
HP Fortify 4.3 - Line Numbers in Findings Not Synchronized with Code


A colleague of mine recently ran a scan of a code base using HP Fortify 4.3 using an HP Fortify 4.3 installation on his computer.

When I opened the .fpr file in my HP Fortify 4.3 installation, the line numbers in the issues do not always match the lines in the code window when I double-click on the issue.

For example, if an issue is reported in line 214 of a particular Java class, when I double-click the issue to view it in a code window, the highlighted line 214 doesn't contain the reported issue. It might instead be on line 205.

This doesn't happen with every source file.

What might be the cause? I assume the .fpr file contains a snapshot of the code that was audited. If that's true, then why would the line numbers not be in sync when I open the file in my Fortify installation?

Thanks in advance!


Solution

  • Yes, the .fpr file does contain a snapshot of the code that was audited. But that is not the first choice Fortify uses when displaying code. (The source code is zipped up, so that is not used for performance reasons [I think].) If you have a copy of the source code on your machine that is in the same location as the code your colleague scanned, Fortify will use that. And it may be that the source code has changed since the scan.

    When Fortify goes to display source code and cannot find code at the external path of the scan, it will then display a message:

    The current source path is invalid, but the project contains a copy of the scanned source code. Would you like to extract the source code to a location on disk, or update the path to an existing location?

    With three options:

    • Use Source Included in FPR
    • Cancel
    • Update Path

    If you want exactly what was scanned, then choose the first option.

    If you want it to point Fortify to the location of the source code on your system use the third option.

    If you want it to use the internal source, then do the following:

    1. Open the FPR
    2. Do Tool -> Extract Source Code
    3. Pick a location

    When you do this, Fortify will automatically start using that location to pull the source code for display.
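A way to check for the drift the answer describes, as an added example that is not from the original post or from Fortify itself: the script below treats the .fpr as a zip archive, pulls the scanned copy of a source file out of it, and maps a finding's reported line onto the local copy of that file, returning None when that line was edited or deleted after the scan. The folder name `src-archive`, the helper names, and the small Java sample are assumptions constructed for the example.

```python
import difflib
import io
import zipfile
from typing import Optional


def read_snapshot_source(fpr_bytes: bytes, rel_path: str) -> Optional[str]:
    """Return the scanned copy of rel_path stored inside an .fpr archive.
    The .fpr is a zip; which folder holds the snapshot is an assumption here,
    so the member is matched by path suffix rather than a fixed prefix."""
    with zipfile.ZipFile(io.BytesIO(fpr_bytes)) as zf:
        for name in zf.namelist():
            if name == rel_path or name.endswith("/" + rel_path):
                return zf.read(name).decode("utf-8", errors="replace")
    return None


def map_scanned_line(snapshot: str, local: str, scanned_line: int) -> Optional[int]:
    """Map a 1-based line of the scanned snapshot to the local file (None if edited/deleted)."""
    matcher = difflib.SequenceMatcher(a=snapshot.splitlines(), b=local.splitlines(), autojunk=False)
    idx = scanned_line - 1
    for tag, a0, a1, b0, b1 in matcher.get_opcodes():
        if a0 <= idx < a1:  # the diff opcode that covers the scanned line
            return b0 + (idx - a0) + 1 if tag == "equal" else None
    return None


def check_finding(fpr_bytes: bytes, rel_path: str, local_src: str, line: int) -> Optional[int]:
    """Where does a finding reported at `line` in the scan land in the local copy?"""
    snapshot = read_snapshot_source(fpr_bytes, rel_path)
    return None if snapshot is None else map_scanned_line(snapshot, local_src, line)


def build_fake_fpr(rel_path: str, content: str) -> bytes:
    """Constructed stand-in for an .fpr (not a real Fortify archive) holding one source member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("src-archive/" + rel_path, content)  # folder name is an assumption
    return buf.getvalue()


# Constructed sample: the scan flagged line 5 ("sink(x);"); the local copy gained two
# lines above it after the scan, so highlighting line 5 in the local file is stale.
SNAPSHOT = "class Foo {\n  void a() {\n  }\n  void b() {\n    sink(x);\n  }\n}\n"
LOCAL = "class Foo {\n  // added after scan\n  // and another\n" + SNAPSHOT[len("class Foo {\n"):]

if __name__ == "__main__":
    fpr = build_fake_fpr("com/example/Foo.java", SNAPSHOT)
    print(check_finding(fpr, "com/example/Foo.java", LOCAL, 5))  # 7
```

Running it against a real .fpr and your checkout tells you, per finding, whether the line Fortify highlights from the external path still corresponds to the scanned code.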