Delivered scan does not match previous submissions

Question

What does the Fortify scan issue “Delivered scan does not match previous submissions” mean, how can I detect it, and how can I fix it?

Answer

This scan issue indicates that there is a significant difference in the Fortify scan file(s), the zip(s) of scanned code, or both between the current review and the previous review of the application. There are many potential causes for this issue.

How to detect

Compare the current submission with the previous one: a significant change in the number or content of the Fortify scan file(s), or in the directory structure of the zip(s) of scanned code, is what triggers this issue.
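As an added example (not part of the original article or of Fortify itself), the following Python script performs that comparison on two submission bundles: it lists the entries of each zip, reports added, removed and changed files, counts the `.fpr` scan files, and flags the pair when the churn exceeds a threshold. The bundle layout (scan files inside the submission zip), the 25% threshold and the sample contents are all assumptions made for this example.

```python
import io
import zipfile


def zip_manifest(data):
    """Map each file entry in a zip to (uncompressed size, CRC32)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {i.filename: (i.file_size, i.CRC)
                for i in zf.infolist() if not i.is_dir()}


def compare_submissions(prev_zip, curr_zip, threshold=0.25):
    """Compare two submission bundles; 'flag' mirrors the scan issue."""
    prev, curr = zip_manifest(prev_zip), zip_manifest(curr_zip)
    added = sorted(set(curr) - set(prev))
    removed = sorted(set(prev) - set(curr))
    changed = sorted(p for p in set(prev) & set(curr) if prev[p] != curr[p])
    fpr_prev = sum(p.lower().endswith(".fpr") for p in prev)
    fpr_curr = sum(p.lower().endswith(".fpr") for p in curr)
    # Fraction of the previous bundle that was added, removed or altered
    # (threshold is an assumed value, not a Fortify setting).
    churn = (len(added) + len(removed) + len(changed)) / max(len(prev), 1)
    return {
        "added": added, "removed": removed, "changed": changed,
        "fpr_count": (fpr_prev, fpr_curr),
        "churn": round(churn, 3),
        "flag": churn > threshold or fpr_prev != fpr_curr,
    }


def build_zip(entries):
    """Constructed sample data: build an in-memory zip from {path: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, content in entries.items():
            zf.writestr(path, content)
    return buf.getvalue()


# Constructed bundles: the current one dropped a module and edited a file.
PREVIOUS = build_zip({
    "src/app/Main.java": b"class Main {}", "src/app/Util.java": b"class Util {}",
    "src/web/Login.java": b"class Login {}", "scan/app.fpr": b"fpr-v1",
})
CURRENT = build_zip({
    "src/app/Main.java": b"class Main {}", "src/app/Util.java": b"class Util { int x; }",
    "scan/app.fpr": b"fpr-v1",
})

if __name__ == "__main__":
    print(compare_submissions(PREVIOUS, CURRENT))
```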

How to resolve

The appropriate resolution depends on the reason for the detected differences:

  1. The full application must be delivered for each review. If only part of the application was delivered, resolve the issue by delivering the full application in this and every subsequent review.
  2. If a different application was delivered under the same Application ID, see the "Incorrect submission materials potentially provided" issue.
  3. If parts of the application are no longer being scanned, or a major structural change to the application may have caused this issue, include a readme file with future code review submissions describing the change and the reasons for it. Where possible and appropriate, also provide a mapping between the old structure and the new structure.

References