Micro Focus

Fortify Static Code Analyzer

Software Version: 22.2.0

User Guide

Document Release Date: November 2022

Software Release Date: November 2022

User Guide

Legal Notices

Micro Focus

The Lawn

22-30 Old Bath Road

Newbury, Berkshire RG14 1QN

UK

https://www.microfocus.com

Warranty

The only warranties for products and services of Micro Focus and its affiliates and licensors (“Micro Focus”) are set forth in the

express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an

additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained herein. The

information contained herein is subject to change without notice.

Restricted Rights Legend

Confidential computer software. Except as specifically indicated otherwise, a valid license from Micro Focus is required for

possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software

Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard

commercial license.

Copyright Notice

Trademark Notices

All trademarks, service marks, product names, and logos included in this document are the property of their respective owners.

Documentation Updates

The title page of this document contains the following identifying information:

l

Software Version number

l

Document Release Date, which changes each time the document is updated

l

Software Release Date, which indicates the release date of this version of the software

This document was produced on November 10, 2022. To check for recent updates or to verify that you are using the most

recent edition of a document, go to:

https://www.microfocus.com/support/documentation

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 2 of 223

User Guide

Contents

Preface

13

Contacting Micro Focus Fortify Customer Support

For More Information

About the Documentation Set

Fortify Product Feature Videos

Change Log

14

Chapter 1: Introduction

17

Fortify Static Code Analyzer

Fortify Software Security Content

Fortify ScanCentral SAST

Fortify Scan Wizard

Sample Projects

See Also

"Regex Analysis Properties" on page 195

"Mobile Build Sessions" on page 45

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 48 of 223

User Guide

Chapter 3: Analysis Process Overview

Translation and Analysis Phase Verification

Micro Focus Fortify Audit Workbench result certification indicates whether the code analysis from a

scan is complete and valid. The project summary in Fortify Audit Workbench shows the following

specific information about Fortify Static Code Analyzer scanned code:

l

List of files scanned, with file sizes and timestamps

l

Java class path used for the translation (if applicable)

l

Rulepacks used for the analysis

l

Fortify Static Code Analyzer runtime settings and command-line options

l

Any errors or warnings encountered during translation or analysis

l

Machine and platform information

Note: To obtain result certification, you must specify FPR for the analysis phase output format.

To view result certification information, open the FPR file in Fortify Audit Workbench and select Tools

> Project Summary > Certification. For more information, see the Micro Focus Fortify Audit

Workbench User Guide.

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 49 of 223

Chapter 4: Translating Java Code

This section describes how to translate Java code.

Fortify Static Code Analyzer supports analysis of Jakarta EE (Java EE) applications (including JSP

files, configuration files, and deployment descriptors), Java Bytecode, and Java code with Lombok

annotations.

This section contains the following topics:

Java Command-Line Syntax

Handling Java Warnings

Translating Jakarta EE (Java EE) Applications

Translating Java Bytecode

Troubleshooting JSP Translation and Analysis Issues

Java Command-Line Syntax

To translate Java code, all types defined in a library that are referenced in the code must have a

corresponding definition in the source code, a class file, or a JAR file. Include all source files on the

Fortify Static Code Analyzer command line.

If your project contains Java code that refers to Kotlin code, make sure that the Java and Kotlin code

are translated in the same Fortify Static Code Analyzer instance so that the Java references to Kotlin

elements are resolved correctly. Kotlin to Java interoperability does not support Kotlin files provided

by the –sourcepath option. For more information about the –sourcepath option, see "Java

Command-Line Options" on the next page

The basic command-line syntax to translate Java code is shown in the following example:

sourceanalyzer -b <build_id> -cp <classpath> <files>

With Java code, Fortify Static Code Analyzer can either:

l

Emulate the compiler, which might be convenient for build integration

l

Accept source files directly, which is convenient for command-line scans

For information about integrating Fortify Static Code Analyzer with Ant, see "Ant Integration" on

page 116.

To have Fortify Static Code Analyzer emulate the compiler, type:

sourceanalyzer -b <build_id> javac [<translation_options>]

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 50 of 223

User Guide

Chapter 4: Translating Java Code

To pass files directly to Fortify Static Code Analyzer, type:

sourceanalyzer -b <build_id> -cp <classpath> [<translation_options>]

where:

l

<translation_options> are options passed to the compiler.

l

-cp <classpath> specifies the class path to use for the Java source code.

Include all JAR dependencies normally used to build the project. Separate multiple paths with

semicolons (Windows) or colons (non-Windows).

Similar to javac, Fortify Static Code Analyzer loads classes in the order they appear in the class

path. If there are multiple classes with the same name in the list, Fortify Static Code Analyzer uses

the first loaded class. In the following example, if both A.jar and B.jar include a class called

MyData.class, Fortify Static Code Analyzer uses the MyData.class from A.jar.

sourceanalyzer -cp A.jar:B.jar myfile.java

Fortify strongly recommends that you avoid using duplicate classes with the -cp option.

Fortify Static Code Analyzer loads JAR files in the following order:

a.

b.

c.

From the -cp option

From jre/lib

From <sca_install_dir>/Core/default_jars

This enables you to override a library class by including the similarly-named class in a

JAR specified with the -cp option.

For descriptions of all the available Java-specific command-line options, see "Java Command-Line

Options" below.

Java Command-Line Options

The following table describes the Java command-line options (for Java SE and Jakarta EE).

Java or Jakarta EE Option

Description

Specifies the application server to process JSP files.

-appserver

weblogic | websphere

Equivalent Property Name:

com.fortify.sca.AppServer

Specifies the application server’s home.

-appserver-home <dir>

l

For WebLogic, this is the path to the directory that

contains the server/lib directory.

l

For WebSphere, this is the path to the directory that

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 51 of 223

User Guide

Chapter 4: Translating Java Code

Java or Jakarta EE Option

Description

contains the JspBatchCompiler script.

Equivalent Property Name:

com.fortify.sca.AppServerHome

Specifies the version of the application server.

-appserver-version

Equivalent Property Name:

com.fortify.sca.AppServerVersion

Specifies the class path to use for analyzing Java source

code. The format is the same as javac: a semicolon- or colon-

separated list of directories. You can use Fortify Static Code

Analyzer file specifiers as shown in the following example:

-cp <dirs> |

-classpath <dirs>

-cp "build/classes:lib/*.jar"

For information about file specifiers, see "Specifying Files

and Directories" on page 133.

Equivalent Property Name:

com.fortify.sca.JavaClasspath

-extdirs <dirs>

Similar to the javac extdirs option, accepts a semicolon- or

colon-separated list of directories. Any JAR files found in

these directories are included implicitly on the class path.

Equivalent Property Name:

com.fortify.sca.JavaExtdirs

Specifies one or more directories that contain compiled Java

sources.

-java-build-dir <dirs>

Indicates the JDK version for which the Java code is written.

See the Micro Focus Fortify Software System Requirements

document for supported versions. The default is Java 1.8.

-source <version> |

-jdk <version>

Equivalent Property Name:

com.fortify.sca.JdkVersion

Displays any unresolved types, fields, and functions

referenced in translated Java source files at the end of the

translation. It lists only field and function references for

which the receiver type is a resolved Java type. Displays

-show-unresolved-symbols

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 52 of 223

User Guide

Chapter 4: Translating Java Code

Java or Jakarta EE Option

Description

each class, field, and function with the source information of

the first translated occurrence in the code. This information

is also written to the log file.

Equivalent Property Name:

com.fortify.sca.ShowUnresolvedSymbols

Specifies a semicolon- or colon-separated list of directories

that contain source code that is not included in the scan but

is used for name resolution. The source path is similar to

class path, except it uses source files instead of class files for

resolution. Only source files that are referenced by the

target file list are translated.

-sourcepath <dirs>

Equivalent Property Name:

com.fortify.sca.JavaSourcePath

Java Command-Line Examples

To translate a single file named MyServlet.java with javaee.jar as the class path, type:

sourceanalyzer -b MyServlet -cp lib/javaee.jar MyServlet.java

To translate all .java files in the src directory using all JAR files in the lib directory as a class path,

type:

sourceanalyzer -b MyProject -cp "lib/*.jar" "src/**/*.java"

To translate and compile the MyCode.java file with the javac compiler, type:

sourceanalyzer -b MyProject javac -classpath libs.jar MyCode.java

Handling Java Warnings

To see all warnings that were generated during translation, type the following command before you

start the scan phase:

sourceanalyzer -b <build_id> -show-build-warnings

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 53 of 223

User Guide

Chapter 4: Translating Java Code

Java Translation Warnings

You might see the following warnings for when translating Java code.

Warning

Description / Resolution

These warnings are typically caused by

missing resources. For example, some of

Unable to resolve type...

Unable to resolve function...

Unable to resolve field...

Unable to locate import...

Unable to resolve symbol...

the .jar and .class files required to

build the application might not have been

specified

To resolve these warnings, make sure that

you include all the required files that your

application uses.

This warning is typically caused by

duplicate classes in the Java files.

Multiple definitions found for class...

To resolve these warnings, make sure that

the source files displayed in the warning

are not duplicates of a same file included

several times in the sources to translate

(for example if it contains two versions of

the same project). If a duplicate exists,

remove one of them from the files to

translate. Then Fortify Static Code

Analyzer can determine which version of

the class to use.

Translating Jakarta EE (Java EE) Applications

To translate Jakarta EE applications, Fortify Static Code Analyzer processes Java source files and

Jakarta EE components such as JSP files, deployment descriptors, and configuration files. While you

can process all the pertinent files in a Jakarta EE application in one step, your project might require

that you break the procedure into its components for integration in a build process or to meet the

needs of various stakeholders in your organization.

Translating Java Files

To translate Jakarta EE applications, use the same procedure used to translate Java files. For

examples, see "Java Command-Line Examples" on the previous page.

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 54 of 223

User Guide

Chapter 4: Translating Java Code

Translating JSP Projects, Configuration Files, and Deployment

Descriptors

In addition to translating the Java files in your Jakarta EE (Java EE) application, you might also need

to translate JSP files, configuration files, and deployment descriptors. Your JSP files must be part of a

Web Application Archive (WAR). If your source directory is already organized in a WAR file format,

you can translate the JSP files directly from the source directory. If not, you might need to deploy

your application and translate the JSP files from the deployment directory.

For example:

sourceanalyzer -b MyJavaApp "/**/*.jsp" "/**/*.xml"

where /**/*.jsp refers to the location of your JSP project files and /**/*.xml refers to the location

of your configuration and deployment descriptor files.

Jakarta EE (Java EE) Translation Warnings

You might see the following warning in the translation of Jakarta EE applications:

Could not locate the root (WEB-INF) of the web application. Please build

your web application and try again. Failed to parse the following jsp

files:

<list_of_jsp_files>

This warning indicates that your web application is not deployed in the standard WAR directory

format or does not contain the full set of required libraries. To resolve the warning, make sure that

your web application is in an exploded WAR directory format with the correct WEB-INF/lib and

WEB-INF/classes directories containing all the .jar and .class files required for your application.

Also verify that you have all the TLD files for all your tags and the corresponding JAR files with their

tag implementations.

Translating Java Bytecode

Fortify recommends that you do not translate Java bytecode and JSP/Java code in the same call to

sourceanalyzer. Use multiple invocations of sourceanalyzer with the same build ID to translate a

project that contains both bytecode and JSP/Java code.

In addition to translating source code, you can translate the Java bytecode in your project. To

translate bytecode, you have the following two options:

l

Request that Fortify Static Code Analyzer decompile the bytecode classes to regular Java files for

inclusion in the translation.

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 55 of 223

User Guide

Chapter 4: Translating Java Code

To have the bytecode decompiled for the translation, add the following property to the fortify-

sca.properties file (or include this property on the command line using the -D option):

com.fortify.sca.DecompileBytecode=true

l

Request that Fortify Static Code Analyzer translate bytecode without decompilation.

For best results, Fortify recommends that the bytecode be compiled with full debug information

(javac -g).

To include bytecode in the Fortify Static Code Analyzer translation:

a.

Add the following properties to the fortify-sca.properties file (or include these

properties on the command line using the -D option):

com.fortify.sca.fileextensions.class=BYTECODE

com.fortify.sca.fileextensions.jar=ARCHIVE

This specifies how Fortify Static Code Analyzer processes .class and .jar files.

b. In the Fortify Static Code Analyzer translation phase, specify the Java bytecode files that you

want to translate. For best performance, specify only the .jar or .class files that require

scanning.

In the following example, the .class files are translated:

sourceanalyzer -b MyProject -cp "lib/*.jar" "src/**/*.class"

Troubleshooting JSP Translation and Analysis Issues

The following sections provide troubleshooting information for translating and scanning JSP.

Unable to Translate Some JSPs

Fortify Static Code Analyzer uses either the built-in compiler or your specific application server JSP

compiler to translate JSP files into Java files for analysis. If the JSP parser encounters problems when

Fortify Static Code Analyzer converts JSP files to Java files, you will see a message similar to the

following:

Failed to translate the following jsps into analysis model. Please see the

log file for any errors from the jsp parser and the user manual for hints

on fixing those

<list_of_jsp_files>

This typically happens for one or more of the following reasons:

l

The web application is not laid out in a proper deployable WAR directory format

l

Some JAR files or classes required for the application are missing

l

Some tag libraries or their definitions (TLD) for the application are missing

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 56 of 223

User Guide

Chapter 4: Translating Java Code

To obtain more information about the problem, perform the following steps:

1. Open the Fortify Static Code Analyzer log file in an editor.

2. Search for the following strings:

l

Jsp parser stdout:

l

Jsp parser stderr:

The JSP parser generates these errors. Resolve the errors and rerun Fortify Static Code Analyzer.

For more information about scanning Jakarta EE applications, see "Translating Jakarta EE (Java EE)

Applications" on page 54.

Increased Issues Counts in JSP-Related Categories

If the analysis results contain a considerable increase in the number of vulnerabilities in JSP-related

categories such as cross-site scripting compared with earlier Fortify Static Code Analyzer versions,

you can specify the -legacy-jsp-dataflow option in the analysis phase (with the -scan option).

This option enables additional filtering on JSP-related dataflow to reduce the number of spurious

false positives detected.

The equivalent property for this option that you can specify in the fortify-sca.properties file is

com.fortify.sca.jsp.LegacyDataflow.

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 57 of 223

Chapter 5: Translating Kotlin Code

This section describes how to translate Kotlin code.

This section contains the following topics:

Kotlin Command-Line Syntax

58

60

61

Kotlin and Java Translation Interoperability

Translating Kotlin Scripts

Kotlin Command-Line Syntax

The translation of Kotlin code is similar to the translation of Java code. To translate Kotlin code, all

types defined in a library that are referenced in the code must have a corresponding definition in the

source code, a class file, or a JAR file. Include all source files on the Fortify Static Code Analyzer

command line.

The basic command-line syntax to translate Kotlin code is shown in the following example:

sourceanalyzer –b <build_id> -cp <classpath> [<translation_options>]

<files>

where

l

-cp <classpath> specifies the class path to use for the Kotlin source code.

Include all JAR dependencies normally used to build the project. Separate multiple paths with

semicolons (Windows) or colons (non-Windows).

Fortify Static Code Analyzer loads classes in the order they appear in the class path. If there are

multiple classes with the same name in the list, Fortify Static Code Analyzer uses the first loaded

class. In the following example, if both A.jar and B.jar include a class called MyData.class,

Fortify Static Code Analyzer uses the MyData.class from A.jar.

sourceanalyzer –cp "A.jar:B.jar" myfile.kt

Fortify strongly recommends that you avoid using duplicate classes with the -cp option.

For descriptions of all the available Kotlin-specific command-line options, see "Kotlin Command-Line

Options" on the next page.

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 58 of 223

User Guide

Chapter 5: Translating Kotlin Code

Kotlin Command-Line Options

The following table describes the Kotlin-specific command-line options.

Kotlin Option

Description

Specifies the class path to use for translating Kotlin source

code, which is a semicolon- or colon-separated list of

directories. You can use Fortify Static Code Analyzer file

specifiers as shown in the following example:

-cp <paths> |

-classpath <dirs>

-cp "build/classes:lib/*.jar"

For information about file specifiers, see "Specifying Files

and Directories" on page 133.

Equivalent Property Name:

com.fortify.sca.JavaClasspath

Indicates the JDK version for which the Kotlin code is

written. See the Micro Focus Fortify Software System

Requirements document for supported versions. The default

is Java 1.8.

-source <version> |

-jdk <version>

Equivalent Property Name:

com.fortify.sca.JdkVersion

Specifies a semicolon- or colon-separated list of directories

that contain Java source code that is not included in the

scan but is used for name resolution. The source path is

similar to class path, except it uses source files instead of

class files for resolution. Only source files that are

referenced by the target file list are translated.

-sourcepath <dirs>

Equivalent Property Name:

com.fortify.sca.JavaSourcePath

-jvm-default <mode>

Specifies the generation of the DefaultImpls class for

methods with bodies in Kotlin interfaces. The valid values

for <mode> are:

l

disable—Specifies to generate the DefaultImpls class

for each interface that contains methods with bodies.

l

all—Specifies to generate the DefaultImpls class if an

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 59 of 223

User Guide

Chapter 5: Translating Kotlin Code

Kotlin Option

Description

interface is annotated with

@JvmDefaultWithCompatibility.

l

all-compatibility—Specifies to generate the

DefaultImpls class unless an interface is annotated

with @JvmDefaultWithoutCompatibility.

Equivalent Property Name:

com.fortify.sca.KotlinJvmDefault

Kotlin Command-Line Examples

To translate a single file named MyKotlin.kt with A.jar as the class path, type:

sourceanalyzer -b MyProject -cp lib/A.jar MyKotlin.kt

To translate all .kt files in the src directory using all JAR files in the lib directory as a class path,

type:

sourceanalyzer -b MyProject -cp "lib/**/*.jar" "src/**/*.kt"

To translate and scan a gradle project using gradlew, type:

sourceanalyzer -b MyProject gradlew clean assemble

sourceanalyzer -b MyProject -scan –f MyResults.fpr

To translate all files in the src directory using Java dependencies from src/java and all JAR files in

the lib directory and subdirectories as a class path, type:

sourceanalyzer –b MyProject –cp "lib/**/*.jar" -sourcepath "src/java" "src"

Kotlin and Java Translation Interoperability

If your project contains Kotlin code that refers to Java code, you can provide Java files to the

translator the same way as Kotlin files that refers to another Kotlin file. You can provide them as part

of the translated project source or as –sourcepath parameters.

If your project contains Java code that refers to Kotlin code, make sure that the Java and Kotlin code

are translated in the same Fortify Static Code Analyzer instance so that the Java references to Kotlin

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 60 of 223

User Guide

Chapter 5: Translating Kotlin Code

elements are resolved correctly. Kotlin to Java interoperability does not support Kotlin files provided

by the –sourcepath option. For more information about the –sourcepath option, see "Kotlin

Command-Line Options" on page 59

Translating Kotlin Scripts

Fortify Static Code Analyzer supports translation of Kotlin scripts excluding the experimental script

customization. Script customization includes adding external properties, providing static or dynamic

dependencies, and so on. Script definitions (templates) are used to create custom scripts and the

template is applied to the script based on the *.kts file extension. Fortify Static Code Analyzer

translates *.kts files but does not apply these templates.

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 61 of 223

Chapter 6: Translating Visual Studio and

MSBuild Projects

Fortify Static Code Analyzer supports translation of the following types of projects built with Visual

Studio or MSBuild:

l

C/C++ projects

l

.NET projects written in C# or Visual Basic (VB.NET)

This includes projects that target .NET, .NET Framework, .NET Core, and .NET Standard

l

ASP.NET applications

This includes applications that make use of the ASP.NET Core framework

l

Xamarin applications that target Android and iOS platforms

For the list of supported versions of relevant programming languages and frameworks, as well as

Visual Studio and MSBuild, see the Micro Focus Fortify Software System Requirements document.

This section contains the following topics:

Visual Studio and MSBuild Project Translation Prerequisites

62

63

65

Visual Studio and MSBuild Project Translation Command-Line Syntax

Handling Special Cases for Translating Visual Studio and MSBuild Projects

Alternative Ways to Translate Visual Studio and MSBuild Projects

Visual Studio and MSBuild Project Translation

Prerequisites

Important! Fortify Static Code Analyzer supports translation of Visual Studio and MSBuild

projects on Windows systems only.

Fortify recommends that each project you translate is complete and that you perform the translation

in an environment where you can build it without errors. A complete project contains the following:

l

All necessary source code files (C/C++, C#, or VB.NET)

l

All required reference libraries

This includes those from relevant frameworks, NuGet packages, and third-party libraries.

l

For C/C++ projects, include all necessary header files that do not belong to the Visual Studio or

MSBuild installation

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 62 of 223

User Guide

Chapter 6: Translating Visual Studio and MSBuild Projects

l

For ASP.NET and ASP.NET Core projects, include all the necessary ASP.NET page files

The supported ASP.NET page types are ASAX, ASCX, ASHX, ASMX, ASPX, AXML, BAML, CSHTML,

Master, RAZOR, VBHTML, and XAML.

Visual Studio and MSBuild Project Translation

Command-Line Syntax

The basic syntax to translate Visual Studio or MSBuild projects is to append an MSBuild command

that builds the project to the Fortify Static Code Analyzer command. The following command

translates a Visual Studio solution called Sample.sln:

sourceanalyzer –b <build_id> msbuild /t:rebuild Sample.sln

This command builds and translates the solution or project. Fortify strongly recommends you run this

command from the Developer Command Prompt for Visual Studio to ensure an optimal environment

for the translation.

Important! When you translate from the Developer Command Prompt for Visual Studio

environment, Fortify recommends that you run the dotnet restore command before you run

the Fortify Static Code Analyzer translation. You must run this command from the top-level folder

of the project. This ensures that all required reference libraries are downloaded and installed in

the project.

After the translation is complete, you can perform the analysis phase as shown in the following

example:

sourceanalyzer –b <build_id> -scan -f <results>.fpr

Handling Special Cases for Translating Visual Studio

and MSBuild Projects

Running Translation from a Script

As stated previously, Fortify recommends that you run the Fortify Static Code Analyzer translation of

Visual Studio and MSBuild projects from the Developer Command Prompt for Visual Studio. To

perform the translation in a non-interactive mode such as with a script, establish an optimal

environment for translation by executing the following command before you run the Fortify Static

Code Analyzer translation:

cmd.exe /k <vs_install_dir>/Common7/Tools/VSDevCmd.bat

where <vs_install_dir> is the directory where you installed Visual Studio.

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 63 of 223

User Guide

Chapter 6: Translating Visual Studio and MSBuild Projects

Translating Plain .NET and ASP.NET Projects

You can translate plain .NET and ASP.NET projects from the Windows Command Prompt as well as

from a Visual Studio environment. When you translate from the Windows Command Prompt, make

sure the path to the MSBuild executable required to build your project is included in PATH

environment variable.

Translating C/C++ and Xamarin Projects

You must translate C/C++ and Xamarin projects either from a Developer Command Prompt for Visual

Studio or from the Micro Focus Fortify Extension for Visual Studio.

Note: For Xamarin projects, there is no need to use a custom rule for the Xamarin.Android API if a

rule for the corresponding native Android API exists in the Fortify Secure Coding Rulepacks.

Doing so can cause duplicate issues to be reported.

Translating Projects with Settings Containing Spaces

If your project is built with a configuration or other settings file that contains spaces, make sure to do

the following in the MSBuild command:

l

Enclose the setting value in quotes (in addition to the quotes around the appropriate command-

line option)

l

Quotes are escaped

For example, to translate a Visual Studio solution Sample.sln that is built with configuration My

Configuration, use the following command:

sourceanalyzer –b MySampleProj msbuild /t:rebuild

"/p:Configuration=\"My Configuration\"" Sample.sln

Translating a Single Project from a Visual Studio Solution

If your Visual Studio solution contains multiple projects, you have the option to translate a single

project instead of the entire solution. Project files have a file name extension that ends with proj

such as .vcxproj and .csproj. To translate a single project, specify the project file instead of the

solution as the parameter for the MSBuild command.

The following example translates the Sample.vcxproj project file:

sourceanalyzer –b MySampleProj msbuild /t:rebuild Sample.vcxproj

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 64 of 223

User Guide

Chapter 6: Translating Visual Studio and MSBuild Projects

Working with Multiple Targets and Projects for MSBuild

Command

Recent versions of MSBuild enable you to build multiple targets and specific projects using an

extended syntax of the /t option. However, Fortify recommends that you avoid this syntax for

translating Visual Studio or MSBuild projects. Specifying a single rebuild target is sufficient to

translate any supported Visual Studio and MSBuild project.

If you cannot use a single rebuild target to translate your project, Fortify provides limited support of

multiple targets and projects specified for the MSBuild command. To use this feature, add the –

multiple-msbuild-targets option to the Fortify Static Code Analyzer command, as shown in the

following example:

sourceanalyzer –b MySampleProj -multiple-msbuild-targets msbuild

/t:Project1:build;Project2:build Sample.sln

Note: Support of this translation mode is limited, and Fortify Static Code Analyzer might not

properly handle all combinations of targets and projects.

Analyzing Projects That Build Multiple Executable Files

If your Visual Studio or MSBuild project builds multiple executable files (such as files with the file

name extension *.exe), Fortify strongly recommends that you run the analysis phase separately for

each executable file to avoid false positive issues in the analysis results. To do this, use –binary-

name option when running the analysis phase and specify the executable file name or .NET assembly

name as the parameter.

The following example shows how to translate and analyze a Visual Studio solution Sample.sln that

consists of two projects, Sample1 (a C++ project with no associated .NET assembly name) and

Sample2 (a .NET project with .NET assembly name Sample2). Each project builds a separate

executable file, Sample1.exe and Sample2.exe, respectively.

sourceanalyzer -b MySampleProj msbuild /t:rebuild Sample.sln

sourceanalyzer -b MySampleProj -scan -binary-name Sample1.exe -f

Sample1.fpr

sourceanalyzer -b MySampleProj -scan -binary-name Sample2 -f Sample2.fpr

For more information about the -binary-name option, see "Analysis Options" on page 123.

Alternative Ways to Translate Visual Studio and

MSBuild Projects

This section describes alternative methods of translating Visual Studio and MSBuild projects.

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 65 of 223

User Guide

Chapter 6: Translating Visual Studio and MSBuild Projects

Alternative Translation Options for Visual Studio Solutions

The following are two alternative ways of translation available only for Visual Studio solutions:

l

Use the Micro Focus Fortify Extension for Visual Studio

The Fortify Extension for Visual Studio runs the translation and analysis (scan) phases together in

one step.

l

Append a devenv command to the Fortify Static Code Analyzer command

The following command translates a Visual Studio solution called Sample.sln:

sourceanalyzer –b MySampleProj devenv Sample.sln /rebuild

Note that Fortify Static Code Analyzer converts a devenv invocation to the equivalent MSBuild

invocation, therefore in this case, the solution with this command is built by MSBuild instead of the

devenv tool.

Translating Without Explicitly Running Fortify Static Code

Analyzer

You have the option to translate your Visual Studio or MSBuild project without invoking Fortify Static

Code Analyzer directly. This requires the Fortify.targets file, which is located in the <sca_

install_dir>\Core\private-bin\sca\MSBuildPlugin directory. You can specify the file using

an absolute or relative path in the MSBuild command line that builds your project. For example:

msbuild /t:rebuild

/p:CustomAfterMicrosoftCommonTargets=<sca_install_dir>\Core\private-

bin\sca\MSBuildPlugin\Fortify.targets Sample.sln

There are several environment variables that you can set to configure the translation of your project.

Most of them have default values, which Fortify Static Code Analyzer uses if the variable is not set.

These variables are listed in the following table.

Environment

Variable

Description

Default Value

FORTIFY_

MSBUILD_

BUILDID

Specifies the Fortify Static Code Analyzer

build ID for translation. Make sure that you

set this value.

None

This is equivalent to the Fortify Static Code

Analyzer -b option.

FORTIFY_

MSBUILD_

Enables debug mode. This is equivalent to

False

the Fortify Static Code Analyzer –debug

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 66 of 223

User Guide

Chapter 6: Translating Visual Studio and MSBuild Projects

Environment

Variable

Description

Default Value

DEBUG

option.

FORTIFY_

MSBUILD_

DEBUG_

Enables verbose debug mode. This is

equivalent to the Fortify Static Code

False

Analyzer –debug-verbose option. Takes

VERBOSE

precedence over FORTIFY_MSBUILD_

DEBUG variable if both are set to true.

FORTIFY_

MSBUILD_MEM

Specifies the memory requirements

Automatic allocation based on

physical memory available on

the system

translation in the form of the JVM -Xmx

option. For example, -Xmx2G.

FORTIFY_

MSBUILD_

SCALOG

Specifies the location (absolute path) of the

Fortify Static Code Analyzer log file.

%LOCALAPPDATA%/Fortify/

sca/log/sca.log

This is equivalent to the Fortify Static Code

Analyzer -logfile option.

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 67 of 223

Chapter 7: Translating C and C++ Code

This section describes how to translate C and C++ code.

Important! The chapter describes how to translate C and C++ code that is not a part of a Visual

Studio or MSBuild project. For instructions on translating Visual Studio or MSBuild projects, see

"Translating Visual Studio and MSBuild Projects" on page 62.

This section contains the following topics:

C and C++ Code Translation Prerequisites

C and C++ Command-Line Syntax

68

69

Scanning Pre-processed C and C++ Code

C/C++ Precompiled Header Files

C and C++ Code Translation Prerequisites

Make sure that you have any dependencies required to build the project available, including headers

for third-party libraries. Fortify Static Code Analyzer translation does not require object files and

static/dynamic library files.

Note: Fortify Static Code Analyzer might not support all non-standard C++ constructs.

If you use Gradle to build your C++ project, make sure that the C++ Application Plugin is added to

your Gradle file in one of the following formats:

apply plugin: 'cpp'

plugins {

id 'cpp-application'

}

For more information about integrating with Gradle, see "Build Integration" on page 114.

C and C++ Command-Line Syntax

Command-line options passed to the compiler affect preprocessor execution and can enable or

disable language features and extensions. For Fortify Static Code Analyzer to interpret your source

code in the same way as the compiler, the translation phase for C/C++ source code requires the

complete compiler command line. Prefix your original compiler command with the sourceanalyzer

command and options.

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 68 of 223

User Guide

Chapter 7: Translating C and C++ Code

The basic command-line syntax for translating a single file is:

sourceanalyzer -b <build_id> [<sca_options>] <compiler> [<compiler_

options>] <file>.c

where:

l

<sca_options> are options passed to Fortify Static Code Analyzer.

l

<compiler> is the name of the C/C++ compiler you use, such as gcc, g++, or cl. See the Micro

Focus Fortify Software System Requirements document for a list of supported C/C++ compilers.

l

<compiler_options> are options passed to the C/C++ compiler.

l

<file>.c must be in ASCII or UTF-8 encoding.

Note: All Fortify Static Code Analyzer options must precede the compiler options.

The compiler command must successfully complete when executed on its own. If the compiler

command fails, then the Fortify Static Code Analyzer command prefixed to the compiler command

also fails.

