Scan was not performed correctly

Question

What do the Fortify scan issues “Scan was not performed correctly”, “Scan may have not been performed correctly”, and “Scan performed incorrectly for the programming language in use” mean, how can I detect it, and how can I fix it?

Answer

These scan issues indicate that the developer performed the scan in a manner that may have led to incorrect results. Fortify must be able to build the application, so it is critical to choose a tool and use it in a manner that correctly builds the application. These scan issues are based on information provided in the VA Secure Code Review Validation Request Form and on other scan issues found as part of the review. If there is a likely link between the way the scan was performed and the errors detected, this issue is counted against passing the review. If there is no likely link, but there may be a better way to perform the scan, the finding is provided for informational purposes only.

How to detect

Fortify provides a variety of command-line, GUI, and build environment tools to scan an application. Make sure you are using a recommended tool for the language and environment used for the application. If you are using a recommended tool, then look for other common scan issues such as scan errors or files not scanned. If any of these can be resolved by adjusting how the scan is performed, then this is likely an issue that must be resolved.

How to resolve

There are several steps that should be considered when resolving this issue:

  1. Use a recommended tool for the language and environment. Tools are recommended based on being appropriate for each language, ease of getting a correct scan, and repeatability of the scan. If the application is built with Eclipse or Visual Studio, the Fortify plugins for those programs should be used to conduct the scan, which decreases the likelihood of scan issues. If the application is written in a compiled language, integrating the scan into the build environment also greatly increases Fortify’s ability to build the code correctly before it performs the scan.
  2. If errors are reported, they may be resolved by adjusting how the tool is scanning the code. For example, if scanning Java and classes are not found, the classpath used for the translation phase of the scan most likely must be adjusted. Some errors provide additional information indicating that command-line options are missing; that information should be followed. The Software Assurance Program Office provides information on resolving many common error codes.
  3. Many other issues may result from incorrectly scanning an application. Make sure that your scan does not contain any of the other common Fortify scan issues or other issues covered in these technical notes.
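As an added example (not part of this technical note or of Fortify's own tooling), the following script shows one concrete "files not scanned" check from the detection step: compare the source files the build compiles against the files Fortify actually translated, so that a classpath or tool problem that silently drops files is visible before the scan phase. The `sourceanalyzer` invocations, the build id `myapp`, and the file lists are assumptions; the sample lists are constructed so the check runs offline.

```shell
#!/bin/sh
# Added example, not from the VA note. Assumes the Fortify CLI 'sourceanalyzer'
# and a build id 'myapp'. The commented commands are the real-run sequence; the
# sample_* functions return constructed data so the comparison runs offline.
#
# Real run (translate with the same classpath the build uses, then compare):
#   sourceanalyzer -b myapp -cp "lib/*" $(find src -name '*.java')
#   find src -name '*.java' | sort > expected.txt
#   sourceanalyzer -b myapp -show-files | sort > translated.txt
#   sourceanalyzer -b myapp -show-build-warnings     # unresolved classes etc.
#   sourceanalyzer -b myapp -scan -f myapp.fpr        # only once the lists match

# Constructed sample: what 'find src -name "*.java"' would print.
sample_source_files() {
  printf '%s\n' src/com/example/App.java src/com/example/Dao.java src/com/example/Util.java
}

# Constructed sample: what 'sourceanalyzer -b myapp -show-files' would print
# when one file was dropped during translation. Paths are assumed to be
# written in the same relative form in both lists.
sample_translated_files() {
  printf '%s\n' src/com/example/App.java src/com/example/Util.java
}

# unscanned_files EXPECTED_LIST TRANSLATED_LIST
# Prints every path present in the expected list but absent from the
# translated list. Both arguments are files with one path per line; order
# and duplicates do not matter. Prints nothing when the translation is complete.
unscanned_files() {
  exp_sorted=$(mktemp) && tr_sorted=$(mktemp) || return 1
  sort -u "$1" > "$exp_sorted"
  sort -u "$2" > "$tr_sorted"
  comm -23 "$exp_sorted" "$tr_sorted"   # lines only in the expected list
  rm -f "$exp_sorted" "$tr_sorted"
}

# Demonstration on the constructed data: reports Dao.java as not translated.
demo_expected=$(mktemp); demo_translated=$(mktemp)
sample_source_files > "$demo_expected"
sample_translated_files > "$demo_translated"
missing=$(unscanned_files "$demo_expected" "$demo_translated")
if [ -n "$missing" ]; then
  echo "Files not translated by Fortify (fix classpath/tool before -scan):"
  echo "$missing"
else
  echo "All expected source files were translated."
fi
rm -f "$demo_expected" "$demo_translated"
```

If the list is non-empty, adjust the translation (classpath, tool, or build integration) and re-translate before running the scan phase, since an FPR produced from a partial translation is exactly the situation this finding describes.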

References