Examine the text output format. Run the SCA Engine on StringSearch.java as follows:
sourceanalyzer StringSearch.java
The output shows three issues.
Issue 1
[C9FE6AF8A29314E2DC22F0E9191802F8 : low : Unchecked Return Value : semantic ]
    StringSearch.java(18) : FileInputStream.read(0)
Issue 2
[2AE729678F97328125F563C53BEB1524 : medium : Resource Injection : data flow ]
    StringSearch.java(16) : -> new FileInputStream(0)
    StringSearch.java(14) : <=> (searchIn)
    StringSearch.java(6) : -> StringSearch.main(0)
Issue 3
[3A8FE7972DB6C28956AC54DF8E63424D : medium : Unreleased Resource : control flow ]
    StringSearch.java(16) : start -> loaded : fos.new FileInputStream(...)
    StringSearch.java(21) : loaded -> end_of_scope : #end_scope(fos)
The first line of the text output is the common root directory of all the files in which issues were reported; the file names on the issue lines are given relative to it. For example:
[/opt/FortifySoftware/SCAS3.1-EE/Tutorial/understand_results]
The first line of each issue has the following format:
[Instance ID : severity : category : analyzer ]
The instance ID uniquely identifies the finding, so the same issue can be recognized again in a later scan of the same code; the severity is the default rating assigned by the analyzer that reported it.
For example, Issue 1 reports that on line 18 in StringSearch.java the return value of FileInputStream.read() is not checked. read() returns the number of bytes actually read, or -1 at end of file, so code that ignores it may process bytes the call never filled or continue reading past the end of the file. The issue details also indicate that this was detected by the Semantic Analyzer and that, by default, it was assigned the severity low.
If the SCA Engine has more information about a particular issue, it includes the information on subsequent lines.
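Because the text output is line oriented, it is easy to turn into records for triage or for feeding a ticketing system. The following parser is an added example written for this page; it is not part of Fortify SCA, and it handles only the two line shapes visible on this page (a bracketed header, optionally followed by indented file(line) detail lines). The sample output it parses is constructed here to mirror the three issues above, and the class and field names are this example's own.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class ScaTextOutputParser {

    /** One reported issue: the header fields plus any detail or trace lines that follow it. */
    static final class Issue {
        final String instanceId;
        final String severity;
        final String category;
        final String analyzer;
        final List<String> trace = new ArrayList<>();

        Issue(String instanceId, String severity, String category, String analyzer) {
            this.instanceId = instanceId;
            this.severity = severity;
            this.category = category;
            this.analyzer = analyzer;
        }

        @Override
        public String toString() {
            return severity + " " + category + " [" + analyzer + "] " + instanceId
                    + (trace.isEmpty() ? "" : " @ " + trace.get(0));
        }
    }

    // Header line: [Instance ID : severity : category : analyzer ] optionally followed by
    // the first detail on the same line. The 32-hex-digit ID length is taken from the
    // sample output on this page and is an assumption of this example.
    private static final Pattern HEADER = Pattern.compile(
            "^\\[([0-9A-Fa-f]{32})\\s*:\\s*(\\w+)\\s*:\\s*([^:\\]]+?)\\s*:\\s*([^\\]]+?)\\s*\\]\\s*(.*)$");

    // Detail or trace line: file(line) : description
    private static final Pattern DETAIL = Pattern.compile("^\\S+\\(\\d+\\)\\s*:.*$");

    static List<Issue> parse(String output) {
        List<Issue> issues = new ArrayList<>();
        Issue current = null;
        for (String raw : output.split("\\R")) {
            String line = raw.trim();
            if (line.isEmpty()) {
                continue;
            }
            Matcher m = HEADER.matcher(line);
            if (m.matches()) {
                current = new Issue(m.group(1), m.group(2), m.group(3), m.group(4));
                if (!m.group(5).isEmpty()) {
                    current.trace.add(m.group(5));
                }
                issues.add(current);
            } else if (current != null && DETAIL.matcher(line).matches()) {
                current.trace.add(line);
            }
            // Anything else (the bracketed root directory, "Issue N" labels) is skipped:
            // the root line never matches HEADER because it has no ':' separated fields.
        }
        return issues;
    }

    public static void main(String[] args) {
        // Constructed sample mirroring the three issues shown in the tutorial output.
        String sample = String.join("\n",
            "[/opt/FortifySoftware/SCAS3.1-EE/Tutorial/understand_results]",
            "[C9FE6AF8A29314E2DC22F0E9191802F8 : low : Unchecked Return Value : semantic ]",
            "    StringSearch.java(18) : FileInputStream.read(0)",
            "[2AE729678F97328125F563C53BEB1524 : medium : Resource Injection : data flow ]",
            "    StringSearch.java(16) : -> new FileInputStream(0)",
            "    StringSearch.java(14) : <=> (searchIn)",
            "    StringSearch.java(6) : -> StringSearch.main(0)",
            "[3A8FE7972DB6C28956AC54DF8E63424D : medium : Unreleased Resource : control flow ]",
            "    StringSearch.java(16) : start -> loaded : fos.new FileInputStream(...)",
            "    StringSearch.java(21) : loaded -> end_of_scope : #end_scope(fos)");

        for (Issue issue : parse(sample)) {
            System.out.println(issue);
            // Triage rule for this example: anything above low gets its full trace printed.
            if (!issue.severity.equalsIgnoreCase("low")) {
                for (String hop : issue.trace) {
                    System.out.println("    " + hop);
                }
            }
        }
    }
}
```

Run it with `java ScaTextOutputParser` after compiling; to use it on a real scan, replace the constructed sample with the captured stdout of sourceanalyzer. The parser keeps the root directory out of the records on purpose, so join it to the file names yourself if you need absolute paths.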
For example, Issue 2 reports that line 16 in StringSearch.java contains a potential resource injection vulnerability: an attacker who controls the value passed to the FileInputStream constructor can choose which file the application opens. The subsequent lines of output trace the value backwards from that sink. It passes through the variable searchIn at line 14 and enters the program at line 6 as the first argument to StringSearch.main(), that is, from the command-line arguments. This issue is identified by the Data Flow Analyzer and assigned a medium risk.
Tainted values that cause data flow issues can pass through several hops (assignments, method calls and return values) between the point where they enter the program, the source, and the sensitive operation that finally uses them, the sink. The trace lists each hop with its file and line so you can follow the value by hand and check whether any validation along the way actually constrains it.
The Control Flow Analyzer can also provide additional information about an issue. Issue 3 reports that the FileInputStream created on line 16 and assigned to fos was not released before it went out of scope at line 21. The two trace lines show the states the analyzer tracks for the resource: it becomes loaded when the constructor runs and is still loaded when the enclosing scope ends, with no transition to a released state in between. In other words, the code fails to call close() on the resource. Note that a close() call placed after the last use is not enough on its own: if an exception is thrown between the constructor and that call, the resource still leaks. close() belongs in a finally block or, from Java 7 onwards, the stream belongs in a try-with-resources statement.
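The three findings above are typical of a small file-reading utility. The class below is an added example written for this page, not the tutorial's StringSearch.java, so its line numbers do not match the scan output. It shows the shape of code that produces all three findings next to a hardened version. The allowed directory, the size limit and the method names are assumptions of the example.

```java
import java.io.ByteArrayOutputStream;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

public class StringSearchExample {

    // ---- Shape that produces all three findings ----------------------------------
    static boolean searchUnsafe(String searchIn, String needle) throws IOException {
        // Resource Injection: searchIn is args[0], so the caller picks any readable file.
        FileInputStream fis = new FileInputStream(searchIn);
        byte[] buf = new byte[4096];
        // Unchecked Return Value: read() returns the byte count (or -1 at EOF); ignoring it
        // means the search runs over the whole buffer, including bytes that were never filled.
        fis.read(buf);
        String text = new String(buf, StandardCharsets.UTF_8);
        // Unreleased Resource: fis is never closed, and an exception above leaks it as well.
        return text.contains(needle);
    }

    // ---- Hardened shape ------------------------------------------------------------
    // Assumption for this example: searchable files live under one fixed directory.
    static final Path ALLOWED_ROOT = Paths.get("/var/app/searchable").toAbsolutePath().normalize();
    static final long MAX_BYTES = 10L * 1024 * 1024;

    /** Resolves a user-supplied name under ALLOWED_ROOT and rejects anything that escapes it. */
    static Path validateTarget(String userSupplied) {
        Path candidate = ALLOWED_ROOT.resolve(userSupplied).normalize();
        // resolve() discards ALLOWED_ROOT when the input is absolute and normalize() collapses
        // "..", so one startsWith check rejects both /etc/passwd and ../../etc/passwd.
        if (!candidate.startsWith(ALLOWED_ROOT)) {
            throw new IllegalArgumentException("refusing path outside allowed root: " + userSupplied);
        }
        return candidate;
    }

    static boolean searchSafe(String searchIn, String needle) throws IOException {
        Path target = validateTarget(searchIn);
        if (!Files.isRegularFile(target) || Files.size(target) > MAX_BYTES) {
            throw new IOException("not a regular file under the size limit: " + target);
        }
        // try-with-resources closes both streams on every exit path, including exceptions.
        try (InputStream in = Files.newInputStream(target);
             ByteArrayOutputStream out = new ByteArrayOutputStream()) {
            byte[] buf = new byte[4096];
            int n;
            // Honour read()'s return value: copy only the bytes actually read, loop until EOF.
            while ((n = in.read(buf)) != -1) {
                out.write(buf, 0, n);
            }
            // Decode once, after all bytes are collected, so multi-byte characters that
            // straddle a 4096-byte boundary are not split.
            String text = out.toString(StandardCharsets.UTF_8.name());
            return text.contains(needle);
        }
    }

    public static void main(String[] args) throws IOException {
        if (args.length != 2) {
            System.err.println("usage: java StringSearchExample <file-under-root> <string>");
            System.exit(2);
        }
        System.out.println(searchSafe(args[0], args[1]) ? "found" : "not found");
    }
}
```

The path check above is a lexical one; if ALLOWED_ROOT may contain symbolic links that point outside it, resolve the candidate with toRealPath() and compare it against the real path of the root as well. Rescanning the hardened version with sourceanalyzer is a useful check that the data flow finding disappears only because the validation actually sits on the path between main() and the stream constructor.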