For example, if you compile a file with the following command:

gcc -I. -o hello.o -c helloworld.c

then you can translate this file with the following command:

sourceanalyzer -b MyProject gcc -I. -o hello.o -c helloworld.c

Fortify Static Code Analyzer executes the original compiler command as part of the translation phase.

In the previous example, the command produces both the translated source suitable for scanning, and

the object file hello.o from the gcc execution. You can use the Fortify Static Code Analyzer -nc

option to disable the compiler execution.

Scanning Pre-processed C and C++ Code

If, before compilation, your C/C++ build executes a third-party C preprocessor that Fortify Static Code

Analyzer does not support, you must invoke the Fortify Static Code Analyzer translation on the

intermediate file. Fortify Static Code Analyzer touchless build integration automatically translates the

intermediate file provided that your build executes the unsupported preprocessor and supported

compiler as two commands connected by a temporary file rather than a pipe chain.

C/C++ Precompiled Header Files

Some C/C++ compilers support Precompiled Header Files, which can improve compilation

performance. Some compilers' implementations of this feature have subtle side-effects. When the

feature is enabled, the compiler might accept erroneous source code without warnings or errors. This

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 69 of 223

User Guide

Chapter 7: Translating C and C++ Code

can result in a discrepancy where Fortify Static Code Analyzer reports translation errors even when

your compiler does not.

If you use your compiler's Precompiled Header feature, disable Precompiled Headers, and then

perform a full build to make sure that your source code compiles cleanly.

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 70 of 223

Chapter 8: Translating JavaScript and

TypeScript Code

You can analyze JavaScript projects that contain JavaScript, TypeScript, JSX, and TSX source files, as

well as JavaScript embedded in HTML files.

Some JavaScript frameworks are transpiled (source-to-source compilation) to plain JavaScript. This

generated code is optimized., minimized, or both. Therefore, you might want to exclude it from

translation because it would be challenging to fix any vulnerabilities Fortify Static Code Analyzer

might report in this code. Use the -exclude command-line option to manually exclude this type of

code.

Fortify Static Code Analyzer does not translate minified JavaScript (*.min.js).

Note: When you translate JavaScript and TypeScript code, make sure that you specify all source

files together in one invocation. Fortify Static Code Analyzer does not support adding new files to

the file list associated with the build ID on subsequent invocations.

This section contains the following topics:

Translating Pure JavaScript Projects

Excluding Dependencies

71

72

73

Excluding NPM Dependencies

Translating JavaScript Projects with HTML Files

Including External JavaScript or HTML in the Translation

Translating Pure JavaScript Projects

The basic command-line syntax to translate JavaScript is:

sourceanalyzer –b <build_id> <js_file_or_dir>

where <js_file_or_dir> is the either the name of the JavaScript file to be translated or a directory

that contains multiple JavaScript files. You can also translate multiple files by specifying *.js for the

<js_file_or_dir>.

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 71 of 223

User Guide

Chapter 8: Translating JavaScript and TypeScript Code

Excluding Dependencies

You can avoid translating specific dependencies by adding them to the appropriate property setting

in the fortify-sca.properties file. Files specified in the following properties are not translated:

l

com.fortify.sca.skip.libraries.ES6

l

com.fortify.sca.skip.libraries.jQuery

l

com.fortify.sca.skip.libraries.javascript

l

com.fortify.sca.skip.libraries.typescript

Each property specifies a list of comma- or colon-separated file names (without path information).

The files specified in these properties apply to both local files and files on the internet. Suppose, for

example, that the JavaScript code includes the following local file reference:

8"></script>

By default, the com.fortify.sca.skip.libraries.jQuery property in the fortify-

sca.properties file includes jquery-us.js, and therefore Fortify Static Code Analyzer does not

translate the file shown in the previous example.

You can use regular expressions for the file names. Note that Fortify Static Code Analyzer

automatically inserts the regular expression '(-?\d+\.\d+\.\d+)?' before .min.js or .js for

each file name included in the com.fortify.sca.skip.libraries.jQuery property value.

Note: You can also exclude local files or entire directories with the -exclude command-line

option. For more information about this option, see "Translation Options" on page 121.

Excluding NPM Dependencies

By default, Fortify Static Code Analyzer translates only the NPM dependences that are imported in

the code. You can change this behavior with the following two properties:

l

The com.fortify.sca.follow.imports property directs Fortify Static Code Analyzer to resolve

all imported files and include them in the translation.

This property is enabled by default. Setting this property to false prevents NPM dependencies that

are not explicitly included on the command-line from being included in the translation.

l

The com.fortify.sca.exclude.unimported.node.modules property directs Fortify Static

Code Analyzer to exclude all files in any node_modules directory from the translation except files

that are specifically imported by the com.fortify.sca.follow.imports property.

This property is enabled by default to avoid translating dependencies that are not needed for the

final project such as those only required for the build system.

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 72 of 223

User Guide

Chapter 8: Translating JavaScript and TypeScript Code

Translating JavaScript Projects with HTML Files

If the project contains HTML files in addition to JavaScript files, set the

com.fortify.sca.EnableDOMModeling property to true in the fortify-sca.properties file or

on the command line as shown in the following example:

sourceanalyzer –b MyProject <js_file_or_dir>

-Dcom.fortify.sca.EnableDOMModeling=true

When you set the com.fortify.sca.EnableDOMModeling property to true, this can decrease false

negative reports of DOM-related attacks, such as DOM-related cross-site scripting issues.

Note: If you enable this option, Fortify Static Code Analyzer generates JavaScript code to model

the DOM tree structure in the HTML files. The duration of the analysis phase might increase

(because there is more translated code to analyze).

If you set the com.fortify.sca.EnableDOMModeling property to true, you can also specify

additional HTML tags for Fortify Static Code Analyzer to include in the DOM modeling with the

com.fortify.sca.DOMModeling.tags property. By default, Fortify Static Code Analyzer includes

the following HTML tags: body, button, div, form, iframe, input, head, html, and p.

For example, to include the HTML tags ul and li in the DOM model, use the following command:

sourceanalyzer –b MyProject <js_file_or_dir>

-Dcom.fortify.sca.DOMModeling.tags=ul,li

Including External JavaScript or HTML in the

Translation

To include external JavaScript or HTML files that are specified with the src attribute, you can specify

which domains Fortify Static Code Analyzer can download and include in the translation phase. To do

this, specify one or more domains with the

com.fortify.sca.JavaScript.src.domain.whitelist property.

Note: You can also set this property globally in the fortify-sca.properties file.

For example, you might have the following statement in your HTML file:

</script>

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 73 of 223

User Guide

Chapter 8: Translating JavaScript and TypeScript Code

If you are confident that the xyzdomain.com domain is a safe location from which to download files,

then you can include them in the translation phase by adding the following property specification on

the command line:

-Dcom.fortify.sca.JavaScript.src.domain.whitelist="xyzdomain.com/foo"

Note: You can omit the www. prefix from the domain in the property value. For example, if the src

tag in the original HTML file specifies to download files from www.google.com, you can specify

just the google.com domain.

To trust more than one domain, include each domain separated by the vertical bar character (|) as

shown in the following example:

-Dcom.fortify.sca.JavaScript.src.domain.whitelist=

"xyzdomain.com/foo|abcdomain.com|123.456domain.com”

If you are using a proxy server, then you need to include the proxy server information on the

command line as shown in the following example:

-Dhttp.proxyHost=example.proxy.com -Dhttp.proxyPort=8080

For a complete list of proxy server options, see the Networking Properties Java documentation.

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 74 of 223

Chapter 9: Translating Python Code

Fortify Static Code Analyzer translates Python applications, and processes files with the .py

extension as Python source code.

This section contains the following topics:

Python Translation Command-Line Syntax

Including Imported Modules and Packages

Including Namespace Packages

Using the Django Framework with Python

Python Command-Line Options

Python Command-Line Examples

Python Translation Command-Line Syntax

The basic command-line syntax to translate Python code is:

sourceanalyzer -b <build_id> -python-version <python_version>

-python-path <dirs> <files>

Note: When you translate Python code, make sure that you specify all source files together in one

invocation. Fortify Static Code Analyzer does not support adding new files to the file list

associated with the build ID on subsequent invocations.

Including Imported Modules and Packages

To translate Python applications and prepare for a scan, Fortify Static Code Analyzer searches for any

imported modules and packages used by the application. Fortify Static Code Analyzer does not

respect the PYTHONPATH environment variable, which the Python runtime system uses to find

imported modules and packages.

Fortify Static Code Analyzer searches for imported modules and packages using the list of directories

in the following order:

1. The common root directory for all project source files. which Fortify Static Code Analyzer

calculates automatically. For example, if there are two project directories

PrimaryDir/project1/* and PrimaryDir/project2/*, the common root directory is

PrimaryDir.

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 75 of 223

User Guide

Chapter 9: Translating Python Code

To remove the common root directory as a search target for imported modules and packages,

include the -python-no-auto-root-calculation option in the translation command.

2.

The directories specified with the -python-path option.

Fortify Static Code Analyzer includes a subset of modules from the standard Python library

(module "builtins", all modules originally written in C, and others) in the translation. Fortify Static

Code Analyzer first searches for a standard Python library module in the set included with Fortify

Static Code Analyzer and then in the paths specified with the -python-path option. If your

Python code imports any module that Fortify Static Code Analyzer cannot find, it produces a

warning. To make sure that all modules of the standard Python library are found, add the path to

your standard Python library in the -python-path list.

3. The current directory that contains the file Fortify Static Code Analyzer is translating. For

example, when Fortify Static Code Analyzer translates a PrimaryDir/project1/a.py, the

directory PrimaryDir/project1 is added as the last directory to search for imported modules

and packages.

Including Namespace Packages

To translate namespace packages, include all the paths to the namespace package directories in the -

python-path option. For example, if you have two subpackages for a namespace package package_

name in multiple folders as in this example:

/path_1/package_name/subpackageA

/path_2/package_name/subpackageB

Include the following with the -python-path option: /path_1;/path_2.

Using the Django Framework with Python

Fortify Static Code Analyzer supports the Django framework. To translate code created using the

Django framework, add the following properties to the <sca_install_

dir>/Core/config/fortify-sca.properties configuration file:

com.fortify.sca.limiters.MaxPassthroughChainDepth=8

com.fortify.sca.limiters.MaxChainDepth=8

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 76 of 223

User Guide

Chapter 9: Translating Python Code

By default, Fortify Static Code Analyzer attempts to discover Django templates in the project root

folder. Any Django templates found are automatically added to the translation. If you do not want

Fortify Static Code Analyzer to automatically discover Django templates, use the -django-disable-

autodiscover option. If your project requires Django templates, but the project is configured such

that Django templates are in an unexpected location, use the -django-template-dirs option to

specify the directories that contain the templates in addition to the -django-disable-

autodiscover option.

You can specify additional locations of Django template files by adding the -django-template-

dirs option to the sourceanalyzer command:

-django-template-dirs <dirs>

Python Command-Line Options

The following table describes the Python options.

Python Option

Description

Specifies the Python source code version to scan. The valid values for

-python-version

<version> are 2 and 3. The default value is 2.

Equivalent Property Name:

com.fortify.sca.PythonVersion

Disables the automatic calculation of a common root directory of all

project source files to use for importing modules and packages.

-python-no-auto-

root-calculation

Equivalent Property Name:

com.fortify.sca.PythonNoAutoRootCalculation

Specifies a semicolon-separated (Windows) or colon-separated (non-

-python-path

<dirs>

Windows) list of additional import directories. You can use the -python-

path option to specify all paths used to import packages or modules.

Include all paths to namespace package directories with this option.

Fortify Static Code Analyzer sequentially searches the specified paths

for each imported file and uses the first file encountered.

Equivalent Property Name:

com.fortify.sca.PythonPath

Specifies that Fortify Static Code Analyzer does not automatically

discover Django templates.

-django-disable-

autodiscover

Equivalent Property Name:

com.fortify.sca.DjangoDisableAutodiscover

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 77 of 223

User Guide

Chapter 9: Translating Python Code

Python Option

Description

Specifies a semicolon-separated (Windows) or colon-separated (non-

Windows) list of directories that contain Django templates. Fortify Static

Code Analyzer sequentially searches the specified paths for each Django

template file and uses the first template file encountered.

-django-template-

dirs <dirs>

Equivalent Property Name:

com.fortify.sca.DjangoTemplateDirs

See Also

"Python Properties" on page 203

Python Command-Line Examples

To translate Python 3 code, type:

sourceanalyzer -b Python3Proj -python-version 3 -python-path

/usr/lib/python3.4:/usr/local/lib/python3.4/site-packages src/*.py

To translate Python 2 code, type:

sourceanalyzer -b MyPython2 -python-path

/usr/lib/python2.7:/usr/local/lib/python2.7/site-packages src/*.py

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 78 of 223

Chapter 10: Translating Code for Mobile

Platforms

Fortify Static Code Analyzer supports analysis of the following mobile application source languages:

l

Swift, Objective-C, and Objective-C++ for iOS applications developed using Xcode

l

Java for Android applications

For information about translating Xamarin applications, see "Translating Visual Studio and MSBuild

Projects" on page 62.

This section contains the following topics:

Translating Apple iOS Projects

Translating Android Projects

79

80

Translating Apple iOS Projects

This section describes how to translate Swift, Objective-C, and Objective-C++ source code for iOS

applications. Fortify Static Code Analyzer automatically integrates with the Xcode Command Line

Tool, Xcodebuild, to identify the project source files.

iOS Project Translation Prerequisites

The following are the prerequisites for translating iOS projects:

l

Objective-C++ projects must use the non-fragile Objective-C runtime (ABI version 2 or 3).

l

Use Apple’s xcode-select command-line tool to set your Xcode path. Fortify Static Code

Analyzer uses the system global Xcode configuration to find the Xcode toolchain and headers.

l

Make sure that all source files required for a successful Xcode build are provided.

You can exclude files from the analysis using the -exclude option (see "iOS Code Analysis

Command-Line Syntax" on the next page).

l

Make sure that you have any dependencies required to build the project available.

l

To translate Swift code, make sure that you have available all third-party modules, including

CocoaPods. Bridging headers must also be available. However, Xcode usually generates them

automatically during the build.

l

If your project includes property list files in binary format, you must first convert them to XML

format. You can do this with the Xcode putil command.

l

To translate Objective-C projects, ensure that the headers for third-party libraries are available.

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 79 of 223

User Guide

Chapter 10: Translating Code for Mobile Platforms

l

To translate WatchKit applications, make sure that you translate both the iPhone application target

and the WatchKit extension target.

iOS Code Analysis Command-Line Syntax

The command-line syntax to translate iOS code using Xcodebuild is:

sourceanalyzer -b <build_id> xcodebuild [<compiler_options>]

where <compiler_options> are the supported options that are passed to the Xcode compiler. You

must include the build option with any <compiler_options>. The Fortify Static Code Analyzer

Xcodebuild integration does not support the output format of alternate build commands such as

xcodebuild archive.

Note: Xcodebuild compiles the source code when you run this command.

To exclude files from the analysis, use the -exclude option (see "Translation Options" on page 121).

All source files that match the exclude specification are not translated, even if they are included in the

Xcode build. The following is an example:

sourceanalyzer -b MyProject -exclude "**/TestFile.swift" xcodebuild clean

build

If your application uses any property list files (for example, <file>.plist), translate these files with

a separate sourceanalyzer command. Use the same build ID that you used to translate the project

files. The following is an example:

sourceanalyzer -b MyProject <path_to_plist_files>

If your project uses CocoaPods, include -workspace to build the project. For example:

sourceanalyzer -b DemoAppSwift xcodebuild clean build -workspace

DemoAppSwift.xcworkspace -scheme DemoAppSwift -sdk iphonesimulator

You can then perform the analysis phase, as shown in the following example:

sourceanalyzer -b DemoAppSwift -scan -f MyResults.fpr

Translating Android Projects

This section describes how to translate Java source code for Android applications. You can use Fortify

Static Code Analyzer to scan the code with Gradle from either:

l

Your operating system's command line

l

A terminal window running in Android Studio

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 80 of 223

User Guide

Chapter 10: Translating Code for Mobile Platforms

The way you use Gradle is the same for either method.

Note: You can also scan Android code directly from Android Studio with the Micro Focus Fortify

Analysis Plugin for IntelliJ and Android Studio. For more information, see the Micro Focus Fortify

Analysis Plugin for IntelliJ IDEA and Android Studio User Guide.

Android Project Translation Prerequisites

The following are the prerequisites for translating Android projects:

l

Android Studio and the relevant Android SDKs are installed on the system where you will run the

scans

l

Your Android project uses Gradle for builds.

If you have an older project that does not use Gradle, you must add Gradle support to the

associated Android Studio project

Use the same version of Gradle that is provided with the version of Android Studio that you use to

create your Android project

l

Make sure you have available all dependencies that are required to build the Android code in the

application's project

l

To translate your Android code from a command window that is not displayed within Android

Studio, make sure that Gradle Wrapper (gradlew) is defined on the system path

Android Code Analysis Command-Line Syntax

Use gradlew to scan Android projects, which is similar to using Gradle except that you use the Gradle

Wrapper. For information about how to translate your Android project using the Gradle Wrapper, see

"Gradle Integration" on page 117.

Filtering Issues Detected in Android Layout Files

If your Android project contains layout files (used to design the user interface), your project files

might include R.java source files that are automatically generated by Android Studio. When you

scan the project, Fortify Static Code Analyzer can detect issues associated with these layout files.

Fortify recommends that Issues reported in any layout file be included in your standard audit so you

can carefully determine if any of them are false positives. After you identify issues in layout files that

you are not interested in, you can filter them out as described in "Filtering the Analysis" on page 179.

You can filter out the issues based on the Instance ID.

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 81 of 223

Chapter 11: Translating Go Code

This section describes how to translate Go code. Fortify Static Code Analyzer supports analysis of Go

code on Windows, Linux, and macOS.

This section contains the following topics:

Go Command-Line Syntax

Go Command-Line Options

Resolving Dependencies

82

84

Go Command-Line Syntax

For best results, your project must be compilable and you must have all required dependencies

available.

The following entities are excluded from the translation (and the scan):

l

Vendor folder

l

All projects defined by any go.mod files in subfolders, except the project defined by the go.mod file

under the %PROJECT_ROOT%

l

All files with the _test.go suffix (unit tests)

The basic command-line syntax to translate Go code is:

sourceanalyzer -b <build_id> [-gopath <dir>] [-goroot <dir>] <files>

Go Command-Line Options

The following table describes the command-line options that are specifically for translating Go code.

Go Option

Description

Specifies the root directory of your project. Make sure that the directory

structure adheres to the Go workspace hierarchy

-gopath <dir>

(https://golang.org/doc/gopath_code.html). If this option is not specified,

then the GOPATH system environment variable is used.

You must specify the gopath directory as an absolute path. The following

examples are valid values for <dir>:

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 82 of 223

User Guide

Chapter 11: Translating Go Code

Go Option

Description

/home/projects/go_workspace/my_proj

C:\projects\go_workspace\my_proj

The following example is an invalid value for <dir>:

go_workspace/my_proj

If this option and the GOPATH system environment variable is not set,

then the gopath defaults to a subdirectory named go in the user's home

directory ($HOME/go on Linux and %USERPROFILE%\go on Windows),

unless that directory contains a Go distribution.

Equivalent Property Name

com.fortify.sca.GOPATH

Specifies the location of the Go installation. If this option is not specified,

the GOROOT system environment variable is used.

-goroot <dir>

If this option is not specified and the GOROOT system environment

variable is not set, then Fortify Static Code Analyzer uses the Go

compiler included in the Fortify Static Code Analyzer installation.

Equivalent Property Name

com.fortify.sca.GOROOT

Specifies one or more comma-separated proxy URLs. You can also

-goproxy <url>

specify direct or off (to disable network usage).

If this option is not specified and the GOPROXY system environment

variable is not set, then Fortify Static Code Analyzer uses

https://proxy.golang.org,direct.

Equivalent Property Name

com.fortify.sca.GOPROXY

See Also

"Go Properties" on page 204

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 83 of 223

User Guide

Chapter 11: Translating Go Code

Resolving Dependencies

Fortify Static Code Analyzer supports two dependency management systems built into Go:

l

Modules

Fortify Static Code Analyzer downloads all required dependencies using the native Go toolchain. If

access to the internet is restricted on the machine where you run Fortify Static Code Analyzer, then

do one of the following:

l

If you are using an artifact management system such as Artifactory, set the GOPROXY

environment variable or use the -goproxy option described in "Go Command-Line Options" on

page 82.

l

Download all required dependencies using modules and vendoring.

l

GOPATH dependency resolution

If you are using a third-party dependency management system such as dep, you must download all

dependencies before you start the translation.

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 84 of 223

Chapter 12: Translating Ruby Code

This section contains the following topics:

Ruby Command-Line Syntax

Ruby Command-Line Syntax

The basic command-line syntax to translate Ruby code is:

sourceanalyzer –b <build_id> <file>

where <file> is the name of the Ruby file you want to scan. To include multiple Ruby files, separate

them with a space, as shown in the following example:

sourceanalyzer –b <build_id> file1.rb file2.rb file3.rb

In addition to listing individual Ruby files, you can use the asterisk (*) wildcard to select all Ruby files

in a specified directory. For example, to find all the Ruby files in a directory called src, use the

following sourceanalyzer command:

sourceanalyzer –b <build_id> src/*.rb

Note: When you translate Ruby code, make sure that you specify all source files together in one

invocation. Fortify Static Code Analyzer does not support adding new files to the file list

associated with the build ID on subsequent invocations.

Ruby Command-Line Options

The following table describes the Ruby translation options.

Ruby Option

Description

Specifies one or more paths to directories that contain Ruby libraries

(see "Adding Libraries " on the next page)

-ruby-path <dirs>

Equivalent Property Name:

com.fortify.sca.RubyLibraryPaths

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 85 of 223

User Guide

Chapter 12: Translating Ruby Code

Ruby Option

Description

Specifies the path(s) to a RubyGems location (see "Adding Gem Paths"

below)

-rubygem-path

<dirs>

Equivalent Property Name:

com.fortify.sca.RubyGemPaths

See Also

"Ruby Properties" on page 205

Adding Libraries

If your Ruby source code requires a specific library, add the Ruby library to the sourceanalyzer

command. Include all ruby libraries that are installed with ruby gems. For example, if you have a

utils.rb file that resides in the /usr/share/ruby/myPersonalLibrary directory, then add the

following to the sourceanalyzer command:

-ruby-path /usr/share/ruby/myPersonalLibrary

Separate multiple libraries with semicolons (Windows) or colons (non-Windows). The following is an

example of the option on non-Windows system:

-ruby-path /path/one:/path/two:/path/three

Adding Gem Paths

To add all RubyGems and their dependency paths, import all RubyGems. To obtain the Ruby gem

paths, run the gem env command. Under GEM PATHS, look for a directory similar to:

/home/myUser/gems/ruby-version

This directory contains another directory called gems, which contains directories for all the gem files

installed on the system. For this example, use the following in your command line:

-rubygem-path /home/myUser/gems/ruby-version/gems

If you have multiple gems directories, separate them with semicolons (Windows) or colons (non-

Windows ) such as:

-rubygem-path /path/to/gems:/another/path/to/more/gems

Note: On Windows systems, separate the gems directories with a semicolon.

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 86 of 223

Chapter 13: Translating COBOL Code

In the previous release, Fortify Static Code Analyzer introduced updated COBOL code translation,

which is now the default translation method. The previous translation method, referred to now as

legacy COBOL translation is still available for use with a command-line option. Use the legacy

COBOL translation method if either of the following is true:

l

You run Fortify Static Code Analyzer on a non-Windows operating system

l

Your COBOL dialect is unsupported.

The following sections describe the default COBOL code translation. Information that pertains only to

the legacy COBOL translation is indicated as such.

For a list of supported technologies for translating COBOL code, see the Micro Focus Fortify Software

System Requirements document. Fortify Static Code Analyzer does not currently support custom

rules for COBOL applications.

Note: To scan COBOL with Fortify Static Code Analyzer, you must have a Fortify Static Code

Analyzer license file that specifically includes COBOL scanning capabilities. Contact Micro Focus

Fortify Customer Support for more information about scanning COBOL and the required license

file.

This section contains the following topics:

Preparing COBOL Source and Copybook Files for Translation

COBOL Command-Line Syntax

87

88

90

COBOL Command-Line Options

Preparing COBOL Source and Copybook Files for

Translation

Fortify Static Code Analyzer supports translation of COBOL source files on Windows systems only.

Legacy COBOL Translation: Fortify Static Code Analyzer supports translation of COBOL source

files on the supported platforms and architectures listed in the Micro Focus Fortify Software

System Requirements document.

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 87 of 223

User Guide

Chapter 13: Translating COBOL Code

Before you can analyze a COBOL program, you must copy the following program components to the

Windows system where you run Fortify Static Code Analyzer:

l

COBOL source code

Fortify recommends that your COBOL source code files have extensions .CBL, .cbl, .COB or .cob.

Therefore, there is no need to manage extension specification from the command line as described

in "Translating COBOL Source Files Without File Extensions" on the next page and "Specifying Files

an d Directories" on page 133 .

Note: Fortify Static Code Analyzer translates COBOL source code files with or without file

extensions.

l

All copybook files that the COBOL source code uses

l

All SQL INCLUDE files that the COBOL source code references (a SQL INCLUDE file is technically a

copybook file)

Important! The copybook files must have the file extension .CPY or .cpy.

Legacy COBOL Translation: Fortify Static Code Analyzer translates copybook files with or

without file extensions.

If your COBOL source code contains:

COPY FOO

or

EXEC SQL INCLUDE FOO END-EXEC

then FOO is the name of a COBOL copybook and the corresponding copybook file has the name

FOO.CPY or FOO.cpy.

Legacy COBOL Translation:

l

The corresponding copybook file has the name FOO with or without a file extension. If the

copybook files have file extensions, use the -copy-extensions command-line option. For

more information, see "Legacy COBOL Translation Command-Line Options" on page 90.

l

The COPY command can also accept a directory-file-path structure instead of a file name.

Fortify recommends that you place your COBOL source code files in a directory called sources and

your copybook files in a directory called copybooks. Create these directories at the same level.

COBOL Command-Line Syntax

The basic syntax used to translate a single COBOL source code file is:

sourceanalyzer -b <build_id> <path>

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 88 of 223

User Guide

Chapter 13: Translating COBOL Code

The basic syntax used to scan a translated COBOL program is:

sourceanalyzer -b <build_id> -scan -f <results>.fpr

Legacy COBOL Translation: Free-format COBOL is the default translation mode. Fortify Static

Code Analyzer supports the translation of fixed-format COBOL. To translate fixed-format COBOL,

you must specify the -fixed-format command-line option. For more information, see "Legacy

COBOL Translation Command-Line Options" on the next page.

Translating COBOL Source Files Without File Extensions

If you have COBOL source files retrieved from a mainframe without .COB or .CBL file extensions

(which is typical for COBOL file names), then you must include the following in the translation

command line:

-noextension-type COBOL

The following example command translates COBOL source code without file extensions:

sourceanalyzer -b MyProject -noextension-type COBOL -copydirs copybooks

sources

Translating COBOL Source Files with Arbitrary File Extensions

If you have COBOL source files with an arbitrary extension .xyz, then you must include the following

in the translation command line:

-Dcom.fortify.sca.fileextensions.xyz=COBOL

You must also include the expression *.xyz in the file or directory specifier, if any (see "Specifying

Files and Directories" on page 133).

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 89 of 223

User Guide

Chapter 13: Translating COBOL Code

COBOL Command-Line Options

The following table describes the COBOL command-line options.

COBOL Option

Description

Specifies one or more semicolon-separated directories where Fortify

Static Code Analyzer looks for copybook files.

-copydirs <dirs>

Equivalent Property Name:

com.fortify.sca.CobolCopyDirs

Specifies the COBOL dialect. The valid values for <dialect> are

-dialect <dialect>

COBOL390 and MICROFOCUS. The dialect value is case insensitive. The

default value is COBOL390.

Equivalent Property Name:

com.fortify.sca.CobolDialect

Specifies one or more semicolon-separated COBOL checker directives.

-checker-

directives

Note: This option is intended for advanced users of Micro Focus

Server Express.

Equivalent property name:

com.fortify.sca.CobolCheckerDirectives

Legacy COBOL Translation Command-Line Options

The following table describes the command-line options for the legacy COBOL translation.

Legacy COBOL Option

Description

Specifies translation of COBOL code using legacy COBOL translation.

This option is required to enable legacy COBOL translation.

-cobol-legacy

Equivalent Property Name:

com.fortify.sca.CobolLegacy

Specifies one or more semicolon- or colon-separated directories where

Fortify Static Code Analyzer looks for copybook files.

-copydirs <dirs>

Equivalent Property Name:

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 90 of 223

User Guide

Chapter 13: Translating COBOL Code

Legacy COBOL Option

Description

com.fortify.sca.CobolCopyDirs

Specifies one or more semicolon- or colon-separated copybook file

extensions.

-copy-extensions

<ext>

Equivalent Property Name:

com.fortify.sca.CobolCopyExtensions

Specifies fixed-format COBOL to direct Fortify Static Code Analyzer to

only look for source code between columns 8–72 in all lines of code.

-fixed-format

IBM Enterprise COBOL code is typically fixed-format. The following are

indications that you might need the -fixed-format option:

l

The COBOL translation appears to hang indefinitely

l

Fortify Static Code Analyzer reports numerous parsing errors in the

COBOL translation

Equivalent Property Name:

com.fortify.sca.CobolFixedFormat

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 91 of 223

Chapter 14: Translating Salesforce Apex and

Visualforce Code

This section contains the following topics:

Apex and Visualforce Translation Prerequisites

Apex and Visualforce Command-Line Syntax

Apex and Visualforce Command-Line Options

92

93

Apex and Visualforce Translation Prerequisites

To translate Apex and Visualforce projects, make sure that all the source code to scan is available on

the same machine where you have installed Fortify Static Code Analyzer.

To scan your custom Salesforce app, download it to your local computer from your Salesforce

organization (org) where you develop and deploy it. The downloaded version of your app consists of:

l

Apex classes in files with the .cls extension

l

Visualforce web pages in files with the .page extension

l

Apex code files called database “trigger” functions are in files with the .trigger extension

l

Visualforce component files with the .component extension

l

Objects with the .object extension

Use the Ant Migration Tool available on the Salesforce website to download your app from your org in

the Salesforce cloud to your local computer. Make sure that the project manifest files are set up

correctly for the specified target in your build.xml file.

For example, the following package.xml manifest file provides Fortify Static Code Analyzer with all

classes, custom objects, pages, and components for version 55.

<?xml version="1.0" encoding="UTF-8"?>

<types>

<name>ApexClass</name>

</types>

<types>

<name>ApexTrigger</name>

</types>

<types>

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 92 of 223

User Guide

Chapter 14: Translating Salesforce Apex and Visualforce Code

<name>ApexPage</name>

</types>

<types>

<name>ApexComponent</name>

</types>

<types>

<name>CustomObject</name>

</types>

</Package>

Configure the retrieve targets using the Ant Migration Tool documentation. If your organization uses

any apps from the app exchange, make sure that these are downloaded as packaged targets.

Apex and Visualforce Command-Line Syntax

The basic command-line syntax to translate Apex and Visualforce code is:

sourceanalyzer -b <build_id> -apex <files>

where <files> is an Apex or Visualforce file or a path to the source files.

