How to troubleshoot Fortify not scanning some files in a project

Question

Why is Fortify not scanning some files in my project?

Answer

There are a number of reasons Fortify may not be scanning some files that you expect it to scan. First, check that the project, solution, sourceanalyzer command line or selected files actually include the files to be scanned. If the file is included, one of the following may be the reason:

  • There was an error parsing the file: some parsing errors cause the file not to be parsed and therefore not scanned. Look at the error messages reported by Fortify and check whether any of them occur in the files that were not scanned. If this is the cause, the resolution is the same as for any other parsing or syntax error. Additionally, include a document with the review package that states which files were not scanned because of parsing errors, so that they are not overlooked during the review.

    Note that we have seen occasional instances where parsing errors are not reported to the user. In these cases, generate a log file (see How to create a Fortify log file) to find the parsing errors. If parsing errors are reported in the log file, handle them in the same manner as any other parsing errors.

  • The file was empty: When Fortify encounters an empty code file or a file containing an empty class, “It shows in the translate as building line numbers, but it will not be included in the scan because when we build the NST’s there is nothing to include since the class is empty (and thus the whole file).” (Quote from Fortify technical support). If you have empty files or classes that Fortify does not show as scanned, include a file with your V&V validation package that lists the files that were not scanned, with an explanation that they (or the class they contain) are empty and that Fortify therefore does not scan them.

Additional note for Visual Studio projects: if files are not being scanned, confirm that they are actually part of the solution and not just remnants left over in the project directory. Search for the files in the Visual Studio Solution Explorer to verify that they belong to the solution.
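As an added example (not from this article or from Fortify), a small Python triage script for the checks above: it compares the project's source files with the list that `sourceanalyzer -b <build_id> -show-files` reports as translated, and labels each missing file as an empty file, an empty class (a heuristic of the example, not how Fortify decides), or a candidate for a parse error to look up in the translation log. The sample project and translated-file list are constructed; `-show-files` is a real sourceanalyzer option, while every function name here belongs to the example.

```python
"""Triage of files missing from a Fortify translation (added example, not Fortify code).
Compares the project's sources with what `sourceanalyzer -b <build_id> -show-files`
lists and labels each gap with a cause from this article, ready for the V&V listing."""
import re
from typing import Dict, Iterable, List, Tuple

_COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*", re.S)
_NOISE_LINE_RE = re.compile(r"^\s*(package|import|using)\b.*$", re.M)
# Heuristic on whitespace-free code: optional C# namespace wrapper, modifiers, one
# type declaration (Java extends/implements fold into \w+) with an empty body.
_EMPTY_TYPE_RE = re.compile(
    r"^(namespace[\w.]+[{;])?"
    r"(public|internal|private|protected|static|final|abstract|sealed|partial)*"
    r"(class|struct|interface)\w+(<[\w,.]+>)?(:[\w,.<>]+)?\{\}\}?;?$"
)

def classify_source(text: str) -> str:
    """Why a file may yield no NST: 'empty-file', 'empty-class' or 'unknown'.
    'unknown' means: look for a parse error on this file in the translation log."""
    if text.strip() == "":
        return "empty-file"
    code = _NOISE_LINE_RE.sub("", _COMMENT_RE.sub("", text))
    return "empty-class" if _EMPTY_TYPE_RE.match(re.sub(r"\s+", "", code)) else "unknown"

def triage_unscanned(project_files: Dict[str, str],
                     translated: Iterable[str]) -> List[Tuple[str, str]]:
    """project_files maps path -> contents; translated is the -show-files output.
    Paths are compared after normalizing separators, so feed both lists relative
    to the same root. Returns (path, reason) for every file Fortify did not translate."""
    def norm(p: str) -> str: return p.replace("\\", "/")
    seen = {norm(p) for p in translated}
    return [(path, classify_source(text))
            for path, text in sorted(project_files.items())
            if norm(path) not in seen]

# Constructed sample project and -show-files output, not from a real build.
SAMPLE_PROJECT = {
    "src/Order.java": "package app;\npublic class Order {\n  int id;\n}\n",
    "src/Empty.java": "",
    "src/Marker.java": "package app;\n/* TODO */\npublic class Marker {\n}\n",
    "src/Util.cs": "namespace App.Core {\n  public class Util { }\n}\n",
    "src/Broken.java": "package app;\npublic class Broken {\n  void f( {\n}\n",
}
SAMPLE_TRANSLATED = ["src/Order.java"]

if __name__ == "__main__":
    for path, reason in triage_unscanned(SAMPLE_PROJECT, SAMPLE_TRANSLATED):
        print(f"{path}: {reason}")
```

Files labelled `unknown` are the ones to cross-check against the Fortify error output or log file, since a parse failure is the remaining cause the article lists.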
