When Fortify does not support the programming language version used

Question

How do I scan my application with Fortify Static Code Analyzer (SCA) and submit it for a V&V secure code review if Fortify does not support the programming language version my application uses?

Answer

If the application is written in a newer version of a programming language than the current Fortify release supports, Fortify will still produce meaningful results and will still successfully scan the majority of the application source code. The results of the scan in these cases are considered reliable and cover the source code that was successfully scanned (usually most of the application source code). Only portions of the source code that use features of the unsupported language version will produce errors, and such errors will not be held against the application or block the VA code review authorization process.

The resulting FPR should be audited and can be submitted for a V&V secure code review. A readme file should be included with the V&V secure code review submission materials that provides the programming language version in use, the version supported by Fortify, a list of the scan errors, and a list of the files not scanned because of the unsupported language version. Scan errors or unscanned files that are due to the unsupported language version will not be held against passing the review.

Note that other scan errors or warnings not related to the unsupported programming language version must still be resolved. See Troubleshooting Fortify Errors for help resolving other scan issues.

Additional Details

Fortify publishes the versions of the programming languages it supports in the Fortify Software System Requirements document (see the Supported Languages section of the Fortify Static Code Analyzer Requirements chapter), available in the Docs directory of the Fortify SCA distribution.

The VA Software Assurance team has encountered the unsupported version issue with applications written in Ruby and ColdFusion. Fortify SCA currently supports version 1.9.3 of Ruby and versions 8, 9, and 10 of ColdFusion. Many applications use newer versions of these programming languages.

An indication that the programming language version is not supported is that Fortify reports errors during the scan such as “Unexpected Exception while parsing file…”. When this happens, developers should take the steps outlined in File parsing or Syntax errors. If the debug logs do not indicate how to fix the error, check that the programming language version in use is supported by Fortify.
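The following is an added example, not part of the original article or of Fortify, that ties the two points above together: it pulls the "Unexpected Exception while parsing file" entries out of a scan log and produces the file list and version information the readme requires, while separating out any other errors that still have to be resolved. The log line format and the sample log are constructed assumptions; adjust the regular expression to match your actual sourceanalyzer output.

```python
"""Build the V&V readme's unscanned-file list from a Fortify scan log (added example)."""
import re

# Constructed sample log; the message wording follows the article, the line layout is assumed.
SAMPLE_LOG = """\
[warning]: Unexpected Exception while parsing file /src/app/models/user.rb
[warning]: Unexpected Exception while parsing file /src/app/services/payment.rb
[error]: Unable to resolve classpath entry /lib/missing.jar
[warning]: Unexpected Exception while parsing file /src/app/models/user.rb
"""

# Matches the parse-failure message and captures the file path that follows it.
PARSE_ERR = re.compile(r"Unexpected Exception while parsing file\s+(\S+)")


def unscanned_files(log_text):
    """Distinct files Fortify failed to parse, in first-seen order (duplicates dropped)."""
    seen = []
    for line in log_text.splitlines():
        match = PARSE_ERR.search(line)
        if match and match.group(1) not in seen:
            seen.append(match.group(1))
    return seen


def other_errors(log_text):
    """Non-empty log lines that are NOT parse failures; these must still be resolved."""
    return [l for l in log_text.splitlines() if l.strip() and not PARSE_ERR.search(l)]


def build_readme(log_text, language, version_in_use, version_supported):
    """Render the readme text the submission requires: versions, errors, unscanned files."""
    files = unscanned_files(log_text)
    lines = [
        f"Language: {language}",
        f"Version in use: {version_in_use}",
        f"Version supported by Fortify SCA: {version_supported}",
        "",
        f"Files not scanned due to unsupported language version ({len(files)}):",
    ]
    lines += [f"  - {f}" for f in files]
    lines += ["", "Scan errors attributed to the unsupported language version:"]
    lines += [f"  - {l}" for l in log_text.splitlines() if PARSE_ERR.search(l)]
    return "\n".join(lines)


if __name__ == "__main__":
    # Ruby 1.9.3 is the supported version named in the article; "2.x" is a constructed value.
    print(build_readme(SAMPLE_LOG, "Ruby", "2.x (constructed)", "1.9.3"))
    print("\nOther errors still to resolve:", *other_errors(SAMPLE_LOG), sep="\n  ")
```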
