OpenText™ Fortify Static Code Analyzer

Software Version: 24.2.0

User Guide

Document Release Date: May 2024

Software Release Date: May 2024

User Guide

Legal Notices

Open Text Corporation

275 Frank Tompa Drive, Waterloo, Ontario, Canada, N2L 0A1

Copyright Notice

The only warranties for products and services of Open Text and its affiliates and licensors (“Open Text”) are as may be set forth

in the express warranty statements accompanying such products and services. Nothing herein should be construed as

constituting an additional warranty. Open Text shall not be liable for technical or editorial errors or omissions contained herein.

The information contained herein is subject to change without notice.

Trademark Notices

“OpenText” and other Open Text trademarks and service marks are the property of Open Text or its affiliates. All other

trademarks or service marks are the property of their respective owners.

Documentation Updates

The title page of this document contains the following identifying information:

l

Software Version number

l

Document Release Date, which changes each time the document is updated

l

Software Release Date, which indicates the release date of this version of the software

This document was produced for OpenText™ Fortify Static Code Analyzer CE 24.2 on May 16, 2024. To check for recent

updates or to verify that you are using the most recent edition of a document, go to:

https://www.microfocus.com/support/documentation

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 2 of 232

User Guide

Contents

Preface

13

Contacting Customer Support

For More Information

About the Documentation Set

Fortify Product Feature Videos

Change Log

14

17

Chapter 1: Introduction

Fortify Static Code Analyzer

Renewing an Expired License

Fortify Software Security Content

Fortify ScanCentral SAST

Fortify Static Code Analyzer Applications and Tools

Sample Projects

Regular Expression Analysis

Regular expression (regex) analysis provides the ability for using regular expression rules to detect

vulnerabilities in both file content and file names. This analysis can detect vulnerable secrets such as

passwords, keys, and credentials in project files. The Configuration Analyzer includes the regex

analysis capability.

Important! Regex analysis is language agnostic and therefore it might detect vulnerabilities in

file types that Fortify Static Code Analyzer does not officially support.

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 49 of 232

User Guide

Chapter 3: Analysis Process Overview

Regex analysis recursively examines all file paths and path patterns included in the translation phase.

Every file, for each directory found is analyzed unless it is specifically excluded from the translation.

To manage the files that are included in regex analysis, the following options are available:

l

Exclude any file or directory with the -excludeoption in the translation phase.

For more information about this option, see "Translation Options" on page 135.

l

By default, regex analysis excludes all detectible binary files. To include binary files in the analysis,

add the following property to the fortify-sca.propertiesfile (or include this property on the

command line using the -Doption):

com.fortify.sca.regex.ExcludeBinaries = false

l

By default, regex analysis excludes files larger than 10 MB to ensure that the scan time is

acceptable. You can change the maximum file size (in megabytes) with the following property:

com.fortify.sca.regex.MaxSize = <max_file_size_mb>

To disable regex analysis, add the following property to the fortify-sca.propertiesfile or

include it on the command line:

com.fortify.sca.regex.Enable = false

See Also

"Mobile Build Sessions" on page 46

"Regex Analysis Properties " on page 195

Higher-Order Analysis

Higher-Order Analysis (HOA) improves the ability to track dataflow through higher-order code.

Higher-order code manipulates functions as values, generating them with anonymous function

expressions (lambda expressions), passing them as arguments, returning them as values, and

assigning them to variables and to fields of objects. These code patterns are common in modern

dynamic languages such as JavaScript, TypeScript, Python, Ruby, and Swift.

By default, Fortify Static Code Analyzer performs Higher-Order Analysis when you scan JavaScript,

TypeScript, Python, Ruby, and Swift code. For a description of the Higher-Order Analysis properties,

see "Translation and Analysis Phase Properties" on page 187.

Modular Analysis

This release includes a technology preview of modular analysis. With modular analysis, you can pre-

scan libraries (and sublibraries) separately from your core project. You can then include these pre-

scanned libraries when you scan the core project. Doing this might improve the core project analysis

performance because you are not rescanning the libraries every time you scan the core project.

Modular analysis also enables you to scan a project that references a library without requiring the

library's source code, Fortify Static Code Analyzer translated files, or custom rules used to scan the

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 50 of 232

User Guide

Chapter 3: Analysis Process Overview

library. This has the added benefit that you only need to audit issues in your core application. The

analysis results are more streamlined to code that you directly control and therefore you do not need

to worry about issues in code that you do not own.

Modular analysis is currently available for libraries and applications developed in Java and Jakarta EE

(Java EE).

Note: In this release, you might not see any performance improvements from modular analysis.

Fortify is working to optimize the performance of modular analysis in future releases.

You must rescan your libraries whenever you:

l

Update to a new version of Fortify Static Code Analyzer

l

Update your Fortify security content

l

Change the libraries

Modular Command-Line Examples

To translate and scan a library separately, type:

sourceanalyzer -b LibA MyLibs/A/*.java

sourceanalyzer -b LibA -scan-module

To translate and scan the core project and include multiple pre-scanned libraries:

sourceanalyzer -b MyProj MyProj/*.java

sourceanalyzer -b MyProj -scan -include-modules LibA,LibB

For a description of the options shown in the previous examples, see "Analysis Options" on page 137.

Translation and Analysis Phase Verification

Fortify Audit Workbench result certification indicates whether the code analysis from a scan is

complete and valid. The project summary in Fortify Audit Workbench shows the following specific

information about Fortify Static Code Analyzer scanned code:

l

List of files scanned, with file sizes and timestamps

l

Java class path used for the translation (if applicable)

l

Rulepacks used for the analysis

l

Fortify Static Code Analyzer runtime settings and command-line options

l

Any errors or warnings encountered during translation or analysis

l

Machine and platform information

Note: To obtain result certification, you must specify FPR for the analysis phase output format.

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 51 of 232

User Guide

Chapter 3: Analysis Process Overview

To view result certification information, open the FPR file in Fortify Audit Workbench and select Tools

> Project Summary > Certification. For more information, see the OpenText™ Fortify Audit

Workbench User Guide.

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 52 of 232

Chapter 4: Translating Java Code

This section describes how to translate Java code.

Fortify Static Code Analyzer supports analysis of Jakarta EE (Java EE) applications (including JSP

files, configuration files, and deployment descriptors), Java Bytecode, and Java code with Lombok

annotations.

This section contains the following topics:

Java Translation Command-Line Syntax

Handling Java Warnings

Translating Jakarta EE (Java EE) Applications

Translating Java Bytecode

Troubleshooting JSP Translation and Analysis Issues

Java Translation Command-Line Syntax

To translate Java code, all types defined in a library that are referenced in the code must have a

corresponding definition in the source code, a class file, or a JAR file. Include all source files on the

Fortify Static Code Analyzer command line.

If your project contains Java code that refers to Kotlin code, make sure that the Java and Kotlin code

are translated in the same Fortify Static Code Analyzer instance so that the Java references to Kotlin

elements are resolved correctly. Kotlin to Java interoperability does not support Kotlin files provided

by the –sourcepathoption. For more information about the –sourcepathoption, see "Java

Command-Line Options" on the next page

The basic command-line syntax to translate Java code is shown in the following example:

sourceanalyzer -b <build_id> -cp <classpath> <files>

With Java code, Fortify Static Code Analyzer can either:

l

Emulate the compiler, which might be convenient for build integration

l

Accept source files directly, which is convenient for command-line scans

For information about integrating Fortify Static Code Analyzer with Ant, see "Integrating with Ant" on

page 125.

To have Fortify Static Code Analyzer emulate the compiler, type:

sourceanalyzer -b <build_id> javac [<translation_options>]

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 53 of 232

User Guide

Chapter 4: Translating Java Code

To pass files directly to Fortify Static Code Analyzer, type:

sourceanalyzer -b <build_id> -cp <classpath> [<translation_options>]

where:

l

<translation_options> are options passed to the compiler.

l

-cp <classpath> specifies the class path to use for the Java source code.

Include all JAR dependencies normally used to build the project. Separate multiple paths with

semicolons (Windows) or colons (non-Windows).

Similar to javac, Fortify Static Code Analyzer loads classes in the order they appear in the class

path. If there are multiple classes with the same name in the list, Fortify Static Code Analyzer uses

the first loaded class. In the following example, if both A.jarand B.jarinclude a class called

MyData.class, Fortify Static Code Analyzer uses the MyData.classfrom A.jar.

sourceanalyzer -cp A.jar:B.jar myfile.java

Fortify strongly recommends that you avoid using duplicate classes with the -cpoption.

Fortify Static Code Analyzer loads JAR files in the following order:

a.

b.

c.

From the -cpoption

From jre/lib

From <sca_install_dir>/Core/default_jars

This enables you to override a library class by including the similarly-named class in a

JAR specified with the -cpoption.

For descriptions of all the available Java-specific command-line options, see "Java Command-Line

Options" below.

Java Command-Line Options

The following table describes the Java command-line options (for Java SE and Jakarta EE).

Java or Jakarta EE Option

Description

Specifies the application server to process JSP files.

-appserver

weblogic| websphere

Equivalent Property Name:

com.fortify.sca.AppServer

Specifies the application server’s home.

-appserver-home <dir>

l

For WebLogic, this is the path to the directory that

contains the server/libdirectory.

l

For WebSphere, this is the path to the directory that

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 54 of 232

User Guide

Chapter 4: Translating Java Code

Java or Jakarta EE Option

Description

contains the JspBatchCompilerscript.

Equivalent Property Name:

com.fortify.sca.AppServerHome

Specifies the version of the application server.

-appserver-version

Equivalent Property Name:

com.fortify.sca.AppServerVersion

Specifies the class path to use for analyzing Java source

code. The format is the same as javac: a semicolon- or colon-

separated list of directories. You can use Fortify Static Code

Analyzer file specifiers as shown in the following example:

-cp <dirs> |

-classpath <dirs>

-cp "build/classes:lib/*.jar"

For information about file specifiers, see "Specifying Files

and Directories" on page 148.

Equivalent Property Name:

com.fortify.sca.JavaClasspath

-extdirs <dirs>

Similar to the javac extdirsoption, accepts a semicolon- or

colon-separated list of directories. Any JAR files found in

these directories are included implicitly on the class path.

Equivalent Property Name:

com.fortify.sca.JavaExtdirs

Specifies one or more directories that contain compiled Java

sources.

-java-build-dir <dirs>

Indicates the JDK version for which the Java code is written.

See the Fortify Software System Requirements document

for supported versions. The default is version 11.

-source <version> |

-jdk <version>

Equivalent Property Name:

com.fortify.sca.JdkVersion

Specifies a directory that contains a JDK. Use this option to

specify a version that is not included in the Fortify Static

-custom-jdk-dir

Code Analyzer installation (<sca_install_

dir>/Core/bootcp/). See the Fortify Software System

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 55 of 232

User Guide

Chapter 4: Translating Java Code

Java or Jakarta EE Option

Description

Requirements document for supported versions.

Equivalent Property Name:

com.fortify.sca.CustomJdkDir

Displays any unresolved types, fields, and functions

referenced in translated Java source files at the end of the

translation. It lists only field and function references for

which the receiver type is a resolved Java type. Displays

each class, field, and function with the source information of

the first translated occurrence in the code. This information

is also written in the log file.

-show-unresolved-symbols

Equivalent Property Name:

com.fortify.sca.ShowUnresolvedSymbols

Specifies a semicolon- or colon-separated list of directories

that contain source code that is not included in the scan but

is used for name resolution. The source path is similar to

class path, except it uses source files instead of class files for

resolution. Only source files that are referenced by the

target file list are translated.

-sourcepath <dirs>

Equivalent Property Name:

com.fortify.sca.JavaSourcePath

Java Command-Line Examples

To translate a single file named MyServlet.javawith javaee.jaras the class path, type:

sourceanalyzer -b MyServlet -cp lib/javaee.jar MyServlet.java

To translate all .javafiles in the srcdirectory using all JAR files in the libdirectory as a class path,

type:

sourceanalyzer -b MyProject -cp "lib/*.jar" "src/**/*.java"

To translate and compile the MyCode.javafile with the javac compiler, type:

sourceanalyzer -b MyProject javac -classpath libs.jar MyCode.java

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 56 of 232

User Guide

Chapter 4: Translating Java Code

Handling Java Warnings

To see all warnings that were generated during translation, type the following command before you

start the scan phase:

sourceanalyzer -b <build_id> -show-build-warnings

Java Translation Warnings

You might see the following warnings for when translating Java code.

Warning

Description / Resolution

These warnings are typically caused by

missing resources. For example, some of

Unable to resolve type...

Unable to resolve function...

Unable to resolve field...

Unable to locate import...

Unable to resolve symbol...

the .jarand .classfiles required to

build the application might not have been

specified.

To resolve these warnings, make sure that

you include all the required files that your

application uses.

