Support for multiple verification tools
SD Elements supports the use of multiple verification tools, as well as manual verification. When you integrate with a security scanning tool, you have three options on how to process the results:
-
Merge
-
Replace Same Tool
-
Replace All
The final result after replacing or merging will yield an overall verification result. This new result appears on the flag inside the task view. The three options are described below.
Merge:
In a merge, if at least one scanner marks the task as a Fail, then the result is a Fail. Use this option when a) you use multiple scanners, or b) results are from a single scanning tool on different parts of the code.
-
If you import a Fortify scan with a Fail, and then import a Veracode scan with a Pass, then the final result will be a Fail.
-
Similarly, if one scanner marks the task as a Partial Pass, and another scanner marks the task as a Pass, then the result will be a Pass.
Replace Same Tool
The result from this import for a specific task will override any previous results generated by the same scanning tool. Use this option when you run the same scanner on the same code base more than once, and you only want to maintain the latest results.
-
If the task was previously marked by Fortify as a Fail, and you are importing another Fortify scan with a Pass, then the result will be Pass.
-
If you previously imported a Fortify scan, and you are now importing a Veracode scan, then the final result will be the same as a Merge.
Replace All
The result from this import for a specific task will override any previous results. Use this option when you want to ignore all previous scanning results.
-
If the task was previously marked as a Fail, but a new import marks it as a Pass, then the final result will be a Pass.