java - 为什么 Fortify SCA 针对我的项目中不再存在的文件报告问题？

Question

我使用 sca-maven-plugin 为我的项目设置了一个 SCA 扫描设置，它​​是我从源代码构建并安装到我的本地存储库中的。我的构建是通过安装了 Fortify 的服务器上的 TeamCity 构建代理运行的。

运行扫描没有任何问题，我很高兴使用 ReportGenerator 从生成的 .fpr 生成报告。早期的报告表明我有一些来自 PHP 文件的漏洞，这些漏洞被错误地包含在项目(这是一个 Java 项目)中。删除这些文件后，为什么 Fortify 仍然报告这些文件的漏洞，即使它们不再存在于我的项目中？

我已经确认构建代理配置为在检查最新版本之前清理所有源，事实上我可以在服务器本身上看到这些 PHP 文件不再存在，但是报告和 .fpr 仍然报告问题他们。

是否存在我还需要清除的跟踪/趋势持续存在的问题，或者是否还有其他我遗漏的问题？

构建的输出，显示文件确实丢失但仍包含在分析范围内，如下所示:

[07:40:16][com.....myapp:web] [INFO] --- sca-maven-plugin:3.90:scan (default-cli) @ web ---
[07:40:16][com.....myapp:web] [INFO]                    Packaging -> war
[07:40:16][com.....myapp:web] [INFO]        Top-Level Artifact ID -> web
[07:40:16][com.....myapp:web] [INFO]                  Build Label -> web-2.0.0-SNAPSHOT
[07:40:16][com.....myapp:web] [INFO]                Build Version -> 2.0.0-SNAPSHOT
[07:40:16][com.....myapp:web] [INFO]           Build Project Name -> web
[07:40:16][com.....myapp:web] [INFO]                     Build ID -> web-2.0.0-SNAPSHOT
[07:40:16][com.....myapp:web] [INFO]                 Results File -> C:\...\buildAgent\work\c649372994269e88/myapp.fpr
[07:40:16][com.....myapp:web] [INFO]   Location of SCA Executable -> sourceanalyzer
[07:40:16][com.....myapp:web] [INFO]                     Scan Log -> C:\...\buildAgent\work\c649372994269e88\web\target/sca-scan.log
[07:40:16][com.....myapp:web] [INFO]             FindBugs Results -> false
[07:40:16][com.....myapp:web] [INFO]                Fail on Error -> false
[07:40:16][com.....myapp:web] [INFO]                Upload to SSC -> false
[07:40:16][com.....myapp:web] [INFO] Issues will not be tracked and trended without uploading to SSC.
[07:40:16][com.....myapp:web] [INFO] *** !! Scanning aggregate project - web !! ***
[07:40:16][com.....myapp:web] [INFO] Created output dir C:\...\buildAgent\work\c649372994269e88\web\target
[07:40:16][com.....myapp:web] [INFO] cmd: "cmd.exe /X /C "sourceanalyzer -scan @C:\...\buildAgent\work\c649372994269e88\web\target/sca-scan-args.txt""
[07:40:19][com.....myapp:web] Fortify Static Code Analyzer 6.00.0096
[07:40:25][com.....myapp:web] [error]: File C:/.../buildAgent/work/c649372994269e88/web/target/myapp/WEB-INF/views/components/datatables/media/unit_testing/templates/dom_data_th.php not found
[07:40:25][com.....myapp:web] [error]: File C:/.../buildAgent/work/c649372994269e88/web/target/myapp/WEB-INF/views/components/datatables/media/unit_testing/controller.php not found
[07:40:25][com.....myapp:web] [error]: File C:/.../buildAgent/work/c649372994269e88/web/target/myapp/WEB-INF/views/components/datatables/media/unit_testing/performance/large.php not found
[07:40:25][com.....myapp:web] [error]: File C:/.../buildAgent/work/c649372994269e88/web/target/myapp/WEB-INF/views/components/datatables/media/unit_testing/templates/-complex_header.php not found
[07:40:25][com.....myapp:web] [error]: File C:/.../buildAgent/work/c649372994269e88/web/target/myapp/WEB-INF/views/components/datatables/media/unit_testing/templates/2512.php not found
[07:40:25][com.....myapp:web] [error]: File C:/.../buildAgent/work/c649372994269e88/web/target/myapp/WEB-INF/views/components/datatables/media/unit_testing/templates/6776.php not found
[07:40:25][com.....myapp:web] [error]: File C:/.../buildAgent/work/c649372994269e88/web/target/myapp/WEB-INF/views/components/datatables/media/unit_testing/templates/complex_header_2.php not found
[07:40:25][com.....myapp:web] [error]: File C:/.../buildAgent/work/c649372994269e88/web/target/myapp/WEB-INF/views/components/datatables/media/unit_testing/templates/deferred_table.php not found
[07:40:25][com.....myapp:web] [error]: File C:/.../buildAgent/work/c649372994269e88/web/target/myapp/WEB-INF/views/components/datatables/media/unit_testing/templates/dom_data.php not found

Answer 1

SCA 正在使用构建缓存。你也应该用

sourceanalyzer -b buildID -clean

命令。当然，您可以通过调用 sca-maven-plugin:clean 目标或将 sca-maven-plugin:clean 目标附加到 maven 阶段“clean”并调用 clean 目标来使用 maven 插件来完成此操作。

运行时要小心。它将删除第一次扫描创建的所有现有文件。