This warning is typically caused by

duplicate classes in the Java files.

Multiple definitions found for class...

To resolve these warnings, make sure that

the source files displayed in the warning

are not duplicates of the same file

included several times in the sources to

translate (for example if it contains two

versions of the same project). If a

duplicate exists, remove one of them from

the files to translate. Then Fortify Static

Code Analyzer can determine which

version of the class to use.

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 57 of 232

User Guide

Chapter 4: Translating Java Code

Translating Jakarta EE (Java EE) Applications

To translate Jakarta EE applications, Fortify Static Code Analyzer processes Java source files and

Jakarta EE components such as JSP files, deployment descriptors, and configuration files. While you

can process all the pertinent files in a Jakarta EE application in one step, your project might require

that you break the procedure into its components for integration in a build process or to meet the

needs of various stakeholders in your organization.

Translating Java Files

To translate Jakarta EE applications, use the same procedure used to translate Java files. For

examples, see "Java Command-Line Examples" on page 56.

Translating JSP Projects, Configuration Files, and Deployment

Descriptors

In addition to translating the Java files in your Jakarta EE (Java EE) application, you might also need

to translate JSP files, configuration files, and deployment descriptors. Your JSP files must be part of a

Web Application Archive (WAR). If your source directory is already organized in a WAR file format,

you can translate the JSP files directly from the source directory. If not, you might need to deploy

your application and translate the JSP files from the deployment directory.

For example:

sourceanalyzer -b MyJavaApp "/**/*.jsp" "/**/*.xml"

where /**/*.jsprefers to the location of your JSP project files and /**/*.xmlrefers to the location

of your configuration and deployment descriptor files.

Jakarta EE (Java EE) Translation Warnings

You might see the following warning in the translation of Jakarta EE applications:

Could not locate the root (WEB-INF) of the web application. Please build

your web application and try again. Failed to parse the following jsp

files:

<list_of_jsp_files>

This warning indicates that your web application is not deployed in the standard WAR directory

format or does not contain the full set of required libraries. To resolve the warning, make sure that

your web application is in an exploded WAR directory format with the correct WEB-INF/liband

WEB-INF/classesdirectories containing all the .jarand .classfiles required for your application.

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 58 of 232

User Guide

Chapter 4: Translating Java Code

Also verify that you have all the TLDfiles for all your tags and the corresponding JAR files with their

tag implementations.

Translating Java Bytecode

Fortify recommends that you do not translate Java bytecode and JSP/Java code in the same call to

sourceanalyzer. Use multiple invocations of sourceanalyzerwith the same build ID to translate a

project that contains both bytecode and JSP/Java code.

To translate bytecode:

1.

Add the following properties to the fortify-sca.propertiesfile (or include these properties

on the command line using the -Doption):

com.fortify.sca.fileextensions.class=BYTECODE

com.fortify.sca.fileextensions.jar=ARCHIVE

This specifies how Fortify Static Code Analyzer processes .classand .jarfiles.

2. Do one of the following:

l

Request that Fortify Static Code Analyzer decompile the bytecode classes to regular Java files

for inclusion in the translation.

Add the following property to the fortify-sca.propertiesfile:

com.fortify.sca.DecompileBytecode=true

or include this property on the command line for the translation phase with the -Doption:

sourceanalyzer -b MyProject -Dcom.fortify.sca.DecompileBytecode=true

-cp "lib/*.jar" "src/**/*.class"

l

Request that Fortify Static Code Analyzer translate bytecode without decompilation.

For best results, Fortify recommends that the bytecode be compiled with full debug

information (javac -g).

Include bytecode in the Fortify Static Code Analyzer translation phase by specifying the Java

bytecode files that you want to translate. For best performance, specify only the .jaror

.classfiles that require scanning. In the following example, the .classfiles are translated:

sourceanalyzer -b MyProject -cp "lib/*.jar" "src/**/*.class"

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 59 of 232

User Guide

Chapter 4: Translating Java Code

Troubleshooting JSP Translation and Analysis Issues

The following sections provide troubleshooting information for translating and scanning JSP.

Unable to Translate Some JSPs

Fortify Static Code Analyzer uses either the built-in compiler or your specific application server JSP

compiler to translate JSP files into Java files for analysis. If the JSP parser encounters problems when

Fortify Static Code Analyzer converts JSP files to Java files, you will see a message similar to the

following:

Failed to translate the following jsps into analysis model. Please see the

log file for any errors from the jsp parser and the user manual for hints

on fixing those

<list_of_jsp_files>

This typically happens for one or more of the following reasons:

l

The web application is not laid out in a proper deployable WAR directory format

l

Some JAR files or classes required for the application are missing

l

Some tag libraries or their definitions (TLD) for the application are missing

To obtain more information about the problem, perform the following steps:

1. Open the Fortify Static Code Analyzer log file in an editor.

2. Search for the following strings:

l

Jsp parser stdout:

l

Jsp parser stderr:

The JSP parser generates these errors. Resolve the errors and rerun Fortify Static Code Analyzer.

For more information about scanning Jakarta EE applications, see "Translating Jakarta EE (Java EE)

Applications" on page 58.

Increased Issues Counts in JSP-Related Categories

If the analysis results contain a considerable increase in the number of vulnerabilities in JSP-related

categories such as cross-site scripting compared with earlier Fortify Static Code Analyzer versions,

you can specify the -legacy-jsp-dataflowoption in the analysis phase (with the -scanoption).

This option enables additional filtering on JSP-related dataflow to reduce the number of spurious

false positives detected.

The equivalent property for this option that you can specify in the fortify-sca.propertiesfile is

com.fortify.sca.jsp.LegacyDataflow.

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 60 of 232

Chapter 5: Translating Kotlin Code

This section describes how to translate Kotlin code.

This section contains the following topics:

Kotlin Command-Line Syntax

61

63

64

Kotlin and Java Translation Interoperability

Translating Kotlin Scripts

Kotlin Command-Line Syntax

The translation of Kotlin code is similar to the translation of Java code. To translate Kotlin code, all

types defined in a library that are referenced in the code must have a corresponding definition in the

source code, a class file, or a JAR file. Include all source files on the Fortify Static Code Analyzer

command line.

The basic command-line syntax to translate Kotlin code is shown in the following example:

sourceanalyzer –b <build_id> -cp <classpath> [<translation_options>]

<files>

where

l

-cp <classpath> specifies the class path to use for the Kotlin source code.

Include all JAR dependencies normally used to build the project. Separate multiple paths with

semicolons (Windows) or colons (non-Windows).

Fortify Static Code Analyzer loads classes in the order they appear in the class path. If there are

multiple classes with the same name in the list, Fortify Static Code Analyzer uses the first loaded

class. In the following example, if both A.jarand B.jarinclude a class called MyData.class,

Fortify Static Code Analyzer uses the MyData.classfrom A.jar.

sourceanalyzer –cp "A.jar:B.jar" myfile.kt

Fortify strongly recommends that you avoid using duplicate classes with the -cpoption.

For descriptions of all the available Kotlin-specific command-line options, see "Kotlin Command-Line

Options" on the next page.

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 61 of 232

User Guide

Chapter 5: Translating Kotlin Code

Kotlin Command-Line Options

The following table describes the Kotlin-specific command-line options.

Kotlin Option

Description

Specifies the class path to use for translating Kotlin source

code, which is a semicolon- or colon-separated list of

directories. You can use Fortify Static Code Analyzer file

specifiers as shown in the following example:

-cp <paths> |

-classpath <dirs>

-cp "build/classes:lib/*.jar"

For information about file specifiers, see "Specifying Files

and Directories" on page 148.

Equivalent Property Name:

com.fortify.sca.JavaClasspath

Indicates the JDK version for which the Kotlin code is

written. See the Fortify Software System Requirements

document for supported versions. The default is version 11.

-source <version> |

-jdk <version>

Equivalent Property Name:

com.fortify.sca.JdkVersion

Specifies a semicolon- or colon-separated list of directories

that contain Java source code that is not included in the

scan but is used for name resolution. The source path is

similar to class path, except it uses source files instead of

class files for resolution. Only source files that are

referenced by the target file list are translated.

-sourcepath <dirs>

Equivalent Property Name:

com.fortify.sca.JavaSourcePath

-jvm-default <mode>

Specifies the generation of the DefaultImplsclass for

methods with bodies in Kotlin interfaces. The valid values

for <mode> are:

l

disable—Specifies to generate the DefaultImplsclass

for each interface that contains methods with bodies.

l

all—Specifies to generate the DefaultImplsclass if an

interface is annotated with

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 62 of 232

User Guide

Chapter 5: Translating Kotlin Code

Kotlin Option

Description

@JvmDefaultWithCompatibility.

l

all-compatibility—Specifies to generate the

DefaultImplsclass unless an interface is annotated

with @JvmDefaultWithoutCompatibility.

Equivalent Property Name:

com.fortify.sca.KotlinJvmDefault

Kotlin Command-Line Examples

To translate a single file named MyKotlin.ktwith A.jaras the class path, type:

sourceanalyzer -b MyProject -cp lib/A.jar MyKotlin.kt

To translate all .ktfiles in the srcdirectory using all JAR files in the libdirectory as a class path,

type:

sourceanalyzer -b MyProject -cp "lib/**/*.jar" "src/**/*.kt"

To translate a gradle project using gradlew, type:

sourceanalyzer -b MyProject gradlew clean assemble

To translate all files in the srcdirectory using Java dependencies from src/javaand all JAR files in

the libdirectory and subdirectories as a class path, type:

sourceanalyzer –b MyProject –cp "lib/**/*.jar" -sourcepath "src/java" "src"

Kotlin and Java Translation Interoperability

If your project contains Kotlin code that refers to Java code, you can provide Java files to the

translator the same way as Kotlin files that refers to another Kotlin file. You can provide them as part

of the translated project source or as –sourcepathparameters.

If your project contains Java code that refers to Kotlin code, make sure that the Java and Kotlin code

are translated in the same Fortify Static Code Analyzer instance so that the Java references to Kotlin

elements are resolved correctly. Kotlin to Java interoperability does not support Kotlin files provided

by the –sourcepathoption. For more information about the –sourcepathoption, see "Kotlin

Command-Line Options" on the previous page

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 63 of 232

User Guide

Chapter 5: Translating Kotlin Code

Translating Kotlin Scripts

Fortify Static Code Analyzer supports translation of Kotlin scripts excluding experimental script

customization. Script customization includes adding external properties, providing static or dynamic

dependencies, and so on. Script definitions (templates) are used to create custom scripts and the

template is applied to the script based on the *.ktsextension. Fortify Static Code Analyzer

translates *.ktsfiles but does not apply these templates.

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 64 of 232

Chapter 6: Translating Visual Studio Projects

Fortify Static Code Analyzer provides a build integration to support translation of the following Visual

Studio project types:

l

C/C++ projects

l

C# projects that target .NET Framework and .NET Core

l

ASP.NET applications that target ASP.NET framework and ASP.NET Core

l

Xamarin applications that target Android and iOS platforms

For a list of supported versions of relevant programming languages and frameworks, as well as Visual

Studio and MSBuild, see the Fortify Software System Requirements document.

This section contains the following topics:

Visual Studio Project Translation Prerequisites

Visual Studio Project Command-Line Syntax

65

67

69

Handling Special Cases for Translating Visual Studio Projects

Alternative Ways to Translate Visual Studio Projects

Visual Studio Project Translation Prerequisites

Fortify recommends that each project you translate is complete and that you perform the translation

in an environment where you can build it without errors. For a list of software environment

requirements, see the Fortify Software System Requirements document. A complete project contains

the following:

l

All necessary source code files (C/C++, C#, or VB.NET).

l

All required reference libraries.

This includes those from relevant frameworks, NuGet packages, and third-party libraries.

l

For C/C++ projects, include all necessary header files that do not belong to the Visual Studio or

MSBuild installation.

l

For ASP.NET and ASP.NET Core projects, include all the necessary ASP.NET page files.

The supported ASP.NET page types are ASAX, ASCX, ASHX, ASMX, ASPX, AXML, BAML, CSHTML,

Master, RAZOR, VBHTML, and XAML.

Visual Studio Project Command-Line Syntax

The basic syntax to translate a Visual Studio solution or project is to specify the corresponding build

option for your project as part of the Fortify Static Code Analyzer translation command. This starts a

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 65 of 232

User Guide

Chapter 6: Translating Visual Studio Projects

build integration that analyzes your solution and project files and automatically executes the

appropriate translation steps.

Important! To ensure that the build integration correctly pulls in all of the appropriate project

dependencies and resources, you must run the Fortify Static Code Analyzer command from a

command prompt with access to your build environment configuration. Fortify strongly

recommends you run this command from the Developer Command Prompt for Visual Studio to

ensure an optimal environment for the translation.

