Running Fortify scan on generated code (Java)

Running Fortify scan on generated code (Java)

  
Hi,

I am trying to run fortify SCA on the generated code and i am getting parser exception when it tries to parse one of then generated code

Processing /tmp/source/om_apm_revolving/src/osom_apm_revolving/webservices/rpc/WORLserviceErrorRecordList.java
[2013-06-24 17:43:23 WARNING]
Exception scanning typesig of: WrappedException
com.fortify.frontend.translator.java.typesig.ParseException: Parse error at line 1, column 70.  Encountered: T
 at com.fortify.frontend.translator.java.typesig.SignatureParser.generateParseException(SignatureParser.java:770)
 at com.fortify.frontend.translator.java.typesig.SignatureParser.jj_consume_token(SignatureParser.java:722)
 at com.fortify.frontend.translator.java.typesig.SignatureParser.ClassTypeSignature(SignatureParser.java:195)


Any reason why its failing.. I am using JDK 1.6 and Fortify SCA 3.80

thanks,
Pradeep V.B.
Hi Pradeep,

can you explain how we achieved this in the project, so that the community can take advantage of it?

From my side, I did a tarball in the unix box. The source code is in the share folder, in /opt/jbossas/server/outsystems/share. To keep in mind to use the -h so that tar follows symlinks.

After I handed over the code to Pradeep, he runned his magic on top of it.

Cheers,
Hi Pedro.

Thanks for getting the source code for the project..

I was able to generate the report for the project after making additions to the classpath and i was able to generate the report.

But i still had few warnings on few classes, especially when it tries to analyze the code... it gives warning about unresolved functions...

I would like to get more details on how to resolve these warnings..

Battle is half won.. :)

thanks,
Pradeep V.B.
WE BELIEVE! WE WILL WIN!

I'm hopping that some knowledge pops up from a keyboard somewhere... guys?!
Hello Pradeep

How are you generating the code for analysis? Are you using the Detach Source Code operation of the OutSystems Platform, or some other approach?

The entire source code, is not on the share folder ... if you use the content on the share folder, there are a few missing classes from the internal OutSystems Runtime engine. SCA analyzes the Java source code, an the OutSystems Runtime engine source code is not available on the share folder.

So, to avoid missing classes errors, and get the full analyzes power of SCA you would need to Detach the Source Code to get the OutSystems Runtine engine source, so SCA can find it.

More info on the procedure here:
http://www.outsystems.com/goto/technote-detach-java
http://www.outsystems.com/Community/download.aspx?DocumentId=184

Cheers

Miguel Simões João