How can I extract a very simple sourceanalyzer / fortify report that only gives defect counts?

Question

I need to be able to easily track a change in defect counts between builds. My idea was to extract the counts for critical, high, medium, and low severity defects with a report. All of the report templates I can find are complex, and I'm not seeing a way to generate a custom one through AWB.

Alternatively, if there is a way to determine if there are new issues and what severity they are, that would be great, too.

The purpose of this is to run a weekly job on our build server and trigger an email if there are any new issues found and/or if the issue counts for each severity are above a threshold.

Answer 1

The standard Fortify installation includes a FPRUtility.bat that can be used for querying an .fpr file for the information needed. Getting the number of critical, high, medium, and low issues involves writing a custom query for each of these counts:

FPRUtility.bat -project [Your .fpr file] -information -search -query "[fortify priority order]:critical"
FPRUtility.bat -project [Your .fpr file] -information -search -query "[fortify priority order]:high"
FPRUtility.bat -project [Your .fpr file] -information -search -query "[fortify priority order]:medium"
FPRUtility.bat -project [Your .fpr file] -information -search -query "[fortify priority order]:low"

These can likely be combined into a single command, but this will spit out either "No issues matched search query" if no issues of the given severity exist or "# issues of # matched search query".