Command or options used for translation phase not provided

Question

What does the Fortify scan issue “Command or options used for translation phase not provided” mean, how can I detect it, and how can I fix it?

Answer

This scan issue indicates that the developer either omitted information from the code review validation PDF request form or provided incorrect information. The “Fortify build tool(s) used” section of the form asks the developer to mark which tool or tools were used to perform the scan and, where appropriate for the tool, to provide the command-line options used for the translation phase of the scan. If the scan wizard or build integration is used, the files used to perform the scan should be provided separately. This information is used during the review, together with other analysis and information, to determine whether the scan was performed correctly.

Note that this scan issue is only reported for informational purposes and not counted against passing a review.

How to detect

This issue is detected by examining the validation request form and checking that the tool used to perform the scan is selected and that either the command-line options used for the translation phase of the scan or the files used to perform the scan are provided. If this field is not filled in, or the required scan information is not provided, this issue will be reported. Please note that the command-line options for the translation phase are needed, not those for the scan or analysis phase (the phase whose command line includes -scan).

How to resolve

This issue is resolved by providing all the requested information in this section of the VA Application Security Testing Validation Request Form.

  1. Select the tool used to perform the scan from the list provided. Note that this is only for the tool used to run the scan. If Audit Workbench is only used to view the results of the scan, it should not be selected. This technical note provides recommendations about the tools available.

  2. If scanning from the command-line or Audit Workbench, provide the translation phase command-line options in the text box provided in the PDF code review validation request form. The following technical note shows how to access the translation phase options: Entering command-line arguments into Audit Workbench (see specific instructions for Visual Studio or Eclipse users below). Be sure you provide the translation phase options, not the scan or analysis phase options.

  3. If scanning using the scan wizard, build environment integration, or custom scripts, please provide the scripts or build files that are used to perform the scan along with the other materials included in the code review validation submission package.

  4. If scanning using the Fortify Eclipse Plugin, it is generally not possible to view the entire set of translation commands that Fortify uses. In this case, it is only required that the developer provide any additional commands that they added to the scan as described in this technical note. If no additional commands were added, please state that in the PDF code review validation request form.

  5. If scanning using the Fortify Visual Studio Plugin, the translation commands can generally be found in a file (or files) referenced in the console Output pane of Visual Studio while the scan is running. Fortify will likely indicate that an external file was generated that contains the commands, in one of the two following formats:

    1. If the Visual Studio console output references a *_Build.txt file: This file can usually be found in the AppData directory (in Windows environments). If this is the case, please include this file (or files) in your code review submission package. The following message (or similar) may be displayed which indicates the location of the file:

      Output:

       Running: TRANSLATE : @"C:\Users\<username>\AppData\Local\Fortify\VS<version>\<application_name>\<application_name>_Build.txt"
      
    2. If the Visual Studio console output references a *.rsp file: This file can also be found in the AppData directory (in Windows environments). If this is the case, please include this file (or files) in your code review submission package, as well as the console output itself. The following message (or similar) may be displayed which indicates the location of the file, and this output should be included with the submission package along with the *.rsp file(s):

      Output:

       Running SCA translation: C:\Program Files\Fortify\<Fortify_version>\bin\sourceanalyzer.exe
       -Xss16M -machine-output -b <solution_name>.sln @"C:\Users\<username>\AppData\Local\Fortify\<Fortify_version>\build\<solution_name>.sln\scratch\MSBuildPlugin\<project_name>.rsp"
      
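As an added example (not part of the original technical note), the Python helper below reads a captured Visual Studio console output, recognises the two translation-phase message formats shown above, ignores analysis-phase lines (those carrying -scan), and lists the *_Build.txt / *.rsp files to include in the submission package. The sample console output, the user name, the version strings and the "Running: SCAN" line are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of Visual Studio console output (not real Fortify output).
# It mirrors the two message formats shown above plus one analysis-phase line.
SAMPLE_OUTPUT = r"""
Running: TRANSLATE : @"C:\Users\jdoe\AppData\Local\Fortify\VS2019\MyApp\MyApp_Build.txt"
Running SCA translation: C:\Program Files\Fortify\SCA_21.1\bin\sourceanalyzer.exe
 -Xss16M -machine-output -b MyApp.sln @"C:\Users\jdoe\AppData\Local\Fortify\SCA_21.1\build\MyApp.sln\scratch\MSBuildPlugin\MyApp.csproj.rsp"
Running: SCAN : sourceanalyzer.exe -b MyApp.sln -scan -f MyApp.fpr
"""

# Matches a response file referenced as @"<path>" on a console line.
RESPONSE_FILE_RE = re.compile(r'@"([^"]+)"')

def classify_line(line):
    """Return 'translation', 'scan', or None for one console output line.
    A command carrying the -scan flag belongs to the analysis phase, which
    the validation form does not ask for."""
    if "-scan" in line.split():
        return "scan"
    if "TRANSLATE" in line or "SCA translation" in line:
        return "translation"
    return None

def extract_translation_files(console_output):
    """Collect (kind, path) for every *_Build.txt or *.rsp file referenced
    by a translation-phase line or its indented continuation lines."""
    results = []
    current_phase = None
    for raw in console_output.splitlines():
        line = raw.strip()
        if not line:
            continue
        phase = classify_line(line)
        if phase is not None:
            current_phase = phase        # continuation lines keep the phase
        if current_phase != "translation":
            continue
        for path in RESPONSE_FILE_RE.findall(line):
            name = PureWindowsPath(path).name.lower()
            if name.endswith("_build.txt"):
                results.append(("build_txt", path))
            elif name.endswith(".rsp"):
                results.append(("rsp", path))
    return results

def package_items(files):
    """Items to add to the submission package: each referenced file, plus the
    console output itself whenever an .rsp file is referenced (see step 5.2)."""
    items = [path for _, path in files]
    if any(kind == "rsp" for kind, _ in files):
        items.append("Visual Studio console output")
    return items
```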

References