I have done two scans with SCA on the WebGoat project (V7.0).
In the first scan I compiled the code (with mvn package), then used the Maven plugin to translate and scan the project.
In the second scan I did not compile the code and only used the Maven translate and scan.
In the "compilation scan" Fortify detected 1347 issues (155 critical), while in the "no compilation scan" Fortify detected 1119 issues (94 critical)...
Is there better accuracy with compilation? If so, why? Is it better to always compile, or can I also scan without compiling? Why have I received such different results?
Thanks very much in advance.