In the following examples, Fortify Static Code Analyzer translates all the projects contained in the

Visual Studio solution Sample.sln. You can also translate one or more specific projects by providing

a semicolon-separated list of projects.

l

For a .NET 6.0 or later solution on Windows or Linux, use the following commands to translate the

solution:

a. Optionally, run the following command to remove any intermediate files from previous project

builds:

dotnet clean Sample.sln

b. Optionally, run the following command to ensure that all required reference libraries are

downloaded and installed in the project. Run this command from the top-level folder of the

project:

dotnet restore Sample.sln

c. Run one of the following Fortify Static Code Analyzer commands depending on how your

project build is implemented. You can include any additional build parameters in this command:

sourceanalyzer –b MyProject dotnet msbuild Sample.sln

or

sourceanalyzer –b MyProject dotnet build Sample.sln

l

For a C, C++, and .NET Framework solution (4.8.x or earlier) on Windows, use the following

command to translate the solution:

sourceanalyzer –b MyProject msbuild /t:rebuild Sample.sln

Note: If you run Fortify Static Code Analyzer from a Windows Command Prompt instead of the

Visual Studio Developer Command Prompt, you must set up the environment and make sure

the path to the MSBuild executable required to build your project is included in the PATH

environment variable.

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 66 of 232

User Guide

Chapter 6: Translating Visual Studio Projects

After the translation is complete, you can perform the analysis phase and save the results in an

FPR file as shown in the following example:

sourceanalyzer –b MyProject -scan -f MyResults.fpr

Handling Special Cases for Translating Visual Studio

Projects

Running Translation from a Script

To perform the translation in a non-interactive mode such as with a script, establish an optimal

environment for translation by executing the following command before you run the Fortify Static

Code Analyzer translation:

cmd.exe /k <vs_install_dir>/Common7/Tools/VSDevCmd.bat

where <vs_install_dir> is the directory where you installed Visual Studio.

Translating Plain .NET and ASP.NET Projects

You can translate plain .NET and ASP.NET projects from the Windows Command Prompt as well as

from a Visual Studio environment. When you translate from the Windows Command Prompt, make

sure the path to the MSBuild executable required to build your project is included in PATH

environment variable.

Translating C/C++ and Xamarin Projects

You must translate C/C++ and Xamarin projects either from a Developer Command Prompt for Visual

Studio or from the Fortify Extension for Visual Studio.

Note: For Xamarin projects, there is no need to use a custom rule for the Xamarin.Android API if a

rule for the corresponding native Android API exists in the Fortify Secure Coding Rulepacks.

Doing so can cause duplicate issues to be reported.

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 67 of 232

User Guide

Chapter 6: Translating Visual Studio Projects

Translating Projects with Settings Containing Spaces

If your project is built with a configuration or other settings file that contains spaces, make sure to

enclose the setting values in quotes. For example, to translate a Visual Studio solution Sample.sln

that is built with configuration My Configuration, use the following command:

sourceanalyzer –b MySampleProj msbuild /t:rebuild

/p:Configuration="My Configuration" Sample.sln

Translating a Single Project from a Visual Studio Solution

If your Visual Studio solution contains multiple projects, you have the option to translate a single

project instead of the entire solution. Project files have a file name extension that ends with proj

such as .vcxprojand .csproj. To translate a single project, specify the project file instead of the

solution as the parameter for the MSBuild command.

The following example translates the Sample.vcxprojproject file:

sourceanalyzer –b MySampleProj msbuild /t:rebuild Sample.vcxproj

Analyzing Projects That Build Multiple Executable Files

If your Visual Studio or MSBuild project builds multiple executable files (such as files with the file

name extension *.exe), Fortify strongly recommends that you run the analysis phase separately for

each executable file to avoid false positive issues in the analysis results. To do this, use –binary-

nameoption when running the analysis phase and specify the executable file name or .NET assembly

name as the parameter.

The following example shows how to translate and analyze a Visual Studio solution Sample.slnthat

consists of two projects, Sample1 (a C++ project with no associated .NET assembly name) and

Sample2 (a .NET project with .NET assembly name Sample2). Each project builds a separate

executable file, Sample1.exeand Sample2.exe, respectively. The analysis results are saved in

Sample1.fprand Sample2.fprfiles.

sourceanalyzer -b MySampleProj msbuild /t:rebuild Sample.sln

sourceanalyzer -b MySampleProj -scan -binary-name Sample1.exe -f

Sample1.fpr

sourceanalyzer -b MySampleProj -scan -binary-name Sample2.exe -f

Sample2.fpr

For more information about the -binary-nameoption, see "Analysis Options" on page 137.

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 68 of 232

User Guide

Chapter 6: Translating Visual Studio Projects

Alternative Ways to Translate Visual Studio Projects

This section describes alternative methods of translating Visual Studio projects.

Alternative Translation Options for Visual Studio Solutions

The following are two alternative ways of translation available only for Visual Studio solutions:

l

Use the Fortify Extension for Visual Studio

The Fortify Extension for Visual Studio runs the translation and analysis (scan) phases together in

one step.

l

Append a devenv command to the Fortify Static Code Analyzer command

The following command translates the Visual Studio solution Sample.sln:

sourceanalyzer –b MySampleProj devenv Sample.sln /rebuild

Note that Fortify Static Code Analyzer converts a devenv invocation to the equivalent MSBuild

invocation, therefore in this case, the solution with this command is built by MSBuild instead of the

devenv tool.

Translating Without Explicitly Running Fortify Static Code

Analyzer

You have the option to translate your Visual Studio project without invoking Fortify Static Code

Analyzer directly. This requires the Fortify.targetsfile, which is located in <sca_install_

dir>\Core\private-bin\sca\MSBuildPluginin the DotNetand Frameworkdirectory. You can

specify the file using an absolute or relative path in the build command line that builds your project.

Use the path with the Dotnetor Frameworkdirectory depending on the build command you are

using: dotnet.exeor MSBuild.exerespectively. For example:

dotnet.exe msbuild /t:rebuild /p:CustomAfterMicrosoftCommonTargets=<sca_

install_dir>\Core\private-bin\sca\MSBuildPlugin\Dotnet\Fortify.targets

Sample.sln

or

msbuild.exe /t:rebuild

/p:CustomAfterMicrosoftCommonTargets=<sca_install_dir>\Core\private-

bin\sca\MSBuildPlugin\Framework\Fortify.targets Sample.sln

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 69 of 232

User Guide

Chapter 6: Translating Visual Studio Projects

There are several environment variables that you can set to configure the translation of your project.

Most of them have default values, which Fortify Static Code Analyzer uses if the variable is not set.

These variables are listed in the following table.

Environment

Variable

Description

Default Value

FORTIFY_

MSBUILD_

BUILDID

Specifies the Fortify Static Code Analyzer

build ID for translation. Make sure that you

set this value.

None

This is equivalent to the Fortify Static Code

Analyzer -boption.

FORTIFY_

MSBUILD_

DEBUG

Enables debug mode. This is equivalent to

False

the Fortify Static Code Analyzer –debug

option.

FORTIFY_

MSBUILD_

DEBUG_

Enables verbose debug mode. This is

equivalent to the Fortify Static Code

Analyzer –debug-verboseoption. Takes

VERBOSE

precedence over FORTIFY_MSBUILD_

DEBUG variable if both are set to true.

FORTIFY_

MSBUILD_MEM

Specifies the memory requirements for

Automatic allocation based on

physical memory available on

the system

translation in the form of the JVM -Xmx

option. For example, -Xmx2G.

FORTIFY_

MSBUILD_

SCALOG

Specifies the location (absolute path) of the

Fortify Static Code Analyzer log file.

%LOCALAPPDATA%/Fortify/

sca/log/sca.log

This is equivalent to the Fortify Static Code

Analyzer -logfileoption.

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 70 of 232

Chapter 7: Translating C and C++ Code

This section describes how to translate C and C++ code.

Important! The chapter describes how to translate C and C++ code that is not a part of a Visual

Studio or MSBuild project. For instructions on translating Visual Studio or MSBuild projects, see

"Translating Visual Studio Projects" on page 65.

This section contains the following topics:

C and C++ Code Translation Prerequisites

C and C++ Command-Line Syntax

71

72

Scanning Pre-processed C and C++ Code

C/C++ Precompiled Header Files

C and C++ Code Translation Prerequisites

Make sure that you have any dependencies required to build the project available, including headers

for third-party libraries. Fortify Static Code Analyzer translation does not require object files and

static/dynamic library files.

Note: Fortify Static Code Analyzer might not support all non-standard C++ constructs.

If you use Gradle to build your C++ project, make sure that the C++ Application Plugin is added to

your Gradle file in one of the following formats:

apply plugin: 'cpp'

plugins {

id 'cpp-application'

}

For more information about integrating with Gradle, see "Build Integration" on page 123.

C and C++ Command-Line Syntax

Command-line options passed to the compiler affect preprocessor execution and can enable or

disable language features and extensions. For Fortify Static Code Analyzer to interpret your source

code in the same way as the compiler, the translation phase for C/C++ source code requires the

complete compiler command line. Prefix your original compiler command with the sourceanalyzer

command and options.

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 71 of 232

User Guide

Chapter 7: Translating C and C++ Code

The basic command-line syntax for translating a single file is:

sourceanalyzer -b <build_id> [<sca_options>] <compiler> [<compiler_

options>] <file>.c

where:

l

<sca_options> are options passed to Fortify Static Code Analyzer.

l

<compiler> is the name of the C/C++ compiler you use, such as gcc, g++, or cl. See the Fortify

Software System Requirements document for a list of supported C/C++ compilers.

l

<compiler_options> are options passed to the C/C++ compiler.

l

<file>.cmust be in ASCII or UTF-8 encoding.

Note: All Fortify Static Code Analyzer options must precede the compiler options.

The compiler command must successfully complete when executed on its own. If the compiler

command fails, then the Fortify Static Code Analyzer command prefixed to the compiler command

also fails.

For example, if you compile a file with the following command:

gcc -I. -o hello.o -c helloworld.c

then you can translate this file with the following command:

sourceanalyzer -b MyProject gcc -I. -o hello.o -c helloworld.c

Fortify Static Code Analyzer executes the original compiler command as part of the translation phase.

In the previous example, the command produces both the translated source suitable for scanning, and

the object file hello.ofrom the gccexecution. You can use the Fortify Static Code Analyzer -nc

option to disable the compiler execution.

Scanning Pre-processed C and C++ Code

If, before compilation, your C/C++ build executes a third-party C preprocessor that Fortify Static Code

Analyzer does not support, you must start the Fortify Static Code Analyzer translation on the

intermediate file. Fortify Static Code Analyzer touchless build integration automatically translates the

intermediate file provided that your build executes the unsupported preprocessor and supported

compiler as two commands connected by a temporary file rather than a pipe chain.

C/C++ Precompiled Header Files

Some C/C++ compilers support Precompiled Header Files, which can improve compilation

performance. Some compilers' implementations of this feature have subtle side-effects. When the

feature is enabled, the compiler might accept erroneous source code without warnings or errors. This

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 72 of 232

User Guide

Chapter 7: Translating C and C++ Code

can result in a discrepancy where Fortify Static Code Analyzer reports translation errors even when

your compiler does not.

If you use your compiler's Precompiled Header feature, disable Precompiled Headers, and then

perform a full build to make sure that your source code compiles cleanly.

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 73 of 232

Chapter 8: Translating JavaScript and

TypeScript Code

You can analyze JavaScript projects that contain JavaScript, TypeScript, JSX, and TSX source files, as

well as JavaScript embedded in HTML files.

Some JavaScript frameworks are transpiled (source-to-source compilation) to plain JavaScript, which

is generated code. Use the -excludecommand-line option to exclude this type of code.

When you translate JavaScript and TypeScript code, make sure that you specify all source files

together in one invocation. Fortify Static Code Analyzer does not support adding new files to the file

list associated with the build ID on subsequent invocations.

Fortify Static Code Analyzer does not translate minified JavaScript (*.min.js).

Note: There are some types of minified JavaScript files that Fortify Static Code Analyzer cannot

automatically detect for exclusion from the translation. Use the -excludecommand-line option

to exclude these files directly.

This section contains the following topics:

Translating Pure JavaScript Projects

74

Excluding Dependencies

75

76

78

Managing Translation of NPM Dependencies

Examples of Excluding NPM Dependencies

Translating JavaScript Projects with HTML Files

Including External JavaScript or HTML in the Translation

Translating Pure JavaScript Projects

The basic command-line syntax to translate JavaScript is:

sourceanalyzer –b <build_id> <js_file_or_dir>

where <js_file_or_dir> is either the name of the JavaScript file to be translated or a directory that

contains multiple JavaScript files. You can also translate multiple files by specifying *.jsfor the <js_

file_or_dir>.

