java – Why does Fortify SCA report issues against files that no longer exist in my project?

Development techniques  Author:  2024-06-15 19:20:01
I set up SCA scanning for my project with the sca-maven-plugin, which I built from source and installed into my local repository. My builds run through a TeamCity build agent on a server that has Fortify installed.

Getting the scan to run was no problem, and I am happily generating reports from the resulting .fpr with ReportGenerator. An early report showed that I had a number of vulnerabilities in PHP files that had been wrongly included in the project (it is a Java project). Since deleting those files, why does Fortify still report vulnerabilities against them even though they no longer exist in my project?

I have confirmed that the build agent is configured to clean all sources before checking out the latest source, and in fact I can see on the server that the PHP files are no longer there, yet the report and the .fpr still report issues against them.

Is there some tracking/trending going on somewhere that I also need to clear, or is there something else I am missing?

The build output shows that the files are indeed missing but are still included in the analysis scope, as shown here:

[07:40:16][com.....myapp:web] [INFO] --- sca-maven-plugin:3.90:scan (default-cli) @ web ---
[07:40:16][com.....myapp:web] [INFO]                    Packaging -> war
[07:40:16][com.....myapp:web] [INFO]        Top-Level Artifact ID -> web
[07:40:16][com.....myapp:web] [INFO]                  Build Label -> web-2.0.0-SNAPSHOT
[07:40:16][com.....myapp:web] [INFO]                Build Version -> 2.0.0-SNAPSHOT
[07:40:16][com.....myapp:web] [INFO]           Build Project Name -> web
[07:40:16][com.....myapp:web] [INFO]                     Build ID -> web-2.0.0-SNAPSHOT
[07:40:16][com.....myapp:web] [INFO]                 Results File -> C:\...\buildAgent\work\c649372994269e88/myapp.fpr
[07:40:16][com.....myapp:web] [INFO]   Location of SCA Executable -> sourceanalyzer
[07:40:16][com.....myapp:web] [INFO]                     Scan Log -> C:\...\buildAgent\work\c649372994269e88\web\target/sca-scan.log
[07:40:16][com.....myapp:web] [INFO]             FindBugs Results -> false
[07:40:16][com.....myapp:web] [INFO]                Fail on Error -> false
[07:40:16][com.....myapp:web] [INFO]                Upload to SSC -> false
[07:40:16][com.....myapp:web] [INFO] Issues will not be tracked and trended without uploading to SSC.
[07:40:16][com.....myapp:web] [INFO] *** !! Scanning aggregate project - web !! ***
[07:40:16][com.....myapp:web] [INFO] Created output dir C:\...\buildAgent\work\c649372994269e88\web\target
[07:40:16][com.....myapp:web] [INFO] cmd: "cmd.exe /X /C "sourceanalyzer -scan @C:\...\buildAgent\work\c649372994269e88\web\target/sca-scan-args.txt""
[07:40:19][com.....myapp:web] Fortify Static Code Analyzer 6.00.0096
[07:40:25][com.....myapp:web] [error]: File C:/.../buildAgent/work/c649372994269e88/web/target/myapp/WEB-INF/views/components/datatables/media/unit_testing/templates/dom_data_th.PHP not found
[07:40:25][com.....myapp:web] [error]: File C:/.../buildAgent/work/c649372994269e88/web/target/myapp/WEB-INF/views/components/datatables/media/unit_testing/controller.PHP not found
[07:40:25][com.....myapp:web] [error]: File C:/.../buildAgent/work/c649372994269e88/web/target/myapp/WEB-INF/views/components/datatables/media/unit_testing/performance/large.PHP not found
[07:40:25][com.....myapp:web] [error]: File C:/.../buildAgent/work/c649372994269e88/web/target/myapp/WEB-INF/views/components/datatables/media/unit_testing/templates/-complex_header.PHP not found
[07:40:25][com.....myapp:web] [error]: File C:/.../buildAgent/work/c649372994269e88/web/target/myapp/WEB-INF/views/components/datatables/media/unit_testing/templates/2512.PHP not found
[07:40:25][com.....myapp:web] [error]: File C:/.../buildAgent/work/c649372994269e88/web/target/myapp/WEB-INF/views/components/datatables/media/unit_testing/templates/6776.PHP not found
[07:40:25][com.....myapp:web] [error]: File C:/.../buildAgent/work/c649372994269e88/web/target/myapp/WEB-INF/views/components/datatables/media/unit_testing/templates/complex_header_2.PHP not found
[07:40:25][com.....myapp:web] [error]: File C:/.../buildAgent/work/c649372994269e88/web/target/myapp/WEB-INF/views/components/datatables/media/unit_testing/templates/deferred_table.PHP not found
[07:40:25][com.....myapp:web] [error]: File C:/.../buildAgent/work/c649372994269e88/web/target/myapp/WEB-INF/views/components/datatables/media/unit_testing/templates/dom_data.PHP not found

Solution:

SCA is using a build cache. You should also clean it with the

sourceanalyzer -b buildID -clean

command. You can use the maven plugin to invoke the sca-maven-plugin:clean goal, or attach the sca-maven-plugin:clean goal to the maven 'clean' phase and invoke the clean goal.

Be careful when you run it. It will delete all existing files created by the first scan.
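The symptom in the question is visible in the scan log itself: every "[error]: File ... not found" line is a translated unit that still sits in the SCA build session for the build ID printed by the plugin, although the file is gone from the checkout. The following script is an added example, not code from the question, the answer or the Fortify/sca-maven-plugin projects. It parses a log in the shape shown above (the embedded sample is constructed from the lines quoted in the question, paths shortened), lists the missing files, flags any file extensions that do not belong in a Java project, and assembles the `sourceanalyzer -b <buildID> -clean` command from the answer so a CI step can fail early and tell the operator exactly which build session to reset. The `[error]: File ... not found` and `Build ID ->` line formats are taken from the log on this page; that they are stable across SCA versions is an assumption.

```python
import os
import re
from typing import List, Optional, Dict, Iterable, Set

# Constructed sample in the shape of the TeamCity / sca-maven-plugin output
# quoted in the question (same format, paths shortened with "...").
SAMPLE_LOG = """\
[07:40:16][com.....myapp:web] [INFO]                     Build ID -> web-2.0.0-SNAPSHOT
[07:40:16][com.....myapp:web] [INFO] Issues will not be tracked and trended without uploading to SSC.
[07:40:19][com.....myapp:web] Fortify Static Code Analyzer 6.00.0096
[07:40:25][com.....myapp:web] [error]: File C:/.../web/target/myapp/WEB-INF/views/components/datatables/media/unit_testing/controller.PHP not found
[07:40:25][com.....myapp:web] [error]: File C:/.../web/target/myapp/WEB-INF/views/components/datatables/media/unit_testing/performance/large.PHP not found
[07:40:25][com.....myapp:web] [error]: File C:/.../web/target/myapp/WEB-INF/views/components/datatables/media/unit_testing/templates/dom_data.PHP not found
"""

# Line shapes as they appear in the log above (assumed stable across SCA versions).
MISSING_FILE = re.compile(r"\[error\]: File (?P<path>.+?) not found\s*$")
BUILD_ID = re.compile(r"Build ID\s+->\s+(?P<id>\S+)")


def missing_files(log_text: str) -> List[str]:
    """Paths SCA tried to analyze but could no longer find on disk.

    A non-empty list is the stale-build-session symptom from the question:
    the -b <buildID> session still holds translated units for deleted files.
    """
    found = []
    for line in log_text.splitlines():
        m = MISSING_FILE.search(line)
        if m:
            found.append(m.group("path"))
    return found


def build_id(log_text: str) -> Optional[str]:
    """Build ID the plugin printed; this is the value -clean needs in -b."""
    m = BUILD_ID.search(log_text)
    return m.group("id") if m else None


def foreign_extensions(paths: Iterable[str], expected: Iterable[str]) -> Set[str]:
    """Lower-cased file extensions among `paths` that are not in `expected`.

    Useful for a Java project: anything like .php in the analyzed set was
    pulled in by accident, exactly as in the question.
    """
    allowed = {e.lower() for e in expected}
    return {os.path.splitext(p)[1].lower() for p in paths} - allowed


def clean_command(bid: str) -> List[str]:
    """argv for the build-session reset the answer recommends.

    Run it before the next translate/scan; it deletes everything the
    previous scan put in that session.
    """
    return ["sourceanalyzer", "-b", bid, "-clean"]


def check_scan_log(log_text: str, expected_exts=(".java", ".jsp", ".xml", ".properties")) -> Dict:
    """Summarize one scan log: stale entries, suspect languages, and the fix."""
    missing = missing_files(log_text)
    bid = build_id(log_text)
    return {
        "build_id": bid,
        "missing": missing,
        "foreign_extensions": foreign_extensions(missing, expected_exts),
        "stale_cache": bool(missing),
        "fix": clean_command(bid) if missing and bid else None,
    }


if __name__ == "__main__":
    report = check_scan_log(SAMPLE_LOG)
    if report["stale_cache"]:
        print(f"{len(report['missing'])} file(s) in session {report['build_id']} no longer exist")
        for path in report["missing"]:
            print("  stale:", path)
        if report["foreign_extensions"]:
            print("  unexpected languages:", ", ".join(sorted(report["foreign_extensions"])))
        print("reset the session first:", " ".join(report["fix"]))
    else:
        print("no stale entries found")
```

In a pipeline this would read `sca-scan.log` (the path is printed as "Scan Log" in the plugin output) and exit non-zero when `stale_cache` is true, so a report built from the .fpr is never trusted while the session still contains deleted files.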

Link to this article: http://www.jiecseo.com/news/show_27660.html