TL;DR
This guide shows you how to effectively suppress false positive findings in Fortify Static Code Analyzer (SCA). We’ll cover using suppression files, understanding the different types of suppression, and best practices for maintaining a clean scan result.
1. Understanding Suppression Files
Suppression files tell Fortify SCA to ignore specific issues found during a scan. They are essential for managing false positives or vulnerabilities you’ve intentionally accepted. There are two main types:
- Local Suppression: Added directly within the source code using comments. Good for one-off fixes or when an issue is very localized.
- Project Suppression: Stored in a separate file (usually XML) and applied during the scan. Best for recurring issues across multiple files or modules.
2. Creating Local Suppressions
Local suppressions are added as comments directly in your code. The syntax varies depending on the programming language.
Example (Java)
// @SuppressWarnings("SSRF")
String url = request.getParameter("url"); // Vulnerable to Server-Side Request Forgery
Example (JavaScript)
/* eslint-disable security/detect-unsafe-regex */
const regex = new RegExp(userInput); // Potentially vulnerable to Regular Expression Denial of Service
Important: Be specific with the suppression ID. Avoid suppressing entire categories unless absolutely necessary.
3. Creating Project Suppression Files
- Generate a Baseline: After your initial scan, Fortify SCA will create a baseline file containing all detected issues.
- Edit the Baseline File (XML): Open the XML file in a text editor or IDE. You’ll see entries for each finding.
- Suppress Specific Issues: Modify the XML to suppress unwanted findings. The key attributes are:
  - id: Unique identifier of the issue.
  - name: Name of the vulnerability.
  - category: Category of the vulnerability (e.g., “SSRF”, “XSS”).
  - file: Path to the file containing the issue.
Example XML snippet
<Issue id="12345" name="Server-Side Request Forgery" category="SSRF" severity="High" file="src/com/example/MyClass.java" active="false"/>
- Apply the Suppression File: Configure your Fortify SCA scan to use this updated suppression file.
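The editing step above, and the "document your suppressions" and "review stale suppressions" practices that follow, can be automated. This added example (not part of the original guide, and not Fortify's own tooling) assumes the simplified <Issue> layout shown in the snippet; the `justification` attribute and the sample baseline are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample baseline in the simplified <Issue> layout shown above
# (assumed for illustration; not Fortify's real on-disk format).
SAMPLE_BASELINE = """<Issues>
  <Issue id="12345" name="Server-Side Request Forgery" category="SSRF" severity="High" file="src/com/example/MyClass.java" active="true"/>
  <Issue id="12346" name="Cross-Site Scripting" category="XSS" severity="High" file="src/com/example/View.java" active="true"/>
  <Issue id="12347" name="Server-Side Request Forgery" category="SSRF" severity="High" file="src/com/example/Fetcher.java" active="true"/>
</Issues>"""


def check_suppressions(baseline_xml, suppressions):
    """Return a list of problems with a {issue_id: justification} map:
    ids no longer in the baseline (stale, should be reviewed/removed) and
    suppressions that carry no justification."""
    present = {issue.get("id") for issue in ET.fromstring(baseline_xml).iter("Issue")}
    problems = []
    for issue_id, reason in suppressions.items():
        if issue_id not in present:
            problems.append(f"{issue_id}: not in baseline (stale suppression)")
        if not reason or not reason.strip():
            problems.append(f"{issue_id}: missing justification")
    return problems


def suppress_issues(baseline_xml, suppressions):
    """Mark only the listed issue ids inactive, recording the reviewer's reason.
    Refuses to write anything if the suppression list is stale or undocumented."""
    problems = check_suppressions(baseline_xml, suppressions)
    if problems:
        raise ValueError("; ".join(problems))
    root = ET.fromstring(baseline_xml)
    for issue in root.iter("Issue"):
        reason = suppressions.get(issue.get("id"))
        if reason is not None:
            issue.set("active", "false")
            issue.set("justification", reason)  # assumed attribute name
    return ET.tostring(root, encoding="unicode")


def active_issue_ids(xml_text):
    """Ids of findings that are still active after suppression."""
    return sorted(issue.get("id") for issue in ET.fromstring(xml_text).iter("Issue")
                  if issue.get("active") != "false")
```

Run `check_suppressions` against each fresh baseline as part of the periodic review so that suppressions for findings that have since disappeared are flagged rather than silently carried forward.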
4. Best Practices for Suppression
- Investigate Before Suppressing: Always try to fix the underlying issue before resorting to suppression.
- Document Your Suppressions: Add clear comments explaining why an issue is being suppressed (especially in project files).
- Keep Suppression Files Minimal: Avoid suppressing large numbers of issues. This can hide real vulnerabilities.
- Regularly Review Suppressions: Periodically review your suppression files to ensure they are still valid and necessary. Code changes may resolve previously suppressed issues.
- Use Specific Suppressions: Suppress only the specific line or block of code causing the false positive, not entire files or categories.
- Consider Custom Rules: If you consistently encounter the same false positives, explore creating custom rules to avoid them in future scans.
5. Using the Fortify SCA UI
The Fortify SCA web interface provides tools for managing suppressions:
- Issue Details: From the issue details page, you can often directly suppress an issue (local suppression).
- Baseline Management: The baseline management section allows you to edit and apply project suppression files.