Default analysis tags not used

Question

What does the Fortify scan issue “Default analysis tags not used” mean, how can I detect it, and how can I fix it?

Answer

This scan issue indicates that the developer created and used custom analysis tags when auditing Fortify results. The VA Secure Code Review Standard Operating Procedures (SOP) requires that developers audit the results of a Fortify scan. Auditing includes selecting an audit tag and providing comments for any issue tagged as “Not an Issue.” The default set of audit tags must be used as shown below:

How to detect

Open the scan (.fpr) file in Audit Workbench or an IDE and select the Analysis dropdown for any issue. If it contains any tags besides the default set (“Not an Issue”, “Reliability Issue”, “Bad Practice”, “Suspicious”, and “Exploitable”), then this is a problem.

Note that the developer is welcome to create additional dropdowns with custom tags and values as long as the Analysis dropdown is always used and contains the default values.

Analysis tag dropdown in Audit tab
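The manual check above can also be automated for a batch of scan files. The script below is an added example, not code from this page or from Fortify's own tooling: it opens the .fpr as a ZIP archive, reads the audit.xml entry, and compares the values of the Analysis tag against the default set. It assumes (not confirmed by this page) that audit.xml stores each tag as a TagDefinition element with a name child and one value child per allowed value; the sample FPR it builds in memory is constructed for the demonstration and carries a placeholder tag id.

```python
"""Check whether an .fpr's Analysis tag still carries the default values."""
import io
import zipfile
import xml.etree.ElementTree as ET

# The default set named in the detection step.
DEFAULT_ANALYSIS_VALUES = {
    "Not an Issue", "Reliability Issue", "Bad Practice", "Suspicious", "Exploitable",
}


def _local(tag):
    """Strip an XML namespace prefix ({ns}name -> name) so the schema's namespace does not matter."""
    return tag.rsplit("}", 1)[-1]


def tag_definitions(xml_bytes):
    """Return {tag_name: [allowed values]} for every TagDefinition in audit.xml.

    Assumed layout: <TagDefinition><name>Analysis</name><value>..</value>...</TagDefinition>
    """
    root = ET.fromstring(xml_bytes)
    tags = {}
    for el in root.iter():
        if _local(el.tag) != "TagDefinition":
            continue
        name, values = None, []
        for child in el:
            if _local(child.tag) == "name":
                name = (child.text or "").strip()
            elif _local(child.tag) == "value":
                values.append((child.text or "").strip())
        if name:
            tags[name] = values
    return tags


def check_analysis_tag(tags):
    """Return (ok, detail): ok is True only if Analysis exists with exactly the default values."""
    if "Analysis" not in tags:
        return False, "no Analysis tag defined"
    found = set(tags["Analysis"])
    extra = sorted(found - DEFAULT_ANALYSIS_VALUES)      # custom values that must be removed
    missing = sorted(DEFAULT_ANALYSIS_VALUES - found)    # defaults that must be restored
    return (not extra and not missing), {"extra": extra, "missing": missing}


def check_fpr(path_or_file):
    """An .fpr is a ZIP; the audit decisions and tag definitions live in audit.xml (assumed name)."""
    with zipfile.ZipFile(path_or_file) as z:
        return check_analysis_tag(tag_definitions(z.read("audit.xml")))


def build_sample_fpr(analysis_values, tag_name="Analysis"):
    """Constructed in-memory FPR containing only an audit.xml, so the check runs offline."""
    values = "".join(f'<value id="{i}">{v}</value>' for i, v in enumerate(analysis_values, 1))
    audit_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Audit xmlns="xmlns://www.fortify.com/schema/audit">'   # namespace assumed; ignored by _local
        '<TagDefinitions><TagDefinition id="placeholder-tag-id" type="user">'
        f"<name>{tag_name}</name>{values}"
        "</TagDefinition></TagDefinitions></Audit>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("audit.xml", audit_xml)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    clean = build_sample_fpr(sorted(DEFAULT_ANALYSIS_VALUES))
    custom = build_sample_fpr(["Not an Issue", "False Positive", "Bad Practice", "Suspicious", "Exploitable"])
    print("default tags:", check_fpr(clean))
    print("custom tags: ", check_fpr(custom))
```

For a real scan, call check_fpr("path/to/scan.fpr"); a False result with a non-empty "extra" list points at the custom values that the resolve step below must remove, and "missing" lists the defaults to restore.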

How to resolve

The developer must manually set the Analysis values back to the original set. First, select the “Edit…” link under the Analysis dropdown shown in the figure above. This brings up a dialog in which the developer can adjust the values of the tags.

Analysis tag configuration dialog showing default values

In the dialog, select “Analysis” from the “Tags” column. Then set the values in the “Values” column to the default values.
