How to view error messages reported by Fortify

Question

How do I determine if Fortify reported any error messages during the scan?

I received a report indicating there were scan errors. How do I view those error messages?

Answer

Fortify provides several methods to view the error messages that result from a scan:

  • When scanning from the command line, call sourceanalyzer with the -show-build-warnings option between the translation and scan calls:

      sourceanalyzer -b <build_id> -show-build-warnings
    
  • When scanning or viewing an FPR in Audit Workbench, enable the display of warnings by selecting Show View > Warnings from the Options menu in the top-level menu bar. Once enabled, the Warnings tab appears in the Issue Auditing View, located in the bottom center of the Audit Workbench screen, near the Audit, Details, and Recommendations tabs:

    [Screenshot: Fortify warnings tab]

    Note that the Micro Focus Security Fortify Audit Workbench User Guide provides more details on how to copy/save/export the warnings.

  • When using the Fortify plugin for Eclipse, enable the Warnings view from the Window menu by selecting Show View > Warnings. By default, the warnings appear in the bottom center row of tabs (near the Audit, Details and Recommendation tabs), similar to how they are displayed in Audit Workbench (see above).

  • When using the Fortify plugin for Visual Studio, warnings can be viewed in Fortify’s Project Summary window by selecting Analysis Information > Warnings.

  • The error and warning messages may be extracted directly from the FPR file with FPRUtility, a tool Fortify provides for this purpose. It is located in the bin directory of the Fortify installation directory (the same directory where sourceanalyzer is located). Run it as follows to extract the error messages:

      FPRUtility -information -errors -project <fpr_file> -f output.txt
    

When you have the list of errors, resolve them until no relevant errors remain. The page Troubleshooting Fortify Errors provides information on how to resolve common Fortify scanning errors. If there are no errors, the message “No warnings occurred during analysis” will be displayed.
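
One way to turn the FPRUtility extraction above into a pipeline check, so that a scan with unresolved errors does not pass unnoticed. This is an added example, not code from the original page or from Fortify. The function names, the allowlist file of already-triaged messages, and the assumptions that FPRUtility exits non-zero on failure and writes the "No warnings occurred during analysis" message into its -f output file are all illustrative:

```shell
#!/bin/sh
# Added example, not Fortify's own tooling. Only the FPRUtility command line and
# the no-warnings message come from the page; all names here are assumptions.
NO_WARNINGS_MSG='No warnings occurred during analysis'

# relevant_errors REPORT [ALLOWLIST]
# Print the report lines that still need attention. Blank lines are dropped, as
# is any line matching an extended regex from ALLOWLIST (one pattern per line).
relevant_errors() {
    if grep -qF "$NO_WARNINGS_MSG" "$1"; then return 0; fi
    patterns=
    if [ -n "${2:-}" ] && [ -f "$2" ]; then
        patterns=$(grep -v '^[[:space:]]*$' "$2" || true)
    fi
    if [ -n "$patterns" ]; then
        grep -v '^[[:space:]]*$' "$1" | grep -Ev -e "$patterns" || true
    else
        grep -v '^[[:space:]]*$' "$1" || true
    fi
}

# gate_report REPORT [ALLOWLIST]
# 0: nothing relevant remains; 1: unresolved errors; 2: report missing or empty
# (fail closed: per the page, a clean scan still reports the message above).
gate_report() {
    if [ ! -s "$1" ]; then
        echo "fortify: empty or missing error report: $1" >&2
        return 2
    fi
    remaining=$(relevant_errors "$1" "${2:-}")
    if [ -z "$remaining" ]; then return 0; fi
    echo "fortify: unresolved scan errors:" >&2
    printf '%s\n' "$remaining" >&2
    return 1
}

# check_fpr FPR [ALLOWLIST]: extract the errors from FPR and gate on them.
check_fpr() {
    out=$(mktemp) || return 2
    status=0
    if FPRUtility -information -errors -project "$1" -f "$out"; then
        gate_report "$out" "${2:-}" || status=$?
    else
        status=2
    fi
    rm -f "$out"
    return "$status"
}
```

In a pipeline step, `check_fpr <fpr_file> <allowlist_file> || exit 1` fails the job while relevant errors remain; keep the allowlist under review so it only holds messages that were actually triaged.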
