Scanned source differs from provided source

Question

What does the Fortify scan issue “Scanned source differs from provided source” mean, how can I detect it, and how can I fix it?

Answer

This scan issue indicates that there are changes in code files between the versions delivered and the versions scanned by Fortify. When source code files differ between the versions scanned and delivered, it is not possible for the reviewer to determine which version is the production version of the code and whether or not the correct version was scanned.

How to detect

Detect this issue by comparing the code to be delivered to the code that was scanned by Fortify. This ensures that all the source code has been scanned and the version that was scanned is the version that is to be deployed. The following steps may be performed to compare the two sets of code:

  1. Export the code from the FPR file - this will correspond to the code files that were scanned

    1. Open the FPR in Audit Workbench

    2. Select the Tools -> Extract Source Code menu item

    3. Select the folder to export the code to

  2. Compare the extracted code to the source code distribution supplied as part of the secure code review package. You can use WinMerge, diff, or another appropriate application.

    1. Look for differences in source code files; any difference indicates that the two code sets are not the same version
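Added example (not part of the original answer): a POSIX shell script that performs step 2 and classifies each difference, so a file that was delivered but never scanned is reported separately from one whose content changed. It assumes the tree extracted from the FPR and the delivered tree share the same root-relative layout; the sample trees it builds are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original page): compare the tree extracted from
# the FPR (Audit Workbench -> Tools -> Extract Source Code) with the delivered
# source tree. Assumes both directories use the same root-relative layout.
export LC_ALL=C   # byte-order sorting so sort and comm agree

# Prints one line per discrepancy and returns non-zero if any were found:
#   NOT_SCANNED   <file>  delivered but absent from the scanned set
#   NOT_DELIVERED <file>  scanned but absent from the delivery
#   MODIFIED      <file>  present in both with differing content
compare_trees() {
    scanned=$1
    delivered=$2
    tmp=$(mktemp -d)
    (cd "$scanned"   && find . -type f | sed 's|^\./||' | sort) > "$tmp/scanned"
    (cd "$delivered" && find . -type f | sed 's|^\./||' | sort) > "$tmp/delivered"
    {
        comm -13 "$tmp/scanned" "$tmp/delivered" | sed 's/^/NOT_SCANNED /'
        comm -23 "$tmp/scanned" "$tmp/delivered" | sed 's/^/NOT_DELIVERED /'
        comm -12 "$tmp/scanned" "$tmp/delivered" | while IFS= read -r f; do
            cmp -s "$scanned/$f" "$delivered/$f" || printf 'MODIFIED %s\n' "$f"
        done
    } > "$tmp/report"
    cat "$tmp/report"
    count=$(wc -l < "$tmp/report" | tr -d ' ')
    rm -rf "$tmp"
    [ "$count" -eq 0 ]
}

# Constructed sample trees standing in for the extracted and delivered code:
# Login.java was edited after the scan, Hotfix.java was added after the scan,
# and Legacy.java was scanned but dropped from the delivery.
make_demo_trees() {
    root=$1
    mkdir -p "$root/scanned/src" "$root/delivered/src"
    printf 'class Util {}\n'            > "$root/scanned/src/Util.java"
    printf 'class Util {}\n'            > "$root/delivered/src/Util.java"
    printf 'class Login { /* v1 */ }\n' > "$root/scanned/src/Login.java"
    printf 'class Login { /* v2 */ }\n' > "$root/delivered/src/Login.java"
    printf 'class Legacy {}\n'          > "$root/scanned/src/Legacy.java"
    printf 'class Hotfix {}\n'          > "$root/delivered/src/Hotfix.java"
}

# Stand-alone run (sh script.sh --demo): build the samples, print the report,
# and exit with the comparison status so it can gate a review pipeline.
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    make_demo_trees "$demo"
    compare_trees "$demo/scanned" "$demo/delivered"; rc=$?
    rm -rf "$demo"
    exit "$rc"
fi
```

A NOT_SCANNED line is the case the reviewer most needs to catch, because that file has no Fortify findings at all rather than stale ones.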

How to resolve

For any code files that differ between the scanned and delivered versions, perform the following as appropriate:

  • Rescan the appropriate version of the code
  • Deliver the appropriate version of the code
  • Include a file with the code review package that indicates why there is a discrepancy