Troubleshooting JSP translation and analysis issues
The following sections provide troubleshooting information for JSP analysis.
Unable to translate some JSPs
OpenText SAST uses either the built-in compiler or your specific application server JSP compiler to translate JSP files into Java files for analysis. If the JSP parser encounters problems when OpenText SAST converts JSP files to Java files, you will see a message similar to the following:
Failed to translate the following jsps into analysis model. Please see the log file for any errors from the jsp parser and the user manual for hints on fixing those
<list_of_jsp_files>
This typically happens for one or more of the following reasons:
- The web application is not laid out in a proper deployable WAR directory format
- Some JAR files or classes required for the application are missing
- Some tag libraries or their definitions (TLD) for the application are missing
To obtain more information about the problem, perform the following steps:
- Open the OpenText SAST log file in an editor.
- Search for the following strings:
  - Jsp parser stdout:
  - Jsp parser stderr:
The JSP parser generates these errors. Resolve the errors and rerun OpenText SAST.
For more information about how to analyze Jakarta EE applications, see Translating Jakarta EE (Java EE) applications.
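A pre-flight check for the three causes listed above, as an added example that is not part of OpenText SAST or its documentation. It is a heuristic: it assumes taglib URIs resolve through TLD files under WEB-INF or in META-INF of JARs in WEB-INF/lib, and it ignores web.xml taglib mappings and tag libraries supplied by the application server. The function names and the sample web app are constructed for illustration.

```python
import re
import tempfile
import zipfile
from pathlib import Path

TAGLIB_URI = re.compile(r'<%@\s*taglib\b[^%]*?\buri\s*=\s*["\']([^"\']+)["\']')  # JSP directive
TLD_URI = re.compile(r"<uri>\s*([^<\s]+)\s*</uri>")  # <uri> element in a TLD file

def declared_tld_uris(web_inf):
    """Collect <uri> values from TLDs under WEB-INF and in META-INF of WEB-INF/lib JARs."""
    uris = set()
    for tld in web_inf.rglob("*.tld"):
        uris.update(TLD_URI.findall(tld.read_text(errors="replace")))
    for jar in (web_inf / "lib").glob("*.jar"):
        with zipfile.ZipFile(jar) as zf:
            for name in zf.namelist():
                if name.startswith("META-INF/") and name.endswith(".tld"):
                    uris.update(TLD_URI.findall(zf.read(name).decode("utf-8", "replace")))
    return uris

def preflight(webapp):
    """Heuristic findings for the three failure causes; webapp is a pathlib.Path."""
    web_inf = webapp / "WEB-INF"
    if not web_inf.is_dir():
        return ["layout: no WEB-INF directory, not a deployable WAR layout"]
    findings = []
    if not (web_inf / "classes").is_dir() and not any((web_inf / "lib").glob("*.jar")):
        findings.append("deps: no WEB-INF/classes and no JAR in WEB-INF/lib")
    known = declared_tld_uris(web_inf)
    for jsp in sorted(webapp.rglob("*.jsp")):
        for uri in TAGLIB_URI.findall(jsp.read_text(errors="replace")):
            # A context-relative URI may point straight at a TLD file in the app.
            direct = uri.startswith("/") and (webapp / uri.lstrip("/")).is_file()
            if uri not in known and not direct:
                findings.append(f"taglib: {jsp.relative_to(webapp).as_posix()} -> {uri}")
    return findings

def demo():
    """Constructed sample web app: one taglib URI resolves, one has no TLD."""
    root = Path(tempfile.mkdtemp())
    (root / "WEB-INF" / "lib").mkdir(parents=True)
    with zipfile.ZipFile(root / "WEB-INF" / "lib" / "tags.jar", "w") as zf:
        zf.writestr("META-INF/app.tld", "<taglib><uri>http://example.test/app</uri></taglib>")
    (root / "index.jsp").write_text('<%@ taglib prefix="a" uri="http://example.test/app" %>\n'
                                    '<%@ taglib prefix="m" uri="http://example.test/missing" %>\n')
    return preflight(root)

if __name__ == "__main__":
    print(demo())
```

A finding here is a pointer for where to look in the JSP parser output, not a replacement for reading the log.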
Increased issues count in JSP-related categories
If the analysis results show a considerable increase in the number of vulnerabilities in JSP-related categories, such as cross-site scripting, compared with earlier OpenText SAST versions, you can specify the -legacy-jsp-dataflow option in the analysis phase (with the -scan option). This option enables additional filtering on JSP-related dataflow to reduce the number of false positives detected.
The equivalent property for this option that you can specify in the fortify-sca.properties file is com.fortify.sca.jsp.LegacyDataflow.