Fortify SCA 24.2.0 (was 23.1.1) (#40)

.github/workflows/fortify.yml

@@ -29,7 +29,7 @@ jobs:
         cache-name: fortify
       with:
         path: ./Fortify
-        key: fortify-23.1.1
+        key: fortify-24.2.0
 
     # https://github.com/gruntwork-io/fetch
     - uses: Homebrew/actions/setup-homebrew@master
@@ -50,21 +50,21 @@ jobs:
     - name: Install Fortify
       run: |
         if [[ ! -d Fortify ]] ; then
-          GITHUB_OAUTH_TOKEN=${{secrets.FORTIFY_INSTALLER_TOKEN}} fetch --repo="https://github.com/lightbend/scala-fortify" --tag="23.1.1_linux_x64" --release-asset="Fortify_SCA_23.1.1_linux_x64.run" .
-          chmod +x Fortify_SCA_23.1.1_linux_x64.run
+          GITHUB_OAUTH_TOKEN=${{secrets.FORTIFY_INSTALLER_TOKEN}} fetch --repo="https://github.com/lightbend/scala-fortify" --tag="24.2.0_linux_x64" --release-asset="Fortify_SCA_24.2.0_linux_x64.run" .
+          chmod +x Fortify_SCA_24.2.0_linux_x64.run
           mkdir Fortify
-          echo installdir=`pwd`/Fortify/Fortify_SCA_23.1.1 > Fortify_SCA_23.1.1_linux_x64.run.options
-          echo fortify_license_path=`pwd`/fortify.license >> Fortify_SCA_23.1.1_linux_x64.run.options
-          ./Fortify_SCA_23.1.1_linux_x64.run --mode unattended
+          echo installdir=`pwd`/Fortify/Fortify_SCA_24.2.0 > Fortify_SCA_24.2.0_linux_x64.run.options
+          echo fortify_license_path=`pwd`/fortify.license >> Fortify_SCA_24.2.0_linux_x64.run.options
+          ./Fortify_SCA_24.2.0_linux_x64.run --mode unattended
           # download the Scala security rules; VersionTests makes sure they're the ones we expect
-          ./Fortify/Fortify_SCA_23.1.1/bin/fortifyupdate
+          ./Fortify/Fortify_SCA_24.2.0/bin/fortifyupdate
         fi
 
     - name: Test
       run: |
         sbt ++${{matrix.scala}} compile
         rm -f target/vulnerabilities-actual.txt
-        ./Fortify/Fortify_SCA_23.1.1/bin/sourceanalyzer \
+        ./Fortify/Fortify_SCA_24.2.0/bin/sourceanalyzer \
           -b akka-http-webgoat \
           -logfile target/scan.log \
           -scan \

fortify.sbt

@@ -1,10 +1,10 @@
 // enable the plugin
 addCompilerPlugin(
-  "com.lightbend" %% "scala-fortify" % "1.1.0"
+  "com.lightbend" %% "scala-fortify" % "1.1.1-RC1"
     cross CrossVersion.patch)
 
 // configure the plugin
 scalacOptions ++= Seq(
-  "-P:fortify:scaversion=23.1",
+  "-P:fortify:scaversion=24.2",
   "-P:fortify:build=akka-http-webgoat"
 )

vulnerabilities-2.13.x.txt

@@ -189,6 +189,3 @@ Routes.scala(51) :  ->ProcessBuilder.!!(this)
         Routes.scala(139) : <=> (this)
     Routes.scala(139) : <->akka.http.webgoat.Routes$$anonfun$commandInjectionFromCookie$2.innerinit^(0->this)
     Routes.scala(138) :  ->akka.http.webgoat.Routes$$anonfun$commandInjectionFromCookie$1.apply(0)
-
-[C28720E53777D9E9CB1598CACD02F9E7 : low : J2EE Bad Practices : Leftover Debug Code : structural ]
-    BootWebGoat.scala(11)

vulnerabilities-3.x.txt

@@ -164,23 +164,3 @@ Routes.scala(51) :  ->ProcessBuilder.!!(this)
         Routes.scala(139) : <=> (this)
     Routes.scala(139) : <->akka.http.webgoat.Routes$commandInjectionFromCookie$lzyINIT1$$anonfun$1$$anonfun$1.innerinit^(0->this)
     Routes.scala(138) :  ->akka.http.webgoat.Routes$commandInjectionFromCookie$lzyINIT1$$anonfun$1.apply(0)
-
-[3C19C215BE7A8DF59CD47FC24DAF64B0 : low : Code Correctness : Constructor Invokes Overridable Function : structural ]
-    BootWebGoat.scala(16)
-    Function: akka.http.webgoat.BootWebGoat.BootWebGoat [BootWebGoat.scala(11)]
-        Function: akka.http.webgoat.BootWebGoat.system [BootWebGoat.scala(12)]
-
-[3C19C215BE7A8DF59CD47FC24DAF64B1 : low : Code Correctness : Constructor Invokes Overridable Function : structural ]
-    BootWebGoat.scala(16)
-    Function: akka.http.webgoat.BootWebGoat.BootWebGoat [BootWebGoat.scala(11)]
-        Function: akka.http.webgoat.BootWebGoat.system [BootWebGoat.scala(12)]
-
-[3C19C215BE7A8DF59CD47FC24DAF64B2 : low : Code Correctness : Constructor Invokes Overridable Function : structural ]
-    BootWebGoat.scala(21)
-    Function: akka.http.webgoat.BootWebGoat.BootWebGoat [BootWebGoat.scala(11)]
-        Function: akka.http.webgoat.BootWebGoat.system [BootWebGoat.scala(12)]
-
-[3C19C215BE7A8DF59CD47FC24DAF64B3 : low : Code Correctness : Constructor Invokes Overridable Function : structural ]
-    BootWebGoat.scala(33)
-    Function: akka.http.webgoat.BootWebGoat.BootWebGoat [BootWebGoat.scala(11)]
-        Function: akka.http.webgoat.BootWebGoat.system [BootWebGoat.scala(12)]