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 74 of 232

User Guide

Chapter 8: Translating JavaScript and TypeScript Code

Excluding Dependencies

You can avoid translating specific dependencies by adding them to the appropriate property setting

in the fortify-sca.propertiesfile. Files specified in the following properties are not translated:

l

com.fortify.sca.skip.libraries.ES6

l

com.fortify.sca.skip.libraries.jQuery

l

com.fortify.sca.skip.libraries.javascript

l

com.fortify.sca.skip.libraries.typescript

Each property specifies a list of comma- or colon-separated file names (without path information).

The files specified in these properties apply to both local files and files on the internet. Suppose, for

example, that the JavaScript code includes the following local file reference:

8"></script>

By default, the com.fortify.sca.skip.libraries.jQueryproperty in the fortify-

sca.propertiesfile includes jquery-us.js, and therefore Fortify Static Code Analyzer does not

translate the file shown in the previous example.

You can use regular expressions for the file names. Note that Fortify Static Code Analyzer

automatically inserts the regular expression '(-?\d+\.\d+\.\d+)?'before .min.jsor .jsfor

each file name included in the com.fortify.sca.skip.libraries.jQueryproperty value.

Note: You can also exclude local files or entire directories with the -excludecommand-line

option. For more information about this option, see "Translation Options" on page 135.

To provide a thorough analysis, dependent files are included in the translation even if the

dependency is in a language that is disabled with the -disable-languageoption. For more

information about the option to disable languages, see "Translation Options" on page 135).

Managing Translation of NPM Dependencies

By default, Fortify Static Code Analyzer translates only the NPM dependencies that are imported in

the code. There are three options for managing the translation of NPM dependencies:

l

The com.fortify.sca.follow.importsproperty is enabled by default and directs Fortify

Static Code Analyzer to resolve all imported files (including NPM dependencies) used in the project

and include them in the translation. For resolution to find imported files within the project, Fortify

Static Code Analyzer uses an algorithm similar to Node.js (see the Node.js website for more

information).

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 75 of 232

User Guide

Chapter 8: Translating JavaScript and TypeScript Code

Setting this property to false prevents imported NPM dependencies that are not explicitly included

on the command-line from being included in the translation.

l

The com.fortify.sca.exclude.unimported.node.modulesproperty is enabled by default

and directs Fortify Static Code Analyzer to exclude node_modules directories that are not

referenced by the project. This property is enabled by default to avoid translating dependencies

that are not needed for the final project such as those only required for the build system.

Setting this property to false causes Fortify Static Code Analyzer to include in the translation all

modules discovered during resolution (with the com.fortify.sca.follow.importsproperty

enabled) that are not referenced by the project.

l

You can use the -excludeoption together with the two properties listed previously to specifically

exclude modules.

Use of this option takes precedence over the previously described property configurations.

Examples of Excluding NPM Dependencies

The following examples illustrate three different scenarios for excluding NPM dependencies. All these

examples use the following directory structure:

./

RootProjectDir

innerSrcDir

node_modules

innerProjectReferencedModule

index.ts

moduleNotReferencedByProject

index.ts

innerProject.ts (contains import from innerProjectReferencedModule)

node_modules

projectReferencedModule

index.ts

moduleNotReferencedByProject

index.ts

projectMain.ts (contains import from projectReferencedModule)

Example 1

This example shows the files are translated with the default behavior. In this case,

com.fortify.sca.follow.importsand

com.fortify.sca.exclude.unimported.node.modulesare both set to true.

sourceanalyzer RootProjectDir/

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 76 of 232

User Guide

Chapter 8: Translating JavaScript and TypeScript Code

The following files are included in the translation for Example 1:

./RootProjectDir/innerSrcDir/innerProject.ts

./RootProjectDir/innerSrcDir/node_

modules/innerProjectReferencedModule/index.ts

./RootProjectDir/projectMain.ts

./RootProjectDir/node_modules/projectReferencedModule/index.ts

Example 2

This example shows that in addition to modules referenced by the project, modules found during

resolution but not referenced by the project are also included in the translation.

sourceanalyzer RootProjectDir/ -

Dcom.fortify.sca.exclude.unimported.node.modules=false

The following files are included in the translation for Example 2:

./RootProjectDir/innerSrcDir/innerProject.ts

./RootProjectDir/innerSrcDir/node_

modules/innerProjectReferencedModule/index.ts

./RootProjectDir/innerSrcDir/node_

modules/moduleNotReferencedByProject/index.ts

./RootProjectDir/projectMain.ts

./RootProjectDir/node_modules/projectReferencedModule/index.ts

./RootProjectDir/node_modules/moduleNotReferencedByProject/index.ts

Example 3

This example shows use of the -exclude option to exclude all files under any node_modules

directory. The -excludeoption overrides resolution of modules based on the configuration of the

com.fortify.sca.follow.importsand

com.fortify.sca.exclude.unimported.node.modulesproperties.

sourceanalyzer RootProjectDir/ -exclude "**/node_modules/*.*"

The following files are included in the translation for Example 3:

./RootProjectDir/innerSrcDir/innerProject.ts

./RootProjectDir/projectMain.ts

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 77 of 232

User Guide

Chapter 8: Translating JavaScript and TypeScript Code

Translating JavaScript Projects with HTML Files

If the project contains HTML files in addition to JavaScript files, set the

com.fortify.sca.EnableDOMModelingproperty to true in the fortify-sca.propertiesfile or

on the command line as shown in the following example:

sourceanalyzer –b MyProject <js_file_or_dir>

-Dcom.fortify.sca.EnableDOMModeling=true

When you set the com.fortify.sca.EnableDOMModelingproperty to true, this can decrease false

negative reports of DOM-related attacks, such as DOM-related cross-site scripting issues.

Note: If you enable this option, Fortify Static Code Analyzer generates JavaScript code to model

the DOM tree structure in the HTML files. The duration of the analysis phase might increase

(because there is more translated code to analyze).

If you set the com.fortify.sca.EnableDOMModelingproperty to true, you can also specify

additional HTML tags for Fortify Static Code Analyzer to include in the DOM modeling with the

com.fortify.sca.DOMModeling.tagsproperty. By default, Fortify Static Code Analyzer includes

the following HTML tags: body, button, div, form, iframe, input, head, html, and p.

For example, to include the HTML tags uland liin the DOM model, use the following command:

sourceanalyzer –b MyProject <js_file_or_dir>

-Dcom.fortify.sca.DOMModeling.tags=ul,li

Including External JavaScript or HTML in the

Translation

To include external JavaScript or HTML files that are specified with the srcattribute, you can specify

which domains Fortify Static Code Analyzer can download and include in the translation phase. To do

this, specify one or more domains with the

com.fortify.sca.JavaScript.src.domain.whitelistproperty.

Note: You can also set this property globally in the fortify-sca.propertiesfile.

For example, you might have the following statement in your HTML file:

</script>

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 78 of 232

User Guide

Chapter 8: Translating JavaScript and TypeScript Code

If you are confident that the xyzdomain.comdomain is a safe location from which to download files,

then you can include them in the translation phase by adding the following property specification on

the command line:

-Dcom.fortify.sca.JavaScript.src.domain.whitelist="xyzdomain.com/foo"

Note: You can omit the www.prefix from the domain in the property value. For example, if the src

tag in the original HTML file specifies to download files from www.google.com, you can specify

just the google.comdomain.

To trust more than one domain, include each domain separated by the vertical bar character (|) as

shown in the following example:

-Dcom.fortify.sca.JavaScript.src.domain.whitelist=

"xyzdomain.com/foo|abcdomain.com|123.456domain.com”

If you are using a proxy server, then you need to include the proxy server information on the

command line as shown in the following example:

-Dhttp.proxyHost=example.proxy.com -Dhttp.proxyPort=8080

For a complete list of proxy server options, see the Networking Properties Java documentation.

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 79 of 232

Chapter 9: Translating Python Code

Fortify Static Code Analyzer translates Python applications, and processes files with the .py

extension as Python source code.

This section contains the following topics:

Python Translation Command-Line Syntax

Translating Python in a Virtual Environment

Including Imported Modules and Packages

Including Namespace Packages

Python Translation Command-Line Syntax

The basic command-line syntax to translate Python code is:

sourceanalyzer -b <build_id> -python-version <python_version>

-python-path <dirs> <files>

Note: When you translate Python code, make sure that you specify all source files together in one

invocation. Fortify Static Code Analyzer does not support adding new files to the file list

associated with the build ID on subsequent invocations.

Python Command-Line Options

The following table describes the Python options.

Python Option

Description

Specifies the Python source code version to scan. The valid values for

-python-version

<version> are 2and 3. The default value is 3.

Equivalent Property Name:

com.fortify.sca.PythonVersion

Disables the automatic calculation of a common root directory of all

project source files to use for importing modules and packages.

-python-no-auto-

root-calculation

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 80 of 232

User Guide

Chapter 9: Translating Python Code

Python Option

Description

Equivalent Property Name:

com.fortify.sca.PythonNoAutoRootCalculation

Specifies a semicolon-separated (Windows) or colon-separated (non-

-python-path

<dirs>

Windows) list of additional import directories. You can use the -python-

pathoption to specify all paths used to import packages or modules.

Include all paths to namespace package directories with this option.

Fortify Static Code Analyzer sequentially searches the specified paths for

each imported file and uses the first file encountered.

Equivalent Property Name:

com.fortify.sca.PythonPath

Specifies that Fortify Static Code Analyzer does not automatically

discover Django templates.

-django-disable-

autodiscover

Equivalent Property Name:

com.fortify.sca.DjangoDisableAutodiscover

Specifies a semicolon-separated (Windows) or colon-separated (non-

Windows) list of directories that contain Django templates. Fortify Static

Code Analyzer sequentially searches the specified paths for each Django

template file and uses the first template file encountered.

-django-template-

dirs <dirs>

Equivalent Property Name:

com.fortify.sca.DjangoTemplateDirs

See Also

"Python Properties" on page 204

Python Command-Line Examples

Translate Python 3 code on Windows:

sourceanalyzer -b Python3Proj -python-path

"C:\Python312\Lib;C:\Python312\Lib\site-packages" src/*.py

Translate Python 2 code on Windows:

sourceanalyzer -b MyPython2 -python-version 2 -python-path

"C:\Python27\Lib;C:\Python27\Lib\site-packages" src/*.py

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 81 of 232

User Guide

Chapter 9: Translating Python Code

Translate Python 3 code on non-Windows:

sourceanalyzer -b Python3Proj -python-path

/usr/lib/python3.12:/usr/local/lib/python3.12/site-packages src/*.py

Translate Python 2 code on non-Windows:

sourceanalyzer -b MyPython2 -python-version 2 -python-path

/usr/lib/python2.7:/usr/local/lib/python2.7/site-packages src/*.py

Translating Python in a Virtual Environment

This section describes how to translate Python projects in virtual environments. Make sure that all

project dependencies are installed in your virtual environment. To translate a Python project in a

virtual environment, include the -python-pathoption to specify the project dependencies.

Python Virtual Environment Example

To translate a Python project where the virtual environment name is myenvand the dependencies for

the project are installed in the myenv/lib/python<version>/site-packagesdirectory, type:

sourceanalyzer –b mybuild -python-path "myenv/lib/python<version>/site-

packages/" myproject/

Conda Environment Example

To translate a Python project where the conda environment name is myenvand the project

dependencies are installed in the <conda_install_

dir>/envs/myenv/lib/python<version>/site-packagesdirectory, type:

sourceanalyzer –b mybuild -python-path "<conda_install_

dir>/envs/myenv/lib/python<version>/site-packages/" myproject/

Including Imported Modules and Packages

To translate Python applications and prepare for a scan, Fortify Static Code Analyzer searches for any

imported modules and packages used by the application. Fortify Static Code Analyzer does not

respect the PYTHONPATHenvironment variable, which the Python runtime system uses to find

imported modules and packages.

Fortify Static Code Analyzer searches for imported modules and packages using the list of directories

in the following order:

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 82 of 232

User Guide

Chapter 9: Translating Python Code

1. The common root directory for all project source files. which Fortify Static Code Analyzer

calculates automatically. For example, if there are two project directories

PrimaryDir/project1/*and PrimaryDir/project2/*, the common root directory is

PrimaryDir.

To remove the common root directory as a search target for imported modules and packages,

include the -python-no-auto-root-calculationoption in the translation command.

2.

The directories specified with the -python-pathoption.

Fortify Static Code Analyzer includes a subset of modules from the standard Python library

(module "builtins", all modules originally written in C, and others) in the translation. Fortify Static

Code Analyzer first searches for a standard Python library module in the set included with Fortify

Static Code Analyzer and then in the paths specified with the -python-pathoption. If your

Python code imports any module that Fortify Static Code Analyzer cannot find, it produces a

warning. To make sure that all modules of the standard Python library are found, add the path to

your standard Python library in the -python-pathlist.

