How to scan TypeScript files

Question

My application includes TypeScript code, but it is not being scanned. How do I scan TypeScript code with Fortify?

Answer

Fortify scans TypeScript code in a manner similar to other languages, including JavaScript. However, in some applications the VA Software Assurance Program Office has observed that, while other languages are scanned using the standard scanning methods (e.g., IDE plugin, command-line tools, Scan Wizard, Audit Workbench), the TypeScript code in the application is not scanned. You can determine whether the TypeScript code was scanned by following this technical note on detecting code that was not scanned.

If the TypeScript code in the application is not scanned, it is recommended to scan it independently from the rest of the application and create a separate .fpr scan file that can then be separately audited and submitted for code review. This can be done from the command line as follows:

sourceanalyzer -b buildid clean
sourceanalyzer -b buildid "<path_to_code_root>/**/*.ts"
sourceanalyzer -b buildid -scan -f results.fpr

Note: the file pattern is enclosed in quotes so that sourceanalyzer expands the ** wildcard itself. If the shell expands it instead, shells without recursive globbing treat ** as a single *, and only .ts files one directory below the code root are translated.
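The following script is an added example, not part of the original note and not Fortify's or the VA program office's own tooling. It wraps the three command-line steps above and, between the translation and scan phases, checks that the build actually contains TypeScript sources, which is the simplest way to confirm the .ts code will be present in the resulting .fpr. It assumes sourceanalyzer is on PATH and that the -show-files option prints one translated file path per line (both labelled as assumptions in the code); the function names scan_typescript and count_ts_files are the author's own.

```shell
#!/bin/sh
# Added example (not from the original note). Assumptions:
#   - sourceanalyzer is on PATH
#   - `sourceanalyzer -b <id> -show-files` prints one translated path per line

# Read a file list on stdin and print "<source count> <declaration count>".
# *.d.ts declaration files are counted separately: they carry type
# information only, so a build made up solely of them has no logic to audit.
count_ts_files() {
    awk '/\.d\.ts$/ { d++; next } /\.ts$/ { s++ } END { printf "%d %d\n", s+0, d+0 }'
}

# scan_typescript <build_id> <path_to_code_root> [output.fpr]
scan_typescript() {
    build_id="$1"
    code_root="$2"
    out_fpr="${3:-results.fpr}"

    # Step 1: start from an empty build session.
    sourceanalyzer -b "$build_id" clean

    # Step 2: translate the TypeScript files. The pattern is quoted so that
    # sourceanalyzer, not the shell, expands "**" recursively.
    sourceanalyzer -b "$build_id" "$code_root/**/*.ts"

    # Check: what did the translation phase actually pick up?
    counts=$(sourceanalyzer -b "$build_id" -show-files | count_ts_files)
    src_count=${counts%% *}
    decl_count=${counts##* }
    echo "translated: $src_count TypeScript sources, $decl_count declaration files" >&2
    if [ "$src_count" -eq 0 ]; then
        echo "no TypeScript sources were translated; check the code root and pattern" >&2
        return 1
    fi

    # Step 3: run the analysis and write the separate .fpr for audit.
    sourceanalyzer -b "$build_id" -scan -f "$out_fpr"
    [ -s "$out_fpr" ]
}

# Run only when invoked directly with SCAN_TS_MAIN=1, e.g.:
#   SCAN_TS_MAIN=1 sh scan_ts.sh myapp-ts /path/to/app ts-results.fpr
if [ "${SCAN_TS_MAIN:-0}" = "1" ]; then
    scan_typescript "$@"
fi
```

The zero-source check is the part worth keeping even if the rest is typed by hand: a scan phase run against an empty build session completes without error and produces an .fpr with no TypeScript findings, which is exactly the silent failure the note describes.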
