 

Fortify scans over multiple machines

Tags:

fortify

We work in a team and run Fortify software on our machines locally. We all have our project code set up in different root directories, e.g. I have the project code at C:\work\development\, a few of my colleagues have something like C:\Development\mainCodeLine\, etc. i.e. the root folder where the project code resides differs. Initially only I was working on Fortify, but now there are many members of the team running Fortify. We currently share the FPR file that is saved in the repository. We download it from the repository and run SCA commands over the same file so as to retain details like hidden/suppressed issues. Over a period of time we observed that:

  1. The Unique Instance ID that gets generated is unique over a single machine only, i.e. the Unique Instance ID remains the same across scans on my machine only, and it changes when the scan is carried out on my team-mate's machine. Is there any way we can configure Fortify to keep it the same over multiple scans on multiple machines? Because of this we can't use the Unique Instance ID in the filter file.

  2. If my team-mate and I run scans in parallel on 2 separate machines on the same code (only the project's root directory differs, as stated earlier), then is there any way we can integrate these 2 reports?

smitendu asked Feb 17 '23 15:02


1 Answer

There are indeed methods to combine scan results generated on different machines. I believe that the best way to accomplish this is to utilize the Fortify Software Security Center (SSC). Users conduct "fresh" scans each time, and when uploaded into a project in SSC, they will be merged - retaining any previous auditing information.

An alternative approach is to use the command-line FPRUtility. (I don't have an install in front of me at the moment so the name might be slightly off, but it's in the bin directory along with sourceanalyzer and auditworkbench). The -h option should provide the info to get started merging FPRs.

Hope this helps.

xelco52 answered Mar 29 '23 19:03
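Before merging two FPRs produced on different machines, it is worth checking how the findings actually line up, since the question reports that Instance IDs differ per machine. The script below is an added example, not code from the question, the answer or Fortify: it opens two FPRs (an FPR is a zip archive whose scan results live in audit.fvdl), pulls out each vulnerability's category, Instance ID and primary source location, and then correlates the two result sets twice, once by Instance ID and once by (category, root-relative path, line). The FVDL element layout assumed here (Vulnerability/ClassInfo/Type, InstanceInfo/InstanceID, a SourceLocation node with path and line attributes) and the two sample FPRs, their project roots and their Instance IDs are all constructed for the example.

```python
"""Correlate findings across two Fortify FPRs scanned from different project roots."""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Namespace of audit.fvdl inside an FPR (assumption: matches current SCA output).
FVDL_NS = "xmlns://www.fortifysoftware.com/schema/fvdl"
NS = {"f": FVDL_NS}

Finding = Tuple[str, str, int]  # (category, absolute source path, line)


def read_findings(fpr_bytes: bytes) -> Dict[str, Finding]:
    """Return {InstanceID: (category, path, line)} for every <Vulnerability> in audit.fvdl."""
    with zipfile.ZipFile(io.BytesIO(fpr_bytes)) as zf:
        root = ET.fromstring(zf.read("audit.fvdl"))
    findings: Dict[str, Finding] = {}
    for vuln in root.iterfind(".//f:Vulnerability", NS):
        iid = vuln.findtext("f:InstanceInfo/f:InstanceID", namespaces=NS)
        cat = vuln.findtext("f:ClassInfo/f:Type", namespaces=NS)
        loc = vuln.find(".//f:SourceLocation", NS)  # first (primary) location
        path = loc.get("path", "") if loc is not None else ""
        line = int(loc.get("line", "0")) if loc is not None else 0
        findings[iid] = (cat, path, line)
    return findings


def relative_key(finding: Finding, root: str) -> Finding:
    """Normalise to (category, path relative to the project root, line).

    Slashes and case are folded so C:\\work\\development\\src\\A.java and
    C:/Development/mainCodeLine/src/A.java both reduce to src/a.java.
    """
    cat, path, line = finding
    p = path.replace("\\", "/").lower()
    r = root.replace("\\", "/").lower().rstrip("/") + "/"
    if p.startswith(r):
        p = p[len(r):]
    return (cat, p, line)


def compare_fprs(a: bytes, root_a: str, b: bytes, root_b: str) -> dict:
    """Match findings by Instance ID, then by root-relative location for IDs that differ."""
    fa, fb = read_findings(a), read_findings(b)
    ka = {relative_key(v, root_a): k for k, v in fa.items()}
    kb = {relative_key(v, root_b): k for k, v in fb.items()}
    return {
        "same_id": sorted(set(fa) & set(fb)),
        # Same category/file/line on both machines but a different Instance ID.
        "same_location_different_id": sorted(
            (ka[k], kb[k]) for k in set(ka) & set(kb) if ka[k] != kb[k]
        ),
        "only_a": sorted(set(fa) - set(fb)),
        "only_b": sorted(set(fb) - set(fa)),
    }


def build_fpr(root: str, findings: List[Tuple[str, str, str, int]]) -> bytes:
    """Constructed minimal FPR: a zip holding only audit.fvdl (real FPRs contain more files)."""
    vulns = "".join(
        f"<Vulnerability><ClassInfo><Type>{cat}</Type></ClassInfo>"
        f"<InstanceInfo><InstanceID>{iid}</InstanceID></InstanceInfo>"
        f"<AnalysisInfo><Unified><Trace><Primary><Entry><Node>"
        f'<SourceLocation path="{root}{rel}" line="{line}"/>'
        f"</Node></Entry></Primary></Trace></Unified></AnalysisInfo></Vulnerability>"
        for iid, cat, rel, line in findings
    )
    fvdl = (f'<?xml version="1.0"?><FVDL xmlns="{FVDL_NS}">'
            f"<Vulnerabilities>{vulns}</Vulnerabilities></FVDL>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("audit.fvdl", fvdl)
    return buf.getvalue()


# Constructed sample: the same two findings scanned from two different checkout roots.
# The Path Manipulation finding keeps its ID; the SQL Injection finding gets a new one.
ROOT_A = "C:\\work\\development\\"
ROOT_B = "C:\\Development\\mainCodeLine\\"
FPR_A = build_fpr(ROOT_A, [("1A2B3C4D", "SQL Injection", "src\\Login.java", 42),
                           ("5E6F7A8B", "Path Manipulation", "src\\Files.java", 17)])
FPR_B = build_fpr(ROOT_B, [("9C0D1E2F", "SQL Injection", "src\\Login.java", 42),
                           ("5E6F7A8B", "Path Manipulation", "src\\Files.java", 17)])

if __name__ == "__main__":
    for key, value in compare_fprs(FPR_A, ROOT_A, FPR_B, ROOT_B).items():
        print(f"{key}: {value}")
```

Findings that land in `same_location_different_id` are the case the question describes: one issue, two IDs, so an ID-based filter file written on one machine silently stops matching on another. Once you have confirmed the two scans correlate by location, the merge itself is done with FPRUtility; the invocation shipped with recent SCA releases is `FPRUtility -merge -project primary.fpr -source secondary.fpr -f merged.fpr`, but confirm the flags against `FPRUtility -h` on your version, as the answer suggests.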