Summary
Question
The site is using the fortify sca plugin in the below manner for some projects:
<profiles>
<profile>
<id>is-parent</id>
<activation>
<file> <exists>../ias-services-impl</exists> </file>
</activation>
<properties>
<fortify.sca.plugin.phase>skip</fortify.sca.plugin.phase>
</properties>
</profile>
</profiles>
The project repository holds multiple modules for example :
ias-services-impl/hyperloop-grizzly/pom.xml
ias-services-impl/ias-web/pom.xml
ias-services-impl/pom.xml
The way it is being built is, the project is built at the root and since these are submodules, they get built as and when its required then they trigger a down stream job of running the scan on the root level. What they are seeing in the log is the aggregate flag set to true. We went over the documentation for the plugin and tried few things to unset that value but a way has not been found, all the scan info for the sub projects are going into the same FPR.
Answer
Going in to Fortify_SCA_and_Apps_(version)\\plugins\\maven, unzip maven-plugin-bin.zip in the directory. Then go to docs\\index.html to open file in a browser editor.
from there click on Usage -> Direct Invocation and you will find the property fortify.sca.aggregate. This can be changed from true to false to stop this behavior.
eg -Dfortify.sca.aggregate=false