Quick scan mode used

Question

What does the Fortify scan issue “Quick scan mode used” mean, how can I detect it, and how can I fix it?

Answer

This scan issue indicates that Fortify was run in quick scan mode. Quick scan mode only looks for a subset of the applicable vulnerabilities in the scanned application. Many issues are therefore not included in the results, including issues that may be of critical or high priority.

How to detect

Quick scan mode can be enabled on the command line or via Fortify properties, but it is most likely to show up on the command line. To look at the command line, open the Project Summary in Audit Workbench or your IDE, select the Analysis Information tab and then the Commandline Arguments sub-tab:

Analysis information tab with the Commandline Arguments sub-tab selected

On the command line, look for any of the following options that indicate that quick scan mode was enabled:

  • -quick

  • -Dcom.fortify.sca.QuickScanMode=true

Properties may be viewed in the properties sub-tab in the Project Summary. The property com.fortify.sca.QuickScanMode is used to enable quick scan mode.
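As an added example (not part of the original article and not Fortify's own tooling), the following Python function applies the checks above to a captured command line and a fortify-sca.properties excerpt, both constructed samples; it assumes that a -D property on the command line overrides the same key in the properties file.

```python
import shlex

QUICK_FLAG = "-quick"
QUICK_PROP = "com.fortify.sca.QuickScanMode"


def parse_properties(text):
    """Minimal Java .properties parser: key=value lines, '#' or '!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def quick_scan_enabled(command_line, properties_text=""):
    """Return (enabled, evidence): whether quick scan mode was on and which
    settings show it. Precedence is an assumption, not documented on the page:
    a -D property on the command line overrides the properties file, and the
    bare -quick flag enables quick scan regardless of either property."""
    evidence = []
    file_value = parse_properties(properties_text).get(QUICK_PROP)
    cmd_value = None
    flag_seen = False
    for arg in shlex.split(command_line):
        if arg == QUICK_FLAG:
            flag_seen = True
            evidence.append(f"command line: {arg}")
        elif arg.startswith(f"-D{QUICK_PROP}="):
            cmd_value = arg.split("=", 1)[1]
            if cmd_value.lower() == "true":
                evidence.append(f"command line: {arg}")
    effective = cmd_value if cmd_value is not None else file_value
    prop_on = effective is not None and effective.lower() == "true"
    if prop_on and cmd_value is None:
        evidence.append(f"properties file: {QUICK_PROP}={file_value}")
    return flag_seen or prop_on, evidence


# Constructed samples, not taken from a real scan.
CLEAN_CMD = "sourceanalyzer -b myproject -scan -f results.fpr"
QUICK_CMD = "sourceanalyzer -b myproject -scan -quick -f results.fpr"
QUICK_PROPS = "# constructed fortify-sca.properties excerpt\n" + QUICK_PROP + "=true\n"
```

Paste the argument string shown in the Commandline Arguments sub-tab as `command_line`; a non-empty evidence list names the setting that has to be removed before rescanning.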

How to resolve

Fortify does not use quick scan mode by default. Quick scan only runs when it is explicitly enabled, either in the Audit Workbench or IDE options dialog, on the command line, or in the properties configuration. Resolve this issue by removing any explicit enabling of quick scan mode and rescanning the application. Note that in Audit Workbench, the default scan settings should also be used.
