Unable to extract source code from FPR files

Question

What does the Fortify scan issue “Unable to extract source code from FPR files” mean, how can I detect it, and how can I fix it?

Answer

This scan issue indicates that the scanned source code was not included in the FPR file. The scanned source is required to verify that all of the source code was scanned. By default the scanned source code is included in the FPR file; however, it may be excluded if the scan was performed in quick scan mode, if the FPR was uploaded to a Software Security Center (SSC) server and downloaded without sources, or if it was explicitly excluded on the command line.

How to detect

To detect this issue, try to extract the source code from the FPR file. If the extraction succeeds, the source is present and there is no issue; if it fails, the source is missing and this issue applies. To export the code from the FPR file, follow these steps:

  1. Open the FPR in Audit Workbench

  2. Select the Tools -> Extract Source Code menu item

  3. Select the folder to export the code

If the code is not present in the FPR file then the “Extract Source Code” menu item will be greyed out.
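A scripted version of this check, added here as an example (it is not Fortify's own tooling), opens the FPR as a zip archive and looks for entries under a src-archive/ folder; that folder name is an assumption about the FPR layout, and the sample archives are constructed inline so the script runs offline:

```python
"""Check whether a Fortify FPR archive carries the scanned source code.

An FPR is a zip archive. Assumption (not stated on the page): when source
rendering is enabled, the scanned files are stored under a "src-archive/"
folder inside that zip, so an FPR with no entries under that prefix is one
for which "Extract Source Code" would be greyed out in Audit Workbench.
"""
import io
import zipfile
from typing import List, Union

SOURCE_PREFIX = "src-archive/"  # assumed name of the source folder in the FPR


def fpr_source_files(fpr: Union[str, bytes]) -> List[str]:
    """Return the source entries of an FPR given as a path or raw zip bytes."""
    handle = io.BytesIO(fpr) if isinstance(fpr, bytes) else fpr
    with zipfile.ZipFile(handle) as zf:
        return sorted(
            name for name in zf.namelist()
            if name.startswith(SOURCE_PREFIX) and not name.endswith("/")
        )


def fpr_has_source(fpr: Union[str, bytes]) -> bool:
    """True when at least one scanned source file is present in the FPR."""
    return bool(fpr_source_files(fpr))


def build_sample_fpr(include_source: bool) -> bytes:
    """Build a constructed, minimal FPR-like zip for demonstration only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("audit.fvdl", "<FVDL/>")  # placeholder results file
        if include_source:
            zf.writestr(SOURCE_PREFIX + "src/Main.java", "class Main {}")
    return buf.getvalue()


if __name__ == "__main__":
    # Real use: fpr_has_source("path/to/scan.fpr") for each FPR to be checked.
    for flag in (True, False):
        status = "source included" if fpr_has_source(build_sample_fpr(flag)) \
            else "source missing: rescan needed"
        print(status)
```

Running the check over a directory of FPRs before review is faster than opening each one in Audit Workbench.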

How to resolve

The resolution for this issue depends on why the code is not included in the FPR:

  • Quick scan mode was used - Rescan with quick scan mode disabled. Instructions for this may be found in the tech note: Quick scan mode used
  • Source was explicitly excluded on the command line using the -disable-source-rendering option - Remove that command-line option and rescan the code
  • The source was removed because the FPR was uploaded to the SSC - When downloading an artifact from the SSC, select the “Application & Sources” button. This preserves both the audit information and the scanned source code.
  • Object code was scanned instead of the source code required for the VA Secure Code Review - Rescan using the source code instead of the object code.

References