SourceAndLibScanner error with Fortify version 22.2.1


We are seeing an issue with Fortify SourceAndLibScanner addon after updating Fortify SCA from version 22.1.1 to version 22.2.1. The Sonatype scan throws this error and fails to upload the scan results to SSC:
"Can not convert Sonatype result to proper SSC report"

The log has this error: class org.bouncycastle.jcajce.provider.asymmetric.edec.BCXDHPublicKey cannot be cast to class (org.bouncycastle.jcajce.provider.asymmetric.edec.BCXDHPublicKey is in unnamed module of loader 'app'; is in module java.base of loader 'bootstrap')

The problem seems to be caused by the JRE version that ships with Fortify version 22.2.1. SourceAndLibScanner works fine with JRE

Does anyone know if SourceAndLibScanner is still being maintained/updated? Looks like it was last updated a year ago.

  • 0  

    Please verify and confirm the Bouncy Castle Crypto provider (bcprov-jdkXXon) version and ensure it's compatible with the JDK/JRE in use.

  • 0   in reply to Hersh Tahir

    Fortify SCA version 22.2.2 includes bcprov-jdk15on-1.70.jar in [install_dir]\Core\lib

    Installing SourceAndLibScanner version 21.1.2 adds an older version of this file (bcprov-jdk15on-1.64.jar) to the same directory.

    SourceAndLibScanner 21.1.2 will fail after this installation.

    After some experimentation I discovered that deleting the older version of the bcprov library (bcprov-jdk15on-1.64.jar) will make SourceAndLibScanner run normally again. I assume it uses the newer version.

    Our installation uses the jre that comes with Fortify SCA:
    openjdk 2022-07-19 LTS
    OpenJDK Runtime Environment Zulu11.58+23-CA (build
    OpenJDK 64-Bit Server VM Zulu11.58+23-CA (build, mixed mode)

    This workaround solved the issue for this Fortify SCA update but I'd still like to know if SourceAndLibScanner is still being maintained and updated to work with future versions of Fortify?
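The root cause in the reply above is two copies of the same Bouncy Castle artifact (1.64 and 1.70) sitting side by side in Core\lib, so which class the JVM loads depends on classpath order. The script below is an added example, not part of the thread or of Fortify or SourceAndLibScanner; it lists a lib directory, groups jars by artifact name, and reports every older duplicate so you can review the conflict before removing anything. The `<install_dir>/Core/lib` path and the sample filenames are constructed for illustration.

```python
import os
import re
from collections import defaultdict

# Matches "artifact-<version>.jar" where the version starts with a digit,
# e.g. "bcprov-jdk15on-1.64.jar" -> ("bcprov-jdk15on", "1.64").
JAR_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[\w.]*)\.jar$")

def parse_jar_name(filename):
    """Split a jar filename into (artifact, version); None if it carries no version."""
    m = JAR_RE.match(filename)
    if not m:
        return None
    return m.group("artifact"), m.group("version")

def version_key(version):
    """Numeric sort key: compares 1.70 > 1.64 and 1.10 > 1.8 correctly (plain string sort would not)."""
    parts = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    return tuple(parts)

def find_duplicate_artifacts(filenames):
    """Return {artifact: [versions, oldest first]} for every artifact present more than once."""
    by_artifact = defaultdict(list)
    for name in filenames:
        parsed = parse_jar_name(name)
        if parsed:
            by_artifact[parsed[0]].append(parsed[1])
    return {a: sorted(v, key=version_key) for a, v in by_artifact.items() if len(v) > 1}

def older_copies(filenames):
    """Filenames of all but the newest copy of each duplicated artifact.
    These are the candidates for removal, matching the thread's workaround (drop 1.64, keep 1.70)."""
    result = []
    for artifact, versions in find_duplicate_artifacts(filenames).items():
        for v in versions[:-1]:
            result.append(f"{artifact}-{v}.jar")
    return sorted(result)

def scan_lib_dir(path):
    """Run the check against a real directory, e.g. <install_dir>/Core/lib (path is an assumption)."""
    return older_copies(os.listdir(path))

# Constructed sample listing modelled on the thread: two Bouncy Castle provider versions side by side.
SAMPLE_LIB = ["bcprov-jdk15on-1.70.jar", "bcprov-jdk15on-1.64.jar",
              "bcpkix-jdk15on-1.70.jar", "log4j-api-2.17.1.jar"]

if __name__ == "__main__":
    for jar in older_copies(SAMPLE_LIB):
        print("older duplicate on classpath:", jar)
```

The script only reports; whether the newer jar is the right one to keep depends on what each consumer was built against, so confirm with the vendor's lib listing before deleting.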