Micro Focus  
Fortify Static Code Analyzer Tools  
Software Version: 22.1.0  
Properties Reference Guide  
Document Release Date: June 2022  
Software Release Date: June 2022  
Properties Reference Guide  
Legal Notices  
Micro Focus  
The Lawn  
22-30 Old Bath Road  
Newbury, Berkshire RG14 1QN  
UK  
https://www.microfocus.com  
Warranty  
The only warranties for products and services of Micro Focus and its affiliates and licensors (“Micro Focus”) are set forth in the  
express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an  
additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained herein. The  
information contained herein is subject to change without notice.  
Restricted Rights Legend  
Confidential computer software. Except as specifically indicated otherwise, a valid license from Micro Focus is required for  
possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software  
Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard  
commercial license.  
Copyright Notice  
© Copyright 2015 - 2022 Micro Focus or one of its affiliates  
Trademark Notices  
All trademarks, service marks, product names, and logos included in this document are the property of their respective owners.  
Documentation Updates  
The title page of this document contains the following identifying information:  
l
Software Version number  
l
Document Release Date, which changes each time the document is updated  
l
Software Release Date, which indicates the release date of this version of the software  
This document was produced on May 11, 2022. To check for recent updates or to verify that you are using the most recent  
edition of a document, go to:  
https://www.microfocus.com/support/documentation  
Micro Focus Fortify Static Code Analyzer Tools (22.1.0)  
Page 2 of 31  
Properties Reference Guide  
Contents  
Preface  
4
4
4
4
4
Contacting Micro Focus Fortify Customer Support  
For More Information  
About the Documentation Set  
Fortify Product Feature Videos  
Change Log  
5
Chapter 1: Fortify Static Code Analyzer Applications and Java IDE Plugin Configuration  
Where to Find the Properties File  
6
6
7
Fortify Static Code Analyzer Applications and Java IDE Plugin Properties  
Chapter 2: Fortify Extension for Visual Studio Configuration  
Fortify Extension for Visual Studio Properties  
24  
24  
27  
Azure DevOps Server Configuration Property  
Chapter 3: Shared Properties  
Server Properties  
28  
28  
30  
Command-Line Tools Properties  
Send Documentation Feedback  
31  
Micro Focus Fortify Static Code Analyzer Tools (22.1.0)  
Page 3 of 31  
Properties Reference Guide  
Preface  
Preface  
Contacting Micro Focus Fortify Customer Support  
Visit the Support website to:  
l
Manage licenses and entitlements  
l
Create and manage technical assistance requests  
l
Browse documentation and knowledge articles  
l
Download software  
l
Explore the Community  
https://www.microfocus.com/support  
For More Information  
For more information about Fortify software products:  
https://www.microfocus.com/cyberres/application-security  
About the Documentation Set  
The Fortify Software documentation set contains installation, user, and deployment guides for all  
Fortify Software products and components. In addition, you will find technical notes and release notes  
that describe new features, known issues, and last-minute updates. You can access the latest versions  
of these documents from the following Micro Focus Product Documentation website:  
https://www.microfocus.com/support/documentation  
To be notified of documentation updates between releases, subscribe to Fortify Product  
Announcements on the Micro Focus Community:  
https://community.microfocus.com/cyberres/fortify/w/fortify-product-announcements  
Fortify Product Feature Videos  
You can find videos that highlight Fortify products and features on the Fortify Unplugged YouTube  
channel:  
https://www.youtube.com/c/FortifyUnplugged  
Micro Focus Fortify Static Code Analyzer Tools (22.1.0)  
Page 4 of 31  
 
 
 
 
 
Properties Reference Guide  
Change Log  
Change Log  
The following table lists changes made to this document. Revisions to this document are published  
between software releases only if the changes made affect product functionality.  
Software Release /  
Document Version  
Changes  
22.1.0  
Updated:  
l
"Server Properties" on page 28 - New read timeout property for  
updating Fortify security content  
Updated: Version and release date  
Updated:  
21.2.0  
21.1.0  
l
"Fortify Static Code Analyzer Applications and Java IDE Plugin  
Properties" on page 7 - New  
property: com.fortify.awb.forceGCOnProjectClose, updated  
property description for com.fortify.UseSourceProjectTemplate  
l
"Command-Line Tools Properties" on page 30 - Default value for  
com.fortify.log.console is now false  
20.2.0  
Updated: Minor edits  
Micro Focus Fortify Static Code Analyzer Tools (22.1.0)  
Page 5 of 31  
 
Chapter 1: Fortify Static Code Analyzer  
Applications and Java IDE Plugin  
Configuration  
This chapter describes the properties used to configure Micro Focus Fortify Static Code Analyzer  
applications and Java IDE plugins:  
l
Micro Focus Fortify Audit Workbench  
l
Micro Focus Fortify Custom Rules Editor  
l
Micro Focus Fortify Plugins for Eclipse, JetBrains IDEs, and Android Studio  
The following table lists the Fortify Static Code Analyzer application acronyms used in this chapter.  
Acronym  
AWB  
CRE  
Fortify Static Code Analyzer Application / Plugin / Extension  
Fortify Audit Workbench  
Fortify Custom Rules Editor  
ECP  
Fortify Complete Plugin for Eclipse  
ERP  
Fortify Remediation Plugin for Eclipse  
IAP  
Fortify Analysis Plugin for IntelliJ and Android Studio  
Fortify Remediation Plugin for JetBrains IDEs and Android Studio  
JRP  
Where to Find the Properties File  
The location of the properties files varies for the different Micro Focus Fortify Static Code Analyzer  
tools. The following table provides the location of the properties file for tools described in this  
chapter.  
