Cannot determine what source code provided corresponds to source code scanned

Question

What does the Fortify scan issue “Cannot determine what source code provided corresponds to source code scanned” mean, how can I detect it, and how can I fix it?

Answer

This scan issue indicates that there were problems comparing the scanned source code to the delivered source code because the directory structures of the two do not match. This makes it difficult to determine whether the scan meets the requirement that the correct source was scanned.

How to detect

Detect this issue by comparing the code to be delivered with the code that Fortify scanned. The following steps may be performed to compare the two sets of code:

  1. Export the code from the FPR file; the extracted files are the ones that were scanned

    1. Open the FPR in Audit Workbench

    2. Select the Tools -> Extract Source Code menu item

    3. Select the folder to export the code to

  2. Compare the extracted code to the source code distribution supplied as part of the secure code review package. You can use WinMerge, diff, or another appropriate application.

    1. Check that the directory structure, and the location of each file within it, is the same in both versions of the code. They should match; if they differ greatly, the reviewer will likely be unable to compare the two.
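As an added example (not part of the original answer), the script below performs the comparison from step 2 programmatically: it walks the folder exported from the FPR and the delivered distribution, reports files present on only one side, files at the same path with different content, and files whose content matches but which sit at a different location in the tree (the classic symptom of this issue). The two small trees it builds are constructed to reproduce the symptom; the folder names and the "relocated" heuristic are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path


def _files(root):
    """Map relative POSIX path -> SHA-256 of content for every file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def compare_trees(scanned_dir, delivered_dir):
    """Compare the tree extracted from the FPR against the delivered source tree."""
    scanned, delivered = _files(scanned_dir), _files(delivered_dir)
    only_scanned = set(scanned) - set(delivered)
    only_delivered = set(delivered) - set(scanned)
    changed = {p for p in scanned.keys() & delivered.keys() if scanned[p] != delivered[p]}
    # Same content, different path: the file was moved between scan and delivery.
    by_hash = {}
    for p in only_delivered:
        by_hash.setdefault(delivered[p], []).append(p)
    relocated = {p: sorted(by_hash[scanned[p]]) for p in only_scanned if scanned[p] in by_hash}
    total = len(set(scanned) | set(delivered))
    mismatch = (len(only_scanned) + len(only_delivered) + len(changed)) / total if total else 0.0
    return {"only_scanned": sorted(only_scanned), "only_delivered": sorted(only_delivered),
            "changed": sorted(changed), "relocated": relocated, "mismatch_ratio": mismatch}


def run_demo():
    """Build two constructed trees that reproduce the issue and compare them."""
    base = Path(tempfile.mkdtemp())
    files = {
        "scanned/src/App.java": "class App {}",
        "scanned/src/Cfg.java": "class Cfg {}",
        "scanned/src/util/Db.java": "class Db {}",
        "delivered/src/main/java/App.java": "class App {}",          # same file, moved
        "delivered/src/Cfg.java": "class Cfg {}",                    # identical
        "delivered/src/util/Db.java": "class Db { /* patched */ }",  # content differs
        "delivered/README.md": "delivered only",                     # never scanned
    }
    for rel, text in files.items():
        (base / rel).parent.mkdir(parents=True, exist_ok=True)
        (base / rel).write_text(text)
    return compare_trees(base / "scanned", base / "delivered")


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Point compare_trees() at the folder exported in step 1 and at the delivered distribution; a high mismatch_ratio or a non-empty relocated map is the signal that the directory structures diverge.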

How to resolve

If the directory structure or the location of files differs greatly between the scanned and delivered source code, the difference must be resolved. Either the code must be rescanned to match the delivered code, or the delivered source code must be modified to match the scanned code. The appropriate action depends on which version will be the production version of the code.
