How to suppress HP Fortify critical issues in Java code

瘦欲@ submitted on 2020-01-04 09:26:21

Question


I want to suppress the issues (whichever I want) that Fortify shows on the report in Java files, either by annotations or other means, like we suppress PMD issues using @SuppressWarnings(PMD.XXX).


Answer 1:


There are Java annotations you can use within code to say, for example, that a function "cleanses" taint. Further information and the relevant jars are available in /Samples/advanced/javaAnnotations/. With regard to suppressing other issues, this is partly what auditing is about, as you can audit issues as "not an issue" or use the suppress button to suppress the issue itself (the difference being that the issue will disappear by default when using the latter). Alternatively, if you are saying that there is a large subset of findings you don't want to see, such as those to do with command line arguments or issues found with the semantic analyzer, then you can use filters within the project template to hide these.

I would suggest auditing these, however, unless you are really positive that there won't be security vulnerabilities with them.
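As an added illustration of the "cleanses taint" annotation the answer mentions (example code, not from the question, the answer, or Fortify's own samples): a validator method is marked so the analyzer treats its return value as cleansed for the cross-site scripting category, and the request-to-response data flow is routed through it. The annotation class name `com.fortify.annotations.FortifyXSSValidate` is an assumption from memory of the Fortify annotations jar; confirm the exact name against the jar in the /Samples/advanced/javaAnnotations/ directory before relying on it.

```java
// Added example. Assumes the annotation com.fortify.annotations.FortifyXSSValidate
// from the Fortify annotations jar (verify the name against the jar shipped in
// /Samples/advanced/javaAnnotations/). The class and method names are made up.
import com.fortify.annotations.FortifyXSSValidate;

import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class HtmlOutput {

    // Marking the method as an XSS validator tells the analyzer that whatever it
    // returns is no longer tainted for that category, so the write in render()
    // is not reported. The annotation only records a claim about the method;
    // it changes nothing at runtime, so the body must really neutralise the input.
    // Marking a method that does not escape properly hides a real finding.
    @FortifyXSSValidate
    public static String escapeHtml(String untrusted) {
        if (untrusted == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(untrusted.length());
        for (char c : untrusted.toCharArray()) {
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Sink: a request parameter reaches the response body. Without the call to
    // the annotated validator, Fortify reports this flow as cross-site scripting.
    public static void render(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        String name = req.getParameter("name");
        resp.getWriter().println("<p>Hello, " + escapeHtml(name) + "</p>");
    }
}
```

Unlike the suppress button or a filter, an annotation removes the finding for every path through the marked method, so it belongs only on code that has been reviewed as a genuine sanitizer.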



Source: https://stackoverflow.com/questions/20705134/how-to-supress-hp-fortify-critical-issues-in-java-code