Important! Supported file extensions for the source code files are: .cls, .component,

.trigger, .object, and .page.

For descriptions of all the Apex- and Visualforce-specific command-line options, see "Apex and

Visualforce Command-Line Options" below.

Apex and Visualforce Command-Line Options

The following table describes the Apex and Visualforce translation command-line options.

Apex or Visualforce Option

Description

Directs Fortify Static Code Analyzer to use Apex and

-apex

Visualforce translation for files with the .cls extension.

Without this option, Fortify Static Code Analyzer translates

*.cls files as Visual Basic code.

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 93 of 223

User Guide

Chapter 14: Translating Salesforce Apex and Visualforce Code

Apex or Visualforce Option

Description

Note: Alternatively, you can set the

com.fortify.sca.fileextensions.cls property to

APEX either on the command line (include -

Dcom.fortify.sca.fileextensions.cls=APEX) or

in the <sca_install_dir>/Core/config/fortify-

sca.properties file.

Equivalent Property Name:

com.fortify.sca.Apex

Specifies the Apex source code version to scan. The valid

-apex-version <version>

value for <version> is 55. The default value is 55.

Equivalent Property Name:

com.fortify.sca.ApexVersion

See Also

"Apex Properties" on page 206

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 94 of 223

Chapter 15: Translating Other Languages

and Configurations

This section contains the following topics:

Translating PHP Code

95

96

Translating ABAP Code

Translating Flex and ActionScript

Translating ColdFusion Code

Translating Scala Code

Translating Dockerfiles

Translating HCL

Translating JSON

Translating YAML

Translating ASP/VBScript Virtual Roots

Classic ASP Command-Line Example

VBScript Command-Line Example

Translating PHP Code

The syntax to translate a single PHP file named MyPHP.php is shown in the following example:

sourceanalyzer -b <build_id> MyPHP.php

To translate a file where the source or the php.ini file entry includes a relative path name (starts

with ./ or ../), consider setting the PHP source root as shown in the following example:

sourceanalyzer -php-source-root <path> -b <build_id> MyPHP.php

For more information about the -php-source-root option, see the description in "PHP Command-

Line Options" on the next page.

Note: When you translate PHP code, make sure that you specify all source files together in one

invocation. Fortify Static Code Analyzer does not support adding new files to the file list

associated with the build ID on subsequent invocations.

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 95 of 223

User Guide

Chapter 15: Translating Other Languages and Configurations

PHP Command-Line Options

The following table describes the PHP-specific command-line options.

PHP Option

Description

Specifies an absolute path to the project root directory. The relative path

name first expands from the current directory. If the file is not found,

then the path expands from the specified PHP source root directory.

-php-source-root

<path>

Equivalent Property Name:

com.fortify.sca.PHPSourceRoot

Specifies the PHP version. The default version is 7.4. For a list of valid

versions, see the Micro Focus Fortify Software System Requirements

document.

-php-version

Equivalent Property Name:

com.fortify.sca.PHPVersion

See Also

"PHP Properties" on page 207

Translating ABAP Code

Translating ABAP code is similar to translating other operating language code. However, it requires

additional steps to extract the code from the SAP database and prepare it for scanning. See

"Importing the Transport Request" on the next page for more information. This section assumes you

have a basic understanding of SAP and ABAP.

To translate ABAP code, the Fortify ABAP Extractor program downloads source files to the

presentation server, and optionally, invokes Fortify Static Code Analyzer. You need to use an account

with permission to download files to the local system and execute operating system commands.

Because the extractor program is executed online, you might receive a max dialog work process

time reached exception message if the volume of source files selected for extraction exceeds the

allowable process run time. To work around this, download large projects as a series of smaller

Extractor tasks. For example, if your project consists of four different packages, download each

package separately into the same project directory. If the exception occurs frequently, work with your

SAP Basis administrator to increase the maximum time limit (rdisp/max_wprun_time).

When a PACKAGE is extracted from ABAP, the Fortify ABAP Extractor extracts everything from

TDEVC with a parentcl field that matches the package name. It then recursively extracts everything

else from TDEVC with a parentcl field equal to those already extracted from TDEVC. The field

extracted from TDEVC is devclass.

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 96 of 223

User Guide

Chapter 15: Translating Other Languages and Configurations

The devclass values are treated as a set of program names and handled the same way as a program

name, which you can provide.

Programs are extracted from TRDIR by comparing the name field with either:

l

The program name specified in the selection screen

l

The list of values extracted from TDEVC if a package was provided

The rows from TRDIR are those for which the name field has the given program name and the

expression LIKEprogramname is used to extract rows.

This final list of names is used with READ REPORT to get code out of the SAP system. This method

does read classes and methods out as well as merely REPORTS, for the record.

Each READ REPORT call produces a file in the temporary folder on the local system. This set of files is

what Fortify Static Code Analyzer translates and scans, producing an FPR file that you can open with

Micro Focus Fortify Audit Workbench.

See Also

"ABAP Properties" on page 207

INCLUDE Processing

As source code is downloaded, the Fortify ABAP Extractor detects INCLUDE statements in the source.

When found, it downloads the include targets to the local machine for analysis.

Importing the Transport Request

To scan ABAP code, you need to import the Fortify ABAP Extractor transport request on your SAP

Server. You can find the Fortify transport request in <sca_install_dir>/Tools/SAP_

Extractor.zip.

The Fortify ABAP Extractor package, SAP_Extractor.zip, contains the following files:

l

K900XXX.S9S (where the “XXX” is the release number)

l

R900XXX.S9S (where the “XXX” is the release number)

These files make up the SAP transport request that you must import into your SAP system from

outside your local Transport Domain. Have your SAP administrator or an individual authorized to

install transport requests on the system import the transport request.

The S95 files contain a program, a transaction (YSCA), and the program user interface. After you

import them into your system, you can extract your code from the SAP database and prepare it for

Fortify Static Code Analyzer scanning.

Installation Note

The Fortify ABAP Extractor transport request is supported on a system running SAP release 7.02, SP

level 0006. If you are running a different SAP version and you get the transport request import error:

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 97 of 223

User Guide

Chapter 15: Translating Other Languages and Configurations

Install release does not match the current version, then the transport request

installation has failed.

To try to resolve this issue, perform the following steps:

1. Re-run the transport request import.

The Import Transport Request dialog box opens.

2. Select the Options tab.

3. Select the Ignore Invalid Component Version check box.

4. Complete the import procedure.

If this does not resolve the issue or if your system is running on an SAP version with a different table

structure, Fortify recommends that you export your ABAP file structure using your own technology so

that Fortify Static Code Analyzer can scan the ABAP code.

Adding Fortify Static Code Analyzer to your Favorites List

Adding Fortify Static Code Analyzer to your Favorites list is optional, but doing so can make it quicker

to access and launch Fortify Static Code Analyzer scans. The following steps assume that you use the

user menu in your day-to-day work. If your work is done from a different menu, add the Favorites link

to the menu that you use. Before you create the Fortify Static Code Analyzer entry, make sure that

the SAP server is running and you are in the SAP Easy Access area of your web-based client.

To add Fortify Static Code Analyzer to your Favorites list:

1.

From the SAP Easy Access menu, type S000 in the transaction box.

The SAP Menu opens.

2. Right-click the Favorites folder and select Insert transaction.

The Manual entry of a transaction dialog box opens.

3.

Type YSCA in the Transaction Code box.

4. Click the green check mark button .

The Extract ABAP code and launch SCA item appears in the Favorites list.

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 98 of 223

User Guide

Chapter 15: Translating Other Languages and Configurations

5. Click the Extract ABAP code and launch SCA link to launch the Fortify ABAP Extractor.

Running the Fortify ABAP Extractor

To run the Fortify ABAP Extractor:

1. Start the program from the Favorites link, the transaction code, or manually start the Extractor

object.

This opens the Fortify ABAP Extractor.

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 99 of 223

User Guide

Chapter 15: Translating Other Languages and Configurations

2. Select the code to download.

Provide the start and end name for the range of software components, packages, programs, or

BSP applications that you want to scan.

Note: You can specify multiple objects or ranges.

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 100 of 223

User Guide

Chapter 15: Translating Other Languages and Configurations

3. Provide the Fortify Static Code Analyzer-specific information described in the following table.

Field

Description

FPR File Path (Optional) Type or select the directory where you want to store the scan

results file (FPR). Include the name for the FPR file in the path name. You must

provide the FPR file path if you want to automatically scan the downloaded

code on the same machine where you are running the extraction process.

Working

ActionScript Command-Line Examples

The following examples illustrate command-line syntax for typical scenarios for translating

ActionScript.

Example 1

The following example is for a simple application that contains only one MXML file and a single SWF

library (MyLib.swf):

sourceanalyzer -b MyFlexApp -flex-libraries lib/MyLib.swf -flex-sdk-root

/home/myself/flex-sdk/ -flex-source-roots . my/app/FlexApp.mxml

This identifies the location of the libraries to include and the Flex SDK and the Flex source root

locations. The single MXML file, located in /my/app/FlexApp.mxml, results in translating the MXML

application as a single ActionScript class called FlexApp and located in the my.app package.

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 105 of 223

User Guide

Chapter 15: Translating Other Languages and Configurations

Example 2

The following example is for an application in which the source files are relative to the src directory.

It uses a single SWF library, MyLib.swf, and the Flex and framework libraries from the Flex SDK:

sourceanalyzer -b MyFlexProject -flex-sdk-root /home/myself/flex-sdk/

-flex-source-roots src/ -flex-libraries lib/MyLib.swf "src/**/*.mxml"

"src/**/*.as"

This example locates the Flex SDK and uses Fortify Static Code Analyzer file specifiers to include the

.as and .mxml files in the src folder. It is not necessary to explicitly specify the .SWC files located in

the –flex-sdk-root, although this example does so for the purposes of illustration. Fortify Static

Code Analyzer automatically locates all .SWC files in the specified Flex SDK root, and it assumes that

these are libraries intended for use in translating ActionScript or MXML files.

Example 3

In this example, the Flex SDK root and Flex libraries are specified in the properties file because typing

the information for each sourceanalyzer run is time consuming and the data does not change often.

Divide the application into two sections and store them in folders: a main section folder and a modules

folder. Each folder contains a src folder where the paths start. File specifiers contain wild cards to

pick up all the .mxml and .as files in both src folders. An MXML file in

main/src/com/foo/util/Foo.mxml is translated as an ActionScript class named Foo in the

package com.foo.util, for example, with the source roots specified here:

sourceanalyzer -b MyFlexProject -flex-source-roots main/src:modules/src

"./main/src/**/*.mxml" "./main/src/**/*.as" "./modules/src/**/*.mxml"

"./modules/src/**/*.as"

Handling Resolution Warnings

To see all warnings that were generated during translation, type the following command before you

start the scan phase:

sourceanalyzer -b <build_id> -show-build-warnings

ActionScript Warnings

You might receive a message similar to the following:

The ActionScript front end was unable to resolve the following imports:

a.b at y.as:2. foo.bar at somewhere.as:5. a.b at foo.mxml:8.

This error occurs when Fortify Static Code Analyzer cannot find all the required libraries. You might

need to specify additional SWC or SWF Flex libraries (using the -flex-libraries option or the

com.fortify.sca.FlexLibraries property) so that Fortify Static Code Analyzer can complete the

analysis.

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 106 of 223

User Guide

Chapter 15: Translating Other Languages and Configurations

Translating ColdFusion Code

To treat undefined variables in a CFML page as tainted, uncomment the following line in <sca_

install_dir>/Core/config/fortify-sca.properties:

#com.fortify.sca.CfmlUndefinedVariablesAreTainted=true

This instructs the Dataflow Analyzer to watch out for register-globals-style vulnerabilities. However,

enabling this property interferes with Dataflow Analyzer findings in which a variable in an included

page is initialized to a tainted value in an earlier-occurring included page.

ColdFusion Command-Line Syntax

Type the following to translate ColdFusion source code:

sourceanalyzer -b <build_id> -source-base-dir <dir> <files> | <file_

specifiers>

where:

l

<build_id> specifies the build ID for the project

l

<dir> specifies the root directory of the web application

l

<files> | <file_specifiers> specifies the CFML source code files

For a description of how to use <file_specifiers>, see "Specifying Files and Directories" on

page 133.

Note: Fortify Static Code Analyzer calculates the relative path to each CFML source file with the

-source-base-dir directory as the starting point. Fortify Static Code Analyzer uses these

relative paths when it generates instance IDs. If you move the entire application source tree to a

different directory, the Fortify Static Code Analyzer- generated instance IDs remain the same if

you specify an appropriate parameter for the -source-base-dir option.

ColdFusion (CFML) Command-Line Options

The following table describes the CFML options.

ColdFusion Option

Description

The web application root directory.

-source-base-dir <web_app_root_dir> <files>

| <file_specifiers>

Equivalent Property Name:

com.fortify.sca.SourceBaseDir

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 107 of 223

User Guide

Chapter 15: Translating Other Languages and Configurations

Translating SQL

On Windows platforms, Fortify Static Code Analyzer assumes that files with the .sql extension are T-

SQL rather than PL/SQL. If you have PL/SQL files with the .sql extension on Windows, you must

configure Fortify Static Code Analyzer to treat them as PL/SQL.

To specify the SQL type for translation on Windows platforms, type one of the following translation

commands:

sourceanalyzer -b <build_id> -sql-language TSQL <files>

or

sourceanalyzer -b <build_id> -sql-language PL/SQL <files>

Alternatively, you can change the default behavior for files with the .sql extension. In the fortify-

sca.properties file, set the com.fortify.sca.fileextensions.sql property to TSQL or

PLSQL.

See Also

"SQL Properties" on page 209

PL/SQL Command-Line Example

The following example translates two PL/SQL files:

sourceanalyzer -b MyProject x.pks y.pks

The following example translates all PL/SQL files in the sources directory:

sourceanalyzer -b MyProject "sources/**/*.pks"

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 108 of 223

User Guide

Chapter 15: Translating Other Languages and Configurations

T-SQL Command-Line Example

The following example translates two T-SQL files:

sourceanalyzer -b MyProject x.sql y.sql

The following example translates all T-SQL files in the sources directory:

sourceanalyzer -b MyProject "sources\**\*.sql"

Note: This example assumes the com.fortify.sca.fileextensions.sql property in

fortify-sca.properties is set to TSQL.

Translating Scala Code

Translating Scala code requires the following:

l

The Scala compiler plugin

You can download this plugin from the Maven Central Repository.

l

A Lightbend license file

This license file is included with the Fortify Static Code Analyzer installation in the <sca_install_

dir>/plugins/lightbend directory

For instructions on how set up the license and translate Scala code, see the Lightbend documentation

at https://developer.lightbend.com/guides/fortify.

Important! If your project contains source code other than Scala, you must translate the Scala

code using the Scala Fortify compiler plugin, and then translate other source code with

sourceanalyzer using the same build ID before you run the analysis phase.

Translating Dockerfiles

By default, Fortify Static Code Analyzer translates the following files as Dockerfiles: Dockerfile*,

dockerfile*, *.Dockerfile, and *.dockerfile.

Note: You can modify the file extension used to detect Dockerfiles using the

com.fortify.sca.fileextensions property. See "Translation and Analysis Phase Properties"

on page 188.

Fortify Static Code Analyzer accepts the following escape characters in Dockerfiles: backslash (\) and

backquote (`). If the escape character is not set in the Dockerfile, then Fortify Static Code Analyzer

assumes that the backslash is the escape character.

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 109 of 223

User Guide

Chapter 15: Translating Other Languages and Configurations

The syntax to translate a directory that contains Dockerfiles is shown in the following example:

sourceanalyzer -b <build_id> <dir>

If the Dockerfile is malformed, Fortify Static Code Analyzer writes an error to the log file indicating

that the file cannot be parsed and skips the analysis of the Dockerfile. The following is an example of

the error written to the log:

Unable to parse dockerfile ProjA.Dockerfile, error on Line 1:20: mismatched

input '\n' expecting {LINE_EXTEND, WHITESPACE}

Unable to parse config file

C:/Users/jsmith/MyProj/docker/dockerfile/ProjA.Dockerfile

Translating HCL

By default, Fortify Static Code Analyzer translates files with the HCL extensions .hcl and .tf. The

following example translates two HCL files with different file extensions:

sourceanalyzer -b MyProject x.hcl y.tf

The following example translates all HCL files in the sources directory:

sourceanalyzer -b MyProject "sources\**\*.tf" "sources\**\*.hcl"

Note: HCL analysis support is specific to Terraform and supported cloud provider Infrastructure

as Code (IaC) configurations.

Translating JSON

By default, Fortify Static Code Analyzer translates files with the JSON extension .json as JSON. The

following example translates a JSON file:

sourceanalyzer -b MyProject x.json

The following example translates all JSON files in the sources directory:

sourceanalyzer -b MyProject "sources\**\*.json"

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 110 of 223

User Guide

Chapter 15: Translating Other Languages and Configurations

Translating YAML

By default, Fortify Static Code Analyzer translates files with the YAML extensions .yaml and .yml.

The following example translates two YAML files with different file extensions:

sourceanalyzer -b MyProject x.yaml y.yml

The following example translates all YAML files in the sources directory:

sourceanalyzer -b MyProject "sources\**\*.yaml" "sources\**\*.yml"

Translating ASP/VBScript Virtual Roots

Fortify Static Code Analyzer allows you to handle ASP virtual roots. For web servers that use virtual

directories as aliases that map to physical directories, Fortify Static Code Analyzer enables you to use

an alias.

For example, you can have virtual directories named Include and Library that refer to the physical

directories C:\WebServer\CustomerOne\inc and C:\WebServer\CustomerTwo\Stuff,

respectively.

The following example shows the ASP/VBScript code for an application that uses virtual includes:

For this example, the previous ASP code refers to the file in the following physical location:

C:\Webserver\CustomerOne\inc\Task1\foo.inc

The real directory replaces the virtual directory name Include in this example.

Accommodating Virtual Roots

To provide the mapping of each virtual directory to Fortify Static Code Analyzer, you must set the

com.fortify.sca.ASPVirtualRoots.name_of_virtual_directory property in your Fortify

Static Code Analyzer command-line invocation as shown in the following example:

sourceanalyzer -Dcom.fortify.sca.ASPVirtualRoots.<virtual_directory>=<full_

path_to_corresponding_physical_directory>

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 111 of 223

User Guide

Chapter 15: Translating Other Languages and Configurations

Note: On Windows, if the physical path includes spaces, you must enclose the property setting in

quotes:

sourceanalyzer "-Dcom.fortify.sca.ASPVirtualRoots.<virtual_

directory>=<full_path_to_corresponding_physical_directory>"

To expand on the example in the previous section, pass the following property value to Fortify Static

Code Analyzer:

-Dcom.fortify.sca.ASPVirtualRoots.Include="C:\WebServer\CustomerOne\inc"

-Dcom.fortify.sca.ASPVirtualRoots.Library="C:\WebServer\CustomerTwo\Stuff"

This maps Include to C:\WebServer\CustomerOne\inc and Library to

C:\WebServer\CustomerTwo\Stuff.

When Fortify Static Code Analyzer encounters the #include directive:

Fortify Static Code Analyzer determines if the project contains a physical directory named Include. If

there is no such physical directory, Fortify Static Code Analyzer looks through its runtime properties

and finds the -Dcom.fortify.sca.ASPVirtualRoots.Include=

"C:\WebServer\CustomerOne\inc" setting. Fortify Static Code Analyzer then looks for this file:

C:\WebServer\CustomerOne\inc\Task1\foo.inc.

Alternatively, you can set this property in the fortify-sca.properties file located in <sca_

install_dir>\Core\config. You must escape the backslash character (\) in the path of the

physical directory as shown in the following example:

com.fortify.sca.ASPVirtualRoots.Library=C:\\WebServer\\CustomerTwo\\Stuff

com.fortify.sca.ASPVirtualRoots.Include=C:\\WebServer\\CustomerOne\\inc

Note: The previous version of the ASPVirtualRoot property is still valid. You can use it on the

Fortify Static Code Analyzer command line as follows:

-Dcom.fortify.sca.ASPVirtualRoots=C:\WebServer\CustomerTwo\Stuff;

C:\WebServer\CustomerOne\inc

This prompts Fortify Static Code Analyzer to search through the listed directories in the order

specified when it resolves a virtual include directive.

Using Virtual Roots Example

You have a file as follows:

C:\files\foo\bar.asp

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 112 of 223

User Guide

Chapter 15: Translating Other Languages and Configurations

To specify this file, use the following include:

<!-- #include virtual="/foo/bar.asp">

Then set the virtual root in the sourceanalyzer command as follows:

-Dcom.fortify.sca.ASPVirtualRoots=C:\files\foo

This strips the /foo from the front of the virtual root. If you do not specify foo in the

com.fortify.sca.ASPVirtualRoots property, then Fortify Static Code Analyzer looks for

C:\files\bar.asp and fails.

The sequence to specify virtual roots is as follows:

1. Remove the first part of the path in the source.

2. Replace the first part of the path with the virtual root as specified on the command line.

Classic ASP Command-Line Example

To translate a single file classic ASP written in VBScript named MyASP.asp, type:

sourceanalyzer -b mybuild "MyASP.asp"

VBScript Command-Line Example

To translate a VBScript file named myApp.vb, type:

sourceanalyzer -b mybuild "myApp.vb"

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 113 of 223

Chapter 16: Integrating into a Build

You can integrate the analysis into supported build tools.

This section contains the following topics:

Modifying a Build Script to Invoke Fortify Static Code Analyzer

Touchless Build Integration

Ant Integration

Gradle Integration

Maven Integration

Build Integration

You can translate entire projects in a single operation. Prefix your original build operation with the

sourceanalyzer command followed by the Fortify Static Code Analyzer options.

The basic command-line syntax to translate a complete project is:

sourceanalyzer -b <build_id> [<sca_options>] <build_tool> [<build_tool_

options>]

where <build_tool> is the name of your build tool, such as make, gmake, msbuild, devenv, or

xcodebuild. See the Micro Focus Fortify Software System Requirements document for a list of

supported build tools. Fortify Static Code Analyzer executes your build tool and intercepts all

compiler operations to collect the specific command line used for each input.

Note: Fortify Static Code Analyzer only processes the compiler commands that the build tool

executes. If you do not clean your project before you execute the build, then Fortify Static Code

Analyzer only processes those files that the build tool re-compiles.

For information about integrating with Xcodebuild, see "iOS Code Analysis Command-Line Syntax" on

page 80. For information about integration with MSBuild, see "Translating Visual Studio and MSBuild

Projects " on page 62.

Successful build integration requires that the build tool:

l

Executes a Fortify Static Code Analyzer-supported compiler

l

Executes the compiler on the operating system path search, not with a hardcoded path (This

requirement does not apply to xcodebuild integration.)

l

Executes the compiler, rather than executing a sub-process that then executes the compiler

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 114 of 223

User Guide

Chapter 16: Integrating into a Build

If you cannot meet these requirements in your environment, see "Modifying a Build Script to Invoke

Fortify Static Code Analyzer" below.

Make Example

If you build your project with the following build commands:

make clean

make

make install

then you can simultaneously translate and compile the entire project with the following example

commands:

make clean

sourceanalyzer -b MyProject make

make install

Modifying a Build Script to Invoke Fortify Static Code

Analyzer

As an alternative to build integration, you can modify your build script to prefix each compiler, linker,

and archiver operation with the sourceanalyzer command. For example, a makefile often defines

variables for the names of these tools:

CC=gcc

CXX=g++

LD=ld

AR=ar

You can prepend the tool references in the makefile with the sourceanalyzer command and the

appropriate Fortify Static Code Analyzer options.

CC=sourceanalyzer -b mybuild gcc

CXX=sourceanalyzer -b mybuild g++

LD=sourceanalyzer -b mybuild ld

AR=sourceanalyzer -b mybuild ar

When you use the same build ID for each operation, Fortify Static Code Analyzer automatically

combines each of the separately-translated files into a single translated project.

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 115 of 223

User Guide

Chapter 16: Integrating into a Build

Touchless Build Integration

Fortify Static Code Analyzer includes a generic build tool called touchless that enables translation

of projects using build systems that Fortify Static Code Analyzer does not directly support. The

command-line syntax for touchless build integration is:

sourceanalyzer -b <build_id> touchless <build_command>

For example, you might use a python script called build.py to compute dependencies and execute

appropriately-ordered C compiler operations. Then to execute your build, run the following command:

python build.py

Fortify Static Code Analyzer does not have native support for such a build design. However, you can

use the touchless build tool to translate and build the entire project with the single command:

sourceanalyzer -b <build_id> touchless python build.py

The same requirements for successful build integration with supported build systems described

earlier in this chapter (see "Build Integration" on page 114) apply to touchless integration with

unsupported build systems.

Ant Integration

Fortify Static Code Analyzer provides an easy way to translate Java source files for projects that use

an Ant build file. You can apply this integration on the command line without modifying the Ant

build.xml file. When the build runs, Fortify Static Code Analyzer intercepts all javac task

invocations and translates the Java source files as they are compiled. Make sure that you pass any

properties to Ant by adding them to the ANT_OPTS environment variable. Do not include them in the

sourceanalyzer command.

Note: You must translate any JSP files, configuration files, or any other non-Java source files that

are part of the application in a separate step.

To use the Ant integration, make sure that the sourceanalyzer executable is on the system PATH.

Prepend your Ant command-line with the sourceanalyzer command as follows:

sourceanalyzer -b <build_id> ant [<ant_options>]

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 116 of 223

User Guide

Chapter 16: Integrating into a Build

Gradle Integration

You can translate projects that are built with Gradle without any modification of the build.gradle

file. When the build runs, Fortify Static Code Analyzer translates the source files as they are compiled.

See the Micro Focus Fortify Software System Requirements document for platforms and languages

supported specifically for Gradle integration. Any files in the project in unsupported languages for

Gradle integration are not translated (with no error reporting). These files are therefore not analyzed,

and any existing potential vulnerabilities can go undetected.

To integrate Fortify Static Code Analyzer into your Gradle build, make sure that the

sourceanalyzer executable is on the system PATH. Prepend the Gradle command line with the

sourceanalyzer command as follows:

sourceanalyzer -b <build_id> <sca_options> gradle [<gradle_options>]

<gradle_tasks>

For example:

sourceanalyzer -b MyProject gradle clean build

sourceanalyzer -b MyProject gradle --info assemble

If your build file name is different than build.gradle, then include the build file name with the --

build-file option as shown in the following example:

sourceanalyzer -b MyProject gradle --build-file sample.gradle clean

assemble

You can also use the Gradle Wrapper (gradlew) as shown in the following example:

sourceanalyzer -b MyProject gradlew [<gradle_options>]

If your application uses XML or property configuration files, translate these files with a separate

sourceanalyzer command. Use the same build ID that you used for the project files. The following

are examples:

sourceanalyzer -b MyProject <path_to_xml_files>

sourceanalyzer -b MyProject <path_to_properties_files>

After translating the project with gradle or gradlew, you can then perform the analysis phase as

shown in the following example:

sourceanalyzer -b MyProject -scan -f MyResults.fpr

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 117 of 223

User Guide

Chapter 16: Integrating into a Build

Including Verbose and Debug Options

If you use the Fortify Static Code Analyzer -verbose option, then you must also include the -gradle

option. Use of this option applies to both Gradle and the Gradle Wrapper. For example:

sourceanalyzer -b MyProject -gradle -verbose gradle assemble

As part of the gradle integration, Fortify Static Code Analyzer temporarily updates the original build

file build.gradle. If you include the -debug option, Fortify Static Code Analyzer saves a copy of the

original build file as build.gradle.orig). After the analysis with the -debug option is complete,

rename the build.gradle.orig file back to build.gradle and run sourceanalyzer again without

the -debug option.

Maven Integration

Fortify Static Code Analyzer includes a Maven plugin that provides a way to add the following

capabilities to your Maven project builds:

l

Fortify Static Code Analyzer clean, translate, scan

l

Fortify Static Code Analyzer export mobile build session (MBS) for a Fortify Static Code Analyzer

translated project

l

Send translated code to Micro Focus Fortify ScanCentral SAST

l

Upload results to Micro Focus Fortify Software Security Center

You can use the plugin directly or integrate its functionality into your build process.

Installing and Updating the Fortify Maven Plugin

The Fortify Maven Plugin is located in <sca_install_dir>/plugins/maven. This directory

contains a binary and a source version of the plugin in both zip and tarball archives. To install the

plugin, extract the version (binary or source) that you want to use, and then follow the instructions in

the included README.TXT file. Perform the installation in the directory where you extracted the

archive.

For information about supported versions of Maven, see the Micro Focus Fortify Software System

Requirements document.

If you have a previous version of the Fortify Maven Plugin installed, and then install the latest version.

Uninstalling the Fortify Maven Plugin

To uninstall the Fortify Maven Plugin, manually delete all files from the <maven_local_

repo>/repository/com/fortify/ps/maven/plugin directory.

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 118 of 223

User Guide

Chapter 16: Integrating into a Build

Testing the Fortify Maven Plugin Installation

After you install the Fortify Maven Plugin, use one of the included sample files to be sure your

installation works properly.

To test the Fortify Maven Plugin using the Eightball sample file:

1.

Add the directory that contains the sourceanalyzer executable to the path environment

variable.

For example:

export set PATH=$PATH:/<sca_install_dir>/bin

or

set PATH=%PATH%;<sca_install_dir>/bin

2.

3.

Type sourceanalyzer -version to test the path setting.

Fortify Static Code Analyzer displays the version information if the path setting is correct.

Navigate to the sample Eightball directory: <root_dir>/samples/EightBall.

4. Type the following command:

mvn com.fortify.sca.plugins.maven:sca-maven-plugin:<ver>:clean

where <ver> is the version of the Fortify Maven Plugin you are using. If the version is not

specified, Maven uses the latest version of the Fortify Maven Plugin installed in the local

repository.

Note: To see the version of the Fortify Maven Plugin, open the pom.xml file that you

extracted in <root_dir> in a text editor. The Fortify Maven Plugin version is specified in the

<version> element.

5. If the command in step 4 completed successfully, then the Fortify Maven Plugin is installed

correctly. The Fortify Maven Plugin is not installed correctly if you get the following error

message:

[ERROR] Error resolving version for plugin

'com.fortify.sca.plugins.maven:sca-maven-plugin' from the repositories

Check the Maven local repository and try to install the Fortify Maven Plugin again.

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 119 of 223

User Guide

Chapter 16: Integrating into a Build

Using the Fortify Maven Plugin

There are two ways to perform a Fortify analysis on a maven project:

l

As a Maven Plugin

In this method, you perform the Fortify analysis tasks as goals with the mvn command. For example,

use the following command to translate source code:

mvn com.fortify.sca.plugins.maven:sca-maven-plugin:<ver>:translate

To analyze your code this way, see the documentation included with the Fortify Maven Plugin. The

following table describes where to find the documentation after you install the Fortify Maven

Plugin.