3. The current directory that contains the file Fortify Static Code Analyzer is translating. For

example, when Fortify Static Code Analyzer translates a PrimaryDir/project1/a.py, the

directory PrimaryDir/project1is added as the last directory to search for imported modules

and packages.

Including Namespace Packages

To translate namespace packages, include all the paths to the namespace package directories with

the -python-pathoption. For example, if you have two subpackages for a namespace package

package_namein multiple folders:

/path_1/package_name/subpackageA

/path_2/package_name/subpackageB

Include /path_1;/path_2with the -python-pathoption in the sourceanalyzer command line.

Translating Django

Fortify Static Code Analyzer supports the Django framework. To translate code created using the

Django framework, add the following properties to the <sca_install_

dir>/Core/config/fortify-sca.propertiesconfiguration file:

com.fortify.sca.limiters.MaxPassthroughChainDepth=8

com.fortify.sca.limiters.MaxChainDepth=8

By default, Fortify Static Code Analyzer attempts to discover Django templates in the project root

directory. Any Django templates found are automatically added to the translation. If you do not want

Fortify Static Code Analyzer to automatically discover Django templates, use the -django-disable-

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 83 of 232

User Guide

Chapter 9: Translating Python Code

autodiscoveroption. If your project requires Django templates, but the project is configured such

that Django templates are in an unexpected location, use the -django-template-dirsoption to

specify the directories that contain the templates in addition to the -django-disable-

autodiscoveroption.

You can specify additional locations of Django template files by adding the -django-template-

dirsoption to the sourceanalyzer command:

-django-template-dirs <dirs>

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 84 of 232

Chapter 10: Translating Code for Mobile

Platforms

Fortify Static Code Analyzer supports analysis of the following mobile application source languages:

l

Swift, Objective-C, and Objective-C++ for iOS applications developed using Xcode

l

Java for Android applications

For information about translating Xamarin applications, see "Translating Visual Studio Projects" on

page 65.

This section contains the following topics:

Translating Apple iOS Projects

Translating Android Projects

85

86

Translating Apple iOS Projects

This section describes how to translate Swift, Objective-C, and Objective-C++ source code for iOS

applications. Fortify Static Code Analyzer automatically integrates with the Xcode Command Line

Tool, Xcodebuild, to identify the project source files.

iOS Project Translation Prerequisites

The following are the prerequisites for translating iOS projects:

l

Objective-C++ projects must use the non-fragile Objective-C runtime (ABI version 2 or 3).

l

Use Apple’s xcode-selectcommand-line tool to set your Xcode path. Fortify Static Code

Analyzer uses the system global Xcode configuration to find the Xcode toolchain and headers.

l

Make sure that all source files required for a successful Xcode build are provided.

You can exclude files from the analysis using the -excludeoption (see "iOS Code Analysis

Command-Line Syntax" on the next page).

l

Make sure that you have any dependencies required to build the project available.

l

To translate Swift code, make sure that you have available all third-party modules, including

CocoaPods. Bridging headers must also be available. However, Xcode usually generates them

automatically during the build.

l

If your project includes property list files in binary format, you must first convert them to XML

format. You can do this with the Xcode putilcommand.

l

To translate Objective-C projects, ensure that the headers for third-party libraries are available.

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 85 of 232

User Guide

Chapter 10: Translating Code for Mobile Platforms

l

To translate WatchKit applications, make sure that you translate both the iPhone application target

and the WatchKit extension target.

iOS Code Analysis Command-Line Syntax

The command-line syntax to translate iOS code using Xcodebuild is:

sourceanalyzer -b <build_id> xcodebuild [<compiler_options>]

where <compiler_options> are the supported options that are passed to the Xcode compiler. You

must include the buildoption with any <compiler_options>. The Fortify Static Code Analyzer

Xcodebuild integration does not support the output format of alternate build commands such as

xcodebuild archive.

Note: Xcodebuild compiles the source code when you run this command.

To exclude files from the analysis, use the -excludeoption (see "Translation Options" on page 135).

All source files that match the exclude specification are not translated, even if they are included in the

Xcode build. The following is an example:

sourceanalyzer -b MyProject -exclude "**/TestFile.swift" xcodebuild clean

build

If your application uses any property list files (for example, <file>.plist), translate these files with

a separate sourceanalyzercommand. Use the same build ID that you used to translate the project

files. The following is an example:

sourceanalyzer -b MyProject <path_to_plist_files>

If your project uses CocoaPods, include -workspaceto build the project. For example:

sourceanalyzer -b DemoAppSwift xcodebuild clean build -workspace

DemoAppSwift.xcworkspace -scheme DemoAppSwift -sdk iphonesimulator

After the translation is complete, you can perform the analysis phase and save the results in an

FPR file, as shown in the following example:

sourceanalyzer -b DemoAppSwift -scan -f MyResults.fpr

Translating Android Projects

This section describes how to translate Java source code for Android applications. You can use Fortify

Static Code Analyzer to scan the code with Gradle from either:

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 86 of 232

User Guide

Chapter 10: Translating Code for Mobile Platforms

l

Your operating system's command line

l

A terminal window running in Android Studio

The way you use Gradle is the same for either method.

Note: You can also scan Android code directly from Android Studio with the Fortify Analysis

Plugin for IntelliJ IDEA and Android Studio. For more information, see the OpenText™ Fortify

Analysis Plugin for IntelliJ IDEA and Android Studio User Guide.

Android Project Translation Prerequisites

The following are the prerequisites for translating Android projects:

l

Android Studio and the relevant Android SDKs are installed on the system where you will run the

scans

l

Your Android project uses Gradle for builds.

If you have an older project that does not use Gradle, you must add Gradle support to the

associated Android Studio project

Use the same version of Gradle that is provided with the version of Android Studio that you use to

create your Android project

l

Make sure you have available all dependencies that are required to build the Android code in the

application's project

l

To translate your Android code from a command window that is not displayed within Android

Studio, make sure that Gradle Wrapper (gradlew) is defined on the system path

Android Code Analysis Command-Line Syntax

Use gradlew to scan Android projects, which is similar to using Gradle except that you use the Gradle

Wrapper. For information about how to translate your Android project using the Gradle Wrapper, see

"Using Gradle Integration" on page 127.

Filtering Issues Detected in Android Layout Files

If your Android project contains layout files (used to design the user interface), your project files

might include R.javasource files that are automatically generated by Android Studio. When you

scan the project, Fortify Static Code Analyzer can detect issues associated with these layout files.

Fortify recommends that Issues reported in any layout file be included in your standard audit so you

can carefully determine if any of them are false positives. After you identify issues in layout files that

you are not interested in, you can filter them out as described in "Filtering the Analysis" on page 180.

You can filter out the issues based on the Instance ID.

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 87 of 232

Chapter 11: Translating Go Code

This section describes how to translate Go code. Fortify Static Code Analyzer supports analysis of Go

code on Windows, Linux, and macOS.

This section contains the following topics:

Go Command-Line Syntax

Go Command-Line Options

Resolving Dependencies

88

90

Go Command-Line Syntax

For the best results, your project must be compilable and you must have all required dependencies

available.

The following entities are excluded from the translation (and the scan):

l

Vendor folder

l

All projects defined by any go.modfiles in subfolders, except the project defined by the go.modfile

under the %PROJECT_ROOT%

l

All files with the _test.gosuffix (unit tests)

The basic command-line syntax to translate Go code is:

sourceanalyzer -b <build_id> [-gopath <dir>] [-goroot <dir>] <files>

Go Command-Line Options

The following table describes the command-line options that are specifically for translating Go code.

Go Option

Description

Specifies the value of the GOPATH environment variable to use for

translating a Go project. If this option is not specified, then Fortify Static

Code Analyzer uses the existing value of the GOPATH system

environment variable.

-gopath <dir>

You must specify the gopath directory as an absolute path. The following

examples are valid values for <dir>:

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 88 of 232

User Guide

Chapter 11: Translating Go Code

Go Option

Description

/home/projects/go_workspace/my_proj

C:\projects\go_workspace\my_proj

The following example is an invalid value for <dir>:

go_workspace/my_proj

If this option and the GOPATH system environment variable is not set,

then the gopath defaults to a subdirectory named goin the user's home

directory ($HOME/goon Linux and %USERPROFILE%\goon Windows),

unless that directory contains a Go distribution.

When using modules, the GOPATH environment variable is not required

to resolve package imports as described in the go compiler command

documentation. However, GOPATH still determines the output directory

to use when downloading missing module dependencies.

Note: Fortify Static Code Analyzer does not fully support older Go

projects that rely solely on the GOPATH environment variable to

resolve package imports.

Equivalent Property Name

com.fortify.sca.GOPATH

Specifies the location of the Go installation. If this option is not specified,

the GOROOT system environment variable is used.

-goroot <dir>

If this option is not specified and the GOROOT system environment

variable is not set, then Fortify Static Code Analyzer uses the Go

compiler included in the Fortify Static Code Analyzer installation.

Equivalent Property Name

com.fortify.sca.GOROOT

Specifies one or more comma-separated proxy URLs. You can also

-goproxy <url>

specify director off(to disable network usage).

If this option is not specified and the GOPROXY system environment

variable is not set, then Fortify Static Code Analyzer uses

https://proxy.golang.org,direct.

Equivalent Property Name

com.fortify.sca.GOPROXY

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 89 of 232

User Guide

Chapter 11: Translating Go Code

See Also

"Go Properties" on page 205

Resolving Dependencies

Fortify Static Code Analyzer supports two dependency management systems built into Go:

l

Modules

Fortify Static Code Analyzer downloads all required dependencies using the native Go toolchain. If

access to the internet is restricted on the machine where you run Fortify Static Code Analyzer, then

do one of the following:

l

If you are using an artifact management system such as Artifactory, set the GOPROXY

environment variable or use the -goproxyoption described in "Go Command-Line Options" on

page 88.

l

Download all required dependencies using modules and vendoring.

l

GOPATH dependency resolution

If you are using a third-party dependency management system such as dep, you must download all

dependencies before you start the translation.

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 90 of 232

Chapter 12: Translating Dart and Flutter

Code

This section describes how to translate Dart and Flutter code. Fortify Static Code Analyzer supports

analysis of Dart and Flutter code on Windows, and Linux.

This section contains the following topics:

Dart and Flutter Translation Prerequisites

Dart and Flutter Command-Line Syntax

Dart and Flutter Command-Line Examples

91

92

Dart and Flutter Translation Prerequisites

The following are the prerequisites for translating Dart and Flutter projects:

l

Make sure that you have a supported Dart SDK (for Dart-only projects) and the Flutter SDK (for

Flutter projects) installed on your system. See the Fortify Software System Requirements

document for the supported Dart and Flutter SDK versions.

l

Download the project dependencies by running one of the following commands:

l

For Flutter projects, use flutter pub get.

l

For Dart-only projects, use dart pub get.

For example, to download the dependencies for a Flutter project that has the project root

myproject, run the following commands:

cd myproject

flutter pub get

Important! If the project includes nested packages with different pubspec.yamlfiles, you

must run dart pub getor flutter pub getfor each package root.

Important! Make sure that the following are included in the project directory:

l

The pubspec.yamlfile, which specifies the dependencies

l

The .dart_tooldirectory, which includes the package_config.jsonfile automatically

generated by the pubtool

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 91 of 232

User Guide

Chapter 12: Translating Dart and Flutter Code

Dart and Flutter Command-Line Syntax

The basic command-line syntax to translate Dart and Flutter code is:

sourceanalyzer –b <build_id> <translation_options> <dirs>

sourceanalyzer –b <build_id> <translation_options> <files>

Dart and Flutter Command-Line Examples

To translate a Dart or Flutter project with the my_appproject root directory:

sourceanalyzer -b myProject my_app/

To translate the a_widget.dartfile in the my_appproject root directory:

sourceanalyzer -b myProject my_app/a_widget.dart

To translate all dart source files in the my_dart_projdirectory:

sourceanalyzer -b myProject "my_dart_proj/**/*.dart"

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 92 of 232

Chapter 13: Translating Ruby Code

This section contains the following topics:

Ruby Command-Line Syntax

Ruby Command-Line Syntax

The basic command-line syntax to translate Ruby code is:

sourceanalyzer –b <build_id> <file>

where <file> is the name of the Ruby file you want to scan. To include multiple Ruby files, separate

them with a space, as shown in the following example:

sourceanalyzer –b <build_id> file1.rb file2.rb file3.rb

In addition to listing individual Ruby files, you can use the asterisk (*) wildcard to select all Ruby files

in a specified directory. For example, to find all the Ruby files in a directory called src, use the

following sourceanalyzercommand:

sourceanalyzer –b <build_id> src/*.rb

Note: When you translate Ruby code, make sure that you specify all source files together in one

invocation. Fortify Static Code Analyzer does not support adding new files to the file list

associated with the build ID on subsequent invocations.

