Using Fortify sca plugin aggregates results

  • KM03719258
  • 30-Sep-2020
  • 30-Sep-2020


How do you stop all the scan info for the sub projects going into the same FPR.


The site is using the fortify sca plugin in the below manner for some projects:
<file> <exists>../ias-services-impl</exists> </file>
The project repository holds multiple modules for example :
The way it is being built is, the project is built at the root and since these are submodules, they get built as and when its required then they trigger a down stream job of running the scan on the root level. What they are seeing in the log is the aggregate flag set to true. We went over the documentation for the plugin and tried few things to unset that value but a way has not been found, all the scan info for the sub projects are going into the same FPR. 


Going in to Fortify_SCA_and_Apps_(version)\\plugins\\maven, unzip in the directory. Then go to docs\\index.html to open file in a browser editor.
from there click on Usage -> Direct Invocation and you will find the property This can be changed from true to false to stop this behavior.