You will learn

How to generate a Fortify Audit Workbench report and upload it to ThreadFix.

Prerequisites

Audience: IT Professional
Difficulty: Basic
Time needed: Approximately 10 minutes
Tools required: N/A

Generate Results

  1. After launching Audit Workbench, select Scan Java Project...:

  2. Select the directory containing the Java Project to be scanned and click OK:

  3. Select the version of Java the project uses and click OK:

  4. Select the appropriate options for the project (the defaults work for the majority of projects) and select Scan:

  5. After the scan has finished, from the File menu select Save Project As... and save the results to the desired directory.

Filter Set

To see all vulnerabilities within Audit Workbench before uploading them to ThreadFix, go to Tools -> Project Configuration -> Filter sets and make "Security auditor view" the default filter set before saving.

Upload Results

  1. After generating a report, log in to ThreadFix and navigate to the Portfolio page, found on the Navigation sidebar under the Application sub-menu.

  2. Expand the Team the report will be uploaded to:

  3. After picking one of the Team's applications, select Upload Scan and drag the report into the pane:

  4. Once ThreadFix finishes processing the report, the results can be viewed on the individual application's page.

Finding Status Processing

The following list indicates how finding statuses from Fortify are marked within ThreadFix when ingesting a scan:

  • Not an issue or Suppressed - False Positive

  • Exploitable or Need more information - Open

  • Hidden - not ingested into ThreadFix