Fortify Static Code  
Analyzer Tool  
AWB, CRE  
ECP  
Property File Location  
<sca_install_dir>/Core/config  
<eclipse_install_  
Micro Focus Fortify Static Code Analyzer Tools (22.1.0)  
Page 6 of 31  
 
 
Properties Reference Guide  
Chapter 1: Fortify Static Code Analyzer Applications and Java IDE Plugin Configuration  
Fortify Static Code  
Analyzer Tool  
Property File Location  
dir>/plugins/com.fortify.dev.ide.eclipse_  
<version>/Core/config  
ERP  
<eclipse_install_  
dir>/plugins/com.fortify.plugin.remediation_  
<version>/Core/config  
IAP  
JRP  
<userhome>/.<IDE_product_  
name>/config/plugins/FortifyAnalysis/config  
<userhome>/.<IDE_product_  
name>/config/plugins/Fortify/config  
Fortify Static Code Analyzer Applications and Java  
IDE Plugin Properties  
Some properties described in this section already exist in the fortify.properties file, and some of  
them you must add yourself. The colored boxes in the Details column indicate which Micro Focus  
Fortify Static Code Analyzer tools use the property. To find this properties file for the various  
products, see "Where to Find the Properties File" on the previous page.  
The following table describes the properties in the fortify.properties file.  
Property  
Details  
com.fortify.  
If set to true, disables the add folder functionality.  
audit.ui.DisableAddingFolders  
Default: false  
Tools Affected:  
AWB  
ECP  
ERP  
CRE  
IAP  
IAP  
JRP  
JRP  
com.fortify.  
audit.ui.DisableBugtrackers  
If set to true, disables bug tracker integration.  
Default: false  
Tools Affected:  
AWB  
ECP  
ERP  
CRE  
Micro Focus Fortify Static Code Analyzer Tools (22.1.0)  
Page 7 of 31  
 
Properties Reference Guide  
Chapter 1: Fortify Static Code Analyzer Applications and Java IDE Plugin Configuration  
Property  
Details  
com.fortify.  
If set to true, removes the ability to edit custom tags.  
audit.ui.DisableEditing  
CustomTags  
Default: false  
Tools Affected:  
AWB  
ECP  
ERP  
CRE  
IAP  
JRP  
JRP  
com.fortify.  
audit.ui.DisableSuppress  
If set to true, disables issue suppression.  
Default: false  
Tools Affected:  
AWB  
ECP  
ERP  
CRE  
IAP  
com.fortify.  
AuthenticationKey  
Specifies the directory used to store the Micro Focus Fortify  
Software Security Center client authentication token.  
Default: ${com.fortify.WorkingDirectory}/config/tools  
Tools Affected:  
AWB  
ECP  
ERP  
CRE  
IAP  
JRP  
com.fortify.  
awb.Debug  
If set to true, Fortify Audit Workbench runs in debug mode.  
Default: false  
Tools Affected:  
AWB  
ECP  
ERP  
CRE  
IAP  
JRP  
com.fortify.  
awb.javaExtensions  
Specifies the file extensions (comma-delimited) to treat as Java files  
during a scan.  
If this property is empty, Fortify Audit Workbench and the Fortify  
Complete Plugin for Eclipse recognize .java, .jsp, and .jspx files as  
Java files. The property is used only to determine whether a project  
includes Java files and to add Java-specific controls to the  
Advanced Scan wizard.  
Default: none  
Tools Affected:  
AWB  
ECP  
ERP  
CRE  
IAP  
JRP  
com.fortify.  
If set to true, garbage collection is run and heap space is released  
Micro Focus Fortify Static Code Analyzer Tools (22.1.0)  
Page 8 of 31  
Properties Reference Guide  
Chapter 1: Fortify Static Code Analyzer Applications and Java IDE Plugin Configuration  
Property  
Details  
awb.forceGCOnProjectClose  
when you close a project. This reduces the increased Java process  
memory consumption when working with small FPR files. When  
Fortify Audit Workbench runs with G1GC garbage collection, the  
Java process can return free memory back to the operating system  
when the project is closed.  
Default: false  
Tools Affected:  
AWB  
ECP  
ERP  
CRE  
IAP  
JRP  
com.fortify.  
awb.LinuxFontAdjust  
Specifies the font size to use on Linux platforms. Fortify Audit  
Workbench adds the specified size to original font size.  
Default: 0  
Tools Affected:  
AWB  
ECP  
ERP  
CRE  
IAP  
JRP  
com.fortify.  
awb.MacFontAdjust  
Specifies the size to tune font size for Mac platform. Fortify Audit  
Workbench adds the specified size to the original font size.  
Default: 2  
Tools Affected:  
AWB  
ECP  
ERP  
CRE  
IAP  
JRP  
com.fortify.  
awb.WindowsFontAdjust  
Specifies to tune font size for Windows platform. Fortify Audit  
Workbench adds the specified size to original font size.  
Default: 0  
Tools Affected:  
AWB  
ECP  
ERP  
CRE  
IAP  
JRP  
com.fortify.  
Debug  
If set to true, runs the Fortify Static Code Analyzer tools in debug  
mode.  
Default: false  
Tools Affected:  
AWB  
ECP  
ERP  
CRE  
IAP  
JRP  
com.fortify.  
If set to true, disables XML escaping in issue descriptions (for  
Micro Focus Fortify Static Code Analyzer Tools (22.1.0)  
Page 9 of 31  
Properties Reference Guide  
Chapter 1: Fortify Static Code Analyzer Applications and Java IDE Plugin Configuration  
Property  
Details  
DisableDescriptionXML  
Escaping  
example, changing &quot; in XML/FVDL to ").  
Default: false  
Tools Affected:  
AWB  
ECP  
ERP  
CRE  
IAP  
JRP  
com.fortify.  
DisableExternalEntry  
Correlation  
If set to true, parses URL in the ExternalEntries/Entry element in  
audit.fvdl.  
