Filtering comments using FortifyRemove
Developers are accustomed to controlling the output of linters, compilers, and IDE-integrated static analysis tools directly from the code. In the same way, developers can use inline comments to manage issues reported by OpenText SAST: an issue can be prevented from being reported by placing a FortifyRemove() comment that names either the ID of the rule that triggers the issue or the category of the finding.
Rule comments can be disabled in fortify-rules.properties by setting com.fortify.sca.rules.EnableRuleComments=false. For more information, see fortify-rules.properties.
For example, consider the following Java Hello World application.
    public class MyClass {
        public static void main(String[] args) {
            System.out.println("Hello World");
        }
    }
Suppose a rule with the ID 625EEE1F-464F-42DC-85D6-269A637EF747 triggers on the main method and reports it as J2EE Bad Practices: Leftover Debug Code.
If the developer disagrees with the finding and no longer wants it displayed, either of the following comments will prevent the issue from appearing.
    public class MyClass {
        // FortifyRemove(ID="625EEE1F-464F-42DC-85D6-269A637EF747")
        public static void main(String[] args) {
            System.out.println("Hello World");
        }
    }
Or
    public class MyClass {
        // FortifyRemove(Category="J2EE Bad Practices: Leftover Debug Code")
        public static void main(String[] args) {
            System.out.println("Hello World");
        }
    }
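Because a FortifyRemove() comment silences a finding for everyone who scans the code, reviewers usually want an inventory of where such markers exist and what they cover. The following script is an added example, not part of the OpenText documentation or the SAST tool: it parses the two marker forms shown above from a Java source string (constructed inline), flags arguments that are neither a rule ID nor a Category, and records the code line each marker hides. It assumes markers are honoured in both // and /* */ comments and that rule IDs are UUID-shaped, as in the example ID on this page.

```python
import re
from typing import Dict, List

# Constructed input: the page's Hello World with one suppression of each form,
# plus a marker with an unrecognised argument and one that is not in a comment.
SAMPLE_JAVA = """\
public class MyClass {
    // FortifyRemove(ID="625EEE1F-464F-42DC-85D6-269A637EF747")
    public static void main(String[] args) {
        System.out.println("Hello World");
    }
    /* FortifyRemove(Category=" J2EE Bad Practices: Leftover Debug Code") */
    static void helper() {}
    // FortifyRemove(Rule="oops")
    static void other() {}
    String s = "FortifyRemove(ID=\\"not-a-comment\\")";
}
"""

# The two argument forms the page documents. Whitespace inside the quotes is
# stripped so a stray leading space in a Category does not hide the marker.
_MARKER = re.compile(r'FortifyRemove\(\s*(ID|Category)\s*=\s*"([^"]*)"\s*\)')
_UUID = re.compile(r'^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$')
_COMMENT_STARTS = ("//", "/*", "*")  # assumption: both comment styles count


def _is_comment(line: str) -> bool:
    return line.strip().startswith(_COMMENT_STARTS)


def find_suppressions(source: str, path: str = "MyClass.java") -> List[Dict[str, object]]:
    """List every FortifyRemove() marker in a Java source string: line, argument
    kind (ID, Category or MALFORMED), value, and the next code line the marker
    covers. Markers outside comments are ignored, as only comments are honoured."""
    lines = source.splitlines()
    found: List[Dict[str, object]] = []
    for idx, raw in enumerate(lines):
        if not _is_comment(raw) or "FortifyRemove" not in raw:
            continue
        # First non-blank, non-comment line after the marker.
        target = next((l.strip() for l in lines[idx + 1:]
                       if l.strip() and not _is_comment(l)), "")
        m = _MARKER.search(raw)
        kind, value = (m.group(1), m.group(2).strip()) if m else ("MALFORMED", raw.strip())
        if kind == "ID" and not _UUID.match(value):
            kind = "MALFORMED"
        found.append({"path": path, "line": idx + 1, "kind": kind,
                      "value": value, "target": target})
    return found
```

Run over a whole tree and diff the result between commits to catch suppressions that appear without a code review comment explaining them.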