[研究]Opentext Fortify SAST (SCA) 讓客製化報告 Critical, High 數量為 0

[研究]Opentext Fortify SAST (SCA) 讓客製化報告 Critical, High 數量為 0

2025-08-29

靜態程式碼分析工具 25.0 版開始簡稱 SAST，之前簡稱 SCA 

• Opentext Fortify SAST（Static Application Security Testing）
• Opentext Fortify SCA (Static Code Analyzer)

Fortify SAST 並不是能 100% 保證不會誤判 (就像防毒軟體、黑箱 Web 弱點掃描工具、黑箱主機弱點掃描工具、滲透測試、、、也是)。但是若遇到業主 or 上司、主管硬是要求 Critical, High, Medium, 甚至 Low 在程式碼修改掃瞄後都必須達到 0 的情況，原廠也不是沒有提供一些應對措施，例如在 AWB (AuditWorkBench) 設定為 Hide (隱藏)，產出的 pdf 報告就不會有。

本篇是從「客製化報告」產出 .pdf 時著手。

********************************************************************************

【問題數量】

原來 .xml 中 (若有)，砍掉。

共找到 $TOTAL_FINDINGS$ 個問題

********************************************************************************

【目錄清單】

原來 .xml 中，修改 <Refinement></Refinement> 內容

<SubSection enabled="true"> <Title>Issues by Folder</Title> <Description>A table summarizing the number of issues found and the breakdown of issues in each Fortify Priority Level</Description> <IssueListing limit="-1" listing="false" showShortFileNames="false"> <Refinement></Refinement> <Chart chartType="table"> <Axis>Folder</Axis> <MajorAttribute>Analysis</MajorAttribute> </Chart> </IssueListing> </SubSection>

改為

<SubSection enabled="true"> <Title>Issues by Folder</Title> <Description>A table summarizing the number of issues found and the breakdown of issues in each Fortify Priority Level</Description> <IssueListing limit="-1" listing="false" showShortFileNames="false"> <Refinement>[fortify priority order]:none</Refinement> <Chart chartType="table"> <Axis>Folder</Axis> <MajorAttribute>Analysis</MajorAttribute> </Chart> </IssueListing> </SubSection>

產出 .pdf 報告上畫面

[fortify priority order] 預設會抓 critical, high, medium, low 的資訊，改成不存在的名稱後，就變成 0。

********************************************************************************

【類別清單】

原來 .xml 中

<SubSection enabled="true"> <Title>Issues By Category</Title> <IssueListing limit="-1" listing="false" showShortFileNames="false"> <Refinement>[fortify priority order]:critical</Refinement> <Chart chartType="table"> <Axis>Category</Axis> <MajorAttribute>Analysis</MajorAttribute> </Chart> </IssueListing> </SubSection> <SubSection enabled="true"> <Title>Issues By Category</Title> <IssueListing limit="-1" listing="false" showShortFileNames="false"> <Refinement>[fortify priority order]:high</Refinement> <Chart chartType="table"> <Axis>Category</Axis> <MajorAttribute>Analysis</MajorAttribute> </Chart> </IssueListing> </SubSection> <SubSection enabled="true"> <Title>Issues By Category</Title> <IssueListing limit="-1" listing="false" showShortFileNames="false"> <Refinement>[fortify priority order]:medium</Refinement> <Chart chartType="table"> <Axis>Category</Axis> <MajorAttribute>Analysis</MajorAttribute> </Chart> </IssueListing> </SubSection> <SubSection enabled="true"> <Title>Issues By Category</Title> <IssueListing limit="-1" listing="false" showShortFileNames="false"> <Refinement>[fortify priority order]:low</Refinement> <Chart chartType="table"> <Axis>Category</Axis> <MajorAttribute>Analysis</MajorAttribute> </Chart> </IssueListing> </SubSection>

改為

<SubSection enabled="true"> <Title>Issues By Category</Title> <IssueListing limit="-1" listing="false" showShortFileNames="false"> <Refinement>[fortify priority order]:critical none</Refinement> <Chart chartType="table"> <Axis>Category</Axis> <MajorAttribute>Analysis</MajorAttribute> </Chart> </IssueListing> </SubSection> <SubSection enabled="true"> <Title>Issues By Category</Title> <IssueListing limit="-1" listing="false" showShortFileNames="false"> <Refinement>[fortify priority order]:high none</Refinement> <Chart chartType="table"> <Axis>Category</Axis> <MajorAttribute>Analysis</MajorAttribute> </Chart> </IssueListing> </SubSection> <SubSection enabled="true"> <Title>Issues By Category</Title> <IssueListing limit="-1" listing="false" showShortFileNames="false"> <Refinement>[fortify priority order]:medium none</Refinement> <Chart chartType="table"> <Axis>Category</Axis> <MajorAttribute>Analysis</MajorAttribute> </Chart> </IssueListing> </SubSection> <SubSection enabled="true"> <Title>Issues By Category</Title> <IssueListing limit="-1" listing="false" showShortFileNames="false"> <Refinement>[fortify priority order]:low none</Refinement> <Chart chartType="table"> <Axis>Category</Axis> <MajorAttribute>Analysis</MajorAttribute> </Chart> </IssueListing> </SubSection>

