Displaying Analysis Results Information from an FPR File

The FPRUtility -information option displays information about the analysis results. You can use it to obtain the following information:

To display signature information for the analysis:

FPRUtility -information -signature -project <project>.fpr -f <output>.txt

To display a full analysis error report for the FPR:

FPRUtility -information -errors -project <project>.fpr -f <output>.txt

To display the number of issues per vulnerability category or analyzer:

FPRUtility -information -categoryIssueCounts -project <project>.fpr 
FPRUtility -information -analyzerIssueCounts -project <project>.fpr

To display the number of issues for a custom grouping based on a search:

FPRUtility -information -search -query <search_expression> \
[-categoryIssueCounts] [-analyzerIssueCounts] \
[-includeSuppressed] [-includeRemoved] \
-project <project>.fpr -f <output>.txt  

Note: By default, the result does not include suppressed and removed issues. To include suppressed or removed issues, use the -includeSuppressed or -includeRemoved options.

To display information for issues in CSV format:

FPRUtility -information -listIssues \
-search [-queryAll | -query <search_expression>] \
[-categoryIssueCounts] [-analyzerIssueCounts] \
[-includeSuppressed] [-includeRemoved] \
-project <project>.fpr -f <output>.csv -outputFormat CSV

To display information for all issues from the most recent scan (excluding suppressed and removed issues) using the Quick View filter set:

FPRUtility -information -listIssues \
-search -queryAllExistingUnsuppressed \
-filterSet "Quick View" \
[-categoryIssueCounts] [-analyzerIssueCounts] \
-project <project>.fpr -f <output>.txt

To display a comparison of the number of lines of code for analyzed files in two FPRs:

FPRUtility -information -loc -project <project>.fpr \
-compareTo <oldproject>.fpr -f <output>.txt
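The -loc -compareTo report uses the line format described in the options table below (a marker of +, - or * followed by <filename>: <total_loc> (<executable_loc>) with +N/-N deltas). The following parser is an added example, not part of FPRUtility or this documentation; it assumes that lines without a marker are unchanged files (the page does not state this) and that any other line is header text to skip.

```python
import re

# Line format documented for -loc: "<filename>: <total_loc> (<executable_loc>)".
# With -compareTo, a leading marker is added (+ new, - removed, * changed) and
# "+N"/"-N" deltas follow the counts. Unmarked lines are assumed here (the page
# does not say) to be unchanged files; anything that does not match is skipped.
LOC_LINE = re.compile(
    r"^(?:(?P<marker>[+\-*])\s+)?"
    r"(?P<file>.+?):\s+"
    r"(?P<total>\d+)(?:\s+(?P<total_delta>[+-]\d+))?"
    r"\s+\((?P<exec>\d+)(?:\s+(?P<exec_delta>[+-]\d+))?\)\s*$"
)
STATUS = {"+": "new", "-": "removed", "*": "changed", None: "unchanged"}

def parse_loc_line(line):
    """Return a dict for one report line, or None if it is not a LOC line."""
    m = LOC_LINE.match(line)
    if m is None:
        return None
    return {
        "file": m["file"],
        "status": STATUS[m["marker"]],
        "total_loc": int(m["total"]),
        "total_delta": int(m["total_delta"] or 0),
        "exec_loc": int(m["exec"]),
        "exec_delta": int(m["exec_delta"] or 0),
    }

def parse_loc_report(text):
    """Parse a whole -loc / -compareTo report, skipping headers and blank lines."""
    return [e for e in map(parse_loc_line, text.splitlines()) if e is not None]

def summarize(entries):
    """Files per status plus net executable-LOC drift: new files add their whole
    count, removed files subtract theirs, changed files contribute their delta."""
    counts = {s: 0 for s in STATUS.values()}
    drift = 0
    for e in entries:
        counts[e["status"]] += 1
        sign = {"new": 1, "removed": -1}.get(e["status"])
        drift += sign * e["exec_loc"] if sign else e["exec_delta"]
    return {**counts, "exec_loc_delta": drift}

# Constructed sample report (not real FPRUtility output); the "*" line is the page's own example.
SAMPLE_REPORT = """\
+ ProjectA/NewServlet.java: 60 (42)
- ProjectA/Legacy.java: 30 (20)
* ProjectA/main.jsp: 115 +15 (85 +7)
ProjectA/Util.java: 200 (150)
"""
```

Feed it the file written with -f <output>.txt to see how much executable code entered or left the scan scope between two FPRs, which is a quick sanity check that the newer scan covered what it should.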

FPRUtility Information Options

The following table lists the FPRUtility options that apply to project information.

Option      Description

-information

Displays information for the project.
Specify one of the following options to indicate what information to display:

-signature

Displays the signature for analysis results and rules.

-mappings

Displays the migration mappings report.

-errors

Displays a full error report for the FPR.

-versions

Displays the Fortify Static Code Analyzer and the Fortify Secure Coding Rulepacks versions used in the static scan.

-functionsMeta

Displays all functions that the static analyzer encountered in CSV format. To filter which functions are displayed, include -excludeCoveredByRules, -excludeFunctionsWithSource, or both.

-categoryIssueCounts

Displays the number of issues for each vulnerability category.

-analyzerIssueCounts

Displays the number of issues for each analyzer.

-search <query_option>
  • Use -search -query <search_expression> to display the number of issues in the result of your specified search expression. To display the number of issues per vulnerability category or analyzer, add the optional -categoryIssueCounts and -analyzerIssueCounts options to the search option. Use the -includeSuppressed and -includeRemoved options to include suppressed or removed issues.

  • Use -search -queryAll to search all the issues in the FPR including suppressed and removed issues.

  • Use -search -queryAllExistingUnsuppressed to search all the issues in the FPR excluding suppressed and removed issues.

-loc

Displays the list of analyzed files each with the number of lines of code (LOC) in the following format:

<filename>: <total_loc> (<executable_loc>) 

where <total_loc> is the approximate number of lines that contain code constructs (comments are excluded).

Use -compareTo <project>.fpr with this option to compare the number of lines of code with another FPR. The comparison output includes the following information:

  • + indicates new analyzed files

  • - indicates removed analyzed files

  • * indicates files with a different number of lines of code. The difference in the number of lines of code is shown next to the executable LOC number as in (+N or -N). For example:

    * ProjectA/main.jsp: 115 +15 (85 +7)

    In the previous example, the comparison shows that the number of lines of code in main.jsp is different between the two FPR files. There are 15 additional total LOC and 7 additional executable LOC.

-project <project>.fpr

Specifies the FPR from which to extract the results information.

-listIssues

Displays the location for each issue in one of the following formats:

<sink_filename>:<line_num> or
<sink_filename>:<line_num> (<category><analyzer>)

You can also use the -listIssues option with -search and with both issueCounts grouping options. If you group by -categoryIssueCounts, then the output includes (<analyzer>) and if you group by -analyzerIssueCounts, then the output includes (<category>).

If you specify the -outputFormat CSV option, then each issue is displayed on one line in the format:

"<instanceid>", "<category>", 
"<sink_filename>:<line_num>", "<analyzer>"

-filterSet <filterset_name>

Displays only the issues and counts that pass the filters specified in the filter set. Filter sets are ignored without this option.

Important! You must use -search with this option.

-f <output>

Specifies the output file. The default is System.out.

-outputFormat <format>

Specifies the output format. The valid values are TEXT and CSV. The default value is TEXT.

-debug

Displays debug information that can be helpful to troubleshoot issues with FPRUtility.

FPRUtility Signature Exit Codes

Upon completion of the -information -signature command, FPRUtility provides one of the exit codes described in the following table.

Exit Code   Description

0           The project is signed, and all the signatures are valid.
1           The project is signed, and some, but not all, of the signatures passed the validity test.
2           The project is signed, but none of the signatures are valid.
3           The project had no signatures to validate.
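Because only exit code 0 means every signature on the results and rules checked out, a build step that consumes audited FPRs should gate on the exact code rather than on "non-zero". The script below is an added example (not part of FPRUtility or this documentation) that runs the -information -signature command and applies that policy; it assumes FPRUtility is on PATH and that the caller decides whether an unsigned FPR (code 3) is acceptable.

```python
import shutil
import subprocess
import sys

# Exit codes documented for "FPRUtility -information -signature" (table above).
SIGNATURE_EXIT_CODES = {
    0: "signed; all signatures valid",
    1: "signed; only some signatures passed validation",
    2: "signed; no signature is valid",
    3: "no signatures to validate",
}

def signature_verdict(exit_code, require_signed=True):
    """Turn the exit code into a gate decision: (accept, reason).
    Only code 0 passes an audited FPR. Code 1 or 2 means at least one signature
    failed, so the results or rules may have changed after signing and the FPR
    is rejected. Code 3 (unsigned) passes only when the caller opts in.
    Any other code (crash, bad arguments) is treated as a failure."""
    reason = SIGNATURE_EXIT_CODES.get(exit_code, f"unexpected exit code {exit_code}")
    if exit_code == 0 or (exit_code == 3 and not require_signed):
        return True, reason
    return False, reason

def check_fpr_signature(fpr_path, require_signed=True, fprutility="FPRUtility"):
    """Run the signature check on one FPR and return (accept, reason, report).
    Assumes FPRUtility is on PATH (or pass its full path in fprutility)."""
    proc = subprocess.run(
        [fprutility, "-information", "-signature", "-project", fpr_path],
        capture_output=True, text=True)
    accept, reason = signature_verdict(proc.returncode, require_signed)
    return accept, reason, proc.stdout

if __name__ == "__main__":
    # Usage: python fpr_signature_gate.py <project>.fpr [--allow-unsigned]
    if len(sys.argv) < 2 or shutil.which("FPRUtility") is None:
        sys.exit("usage: fpr_signature_gate.py <project>.fpr [--allow-unsigned] "
                 "(FPRUtility must be on PATH)")
    ok, why, report = check_fpr_signature(
        sys.argv[1], require_signed="--allow-unsigned" not in sys.argv[2:])
    print(report, end="")
    print(("PASS: " if ok else "FAIL: ") + why)
    sys.exit(0 if ok else 1)
```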