Ruby Command-Line Options

The following table describes the Ruby translation options.

Ruby Option

Description

Specifies one or more paths to directories that contain Ruby libraries

(see "Adding Libraries " on the next page)

-ruby-path <dirs>

Equivalent Property Name:

com.fortify.sca.RubyLibraryPaths

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 93 of 232

User Guide

Chapter 13: Translating Ruby Code

Ruby Option

Description

Specifies the path(s) to a RubyGems location (see "Adding Gem Paths"

below)

-rubygem-path

<dirs>

Equivalent Property Name:

com.fortify.sca.RubyGemPaths

See Also

"Ruby Properties" on page 205

Adding Libraries

If your Ruby source code requires a specific library, add the Ruby library to the sourceanalyzer

command. Include all ruby libraries that are installed with ruby gems. For example, if you have a

utils.rbfile that resides in the /usr/share/ruby/myPersonalLibrarydirectory, then add the

following to the sourceanalyzercommand:

-ruby-path /usr/share/ruby/myPersonalLibrary

Separate multiple libraries with semicolons (Windows) or colons (non-Windows). The following is an

example of the option on non-Windows system:

-ruby-path /path/one:/path/two:/path/three

Adding Gem Paths

To add all RubyGems and their dependency paths, import all RubyGems. To obtain the Ruby gem

paths, run the gem envcommand. Under GEM PATHS, look for a directory similar to:

/home/myUser/gems/ruby-version

This directory contains another directory called gems, which contains directories for all the gem files

installed on the system. For this example, use the following in your command line:

-rubygem-path /home/myUser/gems/ruby-version/gems

If you have multiple gemsdirectories, separate them with semicolons (Windows) or colons (non-

Windows ) such as:

-rubygem-path /path/to/gems:/another/path/to/more/gems

Note: On Windows systems, separate the gemsdirectories with a semicolon.

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 94 of 232

Chapter 14: Translating COBOL Code

The COBOL translation runs on Windows systems only and supports modern COBOL dialects.

Alternatively, you can use the legacy COBOL translation (see "Using Legacy COBOL Translation" on

page 98).

For a list of supported technologies for translating COBOL code, see the Fortify Software System

Requirements document. Fortify Static Code Analyzer does not currently support custom rules for

COBOL applications.

Note: To scan COBOL with Fortify Static Code Analyzer, you must have a Fortify Static Code

Analyzer license file that specifically includes COBOL scanning capabilities. Contact Customer

Support for more information about scanning COBOL and the required license file.

This section contains the following topics:

Preparing COBOL Source and Copybook Files for Translation

COBOL Command-Line Syntax

96

98

Using Legacy COBOL Translation

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 95 of 232

User Guide

Chapter 14: Translating COBOL Code

Preparing COBOL Source and Copybook Files for

Translation

Before you can analyze a COBOL program, you must copy the following program components to the

Windows system where you run Fortify Static Code Analyzer:

l

COBOL source code

Fortify strongly recommends that your COBOL source code files have extensions .CBL, .cbl, .COB,

or .cob. If your source code files do not have extensions or have non-standard extensions, you

must follow the instructions in "Translating COBOL Source Files Without File Extensions" on the

next page and "Translating COBOL Source Files with Arbitrary File Extensions" on the next page.

l

All copybook files that the COBOL source code uses

This includes All SQL INCLUDE files that the COBOL source code references (a SQL INCLUDE file is

technically a copybook file)

Important! The copybook files must have the extension .CPYor .cpy.

If your COBOL source code contains:

COPY FOO

or

EXEC SQL INCLUDE FOO END-EXEC

then FOOis the name of a COBOL copybook and the corresponding copybook file has the name

FOO.CPYor FOO.cpy.

Fortify recommends that you place your COBOL source code files in a directory called sourcesand

your copybook files in a directory called copybooks. Create these directories at the same level.

COBOL Command-Line Syntax

The basic syntax used to translate a single COBOL source code file is:

sourceanalyzer -b <build_id> <path>

The basic syntax used to scan a translated COBOL program and save the analysis results in an

FPR file is:

sourceanalyzer -b <build_id> -scan -f <results>.fpr

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 96 of 232

User Guide

Chapter 14: Translating COBOL Code

Translating COBOL Source Files Without File Extensions

If you have COBOL source files (not copybook files) retrieved from a mainframe without .COBor .CBL

file extensions (which is typical for COBOL file names), then you must include the following in the

translation command line:

-noextension-type COBOL

The following example command translates COBOL source code without file extensions:

sourceanalyzer -b MyProject -noextension-type COBOL -copydirs copybooks

sources

Translating COBOL Source Files with Arbitrary File Extensions

If you have COBOL source files with an arbitrary extension .xyz, then you must include the following

in the translation command line:

-Dcom.fortify.sca.fileextensions.xyz=COBOL

You must also include the expression *.xyzin the file or directory specifier, if any (see "Specifying

Files and Directories" on page 148).

COBOL Command-Line Options

The following table describes the COBOL command-line options. To use legacy COBOL translation,

see "Legacy COBOL Translation Command-Line Options" on the next page.

COBOL Option

Description

Specifies one or more semicolon-separated directories where Fortify

Static Code Analyzer looks for copybook files.

-copydirs <dirs>

Equivalent Property Name:

com.fortify.sca.CobolCopyDirs

Specifies the COBOL dialect. The valid values for <dialect> are

-dialect <dialect>

COBOL390and MICROFOCUS. The dialect value is case insensitive. The

default value is COBOL390.

Equivalent Property Name:

com.fortify.sca.CobolDialect

Specifies one or more semicolon-separated COBOL checker directives.

-checker-

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 97 of 232

User Guide

Chapter 14: Translating COBOL Code

COBOL Option

Description

directives

Note: This option is intended for advanced users of OpenText™

Server Express.

Equivalent property name:

com.fortify.sca.CobolCheckerDirectives

Using Legacy COBOL Translation

Use the legacy COBOL translation if either of the following is true:

l

You run Fortify Static Code Analyzer on a non-Windows operating system.

For supported non-Windows platforms and architectures, see the Fortify Software System

Requirements document.

l

Your COBOL dialect is different than what is supported by the default COBOL translation (see the

-dialectoption in "COBOL Command-Line Options" on the previous page).

Prepare the COBOL source code and copybook files as described in "Preparing COBOL Source and

Copybook Files for Translation" on page 96 and use the command-line syntax described in "COBOL

Command-Line Syntax" on page 96 . Note that the legacy COBOL translation accepts copybook files

with or without file extensions. If the copybook files have file extensions, use the -copy-extensions

command-line option (see "Legacy COBOL Translation Command-Line Options" below).

Legacy COBOL Translation Command-Line Options

The following table describes the command-line options for the legacy COBOL translation.

Legacy COBOL Option

Description

Specifies translation of COBOL code using legacy COBOL translation.

This option is required to enable legacy COBOL translation.

-cobol-legacy

Equivalent Property Name:

com.fortify.sca.CobolLegacy

Specifies one or more semicolon- or colon-separated directories where

Fortify Static Code Analyzer looks for copybook files.

-copydirs <dirs>

Equivalent Property Name:

com.fortify.sca.CobolCopyDirs

Specifies one or more semicolon- or colon-separated copybook file

-copy-extensions

<ext>

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 98 of 232

User Guide

Chapter 14: Translating COBOL Code

Legacy COBOL Option

Description

extensions.

Equivalent Property Name:

com.fortify.sca.CobolCopyExtensions

Specifies fixed-format COBOL to direct Fortify Static Code Analyzer to

only look for source code between columns 8–72 in all lines of code.

The default is free-format.

-fixed-format

IBM Enterprise COBOL code is typically fixed-format. The following are

indications that you might need the -fixed-formatoption:

l

The COBOL translation appears to hang indefinitely

l

Fortify Static Code Analyzer reports numerous parsing errors in the

COBOL translation

Equivalent Property Name:

com.fortify.sca.CobolFixedFormat

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 99 of 232

Chapter 15: Translating Salesforce Apex and

Visualforce Code

This section contains the following topics:

Apex and Visualforce Translation Prerequisites

Apex and Visualforce Command-Line Syntax

100

101

Apex and Visualforce Translation Prerequisites

To translate Apex and Visualforce projects, make sure that all the source code to scan is available on

the same machine where you have installed Fortify Static Code Analyzer.

To scan your custom Salesforce app, download it to your local computer from your Salesforce

organization (org) where you develop and deploy it. The downloaded version of your app consists of:

l

Apex classes in files with the .clsextension

l

Visualforce web pages in files with the .pageextension

l

Apex code files called database “trigger” functions are in files with the .triggerextension

l

Visualforce component files with the .componentextension

l

Objects with the .objectextension

Use the Ant Migration Tool available on the Salesforce website to download your app from your org in

the Salesforce cloud to your local computer. Make sure that the project manifest files are set up

correctly for the specified target in your build.xmlfile. For example, the following package.xml

manifest file provides Fortify Static Code Analyzer with all classes, custom objects, pages, and

components.

<?xml version="1.0" encoding="UTF-8"?>

<types>

<name>ApexClass</name>

</types>

<types>

<name>ApexTrigger</name>

</types>

<types>

<name>ApexPage</name>

</types>

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 100 of 232

User Guide

Chapter 15: Translating Salesforce Apex and Visualforce Code

<types>

<name>ApexComponent</name>

</types>

<types>

<name>CustomObject</name>

</types>

</Package>

Configure the retrieve targets using the Ant Migration Tool documentation. If your organization uses

any apps from the app exchange, make sure that these are downloaded as packaged targets.

Apex and Visualforce Command-Line Syntax

The basic command-line syntax to translate Apex and Visualforce code is:

sourceanalyzer -b <build_id> <files>

where <files> is an Apex or Visualforce file or a path to the source files.

Important! Supported file extensions for the source files are: .cls, .component, .trigger,

.object, and .page.

For descriptions of all the Apex- and Visualforce-specific command-line options, see Apex and

Visualforce Command-Line Options.

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 101 of 232

Chapter 16: Translating Other Languages

and Configurations

This section contains the following topics:

Analyzing Solidity Code

Translating ABAP Code

Translating Flex and ActionScript

Translating ColdFusion Code

Translating SQL

Translating Scala Code

Translating Infrastructure as Code (IaC)

Translating JSON

Translating YAML

Translating Dockerfiles

Translating ASP/VBScript Virtual Roots

Classic ASP Command-Line Example

VBScript Command-Line Example

Analyzing Solidity Code

The basic command-line syntax to analyze Solidity code is shown in the following example:

sourceanalyzer -b <build_id> <files>

sourceanalyzer -b <build_id> -scan -f <results>.fpr

Importing Dependencies

Fortify Static Code Analyzer translation only supports import statements for files with relative and

absolute paths. Import statements for libraries is not supported.

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 102 of 232

User Guide

Chapter 16: Translating Other Languages and Configurations

Managing Compiler Versions

Fortify Static Code Analyzer downloads compilers that are referenced in the code with the pragma

statement from the Solidity compiler repository. By default, Fortify Static Code Analyzer downloads

Solidity compilers to ${flight.workdir}/solidity.

If a file does not contain a pragma statement, then the default of ^0.8.0is used. You can specify

different default compiler version to use in the analysis by including the

flight.solidity.defaultCompilerVersionproperty on the command line. The version you

specify must exist in the Solidity compiler repository. For example:

sourceanalyzer -b MyProject ./

sourceanalyzer -b MyProject -scan -

Dflight.solidity.defaultCompilerVersion=0.8.16 -f MyResults.fpr

If a proxy is required for the connection to download Solidity compilers, include the proxy information

with -Dhttps.proxyHostand -Dhttps.proxyPort. For example:

sourceanalyzer -b MyProject ./

sourceanalyzer -b MyProject -scan -Dhttps.proxyHost=MyProxyHost -

Dhttps.proxyPort=1234 -f MyResults.fpr

You can add flight.solidity.defaultCompilerVersionto the fortify-sca.properties

file.

Translating PHP Code

The syntax to translate a single PHP file named MyPHP.phpis shown in the following example:

sourceanalyzer -b <build_id> MyPHP.php

To translate a file where the source or the php.inifile entry includes a relative path name (starts

with ./or ../), consider setting the PHP source root as shown in the following example:

sourceanalyzer -php-source-root <path> -b <build_id> MyPHP.php

For more information about the -php-source-rootoption, see the description in "PHP Command-

Line Options" on the next page.

Note: When you translate PHP code, make sure that you specify all source files together in one

invocation. Fortify Static Code Analyzer does not support adding new files to the file list

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 103 of 232

User Guide

Chapter 16: Translating Other Languages and Configurations

associated with the build ID on subsequent invocations.

