Question

I have an SCA scan setup for my project using the sca-maven-plugin, which I have built from source and installed into my local repository. My build is run via a TeamCity build agent on the server where Fortify has been installed.

I don't have any issues with getting the scan to run, and I am happily generating reports from the generated .fpr using ReportGenerator. Early reports indicated that I had some vulnerabilities from PHP files which were mistakenly included in the project (which is a Java project). Having since removed these files, why does Fortify still report vulnerabilities for these files, even though they no longer exist in my project?

I have confirmed that the build agent is configured to clean all sources before checking out the latest, and indeed I can see on the server itself that these PHP files no longer exist, but the reports and .fpr are still reporting issues against them.

Is there somewhere that issues are persistent for tracking / trending that I also need to clear out, or is there something else I'm missing?

Output from the build, showing that the files are indeed missing yet still included in the analysis scope, below:

[07:40:16][com.....myapp:web] [INFO] --- sca-maven-plugin:3.90:scan (default-cli) @ web ---
[07:40:16][com.....myapp:web] [INFO]                    Packaging -> war
[07:40:16][com.....myapp:web] [INFO]        Top-Level Artifact ID -> web
[07:40:16][com.....myapp:web] [INFO]                  Build Label -> web-2.0.0-SNAPSHOT
[07:40:16][com.....myapp:web] [INFO]                Build Version -> 2.0.0-SNAPSHOT
[07:40:16][com.....myapp:web] [INFO]           Build Project Name -> web
[07:40:16][com.....myapp:web] [INFO]                     Build ID -> web-2.0.0-SNAPSHOT
[07:40:16][com.....myapp:web] [INFO]                 Results File -> C:\...\buildAgent\work\c649372994269e88/myapp.fpr
[07:40:16][com.....myapp:web] [INFO]   Location of SCA Executable -> sourceanalyzer
[07:40:16][com.....myapp:web] [INFO]                     Scan Log -> C:\...\buildAgent\work\c649372994269e88\web\target/sca-scan.log
[07:40:16][com.....myapp:web] [INFO]             FindBugs Results -> false
[07:40:16][com.....myapp:web] [INFO]                Fail on Error -> false
[07:40:16][com.....myapp:web] [INFO]                Upload to SSC -> false
[07:40:16][com.....myapp:web] [INFO] Issues will not be tracked and trended without uploading to SSC.
[07:40:16][com.....myapp:web] [INFO] *** !! Scanning aggregate project - web !! ***
[07:40:16][com.....myapp:web] [INFO] Created output dir C:\...\buildAgent\work\c649372994269e88\web\target
[07:40:16][com.....myapp:web] [INFO] cmd: "cmd.exe /X /C "sourceanalyzer -scan @C:\...\buildAgent\work\c649372994269e88\web\target/sca-scan-args.txt""
[07:40:19][com.....myapp:web] Fortify Static Code Analyzer 6.00.0096
[07:40:25][com.....myapp:web] [error]: File C:/.../buildAgent/work/c649372994269e88/web/target/myapp/WEB-INF/views/components/datatables/media/unit_testing/templates/dom_data_th.php not found
[07:40:25][com.....myapp:web] [error]: File C:/.../buildAgent/work/c649372994269e88/web/target/myapp/WEB-INF/views/components/datatables/media/unit_testing/controller.php not found
[07:40:25][com.....myapp:web] [error]: File C:/.../buildAgent/work/c649372994269e88/web/target/myapp/WEB-INF/views/components/datatables/media/unit_testing/performance/large.php not found
[07:40:25][com.....myapp:web] [error]: File C:/.../buildAgent/work/c649372994269e88/web/target/myapp/WEB-INF/views/components/datatables/media/unit_testing/templates/-complex_header.php not found
[07:40:25][com.....myapp:web] [error]: File C:/.../buildAgent/work/c649372994269e88/web/target/myapp/WEB-INF/views/components/datatables/media/unit_testing/templates/2512.php not found
[07:40:25][com.....myapp:web] [error]: File C:/.../buildAgent/work/c649372994269e88/web/target/myapp/WEB-INF/views/components/datatables/media/unit_testing/templates/6776.php not found
[07:40:25][com.....myapp:web] [error]: File C:/.../buildAgent/work/c649372994269e88/web/target/myapp/WEB-INF/views/components/datatables/media/unit_testing/templates/complex_header_2.php not found
[07:40:25][com.....myapp:web] [error]: File C:/.../buildAgent/work/c649372994269e88/web/target/myapp/WEB-INF/views/components/datatables/media/unit_testing/templates/deferred_table.php not found
[07:40:25][com.....myapp:web] [error]: File C:/.../buildAgent/work/c649372994269e88/web/target/myapp/WEB-INF/views/components/datatables/media/unit_testing/templates/dom_data.php not found

Solution

SCA is using a build cache. You should clean this as well with the

sourceanalyzer -b buildID -clean

command. You can do it with the Maven plugin of course by calling the sca-maven-plugin:clean goal or attaching the sca-maven-plugin:clean goal to the Maven phase 'clean' and calling the clean goal.

Be careful when you run this though. It will delete all existing files that were created by the first scan.
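As an added example (not code from the post, the plugin or Fortify), a small shell helper for a CI step: it counts the "[error]: File ... not found" lines that a stale build cache produces in the scan log, lists the phantom paths, and runs the clean command from the answer for that build ID before the next translate. It assumes the build ID from the question's log (web-2.0.0-SNAPSHOT), that sourceanalyzer is on PATH when the clean is actually run, and uses a constructed sample log.

```shell
#!/usr/bin/env bash
# Added example: detect stale build-cache references in a Fortify SCA scan
# log and clean the build ID before re-translating. Not from the original
# post. Assumptions: the -b build ID used at translation is known, and
# sourceanalyzer is on PATH when a clean is needed.
set -eu

# Count "[error]: File <path> not found" lines in a scan log. SCA emits these
# when the cache for a build ID still references files that no longer exist
# in the checked-out sources (the symptom in the question). Prints the count.
count_missing_files() {
  grep -c '\[error\]: File .* not found$' "$1" || true
}

# Print only the missing paths, one per line, for the build report.
list_missing_files() {
  sed -n 's/.*\[error\]: File \(.*\) not found$/\1/p' "$1"
}

# If the previous log shows stale references, clean the build cache for
# that build ID (the answer's command) and return 1 so the pipeline knows
# a full translate + scan is required. sourceanalyzer is only invoked when
# present, so the example still runs on a machine without SCA.
clean_if_stale() {
  local build_id="$1" log="$2" n
  n="$(count_missing_files "$log")"
  if [ "$n" -gt 0 ]; then
    echo "stale cache: $n missing file(s) referenced for build $build_id" >&2
    list_missing_files "$log" >&2
    if command -v sourceanalyzer >/dev/null 2>&1; then
      sourceanalyzer -b "$build_id" -clean
    fi
    return 1
  fi
  return 0
}

# Constructed sample log (not real output), in the shape of the question's
# scan lines, with two references to files that were removed from the tree.
SAMPLE_LOG="$(mktemp)"
cat >"$SAMPLE_LOG" <<'EOF'
[07:40:19] Fortify Static Code Analyzer 6.00.0096
[07:40:25] [error]: File C:/work/web/target/myapp/WEB-INF/views/unit_testing/controller.php not found
[07:40:25] [error]: File C:/work/web/target/myapp/WEB-INF/views/unit_testing/templates/dom_data.php not found
[07:40:30] Scan complete
EOF

# Usage in a CI step: if this returns 1, re-run the translate before -scan.
clean_if_stale web-2.0.0-SNAPSHOT "$SAMPLE_LOG" || echo "re-translate required" >&2
```

Attaching the same check to a TeamCity build step turns the silent "not found" errors into a visible failure instead of a report full of issues against files that no longer exist.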

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow