When excluding a few source files that have compilation errors from a scan, why does IBM Security AppScan Source report compilation errors for some of the excluded files but not for all of them?
AppScan Source never reports findings from excluded files. However, there is some confusion about what exclusion means during compilation and whether excluded files are actually compiled as part of the scan.
During a Java/JSP scan, the directory containing the .jsp files is passed to the JSP compiler. As a result, the JSP compiler attempts to precompile every .jsp in that location, regardless of whether it was included in or excluded from the AppScan Source project.
In the example below, you can see that the staging directory is passed to the Tomcat JSP Compiler:
Command Line:../java -classpath <class_path> org.apache.jasper.JspC -compile ... "/<project>_staging/WEB-INF/classes" -uriroot "/<project>_staging"
If there are errors and the JSP compiler fails, AppScan Source then attempts to precompile the individual .jsps. It does this by checking each .jsp in the project's include list to see whether a corresponding .class file exists in the staging directory.
If the .class file exists, the .jsp was successfully compiled. If it does not exist, a command is executed to precompile just that one .jsp. This is done only for the included .jsps, not the excluded ones.
For this reason, you may see a compilation error in the AppScan Source console for one of the excluded .jsp files but not for the others that were excluded: because the JSP compiler exited early, the remaining excluded .jsps were never actually precompiled, and as excluded files they are not precompiled individually either.
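The fallback step described above, as an added illustration (this is not AppScan Source's own code): it walks the project's include list and reports the .jsps whose .class file is missing from the staging directory. It assumes Jasper's default mapping of /dir/page.jsp to org/apache/jsp/dir/page_jsp.class under WEB-INF/classes; names that Jasper would mangle (for example directories containing a hyphen) are not handled, and the staging directory and include list in the demo are constructed.

```sh
#!/bin/sh
# Added illustration (not AppScan Source's own code) of the fallback step:
# after the batch JspC run fails, walk the project's include list and find the
# .jsps whose .class is missing from the staging directory.
# Assumption: Jasper's default naming, /dir/page.jsp -> org/apache/jsp/dir/page_jsp.class
# (names needing Jasper's identifier mangling, e.g. "my-dir", are not handled).

# Path of the .class file JspC would have written for one .jsp (path relative to uriroot).
jsp_class_path() {
    staging="$1"; jsp="$2"
    rel="${jsp#/}"            # drop the leading slash
    base="${rel%.jsp}"        # drop the .jsp extension
    printf '%s/WEB-INF/classes/org/apache/jsp/%s_jsp.class\n' "$staging" "$base"
}

# Print, one per line, the included .jsps that still need an individual precompile.
# $1 = staging directory, $2 = file listing the project's included .jsps, one per line.
# Excluded .jsps never appear in that list, so they are never checked or recompiled here.
jsps_needing_precompile() {
    staging="$1"; includes="$2"
    while IFS= read -r jsp; do
        [ -n "$jsp" ] || continue
        if [ ! -f "$(jsp_class_path "$staging" "$jsp")" ]; then
            echo "$jsp"
        fi
    done < "$includes"
}

# Demo on a constructed staging directory: the batch run produced only login_jsp.class
# before failing. report.jsp (included) is flagged; an excluded broken.jsp is never looked at.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/WEB-INF/classes/org/apache/jsp/admin"
    : > "$tmp/WEB-INF/classes/org/apache/jsp/admin/login_jsp.class"
    printf '/admin/login.jsp\n/admin/report.jsp\n' > "$tmp/includes.txt"
    jsps_needing_precompile "$tmp" "$tmp/includes.txt"   # prints /admin/report.jsp
    rm -rf "$tmp"
}
demo
```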