PHP Command-Line Options

The following table describes the PHP-specific command-line options.

PHP Option

Description

Specifies an absolute path to the project root directory. The relative path

name first expands from the current directory. If the file is not found,

then the path expands from the specified PHP source root directory.

-php-source-root

<path>

Equivalent Property Name:

com.fortify.sca.PHPSourceRoot

Specifies the PHP version. The default version is 8.2. For a list of valid

-php-version

versions, see the Fortify Software System Requirements document.

Equivalent Property Name:

com.fortify.sca.PHPVersion

See Also

"PHP Properties" on page 207

Translating ABAP Code

Translating ABAP code is similar to translating other operating language code. However, it requires

additional steps to extract the code from the SAP database and prepare it for scanning. See

"Importing the Transport Request" on the next page for more information. This section assumes you

have a basic understanding of SAP and ABAP.

To translate ABAP code, the Fortify ABAP Extractor program downloads source files to the

presentation server, and optionally, starts Fortify Static Code Analyzer. You need to use an account

with permission to download files to the local system and execute operating system commands.

Because the extractor program is executed online, you might receive a max dialog work process

time reachedexception message if the volume of source files selected for extraction exceeds the

allowable process run time. To work around this, download large projects as a series of smaller

Extractor tasks. For example, if your project consists of four different packages, download each

package separately into the same project directory. If the exception occurs frequently, work with your

SAP Basis administrator to increase the maximum time limit (rdisp/max_wprun_time).

When a PACKAGE is extracted from ABAP, the Fortify ABAP Extractor extracts everything from

TDEVCwith a parentclfield that matches the package name. It then recursively extracts everything

else from TDEVCwith a parentclfield equal to those already extracted from TDEVC. The field

extracted from TDEVCis devclass.

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 104 of 232

User Guide

Chapter 16: Translating Other Languages and Configurations

The devclassvalues are treated as a set of program names and handled the same way as a program

name, which you can provide.

Programs are extracted from TRDIRby comparing the name field with either:

l

The program name specified in the selection screen

l

The list of values extracted from TDEVCif a package was provided

The rows from TRDIRare those for which the name field has the given program name and the

expression LIKEprogramnameis used to extract rows.

This final list of names is used with READ REPORTto get code out of the SAP system. This method

reads classes and methods out as well as merely REPORTS, for the record.

Each READ REPORTcall produces a file in the temporary folder on the local system. This set of files is

what Fortify Static Code Analyzer translates and scans, producing an FPR file that you can open with

Fortify Audit Workbench.

See Also

"ABAP Properties" on page 207

INCLUDE Processing

As source code is downloaded, the Fortify ABAP Extractor detects INCLUDEstatements in the source.

When found, it downloads the include targets to the local machine for analysis.

Importing the Transport Request

To scan ABAP code, you need to import the Fortify ABAP Extractor transport request on your SAP

Server. You can find the Fortify transport request in <sca_install_dir>/Tools/SAP_

Extractor.zip.

The Fortify ABAP Extractor package, SAP_Extractor.zip, contains the following files:

l

K900XXX.S9S(where the “XXX” is the release number)

l

R900XXX.S9S(where the “XXX” is the release number)

These files make up the SAP transport request that you must import into your SAP system from

outside your local Transport Domain. Have your SAP administrator or an individual authorized to

install transport requests on the system import the transport request.

The S95 files contain a program, a transaction (YSCA), and the program user interface. After you

import them into your system, you can extract your code from the SAP database and prepare it for

Fortify Static Code Analyzer scanning.

Installation Note

The Fortify ABAP Extractor transport request is supported on a system running SAP release 7.02, SP

level 0006. If you are running a different SAP version and you get the transport request import error:

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 105 of 232

User Guide

Chapter 16: Translating Other Languages and Configurations

Install release does not match the current version, then the transport request

installation has failed.

To try to resolve this issue, perform the following steps:

1. Re-run the transport request import.

The Import Transport Request dialog box opens.

2. Select the Options tab.

3. Select the Ignore Invalid Component Version check box.

4. Complete the import procedure.

If this does not resolve the issue or if your system is running on an SAP version with a different table

structure, Fortify recommends that you export your ABAP file structure using your own technology so

that Fortify Static Code Analyzer can scan the ABAP code.

Adding Fortify Static Code Analyzer to your Favorites List

Adding Fortify Static Code Analyzer to your Favorites list is optional, but doing so can make it quicker

to access and start Fortify Static Code Analyzer scans. The following steps assume that you use the

user menu in your day-to-day work. If your work is done from a different menu, add the Favorites link

to the menu that you use. Before you create the Fortify Static Code Analyzer entry, make sure that

the SAP server is running and you are in the SAP Easy Access area of your web-based client.

To add Fortify Static Code Analyzer to your Favorites list:

1.

From the SAP Easy Access menu, type S000in the transaction box.

The SAP Menu opens.

2. Right-click the Favorites folder and select Insert transaction.

The Manual entry of a transaction dialog box opens.

3.

Type YSCAin the Transaction Code box.

4. Click the green check mark icon.

The Extract ABAP code and launch SCA item appears in the Favorites list.

5. Click the Extract ABAP code and launch SCA link to start the Fortify ABAP Extractor.

Running the Fortify ABAP Extractor

To run the Fortify ABAP Extractor:

1. Start the Fortify ABAP Extractor from the Favorites link, the transaction code, or manually start

the Extractor object.

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 106 of 232

User Guide

Chapter 16: Translating Other Languages and Configurations

This opens the Fortify ABAP Extractor.

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 107 of 232

User Guide

Chapter 16: Translating Other Languages and Configurations

2. Select the code to download.

Provide the start and end name for the range of software components, packages, programs, or

BSP applications that you want to scan.

Note: You can specify multiple objects or ranges.

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 108 of 232

User Guide

Chapter 16: Translating Other Languages and Configurations

3. Provide the Fortify Static Code Analyzer-specific information described in the following table.

Field

Description

FPR File Path (Optional) Type or select the directory where you want to store the scan

results file (FPR). Include the name for the FPR file in the path name. You must

provide the FPR file path to automatically scan the downloaded code on the

same machine where you are running the extraction process.

Working

ActionScript Command-Line Examples

The following examples illustrate command-line syntax for typical scenarios for translating

ActionScript.

Example 1

The following example is for a simple application that contains only one MXML file and a single SWF

library (MyLib.swf):

sourceanalyzer -b MyFlexApp -flex-libraries lib/MyLib.swf -flex-sdk-root

/home/myself/flex-sdk/ -flex-source-roots . my/app/FlexApp.mxml

This identifies the location of the libraries to include and the Flex SDK and the Flex source root

locations. The single MXML file, located in /my/app/FlexApp.mxml, results in translating the MXML

application as a single ActionScript class called FlexAppand located in the my.apppackage.

Example 2

The following example is for an application in which the source files are relative to the srcdirectory.

It uses a single SWF library, MyLib.swf, and the Flex and framework libraries from the Flex SDK:

sourceanalyzer -b MyFlexProject -flex-sdk-root /home/myself/flex-sdk/

-flex-source-roots src/ -flex-libraries lib/MyLib.swf "src/**/*.mxml"

"src/**/*.as"

This example locates the Flex SDK and uses Fortify Static Code Analyzer file specifiers to include the

.asand .mxmlfiles in the srcfolder. It is not necessary to explicitly specify the .SWCfiles located in

the –flex-sdk-root, although this example does so for the purposes of illustration. Fortify Static

Code Analyzer automatically locates all .SWCfiles in the specified Flex SDK root, and it assumes that

these are libraries intended for use in translating ActionScript or MXML files.

Example 3

In this example, the Flex SDK root and Flex libraries are specified in the properties file because typing

the information for each sourceanalyzer run is time consuming and the data does not change often.

Divide the application into two sections and store them in folders: a main section folder and a modules

folder. Each folder contains a srcfolder where the paths start. File specifiers contain wild cards to

pick up all the .mxmland .asfiles in both srcfolders. An MXMLfile in

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 113 of 232

User Guide

Chapter 16: Translating Other Languages and Configurations

main/src/com/foo/util/Foo.mxmlis translated as an ActionScript class named Fooin the

package com.foo.util, for example, with the source roots specified here:

sourceanalyzer -b MyFlexProject -flex-source-roots main/src:modules/src

"./main/src/**/*.mxml" "./main/src/**/*.as" "./modules/src/**/*.mxml"

"./modules/src/**/*.as"

Handling Resolution Warnings

To see all warnings that were generated during translation, type the following command before you

start the scan phase:

sourceanalyzer -b <build_id> -show-build-warnings

ActionScript Warnings

You might receive a message similar to the following:

The ActionScript front end was unable to resolve the following imports:

a.b at y.as:2. foo.bar at somewhere.as:5. a.b at foo.mxml:8.

This error occurs when Fortify Static Code Analyzer cannot find all the required libraries. You might

need to specify additional SWC or SWF Flex libraries (using the -flex-librariesoption or the

com.fortify.sca.FlexLibrariesproperty) so that Fortify Static Code Analyzer can complete the

analysis.

Translating ColdFusion Code

To treat undefined variables in a CFML page as tainted, uncomment the following line in <sca_

install_dir>/Core/config/fortify-sca.properties:

#com.fortify.sca.CfmlUndefinedVariablesAreTainted=true

This instructs the Dataflow Analyzer to watch out for register-globals-style vulnerabilities. However,

enabling this property interferes with Dataflow Analyzer findings in which a variable in an included

page is initialized to a tainted value in an earlier-occurring included page.

ColdFusion Command-Line Syntax

Type the following to translate ColdFusion source code:

sourceanalyzer -b <build_id> -source-base-dir <dir> <files> | <file_

specifiers>

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 114 of 232

User Guide

Chapter 16: Translating Other Languages and Configurations

where:

l

<build_id> specifies the build ID for the project

l

<dir> specifies the root directory of the web application

l

<files> | <file_specifiers> specifies the CFML source code files

For a description of how to use <file_specifiers>, see "Specifying Files and Directories" on

page 148.

Note: Fortify Static Code Analyzer calculates the relative path to each CFML source file with the

-source-base-dirdirectory as the starting point. Fortify Static Code Analyzer uses these

relative paths when it generates instance IDs. If you move the entire application source tree to a

different directory, the Fortify Static Code Analyzer- generated instance IDs remain the same if

you specify an appropriate parameter for the -source-base-diroption.

ColdFusion (CFML) Command-Line Options

The following table describes the CFML options.

ColdFusion Option

Description

The web application root directory.

-source-base-dir <web_app_root_dir> <files>

| <file_specifiers>

Equivalent Property Name:

com.fortify.sca.SourceBaseDir

Translating SQL

On Windows (and Linux for .NET projects only), Fortify Static Code Analyzer assumes that files with

the .sqlextension are T-SQL rather than PL/SQL. If you have PL/SQL files with the .sqlextension

on Windows, you must configure Fortify Static Code Analyzer to treat them as PL/SQL.

To specify the SQL type for translation on Windows platforms, type one of the following translation

commands:

sourceanalyzer -b <build_id> -sql-language TSQL <files>

or

sourceanalyzer -b <build_id> -sql-language PL/SQL <files>

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 115 of 232

User Guide

Chapter 16: Translating Other Languages and Configurations

Alternatively, you can change the default behavior for files with the .sqlextension. In the fortify-

sca.propertiesfile, set the com.fortify.sca.fileextensions.sqlproperty to TSQLor

PLSQL.

See Also

"SQL Properties" on page 209

PL/SQL Command-Line Example

The following example translates two PL/SQL files:

sourceanalyzer -b MyProject x.pks y.pks

The following example translates all PL/SQL files in the sourcesdirectory:

sourceanalyzer -b MyProject "sources/**/*.pks"

T-SQL Command-Line Example

The following example translates two T-SQL files:

sourceanalyzer -b MyProject x.sql y.sql

The following example translates all T-SQL files in the sourcesdirectory:

sourceanalyzer -b MyProject "sources\**\*.sql"

Note: This example assumes the com.fortify.sca.fileextensions.sqlproperty in

fortify-sca.propertiesis set to TSQL.

Translating Scala Code

Translating Scala code requires the following:

l

The Scala compiler plugin

You can download this plugin from the Maven Central Repository.

l

A Lightbend license file

This license file is included with the Fortify Static Code Analyzer installation in the <sca_install_

dir>/plugins/lightbenddirectory

For instructions on how set up the license and translate Scala code, see the Lightbend documentation

at https://developer.lightbend.com/guides/fortify.

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 116 of 232

User Guide

Chapter 16: Translating Other Languages and Configurations

Important! If your project contains source code other than Scala, you must translate the Scala

code using the Scala Fortify compiler plugin, and then translate other source code with

sourceanalyzer using the same build ID before you run the analysis phase.

