Fortify on Oracle codebase


Fortify SCA behaviour for an Oracle codebase (.sql, .trig, .pkg, .syn etc. files) is not as expected:

Observations:

1) It reports zero issues with Oracle codebase(s).

2) It considers only .sql files but not any other, e.g. .pkg. Though introducing com.fortify.sca.fileextensions.pkg = PLSQL in fortify-sca.properties didn't help. It still doesn't consider .pkg files. Is there any other step required to achieve this?

3) Though introducing SQL-injection code ( https://docs.oracle.com/cd/E38689_01/pt853pbr0/eng/pt/tpcd/task_PreventingSQLInjection-0749b7.html ) for testing purposes also didn't help. It doesn't catch this problem as well.

Are these known issues?

Can someone please advise.

Venu Kumar

By default, files with the extension sql are assumed to be T-SQL rather than PL/SQL on Windows platforms. If you are using Windows and have PL/SQL files with the sql extension, you can configure SCA to treat them as PL/SQL rather than explicitly specify it each time you run sourceanalyzer. To change the default behavior, set the com.fortify.sca.fileextensions.sql property in fortify-sca.properties to “TSQL” or “PLSQL.”
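An added illustration, not part of the answer above: a fortify-sca.properties fragment that applies the mapping the answer describes for .sql files, and extends it to the other Oracle extensions the question lists (.pkg, .trig, .syn). The .pkg/.trig/.syn lines are an assumption about the same property family, not something the answer confirms; verify the effect in the scan log before relying on it.

```properties
# Added example fragment for fortify-sca.properties (assumed file location:
# <SCA_Install_Dir>/Core/config/fortify-sca.properties).

# On Windows, .sql defaults to T-SQL; map it to PL/SQL for an Oracle codebase.
com.fortify.sca.fileextensions.sql=PLSQL

# Assumption: the same property family can map the other Oracle extensions
# named in the question to the PL/SQL translator.
com.fortify.sca.fileextensions.pkg=PLSQL
com.fortify.sca.fileextensions.trig=PLSQL
com.fortify.sca.fileextensions.syn=PLSQL
```

Check the translation phase output of sourceanalyzer to confirm each extension is actually picked up; a mapping that is silently ignored is the first thing to rule out when a PL/SQL scan reports zero issues.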