Fortify Scan Engine Version effect on results


Scanning 3.5 million lines of code on SCA 4.30 w/ Scan Engine 6.30.0086 gets vastly different results than SCA 16.11 w/ 16.11.003

Is this correct? Similar scans on another code-base with much less in terms of code showed no difference across versions but obviously with a smaller sample size, this could be expected.

Does HP release information on what changes in Scan Engine versions? Do scan engine versions affect results purposefully, or could there be other factors influencing the results?

There is 1 answer

SBurris On

Multiple factors go into the rendering of results, more than just the scan engine. Over time the scan engine is improved; this can be in terms of performance, fixing of bugs, or adding new features that allow our Security Research Team (https://community.hpe.com/t5/Security-Research/bg-p/off-by-on-software-security-blog) to create new rules and/or refine existing rules to utilize the new features when identifying potential issues.

Even if the same rule pack is run on two different scan engine versions, if some of the rules require features that are not available, the rule is not run and thus the results will differ.

You should also look at the warnings of the two scans. Are there any reference, parsing, or memory issues? These all should be handled to make sure you have a good clean scan (at the bare minimum, do you have the exact same warnings between the two scans?). These warnings can also cause a difference in results between scans.

There could also be different settings between the two installs that cause the difference as well (filters, templates, etc.).

But in short, yes, Scan Engine versions can cause different results even on the same code base with the same Rulepack versions. The internal workings of the Scan Engine are proprietary information and the detailed changes are not published.
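The answer's checklist (same engine version, same Rulepack versions, same warnings, and only then compare finding counts) can be automated by diffing the scan metadata of the two result files. The script below is an added example and is not code from the question, the answer, or Fortify. It assumes an FPR is a zip archive containing `audit.fvdl`, and it assumes the FVDL element layout used here (`EngineData/EngineVersion`, `EngineData/RulePacks/RulePack`, `EngineData/Errors/Error`, `Build/LOC`, `Vulnerabilities/Vulnerability`) and the namespace URI `xmlns://www.fortifysoftware.com/schema/fvdl`; adjust those names if your FVDL differs. The two inline FVDL documents are constructed samples, not real scan output.

```python
"""Diff the metadata of two Fortify scans before comparing their finding counts.

Added example (not from the original post or from Fortify). Element names and
the namespace URI below are assumptions about the audit.fvdl layout.
"""
import xml.etree.ElementTree as ET
import zipfile

# Assumed FVDL namespace; change it if your audit.fvdl declares a different one.
NS = {"f": "xmlns://www.fortifysoftware.com/schema/fvdl"}


def load_fvdl_from_fpr(path):
    """Read audit.fvdl out of an .fpr file (assumed to be a zip archive)."""
    with zipfile.ZipFile(path) as archive:
        return archive.read("audit.fvdl").decode("utf-8")


def scan_metadata(fvdl_xml):
    """Extract engine version, rulepack versions, warnings, LOC and finding count."""
    root = ET.fromstring(fvdl_xml)
    engine = root.find("f:EngineData", NS)
    rulepacks = {}
    for pack in engine.findall("f:RulePacks/f:RulePack", NS):
        pack_id = pack.findtext("f:RulePackID", default="", namespaces=NS)
        rulepacks[pack_id] = pack.findtext("f:Version", default="", namespaces=NS)
    # Warnings are compared as (code, message) pairs so a new parse/memory
    # warning in one scan shows up even when the code is the same.
    warnings = set()
    for err in engine.findall("f:Errors/f:Error", NS):
        warnings.add((err.get("code", ""), (err.text or "").strip()))
    return {
        "engine": engine.findtext("f:EngineVersion", default="", namespaces=NS),
        "rulepacks": rulepacks,
        "warnings": warnings,
        "loc": int(root.findtext("f:Build/f:LOC", default="0", namespaces=NS)),
        "findings": len(root.findall("f:Vulnerabilities/f:Vulnerability", NS)),
    }


def compare_scans(fvdl_a, fvdl_b):
    """Return the differences a reviewer should rule out before trusting the delta."""
    a, b = scan_metadata(fvdl_a), scan_metadata(fvdl_b)
    all_ids = set(a["rulepacks"]) | set(b["rulepacks"])
    rulepack_diffs = {
        pid: (a["rulepacks"].get(pid), b["rulepacks"].get(pid))
        for pid in sorted(all_ids)
        if a["rulepacks"].get(pid) != b["rulepacks"].get(pid)
    }
    return {
        "engine": (a["engine"], b["engine"]),
        "loc": (a["loc"], b["loc"]),
        "findings": (a["findings"], b["findings"]),
        "rulepack_diffs": rulepack_diffs,
        "warnings_only_in_a": sorted(a["warnings"] - b["warnings"]),
        "warnings_only_in_b": sorted(b["warnings"] - a["warnings"]),
    }


def comparable(report):
    """True only when engine, rulepacks and warnings all match (same LOC too)."""
    return (
        report["engine"][0] == report["engine"][1]
        and not report["rulepack_diffs"]
        and not report["warnings_only_in_a"]
        and not report["warnings_only_in_b"]
        and report["loc"][0] == report["loc"][1]
    )


# Constructed sample FVDL documents (not real scan output), using the two
# engine versions from the question.
SCAN_A = """<?xml version="1.0" encoding="UTF-8"?>
<FVDL xmlns="xmlns://www.fortifysoftware.com/schema/fvdl" version="1.10">
  <Build><NumberFiles>12000</NumberFiles><LOC type="Fortify">3500000</LOC></Build>
  <Vulnerabilities>
    <Vulnerability><InstanceID>A1</InstanceID></Vulnerability>
    <Vulnerability><InstanceID>A2</InstanceID></Vulnerability>
  </Vulnerabilities>
  <EngineData>
    <EngineVersion>6.30.0086</EngineVersion>
    <RulePacks><RulePack><RulePackID>core-java</RulePackID><Version>2016.1.0.0001</Version></RulePack></RulePacks>
    <Errors><Error code="1103">Translator: src/legacy/Parser.java could not be parsed</Error></Errors>
  </EngineData>
</FVDL>"""

SCAN_B = """<?xml version="1.0" encoding="UTF-8"?>
<FVDL xmlns="xmlns://www.fortifysoftware.com/schema/fvdl" version="1.10">
  <Build><NumberFiles>12000</NumberFiles><LOC type="Fortify">3500000</LOC></Build>
  <Vulnerabilities>
    <Vulnerability><InstanceID>B1</InstanceID></Vulnerability>
    <Vulnerability><InstanceID>B2</InstanceID></Vulnerability>
    <Vulnerability><InstanceID>B3</InstanceID></Vulnerability>
    <Vulnerability><InstanceID>B4</InstanceID></Vulnerability>
    <Vulnerability><InstanceID>B5</InstanceID></Vulnerability>
  </Vulnerabilities>
  <EngineData>
    <EngineVersion>16.11.003</EngineVersion>
    <RulePacks><RulePack><RulePackID>core-java</RulePackID><Version>2016.4.0.0008</Version></RulePack></RulePacks>
    <Errors>
      <Error code="1103">Translator: src/legacy/Parser.java could not be parsed</Error>
      <Error code="1200">Insufficient memory: analysis of module billing was skipped</Error>
    </Errors>
  </EngineData>
</FVDL>"""

if __name__ == "__main__":
    # For real files: compare_scans(load_fvdl_from_fpr("a.fpr"), load_fvdl_from_fpr("b.fpr"))
    report = compare_scans(SCAN_A, SCAN_B)
    for key, value in report.items():
        print(f"{key}: {value}")
    print("finding counts directly comparable:", comparable(report))
```

The point of `comparable()` is that a delta in finding counts only means something once the engine, the Rulepack versions and the warning sets agree; in the constructed sample the second scan runs a newer engine and Rulepack and carries an extra memory warning, so its higher count cannot yet be attributed to any one of those causes.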