How to submit a code review that uses a filter file

Question

I scanned our application using a filter file. What information should be included with the V&V Code Review submission package?

Answer

When an application is scanned with a filter file (the -filter command-line option), the developers must include that filter file in the materials provided for review. During the review, each filter in the file is examined to confirm that it is appropriate and does not remove true positive findings from the scan results. Any filter that does remove valid findings is reported as a scan issue and causes the code review validation report to fail.

A filter definition by itself does not give the reviewer enough information to decide whether it is appropriate, so the developers must supply additional information about each filter. A code review submission that uses a filter file must include the following materials:

  • The filter file(s)
  • A scan (FPR) of the application run without the filter file(s), provided alongside the scan that uses them. This additional scan does not need to be audited
    • If it is not obvious, indicate in a readme file which FPR uses the filters and is the one meant to be reviewed
  • An explanation of why the filters are valid and why the affected findings should be removed - the same type of information that would be provided when auditing the findings normally within Audit Workbench (this information can be provided in the comments within the filter file or in a separate document)
    • This information should include the category (e.g., Privacy Violation) of the findings that the filter affects
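As an added example (not part of the original answer and not a tool provided by the review team), the Python script below checks a filter file against the submission requirements listed above before it is packaged: every filter entry must be preceded by comment lines stating the finding category it affects and a justification for removing the findings. The filter file format assumed here is simplified: lines beginning with `#` are comments, blank lines separate blocks, and every other non-blank line is one filter entry (a category name or an instance ID). The `Category:` and `Justification:` comment labels, the sample file, the class names it mentions and the zero-padded instance IDs are all constructed for this example.

```python
"""Pre-submission check for a filter file: report every filter entry that lacks
the explanatory comments a reviewer needs (finding category and justification).
"""
import re

# Comment labels used by this check (a convention assumed for the example,
# not a format mandated by the review process).
CATEGORY_RE = re.compile(r"^#\s*Category:\s*(\S.*)$", re.IGNORECASE)
JUSTIFICATION_RE = re.compile(r"^#\s*Justification:\s*(\S.*)$", re.IGNORECASE)

# Constructed sample filter file. The third block deliberately omits its
# justification and the fourth has no comments at all, so both are reported.
SAMPLE_FILTER_FILE = """\
# Category: Poor Logging Practice
# Justification: all logging goes through AppLogger (a constructed name), which writes
#   only to the audited syslog sink; the flagged System.out calls are in test fixtures.
Poor Logging Practice

# Category: Privacy Violation
# Justification: the field named 'password' in ReportRow holds a boolean flag, not a secret.
00000000000000000000000000000001

# Note: justification intentionally omitted so the check below reports this entry.
# Category: Path Manipulation
00000000000000000000000000000002

Privacy Violation
"""


def parse_filter_file(text):
    """Return a list of (line_no, entry, comment_lines), one per filter entry.

    The comment lines immediately above an entry (back to the previous blank
    line or entry) are treated as that entry's explanation.
    """
    entries = []
    pending = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            pending = []          # a blank line ends the current comment block
            continue
        if line.startswith("#"):
            pending.append(line)  # accumulate comments for the next entry
            continue
        entries.append((line_no, line, pending))
        pending = []
    return entries


def check_filter_file(text):
    """Return (line_no, entry, problem) tuples for entries a reviewer could
    not evaluate from the filter file alone."""
    problems = []
    for line_no, entry, comments in parse_filter_file(text):
        if not comments:
            problems.append((line_no, entry, "no explanatory comment"))
            continue
        if not any(CATEGORY_RE.match(c) for c in comments):
            problems.append((line_no, entry, "missing 'Category:' line"))
        if not any(JUSTIFICATION_RE.match(c) for c in comments):
            problems.append((line_no, entry, "missing 'Justification:' line"))
    return problems


if __name__ == "__main__":
    for line_no, entry, problem in check_filter_file(SAMPLE_FILTER_FILE):
        print(f"line {line_no}: {entry!r}: {problem}")
```

Running the script on the sample reports the instance-ID entry on line 12 (no justification) and the bare `Privacy Violation` entry on line 14 (no comment at all); a clean run, with no output, means each filter carries the category and justification the reviewer will look for. If the justification is kept in a separate document rather than in comments, the check is not applicable to that file.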

If the submission does not provide enough information to determine whether a filter is appropriate, the filter is reported as a scan issue in the report, which results in an overall failure for the review.
