Hidden and suppressed Issues

Question

What does the Fortify scan issue “Hidden and suppressed Issues” mean, how can I detect it, and how can I fix it?

Answer

This scan issue indicates that issues reported by Fortify have been hidden or suppressed by the developers. Developers must audit every issue Fortify reports; hiding or suppressing an issue removes it from the audit view without resolving it and therefore violates this requirement.

How to detect

Open the FPR file in either Audit Workbench or the IDE plug-in that generated the FPR.

  • First, make sure you are viewing hidden and suppressed issues.
    • (Audit Workbench only) select Options->Show Suppressed Issues and Options->Show Hidden Issues

      Options menu with show suppressed issues and show hidden issues checked

    • (AWB and IDE) Select Options->Options, select the Interface Preferences or Audit Configuration tab, and check “Show Suppressed Issues” and “Show Hidden Issues”.

      Options dialog, audit configuration with show suppressed issues and show hidden issues checked

  • Ensure that Audit Workbench is displaying all the issues reported by the scan. Look for the “Filter Set” drop-down box in the upper left-hand corner of Audit Workbench, as shown in the following image:

    Filter set with security auditor view selected

    The Filter Set should be set to “Security Auditor View.” Other values only display a subset of the reported issues.

  • Go to the green tab on the issues pane as shown above. Look at the title bar of the tab that lists issue counts. The hidden and suppressed issue counts should both be 0. If they are not zero, look through the displayed issues for those that have been hidden or suppressed. Hidden issues are grayed out and tagged with (hidden); suppressed issues are marked with an X icon and tagged with (suppressed).

How to resolve

How to resolve these issues depends on how the issues were originally hidden or suppressed.

For suppressed issues, right-click the issue in the issues pane and select “Unsuppress Issue”.

Right-click menu with Unsuppress Issue selected

For hidden issues, there are several ways a filter may have been set to hide them. For instance, if you scanned the project in Audit Workbench, you may have selected a filter in the audit guide (perhaps unintentionally, by indicating that this is not a J2EE application) or right-clicked an issue to create a filter. See this technical note about using Fortify’s default values to avoid unintentionally hiding certain issues.

Generally the filters need to be changed to unhide the issue. To determine why an issue is hidden, right-click it (as shown for suppressed issues above) and select “Why is this issue here?” or “Audit Guide Filters”, whichever is available, to learn how it was hidden; then correct the filter as appropriate.

In Audit Workbench, clicking the Filters tab shows, under the “Visibility Filters” heading, whether any filters have been configured to hide issues:

Filters tab showing visibility filters

You can delete any filter that hides issues by highlighting the filter and clicking “Delete Filter”.

Instead of hiding or suppressing issues that are false positives or do not apply to your system, mark the issue as “Not an Issue” and provide detailed comments explaining why. That keeps the issue visible to auditors along with the reasoning behind the decision.