Package Type Documentation Location

Binary

Source

<root_dir>/docs/index.html

<root_dir>/sca-maven-plugin/target/site/index.html

l

In a Fortify Static Code Analyzer build integration

In this method, prepend the maven command used to build your project with the sourceanalyzer

command and any Fortify Static Code Analyzer options. To analyze your files as part of a Fortify

Static Code Analyzer build integration:

a. Clean out the previous build:

sourceanalyzer -b MyProject -clean

b. Translate the code:

sourceanalyzer -b MyProject [<sca_options>] [<mvn_command_with_

options>]

For example:

sourceanalyzer -b MyProject mvn package

See "Command-Line Interface" on page 121 for descriptions of available Fortify Static Code

Analyzer options.

c. Complete the analysis by running the scan as shown in the following example:

sourceanalyzer -b MyProject [<sca_scan_options>] -scan -f

MyResults.fpr

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 120 of 223

Chapter 17: Command-Line Interface

This chapter describes general Fortify Static Code Analyzer command-line options and how to specify

source files for analysis. Command-line options that are specific to a language are described in the

chapter for that language.

This section contains the following topics:

Specifying Files and Directories

Translation Options

The following table describes the translation options.

Translation Option

Description

Specifies a build ID. Fortify Static Code Analyzer uses a build ID to

-b <build_id>

track the files that are compiled and combined as part of a build, and

then later, to scan those files.

Equivalent Property Name:

com.fortify.sca.BuildID

Specifies a colon-separated list of languages to exclude from the

-disable-language

translation phase. The valid language values are abap,

actionscript, apex, cfml, cobol, configuration, cpp, dotnet,

golang, java, javascript, jsp, kotlin, objc, php, plsql,

python, ruby, scala, sql, swift, tsql, typescript, and vb.

Equivalent Property Name:

com.fortify.sca.DISabledLanguages

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 121 of 223

User Guide

Chapter 17: Command-Line Interface

Translation Option

Description

Specifies a colon-separated list of languages to translate. The valid

-enable-language

language values are abap, actionscript, apex, cfml, cobol,

configuration, cpp, dotnet, golang, java, javascript, jsp,

kotlin, objc, php, plsql, python, ruby, scala, sql, swift, tsql,

typescript, and vb.

Equivalent Property Name:

com.fortify.sca.EnabledLanguages

Specifies the files to exclude from the translation. Files excluded

from translation are also not scanned. Separate multiple file paths

with semicolons (Windows) or colons (non-Windows). For example:

-exclude

<file_specifiers>

sourceanalyzer –cp "**/*.jar" "**/*"

-exclude "**/Test/*.java"

This example excludes all Java files in any Test subdirectory. See

"Specifying Files and Directories" on page 133 for more information

on how to use file specifiers.

Note: When you integrate the translation with most compilers or

build tools, Fortify Static Code Analyzer translates all source files

that the compiler or build tool processes even if this option

specifies to exclude them. However, the Fortify Static Code

Analyzer xcodebuild and MSBuild integrations do support the

-exclude option.

Equivalent Property Name:

com.fortify.sca.exclude

Specifies the source file encoding type. Fortify Static Code Analyzer

enables you to scan a project that contains differently encoded

source files. To work with a multi-encoded project, you must specify

-encoding <encoding_

name>

the -encoding option in the translation phase, when Fortify Static

Code Analyzer first reads the source code file. Fortify Static Code

Analyzer remembers this encoding in the build session and

propagates it into the FVDL file.

Valid encoding names are from the java.nio.charset.Charset.

Typically, if you do not specify the encoding type, Fortify Static Code

Analyzer uses file.encoding from the

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 122 of 223

User Guide

Chapter 17: Command-Line Interface

Translation Option

Description

java.io.InputStreamReader constructor with no encoding

parameter. In a few cases (for example with the ActionScript parser),

Fortify Static Code Analyzer defaults to UTF-8 encoding.

Equivalent Property Name:

com.fortify.sca.InputFileEncoding

When specified before a compiler command line, Fortify Static Code

Analyzer translates the source file but does not run the compiler.

-nc

Specifies the file type for source files that have no file extension. The

-noextension-type

<file_type>

valid file type values are ABAP, ACTIONSCRIPT, APEX, APEX_OBJECT,

APEX_TRIGGER, ARCHIVE, ASPNET, ASP, ASPX, BITCODE, BSP,

BYTECODE, CFML, COBOL, CSHARP, DOCKERFILE, GENERIC, GO, HOCON,

HTML, INI, JAVA, JAVA_PROPERTIES, JAVASCRIPT, JSP, JSPX,

KOTLIN, MSIL, MXML, OBJECT, PHP, PLSQL, PYTHON, RUBY, RUBY_ERB,

SCALA, SWIFT, SWC, SWF, TLD, SQL, TSQL, TYPESCRIPT, VB, VB6,

VBSCRIPT, VISUAL_FORCE, VUE, and XML.

Analysis Options

The following table describes the analysis options.

Analysis Option

Description

Specifies the build ID used in a prior translation command.

-b <build_id>

Equivalent Property Name:

com.fortify.sca.BuildID

Causes Fortify Static Code Analyzer to perform a security analysis for

the specified build ID.

-scan

Note: Do not use this option together with the -scan-module

option in the same sourceanalyzer command.

Causes Fortify Static Code Analyzer to perform a security analysis for

the specified build ID as a separate module.

-scan-module

Note: Do not use this option together with the -scan option in the

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 123 of 223

User Guide

Chapter 17: Command-Line Interface

Analysis Option

Description

same sourceanalyzer command.

Equivalent Property Name:

com.fortify.sca.ScanScaModule

Specifies the libraries previously scanned as separate modules in a

comma- or colon-separated list of build IDs to include in the project scan.

-include-modules

Equivalent Property Name:

com.fortify.sca.IncludeScaModules

Specifies the analyzers you want to enable with a colon- or comma-

-analyzers

<analyzer_list>

separated list of analyzers. The valid analyzer names are buffer,

content, configuration, controlflow, dataflow, nullptr,

semantic, and structural. You can use this option to disable

analyzers that are not required for your security requirements.

Equivalent Property Name:

com.fortify.sca.DefaultAnalyzers

Uses speed dial to scan the project with a scan precision level. The lower

the scan precision level, the faster the scan performance.The valid values

-p <level> |

-scan-precision

<level>

are 1, 2, 3, and 4. For more information, see "Configuring Scan Speed with

Speed Dial" on page 161.

Equivalent Property Name:

com.fortify.sca.PrecisionLevel

Quickly scan the project for critical- and high-priority issues using the

-quick

fortify-sca-quickscan.properties file, which provides a less in-

depth analysis. By default, quick scan disables the Buffer Analyzer and

the Control Flow Analyzer. In addition, it applies the Quick View filter set.

For more information, see "Quick Scan" on page 160.

Equivalent Property Name:

com.fortify.sca.QuickScanMode

Specifies a subset of source files to scan. Only the source files that were

linked in the named binary at build time are included in the scan. You can

use this option multiple times to specify the inclusion of multiple binaries

in the scan.

-bin <binary> |

-binary-name

Equivalent Property Name:

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 124 of 223

User Guide

Chapter 17: Command-Line Interface

Analysis Option

Description

com.fortify.sca.BinaryName

Disables all rules of the specified type in the default Rulepacks. You can

use this option multiple times to specify multiple rule types.

-disable-default-

rule-type

<type>

The <type> parameter is the XML tag minus the suffix Rule. For

example, use DataflowSource for DataflowSourceRule elements. You

can also specify specific sections of characterization rules, such as

Characterization:Control flow, Characterization:Issue, and

Characterization:Generic.

The <type> parameter is case-insensitive.

Specifies a results filter file. For more information, see "Filtering the

Analysis" on page 179.

-filter <file>

Equivalent Property Name:

com.fortify.sca.FilterFile

Disables rules in default Rulepacks that lead directly to issues. Fortify

Static Code Analyzer still loads rules that characterize the behavior of

functions.

-no-default-issue-

rules

Note: This is equivalent to disabling the following rule types:

DataflowSink, Semantic, Controlflow, Structural, Configuration,

Content, Statistical, Internal, and Characterization:Issue.

Equivalent Property Name:

com.fortify.sca.NoDefaultIssueRules

Disables loading of rules from the default Rulepacks. Fortify Static Code

Analyzer processes the Rulepacks for description elements and language

libraries, but processes no rules.

-no-default-rules

Equivalent Property Name:

com.fortify.sca.NoDefaultRules

Disables source rules in the default Rulepacks.

-no-default-

source-rules

Note: Characterization source rules are not disabled.

Equivalent Property Name:

com.fortify.sca.NoDefaultSourceRules

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 125 of 223

User Guide

Chapter 17: Command-Line Interface

Analysis Option

Description

Disables sink rules in the default Rulepacks.

Note: Characterization sink rules are not disabled.

-no-default-sink-

rules

Equivalent Property Name:

com.fortify.sca.NoDefaultSinkRules

Specifies the issue template file to use for the scan. This only affects

scans on the local machine. If you upload the FPR to Micro Focus Fortify

Software Security Center, it uses the issue template assigned to the

application version.

-project-template

<file>

Equivalent Property Name:

com.fortify.sca.ProjectTemplate

Specifies a custom Rulepack or directory. You can use this option

multiple times to specify multiple Rulepack files. If you specify a

directory, Fortify Static Code Analyzer includes all the files in the

-rules <file> |

<dir>

directory with the .bin and .xml extensions.

Equivalent Property Name:

com.fortify.sca.RulesFile

Output Options

The following table describes the output options. Apply all these options during the analysis phase

(with the -scan option). You can specify the build-label, build-project, and build-version

options during the translation phase and they are overridden if specified again for the analysis phase.

Output Option

Description

Specifies the file to which analysis results are written. If you do not

specify an output file, Fortify Static Code Analyzer writes the output to

the terminal.

-f <file> |

-output-file

<file>

Equivalent Property Name:

com.fortify.sca.ResultsFile

-format <format>

Controls the output format. Valid options are fpr, fvdl, fvdl.zip,

text, and auto. The default is auto, which selects the output format

based on the file extension of the file provided with the -f option.

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 126 of 223

User Guide

Chapter 17: Command-Line Interface

Output Option

Description

The FVDL is an XML file that contains the detailed Fortify Static Code

Analyzer analysis results. This includes vulnerability details, rule

descriptions, code snippets, command-line options used in the scan, and

any scan errors or warnings.

The FPR is a package of the analysis results that includes the FVDL file

as well as extra information such as a copy of the source code used in the

scan, the external metadata, and custom rules (if applicable). Micro

Focus Fortify Audit Workbench is automatically associated with the .fpr

file extension.

Note: If you use result certification, you must specify the fpr format.

See the Micro Focus Fortify Audit Workbench User Guide for

information about result certification.

You can prevent some information from being included in the FPR or

FVDL file to improve scan time or output file size. See other options in

this table and see "Optimizing FPR Files" on page 164.

Equivalent Property Name:

com.fortify.sca.Renderer

-append

Appends results to the file specified with the -f option. The resulting

FPR contains the issues from the earlier scan as well as issues from the

current scan. The build information and program data (lists of sources

and sinks) sections are also merged. To use this option, the output file

format must be fpr or fvdl. For information on the -format output

option, see the description in this table.

The engine data, which includes Fortify security content information,

command-line options, system properties, warnings, errors, and other

information about the execution of Fortify Static Code Analyzer (as

opposed to information about the program being analyzed), is not

merged. Because engine data is not merged with the -append option,

Fortify does not certify results generated with -append.

If this option is not specified, Fortify Static Code Analyzer adds any new

findings to the FPR file, and labels the older result as previous findings.

In general, only use the -append option when it is impossible to analyze

an entire application at once.

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 127 of 223

User Guide

Chapter 17: Command-Line Interface

Output Option

Description

Equivalent Property Name:

com.fortify.sca.OutputAppend

Specifies the label of the project being scanned. Fortify Static Code

Analyzer does not use this label but includes it in the analysis results.

-build-label

<label>

Equivalent Property Name:

com.fortify.sca.BuildLabel

Specifies the name of the project being scanned. Fortify Static Code

Analyzer does not use the name but includes it in the analysis results.

-build-project

<project_name>

Equivalent Property Name:

com.fortify.sca.BuildProject

Specifies the version of the project being scanned. Fortify Static Code

Analyzer does not use the version but includes it in the analysis results.

-build-version

Equivalent Property Name:

com.fortify.sca.BuildVersion

Excludes source files from the FPR file.

-disable-source-

bundling

Equivalent Property Name:

com.fortify.sca.FPRDisableSourceBundling

Excludes the Fortify security content descriptions from the analysis

results file.

-fvdl-no-

descriptions

Equivalent Property Name:

com.fortify.sca.FVDLDisableDescriptions

Excludes engine data from the analysis results file. The engine data

includes Fortify security content information, command-line options,

system properties, warnings, errors, and other information about the

Fortify Static Code Analyzer execution.

-fvdl-no-

enginedata

Equivalent Property Name:

com.fortify.sca.FVDLDisableEngineData

Excludes program data from the analysis results file. This removes the

taint source information from the Functions view in Fortify Audit

Workbench.

-fvdl-no-progdata

Equivalent Property Name:

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 128 of 223

User Guide

Chapter 17: Command-Line Interface

Output Option

Description

com.fortify.sca.FVDLDisableProgramData

Excludes the code snippets from the analysis results file.

-fvdl-no-snippets

Equivalent Property Name:

com.fortify.sca.FVDLDisableSnippets

Other Options

The following table describes other options.

Other Option

Description

Reads command-line options from the specified file.

@<file>

Note: By default, this file uses the JVM system encoding. You can

change the encoding by using the

com.fortify.sca.CmdlineOptionsFileEncoding property

specified in the fortify-sca.properties file. For more

information about this property, see "Translation and Analysis Phase

Properties" on page 188.

Prints a summary of command-line options.

-h |

-? |

-help

Includes debug information in the Fortify Support log file, which is only

useful for Micro Focus Fortify Customer Support to help troubleshoot.

-debug

Equivalent Property Name:

com.fortify.sca.Debug

-debug-verbose

This is the same as the -debug option, but it includes more details,

specifically for parse errors.

Equivalent Property Name:

com.fortify.sca.DebugVerbose

Sends verbose status messages to the console and to the Fortify

Support log file.

-verbose

Equivalent Property Name:

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 129 of 223

User Guide

Chapter 17: Command-Line Interface

Other Option

Description

com.fortify.sca.Verbose

Specifies the log file that Fortify Static Code Analyzer creates.

-logfile <file>

Equivalent Property Name:

com.fortify.sca.LogFile

Directs Fortify Static Code Analyzer to overwrite the log file for each run

of sourceanalyzer. Without this option, Fortify Static Code Analyzer

appends information to the log file.

-clobber-log

Equivalent Property Name:

com.fortify.sca.ClobberLogFile

Disables the command-line progress information.

-quiet

Equivalent Property Name:

com.fortify.sca.Quiet

Displays the Fortify Static Code Analyzer version and versions of various

independent modules included with Fortify Static Code Analyzer (all

other functionality is contained in Fortify Static Code Analyzer).

-version |

-v

Enables automatic allocation of memory based on the physical memory

available on the system. This is the default memory allocation setting.

-autoheap

Specifies the maximum amount of memory Fortify Static Code Analyzer

uses.

-Xmx<size>M | G

Heap sizes between 32 GB and 48 GB are not advised due to internal

JVM implementations. Heap sizes in this range perform worse than at 32

GB. The JVM optimizes heap sizes smaller than 32 GB. If your scan

requires more than 32 GB, then you need 64 GB or more. As a guideline,

assuming no other memory intensive processes are running, do not

allocate more than 2/3 of the available memory.

When you specify this option, make sure that you do not allocate more

memory than is physically available, because this degrades performance.

As a guideline, and the assumption that no other memory intensive

processes are running, do not allocate more than 2/3 of the available

memory.

Note: Specifying this option overrides the default memory allocation

obtained with the -autoheap option.

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 130 of 223

User Guide

Chapter 17: Command-Line Interface

Directives

Use only one directive at a time and do not use any directive in conjunction with translation or

analysis commands. Use the directives described in the following table to list information about

previous translation commands.

Directive

Description

Deletes all Fortify Static Code Analyzer intermediate files and build

records. If you specify a build ID, only files and build records that relate

to that build ID are deleted.

-clean

Displays all objects created but not used in the production of any other

binaries. If fully integrated into the build, it lists all the binaries

produced.

-show-binaries

Displays a list of all known build IDs.

-show-build-ids

-show-build-tree

When you scan with the -bin option, displays all files used to create

the binary and all files used to create those files in a tree layout. If the

-bin option is not present, the tree is displayed for each binary.

Note: This option can generate an extensive amount of

information.

-show-build-warnings Use with -b <build_id> to show any errors and warnings that

occurred in the translation phase on the console.

Note: Fortify Audit Workbench also displays these errors and

warnings in the results Certification tab.

-show-files

-show-loc

Displays the files included in the specified build ID. When the -bin

option is present, displays only the source files that went into the

binary.

Displays the number of lines in the code being translated.

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 131 of 223

User Guide

Chapter 17: Command-Line Interface

LIM License Directives

Fortify Static Code Analyzer provides directives to manage the usage of your LIM license. You can

store or clear the LIM license pool credentials. You can also request (and release) a detached lease for

offline analysis if the specified license pool permits detached leases.

Note: By default, Fortify Static Code Analyzer requires an HTTPS connection to the LIM server

and you must have a trusted certificate. For more information, see "Adding Trusted Certificates"

on page 41.

Use the directives described in the following table for a license managed by the LIM.

Directive

Description

Stores your LIM license pool credentials so that Fortify Static Code

-store-license-

pool-credentials Analyzer uses the LIM for licensing. The proxy information is optional.

"<lim_url>|<lim_

pool_name>|<lim_

pool_

pwd>|<proxy_

Fortify Static Code Analyzer stores the pool password and the proxy

credentials provided with this directive in the fortify-sca.properties

file as encrypted data. If your license pool credentials change after you

have installed Fortify Static Code Analyzer, you can run this directive again

url>|<proxy_

to save the new credentials.

user>|<proxy_

pwd>"

Example:

sourceanalyzer -store-license-pool-credentials

"https://<ip_address>/LIM.REST.API|TeamA|mypassword"

Associated Property Names:

com.fortify.sca.lim.Url

com.fortify.sca.lim.PoolName

com.fortify.sca.lim.PoolPassword

com.fortify.sca.lim.ProxyUrl

com.fortify.sca.lim.ProxyUsername

com.fortify.sca.lim.ProxyPassword

-clear-license-

pool-credentials

Removes the LIM license pool credentials from the fortify-

sca.properties file. If your license pool credentials change, you can

remove them with this directive, and then use the -store-license-

pool-credentials directive to save the new credentials.

Requests a detached lease from the LIM license pool for exclusive use on

this system for the specified duration (in minutes). This enables you to run

Fortify Static Code Analyzer even when disconnected from your corporate

intranet.

-request-

detached-lease

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 132 of 223

User Guide

Chapter 17: Command-Line Interface

Directive

Description

Note: To use this directive, the license pool must be configured to

allow detached leases.

Releases a detached lease back to the license pool.

-release-

detached-lease

Specifying Files and Directories

File specifiers are expressions that allow you to pass a long list of files or a directory to Fortify Static

Code Analyzer using wildcard characters. Fortify Static Code Analyzer recognizes two types of

wildcard characters: a single asterisk character (*) matches part of a file name, and double asterisk

characters (**) recursively matches directories. You can specify one or more files, one or more file

specifiers, or a combination of files and file specifiers.

Note: File specifiers do not apply to C, C++, or Objective-C++.

The following table describes examples of file and directory specifiers.

File / Directory Specifier

Description

Matches all files in the named directory and any

subdirectories or the named directory when used for a

directory parameter.

<dir>

<dir>/**/*

<dir>/**/Example.java

Matches any file named Example.java found in the named

directory or any subdirectories.

Matches any file with the specified extension found in the

named directory.

<dir>/*.java

<dir>/*.jar

Matches any file with the specified extension found in the

named directory or any subdirectories.

<dir>/**/*.kt

<dir>/**/*.jar

Matches all directories and files found in the named directory

<dir>/**/beta/**

that have beta in the path, including beta as a file name.

<dir>/**/classes/

Matches all directories and files with the name classes

found in the named directory and any subdirectories.

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 133 of 223

User Guide

Chapter 17: Command-Line Interface

File / Directory Specifier

Description

Matches all files in the current directory tree that have a

**/test/**

test element in the path, including test as a file name.

**/webgoat/*

Matches all files in any webgoat directory in the current

directory tree.

Matches:

l

/src/main/java/org/owasp/webgoat

l

/test/java/org/owasp/webgoat

Does not match (assignments directory does not match)

l

/test/java/org/owasp/webgoat/assignments

Note: Windows and many Linux shells automatically expand parameters that contain the asterisk

character (*), so you must enclose file-specifier expressions in quotes. Also, on Windows, you can

use the backslash character (\) as the directory separator instead of the forward slash (/).

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 134 of 223

Chapter 18: Command-Line Utilities

This section contains the following topics:

Fortify Static Code Analyzer Utilities

About Updating Security Content

Working with FPR Files from the Command Line

Generating Analysis Reports from the Command Line

Checking the Fortify Static Code Analyzer Scan Status

Fortify Static Code Analyzer Utilities

Fortify Static Code Analyzer command-line utilities enable you to manage Fortify Security Content

and FPR files, run reports, perform post-installation configurations, and monitor scans. These utilities

are located in <sca_install_dir>/bin. The utilities for Windows are provided as .bat or .cmd

files. The following table describes the utilities.

Note: By default, log files for most Fortify Static Code Analyzer utilities are written to the

following directory:

l

Windows: C:\Users\<username>\AppData\Local\Fortify\<utility_name>-

<version>\log

l

Non-Windows: <userhome>/.fortify/<utility_name>-<version>/log

More

Utility

Description

Information

fortifyupdate

Compares installed security content to the current

version and makes any required updates

FPRUtility

With this utility you can:

l

Merge audited projects

l

Verify FPR signatures

l

Display information from an FPR file including:

page 140

l

Any errors associated with the analysis

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 135 of 223

User Guide

Chapter 18: Command-Line Utilities

More

Utility

Description

Information

l

Number of issues

Filtered lists of issues in different formats

Lines of code for analyzed files

List of analyzed functions

Mappings for a migrated project

l

Combine or split source code files and audit projects

into FPR files

Alter an FPR

BIRTReportGenerator

ReportGenerator

Generates BIRT reports and legacy reports from FPR

files

scapostinstall

After you install Fortify Static Code Analyzer, this

utility enables you to migrate properties files from a

previous version of Fortify Static Code Analyzer,

"Running the

Post-Install

Tool" on

specify a locale, and specify a proxy server for security page 39

content updates and for Fortify Software Security

Center.

SCAState

Provides state analysis information on the JVM during "Checking the

the scan phase

About Updating Security Content

You can use the fortifyupdate utility to download the latest Fortify Secure Coding Rulepacks and

metadata from Fortify.

The fortifyupdate utility gathers information about the existing security content in your Fortify

installation and contacts the Fortify Rulepack update server with this information. The server returns

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 136 of 223

User Guide

Chapter 18: Command-Line Utilities

new or updated security content, and removes any obsolete security content from your Fortify Static

Code Analyzer installation. If your installation is current, a message is displayed to that effect.

Updating Security Content

Use the fortifyupdate utility to either download security content or import a local copy of the

security content. This utility is located in the <sca_install_dir>/bin directory.

The default read timeout for this utility is 180 seconds. To change the timeout setting, add the

rulepackupdate.SocketReadTimeoutSeconds property in the server.properties

configuration file. For more information, see the Micro Focus Fortify Static Code Analyzer Tools

Properties Reference Guide.

The basic command-line syntax for this utility is shown in the following example:

fortifyupdate [<options>]

To update your Fortify Static Code Analyzer installation with the latest Fortify Secure Coding

Rulepacks and external metadata from the Fortify Rulepack update server, type the following

command:

fortifyupdate

To update security content from the local system:

fortifyupdate -import <my_local_rules>.zip

To update security content from a Fortify Software Security Center server using credentials:

fortifyupdate -url <ssc_url> -sscUser <username> -sscPassword <password>

fortifyupdate Command-Line Options

The following table lists the fortifyupdate options.

fortifyUpdate Option

Description

Specifies to accept the public key. When this is

specified, you are not prompted to provide a public key.

Use this option to accept the public key if you are

-acceptKey

updating from a non-standard location using the -url

option.

Specifies to use the SSL certificate provided by the

server.

-acceptSSLCertificate

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 137 of 223

User Guide

Chapter 18: Command-Line Utilities

fortifyUpdate Option

Description

Imports the ZIP file that contains security content. By

-import <file>.zip

default, Rulepacks are imported into the <sca_

install_dir>/Core/config/rules directory.

Specifies a core directory where fortifyupdate stores

the update. If this is not specified, the fortifyupdate

performs the update in the <sca_install_dir>.

-coreDir <dir>

Important! Make sure that you copy the contents

of the <sca_install_dir>/config/keys folder

and paste it to a config/keys folder in this

directory before you run fortifyupdate.

Specifies to only update external metadata.

Specifies to only update Rulepacks.

-includeMetadata

-includeRules

Specifies a locale. English is the default if no security

content exists for the specified locale. The valid values

are:

-locale <locale>

l

en (English)

l

es (Spanish)

l

ja (Japanese)

l

ko (Korean)

l

pt_BR (Brazilian Portuguese)

l

zh_CN (Simplified Chinese)

l

zh_TW (Traditional Chinese)

Note: The values are not case-sensitive.

Alternatively, you can specify a default locale for

security content updates in the fortify.properties

configuration file. For more information, see the Micro

Focus Fortify Static Code Analyzer Tools Properties

Reference Guide .

Specifies a proxy server network name or IP address.

-proxyhost <host>

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 138 of 223

User Guide

Chapter 18: Command-Line Utilities

fortifyUpdate Option

Description

Specifies a proxy server port number.

-proxyport <port>

Specifies a user name if the proxy server requires

authentication.

-proxyUsername

Specifies the password if the proxy server requires

authentication.

-proxyPassword

Displays the currently installed Rulepacks including any

custom rules and custom metadata.

-showInstalledRules

Displays the currently installed external metadata.

-showInstalledExternalMetadata

Specifies a URL from which to download the security

content. The default URL is

-url <url>

https://update.fortify.com or the value set for

the rulepackupdate.server property in the

server.properties configuration file.

For more information about the server.properties

configuration file, see the Micro Focus Fortify Static

Code Analyzer Tools Properties Reference Guide .

You can download the security content from a Fortify

Software Security Center server by providing a Fortify

Software Security Center URL.

Specify one of the following types of credentials if you are updating security content from Fortify

Software Security Center with the -url option:

Specifies a Fortify Software Security Center user

account by user name and password.

-sscUsername

-sscPassword

Specifies a Fortify Software Security

-sscAuthToken

Center authentication token of type

UnifiedLoginToken, CIToken, or ToolsConnectToken.

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 139 of 223

User Guide

Chapter 18: Command-Line Utilities

Working with FPR Files from the Command Line

Use the FPRUtility located in the bin directory of your Fortify Static Code Analyzer installation to

perform the following tasks:

l

"Merging FPR Files" below

l

"Displaying Analysis Results Information from an FPR File" on page 142

l

"Extracting a Source Archive from an FPR File" on page 146

l

"Altering FPR Files" on page 148

l

"Allocating More Memory for FPRUtility" on page 148

Merging FPR Files

The FPRUtility -merge option combines the analysis results from two FPR files into a single FPR file.

The values of the primary project are used to resolve conflicts. When you merge two FPR files, copies

of both the primary analysis results and the secondary analysis results are stored in the merged FPR.

When you open a merged FPR in Micro Focus Fortify Audit Workbench or Micro Focus Fortify

Software Security Center, removed issues are determined as those that exist in the secondary analysis

results but not in the primary analysis results. Similarly, new issues are those that exist in the

primary analysis results, but not in the secondary analysis results.

To merge FPR files:

FPRUtility -merge -project <primary>.fpr -source <secondary>.fpr \

-f <merged>.fpr

To merge FPR files and set instance ID migrator options:

FPRUtility -merge -project <primary>.fpr -source <secondary>.fpr \

-f <merged>.fpr -iidmigratorOptions "<iidmigrator_options>"

FPRUtility Data Merge Options

The following table lists the FPRUtility options that apply to merging data.

FPRUtility Option

Description

Merges the specified project and source FPR files.

-merge

Specifies the primary FPR file to merge. Conflicts are resolved

using the values in this file.

-project <primary>.fpr

Specifies the secondary FPR file to merge. The primary project

-source <secondary>.fpr

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 140 of 223

User Guide

Chapter 18: Command-Line Utilities

FPRUtility Option

Description

overrides values if conflicts exist.

Specifies the name of the merged FPR file to contain the result

of the merged files.

-f <merged>.fpr

Note: When you specify this option, neither of the original

FPR files are modified. If you do not use this option, the

primary FPR is overwritten with the merged results.

Forces the migration, even if Fortify Static Code Analyzer and

the Rulepack versions of the two projects are the same.

-forceMigration

Specifies to ignore the analysis dates in the primary and

secondary FPR files for the merge. Otherwise, the secondary

FPR is always updated with the primary FPR .

-ignoreAnalysisDates

Specifies to use the filter sets and folders from the issue

template in the secondary FPR.

-useSourceIssueTemplate

Specifies an instance ID mapping file. This enables you to modify

mappings manually rather than using the migration results.

Supply your own instance ID mapping file.

-useMigrationFile

<mapping_file>

Specifies instance ID migrator options. Separate included

options with spaces and enclosed them in quotes. Some valid

options are:

-iidmigratorOptions

<iidmigrator_options>

l

-i provides a case-sensitive file name comparison of the

merged files

l

-u <scheme_file> tells iidmigrator to read the matching

scheme from <scheme_file> for instance ID migration

Note: Wrap <-iidmigrator_options> in single quotes

('-u <scheme_file>') when working from a Cygwin

command prompt.

Windows example:

FPRUtility -merge -project <primary>.fpr

-source <secondary>.fpr -f <merged>.fpr

-iidmigratorOptions "-u scheme_file"

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 141 of 223

User Guide

Chapter 18: Command-Line Utilities

FPRUtility Option

Description

Displays debug information that can be helpful to troubleshoot

issues with FPRUtility.

-debug

FPRUtility Data Merge Exit Codes

Upon completion of the -merge command, FPRUtility provides one of the exit codes described in the

following table.

Exit Code Description

0

5

The merge completed successfully.

The merge failed.

Displaying Analysis Results Information from an FPR File

The FPRUtility -information option displays information about the analysis results. You can obtain

information to:

l

Validate signatures

l

Examine any errors associated with the FPR

l

Obtain the number of issues for each analyzer, vulnerability category, or custom grouping

l

Obtain lists of issues (including some basic information). You can filter these lists.

l

Obtain the list of analyzed files and the number of lines of code (LOC) for each file. You can also

compare the LOC with another FPR.

To display signature information for the analysis:

FPRUtility -information -signature -project <project>.fpr -f <output>.txt

To display a full analysis error report for the FPR:

FPRUtility -information -errors -project <project>.fpr -f <output>.txt

To display the number of issues per vulnerability category or analyzer:

FPRUtility -information -categoryIssueCounts -project <project>.fpr

FPRUtility -information -analyzerIssueCounts -project <project>.fpr

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 142 of 223

User Guide

Chapter 18: Command-Line Utilities

To display the number of issues for a custom grouping based on a search:

FPRUtility -information -search -query <search_expression> \

[-categoryIssueCounts] [-analyzerIssueCounts] \

[-includeSuppressed] [-includeRemoved] \

-project <project>.fpr -f <output>.txt

Note: By default, the result does not include suppressed and removed issues. To include

suppressed or removed issues, use the -includeSuppressed or -includeRemoved options.

