Cadet 1st Class

Fortify SCA 17.20.0183 issues with ES6, and JS comments

When trying to scan an ember project that has been compiled to ES6 using `ember build -prod`, Fortify SCA sourceanalyzer throws various `[warning]: Unexpected exception while parsing file (javascript)`.

Fortify SCA seems to ignore the JS comment symbols, `//`, and tries to translate comment strings. If I remove the comments, then there are issues with proper ES6 syntax. The JS file is not minimized, and is not silently thrown out by Fortify as with ember decorated JS files.

I don't see a lot of documentation on ES6 configs besides `com.fortify.sca.skip.libraries.ES6`, which didn't do anything. Any ideas?

Thanks

```
sourceanalyzer -b test -clean
sourceanalyzer -b test script.js
```

Parse error at line 40005, column 17. Encountered: imported
```
// once imported , do something ...
```

Parse error at line 1895, column 31. Encountered: $
```
if (edge) {
edge.update(`#${color}`);
}
```

```
sourceanalyzer --version
Fortify Static Code Analyzer 17.20.0183 (using JRE 1.8.0_144)
```

Output of `fortifyupdate --showInstalledRules`:
```
Currently Installed Rulepacks in /home/b249020acaf7/HPE_Security/Fortify_SCA_and_Apps_17.20/Core/config/rules
(truncated)
Fortify Secure Coding Rules, Extended, JavaScript v2019.2.0.0009
(truncated)
```

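The two parse errors quoted in the post both land on constructs an ES5-only parser cannot handle (a template literal with `${...}` interpolation, and a comment the parser apparently reads as code). Before re-running a long `sourceanalyzer` translation it helps to know up front which files and positions will trip the parser. The script below is an added example for that pre-flight triage; it is not from the original post, not part of Fortify SCA, and does not use any Fortify option. It assumes the analyzer's parser stops at ES5 (which the quoted errors suggest) and it works on a constructed sample that mirrors the two snippets above. It strips `//` and `/* */` comments in a length-preserving way (so reported line/column numbers match the original file, 1-based like Fortify's own "Parse error at line N, column M" message) and then reports template literals, arrow functions and ES6 keywords.

```javascript
'use strict';

// Added example, not code from the original post or from Fortify SCA.
// Strip // and /* */ comments from JS source, replacing them with spaces so
// the output has the same length and the same line breaks as the input.
// String and template literals are copied through untouched (a "//" inside a
// string is not a comment). Known limitation: a regex literal containing "//"
// or "/*" (e.g. /\/\//) is misread as a comment start.
function stripComments(src) {
  let out = '';
  let i = 0;
  const n = src.length;
  let mode = 'code'; // code | line | block | dq | sq | tpl
  while (i < n) {
    const c = src[i];
    const d = src[i + 1];
    if (mode === 'code') {
      if (c === '/' && d === '/') { mode = 'line'; out += '  '; i += 2; continue; }
      if (c === '/' && d === '*') { mode = 'block'; out += '  '; i += 2; continue; }
      if (c === '"') mode = 'dq';
      else if (c === "'") mode = 'sq';
      else if (c === '`') mode = 'tpl';
      out += c; i += 1; continue;
    }
    if (mode === 'line') {
      if (c === '\n') { mode = 'code'; out += c; } else { out += ' '; }
      i += 1; continue;
    }
    if (mode === 'block') {
      if (c === '*' && d === '/') { mode = 'code'; out += '  '; i += 2; continue; }
      out += (c === '\n') ? c : ' '; i += 1; continue;
    }
    // Inside a string or template literal: honour backslash escapes so an
    // escaped quote does not end the literal early.
    if (c === '\\') { out += c + (d === undefined ? '' : d); i += 2; continue; }
    const closer = mode === 'dq' ? '"' : (mode === 'sq' ? "'" : '`');
    if (c === closer) mode = 'code';
    out += c; i += 1;
  }
  return out;
}

// Constructs that an ES5-only parser will reject. The template-literal regex
// matches the whole literal so the reported position is the opening backtick.
const ES6_PATTERNS = [
  { construct: 'template literal', re: /`[\s\S]*?`/g },
  { construct: 'arrow function', re: /=>/g },
  { construct: 'ES6 keyword', re: /\b(?:class|let|const|import|export)\b/g },
];

// 1-based line/column of a character index, matching the analyzer's report.
function lineCol(text, index) {
  const before = text.slice(0, index);
  const line = (before.match(/\n/g) || []).length + 1;
  const col = index - before.lastIndexOf('\n');
  return { line, col };
}

// Return [{construct, line, col, token}] sorted by position. Keywords that
// appear inside string literals are reported too; this is a triage, not a parser.
function findEs6Constructs(src) {
  const code = stripComments(src);
  const hits = [];
  for (const { construct, re } of ES6_PATTERNS) {
    re.lastIndex = 0;
    let m;
    while ((m = re.exec(code)) !== null) {
      const { line, col } = lineCol(code, m.index);
      hits.push({ construct, line, col, token: m[0] });
    }
  }
  return hits.sort((a, b) => a.line - b.line || a.col - b.col);
}

// Constructed sample input (not a real build artifact) mirroring the two
// snippets from the post: a comment, a template literal, and an arrow function.
const SAMPLE = [
  '// once imported , do something ...',
  'var edge = getEdge();',
  'if (edge) {',
  '  edge.update(`#${color}`);',
  '}',
  '/* legacy: function(a, b) { return a + b; } */',
  'var add = (a, b) => a + b;',
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  for (const h of findEs6Constructs(SAMPLE)) {
    console.log(`line ${h.line}, column ${h.col}: ${h.construct} (${JSON.stringify(h.token)})`);
  }
}
```

Run it with `node` over the concatenated `ember build -prod` output (read the file into `SAMPLE`, or wire `findEs6Constructs` to `fs.readFileSync`) and compare the reported positions with the analyzer's "Parse error at line N, column M" lines; a hit at the same position confirms the parser is rejecting ES6 syntax rather than the comment itself, which tells you whether transpiling the build output to ES5 before scanning, or excluding that file, is the right workaround to try.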
Cadet 1st Class

Also used fortify scanwizard to auto generate the test script for javascript, which picked up the file but still ran into the same issues.

Ruled out the environment; the issue happens on RHEL- and Debian-based systems.
