Does compilation of source code impact SCA results?


I have done two scans with SCA on the WebGoat project (V7.0).

In the first scan I compiled the code (with mvn package), then used the Maven plugin to translate and scan the project;

In the second scan I did not compile the code and only used Maven translate and scan.

In the "compilation scan" Fortify detected 1347 issues (155 critical), while in the "no compilation scan" Fortify detected 1119 issues (94 critical)...

Is there better accuracy with compilation? If so, why? Is it better to always compile, or can I also scan without compiling? Why have I received such different results?

  • Hi, it probably has to do with what happens during the Maven goal.

    For example, maven compile basically only compiles Java source code to class files, but maven package basically builds the WAR archive. Can you compare both FPRs to see whether the number of files scanned is identical?

    I believe files like JavaScript, HTML and JSP files are not translated when running maven compile.
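One way to do the comparison the reply suggests, added here as an example rather than anything from the original thread or from Fortify itself: it assumes an FPR is a ZIP whose `src-archive/` folder holds one entry per translated file, and it builds two constructed FPR-shaped archives inline so it runs offline.

```python
import io
import zipfile
from collections import Counter
from pathlib import PurePosixPath

# Assumption: an FPR is a ZIP archive and its "src-archive/" folder holds a
# copy of every file the translation phase captured (one entry per file).
SRC_PREFIX = "src-archive/"


def scanned_files(fpr_bytes: bytes) -> set:
    """Return the set of source paths captured in an FPR."""
    with zipfile.ZipFile(io.BytesIO(fpr_bytes)) as zf:
        return {
            name[len(SRC_PREFIX):] for name in zf.namelist()
            if name.startswith(SRC_PREFIX) and not name.endswith("/")
        }


def compare_fprs(compiled: bytes, uncompiled: bytes) -> dict:
    """Report which files only one scan translated, grouped by extension."""
    a, b = scanned_files(compiled), scanned_files(uncompiled)
    by_ext = lambda paths: Counter(PurePosixPath(p).suffix or "(none)" for p in paths)
    return {
        "compiled_count": len(a),
        "uncompiled_count": len(b),
        "only_in_compiled": by_ext(a - b),
        "only_in_uncompiled": by_ext(b - a),
    }


def make_fpr(files) -> bytes:
    """Build a constructed, minimal FPR-shaped ZIP for demonstration only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("audit.fvdl", "<FVDL/>")  # placeholder, not a real FVDL
        for path in files:
            zf.writestr(SRC_PREFIX + path, "")
    return buf.getvalue()


# Constructed sample inputs mirroring the hypothesis in the reply above:
# the packaged build captured web assets, the plain translate did not.
COMPILED_FPR = make_fpr([
    "src/main/java/org/owasp/webgoat/Login.java",
    "src/main/webapp/login.jsp",
    "src/main/webapp/js/app.js",
    "src/main/webapp/index.html",
])
UNCOMPILED_FPR = make_fpr(["src/main/java/org/owasp/webgoat/Login.java"])

if __name__ == "__main__":
    print(compare_fprs(COMPILED_FPR, UNCOMPILED_FPR))
```

Point the two functions at your real FPRs (read as bytes) to see whether the extra issues line up with file types that only the compiled scan translated.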