To display information for issues in CSV format:

FPRUtility -information -listIssues \

-search [-queryAll | -query <search_expression>] \

[-categoryIssueCounts] [-analyzerIssueCouts] \

[-includeSuppressed] [-includeRemoved] \

-project <project>.fpr -f <output>.csv -outputFormat CSV

To display information for all issues from the most recent scan (excluding unsuppressed and removed

issues) using the Quick View filter set:

FPRUtility -information -listIssues \

-search -queryAllExistingUnsuppressed \

-filterSet "Quick View" \

[-categoryIssueCounts] [-analyzerIssueCouts] \

-project <project>.fpr -f <output>.txt

To display a comparison of the number of lines of code for analyzed files in two FPRs:

FPRUtility -information -loc -project <project>.fpr \

-compareTo <oldproject>.fpr -f <output>.txt

FPRUtility Information Options

The following table lists the FPRUtility options that apply to project information.

FPRUtility Option

Description

Displays information for the project.

-information

Specify one of the following options to indicate what information to display:

Displays the signature for analysis results and rules.

Displays the migration mappings report.

-signature

-mappings

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 143 of 223

User Guide

Chapter 18: Command-Line Utilities

FPRUtility Option

Description

Displays a full error report for the FPR.

-errors

Displays the Fortify Static Code Analyzer and the Fortify Secure Coding

Rulepacks versions used in the static scan.

-versions

Displays all functions that the static analyzer encountered in CSV format.

-functionsMeta

To filter which functions are displayed, include -

excludeCoveredByRules, and -excludeFunctionsWithSource.

Displays the number of issues for each vulnerability category.

Displays the number of issues for each analyzer.

-categoryIssueCounts

-analyzerIssueCounts

-search <query_option>

l

Use -search -query <search_expression> to display the number

of issues in the result of your specified search expression. To display the

number of issues per vulnerability category or analyzer, add the optional

-categoryIssueCounts and -analyzerIssueCounts options to the

search option. Use the -includeSuppressed and -includeRemoved

options to include suppressed or removed issues.

l

Use -search -queryAll to search all the issues in the FPR including

suppressed and removed issues.

l

Use -search -queryAllExistingUnsuppressed to search all the

issues in the FPR excluding suppressed and removed issues.

Displays the list of analyzed files each with the number of lines of code

(LOC) in the following format:

-loc

<filename>: <total_loc> (<executable_loc>)

where <total_loc> is the approximate number of lines that contain code

constructs (comments are excluded).

Use -compareTo <project>.fpr with this option to compare the

number of lines of code with another FPR. The comparison output includes

the following information:

l

+ indicates new analyzed files

l

- indicates removed analyzed files

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 144 of 223

User Guide

Chapter 18: Command-Line Utilities

FPRUtility Option

Description

l

* indicates files with a different number of lines of code. The difference

in the number of lines of code is shown next to the executable

LOC number as in (+N or -N). For example:

* ProjectA/main.jsp: 115 +15 (85 +7)

In the previous example, the comparison shows that the number of lines

of code in main.jsp is different between the two FPR files. There are 15

additional total LOC and 7 additional executable LOC.

Specifies the FPR from which to extract the results information.

Displays the location for each issue in one of the following formats:

-project <project>.fpr

-listIssues

<sink_filename>:<line_num> or

<sink_filename>:<line_num> (<category> | <analyzer>)

You can also use the -listIssues option with -search and with both

issueCounts grouping options. If you group by -categoryIssueCounts,

then the output includes (<analyzer>) and if you group by

-analyzerIssueCounts, then the output includes (<category>).

If you specify the -outputFormat CSV option, then each issue is displayed

on one line in the format:

"<instanceid>", "<category>",

"<sink_filename>:<line_num>", "<analyzer>"

Displays only the issues and counts that pass the filters specified in the

filter set. Filter sets are ignored without this option.

-filterSet <filterset_

name>

Important! You must use -search with this option.

-f <output>

Specifies the output file. The default is System.out.

Specifies the output format. The default value is TEXT.

-outputFormat TEXT | CSV

-debug

Displays debug information that can be helpful to troubleshoot issues

with FPRUtility.

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 145 of 223

User Guide

Chapter 18: Command-Line Utilities

FPRUtility Signature Exit Codes

Upon completion of the -information -signature command, FPRUtility provides one of the exit

codes described in the following table.

Exit Code Description

0

1

2

3

The project is signed, and all the signatures are valid.

The project is signed, and some, but not all, of the signatures passed the validity test.

The project is signed but none of the signatures are valid.

The project had no signatures to validate.

Extracting a Source Archive from an FPR File

The FPRUtility -sourceArchive option creates a source archive (FSA) file from a specified FPR file

and removes the source code from the FPR file. You can extract the source code from an FPR file,

merge an existing source archive (FSA) back into an FPR file, or recover source files from a source

archive.

To archive data:

FPRUtility -sourceArchive -extract -project <project>.fpr -f <output_

archive>.fsa

To archive data to a directory:

FPRUtility -sourceArchive -extract -project <project>.fpr \

-recoverSourceDirectory -f <output_dir>

To add an archive to an FPR file:

FPRUtility -sourceArchive -mergeArchive -project <project>.fpr \

-source <old_source_archive>.fsa -f <project_with_archive>.fpr

To recover files that are missing from an FPR file:

FPRUtility -sourceArchive -fixSecondaryFileSources \

-payload <source_archive>.zip -project <project>.fpr -f <output>.fpr

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 146 of 223

User Guide

Chapter 18: Command-Line Utilities

FPRUtility Source Archive Options

The following table lists the FPRUtility options that apply to working with the source archive.

FPRUtility Option

Description

Creates an FSA file so that you can extract a source

archive.

-sourceArchive

One of:

Use the -extract option to extract the contents of

the FPR file.

-extract

-mergeArchive

-fixSecondaryFileSources

Use the -mergeArchive option to merge the

contents of the FPR file with an existing archived file

(-source option).

Use the -fixSecondaryFileSources option to

recover source files from a source archive (-

payload option) missing from an FPR file.

Specifies the FPR to archive.

-project <project>.fpr

-recoverSourceDirectory

Use with the -extract option to extract the source

as a directory with restored source files.

Specifies the name of the existing archive. Use only if

you are merging an FPR file with an existing archive

-source <old_source_archive>.fsa

-payload <source_archive>.zip

(-mergeArchive option).

Use with the -fixSecondaryFileSources option

to specify the source archive from which to recover

source files.

Specifies the output file. You can generate an FPR, a

directory, or an FSA file.

-f <project_with_archive>.fpr |

<output_archive>.fsa |

<output_dir>

Displays debug information that can be helpful to

troubleshoot issues with FPRUtility.

-debug

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 147 of 223

User Guide

Chapter 18: Command-Line Utilities

Altering FPR Files

Use the FPRUtility -trimToLastScan option to remove the previous scan results from a merged

project (FPR). This reduces the size of the FPR file when you no longer need the previous scan results.

This can also reduce the time it takes to open an FPR in Fortify Audit Workbench.

To remove the previous scan from the FPR:

FPRUtility -trimToLastScan -project <merged_project>.fpr [-f <output>.fpr]

FPRUtility Alter FPR File Options

FPRUtility Option

Description

Removes the previous scan results from a merged

project.

-trimToLastScan

Specifies the merged FPR to alter. If this project is not a

merged project, then the FPR file remains unchanged.

-project <merged_project>.fpr

-f <output>.fpr

Specifies the name of the altered output file.

If you do not specify this option, then the merged FPR is

altered.

Allocating More Memory for FPRUtility

Performing tasks with large and complex FPR files might trigger out-of-memory errors. By default,

1000 MB is allocated for FPRUtility. To increase the memory, add the -Xmx option to the command

line. For example, to allocate 2 GB for FPRUtility, use the following command:

FPRUtility -Xmx2G -merge -project <primary>.fpr -source <secondary>.fpr \

-f <output>.fpr

Generating Analysis Reports from the Command Line

There are two command-line utilities you can use to generate analysis reports:

l

BIRTReportGenerator—Generates issue reports from FPR files that are based on the Business

Intelligence and Reporting Technology (BIRT) system.

Note: To generate BIRT reports on a Linux system running OpenJDK, you must install

fontconfig, DejaVu Sans fonts, and DejaVu Serif fonts.

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 148 of 223

User Guide

Chapter 18: Command-Line Utilities

l

ReportGenerator—Generates legacy reports from FPR files. You can specify a report template,

otherwise ReportGenerator uses a default report template. See the Micro Focus Fortify Audit

Workbench User Guide for a description of the available report templates.

Generating Issue Reports

Use the BIRTReportGenerator utility to generate issue reports that are based on the BIRT system.

The basic command-line syntax to generate an issue report is:

BIRTReportGenerator -template <template_name>

-source <audited_proj>.fpr -format <format>

-output <report_file_name>

The following is an example of how to generate an OWASP Top 10 2021 report with additional

options:

BIRTReportGenerator -template "owasp top 10" -source auditedProj.fpr

-format pdf -ShowSuppressed --Version "owasp top 10 2021"

--UseFortifyPriorityOrder -output MyOWASP_Top10_Report.pdf

BIRTReportGenerator Command-Line Options

The following table lists the BIRTReportGenerator options.

BIRTReportGenerator Option

Description

(Required) Specifies the report template name. The valid

-template <template_name>

values for <template_name> are "CWE Top 25",

"CWE/SANS Top 25", "Developer Workbook", "DISA

CCI 2", "DISA STIG", "FISMA Compliance", GDPR,

MISRA, "OWASP ASVS 4.0", "OWASP Mobile Top

10", "OWASP Top 10", "PCI DSS Compliance", and

"PCI SSF Compliance".

Note: You only need to enclose the report template

name in quotes if a space exists in the <template_

name>. The template name values are not case-

sensitive.

(Required) Specifies the audited project on which to

base the report.

-source <audited_proj>.fpr

-format pdf | doc | html

(Required) Specifies the generated report format.

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 149 of 223

User Guide

Chapter 18: Command-Line Utilities

BIRTReportGenerator Option

Description

Note: The format values are not case-sensitive.

(Required) Specifies the file to which the report is

written.

-output <report_file.***>

Note: If you specify a file that already exists, that

file is overwritten.

Specifies a search query to filter issues before

generating the report. For example:

-searchQuery <query>

-searchQuery audited:false

For a description of the search query syntax, see the

Micro Focus Fortify Audit Workbench User Guide.

Include issues that are marked as suppressed.

Include issues that are marked as removed.

Include issues that are marked as hidden.

-ShowSuppressed

-ShowRemoved

-ShowHidden

Specifies a filter set to use to generate the report (for

-filterSet <filterset_name>

example, -filterSet "Quick View").

Specifies the version for the template. The valid values

for the template versions are listed below. The template

version values are case-insensitive.

--Version <version>

Note: Templates that are not listed here have

only one version available.

If you do not specify a version and multiple

versions are available, BIRTReportGenerator

uses the most recent version based on the

external metadata used when the FPR was

created.

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 150 of 223

User Guide

Chapter 18: Command-Line Utilities

BIRTReportGenerator Option

Description

l

For the "CWE Top 25" template, the version is

"CWE Top 25 <year>" (for example, "CWE Top 25

2022")

l

For the "CWE/SANS Top 25" template, the version is

"<year> CWE/SANS Top 25" (for example, "2011

CWE/SANS Top 25")

l

For the "DISA STIG" template, the version

is "DISA STIG <version>" (for example,

"DISA STIG 5.1")

l

For the "FISMA Compliance" template, the version is

"NIST 800-53 Rev <version>" (for example,

"NIST 800-53 Rev 5")

l

For the MISRA template, the available versions are

"MISRA C 2012" or "MISRA C++ 2008"

l

For the "OWASP Top 10" template, the version is

"OWASP Top 10 <year>" (for example, "OWASP

Top 10 2021")

l

For the "PCI DSS Compliance" template, the version

is "<version> Compliance" (for example, "3.2.1

Compliance")

l

For the "PCI SSF Compliance" template, the version is

"PCI SSF <version>" (for example,

"PCI SSF 1.1")

Include the Description of Key Terminology section in

--IncludeDescOfKeyTerminology

the report.

Include the About Fortify Solutions section in the report.

--IncludeAboutFortify

--SecurityIssueDetails

Provide detailed descriptions of reported issues. This

option is not available for the Developer Workbook

template.

Use Fortify Priority Order instead of folder names to

categorize issues. This option is not available for the

Developer Workbook and PCI Compliance templates.

--UseFortifyPriorityOrder

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 151 of 223

User Guide

Chapter 18: Command-Line Utilities

BIRTReportGenerator Option

Description

Displays detailed information about the options.

-h | -help

Displays debug information that can be helpful to

troubleshoot issues with BIRTReportGenerator.

-debug

Troubleshooting BIRTReportGenerator

Occasionally, you might encounter an out of memory error when you generate a report. You might see

a message similar to the following in the command-line output:

java.lang.OutOfMemoryError: GC overhead limit exceeded

To increase the memory allocated for BIRTReportGenerator:

1.

2.

Make a copy of the <sca_install_dir>/bin/BIRTReportGenerator file as a backup.

Open the <sca_install_dir>/bin/BIRTReportGenerator file in a text editor.

The last line in the file includes -Xmx1500M, which is the total heap memory provided to

BIRTReportGenerator. This line looks similar to the following:

"%FORTIFY_CORE%\private-bin\awb\eclipse\eclipsec.exe" -vm "%JAVA_CMD%" ...

-Xmx1500M -Dcom.fortify.log.console=%CONSOLE_LOG% %USER_VM_OPTS%

3.

Change the value for the -Xmx option in that line to increase the amount of heap memory for

BIRTReportGenerator. For example, to allocate 32 GB to BIRTReportGenerator, set the option to

-Xmx32G.

Note: Do not allocate more memory that is physically available.

4. Save and close the file, and then rerun the report.

Generating a Legacy Analysis Report

Use the ReportGenerator utility to generate legacy reports. The legacy reports include user-

configurable report templates. The basic command-line syntax to generate a legacy analysis report is:

ReportGenerator -source <audited_proj>.fpr -format <format> -f <report_

file_name>

The following is an example of how to generate an PDF report using the Fortify Scan Summary

template and additional options:

ReportGenerator -source auditedProj.fpr -format pdf -f MyFortifyReport.pdf

-template ScanReport.xml -showSuppressed -user Alex

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 152 of 223

User Guide

Chapter 18: Command-Line Utilities

ReportGenerator Command-Line Options

The following table lists the ReportGenerator options.

ReportGenerator Option

Description

(Required) Specifies the audited project on which to base

the report.

-source <audited_proj>.fpr

(Required) Specifies the generated report format.

-format pdf | xml

(Required) Specifies the file to which the report is written.

-f <report_file.***>

Note: If you specify a file that already exists, that file is

overwritten.

Specifies the report template. If not specified,

-template <template_name>

ReportGenerator uses the default template. The default

template is located in <sca_install_

dir>/Core/config/reports/

DefaultReportDefinition.xml.

Note: Enclose the <template_name> in quotes if it

contains any spaces.

See the Micro Focus Fortify Audit Workbench User Guide for

a description of the available report templates and how to

customize them.

Specifies a user name to add to the report.

Include issues marked as suppressed.

Include issues marked as removed.

Include issues marked as hidden.

-user <username>

-showSuppressed

-showRemoved

-showHidden

Specifies a filter set to use to generate the report (for

-filterSet <filterset_name>

example, -filterset "Quick View").

Displays status messages to the console.

-verbose

-debug

Displays debug information that can be helpful to

troubleshoot issues with ReportGenerator.

Displays detailed information about the options.

-h

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 153 of 223

User Guide

Chapter 18: Command-Line Utilities

Checking the Fortify Static Code Analyzer Scan

Status

Use the SCAState utility to see up-to-date state analysis information during the scan phase.

To check Fortify Static Code Analyzer state:

1. Run a Fortify Static Code Analyzer scan.

2. Open another command window.

3. Type the following at the command prompt:

SCAState [<options>]

SCAState Utility Command-Line Options

The following table lists the SCAState utility options.

SCAState Option

Description

Displays all available information.

-a |

--all

Displays information that is useful to debug SCAState behavior.

Prints a thread dump for every thread.

-debug

-ftd |

--full-thread-dump

Displays the help information for the SCAState utility.

-h |

--help

Specifies the file to which the heap dump is written. The file is

interpreted relative to the remote scan’s working directory; this is

not necessarily the same directory where you are running

SCAState.

-hd <filename> |

--heap-dump <filename>

Displays the ongoing status of a running scan. This is the default.

If possible, this information is displayed in a separate terminal

window.

-liveprogress

-nogui

Causes the Fortify Static Code Analyzer state information to

display in the current terminal window instead of in a separate

window.

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 154 of 223

User Guide

Chapter 18: Command-Line Utilities

SCAState Option

Description

Displays information about the source code being scanned,

including how many source files and functions it contains.

-pi |

--program-info

Specifies the currently running Fortify Static Code

-pid <process_id>

Analyzer process ID. Use this option if there are multiple Fortify

Static Code Analyzer processes running simultaneously.

To obtain the process ID on Windows systems:

1. Open a command window.

2.

Type tasklist at the command prompt.

A list of processes is displayed.

3.

Find the java.exe process in the list and note its PID.

To find the process ID on Linux systems:

l

Type ps aux | grep sourceanalyzer at the command

prompt.

Displays scan information up to the point at which the command is

issued. This includes the elapsed time, the current phase of the

analysis, and the number of results already obtained.

-progress

Displays configuration settings (this does not include sensitive

information such as passwords).

-properties

-scaversion

Displays the Fortify Static Code Analyzer version number for the

sourceanalyzer that is currently running.

Prints a thread dump for the main scanning thread.

-td |

--thread-dump

Displays information from the timers and counters that are

instrumented in Fortify Static Code Analyzer.

-timers

Displays the SCAState version.

-version

-vminfo

Displays the following statistics that JVM standard MXBeans

provides: ClassLoadingMXBean, CompilationMXBean,

GarbageCollectorMXBeans, MemoryMXBean,

OperatingSystemMXBean, RuntimeMXBean, and ThreadMXBean.

<none>

Displays scan progress information (this is the same as -

progress).

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 155 of 223

User Guide

Chapter 18: Command-Line Utilities

Note: Fortify Static Code Analyzer writes Java process information to the location of the TMP

system environment variable. On Windows systems, the TMP system environment variable

location is C:\Users\<username>\AppData\Local\Temp. If you change this TMP system

environment variable to point to a different location, SCAState cannot locate the

sourceanalyzer Java process and does not return the expected results. To resolve this issue,

change the TMP system environment variable to match the new TMP location. Fortify

recommends that you run SCAState as an administrator on Windows.

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 156 of 223

Chapter 19: Improving Performance

This chapter provides guidelines and tips to optimize memory usage and performance when

analyzing different types of codebases with Fortify Static Code Analyzer.

This section contains the following topics:

Hardware Considerations

Sample Scans

Tuning Options

Quick Scan

Configuring Scan Speed with Speed Dial

Breaking Down Codebases

Limiting Analyzers and Languages

Optimizing FPR Files

Monitoring Long Running Scans

Antivirus Software

The use of antivirus software can negatively impact Fortify Static Code Analyzer performance. If you

notice long scan times, Fortify recommends that you temporarily exclude the internal Fortify Static

Code Analyzer files from your antivirus software scan. You can also do the same for the directories

where the source code resides, however the performance impact on the Fortify analysis is less than

with the internal directories.

By default, Fortify Static Code Analyzer creates internal files in the following location:

l

Windows: c:\Users\<username>\AppData\Local\Fortify\sca<version>

l

Non-Windows: <userhome>/.fortify/sca<version>

where <version> is the version of Fortify Static Code Analyzer you are using.

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 157 of 223

User Guide

Chapter 19: Improving Performance

Hardware Considerations

The variety of source code makes accurate predictions of memory usage and scan times impossible.

The factors that affect memory usage and performance consists of many different factors including:

l

Code type

l

Codebase size and complexity

l

Ancillary languages used (such as JSP, JavaScript, and HTML)

l

Number of vulnerabilities

l

Type of vulnerabilities (analyzer used)

Fortify developed the following set of "best guess" hardware recommendations based on real-world

application scan results. The following table lists these recommendations based on the complexity of

the application. In general, increasing the number of available cores might improve scan times.

Application

Complexity

RAM

(GB)

CPU Cores

Description

Simple

4

8

16 A standalone system that runs on a server or desktop

such as a batch job or a command-line utility.

Medium

32 A standalone system that works with complex

computer models such as a tax calculation system or

a scheduling system.

Complex

16

32

128 A three-tiered business system with transactional

data processing such as a financial system or a

commercial website.

Very Complex

256 A system that delivers content such as an application

server, database server, or content management

system.

Note: TypeScript and JavaScript scans increase the analysis time significantly. If the total lines of

code in an application consist of more than 20% TypeScript or JavaScript, use the next highest

recommendation.

The Micro Focus Fortify Software System Requirements document describes the system

requirements. However, for large and complex applications, Fortify Static Code Analyzer requires

more capable hardware. This includes:

l

Disk I/O—Fortify Static Code Analyzer is I/O intensive and therefore the faster the hard drive, the

more savings on the I/O transactions. Fortify recommends a 7,200 RPM drive, although a 10,000

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 158 of 223

User Guide

Chapter 19: Improving Performance

RPM drive (such as the WD Raptor) or an SSD drive is better.

l

Memory—See "Memory Tuning" on page 171 for more information about how to determine the

amount of memory required for optimal performance.

l

CPU—Fortify recommends a 2.1 GHz or faster processor.

Sample Scans

These sample scans were performed using Fortify Static Code Analyzer version 22.2.0 on dedicated

virtual machines. These scans were run using Micro Focus Fortify Software Security Content 2022

Update 3. The following table shows the scan times you can expect for several common open-source

projects.

Translation

Time (mm:ss)

Analysis (Scan)

Time (mm:ss)

Total

Issues

Project Name

Language

LOC System Configuration

nasm 0.98.38

C/C++

00:32

04:34

1,092

21,449 Linux VM with 8 CPUs

and 32 GB of RAM

WebGoat 8

Java

00:40

00:29

01:15

01:24

516

431

5,223 Linux VM with 8 CPUs

and 32 GB of RAM

10,034

WordPress for

Android

CakePHP

phpBB 3

PHP

00:25

00:35

02:24

02:17

01:55

01:52

4,836

1,399

1,061

47,772

34,224

PHP

SharpZipLib

.NET (C#)

12,185 Windows VM with

8 CPUs and 32 GB of

RAM

Hackademic-next

prisma

JavaScript

TypeScript

Python 3

Swift

01:29

01:05

02:39

00:25

03:55

03:13

10:16

00:57

794

86

39,252 Linux VM with 8 CPUs

and 32 GB of RAM

24,003

numpy-1.13.3

MediaBrowser

309

25

90,922

6,225 macOS VM with 2 CPUs

and 8 GB of RAM

Tuning Options

Fortify Static Code Analyzer can take a long time to process complex projects. The time is spent in

different phases:

l

Translation

l

Analysis

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 159 of 223

User Guide

Chapter 19: Improving Performance

Fortify Static Code Analyzer can produce large analysis result files (FPRs), which can cause a long

time to audit and upload to Micro Focus Fortify Software Security Center. This is referred to as the

following phase:

l

Audit/Upload

The following table lists tips on how to improve performance in the different time-consuming phases.

Phase

Option

Description

More Information

Translation

Translate and scan on

build-session different machines

"Mobile Build Sessions" on

page 45

-export-

-import-

build-session

Analysis

Run a quick scan

"Quick Scan" below

-quick

Set the scan precision

"Configuring Scan Speed with

Speed Dial" on the next page

-scan-

precision

Analysis

Scan the files related to "Breaking Down Codebases" on

a binary page 163

-bin

Analysis

Set maximum heap size "Memory Tuning" on page 171

-Xmx<size>M | G

-Xss<size>M | G

Set stack size for each

thread

"Memory Tuning" on page 171

Analysis

Apply a filter using a

filter file

"Using Filter Files" on page 164

-filter

<file>

Audit/Upload

Analysis

Exclude source files

from the FPR file

"Excluding Source Code from the

FPR" on page 165

-disable-

source-

bundling

Audit/Upload

Quick Scan

Quick scan mode provides a way to quickly scan your projects for critical- and high-priority issues.

Fortify Static Code Analyzer performs the scan faster by reducing the depth of the analysis. It also

applies the Quick View filter set. Quick scan settings are configurable. For more details about the

configuration of quick scan mode, see "fortify-sca-quickscan.properties" on page 214.

Quick scans are a great way to get many applications through an assessment so that you can quickly

find issues and begin remediation. The performance improvement you get depends on the complexity

and size of the application. Although the scan is faster than a full scan, it does not provide as robust a

result set. Fortify recommends that you run full scans whenever possible.

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 160 of 223

User Guide

Chapter 19: Improving Performance

Limiters

The depth of the Fortify Static Code Analyzer analysis sometimes depends on the available resources.

Fortify Static Code Analyzer uses a complexity metric to trade off these resources with the number of

vulnerabilities that it can find. Sometimes, this means giving up on a particular function when it does

not look like Fortify Static Code Analyzer has enough resources available.

Fortify Static Code Analyzer enables the user to control the “cutoff” point by using Fortify Static Code

Analyzer limiter properties. The different analyzers have different limiters. You can run a predefined

set of these limiters using a quick scan. See the "fortify-sca-quickscan.properties" on page 214 for

descriptions of the limiters.

To enable quick scan mode, use the -quick option with -scan option. With quick scan mode enabled,

Fortify Static Code Analyzer applies the properties from the <sca_install_

dir>/Core/config/fortify-sca-quickscan.properties file, in addition to the standard <sca_

install_dir>/Core/config/fortify-sca.properties file. You can adjust the limiters that

Fortify Static Code Analyzer uses by editing the fortify-sca-quickscan.properties file. If you

modify fortify-sca.properties, it also affects quick scan behavior. Fortify recommends that you

do performance tuning in quick scan mode, and leave the full scan in the default settings to produce a

highly accurate scan. For description of the quick scan mode properties, see "Fortify Static Code

Analyzer Properties Files" on page 186.

Using Quick Scan and Full Scan

l

Run full scans periodically—A periodic full scan is important as it might find issues that quick

scan mode does not detect. Run a full scan at least once per software iteration. If possible, run a full

scan periodically when it will not interrupt the development workflow, such as on a weekend.

l

Compare quick scan with a full scan—To evaluate the accuracy impact of a quick scan, perform a

quick scan and a full scan on the same codebase. Open the quick scan results in Micro Focus Fortify

Audit Workbench and merge it into the full scan. Group the issues by New Issue to produce a list of

issues detected in the full scan but not in the quick scan.

l

Quick scans and Micro Focus Fortify Software Security Center server—To avoid overwriting

the results of a full scan, by default Fortify Software Security Center ignores uploaded FPR files

scanned in quick scan mode. However, you can configure a Fortify Software Security Center

application version so that FPR files scanned in quick scan are processed. For more information, see

analysis results processing rules in the Micro Focus Fortify Software Security Center User Guide.

Configuring Scan Speed with Speed Dial

You can configure the speed and depth of the scan by specifying a precision level for the analysis

phase. You can use these precision levels to adjust the scan time to fit for example, into a pipeline and

quickly find a set of vulnerabilities while the developer is still working on the code. Although scans

with the speed dial settings are faster than a full scan, it does not provide as robust a result set.

Fortify recommends that you run full scans whenever possible.

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 161 of 223

User Guide

Chapter 19: Improving Performance

The precision level controls the depth and precision of the scan by associating configuration

properties with each level. The configuration properties files for each level are in the <sca_install_

dir>/Core/config/scales directory. There is one file for each level: (level-<precision_

level>.properties). You can modify the settings in these files to create your own specific

precision levels.

Important! Be aware that if you modify the configuration files, an upgrade of Fortify Static Code

Analyzer might might overwrite them.

Notes:

l

By default, Micro Focus Fortify Software Security Center blocks uploaded analysis results that

were created with a precision level less than four. However, you can configure your Fortify

Software Security Center application version so that uploaded audit projects scanned with

these precision levels are processed.

l

If you merge a speed dial scan with a full scan, this might remove issues from previous scans

that still exist in your application (and would be detected again with a full scan).

To specify the speed dial setting for a scan, include the -scan-precision (or -p) option in the scan

phase as shown in the following example:

sourceanalyzer -b MyProject -scan -scan-precision <level> -f MyResults.fpr

Note: You cannot use the speed dial setting and the -quick option in the same scan command.

The following table describes the four precision levels.

Precision

Level

Description

1

This is the quickest scan and is recommended if you are scanning a few files. By

default, a scan with this precision level disables the Buffer Analyzer, Control Flow

Analyzer, Dataflow Analyzer, and Null Pointer Analyzer.

2

3

By default, a scan with this precision level enables all analyzers. The scan runs

quicker by performing with reduced limiters. This results in fewer issues detected.

This precision level improves intermediate development scan speeds by up to 50%

(with a reduction in reported issues). Specifically, this level improves the scan time

for typed languages such as Java and C/C++.

4

This is equivalent to a full scan.

You can also specify the scan precision level with the com.fortify.sca.PrecisionLevel property

in the fortify-sca.properties file. For example:

com.fortify.sca.PrecisionLevel=1

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 162 of 223

User Guide

Chapter 19: Improving Performance

Breaking Down Codebases

It is more efficient to break down large projects into independent modules. For example, if you have a

portal application that consists of several modules that are independent of each other or have few

interactions, you can translate and scan the modules separately. The caveat to this is that you might

lose dataflow issue detection if some interactions exist.

For C/C++, you might reduce the scan time by using the –bin option with the –scan option. You need

to pass the binary file as the parameter (such as -bin <filename>.exe -scan or -bin

<filename>.dll -scan). Fortify Static Code Analyzer finds the related files associated with the

binary and scans them. This is useful if you have several binaries in a makefile.

The following table lists some useful Fortify Static Code Analyzer command-line options to break

down codebases.

Option

Description

Specifies a subset of source files to scan. Only the source files that were

linked in the named binary at build time are included in the scan. You can

use this option multiple times to specify the inclusion of multiple binaries

in the scan.

-bin <binary>

Displays all objects that were created but not used in the production of

any other binaries. If fully integrated into the build, it lists all the binaries

produced.

-show-binaries

-show-build-tree

When used with the -bin option, displays all files used to create the

binary and all files used to create those files in a tree layout. If the -bin

option is not present, Fortify Static Code Analyzer displays the tree for

each binary.

Limiting Analyzers and Languages

Occasionally, you might find that a significant amount of the scan time is spent either running one

analyzer or analyzing a particular language. It is possible that this analyzer or language is not

important to your security requirements. You can limit the specific analyzers that run and the specific

languages that Fortify Static Code Analyzer translates.

Disabling Analyzers

To disable specific analyzers, include the -analyzers option to Fortify Static Code Analyzer at scan

time with a comma- or colon-separated list of analyzers to enable. The valid parameter values for the

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 163 of 223

User Guide

Chapter 19: Improving Performance

-analyzers option are buffer, content, configuration, controlflow, dataflow, nullptr,

semantic, and structural.

