“Fortify cannot locate web.xml or WEB-INF directory”

Question

How do I resolve issues reported by the Fortify scan of the form:

Could not locate the deployment descriptor (web.xml) for your web application.

or:

Could not locate the root (WEB-INF) of the web application.

Answer

This warning does not halt the scanning process. Analysis will continue, and the results are unlikely to be affected.

A J2EE application can contain multiple web applications, and every JSP file needs to belong to one of them. SCA uses the location of web.xml to identify where the web applications are. More specifically, when SCA analyzes a JSP file, it goes up the directory tree looking for web.xml. When it finds one, it decides that this is the web application the JSP file belongs to; otherwise it gives the warning above. Note that other file types, such as TLD, have been reported to cause this issue, so search for those as well if no JSP files are found without an associated web.xml.

To find out which JSP file is missing the web.xml, do the following from the command line:

  • Traverse to the root directory of the J2EE application.
  • In a non-Windows environment, run the following commands:

      pwd > forsupport.txt
      find . -name 'WEB-INF' >> forsupport.txt
      find . -name 'web.xml' >> forsupport.txt
      find . -name '*.jsp' >> forsupport.txt
    
  • In Windows run the following:

      dir /S /B /AD "WEB-INF" > forsupport.txt
      dir /S /B "web.xml" >> forsupport.txt
      dir /S /B "*.jsp" >> forsupport.txt
    

This will create a file called forsupport.txt. The commands search for all occurrences of WEB-INF, all occurrences of web.xml, and all the JSP files in this application, and save the results in forsupport.txt. If using Windows, the whole path of each result is recorded. If not using Windows, the first line will be the current directory, and all the other results are recorded relative to this directory.

By comparing the results in forsupport.txt, you should be able to find at least one JSP file that does not have a WEB-INF or web.xml to associate it with.
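
The comparison can also be automated. The following script is an added example, not part of the original article or of Fortify: for every JSP file (and TLD file, per the note above) it walks up the directory tree looking for WEB-INF/web.xml, assuming the standard layout in which web.xml sits directly inside WEB-INF, and prints the files that have none. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: approximates the upward search for web.xml described above;
# this is not Fortify's own logic.

# has_descriptor FILE ROOT: succeed if FILE's directory or any ancestor,
# up to and including ROOT, contains WEB-INF/web.xml.
has_descriptor() {
    dir=$(dirname "$1")
    while :; do
        [ -f "$dir/WEB-INF/web.xml" ] && return 0
        [ "$dir" = "$2" ] && return 1
        parent=$(dirname "$dir")
        [ "$parent" = "$dir" ] && return 1   # reached filesystem root
        dir=$parent
    done
}

# find_orphans ROOT: print every JSP or TLD file under ROOT that has no
# associated web.xml (these are the files that trigger the warning).
find_orphans() {
    root=${1%/}
    find "$root" -type f \( -name '*.jsp' -o -name '*.tld' \) | LC_ALL=C sort |
    while IFS= read -r f; do
        has_descriptor "$f" "$root" || printf '%s\n' "$f"
    done
}

# make_sample_tree: build a constructed layout for trying the check out.
# Prints the temporary directory it created.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/shop/WEB-INF/jsp" "$t/legacy/tags"
    : > "$t/shop/WEB-INF/web.xml"
    : > "$t/shop/index.jsp"            # covered: shop/WEB-INF/web.xml
    : > "$t/shop/WEB-INF/jsp/cart.jsp" # covered: found two levels up
    : > "$t/legacy/report.jsp"         # orphan: no WEB-INF above it
    : > "$t/legacy/tags/util.tld"      # orphan TLD
    printf '%s\n' "$t"
}

# Scan the directory given on the command line, if any.
if [ $# -gt 0 ]; then
    find_orphans "$1"
fi
```

Run it with the root directory of the J2EE application as its argument; each line of output is a file that needs a web.xml above it or should be excluded from the scan.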
