Auditing issues
To evaluate and assign audit values to an issue or group of issues:
- Select the issue or group of issues in the Analysis Results window (see Analysis Results Window).
  If multiple issues are selected, then this information is displayed on the Audit tab as Issue: Multiple Issues Selected.
- Read the abstract on the Audit tab, which provides high-level information about the issue, such as the analyzer that found the issue.
  For example, Command Injection (Input Validation and Representation, data flow) indicates that this issue, detected by the Dataflow Analyzer, is a Command Injection issue in the Input Validation and Representation kingdom.
- Click the Details tab to see more details about the issue.
- On the Audit tab, select an analysis value for the issue to represent your evaluation.
- Specify values for any custom tags as required by your organization.
  To specify a date in a date-type custom tag, click the Select Date button to select a date from a calendar. To specify text in a text-type custom tag, click the Edit Text button, and then enter text in the Edit Text Value dialog box.
- If the audit results have been submitted to Fortify Audit Assistant in Application Security, then you can specify whether to include or exclude the issue from Fortify Audit Assistant training from the AA_Training list.
  If you select a different value for the analysis tag than the AA_Prediction value set by Fortify Audit Assistant, and you select Include from the AA_Training list, then the next time the data is submitted to Fortify Audit Assistant, it updates the information used to predict whether an issue represents a true vulnerability. For more information about Fortify Audit Assistant tags, see the OpenText™ Application Security User Guide.
- (Optional) In the Comments box, click to add comments relevant to the issue and your evaluation, and then click the Add Comment button.