For example, to run a scan that only includes the Dataflow, Control Flow, and Buffer analyzers, use the

following scan command:

sourceanalyzer -b MyProject -analyzers dataflow:controlflow:buffer -scan -f

MyResults.fpr

You can also do the same thing by setting com.fortify.sca.DefaultAnalyzers in the Fortify

Static Code Analyzer property file <sca_install_dir>/Core/config/fortify-

sca.properties. For example, to achieve the equivalent of the previous scan command, set the

following in the properties file:

com.fortify.sca.DefaultAnalyzers=dataflow:controlflow:buffer

Disabling Languages

To disable specific languages, include the -disable-language option in the translation phase,

which specifies a list of languages that you want to exclude. The valid language values are abap,

actionscript, apex, cfml, cobol, configuration, cpp, dotnet, golang, java, javascript, jsp,

kotlin, objc, php, plsql, python, ruby, scala, sql, swift, tsql, typescript, and vb.

For example, to perform a translation that excludes SQL and PHP files, use the following command:

sourceanalyzer -b MyProject <src_files> -disable-language sql:php

You can also disable languages by setting the com.fortify.sca.DISabledLanguages property in

the Fortify Static Code Analyzer properties file <sca_install_dir>/Core/config/fortify-

sca.properties. For example, to achieve the equivalent of the previous translation command, set

the following in the properties file:

com.fortify.sca.DISabledLanguages=sql:php

Optimizing FPR Files

This chapter describes how to handle performance issues related to the audit results (FPR) file. This

includes reducing the scan time, reducing FPR file size, and tips for opening large FPR files.

Using Filter Files

You can use a file to filter out specific vulnerability instances, rules, and vulnerability categories from

the analysis results. If you determine that a certain issue category or rule is not relevant for a

particular scan, you can stop Fortify Static Code Analyzer from adding them to the FPR. Using a filter

file can reduce both the scan time and analysis results file size.

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 164 of 223

User Guide

Chapter 19: Improving Performance

For example, if you are scanning a simple program that just reads a specified file, you might not want

to see path manipulation issues, because these are not likely planned as part of the functionality. To

filter out path manipulation issues, create a file that contains a single line:

Path Manipulation

Save this file as filter.txt. Use the -filter option in the analysis phase as shown in the following

example:

sourceanalyzer -b MyProject -scan -f MyResults.fpr -filter filter.txt

The MyResults.fpr does not include any issues with the category Path Manipulation. For more

information and an example of a filter file, see "Excluding Issues with Filter Files" on page 179.

Using Filter Sets

Filters in an issue template determine how the results from Fortify Static Code Analyzer are shown. In

addition to filters, filter sets enable you to have a selection of filters used at any one time. Each FPR

has an issue template associated with it. You can use filter sets to reduce the number of issues based

on conditions you specify with filters in an issue template. This can dramatically reduce the size of an

FPR.

To do this, use Micro Focus Fortify Audit Workbench to create a filter in a filter set, and then run the

Fortify Static Code Analyzer scan with the filter set and the containing issue template. For more

information and a basic example of how to create a filter set, see "Excluding Issues with Filters Sets"

on page 182.

Note: Although filtering issues with a filter set can reduce the size of the FPR, they do not usually

reduce the scan time. Fortify Static Code Analyzer examines the filter set after it calculates the

issues to determine whether to write them to the FPR file. The filters in a filter set determine the

rule types that Fortify Static Code Analyzer loads.

Excluding Source Code from the FPR

You can reduce the size of the FPR file by excluding the source code information from the FPR. This is

especially valuable for large source files or codebases. Typically, you do not get a scan time reduction

for small source files using this method.

There are properties you can use to prevent Fortify Static Code Analyzer from including source code

in the FPR. You can set either property in the <sca_install_dir>/Core/config/fortify-

sca.properties file or specify an option on the command line. The following table describes these

settings.

Property Name

Description

Excludes source code from the FPR.

com.fortify.sca.

FPRDisableSourceBundling=true

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 165 of 223

User Guide

Chapter 19: Improving Performance

Property Name

Description

Command-Line Option:

-disable-source-bundling

Excludes code snippets from the FPR.

com.fortify.sca.

FVDLDisableSnippets=true

Command-Line Option:

–fvdl-no-snippets

The following command-line example uses both options:

sourceanalyzer -b MyProject -disable-source-bundling

-fvdl-no-snippets -scan -f MySourcelessResults.fpr

Reducing the FPR File Size

There are a few ways to reduce the size of FPR files. The quickest way to do this without affecting

results is to exclude the source code from the FPR as described in "Excluding Source Code from the

FPR" on the previous page. You can also reduce the size of a merged FPR with the FPRUtility by

removing the previous scan results as described in "Altering FPR Files" on page 148.

There are a few other properties that you can use to select what is excluded from the FPR. You can

set these properties in the <sca_install_dir>/Core/config/fortify-sca.properties file or

specify an option on the command line for the analysis (scan) phase.

Property Name

Description

Excludes the metatable from the FPR. Micro Focus

Fortify Audit Workbench uses the metatable to map

information in Functions view.

com.fortify.sca.

FPRDisableMetatable

=true

Command-Line Option:

-disable-metatable

Excludes rule descriptions from the FPR. If you do

not use custom descriptions, the descriptions in the

Fortify Taxonomy (https://vulncat.fortify.com) are

used.

com.fortify.sca.

FVDLDisableDescriptions

=true

Command-Line Option:

-fvdl-no-descriptions

Excludes engine data from the FPR. This is useful if

your FPR contains many warnings when you open

the file in Fortify Audit Workbench.

com.fortify.sca.

FVDLDisableEngineData

=true

Command-Line Option:

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 166 of 223

User Guide

Chapter 19: Improving Performance

Property Name

Description

-fvdl-no-enginedata

Note: If you exclude engine data from the FPR,

you must merge the FPR with the current audit

project locally before you upload it to Micro

Focus Fortify Software Security Center. Fortify

Software Security Center cannot merge it on the

server because the FPR does not contain the

Fortify Static Code Analyzer version.

Excludes the program data from the FPR. This

removes the Taint Sources information from the

Functions view in Fortify Audit Workbench. This

property typically only has a minimal effect on the

overall size of the FPR file.

com.fortify.sca.

FVDLDisableProgramData

=true

Command-Line Option:

-fvdl-no-progdata

Opening Large FPR Files

To reduce the time required to open a large FPR file in Micro Focus Fortify Audit Workbench, you can

set some properties in the <sca_install_dir>/Core/config/fortify.properties file. For

more information about these properties, see the Micro Focus Fortify Static Code Analyzer Tools

Properties Reference Guide. The following table describes the properties you can use to reduce the

time to open large FPR files.

Property Name

Description

Disables use of the code navigation features

in Micro Focus Fortify Audit Workbench.

com.fortify.

model.DisableProgramInfo=true

Sets the start and end index for issue cutoff.

com.fortify.

model.IssueCutOffStartIndex

=<num> (inclusive)

The IssueCutOffStartIndex property is

inclusive and IssueCutOffEndIndex is

exclusive so that you can specify a subset of

com.fortify.

issues you want to see. For example, to see

the first 100 issues, specify the following:

model.IssueCutOffEndIndex

=<num> (exclusive)

com.fortify.model.

IssueCutOffStartIndex=0

com.fortify.model.

IssueCutOffEndIndex=101

Because the IssueCutOffStartIndex is 0

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 167 of 223

User Guide

Chapter 19: Improving Performance

Property Name

Description

by default, you do not need to specify this

property.

Sets the start index for issue cutoff by

category. These two properties are similar to

the previous cutoff properties except these

are specified for each category. For example,

to see the first five issues for every category,

specify the following:

com.fortify.

model.IssueCutOffByCategoryStartIndex=

<num> (inclusive)

com.fortify.

model.IssueCutOffByCategoryEndIndex=

<num> (exclusive)

com.fortify.model.

IssueCutOffByCategoryEndIndex=6

Minimizes the data loaded from the FPR. This

also restricts usage of the Functions view and

might prevent Fortify Audit Workbench from

loading the source from the FPR.

com.fortify.

model.MinimalLoad=true

Specifies the number of Fortify Static Code

Analyzer reported warnings to load from the

FPR. For projects with many scan warnings,

reducing this number from a default of 3000

can speed up the load time of large FPR files.

com.fortify.

model.MaxEngineErrorCount=

<num>

Specifies the JVM heap memory size for

Fortify Audit Workbench to launch external

utilities such as iidmigrator and fortifyupdate.

com.fortify.

model.ExecMemorySetting

Monitoring Long Running Scans

When you run Fortify Static Code Analyzer, large and complex scans can often take a long time to

complete. During the scan it is not always clear what is happening. While Fortify recommends that you

provide your debug logs to the Micro Focus Fortify Customer Support team, there are a couple of

ways to see what Fortify Static Code Analyzer is doing and how it is performing in real-time.

Using the SCAState Utility

The SCAState command-line utility enables you to see up-to-date state analysis information during

the analysis phase. The SCAState utility is located in the <sca_install_dir>/bin directory. In

addition to a live view of the analysis, it also provides a set of timers and counters that show where

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 168 of 223

User Guide

Chapter 19: Improving Performance

Fortify Static Code Analyzer spends its time during the scan. For more information about how to use

the SCAState utility, see the "Checking the Fortify Static Code Analyzer Scan Status" on page 154.

Using JMX Tools

You can use tools to monitor Fortify Static Code Analyzer with JMX technology. These tools can

provide a way to track Fortify Static Code Analyzer performance over time. For more information

about these tools, see the full Oracle documentation available at: http://docs.oracle.com.

Note: These are third-party tools and Micro Focus does not provide or support them.

Using JConsole

JConsole is an interactive monitoring tool that complies with the JMX specification. The disadvantage

of JConsole is that you cannot save the output.

To use JConsole, you must first set some additional JVM parameters. Set the following environment

variable:

export SCA_VM_OPTS="-Dcom.sun.management.jmxremote

-Dcom.sun.management.jmxremote.port=9090

-Dcom.sun.management.jmxremote.ssl=false

-Dcom.sun.management.jmxremote.authenticate=false"

After the JMX parameters are set, start a Fortify Static Code Analyzer scan. During the scan, start

JConsole to monitor Fortify Static Code Analyzer locally or remotely with the following command:

jconsole <host_name>:9090

Using Java VisualVM

Java VisualVM offers the same capabilities as JConsole. It also provides more detailed information on

the JVM and enables you to save the monitor information to an application snapshot file. You can

store these files and open them later with Java VisualVM.

Similar to JConsole, before you can use Java VisualVM, you must set the same JVM parameters

described in "Using JConsole" above.

After the JVM parameters are set, start the scan. You can then start Java VisualVM to monitor the

scan either locally or remotely with the following command:

jvisualvm <host_name>:9090

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 169 of 223

Chapter 20: Troubleshooting

This section contains the following topics:

Scanning Complex Functions

Issue Non-Determinism

Locating the Log Files

Configuring Log Files

Reporting Issues and Requesting Enhancements

Exit Codes

The following table describes the possible Fortify Static Code Analyzer exit codes.

Exit

Code Description

0

1

2

Success

Generic failure

Invalid input files

(this could indicate that an attempt was made to translate a file that has a file extension

that Fortify Static Code Analyzer does not support)

3

4

Process timed out

Analysis completed with numbered warning messages written to the console and/or to

the log file

5

Analysis completed with numbered error messages written to the console and/or to the

log file

6

7

Scan phase was unable to generate issue results

Unable to detect a valid license or the LIM license expired at run time

By default, Fortify Static Code Analyzer only returns exit codes 0, 1, 2, 3, or 7.

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 170 of 223

User Guide

Chapter 20: Troubleshooting

You can extend the default exit code options by setting the com.fortify.sca.ExitCodeLevel

property in the <sca_install_dir>/Core/Config/fortify-sca.properties file.

The valid values are:

l

nothing—Returns any of the default exit codes (0, 1, 2, 3, or 7).

l

warnings—Returns exit codes 4 and 5 in addition to the default exit codes.

l

errors—Returns exit code 5 in addition to the default exit codes.

l

no_output_file—Returns exit code 6 in addition to the default exit codes.

Memory Tuning

The amount of physical RAM required for a scan depends on the complexity of the code. By default,

Fortify Static Code Analyzer automatically allocates the memory it uses based on the physical

memory available on the system. This is generally sufficient. As described in "Output Options" on

page 126, you can adjust the Java heap size with the -Xmx command-line option.

This section describes suggestions for what you can do if you encounter OutOfMemory errors during

the analysis.

Note: You can set the memory allocation options discussed in this section to run for all scans by

setting the SCA_VM_OPTS environment variable.

Java Heap Exhaustion

Java heap exhaustion is the most common memory problem that might occur during Fortify Static

Code Analyzer scans. It is caused by allocating too little heap space to the Java virtual machine that

Fortify Static Code Analyzer uses to scan the code. You can identify Java heap exhaustion from the

following symptom.

Symptom

One or more of these messages appears in the Fortify Static Code Analyzer log file and in the

command-line output:

There is not enough memory available to complete analysis. For details on

making more memory available, please consult the user manual.

java.lang.OutOfMemoryError: Java heap space

java.lang.OutOfMemoryError: GC overhead limit exceeded

Resolution

To resolve a Java heap exhaustion problem, allocate more heap space to the Fortify Static Code

Analyzer Java virtual machine when you start the scan. To increase the heap size, use the -Xmx

command-line option when you run the Fortify Static Code Analyzer scan. For example, -Xmx1G

makes 1 GB available. Before you use this parameter, determine the maximum allowable value for

Java heap space. The maximum value depends on the available physical memory.

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 171 of 223

User Guide

Chapter 20: Troubleshooting

Heap sizes between 32 GB and 48 GB are not advised due to internal JVM implementations. Heap

sizes in this range perform worse than at 32 GB. Heap sizes smaller than 32 GB are optimized by the

JVM. If your scan requires more than 32 GB, then you need 64 GB or more. As a guideline, assuming

no other memory intensive processes are running, do not allocate more than 2/3 of the available

memory.

If the system is dedicated to running Fortify Static Code Analyzer, you do not need to change it.

However, if the system resources are shared with other memory-intensive processes, subtract an

allowance for those other processes.

Note: You do not need to account for other resident but not active processes (while Fortify Static

Code Analyzer is running) that the operating system might swap to disk. Allocating more physical

memory to Fortify Static Code Analyzer than is available in the environment might cause

“thrashing,” which typically slows down the scan along with everything else on the system.

Native Heap Exhaustion

Native heap exhaustion is a rare scenario where the Java virtual machine can allocate the Java

memory regions on startup, but is left with so few resources for its native operations (such as garbage

collection) that it eventually encounters a fatal memory allocation failure that immediately terminates

the process.

Symptom

You can identify native heap exhaustion by abnormal termination of the Fortify Static Code Analyzer

process and the following output on the command line:

# A fatal error has been detected by the Java Runtime Environment:

#

# java.lang.OutOfMemoryError: requested ... bytes for GrET ...

Because this is a fatal Java virtual machine error, it is usually accompanied by an error log created in

the working directory with the file name hs_err_pidNNN.log.

Resolution

Because the problem is a result of overcrowding within the process, the resolution is to reduce the

amount of memory used for the Java memory regions (Java heap). Reducing this value should reduce

the crowding problem and allow the scan to complete successfully.

Stack Overflow

Each thread in a Java application has its own stack. The stack holds return addresses,

function/method call arguments, and so on. If a thread tends to process large structures with

recursive algorithms, it might need a large stack for all those return addresses. With the JVM, you can

set that size with the -Xss option.

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 172 of 223

User Guide

Chapter 20: Troubleshooting

Symptoms

This message typically appears in the Fortify Static Code Analyzer log file, but might also appear in

the command-line output:

java.lang.StackOverflowError

Resolution

The default stack size is 16 MB. To increase the stack size, pass the -Xss option to the

sourceanalyzer command. For example, -Xss32M increases the stack to 32 MB.

Scanning Complex Functions

During a Fortify Static Code Analyzer scan, the Dataflow Analyzer might encounter a function for

which it cannot complete the analysis and reports the following message:

Function <name> is too complex for <analyzer> analysis and will be skipped

(<identifier>)

where:

l

<name> is the name of the source code function

l

<analyzer> is the name of the analyzer

l

<identifier> is the type of complexity, which is one of the following:

l

l: Too many distinct locations

l

m: Out of memory

l

s: Stack size too small

l

t: Analysis taking too much time

l

v: Function visits exceed the limit

The depth of analysis Fortify Static Code Analyzer performs sometimes depends on the available

resources. Fortify Static Code Analyzer uses a complexity metric to tradeoff these resources against

the number of vulnerabilities that it can find. Sometimes, this means giving up on a particular function

when Fortify Static Code Analyzer does not have enough resources available. This is normally when

you see the "Function too complex" messages.

When you see this message, it does not necessarily mean that Fortify Static Code Analyzer completely

ignored the function in the program. For example, the Dataflow Analyzer typically visits a function

many times before completing the analysis, and might not have run into this complexity limit in the

previous visits. In this case, the results include anything learned from the previous visits.

You can control the "give up" point using Fortify Static Code Analyzer properties called limiters.

Different analyzers have different limiters.

The following sections provide a discussion of a resolution for this issue.

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 173 of 223

User Guide

Chapter 20: Troubleshooting

Dataflow Analyzer Limiters

There are three types of complexity identifiers for the Dataflow Analyzer:

l

l: Too many distinct locations

l

m: Out of memory

l

s: Stack size too small

l

v: Function visits exceed the limit

To resolve the issue identified by s, increase the stack size for by setting -Xss to a value greater than

16 MB.

To resolve the complexity identifier of m, increase the physical memory for Fortify Static Code

Analyzer.

To resolve the complexity identifier of l, you can adjust the following limiters in the Fortify Static

Code Analyzer property file <sca_install_dir>/Core/config/fortify-sca.properties or on

the command line.

Property Name

Default Value

1000

com.fortify.sca.

limiters.MaxTaintDefForVar

4000

4

com.fortify.sca.

limiters.MaxTaintDefForVarAbort

com.fortify.sca.

limiters.MaxFieldDepth

The MaxTaintDefForVar limiter is a dimensionless value expressing the complexity of a function,

while MaxTaintDefForVarAbort is the upper bound for it. Use the MaxFieldDepth limiter to

measure the precision when the Dataflow Analyzer analyzes any given object. Fortify Static Code

Analyzer always tries to analyze objects at the highest precision possible.

If a given function exceeds the MaxTaintDefForVar limit at a given precision, the Dataflow Analyzer

analyzes that function with lower precision (by reducing the MaxFieldDepth limiter). When you

reduce the precision, it reduces the complexity of the analysis. When the precision cannot be reduced

any further, Fortify Static Code Analyzer then proceeds with analysis at the lowest precision until

either it finishes, or the complexity exceeds the MaxTaintDefForVarAbort limiter. In other words,

Fortify Static Code Analyzer tries harder at the lowest precision to get at least some results from the

function. If Fortify Static Code Analyzer reaches the MaxTaintDefForVarAbort limiter, it gives up

on the function entirely and you get the "Function too complex" warning.

To resolve the complexity identifier of v, you can adjust the property

com.fortify.sca.limiters.MaxFunctionVisits. This property sets the maximum number of

times the taint propagation analyzer visits functions. The default is 50.

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 174 of 223

User Guide

Chapter 20: Troubleshooting

Control Flow and Null Pointer Analyzer Limiters

There are two types of complexity identifiers for both Control Flow and Null Pointer analyzers:

l

m: Out of memory

l

t: Analysis taking too much time

Due to the way that the Dataflow Analyzer handles function complexity, it does not take an indefinite

amount of time. Control Flow and Null Pointer analyzers, however, can take an exceptionally long time

when analyzing complex functions. Therefore, Fortify Static Code Analyzer provides a way to abort

the analysis when this happens, and then you get the "Function too complex" message with a

complexity identifier of t.

To change the maximum amount of time these analyzers spend to analyze functions, you can adjust

the following property values in the Fortify Static Code Analyzer property file <sca_install_

dir>/Core/config/fortify-sca.properties or on the command line.

Property Name

Description

Default Value

Sets the time limit (in milliseconds) for Control 600000

com.fortify.sca.

CtrlflowMaxFunctionTime

Flow analysis on a single function.

(10 minutes)

Sets the time limit (in milliseconds) for Null

Pointer analysis on a single function.

300000

(5 minutes)

com.fortify.sca.

NullPtrMaxFunctionTime

To resolve the complexity identifier of m, increase the physical memory for Fortify Static Code

Analyzer.

Note: If you increase these limiters or time settings, it makes the analysis of complex functions

take longer. It is difficult to characterize the exact performance implications of a particular value

for the limiters/time, because it depends on the specific function in question. If you never want to

see the "Function too complex" warning, you can set the limiters/time to an extremely high value,

however it can cause unacceptable scan time.

Issue Non-Determinism

Running in parallel analysis mode might introduce issue non-determinism. If you experience any

problems, contact Micro Focus Fortify Customer Support, and disable parallel analysis mode.

Disabling parallel analysis mode results in sequential analysis, which can be substantially slower but

provides deterministic results across multiple scans.

To disable parallel analysis mode:

1.

Open the fortify-sca.properties file located in the <sca_install_dir>/core/config

directory in a text editor.

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 175 of 223

User Guide

Chapter 20: Troubleshooting

2.

Change the value for the com.fortify.sca.MultithreadedAnalysis property to false.

com.fortify.sca.MultithreadedAnalysis=false

Locating the Log Files

By default, Fortify Static Code Analyzer creates two log files in the following location:

l

Windows: C:\Users\<username>\AppData\Local\Fortify\sca<version>\log

l

Non-Windows: <userhome>/.fortify/sca<version>/log

where <version> is the version of Fortify Static Code Analyzer that you are using.

The following table describes the two log files.

Default File Name

Description

The standard log provides a log of informational messages,

warnings, and errors that occurred in the run of

sourceanalyzer.

sca.log

The Fortify Support log provides:

sca_FortifySupport.log

l

The same log messages as the standard log file, but with

additional details

l

Additional detailed messages that are not included in

the standard log file

This log file is primarily helpful to Micro Focus Fortify

Customer Support or the development team to

troubleshoot any issues.

If you encounter warnings or errors that you cannot resolve, provide the Fortify Support log file to

Micro Focus Fortify Customer Support.

Configuring Log Files

You can configure the information that Fortify Static Code Analyzer writes to the log files by setting

logging properties (see "Logging Properties" on page 212). You can configure the following log file

settings:

l

The location and name of the log file

Property: com.fortify.sca.LogFile

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 176 of 223

User Guide

Chapter 20: Troubleshooting

l

Log level (see "Understanding Log Levels" below)

Property: com.fortify.sca.LogLevel

l

Whether to overwrite the log files for each run of sourceanalyzer

Property: com.fortify.sca.ClobberLogFile

Command-line option: -clobber-log

Understanding Log Levels

The log level you select gives you all log messages equal to and greater than it. The following table

lists the log levels in order from least to greatest. For example, the default log level of INFO includes

log messages with the following levels: INFO, WARN, ERROR, and FATAL. You can set the log level

with the com.fortify.sca.LogLevel property in the <sca_install_

dir>/Core/config/fortify.sca.properties file or on the command-line using the -D option.

Log Level

Description

DEBUG

Includes information that Micro Focus Fortify Customer Support or the development

team can use to troubleshoot an issue

INFO

Basic information about the translation or scan process

WARN

Information about issues where the translation or scan did not stop, but might

require your attention for accurate results

ERROR

FATAL

Information about an issue that might require attention

Information about an error that caused the translation or scan to abort

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 177 of 223

User Guide

Chapter 20: Troubleshooting

Reporting Issues and Requesting Enhancements

Feedback is critical to the success of this product. To request enhancements or patches, or to report

issues, visit Micro Focus Fortify Customer Support at https://www.microfocus.com/support.

Include the following information when you contact customer support:

l

Product: Fortify Static Code Analyzer

l

Version number of Fortify Static Code Analyzer and any independent Fortify Static Code Analyzer

modules: To determine the version numbers, run the following:

sourceanalyzer -version

l

Platform: (for example, Red Hat Enterprise Linux <version>)

l

Operating system: (such as Linux)

To request an enhancement, include a description of the feature enhancement.

To report an issue, provide enough detail so that support can duplicate the issue. The more

descriptive you are, the faster support can analyze and resolve the issue. Also include the log files, or

the relevant portions of them, from when the issue occurred.

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 178 of 223

Appendix A: Filtering the Analysis

This section describes two methods of filtering out vulnerabilities from the analysis results (FPR)

during the scan phase. You can use a filter file to remove issues based on specific vulnerability

instances, rules, and vulnerability categories. You can also use a filter set (created in Fortify Audit

Workbench) to remove issues that are hidden from view in an issue template.

Caution! Fortify recommends that you only use filter files if you are an advanced user. Do not use

filter files for standard audits, because auditors typically want to see and evaluate all issues that

Fortify Static Code Analyzer finds.

This section contains the following topics:

Excluding Issues with Filter Files

Excluding Issues with Filters Sets

179

182

Excluding Issues with Filter Files

You can create a file to filter out particular vulnerability instances, rules, and vulnerability categories

when you run the sourceanalyzer command. You specify the file with the -filter analysis option.

A filter file is a text file that you can create with any text editor. You specify only the filter items that

you do not want in this file. Each filter item is on a separate line in the filter file. You can specify the

following filter types:

l

See Also

"Filter File Example" below

Filter File Example

As an example, the following output is from a scan of the EightBall.java sample. This sample

project is included in the Fortify_SCA_Samples_<version>.zip archive in the basic/eightball

directory.

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 179 of 223

User Guide

Appendix A: Filtering the Analysis

The following commands are executed to produce the analysis results:

sourceanalyzer -b eightball EightBall.java

sourceanalyzer -b eightball -scan

The following results show five detected issues:

[F7A138CDE5235351F6A4405BA4AD7C53 : low : Unchecked Return Value : semantic

]

EightBall.java(12) : Reader.read()

[6291C6A33303ED270C269917AA8A1005 : high : Path Manipulation : dataflow ]

EightBall.java(12) : ->new FileReader(0)

EightBall.java(8) : <=> (filename)

EightBall.java(8) : <->Integer.parseInt(0->return)

EightBall.java(6) : <=> (filename)

EightBall.java(4) : ->EightBall.main(0)

[176CC0B182267DD538992E87EF41815F : critical : Path Manipulation : dataflow

]

EightBall.java(12) : ->new FileReader(0)

EightBall.java(6) : <=> (filename)

EightBall.java(4) : ->EightBall.main(0)

[E4B3ACF92911ED6D98AAC15876739EC7 : high : Unreleased Resource : Streams :

controlflow ]

EightBall.java(12) : start -> loaded : new FileReader(...)

EightBall.java(14) : loaded -> end_of_scope : end scope : Resource

leaked

EightBall.java(12) : start -> loaded : new FileReader(...)

EightBall.java(12) : java.io.IOException thrown

EightBall.java(12) : loaded -> loaded : throw

EightBall.java(12) : loaded -> end_of_scope : end scope : Resource

leaked : java.io.IOException thrown

[BB9F74FFA0FF75C9921D0093A0665BEB : low : J2EE Bad Practices : Leftover

Debug Code : structural ]

EightBall.java(4)

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 180 of 223

User Guide

Appendix A: Filtering the Analysis

The following is an example filter file that performs the following:

l

Remove all results related to the J2EE Bad Practice category

l

Remove the Path Manipulation based on its instance ID

l

Remove any dataflow issues that were generated from a specific rule ID

#This is a category to filter from scan output

J2EE Bad Practices

#This is an instance ID of a specific issue to be filtered

#from scan output

6291C6A33303ED270C269917AA8A1005

#This is a specific Rule ID that leads to the reporting of a

#specific issue in the scan output: in this case the

#dataflow sink for a Path Manipulation issue.

823FE039-A7FE-4AAD-B976-9EC53FFE4A59

To test the filtered output, copy the above text and paste it into a file with the name test_

filter.txt.

To apply the filtering in the test_filter.txt file, execute the following command:

sourceanalyzer -b eightball -scan -filter test_filter.txt

The filtered analysis produces the following results:

[176CC0B182267DD538992E87EF41815F : critical : Path Manipulation : dataflow

]

EightBall.java(12) : ->new FileReader(0)

EightBall.java(6) : <=> (filename)

EightBall.java(4) : ->EightBall.main(0)

[E4B3ACF92911ED6D98AAC15876739EC7 : high : Unreleased Resource : Streams :

controlflow ]

EightBall.java(12) : start -> loaded : new FileReader(...)

EightBall.java(14) : loaded -> end_of_scope : end scope : Resource

leaked

EightBall.java(12) : start -> loaded : new FileReader(...)

EightBall.java(12) : java.io.IOException thrown

EightBall.java(12) : loaded -> loaded : throw

EightBall.java(12) : loaded -> end_of_scope : end scope : Resource

leaked : java.io.IOException thrown

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 181 of 223

User Guide

Appendix A: Filtering the Analysis

Excluding Issues with Filters Sets

You can use filter sets in an issue template created in Micro Focus Fortify Audit Workbench to filter

issues from the analysis results. When you apply a filter set that hides issues from view during the

analysis phase, Fortify Static Code Analyzer does not write the hidden issues to the FPR. To do this,

use Fortify Audit Workbench to create a filter set, and then run the Fortify Static Code Analyzer scan

with the filter set and the issue template, which contains the filter set. For more detailed instructions

about how to create filters and filter sets in Fortify Audit Workbench, see the Micro Focus Fortify

Audit Workbench User Guide.

The following example describes the basic steps for how to create and use a filter in an issue template

to remove issues from an FPR:

1. Suppose you use OWASP Top 10 2021 and you only want to see issues categorized within this

standard. In Fortify Audit Workbench, create a new filter set called OWASP_Filter

2.

In Fortify Audit Workbench, create a visibility filter in the OWASP_Filter filter set:

If [OWASP Top 10 2021] does not contain A Then hide issue

This filter looks through the issues and if an issue does not map to an OWASP Top 10 2021

category with ‘A’ in the name, then it hides it. Because all OWASP Top 10 2021 categories start

with ‘A’ (A01, A02, …, A10), then any category without the letter ‘A’ is not in the OWASP Top 10

2021. The filter hides the issues from view in Fortify Audit Workbench, but they are still in the

FPR.

3.

In Fortify Audit Workbench, export the issue template to a file called IssueTemplate.xml.

4. Using Fortify Static Code Analyzer, specify the filter set in the analysis phase with the following

command:

sourceanalyzer -b MyProject -scan -f myFilteredResults.fpr

-project-template IssueTemplate.xml -Dcom.fortify.sca.FilterSet=OWASP_

Filter

Although filtering issues with a filter set can reduce the size of the FPR, it does not usually reduce the

scan time. Fortify Static Code Analyzer examines the filter set after it calculates the issues to

determine whether to write them to the FPR file. The filters in a filter set determine the rule types that

Fortify Static Code Analyzer loads.

