Setting analysis result processing rules for application versions
The analysis result processing rules enable management approval and oversight of code scans. You can specify the rules that are followed when analysis results for an application version are processed during scan artifact uploads.
To configure the analysis result processing rules for an application version:
Sign in as an Administrator.
On the header, select Dashboard or Applications.
Select the application version for which you want to configure the processing rules for analysis results.
On the toolbar, click PROFILE.
In the APPLICATION PROFILE dialog box, select the PROCESSING RULES tab, and then review the listed processing rules.
Select or clear the check boxes for the processing rules you want to apply to the application version.
These processing rules are described below; each processing rule name is followed by its description.
Require approval if the Build Project is different between scans
Application Security compares the Build Project for the scan and the scan that preceded it. If the Build Projects differ, management approval is required before the scan can be uploaded.
Check external metadata file versions in scan against versions on server
If a user attempts to upload an FPR file, Application Security compares the external metadata version for the file with the external metadata version on the Application Security server. If the external metadata version for the FPR file is later than the external metadata file version on the server, Application Security requires approval for the file upload. If the external metadata version for the FPR file is earlier than, or the same as, the external metadata file version on the server, then Application Security allows the FPR file upload.
Require approval if file count decreases by more than 10%
Application Security compares the file count for the scan and the scan that preceded it. If the file count decreased by more than ten percent, management approval is required before the scan can be uploaded.
Require approval if file count increases by more than 10%
Application Security compares the file count for the scan and the scan that preceded it. If the file count increased by more than ten percent, management approval is required before the scan can be uploaded.
Require approval if result has Fortify Java Annotations
Application Security checks if the scan results include Fortify Java annotations. If any of the annotations is detected, management approval is required before the scan can be uploaded.
Require approval if line count decreases by more than 10%
Application Security compares the line count for the scan and the scan that preceded it. If the line count decreased by more than ten percent, management approval is required before the scan can be uploaded.
Require approval if line count increases by more than 10%
Application Security compares the line count for the scan and the scan that preceded it. If the line count increased by more than ten percent, management approval is required before the scan can be uploaded.
Require approval if the engine version of a scan is newer than the engine version of the previous scan
Application Security checks if any scan engine version is newer than the one already used in the application. If it detects a newer version, management approval is required before the scan can be uploaded.
Ignore SCA quick scan results and SCA speed dial results performed with a setting of less than four
Blocks the processing of OpenText SAST (Fortify Static Code Analyzer) scans done in quick scan mode, which searches for high‑confidence, high‑severity issues. This rule also prevents the upload of speed dial analysis results performed at a level of less than four.
To enable uploading speed dial and quick scan analysis results, clear this check box.
After you choose between uploading a full scan or uploading speed dial analysis results, OpenText recommends that future analysis results uploaded for the application version be of the same type.
Require approval if the Rulepacks used in the scan do not match the Rulepacks used in the previous scan
Application Security checks if you have added or removed a Rulepack, and whether a Rulepack version has changed. If it detects that a Rulepack has been added, removed, or updated, management approval is required before the scan can be uploaded.
Require approval if SCA or WebInspect Agent scan does not have valid certification
Application Security checks if an OpenText SAST or OpenText DAST Agent scan has valid certification. If the certification is not valid, then someone might have tampered with the results in the upload. If the certification is missing, it is not possible to detect tampering. If certification is missing or is not valid, the scan upload requires management approval.
Require approval if result has analysis warnings
Application Security checks if an OpenText SAST or OpenText DAST Agent scan contains analysis warnings. If it detects analysis warnings, the scan upload requires management approval.
This processing rule applies only to the first upload of a given analysis results file, and does not apply to subsequent uploads of the artifact. For example, if audit information is added to a previously-uploaded FPR file that contains analysis warnings, Application Security does not require management approval when the changed artifact is again uploaded.
Perform Force Instance ID migration on upload
A newer version of OpenText SAST (Fortify Static Code Analyzer) or of a Rulepack can change an instance ID from one created in a previous scan by an earlier version of OpenText SAST or a Rulepack. Both instance IDs identify the same issue. When enabled, this processing rule forces migration of old instance IDs to the corresponding new instance IDs, even if the OpenText SAST and Rulepack versions are the same. For detailed information about how this rule works, see About processing rules that affect instance ID migration.
Automatically perform Instance ID migration on upload
A newer version of OpenText SAST (Fortify Static Code Analyzer) or of a Rulepack can change an instance ID from one created in a previous scan by an earlier version of OpenText SAST or a Rulepack. Both instance IDs identify the same issue. When enabled, this processing rule automatically migrates old instance IDs to the corresponding new instance IDs to preserve the history of the issues. It is sometimes useful to disable this rule as a troubleshooting measure for customer support.
For detailed information about how this rule works, see About processing rules that affect instance ID migration.
Warn if audit information includes unknown custom tag
If the audit information includes an unknown custom tag, the processing rule requires management approval.
Require the issue audit permission to upload audited analysis files
If a user attempts to upload audited analysis files, but does not have the permissions required to audit issues (edit custom tag values for issues, add comments to issues, and suppress and unsuppress issues), this processing rule blocks the upload.
Disallow upload of analysis results that change values of hidden tags
If the analysis results contain any changes to values of hidden tags, Application Security blocks upload of the analysis results.
Disallow upload of analysis results if there is one pending approval
If an analysis result still requires approval, Application Security blocks the upload of the analysis results.
Disallow approval for processing if an earlier artifact requires approval
If an earlier scan artifact requires approval, and was not approved, this rule blocks the user from approving the current scan artifact.
If this processing rule is not selected, then when a user approves the current artifact, all previous artifacts are automatically approved.
Click APPLY.
To confirm that you want to save the settings for analysis result processing rules, click OK.
About processing rules that affect instance ID migration
Two processing rules affect instance ID migration: Perform Force Instance ID migration on upload, and Automatically perform Instance ID migration on upload. An issue instance ID can mutate for any one of the following reasons:
The IID-generation algorithm changes with a new OpenText SAST version
Use of a new Rulepack version
Changes to scan settings
For example, extra rules are specified for a scan.
Vulnerable code is duplicated
For example, the same vulnerable code is copied and pasted multiple times in an application version. In this case, OpenText SAST generates a unique instance ID for the first duplicate fragment, and then increments this generated instance ID for all remaining duplicated fragments. So, two separate scans can produce different instance IDs for the same code fragments, depending on the order in which the two scans uncover them.
The Automatically perform Instance ID migration on upload rule addresses issue instance ID mutation that results either from an IID-generation algorithm change with a new OpenText SAST version, or from a change in Rulepack version. For example, Application Security detects that the OpenText SAST version used in the latest scan is newer than the version used for previous scans. With Automatically perform Instance ID migration on upload selected, Application Security runs the migration. If Application Security detects no changes in the OpenText SAST version used, it does not run the migration (even if Automatically perform Instance ID migration on upload is selected).
The Perform Force Instance ID migration on upload rule addresses instance ID mutation that results from changes in scan settings or from vulnerable code duplication. Application Security can easily determine whether the OpenText SAST version or Rulepack version has changed. If Application Security detects such a change, it performs the migration automatically. However, in other cases (duplicate code, scan settings), Application Security cannot make this determination. You can use this processing rule to force Application Security to perform migration in such cases.
If you suspect that the issue instance ID changed as a result of either changes in scan settings or vulnerable code duplication, OpenText recommends that you select the Perform Force Instance ID migration on upload processing rule.
Instance ID migration takes a noticeable amount of time, which is why these two rules exist. Because you might not want to run IID migration every time, these rules let you determine whether to run instance ID migration after each scan upload.
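As an added example (not OpenText's code), the following Python models the approval and blocking rules from the table above and the migration decision described in this section, evaluated against constructed scan metadata. The ScanMeta fields, the function names and the representation of certification status are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class ScanMeta:
    """Constructed metadata for one uploaded scan artifact (hypothetical fields)."""
    build_project: str
    file_count: int
    line_count: int
    engine_version: tuple             # e.g. (24, 2, 0)
    rulepacks: dict                   # Rulepack name -> version
    quick_scan: bool = False
    speed_dial: int = 0               # 0 = full scan, otherwise the speed dial level
    certified: Optional[bool] = True  # False = invalid, None = certification missing
    analysis_warnings: int = 0

def pct_change(prev: int, cur: int) -> float:
    """Percentage change from prev to cur; a shrinking count is negative."""
    return (cur - prev) / prev * 100.0 if prev else 0.0

def evaluate_processing_rules(prev, cur, first_upload=True) -> tuple:
    """Return (approval reasons, block reasons) with every rule from the table enabled."""
    approval, blocked = [], []
    if cur.build_project != prev.build_project:
        approval.append("build project differs")
    for name, p, c in (("file", prev.file_count, cur.file_count),
                       ("line", prev.line_count, cur.line_count)):
        change = pct_change(p, c)
        if change < -10:
            approval.append(f"{name} count decreased by more than 10%")
        if change > 10:
            approval.append(f"{name} count increased by more than 10%")
    if cur.engine_version > prev.engine_version:
        approval.append("engine version newer than previous scan")
    if cur.rulepacks != prev.rulepacks:   # Rulepack added, removed or updated
        approval.append("rulepacks do not match previous scan")
    if cur.certified is not True:         # missing (None) or invalid (False)
        approval.append("certification missing or invalid")
    if first_upload and cur.analysis_warnings:  # re-uploads of the same artifact are exempt
        approval.append("analysis warnings present")
    if cur.quick_scan or 0 < cur.speed_dial < 4:
        blocked.append("quick scan or speed dial below four is ignored")
    return approval, blocked

def migration_runs(prev, cur, auto_enabled=True, force_enabled=False) -> bool:
    """Automatic migration runs only when engine or Rulepack versions changed; Force always runs."""
    versions_changed = (cur.engine_version != prev.engine_version
                        or cur.rulepacks != prev.rulepacks)
    return force_enabled or (auto_enabled and versions_changed)
```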