Default: false  
<ExternalEntries>  
<Entry name="HTML Form" type="URL">  
<URL>/auth/PerformChangePass.action</URL>  
<SourceLocation path="pages/content/  
ChangePass.jsp" line="16" lineEnd="16"  
colStart="0" colEnd="0"  
snippet=  
"1572130B944CEC7A3D98775A499AE8FA#pages/  
content/ChangePass.jsp:16:16"/>  
</Entry>  
</ExternalEntries>  
Tools Affected:  
AWB  
ECP  
ERP  
CRE  
IAP  
JRP  
com.fortify.  
If set to true, disables computing minimum virtual call confidence.  
DisableMinVirtCallConfidence  
Computation  
Fortify Audit Workbench and the Fortify Complete Plugin for  
Eclipse use this attribute to compute minimum virtual call  
confidence and enable issue filtering. For example, you can use it to  
filter out all issues that contain virtual call with confidence lower  
than 0.46.  
Default: false  
Tools Affected:  
AWB  
ECP  
ERP  
CRE  
IAP  
JRP  
com.fortify.  
If set to true, disables removed issue persistence (clears removed  
DisableRemovedIssue  
Persistance  
issues from the results file).  
Default: false  
Tools Affected:  
Micro Focus Fortify Static Code Analyzer Tools (22.1.0)  
Page 10 of 31  
Properties Reference Guide  
Chapter 1: Fortify Static Code Analyzer Applications and Java IDE Plugin Configuration  
Property  
Details  
AWB  
ECP  
ERP  
CRE  
IAP  
JRP  
com.fortify.  
If set to true, disables rendering issue description into report.  
DisableReportCategory  
Rendering  
Default: false  
Tools Affected:  
AWB  
ECP  
ERP  
CRE  
IAP  
JRP  
com.fortify.  
If set to true, displays the event ID in the issue node tooltip in the  
DisplayEventID  
Issues view.  
Default: false  
Tools Affected:  
AWB  
ECP  
ERP  
CRE  
IAP  
JRP  
com.fortify.  
If set to true, runs the plugin in debug mode.  
eclipse.Debug  
Default: false  
Tools Affected:  
AWB  
ECP  
ERP  
CRE  
IAP  
JRP  
com.fortify.  
InstallationUserName  
Specifies the default user name for logging in to Fortify Software  
Security Center for the first time.  
Default: ${user.name}  
Tools Affected:  
AWB  
ECP  
ERP  
CRE  
IAP  
JRP  
com.fortify.  
locale  
Specifies the locale (for rules and metadata only). Possible values  
are:  
en (English)  
es (Spanish)  
ja (Japanese)  
ko (Korean)  
pt_BR (Brazilian Portuguese)  
zh_CN (Simplified Chinese)  
Micro Focus Fortify Static Code Analyzer Tools (22.1.0)  
Page 11 of 31  
Properties Reference Guide  
Chapter 1: Fortify Static Code Analyzer Applications and Java IDE Plugin Configuration  
Property  
Details  
zh_TW (Traditional Chinese)  
Default: en  
Tools Affected:  
AWB  
ECP  
ERP  
CRE  
IAP  
JRP  
com.fortify.  
If set to true, verifies signature in FPR.  
model.CheckSig  
If com.fortify.model.UseIssueParseFilters is set to true,  
then com.fortify.model.MinimalLoad is set to true,  
com.fortify.model.IssueCutoffStartIndex is not null,  
com.fortify.model.IssueCutoffEndIndex is not null,  
com.fortify.model.IssueCutoffByCategoryStartIndex is  
not null or  
com.fortify.model.IssueCutoffByCategoryEndIndex is not  
null, com.fortify.model.CheckSig is false, and the signature  
in FPRs are not verified.  
Default: true (normal) / false (minimum load)  
Tools Affected:  
AWB  
ECP  
ERP  
CRE  
IAP  
JRP  
com.fortify.  
Specifies the custom prefix for the description header. It prepends  
model.CustomDescriptions  
Header  
the text in the Description/Recommendation header, so that  
you see “My Recommendations” instead of “Custom  
Recommendations.”  
Note: To update description headers, Fortify recommends that  
you use the <CustomDescriptionRule> rule with the  
<Header> element text instead.  
Default: none  
Tools Affected:  
AWB  
ECP  
ERP  
CRE  
IAP  
JRP  
com.fortify.  
If set to true, does not shorten the build ID, even if the build ID  
model.DisableChopBuildID  
exceeds 250 characters.  
Default: false  
Tools Affected:  
Micro Focus Fortify Static Code Analyzer Tools (22.1.0)  
Page 12 of 31  
Properties Reference Guide  
Chapter 1: Fortify Static Code Analyzer Applications and Java IDE Plugin Configuration  
Property  
Details  
AWB  
ECP  
ERP  
CRE  
IAP  
JRP  
com.fortify.  
model.DisableContextPool  
If set to true, disables loading of the ContextPool section of the  
audit.fvdl file.  
You can configure this property if  
com.fortify.model.MinimalLoad is not set to true. If  
com.fortify.model.MinimalLoad is set to true, then  
com.fortify.model.DisableContextPool is automatically set  
to true.  
Default: false  
Tools Affected:  
AWB  
ECP  
ERP  
CRE  
IAP  
JRP  
com.fortify.  
model.DisableDescription  
If set to true, disables loading the Description section from  
audit.fvdl.  
You can configure this property if  
com.fortify.model.MinimalLoad is not set to true. If  
com.fortify.model.MinimalLoad is true, then  
com.fortify.model.DisableDescription is automatically set  
to true.  
Default: false  
Tools Affected:  
AWB  
ECP  
ERP  
CRE  
IAP  
JRP  
com.fortify.  
