HPE Audit WorkBench Project Comparison


I am using the "merge audit projects" option in HPE Audit Workbench. Once the projects get merged, only new issues are shown. Is there a possibility that I can see issues of both versions of the projects and the new issues as well?


In Audit Workbench, to view removed issues you can do Tools -> Show Removed Issues.

It is important to understand how Audit Workbench merges projects together: it is not an "append" type of operation. It treats the two FPR (Fortify Project Report) files as being scans of the same code base, either scans taken after code changes, or the same FPR audited by two different auditors/devs where you want to create a single FPR file that contains the audits of both individuals.

For example:

  • FPR A
    • Issue A
    • Issue B
  • FPR B
    • Issue B
    • Issue C

In this example, there are 2 FPRs. In A there are two issues, A and B. Code was changed and a new scan was run (B). The new scan shows issues B and C. B existed from the first scan, C is a new issue introduced by the code changes, and A has been remediated.

When these two FPRs are merged together, there are two active issues, B and C. A is considered removed since it is not in the newest FPR (C).

  • FPR C
    • Issue A (Removed)
    • Issue B (Existing)
    • Issue C (New)

If you merge together two scans from different code bases, then the issues from the first scan are not in the second scan, so Fortify assumes they have been remediated.

One of the reasons you merge projects together is to move analysis/comments from a previous scan into the current scan.

Another is if two individuals worked on auditing a copy of the same FPR file and they want to combine the two analyses into one file.
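The merge semantics described above (Existing / New / Removed, with audit comments carried forward) can be modelled as a set comparison keyed on a stable issue identifier. The following is an added illustration, not Fortify's code or anything from the answer above; it assumes, as a simplification, that each issue has a stable `instance_id` that survives a rescan of the same code base, and it adds a check for the caveat the answer raises: if two scans come from different code bases, every previous issue shows up as "Removed".

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

@dataclass
class Issue:
    # Hypothetical stable key across scans (assumption for this example).
    instance_id: str
    category: str
    # Audit comments/analysis attached to this issue in its own scan.
    comments: List[str] = field(default_factory=list)

def merge_scans(previous: List[Issue], current: List[Issue]) -> Dict[str, Tuple[str, Issue]]:
    """Merge an older scan into a newer one the way the answer describes.

    Returns a map of instance_id -> (status, issue) where status is one of
    "Existing" (in both scans, prior comments carried forward),
    "New" (only in the newer scan) or "Removed" (only in the older scan).
    """
    prev = {i.instance_id: i for i in previous}
    cur = {i.instance_id: i for i in current}
    merged: Dict[str, Tuple[str, Issue]] = {}

    for iid, issue in cur.items():
        if iid in prev:
            # Same issue found again: keep the newer finding, carry prior audit work forward.
            carried = Issue(iid, issue.category, list(prev[iid].comments) + list(issue.comments))
            merged[iid] = ("Existing", carried)
        else:
            merged[iid] = ("New", issue)

    for iid, issue in prev.items():
        if iid not in cur:
            # Not found in the newest scan: Fortify treats this as remediated.
            merged[iid] = ("Removed", issue)
    return merged

def status_counts(merged: Dict[str, Tuple[str, Issue]]) -> Dict[str, int]:
    """Count issues per merge status (the numbers an auditor would expect to see)."""
    return dict(Counter(status for status, _ in merged.values()))

def active_issues(merged: Dict[str, Tuple[str, Issue]], show_removed: bool = False) -> List[str]:
    """IDs shown in the issue list; Removed issues appear only when the view shows them."""
    return sorted(iid for iid, (status, _) in merged.items()
                  if show_removed or status != "Removed")

def looks_like_different_codebase(previous: List[Issue], merged: Dict[str, Tuple[str, Issue]]) -> bool:
    """Heuristic for the caveat in the answer: an older scan with issues and no
    overlap at all with the newer scan usually means two unrelated code bases
    were merged, not that everything was remediated."""
    counts = status_counts(merged)
    return bool(previous) and counts.get("Existing", 0) == 0

# Constructed sample data mirroring the FPR A / FPR B example above.
SCAN_A = [Issue("A", "SQL Injection", ["Confirmed exploitable, ticket #placeholder"]),
          Issue("B", "Path Manipulation", ["Suppressed: input is a fixed enum"])]
SCAN_B = [Issue("B", "Path Manipulation"),
          Issue("C", "Cross-Site Scripting")]
# Constructed scan of an unrelated project: no shared instance IDs at all.
SCAN_OTHER = [Issue("X", "Hardcoded Password"), Issue("Y", "Weak Cryptographic Hash")]

if __name__ == "__main__":
    merged = merge_scans(SCAN_A, SCAN_B)
    for iid, (status, issue) in sorted(merged.items()):
        print(f"Issue {iid} ({status}): {issue.category}; comments={issue.comments}")
    print("Default view:", active_issues(merged))
    print("With removed issues shown:", active_issues(merged, show_removed=True))
    print("Different code base?", looks_like_different_codebase(SCAN_A, merge_scans(SCAN_A, SCAN_OTHER)))
```

Running it reproduces the FPR C listing from the answer: A is Removed, B is Existing with the earlier suppression comment carried forward, C is New. The `show_removed` flag mirrors why removed issues disappear from the default view, and the code-base heuristic flags the merge of unrelated projects, where everything from the first scan would otherwise silently read as remediated.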


Keep in mind that the "merge audit projects" option is meant to merge projects from scans of the same code base (usually from different builds).

If that's what you're doing, you may want to look at your view settings to ensure that you're seeing more than just "new" issues.