Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How to diff Fortify SCA scans

Tags:

fortify

We have Fortify SCA and we are setting up regular, automated scans of our source code. Our intention is to have an alert if there is an introduced security issue. Is there a way, perhaps using FPRUtility (or some other method) to accomplish this? Ultimately I prefer something that can be easily run from the command line, but if this can also be accomplished using the GUI then I would appreciate knowing how to do that as well.

like image 717
user1 Avatar asked Jan 08 '15 16:01

user1


People also ask

What are the different phases in Fortify scan?

Fortify SCA comprises five distinct analyzers: data flow, control flow, semantic, structural, and configuration.

How do I Fortify a scan?

How do I run a fortify scan locally? Run a locally installed version of Fortify Static Code analyzer on the currently opened project to create an FPR. Open the FPR in Fortify Audit Workbench to view the results. Run a remote translation and scan using Fortify Scan Central.

What is the difference between Sonarqube and Fortify?

Fortify essentially classifies the code quality issues in terms of its security impact on the solution. While Sonarqube is more of a Static code analysis tool which also gives you like "code smells," though Sonarqube also lists out the vulnerabilities as part of its analysis.


1 Answers

  1. Use Audit Workbench to run a report. Choose "developer workbook" and disable all except one section. (you can choose any section you want).

  2. In the report section's additional properties, set the filter for the issues to [issue age]:new. This means the report will show ONLY issues in your FPR that were not present in the previous scan, and were introduced in the latest scan. Save the template.

  3. In your scan configuration, make sure to scan to the same FPR every time per project, so that "new" issues can be calculated by the report runner.

  4. After the scan is complete, use the answer by @user1836982 to run the report. Choose the XML template and process it programmatically.

like image 199
Douglas Held Avatar answered Oct 05 '22 04:10

Douglas Held