If set to true, disables loading the EngineData section of  
model.DisableEngineData  
audit.fvdl to save memory when large FPR files are opened. This  
data is displayed on the Analysis Information tab of Project  
Summary view. The property is useful if too many analysis  
warnings occur during a scan. However, Fortify recommends that  
you instead set a limit for  
com.fortify.model.MaxEngineErrorCount to open FPR files  
that have many Fortify Static Code Analyzer warnings.  
Default: false  
Tools Affected:  
AWB  
ECP  
ERP  
CRE  
IAP  
JRP  
Micro Focus Fortify Static Code Analyzer Tools (22.1.0)  
Page 13 of 31  
Properties Reference Guide  
Chapter 1: Fortify Static Code Analyzer Applications and Java IDE Plugin Configuration  
Property  
Details  
com.fortify.  
You can configure this property if  
model.DisableProgramInfo  
com.fortify.model.MinimalLoad is not true. If  
com.fortify.model.MinimalLoad is set to true, then this  
property is automatically set to true.  
If set to true, prevents loading of metatable from the  
ProgramData section of FPR files. If set to false, loads metatable  
from the FPR file.  
Default: false  
Tools Affected:  
AWB  
ECP  
ERP  
CRE  
IAP  
JRP  
com.fortify.  
model.DisableProgramPoint  
If set to true, disables loading of the ProgramPoint section from  
the runtime.fvdl file.  
Default: false  
Tools Affected:  
AWB  
ECP  
ERP  
CRE  
IAP  
JRP  
com.fortify.  
If set to true, disables replacing conditional description.  
model.DisableReplacement  
Parsing  
You can configure this property if  
com.fortify.model.MinimalLoad is not set to true. If  
com.fortify.model.MinimalLoad is true, then this property is  
automatically set to true.  
Default: false  
Tools Affected:  
AWB  
ECP  
ERP  
CRE  
IAP  
JRP  
com.fortify.  
model.DisableSnippets  
If set to true, disables loading the Snippets section from the  
audit.fvdl file.  
You can configure this property if  
com.fortify.model.MinimalLoad is set to false. If  
com.fortify.model.MinimalLoad is set to true, then  
com.fortify.model.DisableSnippets is automatically set to  
true.  
Default: false  
Tools Affected:  
Micro Focus Fortify Static Code Analyzer Tools (22.1.0)  
Page 14 of 31  
Properties Reference Guide  
Chapter 1: Fortify Static Code Analyzer Applications and Java IDE Plugin Configuration  
Property  
Details  
AWB  
ECP  
ERP  
CRE  
IAP  
JRP  
com.fortify.  
model.DisableUnified  
Inductions  
If set to true, disables loading the UnifiedInductionPool  
section from the audit.fvdl file.  
You can configure this property if  
com.fortify.model.MinimalLoad is not set to true. If  
com.fortify.model.MinimalLoad is set to true, then  
com.fortify.model.DisableUnifiedInductions is  
automatically set to true.  
Default: false  
Tools Affected:  
AWB  
ECP  
ERP  
CRE  
IAP  
JRP  
com.fortify.  
model.DisableUnifiedPool  
If set to true, disables loading the UnifiedNodePool section from  
the audit.fvdl file.  
You can configure this property if  
com.fortify.model.MinimalLoad is set to false. If  
com.fortify.model.MinimalLoad is true, then  
com.fortify.model.DisableUnifiedPool is automatically set  
to true. If the value is not specified or false, this property is set to  
none.  
Default: false  
Tools Affected:  
AWB  
ECP  
ERP  
CRE  
IAP  
JRP  
com.fortify.  
model.DisableUnifiedTrace  
If set to true, disables loading the UnifiedTracePool section  
from the audit.fvdl file.  
You can configure this property if  
com.fortify.model.MinimalLoad is not set to true. If  
com.fortify.model.MinimalLoad is true, then  
com.fortify.model.DisableUnifiedTrace is automatically set  
to true.  
Default: false  
Tools Affected:  
AWB  
ECP  
ERP  
CRE  
IAP  
JRP  
Micro Focus Fortify Static Code Analyzer Tools (22.1.0)  
Page 15 of 31  
Properties Reference Guide  
Chapter 1: Fortify Static Code Analyzer Applications and Java IDE Plugin Configuration  
Property  
Details  
com.fortify.  
If set to true, enables backward compatibility with pre-2.5  
model.EnablePathElement  
BaseIndexShift  
migrated projects.  
Default: none  
Tools Affected:  
AWB  
ECP  
ERP  
CRE  
IAP  
JRP  
com.fortify.  
If set to true, takes data flow source into consideration for issue  
model.EnableSource  
Correlation  
correlation. The default is false because correlations with runtime  
results might not be reliable with this setting enabled.  
Default: false  
Tools Affected:  
AWB  
ECP  
ERP  
CRE  
IAP  
JRP  
com.fortify.  
model.ExecMemorySetting  
Specifies the JVM heap memory size used by Fortify Audit  
Workbench to launch external utilities.  
Default:  
600—iidmigrator  
300—fortifyupdate  
Tools Affected:  
AWB  
ECP  
ERP  
CRE  
IAP  
JRP  
com.fortify.  
If set to true, forces running Instance ID migration during a merge.  
model.ForceIIDMigration  
Default: false  
Tools Affected:  
AWB  
ECP  
ERP  
CRE  
IAP  
JRP  
com.fortify.  
If set to true, uses full file name in reports.  
model.FullReportFilenames  
Default: false  
Tools Affected:  
AWB  
ECP  
ERP  
CRE  
IAP  
JRP  
com.fortify.  
