Code scanned but not delivered

Question

What does the Fortify scan issue “Code scanned but not delivered” mean, how can I detect it, and how can I fix it?

Answer

This scan issue indicates that code files were included in the Fortify scan but not included in the delivered code. When source code files are scanned but not included in the distribution package, it is unclear whether the findings associated with those extra files need to be analyzed and remediated, or whether the files were simply omitted from what was delivered and planned for production.

How to detect

Detect this issue by comparing the code to be delivered with the code that was scanned by Fortify. This confirms both that all of the delivered source code was scanned and that the version scanned is the version that will be deployed. The following steps may be performed to compare the two sets of code:

  1. Export the code from the FPR file - this will correspond to the code files that were scanned

    1. Open the FPR in Audit Workbench

    2. Select the Tools -> Extract Source Code menu item

    3. Select the folder to export the code to

  2. Compare the extracted code to the source code distribution supplied as part of the secure code review package. You can use WinMerge, diff, or another appropriate comparison tool.

    1. Look for source code files in the scanned files that are not in the distribution package.

    2. Note that Fortify often generates a number of intermediate files and usually places them in a folder separate from the scanned source code. For example, Fortify will often extract the JavaScript from a given HTML file, scan it, and store that code in a file named <original filename>.html.js (potentially in a temp or user directory). These intermediate files do not need to be delivered as part of a code review submission package.
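The comparison in step 2 can be automated. The script below is an added example written for this page; it is not Fortify's tooling or part of the original answer. It indexes two directory trees (the code extracted from the FPR and the delivery package), reports files that were scanned but not delivered, files delivered but never scanned, and files present in both whose contents differ (a version mismatch), and it sets aside Fortify intermediate files, which it assumes can be recognised by the `.html.js` suffix described above. The sample file trees are constructed inline so the script runs stand-alone; point `compare_trees` at real extracted and delivered folders to use it on an actual review package.

```python
import hashlib
import tempfile
from pathlib import Path

# Suffixes of Fortify-generated intermediate files, e.g. page.html.js holding the
# JavaScript extracted from page.html. Assumption: this suffix is the only marker
# needed; extend the tuple if a scan produces other intermediate artifacts.
INTERMEDIATE_SUFFIXES = (".html.js",)


def is_intermediate(rel_path):
    """True when a scanned file is a Fortify-generated intermediate, not source."""
    return rel_path.endswith(INTERMEDIATE_SUFFIXES)


def file_digest(path):
    """SHA-256 of a file, read in chunks so large sources do not load fully into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def index_tree(root):
    """Map each regular file under root, as a relative POSIX path, to its digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in root.rglob("*") if p.is_file()}


def compare_trees(scanned_dir, delivered_dir):
    """Compare the code extracted from the FPR with the delivery package.

    Returns four sorted lists keyed by category. 'scanned_not_delivered' is the
    condition this page describes; 'content_differs' catches the case where the
    same file was delivered in a different version from the one scanned.
    """
    scanned = index_tree(scanned_dir)
    delivered = index_tree(delivered_dir)
    missing = [p for p in scanned if p not in delivered]
    return {
        "scanned_not_delivered": sorted(p for p in missing if not is_intermediate(p)),
        "fortify_intermediate": sorted(p for p in missing if is_intermediate(p)),
        "delivered_not_scanned": sorted(p for p in delivered if p not in scanned),
        "content_differs": sorted(p for p in scanned
                                  if p in delivered and scanned[p] != delivered[p]),
    }


def build_sample_trees(base):
    """Constructed sample data (not from a real scan) covering each category."""
    scanned = Path(base) / "extracted_from_fpr"
    delivered = Path(base) / "delivery_package"
    files = {
        scanned / "src/App.java": "class App {}\n",
        scanned / "src/Util.java": "class Util { int v = 1; }\n",
        scanned / "src/Debug.java": "class Debug {}\n",              # scanned only
        scanned / "web/index.html": "<html></html>\n",
        scanned / "web/index.html.js": "// extracted by Fortify\n",  # intermediate
        delivered / "src/App.java": "class App {}\n",
        delivered / "src/Util.java": "class Util { int v = 2; }\n",  # differs
        delivered / "web/index.html": "<html></html>\n",
        delivered / "README.md": "release notes\n",                  # delivered only
    }
    for path, text in files.items():
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)
    return str(scanned), str(delivered)


def run_demo():
    """Build the constructed trees in a temp directory and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        scanned, delivered = build_sample_trees(tmp)
        return compare_trees(scanned, delivered)


if __name__ == "__main__":
    for category, paths in run_demo().items():
        print(f"{category}:")
        for p in paths:
            print(f"  {p}")
```

Anything listed under `scanned_not_delivered` or `content_differs` needs one of the resolutions below; `fortify_intermediate` entries are expected and can be ignored, while `delivered_not_scanned` points at code that was never covered by the scan at all.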

How to resolve

For any code files that were scanned but not delivered, perform one or more of the following, as appropriate:

  • Rescan the code and remove files that should not be in the production build
  • Deliver the code that was scanned
  • Include a file with the code review package that indicates why there is a discrepancy
