Fortify Static Code Analyzer – Improving Performance – Optimizing FPR Files

Filter Files

Filter files are flat files that you specify for a scan with the -filter option. Use a filter file to filter out particular vulnerability instances, rules, and vulnerability categories. If you determine that a certain issue category or rule is not relevant for a particular scan, you can stop Fortify Static Code Analyzer from flagging these types of issues and adding them to the FPR. Using a filter file can reduce both the scan time and the results file size.

For example, if you are scanning a simple program that just reads a specified file, you might not want to see path manipulation issues, because these are likely planned as part of the functionality. To filter out path manipulation issues, create a file that contains a single line:

Path Manipulation

Save this file as filter.txt. Use the -filter option for the scan as shown in the following example:

sourceanalyzer -b <build_id> -scan -f myResults.fpr -filter filter.txt

The myResults.fpr does not include any issues with the category Path Manipulation.

Excluding Issues from the FPR with Filter Sets

Filters in an issue template determine how the results from Fortify Static Code Analyzer are shown. For example, you can have a filter to put any detected SQL Injection issues into a separate folder called SQL Injections, or you might have a filter that hides issues with a confidence below a certain threshold. In addition to filters, filter sets enable you to have a selection of filters used at any one time. Each FPR has an issue template associated with it. You can use filter sets to reduce the number of issues based on conditions you specify with filters in an issue template. This can dramatically reduce the size of an FPR.

To do this, use Micro Focus Fortify Audit Workbench to create a filter and a filter set and then run the Fortify Static Code Analyzer scan with the filter set. For more detailed instructions about how to create filters and filter sets in Fortify Audit Workbench, see the Micro Focus Fortify Audit Workbench User Guide. The following example describes the basic steps for how to create and use a scan-time filter:


1. In this example, suppose you use OWASP Top 10 2017 and you only want to see issues categorized within this standard. Create a filter in Fortify Audit Workbench such as:

If [OWASP Top 10 2017] does not contain A Then hide issue

This filter looks through the issues and, if an issue does not map to an OWASP Top 10 2017 category with ‘A’ in the name, hides it. Because all OWASP Top 10 2017 categories start with ‘A’ (A1, A2, …, A10), any category without the letter ‘A’ is not in the OWASP Top 10 2017. The filter hides the issues from view in Fortify Audit Workbench, but they are still in the FPR.

2. In Fortify Audit Workbench, create a new filter set called OWASP_Filter_Set that contains the previous filter, and then export the issue template to a file called IssueTemplate.xml.

3. You can then specify this filter set at scan time with the following command:

sourceanalyzer -b <build_id> -scan -f myFilteredResults.fpr -project-template IssueTemplate.xml -Dcom.fortify.sca.FilterSet=OWASP_Filter_Set

In the previous example, the inclusion of the -Dcom.fortify.sca.FilterSet property tells Fortify Static Code Analyzer to use the OWASP_Filter_Set filter set from the issue template IssueTemplate.xml. Any issues that the filters hide from view are removed and are not written to the FPR. Therefore, you can reduce the visible number of issues, make the scan very targeted, and reduce the size of the resulting FPR file.

Note: Although filtering issues with a filter set can reduce the size of the FPR, it does not usually reduce the scan time. Fortify Static Code Analyzer examines the filter set after it calculates the issues to determine whether to write them to the FPR file. The filters in a filter set determine the rule types that Fortify Static Code Analyzer loads.

Excluding Source Code from the FPR

You can reduce the scan time and the size of the FPR file by excluding the source code information from the FPR. This is especially valuable for large source files or codebases. You do not generally get a scan time reduction for small source files.


There are two ways to prevent Fortify Static Code Analyzer from including source code in the FPR. You can set the property in the <sca_install_dir>/Core/config/fortify-sca.properties file or specify an option on the command line. The following settings are available.

Property: com.fortify.sca.FPRDisableSourceBundling=true
Command-line option: -disable-source-bundling
This excludes source code from the FPR.

Property: com.fortify.sca.FVDLDisableSnippets=true
Command-line option: -fvdl-no-snippets
This excludes code snippets from the FPR.

The following command-line example uses both options:

sourceanalyzer -b <build_id> -disable-source-bundling -fvdl-no-snippets -scan -f mySourcelessResults.fpr

Reducing the FPR File Size

There are a few ways to reduce the size of FPR files. The quickest way to do this without affecting results is to exclude the source code from the FPR as described in Excluding Source Code from the FPR.

There are a few other options and properties that you can use to select what is excluded from the FPR. You can set these properties in the Fortify Static Code Analyzer properties file, <sca_install_dir>/Core/config/fortify-sca.properties, or specify them during the scan phase with -D<property_name>=true. Most of these options have an equivalent command-line option.

Property: com.fortify.sca.FPRDisableMetatable=true
Command-line option: -disable-metatable
This excludes the metatable from the FPR. Micro Focus Fortify Audit Workbench uses the metatable to map information in the Functions view.

Property: com.fortify.sca.FVDLDisableDescriptions=true
Command-line option: -fvdl-no-descriptions
This excludes rule descriptions from the FPR. If you do not use custom descriptions, the descriptions in the Fortify Taxonomy (https://vulncat.fortify.com) are used.

Property: com.fortify.sca.FVDLDisableEngineData=true
Command-line option: -fvdl-no-enginedata
This excludes engine data from the FPR. This is useful if your FPR contains a large number of warnings when you open the file in Fortify Audit Workbench.

Note: If you exclude engine data from the FPR, you must merge the FPR with the current audit project locally before you upload it to Micro Focus Fortify Software Security Center. Fortify Software Security Center cannot merge it on the server because the FPR does not contain the Fortify Static Code Analyzer version.

Property: com.fortify.sca.FVDLDisableProgramData=true
Command-line option: -fvdl-no-progdata
This excludes the program data from the FPR. This removes the Taint Sources information from the Functions view in Fortify Audit Workbench. This property typically has only a minimal effect on the overall size of the FPR file.
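The following script is an added example, not Fortify tooling and not code from this page. It serves two of the sections above: it inspects an existing FPR to report which of the size-reduction options listed here would still remove something (source bundle, snippets, descriptions, engine data, program data), and it dry-runs a -filter file of category names against the issues in that FPR so you can gauge the effect before rescanning. It assumes an FPR is a zip archive whose results live in audit.fvdl and whose bundled source sits under src-archive/, and it assumes the FVDL element names Vulnerability, ClassInfo/Type, Snippets, Description, EngineData and ProgramData; confirm both against an FPR from your own Fortify Static Code Analyzer version. The sample FPR it builds is constructed for demonstration only.

```python
"""Inspect a Fortify FPR and estimate what the options on this page would remove.

Added example, not Fortify's own tooling. Assumptions: the FPR is a zip archive,
results are in audit.fvdl, bundled source is under src-archive/, and the FVDL
element names below are as stated. Verify against your own FPR files.
"""
import io
import re
import sys
import zipfile

# (component, detector over (entry names, fvdl text), option from this page that removes it)
CHECKS = [
    ("bundled source code",
     lambda names, fvdl: any(n.startswith("src-archive/") for n in names),
     "-disable-source-bundling (com.fortify.sca.FPRDisableSourceBundling=true)"),
    ("code snippets", lambda names, fvdl: "<Snippets" in fvdl,
     "-fvdl-no-snippets (com.fortify.sca.FVDLDisableSnippets=true)"),
    ("rule descriptions", lambda names, fvdl: "<Description" in fvdl,
     "-fvdl-no-descriptions (com.fortify.sca.FVDLDisableDescriptions=true)"),
    ("engine data", lambda names, fvdl: "<EngineData" in fvdl,
     "-fvdl-no-enginedata (com.fortify.sca.FVDLDisableEngineData=true)"),
    ("program data", lambda names, fvdl: "<ProgramData" in fvdl,
     "-fvdl-no-progdata (com.fortify.sca.FVDLDisableProgramData=true)"),
]


def load_fpr(data):
    """Return (zip entry infos, FVDL text) for FPR bytes; FVDL is '' if audit.fvdl is absent."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        names = {i.filename for i in infos}
        fvdl = zf.read("audit.fvdl").decode("utf-8", "replace") if "audit.fvdl" in names else ""
    return infos, fvdl


def issue_categories(fvdl):
    """Category (ClassInfo/Type, an assumed element path) of each Vulnerability, in order."""
    pattern = re.compile(r"<Vulnerability\b.*?<Type>(.*?)</Type>.*?</Vulnerability>", re.S)
    return [m.group(1).strip() for m in pattern.finditer(fvdl)]


def inspect_fpr(data):
    """Size accounting plus the page's options that would still shrink this FPR."""
    infos, fvdl = load_fpr(data)
    names = [i.filename for i in infos]
    present = {label: bool(detect(names, fvdl)) for label, detect, _ in CHECKS}
    return {
        "issues": len(issue_categories(fvdl)),
        "total_uncompressed": sum(i.file_size for i in infos),
        "source_bytes": sum(i.file_size for i in infos if i.filename.startswith("src-archive/")),
        "present": present,
        "options_to_consider": [opt for label, _, opt in CHECKS if present[label]],
    }


def filter_impact(data, filter_lines):
    """Dry-run a -filter file against an existing FPR: count issues whose category
    matches a line of the file. Handles category lines only, not rule or instance IDs."""
    wanted = {line.strip() for line in filter_lines if line.strip()}
    cats = issue_categories(load_fpr(data)[1])
    dropped = sum(1 for c in cats if c in wanted)
    return {"total": len(cats), "filtered": dropped, "remaining": len(cats) - dropped}


def build_sample_fpr(with_source=True, with_snippets=True):
    """Construct a tiny stand-in FPR (constructed sample, not real scanner output)."""
    def vuln(category):
        return f"<Vulnerability><ClassInfo><Type>{category}</Type></ClassInfo></Vulnerability>"
    parts = ["<FVDL><Vulnerabilities>", vuln("Path Manipulation"), vuln("Path Manipulation"),
             vuln("SQL Injection"), "</Vulnerabilities>"]
    if with_snippets:
        parts.append("<Snippets><Snippet><Text>f = open(path)</Text></Snippet></Snippets>")
    parts += ["<Description classID='c1'><Abstract>constructed</Abstract></Description>",
              "<EngineData><Errors/></EngineData>", "</FVDL>"]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("audit.fvdl", "\n".join(parts))
        if with_source:
            zf.writestr("src-archive/app/Main.java", "class Main {}\n" * 50)
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python fpr_inspect.py myResults.fpr   (no argument: inspect the constructed sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_fpr()
    report = inspect_fpr(data)
    print(f"issues: {report['issues']}, uncompressed bytes: {report['total_uncompressed']}, "
          f"of which bundled source: {report['source_bytes']}")
    for opt in report["options_to_consider"]:
        print("  could shrink further with", opt)
    print("filter.txt dry run:", filter_impact(data, ["Path Manipulation"]))
```

Run it against a real FPR to see how much of the uncompressed size is the source bundle (the quickest win the page names) and which other options are still worth adding to the scan command; the filter dry run only handles category names, so a filter file containing rule or instance IDs needs a rescan to measure.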

Opening Large FPR Files

To reduce the time required to open a large FPR file, there are some properties that you can set in the <sca_install_dir>/Core/config/fortify.properties configuration file. The following properties are available.

Property: com.fortify.model.DisableProgramInfo=true
This setting disables use of the code navigation features in Micro Focus Fortify Audit Workbench.

Properties: com.fortify.model.IssueCutOffStartIndex=<num> (inclusive)
            com.fortify.model.IssueCutOffEndIndex=<num> (exclusive)
The IssueCutOffStartIndex property is inclusive and IssueCutOffEndIndex is exclusive, so that you can specify a subset of the issues you want to see. For example, to see the first 100 issues, specify the following:

com.fortify.model.IssueCutOffStartIndex=0
com.fortify.model.IssueCutOffEndIndex=101

Because IssueCutOffStartIndex is 0 by default, you do not need to specify this property.

Properties: com.fortify.model.IssueCutOffByCategoryStartIndex=<num> (inclusive)
            com.fortify.model.IssueCutOffByCategoryEndIndex=<num> (exclusive)
These two properties are similar to the previous cutoff properties, except that they apply to each category separately. For example, to see the first five issues for every category, specify the following:

com.fortify.model.IssueCutOffByCategoryEndIndex=6

Property: com.fortify.model.MinimalLoad=true
This minimizes the data loaded from the FPR. It also restricts use of the Functions view and might prevent Fortify Audit Workbench from loading the source from the FPR.

Property: com.fortify.model.MaxEngineErrorCount=<num>
This property specifies the number of warnings reported by Fortify Static Code Analyzer that are loaded with the FPR. For projects with a large number of scan warnings, this can reduce both the load time in Fortify Audit Workbench and the amount of memory required to open the FPR.

Property: com.fortify.model.ExecMemorySetting
Specifies the JVM heap memory size that Audit Workbench uses to launch external utilities such as iidmigrator and fortifyupdate.
