Troubleshooting Fortify Errors
Question
Fortify has reported errors or warnings when scanning my application. How do I resolve these errors?
Answer
Fortify may report a number of different error messages. Common error messages are listed here along with pointers to other technical notes that explain how to resolve them. If there is no specific guidance for the errors you are encountering, follow the general guidance below. Please see the page on How to view error messages reported by Fortify for details on viewing error messages.
General Guidance
If there is no specific guidance below for the errors encountered, the scan should be run using the -debug and -logfile options and the resulting log files should be reviewed.
If the log files do not indicate how to resolve the errors, the developer should include the following items in future code review validation submissions and they will be taken into consideration during the review:
- the debug log files
- the translation command options
- a readme file explaining the steps taken to try to resolve the problem
Errors that cannot be resolved will not be counted against passing the review.
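One way to script the steps above, as an added example that is not part of the original note: it runs each sourceanalyzer phase with -debug and -logfile, records the exact options used, and refuses to build the submission archive until the logs, options file and readme are all present. The build ID, directory and file names (command-options.txt, README.txt), the source and classpath patterns, and the SCA_BIN override are assumptions.

```shell
#!/bin/sh
# Added example, not from the original note. File names and the build ID
# argument are assumptions; SCA_BIN can point at a different sourceanalyzer.
set -eu

# run_logged <outdir> <phase> <sourceanalyzer args...>
# Records the options first, so they are captured even if the phase fails,
# then runs the phase with -debug and a per-phase -logfile.
run_logged() {
  outdir=$1; phase=$2; shift 2
  mkdir -p "$outdir"
  printf '%s: -debug -logfile %s %s\n' "$phase" "$outdir/$phase.log" "$*" \
    >>"$outdir/command-options.txt"
  "${SCA_BIN:-sourceanalyzer}" -debug -logfile "$outdir/$phase.log" "$@"
}

# bundle_submission <outdir> <archive>
# Builds the archive only when every requested item exists and is non-empty.
bundle_submission() {
  outdir=$1; archive=$2
  for f in translate.log scan.log command-options.txt README.txt; do
    [ -s "$outdir/$f" ] || { echo "missing or empty: $outdir/$f" >&2; return 1; }
  done
  tar -czf "$archive" -C "$outdir" .
}

# main <build-id> [outdir]
main() {
  build=$1; out=${2:-fortify-debug}; rc=0
  # Quoted patterns are passed to sourceanalyzer unexpanded (assumed layout).
  run_logged "$out" translate -b "$build" -source 1.8 \
    -cp "lib/*.jar" "src/**/*.java" || rc=$?
  run_logged "$out" scan -b "$build" -scan -f "$build.fpr" || rc=$?
  # README.txt (steps already tried) is written by hand into $out; the
  # bundle is attempted even after a failed phase, since that is when
  # the reviewers need it.
  bundle_submission "$out" "$build-fortify-debug.tar.gz" || rc=$?
  return "$rc"
}

# Do nothing unless a build ID is given on the command line.
if [ "$#" -ge 1 ]; then main "$@"; fi
```
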
Error Codes
Please note that the following is not a complete list of error messages and will be expanded as more become known:
Error Code(s) | Error Message | Notes |
---|---|---|
N/A | No warnings occurred during analysis | No errors have occurred. The scan is good to go. |
N/A | Error performing ASP.NET Precompilation | See: How to troubleshoot "Error performing ASP.NET Precompilation" |
-1 | Misplaced closing tag [...] | This error likely does not affect the results of the scan, however it is recommended to check the referenced file to see if there are any misplaced HTML tags. |
1 | Unexpected exception: higher order analysis | See General Guidance above. |
101 | File [...] not found | See General Guidance above. Note this also may be a result of spaces in a file name or other errors on the command-line. |
207 | An error was encountered while reading from file [...] | See General Guidance above. |
212 | Encountered an exception while trying to read rule pack | Examine configuration of system where Fortify is installed and of the file flagged in the error - could be a permission issue. If the rulepack is externalmetadata.xml, this file must be moved to the Core/config/ExternalMetadata directory. |
236 | Your license does not allow access to Fortify SCA for Python | If the application contains Python code, use a Fortify license that includes SCA for Python (such as the VA Fortify license). |
309 | Duplicate description element ID [...]. A Description tag with that name already exists. | This can be the result of having multiple copies of the Fortify-provided rulepacks installed (e.g., in the Fortify config/rules and Fortify config/customrules directories). If that is the case, remove the rulepacks from the customrules directory. If that does not resolve the issue, see General Guidance above. |
1001, 1381, 1554, 10000, ... | Error parsing file or Syntax error | See: File parsing or Syntax errors |
1002, 1003 | Unexpected exception while resolving file | See General Guidance above. |
1005 | Unexpected exception during dataflow analysis | See General Guidance above. |
1007 | Unexpected exception during control flow analysis | See General Guidance above. |
1009 | Unexpected exception while building call graph | See General Guidance above. |
1010 | Unexpected exception during configuration file analysis | See General Guidance above. |
1038 | Unexpected exception in initial analysis phase | See General Guidance above. |
1103 | Translator execution failed. | Try scanning the code with the Fortify Visual Studio plugin which will ensure the scan is configured properly. If this does not resolve the issue, see the General Guidance above. |
1105, 1480 | There is not enough memory available to complete analysis | Increase the amount of memory allocated to Fortify: How to increase memory for Fortify translation |
1114 | Function [...] is too complex for exhaustive dataflow analysis and further analysis will be skipped (stack) | See: "Function...is too complex" Errors |
1124, 1125, 1126, 1127 | Scan progress is slow due to [critically] low memory | This error doesn't affect the accuracy of the results, however to speed the scan up see: How to increase memory for Fortify translation |
1137 | Function [...] is too complex for exhaustive dataflow analysis and further analysis will be skipped (visits) | See: "Function...is too complex" Errors |
1138 | Function [...] is too complex for exhaustive dataflow analysis and further analysis will be skipped (time) | See: "Function...is too complex" Errors |
1142 | An unexpected error occurred during internal memory management. The scan will continue, but memory may be quickly exhausted and scan results may be incomplete. | See General Guidance above. |
1202 | Unable to resolve symbol [...] | First ensure the classpath is properly configured (see Fortify SCA Guide Chapter 4). If that does not resolve the problem, see the General Guidance above. |
1207 | Config file [...] could not be located for web app | See General Guidance above. |
1211 | Unable to resolve type | First ensure the classpath is properly configured (see Fortify SCA Guide Chapter 4). If that does not resolve the problem, see the General Guidance above. |
1212 | Unable to resolve function <method> at <code location> | First ensure the classpath is properly configured (see Fortify SCA Guide Chapter 4). If that does not resolve the problem, see the General Guidance above. |
1213 | Unable to resolve field | First ensure the classpath is properly configured (see Fortify SCA Guide Chapter 4). If that does not resolve the problem, see the General Guidance above. |
1214 | Multiple definitions found for class | Resolve the multiple class definitions. Consider scanning the code into multiple FPR files, if appropriate. |
1215 | Could not locate the deployment descriptor (web.xml) for your web application | See: "Fortify cannot locate web.xml or WEB-INF directory" |
1216 | Unable to locate import (?) | First ensure the classpath is properly configured (see Fortify SCA Guide Chapter 4). If that does not resolve the problem, see the General Guidance above. |
1219 | Cannot locate class [...] in the given search path and the Microsoft .NET Framework libraries | See: "Cannot locate class..." Errors |
1225 | Unable to locate the Microsoft .NET disassembler tool (ildasm) | See: "Unable to locate the Microsoft .NET disassembler tool (ildasm)..." Errors |
1227 | An exception occurred while trying to load the classpath archive [...] The file may be corrupt or unreadable. | See General Guidance above. |
1228 | The properties file [...] ends in a continuation marker. The file may be corrupt. | See General Guidance above. |
1230 | Ignoring file: [...] as the top level class [...] is already defined in: [...] | See General Guidance above. |
1232 | A format error or IO Exception prevented the class file at [...] from being read | See General Guidance above. |
1236 | Failed to translate the following aspx files into analysis model. | See General Guidance above. |
1237 | The following references to java symbols could not be resolved. | Some instances may be resolved by adjusting the classpath provided to Fortify, but that does not fix this issue in all instances. |
1343 | Function [...] is too complex for controlflow analysis and will be skipped. (time) | See: "Function...is too complex" Errors |
1364 | No rules files found | This has been seen in conjunction with specifying rulepacks on the command-line and may be related to that. Try using the default rulepacks to resolve this issue. |
1380 | Rule "[...]", line 15:86: Cannot compare types [...] | See General Guidance above. |
1389 | Internal error: Transformer [...] produced malformed NST. | See General Guidance above. |
1394 | Internal error: NST parameter list is malformed: [...] | See General Guidance above. |
1395 | Message:Misplaced closing tag [...] | This error likely does not affect the results of the scan, however it is recommended to check the referenced file to see if there are any misplaced HTML tags. |
1425 | Option "-source-base-dir" (or property "com.fortify.sca.SourceBaseDir") should be set when processing cfml files | Set -source-base-dir as recommended. |
1426 | The amount of memory allocated to Source Code Analysis Engine [...] appears to exceed the amount of physical memory available to applications [...] This may significantly degrade performance. | Decrease the amount of memory allocated to Fortify: How to increase memory for Fortify translation. |
1501 | Classpath entry [...] doesn't exist | Modify the classpath supplied to Fortify as needed to provide the correct class path (see Fortify SCA Guide Chapter 4). |
1551, 1552 | Multiple ColdFusion errors (Unable to resolve component, Couldn't locate function, Unexpected token, etc) | Can be related to using unsupported versions of ColdFusion. |
6001 | No files were excluded as the file patterns [...] specified for -exclude option did not match any files | This error does not affect the accuracy of the results, however it may mean some files were scanned that were meant to be excluded. |
10002 | Unable to parse T-SQL at [...] | See: How to scan PL/SQL on Windows. |
12002 | Could not locate the deployment descriptor (web.xml) for your web application. | See General Guidance above. |
12003 | Assuming Java source level to be 1.8 as it was not specified. Note that the default value may change in future versions. | Explicitly set the Java version using the -source or -jdk command line options. |
12004 | The Java frontend was unable to resolve the following include | See General Guidance above. |
12004 | The Python frontend was unable to resolve the following import | See General Guidance above. |
12004, 12006 | The ASP/VBScript frontend was unable to resolve the following include / You may need to define some Virtual Roots. | See: "The ASP/VBScript frontend was unable to resolve the following include..." Errors |
12004, 12010 | The ActionScript frontend was unable to resolve the following import | See: "The ActionScript frontend was unable to resolve the following import..." Errors |
12004 | The ruby frontend was unable to resolve the following require | See: "The ruby frontend was unable to resolve the following require..." Errors |
12007 | You may need to add some arguments to the -python-path argument to SCA | Try configuring the -python-path argument as suggested by Fortify. See the SCA Guide Chapter 9: Translating Python Code within the Fortify documentation. |
12013 | Cycle detected in type hierarchy. | See General Guidance above. |
12014 | Translation errors occurred during execution of .Net translator | Try scanning the code with the Fortify Visual Studio plugin which will ensure the scan is configured properly. If this does not resolve the issue, see the General Guidance above. |
12019 | The following references to java functions could not be resolved | First ensure the classpath is properly configured (see Fortify SCA Guide Chapter 4). If that does not resolve the problem, see the General Guidance above. |
12020 | The following classes were not found, but a suggestion of which jar file might contain the class is provided. | Modify the classpath supplied to Fortify to include the jar files which contain the listed classes. |
12022 | The class [...] could not be found on the classpath, but it was found in the jar provided by HPE Fortify [...] | Set the Java version explicitly, if not set, and modify the classpath supplied to Fortify to include the jar files indicated. If Fortify pulled in the correct version of the jar files then this can be considered not an issue but a readme file must be included explaining they are the correct versions. |
12030 | Different parents of duplicate classes folder | Resolve the multiple class definitions. Consider scanning the code into multiple FPR files, if appropriate. |
12041 | The Python frontend was unable to resolve import of the following optional modules [...] | Try configuring the -python-path argument as suggested by Fortify. See the SCA Guide Chapter 9: Translating Python Code within the Fortify documentation. |
12042 | Imports located inside try statements are considered as optional | See General Guidance above. |
13509 | Rulescript errors | This appears to be a Fortify bug. |
13553 | Type name 'int' unrecognized, possibly misspelled | See General Guidance above. |
13554 | lambda0' matched a primitive type 'void' instead of a lambda | See General Guidance above. |
13555 | Could not determine type of 'lambda [...]' for expression 'lambda' [...] | See General Guidance above. |
13556 | Could not find a method that implements the lambda for the type [...] | See General Guidance above. |
20175 | Could not find the definition of class [...] Please add it to the classpath | Try adding the referenced class to Fortify's classpath. See this technical note for information on configuring Fortify's command line arguments. |
20705 | Unresolved dependencies found during translation. | See General Guidance above. |
20706 | Invalid input files found during translation. | See General Guidance above. |
Additional Notes
Some error messages may be the result of issues in the Fortify tool. Confirmed issues, and how to handle them, are posted in the OIS Software Assurance Program Announcements Teams Channel, as well as this technical note on parsing/syntax errors. Confirmed Fortify issues are also noted in the table above.
If you are having trouble resolving a warning or error message, see our FAQ for information on opening a support ticket.
References
- See referenced technical notes