"The Data Flow Analyzer did not follow some virtual or indirect function calls of call type Virtual. See the user manual for information about increasing the number of indirect function calls to be explored."? How do you fix it?
Has anyone seen this issue, "The Data Flow Analyzer did not follow some virtual or indirect function calls of call type Virtual. See the user manual for information about increasing the number of indirect function calls to be explored."?
How do you fix it? I can't find an answer for this in the documentation. When I Google it there is one reference to it but there is no answer.
I asked dev and they told me that this message is generated by either of two limiters firing.
- com.fortify.sca.limiters.MaxFunPtrsForCall (default value 30)
- com.fortify.sca.limiters.MaxIndirectResolutionsForCall (default value 120)
The first limiter applies to function pointer calls, usually in C/C++. The second limiter applies to virtual function calls in any language with virtual dispatch, which is many.
These limiters firing indicates that SCA was not able to find a small number of possible targets of a function pointer call or virtual call. For example, if the code under scan has 150 different classes implementing java.util.Iterator, then at a virtual call site to Iterator.next(), SCA will consider all 150 implementations as possible targets of that call unless we can better restrict the possible target list based on the static type of the ‘this’ parameter to the call. Because 150 is greater than 120, the limiter will fire and SCA will print this warning.
Increasing either of these values is likely to increase runtime, memory use, and false positive rate. Continuing the Iterator example, it’s pretty unlikely that all 150 possible Iterator implementations could actually be reached at a single specific method call to next(). By including analysis through all of them, we raise the possibility of constructing false positive flows.
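As an added illustration (not from this thread or from Fortify), the script below estimates the fan-out of a virtual call site the way the answer describes it: it counts the classes in a set of Java sources whose `implements` clause names a given interface and compares that count against the two default limits quoted above. The regex-based counting is an assumed heuristic (it ignores anonymous classes, lambdas and nested generics), and the 150 sample classes are constructed inline to mirror the Iterator example.

```python
import re

# Defaults quoted in the thread for the two SCA limiter properties.
MAX_FUN_PTRS_FOR_CALL = 30               # com.fortify.sca.limiters.MaxFunPtrsForCall
MAX_INDIRECT_RESOLUTIONS_FOR_CALL = 120  # com.fortify.sca.limiters.MaxIndirectResolutionsForCall

# Heuristic: "class Name [extends X] implements A, B<T> {" -> (Name, "A, B<T> ").
# It cannot see anonymous classes, lambdas or classes split across nested generics.
_CLASS_RE = re.compile(r"\bclass\s+(\w+)[^{;]*?\bimplements\s+([^{]+)\{", re.S)


def implementations(java_sources, interface_simple_name):
    """Names of classes whose implements clause lists the given interface."""
    found = []
    for src in java_sources:
        for match in _CLASS_RE.finditer(src):
            raw = match.group(2).split(",")
            names = [re.sub(r"<.*", "", n.strip()) for n in raw]   # drop <T> args
            names = [n.split(".")[-1] for n in names]               # java.util.Iterator -> Iterator
            if interface_simple_name in names:
                found.append(match.group(1))
    return found


def count_virtual_targets(java_sources, interface_simple_name):
    """Estimated number of dispatch targets SCA must consider at a call on the interface."""
    return len(implementations(java_sources, interface_simple_name))


def limiter_fires(target_count, limit=MAX_INDIRECT_RESOLUTIONS_FOR_CALL):
    """True when a call site with this many candidates exceeds the limiter, as in the thread."""
    return target_count > limit


# Constructed sample: 150 Iterator implementations (the thread's example) plus one unrelated class.
SAMPLE_JAVA = ["class It%d implements java.util.Iterator<String> { }" % i for i in range(150)]
SAMPLE_JAVA.append("class Plain extends Object implements java.io.Closeable { }")

if __name__ == "__main__":
    n = count_virtual_targets(SAMPLE_JAVA, "Iterator")
    print("Iterator targets:", n, "-> limiter fires:", limiter_fires(n))
```

Running it on the sample reports 150 targets, which is above the 120 default, so the warning would be expected for any `Iterator.next()` call site that SCA cannot narrow by static type.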
Is there any way to debug into the scan to figure out which call is causing the warning? Just to look at the one causing the warning to confirm that it doesn't need any attention. I'll need to write this up and being able to validate what you said would be great.
There isn't a way for you to debug this. SCA developers can debug this by setting a breakpoint at the statement that prints the warning message, and then inspect the variables to see what call site is active. If this is critical for you, please open a support case and provide a mobile build session. We can investigate this and get back to you.