Audit tag mapping

The SAST Aviator algorithm classifies each issue as a true positive or a false positive and, in some cases, as unsure.

To record a prediction in Fortify Software Security Center, SAST Aviator must set a specific audit tag value and decide whether or not to suppress the issue. As a user, you may have customized the available audit tag values in Fortify Software Security Center, so they may deviate from the default values. For these reasons, SAST Aviator can map its predictions to audit tag values and a suppression status in Fortify Software Security Center.

This mapping is organized by the two tiers of support. See Supported languages and vulnerability categories for more information. With two tiers and three possible SAST Aviator outcomes (true positive (TP), false positive (FP), unsure), there are six cases. Each case must be mapped to a Fortify Software Security Center audit value and a suppression status. The following is the default mapping performed by SAST Aviator:

Tier                                    | Tier configuration name | Outcome | Audit value  | Suppressed
Supported with automatic suppression    | tier_1                  | TP      | Exploitable  | No
Supported with automatic suppression    | tier_1                  | FP      | Not an Issue | Yes
Supported with automatic suppression    | tier_1                  | Unsure  | Not set      | No
Supported without automatic suppression | tier_2                  | TP      | Suspicious   | No
Supported without automatic suppression | tier_2                  | FP      | Not an Issue | No
Supported without automatic suppression | tier_2                  | Unsure  | Not set      | No


To override the default tag mapping, pass a mapping file with the --tag-mapping argument when you run an audit:

fcli aviator ssc audit --av <application_version_name:id> --tag-mapping=<file.yaml>


Note: If the mapping file does not comply with the expected format, SAST Aviator reports a clear and reasonable message describing the problem.

The following tag mapping file is the default one; it implements the mapping shown in the table above. Use it as the basis for your own mapping. Besides changing audit tag values and the suppression status, you can also select a different audit tag altogether by setting tag_id.

# Set the SSC tag to use to store Aviator results. Optional.
# If not set, defaults to "87f2364f-dcd4-49e6-861d-f8d3f351686b"
tag_id: "87f2364f-dcd4-49e6-861d-f8d3f351686b"


# Map Aviator results to SSC tag values. "tier_1" are issues that are
# high-confidence cases that by default are suppressed automatically.
# "tier_2" are the remaining issues.
# "value" is a String attribute that maps to a tag value in SSC. It may be
# omitted. In that case, Aviator will not set a value (but will still add a
# comment)
# "suppress" is a Boolean attribute that defaults to "false"


mapping:
  tier_1:
    fp:
      value: "Not an Issue"
      suppress: true
    tp:
      value: "Exploitable"
      suppress: false
    unsure:
      suppress: false
  tier_2:
    fp:
      value: "Not an Issue"
      suppress: false
    tp:
      value: "Suspicious"
      suppress: false
    unsure:
      suppress: false
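Before pointing --tag-mapping at a customized file, it pays to check it offline: every one of the six tier/outcome cases must exist, suppress must be a YAML boolean, and value must be spelled exactly like the tag value in SSC. The following is an added example in Python, not fcli or SAST Aviator code. It loads a mapping file, validates it, and resolves a prediction to the audit value and suppression status that would be applied, using the defaults the file's comments describe (no value means the tag stays unset, no suppress means false). The small YAML loader, the constructed broken file and the list of accepted tag values (the three that appear on this page) are assumptions of the example; an SSC instance with customized tag values needs its own list passed as allowed_values.

```python
"""Validate a SAST Aviator tag-mapping file and resolve predictions through it.
Added example, not fcli or SAST Aviator code: the loader for the YAML subset
that mapping files use and the accepted tag values (those shown on this page;
a customised SSC needs its own list) are assumptions of this example."""
import re

TIERS = ("tier_1", "tier_2")
OUTCOMES = ("fp", "tp", "unsure")
PAGE_TAG_VALUES = {"Not an Issue", "Suspicious", "Exploitable"}  # assumption: page defaults

# The default mapping from the page, minus its comments.
DEFAULT_MAPPING_YAML = """tag_id: "87f2364f-dcd4-49e6-861d-f8d3f351686b"
mapping:
  tier_1:
    fp:
      value: "Not an Issue"
      suppress: true
    tp:
      value: "Exploitable"
      suppress: false
    unsure:
      suppress: false
  tier_2:
    fp:
      value: "Not an Issue"
      suppress: false
    tp:
      value: "Suspicious"
      suppress: false
    unsure:
      suppress: false"""

# Constructed file with the mistakes validate_mapping() exists to catch.
BROKEN_YAML = """mapping:
  tier_1:
    fp:
      value: "Not an issue"   # spelling differs from the SSC tag value
      suppress: "yes"         # a string, not a YAML boolean
    tp:
      value: "Exploitable"
    maybe:                    # not an Aviator outcome, and unsure is absent
      suppress: false"""

def _scalar(token):
    """Decode a scalar token: quoted string, YAML boolean, or bare word."""
    if len(token) >= 2 and token[0] == token[-1] and token[0] in "\"'":
        return token[1:-1]
    return token.lower() == "true" if token.lower() in ("true", "false") else token

def load_mapping_yaml(text):
    """Parse the indentation-based 'key: value' YAML subset into nested dicts."""
    root = {}
    stack = [(-1, root)]                       # (indent, container) per open level
    for raw in text.splitlines():
        line = re.split(r"(?:^|\s)#", raw, maxsplit=1)[0].rstrip()  # strip comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, sep, value = line.strip().partition(":")
        if not sep:
            raise ValueError(f"expected 'key: value', got {raw!r}")
        while stack[-1][0] >= indent:          # close deeper and sibling levels
            stack.pop()
        parent = stack[-1][1]
        if value.strip():
            parent[key] = _scalar(value.strip())
        else:                                  # a bare "key:" opens a nested mapping
            parent[key] = child = {}
            stack.append((indent, child))
    return root

def validate_mapping(doc, allowed_values=PAGE_TAG_VALUES):
    """Return the problems found; an empty list means all six cases are well formed."""
    mapping = doc.get("mapping")
    if not isinstance(mapping, dict):
        return ["'mapping' section is missing"]
    errors = [f"unknown tier {t!r}" for t in mapping if t not in TIERS]
    for tier in TIERS:
        outcomes = mapping.get(tier)
        if not isinstance(outcomes, dict):
            errors.append(f"{tier} is missing")
            continue
        errors += [f"{tier}: unknown outcome {o!r}" for o in outcomes if o not in OUTCOMES]
        for outcome in OUTCOMES:               # every tier/outcome pair must be present
            case, where = outcomes.get(outcome), f"{tier}.{outcome}"
            if not isinstance(case, dict):
                errors.append(f"{where} is missing")
                continue
            errors += [f"{where}: unknown attribute {a!r}" for a in case if a not in ("value", "suppress")]
            if "value" in case and (not isinstance(case["value"], str) or case["value"] not in allowed_values):
                errors.append(f"{where}: {case['value']!r} is not a tag value (spelling is exact)")
            if "suppress" in case and not isinstance(case["suppress"], bool):
                errors.append(f"{where}: suppress must be true or false, not {case['suppress']!r}")
    return errors

def resolve(doc, tier, outcome):
    """(tag value or None, suppress) for one prediction: a missing value leaves the
    tag unset and a missing suppress means false, as the file's comments state."""
    case = doc["mapping"][tier][outcome]
    return case.get("value"), bool(case.get("suppress", False))
```

Run validate_mapping(load_mapping_yaml(open("mapping.yaml").read())) on your own file before using it with fcli; the unsure cases in the default file show the value-less form, which resolve() reports as None (the tag is left unset). Because the check is an exact string match, a mapping written against a customized SSC instance only validates when its tag values are supplied as allowed_values.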