First and foremost thanks for a great product - one of my favorite open source tools for code analysis. Here are somethings that came to mind while using this over the last few days:
According to the release log there is a way to mark results as a false finding(s). Furthermore, I see this field when I dump an XML output; however, I have yet to find how to do this. Is this still an ability within the tool? If so, what am I missing. If not, is it coming back in a future release. Would love to be able to export all but the ones marked false positive.
While on the subject, is there a way that I can change the criticality of a finding (high to low or any combination therein).
Reporting - In addition to the XML out put it would be good to see a PDF and HTML report type. With pretty graphs (management loves graphs) that shows vulnerability # by type and by criticality. Currently I do this in excel after exporting the results but see you already do graphs so why not add this :).
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
The 'mark as false findings' phrase refers to the ability to tick the check-boxes in the listview tab. I'm currently working on a version that will allow colours to be changed (associate an item's status with a colour inside your head ;) ) and will also allow items to be deleted which should make the assessment process easier.
That's an interesting idea. At the moment it's only possible to change status for an entire group of 'bad functions' as defined in the config files, but you can't change the status for anything that's checked by a more complex process (the items that aren't in config files).
I'll take a look at introducing this with the other changes which are mostly intended to make the results assessment process easier.
I'm currently working on CSV export of results in the next version. I'll take a look at a pretty HTML version, maybe the upcoming version or the one after that.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
First and foremost thanks for a great product - one of my favorite open source tools for code analysis. Here are somethings that came to mind while using this over the last few days:
According to the release log there is a way to mark results as a false finding(s). Furthermore, I see this field when I dump an XML output; however, I have yet to find how to do this. Is this still an ability within the tool? If so, what am I missing. If not, is it coming back in a future release. Would love to be able to export all but the ones marked false positive.
While on the subject, is there a way that I can change the criticality of a finding (high to low or any combination therein).
Reporting - In addition to the XML out put it would be good to see a PDF and HTML report type. With pretty graphs (management loves graphs) that shows vulnerability # by type and by criticality. Currently I do this in excel after exporting the results but see you already do graphs so why not add this :).
Hi Raymond
Firstly, thanks for the compliment.
The 'mark as false findings' phrase refers to the ability to tick the check-boxes in the listview tab. I'm currently working on a version that will allow colours to be changed (associate an item's status with a colour inside your head ;) ) and will also allow items to be deleted which should make the assessment process easier.
That's an interesting idea. At the moment it's only possible to change status for an entire group of 'bad functions' as defined in the config files, but you can't change the status for anything that's checked by a more complex process (the items that aren't in config files).
I'll take a look at introducing this with the other changes which are mostly intended to make the results assessment process easier.
I'm currently working on CSV export of results in the next version. I'll take a look at a pretty HTML version, maybe the upcoming version or the one after that.