畫面

********************************************************************************

【結果概要】

原來 .xml 中

<ReportSection enabled="true" optionalSubsections="true"> <Title>Critical Results Outline</Title> <SubSection enabled="true"> <Title>Vulnerability Examples by Category</Title> <Description>Results summary of all issue categories. Vulnerability examples are provided by category.</Description> <IssueListing limit="-1" listing="true" showShortFileNames="false"> <Refinement>[fortify priority order]:critical</Refinement> <Chart chartType="list"> <Axis>Category</Axis> <MajorAttribute>Analysis</MajorAttribute> </Chart> </IssueListing> </SubSection> </ReportSection> <ReportSection enabled="true" optionalSubsections="true"> <Title>High Results Outline</Title> <SubSection enabled="true"> <Title>Vulnerability Examples by Category</Title> <Description>Results summary of all issue categories. Vulnerability examples are provided by category.</Description> <IssueListing limit="-1" listing="true" showShortFileNames="false"> <Refinement>[fortify priority order]:high</Refinement> <Chart chartType="list"> <Axis>Category</Axis> <MajorAttribute>Analysis</MajorAttribute> </Chart> </IssueListing> </SubSection> </ReportSection> <ReportSection enabled="true" optionalSubsections="true"> <Title>Medium Results Outline</Title> <SubSection enabled="true"> <Title>Vulnerability Examples by Category</Title> <Description>Results summary of all issue categories. Vulnerability examples are provided by category.</Description> <IssueListing limit="-1" listing="true" showShortFileNames="false"> <Refinement>[fortify priority order]:medium</Refinement> <Chart chartType="list"> <Axis>Category</Axis> <MajorAttribute>Analysis</MajorAttribute> </Chart> </IssueListing> </SubSection> </ReportSection> <ReportSection enabled="true" optionalSubsections="true"> <Title>Low Results Outline</Title> <SubSection enabled="true"> <Title>Vulnerability Examples by Category</Title> <Description>Results summary of all issue categories. Vulnerability examples are provided by category.</Description> <IssueListing limit="-1" listing="true" showShortFileNames="false"> <Refinement>[fortify priority order]:low</Refinement> <Chart chartType="list"> <Axis>Category</Axis> <MajorAttribute>Analysis</MajorAttribute> </Chart> </IssueListing> </SubSection> </ReportSection>

改為

<ReportSection enabled="true" optionalSubsections="true"> <Title>Critical Results Outline</Title> <SubSection enabled="true"> <Title>Vulnerability Examples by Category</Title> <Description>Results summary of all issue categories. Vulnerability examples are provided by category.</Description> <IssueListing limit="-1" listing="true" showShortFileNames="false"> <Refinement>[fortify priority order]:none</Refinement> <Chart chartType="list"> <Axis>Category</Axis> <MajorAttribute>Analysis</MajorAttribute> </Chart> </IssueListing> </SubSection> </ReportSection> <ReportSection enabled="true" optionalSubsections="true"> <Title>High Results Outline</Title> <SubSection enabled="true"> <Title>Vulnerability Examples by Category</Title> <Description>Results summary of all issue categories. Vulnerability examples are provided by category.</Description> <IssueListing limit="-1" listing="true" showShortFileNames="false"> <Refinement>[fortify priority order]:none</Refinement> <Chart chartType="list"> <Axis>Category</Axis> <MajorAttribute>Analysis</MajorAttribute> </Chart> </IssueListing> </SubSection> </ReportSection> <ReportSection enabled="true" optionalSubsections="true"> <Title>Medium Results Outline</Title> <SubSection enabled="true"> <Title>Vulnerability Examples by Category</Title> <Description>Results summary of all issue categories. Vulnerability examples are provided by category.</Description> <IssueListing limit="-1" listing="true" showShortFileNames="false"> <Refinement>[fortify priority order]:none</Refinement> <Chart chartType="list"> <Axis>Category</Axis> <MajorAttribute>Analysis</MajorAttribute> </Chart> </IssueListing> </SubSection> </ReportSection> <ReportSection enabled="true" optionalSubsections="true"> <Title>Low Results Outline</Title> <SubSection enabled="true"> <Title>Vulnerability Examples by Category</Title> <Description>Results summary of all issue categories. Vulnerability examples are provided by category.</Description> <IssueListing limit="-1" listing="true" showShortFileNames="false"> <Refinement>[fortify priority order]:none</Refinement> <Chart chartType="list"> <Axis>Category</Axis> <MajorAttribute>Analysis</MajorAttribute> </Chart> </IssueListing> </SubSection> </ReportSection>

畫面

********************************************************************************

(完)

相關