I have a Java project I'm assessing using Fortify. Some of the issues need to be suppressed, and if so, a comment needs to be made describing why the issue is being suppressed.
How can I see this comment in the generated application report? I'm using the web interface, not workbench.
The suppressed issue appears, I just want to be able to see the comment along with it.
Thank you in advance.
EDIT:
I am able to work in the workbench if needed.
After a while of searching, I was able to figure out how to go about this.
For starters, I should mention that our Fortify scan was initiated by a Jenkins build. In the web interface, or SSC, I had to navigate to the Artifacts tab. From there, I pressed the "Download Application File With Sources" button, which gave me an updated FPR that contained all of the suppressions and comments.
After that, I had to use the Audit Workbench to open that .fpr file. Then I chose not to override the default filter (not sure if that will pop up for everyone) and clicked the "Reports" tab.
I then selected the "Developer Workbook" template from the dropdown, then clicked "Issue Filter Settings". I checked "Suppressed" and deselected "Collapse Issues" (only "Suppressed" should be checked).
Next, I added a filter for only highs and criticals by selecting "advanced" to the right of the filter and choosing "fortify priority order", "does not contain", "low" or "medium". There's an "||" at the top right that you can click to add an additional filter.
Then I selected generate and it worked! The comments for suppressed issues will appear under "Audit Comments" in the report for each issue. Hope this helps others in the future.