HP Fortify Scan Warning: Reference cannot be resolved

Question

I'm using HP Fortify SCA version 4.40. After scanning a Java project, Fortify reports one scan warning:

The following references to java functions could not be resolved. These functions may be part of classes that could not be found, or there may be a type error at the call site of the given function relative to the function declaration. Please ensure the java source code can be compiled by a java compiler.

~instance~for~static~field~

I understand that to resolve this type of warning, I need to update the sourceanalyzer classpath to point to the jar that contains the missing referenced function. However in the above, "~instance~for~static~field~" doesn't give me any information on where to find the missing reference. Given the size of the codebase I'm working with, I can't manually dig into each and every class looking for a possible missing reference that fits the above vague description.

Does anyone have any insight into this type of vague warning? Is there a reason why no further details are provided? Any suggestions for getting more details about where this missing reference actually is located?

Answer 1

Have you tried looking at the log files? Default location is

%userprofile%/AppData/local/Fortify/xxx 

where xxx is the Fortify application used [e.g. AWB-4.40, Eclipse.Plugin-4.40, sca6.4, VS2013-4.21]

You could also specify that more detailed log files get created when you retry the scan. If you are using the command line you can add the following to both the translation and scan steps

-debug -verbose -logfile PATH\filename.log