FPRUtility interprets the space-separated conditions in the -information -search -query ... parameter by applying the boolean AND operator. To obtain a union of 2 conditions A || B, I figured I could intersect negations of other conditions that complement the former: !C && !D (where A || B || C || D always holds true). I.e., to find all high and critical issues, I use

FORTIFY_ROOT\jre\bin\java -d64 -Xmx4096M -jar FORTIFY_ROOT\Core\lib\exe\fpr-utility-exe.jar -project APP_VER_DATE.fpr -information -search -query "[OWASP Top 10 2017]:A [fortify priority order]:!low [fortify priority order]:!medium" -categoryIssueCounts -listIssues > issues.txt

In case of an audit, I figured I needed the older report generation utility to include suppressed issues (and their comments),

sed -e 's/\(IssueListing limit=\)"[^"]\+"/\1"-1"/' -i "FORTIFY_ROOT/Core/config/reports/DeveloperWorkbook.xml"
cmd /c call ReportGenerator -template DeveloperWorkbookAll.xml -format pdf -source APP_VER_DATE.fpr -showSuppressed -f "APP_VER_DATE_with_suppressed.pdf"

@SBurris,

If you don't want to show Suppressed/Hidden is it just -hideSuppressed and -hideHidden?

Also, is there a way to add custom filters to not show things like "nones" from the STIG/SANS/OWASP like you can create in the AWB GUI?

Basically, I need a command(s) to merge two FPRs and then compare them based on what is found new on the scanned code vs. the old FPR.

Merge should be:

FPRUtility -merge -project <newest_scan.fpr> -source <previous_scan.fpr> -f <BUILDXX_MergedWith_BUILDXY.fpr>

The custom filter I need after the merge is:

"[OWASP Top 10 2013]:!<none> OR [SANS Top 25 2011]:!<none> OR [STIG 3.9]:!<none> AND [Detected On]:!/^/"

• Where the Detected On field is a custom tag that I need to carry through from the previous FPR file into the newly merged one.

AND THEN output the report from that newly merged fpr in pdf and xml format to a location/filename I specify. Something along the lines of:

~AWB_Installation_Dir/bin/ReportGenerator -format pdf -f [BUILDXX_MergedWith_BUILDXY].pdf -source output.fpr 
    -template DisaStig3.10.xml -hideSuppressed -hideHidden

Obviously this can be a multitude of commands as long as we can get it back to Bamboo. Any help would be greatly appreciated. Thanks.

There is a command-line utility to generate an Report from the FPR file.

Currently there are two report generators: Legacy and BIRT. The BIRT report engine was introduced into Audit Workbench with version 4.40.

Here is an example using the BIRT Report engine to generate a DISA STIG report

BIRTReportGenerator -template "DISA STIG" -source HelloWorld_second.fpr 
    -output BirtReport.pdf -format PDF -showSuppressed --Version "DISA STIG 3.9" 
    -UseFortifyPriorityOrder

Using the legacy one is a little more involved. The command is:

ReportGenerator -format pdf -f LegacyReport.pdf -source HelloWorld_second.fpr 
    -template DisaStig3.10.xml -showSuppressed -showHidden

You can either use one of the predefined template reports located in the <SCA Install Dir>/Core/config/reports directory or generate one using the Report Wizard and saving the template which gets stored in the C:\Users\<USER>\AppData\Local\Fortify\config\AWB-XX.XX\reports\ directory in Windows.

On Linux/Mac look at the configuration file <SCA Install Dir>/Core/config/fortify.properties for the com.fortify.WorkingDirectory property, this is where the reports will be stored