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 182 of 223

Appendix B: Fortify Scan Wizard

This section contains the following topics:

Preparing to use Fortify Scan Wizard

Starting Fortify Scan Wizard

183

185

Preparing to use Fortify Scan Wizard

Fortify Scan Wizard uses the information you provide to create a script with the commands for Fortify

Static Code Analyzer to scan project code and optionally upload the analysis results to Micro Focus

Fortify Software Security Center. You can use Fortify Scan Wizard to create a script that runs your

scans locally or sends them to Micro Focus Fortify ScanCentral SAST for all or part of the analysis.

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 183 of 223

User Guide

Appendix B: Fortify Scan Wizard

To use Fortify Scan Wizard, you need access to the build directory of the projects you want to scan.

The following table describes some of the required information you will need, depending on how you

will analyze the project and if you want to upload the scan results to Fortify Software Security Center.

Important! If Fortify Software Security Center or the Fortify ScanCentral SAST Controller uses an

SSL connection from an internal certificate authority or a self-signed certificate, you must add the

certificate to the Java keystore for Fortify Static Code Analyzer (see "Adding Trusted Certificates"

on page 41).

Task

Requirements

Perform a remote analysis

(translation and scan

phases) with Fortify

ScanCentral SAST

Fortify ScanCentral SAST Controller URL

Note: If you are also uploading analysis results to Fortify

Software Security Center, then you do not need to specify a

Controller URL. The Fortify ScanCentral SAST that is integrated

with the Fortify Software Security Center server is used in this

case.

Make sure that your project is in a language that Fortify ScanCentral

SAST supports for translation. See the Micro Focus Fortify Software

System Requirements for a list of supported languages.

Perform a local Fortify

Static Code

Fortify ScanCentral SAST Controller URL

Analyzer translation and a

remote scan with Fortify

ScanCentral SAST

Upload analysis results to

Fortify Software Security

Center

Fortify Software Security Center server URL

Note: If you are using Fortify ScanCentral SAST, the Fortify

Software Security Center server must be integrated with the

Fortify ScanCentral SAST Controller.

Your Fortify Software Security Center login credentials

Note: If you do not have Fortify Software Security Center login

credentials, you must have an application name and version that

exists in Fortify Software Security Center.

An authentication token of type ToolsConnectToken

Note: If you do not have a token, you can use Fortify Scan

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 184 of 223

User Guide

Appendix B: Fortify Scan Wizard

Task

Requirements

Wizard to generate one. To do this, you must have Fortify

Software Security Center login credentials.

Note: If you generate a script for a Windows system, you cannot run that script on a non-

Windows system. Likewise, if you generate a script for a non-Windows system, you cannot run it

on a Windows system.

Starting Fortify Scan Wizard

To start Fortify Scan Wizard with Fortify SCA and Applications installed locally, do one of the

following, based on your operating system:

l

On Windows, select Start > All Programs > Fortify SCA and Applications <version> > Scan

Wizard.

You can also open a Command Prompt window, and then type scanwizard.

l

On Linux, navigate to the <sca_install_dir>/bin directory, and then run ScanWizard from the

command line.

l

On macOS, navigate to the <sca_install_dir>/bin directory, and then double-click

ScanWizard.

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 185 of 223

Appendix C: Configuration Options

The Fortify SCA and Applications installer places a set of properties files on your system. Properties

files contain configurable settings for Micro Focus Fortify Static Code Analyzer runtime analysis,

output, and performance.

This section contains the following topics:

Fortify Static Code Analyzer Properties Files

fortify-sca.properties

186

188

214

fortify-sca-quickscan.properties

Fortify Static Code Analyzer Properties Files

The properties files are located in the <sca_install_dir>/Core/config directory.

The installed properties files contain default values. Fortify recommends that you consult with your

project leads before you make changes to the properties in the properties files. You can modify any of

the properties in the configuration file with any text editor. You can also specify the property on the

command line with the -D option.

The following table describes the primary properties files. Additional properties files are described in

Micro Focus Fortify Static Code Analyzer Tools Properties Reference Guide.

Properties File Name

Description

Defines the Fortify Static Code Analyzer configuration properties.

fortify-sca.properties

Defines the configuration properties applicable for a Fortify Static

Code Analyzer quick scan.

fortify-sca-

quickscan.properties

Properties File Format

In the properties file, each property consists of a pair of strings: the first string is the property name

and the second string is the property value.

com.fortify.sca.fileextensions.htm=HTML

As shown above, the property sets the translation to use for .htm files. The property name is

com.fortify.sca.fileextensions.htm and the value is set to HTML.

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 186 of 223

User Guide

Appendix C: Configuration Options

Note: When you specify a path for Windows systems as the property value, you must escape any

backslash character (\) with a backslash (for example:

com.fortify.sca.ASPVirtualRoots.Library=C:\\WebServer\\CustomerA\\inc).

Disabled properties are commented out of the properties file. To enable these properties, remove the

comment symbol (#) and save the properties file. In the following example, the

com.fortify.sca.LogFile property is disabled in the properties file and is not part of the

configuration:

# default location for the log file

#com.fortify.sca.LogFile=${com.fortify.sca.ProjectRoot}/sca/log/sca.log

Precedence of Setting Properties

Fortify Static Code Analyzer uses properties settings in a specific order. You can override any

previously set properties with the values that you specify. Keep this order in mind when making

changes to the properties files.

The following table lists the order of precedence for Fortify Static Code Analyzer properties.

Order Property Specification

Description

1

Properties specified on the command line have the highest

priority and you can specify them in any scan.

Command line with the -D

option

2

Fortify Static Code

Analyzer quick scan

configuration file

Note: You can specify either quick scan or a scan

precision level. Therefore, these property settings both

have second priority.

Properties specified in the quick scan configuration file

(fortify-sca-quickscan.properties) have the

second priority, but only if you include the -quick option

to enable quick scan mode.

Fortify Static Code

Analyzer scan precision

property files

Properties specified in the scan precision property files

have the second priority, but only if you include the -scan-

precision option to enable scan precision.

3

Fortify Static Code

Analyzer configuration

file

Properties specified in the Fortify Static Code Analyzer

configuration file (fortify-sca.properties) have the

lowest priority. Edit this file to change the property values

on a more permanent basis for all scans.

Fortify Static Code Analyzer also relies on some properties that have internally defined default values.

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 187 of 223

User Guide

Appendix C: Configuration Options

fortify-sca.properties

The following sections describe the properties available for use in the fortify-sca.properties

file. See "fortify-sca-quickscan.properties" on page 214 for additional properties that you can use in

this properties file. Each property description includes the value type, the default value, the

equivalent command-line option (if applicable), and an example.

Translation and Analysis Phase Properties

The properties for the fortify-sca.properties file in the following table are general properties

that apply to the translation and/or analysis (scan) phase.

Property Name

Description

Specifies the build ID of the build.

Value Type: String

com.fortify.sca.

BuildID

Default: (none)

Command-Line Option: -b

Specifies the directory to store intermediate files generated in the translation and analysis

phases. Fortify Static Code Analyzer makes extensive use of intermediate files located in

this project root directory. In some cases, you achieve better performance for analysis by

making sure this directory is on local storage rather than on a network drive.

com.fortify.sca.

ProjectRoot

Value Type: String (path)

Default (Windows): ${win32.LocalAppdata}\Fortify

Note: ${win32.LocalAppdata} is a special variable that points to the windows

Local Application Data shell folder.

Default (Non-Windows): $home/.fortify

Command-Line Option: -project-root

Example: com.fortify.sca.ProjectRoot=

C:\Users\<username>\AppData\Local\

Specifies how to translate specific file extensions for languages that do not require build

com.fortify.sca.

fileextensions.java

integration. The valid file extension types are ABAP, ACTIONSCRIPT, APEX, APEX_OBJECT,

APEX_TRIGGER, ARCHIVE, ASPNET, ASP, ASPX, BITCODE, BSP, BYTECODE, CFML, COBOL,

CSHARP, DOCKERFILE, GENERIC, GO, HOCON, HTML, INI, JAVA, JAVA_PROPERTIES,

JAVASCRIPT, JSP, JSPX, KOTLIN, MSIL, MXML, OBJECT, PHP, PLSQL, PYTHON, RUBY, RUBY_

ERB, SCALA, SWIFT, SWC, SWF, TLD, SQL, TSQL, TYPESCRIPT, VB, VB6, VBSCRIPT, VISUAL_

FORCE, VUE, and XML.

com.fortify.sca.

fileextensions.cs

com.fortify.sca.

fileextensions.js

com.fortify.sca.

fileextensions.py

Value Type: String (valid language type)

com.fortify.sca.

fileextensions.rb

Default: See the fortify-sca.properties file for the complete list.

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 188 of 223

User Guide

Appendix C: Configuration Options

Property Name

Description

Examples:

com.fortify.sca.

fileextensions.aspx

com.fortify.sca.fileextensions.java=JAVA

com.fortify.sca.fileextensions.cs=CSHARP

com.fortify.sca.fileextensions.js=TYPESCRIPT

com.fortify.sca.fileextensions.py=PYTHON

com.fortify.sca.fileextensions.swift=SWIFT

com.fortify.sca.fileextensions.razor=ASPNET

com.fortify.sca.fileextensions.php=PHP

com.fortify.sca.fileextensions.tf=HCL

com.fortify.sca.

fileextensions.php

Note: This is a partial list.

For the complete list, see

the properties file.

You can also specify a value of oracle:<path_to_script> to programmatically supply

a language type. Provide a script that accepts one command-line parameter of a file name

that matches the specified file extension. The script must write the valid Fortify Static

Code Analyzer file type (see previous list) to stdout and exit with a return value of zero. If

the script returns a non-zero return code or the script does not exist, the file is not

translated and Fortify Static Code Analyzer writes a warning to the log file.

Example:

com.fortify.sca.fileextensions.jsp=

oracle:<path_to_script>

Specifies custom-named compilers.

com.fortify.sca.

compilers.javac=

com.fortify.sca.

util.compilers.JavacCom

piler

Value Type: String (compiler)

Default: See the Compilers section in the fortify-sca.properties file for the

complete list.

com.fortify.sca.

compilers.c++=

com.fortify.sca.

util.compilers.GppCompi

ler

Example:

To tell Fortify Static Code Analyzer that “my-gcc” is a gcc compiler:

com.fortify.sca.

compilers.my-gcc=

com.fortify.sca.util.compilers.

GccCompiler

com.fortify.sca.

compilers.make=

com.fortify.sca.

util.compilers.Touchles

sCompiler

Notes:

l

Compiler names can begin or end with an asterisk (*), which matches zero or more

com.fortify.sca.

compilers.mvn=

com.fortify.sca.

util.compilers.MavenAda

pter

characters.

l

Execution of clang/clang++ is not supported with the gcc/g++ command names.

You can specify the following: com.fortify.sca.compilers.g++=

com.fortify.sca.util.compilers.GppCompiler

Note: This is a partial list.

For the complete list,

see the properties file.

If set to true, Fortify Static Code Analyzer includes

com.fortify.sca.

UseAntListener

com.fortify.dev.ant.SCAListener in the compiler options.

Value Type: Boolean

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 189 of 223

User Guide

Appendix C: Configuration Options

Property Name

Description

Default: false

Specifies a colon-separated list of languages to exclude from the translation phase. The

com.fortify.sca.

DISabledLanguages

valid language values are abap, actionscript, apex, cfml, cobol, configuration,

cpp, dotnet, golang, java, javascript, jsp, kotlin, objc, php, plsql, python, ruby,

scala, sql, swift, tsql, typescript, and vb.

Value Type: String

Default: (none)

Command-Line Option: -disable-language

Specifies a colon-separated list of languages to translate. The valid language values are

com.fortify.sca.

EnabledLanguages

abap, actionscript, apex, cfml, cobol, configuration, cpp, dotnet, golang, java,

javascript, jsp, kotlin, objc, php, plsql, python, ruby, scala, sql, swift, tsql,

typescript, and vb.

Value Type: String

Default: All languages in the specified source are translated unless explicitly excluded

with the com.fortify.sca.DISabledLanguages property.

Command-Line Option: -enable-language

Specifies one or more files to exclude from translation. Separate multiple files with

semicolons (Windows) or colons (non-Windows). See "Specifying Files and Directories" on

page 133 for more information on how to use file specifiers.

com.fortify.sca.

exclude

Note: Fortify Static Code Analyzer only uses this property during translation without

build integration. When you integrate with most compilers or build tools, Fortify

Static Code Analyzer translates all source files that the compiler or build tool

processes even if they are specified with this property. However, the Fortify Static

Code Analyzer xcodebuild and MSBuild integrations do support the -exclude

option.

Value Type: String

Default: Not enabled

Command-Line Option: -exclude

Example: com.fortify.sca.exclude=

file1.x;file2.x

com.fortify.sca.

CmdlineOptionsFileEncod

ing

Specifies the encoding of the command-line options file provided with @<filename> (see

"Other Options" on page 129). You can use this property, for example, to specify Unicode

file paths in the options file. Valid encoding names are from the

java.nio.charset.Charset

Note: This property is only valid in the fortify-sca.properties file and does not

work in the fortify-sca-quickscan.properites file or with the -D option.

Value Type: String

Default: JVM system default encoding

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 190 of 223

User Guide

Appendix C: Configuration Options

Property Name

Description

Example: com.fortify.sca.CmdlineOptionsFileEncoding=UTF-8

Specifies the source file encoding type. Fortify Static Code Analyzer allows you to scan a

project that contains differently encoded source files. To work with a multi-encoded

com.fortify.sca.

InputFileEncoding

project, you must specify the -encoding option in the translation phase, when Fortify

Static Code Analyzer first reads the source code file. Fortify Static Code Analyzer

remembers this encoding in the build session and propagates it into the FVDL file.

Typically, if you do not specify the encoding type, Fortify Static Code Analyzer uses

file.encoding from the java.io.InputStreamReader constructor with no encoding

parameter. In a few cases (for example with the ActionScript parser), Fortify Static Code

Analyzer defaults to UTF-8.

Value Type: String

Default: (none)

Command-Line Option: -encoding

Example:

com.fortify.sca.InputFileEncoding=UTF-16

com.fortify.sca.

RegExecutable

On Windows platforms, specifies the path to the reg.exe system utility. Specify the paths

in Windows syntax, not Cygwin syntax, even when you run Fortify Static Code Analyzer

from within Cygwin. Escape backslashes with an additional backslash.

Value Type: String (path)

Default: reg

Example:

com.fortify.sca.RegExecutable=

C:\\Windows\\System32\\reg.exe

Specifies whether the xcodebuild touchless adapter continues translation if the

xcodebuild subprocess exited with a non-zero exit code. If set to false, translation stops

after encountering a non-zero xcodebuild exit code and the Fortify Static Code Analyzer

touchless build halts with the same exit code. If set to true, the Fortify Static Code

Analyzer touchless build executes translation of the build file identified prior to the

xcodebuild exit, and Fortify Static Code Analyzer exits with an exit code of zero (unless

some other error also occurs).

com.fortify.sca.

xcode.TranslateAfterErr

or

Regardless of this setting, if xcodebuild exits with a non-zero code, then the xcodebuild

exit code, stdout, and stderr are written to the log file.

Value Type: Boolean

Default: false

If set to true, Fortify Static Code Analyzer generates implied methods when it encounters

implementation by inheritance.

com.fortify.sca.

AddImpliedMethods

Value Type: Boolean

Default: true

Specifies a comma- or colon-separated list of the types of analysis to perform. The valid

com.fortify.sca.

DefaultAnalyzers

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 191 of 223

User Guide

Appendix C: Configuration Options

Property Name

Description

values for this property are buffer, content, configuration, controlflow,

dataflow, , nullptr, semantic, and structural.

Value Type: String

Default: This property is commented out and all analysis types are used in scans.

Command-Line Option: -analyzers

If set to true, Fortify Static Code Analyzer removes dead code issues, for example because

the compiler generated dead code and it does not appear in the source code.

com.fortify.sca.

DeadCodeFilter

Value Type: Boolean

Default: true

com.fortify.sca.

DisableDeadCodeEliminat

ion

Dead code is code that can never be executed, such as code inside the body of an if

statement that always evaluates to false. If this property is set to true, then Fortify Static

Code Analyzer does not identify dead code, does not report dead code issues, and reports

other vulnerabilities in the dead code, even though they are unreachable during execution.

Value Type: Boolean

Default: false

Specifies a comma- or colon-separated list of analyzers to use for a scan in addition to the

com.fortify.sca.

EnableAnalyzer

default analyzers. The valid values for this property are buffer, content,

configuration, controlflow, dataflow, nullptr, semantic, and structural.

Value Type: String

Default: (none)

Extends the default exit code options. See "Exit Codes" on page 170 for a description of

the exit codes and the valid values for this property.

com.fortify.sca.

ExitCodeLevel

If set to true, higher-order analysis is enabled.

com.fortify.sca.

hoa.Enable

Value Type: Boolean

Default: true

Specifies a comma-separated list of languages for which to run higher-order analysis.

com.fortify.sca.

Phase0HigherOrder.Langu

ages

Valid values are python, swift, ruby, javascript, and typescript.

Value Type: String

Default: python,ruby,swift,javascript,typescript

Specifies the total time (in seconds) for higher-order analysis. When the analyzer reaches

the hard timeout limit, it exits immediately.

com.fortify.sca.

Phase0HigherOrder.Timeo

ut.Hard

Fortify recommends this timeout limit in case some issue causes the analysis to run too

long. Fortify recommends that you set the hard timeout to about 50% longer than the soft

timeout, so that either the fixpoint pass limiter or the soft timeout occurs first.

Value Type: Number

Default: 2700

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 192 of 223

User Guide

Appendix C: Configuration Options

Property Name

Description

Specifies the scan precision. Scans with a lower precision level are performed faster. The

com.fortify.sca.

PrecisionLevel

valid values are 1 and 2.

Value Type: Number

Default: (none)

Command-Line Option: -scan-precision | -p

Specifies the length of a taint path between input and output parameters in a function call.

Value Type: Integer

com.fortify.sca.

MaxPassthroughChainDept

h

Default: 4

Comma- or colon-separated list of languages that use type inference. This setting

improves the precision of the analysis for dynamically-typed languages.

com.fortify.sca.

TypeInferenceLanguages

Value Type: String

Default: javascript,python,ruby,typescript

Specifies the total amount of time (in seconds) that type inference can spend in phase 0

(the interprocedural analysis). Unlimited if set to zero or is not specified.

com.fortify.sca.

TypeInferencePhase0Time

out

Value Type: Long

Default: 300

The amount of time (in seconds) that type inference can spend to analyze a single

function. Unlimited if set to zero or is not specified.

com.fortify.sca.

TypeInferenceFunctionTi

meout

Value Type: Long

Default: 60

If set to true, disables function pointers during the scan.

Value Type: Boolean

com.fortify.sca.

DisableFunctionPointers

Default: false

If set to true, Fortify Static Code Analyzer ignores low severity issues found in a scan.

com.fortify.sca.

SuppressLowSeverity

Value Type: Boolean

Default: true

Specifies the cutoff level for severity suppression. Fortify Static Code Analyzer ignores

any issues found with a lower severity value than the one specified for this property.

com.fortify.sca.

LowSeverityCutoff

Value Type: Number

Default: 1.0

Specifies whether to enable Control Flow Analyzer timeouts.

com.fortify.sca.

analyzer.controlflow.En

ableTimeOut

Value Type: Boolean

Default: true

Specifies the path to a filter file for the scan. See "Excluding Issues with Filter Files" on

com.fortify.sca.

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 193 of 223

User Guide

Appendix C: Configuration Options

Property Name

Description

page 179 for more information.

Value Type: String (path)

Default: (none)

FilterFile

Command-Line Option: -filter

Specifies a comma-separated list of IIDs to be filtered out using a filter file.

com.fortify.sca.

FilteredInstanceIDs

Value Type: String

Default: (none)

Example:

com.fortify.sca.FilteredInstanceIDs=CA4E1623A2424919B98EC19FCA279FFA,

4418B3DC072647158B3758E6183C14CD

Specifies a subset of source files to scan. Only the source files that were linked in the

named binary at build time are included in the scan.

com.fortify.sca.

BinaryName

Value Type: String (path)

Default: (none)

Command-Line Option: -bin or -binary-name

If set to true, Fortify Static Code Analyzer performs a quick scan. Fortify Static Code

com.fortify.sca.

QuickScanMode

Analyzer uses the settings from fortify-sca-quickscan.properties, instead of the

fortify-sca.properties configuration file.

Value Type: Boolean

Default: (not enabled)

Command-Line Option: -quick

Specifies the issue template file to use for the scan. This only affects scans on the local

machine. If you upload the FPR to Micro Focus Fortify Software Security Center server, it

uses the issue template assigned to the application version.

com.fortify.sca.

ProjectTemplate

Value Type: String

Default: (none)

Command-Line Option: -project-template

Example:

com.fortify.sca.ProjectTemplate=

test_issuetemplate.xml

If set to true, Fortify Static Code Analyzer performs modular scan of this project, which

com.fortify.sca.

ScanScaModule

enables use of this library's build ID with the include-modules option (or the

com.fortify.sca.IncludeScaModules property) in subsequent scans.

This property is ignored if the -scan command-line option is specified.

Value Type: Boolean

Default: false

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 194 of 223

User Guide

Appendix C: Configuration Options

Property Name

Description

Command-Line Option: -scan-module

Specifies a comma- or colon-separated list of build IDs for libraries pre-scanned as

separate modules to use in the project scan. Each build ID must denote an existing

scanned library.

com.fortify.sca.

IncludeScaModules

Value Type: String (build IDs)

Default: (none)

Command-Line Option: -include-modules

Example:

com.fortify.sca.IncludeScaModules=LibA,LibB

If set to true, enables alias analysis.

com.fortify.sca.

alias.Enable

Value Type: Boolean

Default: true

Specifies a colon-separated list of functions to hide from all analyzers.

com.fortify.sca.

UniversalBlacklist

Value Type: String

Default: .*yyparse.*

Specifies whether Fortify Static Code Analyzer runs in parallel analysis mode.

Value Type: Boolean

com.fortify.sca.

MultithreadedAnalysis

Default: true

Specifies the number of threads for parallel analysis mode. Add this property only if you

need to reduce the number of threads used because of a resource constraint. If you

experience an increase in scan time or problems with your scan, a reduction in the number

of threads used might solve the problem.

com.fortify.sca.

ThreadCount

Value type: Integer

Default: (number of available processor cores)

Regex Analysis Properties

The properties for the fortify-sca.properties file in the following table apply to regular

expression analysis.

Property Name

Description

If set to true, regular expression analysis is enabled.

com.fortify.sca.

regex.Enable

Value Type: Boolean

Default: true

If set to true, binary files are excluded from a regular expression analysis.

com.fortify.sca.

regex.ExcludeBinaries

Value Type: Boolean

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 195 of 223

User Guide

Appendix C: Configuration Options

Property Name

Description

Default: true

Specifies the maximum size (in megabytes) for files that are scanned in a regular expression

analysis. Files that exceed this file size maximum are excluded from a regular expression

analysis.

com.fortify.sca.

regex.MaxSize

Value Type: Number

Default: 10

LIM License Properties

The properties for the fortify-sca.properties file in the following table apply to licensing with

the LIM.

Property Name

Description

Specifies the LIM server URL. Do not edit this value directly with a text editor. Use the

command-line option to change this value.

com.fortify.sca.

lim.Url

Value Type: String

Default: (none)

Command-Line Option: -store-license-pool-credentials

Example: https://<ip_address>/LIM.REST.API

Specifies the LIM license pool name. Do not edit this value directly with a text editor.

Use the command-line option to change this value.

com.fortify.sca.

lim.PoolName

Value Type: String

Default: (none)

Command-Line Option: -store-license-pool-credentials

Specifies the LIM license pool password (encrypted). Do not edit this value directly

with a text editor. Use the command-line option to change this value.

com.fortify.sca.

lim.PoolPassword

Value Type: String

Default: (none)

Command-Line Option: -store-license-pool-credentials

Specifies the proxy server used to connect to the LIM server.

com.fortify.sca.

lim.ProxyUrl

Value Type: String

Default: (none)

Examples:

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 196 of 223

User Guide

Appendix C: Configuration Options

Property Name

Description

http://proxy.example.com:8080

https://proxy.example.com

Command-Line Option: -store-license-pool-credentials

Specifies an encrypted user name for proxy authentication to connect to the LIM

server. Do not edit this value directly with a text editor. Use the command-line option

to change this value.

com.fortify.sca.

lim.ProxyUsername

Value Type: String

Default: (none)

Command-Line Option: -store-license-pool-credentials

Specifies an encrypted password for proxy authentication to connect to the LIM

server. Do not edit this value directly with a text editor. Use the command-line option

to change this value.

com.fortify.sca.

lim.ProxyPassword

Value Type: String

Default: (none)

Command-Line Option: -store-license-pool-credentials

If set to true, any attempt to connect to the LIM server without a trusted certificate

fails. If this property is set to false, a warning message displays for any attempt to

connect to the LIM server without a trusted certificate.

com.fortify.sca.

lim.RequireTrustedSSLCert

Value Type: Boolean

Default: true

If set to true and LIM license pool credentials are stored, Fortify Static Code Analyzer

waits for a LIM license to become available before starting a translation or scan. If this

property is set to false, Fortify Static Code Analyzer exits if it cannot obtain a LIM

license.

com.fortify.sca.

lim.WaitForInitialLicense

Value Type: Boolean

Default: true

See Also

"LIM License Directives" on page 132

Rule Properties

The properties for the fortify-sca.properties file in the following table apply to rules (and

custom rules) and Rulepacks.

Property Name

Description

Sets the directory used to search for the Fortify provided encrypted rules files.

com.fortify.sca.

DefaultRulesDir

Value Type: String (path)

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 197 of 223

User Guide

Appendix C: Configuration Options

Property Name

Description

Default:

${com.fortify.Core}/config/rules

Specifies a custom Rulepack or directory. If you specify a directory, all of the files in the

com.fortify.sca.

RulesFile

directory with the .bin and .xml extensions are included.

Value Type: String (path)

Default: (none)

Command-Line Option: -rules

Sets the directory used to search for custom rules.

Value Type: String (path)

com.fortify.sca.

CustomRulesDir

Default:

${com.fortify.Core}/config/customrules

com.fortify.sca.

Specifies a list of file extensions for rules files. Any files in <sca_install_

RulesFileExtensions

dir>/Core/config/rules (or a directory specified with the -rules option) whose

extension is in this list is included. The .bin extension is always included, regardless of the

value of this property. The delimiter for this property is the system path separator.

Value Type: String

Default: .xml

If set to true, rules from the default Rulepacks are not loaded. Fortify Static Code Analyzer

processes the Rulepacks for description elements and language libraries, but no rules are

processed.

com.fortify.sca.

NoDefaultRules

Value Type: Boolean

Default: (none)

Command-Line Option: -no-default-rules

If set to true, disables rules in default Rulepacks that lead directly to issues. Still loads rules

that characterize the behavior of functions. This can be helpful when creating custom issue

rules.

com.fortify.sca.

NoDefaultIssueRules

Value Type: Boolean

Default: (none)

Command-Line Option: -no-default-issue-rules

If set to true, disables source rules in the default Rulepacks. This can be helpful when

creating custom source rules.

com.fortify.sca.

NoDefaultSourceRules

Note: Characterization source rules are not disabled.

Value Type: Boolean

Default: (none)

Command-Line Option: -no-default-source-rules

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 198 of 223

User Guide

Appendix C: Configuration Options

Property Name

Description

If set to true, disables sink rules in the default Rulepacks. This can be helpful when creating

custom sink rules.

com.fortity.sca.

NoDefaultSinkRules

Note: Characterization sink rules are not disabled.

Value Type: Boolean

Default: (none)

Command-Line Option: -no-default-sink-rules

Java and Kotlin Properties

The properties for the fortify-sca.properties file in the following table apply to the translation

of Java and Kotlin code.

Property Name

Description

Specifies the class path used to analyze Java or Kotlin source code. Separate multiple

paths with semicolons (Windows) or colons (non-Windows).

com.fortify.sca.

JavaClasspath

Value Type: String (paths)

Default: (none)

Command-Line Option: -cp or -classpath

Specifies the Java source code version for Java or Kotlin translation.

Value Type: String

com.fortify.sca.

JdkVersion

Default: 1.8

Command-Line Option: -jdk or -source

Specifies a semicolon- (Windows) or colon-separated (non-Windows) list of Java or Kotlin

source file directories that are not included in the scan but are used for name resolution.

The source path is similar to class path, except it uses source files rather than class files for

resolution.

com.fortify.sca.

JavaSourcepath

Value Type: String (paths)

Default: (none)

Command-Line Option: -sourcepath

com.fortify.sca.

Appserver

Specifies the application server to process JSP files. The valid values are weblogic or

websphere.

Value Type: String

Default: (none)

Command-Line Option: -appserver

Specifies the application server's home directory. For WebLogic, this is the path to the

com.fortify.sca.

AppserverHome

directory that contains server/lib. For WebSphere, this is the path to the directory that

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 199 of 223

User Guide

Appendix C: Configuration Options

Property Name

Description

contains the JspBatchCompiler script.

Value Type: String (path)

Default: (none)

Command-Line Option: -appserver-home

Specifies the version of the WebLogic or WebSphere application server.

Value Type: String

com.fortify.sca.

AppserverVersion

Default: (none)

Command-Line Option: -appserver-version

Specifies directories to include implicitly on the class path for WebLogic and WebSphere

application servers.

com.fortify.sca.

JavaExtdirs

Value Type: String

Default: (none)

Command-Line Option: -extdirs

If set to true, Fortify Static Code Analyzer only translates Java source files that are

referenced by the target file list. Otherwise, Fortify Static Code Analyzer translates all files

included in the source path.

com.fortify.sca.

JavaSourcepathSearch

Value Type: Boolean

Default: true

Specifies semicolon- or colon-separated list of directories of commonly used JAR files. JAR

com.fortify.sca.

DefaultJarsDirs

files located in these directories are appended to the end of the class path option (-cp).

Value Type: String

Default: default_jars

If set to true, Java bytecode is decompiled for the translation.

Value Type: Boolean

com.fortify.sca.

DecompileBytecode

Default: false

If set to true, the JSP parser uses JSP security manager.

Value Type: Boolean

com.fortify.sca.

jsp.UseSecurityManager

Default: true

Specifies the encoding for JSPs.

Value Type: String (encoding)

com.fortify.sca.

jsp.DefaultEncoding

Default: ISO-8859-1

If set to true, enables additional filtering on JSP-related dataflow to reduce the amount of

spurious false positives detected.

com.fortify.sca.

jsp.LegacyDataflow

Value Type: Boolean

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 200 of 223

User Guide

Appendix C: Configuration Options

Property Name

Description

Default: false

Command-Line Option: -legacy-jsp-dataflow

com.fortify.sca.

KotlinJvmDefault

Specifies the generation of the DefaultImpls class for methods with bodies in Kotlin

interfaces. The valid values are:

l

disable—Specifies to generate the DefaultImpls class for each interface that

contains methods with bodies.

l

all—Specifies to generate the DefaultImpls class if an interface is annotated with

@JvmDefaultWithCompatibility.

l

all-compatibility—Specifies to generate the DefaultImpls class unless an

interface is annotated with @JvmDefaultWithoutCompatibility.

Value Type: String

Default: disable

If set to true, displays any unresolved types, fields, and functions referenced in translated

Java source files at the end of the translation.

com.fortify.sca.

