Third-party JavaScript libraries not scanned by Fortify

Question

Some JavaScript files in my project related to jQuery, AngluarJS, ES6, Bootstrap, or TypeScript are not being scanned. Why is this?

Answer

As of Fortify SCA version 18.20, by default, the following files are skipped during the scan:

AngularJS	ES6	jQuery	Bootstrap	TypeScript
angular.js angular.min.js angular-animate.js angular-aria.js angular_1_router.js angular-cookies.js angular-message-format.js angular-messages.js angular-mocks.js angular-parse-ext.js angular-resource.js angular-route.js angular-sanitize.js angular-touch.js	es6-shim.min.js system-polyfills.js shims_for_IE.js	jquery.js jquery.min.js jquery-migrate.js jquery-migrate.min.js jquery-ui.js jquery-ui.min.js jquery.mobile.js jquery.mobile.min.js jquery.color.js jquery.color.min.js jquery.color.svg-names.js jquery.color.svg-names.min.js jquery.color.plus-names.js jquery.color.plus-names.min.js jquery.tools.min.js	bootstrap.js bootstrap.min.js	typescript.js typescriptServices.js typescript.d.ts typescriptServices.d.ts

Also note that similar filenames that include version numbers like jquery-1.11.0.min.js may also be skipped.

The above files are defined in the following Fortify SCA properties:

com.fortify.sca.skip.libraries.AngularJS
com.fortify.sca.skip.libraries.ES6
com.fortify.sca.skip.libraries.jQuery
com.fortify.sca.skip.libraries.javascript
com.fortify.sca.skip.libraries.typescript

Since Fortify default settings now disable the scanning of these files, they will not be counted as a Scan Issue. However, as in the past, any third-party code that is scanned must also be audited. Note that changing these Fortify default settings so that other files are not scanned will result in a Scan Issue being reported for Source Code Not Scanned.

More information can be found in Chapter 6 of the Fortify SCA User Guide.

References

Micro Focus Security Fortify Static Code Analyzer User Guide, Chapter 6: Skipping Translation of JavaScript Library Files