Removed Findings

Question

What does the Fortify scan issue “Removed Findings” mean, how can I detect it, and how can I fix it?

Answer

This scan issue indicates that a large number of removed issues are included in the FPR file. Removed findings are expected when issues get fixed and previous scans of the code are merged into scans that contain the fixes. However, when combined with other issues, such as problems comparing the scanned source with the delivered source, it becomes difficult for the reviewer to determine why issues were removed. For example, it can be hard to tell whether the removed issues mean that a large number of issues were fixed, or that code which should have been scanned was not scanned.

How to detect

Open the FPR file in either Audit Workbench or the IDE where you generate the FPR.

  • First, make sure you are viewing removed issues.
    • (Audit Workbench only) Select Options->Show Removed Issues

      Options menu with show removed issues highlighted

    • (AWB and IDE) Select Options->Options, select the Interface Preferences tab, and select Show Removed Issues

      Options dialog, audit configuration

  • Ensure that Audit Workbench is displaying all the issues reported by the scan. Look for the “Filter Set” drop-down box in the upper left-hand corner of Audit Workbench, as shown in the following image:

    Filter set with security auditor view selected

    The Filter Set should be set to “Security Auditor View.” Other values only display a subset of the reported issues.

  • Go to the green tab on the issues pane as shown above. Look at the title bar for the tab that lists issue counts. If there are a large number of removed issues, or a large number relative to the total number of issues, there is potential cause for concern, especially if other scan issues are present.
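The same removed-versus-total check can be scripted for a batch of delivered FPR files rather than clicked through in Audit Workbench. The script below is an added example, not Fortify's own tooling; it assumes (hypothetically, so verify against a real file) that an FPR is a zip archive whose audit.xml marks removed findings with a <Removed>true</Removed> child under each <Issue>, and the 50% threshold is a chosen value, not a Fortify default.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

# Constructed sample audit.xml. Element names (<Issue>, <Removed>) and the
# namespace are ASSUMED for this example; check them against a real audit.xml.
SAMPLE_AUDIT_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<ns2:Audit xmlns:ns2="urn:example:fortify-audit">
  <ns2:IssueList>
    <ns2:Issue instanceId="A1"/>
    <ns2:Issue instanceId="A2"><ns2:Removed>true</ns2:Removed></ns2:Issue>
    <ns2:Issue instanceId="A3"><ns2:Removed>true</ns2:Removed></ns2:Issue>
    <ns2:Issue instanceId="A4"><ns2:Removed>false</ns2:Removed></ns2:Issue>
  </ns2:IssueList>
</ns2:Audit>"""


def local(tag):
    """Strip an XML namespace: '{uri}Issue' -> 'Issue'."""
    return tag.rsplit("}", 1)[-1]

def count_findings(audit_xml):
    """Return (removed, total) issue counts from audit.xml bytes."""
    removed = total = 0
    for issue in ET.fromstring(audit_xml).iter():
        if local(issue.tag) != "Issue":
            continue
        total += 1
        if any(local(c.tag) == "Removed" and (c.text or "").strip().lower() == "true"
               for c in issue):
            removed += 1
    return removed, total

def count_findings_in_fpr(fpr_bytes):
    """An FPR is a zip archive; read its audit.xml and count issues."""
    with zipfile.ZipFile(io.BytesIO(fpr_bytes)) as zf:
        return count_findings(zf.read("audit.xml"))

def removed_share_is_high(removed, total, threshold=0.5):
    """True when removed issues are at least `threshold` of all issues (chosen value)."""
    return total > 0 and removed / total >= threshold

def build_sample_fpr():
    """Constructed in-memory FPR holding only the sample audit.xml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("audit.xml", SAMPLE_AUDIT_XML)
    return buf.getvalue()
```

A flagged file is a prompt to ask why, not a verdict: read it alongside the source comparison and the delivery notes before concluding that code was left out of the scan.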

How to resolve

Occasionally, such as with major releases, when there are a large number of removed issues in the scan file, perform a clean scan and copy the audit information over to the new scan instead of merging from a previously audited FPR file. This gives you a clean baseline with no removed issues (and a smaller FPR file).

If there are a large number of removed issues in a delivered FPR file because a large amount of previously scanned code is no longer being scanned, consider including in the code review package a file that describes why this was done.