Specifies iidmigrator options (space-delimited values) run by  
model.IIDmigratorOptions  
FPRUtility, Fortify Audit Workbench, or the Fortify Complete Plugin  
Micro Focus Fortify Static Code Analyzer Tools (22.1.0)  
Page 16 of 31  
Properties Reference Guide  
Chapter 1: Fortify Static Code Analyzer Applications and Java IDE Plugin Configuration  
Property  
Details  
for Eclipse.  
Default: none  
Tools Affected:  
AWB  
ECP  
ERP  
CRE  
IAP  
JRP  
JRP  
JRP  
com.fortify.  
model.IssueCutoffByCategory  
StartIndex  
Specifies the start index for issue cutoff by category.  
Default: 0  
Tools Affected:  
AWB  
ECP  
ERP  
CRE  
IAP  
com.fortify.  
model.IssueCutoffByCategory  
EndIndex  
Specifies the end index for issue cutoff by category.  
Default: java.lang.Integer.MAX_VALUE  
Tools Affected:  
AWB  
ECP  
ERP  
CRE  
IAP  
com.fortify.  
model.IssueCutoffStartIndex  
Specifies the start index for issue cutoff. Select the first issue (by  
number) to be loaded.  
Default: 0  
Tools Affected:  
AWB  
ECP  
ERP  
CRE  
IAP  
JRP  
com.fortify.  
model.IssueCutoffEndIndex  
Determines the end index for issue cutoff. Select the last issue (by  
number) to be loaded.  
Default: java.lang.Integer.MAX_VALUE  
Tools Affected:  
AWB  
ECP  
ERP  
CRE  
IAP  
JRP  
com.fortify.  
Determines how many reported Fortify Static Code Analyzer  
model.MaxEngineErrorCount  
warnings to load. To allow an unlimited number, specify -1.  
Fortify recommends that you keep the default value of 3000  
because this can speed up the load time of large FPR files.  
Default: 3000  
Micro Focus Fortify Static Code Analyzer Tools (22.1.0)  
Page 17 of 31  
Properties Reference Guide  
Chapter 1: Fortify Static Code Analyzer Applications and Java IDE Plugin Configuration  
Property  
Details  
Tools Affected: Also used by FPRUtility  
AWB  
ECP  
ERP  
CRE  
IAP  
JRP  
com.fortify.  
Specifies merge resolve strategy from:  
model.MergeResolveStrategy  
l
DefaultToMasterValue (use primary project)  
DefaultToImportValue (use secondary project)  
NoStrategy (prompt for project to use)  
l
l
Default: DefaultToMasterValue  
Tools Affected:  
AWB  
ECP  
ERP  
CRE  
IAP  
JRP  
JRP  
com.fortify.  
model.MinimalLoad  
If set to true, minimizes the data loaded from an FPR file.  
Default: false  
Tools Affected:  
AWB  
ECP  
ERP  
CRE  
IAP  
com.fortify.  
Specifies the number of threads to process FPR files.  
model.NProcessingThreads  
If com.fortify.model.PersistDataToDisk is set to true,  
defaults to 1 thread.  
If the number specified exceeds the number of available processors:  
int maxThreads=java.lang.Runtime.getRuntime  
().availableProcessors(), then Fortify Static Code Analyzer  
tools use the number of available processors as the number of  
threads to process FPR files.  
Default: Number of available processors  
Tools Affected: Also used by FPRUtility  
AWB  
ECP  
ERP  
CRE  
IAP  
JRP  
com.fortify.  
If set to true, enables a persistence strategy to reduce the memory  
model.PersistDataToDisk  
footprint and uses the disk drive to swap FPR data out of memory.  
Default: false  
Micro Focus Fortify Static Code Analyzer Tools (22.1.0)  
Page 18 of 31  
Properties Reference Guide  
Chapter 1: Fortify Static Code Analyzer Applications and Java IDE Plugin Configuration  
Property  
Details  
Tools Affected:  
AWB  
ECP  
ERP  
CRE  
IAP  
JRP  
com.fortify.  
If com.fortify.model.PersistenceStrategy is set to CUSTOM,  
model.PersistenceBlockSize  
com.fortify.model.PersistenceBlockSize specifies the  
number of attribute values that comprise a single block of  
attributes. These blocks are cached to disk and read back in as  
needed. A larger number decreases the total number of cache files,  
but increases the file size and the amount of memory that is read in  
each time.  
Default: 250  
Tools Affected:  
AWB  
ECP  
ERP  
CRE  
IAP  
JRP  
com.fortify.  
If com.fortify.model.PersistenceStrategy is set to CUSTOM,  
model.PersistenceQueue  
Capacity  
this property specifies the maximum number of attribute value  
blocks that can exist in the producer/consumer queue.  
Default: queue is unbounded  
Tools Affected:  
AWB  
ECP  
ERP  
CRE  
IAP  
JRP  
com.fortify.  
model.PriorityImpact  
Threshold  
Specifies the threshold for issue impact. The valid values are 0.0F–  
5.0F. If the impact of an issue is greater than or equal to the  
threshold, the issue is considered High. If the impact of an issue is  
less than the threshold, the issue is considered Low. Issues are then  
categorized as follows:  
l
Critical—High Impact and High Likelihood  
l
High—High Impact and Low Likelihood  
l
Medium—Low Impact and High Likelihood  
l
Low—Low Impact and Low Likelihood  
Also see com.fortify.model.PriorityLikelihoodThreshold  
Default: 2.5F  
Tools Affected:  
AWB  
ECP  
ERP  
CRE  
IAP  
JRP  
Micro Focus Fortify Static Code Analyzer Tools (22.1.0)  
Page 19 of 31  
 
Properties Reference Guide  
Chapter 1: Fortify Static Code Analyzer Applications and Java IDE Plugin Configuration  
Property  
Details  
com.fortify.  
model.PriorityLikelihood  
Threshold  
Specifies the threshold for issue likelihood. The valid values are  
0.0F–5.0F. If the likelihood of an issue is greater than or equal to  
the threshold, the issue is considered High. If the likelihood of an  
issue is less than the threshold, the issue is considered Low. Issues  
are then categorized as follows:  
l
Critical—High Impact and High Likelihood  
l
High—High Impact and Low Likelihood  
l
Medium—Low Impact and High Likelihood  
l
Low—Low Impact and Low Likelihood  
Also see com.fortify.model.PriorityImpactThreshold  
Default: 2.5F  
Tools Affected:  
AWB  
ECP  
ERP  
CRE  
IAP  
JRP  
com.fortify.  
