Cadet 1st Class
2781 views

Is there a way to correct bogus code paths generated by Fortify SCA?

Scanning our product with Fortify 17.10, we are seeing numerous bogus findings based upon completely invalid code paths. The worst example comes from having base64 conversion classes in a utility jar, e.g. Base64InputStream.java. This class is being misinterpreted as applying to code using InputStream. The same exists with OutputStream, e.g. Base64OutputStream is being seen used in place of java.io.OutputStream in terms of the code paths. Another case is hasNext().

This is extremely problematic given the number of issues being reported. It would be insane to need to rename all classes to something else to resolve this. I could understand a class named OutputStream confusing Fortify SCA as compared to java.io.OutputStream, but I cannot see how Base64OutputStream is being assumed to be OutputStream.

0 Likes
1 Reply
Cadet 3rd Class

Did you receive any response? I am having a similar problem with 17.20 wherein a Map.put is being erroneously treated as an HttpHeader.put.

0 Likes