HPE Security Fortify Audit Workbench User Guide AWB 17.10

HPE_AWB_Guide_17.10


HPE Security Fortify Audit Workbench
Software Version: 17.10
User Guide
Document Release Date: April 2017
Software Release Date: April 2017
Legal Notices
Warranty
The only warranties for Hewlett Packard Enterprise Development products and services are set forth in the express warranty
statements accompanying such products and services. Nothing herein should be construed as constituting an additional
warranty. HPE shall not be liable for technical or editorial errors or omissions contained herein.
The information contained herein is subject to change without notice.
Restricted Rights Legend
Confidential computer software. Valid license from HPE required for possession, use or copying. Consistent with FAR 12.211
and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items
are licensed to the U.S. Government under vendor's standard commercial license.
The software is restricted to use solely for the purpose of scanning software for security vulnerabilities that is (i) owned by
you; (ii) for which you have a valid license to use; or (iii) with the explicit consent of the owner of the software to be scanned,
and may not be used for any other purpose.
You shall not install or use the software on any third party or shared (hosted) server without explicit consent from the third
party.
Copyright Notice
© Copyright 2004 - 2017 Hewlett Packard Enterprise Development LP
Trademark Notices
Adobe is a trademark of Adobe Systems Incorporated.
Microsoft® and Windows are U.S. registered trademarks of Microsoft Corporation.
Documentation Updates
The title page of this document contains the following identifying information:
• Software Version number
• Document Release Date, which changes each time the document is updated
• Software Release Date, which indicates the release date of this version of the software
To check for recent updates or to verify that you are using the most recent edition of a document, go to:
https://www.protect724.hpe.com/community/fortify/fortify-product-documentation
You will receive updated or new editions if you subscribe to the appropriate product support service. Contact your HPE sales
representative for details.
UserGuide
HPE Security Fortify Audit Workbench (17.10) Page 2 of 131
Contents
Preface 8
Contacting HPE Security Fortify Support 8
For More Information 8
About the Documentation Set 8
Change Log 9
Chapter 1: Introduction 11
About HPE Security Fortify Audit Workbench 11
Audit Projects and Issue Templates 11
Hybrid 2.0 Technology 11
Integration with Fortify Software Security Center 12
Related Documents 12
All Products 12
HPE Security Fortify Software Security Center 13
HPE Security Fortify Static Code Analyzer 15
Chapter 2: Getting Started 16
About Upgrades 16
Enabling Fortify SCA and Applications Updates from Audit Workbench 16
Upgrading Manually 17
Configuring Automatic Upgrades 18
Renewing Expired Licenses 18
About Starting Audit Workbench 19
Starting Audit Workbench on Windows Systems 19
Starting Audit Workbench on Non-Windows Systems 19
About HPE Security Fortify Software Security Content 19
Configuring Security Content Updates 20
Updating Security Content 21
Importing Custom Security Content 22
Logging in to Fortify Software Security Center 22
Chapter 3: Scanning Source Code 23
Scanning Java Projects 23
Quick Scan Mode 24
Scanning Large and Complex Projects 25
Scanning Visual Studio Solutions and Projects 30
Re-scanning Projects 32
Chapter 4: Scan Results 34
About Viewing Scan Results 34
Issues View 34
Filter Sets 35
Specifying the Default Filter Set 36
Folders (Tabs) 36
Group By List 37
Specifying the Default Issue Grouping 37
Search Box 38
Analysis Evidence View 38
Project Summary View 39
Summary Tab 40
Certification Tab 40
Runtime Analysis Tab 40
Build Information Tab 40
Analysis Information Tab 40
Viewing Summary Graph Information 41
Source Code View 44
About Displayed Source Code 45
Issue Auditing View 45
Summary Tab 45
Details Tab 46
WebInspect Agent Details Tab 47
Recommendations Tab 47
History Tab 48
Diagram Tab 48
Filters Tab 48
Warnings Tab 49
Functions View 51
Customizing the Issues View 51
Working with Issues 53
Filtering Issues with Audit Guide 53
Grouping Issues 55
Creating a Custom Group By Option 57
Selectively Displaying Issues Assigned to You 57
About Suppressed, Removed, and Hidden Issues 57
Creating Attribute Summary Tables for Multiple Issues 58
Searching for Issues 60
Search Modifiers 61
Search Query Examples 63
Performing Simple Searches 64
Performing Advanced Searches 65
About Issue Templates 66
Configuring Custom Filter Sets and Filters 67
Creating a New Filter Set 67
Creating a Filter from the Issues View 67
Creating a Filter from the Issue Auditing View 68
Copying a Filter from One Filter Set to Another 69
Setting the Default Filter Set 70
Managing Folders 70
Creating a Folder 70
Adding a Folder to a Filter Set 71
Renaming a Folder 72
Removing a Folder 72
Configuring Custom Tags for Auditing 73
Adding a Custom Tag 74
Deleting a Custom Tag 76
Committing Custom Tags to Fortify Software Security Center 76
Synchronizing Custom Tags with Fortify Software Security Center 77
Issue Template Sharing 77
Exporting an Issue Template 77
Importing an Issue Template 78
Synchronizing Filter Sets and Folders 78
Committing Filter Sets and Folders 79
Advanced Configuration 79
Bug-Tracking System Integration 79
Public APIs 80
Penetration Test Schema 80
Chapter 5: Auditing Analysis Results 81
Working with Audit Projects 81
Opening an Audit Project 81
Opening Audit Projects Without the Default Filter Set 81
Performing a Collaborative Audit 82
Refreshing Permissions From Fortify Software Security Center 83
Merging Audit Data 83
Merging Audit Data Using the Command-line Utility 84
Additional Metadata 84
Uploading Audit Results to Fortify Software Security Center 84
Evaluating Issues 85
Performing Quick Audits 86
Performing Quick Audits for Custom Tags 86
Adding Screen Captures to Issues 87
Viewing Images 87
Creating Issues for Undetected Vulnerabilities 87
Suppressing Issues 88
Submitting an Issue as a Bug 88
Correlation Justification 89
Using Correlation Justification 90
Third-Party Penetration Results 92
Viewing Penetration Test Results 92
Chapter 6: Audit Workbench Reports 94
BIRT Reports 94
Generating BIRT Reports 95
Legacy Reports and Templates 96
Opening Legacy Report Templates 97
Generating Legacy Reports 97
Legacy Report Templates 98
Selecting Report Sections 99
Editing Report Subsections 99
Editing Text Subsections 99
Editing Results List Subsections 101
Editing Charts Subsections 101
Saving Legacy Report Templates 102
Saving Changes to Report Templates 102
Report Template XML Files 102
Adding Report Sections 102
Adding Text Subsections 103
Adding Results List Subsections 104
Adding Charts Subsections 104
Chapter 7: Using the Functions View 106
Opening the Functions View 107
Sorting and Viewing Functions 108
Locating Functions in Source Code 108
Synchronizing the Functions View with the Analysis Evidence View 108
Locating Classes in Source Code 109
Determining Which Rules Matched a Function 109
Writing Rules for Functions 109
Creating Custom Cleanse Rules 110
Chapter 8: Troubleshooting 111
Creating Archive Logs for HPE Security Fortify Technical Support 111
Using the Debugging Option 111
Addressing the org.eclipse.swt.SWTError Error 112
Out of Memory Errors 112
Allocating More Memory for Audit Workbench 113
Allocating More Memory for Fortify Static Code Analyzer 113
Specifying the Amount of Memory Used by External Processes 114
Saving a Project That Exceeds the Maximum Removed Issues Limit 114
Resetting the Default Views 115
Appendix A: Sample Files 116
Basic Samples 116
Advanced Samples 117
Appendix B: Static Analysis Results Prioritization 120
About Results Prioritization 120
Quantifying Risk 121
Estimating Impact and Likelihood with Input from Rules and Analysis 122
Appendix C: Legacy Report Components 125
Fortify Security Report 125
Fortify Developer Workbook Report 128
OWASP Top Ten Reports 129
Fortify Scan Summary Report 129
Send Documentation Feedback 131
Preface
Contacting HPE Security Fortify Support
If you have questions or comments about using this product, contact HPE Security Fortify Technical Support using one of the following options.
To Manage Your Support Cases, Acquire Licenses, and Manage Your Account
https://support.fortify.com
To Email Support
fortifytechsupport@hpe.com
To Call Support
1.844.260.7219
For More Information
For more information about HPE Security software products: http://www.hpe.com/software/fortify
About the Documentation Set
The HPE Security Fortify Software documentation set contains installation, user, and deployment
guides for all HPE Security Fortify Software products and components. In addition, you will find
technical notes and release notes that describe new features, known issues, and last-minute updates.
You can access the latest versions of these documents from the following HPE Security user community
website:
https://www.protect724.hpe.com/community/fortify/fortify-product-documentation
You will need to register for an account.
Change Log
The following table lists changes made to this document. Revisions to this document are published only
if the changes made affect product functionality.
Software Release / Document Version    Change

17.10
  Added:
  • "Logging in to Fortify Software Security Center" on page 22 - Added information about connecting to HPE Security Fortify Software Security Center with single sign-on credentials.
  • "Specifying the Default Issue Grouping" on page 37 - New option to specify a default Group By setting
  Updated:
  • "Details Tab" on page 46 - Now includes Remediation Effort

16.20
  Updated:
  • "Updating Security Content" on page 21 - New way to view external mappings
  • "Configuring Custom Tags for Auditing" on page 73 and "Evaluating Issues" on page 85 - New types of custom tags
  • "Summary Tab" on page 45 and "Evaluating Issues" on page 85 - New Audit Assistant tags

16.10
  Added:
  • "Warnings Tab" on page 49 - Updated analysis warnings view moved from Project Summary to the Issue Auditing view
  • "Refreshing Permissions From Fortify Software Security Center" on page 83
  Updated:
  • "Scanning Large and Complex Projects" on page 25 and "Scanning Visual Studio Solutions and Projects" on page 30 - Updated interface for selecting Rulepacks
  • "Adding a Custom Tag" on page 74 - New option to make custom tags restricted
  • "Uploading Audit Results to Fortify Software Security Center" on page 84 - New instructions for refreshing Fortify Software Security Center permissions
  • "Generating BIRT Reports" on page 95 - New ability to save in XLS format
  • Terminology updated to match Fortify Software Security Center
  Removed:
  • Hotspot filter
Chapter 1: Introduction
This section contains the following topics:
About HPE Security Fortify Audit Workbench 11
Integration with Fortify Software Security Center 12
Related Documents 12
About HPE Security Fortify Audit Workbench
Audit Workbench complements HPE Security Fortify Static Code Analyzer (Fortify Static Code Analyzer) with a graphical user interface you can use to scan software projects and to organize, investigate, and prioritize the analysis results so that your team can fix security issues quickly and effectively.
From Audit Workbench, you can view and audit FPR files from HPE Security Fortify Software Security Center, HPE Security Fortify Runtime Application Protection, and HPE Security Fortify scanning plugins for IDEs. Audit Workbench issue templates help you sort the results of large scans in a way that works for your business and workflows.
Audit Projects and Issue Templates
After you initiate a source code scan from Audit Workbench, Fortify Static Code Analyzer scans and
analyzes the code to produce comprehensive results. Audit Workbench organizes these results into an
audit project.
In Fortify Software Security Center, an application is a codebase that serves as a container for one or
more application versions. A Fortify Software Security Center application version is an instance of the
codebase that will eventually be deployed. An Audit Workbench audit project is comparable to a Fortify
Software Security Center application version in that it represents a snapshot of the codebase.
Issue templates determine how Audit Workbench (and Fortify Software Security Center) configures and
prioritizes the vulnerabilities (issues) uncovered in source code. Audit Workbench comes with a single
basic issue template, which you can use as is, or modify to suit your project needs. You can also import
an issue template from Fortify Software Security Center, or create a new issue template from Audit
Workbench.
Hybrid 2.0 Technology
The Audit Workbench Hybrid 2.0 technology connects penetration test results directly to source code
analysis results to reveal hidden vulnerability relationships and expose their root causes within the
source code. This enables your security and development teams to more accurately identify and
prioritize vulnerabilities, and more productively investigate and remediate security defects in the source
code.
Integration with Fortify Software Security Center
Fortify Software Security Center provides a web portal that developers, managers, and security teams
can use to share, collaborate, and track remediation of the potential vulnerabilities Fortify Static Code
Analyzer scans uncover. If you connect Audit Workbench to your Fortify Software Security Center
instance, you can upload and merge your scan and audit results and share them with your team. This
enables you to monitor trends and indicators across multiple application versions.
Integration with Fortify Software Security Center enables you to:
• Upload and download FPR files
• Perform collaborative audits
• Manage the security content, which consists of HPE Security Fortify Secure Coding Rulepacks, custom Rulepacks, and external metadata applied during Fortify Static Code Analyzer scans
• Check for and install available upgrades of Fortify Static Code Analyzer and associated applications (including Audit Workbench)
• Download issue templates
• Upload new and modified issue templates
Related Documents
This topic describes documents that provide information about HPE Security Fortify Audit Workbench.
Note: The Protect724 site location is https://www.protect724.hpe.com/community/fortify/fortify-product-documentation.
All Products
The following documents provide general information for all products.
Document / File Name: HPE Security Fortify Software System Requirements (HPE_Sys_Reqs_<version>.pdf)
Description: This document provides the details about the environments and products supported for this version of HPE Security Fortify Software.
Location: Included with product download and on the Protect724 site

Document / File Name: HPE Security Fortify Software Release Notes (HPE_FortifySW_RN_<version>.txt)
Description: This document provides an overview of the changes made to HPE Security Fortify Software for this release and important information not included elsewhere in the product documentation.
Location: Included on the Protect724 site

Document / File Name: What's New in HPE Security Fortify Software <version> (HPE_Whats_New_<version>.pdf)
Description: This document describes the new features in HPE Security Fortify Software products.
Location: Included on the Protect724 site

Document / File Name: HPE Security Fortify Open Source and Third-Party License Agreements (HPE_OpenSrc_<version>.pdf)
Description: This document provides open source and third-party software license agreements for software components used in HPE Security Fortify Software.
Location: Included with product download and on the Protect724 site

Document / File Name: HPE Security Fortify Glossary (HPE_Glossary.pdf)
Description: This document provides definitions for HPE Security Fortify Software terms.
Location: Included with product download and on the Protect724 site
HPE Security Fortify Software Security Center
The following documents provide information about HPE Security Fortify Software Security Center.
Document / File Name: HPE Security Fortify Software Security Center User Guide (HPE_SSC_Guide_<version>.pdf; HPE_SSC_Help_<version>)
Description: This document provides Fortify Software Security Center users with detailed information about how to deploy and use Fortify Software Security Center. It provides all of the information you need to acquire, install, configure, and use Fortify Software Security Center. It is intended for use by system and instance administrators, database administrators (DBAs), enterprise security leads, development team managers, and developers. Fortify Software Security Center provides security team leads with a high-level overview of the history and current status of a project.
Location: Included with product download and on the Protect724 site

Document / File Name: HP Fortify Software Security Center User Guide: Legacy User Interface (HP_Fortify_SSC_User_Guide_Legacy.pdf; PDF only, no help file)
Description: This document is the user guide for HP Software Security Center version 4.30. The legacy (4.30) user interface is available from the Fortify Software Security Center version 16.20 user interface. Specific areas of functionality are available only in the 4.30 interface.
Location: Included with product download and on the Protect724 site

Document / File Name: HPE Security Fortify Software Security Center Process Designer Guide: Legacy User Interface (HPE_SSC_Proc_Design_Guide_Legacy_<version>.pdf; HPE_SSC_Proc_Design_Help_<version>)
Description: This document provides information about how to start the Process Designer, configure its connection to your Fortify Software Security Center instance, and then use it to work with Fortify Software Security Center process templates, which are used only in the Fortify Software Security Center legacy (version 4.30) user interface.
Location: Included with product download and on the Protect724 site

Document / File Name: HP Fortify Software Security Center Installation and Configuration Guide: Legacy User Interface (HP_Fortify_SSC_Install_and_Config_Guide_Legacy.pdf; PDF only, no help file)
Description: This document provides system and database administrators with complete instructions on how to configure Fortify Software Security Center server software using the legacy (v4.30) user interface.
Location: Included with product download and on the Protect724 site

Document / File Name: HPE Security Fortify Software Security Center Process Designer Guide: Legacy User Interface (HPE_SSC_Proc_Design_Guide_Legacy_<version>.pdf; HPE_SSC_Proc_Design_Help_<version>)
Description: This legacy document provides information about how to start the Process Designer, configure its connection to your Fortify Software Security Center instance, and then use it to work with Fortify Software Security Center process templates.
Location: Included with product download and on the Protect724 site
HPE Security Fortify Static Code Analyzer
The following documents provide information about Static Code Analyzer.
Document / File Name: HPE Security Fortify Static Code Analyzer User Guide (HPE_SCA_Guide_<version>.pdf; HPE_SCA_Help_<version>)
Description: This document describes how to use Fortify Static Code Analyzer to scan code on many of the major programming platforms. It is intended for people responsible for security audits and secure coding.
Location: Included with product download and on the Protect724 site

Document / File Name: HPE Security Fortify Static Code Analyzer Installation Guide (HPE_SCA_Install_<version>.pdf; HPE_SCA_Install_Help_<version>)
Description: This document contains installation instructions for Fortify Static Code Analyzer and Applications.
Location: Included with product download and on the Protect724 site

Document / File Name: HPE Security Fortify Static Code Analyzer Performance Guide (HPE_SCA_Perf_Guide_<version>.pdf; PDF only, no help file)
Description: This document provides guidelines for selecting hardware to scan different types of codebases and offers tips for optimizing memory usage and performance.
Location: Included with product download and on the Protect724 site

Document / File Name: HPE Security Fortify Static Code Analyzer Custom Rules Guide (HPE_SCA_Cust_Rules_Guide_<version>.zip; PDF only, no help file)
Description: This document provides the information that you need to create custom rules for Fortify Static Code Analyzer. This guide includes examples that apply rule-writing concepts to real-world security issues.
Location: Included with product download
Chapter 2: Getting Started
The following topics provide an overview of HPE Security Fortify Audit Workbench, instructions on how to start the tool, and instructions on how to upgrade the Static Code Analyzer and Applications (Fortify Static Code Analyzer, Audit Workbench, and any plugins or packages you have installed) as new versions of the products become available.
This section contains the following topics:
About Upgrades 16
Renewing Expired Licenses 18
About Starting Audit Workbench 19
About HPE Security Fortify Software Security Content 19
Logging in to Fortify Software Security Center 22
About Upgrades
You can check on the availability of new Fortify SCA and Applications (including Audit Workbench) versions from the Audit Workbench user interface. If a version newer than the one you have installed is available, you can download it and upgrade your instance.
You can also configure Audit Workbench to check for, download, and install new versions automatically at startup. Whether you upgrade your Fortify SCA and Applications manually or automatically, your data is preserved.
To enable upgrades from Audit Workbench, a Fortify Software Security Center administrator must first
set up the auto upgrade capability on the server host. The following topics address how to set up auto
upgrades (as a Fortify Software Security Center administrator) for Audit Workbench and how to
perform the upgrades from Audit Workbench.
Enabling Fortify SCA and Applications Updates from Audit Workbench
To make a new Fortify SCA and Applications installer available to Audit Workbench users for upgrades:
1. On the Fortify Software Security Center host, navigate to the <appserver_deployment_location>/ssc/WEB-INF/internal directory and open the securityContext.xml file in a text editor.
2. Locate the following line:
   <!-- <security:intercept-url pattern="/update-site/**" access="PERM_ANONYMOUS"/> -->
3. Remove the comment tags from the line of text so that it looks like the following:
   <security:intercept-url pattern="/update-site/**" access="PERM_ANONYMOUS"/>
4. Save and close the securityContext.xml file.
5. Navigate to the <appserver_deployment_location>/ssc/update-site/installers directory.
6. Open and read the readme.txt file.
7. From the readme.txt file, copy the sample update.xml file content (between and including the <installerInformation> and </installerInformation> tags), and then paste it into a new text file.
8. Name the new file update.xml and save it to the <appserver_deployment_location>/ssc/update-site/installers directory.
9. Any time a new Fortify SCA and Applications installer file (HPE_Security_Fortify_SCA_and_Apps_<version>_<OS>.exe) becomes available, place it in the <appserver_deployment_location>/ssc/update-site/installers directory.
10. Open the update.xml file in a text editor, and then do the following:
a. In the <versionId> element, type the version ID for the new installer.
The version ID is the version number without the periods.
Make sure that the value you type matches the Fortify SCA and Applications version in the installer.
b. In the <version> element, type the version number for the new installer.
11. Save and close your edited update.xml file.
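A consistency check for the update-site procedure above, added here as an example and not part of the HPE guide or product: it verifies that versionId equals version with the periods removed (step 10), that an installer file named for that version is present in the installers directory (step 9), and that the intercept-url line in securityContext.xml is live rather than commented out (step 3). It assumes that <versionId> and <version> sit directly under <installerInformation> (the guide names those elements but not the full layout of update.xml); all sample files are constructed.

```python
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# Installer file-name pattern from step 9: HPE_Security_Fortify_SCA_and_Apps_<version>_<OS>.exe
INSTALLER_RE = re.compile(
    r"^HPE_Security_Fortify_SCA_and_Apps_(?P<version>\d+(?:\.\d+)+)_(?P<os>[A-Za-z0-9_-]+)\.exe$"
)
# The intercept-url line from step 3, tolerant of whitespace differences
INTERCEPT_RE = re.compile(
    r'<security:intercept-url\s+pattern="/update-site/\*\*"\s+access="PERM_ANONYMOUS"\s*/>'
)


def read_update_xml(path):
    """Return (versionId, version) from update.xml.

    Assumption (not stated in the guide): both elements are direct children of
    <installerInformation>.
    """
    root = ET.parse(path).getroot()
    if root.tag != "installerInformation":
        raise ValueError("update.xml root must be <installerInformation>, got <%s>" % root.tag)
    version_id = (root.findtext("versionId") or "").strip()
    version = (root.findtext("version") or "").strip()
    return version_id, version


def check_update_site(installers_dir):
    """Return a list of problems; empty when update.xml and the installer agree."""
    update_xml = os.path.join(installers_dir, "update.xml")
    if not os.path.isfile(update_xml):
        return ["update.xml is missing from %s" % installers_dir]
    problems = []
    version_id, version = read_update_xml(update_xml)
    # Step 10a: the version ID is the version number without the periods
    if not version or version_id != version.replace(".", ""):
        problems.append("versionId %r does not equal version %r without periods" % (version_id, version))
    # Step 9: an installer for exactly that version must be present
    matches = [INSTALLER_RE.match(name) for name in os.listdir(installers_dir)]
    if not any(m and m.group("version") == version for m in matches):
        problems.append("no HPE_Security_Fortify_SCA_and_Apps_%s_<OS>.exe installer present" % version)
    return problems


def update_site_is_anonymous(security_context_path):
    """True once the step-3 line is live (present and not inside an XML comment).

    PERM_ANONYMOUS applies to everything under /update-site/**, so keep only
    update.xml and the installer files in that tree.
    """
    with open(security_context_path, encoding="utf-8") as fh:
        live = re.sub(r"<!--.*?-->", "", fh.read(), flags=re.S)
    return INTERCEPT_RE.search(live) is not None


# Constructed sample content (layout assumed, see read_update_xml)
SAMPLE_UPDATE_XML = """<installerInformation>
  <versionId>{version_id}</versionId>
  <version>{version}</version>
</installerInformation>
"""
COMMENTED_LINE = '<!-- <security:intercept-url pattern="/update-site/**" access="PERM_ANONYMOUS"/> -->'
LIVE_LINE = '<security:intercept-url pattern="/update-site/**" access="PERM_ANONYMOUS"/>'


def _write(path, text):
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)


def run_demo():
    """Build constructed fixtures in a temp directory and return the check results."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        # Consistent site: version 17.10, versionId 1710, installer named for 17.10
        good = os.path.join(tmp, "good")
        os.makedirs(good)
        _write(os.path.join(good, "update.xml"), SAMPLE_UPDATE_XML.format(version_id="1710", version="17.10"))
        _write(os.path.join(good, "HPE_Security_Fortify_SCA_and_Apps_17.10_windows.exe"), "")
        results["good"] = check_update_site(good)

        # Inconsistent site: versionId typed with the period, installer for a different version
        bad = os.path.join(tmp, "bad")
        os.makedirs(bad)
        _write(os.path.join(bad, "update.xml"), SAMPLE_UPDATE_XML.format(version_id="17.10", version="17.10"))
        _write(os.path.join(bad, "HPE_Security_Fortify_SCA_and_Apps_16.20_windows.exe"), "")
        results["bad"] = check_update_site(bad)

        # securityContext.xml before and after step 3
        ctx = os.path.join(tmp, "securityContext.xml")
        for label, line in (("before", COMMENTED_LINE), ("after", LIVE_LINE)):
            _write(ctx, "<beans>\n  %s\n</beans>\n" % line)
            results[label] = update_site_is_anonymous(ctx)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```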
Upgrading Manually
You can check for newer Fortify SCA and Applications versions manually, either from the Audit Workbench Help menu, or from the Options dialog box.
To check for, and (potentially) install, a newer Fortify SCA and Applications version, do one of the following:
• Select Help > Check for Upgrades.
Alternatively,
1. Select Options > Options.
The Options dialog box opens to the Server Configuration settings.
2. Under Audit Workbench Upgrade Configuration on the right, do the following:
a. In the Server URL box, type the URL for your Fortify Software Security Center server.
b. Click Check Now.
Audit Workbench polls the upgrade server for information about the Fortify SCA and Applications versions available for the platform on which it is running. If a newer version is available, Audit Workbench prompts you to indicate whether you want to proceed to download and install it.
Important: If you have an HPE Security Fortify Plugin for Eclipse installed, after you upgrade your Fortify SCA and Applications from Audit Workbench, you must uninstall, and then reinstall the Eclipse Plugin.
Configuring Automatic Upgrades
To configure upgrade checks at Audit Workbench startup:
1. From Audit Workbench, select Options > Options.
2. In the left pane, leave Server Configuration selected.
3. Under Audit Workbench Upgrade Configuration on the right, do the following:
a. In the Server URL box, type the URL for the installers folder on your Fortify Software
Security Center server.
b. Select the Check for upgrades at startup check box.
4. Click OK.
After this, each time you start Audit Workbench, it checks the server to determine whether a newer Fortify SCA and Applications version is available and then, if a newer version is available, downloads and installs it.
Important: If you have an HPE Security Fortify Plugin for Eclipse installed, after you upgrade your Fortify SCA and Applications from Audit Workbench, you must uninstall, and then reinstall the Eclipse Plugin.
Renewing Expired Licenses
The license for Fortify Static Code Analyzer and its tools, including Audit Workbench, expires annually.
You can get an updated license from the Fortify Customer Portal.
To update an expired license:
1. Log on to the Fortify Customer Portal (https://support.fortify.com).
If you do not have an account, contact HPE Security Fortify Technical Support (fortifytechsupport@hpe.com).
If you encounter a problem logging into your account, send an email to HPE Security Fortify Technical Support (fortifytechsupport@hpe.com) with “Portal Access” as the subject.
2. After you log onto the Fortify Customer Portal, at the top of the page, click the My Licenses tab.
The Download Licenses page lists all licenses with current maintenance agreements. If you do not see your license, email HPE Security Fortify Technical Support (fortifytechsupport@hpe.com) with “Maintenance Renewal Verification” as the subject. If your maintenance agreement was recently renewed, the Download Licenses page might not yet reflect this.
3. Click the link for the license you want to use.
The license is downloaded automatically to your machine.
4. Start Audit Workbench, and check to make sure that you can log on.
About Starting Audit Workbench
You can start Audit Workbench from the start menu on a Windows system. You can start it from the
command line on any supported operating system.
Starting Audit Workbench on Windows Systems
To start Audit Workbench on a Windows system, do one of the following:
• Select Start > All Programs > HPE Security Fortify SCA and Applications <version> > Audit Workbench
where <version> is the version you have installed.
Alternatively,
1. Open a Command window, and then change to the <sca_install_dir>\bin directory.
2. At the prompt, type auditworkbench.cmd.
Starting Audit Workbench on Non-Windows Systems
To start Audit Workbench on a non-Windows system:
1. Open a command prompt window, and then change to the <sca_install_dir>/bin directory.
2. At the prompt, type auditworkbench.
About HPE Security Fortify Software Security Content
Audit Workbench uses a knowledgebase of rules to enforce secure coding standards applicable to the codebase for static analysis. HPE Security Fortify Software Security Content (security content) consists of Secure Coding Rulepacks and external metadata:
• Secure Coding Rulepacks describe general secure coding idioms for popular languages and public APIs.
• External metadata include mappings from the HPE Security categories to alternative categories (such as CWE, OWASP Top 10, and PCI DSS). You can modify the existing mapping in the external metadata document (externalmetadata.xml) or create your own files to map HPE Security issues to different taxonomies, such as internal application security standards or additional compliance obligations (recommended). For instructions on how to create your own custom external metadata, see the HPE Security Fortify Static Code Analyzer Custom Rules Guide.
You can update your security content in English, Spanish, Brazilian Portuguese, Japanese, Korean,
Simplified Chinese, or Traditional Chinese. HPE recommends that you periodically update the security
content.
Configuring Security Content Updates
You can specify the server information to use to update security content.
To configure security content updates:
1. Select Options > Options.
2. In the left panel, select Server Configuration.
3. To update security content from your Fortify Software Security Center server:
a. Under Security Content Update Configuration, select the Update Security Content from
Software Security Center check box.
b. Under Software Security Center Configuration, specify the Fortify Software Security Center
server URL and if necessary, the proxy server and port number.
4. To specify an update server from which to update security content, in the Security Content
Update Configuration section, do the following:
a. In the Server URL box, type the URL for the update server.
b. If required, specify the proxy server and port.
5. To update security content automatically and with a specific frequency:
a. Select the Perform Security Content Update Automatically check box.
b. In the Security Content Update Frequency (Days) box, specify how often (type the number
of days) you want the security content automatically updated.
6. Click Apply, and then click OK.
Updating Security Content
You can download security content in English, Spanish, Brazilian Portuguese, Japanese, Korean,
Simplified Chinese, or Traditional Chinese. Issue descriptions and recommendations are available in the
selected language and categories are in English.
To update your security content:
1. Select Options > Options.
2. In the left panel, select Security Content Management.
Note: Scroll to the bottom of the Installed Fortify Security Content list to see the external mappings.
Any custom rules and custom external mappings appear in the Installed Custom Security Content list.
3. In the Update Security Content list, select the security content in the language you want.
The Security Content Update window displays the results of the security content update.
4. Click OK to close the Security Content Update window.
Importing Custom Security Content
To import custom rules, do the following:
1. Select Options > Options.
2. In the left panel, select Security Content Management.
3. Click Import Custom Security Content.
4. Select the custom rules file you want to import, and then click Open.
Logging in to Fortify Software Security Center
The first time you perform an operation that requires a connection to Fortify Software Security Center,
you are prompted to log in.
To log in to Fortify Software Security Center:
1. From the Login Method menu, select the login method set up for you on Fortify Software Security
Center.
2. Depending on the selected login method, do one of the following:
Login Method Procedure
Username/Password lType your Fortify Software Security Center user name and password.
X.509 SSO a. Click the Browse button to the right of Certificate.
b. In the Browser for Certificate dialog box, locate the p12 package
with the certificate, and then click Open.
c. Type the password if required.
Kerberos SSO No additional information is required.
3. Click OK to connect to Fortify Software Security Center.
Chapter 3: Scanning Source Code
The following topics describe how to scan source code and view the scan and analysis results in the
Audit Workbench auditing interface.
This section contains the following topics:
Scanning Java Projects 23
Quick Scan Mode 24
Scanning Large and Complex Projects 25
Scanning Visual Studio Solutions and Projects 30
Re-scanning Projects 32
Scanning Java Projects
The Audit Guide wizard combines the translation and analysis phases of the scanning process into a
single step. Use this wizard to scan small Java projects that have source code in a single directory.
To scan a new Java project:
1. Start Audit Workbench.
2. Under Start New Project, click Scan Java Project.
The Browse for Folder dialog box opens.
3. Select the folder that contains all the source code you want to analyze, and then click OK.
Note: Fortify Static Code Analyzer sets the build ID to the folder name.
4. Select the Java version used for your project, and then click OK.
The Audit Guide Wizard opens.
5. Select the settings for the types of issues you want to display in the results, and then click Scan.
Fortify Static Code Analyzer analyzes the source code. If Fortify Static Code Analyzer encounters
any problems as it scans the source code, Audit Workbench displays a warning.
6. If a warning is displayed, click OK.
After the scan is completed, Audit Workbench displays the analysis results.
Note: Fortify Static Code Analyzer scans invoked from Audit Workbench are invoked with the
server Java Virtual Machine.
Quick Scan Mode
With quick scan mode, you can quickly scan projects for major issues. For example, a quick scan of the
WebGoat sample application uncovers 284 possible issues. By contrast, a full scan of the WebGoat
sample application uncovers 1,150 possible issues.
In quick scan mode, Fortify Static Code Analyzer searches for high-confidence, high-severity issues.
Quick scans are a great way to get many applications through an assessment so that you can quickly
find issues and begin remediation. Although the scan is faster than a full scan, it does not provide as
robust a result set. Critical and other issues that a quick scan cannot detect may exist in your application.
HPE recommends that you run full scans whenever possible.
To perform a quick scan, follow the steps described in "Scanning Large and Complex Projects" below
and select the Enable Quick Scan Mode check box. Quick scan is also available when you scan Visual
Studio solutions (see "Scanning Visual Studio Solutions and Projects" on page 30). Audit Workbench
displays the scan results in its Project Summary view. You audit quick scan results just as you audit full
scan results.
Scanning Large and Complex Projects
Exceptionally large codebases may require distinct measures to ensure a complete scan, including using
Fortify Static Code Analyzer to scan the code in smaller sections. While Audit Workbench enables you to
edit Fortify Static Code Analyzer command parameters, you can handle large, complex scans more
successfully directly through the command console. In addition, if a system has memory constraints,
Fortify Static Code Analyzer must compete with HPE Security Fortify Audit Workbench for
resources, possibly resulting in slow or failed scans.
Use the Advanced Static Analysis wizard to translate and analyze JavaScript, PHP, ASP, .NET, and SQL
projects. You can use the wizard for Java projects that have source code in multiple directories, special
translation or build conditions, or that have files that you want to exclude from the project.
Note: Audit Workbench filters out unsupported files within the selected source code directories.
To scan a new project:
1. Start Audit Workbench.
2. Under Start New Project, click Advanced Scan.
The Browse for Folder dialog box opens.
3. Select the root directory of the project, and then click OK.
The Advanced Static Analysis wizard opens.
The wizard automatically includes all supported files in the scan.
4. (Optional) To add files from another directory:
a. Click Add Directory.
The Browse to Folder dialog box opens.
b. Select the folder that contains the files you want to add to the scan, and then click OK.
The navigation panel displays the directory and Audit Workbench adds all supported files to
the scan. (To remove the directory, right-click the folder, and then select Remove Root.)
5. (Optional) To exclude files or directories that contain, for example, test source code, right-click the
file or directory, and then select Exclude.
6. For Java projects, set the following:
a. Select the build directories and jar files and then click Classpath Directory.
Note: If you do not select the classpath directory, Fortify Static Code Analyzer uses the
CLASSPATH environment variable value.
The folder turns blue and the files are added to the classpath.
b. From the Java Version list, select the Java version of the project.
7. In the Build ID box, type the build ID.
The root directory is the default build ID.
8. To specify a different output file path than the default, in the Output file box, type the path and
file name for the FPR file that Fortify Static Code Analyzer is to generate.
9. To perform a quick scan, select the Enable Quick Scan Mode check box.
For information about quick scans, see "Quick Scan Mode" on page 24.
10. Click Next.
The scan process includes the following phases:
• During the clean phase, Fortify Static Code Analyzer removes files from previous translation of
the project.
• During the translation phase, Fortify Static Code Analyzer translates source code identified in
the previous screen into an intermediate format that is associated with a build ID. The build ID is
typically the project.
• During the scan phase, Fortify Static Code Analyzer scans source files identified during the
translation phase and generates analysis results, in the Fortify Project Results (FPR) format.
11. (Optional) To skip a scanning phase, clear the Enable clean, Enable translation, or Enable scan
check box.
For example, if the security content has changed but the project has not changed, you might want
to disable both the clean and the translation phases so that Fortify Static Code Analyzer scans the
project without retranslating.
12. Modify the command-line options for each Fortify Static Code Analyzer scan phase as required.
13. (Optional) To specify the amount of memory Fortify Static Code Analyzer uses for scanning:
a. Click Configure Memory.
b. Adjust the slider to the amount of memory required.
c. Click OK.
14. (Optional) To analyze the source code using an installed custom Rulepack, or to disable a Rulepack,
do the following:
a. Click Configure Rulepacks.
The Additional Options dialog box opens.
b. In the Installed Fortify Security Content list, clear the check boxes that correspond to any
Rulepacks you want to disable during the scan.
Note: For instructions on how to add custom security content, see "Importing Custom
Security Content" on page 22.
c. Click OK.
15. From the Advanced Static Analysis wizard, click Next.
16. Select your scan settings, and then click Scan.
Fortify Static Code Analyzer starts the scan and displays progress information throughout the process.
If Fortify Static Code Analyzer encounters any problems scanning the source code, it displays a
warning.
After the scan is completed, Audit Workbench loads the audit project and displays the analysis results.
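The three phases the wizard drives (clean, translate, scan) map directly onto sourceanalyzer command lines, which is the route the section above recommends for large or memory-constrained projects. The following script is an added example, not code from the Fortify guide or product: it assumes `sourceanalyzer` is on PATH and uses its standard options (-b, -clean, -scan, -f, -cp, -source, -exclude, -quick, -rules, -Xmx); the `ScanConfig`, `build_commands` and `run_scan` names are chosen for this example. Each wizard check box (Enable clean / translation / scan, Enable Quick Scan Mode, Configure Memory, Configure Rulepacks, Exclude) corresponds to one field of `ScanConfig`.

```python
"""Added example (not from the Fortify guide): run the clean, translate and
scan phases that the Advanced Static Analysis wizard drives, but from the
sourceanalyzer command line, which the guide recommends for large projects.
Assumes `sourceanalyzer` is on PATH.  The options used (-b, -clean, -scan,
-f, -cp, -source, -exclude, -quick, -rules, -Xmx) are standard SCA flags;
ScanConfig/build_commands/run_scan are names chosen for this example."""
import os
import subprocess
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ScanConfig:
    build_id: str
    src_dirs: List[str]
    output_fpr: Optional[str] = None          # default: <build_id>.fpr
    java_version: str = "1.8"                 # -source, Java version of the project
    classpath: List[str] = field(default_factory=list)  # jars and build directories
    excludes: List[str] = field(default_factory=list)   # e.g. "**/test/**"
    memory: str = "4G"                        # -Xmx for translation and scan
    quick: bool = False                       # Enable Quick Scan Mode
    custom_rules: List[str] = field(default_factory=list)  # custom Rulepack files
    clean: bool = True                        # Enable clean
    translate: bool = True                    # Enable translation
    scan: bool = True                         # Enable scan


def build_commands(cfg: ScanConfig) -> List[List[str]]:
    """Return the argv for each enabled phase, in the order SCA expects."""
    sca = "sourceanalyzer"
    mem = f"-Xmx{cfg.memory}"
    out = cfg.output_fpr or f"{cfg.build_id}.fpr"
    cmds: List[List[str]] = []

    if cfg.clean:  # drop intermediate files of a previous translation of this build ID
        cmds.append([sca, "-b", cfg.build_id, "-clean"])

    if cfg.translate:  # bind the sources to the build ID; classpath given explicitly
        cmd = [sca, mem, "-b", cfg.build_id, "-source", cfg.java_version]
        if cfg.classpath:
            cmd += ["-cp", os.pathsep.join(cfg.classpath)]
        for pattern in cfg.excludes:
            cmd += ["-exclude", pattern]
        cmd += cfg.src_dirs
        cmds.append(cmd)

    if cfg.scan:  # analyse the translated build and write the FPR
        cmd = [sca, mem, "-b", cfg.build_id, "-scan", "-f", out]
        if cfg.quick:
            cmd.append("-quick")
        for rules in cfg.custom_rules:
            cmd += ["-rules", rules]
        cmds.append(cmd)
    return cmds


def run_scan(cfg: ScanConfig) -> str:
    """Execute each phase; stop on the first failure, as the wizard's warning would."""
    for cmd in build_commands(cfg):
        subprocess.run(cmd, check=True)
    return cfg.output_fpr or f"{cfg.build_id}.fpr"


if __name__ == "__main__":
    # Security content changed but the code did not: skip clean and translation,
    # exactly as clearing those two check boxes in the wizard does.
    run_scan(ScanConfig("webgoat", ["WebGoat/src"], clean=False, translate=False))
```

Setting the classpath explicitly, rather than letting SCA fall back to the CLASSPATH environment variable, is what keeps the translation reproducible between the workstation and a build server; the same `ScanConfig` can then be checked in next to the project.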
Scanning Visual Studio Solutions and Projects
If you have Visual Studio and the HPE Security Fortify Package for Visual Studio installed on the same
machine as Audit Workbench, you can analyze Visual Studio solutions and projects.
The source code analysis supports the following languages in Visual Studio solutions:
• C/C++
• C#
• VB .NET
• ASP .NET
To scan a Visual Studio solution:
1. Start Audit Workbench.
2. Under Start New Project, click Visual Studio Build Integration.
3. Select the folder that contains the solution you want to analyze, and then click OK.
Note: Fortify Static Code Analyzer uses the selected folder name as the build ID.
The Advanced Static Analysis wizard opens.
4. Configure the solution settings, as follows:
a. (Optional) Next to the Visual Studio solution file box, click Browse.
b. Navigate to and select the file for your Visual Studio solution.
c. From the Visual Studio version list, select the Visual Studio version used for the solution.
d. In the Build configuration box, leave the default value DEBUG.
e. (Optional) In the Build ID box, type a different build ID.
f. (Optional) Select a different path and name for the Output file.
g. To run the scan in quick scan mode, select the Quick Scan Mode check box.
h. Click Next.
The Advanced Static Analysis wizard displays details about the Fortify Static Code Analyzer
analysis phases for the scan.
• During the clean phase, Fortify Static Code Analyzer removes files from previous translation of
the project.
• During the translation phase, Fortify Static Code Analyzer translates source code identified in
the previous screen into an intermediate format that is associated with a build ID. The build ID is
typically the project.
• During the scan phase, Fortify Static Code Analyzer scans source files identified during the
translation phase and generates analysis results, in the Fortify Project Results (FPR) format.
5. (Optional) To skip a scanning phase, clear the Enable clean, Enable translation, or Enable scan
check box.
For example, if the Rulepacks have changed but the project has not changed, you might want to
disable both the clean and the translation phases so that Fortify Static Code Analyzer scans the
project without retranslating the source code.
6. Modify the command-line options for each Fortify Static Code Analyzer phase, if necessary.
7. (Optional) To specify the amount of memory Fortify Static Code Analyzer uses for scanning:
a. Click Configure Memory.
b. Adjust the slider to the amount of memory required.
c. Click OK.
8. (Optional) To analyze the source code using an installed custom Rulepack, or to disable a Rulepack,
do the following:
a. Click Configure Rulepacks.
b. In the Installed Fortify Security Content list, clear the check boxes that correspond to any
Rulepacks you want to disable during the scan.
Note: For instructions on how to add custom security content, see "Importing Custom
Security Content" on page 22.
c. Click OK.
9. From the Advanced Static Analysis wizard, click Next.
10. Select your scan settings, and then click Scan.
Fortify Static Code Analyzer starts the scan and displays progress information throughout the process.
If Fortify Static Code Analyzer encounters any problems scanning the source code, it displays a
warning.
After the scan is completed, Audit Workbench loads the audit project and displays the analysis results.
Re-scanning Projects
This section describes how to re-scan a project that was translated locally with new or updated rules.
Audit Workbench automatically loads the FPR project settings such as the build ID and source code
path, and allows you to change the command-line scanning options.
After Fortify Static Code Analyzer completes the scan, Audit Workbench merges the analysis results
with those from the previous scan to determine which issues are new, which have been removed, and
which were uncovered in both scans.
To re-scan a project:
1. Open an FPR file.
2. Click Scan.
Note: You can only re-scan a project on the same machine where the project was originally
scanned.
The Rescan Build ID dialog box opens.
3. If the source code has changed since the most recent scan, click Update Project Translation to
retranslate the project.
Note: If the FPR file that you opened was generated by a Fortify Static Code Analyzer scan
that was not initiated from Audit Workbench, the Update Project Translation button is
unavailable.
Note: If the source code has changed since the most recent scan, you must update the
translation before you re-scan the code. Otherwise, a new scan cannot uncover the issues in
the updated source code.
4. (Optional) Modify the Fortify Static Code Analyzer scan phase command-line options, as
necessary.
5. (Optional) To change the Rulepacks used to analyze the project:
a. Click Configure Rulepacks.
b. To add and remove Rulepacks, select or clear the check boxes, as necessary.
Note: For instructions on how to add custom security content, see "Importing Custom
Security Content" on page 22.
c. Click OK.
6. Click Scan.
After the scan is complete, Audit Workbench displays the results. Compare the new results with the
issues uncovered in the previous scan as follows:
• To display all new issues, click the All tab (green), and then, in the Group by list, select New
Issue.
• To display removed issues, click the All tab, and then select Options > Show Removed Issues.
• To review issues found in both the previous scan and the new scan, click the All tab, expand the
Issue Updated group, and then, from the Group by list, select New Issue.
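The merge described above (new, removed, and issues found in both scans, with the earlier audit carried forward) is easy to get wrong when scripting around FPR exports, so here is the logic as an added example, not code from the Fortify guide or product. It keys issues on a stable per-issue instance ID; the `Issue` record, the `merge_scans` and `triage_queue` names, and both sample scans are constructed for this example.

```python
"""Added example (not from the Fortify guide): the comparison Audit Workbench
makes after a re-scan, classifying issues as new, removed, or found in both
scans, and carrying the earlier audit (Analysis tag, comments) forward onto
issues that survived.  Issues are keyed on a stable instance ID; the Issue
record and both sample scans below are constructed for this example."""
from dataclasses import dataclass, field, replace
from typing import Dict, List, Optional


@dataclass
class Issue:
    instance_id: str                  # stable identifier for one code path
    category: str
    file: str
    line: int
    analysis: Optional[str] = None    # auditor's Analysis tag, if set
    comments: List[str] = field(default_factory=list)


@dataclass
class MergeResult:
    new: List[Issue]        # only in the current scan
    removed: List[Issue]    # only in the previous scan
    updated: List[Issue]    # in both; current location, previous audit data


def merge_scans(previous: List[Issue], current: List[Issue]) -> MergeResult:
    prev_by_id: Dict[str, Issue] = {i.instance_id: i for i in previous}
    cur_by_id: Dict[str, Issue] = {i.instance_id: i for i in current}

    new = [i for iid, i in cur_by_id.items() if iid not in prev_by_id]
    removed = [i for iid, i in prev_by_id.items() if iid not in cur_by_id]

    updated: List[Issue] = []
    for iid, cur in cur_by_id.items():
        old = prev_by_id.get(iid)
        if old is None:
            continue
        # The line may have shifted; keep the fresh location, reuse the audit.
        updated.append(replace(cur,
                               analysis=cur.analysis or old.analysis,
                               comments=old.comments + cur.comments))
    return MergeResult(new, removed, updated)


def triage_queue(result: MergeResult) -> List[Issue]:
    """Issues an auditor has not yet assessed: every new one plus any updated
    one whose earlier audit left no Analysis tag."""
    return [i for i in result.new + result.updated if i.analysis is None]


# Constructed sample: an audited first scan, then a re-scan after a code change.
PREVIOUS_SCAN = [
    Issue("a1", "SQL Injection", "Login.java", 42, analysis="Exploitable",
          comments=["confirmed with ' OR 1=1--"]),
    Issue("b2", "Null Dereference", "Util.java", 17, analysis="Not an Issue"),
    Issue("c3", "Password Management: Hardcoded Password", "Db.java", 9),
]
CURRENT_SCAN = [
    Issue("a1", "SQL Injection", "Login.java", 45),          # moved, still present
    Issue("c3", "Password Management: Hardcoded Password", "Db.java", 9),
    Issue("d4", "Path Manipulation", "Files.java", 88),      # newly detected
]

if __name__ == "__main__":
    r = merge_scans(PREVIOUS_SCAN, CURRENT_SCAN)
    print("new:", [i.instance_id for i in r.new])                # ['d4']
    print("removed:", [i.instance_id for i in r.removed])        # ['b2']
    print("to triage:", [i.instance_id for i in triage_queue(r)])  # ['d4', 'c3']
```

The point of keying on an instance ID rather than on file and line is visible in the sample: the SQL Injection moved from line 42 to 45 after the edit, and a location-based diff would have reported it as one removed and one new issue, losing the Exploitable verdict and its comment.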
Chapter 4: Scan Results
After a scan is completed, Audit Workbench displays the results in the auditing interface.
This section contains the following topics:
About Viewing Scan Results 34
Working with Issues 53
Searching for Issues 60
About Issue Templates 66
Configuring Custom Filter Sets and Filters 67
Managing Folders 70
Configuring Custom Tags for Auditing 73
Issue Template Sharing 77
Advanced Configuration 79
About Viewing Scan Results
After the scan is completed (or, after you open an existing audit project), summary results are displayed
in the Issues view and in the Project Summary view of the auditing interface. The Analysis Evidence
and Issue Auditing views are open, but do not contain any information until you select an issue from
the Issues view.
View For more information, see...
Issues (top left) "Issues View" below
Project Summary (top center) "Project Summary View" on page 39
Analysis Evidence (bottom left) "Analysis Evidence View" on page 38
Issue Auditing (bottom center) "Issue Auditing View" on page 45
Functions (right) "Functions View" on page 51
Issues View
The Issues view provides a way to group and select the issues to audit. The view contains the Filter Set
list, folders (tabs), the Group By list, the My Issues check box, and a search box.
Note: In this view, you can right-click an issue and select Issue Attributes to see all the attributes
associated with the issue such as Analysis tag, analyzer that detected the issue, severity, and more.
Filter Sets
Audit Workbench applies filters to sort and display the issues that Static Code Analyzer uncovers. Audit
Workbench organizes filters into distinct filter sets.
The selected filter set controls which issues are listed in the Issues view. The filter set determines the
number and types of containers (folders) that are shown and how and where to display issues. The
default filter sets sort the issues by severity into the Critical, High, Medium, Low, and All folders.
Because filter sets are saved to audit project files, each audit project can have unique filter sets.
Audit Workbench provides the following filter sets for new projects:
• Quick View: This is the default initial filter set for new projects. The Quick View filter set provides a
view only of issues in the Critical folder (these have a potentially high impact and a high likelihood of
occurring) and the High folder (these have a potentially high impact and a low likelihood of
occurring). The Quick View filter set provides a useful first look at results that enables you to quickly
address the most pressing issues.
• Security Auditor View: This is the default filter set for projects scanned in earlier product versions.
This view reveals a broad set of security issues to be audited. The Security Auditor View filter
contains no visibility filters, so all issues are shown.
For instructions on how to create custom filter sets, see "Configuring Custom Filter Sets and Filters" on
page 67.
If you open an FPR file that contains no custom filtertemplate.xml file or if you open an FVDL file
or a webinspect.xml file, the audit project opens with the Quick View filter set selected.
Specifying the Default Filter Set
You can change the initial filter set to use for new or opened projects. You can also disable the default
filter set so that the filter set last enabled in the issue template is used to display scan results for new
projects.
To select the filter set for new or opened projects:
1. Select Options > Options.
2. In the left panel, select Audit Configuration, and then click the Configuration tab on the right.
3. Under Audit Project Load Mode, leave the Default Filter Set check box selected.
If you clear the check box, Audit Workbench instead loads the filter set last enabled in the issue
template. For newly opened projects, the default filter set for FPRs that have no embedded template,
or the default filter set from the embedded template, is the Security Auditor View filter set.
4. From the list to the right of the Default Filter Set check box, select the filter set to use to display
scan results for new projects.
5. Click OK.
Folders (Tabs)
The color-coded Critical, High, Medium, Low, and All tabs on the Issues view are called folders. You
can customize the folders and their settings. The number of folders, names, colors, and the issue list can
vary between filter sets and projects.
Note: In Audit Workbench, the term folder does not refer to the folder icons in the issues list.
The filter set you select from the Filter Set list determines which folders are visible in the Issues view.
The following folders are visible while the Security Auditor View filter set is selected:
• The Critical folder contains issues that have a high impact and a high likelihood of occurring. Issues
at this risk level are easy to discover and to exploit, and represent the highest security risk to a
program. Remediate critical issues immediately.
Example: SQL Injection
• The High folder contains issues that have a high impact and a low likelihood of occurring.
High-priority issues are often difficult to discover and exploit, but can result in much asset damage.
They represent a significant security risk to a program. Remediate these issues with the next patch
release.
Example: Password Management: Hardcoded Password
• The Medium folder contains issues that have a low impact and a high likelihood of exploitation.
Medium-priority issues are easy to discover and exploit, but often result in little asset damage. These
issues represent a moderate security risk to a program. Remediate these issues as time permits.
Example: ASP.NET Misconfiguration: Missing Error Handling
• The Low folder contains issues that have a low impact and a low likelihood of exploitation. Remediate
these issues as time permits. Low-priority issues can be difficult to discover and to exploit and
typically result in little asset damage. These issues represent a minor security risk to the program.
Example: Poor Error Handling: Empty Catch Block
• The All folder contains the issues from all of the other folders.
An issue is listed in a folder if the folder filter conditions match the issue attributes. Each filter set has a
default folder, indicated by (default) next to the folder name. If an issue does not match any of the
folder filters, the issue is listed in the default folder.
You can create your own folders as you need them. For example, you might group all hot issues for a
project into a Hot folder and group all warning issues for the same project into a Warning folder. For
instructions on how to create your own folders, see "Creating a Folder" on page 70.
Each folder lists every issue whose attributes match the folder filter conditions.
Note: To show or hide suppressed, hidden, and removed issues, set the user interface preferences
from the Options dialog box (see "Customizing the Issues View" on page 51).
Group By List
The Group By list options sort the issues into sub folders. The option you select is applied to all visible
folders. To list all issues in the folder without any grouping, select <none>.
To customize the existing groups, you can specify which attributes to sort by, add or remove the
attributes to create sub-groupings, and add your own grouping options.
The Group By settings apply to the application instance. You can apply the Group By option to any
project opened with that instance of the application.
For more information, see "Grouping Issues" on page 55.
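To make the folder and Group By mechanics concrete, the following is an added example, not code from the Fortify guide or product: a small model of a filter set as an ordered list of folders with predicates over issue attributes, a default folder for issues that match none of them, an optional visibility filter (present in Quick View, absent in Security Auditor View), and a Group By that buckets a folder's issues by one attribute. The 2.5 cut-off between "high" and "low" impact or likelihood, the default-folder choice, and the sample issues are assumptions made for this example; the guide states only that the folders distinguish high from low impact and likelihood.

```python
"""Added example (not from the Fortify guide): a model of Issues-view filter
sets.  An issue lands in the first folder whose predicate matches, otherwise
in the filter set's default folder; a visibility filter can hide issues from
every folder; Group By then buckets a folder's issues by one attribute.
The 2.5 threshold, the default folder and the sample issues are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Issue = Dict[str, object]           # attribute name -> value, as in Issue Attributes
Predicate = Callable[[Issue], bool]
HIGH = 2.5                           # assumed cut-off for "high" impact/likelihood


@dataclass
class Folder:
    name: str
    matches: Predicate


@dataclass
class FilterSet:
    name: str
    folders: List[Folder]
    default_folder: str
    visibility: Optional[Predicate] = None   # None: no visibility filter, show all

    def assign(self, issues: List[Issue]) -> Dict[str, List[Issue]]:
        """Sort issues into folders; the All folder holds every visible issue."""
        visible = [i for i in issues if self.visibility is None or self.visibility(i)]
        buckets: Dict[str, List[Issue]] = {f.name: [] for f in self.folders}
        buckets.setdefault(self.default_folder, [])
        for issue in visible:
            for folder in self.folders:
                if folder.matches(issue):
                    buckets[folder.name].append(issue)
                    break
            else:                               # matched no folder filter
                buckets[self.default_folder].append(issue)
        buckets["All"] = list(visible)
        return buckets


def group_by(issues: List[Issue], attribute: str) -> Dict[object, List[Issue]]:
    """Group By: sub-folders keyed by one attribute (missing attribute -> None)."""
    groups: Dict[object, List[Issue]] = defaultdict(list)
    for issue in issues:
        groups[issue.get(attribute)].append(issue)
    return dict(groups)


def _num(issue: Issue, key: str) -> Optional[float]:
    v = issue.get(key)
    return float(v) if isinstance(v, (int, float)) else None


def _risk(impact_high: bool, likelihood_high: bool) -> Predicate:
    """Folder filter on the impact x likelihood quadrant the guide describes."""
    def pred(i: Issue) -> bool:
        imp, lik = _num(i, "impact"), _num(i, "likelihood")
        if imp is None or lik is None:          # no attributes: no folder matches
            return False
        return (imp >= HIGH) == impact_high and (lik >= HIGH) == likelihood_high
    return pred


PRIORITY_FOLDERS = [Folder("Critical", _risk(True, True)), Folder("High", _risk(True, False)),
                    Folder("Medium", _risk(False, True)), Folder("Low", _risk(False, False))]

# No visibility filter: every issue is shown somewhere.
SECURITY_AUDITOR_VIEW = FilterSet("Security Auditor View", PRIORITY_FOLDERS, default_folder="Low")

# Quick View: same folders, but only high-impact (Critical and High) issues are visible.
QUICK_VIEW = FilterSet("Quick View", PRIORITY_FOLDERS, default_folder="Low",
                       visibility=lambda i: (_num(i, "impact") or 0.0) >= HIGH)

# Constructed sample issues using the folder examples from the text.
SAMPLE_ISSUES: List[Issue] = [
    {"id": 1, "category": "SQL Injection", "impact": 5.0, "likelihood": 4.0, "analysis": "Exploitable"},
    {"id": 2, "category": "Password Management: Hardcoded Password", "impact": 5.0, "likelihood": 1.0, "analysis": None},
    {"id": 3, "category": "ASP.NET Misconfiguration: Missing Error Handling", "impact": 2.0, "likelihood": 4.0, "analysis": None},
    {"id": 4, "category": "Poor Error Handling: Empty Catch Block", "impact": 1.0, "likelihood": 1.0, "analysis": "Not an Issue"},
    {"id": 5, "category": "SQL Injection", "impact": 5.0, "likelihood": 4.5, "analysis": None},
    {"id": 6, "category": "Custom Rule Match", "analysis": None},   # no impact/likelihood attributes
]

if __name__ == "__main__":
    for fs in (SECURITY_AUDITOR_VIEW, QUICK_VIEW):
        buckets = fs.assign(SAMPLE_ISSUES)
        print(fs.name, {name: [i["id"] for i in issues] for name, issues in buckets.items()})
    print(group_by(SECURITY_AUDITOR_VIEW.assign(SAMPLE_ISSUES)["Critical"], "category"))
```

Issue 6 is the case worth noticing: it carries no impact or likelihood, so no folder filter matches it and it falls into the default folder under Security Auditor View, while Quick View's visibility filter hides it entirely. That is exactly why the guide suggests auditing quick scan results with the same care as full ones, and why the default folder of a custom filter set deserves attention.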
Specifying the Default Issue Grouping
You can change the initial Group By setting to use for new or opened projects.
To select the default Group By setting:
1. Select Options > Options.
2. In the left panel, select Audit Configuration, and then click the Configuration tab on the right.
3. Under Audit Project Load Mode, select the Default Issue Grouping check box.
If you clear the check box, the default Group By setting is set to Category.
4. From the list to the right of the Default Issue Grouping check box, select the grouping you want
to use to sort issues.
5. Click OK.
Search Box
The search box enables you to limit the issues displayed in the folder and to search for specific issues.
For detailed information about how to use the search box, see "Searching for Issues" on page 60.
Analysis Evidence View
When you select an issue, the Analysis Evidence view displays the relevant trace output. This is a set of
program points that show how the analyzer found the issue. For dataflow and control flow issues, the
set is presented in the order executed. For dataflow issues, this evidence is a presentation of the path
that the tainted data follows from the source function to the sink function.
For example, when you select an issue that is related to potentially tainted dataflow, the Analysis
Evidence view shows the direction the dataflow moves in this section of the source code.
The Analysis Evidence view marks each node with an icon that shows how the dataflow moves in this
section of the source code, or the execution order. The icons themselves are images; the node types
they denote are:
• Data is assigned to a field or variable
• Information is read from a source external to the code such as an HTML form or a URL
• Data is assigned to a globally scoped field or variable
• A comparison is made
• The function call receives tainted data
• The function call returns tainted data
• Passthrough, tainted data passes from one parameter to another in a function call
• An alias is created for a memory location
• Data is read from a variable
• Data is read from a global variable
• Tainted data is returned from a function
• A pointer is created
• A pointer is dereferenced
• The scope of a variable ends
• The execution jumps
• A branch is taken in the code execution
• A branch is not taken in the code execution
• Generic
• A runtime source, sink, or validation step
• Taint change
The Analysis Evidence view can display inductions. Inductions provide supporting evidence for their
parent nodes. Inductions consist of a text node, displayed in italics as a child of the trace node, and an
induction trace, displayed as a child of the text node (a box surrounds the induction trace). The italics
and the box distinguish the induction from a standard sub trace.
Project Summary View
The Project Summary view provides detailed information about the scan.
To open this view, select Tools > Project Summary.
Summary Tab
The Summary tab shows high-level information about the project. For more information, see "Viewing
Summary Graph Information" on the next page.
Certification Tab
The Certification tab displays the result certification status and indicates whether the code analysis for
a scan was complete. Results certification is a check to ensure that the analysis results have not been
altered after HPE Security Fortify Static Code Analyzer or HPE Security Fortify Runtime Application
Protection produced them. Results certification shows specific information about the scanned code,
including:
• FPR certification
• Certification details such as the results and rules signatures
Runtime Analysis Tab
If Runtime analysis data is available, the Runtime Analysis tab displays the following run information:
• Number of issues found by Runtime Application Protection
• Build ID
• Engine version
• Dates and times the run started and ended
• Machine on which the scan was performed
Build Information Tab
The Build Information tab displays the following information:
• Build details such as the build ID, number of files scanned, source last-modified date, and the date of
the scan, which might be different than the date the files were translated
• Executable lines of code (LOC) scanned - Ignore this metric. It is no longer used.
• Total lines of code (LOC) scanned
This metric provides the approximate number of lines that contain code constructs (comments are
excluded). The process to determine the LOC varies for the different supported languages.
• List of files scanned with file sizes and timestamps
• Libraries referenced for the scan
• Java classpath used for the translation
Analysis Information Tab
The Analysis Information tab shows the Fortify Static Code Analyzer version that performed the
scan, details about the computer on which the scan was run, the user who started the scan, scan date,
and the time required to scan the code.
The Analysis Information tab includes the following subtabs:
• Security Content: Lists information about the Rulepacks used to scan the source code
• Properties: Displays the Fortify Static Code Analyzer properties files settings
• Commandline Arguments: Displays the command-line options used to analyze the project
Viewing Summary Graph Information
The summary graph displayed in the Project Summary view provides multiple perspectives on the sets
of issues, grouped by priority (Critical, High, Medium, and Low) uncovered in a scan. You can drill down
in the graph to see detailed information about each issue set, and create various bar charts for issues
based on a selected issue attribute.
The following procedure uses the WebGoat sample Java application to demonstrate how to access
information about sets of issues graphically depicted in the summary graph.
To access details about issue sets in an audit project:
1. Scan your project source code or open an existing audit project.
After the results are loaded, the Project Summary view displays the Summary tab, which includes
the summary graph. The summary graph initially displays issues sorted into the Critical,High,
Medium, and Low folders.
Note: If you change the selection in the Filter Set list (Issues), the summary graph changes
accordingly.
2. To see a different view of the high priority issues, click the High bar.
By default, the graph displays high priority issues based on the analysis attribute (assigned analysis
values).
Note: The example here shows information for scan results that have been partially audited. If
these results were from a fresh, unaudited scan, no analysis information would be available.
The graph would just display a single bar that represents all (unaudited) high priority issues.
3. To view the high priority issues based on a different attribute, select an item from the View By list.
4. On the Issues in High bar graph, select a bar for a category that contains multiple issues.
In the example shown here, the Null Dereference bar is selected. You can see that, of eight issues,
three were marked as Suspicious and five were marked as Bad Practice.
5. To synchronize the issues list with the displayed graphical view, click Sync Issue List with Graph.
The issues list in the Issues view now reflects the selections in the summary graph.
6. To return to the previous view in the summary graph, click Back.
7. To return to the original summary graph view (issues based on priority), click Return to Folder
Graph.
Source Code View
After you open a project in Audit Workbench, the top center view displays the Project Summary tab.
After you select an issue in the Issues view to the left, Audit Workbench adds the source code tab to
the top center view. This source code tab shows the code related to the issue selected in the Issues
view.
If multiple nodes represent an issue in the Analysis Evidence view (below the Issues view), the source
code tab shows the code associated with the selected node. From the source code view, you can use the
code assist feature to create custom rules and new issues. For information about how to create a new
issue from Audit Workbench, see "Creating Issues for Undetected Vulnerabilities" on page 87.
About Displayed Source Code
After you open an FPR file in Audit Workbench, the source code tab displays source code that is stored
locally. If that source code was updated since the last scan, Audit Workbench displays the updated
source code, even if the latest scan did not use that updated source code.
However, if that source code is updated after you open the FPR file and Audit Workbench has already
started and searched for the source code (even if you close the FPR in Audit Workbench and then re-
open it) Audit Workbench does not look for or display the updated source code. It displays the updated
source code only after you quit, and then restart Audit Workbench.
Issue Auditing View
The Issue Auditing view at the bottom center of the auditing interface provides detailed information
about each issue on the tabs described in the following topics.
Note: If any of the tabs are not visible, select Options >Show View to open them.
Summary Tab
The Summary tab displays information about the selected issue and enables auditors to add comments
and custom tag values. The following table describes the tab elements.
Element Description
Issue Displays the issue location, including the file name and line number.
User Displays the name of the user assigned to the issue if the results were
uploaded to Fortify Software Security Center and a user was assigned in
Fortify Software Security Center.
Analysis List of values that the auditor can use to assess the issue. Valid values for
Analysis are Not an Issue, Reliability Issue, Bad Practice, Suspicious, and
Exploitable.
<custom_tags> Displays any custom tags if defined for the audit project.
If the audit results have been submitted to Audit Assistant in Fortify
Software Security Center, then in addition to any other custom tags, the tab
displays the following tags:
• AA_Prediction: Exploitability level that Audit Assistant assigned to the
issue. You cannot modify this tag value.
• AA_Confidence: Confidence level from Audit Assistant for the accuracy of
its AA_Prediction value. This is a fraction between 0.000 and 1.000 that
reads as a percentage. For example, a value of 0.982 indicates a confidence
level of 98.2 percent. You cannot modify this tag value.
• AA_Training: Whether to include or exclude the issue from Audit
Assistant training. You can modify this value.
For more information about Audit Assistant, see the HPE Security Fortify
Software Security Center User Guide.
Suppress Suppresses the issue.
Unsuppress Unsuppresses the issue (only visible if the issue is suppressed).
File Bug Provides access to a supported bug tracking system.
Comment Appends additional information about the issue to the comment field.
Rule Information Shows information, such as the category and kingdom, that describes the
issue.
More Information Opens the Details tab.
Recommendations Opens the Recommendations tab.
Show merge conflicts Shows merge conflicts in the Comments box that might exist after a merge
of audit projects. This check box is available only if merge conflicts exist.
Details Tab
The Details tab provides a detailed description of the selected issue and guidelines on how to resolve it.
The following table describes the tab elements.
Element Description
Abstract/Custom Abstract Summary description of the issue, including custom abstracts that your
organization defined.
Explanation/Custom Explanation Description of the conditions in which this type of issue occurs. This
includes a discussion of the vulnerability, the constructs typically associated with it, how
it can be exploited, and the potential consequences of an attack. This element
also provides custom explanations that your organization defined.
Instance ID Unique identifier for the issue.
Priority Metadata Values Includes impact and likelihood.
Legacy Priority Metadata Values Includes severity and confidence.
Remediation Effort The relative amount of effort required to fix and verify an issue.
Note: For more information about metadata values and remediation effort, see "Estimating Impact
and Likelihood with Input from Rules and Analysis" on page 122.
WebInspect Agent Details Tab
The WebInspect Agent Details tab displays information about runtime issues found by HPE Security
Fortify Runtime Application Protection. The following table describes the tab elements.
Element Description
Request Shows the path of the request, the referrer address, and the method.
Stack Trace Shows the order of methods called during execution and line number information.
Blue, clickable code links are displayed only for Fortify Static Code Analyzer-scanned
code.
Recommendations Tab
The Recommendations tab displays suggestions and examples of how to secure the vulnerability or
remedy the bad practice. The following table lists the elements on the tab.
Element Description
Recommendations/Custom Recommendations Recommendations for this type of issue, including examples, as well as
custom recommendations that your organization defined.
Tips/Custom Tips Tips for this type of issue, including any custom tips that your
organization defined.
References/Custom References Reference information, including any custom references that your
organization defined.
History Tab
The History tab displays a complete list of audit actions, including details such as the time and date, and
the name of the user who modified the issue.
Diagram Tab
The Diagram tab displays a graphical representation of the node execution order, call depth, and
expression type of the issue selected in the Issues view. This tab displays information that is relevant to
the rule type. The vertical axis represents the execution order.
For dataflow issues, the trace starts with the first function to call the taint source, then traces the calls to
the source (blue node), and ends the trace at the sink (red node). In the diagram, the source (src) and
sink nodes are also labeled. A red X on a vertical axis indicates that the called function finished
executing.
The horizontal axis shows the call depth. A line shows the direction in which control is passed. If control
passes with tainted data through a variable, the line is red. If control passes without tainted data,
the line is black.
The icons used for the expression type of each node in the diagram are the same icons used in the
Analysis Evidence view. To view the icons and the descriptions, see "Analysis Evidence View" on
page 38.
Filters Tab
The Filters tab displays all the filters in the selected filter set. The following table describes the Filters
tab options to create new filters.
Option Description
Filters Displays a list of the visibility and folder filters configured in the selected filter set.
• Visibility filters show or hide issues.
• Folder filters sort the issues into the folder tabs in the Issues view.
Right-click a filter to show issues that match the filter or to enable, disable, copy, or delete
it.
If Displays the filter's conditions.
The first list displays a list of issue attributes, the second list specifies how to match the
attribute, and the third is the value the filter matches.
Note: This option is visible when you create a new filter or edit an existing filter. In this
case, a dialog box displays the If section.
Then Indicates the filter type, where Hide Issue is a visibility filter and Set Folder to is a folder
filter.
Note: This option is visible when you create a new filter or edit an existing filter. In this
case, a dialog box displays the Then section.
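The following is an added example, not Fortify's own filter engine, that shows how a filter set of the shape described in this table behaves when evaluated outside the tool: a visibility filter (Then Hide Issue) drops a matching issue, a folder filter (Then Set Folder to) assigns it to a folder, and the per-filter match count is what the Filters table displays next to each filter. The issue attribute names, the three match operators, the default folder name, and the rule that a later matching folder filter overrides an earlier one are assumptions made for the illustration; the sample issues are constructed, not real scan output.

```python
# Added example (not Fortify's own code): evaluating visibility and folder
# filters of the "If <attribute> <match> <value> Then Hide Issue / Set Folder
# to" shape over a constructed issue list.  The attribute names, the match
# operators and the "last matching folder filter wins" ordering rule are
# assumptions made for this illustration.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Filter:
    attribute: str                 # the "If" attribute (first list)
    match: str                     # how to match (second list): is / is_not / contains
    value: str                     # the value to match (third field)
    action: str                    # "hide" = visibility filter, "folder" = folder filter
    folder: Optional[str] = None   # target folder for "Set Folder to"
    enabled: bool = True           # filters can be disabled from the right-click menu


MATCHERS: Dict[str, Callable[[str, str], bool]] = {
    "is": lambda actual, wanted: actual == wanted,
    "is_not": lambda actual, wanted: actual != wanted,
    "contains": lambda actual, wanted: wanted.lower() in actual.lower(),
}


def matches(flt: Filter, issue: Dict[str, str]) -> bool:
    """Evaluate the filter's If section against one issue."""
    return MATCHERS[flt.match](str(issue.get(flt.attribute, "")), flt.value)


def count_matches(flt: Filter, issues: List[Dict[str, str]]) -> int:
    """The per-filter match count the Filters table shows next to each filter."""
    return sum(1 for issue in issues if matches(flt, issue))


def apply_filter_set(filters: List[Filter], issues: List[Dict[str, str]],
                     default_folder: str = "Low") -> Dict[str, List[Dict[str, str]]]:
    """Return {folder name: [issues]} after running every enabled filter.

    A matching visibility filter drops the issue outright; a matching folder
    filter sets its folder.  Issues that no folder filter claims land in
    default_folder (assumed to be the filter set's default folder).
    """
    folders: Dict[str, List[Dict[str, str]]] = {}
    for issue in issues:
        folder = default_folder
        hidden = False
        for flt in filters:
            if not flt.enabled or not matches(flt, issue):
                continue
            if flt.action == "hide":
                hidden = True
                break
            folder = flt.folder or default_folder
        if not hidden:
            folders.setdefault(folder, []).append(issue)
    return folders


# Constructed sample issues; not output from a real scan.
ISSUES = [
    {"category": "SQL Injection", "priority": "Critical", "file": "Login.java", "analysis": ""},
    {"category": "Null Dereference", "priority": "High", "file": "Main.cs", "analysis": "Not an Issue"},
    {"category": "Dead Code", "priority": "Low", "file": "Util.java", "analysis": ""},
    {"category": "Cross-Site Scripting", "priority": "Critical", "file": "View.jsp", "analysis": "Exploitable"},
    {"category": "Poor Logging Practice", "priority": "Low", "file": "Log.java", "analysis": ""},
]

FILTERS = [
    Filter("analysis", "is", "Not an Issue", "hide"),             # visibility filter
    Filter("category", "contains", "dead code", "hide"),          # visibility filter
    Filter("priority", "is", "Critical", "folder", "Critical"),   # folder filter
    Filter("priority", "is", "High", "folder", "High"),           # folder filter
]

if __name__ == "__main__":
    for flt in FILTERS:
        print(f"{flt.attribute} {flt.match} {flt.value!r}: {count_matches(flt, ISSUES)} match(es)")
    for name, items in apply_filter_set(FILTERS, ISSUES).items():
        print(name, [issue["file"] for issue in items])
```

Running the block shows the practical consequence of mixing the two filter types: the Null Dereference issue never reaches the High folder because the visibility filter on its Analysis value removes it first, so a folder that looks empty in the Issues view may simply be hiding audited issues rather than reporting none.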
Warnings Tab
The Warnings tab lists any warnings that occurred during the analysis.
A common source of warnings is missing references. To resolve this type of warning, make sure that
the reference files are either within the project directory structure or in a location known to Fortify
Static Code Analyzer. The scan can also issue a warning if a particular class has no functional content. In
this case, the warning is harmless because an empty class has no impact on the scan.
The following table describes the Warnings tab options.
Task Procedure
See the complete message that is truncated on the tab. Double-click the message.
Copy a warning message to the clipboard. Right-click a message, and then select Copy.
Save a warning message to a file. 1. Right-click a message, and then select Export Entry.
2. Type a name for the file, and then click Save.
The file includes the audit project name, FPR file location, the warning code, and the
warning message.
Save all the warning messages to a file. 1. Click Export Warnings.
2. Type a name for the file, and then click Save.
The file includes the project name, FPR file location, the warning codes, and the warning
messages.
Search the warning messages. Type the search text in the filter text box.
Modify the text message at the top of the tab. 1. Edit the
<fortify_working_dir>/config/tools/warnings-view.properties file, where <fortify_working_dir> is:
• Windows: C:\Users\<username>\AppData\Local\Fortify
• Non-Windows: /home/<username>/.fortify
2. Edit the text following message= to the text you want to display in the Warnings tab.
Close and reopen the Warnings tab to see the updated text.
Functions View
The Functions view in the top right shows how and where a function occurs in the source code,
whether or not the function was covered by a security rule, and which rule IDs match the function. The
Functions view can also list the functions that Fortify Static Code Analyzer identified as tainted sources,
and the functions that were not covered by rules in the last scan. For detailed information about the
Functions view, see "Using the Functions View" on page 106.
Customizing the Issues View
You can customize the Issues view to determine which issues it displays.
To change the Issues view:
1. Select Options > Options.
2. In the left panel, select Audit Configuration.
3. To change your preferences on the Appearance tab, select or clear the check boxes described in
the following table.
Preference Description
Show Suppressed Issues Displays all suppressed issues (disabled by default).
Show Removed Issues Displays all issues that were uncovered in the previous analysis, but
are no longer evident in the new Issues view. When multiple scans
are run on a project over time, vulnerabilities are often remediated or
become obsolete. Fortify Static Code Analyzer marks these
vulnerabilities as Removed Issues.
Show Hidden Issues Displays all hidden issues.
Collapse Issues Shows similar issues based on certain attributes under a shared
parent node in the Issues view.
Use Short File Names References the issues in the Issues view by file name only, instead of
by relative path.
Show Category of Issue Displays the category of an issue in the Issues and Issue Summary
views.
Show Only My Issues Displays only issues assigned to you.
Right justify 'All' Folder Displays the All folder aligned on the right.
Display Name in Folder Tabs Displays the name text in the folder tabs.
Show Abstract in Issue Summary Displays the abstract text in the summary.
Show Comments in Issue Summary Displays comments in the summary.
Show 'All' Folder in Issue Summary Graph Displays another bar in the chart on the Project Summary tab.
Include Comments Displays the history items for comments on the History tab.
Note: To restore the default settings at any time, click Reset Interface.
4. To save your preferences, click OK.
Working with Issues
This section provides information about how to use Audit Workbench to review issues.
Filtering Issues with Audit Guide
You can use the Audit Guide wizard to filter vulnerability issues in your audit project based on a set of
security-related questions.
To use the Audit Guide:
1. Select Tools >Audit Guide.
2. Make your selections for the types of issues you want to display.
3. To use the advanced filter options, click Advanced Mode.
The Advanced Audit Guide dialog box opens.
a. In the Audit Guide Filters list, select the types of issues you want to filter out and ignore.
As you select items in the Audit Guide Filters list, the Audit Guide wizard also displays the
filter details for the selected filter type in the Filters table, including the number of issues that
match each filter.
b. To see a description of an issue type, click its name in the Audit Guide Filters list.
The Audit Guide wizard displays a description to the right of the list.
4. Click OK to apply your filter selections.
Grouping Issues
The items visible in the navigation tree vary depending on the selected grouping option in the Issues
view. The value you select from the Group By list sorts issues in all visible folders into subfolders.
To list all issues in a folder without any grouping, select <none>.
You can view issues with any of the Group By options, and you can create and edit customized groups.
The Group By options enable you to group and view the issues in different ways. In practice, you will
probably switch frequently between different groupings. The following table lists descriptions of the
standard Group By options.
Option Description
Analysis Groups issues by the audit analysis, such as Suspicious and Exploitable.
Analysis Type Groups issues by analyzer product.
Analyzer Groups issues by analyzer group.
AppDefender Protected Groups issues by whether or not Application Defender can protect the
vulnerability category.
Category Groups issues by vulnerability category. This is the default setting.
Category Analyzer A sample custom group that groups issues by category and then
analyzer.
File Name Groups issues by file name.
Fortify Priority Order Groups issues as Critical, High, Medium, and Low based on the combined
values of Fortify Static Code Analyzer impact and likelihood.
New Issue Shows which issues are new since the last scan. For example, if you run a
new scan, any issues that are new display in the tree under the New
Issues group and the others are displayed in the Issue Updated group.
Issues not found in the latest scan are displayed in the Removed list.
<metadata_listname> Groups issues by the alternative metadata external list names (for
example, OWASP Top 10 <year>, CWE, PCI <version>, STIG <version>,
and so on).
Package Groups issues by package or namespace. Does not appear for projects to
which this option does not apply, such as C projects.
Sink Groups issues that share the same dataflow sink function.
Source Groups issues that share the same dataflow source function.
Source File Type Groups issues by the source file types Fortify Static Code Analyzer
recognizes.
Note: Issues in files with different file extensions that are the same
source file type are grouped together (for example, issues in files with
the extensions html, htm, and xhtml are grouped under html).
Taint Flag Groups issues by the taint flags that they contain.
<none> Displays a flat view without grouping.
Edit Select Edit to create a custom Group By option.
Creating a Custom Group By Option
You can create a custom Group By option that groups issues in a hierarchical format in sequential order
based on specific attributes.
To create a new grouping option:
1. In the Group By list, select Edit.
The Edit Custom Groupings dialog box opens.
2. To create a custom group by option, do the following:
a. Select Create New from the Custom Group Name list.
b. In the Enter Value dialog box, type a name for the new custom group.
c. Click OK.
3. From the Grouping Types list on the left, select a grouping type, and then click the right arrow to
move the option to the Grouping Order column.
For example, selecting Category and then Analyzer creates a list that has top-level nodes that
contain the category of the issue, such as Buffer Overflow, with the issues grouped below by
analyzer (such as semantic, or dataflow), followed by the issues.
-Buffer Overflow [0/2]
--DataFlow [0/1]
----Main.cs:234
-+Semantic [0/1]
4. Repeat step 3 to select additional grouping types.
5. To change the order of the grouping types:
a. In the Grouping Order list, select the grouping type that you want to move up or down in the
grouping order.
b. Right-click the selected grouping type, and then select Move Up or Move Down from the
shortcut menu.
6. To delete a custom grouping, click Delete .
Selectively Displaying Issues Assigned to You
To display only the issues assigned to you in the Issues view, do one of the following:
• Select the My Issues check box.
• Select Options > Show Only My Issues.
About Suppressed, Removed, and Hidden Issues
You can control whether the Issues view lists the following types of issues:
• Suppressed issues. As you assess successive scans of an application version, you might want to
completely suppress some exposed issues. It is useful to mark an issue as suppressed if you are sure
that the specific vulnerability is not, and will never be, an issue of concern. You might also want to
suppress warnings for specific types of issues that might not be high priority or of immediate
concern. For example, you can suppress issues that are fixed, or issues that you plan not to fix.
Suppressed issues are not included in the group totals shown in the Issues view.
• Removed issues. As multiple scans are run on a project over time, issues are often remediated or
become obsolete. As it merges scan results, Fortify Static Code Analyzer marks issues that were
uncovered in a previous scan, but are no longer evident in the most recent Fortify Static Code
Analyzer analysis results as Removed. Removed issues are not included in the group totals shown in
the Issues view.
• Hidden issues. You typically hide a group of issues temporarily so that you can focus on other issues.
For example, you could hide all issues except those assigned to you. The individuals assigned to
address the issues you have hidden in your view can still access them. The group totals displayed in
the Issues view include hidden issues.
To hide or show suppressed, removed, or hidden issues in the Issues view:
• From the Options menu, select (or deselect) one or more of the following:
  • Show Suppressed Issues
  • Show Removed Issues
  • Show Hidden Issues
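The following added example, which is not Audit Workbench code, ties together the custom Group By procedure from "Creating a Custom Group By Option" and the counting rules just described: it nests a constructed issue list by a sequence of attributes (here Category, then Analyzer, matching the Buffer Overflow tree shown earlier) and computes the bracketed counts on each group node, leaving suppressed and removed issues out of the totals unless they are shown while always counting hidden issues. Two assumptions are made for the illustration that the page does not state: the bracketed numbers are read as [reviewed/total], an issue counting as reviewed once it carries an Analysis value, and a "state" field marks an issue as suppressed, removed, or hidden.

```python
# Added example (not Audit Workbench code): building the nested Group By tree
# from a constructed issue list and computing the bracketed group counts.
# Assumptions made for the illustration: the bracketed numbers are
# [reviewed / total], an issue counts as reviewed once it has an Analysis
# value, and the "state" field marks suppressed, removed and hidden issues.
# The counting rules follow the page: suppressed and removed issues are left
# out of group totals unless shown, hidden issues are always counted.
from collections import OrderedDict


def counts_in_totals(issue, show_suppressed=False, show_removed=False):
    """Whether an issue contributes to the group totals in the Issues view."""
    state = issue.get("state", "")
    if state == "suppressed":
        return show_suppressed
    if state == "removed":
        return show_removed
    return True  # ordinary and hidden issues are both counted


def _nest(issues, grouping_order):
    """Recursively bucket issues by each attribute in grouping_order."""
    if not grouping_order:
        return list(issues)
    key, rest = grouping_order[0], grouping_order[1:]
    buckets = OrderedDict()
    for issue in issues:
        buckets.setdefault(str(issue.get(key, "<none>")), []).append(issue)
    return OrderedDict((name, _nest(items, rest)) for name, items in buckets.items())


def group_tree(issues, grouping_order, **show):
    """Build the tree for a custom Group By option such as ["category", "analyzer"]."""
    return _nest([i for i in issues if counts_in_totals(i, **show)], grouping_order)


def _leaves(node):
    """All issues below a tree node."""
    if isinstance(node, list):
        return node
    return [leaf for child in node.values() for leaf in _leaves(child)]


def label(name, node):
    """Group label in the form the Issues view uses: Name [reviewed/total]."""
    leaves = _leaves(node)
    reviewed = sum(1 for i in leaves if i.get("analysis"))
    return f"{name} [{reviewed}/{len(leaves)}]"


def render(tree, depth=0):
    """Flatten the tree into indented lines, with leaves shown as file:line."""
    if isinstance(tree, list):
        return [f"{'  ' * depth}{i['file']}:{i['line']}" for i in tree]
    lines = []
    for name, child in tree.items():
        lines.append(f"{'  ' * depth}{label(name, child)}")
        lines.extend(render(child, depth + 1))
    return lines


# Constructed sample issues; not output from a real scan.
ISSUES = [
    {"category": "Buffer Overflow", "analyzer": "dataflow", "file": "Main.cs", "line": 234, "analysis": "", "state": ""},
    {"category": "Buffer Overflow", "analyzer": "semantic", "file": "Parse.cs", "line": 41, "analysis": "", "state": ""},
    {"category": "SQL Injection", "analyzer": "dataflow", "file": "Db.cs", "line": 88, "analysis": "Exploitable", "state": "hidden"},
    {"category": "SQL Injection", "analyzer": "dataflow", "file": "Db.cs", "line": 102, "analysis": "Not an Issue", "state": "suppressed"},
    {"category": "SQL Injection", "analyzer": "dataflow", "file": "Old.cs", "line": 7, "analysis": "", "state": "removed"},
]

if __name__ == "__main__":
    print("\n".join(render(group_tree(ISSUES, ["category", "analyzer"]))))
    print("--- with Show Suppressed Issues and Show Removed Issues turned on ---")
    print("\n".join(render(group_tree(ISSUES, ["category", "analyzer"],
                                      show_suppressed=True, show_removed=True))))
```

With the default settings the SQL Injection group reads [1/1], because the hidden Exploitable issue is counted while the suppressed and removed ones are not; turning both Show options on changes the same group to [2/3]. This is the reason a group that reads as fully audited can still be carrying suppressed findings that nobody has revisited since an earlier scan.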
Creating Attribute Summary Tables for Multiple Issues
You can create a summary table of attributes (for example, in spreadsheet software such as Excel or
Google Sheets) for any number of issues that you select from the Issues view. You specify the format
options, select the issues, and then paste the comma delimited data into a spreadsheet program to
create the summary table.
The table can contain an attributes column followed by a single values column for every issue selected
or, the table can display one row per attribute and its corresponding values. Alternatively, you can
specify a customized table layout for the values that you copy to your spreadsheet program.
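The two standard layouts described above, rendered as an added example outside the tool (this is not Audit Workbench's own copy routine). It produces the same comma delimited text the procedures below copy to the clipboard, using Python's csv module so that an attribute value containing a comma is quoted instead of splitting across two spreadsheet cells. The attribute names and the sample issues are constructed for the illustration.

```python
# Added example (not Audit Workbench's copy routine): the two layouts of the
# multiple-issue copy, rendered with Python's csv module so that attribute
# values containing commas or quotes are escaped rather than splitting a cell.
# The attribute names and sample values are assumptions for the illustration.
import csv
import io

ATTRIBUTES = ["Instance ID", "Category", "File", "Line", "Analysis"]

# Constructed sample issues; not output from a real scan.  The second category
# deliberately contains a comma to show why plain string joining is not enough.
ISSUES = [
    {"Instance ID": "A1B2C3", "Category": "SQL Injection", "File": "Login.java", "Line": "42", "Analysis": "Exploitable"},
    {"Instance ID": "D4E5F6", "Category": "Path Manipulation, Absolute", "File": "Files.java", "Line": "118", "Analysis": ""},
]


def render_copy(issues, layout):
    """Return comma delimited text for the selected issues.

    layout "h": columnar; attributes go down the first column and each issue
                adds a column to the right.
    layout "v": row; attributes form the header row and each issue adds a row.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    if layout == "v":
        writer.writerow(ATTRIBUTES)
        for issue in issues:
            writer.writerow([issue.get(attr, "") for attr in ATTRIBUTES])
    elif layout == "h":
        for attr in ATTRIBUTES:
            writer.writerow([attr] + [issue.get(attr, "") for issue in issues])
    else:
        raise ValueError(f"unknown layout {layout!r}; use 'h' or 'v'")
    return buf.getvalue()


def parse_copy(text):
    """Parse the text back into rows, as a spreadsheet does when you paste it."""
    return list(csv.reader(io.StringIO(text)))


if __name__ == "__main__":
    for layout in ("h", "v"):
        print(f"[{layout}]")
        print(render_copy(ISSUES, layout))
```

The [h] output has one row per attribute and one column per issue, so adding issues widens the table; the [v] output has one header row and one row per issue, so adding issues lengthens it. Parsing the text back confirms the quoted category survives as a single cell in both layouts.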
To create a spreadsheet table that contains an attributes column followed by a single values column for
each selected issue:
1. Select Options > Options.
2. In the left panel, select Audit Configuration, and then select the Configuration tab.
3. Under Multiple Issues Copy Format, leave the [h] List issues in columns option selected.
4. Select the attributes you want to include from the Include immutable attributes, Include
mutable attributes, and Include custom tags check boxes.
5. Click OK.
6. From the Issues view, use the Ctrl or Shift key and select all of the issues you want to include in a
table.
7. With the issues selected, press Ctrl+Alt+Shift+C.
8. Start the spreadsheet software, and then paste (Ctrl+V) the copied data into a single column.
To create a spreadsheet table that displays one row per attribute and its values:
1. Select Options > Options.
2. In the left panel, select Audit Configuration, and then select the Configuration tab.
3. Under Multiple Issues Copy Format, select the [v] List issues in rows option.
4. Select the attributes you want to include from the Include immutable attributes, Include
mutable attributes, and Include custom tags check boxes.
5. Click OK.
6. From the Issues view, use the Ctrl or Shift key and select all of the issues you want to include in a
table.
7. With the issues selected, press Ctrl+Alt+Shift+C.
8. Start the spreadsheet software, and then paste (Ctrl+V) the copied data into a single column.
To create a customized table layout for the values that you copy to a spreadsheet program:
1. Select Options > Options.
2. In the left panel, select Audit Configuration, and then select the Configuration tab.
3. Under Multiple Issues Copy Format, select the Format manually option.
4. In the Attribute value format box, use the string described in the following table to specify the
data layout, format, and separators for the values you want to copy.
String Function
[h] Columnar format - Attributes are inserted in a single column and the spreadsheet table
expands to the right (horizontally) with a new column added for each issue copied in.
[v] Row format - Attributes are inserted in a single row (table header) and a new row
populated with values is added for each issue added (table expands vertically).
%s Textual data (you can use the complete java.util.Formatter syntax). See the
java.util.Formatter documentation at
http://docs.oracle.com/javase/8/docs/api/java/util/Formatter.html