ShowUnresolvedSymbols

Value Type: Boolean

Default: false

Command-Line Option: -show-unresolved-symbols

See Also

"Translating Java Code" on page 50

"Translating Kotlin Code" on page 58

JavaScript and TypeScript Properties

The properties for the fortify-sca.properties file in the following table apply to the translation

of JavaScript and TypeScript code.

Property Name

Description

If set to true, Fortify Static Code Analyzer generates JavaScript code to model

the DOM tree that an HTML file generated during the translation phase and

identifies DOM-related issues (such as cross-site scripting issues). Enable this

property if the code you are translating includes HTML files that have

embedded or referenced JavaScript code.

com.fortify.sca.

EnableDOMModeling

Note: Enabling this property can increase the translation time.

Value Type: Boolean

Default: false

com.fortify.sca.

If you set the com.fortify.sca.EnableDOMModeling property to true, you

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 201 of 223

User Guide

Appendix C: Configuration Options

Property Name

Description

can specify additional coma-separated HTML tags names for Fortify Static

Code Analyzer to include in the DOM modeling.

DOMModeling.tags

Value Type: String

Default: body, button, div, form, iframe, input, head, html, and p.

Example:

com.fortify.sca.DOMModeling.tags=ul,li

Specifies trusted domain names where Fortify Static Code Analyzer can

download referenced JavaScript files for the scan. Delimit the URLs with

vertical bars.

com.fortify.sca.

JavaScript.src.domain.whitelist

Value Type: String

Default: (none)

Example: com.fortify.sca.JavaScript.

src.domain.whitelist=

http://www.xyz.com|http://www.123.org

If set to true, JavaScript code embedded in JSP, JSPX, PHP, and HTML files is

not extracted and not scanned.

com.fortify.sca.

DisableJavascriptExtraction

Value Type: Boolean

Default: false

Specifies a list of comma- or colon-separated JavaScript technology library

files that are not translated. You can use regular expressions in the file names.

com.fortify.sca.

skip.libraries.ES6

Note that the regular expression '(-\d\.\d\.\d)?' is automatically inserted

before .min.js or .js for each file name included in the

com.fortify.sca.

skip.libraries.jQuery

com.fortify.sca.skip.libraries.jQuery property value.

com.fortify.sca.

Value Type: String

skip.libraries.javascript

com.fortify.sca.

skip.libraries.typescript

Defaults:

l

ES6: es6-shim.min.js,system-polyfills.js,

shims_for_IE.js

l

jQuery: jquery.js,jquery.min.js,

jquery-migrate.js,jquery-migrate.min.js,

jquery-ui.js,jquery-ui.min.js,

jquery.mobile.js,jquery.mobile.min.js,

jquery.color.js,jquery.color.min.js,

jquery.color.svg-names.js,

jquery.color.svg-names.min.js,

jquery.color.plus-names.js,

jquery.color.plus-names.min.js,

jquery.tools.min.js

l

javascript: bootstrap.js,

bootstrap.min.js,

typescript.js,

typescriptServices.js

l

typescript: typescript.d.ts,

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 202 of 223

User Guide

Appendix C: Configuration Options

Property Name

Description

typescriptServices.d.ts

If set to true, files included with an import statement are included in the

JavaScript translation.

com.fortify.sca.

follow.imports

Value Type: Boolean

Default: true

If set to true, only imported node_modules are included in the JavaScript

translation.

com.fortify.sca.

exclude.unimported.node.modules

Value Type: Boolean

Default: true

Python Properties

The properties for the fortify-sca.properties file in the following table apply to the translation

of Python code.

Property Name

Description

Specifies a semicolon-separated (Windows) or colon-separated (non-Windows) list

of additional import directories. Fortify Static Code Analyzer does not respect

PYTHONPATH environment variable that the Python runtime system uses to find

import files. Use this property to specify the additional import directories.

com.fortify.sca.

PythonPath

Value Type: String (path)

Default: (none)

Command-Line Option: -python-path

com.fortify.sca.

PythonVersion

Specifies the Python source code version to scan. The valid values are 2 and 3.

Value Type: Number

Default: 2

Command-Line Option: -python-version

If set to true, disables the automatic calculation of a common root directory of all

project files to use for importing modules and packages For more details, see

"Including Imported Modules and Packages" on page 75.

com.fortify.sca.

PythonNoAutoRootCalculation

Value Type: Boolean

Default: false

Command-Line Option: -python-no-auto-root-calculation

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 203 of 223

User Guide

Appendix C: Configuration Options

Property Name

Description

Specifies semicolon-separated (Windows) or colon-separated (non-Windows) list of

paths for Django templates. Fortify Static Code Analyzer does not use the

com.fortify.sca.

DjangoTemplateDirs

TEMPLATE_DIRS setting from the Django settings.py file.

Value Type: String (paths)

Default: (none)

Command-Line Option: -django-template-dirs

Specifies that Fortify Static Code Analyzer does not automatically discover Django

templates.

com.fortify.sca.

DjangoDisableAutodiscover

Value Type: Boolean

Default: (none)

Command-Line Option: -django-disable-autodiscover

See Also

"Translating Python Code" on page 75

Go Properties

The properties for the fortify-sca.properties file in the following table apply to the translation

of Go code.

Property Name

Description

Specifies the root directory of your project/workspace.

Value Type: String

com.fortify.sca.

GOPATH

Default: (GOPATH system environment variable)

Specifies the location of the Go installation.

Value Type: String

com.fortify.sca.

GOROOT

Default: (GOROOT system environment variable)

com.fortify.sca.

GOPROXY

Specifies one or more comma-separated proxy URLs. You can also specify direct or off.

Value Type: String

Default: (GOPROXY system environment variable)

See Also

"Translating Go Code" on page 82

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 204 of 223

User Guide

Appendix C: Configuration Options

Ruby Properties

The properties for the fortify-sca.properties file in the following table apply to the translation

of Ruby code.

Property Name

Description

Specifies one or more paths to directories that contain Ruby libraries.

Value Type: String (path)

com.fortify.sca.

RubyLibraryPaths

Default: (none)

Command-Line Option: -ruby-path

Specifies one or more paths to RubyGems locations. Set this value if the project has associated

gems to scan.

com.fortify.sca.

RubyGemPaths

Value Type: String (path)

Default: (none)

Command-Line Option: -rubygem-path

See Also

"Translating Ruby Code" on page 85

COBOL Properties

The properties for the fortify-sca.properties file in the following table apply to the translation

of COBOL code.

Property Name

Description

Specifies one or more semicolon- or colon-separated directories where Fortify Static Code

Analyzer looks for copybook files.

com.fortify.sca.

CobolCopyDirs

Value Type: String (path)

Default: (none)

Command-Line Option: -copydirs

com.fortify.sca.

CobolDialect

Specifies the COBOL dialect. The valid values for dialect are COBOL390 or MICROFOCUS.

The dialect value is case-insensitive.

Value Type: String

Default: COBOL390

Command-Line Option: -dialect

Specifies one or more semicolon-separated COBOL checker directives.

Value Type: String

com.fortify.sca.

CobolCheckerDirectives

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 205 of 223

User Guide

Appendix C: Configuration Options

Property Name

Description

Default: (none)

Command-Line Option: -checker-directives

If set to true, enables legacy COBOL translation.

Value Type: Boolean

com.fortify.sca.

CobolLegacy

Default: false

Command-Line Option: -cobol-legacy

If set to true, specifies fixed-format COBOL to direct Fortify Static Code Analyzer to only

look for source code between columns 8-72 in all lines of code (legacy COBOL translation

only).

com.fortify.sca.

CobolFixedFormat

Value Type: Boolean

Default: false

Command-Line Option: -fixed-format

Specifies one or more semicolon- or colon-separated copybook file extensions (legacy

COBOL translation only).

com.fortify.sca.

CobolCopyExtensions

Value Type: String

Default: (none)

Command-Line Option: -copy-extensions

See Also

"Translating COBOL Code" on page 87

Apex Properties

The properties for the fortify-sca.properties file in the following table apply to the translation

of Apex and Visualforce code.

Property Name

Description

com.fortify.sca.

Apex

If set to true, Fortify Static Code Analyzer uses Apex translation for files with the .cls extension

and Visualforce translation for files with the .component extension.

Value Type: Boolean

Default: false

Command-Line Option: -apex

com.fortify.sca.

ApexVersion

Specifies the Apex source code version to scan. The valid value is 55.

Value Type: Number

Default: 55

Command-Line Option: -apex-version

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 206 of 223

User Guide

Appendix C: Configuration Options

PHP Properties

The properties for the fortify-sca.properties file in the following table apply to the translation

of PHP code.

Property Name

Description

Specifies the PHP version. For a list of valid versions, see the Micro Focus Fortify Software System

Requirements document.

com.fortify.sca.

PHPVersion

Value Type: String

Default: 7.4

Command-Line Option: -php-version

Specifies the PHP source root.

Value Type: Boolean

com.fortify.sca.

PHPSourceRoot

Default: (none)

Command-Line Option: -php-source-root

See Also

"Translating PHP Code" on page 95

ABAP Properties

The properties described in the following table apply to the translation of ABAP code.

Property Name

Description

If set to true, Fortify Static Code Analyzer adds ABAP statements to debug messages.

com.fortify.sca.

AbapDebug

Value Type: Boolean

Default: (none)

When Fortify Static Code Analyzer encounters an ABAP 'INCLUDE' directive, it looks in the named

directory.

com.fortify.sca.

AbapIncludes

Value Type: String (path)

Default: (none)

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 207 of 223

User Guide

Appendix C: Configuration Options

Flex and ActionScript Properties

The properties for the fortify-sca.properties file in the following table apply to the translation

of Flex and ActionScript code.

Property Name

Description

Specifies a semicolon-separated (Windows) or colon-separated (non-Windows) of libraries to "link"

com.fortify.sca.

FlexLibraries

to. This list must include flex.swc, framework.swc, and playerglobal.swc (which are usually

located in the frameworks/libs directory in your Flex SDK root). Use this property primarily to

resolve ActionScript.

Value Type: String (path)

Default: (none)

Command-Line Option: -flex-libraries

Specifies the root location of a valid Flex SDK. The folder must contain a frameworks folder that

com.fortify.sca.

FlexSdkRoot

contains a flex-config.xml file. It must also contain a bin folder that contains an mxmlc

executable.

Value Type: String (path)

Default: (none)

Command-Line Option: -flex-sdk-root

Specifies any additional source directories for a Flex project. Separate multiple directories with

semicolons (Windows) or colons (non-Windows).

com.fortify.sca.

FlexSourceRoots

Value Type: String (path)

Default: (none)

Command-Line Option: -flex-source-root

ColdFusion (CFML) Properties

The properties for the fortify-sca.properties file in the following table apply to the translation

of CFML code.

Property Name

Description

If set to true, Fortify Static Code Analyzer treats undefined variables in CFML

pages as tainted. This serves as a hint to the Dataflow Analyzer to watch out

for register-globals-style vulnerabilities. However, enabling this property

interferes with dataflow findings where a variable in an included page is

initialized to a tainted value in an earlier-occurring included page.

com.fortify.sca.

CfmlUndefinedVariablesAreTainted

Value Type: Boolean

Default: false

If set to true, make CFML files case-insensitive for applications developed

com.fortify.sca.

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 208 of 223

User Guide

Appendix C: Configuration Options

Property Name

Description

using a case-insensitive file system and scanned on case-sensitive file

systems.

CaseInsensitiveFiles

Value Type: Boolean

Default: (not enabled)

Specifies the base directory for ColdFusion projects.

Value Type: String (path)

com.fortify.sca.

SourceBaseDir

Default: (none)

Command-Line Option: -source-base-dir

SQL Properties

The properties for the fortify-sca.properties file in the following table apply to the translation

of SQL code.

Property Name

Description

com.fortify.sca.

SqlLanguage

Specifies the SQL language variant. The valid SQL language type values are PLSQL (for Oracle

PL/SQL) and TSQL (for Microsoft T-SQL).

Value Type: String

Default: TSQL

Command-Line Option: -sql-language

See Also

"Translating SQL" on page 108

Output Properties

The properties for the fortify-sca.properties file in the following table apply to the analysis

output.

Property Name

Description

The file to which results are written.

Value Type: String

com.fortify.sca.

ResultsFile

Default: (none)

Command-Line Option: -f

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 209 of 223

User Guide

Appendix C: Configuration Options

Property Name

Description

Example: com.fortify.sca.ResultsFile=MyResults.fpr

com.fortify.sca.

Renderer

Controls the output format. The valid values are fpr, fvdl, text, and auto. The default

of auto selects the output format based on the file extension of the file provided with

the -f option.

Value Type: String

Default: auto

Command-Line Option: -format

If set to true, Fortify Static Code Analyzer appends results to an existing results file.

Value Type: Boolean

com.fortify.sca.

OutputAppend

Default: false

Command-Line Option: -append

If set to true, Fortify Static Code Analyzer prints results as they become available. This

com.fortify.sca.

ResultsAsAvailable

is helpful if you do not specify the -f option (to specify an output file) and print to

stdout.

Value Type: Boolean

Default: false

Specifies a label for the scanned project. Fortify Static Code Analyzer does not use this

label but includes it in the results.

com.fortify.sca.

BuildLabel

Value Type: String

Default: (none)

Command-Line Option: -build-label

Specifies a name for the scanned project. Fortify Static Code Analyzer does not use this

name but includes it in the results.

com.fortify.sca.

BuildProject

Value Type: String

Default: (none)

Command-Line Option: -build-project

Specifies a version number for the scanned project. Fortify Static Code Analyzer does

not use this version number but it is included in the results.

com.fortify.sca.

BuildVersion

Value Type: String

Default: (none)

Command-Line Option: -build-version

Output information in a format that scripts or Fortify Static Code Analyzer tools can use

rather than printing output interactively. Instead of a single line to display scan

progress, a new line is printed below the previous one on the console to display updated

progress.

com.fortify.sca.

MachineOutputMode

Value Type: Boolean

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 210 of 223

User Guide

Appendix C: Configuration Options

Property Name

Description

Default: (not enabled)

Command-Line Option: -machine-output

Sets the number of lines of code to display surrounding an issue. The two lines of code

on each side of the line where the error occurs are always included. By default, five lines

are displayed.

com.fortify.sca.

SnippetContextLines

Value Type: Number

Default: 2

If set to true, excludes Fortify security content descriptions from the analysis results file

(FVDL).

com.fortify.sca.

FVDLDisableDescriptions

Value Type: Boolean

Default: false

Command-Line Option: -fvdl-no-descriptions

If set to true, excludes engine data from the analysis results file (FVDL).

Value Type: Boolean

com.fortify.sca.

FVDLDisableEngineData

Default: false

Command-Line Option:-fvdl-no-enginedata

If set to true, excludes label evidence from the analysis results file (FVDL).

Value Type: Boolean

com.fortify.sca.

FVDLDisableLabelEvidence

Default: false

com.fortify.sca.

FVDLDisableProgramData

If set to true, excludes the ProgramData section from the analysis results file (FVDL).

Value Type: Boolean

Default: false

Command-Line Option: -fvdl-no-progdata

If set to true, excludes code snippets from the analysis results file (FVDL).

Value Type: Boolean

com.fortify.sca.

FVDLDisableSnippets

Default: false

Command-Line Option: -fvdl-no-snippets

Specifies location of the style sheet for the analysis results.

Value Type: String (path)

com.fortify.sca.

FVDLStylesheet

Default:

${com.fortify.Core}/resources/sca/fvdl2html.xsl

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 211 of 223

User Guide

Appendix C: Configuration Options

Mobile Build Sessions (MBS) Properties

The properties for the fortify-sca.properties file in the following table apply to MBS files.

Property Name

Description

If set to true, Fortify Static Code Analyzer copies source files into the build session directory.

com.fortify.sca.

MobileBuildSessions

Value Type: Boolean

Default: false

If set to true, Fortify Static Code Analyzer extracts the build ID and the Fortify Static Code

Analyzer version number from the mobile build session.

com.fortify.sca.

ExtractMobileInfo

Note: Fortify Static Code Analyzer does not extract the mobile build with this property.

Value Type: Boolean

Default: false

See Also

"Mobile Build Sessions" on page 45

Logging Properties

The properties for the fortify-sca.properties file in the following table apply to log files.

Property Name

Description

Specifies the default log file name and location.

Value Type: String (path)

Default:

com.fortify.sca.

LogFile

${com.fortify.sca.ProjectRoot}/log/sca.log

and ${com.fortify.sca.ProjectRoot}/log/sca_FortifySupport.log

Command-Line Option: -logfile

com.fortify.sca.

LogLevel

Specifies the minimum log level for both log files. The valid values are DEBUG,

INFO, WARN, ERROR, and FATAL. For more information, see "Locating the Log

Files" on page 176 and "Configuring Log Files" on page 17 6 .

Value Type: String

Default: INFO

If set to true, Fortify Static Code Analyzer overwrites the log file for each run of

sourceanalyzer.

com.fortify.sca.

ClobberLogFile

Value Type: Boolean

Default: false

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 212 of 223

User Guide

Appendix C: Configuration Options

Property Name

Description

Command-Line Option: -clobber-log

If set to true, Fortify Static Code Analyzer writes performance-related data to the

Fortify Support log file after the scan is complete. This value is automatically set

to true when in debug mode.

com.fortify.sca.

PrintPerformanceDataAfterScan

Value Type: Boolean

Default: false

See Also

"Configuring Log Files" on page 176

Debug Properties

The properties for the fortify-sca.properties file in the following table apply to debug settings.

Property Name

Description

Includes debug information in the Fortify Support log file, which is only useful for Micro

Focus Fortify Customer Support to help troubleshoot.

com.fortify.sca.

Debug

Value Type: Boolean

Default: false

Command-Line Option: -debug

com.fortify.sca.

DebugVerbose

This is the same as the com.fortify.sca.Debug property, but it includes more details,

specifically for parse errors.

Value Type: Boolean

Default: (not enabled)

Command-Line Option: -debug-verbose

If set to true, includes verbose messages in the Fortify Support log file.

Value Type: Boolean

com.fortify.sca.

Verbose

Default: false

Command-Line Option: -verbose

If set to true, enables additional performance information to be written to the Fortify

Support log.

com.fortify.sca.

DebugTrackMem

Value Type: Boolean

Default: (not enabled)

Command-Line Option: -debug-mem

If set to true, enables additional timers to track performance.

Value Type: Boolean

com.fortify.sca.

CollectPerformanceData

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 213 of 223

User Guide

Appendix C: Configuration Options

Property Name

Description

Default: (not enabled)

If set to true, disables the command-line progress information.

com.fortify.sca.

Quiet

Value Type: Boolean

Default: false

Command-Line Option: -quiet

If set to true, Fortify Static Code Analyzer monitors its memory use and warns when JVM

garbage collection becomes excessive.

com.fortify.sca.

MonitorSca

Value Type: Boolean

Default: true

fortify-sca-quickscan.properties

Fortify Static Code Analyzer offers a less in-depth scan known as a quick scan. This option scans the

project in quick scan mode, using the property values in the fortify-sca-quickscan.properties

file. By default, a quick scan reduces the depth of the analysis and applies the Quick View filter set.

The Quick View filter set provides only critical and high priority issues.

Note: Properties in this file are only used if you specify the -quick option on the command line

for your scan.

The following table provides two sets of default values: the default value for quick scans and the

default value for normal scans. If only one default value is shown, the value is the same for both

normal scans and quick scans.

Property Name

Description

Sets the time limit (in milliseconds) for Control Flow analysis on a single

function.

com.fortify.sca.

CtrlflowMaxFunctionTime

Value Type: Integer

Quick Scan Default: 30000

Default: 600000

Specifies a comma- or colon-separated list of analyzers to disable during a

com.fortify.sca.

DisableAnalyzers

scan. The valid analyzer names are buffer, content, configuration,

controlflow, dataflow, nullptr, semantic, and structural.

Value Type: String

Quick Scan Default: controlflow:buffer

Default: (none)

Specifies the filter set to use. You can use this property with an issue

com.fortify.sca.

FilterSet

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 214 of 223

User Guide

Appendix C: Configuration Options

Property Name

Description

template to filter at scan-time instead of post-scan. See

com.fortify.sca.ProjectTemplate described in "Translation and

Analysis Phase Properties" on page 188 to specify an issue template that

contains the filter set to use.

When set to Quick View, this property runs rules that have a potentially

high impact and a high likelihood of occurring and rules that have a

potentially high impact and a low likelihood of occurring. Filtered issues are

not written to the FPR and therefore this can reduce the size of an FPR. For

more information about filter sets, see the Micro Focus Fortify Audit

Workbench User Guide.

Value Type: String

Quick Scan Default: Quick View

Default: (none)

Disables the creation of the metatable, which includes information for the

Function view in Micro Focus Fortify Audit Workbench. This metatable

enables right-click on a variable in the source window to show the

declaration. If C/C++ scans take an extremely long time, setting this property

to true can potentially reduce the scan time by hours.

com.fortify.sca.

FPRDisableMetatable

Value Type: Boolean

Quick Scan Default: true

Default: false

Command-Line Option: -disable-metatable

Disables source code inclusion in the FPR file. Prevents Fortify Static Code

Analyzer from generating marked-up source code files during a scan. If you

plan to upload FPR files that are generated as a result of a quick scan to

com.fortify.sca.

FPRDisableSourceBundling

Fortify Software Security Center, you must set this property to false.

Value Type: Boolean

Quick Scan Default: true

Default: false

Command-Line Option: -disable-source-bundling

Sets the time limit (in milliseconds) for Null Pointer analysis for a single

function. The standard default is five minutes. If this value is set to a shorter

limit, the overall scan time decreases.

com.fortify.sca.

NullPtrMaxFunctionTime

Value Type: Integer

Quick Scan Default:10000

Default:300000

Disables path tracking for Control Flow analysis. Path tracking provides more

detailed reporting for issues, but requires more scan time. To disable this for

com.fortify.sca.

TrackPaths

JSP only, set it to NoJSP. Specify None to disable all functions.

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 215 of 223

User Guide

Appendix C: Configuration Options

Property Name

Description

Value Type: String

Quick Scan Default: (none)

Default: NoJSP

Specifies the size limit for complex calculations in the Buffer Analyzer. Skips

calculations that are larger than the specified size value in the Buffer

Analyzer to improve scan time.

com.fortify.sca.

limiters.ConstraintPredicateSize

Value Type: Integer

Quick Scan Default: 10000

Default: 500000

Controls the maximum call depth through which the Dataflow Analyzer tracks

tainted data. Increase this value to increase the coverage of dataflow

analysis, which results in longer scan times.

com.fortify.sca.

limiters.MaxChainDepth

Note: Call depth refers to the maximum call depth on a dataflow path

between a taint source and sink, rather than call depth from the

program entry point, such as main().

Value Type: Integer

Quick Scan Default: 3

Default: 5

Sets the number of times taint propagation analyzer visits functions.

com.fortify.sca.

limiters.MaxFunctionVisits

Value Type: Integer

Quick Scan Default: 5

Default: 50

Controls the maximum number of paths to report for a single dataflow

vulnerability. Changing this value does not change the results that are found,

only the number of dataflow paths displayed for an individual result.

com.fortify.sca.

limiters.MaxPaths

Note: Fortify does not recommend setting this property to a value

larger than 5 because it might increase the scan time.

Value Type: Integer

Quick Scan Default: 1

Default: 5

Sets a complexity limit for the Dataflow Analyzer. Dataflow incrementally

decreases precision of analysis on functions that exceed this complexity

metric for a given precision level.

com.fortify.sca.

limiters.MaxTaintDefForVar

Value Type: Integer

Quick Scan Default: 250

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 216 of 223

User Guide

Appendix C: Configuration Options

Property Name

Description

Default: 1000

Sets a hard limit for function complexity. If complexity of a function exceeds

this limit at the lowest precision level, the analyzer skips analysis of the

function.

com.fortify.sca.

limiters.MaxTaintDefForVarAbort

Value Type: Integer

Quick Scan Default: 500

Default: 4000

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 217 of 223

Appendix D: Fortify Java Annotations

Fortify provides two versions of the Java Fortify annotations library.

l

Annotations with the retention policy set to CLASS (FortifyAnnotations-CLASS.jar).

With this version of the library, Fortify annotations are propagated to the bytecode during

compilation.

l

Annotations with the retention policy set to SOURCE (FortifyAnnotations-SOURCE.jar).

With this version of the library, Fortify annotations are not propagated to the bytecode after the

code that uses them is compiled.

If you use Fortify products to analyze bytecode of your applications (for example, with Fortify on

Demand assessments), then use the version with the annotation retention policy set to CLASS. If you

use Fortify products to analyze the source code of your applications, you can use either version of the

library. However, Fortify strongly recommends that you use the library with retention policy set to

SOURCE.

Important! Leaving Fortify annotations in production code is a security risk because they can

leak information about potential security problems in the code. Fortify recommends that you use

annotations with the retention policy set to CLASS only for internal Fortify analysis, and never

use them in your application production builds.

This section outlines the annotations available. A sample application is included in the Fortify_SCA_

Samples_<version>.zip archive in the advanced/javaAnnotations directory. A README.txt

file included in the directory describes the sample application, problems that might arise from it, and

how to fix these problems using the Fortify Java Annotations.

There are two limitations with Fortify Java annotations:

l

Each annotation can specify only one input and/or one output.

l

You can apply only one annotation of each type to the same target.

Fortify provides three main types of annotations:

l

"Dataflow Annotations" on the next page

l

"Field and Variable Annotations" on page 221

l

"Other Annotations" on page 222

You also can write rules to support your own custom annotations. Contact Micro Focus Fortify

Customer Support for more information.

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 218 of 223

User Guide

Appendix D: Fortify Java Annotations

Dataflow Annotations

There are four types of Dataflow annotations, similar to Dataflow rules: Source, Sink, Passthrough, and

Validate. All are applied to methods and specify the inputs and/or outputs by parameter name or the

strings this and return. Additionally, you can apply the Dataflow Source and Sink annotations to

the function arguments.

Source Annotations

The acceptable values for the annotation parameter are this, return, or a function parameter name.

For example, you can assign taint to an output of the target method.

@FortifyDatabaseSource("return")

String [] loadUserProfile(String userID) {

...

}

For example, you can assign taint to an argument of the target method.

void retrieveAuthCode(@FortifyPrivateSource String authCode) {

...

}

In addition to specific source annotations, Fortify provides a generic untrusted taint source called

FortifySource.

The following is a complete list of source annotations:

l

FortifySource

l

FortifyDatabaseSource

l

FortifyFileSystemSource

l

FortifyNetworkSource

l

FortifyPCISource

l

FortifyPrivateSource

l

FortifyWebSource

Passthrough Annotations

Passthrough annotations transfer any taint from an input to an output of the target method. It can

also assign or remove taint from the output, in the case of FortifyNumberPassthrough and

FortifyNotNumberPassthrough. The acceptable values for the in annotation parameter are this

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 219 of 223

User Guide

Appendix D: Fortify Java Annotations

or a function parameter name. The acceptable values for the out annotation parameter are this,

return, or a function parameter name.

@FortifyPassthrough(in="a",out="return")

String toLowerCase(String a) {

...

}

Use FortifyNumberPassthrough to indicate that the data is purely numeric. Numeric data cannot

cause certain types of issues, such as cross-site scripting, regardless of the source. Using

FortifyNumberPassthrough can reduce false positives of this type. If a program decomposes

character data into a numeric type (int, int[], and so on), you can use FortifyNumberPassthrough.

If a program concatenates numeric data into character or string data, then use

FortifyNotNumberPassthrough.

The following is a complete list of passthrough annotations:

l

FortifyPassthrough

l

FortifyNumberPassthrough

l

FortifyNotNumberPassthrough

Sink Annotations

Sink annotations report an issue when taint of the appropriate type reaches an input of the target

method. Acceptable values for the annotation parameter are this or a function parameter name.

@FortifyXSSSink("a")

void printToWebpage(int a) {

...

}

You can also apply the annotation to the function argument or the return parameter. In the following

example, an issue is reported when taint reaches the argument a.

void printToWebpage(int b, @FortifyXSSSink String a) {

...

}

The following is a complete list of the sink annotations:

l

FortifySink

l

FortifyCommandInjectionSink

l

FortifyPCISink

l

FortifyPrivacySink

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 220 of 223

User Guide

Appendix D: Fortify Java Annotations

l

FortifySQLSink

l

FortifySystemInfoSink

l

FortifyXSSSink

Validate Annotations

Validate annotations remove taint from an output of the target method. Acceptable values for the

annotation parameter are this, return, or a function parameter name.

@FortifyXSSValidate("return")

String xssCleanse(String a) {

...

}

The following is a complete list of validate sink annotations:

l

FortifyValidate

l

FortifyCommandInjectionValidate

l

FortifyPCIValidate

l

FortifyPrivacyValidate

l

FortifySQLValidate

l

FortifySystemInfoValidate

l

FortifyXSSValidate

Field and Variable Annotations

You can apply these annotations to fields and (in most cases) variables.

Password and Private Annotations

Use password and private annotations to indicate whether the target field or variable is a password or

private data.

@FortifyPassword String x;

@FortifyNotPassword String pass;

@FortifyPrivate String y;

@FortifyNotPrivate String cc;

In the previous example, string x will be identified as a password and checked for privacy violations

and hardcoded passwords. The string pass will not be identified as a password. Without the

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 221 of 223

User Guide

Appendix D: Fortify Java Annotations

annotation, it might cause false positives. The FortifyPrivate and FortifyNotPrivate

annotations work similarly, only they do not cause privacy violation issues.

Non-Negative and Non-Zero Annotations

Use these annotations to indicate disallowed values for the target field or variable.

@FortifyNonNegative int index;

@FortifyNonZero double divisor;

In the previous example, an issue is reported if a negative value is assigned to index or zero is

assigned to divisor.

Other Annotations

Check Return Value Annotation

Use the FortifyCheckReturnValue annotation to add a target method to the list of functions that

require a check of the return values.

@FortifyCheckReturnValue

int openFile(String filename){

...

}

Dangerous Annotations

With the FortifyDangerous annotation, any use of the target function, field, variable, or class is

reported. Acceptable values for the annotation parameter are CRITICAL, HIGH, MEDIUM, or LOW.

These values indicat how to categorize the issue based on the Fortify Priority Order values).

@FortifyDangerous{"CRITICAL"}

public class DangerousClass {

@FortifyDangerous{"HIGH"}

String dangerousField;

@FortifyDangerous{"LOW"}

int dangerousMethod() {

...

}

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 222 of 223

Send Documentation Feedback

If you have comments about this document, you can contact the documentation team by email.

Note: If you are experiencing a technical issue with our product, do not email the documentation

team. Instead, contact Micro Focus Fortify Customer Support at

https://www.microfocus.com/support so they can assist you.

If an email client is configured on this computer, click the link above to contact the documentation

team and an email window opens with the following information in the subject line:

Feedback on User Guide (Fortify Static Code Analyzer 22.2.0)

Just add your feedback to the email and click send.

If no email client is available, copy the information above to a new message in a web mail client, and

send your feedback to fortifydocteam@microfocus.com.

We appreciate your feedback!

Micro Focus Fortify Static Code Analyzer (22.2.0)

Page 223 of 223