Filtering using FortifyRemove comments

Developers are accustomed to controlling the output of linters, compilers, and the static analysis tools built directly into IDEs from within the code itself. In the same way, developers can, if required, use inline comments to manage issues reported by OpenText SAST. A FortifyRemove() comment prevents an issue from being reported by naming either the ID of the rule that triggers the issue or the category of the finding.

When issues are removed with comments, OpenText SAST logs the issues that are removed, including their location and category. 

This functionality is available and enabled by default for Java and C# code. It can be disabled in fortify-rules.properties by setting com.fortify.sca.rules.EnableRuleComments=false. For more information, see fortify-rules.properties.

Basic Comments

For example, consider the following Java Hello World application.

public class MyClass {
    public static void main(String[] args) {
        System.out.println("Hello World");
    }
}

Consider there is a rule with an ID 625EEE1F-464F-42DC-85D6-269A637EF747 that triggers on the main function as J2EE Bad Practices: Leftover Debug Code.

If the developer disagrees and no longer wants this issue to be displayed, either of the following comments, placed on the line immediately before the main method, will prevent the issue from appearing.

public class MyClass {
    // FortifyRemove(ID="625EEE1F-464F-42DC-85D6-269A637EF747")
    public static void main(String[] args) {
        System.out.println("Hello World");
    }
}

Or

public class MyClass {
    // FortifyRemove(Category="J2EE Bad Practices: Leftover Debug Code")
    public static void main(String[] args) {
        System.out.println("Hello World");
    }
}

Note: string arguments can be delimited with either double quotes (") or single quotes (').

Wildcards

The * wildcard expands a category to cover all of its subcategories, or to cover every category that matches the pattern.
For example:
// FortifyRemove(Category="Cross-Site Scripting: *")
removes all variants of Cross-Site Scripting issues.
Whereas:
// FortifyRemove(Category="Cross-Site *")
removes all variants of Cross-Site Scripting issues, along with any other category that starts with "Cross-Site", such as "Cross-Site Request Forgery". Because a broad pattern can silently remove findings of an unrelated category, use the narrowest pattern that covers the issue you intend to remove.

Multiple conditions

Instead of wildcards, you can list multiple categories or rule IDs with the Categories or IDs properties respectively, each of which takes an array of strings.
For example:
// FortifyRemove(Categories=["Cross-Site Scripting: Reflected", "Cross-Site Scripting: Persistent"])
prevents both Cross-Site Scripting: Reflected and Cross-Site Scripting: Persistent issues from appearing on the following line.
// FortifyRemove(IDs=["A", "B", "C", "D"])
prevents the rules with IDs A, B, C, or D from triggering on the following line.
You can also combine several criteria in one comment, separated by a semicolon ( ; ).
For example:
// FortifyRemove(Category="SQL Injection"; ID="ABCD-1234")
prevents SQL Injection issues from appearing on the following line and prevents rule ID ABCD-1234 from triggering there.

Adding Justifications

Issues removed by FortifyRemove comments are logged as removed. A Justification property accepting a string can be added; its value is logged alongside the removal information and explains why the issue is being removed. Always include a justification, so that anyone reviewing the removal log can judge whether the suppression is still valid.
For example:
// FortifyRemove(Category="Cross-Site Scripting: *"; Justification="We remove XSS here because we're using custom framework XYZ that automatically protects against the attack")
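As an added example (not OpenText tooling and not code from this page), the following Python script parses FortifyRemove comments using the syntax described in the Wildcards, Multiple conditions and Adding Justifications sections above: ID, IDs, Category, Categories and Justification clauses separated by semicolons, string values in either quote style, arrays in square brackets, * wildcards in categories, and each comment applying to the line that follows it. It replays a set of constructed findings against the comments to produce the kind of removal log described earlier, and flags suppressions a reviewer should question: those without a Justification and those whose wildcard is not confined to the subcategories of a single category. The sample Java source, the rule IDs (R1 to R4, A, B) and the findings are constructed for the demonstration, and wildcard matching uses Python's fnmatch as an approximation of the scanner's own matching.

```python
import re
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import List, Optional

# Comment syntax as described on the page: Key=Value clauses separated by ';'.
COMMENT_RE = re.compile(r'//\s*FortifyRemove\((?P<body>.*)\)\s*$')
CLAUSE_RE = re.compile(
    r'\s*(?P<key>IDs|ID|Categories|Category|Justification)\s*=\s*'
    r'(?P<value>\[[^\]]*\]|"[^"]*"|\'[^\']*\')\s*(?:;|$)')  # value: [array], "str" or 'str'
STRING_RE = re.compile(r'"([^"]*)"|\'([^\']*)\'')            # either quote style is allowed

@dataclass
class Suppression:
    comment_line: int                      # 1-based line holding the comment
    target_line: int                       # the comment applies to the following line
    ids: List[str] = field(default_factory=list)
    categories: List[str] = field(default_factory=list)
    justification: Optional[str] = None

    def covers(self, rule_id: str, category: str) -> bool:
        """True if a finding with this rule ID / category would be removed ('*' is a wildcard)."""
        return rule_id in self.ids or any(fnmatchcase(category, p) for p in self.categories)

def parse_fortify_remove(line: str, lineno: int = 0) -> Optional[Suppression]:
    """Parse one source line; returns None if it is not a FortifyRemove comment."""
    m = COMMENT_RE.search(line)
    if m is None:
        return None
    body, pos = m.group('body'), 0
    sup = Suppression(comment_line=lineno, target_line=lineno + 1)
    while pos < len(body):
        cm = CLAUSE_RE.match(body, pos)
        if cm is None:
            raise ValueError(f'line {lineno}: cannot parse clause at {body[pos:]!r}')
        key = cm.group('key')
        values = [a or b for a, b in STRING_RE.findall(cm.group('value'))]  # one group per match is empty
        if key in ('ID', 'IDs'):
            sup.ids.extend(values)
        elif key in ('Category', 'Categories'):
            sup.categories.extend(values)
        else:
            sup.justification = values[0] if values else ''
        pos = cm.end()
    return sup

def scan(source: str) -> List[Suppression]:
    """All FortifyRemove suppressions in a source file, in order of appearance."""
    found = [parse_fortify_remove(l, n) for n, l in enumerate(source.splitlines(), start=1)]
    return [s for s in found if s is not None]

def apply_suppressions(findings, suppressions):
    """Split findings (line, rule_id, category) into (reported, removed); removed entries keep location, category and justification."""
    reported, removed = [], []
    for line, rule_id, category in findings:
        hit = next((s for s in suppressions
                    if s.target_line == line and s.covers(rule_id, category)), None)
        if hit is None:
            reported.append((line, rule_id, category))
        else:
            removed.append({'line': line, 'rule_id': rule_id, 'category': category,
                            'justification': hit.justification})
    return reported, removed

def review_warnings(suppressions) -> List[str]:
    """Suppressions to question: no Justification, or a wildcard not confined to one category's subcategories."""
    warnings = []
    for s in suppressions:
        if not s.justification:
            warnings.append(f'line {s.comment_line}: suppression without Justification')
        for pat in s.categories:
            if '*' in pat and not re.fullmatch(r'[^*]+: \*', pat):
                warnings.append(f'line {s.comment_line}: broad wildcard {pat!r}')
    return warnings

# Constructed sample source and findings (rule IDs R1..R4, A and B are made up).
SAMPLE_JAVA = '''\
public class Demo {
    // FortifyRemove(Category="Cross-Site Scripting: *"; Justification="Output passes through framework XYZ's encoder")
    void render(String s) { out.println(s); }
    // FortifyRemove(Category='Cross-Site *')
    void submit(String t) { form.submit(t); }
    // FortifyRemove(IDs=["A", "B"]; Category="SQL Injection")
    void query(String q) { db.run(q); }
    void unguarded(String q) { db.run(q); }
}
'''
SAMPLE_FINDINGS = [
    (3, 'R1', 'Cross-Site Scripting: Reflected'),   # removed by the line-2 comment
    (3, 'R4', 'Cross-Site Request Forgery'),        # not covered by "Cross-Site Scripting: *"
    (5, 'R2', 'Cross-Site Request Forgery'),        # swallowed by the broad 'Cross-Site *'
    (7, 'B', 'Access Control: Database'),           # removed by rule ID B
    (7, 'R3', 'SQL Injection'),                     # removed by the exact category
    (8, 'R3', 'SQL Injection'),                     # no FortifyRemove on the preceding line: reported
]

if __name__ == '__main__':
    sups = scan(SAMPLE_JAVA)
    print(*apply_suppressions(SAMPLE_FINDINGS, sups), *review_warnings(sups), sep='\n')
```

Running the script against the sample prints the two findings that are still reported, the four removal-log entries (each carrying the line, category and justification of the comment that removed it), and three review warnings: the 'Cross-Site *' comment both lacks a justification and removes the unrelated Cross-Site Request Forgery finding, and the IDs/SQL Injection comment lacks a justification. Running something like this over a code base before merging is a cheap way to catch suppressions that would otherwise only surface in the scanner's removal log.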