User Guide
Chapter 19: Improving Performance
-analyzers option are buffer, content, configuration, controlflow, dataflow, nullptr,
semantic, and structural.
For example, to run a scan that only includes the Dataflow, Control Flow, and Buffer analyzers, use the
following scan command:
sourceanalyzer -b MyProject -analyzers dataflow:controlflow:buffer -scan -f MyResults.fpr
You can also do the same thing by setting com.fortify.sca.DefaultAnalyzers in the Fortify
Static Code Analyzer property file <sca_install_dir>/Core/config/fortify-sca.properties.
For example, to achieve the equivalent of the previous scan command, set the
following in the properties file:
com.fortify.sca.DefaultAnalyzers=dataflow:controlflow:buffer
Disabling Languages
To disable specific languages, include the -disable-language option in the translation phase,
which specifies a list of languages that you want to exclude. The valid language values are abap,
actionscript, apex, cfml, cobol, configuration, cpp, dotnet, golang, java, javascript, jsp,
kotlin, objc, php, plsql, python, ruby, scala, sql, swift, tsql, typescript, and vb.
For example, to perform a translation that excludes SQL and PHP files, use the following command:
sourceanalyzer -b MyProject <src_files> -disable-language sql:php
You can also disable languages by setting the com.fortify.sca.DISabledLanguages property in
the Fortify Static Code Analyzer properties file <sca_install_dir>/Core/config/fortify-sca.properties.
For example, to achieve the equivalent of the previous translation command, set
the following in the properties file:
com.fortify.sca.DISabledLanguages=sql:php
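Restricting analyzers and disabling languages both trade analysis coverage for speed, so it is worth checking what a tuned properties file actually excludes. The following script is an added example, not part of the Fortify documentation: it checks the two properties above against the valid values listed in this chapter, and it assumes plain key=value lines with no whitespace around the key; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the Fortify guide): report what a tuned
# fortify-sca.properties leaves out. Function names are hypothetical.
ALL_ANALYZERS="buffer content configuration controlflow dataflow nullptr semantic structural"
ALL_LANGUAGES="abap actionscript apex cfml cobol configuration cpp dotnet golang java javascript jsp kotlin objc php plsql python ruby scala sql swift tsql typescript vb"

# prop_value FILE KEY: value of the last KEY=value line, empty if unset.
prop_value() {
  awk -v k="$2" '{ sub(/\r$/, "") }
    index($0, k "=") == 1 { v = substr($0, length(k) + 2) }
    END { print v }' "$1"
}

# unknown_items LIST ALLOWED: entries of colon-separated LIST not in ALLOWED.
unknown_items() (
  out=""
  for item in $(printf '%s' "$1" | tr ':' ' '); do
    case " $2 " in *" $item "*) ;; *) out="$out $item" ;; esac
  done
  printf '%s' "${out# }"
)

# left_out LIST ALL: members of ALL that colon-separated LIST does not select.
left_out() (
  out=""
  for item in $2; do
    case ":$1:" in *":$item:"*) ;; *) out="$out $item" ;; esac
  done
  printf '%s' "${out# }"
)

# audit_props FILE: print the coverage given up; status 1 on unknown values.
audit_props() (
  analyzers=$(prop_value "$1" com.fortify.sca.DefaultAnalyzers)
  disabled=$(prop_value "$1" com.fortify.sca.DISabledLanguages)
  if [ -n "$analyzers" ]; then echo "analyzers not run: $(left_out "$analyzers" "$ALL_ANALYZERS")"; fi
  if [ -n "$disabled" ]; then echo "languages not translated: $(printf '%s' "$disabled" | tr ':' ' ')"; fi
  bad_a=$(unknown_items "$analyzers" "$ALL_ANALYZERS")
  bad_l=$(unknown_items "$disabled" "$ALL_LANGUAGES")
  if [ -n "$bad_a$bad_l" ]; then echo "unrecognized: analyzers[$bad_a] languages[$bad_l]" >&2; fi
  [ -z "$bad_a$bad_l" ]
)

# Constructed sample file holding the two settings shown in this chapter.
sample=$(mktemp)
printf '%s\n' 'com.fortify.sca.DefaultAnalyzers=dataflow:controlflow:buffer' 'com.fortify.sca.DISabledLanguages=sql:php' > "$sample"
audit_props "$sample"; rm -f "$sample"
```

Running the report in the build pipeline and keeping its output with the scan results records which analyzers and languages were outside the scope of a given FPR.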
Optimizing FPR Files
This chapter describes how to handle performance issues related to the audit results (FPR) file. This
includes reducing the scan time, reducing FPR file size, and tips for opening large FPR files.
Using Filter Files
You can use a file to filter out specific vulnerability instances, rules, and vulnerability categories from
the analysis results. If you determine that a certain issue category or rule is not relevant for a
particular scan, you can stop Fortify Static Code Analyzer from adding them to the FPR. Using a filter
file can reduce both the scan time and analysis results file size.
Micro Focus Fortify Static Code Analyzer (22.2.0)