Cybersecurity
DevOps Cloud (ADM)
IT Operations Cloud
If SCA local scan is running for long time and stuck in "InferredConstantResolution" with the following error message:
"InferredConstants: Found 8447630 resolved runtime-constant fields
logger:com.fortify.sca.analyzer.callgraph.CallGraphBuilder marker:DEV thread:sourceanalyzer-30
MDC:{msgId=20717, severity=NONE, step=COMPLETE_CALLGRAPH} NDC:[timerSourceanalyzer.Run, timerBackEnd.Analyze, timerInferredConstantResolution]"
there is a workaround to remove that message from the scan by disabling the InferredConstantResolution step that seems to be getting stuck.
We can go to "fortify-sca.properties" file, set the value of "com.fortify.sca.DisableInferredConstants" as true or
add the option "-Dcom.fortify.sca.DisableInferredConstants=true" to the sourceanalyzer command line when running the scan.
Disabling the Inferred Constants step should not have any negative impact on the results obtained from the scan, because it is actually intended as an optimization to eliminate paths where it is known that a variable can never take on a tainted value. In Java terminology, it is searching for variables that are "effectively final", meaning that the value of the variable is never modified even though it is not explicitly declared as a constant value. The only downside to disabling it is that there may be more code paths that must undergo a full data-flow analysis to determine if a value might be tainted.