HP Fortify -- annotating method parameters

Question

I'm trying to eliminate false-positives from an HP Fortify scan of a Java application.

This method causes a "Privacy Violation" issue (the PrintWriter is a servlet response)

 private void writeOutput(String passwordRules, PrintWriter out) {
      ...
      out.print(passwordRules);
      ...
 }

This is because Fortify follows naming conventions, to decide that passwordRules contains private data. But my passwordRules is not private data -- it contains stuff like "Minimum 8 characters".

I can make the error go away by changing the name of the variable. However in principle I don't want to compromise the readability of my code, for the benefit of a source code analyser.

I expected this to fix it:

 private void writeOutput(@FortifyNotPassword String passwordRules, PrintWriter out) ...

However it seems the annotation isn't written for that context:

 The annotation @FortifyNotPassword is disallowed for this location.

I tried:

 private void writeOutput(String passwordRules, PrintWriter out) {
      ...
      @FortifyNotPassword String rules = passwordRules;
      out.print(rules);
      ...
 }

... but this doesn't remove the false-positive. (And it compromises my principle of not making code less readable).

I've also tried the above with @FortifyNotPrivate, with the same results.

So what's the right way to do this?

Answer 1

Fortify offers you two ways to deal with this situation: 1) suppress the issue, or 2) hide the issue. Which you select depends on what you believe will work best for you.

Suppressed issues. You can mark an issue as suppressed if you are sure that the specific vulnerability is not, and never will be, a concern. You might also want to suppress warnings for specific types of issues that might not be high priority or of immediate concern. For example, you can suppress issues that are fixed, or issues that - in your case - you do not plan to fix. Suppressed issues are not included in the group totals shown in the issues panel. This approach may be best when you want to eliminate awareness of the issue altogether.

Hidden issues. You can hide a group of issues temporarily to avoid distraction as you focus elsewhere. For example, you could hide all issues except those assigned to you. The individuals assigned to address the issues you have hidden in your view can still access them. The group totals displayed in the issues panel include hidden issues. If you find an issue in a folder list that you want to hide or direct to another folder, you can create a new filter using the filter wizard. The filter wizard displays all the attributes with matching conditions for the filter. P 29 of the document HP_Fortify_Audit_Workbench_User_Guide_4.30; this documentation is with your Fortify program files. This alternative might be preferable if you want others to be aware of the issues, even as you ignore it.

Removed issues. This alternative is not particularly relevant to your situation, but I present it for the sake of completeness. As multiple scans are run on a project over time, issues are often remediated or become obsolete. As it merges scan results, Static Code Analyzer marks issues that were uncovered in a previous scan, but are no longer evident in the most recent SCA analysis results as Removed. Removed issues are not included in the group totals shown in the issues panel. As you do not intend to "remediate" this issue, it will not become a "removed issue."

To show or hide suppressed, hidden, and removed issues, use the Option menu. Visibility filters show or hide issues.