Troubleshooting JSP Translation and Analysis Issues
The following sections provide troubleshooting information for translating and scanning JSP.
Unable to Translate Some JSPs
Fortify Static Code Analyzer uses either the built-in compiler or your specific application server JSP compiler to translate JSP files into Java files for analysis. If the JSP parser encounters problems when Fortify Static Code Analyzer converts JSP files to Java files, you will see a message similar to the following:
Failed to translate the following jsps into analysis model. Please see the log file for any errors from the jsp parser and the user manual for hints on fixing those
<list_of_jsp_files>
This typically happens for one or more of the following reasons:
- The web application is not laid out in a proper deployable WAR directory format
- Some JAR files or classes required for the application are missing
- Some tag libraries or their definitions (TLD) for the application are missing
To obtain more information about the problem, perform the following steps:
- Open the Fortify Static Code Analyzer log file in an editor.
- Search for the following strings:
  - Jsp parser stdout:
  - Jsp parser stderr:
- The JSP parser generates these errors. Resolve the errors and rerun Fortify Static Code Analyzer.
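The log search from the steps above, combined with a pre-flight check for the three causes listed earlier, as an added example that is not part of the Fortify documentation or tooling. The function names are hypothetical, the caller supplies the log path and the exploded web application root, and TLDs packaged inside JAR files are not inspected.

```shell
#!/bin/sh
# Added example (not Fortify tooling): triage for the causes listed above.

# Print, with line numbers, each log line that carries JSP parser output.
# Exit status 0 if any were found, 1 if the log contains none.
jsp_parser_lines() {
    grep -n -e 'Jsp parser stdout:' -e 'Jsp parser stderr:' "$1"
}

# List the distinct taglib URIs referenced by JSPs under a webapp root
# (assumes each taglib directive sits on one line with a double-quoted uri).
taglib_uris() {
    find "$1" -name '*.jsp' -exec \
        sed -n 's/.*<%@ *taglib[^>]*uri="\([^"]*\)".*/\1/p' {} + | sort -u
}

# Report layout problems for an exploded WAR; exit status 1 if any found.
check_webapp_layout() {
    root=$1
    status=0
    if [ ! -d "$root/WEB-INF" ]; then
        echo "MISSING WEB-INF directory under $root"
        status=1
    fi
    if [ ! -d "$root/WEB-INF/lib" ] && [ ! -d "$root/WEB-INF/classes" ]; then
        echo "MISSING WEB-INF/lib and WEB-INF/classes (no application classes)"
        status=1
    fi
    # TLDs packed inside JARs are not inspected here, so an unresolved URI
    # means "confirm a JAR in WEB-INF/lib supplies it", not a definite error.
    for uri in $(taglib_uris "$root"); do
        hit=$(find "$root/WEB-INF" -name '*.tld' -exec \
            grep -lF "<uri>$uri</uri>" {} + 2>/dev/null || true)
        if [ -z "$hit" ]; then
            echo "UNRESOLVED taglib uri: $uri"
            status=1
        fi
    done
    return $status
}
```

Run `check_webapp_layout` on the directory passed to the translation phase before rerunning, and use `jsp_parser_lines` on the log to jump straight to the parser output.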
For more information about scanning Jakarta EE applications, see Translating Jakarta EE (Java EE) Applications.
Increased Issue Counts in JSP-Related Categories
If the analysis results show a considerable increase in the number of vulnerabilities in JSP-related categories, such as cross-site scripting, compared with earlier Fortify Static Code Analyzer versions, you can specify the -legacy-jsp-dataflow option in the analysis phase (with the -scan option). This option enables additional filtering on JSP-related dataflow to reduce the number of false positives detected.
The equivalent property for this option that you can specify in the fortify-sca.properties file is com.fortify.sca.jsp.LegacyDataflow.