If set to true, uses system locale for report output. If set to false,  
model.report.useSystemLocale  
uses com.fortify.locale in the fortify.properties file. If a  
value is not specified, the tool uses  
java.util.Locale.getDefault().  
Default: false  
Tools Affected:  
AWB  
ECP  
ERP  
CRE  
IAP  
JRP  
com.fortify.  
Specifies the character limit for each issue code snippet in reports.  
model.ReportLineLimit  
Default: 500  
Tools Affected:  
AWB  
ECP  
ERP  
CRE  
IAP  
JRP  
com.fortify.  
model.UseIIDMigrationFile  
Specifies the full path of the instance ID migration file to use.  
Default: none  
Tools Affected: Also used by FPRUtility  
AWB  
ECP  
ERP  
CRE  
IAP  
JRP  
com.fortify.  
If set to true, respects the settings in the  
model.UseIssueParseFilters  
Micro Focus Fortify Static Code Analyzer Tools (22.1.0)  
Page 20 of 31  
 
Properties Reference Guide  
Chapter 1: Fortify Static Code Analyzer Applications and Java IDE Plugin Configuration  
Property  
Details  
IssueParseFilters.properties configuration file. This file is in  
the following directories:  
AWB<sca_install_dir>/Core/config  
ECP<eclipse_install_dir>/plugins/com.fortify.  
dev.ide.eclipse_<version>/Core/config  
Default: false  
Tools Affected:  
AWB  
ECP  
ERP  
CRE  
IAP  
JRP  
com.fortify.  
If set to true, uses attributes of old issues during instance ID  
model.UseOldIIDMigration  
Attributes  
migration while merging similar issues of old and new scans.  
Default: false  
Tools Affected:  
AWB  
ECP  
ERP  
CRE  
IAP  
JRP  
com.fortify.  
If set to true or if no value is specified, the remediation plugins use  
remediation.PaginateIssues  
pagination during issue download.  
If set to false, these plugins download all issues at once.  
Default: false  
Tools Affected:  
AWB  
ECP  
ERP  
CRE  
IAP  
JRP  
com.fortify.  
If com.fortify.remediation.PaginateIssues is set to true,  
remediation.PaginationCount  
specifies the page count.  
Default: 1000  
Tools Affected:  
AWB  
ECP  
ERP  
CRE  
IAP  
JRP  
com.fortify.  
Specifies how many removed issues to keep when you save an FPR.  
RemovedIssuePersistanceLimit  
Default: 1000  
Tools Affected:  
AWB  
ECP  
ERP  
CRE  
IAP  
JRP  
Micro Focus Fortify Static Code Analyzer Tools (22.1.0)  
Page 21 of 31  
Properties Reference Guide  
Chapter 1: Fortify Static Code Analyzer Applications and Java IDE Plugin Configuration  
Property  
Details  
com.fortify.  
Specifies file path to sourceanalyzer.exe.  
SCAExecutablePath  
Note: The Fortify Static Code Analyzer and Applications  
installer sets this property during installation and it only  
requires modification if you manually move the executable  
files.  
Default: <sca_install_dir>/bin/sourceanalyzer.exe  
Tools Affected:  
AWB  
ECP  
ERP  
CRE  
IAP  
JRP  
com.fortify.  
search.defaultSyntaxVer  
Determines whether to use the AND and OR operators in searches.  
These are enabled in search syntax by default.  
l
To block the use of the AND and OR operators, set the value to  
1.  
l
To use ANDs and ORs without parentheses, set the value to 2.  
Default: 2  
Tools Affected:  
AWB  
ECP  
ERP  
CRE  
IAP  
JRP  
com.fortify.  
If set to true, stores original plain text issue descriptions (before  
StoreOriginalDescriptions  
parsing) as well as the parsed ones with tags replaced with specific  
values.  
Default: false  
Tools Affected:  
AWB  
ECP  
ERP  
CRE  
IAP  
JRP  
com.fortify.  
Specifies taint flags to exclude (comma-delimited values).  
taintFlagBlacklist  
Default: none  
Tools Affected:  
AWB  
ECP  
ERP  
CRE  
IAP  
JRP  
com.fortify.  
tools.iidmigrator.scheme  
Set this property to migrate instance IDs created with different  
versions of Fortify Static Code Analyzer using a custom matching  
scheme. This is generally handled by Fortify Static Code Analyzer. If  
Micro Focus Fortify Static Code Analyzer Tools (22.1.0)  
Page 22 of 31  
Properties Reference Guide  
Chapter 1: Fortify Static Code Analyzer Applications and Java IDE Plugin Configuration  
Property  
Details  
you need a custom matching scheme, contact Micro Focus Fortify  
Customer Support.  
Default: none  
Tools Affected:  
AWB  
ECP  
ERP  
CRE  
IAP  
JRP  
com.fortify.  
UseSourceProjectTemplate  
This property determines the issue template to use when merging  
analysis information from two audit projects. If set to true, it forces  
the use of filter sets and folders from the issue template associated  
with the original scan results (secondary project). The issue  
template from the new scan results (primary project) are used by  
default.  
