slim

Reputation: 41271

Fortify SSC "attack surface" options

When I generate a report using Fortify SSC, it lists the "attack surfaces" it's analysed:

Attack Surface:
Command Line Arguments:
(list of classes)
File System:
(list of classes)
GUI Form:
(list of classes)
Java Properties:
(list of classes)

... and so on.

In the Eclipse plugin, I can filter out certain attack surfaces using the "Audit Guide" menu option. So, for example, I can reason that my application is intended for an environment where the system owner is trustworthy, and therefore command-line inputs are trustworthy, so I can tick "Taint from Command-Line inputs" to hide those issues.

However I don't see an equivalent option on the Web version of Fortify SSC, and our admin tells me there is no such option.

Can I get the equivalent attack-surface based suppression of issues, in collaborative Fortify projects?

Upvotes: 2

Views: 387

Answers (2)

Douglas Held

Reputation: 1461

@James Nix's answer is technically correct.

But a better way to do this is:

  1. Set up the Audit Guide filters for your FPR, in AWB.
  2. Save the file.
  3. From Tools->Project Configuration, upload your filter settings to the server. On the server the filter is stored in a "Project Template" object.
  4. Whatever Project Template you created on the server, assign it to the project.

All of your filters are now enforced for that project on the server. No matter what filters are applied in the FPR, the server's Project Template will take precedence.

Upvotes: 1

James Nix

Reputation: 935

The Audit Guide is simply a set of Filters that you can turn on and off. The "Taint from Command-Line Arguments" Audit Guide question has one filter, taint:args. It shows or hides the issues based on whether you check or uncheck the question in the Audit Guide. Since no SSC reports have this toggle ability, you will have to provide an audit result for each of the items. If you want to do this inside of SSC, you can manually suppress these items by following these steps:

  1. Open your Project Version
  2. Click Audit Issues
  3. There is a Search box at the bottom left. Put taint:args in that box and click the Search button.
  4. Select all of the issues and mark them according to your standards of auditing. For example, mark them as Not an Issue and then suppress them.

Upvotes: 2
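The two answers describe two different mechanisms: a filter (Audit Guide question, or a Project Template on the server) only hides matching issues and can be flipped back at any time, whereas the manual route writes an audit decision and a suppression onto each issue. The toy model below, added here and not Fortify code, shows that difference: a minimal matcher for `taint:args`-style search terms (only the `taint:` and `category:` modifiers are modelled, substring matching for category and a leading `!` for negation are assumptions), the "server template takes precedence over FPR filters" rule from Douglas Held's answer, and the search-then-suppress bulk audit from James Nix's answer. The issue records are constructed, not taken from a real FPR.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Issue:
    instance_id: str
    category: str
    taint_flags: frozenset  # lower-case taint flag names, e.g. "args", "web"

# Constructed sample issues (not from a real scan); flags are assumptions.
ISSUES = [
    Issue("A1", "Path Manipulation", frozenset({"args"})),
    Issue("A2", "Path Manipulation", frozenset({"web"})),
    Issue("A3", "Command Injection", frozenset({"args", "web"})),
    Issue("A4", "Log Forging", frozenset()),
]

def matches(issue, query):
    """True if every whitespace-separated term of a Fortify-style query matches.

    Only 'taint:<flag>' and 'category:<substring>' are modelled here; a
    leading '!' negates a term (assumed syntax, not verified against Fortify).
    """
    for term in query.split():
        negate = term.startswith("!")
        field, _, value = term.lstrip("!").partition(":")
        value = value.lower()
        if field == "taint":
            hit = value in issue.taint_flags
        elif field == "category":
            hit = value in issue.category.lower()
        else:
            raise ValueError(f"unsupported search modifier: {field!r}")
        if hit == negate:  # term failed (or negated term matched)
            return False
    return True

# The one Audit Guide question the answers name, and the filter behind it.
AUDIT_GUIDE = {"Taint from Command-Line Arguments": "taint:args"}

def apply_filters(issues, hide_queries):
    """Filter view: an issue is hidden if any enabled hide-filter matches it.
    Nothing is written to the issue; unticking the filter brings it back."""
    return [i for i in issues if not any(matches(i, q) for q in hide_queries)]

def visible_issues(issues, fpr_filters, server_template_filters=None):
    """Filters saved in the FPR apply only when no Project Template is assigned
    on the server; an assigned template replaces them entirely."""
    active = fpr_filters if server_template_filters is None else server_template_filters
    return apply_filters(issues, active)

def suppress_matching(issues, query, analysis="Not an Issue"):
    """Manual SSC route: search, then record an audit result and suppress
    every hit. Returns {instance_id: audit record}; this state persists."""
    return {
        i.instance_id: {"analysis": analysis, "suppressed": True}
        for i in issues
        if matches(i, query)
    }

if __name__ == "__main__":
    ticked = [AUDIT_GUIDE["Taint from Command-Line Arguments"]]
    print([i.instance_id for i in visible_issues(ISSUES, ticked)])
    print([i.instance_id for i in visible_issues(ISSUES, ticked, server_template_filters=[])])
    print(sorted(suppress_matching(ISSUES, "taint:args")))
```

Note the asymmetry the model makes visible: with the Audit Guide or template approach the issues keep their original audit state and reappear when the template changes, while the suppress-matching approach leaves a permanent "Not an Issue" verdict on each issue that later reviewers will need to revisit if the trust assumption about command-line input changes.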
