对比AppScan Source和Fortify扫描AltoroJ的结果

1、漏洞总数
AppScan Source：91
Fortify：121

2、Disclaimer.htm:34(Cross-Site Scripting:DOM)的漏洞Fortify能扫描出来，AppScan Source扫描不出来
另外，Fortify能扫描出比较多Persistent类型的XSS漏洞
并且归类比较好（分DOM、Persistent、Reflected类型列出）

3、AdminLoginServlet.java:35(Password Management:Hardcoded Password)的漏洞Fortify能扫描出来，AppScan Source扫描不出来

4、Fortify扫出的DBUtil.java:238(Access Control:Database)在AppScan中被归类到SQL Injection

5、admin.jsp:18(Password Management:Empty Password)属于误报

6、Fortify会报比较多这类问题：
Code Correctness：Class Does Not Implement equals
Hardcoded Domain in HTML
Hidden Field
J2EE Bad Practices
J2EE Misconfiguration
Missing Check against Null
Password Management:Password in Comment
Poor Error Handling
System Information Leak:Incomplete Servlet Error Handling

7、Fortify会报比较多transfer.jsp:32(Cross-Site Request Forgery)这类CSRF的问题，而AppScan Source没有扫出来

8、Fortify有扫出ServletUtil.java(Missing XML Validation)的问题，而AppScan Source没有扫出来

9、Fortify有扫出AdminServlet.java:65(Redundant Null Check)的问题，而AppScan Source没有扫出来