Default: false  
Tools Affected: Also used by FPRUtility  
AWB  
ECP  
ERP  
CRE  
IAP  
JRP  
com.fortify.  
WorkingDirectory  
Specifies the working directory that contains all user configuration  
and working files for all Fortify Static Code Analyzer components.  
To configure this property, you must have write access to the  
directory.  
Defaults:  
l
Windows—${win32.LocalAppdata}/Fortify  
l
Non-Windows—${user.home}/.fortify  
Tools Affected:  
AWB  
ECP  
ERP  
CRE  
IAP  
JRP  
Micro Focus Fortify Static Code Analyzer Tools (22.1.0)  
Page 23 of 31  
Chapter 2: Fortify Extension for Visual  
Studio Configuration  
This section describes the properties used by the Micro Focus Fortify Extension for Visual Studio. The  
properties are listed in alphabetical order based on the files in which they belong.  
This section contains the following topics:  
Fortify Extension for Visual Studio Properties  
Azure DevOps Server Configuration Property  
24  
27  
Fortify Extension for Visual Studio Properties  
Some properties described here already exist in the fortify.properties file, and some of them  
you must add yourself. The following table describes the properties in the <sca_install_  
dir>/Core/config/fortify.properties file.  
Property  
Details  
com.fortify.  
audit.ui.DisableBugtrackers  
If set to true, disables bug tracker integration.  
Default: false  
com.fortify.  
audit.ui.DisableSuppress  
If set to true, disables issue suppression.  
Default: false  
com.fortify.  
AuthenticationKey  
Specifies the directory used to store the Micro Focus Fortify Software  
Security Center client authentication token.  
Default: ${com.fortify.WorkingDirectory}/config/tools  
com.fortify.  
Debug  
If set to true, runs all Fortify Static Code Analyzer tools in debug  
mode.  
Default: false  
com.fortify.  
Specifies the custom prefix for the description header. It prepends the  
model.CustomDescriptionsHeader  
text in the Description/Recommendation header, so that you see  
“My Recommendations” instead of “Custom Recommendations.”  
Note: To update description headers, Fortify recommends that  
you use the <CustomDescriptionRule> rule with the <Header>  
element text instead.  
Micro Focus Fortify Static Code Analyzer Tools (22.1.0)  
Page 24 of 31  
 
 
Properties Reference Guide  
Chapter 2: Fortify Extension for Visual Studio Configuration  
Property  
Details  
Default: none  
com.fortify.  
model.ForceIIDMigration  
If set to true, forces running Instance ID migration during a merge.  
Default: false  
com.fortify.  
model.PriorityImpactThreshold  
Specifies the threshold for issue impact. The valid values are 0.0F–  
5.0F. If the impact of an issue is greater than or equal to the threshold,  
the issue is considered High. If the impact of an issue is less than the  
threshold, the issue is considered Low. Issues are then categorized as  
follows:  
l
Critical—High Impact and High Likelihood  
l
High—High Impact and Low Likelihood  
l
Medium—Low Impact and High Likelihood  
l
Low—Low Impact and Low Likelihood  
Also see com.fortify.model.PriorityLikelihoodThreshold  
Default: 2.5F  
com.fortify.  
model.PriorityLikelihoodThreshold  
Specifies the threshold for issue likelihood. The valid values are 0.0F–  
5.0F. If the likelihood of an issue is greater than or equal to the  
threshold, the issue is considered High. If the likelihood of an issue is  
less than the threshold, the issue is considered Low. Issues are then  
categorized as follows:  
l
Critical—High Impact and High Likelihood  
l
High—High Impact and Low Likelihood  
l
Medium—Low Impact and High Likelihood  
l
Low—Low Impact and Low Likelihood  
Also see com.fortify.model.PriorityImpactThreshold  
Default: 2.5F  
com.fortify.  
Specifies the full path of the instance ID migration file to use.  
model.UseIIDMigrationFile  
Default: none  
com.fortify.  
Specifies file path to sourceanalyzer.exe.  
SCAExecutablePath  
Note: The Fortify Static Code Analyzer and Applications installer  
sets this property during installation and it only requires  
modification if you manually move the executable files.  
Default: <sca_install_dir>/bin/sourceanalyzer.exe  
Micro Focus Fortify Static Code Analyzer Tools (22.1.0)  
Page 25 of 31  
 
 
Properties Reference Guide  
Chapter 2: Fortify Extension for Visual Studio Configuration  
Property  
Details  
com.fortify.  
search.defaultSyntaxVer  
Determines whether to use the AND and OR operators in searches.  
These are enabled in search syntax by default.  
l
To block the use of the AND and OR operators, set the value to 1.  
l
To use ANDs and ORs without parentheses, set the value to 2.  
Default: 2  
com.fortify.  
tools.iidmigrator.scheme  
Set this property to migrate instance IDs created with different  
versions of Fortify Static Code Analyzer using a custom matching  
scheme. This is generally handled by Fortify Static Code Analyzer. If  
you need a custom matching scheme, contact Micro Focus Fortify  
Customer Support.  
Default: none  
com.fortify.  
visualstudio.vm.args  
Specifies JVM options.  
Default: -Xmx256m  
com.fortify.  
VS.Debug  
If set to true, runs the Fortify Extension for Visual Studio in debug  
mode.  
Default: false  
com.fortify.  
VS.DisableCIntegration  
If set to true, disables C/C++ build integration in Visual Studio.  
Default: false  
com.fortify.  
VS.disableMigrationCheck  
If set to true, disables instance ID migration checking.  
Default: false  
com.fortify.  
VS.DisableReferenceLibDirs  
AndExcludes  
If set to true, disables using references added to a project.  
Default: false  
com.fortify.  
VS.ListProjectProperties  
If set to true, lists the Visual Studio project properties in a log file.  
Default: false  
com.fortify.  
