the Fortify extension menu, select Options.  
2. In the left pane, select Project Configuration.  
3. Select the Advanced Scan Options tab.  
4. Specify the scope of the advanced scan options by doing one of the following:  
- To configure the options for the projects in the open solution only, select Enable Project Specific Settings.
- To change the default scan options for all projects scanned from this Visual Studio instance, click Configure Defaults.
5. Select the Use Additional Static Code Analyzer Options check box and type Fortify Static  
Code Analyzer command-line options for either the translation or scan phase.  
Note: These options are also included in a Fortify ScanCentral SAST analysis.  
For detailed information about the available Fortify Static Code Analyzer options and the proper  
syntax, see the OpenText™ Fortify Static Code Analyzer User Guide.  
Under Local Scan Options, the Command-Line Preview box shows the complete Fortify Static  
Code Analyzer scan command line.  
6. (Optional) In the Build ID box, type a build ID for the scan.  
The default build ID is the name of the project or solution.  
7. To deactivate merging the results of the next scan you run with results from the previous scan,  
clear the Merge with Previous Scan check box.  
By default, when you rescan a project from Visual Studio, the scan merges results from the  
previous scan with the results from the new scan. This enables you to see specifically which  
issues have been fixed and which issues were introduced since the earlier scan.  
8. To perform a quick scan, select the Enable Quick Scan Mode check box.  
For information about quick scans, see "About Quick Scan Mode" on page 24.  
9. Click OK to save the advanced scan options.  
Scanning Projects or Solutions Locally  
Before you start the scan, save all files in the solution and make sure that the active solution  
configuration is valid for the projects loaded in the solution. If the configuration is invalid, Fortify  
Static Code Analyzer cannot successfully scan the solution and a message indicating that the  
configuration is invalid is written to the log file.  
Note: Fortify Static Code Analyzer runs scans in a Java Virtual Machine (JVM).  
To scan a solution or project on the local system, start the scan in one of the following ways:  
- To scan at the solution level, select Analyze Solution from the Fortify extension menu.
- To scan at the project level, select a project, and then select Analyze Project from the Fortify extension menu.
After the scan has finished, the Fortify Extension for Visual Studio displays the results in the auditing  
interface.  
You can now audit the analysis results in Visual Studio. For instructions, see "Auditing Issues" on  
page 58. If the codebase was audited before, results from the previous audit are automatically  
integrated with the new analysis results.  
By default, the analysis results are stored as an FPR file in the folder that contains the solution or  
project. To save this file to a different location, select Save Audit Project As from the Fortify  
extension menu.  
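The following Python script is an added example, not code from this guide or from Fortify, of what the Merge with Previous Scan option (see "Configuring Advanced Local Scan Options") and the automatic integration of a previous audit described above amount to. It assumes that issues are matched across scans by their Instance ID, and the sample results are constructed.

```python
from dataclasses import dataclass, field, replace
from typing import Dict, List, Optional, Tuple


@dataclass
class Issue:
    instance_id: str                  # the Instance ID shown on the Details tab
    category: str
    file: str
    line: int
    analysis: Optional[str] = None    # Audit tab Analysis tag, e.g. "Not an Issue"
    comments: List[str] = field(default_factory=list)
    removed: bool = False             # listed only under "Show Removed Issues"


def merge_with_previous(previous: List[Issue],
                        current: List[Issue]) -> Tuple[List[Issue], Dict[str, List[str]]]:
    """Combine a new scan's results with the previous audit project.

    Matching is by Instance ID (an assumption of this example). A matched issue
    keeps the new scan's location (the line may have moved) but carries over the
    earlier audit data (Analysis tag and comments). An issue that only the
    previous scan reported is kept and flagged as removed, which is what the
    "Show Removed Issues" visibility option lists as fixed. An issue that only
    the new scan reports was introduced since the earlier scan.
    Returns the merged issue list and a summary of the three groups.
    """
    prev_by_id = {issue.instance_id: issue for issue in previous}
    merged: List[Issue] = []
    summary: Dict[str, List[str]] = {"fixed": [], "introduced": [], "unchanged": []}

    for issue in current:
        old = prev_by_id.pop(issue.instance_id, None)
        if old is None:
            summary["introduced"].append(issue.instance_id)
            merged.append(issue)
        else:
            summary["unchanged"].append(issue.instance_id)
            # New location and metadata, previous audit decision and comments.
            merged.append(replace(issue, analysis=old.analysis,
                                  comments=list(old.comments)))

    # Whatever is left in prev_by_id was not found by the new scan.
    for old in prev_by_id.values():
        summary["fixed"].append(old.instance_id)
        merged.append(replace(old, removed=True))

    return merged, summary


# Constructed sample results; not output of a real Fortify scan.
PREVIOUS_SCAN = [
    Issue("0001", "Command Injection", "Run.cs", 42,
          analysis="Exploitable", comments=["needs fix"]),
    Issue("0002", "Path Manipulation", "Files.cs", 10, analysis="Not an Issue"),
    Issue("0003", "Dead Code", "Old.cs", 5),
]
NEW_SCAN = [
    Issue("0001", "Command Injection", "Run.cs", 47),   # same issue, line moved
    Issue("0002", "Path Manipulation", "Files.cs", 10),
    Issue("0004", "SQL Injection", "Db.cs", 88),        # introduced since last scan
]

if __name__ == "__main__":
    merged_issues, merge_summary = merge_with_previous(PREVIOUS_SCAN, NEW_SCAN)
    print(merge_summary)
    for merged_issue in merged_issues:
        print(merged_issue)
```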
About Scanning with Fortify ScanCentral SAST  
This section describes the requirements to use Fortify ScanCentral SAST to analyze your code and to  
upload the analysis results to Fortify Software Security Center.  
With Fortify Extension for Visual Studio, you can either:  
- Perform the entire analysis (translation and scan) with Fortify ScanCentral SAST
- Perform the translation locally and then automatically upload the translated project to Fortify ScanCentral SAST for the scan phase
You must translate the project or solution locally if it uses a language that Fortify ScanCentral  
SAST does not support for remote translation. For a list of languages supported with remote  
translation, see the Fortify Software System Requirements document.  
Make sure that the Fortify security content version on the local system is the same as the version  
on the Fortify ScanCentral sensor. Fortify strongly recommends that you periodically update the  
security content. For information about how to update the security content locally, see "Updating  
Security Content" on page 23. Use the fortifyupdate utility to update security content on the  
Fortify ScanCentral SAST sensor (see the OpenText™ Fortify Static Code Analyzer User Guide).  
To analyze your code with Fortify ScanCentral SAST, you need the following:
- A local copy of a Fortify ScanCentral SAST client.
  For information on how to obtain a Fortify ScanCentral SAST client, see "Requirements for
- A properly configured Fortify ScanCentral SAST installation
  Make sure the configuration for your Fortify ScanCentral SAST client is properly authorized with a client authentication token that matches the setting for the Fortify ScanCentral SAST Controller. For more information, see the OpenText™ Fortify ScanCentral SAST Installation, Configuration, and Usage Guide.
- To connect to Fortify ScanCentral SAST, you need either:
  - A ScanCentral SAST Controller URL
    Important! If the ScanCentral SAST Controller uses an SSL connection from an internal certificate authority or a self-signed certificate, you must add the certificate to the Java Keystore depending on the location of the Fortify ScanCentral SAST client:
    - Fortify Static Code Analyzer: <sca_install_dir>\jre\lib\security\cacerts
    - Fortify Applications and Tools: <tools_install_dir>\jre\lib\security\cacerts
    - Standalone Fortify ScanCentral SAST client: <java_home_dir>\lib\security\cacerts
  - A Fortify Software Security Center URL and an authentication token of type ToolsConnectToken
    To configure the Fortify Software Security Center URL, see "Configuring a Connection to Fortify
    token, see the OpenText™ Fortify Software Security Center User Guide.
To upload the analysis results to a Fortify Software Security Center server, you need the following:
- A Fortify Software Security Center URL or a ScanCentral SAST Controller that is integrated with a Fortify Software Security Center server
  Note: Fortify recommends that the Fortify Software Security Center URL configured in the Server Configuration options matches the Fortify Software Security Center server integrated with the ScanCentral SAST Controller.
- A Fortify Software Security Center authentication token of type ToolsConnectToken
  For instructions on how to create an authentication token, see the OpenText™ Fortify Software Security Center User Guide.
- An application and application version that exists in Fortify Software Security Center
- Permission to access the application and application version to which you want to upload
Configuring Fortify ScanCentral SAST Options  
This section describes how to configure the default Fortify ScanCentral SAST options to use when  
you submit a solution or project for analysis to Fortify ScanCentral SAST. You can specify how to  
connect to the ScanCentral SAST Controller, the sensor pool selection, and whether to upload analysis  
results to Fortify Software Security Center. To change the analysis options and perform a scan for a  
To configure the Fortify ScanCentral SAST options:  
1. From the Fortify extension menu, select Options.  
2. To configure the Fortify ScanCentral SAST client location:  
a. In the left pane, select Security Content Management.  
b. To the right of the Fortify Executable Path box, click Browse, and do one of the following:  
  - If you installed Fortify Static Code Analyzer that includes an embedded Fortify ScanCentral SAST client, select <sca_install_dir>\bin\sourceanalyzer.exe.
  - To select a client installed with Fortify Applications and Tools, change the file type to ScanCentral, and then select <tools_install_dir>\bin\scancentral.bat.
  - To select a client installed in a different location, change the file type to ScanCentral, and then select scancentral.bat.
3. In the left pane, select ScanCentral SAST Configuration.  
4. To specify how to connect to Fortify ScanCentral SAST, do one of the following:  
- Select Use Controller URL, and then in the Controller URL box, type the URL for the ScanCentral SAST Controller.
  Example: https://<controller_host>:<port>/scancentral-ctrl
  Tip: Click Test Controller Connection to confirm that the URL is valid and the Controller is accessible.
- Select Get Controller URL from SSC, and then in the Token box, paste the value for an authentication token of type ToolsConnectToken.
  Make sure that you have the Fortify Software Security Center URL that is associated with the ScanCentral SAST Controller provided in the Server Configuration options (see "Configuring
  Tip: Click Test SSC Connection to confirm that the URL and token are valid and the server is accessible.
5. To upload the analysis results to Fortify Software Security Center, select the Send Scan Results  
to SSC check box.  
- In the Token box, paste the value for an authentication token of type ToolsConnectToken.
Note: If you connect to Fortify ScanCentral SAST using a Controller URL, Fortify  
Extension for Visual Studio uploads analysis results to the Fortify Software Security  
Center server specifically integrated with the ScanCentral SAST Controller.  
6. (Optional) To specify Fortify Static Code Analyzer command-line options for the translation or  
scan phase:  
Important! To specify Fortify Static Code Analyzer command-line options, you must have a  
local installation of Fortify Static Code Analyzer that includes an embedded Fortify  
ScanCentral SAST client specified on the Security Content Management page.  
a. Click Advanced Scan Options.  
The Project Configuration page opens to the Advanced Scan Options tab.  
b. Select the Use Additional Static Code Analyzer Options check box and type Fortify Static  
Code Analyzer command-line options for the translation or scan phase.  
For detailed information about the available Fortify Static Code Analyzer options and the  
proper syntax, see the OpenText™ Fortify Static Code Analyzer User Guide.  
c. In the left pane, select ScanCentral SAST Configuration to return to the Fortify ScanCentral  
SAST option configuration.  
7. Under Sensor Pool, specify whether to use the default sensor pool or be provided a list of sensor  
pools to choose from when you start a scan with Fortify ScanCentral SAST.  
8. (Optional) In the Notification Email box, type an email address to receive job status notifications.
9. Click OK to save your configuration.  
Scanning Projects or Solutions with Fortify ScanCentral SAST  
Before you can scan your project or solution with Fortify ScanCentral SAST, you must configure the  
Fortify ScanCentral SAST options as described in "Configuring Fortify ScanCentral SAST Options" on  
the previous page. In addition, make sure that the active solution configuration is valid for the  
projects loaded in the solution. If the configuration is invalid, Fortify Static Code Analyzer cannot  
successfully scan the solution and Fortify Extension for Visual Studio writes a message to indicate  
that the configuration is invalid to the log file.  
To scan at the solution level with custom Fortify ScanCentral SAST options for this solution, see  
To scan a project or solution with Fortify ScanCentral SAST:  
1. Start the scan by doing one of the following:  
- To perform a remote translation and remote scan, select one of the following from the Fortify extension menu:
  - ScanCentral > Remote > Upload Solution
  - ScanCentral > Remote > Upload Project
- To perform a local translation and remote scan, select one of the following from the Fortify extension menu:
  - ScanCentral > Local > Upload Solution
  - ScanCentral > Local > Upload Project
Note: If Fortify Static Code Analyzer is not installed locally, then the Local menu command is  
not available.  
2. If prompted, select the application version where you want to upload the analysis results, and  
then click OK.  
3. If prompted, select a sensor pool from the Select Sensor Pool dialog box, and then click OK.  
To view the analysis results, you can either:  
- Copy the provided job token and use it in the Fortify ScanCentral SAST client command-line to retrieve the analysis results (FPR) file from the Fortify ScanCentral SAST Controller (see the OpenText™ Fortify ScanCentral SAST Installation, Configuration, and Usage Guide for instructions), and then open it in Visual Studio (see "Opening Audit Projects" on page 82).
- If you uploaded the analysis results to Fortify Software Security Center, you can check the status of the job (and view the results) on the Fortify Software Security Center server. After the scan is complete, you can open the analysis results in Fortify Extension for Visual Studio (see either
Advanced Scanning of Solutions with Fortify ScanCentral SAST  
You can customize the Fortify ScanCentral SAST scan configuration for the current solution. You can  
adjust the translation type (local or remote), Fortify Static Code Analyzer options for translation and  
scan, whether to upload analysis results to Fortify Software Security Center, and the sensor pool  
selection.  
To run a customized scan using Fortify ScanCentral SAST:  
1. From the Fortify extension menu, select ScanCentral > Advanced Scan.  
Any existing Fortify ScanCentral SAST configuration options are displayed in the ScanCentral  
SAST Advanced Scan dialog box.  
2. Specify where to run the translation phase of the analysis by selecting one of the following:  
- Local—Run the translation phase on the local system and the scan phase with Fortify ScanCentral SAST.
- Remote—Run the entire analysis using Fortify ScanCentral SAST.
3. To specify Fortify Static Code Analyzer command-line options for the translation or scan phase,  
under Static Code Analyzer Options, type command-line options for the translation and scan  
phase.  
For detailed information about the available Fortify Static Code Analyzer options and the proper  
syntax, see the OpenText™ Fortify Static Code Analyzer User Guide.  
4. To upload the analysis results to Fortify Software Security Center, select the Send Scan Results  
to SSC check box.  
Note: If this check box is not available, you must first configure an authentication token in  
the ScanCentral SAST Configuration options (see "Configuring Fortify ScanCentral SAST  
5. Specify whether to use the default sensor pool or be prompted to select a sensor pool from a list.  
6. Click Scan.  
7. If prompted, select the application version where you want to upload the analysis results, and  
then click OK.  
8. If prompted, select a sensor pool from the Select Sensor Pool dialog box, and then click OK.  
To view the analysis results, you can either:  
- Copy the provided job token and use it in the Fortify ScanCentral SAST client command-line to retrieve the analysis results (FPR) file from the Fortify ScanCentral SAST Controller (see the OpenText™ Fortify ScanCentral SAST Installation, Configuration, and Usage Guide for instructions), and then open it in Visual Studio (see "Opening Audit Projects" on page 82).
- If you uploaded the analysis results to Fortify Software Security Center, you can check the status of the job (and view the results) on the Fortify Software Security Center server. After the scan is complete, you can open the analysis results in Fortify Extension for Visual Studio (see either
Viewing Analysis Results  
After a scan has been performed (or after you open an existing audit project), a summary of the  
analysis results is displayed in the Analysis Results window and in the Project Summary window. The  
Analysis Trace and Issue Auditing windows are open, but do not contain any information until you  
select an issue from the Analysis Results window.  
| Window | More Information |
| --- | --- |
| Analysis Trace | See "Analysis Trace Window" on page 38 |
| Issue Auditing | See "Issue Auditing Window" on page 40 |
Analysis Results Window  
The Analysis Results window enables you to group, filter, and select the issues you want to audit.  
Filter Sets  
The selected filter set controls which issues the Analysis Results window displays. The filter set  
determines the number and types of containers (folders) and how issues are displayed.  
Each project can have unique sets because the filter sets are saved in an audit project results file.  
The filter sets sort the issues into Critical, High, Medium, and Low folders, based on potential  
severity. All default filter sets have the same sorting mechanism.  
The Fortify Extension for Visual Studio provides the following filter sets:  
- Quick View—This is the default filter set for new projects. The Quick View filter set provides a view only of issues in the Critical folder (these have a potentially high impact and a high likelihood of occurring) and the High folder (these have a potentially high impact and a low likelihood of occurring). The Quick View filter set provides a useful first look at results that enables you to quickly address the most serious issues.
- Security Auditor View—This view shows all security issues detected. The Security Auditor View filter contains no visibility filters, and therefore all issues are shown.
If you open an FPR file that contains no custom filtertemplate.xml file, or if you open an FVDL file
or a webinspect.xml file, the audit project results open with the Quick View filter set selected.
For information about how to create your own filter sets, see "Creating a Filter Set" on page 64.  
Folders (Tabs)  
The tabs on the Analysis Results window are called folders. You can customize the settings for the  
color-coded folders. The number of folders, names, colors, and the issue list can vary between filter  
sets and audit projects. For information about how to create your own folders, see "Creating a Folder"  
Within each color-coded folder, issues are grouped into subfolders. At the end of each folder name,  
enclosed in brackets, is the number of audited issues and the total number of issues in the folder. For  
example, a folder with the name Command Injection - [1 / 3] indicates that one issue out of three  
categorized as Command Injection has been audited.  
Each folder contains a list of issues. An issue is sorted into a folder if its attributes match the folder  
filter conditions. One folder in each filter set is the default folder, indicated by (default) in the
folder name. If an issue does not match any of the folder filters, the issue is listed in the default folder.  
Note: To show or hide suppressed, hidden, and removed issues, select a setting from the  
Visibility list. For more information, see "Customizing the Issues Display" below.  
Group By List  
The Group by selection sorts the issue list into subfolders. The selected attribute is applied to all  
visible folders. Select <none> from the Group by list to display all issues in the folder without any  
grouping. The group by settings are for the application instance. You can apply the grouping  
attribute to any audit project opened with that instance of the application.  
You can customize the existing groups by changing which attributes the groups are sorted by, adding  
or removing the attributes to create sub-groupings, and adding your own grouping.  
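The following Python script is an added example, not code from this guide or from the Fortify product. It models how the filter sets, the folder counts, the Visibility list, and the Group by setting described above combine to produce what the Analysis Results window lists. The 0-5 scale for impact and likelihood, the 2.5 cut-off between the priority folders, and the sample issues are assumptions of the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Priority folders as the guide describes them: Critical = high impact and high
# likelihood, High = high impact and low likelihood. Medium and Low are the two
# remaining (low impact) combinations. Impact and likelihood are taken as 0-5
# priority metadata values; the 2.5 cut-off is an assumption of this example.
PRIORITY_THRESHOLD = 2.5

# Filter set -> folders (tabs) it shows. Quick View shows only Critical and High;
# Security Auditor View has no visibility filters, so every folder is shown.
FILTER_SETS = {
    "Quick View": ("Critical", "High"),
    "Security Auditor View": ("Critical", "High", "Medium", "Low"),
}


@dataclass
class Issue:
    instance_id: str                 # Instance ID from the Details tab
    category: str
    impact: float
    likelihood: float
    analysis: Optional[str] = None   # Audit tab Analysis tag; None = not audited yet
    suppressed: bool = False
    hidden: bool = False
    removed: bool = False


def priority_folder(issue: Issue) -> str:
    """Sort an issue into Critical, High, Medium, or Low by impact and likelihood."""
    high_impact = issue.impact >= PRIORITY_THRESHOLD
    high_likelihood = issue.likelihood >= PRIORITY_THRESHOLD
    if high_impact and high_likelihood:
        return "Critical"
    if high_impact:
        return "High"
    if high_likelihood:
        return "Medium"
    return "Low"


def is_visible(issue: Issue, show_suppressed: bool = False,
               show_hidden: bool = False, show_removed: bool = False) -> bool:
    """Apply the Visibility list settings from the Analysis Results toolbar."""
    if issue.suppressed and not show_suppressed:
        return False
    if issue.hidden and not show_hidden:
        return False
    if issue.removed and not show_removed:
        return False
    return True


def folder_name(group: str, issues: List[Issue]) -> str:
    """Label in the guide's format, e.g. 'Command Injection - [1 / 3]'
    (audited issues / total issues)."""
    audited = sum(1 for issue in issues if issue.analysis is not None)
    return f"{group} - [{audited} / {len(issues)}]"


def analysis_results_view(issues: List[Issue], filter_set: str = "Quick View",
                          group_by: Optional[str] = "category",
                          **visibility: bool) -> Dict[str, Dict[str, List[str]]]:
    """Return {folder: {subfolder label: [instance IDs]}} as the window lists them.

    group_by is an Issue attribute name used for the subfolders, or None for the
    '<none>' Group by setting (all issues of a folder under one label).
    """
    folders = {name: defaultdict(list) for name in FILTER_SETS[filter_set]}
    for issue in issues:
        if not is_visible(issue, **visibility):
            continue
        folder = priority_folder(issue)
        if folder not in folders:
            continue  # this filter set does not show the folder
        group = getattr(issue, group_by) if group_by else folder
        folders[folder][group].append(issue)
    return {
        folder: {folder_name(group, members): [i.instance_id for i in members]
                 for group, members in groups.items()}
        for folder, groups in folders.items()
    }


# Constructed sample results; not output of a real Fortify scan.
SAMPLE_ISSUES = [
    Issue("A1", "Command Injection", 5.0, 4.0, analysis="Exploitable"),
    Issue("A2", "Command Injection", 5.0, 3.0),
    Issue("A3", "Command Injection", 4.0, 2.5),
    Issue("B1", "Path Manipulation", 4.0, 1.0),
    Issue("C1", "Dead Code", 1.0, 4.0),
    Issue("D1", "Poor Style", 0.5, 1.0, suppressed=True),
]

if __name__ == "__main__":
    for name in FILTER_SETS:
        print(name, analysis_results_view(SAMPLE_ISSUES, name))
```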
Customizing the Issues Display  
You can customize the issues displayed in the Analysis Results window. Determine which issues it  
displays by selecting an option from the Visibility list in the Analysis Results toolbar.  
The visibility options are as follows:  
- Show Removed Issues—Shows all the issues you have removed or fixed. If you merged audit data into your current audit project, shows all the issues that were removed since the previous analysis.
- Show Suppressed Issues—Shows all the issues that you have suppressed.
- Show Hidden Issues—Shows all the issues that have been hidden.
- Show My Issues—Shows only your issues.
- Use Short File Name—References the issues in the Issues view by file name only, instead of by relative path. This option is enabled by default.
Viewing Project Summary Information  
The Project Summary window provides detailed information about the scan.  
To open the Project Summary dialog box:  
1. Open an audit project file (FPR, FVDL, or XML).  
2. From the Fortify extension menu, select Project Summary.  
The following table describes the information provided on the Project Summary tabs.
| Tab | Description |
| --- | --- |
| Summary | Displays high-level audit project information. |
| Certification | Displays the certification status for the analysis results. Results certification is a check to ensure that the analysis results have not been altered after Fortify Static Code Analyzer produced them. |
| Build Information | Displays the following information: build details including the build ID, build label, number of files scanned, lines of code, and the date of the scan, which might be different than the date the files were translated; the list of files scanned with file sizes and timestamps; and the libraries referenced in the scan. |
| Analysis Information | Displays the version of Fortify Static Code Analyzer that performed the scan, details about the computer on which the scan was run, and the user who started the scan. The Analysis Information subtabs contain the following information: Security Content (lists information about the Rulepacks, including the Rulepack name, version, ID, and SKU, and the external metadata used in the scan); Properties (displays the Fortify Static Code Analyzer configuration properties used in the scan); Commandline Arguments (displays the command-line options used in the scan); Warnings (lists all errors and warnings that occurred during the scan). |
Analysis Trace Window  
When you select an issue, the Analysis Trace window displays the trace that the analyzer used to  
detect the issue.  
This trace is presented in sequential order. For dataflow issues, this trace is a presentation of the path  
that the tainted data follows from the source function to the sink function. For example, when you  
select an issue that is related to potentially tainted dataflow, the Analysis Trace window shows the  
direction of the dataflow in this section of the source code.  
The Analysis Trace window uses icons to show how the dataflow moves in this section of the source
code or execution order. The icon images are not reproduced in this text; the icons have the following meanings:
- Data is assigned to a field or variable
- Information is read from a source external to the code (HTML form, URL, and so on)
- Data is assigned to a globally scoped field or variable
- A comparison is made
- The function call receives tainted data
- The function call returns tainted data
- Passthrough, tainted data passes from one parameter to another
  Note: This is typically shown as functionA(x : y) to indicate that data is transferred from x to y. The x and y values are either:
  - An argument index
  - return—The return value of a function
  - this—The instance of the current object
  - A specific object field or key
- An alias is created for a memory location
- Data is read from a variable
- Data is read from a global variable
- Tainted data is returned from a function
- A pointer is created
- A pointer is dereferenced
- The scope of a variable ends
- The execution jumps
- A branch is taken in the code execution
- A branch is not taken in the code execution
- Generic
- A runtime source, sink, or validation step
- Taint change
The Analysis Trace window can contain inductions. Inductions provide supporting evidence for their  
parent nodes. Inductions consist of:  
l
A text node displayed in italics as a child of the trace node. This text node is expanded by default.  
l
An induction trace, displayed as a child of the text node.  
To display the induction reference information for that induction, click it.  
Issue Auditing Window  
The Issue Auditing window displays detailed information about each issue on the following tabs:
- The Audit tab displays information about the selected issue and enables auditors to add an audit evaluation, comments, and custom tag values.
The following table describes the elements of the Audit tab.
| Element | Description |
| --- | --- |
| Issue | Displays the issue location, which includes the file name and line number. |
| Analysis | Lists values that the auditor can use to assess the issue. Valid values for the Analysis tag are Not an Issue, Reliability Issue, Bad Practice, Suspicious, and Exploitable. |
| <custom_tagname> | Displays any custom tags if defined for the audit project. If the audit results have been submitted to OpenText™ Fortify Audit Assistant in Fortify Software Security Center, then in addition to any other custom tags, the tab displays the following tags: AA_Prediction (exploitability level that Fortify Audit Assistant assigned to the issue; you cannot change this tag value); AA_Confidence (confidence level from Fortify Audit Assistant for the accuracy of its AA_Prediction value; you cannot change this tag value); AA_Training (whether to include or exclude the issue from Fortify Audit Assistant training; you can change this value). For more information about Fortify Audit Assistant tags, see the OpenText™ Fortify Software Security Center User Guide. |
| Suppress | Suppresses the issue. |
| File Bug | Provides access to a supported bug tracking system, such as Azure DevOps Server. For a list of supported bug tracking systems, see the Fortify Software System Requirements document. |
| Comments | Submits additional information about the issue as a comment. |
| Rule Information | Shows information, such as the category and kingdom, that describes the issue. |
| More Information | Opens the Details tab. |
| Recommendations | Opens the Recommendations tab. |
For information about auditing, see "Auditing Issues" on page 58.  
- The Details tab provides a detailed description of the selected issue and offers guidelines to address it.
  The Details tab includes some or all the sections described in the following table.
  | Section | Description |
  | --- | --- |
  | Abstract/Custom Abstract | Summary of the issue, including any custom abstracts defined by your organization. |
  | Explanation/Custom Explanation | Description of the conditions in which this type of issue occurs. This includes a discussion of the vulnerability, the constructs typically associated with it, how an attacker can exploit it, and the potential consequences of an attack. This section also includes any custom explanations defined by your organization. |
  | Instance ID | Unique identifier for the issue. |
  | Primary Rule ID | Identifies the primary rule that found the issue. |
  | Priority Metadata Values | Priority metadata values for this issue, including impact and likelihood. |
  | Legacy Priority Metadata Values | Legacy priority metadata values for the issue, including severity and confidence. |
• The Recommendations tab provides suggestions and examples of how to secure the vulnerability or remedy the bad practice. The recommendations include some or all the sections described in the following table.
Section
    Description
Recommendations/Custom Recommendations
    Describes possible solutions for the selected issue. It can also include examples and recommendations defined by your organization.
Tips/Custom Tips
    Provides useful information specific to the selected issue, and any custom tips defined by your organization.
References/Custom References
    Lists references for the recommendations provided, including any custom references defined by your organization.
• The History tab displays a complete list of audit actions, including details such as the date and time, and the name of the user who modified the issue.
• The Diagram tab displays a graphical representation of the node execution order, call depth, and expression type of the selected issue. This tab displays information that is relevant to the rule type. The vertical axis represents the execution order.
For dataflow issues, the trace starts with the first function to call the taint source, then traces the calls to the source (blue node) and ends the trace at the sink (red node). In the diagram, the source (src) and sink nodes are also labeled. A red X on a vertical axis indicates that the function called finished executing.
The horizontal axis shows the call depth. A line shows the direction that control is passed. If control passes with tainted data traveling through a variable, the line is red; when it passes without tainted data, the line is black.
The icons used for the expression type of each node in the diagram are the same icons used in the Analysis Trace window. For a description of the icons, see "Analysis Trace Window" on page 38.
• The Filters tab displays all the filters in the selected filter set.
The following table describes the options to create new filters.
Option
    Description
Filters
    Displays a list of the visibility and folder filters configured in the selected filter set, where:
    • Visibility Filters show or hide issues
    • Folder Filters sort the issues into the folder tabs in the Analysis Results window
    Right-click a filter to show issues that match the filter or to enable, disable, copy, or delete it.
If
    Displays the conditions for the selected filter. The first list displays issue attributes, the second list specifies how to match the attribute, and the third is the value the filter matches.
Then
    Indicates the filter type, where Hide Issue is a visibility filter and Set Folder to is a folder filter.
For information about creating filters, see "Creating a Filter from the Filters Tab" on page 65.
Code Editor  
The Code Editor shows the section of code related to the issue selected in the Analysis Results  
window. When multiple nodes represent an issue in the Analysis Trace window, the Code Editor shows  
the code associated with the selected node.  
Grouping Issues  
The items visible in the Analysis Results window vary depending on the selected grouping attribute.  
The value you select from the Group by list sorts issues in all visible folders into subfolders. The  
grouping attributes enable you to group and view the issues in different ways.  
You can view issues using any of the grouping attributes, and you can create and edit customized  
groups. The following table describes the standard grouping attributes.  
Attribute
    Description
Analysis
    Groups issues by the analysis tag value assigned, such as Suspicious, Exploitable, and Not an Issue.
Analysis Type
    Groups issues by analyzer product, such as SCA, WEBINSPECT, and SECURITYSCOPE (OpenText™ Fortify WebInspect).
Analyzer
    Groups issues by analyzer group, such as Control Flow, Data Flow, Semantic, and Structural.
App Defender Protected
    Groups issues by whether Application Defender can protect the vulnerability category.
Category
    Groups issues by vulnerability category. This is the default setting.
Category Analyzer
    Groups issues by category and then by analyzer.
<custom_tagname>
    Groups issues by selected custom tag.
File Name
    Groups issues by file name.
Fortify Priority Order
    Groups issues as Critical, High, Medium, and Low based on the combined values of Fortify Static Code Analyzer impact and likelihood.
Kingdom
    Groups issues by the Seven Pernicious Kingdoms classification.
<metadata_listname>
    Groups issues using the alternative metadata external list names (for example, OWASP Top 10 <year>, CWE, PCI SSF <version>, STIG <version>, and so on).
New Issue
    Shows which issues are new since the last scan. For example, if you run a new scan, any issues that are new display in the tree under the New Issue subfolder and the others are displayed in the Existing Issue subfolder. Issues not found in the latest scan are displayed in the Removed subfolder.
    Note: If you are remediating results that reside in Fortify Software Security Center, these subfolders are named NEW, UPDATED, and REMOVED, respectively.
New Issue by Category
    Groups issues that are new since the last scan and then by category.
Package
    Groups issues by package or namespace. Does not appear for projects for which this option is not applicable, such as C projects.
Priority by Category
    Groups issues by Fortify Priority Order and then by category.
Sink
    Groups issues that share the same dataflow sink functions.
Source
    Groups issues that share the same dataflow source functions.
Taint Flag
    Groups issues by the taint flags that they contain.
<none>
    Displays a flat view without any grouping.
See Also  
Creating a Custom Group By Option  
You can create a custom Group By option that groups issues in a hierarchical format in sequential  
order based on specific attributes.  
To create a new Group By option:  
1. From the Group by list, select <Edit>.  
The Edit Custom Groupings dialog box opens.  
2. To create a grouping from a provided set of group types, select a grouping type from the  
Grouping Types list.  
For example, selecting Category Analyzer group type creates a list that has top-level nodes that  
contain the category of the issue, such as Buffer Overflow, with the issues grouped below by  
analyzer, such as semantic, or dataflow, followed by the issues.  
-Buffer Overflow [0/2]  
--DataFlow [0/1]  
----Main.cs:234  
-+Semantic [0/1]  
3. To create a custom group by option, select Create New from the Grouping Types list, and then  
do the following:  
a. In the Create New dialog box, type a group name, and then click OK.  
b. From the list on the left, select a grouping type, and then click the right arrow to move the  
option to the Grouping Order column.  
c. Repeat step b to select additional grouping types.  
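The Category Analyzer tree shown above is one instance of the general rule a custom Group By option defines: nest the issues by each attribute in the Grouping Order, in turn. The following Python example is added here and is not code from the extension or this guide; it builds that nested view for any attribute sequence over a few constructed issue records and prints it in the same dash-prefixed layout. It assumes the bracketed counts are audited issues over total issues, which the guide does not state.

```python
# Constructed sample issues (not real scan output); an issue is treated as
# audited when its Analysis tag has a value (an assumption about the [x/y] counts).
ISSUES = [
    {"category": "Buffer Overflow", "analyzer": "DataFlow", "file": "Main.cs", "line": 234, "analysis": None},
    {"category": "Buffer Overflow", "analyzer": "Semantic", "file": "Util.cs", "line": 12, "analysis": None},
    {"category": "SQL Injection", "analyzer": "DataFlow", "file": "Db.cs", "line": 88, "analysis": "Exploitable"},
    {"category": "SQL Injection", "analyzer": "DataFlow", "file": "Db.cs", "line": 91, "analysis": None},
]


def group_issues(issues, order):
    """Nest issues by each attribute in `order` (the Grouping Order column), in turn.

    Returns a dict of dicts whose leaves are lists of issues; an empty order
    gives the flat <none> view.
    """
    if not order:
        return list(issues)
    buckets = {}
    for issue in issues:
        buckets.setdefault(issue[order[0]], []).append(issue)
    return {key: group_issues(bucket, order[1:]) for key, bucket in sorted(buckets.items())}


def count(node):
    """Return (audited, total) for a subtree; assumed to be what [x/y] displays."""
    if isinstance(node, list):
        return sum(1 for i in node if i["analysis"] is not None), len(node)
    audited = total = 0
    for child in node.values():
        a, t = count(child)
        audited, total = audited + a, total + t
    return audited, total


def render(node, depth=1):
    """Render the tree in the dash-prefixed layout of the guide's example."""
    if isinstance(node, list):
        # Leaf issues get two more dashes than their group, as in "----Main.cs:234".
        return ["-" * (depth + 1) + f"{i['file']}:{i['line']}" for i in node]
    lines = []
    for key, child in node.items():
        audited, total = count(child)
        lines.append("-" * depth + f"{key} [{audited}/{total}]")
        lines.extend(render(child, depth + 1))
    return lines


if __name__ == "__main__":
    # Same grouping as the guide's Category Analyzer example.
    print("\n".join(render(group_issues(ISSUES, ["category", "analyzer"]))))
```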
Searching for Issues  
In the Analysis Results window, use the search box located below the issue list to find specific issues  
and to limit the issues displayed in a folder. After you type a search term, the label next to the folder  
name changes to indicate the number of issues that match the search as a subset of the total.  
To perform a simple search, do one of the following:  
• Type a search query in the search box, and then press Enter.
• To select a search term you used previously (during the current session), click the arrow in the search box, and then select a search term from the list. Fortify Extension for Visual Studio discards saved search terms after you exit Visual Studio.
The Analysis Results window displays the search results.  
See Also  
Performing Advanced Searches  
You can use the advanced search feature to build complex search strings.  
Note: Advanced search is not available when you remediate audit results that are stored in  
Fortify Software Security Center.  
To use the advanced search feature:  
1. To the right of the search box, click Advanced Search.
The Advanced Search dialog box opens.
2. From the first list on the left, select a modifier.  
To specify an unqualified search term, select Any Attribute from the modifier list.  
3. From the middle list, select a comparison term.  
4. In the box on the right, either type a search term, or select one from the list.  
The search term list includes the known values in the current scan for the specified modifier.  
However, you can type any value into this box.  
5. To add an AND or OR row to the query, click Add Criteria.
6. To set the operator, click either AND or OR.
7. Specify the modifier, comparison term, and search term.  
8. Add as many rows as you need for the search query.  
9. To remove a row, to the right of the row, click Delete.
10. To remove all rows, at the bottom of the dialog box, click Clear.  
11. To submit your completed search query, click Find.  
Note: Find is only enabled after you create a complete search query.  
Search Syntax  
To indicate the type of comparison to perform, wrap the search terms with delimiters. The following  
table shows the syntax to use for the search string.  
Comparison
    Description
contains
    Searches for a term without any qualifying delimiters
equals
    Searches for an exact match if the term is wrapped in quotation marks ("")
regex
    Searches for values that match a Java-style regular expression delimited by a forward slash (/)
    Example: /eas.+?/
    Note: This search comparison is not available when you remediate audit results stored in Fortify Software Security Center.
number range
    Searches for a range of numbers using the standard mathematical interval notation of parentheses and/or brackets to indicate whether the endpoints are excluded or included, respectively.
    Example: (2,4] indicates greater than two and less than or equal to four
not equals
    Excludes issues specified by the string by preceding the string with an exclamation character (!)
    Example: file:!Main.java returns all issues that are not in Main.java.
You can further qualify search terms with modifiers. The syntax for using a modifier is  
<modifier>:<search_term>. For more information, see "Search Modifiers" below.  
A search string can contain multiple modifiers and search terms. If you specify more than one modifier, the search returns only issues that match all the modified search terms. For example, file:ApplicationContext.java category:SQL Injection returns only SQL injection issues found in ApplicationContext.java.
If you use the same modifier more than once in a search string, then the search terms qualified by those modifiers are treated as an OR comparison. For example, file:ApplicationContext.java category:SQL Injection category:Cross-Site Scripting returns SQL injection issues and cross-site scripting issues found in ApplicationContext.java.
For complex searches, you can also insert the AND or the OR keyword between your search queries.  
Note that AND and OR operations have the same priority in searches.  
Search Modifiers  
You can use a search modifier to specify to which issue attribute the search term applies. To use a  
modifier that contains a space in the name, such as the name of the custom tag, you must enclose the  
modifier in brackets. For example, to search for issues that are new, type [issue age]:new.  
A search that is not qualified by a modifier matches the search string on the following attributes:  
kingdom, primary rule id, analyzer, filename, severity, class name, function name, instance id, package,  
confidence, type, subtype, taint flags, category, sink, and source.  
The following examples describe using the search with and without applying a search modifier:  
• To apply the search to all modifiers, type a string, such as control flow. This searches all the modifiers and returns any results that contain the “control flow” string.
• To apply the search to a specific modifier, type the modifier name and the string as follows: analyzer:control flow. This returns all results detected by the Control Flow Analyzer.
The following table lists descriptions of the search modifiers. A few modifiers have a shortened  
modifier name indicated in parentheses in the Modifier column. You can use either modifier name.  
Search Modifier (Issue Attribute)
    Description
accuracy
    Searches for issues based on the accuracy value specified (0.1 through 5.0).
analysis
    Searches for issues that have the specified audit analysis value such as exploitable, not an issue, and so on.
[analysis type]
    Searches for issues by analyzer product such as SCA and WEBINSPECT.
analyzer
    Searches the issues for the specified analyzer such as control flow, data flow, structural, and so on.
[app defender protected] (def)
    Searches for issues based on whether Application Defender can protect the vulnerability category (protected or not protected).
audience
    Searches for issues based on intended audience such as dev, targeted, medium, broad, and so on.
    Note: This metadata is legacy information that is no longer used and will be removed in a future release. Fortify recommends that you do not use this search modifier.
audited
    Searches the issues to find true if the primary tag is set and false if the primary tag is not set. The default primary tag is the Analysis tag.
category (cat)
    Searches for the given category or category substring.
class
    Searches for issues based on the specified class name.
comments (comment, com)
    Searches the comments submitted on the issue.
commentuser
    Searches for issues with comments from a specified user.
confidence (con)
    Searches for issues that have the specified confidence value. Fortify Static Code Analyzer calculates the confidence value based on the number of assumptions made in code analysis. The more assumptions made, the lower the confidence value.
<custom_tagname>
    Searches for issues based on the value of the specified custom tag.
    You can search a list-type custom tag using a range of values. The values of a list-type custom tag are an enumerated list where the first value is 0, the second is 1, and so on. You can use the search syntax for a range of numbers to search for ranges of list-type custom tag values. For example, analysis:[0,2] returns the issues that have the values of the first three Analysis values, 0, 1, and 2 (Not an Issue, Reliability Issue, and Bad Practice).
    To search for a specific date in a date-type custom tag, specify the date in the format: yyyy-mm-dd.
    To search for issues that have no value set for a custom tag, use <none> as the search term. For example, to search for all issues that have no value set in the custom tag labeled Target Date, type: [Target Date]:<none>.
dynamic
    Searches for issues that have the specified dynamic hot spot ranking value.
file
    Searches for issues where the primary location or sink node function call occurs in the specified file path.
[fortify priority order]
    Searches for issues that have a priority level that matches the specified issue priority. Valid values are critical, high, medium, and low.
historyuser
    Searches for issues that have audit data modified by the specified user.
impact
    Searches for issues based on the impact value specified (0.1 through 5.0).
[instance id]
    Searches for an issue based on the specified instance ID.
[issue age]
    Searches for the issue age, which is new, updated, reintroduced, or removed.
[issue state]
    Searches for audited issues based on whether the issue is an open issue or not an issue (determined by the level of analysis set for the primary tag).
kingdom
    Searches for all issues in the specified kingdom.
likelihood
    Searches for issues based on the specified likelihood value (0.1 through 5.0).
line
    Searches for issues on the primary location line number. For dataflow issues, the value is the sink line number. Also see
maxconf
    Searches for all issues that have a confidence value up to and including the number specified as the search term.
minconf
    Searches for all issues that have a confidence greater than or equal to the specified value.
<metadata_listname>
    Searches for issues based on the value of the specified metadata external list. Metadata external lists include [owasp top ten <year>], [cwe top 25 <version>], [pci ssf <version>], [stig <version>], and others.
package
    Searches for issues where the primary location occurs in the specified package or namespace. (For dataflow issues, the primary location is the sink function.)
[primary context]
    Searches for issues where the primary location or sink node function call occurs in the specified code context. Also see
primary
    Searches for issues that have the specified primary tag value. By default, the primary tag is the Analysis tag.
primaryrule (rule)
    Searches for all issues related to the specified sink rule.
probability
    Searches for issues based on the probability value specified (1.0 through 5.0).
[remediation effort]
    Searches for issues based on the remediation effort value specified. The valid values are whole numbers from 1.0 to 12.0.
ruleid
    Searches for all issues reported by the specified rule IDs used to generate the issue source, sink, and all passthroughs.
severity (sev)
    Searches for issues based on the specified severity value (legacy metadata).
sink
    Searches for issues that have the specified sink function name.
source
    Searches for dataflow issues that have the specified source function name. Also see "[source context]" below.
[source context]
    Searches for dataflow issues that have the source function call contained in the specified code context. Also see "source".
sourcefile
    Searches for dataflow issues with the source function call that the specified file contains. Also see "file" on page 52.
sourceline
    Searches for dataflow issues having taint source entering the flow on the specified line. Also see "line" on the previous page.
status
    Searches issues that have the status reviewed, unreviewed, or under review.
suppressed
    Searches for suppressed issues.
taint
    Searches for issues that have the specified taint flag.
trace
    Searches for issues that have the specified string in the dataflow trace.
tracenode
    Enables you to search on the nodes within an issue’s analysis trace. Each tracenode search value is a concatenation of the tracenode’s file path, line number, and additional information.
tracenodeallpaths
    Searches for the specified value in all the steps of the analysis trace.
url
    Searches for issues based on the specified URL.
user
    Searches for issues assigned to the specified user.
Search Query Examples  
The following table contains search query examples.  
Search Target
    Query
All privacy violations in file names that contain jsp with getSSN() as a source
    category:privacy violation source:getssn file:jsp
All file names that contain com/test/123
    file:com/test/123
All paths that contain traces with mydbcode.sqlcleanse as part of the name
    trace:mydbcode.sqlcleanse
All paths that contain traces with cleanse as part of the name
    trace:cleanse
All issues that contain cleanse as part of any modifier
    cleanse
All suppressed vulnerabilities with asdf in the comments
    suppressed:true comments:asdf
All categories except for SQL Injection
    category:!SQL Injection
All issues that have a value specified for a custom tag labeled version
    version:!<none>
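To make the rules in "Search Syntax" and "Search Modifiers" concrete, the following Python example, added here and not code from the extension or this guide, evaluates such query strings against a few constructed issue records: modifiers with spaces in brackets, a repeated modifier as OR and different modifiers as AND, ! negation, quoted exact match, /regex/, interval ranges (including a range over a list-type tag), <none>, and AND/OR keywords combined left to right. The sample issues, the attribute subset used for unqualified searches, and the use of Python's re module in place of Java regular expressions are assumptions.

```python
import re

# Constructed sample issues (not real scan output). Keys follow the search modifiers
# documented in the guide; None means the attribute has no value set (<none>).
ISSUES = [
    {"id": 1, "file": "ApplicationContext.java", "category": "SQL Injection", "analyzer": "data flow",
     "source": "getSSN()", "analysis": "Exploitable", "line": 42, "version": "2.1", "issue age": "new"},
    {"id": 2, "file": "ApplicationContext.java", "category": "Cross-Site Scripting", "analyzer": "data flow",
     "source": "getParameter()", "analysis": "Suspicious", "line": 118, "version": None, "issue age": "updated"},
    {"id": 3, "file": "Main.java", "category": "SQL Injection", "analyzer": "semantic",
     "source": None, "analysis": "Not an Issue", "line": 7, "version": "2.1", "issue age": "removed"},
    {"id": 4, "file": "report.jsp", "category": "Privacy Violation", "analyzer": "data flow",
     "source": "getSSN()", "analysis": None, "line": 3, "version": None, "issue age": "new"},
]
# List-type tags are enumerated from 0, so analysis:[0,2] covers the first three values.
LIST_TAGS = {"analysis": ["Not an Issue", "Reliability Issue", "Bad Practice", "Suspicious", "Exploitable"]}
# Attributes an unqualified term is matched against (a subset of the guide's list; assumed).
UNQUALIFIED_ATTRS = ["category", "analyzer", "file", "source", "analysis"]
# A clause starts at "modifier:" or "[modifier with spaces]:"; AND and OR are keywords.
_CLAUSE = re.compile(r"(\[[^\]]+\]|[A-Za-z_]+):|\b(AND|OR)\b")
# Interval notation: ( or [ excludes/includes the lower endpoint, ) or ] the upper one.
_RANGE = re.compile(r"^([\[(])\s*(-?[\d.]+)\s*,\s*(-?[\d.]+)\s*([\])])$")


def match_term(value, term):
    """Apply one search term to one attribute value using the guide's comparisons."""
    if term == "<none>":                                  # no value set
        return value is None
    if term.startswith("!"):                              # not equals: negate the rest
        return not match_term(value, term[1:])
    if value is None:
        return False
    if len(term) > 1 and term[0] == term[-1] == '"':      # equals: exact match
        return str(value).lower() == term[1:-1].lower()
    if len(term) > 1 and term[0] == term[-1] == "/":      # regex (Python re stands in for Java)
        return re.search(term[1:-1], str(value)) is not None
    m = _RANGE.match(term)                                # number range
    if m:
        try:
            num = float(value)
        except (TypeError, ValueError):
            return False
        lo_ok = num > float(m.group(2)) if m.group(1) == "(" else num >= float(m.group(2))
        hi_ok = num < float(m.group(3)) if m.group(4) == ")" else num <= float(m.group(3))
        return lo_ok and hi_ok
    return term.lower() in str(value).lower()             # contains (the default)


def clause_matches(issue, attr, term):
    if attr is None:                                      # unqualified term
        return any(match_term(issue.get(a), term) for a in UNQUALIFIED_ATTRS)
    value = issue.get(attr)
    # A range search on a list-type tag compares the value's position in the list.
    if attr in LIST_TAGS and value in LIST_TAGS[attr] and _RANGE.match(term.lstrip("!")):
        value = LIST_TAGS[attr].index(value)
    return match_term(value, term)


def parse(query):
    """Split a query into [(operator, [(attr, term), ...]), ...], combined left to right.
    A term runs to the next modifier prefix or AND/OR keyword, so it may contain spaces
    (category:SQL Injection); AND and OR have the same priority, as the guide notes."""
    groups, attr, start = [("AND", [])], None, 0
    for m in _CLAUSE.finditer(query):
        term = query[start:m.start()].strip()
        if term:
            groups[-1][1].append((attr, term))
        if m.group(2):                                    # AND / OR opens a new group
            groups.append((m.group(2), []))
            attr = None
        else:
            attr = m.group(1).strip("[]").lower()
        start = m.end()
    term = query[start:].strip()
    if term:
        groups[-1][1].append((attr, term))
    return groups


def group_matches(issue, clauses):
    """Different modifiers AND together; the same modifier repeated is an OR."""
    by_attr = {}
    for attr, term in clauses:
        by_attr.setdefault(attr, []).append(term)
    for attr, terms in by_attr.items():
        if attr is None:                                  # every unqualified term must match
            if not all(clause_matches(issue, None, t) for t in terms):
                return False
        elif not any(clause_matches(issue, attr, t) for t in terms):
            return False
    return True


def search(query, issues=ISSUES):
    """Return the ids of the issues that match the query string."""
    groups, hits = parse(query), []
    for issue in issues:
        ok = group_matches(issue, groups[0][1])
        for op, clauses in groups[1:]:
            current = group_matches(issue, clauses)
            ok = (ok and current) if op == "AND" else (ok or current)
        if ok:
            hits.append(issue["id"])
    return hits
```

For instance, search("category:SQL Injection OR file:jsp AND analyzer:semantic") returns only issue 3, because the OR is applied before the AND that follows it.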
Filtering Issues with the Audit Guide  
You can use the Audit Guide wizard to filter vulnerability issues in your audit project based on a set of  
security-related questions.  
To use the Audit Guide:  
1. From the Fortify extension menu, select Audit Guide.  
2. Select the settings for the types of issues you want to display.  
3. To use the advanced filtering options, select the Advanced tab.  
• In the Audit Guide Filters list, select the types of issues to filter out and ignore. To see a description on the right side, click an issue type.
  As you select items in the Audit Guide Filters list, the Fortify Extension for Visual Studio displays the filter details for this issue type below the Audit Guide Filters list and shows the number of issues found by each filter.
4. Click OK to apply your filter selections.  
Auditing Analysis Results  
The security team examines the Fortify Project Results (FPR) and assigns values to custom tags  
associated with audit project issues during a code audit. The development team can then use these  
tag values to determine which issues to address and in what order.  
To enable project auditing out of the box, Fortify Software Security Center provides a single default  
tag named Analysis. Valid values for the Analysis tag are Not an Issue, Reliability Issue, Bad Practice,  
Suspicious, and Exploitable. You can change the Analysis tag attributes, revise the tag values, or add  
new values based on your auditing needs.  
To refine your audit process, you can define your own custom tags. For example, you might create a custom tag to track the sign-off process for an issue. After a developer audits his own issues, a security expert can review those same issues and mark each as “approved” or “not approved.” For
You can also define custom tags from Fortify Software Security Center, either directly with issue  
template uploads through Fortify Software Security Center, or through issue templates in audit  
project files.  
Note: Although you can add new custom tags as you audit a project, if these custom tags are not  
defined in Fortify Software Security Center for the issue template associated with the application  
version, then the new tags are lost if you upload the audit project (FPR) to Fortify Software  
Security Center.  
Auditing Issues  
To evaluate and assign audit values to an issue or group of issues:  
1. Select the issue or group of issues in the Analysis Results window (see "Analysis Results Window"  
Note: If multiple issues are selected, then this information is displayed on the Audit tab as  
Issue: Multiple Issues Selected.  
2. Read the abstract on the Audit tab, which provides high-level information about the issue, such  
as the analyzer that found the issue.  
For example, Command Injection (Input Validation and Representation, data flow) indicates  
that this issue, detected by the Dataflow Analyzer, is a Command Injection issue in the Input  
Validation and Representation kingdom.  
3. Click the Details tab to see more details about the issue.  
4. On the Audit tab, select an analysis value for the issue to represent your evaluation.  
5. Specify values for any custom tags as required by your organization.  
To specify a date in a date-type custom tag, click Select Date to select a date from a calendar.
To specify text in a text-type custom tag, click Edit Text, and then enter text in the Edit Text Value dialog box.
6. If the audit results have been submitted to Fortify Audit Assistant in Fortify Software Security  
Center, then you can specify whether to include or exclude the issue from Fortify Audit Assistant  
training from the AA_Training list.  
Note: If you select a different value for the analysis tag than the AA_Prediction value set by  
Fortify Audit Assistant, and you select Include from the AA_Training list, then the next time  
the data is submitted to Fortify Audit Assistant, it updates the information used to predict  
whether an issue represents a true vulnerability. For more information about Fortify Audit  
Assistant tags, see the OpenText™ Fortify Software Security Center User Guide.  
7. (Optional) In the Comments box, click to add comments relevant to the issue and your  
evaluation, and then click Add Comment .  
Suppressing Issues  
You can suppress issues that are either fixed or issues that you do not plan to fix. Suppression marks  
the issue and all future discoveries of this issue as suppressed. As such, it is a semi-permanent  
marking of a vulnerability.  
To suppress an issue, do one of the following:  
• Select the issue in the Analysis Results window, and then click Suppress on the Audit tab.
• Right-click the issue in the Analysis Results window, and then select Suppress Issue.
To display results that have been suppressed:
• From the Visibility list on the Analysis Results toolbar, select Show Suppressed Issues.
Submitting an Issue as a Bug  
You can submit issues to your bug tracking application if integration between the applications has  
been configured. For a list of supported client-side bug tracking plugins, see the Fortify Software  
System Requirements document.  
To submit an issue as a bug:  
1. In the Analysis Results window, select an issue.  
2. In the Issue Auditing window, select the Audit tab, and then click File Bug.  
If this is the first time you are submitting a bug, the Select Bug Tracker Integration dialog box  
opens. Select a bug tracking application, and then click Select.  
3. If prompted, provide your bug tracker login credentials.  
4. Specify the values if changes are needed and review the issue description.  
Depending on the integration and your bug tracking application, the values include items such as  
product name, severity level, summary, and version.  
5. Click File Bug.  
The issue is submitted as a bug in the bug tracking application.  
Using Issue Templates  
Fortify Static Code Analyzer produces comprehensive results for source code analysis. On large  
codebases, these results can be overwhelming. Issue templates provide features to sort and filter the  
results in ways that best suit your needs. The filtering and sorting mechanisms appropriate during a  
given phase in the development process can change depending on the phase of development.  
Similarly, the filtering and sorting mechanisms might vary depending on the role of the user.  
You can sort issues by grouping issues into folders, which are logically defined sets of issues  
presented in the tabs on the Analysis Results window. You can further customize the sorting by  
providing custom definitions for the folders into which the issues are sorted. You can provide  
definitions for any number of folders, whose contents are then defined by filters. Filters can either  
alter the visibility of an issue or place it into a folder. When used to sort issues into folders, you can  
define the nature of the issues that appear in the customized folders.  
You group filters into filter sets and then use the filter sets to sort and filter the issues displayed. An  
issue template can contain definitions for multiple filter sets. Using multiple filter sets in an audit  
project enables you to quickly change the sorting and visibility of the issues you are auditing. For  
example, the default issue template used in the interface provides two filter sets. These filter sets  
provide an increasingly restrictive view of security-related issues. Defining multiple filter sets for an  
audit project enables different views for different users, and a customized view does not affect any  
other views.  
In addition to providing sorting and filtering mechanisms, you can also customize the auditing process  
by defining custom tags in the issue template. Auditors associate custom tags with issues during the  
audit. For example, you can use custom tags to track impact, severity, or priority of an issue using the  
same names and values used to track these attributes in other systems, such as a bug tracking  
system. For more information about custom tags, see "Configuring Custom Tags for Auditing" on the  
Issue templates contain the following settings:  
• Folder filters—Control how issues are sorted into the folders
• Visibility filters—Control which issues are shown and hidden
• Filter sets—Group folder and visibility filters
• Folder properties—Name, color, and the filter set in which it is active
• Custom tags—Specify which audit tags are displayed and the values for each
The issue template applied to a project uses the following order of preference:  
1. The template that exists in the audit project  
2. The template <tools_install_dir>\Core\config\filters\defaulttemplate.xml  
3. The template <sca_install_dir>\Core\config\rules\defaulttemplate.xml  
4. The embedded Fortify default template  
Saving Issue Templates  
Once an issue template is associated with an audit project, all changes made to that template, such as  
the addition of folders, custom tags, filter sets, or filters, apply to the audit project, and the issue  
template is stored in the FPR when the project is saved. For information about how to change the  
issue template associated with an audit project, see "Importing Issue Templates" on the next page.  
Exporting Issue Templates  
Exporting an issue template creates a file that contains the filter sets and custom tags for the current  
audit project. This is useful if you want to import the issue template into another audit project file.  
OpenText™ Fortify Extension for Visual Studio (24.2.0)  
Page 60 of 108  
To export an issue template:  
1. From the Fortify extension menu, select Project Configuration.  
2. Select the Filter Sets tab.  
3. Click Export Issue Template.  
4. Browse to the location where you want to save the file.  
5. Type a file name without an extension, and then click Save.  
The template settings are saved to the new XML file.  
Importing Issue Templates  
Importing an issue template overwrites the project configuration settings. The filter sets and custom  
tags are replaced with the ones in the issue template.  
To import an issue template:  
1. From the Fortify extension menu, select Project Configuration.  
2. Select the Filter Sets tab.  
3. Click Import Issue Template.  
4. Select the issue template file to import, and then click Open.  
The filter sets and custom tags are updated.  
To revert to the default issue template settings, click Reset Issue Template to Default.  
Configuring Custom Tags for Auditing  
Custom tags enable auditors to set additional attributes that describe the issue. You can use custom  
tag values to filter and find issues.  
The Analysis tag is configured by default and when you apply the Analysis tag to an issue, the icon  
in the Analysis Results issue list indicates the analysis status.  
To refine your auditing process, you can define your own custom tags. You can create the following  
types of custom tags: list, decimal, string, and date. For example, you might create a list-type custom  
tag to track the sign-off process for an issue. After a developer audits his own issues, a security expert  
can review those same issues and mark each as “approved” or “not approved.”  
After you define a custom tag, the Audit tab displays it below the Analysis tag, which enables you to  
specify values as they relate to specific issues. The tag is also available in other areas of the interface,  
such as in the Group By list as a way to group issues in a folder, in the search box as a search modifier  
(similarly available as a modifier for filters), and in the project summary graph as an attribute by  
which to graphically sort issues.  
Adding a Custom Tag  
You can add custom tags to use when you audit results. Custom tags are saved as part of an issue  
template.  
To add a custom tag:  
1. From the Fortify extension menu, select Project Configuration.  
2. Select the Custom Tags tab.  
3. Next to Tags, click Create Tag.  
Note: Any previously hidden tags are listed, and you can re-enable them. To create a new  
tag, click Create New.  
4. In the Create New Tag dialog box, type a name for the tag.  
5. From the Type list, select the type of tag. The following tag types are available:  
• List—Accepts selection from a list of values that you specify for the tag  
• Date—Accepts a calendar date  
• Decimal—Accepts a number with a precision of up to 18 (up to 9 decimal places)  
• Text—Accepts a string with up to 500 characters (HTML/XML tags and newlines are not allowed)  
6. Click OK.  
The Tags list now includes the new tag.  
7. To add a value for a list-type tag, do the following:  
a. From the Tags list, select the tag.  
b. Next to Values, click Add Value.  
c. In the Add Value dialog box, type a value, and then click OK.  
d. To use this value as the default for the new tag, select a value in the Values list, and then  
select Default on the right.  
If no default is selected, the default value for the custom tag is empty.  
e. To add a description for the value, type it in the Description box.  
f. Repeat steps b through e until you have added all the tag values.  
8. To add a description for any tag type:  
a. From the Tags list, select the tag.  
b. Type a description in the Description box on the right.  
9. To make this custom tag the primary tag:  
Note: You can only set a list-type tag as a primary tag.  
a. Click Set Primary Tag.  
b. In the Set Primary Tag dialog box, select the custom tag from the Primary Tag list, and then  
click OK.  
The primary tag determines the audit status for each issue as well as the audit icon in the  
Analysis Results window. By default, the primary tag is Analysis.  
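The four tag types above each carry a constraint (allowed list values, a calendar date, decimal precision, text length and content). The following is an added example, not code from the Fortify extension, that enforces those constraints the way an integration that pushes tag values in from another system (a bug tracker, for instance) would need to before writing them. The CustomTag class, the function names, and the choice of ISO date format are assumptions made for this example; the limits themselves are the ones the guide states.

```python
"""Validate custom tag values against the tag types the guide describes."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import date
from decimal import Decimal, InvalidOperation

MAX_TEXT_LEN = 500      # text tags: up to 500 characters
MAX_PRECISION = 18      # decimal tags: up to 18 digits in total
MAX_SCALE = 9           # decimal tags: up to 9 digits after the decimal point
MARKUP_RE = re.compile(r"<[^<>]*>")   # anything that looks like an HTML/XML tag


@dataclass
class CustomTag:                      # assumed structure, not the extension's own
    name: str
    kind: str                                          # "list", "date", "decimal" or "text"
    values: list[str] = field(default_factory=list)    # allowed values, list-type only
    default: str | None = None                         # default value, list-type only


def validate_value(tag: CustomTag, raw: str) -> str | None:
    """Return None when raw is acceptable for tag, otherwise a human-readable reason."""
    if tag.kind == "list":
        return None if raw in tag.values else f"{tag.name}: {raw!r} is not one of {tag.values}"

    if tag.kind == "date":
        try:
            date.fromisoformat(raw)          # ISO form (YYYY-MM-DD) assumed for this example
        except ValueError:
            return f"{tag.name}: {raw!r} is not a calendar date (expected YYYY-MM-DD)"
        return None

    if tag.kind == "decimal":
        try:
            number = Decimal(raw)
        except InvalidOperation:
            return f"{tag.name}: {raw!r} is not a number"
        if not number.is_finite():           # rejects NaN and Infinity
            return f"{tag.name}: {raw!r} is not a finite number"
        exponent = number.as_tuple().exponent
        scale = max(-exponent, 0)            # digits after the decimal point
        integer_part = abs(int(number))
        integer_digits = len(str(integer_part)) if integer_part else 0
        if scale > MAX_SCALE:
            return f"{tag.name}: more than {MAX_SCALE} decimal places"
        if integer_digits + scale > MAX_PRECISION:
            return f"{tag.name}: more than {MAX_PRECISION} digits in total"
        return None

    if tag.kind == "text":
        if len(raw) > MAX_TEXT_LEN:
            return f"{tag.name}: longer than {MAX_TEXT_LEN} characters"
        if "\n" in raw or "\r" in raw:
            return f"{tag.name}: newlines are not allowed"
        if MARKUP_RE.search(raw):
            return f"{tag.name}: HTML/XML tags are not allowed"
        return None

    raise ValueError(f"unknown tag type {tag.kind!r}")


def apply_tags(tags: list[CustomTag], assignments: dict[str, str]) -> dict[str, str]:
    """Validate an auditor's tag assignments for one issue and fill in defaults.

    Raises ValueError on the first bad value. List-type tags that were not set
    receive their configured default, or an empty value when no default was chosen.
    """
    result: dict[str, str] = {}
    by_name = {t.name: t for t in tags}
    for name, raw in assignments.items():
        if name not in by_name:
            raise ValueError(f"unknown tag {name!r}")
        problem = validate_value(by_name[name], raw)
        if problem:
            raise ValueError(problem)
        result[name] = raw
    for t in tags:
        if t.kind == "list" and t.name not in result:
            result[t.name] = t.default or ""
    return result


if __name__ == "__main__":
    # Constructed sign-off workflow from the guide's example: a list-type tag.
    signoff = CustomTag("Sign-off", "list", ["approved", "not approved"], default="not approved")
    effort = CustomTag("Fix Effort (hours)", "decimal")
    print(apply_tags([signoff, effort], {"Fix Effort (hours)": "2.5"}))
    print(validate_value(effort, "3.1415926535"))   # ten decimal places: rejected
```

The decimal check separates the scale (digits after the point) from the total digit count so that a value such as 1234567890.123456789 is rejected on precision even though its scale is within limits; the text check rejects markup before length so that a long payload fails for the more specific reason.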
Hiding a Custom Tag  
If you hide a custom tag, it is no longer available on the Audit tab or as a search or filter option. If you  
hide a custom tag that was set for any issues, that tag and values are hidden from the issue. You can  
make this tag available again when you create a custom tag (see "Adding a Custom Tag" on the  
previous page). If you make the tag available again, the tag and values are restored.  
Note: You cannot hide a custom tag that is set as the primary tag.  
To hide a custom tag:  
1. From the Fortify extension menu, select Project Configuration.  
2. Select the Custom Tags tab.  
3. Select the tag from the Tags list.  
4. Next to Tags, click Hide Tag.  
If you hide a tag that has an associated filter, you are prompted to delete the filter.  
Creating a Filter Set  
To create a new filter set, you copy an existing set, and then make changes to the settings.  
To create a new filter set:  
1. From the Fortify extension menu, select Project Configuration.  
2. Select the Filter Sets tab.  
3. Next to Filter Sets, click Create Filter Set.  
4. In the Create New Filter Set dialog box, type a name for the new filter set.  
5. Select an existing filter set to copy, and then click OK.  
6. To change the description of the new filter set, select it in the Filter Sets list, and then edit the  
text in the Description box on the right.  
A new filter set with the same folders, visibility filters, and folder filters as the copied filter set is  
created.  
Creating a Filter from the Analysis Results Window  
If you find an issue in a folder list that you want to hide or direct to another folder, you can create a  
new filter with the filter wizard. The wizard displays all the attributes that match the filter conditions.  
Note: To find the filter that directed the issue to the folder, right-click the issue, and select Why  
is this issue here? To find the filter that hid an issue, right-click the issue, and then select Why is  
this issue hidden?  
To create a new filter from an issue:  
1. In the Analysis Results window, select a filter set from the Filter Set list.  
2. Right-click an issue, and then select Generate Filter.  
The Create Filter dialog box opens and displays a list of suggested conditions.  
3. To expand the conditions list, click More Choices.  
4. Select the conditions to use for the filter. You can fine tune the filter later from the Filter tab.  
5. To specify the type of filter you want to create, do one of the following:  
• To create a visibility filter, select Hide Issue.  
• To create a folder filter, select Set Folder to, and then select the folder name or select Create New to create a new folder.  
A new folder is displayed only in this filter set.  
6. Click Create Filter.  
The new filter is placed at the end of the filter list. For folder filters, this gives the new filter the  
highest priority. Issues matching the new folder filter appear in the targeted folder.  
7. To change the priority of a folder filter, drag the filter higher in the folder filter list.  
Note: The filter is created only in the selected filter set.  
Creating a Filter from the Filters Tab  
Use the Filters tab option to create general filters for the attributes and values you want to filter. The  
filter is created in the selected filter set only.  
Folder filters are applied in order and the issue is directed to the last folder filter it matches in the list.  
The wizard places your new filter at the end of the list.  
To create a new filter on the Filters tab:  
1. In the Analysis Results window, select a filter set from the Filter Set list.  
2. In the Filters window, right-click Visibility Filters or Folder Filters, and then select Create New  
Filter.  
3. Under If, specify the conditions for the filter, by doing the following:  
a. From the first list, select an issue attribute.  
For a description of the available issue attributes, see "Search Modifiers" on page 50.  
b. From the second list, select how to match the value.  
The third list automatically displays the attribute values.  
c. From the third list, select a value or specify a range as instructed.  
4. Set Then to one of the following options:  
• To create a visibility filter, select Hide Issue.  
• To create a folder filter, select Set Folder to, and then select the folder name or select Create New to create a new folder.  
The new filter is displayed at the end of the list. For folder filters, this gives the new filter the  
highest priority. Issues that match the new folder filter are displayed in the targeted folder.  
5. (Optional) For folder filters, drag the filter higher in the folder filter list to change its priority.  
The issues are sorted based on the new filter.  
Note: The filter is only created in the selected filter set.  
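Both procedures above ("Creating a Filter from the Analysis Results Window" and this one) rely on the same evaluation rules: a filter belongs to one filter set, a matching visibility filter hides the issue, folder filters are applied in list order with the last match winning, and an unmatched issue goes to the filter set's default folder. The following is an added example that models those rules in Python; it is not the extension's own code. The Condition and Filter classes, the operator names, the issue attribute names, and the sample issues are all constructed for this example.

```python
"""Model of filter-set evaluation: visibility filters, ordered folder filters, last match wins."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Condition:                 # one "If" row of the filter dialog (assumed shape)
    attribute: str               # issue attribute the condition reads, e.g. "category"
    op: str                      # "is", "contains", "in" (membership) or "gt" (numeric)
    value: object

    def holds(self, issue: dict) -> bool:
        actual = issue.get(self.attribute)
        if actual is None:
            return False
        if self.op == "is":
            return actual == self.value
        if self.op == "contains":
            return str(self.value).lower() in str(actual).lower()
        if self.op == "in":
            return actual in self.value
        if self.op == "gt":
            return float(actual) > float(self.value)
        raise ValueError(f"unknown operator {self.op!r}")


@dataclass(frozen=True)
class Filter:
    conditions: tuple[Condition, ...]   # all must hold
    action: str                         # "hide" (visibility filter) or "folder" (folder filter)
    folder: str | None = None           # target folder when action == "folder"

    def matches(self, issue: dict) -> bool:
        return all(c.holds(issue) for c in self.conditions)


def generate_filter(issue: dict, attributes: list[str], action: str, folder: str | None = None) -> Filter:
    """Build a filter from an issue's current attribute values, as Generate Filter suggests."""
    return Filter(tuple(Condition(a, "is", issue[a]) for a in attributes), action, folder)


@dataclass
class FilterSet:
    name: str
    default_folder: str
    visibility_filters: list[Filter] = field(default_factory=list)
    folder_filters: list[Filter] = field(default_factory=list)   # list order; last match wins

    def why_hidden(self, issue: dict) -> Filter | None:
        """The visibility filter that hides the issue, or None if it is visible."""
        return next((f for f in self.visibility_filters if f.matches(issue)), None)

    def why_here(self, issue: dict) -> Filter | None:
        """The folder filter responsible for the placement: the LAST one that matches."""
        hit = None
        for f in self.folder_filters:
            if f.matches(issue):
                hit = f
        return hit

    def folder_of(self, issue: dict) -> str | None:
        """Folder the issue lands in, or None when a visibility filter hides it."""
        if self.why_hidden(issue) is not None:
            return None
        hit = self.why_here(issue)
        return self.default_folder if hit is None else hit.folder

    def move_folder_filter(self, src: int, dst: int) -> None:
        """Drag a folder filter to a new list position; a lower index means lower priority."""
        self.folder_filters.insert(dst, self.folder_filters.pop(src))

    def sort(self, issues: list[dict]) -> tuple[dict[str, list[int]], list[int]]:
        """Return (folder name -> issue ids, hidden issue ids) for this filter set."""
        folders: dict[str, list[int]] = {self.default_folder: []}
        for f in self.folder_filters:
            folders.setdefault(f.folder, [])
        hidden: list[int] = []
        for issue in issues:
            dest = self.folder_of(issue)
            (hidden if dest is None else folders[dest]).append(issue["id"])
        return folders, hidden


# Constructed sample issues (not real scan output); attribute names are assumptions.
ISSUES = [
    {"id": 1, "category": "SQL Injection", "priority": "Critical", "analysis": "Exploitable", "file": "src/db.cs"},
    {"id": 2, "category": "Cross-Site Scripting", "priority": "High", "analysis": "", "file": "src/ui.cs"},
    {"id": 3, "category": "Dead Code", "priority": "Low", "analysis": "Not an Issue", "file": "src/old.cs"},
    {"id": 4, "category": "Path Manipulation", "priority": "High", "analysis": "", "file": "test/io_tests.cs"},
]


def build_review_set() -> FilterSet:
    fs = FilterSet(name="Security Review", default_folder="Everything Else")
    # Visibility filters: hide issues already audited as Not an Issue, and anything under test/.
    fs.visibility_filters.append(Filter((Condition("analysis", "is", "Not an Issue"),), "hide"))
    fs.visibility_filters.append(Filter((Condition("file", "contains", "test/"),), "hide"))
    # Folder filters in list order. The injection filter is last, so it has the highest
    # priority: issue 1 matches both filters and lands in "Injection Review".
    fs.folder_filters.append(Filter((Condition("priority", "in", {"Critical", "High"}),), "folder", "Fix Now"))
    fs.folder_filters.append(Filter((Condition("category", "contains", "Injection"),), "folder", "Injection Review"))
    return fs


if __name__ == "__main__":
    fs = build_review_set()
    print(fs.sort(ISSUES))
    fs.move_folder_filter(1, 0)      # drag the injection filter higher: it now loses to "Fix Now"
    print(fs.sort(ISSUES))
```

Moving the injection filter to the top of the list is the model's equivalent of dragging it higher in the Filters tab: issue 1 then falls into Fix Now, because the priority filter becomes the last match. why_here and why_hidden answer the two right-click questions from the note above.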
Copying a Filter to Another Filter Set  
Filter settings are local to the filter set. However, you can copy the filter to another filter set in the  
project. If you copy a folder filter to another filter set and that folder is not already active in the filter  
set, the folder is automatically added.  
To copy a filter:  
1. In the Analysis Results window, select a filter set from the Filter Set list.  
2. On the Filters tab, right-click a filter, and then select Copy Filter To.  
The Select a Filter Set dialog box lists the filter sets.  
3. Select a filter set, and then click OK.  
The filter is added to the destination filter set in the last position.  
4. To change the order of the folder filters, drag the filters in the list.  
Managing Folders  
Folders are logical sets of issues that are defined by the filters in the active filter set. Even though a  
folder can appear in more than one filter set, the contents might differ depending on the filters in that  
filter set that target the folder. To accommodate filter sets that attempt to provide sorting  
mechanisms that have little overlap, it is possible to have filter sets with different folders. Folders are  
defined without any relation to the filter sets in which they might appear.  
Creating a Folder  
You can add a new folder to a filter set so that you can display a group of issues you have filtered to  
the folder.  
To create a folder:  
1. From the Fortify extension menu, select Project Configuration.  
2. Select the Folders tab.  
Currently defined folders are listed on the left. Folder properties including the name, color, and  
description of the selected folder are shown on the right.  
3. To associate the new folder with an existing filter set, select a filter set from the Folders for  
Filter Set list.  
This selection updates the Folders list to display folders associated with the selected filter set.  
4. To add a folder:  
a. Next to Folders, click Create Folder.  
The Create New Folder dialog box opens.  
b. Type a unique name for the new folder, select a folder color, and then click OK.  
The folder is added to the bottom of the Folders list.  
5. To sort all issues that do not match a folder filter into this folder, select Default Folder.  
6. Click OK.  
The new folder is added to the local issue template. The folder displays as a tab with the other folders  
in the Analysis Results window.  
Note: To display issues in this folder, create a folder filter that targets the new folder (see  
Adding a Folder to a Filter Set  
This section describes how to enable an existing folder in a filter set. Create a new folder that only  
appears in the selected filter set using the instructions in "Creating a Folder" on the previous page. To  
display issues in this folder, create a folder filter that targets the new folder.  
To add a folder to a filter set:  
1. From the Fortify extension menu, select Project Configuration.  
2. Select the Folders tab.  
3. From the Folder for Filter Set list, select a filter set to which you want to add an existing folder.  
This selection updates the Folders list to display folders associated with the selected filter set.  
4. Next to Folders, click Add Folder.  
The Enable New Folder to the Filter Set dialog box opens. If all folders are already associated  
with the selected filter set, the Create New Folder dialog box opens.  
5. Select the folder to add, and then click Select.  
The selected folder is listed.  
6. Click OK.  
The folder is displayed as a tab with the other folders in the Analysis Results window.  
Renaming a Folder  
You can rename a folder. Modifying the name of a folder is a global change reflected in all filter sets.  
To rename a folder:  
1. From the Fortify extension menu, select Project Configuration.  
2. Select the Folders tab.  
3. From the Folders for Filter Set list, select a filter set that displays the folder you want to  
rename.  
4. In the Folders list, select the folder you want to rename.  
The folder properties are displayed on the right.  
5. In the Name box, type the new folder name.  
6. Click OK.  
The tab displays the new folder name.  
Removing a Folder  
You can remove a folder from a specific filter set without removing it from other filter sets.  
To remove a folder:  
1. From the Fortify extension menu, select Project Configuration.  
2. Select the Folders tab.  
3. From the Folders for Filter Set list, select a filter set, other than (All Folders), that contains the  
folder you want to remove.  
The folders in the selected filter set are listed.  
4. In the Folders list, select the folder you want to remove.  
5. To the right of Folders, click Remove Folder.  
The folder is only removed from the selected filter set.  
If the folder is a target of a folder filter, the Conflicts Occurred Removing Folder dialog box opens.  
Do one of the following:  
• To target the filter to a different folder, select a folder from the Retarget the filters list, and then click Retarget Filters.  
• To delete the filter, click Delete Filters, and then click Yes to confirm the deletion.  
6. Click OK to close the Project Configuration dialog box.  
The folder is no longer displayed as a tab in the Analysis Results window.  
Generating Analysis Results Reports  
The following topics provide information about generating reports from your analysis results.  
Issue Reports  
The issue reports described in this section are based on the Business Intelligence and Reporting  
Technology (BIRT) system. You can generate issue reports from the Fortify Extension for Visual  
Studio or from the command line (BIRTReportGenerator utility). For information about how to  
generate issue reports based on BIRT from the command line, see the OpenText™ Fortify Static Code  
Analyzer User Guide.  
The following table describes the issue reports available.  
Report Template and Description  
CWE Top 25  
    This report lists the most widespread and critical weaknesses that can lead to serious software vulnerabilities (based on the National Vulnerability Database).  
CWE/SANS Top 25  
    This report details issues related to the CWE/SANS Top 25 Most Dangerous Programming Errors and provides information about where and how to fix the issues. It describes the technical risk posed by unremediated issues discovered during analysis and provides an estimate of the development effort needed to test, verify, and fix them.  
Developer Workbook  
    This report provides the information a developer needs to understand and fix the issues discovered during an application audit.  
DISA CCI 2  
    This report provides a standard identifier for policy-based requirements that connects high-level policy expressions and low-level technical implementations.  
DISA STIG  
    This report addresses DISA compliance based on STIG violations and provides information about where and how to fix the issues. It describes the technical risk posed by unremediated issues and provides an estimate of the development effort required to test, verify, and fix them.  
FISMA Compliance: FIPS 200  
    This report addresses FISMA compliance related to FIPS-200 through controls specified in NIST SP 800-53. It details policy violations and provides information about where and how to fix the issues. It describes the technical risks posed by unremediated violations and provides an estimate of the development effort required to test, verify, and fix them.  
GDPR  
    This report groups all detected issues that are relevant to privacy under the EU General Data Protection Regulation (GDPR) legislation. Use this as a framework to help identify and protect personal data as it relates to application security.  
MISRA  
    This report addresses compliance with either the Motor Industry Software Reliability Association (MISRA) C or C++ guidelines. The results focus on the security-relevant guidelines and can be used to help create a compliance matrix for MISRA. This report describes the technical risk posed by the unremediated issues discovered during analysis and provides an estimate of the development effort needed to test, verify, and fix them.  
OWASP API Top 10  
    This report focuses on weaknesses affecting Web APIs and is intended to be used in combination with other standards and best practices to thoroughly capture all relevant risks. For example, use this report in combination with the OWASP Top 10 to identify issues related to input validation such as injections.  
OWASP ASVS 4.0  
    This report groups detected issues based on the OWASP Application Security Verification Standard security requirements for secure development.  
OWASP MASVS 2.0  
    This report groups detected issues based on the OWASP Mobile Application Security Verification Standard requirements for secure mobile application development.  
OWASP Mobile Top 10  
    This report details the top ten OWASP mobile-related issues and provides information about where and how to fix them. It describes the technical risk posed by the unremediated issues discovered during analysis and gives an estimate of the development effort required to test, verify, and fix them.  
OWASP Top 10  
    This report details the top ten OWASP-related issues and provides information about where and how to fix them. It describes the technical risks posed by unremediated issues discovered during analysis and gives an estimate of the development effort required to test, verify, and fix the issues.  
PCI DSS Compliance: Application Security Requirements  
    This report summarizes the application security portions of PCI DSS. It includes tests for 21 application security-related requirements across sections 3, 4, 6, 7, 8, and 10 of PCI DSS and reports whether each requirement is either “In Place” or “Not In Place.”  
PCI SSF Compliance: Secure Software Requirements  
    This report summarizes the application security portions of PCI SSF. It includes tests for 23 application security-related control objectives across Control Objective sections 2, 3, 4, 5, 6, 7, 8, and A.2 of PCI SSF and reports whether each control objective is “In Place” or “Not In Place.”  
Generating Issue Reports  
To generate an issue report:  
1. From the Fortify extension menu, select Generate BIRT Report.  
The Generate BIRT Report dialog box opens.  
2. From the Report Template list, select the type of report you want.  
3. If available for the template, select the template version from the Options list.  
4. Select the information you want to include in the report.  
Note: Not all options are available for all report types.  
a. To include detailed descriptions of reported issues, select the Detailed Report check box.  
b. To categorize issues by Fortify Priority instead of folder names, select the Categories By  
Fortify Priority check box.  
c. To include Description of Key Terminology in the report, select the Key Terminology check  
box.  
d. To include the About Fortify Solutions section in the report, select the About  
Fortify Solutions check box.  
5. To filter information from the report, select the optional issue filter settings as follows:  
• Click Removed to include removed issues in the report.  
• Click Suppressed to include suppressed issues in the report.  
• Click Hidden to include hidden issues in the report.  
• Click Collapse Issues to collapse issues of the same sink and type into a single issue.  
• Click Only My Issues to include only issues assigned to your user name.  
• Click Advanced to build a search query to further filter the issues to include in the report. For more information about the search modifiers, see "Search Modifiers" on page 50.  
6. From the Format list, select a format for the report.  
You can save the report in the following formats: Portable Document Format (PDF), HTML, and  
Microsoft Word.  
7. To specify an alternative location to save the report, click Browse, and then select a location.  
8. Click Generate.  
9. If a report with the same file name already exists, you are prompted to do one of the following:  
• Click No to overwrite the existing report.  
• Click Yes to have the report saved to a file with a sequential number appended to the file name (for example: Sample1_DISA_STIG(1).pdf).  
Legacy Reports  
The legacy reports include user-configurable report templates. Report templates provide several  
optional sections and subsections that gather and present specific types of data. You can generate  
legacy reports from Fortify Extension for Visual Studio or from the command line (ReportGenerator  
utility). For information about how to generate legacy reports from the command line, see the  
OpenText™ Fortify Static Code Analyzer User Guide.  
The following sections describe the default reports and report templates, instructions on how to  
modify existing reports, and how to create your own reports.  
Generating Legacy Issue Reports  
After you select the report template and report settings, you generate the report to view the results.  
You can save report results as PDF and XML files.  
To generate a legacy issue report:  
1. From the Fortify extension menu, select Generate Legacy Report.  
2. From the Report list, select a report template.  
3. (Optional) Change the report section settings.  
4. Click Print Report.  
5. Specify a file name and a location to save the report.  
6. Select the report file format (PDF or XML).  
7. Click Save.  
The Fortify Extension for Visual Studio generates the report in the format you selected.  
Legacy Report Templates  
This section describes how to select and edit a legacy report template. You can modify legacy report  
templates from the Generate Legacy Report dialog box, or you can edit report templates directly in  
XML (see "Legacy Report Template XML Files" on page 79). If you or another user have edited or  
created additional legacy report templates, you might not see the default report templates described  
in this section.  
The legacy report templates include:  
• Fortify Security Report—A mid-level report that provides comprehensive information about the analysis performed and the high-level details of the audit that was performed. It also provides a high-level description and examples of categories that are of the highest priority.  
• Fortify Developer Workbook—Provides a comprehensive list of all categories of issues found and multiple examples of each issue. It also gives a high-level summary of the number of issues in each category.  
• OWASP Top Ten <year>—Provides high-level summaries of uncovered vulnerabilities organized based on the top ten issues that the Open Web Application Security Project (OWASP) has identified.  
• Fortify Scan Summary—Provides high-level information based on the category of issues that Fortify Static Code Analyzer found as well as a project summary and a detailed project summary.  
The following sections describe how to view report templates and customize them to address your  
reporting needs.  
Opening Legacy Report Templates  
To open a report template:  
1. From the Fortify extension menu, select Generate Legacy Report.  
2. Select a report template from the Report list.  
The Generate Legacy Report dialog box displays the report template settings.  
Selecting Legacy Report Sections  
You can choose which sections to include in the report.  
To select the sections to include in a report:  
1. Click a section title to view the contents of the section.  
The section details display in the right side of the dialog box.  
2. To include a section in the report, select the section title check box in the list on the left side.  
3. To remove a section from the report, clear the check box next to the section title.  
For details on how to edit each section, see "Editing Legacy Report Subsections" on the next page.  
Editing Legacy Report Subsections  
When you select a section title, you can edit the contents that display in the report. You can edit text,  
add or change text variables, or customize the issues shown in a chart or results list.  
Editing Text Subsections  
To edit a text subsection:  
1. Select the check box next to the subsection title to include this text in the report.  
A description of the text is displayed below the subsection title.  
2. Click Edit.  
The text box displays the text and variables to include in the report.  
3. Edit the text and text variables.  
As you edit text subsections, you can insert variables that are defined when you run the report. The  
following table describes these variables.  
Variable and Description  
$AUDIT_GUIDE_SUMMARY$  
    List of filters created with answers to Audit Guide Wizard questions  
$CLASSPATH_LISTING$  
    JAR files used in the scan, one relative path per line  
$COMMANDLINE_ARGS$  
    Complete list of command-line options (same format as project summary)  
$FILE_LISTING$  
    List of files scanned, each file in the following format: <relative_file_path> # Lines # kb <timestamp>  
$FILTERSET_DETAILS$  
    List of filters used by the current filter set  
$FILTERSET_NAME$  
    Name of the current filter set  
$FORTIFY_SCA_VERSION$  
    Fortify Static Code Analyzer version  
$LIBDIR_LISTING$  
    Libdirs specified during scan, one relative path per line  
$TLOC$  
    Total lines of code  
$NUMBER_OF_FILES$  
    Total number of files scanned  
$PROJECT_BUILD_LABEL$  
    Build label of project  
$PROJECT_NAME$  
    Build ID  
$PROPERTIES$  
    Complete list of properties set during analysis phase (same format as project summary)  
$RESULTS_CERTIFICATION$  
    Complete certification detail with list of validity on a per file basis (same format as project summary)  
$RESULTS_CERTIFICATION_SUMMARY$  
    Short certification description (same format as project summary)  
$RULEPACKS$  
    Complete list of Rulepacks used during the analysis (same format as project summary)  
$SCAN_COMPUTER_ID$  
    Hostname of the machine on which the scan was performed  
$SCAN_DATE$  
    Date of the analysis with the default formatting style for the locale  
$SCAN_SUMMARY$  
    Summary of the codebase scanned in the format: # files, # lines of code  
$SCAN_TIME$  
    Time of the analysis phase  
$SCAN_USER$  
    User name of the user who performed the scan  
$SOURCE_BASE_PATH$  
    Source base path of the codebase  
$TOTAL_FINDINGS$  
    Number of issues, excluding suppressed or removed issues  
$VERSION_LABEL$  
    Label of the scanned project (available only if the Fortify Static Code Analyzer -build-label option was used in the scan)  
$WARNINGS$  
    Complete list of warnings issued (same format as project summary)  
$WARNING_SUMMARY$  
    Number of warnings found in the scan  
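The table above defines what each placeholder expands to but not how a template author can check the result before running a report. The following is an added example, not the ReportGenerator's own code, that expands the placeholders over a constructed scan description so that the computed values (the file-listing format, the "# files, # lines of code" summary, the findings count that excludes suppressed and removed issues, and $VERSION_LABEL$ being available only when a build label was supplied) can be inspected. The ScanInfo and ScannedFile structures, the field names, the sample scan, and the decision to render each "#" in the documented formats as a plain number are assumptions made here; placeholders the example does not know are left as written.

```python
"""Expand $VARIABLE$ placeholders of a legacy report text subsection over scan data."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

PLACEHOLDER_RE = re.compile(r"\$([A-Z_]+)\$")


@dataclass
class ScannedFile:               # assumed shape for one scanned file
    path: str                    # relative to the source base path
    lines: int
    size_kb: int
    timestamp: str


@dataclass
class ScanInfo:                  # assumed shape for the facts a scan records
    build_id: str
    sca_version: str
    filter_set: str
    scan_user: str
    scan_computer: str
    source_base_path: str
    files: list[ScannedFile] = field(default_factory=list)
    issues: list[dict] = field(default_factory=list)      # may carry "suppressed"/"removed" flags
    warnings: list[str] = field(default_factory=list)
    build_label: str | None = None                        # only set when -build-label was used


def report_variables(info: ScanInfo) -> dict[str, str]:
    """Compute the values the placeholders expand to for this scan."""
    tloc = sum(f.lines for f in info.files)
    counted = [i for i in info.issues if not i.get("suppressed") and not i.get("removed")]
    values = {
        # "<relative_file_path> # Lines # kb <timestamp>", with "#" rendered as numbers (assumption)
        "FILE_LISTING": "\n".join(
            f"{f.path} {f.lines} Lines {f.size_kb} kb {f.timestamp}" for f in info.files),
        "NUMBER_OF_FILES": str(len(info.files)),
        "TLOC": str(tloc),
        "SCAN_SUMMARY": f"{len(info.files)} files, {tloc} lines of code",
        "TOTAL_FINDINGS": str(len(counted)),       # suppressed and removed issues excluded
        "WARNINGS": "\n".join(info.warnings),
        "WARNING_SUMMARY": str(len(info.warnings)),
        "FILTERSET_NAME": info.filter_set,
        "FORTIFY_SCA_VERSION": info.sca_version,
        "PROJECT_NAME": info.build_id,
        "SCAN_USER": info.scan_user,
        "SCAN_COMPUTER_ID": info.scan_computer,
        "SOURCE_BASE_PATH": info.source_base_path,
    }
    if info.build_label is not None:               # $VERSION_LABEL$ exists only with a build label
        values["VERSION_LABEL"] = info.build_label
    return values


def render(text: str, info: ScanInfo) -> str:
    """Expand $NAME$ placeholders; unknown or unavailable ones are left as written."""
    values = report_variables(info)
    return PLACEHOLDER_RE.sub(lambda m: values.get(m.group(1), m.group(0)), text)


# Constructed sample scan (not real scanner output).
SAMPLE = ScanInfo(
    build_id="WebGoat", sca_version="24.2.0", filter_set="Security Auditor View",
    scan_user="auditor", scan_computer="build01", source_base_path="C:\\src\\WebGoat",
    files=[ScannedFile("src/Login.cs", 120, 4, "2024-05-03 10:15"),
           ScannedFile("src/Db.cs", 80, 3, "2024-05-03 10:15")],
    issues=[{"id": 1}, {"id": 2, "suppressed": True}, {"id": 3, "removed": True}, {"id": 4}],
    warnings=["Unresolved type: Foo"],
)

TEMPLATE_TEXT = ("Scan of $PROJECT_NAME$ ($SCAN_SUMMARY$) found $TOTAL_FINDINGS$ issues "
                 "under filter set $FILTERSET_NAME$. Build label: $VERSION_LABEL$")

if __name__ == "__main__":
    print(render(TEMPLATE_TEXT, SAMPLE))
    print(report_variables(SAMPLE)["FILE_LISTING"])
```

Because the sample scan was built without a build label, $VERSION_LABEL$ survives in the output unexpanded, which is the visible symptom a template author would see when that variable is used on a scan that did not pass -build-label.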
Editing Results List Subsections  
To edit a result list subsection:  
1. Select the check box next to the subsection title to include this text in the report.  
A description of the results list is displayed below the subsection title.  
2. Click the issues list heading to expand the options.  
3. Select the attributes used to group the results list.  
If you group by category, the recommendations, abstract, and explanation for the category are  
also included in the report.  
4. (Optional) Refine the issues shown in this subsection with a search query.  
For more details about the search syntax, see "Searching for Issues" on page 48.  
Editing Chart Subsections  
To edit a chart subsection:  
1. Select the check box next to the subsection title to include this text in the report.  
A chart description is displayed below the subsection title.  
2. Select the attributes used to group the chart data.  
3. (Optional) Refine the issues shown in this subsection with a search query.  
For information about search syntax, see "Searching for Issues" on page 48.  
4. Select the chart format (table, pie, or bar).  
Saving Legacy Report Templates  
You can save the current report settings as a new template that you can select later to run more  
reports.  
To save settings as a report template:  
1. From the Fortify extension menu, select Generate Legacy Report.  
2. From the Report list, select a report template.  
3. Make changes to the report section and subsection settings.  
4. Click Save as New Template.  
When you select the report template name from the Report list, the report settings are displayed in  
the Generate Legacy Report dialog box.  
Saving Changes to Legacy Report Templates  
You can save changes to a report template so that your new settings are displayed as the default  
settings for that template.  
To save changes to a report template:  
1. From the Fortify extension menu, select Generate Legacy Report.  
2. From the Report list, select the report template to save as the default report template.  
3. (Optional) Make changes to the report section and subsection settings.  
4. Click Save Settings as Default.  
Legacy Report Template XML Files  
Report templates are saved as XML files. You can edit the XML files to make changes or to create new  
report template files. When you edit the XML files, you can choose the sections and the contents of  
each section to include in the report template.  
The default location for the report template XML files is <tools_install_dir>\Core\config\reports.  
To customize the logos used in the reports, you can replace header.jpg and footer.jpg in this folder.  
Adding Legacy Report Sections  
You can add report sections by editing the XML files. In the structure of the XML, the  
ReportSection element defines a new section. It includes a Title element for the section name,  
and it must include at least one SubSection element to define the section contents in the report. The  
following XML is the Results Outline section of the Fortify Security Report  
(DefaultReportDefinition.xml):  
<ReportSection enabled="true" optionalSubsections="true">  
    <Title>Results Outline</Title>  
    <SubSection enabled="true">  
        <Title>Overall number of results</Title>  
        <Description>Results count</Description>  
        <Text>The scan found $TOTAL_FINDINGS$ issues.</Text>  
    </SubSection>  
    <SubSection enabled="true">  
        <Title>Vulnerability Examples by Category</Title>  
        <Description>Results summary for critical and high priority issues.  
            Vulnerability examples are provided by category.  
        </Description>  
        <IssueListing limit="1" listing="true">  
            <Refinement>[fortify priority order]:critical OR  
                [fortify priority order]:high</Refinement>  
            <Chart chartType="list">  
                <Axis>Category</Axis>  
            </Chart>  
        </IssueListing>  
    </SubSection>  
</ReportSection>  
In this example, the Results Outline section contains two subsections. The first is a text  
subsection titled Overall number of results. The second subsection is a results list titled  
Vulnerability Examples by Category. A section can contain multiple subsections.  
Adding Report Subsections  
In the report sections, you can add subsections or edit subsection content. Subsections can generate  
text, results lists, or charts.  
Adding Text Subsections  
In a text subsection, you can include the Title element, the Description element, and the Text  
element. In the Text element, you can provide the default content, although the user can edit the  
content before generating a report. For a description of the text variables available to use in text  
subsections, see "Editing Legacy Report Subsections" on page 76. The following XML is the Overall  
<SubSection enabled="true">  
    <Title>Overall number of results</Title>  
    <Description>Results count</Description>  
    <Text>The scan found $TOTAL_FINDINGS$ issues.</Text>  
</SubSection>  
In this example, the text subsection is titled Overall number of results. The text that describes  
the purpose of the text is Results count. The text in the text field that the user can edit before  
running a report uses one variable named $TOTAL_FINDINGS$.  
Adding Results List Subsections  
In a results list subsection, you can include the Title element, the Description element, and the  
IssueListing element. In the IssueListing element, you can define the default content for the  
limit and set listing to true. You can include the Refinement element either with or without a  
default statement, although the user can edit the content before they generate a report. To generate  
a results list, the Chart element's attribute chartType is set to list. You can also include the Axis  
element. The following XML is the Vulnerability Examples by Category subsection in the  
Results Outline section:  
<SubSection enabled="true">  
    <Title>Vulnerability Examples by Category</Title>  
    <Description>Results summary for critical and high priority issues.  
        Vulnerability examples are provided by category.  
    </Description>  
    <IssueListing limit="1" listing="true">  
        <Refinement>[fortify priority order]:critical OR  
            [fortify priority order]:high</Refinement>  
        <Chart chartType="list">  
            <Axis>Category</Axis>  
        </Chart>  
    </IssueListing>  
</SubSection>  
In this example, the results list subsection title is Vulnerability Examples by Category. The  
text Results summary for critical and high priority issues. Vulnerability  
examples are provided by category. is used to describe the purpose of the subsection. This  
subsection lists (listing="true") one issue (limit="1") per category (the value of the Axis  
element) where there are issues matching the statement [fortify priority order]:critical  
OR [fortify priority order]:high (the value of the Refinement element).  
Adding Chart Subsections  
In a chart subsection, you can include the Title element, the Description element, and the  
IssueListing element. In the IssueListing element, you can define the default content for the  
limit and set listing to false. You can include the Refinement element either with or without a  
default statement, although the user can edit the content before generating a report. To generate a  
pie chart, set the Chart element's attribute chartType to pie. The options are table, pie, and bar.  
The user can change this setting before generating the report. You can also define the Axis element.  
The following code shows an example of a chart subsection:  
<SubSection enabled="true">  
    <Title>New Issues</Title>  
    <Description>A list of issues discovered since the previous  
        analysis.</Description>  
    <Text>The following issues have been discovered since the  
        last scan:</Text>  
    <IssueListing limit="-1" listing="false">  
        <Refinement />  
        <Chart chartType="pie">  
            <Axis>New Issue</Axis>  
        </Chart>  
    </IssueListing>  
</SubSection>  
In this subsection, a chart (limit="-1" listing="false") has the title New Issues and a text  
section that contains The following issues have been discovered since the last  
scan:. This chart includes all issues (the Refinement element is empty) and groups the issues based  
on the value of New Issue (the value of the Axis element). The subsection includes a pie chart  
(chartType="pie").  
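As an added example (not code from this guide or from the Fortify product), the following Python script applies the rules described above for report template XML: each ReportSection needs a Title and at least one SubSection, a results list sets listing="true" with chartType="list", a chart sets listing="false" with chartType table, pie, or bar, and $NAME$ text variables in Text elements are filled in from scan values. The <ReportDefinition> wrapper element, the function names, and the constructed scan values are assumptions made for this example.

```python
"""Check a legacy report template fragment and expand the text variables in it.

Added example, not code from the Fortify product. The <ReportDefinition> wrapper,
the function names and the constructed scan values are assumptions.
"""
import re
import xml.etree.ElementTree as ET

CHART_TYPES = {"list", "table", "pie", "bar"}   # chartType values named in the guide
VAR_RE = re.compile(r"\$([A-Z][A-Z_]*)\$")      # $TOTAL_FINDINGS$ style text variables

# Constructed template: the Results Outline section plus a New Issues pie chart.
SAMPLE_TEMPLATE = """<ReportDefinition>
  <ReportSection enabled="true" optionalSubsections="true">
    <Title>Results Outline</Title>
    <SubSection enabled="true">
      <Title>Overall number of results</Title>
      <Text>The scan found $TOTAL_FINDINGS$ issues.</Text>
    </SubSection>
    <SubSection enabled="true">
      <Title>Vulnerability Examples by Category</Title>
      <IssueListing limit="1" listing="true">
        <Refinement>[fortify priority order]:critical OR [fortify priority order]:high</Refinement>
        <Chart chartType="list"><Axis>Category</Axis></Chart>
      </IssueListing>
    </SubSection>
    <SubSection enabled="true">
      <Title>New Issues</Title>
      <Text>Issues discovered since the scan of $SCAN_DATE$:</Text>
      <IssueListing limit="-1" listing="false">
        <Refinement /><Chart chartType="pie"><Axis>New Issue</Axis></Chart>
      </IssueListing>
    </SubSection>
  </ReportSection>
</ReportDefinition>"""

# Constructed template containing the mistakes the checks are meant to catch.
BROKEN_TEMPLATE = """<ReportDefinition>
  <ReportSection enabled="true"><Title>Empty Section</Title></ReportSection>
  <ReportSection enabled="true">
    <Title>Mismatched Section</Title>
    <SubSection enabled="true"><Title>Not a list</Title>
      <IssueListing limit="1" listing="true">
        <Refinement /><Chart chartType="pie"><Axis>Category</Axis></Chart>
      </IssueListing>
    </SubSection>
    <SubSection enabled="true"><Title>Unknown chart</Title>
      <IssueListing limit="-1" listing="false">
        <Refinement /><Chart chartType="donut"><Axis>Category</Axis></Chart>
      </IssueListing>
    </SubSection>
  </ReportSection>
</ReportDefinition>"""

# Constructed scan values standing in for what the report generator would supply.
SCAN_VALUES = {"TOTAL_FINDINGS": 42, "SCAN_DATE": "2024-01-15"}


def validate_template(xml_text):
    """Return the list of rule violations found; an empty list means the template passes."""
    problems = []
    root = ET.fromstring(xml_text)
    for section in root.iter("ReportSection"):
        title = section.findtext("Title")
        if not title:
            problems.append("ReportSection without a Title element")
            title = "(untitled)"
        subsections = section.findall("SubSection")
        if not subsections:
            problems.append("section '%s' has no SubSection element" % title)
        for sub in subsections:
            sub_title = sub.findtext("Title") or "(untitled)"
            listing = sub.find("IssueListing")
            if listing is None:
                continue  # text subsection: nothing more to check
            chart = listing.find("Chart")
            chart_type = chart.get("chartType") if chart is not None else None
            if chart_type not in CHART_TYPES:
                problems.append("subsection '%s': unknown chartType %r" % (sub_title, chart_type))
                continue
            # listing="true" belongs with chartType="list"; listing="false" with table/pie/bar.
            if (listing.get("listing") == "true") != (chart_type == "list"):
                problems.append('subsection \'%s\': listing="%s" does not match chartType="%s"'
                                % (sub_title, listing.get("listing"), chart_type))
    return problems


def expand_text(xml_text, values):
    """Fill $NAME$ variables in every Text element; unknown names stay in place and are reported."""
    root = ET.fromstring(xml_text)
    expanded, unknown = {}, set()

    def replace(match):
        name = match.group(1)
        if name in values:
            return str(values[name])
        unknown.add(name)
        return match.group(0)

    for sub in root.iter("SubSection"):
        text = sub.findtext("Text")
        if text is not None:
            expanded[sub.findtext("Title") or "(untitled)"] = VAR_RE.sub(replace, text)
    return expanded, sorted(unknown)
```

Running validate_template on a template before copying it into <tools_install_dir>\Core\config\reports catches the listing/chartType mismatch that otherwise only shows up when the report is generated; expand_text reports which variables have no value so a Text element does not ship with a literal $NAME$ in it.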
Working with Audit Projects  
This section provides information about how to open an audit project, migrate audit data, merge audit  
data, audit projects collaboratively, and upload audit results to Fortify Software Security Center.  
Opening Audit Projects  
To open an audit project file:  
1. Open a solution or project.  
2. From the Fortify extension menu, select Open Audit Project.  
3. Browse to and select an audit project file (FPR, FVDL, or XML).  
4. Click Open.  
5. If the source code is not available in the FPR, you are prompted to select the root directory for  
your project's source code. Select the root folder, and then click OK.  
The Fortify Extension for Visual Studio displays the project in the auditing interface.  
Configuring the Default Filter Set for Auditing  
You can specify a default filter set to use with an audit project. Fortify Extension for Visual Studio  
uses this filter set every time you audit the project. The filter set must exist in the project template.  
Otherwise, the default filter set available in the audit project's template is used.  
To configure a default filter set for an audit project:  
1. From the Fortify extension menu, select Options.  
2. In the left pane, select Project Configuration.  
3. Select the Audit Options tab.  
The Audit Options tab is only visible if you have an audit project open.  
4. Specify the scope of the configuration by doing one of the following:  
• To configure the settings for the projects in the open solution only, select the Enable Project  
Specific Settings check box.  
• To change the default audit configuration for all projects scanned from this Visual Studio  
instance, click Configure Defaults.  
5. Make sure that Override default filter set on start with is selected, and then select a filter set  
from the list.  
About Merging Audit Data  
You can merge audit data into your project from another file. Audit data includes the custom tags and  
comments that were added to an issue. Comments are merged into a chronological list, while the  
custom tag values are updated.  
Note: Issues are not merged. Only the newer scanned issues are shown. Issues in the older file  
that are not in the newer file are marked as removed.  
Make sure that the projects you merge contain the same analysis information, that the scan was on  
the same source code (no missing libraries or files), the Fortify Static Code Analyzer options were the  
same, and the scan was performed with the same set of Fortify Secure Coding Rulepacks and custom  
Rulepacks.  
Merging Audit Data  
To merge audit projects:  
1. Open an audit project in Visual Studio.  
2. From the Fortify extension menu, select Merge Audit Projects.  
The Select Audit Project dialog box opens.  
3. Select an audit project (FPR, FVDL, or XML file), and then click Open.  
The audit projects are merged.  
4. To confirm the number of issues added or removed from the file, click OK.  
Note: If the scan is identical, the process does not add or remove issues.  
The audit project now contains all audit data from both files.  
Performing a Collaborative Audit  
You can audit a project in Fortify Software Security Center collaboratively with other Fortify Software  
Security Center users.  
To start a collaborative audit:  
1. If necessary, configure a connection to Fortify Software Security Center:  
a. From the Fortify extension menu, select Options.  
b. In the left pane, select Server Configuration.  
c. Under Software Security Center, specify the Server URL for Fortify Software Security  
Center.  
Tip: Click Test Connection to confirm that the URL is valid and you can successfully  
connect to the Fortify Software Security Center server.  
d. Click OK.  
2. If you already have an audit project open, close it.  
3. From the Fortify extension menu, select Open Collaborative Audit.  
4. If prompted, type your Fortify Software Security Center login credentials.  
For information about logging into Fortify Software Security Center, see "Logging in to Fortify  
5. In the Download Collaborative Audit dialog box, select an application version, and then click  
Select.  
The Fortify Extension for Visual Studio downloads the audit project file from Fortify Software  
Security Center and opens it in the auditing interface.  
6. Audit the project as described in "Auditing Issues" on page 58.  
7. When you complete the audit, select Upload Audit Project from the Fortify extension menu.  
Note: If necessary, update your audit permission settings from Fortify Software Security Center  
by selecting Refresh Permissions from the Fortify extension menu.  
Uploading Results to Fortify Software Security Center  
You can manually upload analysis results to Fortify Software Security Center any time after a scan is  
completed. However, before you do, a corresponding application version must already exist in Fortify  
Software Security Center.  
Important! If Fortify Software Security Center uses an SSL connection from an internal certificate  
authority or a self-signed certificate, you must import the Fortify Software Security Center  
certificate into the local Windows certificate store.  
Note: By default, Fortify Software Security Center ignores uploaded scans performed in quick  
scan mode. However, you can configure your Fortify Software Security Center application version  
so that it processes uploaded audit projects scanned in quick scan mode. For more information,  
see the analysis results processing rules in the OpenText™ Fortify Software Security Center User  
Guide.  
To upload results to Fortify Software Security Center:  
1. If necessary, configure a connection to Fortify Software Security Center:  
a. From the Fortify extension menu, select Options.  
b. In the left pane, select Server Configuration.  
c. Under Software Security Center, specify the Server URL for Fortify Software Security  
Center.  
Tip: Click Test Connection to confirm that the URL is valid and you can successfully  
connect to the Fortify Software Security Center server.  
d. Click OK.  
2. From the Fortify extension menu, select Upload Audit Project.  
3. If prompted, type your Fortify Software Security Center credentials.  
For information about logging into Fortify Software Security Center, see "Logging in to Fortify  
The Upload Audit Project dialog box lists the current applications.  
4. Select an application version, and then click Select.  
Note: If you are working on a collaborative audit for an application you just downloaded,  
then the audit project is automatically uploaded to the same application version. You are not  
prompted to select an application.  
Integrating with a Bug Tracker Application  
The Fortify Extension for Visual Studio provides a plugin interface to integrate with bug tracker  
applications. This enables you to file bugs directly from the Fortify Extension for Visual Studio. For a  
list of supported bug tracker applications, see the Fortify Software System Requirements document.  
Filing Bugs to Azure DevOps Server  
The Fortify Extension for Visual Studio supports integration with bug tracker applications so that you  
can file bugs directly to Azure DevOps Server. For a list of supported versions, see the Fortify  
Software System Requirements document.  
To file a bug to Azure DevOps Server:  
1. Open an audit project in Visual Studio.  
2. In the Analysis Results window, select an issue.  
3. In the Issue Auditing window, select the Audit tab, and then click File Bug.  
4. If this is the first time you have filed a bug, the Select Bug Tracker Integration dialog box opens.  
Do the following:  
a. Select Azure DevOps Server, and then click Select.  
b. Click Servers, and then click Add.  
c. In the Add Azure DevOps Server dialog box, provide the necessary information, and then  
click OK.  
d. Click Close to close the Add/Remove DevOps Server dialog box.  
e. In the Connect to Azure DevOps Server dialog box, select a server, a Team Project Collection,  
and a Team Project, and then click Connect.  
5. Specify the following information for your installation:  
Project: <team_project_name>  
WorkItem Type: Bug  
6. Click OK.  
7. (Optional) In the Azure DevOps Server dialog box, provide the information to file the bug report.  
8. Click File Bug.  
Troubleshooting  
The following topics provide information about how to troubleshoot problems you might encounter  
working with the Fortify Extension for Visual Studio.  
Enabling Debug Mode  
If you encounter any errors, you can enable debug mode to help troubleshoot. When you enable  
debug mode, Fortify Extension for Visual Studio writes additional information to the log files.  
To enable debug mode:  
1. Navigate to the <tools_install_dir>\Core\config folder and open the fortify.properties file in a  
text editor.  
2. You can either enable debug mode for all Fortify Software components or for specific  
components. Remove the comment tag (#) from in front of the property and set the value to  
true.  
Property                     Description  
#com.fortify.Debug=false     If set to true, all the Fortify Software components run in debug mode.  
#com.fortify.VS.Debug=false  If set to true, the Fortify Extension for Visual Studio runs in debug mode.  
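As an added example (not code from this guide or from the Fortify product), the following Python function makes the edit described in step 2 on the text of fortify.properties: it removes the comment tag from the named property and sets it to true, leaves every other line as it is, and can set the same property back to false afterwards. The function names and the constructed file contents are assumptions made for this example.

```python
"""Enable or disable a Fortify debug-mode property in fortify.properties text.

Added example, not code from the Fortify product. Function names and the sample file
contents are assumptions.
"""
import re

# Constructed excerpt of fortify.properties with both debug properties commented out.
SAMPLE_PROPERTIES = """# Debug settings (constructed sample)
#com.fortify.Debug=false
#com.fortify.VS.Debug=false
com.fortify.SomeOtherSetting=value
"""


def set_debug_property(text, key, enabled):
    """Return the properties text with `key` uncommented and set to true or false.

    The key is matched exactly (com.fortify.Debug does not match com.fortify.VS.Debug),
    whether or not its line currently starts with the comment tag #. Other lines are
    left untouched. If the key is absent, the line is appended so the setting takes effect.
    """
    line_re = re.compile(r"^[ \t]*#?[ \t]*" + re.escape(key) + r"[ \t]*=.*$", re.MULTILINE)
    new_line = "%s=%s" % (key, "true" if enabled else "false")
    if line_re.search(text):
        return line_re.sub(new_line, text, count=1)
    separator = "" if text.endswith("\n") or not text else "\n"
    return text + separator + new_line + "\n"


def debug_enabled(text, key):
    """True only when the key is present, not commented out, and set to true."""
    match = re.search(r"^[ \t]*" + re.escape(key) + r"[ \t]*=[ \t]*(\S+)[ \t]*$", text, re.MULTILINE)
    return bool(match) and match.group(1).lower() == "true"


if __name__ == "__main__":
    updated = set_debug_property(SAMPLE_PROPERTIES, "com.fortify.VS.Debug", True)
    print(updated)
    print("extension debug mode:", debug_enabled(updated, "com.fortify.VS.Debug"))
```

debug_enabled is the check to run after the edit: a property that is still commented out, or that was set on a different key, reports False, which is the usual reason a restarted extension still writes ordinary logs.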
Locating the Log Files  
To get help with diagnosing an issue, send the log files to Customer Support. On Windows systems,  
the log files are in the following folders:  
• C:\Users\<username>\AppData\Local\Fortify\VS<VSversion>-<version>\log  
• C:\Users\<username>\AppData\Local\Fortify\sca<version>\log  
The log files in this folder are only available if you analyze the code locally with Fortify Static Code  
Analyzer.  
• C:\Users\<username>\AppData\Local\Fortify\scancentral-<version>\log  
The log files in this folder are only available if you analyze the code with Fortify ScanCentral SAST.  
Chapter 3: Remediating Results from Fortify Software Security Center  
You can download audit results for your code from Fortify Software Security Center so that you can  
resolve security-related issues in Visual Studio.  
This section contains the following topics:  
Requirements for Remediating Results  
To remediate results from Fortify Software Security Center, you must have the following:  
• A Fortify Software Security Center URL  
• If your Fortify Software Security Center server uses an SSL connection from an internal certificate  
authority or a self-signed certificate, you must import the Fortify Software Security Center  
certificate into the local Windows certificate store.  
• A user account on the Fortify Software Security Center server that has permission to access  
application versions  
To log into Fortify Software Security Center, you can use a user name and password or an  
authentication token.  
• To audit issues in the analysis results, your user account must have audit permission.  
In addition to audit permissions, the following audit tasks require additional permissions:  
  • To add comments to issues or assign values to custom tags that require comments, your user  
  account must have the permission to comment on issues.  
  • To override issue priority, your user account must have the permission to edit restricted custom  
  tag values.  
Note: You do not need to specify a Fortify license file for the Fortify Extension for Visual Studio.  
Only Fortify Software Security Center requires a license file.  
Opening a Fortify Software Security Center Application  
To open an application version in the Fortify Extension for Visual Studio:  
1. If you have not already done so, configure a connection to a Fortify Software Security Center  
server:  
a. From the Fortify extension menu, select Options.  
b. In the left pane, select Server Configuration.  
c. Under Software Security Center, specify the Server URL for Fortify Software Security  
Center.  
Tip: Click Test Connection to confirm that the URL is valid and you can successfully  
connect to the Fortify Software Security Center server.  
d. Click OK.  
2. From the Fortify extension menu, select Connect to SSC.  
3. If prompted, type your Fortify Software Security Center login credentials.  
For information about logging into Fortify Software Security Center, see "Logging in to Fortify  
4. In the Select Application Version dialog box, select an application version to open, and then click  
OK.  
The Fortify Extension for Visual Studio downloads the analysis results for the application version from  
Fortify Software Security Center.  
Note: To open a different application version in Fortify Software Security Center, reselect Fortify  
> Connect to SSC from the Fortify extension menu.  
Viewing Analysis Results from Fortify Software Security Center  
After you open an application version, you can see the analysis results in the Fortify Remediation  
window. This window displays all security issues, organized in folders (color-coded tabs) in an issue  
list.  
Folders contain logically defined sets of issues. For example, the Critical folder contains all critical  
issues for an application. Similarly, the Low folder contains all low-priority issues.  
Filters determine which issues are visible. The filters are organized into distinct groups called filter  
sets. An issue template can contain definitions for multiple filter sets. You can use multiple filter sets  
to change the sorting and visibility of issues.  
To remediate issues, the project you have open in Visual Studio must correspond to the application  
version you opened in Fortify Software Security Center (see "Opening a Fortify Software Security  
Viewing and Selecting Issues  
To view and select issues in an opened application version:  
1. From the Group By list, select an attribute for sorting issues in all visible folders into groups.  
The default grouping is Category. For a description of the available Group By attributes, see  
2. To filter the issues within the selected grouping:  
a. From the Filter By list, select a filter category.  
b. To refine the issues further, select a filter option from the list to the right of the selected filter  
category.  
3. By default, issues assigned to your Fortify Software Security Center user name are visible. To see  
issues assigned to all users, click Clear.  
To see issues assigned to a specific user, do the following:  
a. Click Select User.  
b. In the Select User dialog, select a user name, and then click OK.  
Only issues assigned to the selected user are shown in the Fortify Remediation window.  
Tip: To see only issues assigned to you, from the Filter By list, select Assignments and My  
Assignments.  
4. Click a folder (tab) to view the associated issues.  
Note: The folders shown depend on your Group By, Filter By, Assigned User, and Filter  
Set selections. It is possible that not all folders are shown. The folders shown also depend  
on the issue template associated with the application version.  
The following table describes the folders that are visible when the Security Auditor View filter  
set is selected.  
Folder - Description  
Critical - This folder contains issues that have a high impact and a high likelihood of occurring. Issues at this risk level are easy to discover and to exploit and represent the highest security risk to a program. Remediate critical issues immediately.  
High - This folder contains issues that have a high impact and a low likelihood of occurring. High-priority issues are often difficult to discover and exploit, but can result in much asset damage. They represent a significant security risk to a program. Remediate these issues with the next patch release.  
Medium - This folder contains issues that have a low impact and a high likelihood of exploitation. Medium-priority issues are easy to discover and exploit but often result in little asset damage. These issues represent a moderate security risk to a program. Remediate these issues as time permits.  
Low - This folder contains issues that have a low impact and a low likelihood of exploitation. Low-priority issues are potentially difficult to discover and to exploit and typically result in little asset damage. These issues represent a minor security risk to the program. Remediate these issues as time permits.  
All - This folder contains all the issues.  
Within each color-coded folder, issues are grouped into subfolders. At the end of each folder  
name, enclosed in brackets, is the number of audited issues and the total number of issues in the  
folder. For example, a folder with the name Command Injection - [1 / 3] indicates that one issue  
out of three categorized as Command Injection has been audited.  
5. Expand the Advanced Filter Options section to access the filter set and issue visibility settings.  
6. From the Filter Set list, select a filter to apply:  
• Select Security Auditor View to list all issues relevant to a security auditor.  
• Select Quick View to list only issues in the Critical folder (these have a potentially high  
impact and a high likelihood of occurring) and the High folder (these have a potentially high  
impact and a low likelihood of occurring).  
Note: You might see different filter sets depending on the filter sets associated with the  
application you opened.  
7. Click to expand a folder and view the associated issues.  
The Fortify Extension for Visual Studio retrieves the corresponding issues from Fortify Software  
Security Center.  
8. Click an issue name to view the issue information.  
Note: Selecting the check box for an issue opens the Bulk Audit tab where you can add  
audit information for multiple issues.  
Grouping Issues  
The items visible in the Fortify Remediation window issues list vary depending on the selected  
grouping attribute. The attribute you select from the Group By list sorts issues in all visible folders  
into subfolders. Use the Group By attributes to group and view the issues in different ways. The  
following table describes the available Group By attributes.  
Attribute - Description  
Analysis - Groups issues by the audit analysis value assigned, such as Suspicious, Exploitable, and Not an Issue.  
Analysis Type - Groups issues by analyzer product, such as SCA, WEBINSPECT, and SECURITYSCOPE (WebInspect Agent).  
Analyzer - Groups issues by analyzer group, such as Control Flow, Data Flow, Semantic, and Structural.  
App Defender Protected - Groups issues by whether Application Defender can protect the vulnerability category.  
Category - Groups issues by vulnerability category. This is the default setting.  
<custom_tagname> - Groups issues by the selected custom tag.  
Engine Priority - Groups issues based on the original priority value determined by the engine that identified the issue.  
File Name - Groups issues by file name.  
Folder - Groups issues by folders defined in the issue template.  
Fortify Priority Order - Groups issues as Critical, High, Medium, and Low based on issue priority.  
Introduced date - Groups issues by the date the issue was first detected.  
Issue State - Groups audited issues by whether the issue is an open issue or not an issue based on the level of analysis set for the primary tag. Values equivalent to suspicious and exploitable are considered open issue states.  
Kingdom - Groups issues by the Seven Pernicious Kingdoms classification.  
Manual - Groups issues by whether they were manually created by penetration test tools, and not automatically produced by a web crawler such as OpenText™ Fortify WebInspect.  
<metadata_listname> - Groups issues using the alternative metadata external list names (for example, OWASP Top 10 <year>, CWE, PCI SSF <version>, STIG <version>, and others).  
New Issue - Shows which issues are new since the last scan. For example, if you run a new scan, any issues that are new display in the tree under the NEW group and the others are displayed in the UPDATED group. If removed issues are visible, issues not found in the latest scan are displayed in the REMOVED list.  
Package - Groups issues by package or namespace. Does not appear for projects for which this option is not applicable, such as C projects.  
Primary Context - Groups issues where the primary location or sink node function call occurs in the same code context.  
Priority Override - Groups issues by the Priority Override tag value assigned.  
Sink - Groups issues that share the same dataflow sink functions.  
Source - Groups issues that share the same dataflow source functions.  
Source Context - Groups dataflow issues that have the source function call contained in the same code context.  
Source File - Groups dataflow issues by the source code file where the taint originated.  
Status - Groups issues by the audit status (Reviewed, Unreviewed, or Under Review).  
Taint Flag - Groups issues by the taint flags that they contain.  
URL - Groups dynamic issues by the request URL.  
Customizing Issue Visibility  
You can customize the Fortify Remediation window to determine which issues it displays.  
To customize the display of hidden, removed, and suppressed issues:  
1. In the Fortify Remediation window, expand the Advanced Filter Options section.  
2. Select or clear the following options:  
• To display all hidden issues, select Show Hidden.  
Note: The visibility filter settings in the issue template associated with the application  
version determine which issues are hidden.  
• To display all issues that were detected in the previous analysis, but no longer exist, select  
Show Removed.  
• To display all suppressed issues, select Show Suppressed.  
Note: Users who audit issues can suppress specific types of issues that are not considered  
high priority or of immediate concern. For example, auditors can suppress issues that are  
fixed, or issues that your organization plans not to fix.  
The Fortify Remediation window displays issues based on your selection.  
Note: You can also specify the issue visibility settings from the Options dialog box (from the  
Fortify extension menu, select Options, and then select Remediation Configuration in the left  
pane).  
Searching for Issues  
In the Fortify Remediation window, you can use the search box located below the issues list to search  
for issues.  
To perform a search, type a search query in the search box, and then press Enter.  
The Fortify Remediation window displays the search results.  
Search Syntax  
To indicate the type of comparison to perform for a search in the Fortify Remediation window, wrap  
the search terms with delimiters. The following table shows the syntax to use for the search string.  
Comparison: Description  
contains: Searches for a term without any qualifying delimiters.  
equals: Searches for an exact match if the term is wrapped in quotation marks ("").  
number range: Searches for a range of numbers using the standard mathematical interval  
notation of parentheses and/or brackets to indicate whether the endpoints are excluded or  
included, respectively.  
Example: (2,4] indicates greater than two and less than or equal to four.  
not equals: Excludes issues specified by the string by preceding the string with an  
exclamation character (!).  
Example: file:!Main.java returns all issues that are not in Main.java.  
You can further qualify search terms with modifiers. The syntax for using a modifier is  
<modifier>:<search_term>. For more information, see "Search Modifiers" below.  
A search string can contain multiple modifiers and search terms. If you specify more than one  
modifier, the search returns only issues that match all the modified search terms. For example,  
file:ApplicationContext.java category:SQL Injection returns only SQL injection issues  
found in ApplicationContext.java.  
If you use the same modifier more than once in a search string, then the search terms qualified by  
those modifiers are treated as an OR comparison. For example, file:ApplicationContext.java  
category:SQL Injection category:Cross-Site Scripting returns SQL injection issues and  
cross-site scripting issues found in ApplicationContext.java.  
For complex searches, you can also insert the AND or the OR keyword between your search queries.  
Note that AND and OR operations have the same priority in searches.  
Search Modifiers  
You can use a search modifier to specify to which issue attribute the search term applies. To use a  
modifier that contains a space in the name, such as the name of the custom tag, you must enclose the  
modifier in brackets. For example, to search for issues that are new, type [issue age]:new.  
A search that is not qualified by a modifier matches the search string on the following attributes:  
kingdom, primary rule id, analyzer, filename, severity, class name, function name, instance id, package,  
confidence, type, subtype, taint flags, category, sink, and source.  
The following examples describe using the search with and without applying a search modifier:  
- To apply the search to all modifiers, type a string, such as control flow. This searches all the  
modifiers and returns any results that contain the “control flow” string.  
- To apply the search to a specific modifier, type the modifier name and the string as follows:  
analyzer:control flow. This returns all results detected by the Control Flow Analyzer.  
The following table describes the search modifiers. A few modifiers have a shortened modifier name  
indicated in parentheses. You can use either modifier name.  
Search Modifier (Issue Attribute): Description  
accuracy: Searches for issues based on the accuracy value specified (0.1 through 5.0).  
analysis: Searches for issues that have the specified audit analysis value, such as exploitable,  
not an issue, and so on.  
[analysis type]: Searches for issues by analyzer product, such as SCA and WEBINSPECT.  
analyzer: Searches the issues for the specified analyzer, such as control flow, data flow,  
structural, and so on.  
[app defender protected] (def): Searches for issues based on whether Application Defender can  
protect the vulnerability category (protected or not protected).  
audience: Searches for issues based on intended audience, such as dev, targeted, medium, broad,  
and so on.  
Note: This metadata is legacy information that is no longer used and will be removed in a future  
release. Fortify recommends that you do not use this search modifier.  
audited: Searches the issues to find true if the primary tag is set and false if the primary tag  
is not set. The default primary tag is the Analysis tag.  
category (cat): Searches for the given category or category substring.  
class: Searches for issues based on the specified class name.  
comments (comment, com): Searches the comments submitted on the issue.  
commentuser: Searches for issues with comments from a specified user.  
confidence (con): Searches for issues that have the specified confidence value. Fortify Static  
Code Analyzer calculates the confidence value based on the number of assumptions made in code  
analysis. The more assumptions made, the lower the confidence value.  
<custom_tagname>: Searches for issues based on the value of the specified custom tag.  
You can search a list-type custom tag using a range of values. The values of a list-type custom  
tag are an enumerated list where the first value is 0, the second is 1, and so on. You can use  
the search syntax for a range of numbers to search for ranges of list-type custom tag values.  
For example, analysis: [0,2] returns the issues that have the values of the first three Analysis  
values, 0, 1, and 2 (Not an Issue, Reliability Issue, and Bad Practice).  
To search for a specific date in a date-type custom tag, specify the date in the format  
yyyy-mm-dd.  
To search for issues that have no value set for a custom tag, use <none> as the search term.  
For example, to search for all issues that have no value set in the custom tag labeled Target  
Date, type: [Target Date]:<none>.  
dynamic: Searches for issues that have the specified dynamic hot spot ranking value.  
[engine priority]: Searches for issues based on the original priority value determined by the  
engine that identified the issue.  
file: Searches for issues where the primary location or sink node function call occurs in the  
specified file path.  
[fortify priority order]: Searches for issues that have a priority level that matches the  
specified issue priority. Valid values are critical, high, medium, and low.  
historyuser: Searches for issues that have audit data modified by the specified user.  
impact: Searches for issues based on the impact value specified (0.1 through 5.0).  
[instance id]: Searches for an issue based on the specified instance ID.  
[issue age]: Searches for the issue age, which is new, updated, reintroduced, or removed.  
[issue state]: Searches for audited issues based on whether the issue is an open issue or not an  
issue (determined by the level of analysis set for the primary tag).  
kingdom: Searches for all issues in the specified kingdom.  
likelihood: Searches for issues based on the specified likelihood value (0.1 through 5.0).  
line: Searches for issues on the primary location line number. For dataflow issues, the value is  
the sink line number.  
maxconf: Searches for all issues that have a confidence value up to and including the number  
specified as the search term.  
minconf: Searches for all issues that have a confidence greater than or equal to the specified  
value.  
<metadata_listname>: Searches for issues based on the value of the specified metadata external  
list. Metadata external lists include [owasp top ten <year>], [cwe top 25 <version>],  
[pci ssf <version>], [stig <version>], and others.  
package: Searches for issues where the primary location occurs in the specified package or  
namespace. (For dataflow issues, the primary location is the sink function.)  
[primary context]: Searches for issues where the primary location or sink node function call  
occurs in the specified code context.  
primary: Searches for issues that have the specified primary tag value. By default, the primary  
tag is the Analysis tag.  
primaryrule (rule): Searches for all issues related to the specified sink rule.  
[priority override]: Searches for all issues that have the specified Priority Override tag  
value. Valid values are critical, high, medium, and low.  
probability: Searches for issues based on the probability value specified (1.0 through 5.0).  
[remediation effort]: Searches for issues based on the remediation effort value specified. The  
valid values are whole numbers from 1.0 to 12.0.  
severity (sev): Searches for issues based on the specified severity value (legacy metadata).  
sink: Searches for issues that have the specified sink function name.  
source: Searches for dataflow issues that have the specified source function name. Also see  
"[source context]" below.  
[source context]: Searches for dataflow issues that have the source function call contained in  
the specified code context. Also see "source" above.  
sourcefile: Searches for dataflow issues with the source function call that the specified file  
contains. Also see "file" above.  
sourceline: Searches for dataflow issues having taint source entering the flow on the specified  
line. Also see "line" above.  
status: Searches issues that have the status reviewed, unreviewed, or under review.  
suppressed: Searches for suppressed issues.  
taint: Searches for issues that have the specified taint flag.  
url: Searches for issues based on the specified URL.  
user: Searches for issues assigned to the specified user.  
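The rules from "Search Syntax" and "Search Modifiers" above, implemented as an added evaluator that runs the documented comparisons over constructed issue records (example code written for this guide, not part of the Fortify extension). It covers bare terms, quoted exact matches, ! negation, interval ranges, <none>, repeated-modifier OR, cross-modifier AND, and the equal-priority AND/OR keywords; the attribute names and the sample issues are assumptions.

```python
import re

# Attributes an unmodified term is matched against (a subset of the page's list).
UNMODIFIED_ATTRS = ("kingdom", "analyzer", "file", "category", "sink", "source")
TOKEN_RE = re.compile(r"\[[^\]]+\]:\S*|\S+")                     # keeps "[issue age]:new" whole
TERM_RE = re.compile(r"^(?:\[([^\]]+)\]|([A-Za-z_]\w*)):(.*)$")    # <modifier>:<search_term>
INTERVAL_RE = re.compile(r"^([(\[])\s*(-?\d+(?:\.\d+)?)\s*,\s*(-?\d+(?:\.\d+)?)\s*([)\]])$")

# Constructed sample issues (not output of a real scan); list-type tag "analysis" is an index.
ISSUES = [
    {"id": 1, "file": "ApplicationContext.java", "category": "SQL Injection", "analyzer": "data flow",
     "kingdom": "Input Validation and Representation", "confidence": 4.5, "analysis": 0,
     "sink": "executeQuery", "source": "getParameter", "target date": None},
    {"id": 2, "file": "ApplicationContext.java", "category": "Cross-Site Scripting: Reflected",
     "analyzer": "data flow", "kingdom": "Input Validation and Representation", "confidence": 3.0,
     "analysis": 2, "sink": "println", "source": "getParameter", "target date": "2024-06-01"},
    {"id": 3, "file": "Main.java", "category": "Null Dereference", "analyzer": "control flow",
     "kingdom": "Code Quality", "confidence": 2.0, "analysis": 4, "sink": None, "source": None,
     "target date": None},
]


def split_terms(clause):
    """Split a clause into (modifier, value) pairs; an unmodified term has modifier None.
    A value runs until the next modifier token, so 'category:SQL Injection' is one term."""
    terms = []
    for tok in TOKEN_RE.findall(clause):
        m = TERM_RE.match(tok)
        if m:
            terms.append([m.group(1) or m.group(2), m.group(3)])
        elif terms:
            terms[-1][1] += " " + tok
        else:
            terms.append([None, tok])
    return [(mod, val.strip()) for mod, val in terms]


def matches_value(actual, pattern):
    """Apply one comparison from the syntax table to a single attribute value."""
    if pattern == "<none>":                       # custom tag with no value set
        return actual in (None, "")
    if pattern.startswith("!"):                   # not equals: exclude what the rest matches
        return not matches_value(actual, pattern[1:])
    if actual is None:
        return False
    m = INTERVAL_RE.match(pattern)
    if m and isinstance(actual, (int, float)):    # number range in interval notation
        lo, hi = float(m.group(2)), float(m.group(3))
        lo_ok = actual > lo if m.group(1) == "(" else actual >= lo
        hi_ok = actual < hi if m.group(4) == ")" else actual <= hi
        return lo_ok and hi_ok
    text = str(actual).lower()
    if len(pattern) >= 2 and pattern[0] == pattern[-1] == '"':   # equals: exact match
        return text == pattern[1:-1].lower()
    return pattern.lower() in text                # contains: plain substring match


def clause_matches(issue, clause):
    """Repeated modifier: OR across its terms. Distinct modifiers (or a bare term): AND."""
    groups = {}
    for mod, val in split_terms(clause):
        groups.setdefault(mod, []).append(val)
    for mod, vals in groups.items():
        if mod is None:   # bare term: any of the unmodified attributes may match
            ok = all(any(matches_value(issue.get(a), v) for a in UNMODIFIED_ATTRS) for v in vals)
        else:
            ok = any(matches_value(issue.get(mod.lower()), v) for v in vals)
        if not ok:
            return False
    return True


def search(issues, query):
    """Return ids of matching issues. AND and OR share one priority and bind left to right,
    so 'a OR b AND c' is evaluated as '(a OR b) AND c'."""
    parts = re.split(r"\s+(AND|OR)\s+", query.strip())
    hits = []
    for issue in issues:
        acc = clause_matches(issue, parts[0])
        for op, clause in zip(parts[1::2], parts[2::2]):
            rhs = clause_matches(issue, clause)
            acc = (acc and rhs) if op == "AND" else (acc or rhs)
        if acc:
            hits.append(issue["id"])
    return hits
```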
Viewing Issue Information  
After you select an issue, the Fortify Extension for Visual Studio displays the issue-specific content on  
the Audit, Recommendations, Details, and History tabs. If you select multiple issues, Fortify  
Extension for Visual Studio displays the Bulk Audit tab (see "Auditing Multiple Issues" on page 104).  
Audit Tab  
The Fortify Remediation window Audit tab provides a dashboard of analysis information for the  
selected issue.  
Note: Any changes you make on the Audit tab are automatically uploaded to the application  
version in Fortify Software Security Center.  
The following table describes the Audit tab features.  
Element: Description  
User: The user assigned to the selected issue. If the box is empty, no user is assigned to the  
selected issue. To assign a user to the issue, see "Auditing  
Analysis: Your assessment for the selected issue. To change the assessment, select an item from  
the list. This is the primary tag as defined in Fortify Software Security Center. The default  
name of this tag is Analysis, but it might be different for your organization.  
<custom_tagname>: Any custom tags your organization has defined in Fortify Software Security  
Center. If available, these are displayed below the Analysis (primary) tag.  
If the audit results have been submitted to Fortify Audit Assistant in Fortify Software Security  
Center, then in addition to any other custom tags, the tab displays the following tags:  
- AA_Prediction: Exploitability level that Fortify Audit Assistant assigned to the issue. You  
cannot modify this tag value.  
- AA_Confidence: Confidence level from Fortify Audit Assistant for the accuracy of its  
AA_Prediction value. You cannot modify this tag value.  
- AA_Training: Whether to include or exclude the issue from Fortify Audit Assistant training.  
You can modify this value.  
For more information about Fortify Audit Assistant, see the OpenText™ Fortify Software Security  
Center User Guide.  
Comments (bottom left): Any additional information added to the issue. For instructions on how to  
File Path (top right): The path to the location of the source file for the selected issue.  
Issue Abstract (below File Path): A summary of the selected issue.  
Analysis Trace (bottom right): The items of evidence that the analyzer uncovered. The analysis  
trace is presented in the order it was discovered. For information about the Analysis  
Recommendations Tab  
The Recommendations tab provides suggestions and examples that show how to secure a  
vulnerability or remedy a bad practice. The following table describes the tab sections.  
Section: Description  
Recommendations/Custom Recommendations: Describes possible solutions for the selected issue. It  
can also include examples and recommendations defined by your organization.  
Tips/Custom Tips: Provides useful information specific to the selected issue, and any custom tips  
defined by your organization.  
References/Custom References: Lists references for the recommendations provided, including any  
custom references defined by your organization.  
Details Tab  
The Details tab provides an abstract of the selected issue description. It might also provide more  
detailed explanations, including examples with descriptive text and code samples. The following table  
describes the tab sections.  
Section: Description  
Abstract/Custom Abstract: Displays a summary description of the selected issue, including custom  
abstracts defined by your organization.  
Explanation/Custom Explanation: Displays a description of the conditions under which an issue of  
the selected type occurs. This includes a discussion of the vulnerability, the constructs  
typically associated with it, ways in which attackers can exploit it, and the potential  
ramifications of an attack. This section also provides custom explanations defined by your  
organization.  
Instance ID: A unique identifier for the issue.  
Primary Rule ID: The identifier for the primary rule that found the issue.  
Priority Metadata Values: Priority metadata values for an issue.  
Legacy Priority Metadata Values: Legacy priority metadata values for an issue.  
History Tab  
The History tab displays a history of audit actions, including details such as the time and date, and  
the name of the user who modified the issue.  
Locating Issues in Source Code  
Because the Fortify Extension for Visual Studio works as an extension to your Visual Studio IDE, you  
can use it to locate security-related issues in your code. Make sure that the revision of the source code  
open in Visual Studio corresponds to the application version you opened on Fortify Software Security  
Center.  
To locate an issue in the source code, do either of the following:  
- From a folder in the Fortify Remediation window, select an issue.  
- From the Audit tab, select a step from the Analysis Trace.  
The Fortify Extension for Visual Studio jumps to the line of code that contains the security-related  
issue in Visual Studio.  
Auditing Analysis Results  
After you select and review an issue, you can assign audit information on the Audit tab. To audit  
multiple selected issues in batch, see "Auditing Multiple Issues" below. To see any updates  
to the audit information made in Fortify Software Security Center, click Refresh.  
To audit an issue:  
1. From a folder in the Fortify Remediation window, click an issue.  
2. To assign a user to the issue, do one of the following:  
- Click Assign Issue to User, select a user name from the Select User dialog box, and then  
click OK.  
- Click Claim to assign the issue to yourself.  
To remove an assigned user, click Unassign Issue.  
3. From the Analysis list, select a value that reflects your assessment of this issue.  
This is the primary tag defined in Fortify Software Security Center. The default name of this tag is  
Analysis, but it might be different for your organization.  
4. If the priority override capability is enabled on Fortify Software Security Center, you can override  
the priority value for the issue as follows:  
a. From the Priority Override list, select the preferred priority value.  
b. Explain why you changed the value in the Add Comment for Issue dialog box.  
c. Click OK.  
The Priority changes to the value you selected. A warning symbol indicates that the  
Fortify-determined priority value was changed.  
Note: The issue is not automatically visible in the newly assigned priority folder until the  
application metrics are refreshed on Fortify Software Security Center.  
5. If additional custom tags are associated with the application version, specify values for those  
tags.  
The Fortify Extension for Visual Studio displays all custom tags assigned to the application;  
however, you can only provide values for tags that your Fortify Software Security Center user  
account has permission to edit. Use the following instructions to provide values for custom tags:  
- For text- and decimal-type custom tags, type the value in the box, and then click Save.  
Text-type custom tags accept up to 500 characters (HTML/XML tags and newlines are not  
allowed).  
- For date-type custom tags, type a date or click Select Date to select a date from a calendar.  
- For an extensible list-type custom tag, you can add a new value to the tag by clicking Add  
Value. You can then assign this new value to the custom tag by selecting it from the list.  
If any tag requires a comment, then after you provide a value for the tag, the Add Comment for  
Issue dialog box opens. In the Comment box, type a comment to describe the value you specified  
for the tag, and then click OK.  
6. To add a comment for the issue audit:  
a. Click Add Comment.  
b. In the Add Comment for Issue dialog box, type a comment, and then click OK.  
The Fortify Extension for Visual Studio makes the updates to the application version on Fortify  
Software Security Center.  
Auditing Multiple Issues  
You can evaluate and assign audit information to a group of issues. To audit a single issue on the  
Audit tab, see "Auditing Analysis Results" above. To see any updates to the audit  
information made in Fortify Software Security Center, click Refresh.  
To audit multiple issues:  
1. In the Fortify Remediation window, select multiple issues (by selecting the check box for each  
issue) to which you want to add the same audit information.  
You can select one or more issues in the selected folder (tab). Switching to a different folder  
(tab) clears any previously selected issues. When you select multiple issues, Fortify Extension for  
Visual Studio displays the Bulk Audit tab.  
Tip: Right-click an issue to clear all the selected issues or to select all issues in the current  
folder (tab).  
2. To assign a user to the selected issues, do one of the following:  
- Click Assign Issue to User, select a user name from the Select User dialog box, and then  
click OK.  
- Click Claim to assign the issues to yourself.  
To remove an assigned user, click Unassign Issue.  
3. From the Analysis list, select a value that reflects your assessment of this issue.  
This is the primary tag defined in Fortify Software Security Center. The default name of this tag is  
Analysis, but it might be different for your organization.  
4. If additional custom tags are associated with the application version, specify values for those  
tags.  
The Fortify Extension for Visual Studio displays all custom tags assigned to the application;  
however, you can only provide values for tags that your Fortify Software Security Center user  
account has permission to edit.  
Use the following instructions to provide values for custom tags:  
- For text- and decimal-type custom tags, type the value in the box.  
Text-type custom tags accept up to 500 characters (HTML/XML tags and newlines are not  
allowed).  
- For date-type custom tags, type a date or click Select Date to select a date from a calendar.  
If any tag requires a comment, then after you provide a value for the tag, you must type a  
comment in the comment box that appears below the tag box.  
5. To add a comment for the audit of these issues, type the content in the Comment box.  
6. Click Save.  
The Fortify Extension for Visual Studio makes the updates to the application version in Fortify  
Software Security Center.  
Suppressing Issues  
You can suppress issues that are either fixed or that you do not plan to fix. Suppression marks the  
issue and all future discoveries of this issue as suppressed. As such, it is a semi-permanent marking of  
a vulnerability.  
To suppress an issue:  
1. From a folder in the Fortify Remediation window, select one or more issues.  
2. On the Audit or Bulk Audit tab, click Suppress.  
3. (Optional) In the Suppress Issues dialog box, describe the reason for suppressing the issue.  
4. Click OK to confirm the issue suppression.  
To unsuppress an issue:  
1. Make sure that suppressed issues are visible.  
To display issues that have been suppressed, see "Customizing Issue Visibility" on page 93.  
2. From a folder in the Fortify Remediation window, select one or more suppressed issues.  
3. On the Audit or Bulk Audit tab, click Unsuppress.  
4. (Optional) In the Suppress Issues dialog box, describe the reason for unsuppressing the issue.  
5. Click OK to confirm the issue unsuppression.  
Send Documentation Feedback  
If you have comments about this document, you can contact the documentation team by email.  
Note: If you are experiencing a technical issue with our product, do not email the documentation  
team. Instead, contact Customer Support at https://www.microfocus.com/support so they can  
assist you.  
If an email client is configured on this computer, click the link above to contact the documentation  
team and an email window opens with the following information in the subject line:  
Feedback on User Guide (Fortify Extension for Visual Studio 24.2.0)  
Just add your feedback to the email and click send.  
If no email client is available, copy the information above to a new message in a web mail client, and  
send your feedback to fortifydocteam@opentext.com.  
We appreciate your feedback!  