Issues not audited

Question

What does the Fortify scan issue “Issues not audited” mean, how can I detect it, and how can I fix it?

Answer

This scan issue indicates that the issues reported by Fortify have not been audited by the developers. VA code review SOP requires that the developers audit all the issues reported by Fortify. The audited issues are then validated during the V&V secure code review process to ensure that issues have either been mitigated or are false positives.

How to detect

Open the FPR file in either Audit Workbench or the IDE where you generate the FPR.

  • First, ensure that Audit Workbench is displaying all the issues reported by the scan. Look for the “Filter Set” drop-down box in the upper left-hand corner of Audit Workbench, as shown in the following image:

    Filter set with security auditor view selected

    The Filter Set should be set to “Security Auditor View.” Other values only display a subset of the reported issues.

  • Next, look at each issue displayed in the issues panel. Beside each issue, the panel shows the number of audited instances against the total number of reported instances, in the form [ <audited instances> / <total instances> ]. For each issue, the number of audited instances should match the total number of instances.
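The same [ audited / total ] check, scripted against the FPR archive rather than read off the Audit Workbench panel, as an added example (not VA or Fortify code). It assumes the FPR is a zip holding audit.fvdl and audit.xml with the element names given in the docstring; the sample FPR it builds is constructed for the example, not a real scan.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

def _named(elem, name):
    # Match on the local tag name so the audit.xml namespace prefix does not matter.
    return [e for e in elem.iter() if e.tag.rsplit("}", 1)[-1] == name]

def audit_coverage(fpr_bytes):
    """Return ({category: [audited, total]}, [unaudited instance IDs]) for an FPR.
    Assumed layout: audit.fvdl holds <Vulnerability> with <Type>/<InstanceID>;
    audit.xml holds <Issue instanceId=...> with a <Tag><Value> once audited."""
    with zipfile.ZipFile(io.BytesIO(fpr_bytes)) as z:
        fvdl = ET.fromstring(z.read("audit.fvdl"))
        audit = ET.fromstring(z.read("audit.xml")) if "audit.xml" in z.namelist() else None
    tagged = set()
    for issue in ([] if audit is None else _named(audit, "Issue")):
        # A comment alone is not an audit: the Analysis tag must carry a value.
        if any((v.text or "").strip() for v in _named(issue, "Value")):
            tagged.add(issue.get("instanceId"))
    coverage, unaudited = {}, []
    for vuln in _named(fvdl, "Vulnerability"):
        category = _named(vuln, "Type")[0].text
        instance_id = _named(vuln, "InstanceID")[0].text
        counts = coverage.setdefault(category, [0, 0])
        counts[1] += 1
        if instance_id in tagged:
            counts[0] += 1
        else:
            unaudited.append(instance_id)
    return coverage, unaudited

# Constructed sample FPR (not a real scan): three findings, only A1 is audited.
_FVDL = """<FVDL xmlns="xmlns://www.fortifysoftware.com/schema/fvdl"><Vulnerabilities>
<Vulnerability><ClassInfo><Type>SQL Injection</Type></ClassInfo><InstanceInfo><InstanceID>A1</InstanceID></InstanceInfo></Vulnerability>
<Vulnerability><ClassInfo><Type>SQL Injection</Type></ClassInfo><InstanceInfo><InstanceID>A2</InstanceID></InstanceInfo></Vulnerability>
<Vulnerability><ClassInfo><Type>Cross-Site Scripting</Type></ClassInfo><InstanceInfo><InstanceID>B1</InstanceID></InstanceInfo></Vulnerability>
</Vulnerabilities></FVDL>"""
_AUDIT = """<ns2:Audit xmlns:ns2="xmlns://www.fortify.com/schema/audit"><ns2:IssueList>
<ns2:Issue instanceId="A1"><ns2:Tag id="analysis"><ns2:Value>Not an Issue</ns2:Value></ns2:Tag></ns2:Issue>
<ns2:Issue instanceId="A2"><ns2:ThreadedComments/></ns2:Issue>
</ns2:IssueList></ns2:Audit>"""

def sample_fpr():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("audit.fvdl", _FVDL)
        z.writestr("audit.xml", _AUDIT)
    return buf.getvalue()
```

Running audit_coverage(sample_fpr()) reports SQL Injection as [ 1 / 2 ] and Cross-Site Scripting as [ 0 / 1 ], with A2 and B1 listed as unaudited; A2 shows that a comment without an Analysis tag does not count as an audit.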

How to resolve

For secure code reviews, all Critical and High issues must be audited.

Auditing is performed by selecting an issue, then going to the audit pane and filling in the appropriate information. Each issue should be marked as either a false positive or a true finding (false positives are marked with the Analysis tag “Not an Issue”), with comments supporting that tag. If an issue is marked as a false positive, provide a detailed explanation of why it is a false positive, or describe the mitigations in place that address the issue. The more detail provided (such as the file name and line numbers where input is validated), the easier it is for the reviewers to validate the mitigation.

Note that if the same comment applies to multiple instances of an issue, multiple instances can be selected and the comment applied to all the selected instances at the same time.

Also note that the Fortify merge feature can be used to bring comments forward from previous scans, so the comments do not need to be copied manually from previous FPR files that have been audited already.

References