While converting the audited .fpr files to pdf in audit workbench for fortify scan results, only one issue's comment under each category is present in the pdf file. On what basis is the tool selecting which issue's comment to print in the pdf?
Please help. Thanks in advance
If you go to generate legacy report, Pop up will show up.
On the top you will find button for "Visibility Setting" , this will show another pop up for showing Suppressed/ Removed / Hidden issues. HP fortify snapshot.
Also "Issue Breakdown by Analysis" tab also gives control while adding issues
Related
Question:
Does anyone know how to fix this aside from completely reinstalling the entire Fortify software suite?
Background:
Audit Workbench was up then my PC restarted. Now the Project summary does not show (nor does the code preview).
What I have tried so far:
I tried resetting the display and restarting my PC but it does not bring the Audit Workbench module back.
Previous Fix:
Before when I had this issue, I had to get Fortify completely reinstalled to get it fixed. Because this is on a Government Pc, it will take a while to get it reinstalled. I need this for my job.
Edit: Best Path Forward (Until bug is fixed):
When I open the for through the application (start menu, Fortify SCA folder, Audit Workbench, choose for file), it shows the module. For some reason, a forced restart causes Fortify to not show the module when opening the FPRs directly from the file system.
The other thing is that you cannot pin Audit Workbench to the taskbar which makes this bug more annoying than it should be. I will make a script that I can pin to the taskbar to open the Audit Workbench without going through the start menu every time.
Edit: Found temporary solution
I did a bit of testing and whenever I open the FPR with Audit Workbench, I need to open 2 windows, 1 immediately after the other, to get the project summary back. The first one I open will not show the Project Summary but the 2nd one will. It only shows the pane on the 2nd window for some reason.
Check question for "Path Forward"
I am using Fortify Audit Workbench 18.20.1071 to do analysis on already created Fortify projects. The Fortify projects (extension .fpr) were created using standard Fortify commands. The discovered code issues, are listed on the left pane, and are grouped by categories, depending on a predefined view. When clicking on those issues, I was previously able to see the code in the source code panel/viewer/editor (separate panel to the center-right). For some reason I am not able to open that panel anymore. I don't recall changing anything in the settings, but I'm not able to see the associated code anymore.
If I create a pdf Developer Workbook report, from the Fortify project, I am able to see the source code (in the pdf file), therefore I know that the source code is available. I assume it's just some Audit Workbench settings that I need to change, but I don't know which ones.
There is no code associated with my question, as it is related to the functionality of the Audit Workbench application.
What I expect to see is the following: When I click on a listed issue on the left pane, the source code file associated with the flagged issue should open on the pane to the center-right.
Any suggestion would be greatly appreciated. Thanks a bunch!
I had the same issue using ver 19.10 and here's how I got the source code tab to show again.
Reset the config (options/options/audit configuration/reset interface)
Reboot computer
Open audit workbench and reload project
I am using AWB version 4.10.0120 and SCA version 6.10.0120. I'm trying to generate a report in audit workbench only for critical and high issues or by comment dates. Is this possible?
Open project report in workbench
Go to Reports and select the report template, i.e. Fortify Developer Workbook, OWASP top 10 2010
Go to results outline on right pan and in left pan you will see Refine issues in subsection, click on "Advanced" link
Chose the filter, Fortify Priority order: Critical &High, if you have create two filters using &operator
You can use the filter comments if you want to generate result based on comments contains some keywords
If you can apply these filter in other subsection of the report i.e. Issue count by categories, issues breakdown by analysis, executive summary.
We have Fortify SCA and we are setting up regular, automated scans of our source code. Our intention is to have an alert if there is an introduced security issue. Is there a way, perhaps using FPRUtility (or some other method) to accomplish this? Ultimately I prefer something that can be easily run from the command line, but if this can also be accomplished using the GUI then I would appreciate knowing how to do that as well.
Use Audit Workbench to run a report. Choose "developer workbook" and disable all except one section. (you can choose any section you want).
In the report section's additional properties, set the filter for the issues to [issue age]:new. This means the report will show ONLY issues in your FPR that were not present in the previous scan, and were introduced in the latest scan. Save the template.
In your scan configuration, make sure to scan to the same FPR every time per project, so that "new" issues can be calculated by the report runner.
After the scan is complete, use the answer by #user1836982 to run the report. Choose the XML template and process it programmatically.
(1) Command for the Fortify report generation to XML FORMAT:
FORTIFY_INSTALL_DIR\bin\ReportGenerator.bat -format xml -f target_file_name.xml -source your_fpr_file_name.fpr -template Detailed-DefaultReportDefinition.xml
(2) you can also use AWB to generate the .pdf/.rtf/.xml report by Report(top menu bar) -> save report -> select format ->save
(3) Just added procedure to create excel sheet here: Export HP Fortify SCA 4.10 results in EXCEL format
(4) If you have access to DB (oracle), you can query with script
If you are using Fortify SCA, you should also have access to Fortify Software Security Center (SSC). SSC can be used to track trending data across builds of a project. SSC has built in capabilities to send out alerts based on user-defined events within SSC; I have never worked with those so can't offer any thoughts other than what the docs say.
The reports generated by Fortify SCA (.fpr files) are zip files XML documents storing all the relevant data; I would suspect some of the data in those files are related to the SCA rulesets that are present in both SCA and SSC instances. I suspect without the rulesets you would be able to determine that new issues have been introduced, but not any good data on what they are, priority level, etc.
When I go to the Overview tab of any project I get five options:
Summary, Issues, Reports, Popular Issues, Labels.
I can create Versions via the Admin tab.
However if I look at an Atlassian project I can see a 'Versions' button on the Summary page.
Tried to include a URL to it but SO will not let me.
This 'Versions' button gives a very handy report of the Versions & a version can be selected to give a detailed report of that Version.
How can I add this to my summary ?
If I add the URL params I get nothing as in
my_server:8080/browse/MY_PROJECT?selectedTab=com.atlassian.jira.plugin.system.project%3Aversions-panel
We have v6.1.2
Sadly I have just found at that this is only possible for SCRUM style Jira projects. I found this page 'Viewing the Version report' which says it only works for SCRUM projects
Why JIRA Why ?
Why on earth would I not want to be able to list the issues in such a convenient way. Instead I have to create a unique filter for each version.
The project reports such as Summary are not customizable. The Versions tab only appears after you create your first version, which is not always obvious.