How to configure Fortify Speed Dial for use at the VA

Question

How do I configure Fortify Speed Dial for scanning code at the VA?

Answer

Note: Setting the precision level as described in the following article will result in an incomplete scan; these features should not be used when submitting scans for the OIS Software Assurance certification process. Setting a precision level for scans delivered for review will result in an “Unresolved Scan Issue” and will prevent application certification.

The new Speed Dial feature offers additional flexibility in DevSecOps environments by allowing lightweight scans before code reaches the full pipeline scans. The feature, released with Fortify v.20.2.0, allows developers to configure the precision level, or depth, of the scan. This means different precision levels can be used at various stages of the CI/CD pipeline, for example using faster, less precise scans regularly on early builds and running the full scan periodically or as a release gate.

The controls for each precision level are defined in a configuration file, and each level is referred to by number, e.g. “1”. The precision level acts as a filter: depending on the setting, Fortify will not use certain analyzers, and valid findings can be filtered out, which results in an incomplete scan. Using any of Fortify’s default precision levels can potentially result in valid findings not being reported. If you merge a Speed Dial scan with a full scan, this may remove issues from previous scans that still exist in your application (and would be detected again by a full scan).

The Speed Dial setting must be explicitly changed on the command line or in the Fortify properties file in order to change the precision. The feature can be used to perform quick scans when developers check in code, but is not recommended otherwise. By default, Micro Focus Fortify Software Security Center blocks uploaded scans performed with a precision level, although you can configure your Fortify Software Security Center application version so that uploaded audit projects scanned with these precision levels are processed.

Example default configuration precision levels:

  • Precision Level 1 - This is the quickest scan and is recommended if you are scanning a few files. By default, a scan with this precision level disables the Buffer Analyzer, Control Flow Analyzer, Dataflow Analyzer, and Null Pointer Analyzer.
  • Precision Level 2 - By default, a scan with this precision level enables all analyzers. The scan runs quicker by performing with reduced limiters. This results in fewer issues detected.

Precision Configuration Files

The actual settings for each precision level are defined in a configuration properties file located in the <sca_install_dir>/Core/config/scales directory. There is one file per level, named level-<precision_level>.properties. These files can be modified to specify exactly which analyzers are disabled and which findings or categories are filtered out.

How to set the precision level

Speed Dial can be configured for a scan from the command line with the -scan-precision (or -p) option. The following example sets the precision level to “2”:

sourceanalyzer -b <build_id> -scan -scan-precision 2 -f myresults.fpr

The precision level can also be configured in the fortify-sca.properties file using the com.fortify.sca.PrecisionLevel property:

com.fortify.sca.PrecisionLevel=2

The scan precision option cannot be used on a scan with Quick Scan mode enabled. Quick Scan mode must also not be used when scanning code at the VA, for the same reason: many issues are not included in the results, including issues that may be of critical or high priority.
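The following added example (not from the VA article or from the Fortify product) is a pre-submission gate for a CI job: it rejects a sourceanalyzer command line or a fortify-sca.properties file that would produce an incomplete scan, covering both the precision level described above and Quick Scan mode. It assumes the -quick flag and the com.fortify.sca.QuickScanMode property for Quick Scan mode, neither of which the article names; the sample properties files are constructed inline.

```shell
#!/bin/sh
# Added example, not from the VA article or from the Fortify product.
# A pre-submission gate for scans headed to OIS Software Assurance review: it
# rejects a scan setup that would produce an incomplete scan, i.e. one that sets
# a precision level (Speed Dial) or enables Quick Scan mode.
# Assumptions: the -quick flag and the com.fortify.sca.QuickScanMode property
# are not named in the article; -scan-precision, -p and
# com.fortify.sca.PrecisionLevel are the names the article gives.

# Returns 0 when the properties file leaves precision and quick-scan unset
# (full scan), 1 when either is set or the file is unreadable.
# Comment lines ('#' or '!') never match the anchored patterns.
check_properties() {
    props="$1"
    [ -r "$props" ] || { echo "gate: cannot read $props" >&2; return 1; }
    if grep -Eq '^[[:space:]]*com\.fortify\.sca\.PrecisionLevel[[:space:]]*=' "$props"; then
        echo "gate: com.fortify.sca.PrecisionLevel is set in $props" >&2
        return 1
    fi
    if grep -Eiq '^[[:space:]]*com\.fortify\.sca\.QuickScanMode[[:space:]]*=[[:space:]]*true' "$props"; then
        echo "gate: QuickScanMode=true in $props (assumed property name)" >&2
        return 1
    fi
    return 0
}

# Returns 0 when the sourceanalyzer arguments request a full scan,
# 1 when -scan-precision, -p or -quick (assumed flag) appears.
check_command() {
    for arg in "$@"; do
        case "$arg" in
            -scan-precision|-p|-quick)
                echo "gate: option '$arg' produces an incomplete scan" >&2
                return 1 ;;
        esac
    done
    return 0
}

# Constructed sample properties files used to exercise the gate.
tmpdir=$(mktemp -d)
SPEED_DIAL_PROPS="$tmpdir/speed-dial.properties"
FULL_PROPS="$tmpdir/full.properties"
printf '# Speed Dial config\ncom.fortify.sca.PrecisionLevel=2\n' > "$SPEED_DIAL_PROPS"
printf '# Full scan: level only commented out\n#com.fortify.sca.PrecisionLevel=1\n' > "$FULL_PROPS"

# Stand-alone demo: gate a Speed Dial command line and a full-scan properties file.
if check_command sourceanalyzer -b app -scan -scan-precision 2 -f out.fpr; then
    echo "accepted"; else echo "rejected Speed Dial command line"; fi
if check_properties "$FULL_PROPS"; then echo "accepted $FULL_PROPS"; fi
```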

Please see this technical note for more information on Quick Scan mode.