VS.NETFrameworkRoot  
Specifies the file path to the .NET Framework root.  
Default: none  
com.fortify.  
WorkingDirectory  
Specifies the working directory that contains all user configuration and  
working files for all Fortify Static Code Analyzer components. To  
configure this property, you must have write access to the directory.  
Default: ${win32.LocalAppdata}/Fortify  
Micro Focus Fortify Static Code Analyzer Tools (22.1.0)  
Page 26 of 31  
Properties Reference Guide  
Chapter 2: Fortify Extension for Visual Studio Configuration  
Azure DevOps Server Configuration Property  
The property for the Azure DevOps Server is stored in the TFSconfiguration.properties. This  
file is located in the Fortify working directory in the config\VS<vs_version>-<sca_version>  
directory.  
Note: The TFSconfiguration.properties file is created only after the first time you  
configure a connection to your Azure DevOps Server from the Fortify Extension for Visual Studio.  
The following property is in the TFSconfiguration.properies file:  
server.url  
Details: Specifies the Azure DevOps Server location.  
Default: none  
Micro Focus Fortify Static Code Analyzer Tools (22.1.0)  
Page 27 of 31  
 
Chapter 3: Shared Properties  
This chapter describes the properties shared by Micro Focus Fortify Static Code Analyzer  
command-line tools, standalone applications, and plugins.  
This section contains the following topics:  
Server Properties  
28  
30  
Command-Line Tools Properties  
Server Properties  
Because some values in this file are encrypted (such as proxy user name and password), you must use  
the scapostinstall tool to configure these properties. For information about how to use the  
scapostinstall tool, see the Micro Focus Fortify Static Code Analyzer User Guide.  
Other properties are updated using command-line tools, standalone applications (such as Fortify  
Audit Workbench), and remediation plugins. Fortify recommends that you use these tools to edit the  
properties in this file instead of editing the file manually.  
The following table describes the properties in the <sca_install_  
dir>/Core/config/server.properties file.  
Property  
Details  
autoupgrade.server  
Specifies the Fortify Static Code Analyzer and Applications  
automatic update server. This enables users to check for new  
versions of the Fortify Static Code Analyzer and Applications  
installer on a web server and run the installer if an update is  
available.  
Default: http://localhost:8180/ssc/update-  
site/installers  
install.auto.upgrade  
If set to true, enables Fortify Audit Workbench automatic  
update feature.  
Default: false  
oneproxy.http.proxy.port  
oneproxy.http.proxy.server  
Specifies the proxy server port to access bug trackers.  
Default: none  
Specifies the proxy server name to access bug trackers.  
Default: none  
Micro Focus Fortify Static Code Analyzer Tools (22.1.0)  
Page 28 of 31  
 
 
Properties Reference Guide  
Chapter 3: Shared Properties  
Property  
Details  
oneproxy.https.proxy.port  
Specifies the proxy server port to access bug trackers  
through an SSL connection.  
Default: none  
oneproxy.https.proxy.server  
rp.update.from.manager  
Specifies the proxy server name to access bug trackers  
through an SSL connection.  
Default: none  
If set to true, updates security content from the Fortify  
Software Security Center instead of from the Fortify  
Rulepack update server.  
Default: false  
rulepack.auto.update  
rulepack.days  
If set to true, updates security content automatically.  
Default: false  
Specifies the interval (in days) between security content  
updates.  
Default: 15  
rulepackupdate.proxy.port  
rulepackupdate.proxy.server  
Specifies the proxy server port to access the Fortify  
Rulepack update server (uploadclient.proxy.port is  
used if rp.update.from.manager is set to true).  
Default: none  
Specifies proxy server name to access the Fortify Rulepack  
update server (uploadclient.proxy.server is used if  
rp.update.from.manager is set to true).  
Default: none  
rulepackupdate.server  
Specifies the Fortify Rulepack update server location.  
Default: https://update.fortify.com  
rulepackupdate.SocketReadTimeoutSeconds  
Specifies the socket read timeout value to use when  
updating Fortify security content with the fortifyupdate  
utility.  
Default: 180 seconds  
uploadclient.proxy.port  
Specifies the proxy server port to access the Fortify Software  
Security Center server.  
Default: none  
Micro Focus Fortify Static Code Analyzer Tools (22.1.0)  
Page 29 of 31  
Properties Reference Guide  
Chapter 3: Shared Properties  
Property  
Details  
uploadclient.proxy.server  
Specifies the proxy server name to access the Fortify  
Software Security Center server.  
Default: none  
uploadclient.server  
Specifies the URL of the Fortify Software Security Center  
server.  
Default: http://localhost:8180/ssc  
Command-Line Tools Properties  
The following table describes the properties in the <sca_install_  
dir>/Core/config/fortify.properties file that are used by the command-line tools.  
Property  
Details  
com.fortify.log.console  
Specifies whether logging messages are written to the console. Logging  
information is always written to the log file.  
Default: false  
Micro Focus Fortify Static Code Analyzer Tools (22.1.0)  
Page 30 of 31  
 
Send Documentation Feedback  
If you have comments about this document, you can contact the documentation team by email.  
Note: If you are experiencing a technical issue with our product, do not email the documentation  
team. Instead, contact Micro Focus Fortify Customer Support at  
https://www.microfocus.com/support so they can assist you.  
If an email client is configured on this computer, click the link above to contact the documentation  
team and an email window opens with the following information in the subject line:  
Feedback on Properties Reference Guide (Fortify Static Code Analyzer Tools 22.1.0)  
Just add your feedback to the email and click send.  
If no email client is available, copy the information above to a new message in a web mail client, and  
send your feedback to fortifydocteam@microfocus.com.  
We appreciate your feedback!  
Micro Focus Fortify Static Code Analyzer Tools (22.1.0)  
Page 31 of 31