Incorrect scan policy was used

Question

What does the Fortify scan issue “Incorrect scan policy was used” mean, how can I detect it, and how can I fix it?

Answer

This scan issue indicates that the Fortify scan was performed using a scan policy other than classic. Other scan policies only look for a subset of the applicable vulnerabilities in the scanned application. Many issues are therefore not included in the results, including issues that may be of high priority.

Fortify is not currently using the classic scan policy as its default.

How to detect

Since the Fortify default scan policy is not set to the desired value, the scan policy must be set explicitly. To detect this issue, therefore, look at every place where the scan policy value may be set: a missing setting, or a value other than classic, indicates an issue.

Setting the scan policy may be done either on the command line or via Fortify properties. Both of these places may be checked by using Audit Workbench or the Fortify plugin for your IDE:

  1. Open the Project Summary. If it is not already open, it can be opened using Tools -> Project Summary.

  2. Select the Analysis Information tab.

  3. Select the Commandline Arguments sub-tab.

    Analysis information tab with the Commandline Arguments sub-tab selected

  4. Check for the -scan-policy or -sc option. The policy may also be set as a property on the command line: -Dcom.fortify.sca.ScanPolicy=classic
    • If it is present and set to classic, this is likely not an issue.
    • If it is set to a value other than classic, this is an issue.
    • If it is not present, continue on and look at the properties.

  5. Select the Properties sub-tab in the Analysis Information tab.

    Analysis information tab with the Commandline Arguments sub-tab selected

  6. Check for the com.fortify.sca.ScanPolicy property.
    • If it is present and set to classic, this is likely not an issue.
    • If it is set to a value other than classic, this is an issue.
    • If it is not present, this is an issue.
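The same checks done non-interactively, as an added example that is not part of Fortify or of this note: a POSIX shell function that inspects a sourceanalyzer command line (the -scan-policy/-sc option and the -Dcom.fortify.sca.ScanPolicy property) and a Fortify properties file, and reports classic, a different policy, or no policy at all. The precedence between the three places and the sample policy values used for the demonstration are assumptions.

```shell
#!/bin/sh
# Added example (not Fortify's own tooling): classify a sourceanalyzer scan
# invocation by the scan policy it sets, mirroring the manual checks above.
# $1 = the sourceanalyzer command line as one string
# $2 = path to a Fortify properties file (optional; may not exist)
# Prints one of: classic | other:<value> | missing
# Assumed precedence: -scan-policy/-sc option, then the -D property on the
# command line, then the properties file.
check_scan_policy() {
    cmdline=$1
    propfile=$2

    # 1. -scan-policy <value> or -sc <value> on the command line
    policy=$(printf '%s\n' "$cmdline" | awk '{
        for (i = 1; i < NF; i++)
            if ($i == "-scan-policy" || $i == "-sc") { print $(i + 1); exit }
    }')

    # 2. -Dcom.fortify.sca.ScanPolicy=<value> on the command line
    if [ -z "$policy" ]; then
        policy=$(printf '%s\n' "$cmdline" | awk '{
            for (i = 1; i <= NF; i++)
                if (index($i, "-Dcom.fortify.sca.ScanPolicy=") == 1) {
                    sub(/^[^=]*=/, "", $i); print $i; exit
                }
        }')
    fi

    # 3. com.fortify.sca.ScanPolicy=<value> in the properties file (last one wins)
    if [ -z "$policy" ] && [ -n "$propfile" ] && [ -f "$propfile" ]; then
        policy=$(grep -E '^[[:space:]]*com\.fortify\.sca\.ScanPolicy[[:space:]]*=' "$propfile" \
            | tail -n 1 | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//')
    fi

    case "$policy" in
        "")       echo "missing" ;;        # set nowhere: an issue
        classic)  echo "classic" ;;        # the expected value
        *)        echo "other:$policy" ;;  # a narrower policy: an issue
    esac
}

# Constructed sample properties file for the demonstration below.
DEMO_PROPS=$(mktemp)
printf 'com.fortify.sca.ScanPolicy = devops\n' > "$DEMO_PROPS"

check_scan_policy "sourceanalyzer -b myapp -scan-policy classic -scan" ""
check_scan_policy "sourceanalyzer -b myapp -Dcom.fortify.sca.ScanPolicy=security -scan" ""
check_scan_policy "sourceanalyzer -b myapp -scan" "$DEMO_PROPS"
check_scan_policy "sourceanalyzer -b myapp -scan" ""
```

Run it against the actual build script and fortify-sca.properties used by the pipeline; anything other than classic is the condition this issue flags.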

How to resolve

By default, Fortify is not currently using the classic scan policy, so it must be set explicitly as part of the scan process. See this technical note for details on how to set the scan policy.
