Findings no longer found in 24.2.0

Hello,

We have updated from Fortify 22.1.1 to Fortify 24.2.0 and have noticed certain findings are no longer present. These findings have included "Poor Style: Variable Never Used" for Java and C++ scans, and "Poor Style: Empty Synchronized Block" for Java scans.

The code snippets we've used to test for these findings are as follows:

For C++ and Java:

if (false)
{
    int i = 0;
}

and for Java:

synchronized(this) { }

We have seen these findings present in 22.1.1, but when we upgraded to 24.2.0 they are no longer found. Is there a setting we have to enable inside the Audit Workbench to show these findings? Or in Fortify 24.2.0 were these findings removed?

Thank you in advance!

  • Verified Answer

    +1

    This problem has been resolved.

    From "What’s New in Fortify Software 24.2.0":

         - "The default scan policy has changed from classic to security. The security scan policy excludes issues related to code quality from the analysis results."

    Certain findings were not appearing because the scan policy was defaulting to "security" in the Fortify 24.2 version. Passing the argument "-scan-policy classic" allowed for the code quality findings to be found once again.
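The practical takeaway from the answer above is to pin the scan policy explicitly instead of relying on the version-dependent default. The following POSIX shell wrapper is an added example and not code from the thread or from Fortify; it assumes the standard `sourceanalyzer -b <build-id> -scan -f <output.fpr>` invocation, and the build ID and output path are placeholders. It validates the policy name (only `classic` and `security` are known from the thread), defaults to `classic` so code-quality findings are kept, and offers a dry run so a CI job can log which policy is in effect before the scan runs.

```shell
#!/bin/sh
# Added example (not from the thread): make the Fortify scan policy explicit
# so an upgrade that changes the default (classic -> security) does not
# silently drop "Poor Style" / code-quality findings.
# Assumptions: sourceanalyzer's -b / -scan / -f options; BUILD_ID and the
# .fpr output path below are placeholders.

# fortify_scan_policy [POLICY]
# Echoes a validated policy name; defaults to "classic".
fortify_scan_policy() {
    policy="${1:-classic}"
    case "$policy" in
        classic|security) printf '%s\n' "$policy" ;;
        *) echo "unknown scan policy: $policy (expected classic|security)" >&2
           return 1 ;;
    esac
}

# fortify_scan_cmd BUILD_ID OUTPUT_FPR [POLICY]
# Echoes the full scan command line without running it (dry run / logging).
fortify_scan_cmd() {
    policy=$(fortify_scan_policy "$3") || return 1
    printf 'sourceanalyzer -b %s -scan -scan-policy %s -f %s\n' \
        "$1" "$policy" "$2"
}

# fortify_scan BUILD_ID OUTPUT_FPR [POLICY]
# Runs the scan; set DRY_RUN=1 to only print the command (e.g. in CI logs).
fortify_scan() {
    policy=$(fortify_scan_policy "$3") || return 1
    if [ -n "${DRY_RUN:-}" ]; then
        fortify_scan_cmd "$1" "$2" "$policy"
    else
        sourceanalyzer -b "$1" -scan -scan-policy "$policy" -f "$2"
    fi
}

# Usage (placeholders): DRY_RUN=1 fortify_scan myapp-build results.fpr
```

Running the wrapper with `DRY_RUN=1` first is a cheap check after any Fortify upgrade: if the logged command does not contain `-scan-policy classic`, a drop in code-quality findings is expected rather than a regression in the rules.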