
Careful when scanning Struts-el JSPs with Fortify...

Been working on a client's issue for the last week or so.  Basically, they have some Java and JSP code that uses tags from struts-el in Struts 1.2.9.  The error, though, was strange: the translation step of sourceanalyzer was running into a Jasper parsing error while trying to handle one of the struts-el tags.  This line:

   <html-el:errors header="header"/>

was creating this error:

   [2010-03-25 18:29:53 INFO]

   Jsp parser stderr: org.apache.jasper.JasperException: file:C:/src/index.jsp(23,0) Unable to find setter method for attribute: header

Turns out Fortify SCA ships with its own collection of tag libraries, including struts-el.  The struts-el taglib shipped with Fortify 360 is older than what the code was using, so it didn't know of this header attribute of which the code spoke.

The quick workaround is to copy your struts-el.jar to Core\default_jars\jsp_tag_lib if you run into this.
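As an added example (this is not code from the original post or from Fortify), here is a small Python pre-check for exactly this situation: it compares the tag attributes declared in the project's struts-el jar with those in the copy the scanner bundles, and flags JSP tag usages that the bundled TLD does not declare. The TLD is used as a proxy for the tag class's setters, which is what Jasper actually complained about. The jar entry names, TLD contents and JSP lines below are constructed for the demo, and the file name of Fortify's bundled jar is assumed.

```python
"""Pre-check a project's JSP tag library against the copy a scanner bundles.

Added example, not from the original post. The sample TLDs, jars and JSP
are constructed for the demo; the scanner jar path in main() is assumed.
"""
import io
import re
import sys
import zipfile
import xml.etree.ElementTree as ET

# <prefix:tag attr="..." .../> on one line; enough for custom-tag usage checks.
TAG_RE = re.compile(r'<([\w-]+):([\w-]+)((?:\s+[\w-]+\s*=\s*"[^"]*")*)\s*/?>')
ATTR_RE = re.compile(r'([\w-]+)\s*=')


def _local(qname):
    """Strip an XML namespace so JSP 1.2 (no namespace) and 2.0 TLDs parse alike."""
    return qname.rsplit('}', 1)[-1]


def parse_tld(xml_bytes):
    """Return (short_name, {tag_name: set(attribute_names)}) for one TLD."""
    root = ET.fromstring(xml_bytes)
    short_name, tags = None, {}
    for child in root:
        if _local(child.tag) in ('short-name', 'shortname'):
            short_name = (child.text or '').strip()
    for tag_el in root.iter():
        if _local(tag_el.tag) != 'tag':
            continue
        name, attrs = None, set()
        for child in tag_el:
            if _local(child.tag) == 'name':
                name = (child.text or '').strip()
            elif _local(child.tag) == 'attribute':
                attrs.update((sub.text or '').strip()
                             for sub in child if _local(sub.tag) == 'name')
        if name:
            tags[name] = attrs
    return short_name, tags


def merge_tlds(jar_bytes):
    """Map 'short-name:tag' -> declared attributes across every *.tld in a jar."""
    merged = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for entry in zf.namelist():
            if not entry.lower().endswith('.tld'):
                continue
            short_name, tags = parse_tld(zf.read(entry))
            for tag, attrs in tags.items():
                merged.setdefault(f'{short_name}:{tag}', set()).update(attrs)
    return merged


def missing_attributes(project_jar, scanner_jar):
    """Attributes the project's taglib declares that the scanner's copy lacks."""
    project, scanner = merge_tlds(project_jar), merge_tlds(scanner_jar)
    return {key: sorted(attrs - scanner.get(key, set()))
            for key, attrs in project.items() if attrs - scanner.get(key, set())}


def unsupported_jsp_attributes(jsp_source, scanner_jar):
    """(line, 'prefix:tag', attribute) for usages the scanner's TLD does not declare.

    Assumes the JSP prefix equals the TLD short-name, as with 'html-el' here.
    """
    scanner = merge_tlds(scanner_jar)
    findings = []
    for lineno, line in enumerate(jsp_source.splitlines(), 1):
        for prefix, tag, attr_blob in TAG_RE.findall(line):
            key = f'{prefix}:{tag}'
            if key not in scanner:
                continue  # not a library the scanner bundles; nothing to compare
            findings.extend((lineno, key, a) for a in ATTR_RE.findall(attr_blob)
                            if a not in scanner[key])
    return findings


def _tld(errors_attrs):
    """Constructed struts-html-el.tld declaring only the <errors> tag."""
    attrs = ''.join(f'<attribute><name>{a}</name><required>false</required>'
                    f'<rtexprvalue>true</rtexprvalue></attribute>' for a in errors_attrs)
    return ('<?xml version="1.0" encoding="ISO-8859-1"?>\n'
            '<!DOCTYPE taglib PUBLIC "-//Sun Microsystems, Inc.//DTD JSP Tag Library 1.2//EN"\n'
            '  "http://java.sun.com/dtd/web-jsptaglibrary_1_2.dtd">\n'
            '<taglib><tlib-version>1.2</tlib-version><jsp-version>1.2</jsp-version>\n'
            '<short-name>html-el</short-name><uri>http://struts.apache.org/tags-html-el</uri>\n'
            '<tag><name>errors</name><tag-class>org.apache.strutsel.taglib.html.ELErrorsTag</tag-class>\n'
            f'<body-content>empty</body-content>{attrs}</tag></taglib>\n').encode('iso-8859-1')


def make_jar(entries):
    """Build an in-memory jar (zip) from {entry_name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed stand-ins: the project's newer taglib knows header/footer,
# the scanner's older bundled copy does not.
PROJECT_JAR = make_jar({'META-INF/struts-html-el.tld':
                        _tld(['bundle', 'locale', 'name', 'property', 'header', 'footer'])})
SCANNER_JAR = make_jar({'META-INF/struts-html-el.tld':
                        _tld(['bundle', 'locale', 'name', 'property'])})
SAMPLE_JSP = ('<%@ taglib uri="http://struts.apache.org/tags-html-el" prefix="html-el" %>\n'
              '<html-el:errors header="header"/>\n'
              '<html-el:errors property="username" bundle="app"/>\n')

if __name__ == '__main__':
    # Real use (scanner jar path assumed):
    #   python check_taglib.py lib/struts-el.jar Core/default_jars/jsp_tag_lib/struts-el.jar index.jsp
    if len(sys.argv) == 4:
        proj, scan = open(sys.argv[1], 'rb').read(), open(sys.argv[2], 'rb').read()
        jsp = open(sys.argv[3], encoding='utf-8', errors='replace').read()
    else:
        proj, scan, jsp = PROJECT_JAR, SCANNER_JAR, SAMPLE_JSP
    print('declared in project taglib, missing from scanner copy:', missing_attributes(proj, scan))
    for lineno, key, attr in unsupported_jsp_attributes(jsp, scan):
        print(f'line {lineno}: <{key}> uses attribute "{attr}" unknown to the scanner TLD')
```

Run against the demo data it reports `header` and `footer` as missing from the scanner's copy of `html-el:errors`, and points at line 2 of the JSP, the same line Jasper rejected above. Run against the real jars before a scan, it tells you in advance whether the bundled taglib needs to be replaced with your own.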

Fortify Engineering's looking into this still - I expect them to announce it as a bug, and it'll go through their usual paths.

There's a slightly larger issue to this, though: since Fortify's using these libraries, you're introducing a false sense of security, as your code is only as secure as the lib that Fortify is using - in theory your version of those taglibs could have security issues, which might be missed as a result of this process...

UPDATE (3/29/2010) - turns out there's an undocumented way to get around this.  I'm fairly slammed this week but will try to get a post up in the next few days.