Translating Infrastructure as Code (IaC)

Fortify Static Code Analyzer translates Azure Resource Manager (ARM), Bicep, AWS CloudFormation,

and HCL templates.

Note: HCL analysis support is specific to Terraform and supported cloud provider Infrastructure

as Code (IaC) configurations.

For best results, make sure that the template files are deployment valid. The templates must not

contain:

l

Validation errors that are static and locally detectable (for example, type errors or references to

undefined variables or functions).

l

Predeployment errors that occur during template interpretation, but before any resources are

deployed or modified (for example, invalid array indexing operations).

l

Deployment errors that occur in the cloud (for example, dynamically referencing a non-existent

resource).

Fortify recommends that AWS CloudFormation file name extensions are .json, .yaml, .template,

or .txt. Fortify Static Code Analyzer supports other extensions only if they are not commonly used

by other languages or file types (such as .javaor .html).

By default, Fortify Static Code Analyzer translates files with the HCL extensions .hcland .tf.

ARM Translation Command-Line Examples

Translate an ARM template:

sourceanalyzer -b MyProject ArmTemplate.json

Translate all ARM templates in a directory:

sourceanalyzer -b MyProject "src/**/*.json"

Bicep Translation Command-Line Examples

Translate a single Bicep template:

sourceanalyzer -b MyProject BicepTemplate.bicep

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 117 of 232

User Guide

Chapter 16: Translating Other Languages and Configurations

Translate all Bicep templates in a directory:

sourceanalyzer -b MyProject "src/**/*.bicep"

AWS CloudFormation Translation Command-Line Examples

Translate AWS CloudFormation templates that have different extensions:

sourceanalyzer -b MyProject CFTemplateA.template CFTemplateB.yaml

CFTemplateC.json CFTemplateD.customext

Translate all AWS CloudFormation templates in a directory that have the .templateextension:

sourceanalyzer -b MyProject "src/**/*.template"

Translate all AWS CloudFormation templates in a directory that have either the .jsonor .yaml

extension:

sourceanalyzer -b MyProject "src/**/*.json" "src/**/*.yaml"

HCL Translation Command-Line Examples

Translate two HCL templates with different extensions:

sourceanalyzer -b MyProject HCLTemplateA.hcl HCLTemplateB.tf

Translate all HCL templates in a directory:

sourceanalyzer -b MyProject "src/**/*.tf" "src/**/*.hcl"

See Also

"Translating JSON" below

"Translating YAML" on the next page

Translating JSON

By default, Fortify Static Code Analyzer translates files with the JSON extension .jsonas JSON. The

following example translates a JSON file:

sourceanalyzer -b MyProject x.json

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 118 of 232

User Guide

Chapter 16: Translating Other Languages and Configurations

The following example translates all JSON files in the sourcesdirectory:

sourceanalyzer -b MyProject "sources/**/*.json"

Translating YAML

By default, Fortify Static Code Analyzer translates files with the YAML extensions .yamland .yml.

The following example translates two YAML files with different file extensions:

sourceanalyzer -b MyProject x.yaml y.yml

The following example translates all YAML files in the sourcesdirectory:

sourceanalyzer -b MyProject "sources/**/*.yaml" "sources/**/*.yml"

Translating Dockerfiles

By default, Fortify Static Code Analyzer translates the following files as Dockerfiles: Dockerfile*,

dockerfile*, *.Dockerfile, and *.dockerfile.

Note: You can modify the file name extension used to detect Dockerfiles using the

com.fortify.sca.fileextensionsproperty. See "Translation and Analysis Phase Properties"

on page 187.

Fortify Static Code Analyzer accepts the following escape characters in Dockerfiles: backslash (\) and

backquote (`). If the escape character is not set in the Dockerfile, then Fortify Static Code Analyzer

assumes that the backslash is the escape character.

The syntax to translate a directory that contains Dockerfiles is shown in the following example:

sourceanalyzer -b <build_id> <dir>

If the Dockerfile is malformed, Fortify Static Code Analyzer writes an error to the log file to indicate

that the file cannot be parsed and skips the analysis of the Dockerfile. The following is an example of

the error written to the log:

Unable to parse dockerfile ProjA.Dockerfile, error on Line 1:20: mismatched

input '\n' expecting {LINE_EXTEND, WHITESPACE}

Unable to parse config file

C:/Users/jsmith/MyProj/docker/dockerfile/ProjA.Dockerfile

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 119 of 232

User Guide

Chapter 16: Translating Other Languages and Configurations

Translating ASP/VBScript Virtual Roots

Fortify Static Code Analyzer allows you to handle ASP virtual roots. For web servers that use virtual

directories as aliases that map to physical directories, Fortify Static Code Analyzer enables you to use

an alias.

For example, you can have virtual directories named Includeand Librarythat refer to the physical

directories C:\WebServer\CustomerOne\incand C:\WebServer\CustomerTwo\Stuff,

respectively.

The following example shows the ASP/VBScript code for an application that uses virtual includes:

For this example, the previous ASP code refers to the file in the following physical location:

C:\Webserver\CustomerOne\inc\Task1\foo.inc

The real directory replaces the virtual directory name Includein this example.

Accommodating Virtual Roots

To provide the mapping of each virtual directory to Fortify Static Code Analyzer, you must set the

com.fortify.sca.ASPVirtualRoots.name_of_virtual_directoryproperty in your Fortify

Static Code Analyzer command-line invocation as shown in the following example:

sourceanalyzer -Dcom.fortify.sca.ASPVirtualRoots.<virtual_directory>=<full_

path_to_corresponding_physical_directory>

Note: On Windows, if the physical path includes spaces, you must enclose the property setting in

quotes:

sourceanalyzer "-Dcom.fortify.sca.ASPVirtualRoots.<virtual_

directory>=<full_path_to_corresponding_physical_directory>"

To expand on the example in the previous section, pass the following property value to Fortify Static

Code Analyzer:

-Dcom.fortify.sca.ASPVirtualRoots.Include="C:\WebServer\CustomerOne\inc"

-Dcom.fortify.sca.ASPVirtualRoots.Library="C:\WebServer\CustomerTwo\Stuff"

This maps Includeto C:\WebServer\CustomerOne\incand Libraryto

C:\WebServer\CustomerTwo\Stuff.

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 120 of 232

User Guide

Chapter 16: Translating Other Languages and Configurations

When Fortify Static Code Analyzer encounters the #includedirective:

Fortify Static Code Analyzer determines if the project contains a physical directory named Include. If

there is no such physical directory, Fortify Static Code Analyzer looks through its runtime properties

and finds the -Dcom.fortify.sca.ASPVirtualRoots.Include=

"C:\WebServer\CustomerOne\inc"setting. Fortify Static Code Analyzer then looks for this file:

C:\WebServer\CustomerOne\inc\Task1\foo.inc.

Alternatively, you can set this property in the fortify-sca.propertiesfile located in <sca_

install_dir>\Core\config. You must escape the backslash character (\) in the path of the

physical directory as shown in the following example:

com.fortify.sca.ASPVirtualRoots.Library=C:\\WebServer\\CustomerTwo\\Stuff

com.fortify.sca.ASPVirtualRoots.Include=C:\\WebServer\\CustomerOne\\inc

Note: The previous version of the ASPVirtualRoot property is still valid. You can use it on the

Fortify Static Code Analyzer command line as follows:

-Dcom.fortify.sca.ASPVirtualRoots=C:\WebServer\CustomerTwo\Stuff;

C:\WebServer\CustomerOne\inc

This prompts Fortify Static Code Analyzer to search through the listed directories in the order

specified when it resolves a virtual include directive.

Using Virtual Roots Example

You have a file as follows:

C:\files\foo\bar.asp

To specify this file, use the following include:

<!-- #include virtual="/foo/bar.asp">

Then set the virtual root in the sourceanalyzercommand as follows:

-Dcom.fortify.sca.ASPVirtualRoots=C:\files\foo

This strips the /foofrom the front of the virtual root. If you do not specify fooin the

com.fortify.sca.ASPVirtualRootsproperty, then Fortify Static Code Analyzer looks for

C:\files\bar.aspand fails.

The sequence to specify virtual roots is as follows:

1. Remove the first part of the path in the source.

2. Replace the first part of the path with the virtual root as specified on the command line.

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 121 of 232

User Guide

Chapter 16: Translating Other Languages and Configurations

Classic ASP Command-Line Example

To translate a single file classic ASP written in VBScript named MyASP.asp, type:

sourceanalyzer -b mybuild "MyASP.asp"

VBScript Command-Line Example

To translate a VBScript file named myApp.vb, type:

sourceanalyzer -b mybuild "myApp.vb"

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 122 of 232

Chapter 17: Integrating Fortify Static Code

Analyzer into a Build

You can integrate the analysis into supported build tools.

This section contains the following topics:

Modifying a Build Script to Start Fortify Static Code Analyzer

Using Touchless Build Integration

Integrating with Ant

Integrating with Bazel

Integrating with CMake

Integrating with Gradle

Integrating with Maven

Build Integration

You can translate entire projects with a single operation. Prefix your original build operation with the

sourceanalyzercommand followed by the Fortify Static Code Analyzer options.

The basic command-line syntax to translate a complete project is:

sourceanalyzer -b <build_id> [<sca_options>] <build_tool> [<build_tool_

options>]

where <build_tool> is the name of your build tool, such as make, gmake, msbuild, devenv, or

xcodebuild. See the Fortify Software System Requirements document for a list of supported build

tools. Fortify Static Code Analyzer executes your build tool and intercepts all compiler operations to

collect the specific command line used for each input.

Note: Fortify Static Code Analyzer only processes the compiler commands that the build tool

executes. If you do not clean your project before you execute the build, then Fortify Static Code

Analyzer only processes those files that the build tool re-compiles.

For information about integrating with Xcodebuild, see "iOS Code Analysis Command-Line Syntax" on

page 86. For information about integration with MSBuild, see "Translating Visual Studio Projects" on

page 65.

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 123 of 232

User Guide

Chapter 17: Integrating Fortify Static Code Analyzer into a Build

Successful build integration requires that the build tool:

l

Executes a Fortify Static Code Analyzer-supported compiler

l

Executes the compiler on the operating system path search, not with a hardcoded path (This

requirement does not apply to xcodebuild integration.)

l

Executes the compiler, rather than executing a sub-process that then executes the compiler

If you cannot meet these requirements in your environment, see "Modifying a Build Script to Start

Fortify Static Code Analyzer" below.

Make Example

If you build your project with the following build commands:

make clean

make

make install

then you can simultaneously translate and compile the entire project with the following example

commands:

make clean

sourceanalyzer -b MyProject make

make install

Modifying a Build Script to Start Fortify Static Code

Analyzer

As an alternative to build integration, you can modify your build script to prefix each compiler, linker,

and archiver operation with the sourceanalyzercommand. For example, a makefile often defines

variables for the names of these tools:

CC=gcc

CXX=g++

LD=ld

AR=ar

You can prepend the tool references in the makefile with the sourceanalyzercommand and the

appropriate Fortify Static Code Analyzer options.

CC=sourceanalyzer -b mybuild gcc

CXX=sourceanalyzer -b mybuild g++

LD=sourceanalyzer -b mybuild ld

AR=sourceanalyzer -b mybuild ar

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 124 of 232

User Guide

Chapter 17: Integrating Fortify Static Code Analyzer into a Build

When you use the same build ID for each operation, Fortify Static Code Analyzer automatically

combines each of the separately-translated files into a single translated project.

Using Touchless Build Integration

Fortify Static Code Analyzer includes a generic build tool called touchlessthat enables translation

of projects using build systems that Fortify Static Code Analyzer does not directly support. The

command-line syntax for touchless build integration is:

sourceanalyzer -b <build_id> touchless <build_command>

For example, you might use a python script called build.pyto compute dependencies and execute

appropriately-ordered C compiler operations. Then to execute your build, run the following command:

python build.py

Fortify Static Code Analyzer does not have native support for such a build design. However, you can

use the touchless build tool to translate and build the entire project with the single command:

sourceanalyzer -b <build_id> touchless python build.py

The same requirements for successful build integration with supported build systems described

earlier in this chapter (see "Build Integration" on page 123) apply to touchless integration with

unsupported build systems.

Integrating with Ant

You can translate Java source files for projects that use an Ant build file. You can apply this

integration on the command line without modifying the Ant build.xmlfile. When the build runs,

Fortify Static Code Analyzer intercepts all javactask invocations and translates the Java source files

as they are compiled. Make sure that you pass any properties to Ant by adding them to the ANT_

OPTS environment variable. Do not include them in the sourceanalyzer command.

Note: You must translate any JSP files, configuration files, or any other non-Java source files that

are part of the application in a separate step.

To use the Ant integration, make sure that the sourceanalyzerexecutable is on the system PATH.

Prepend your Ant command-line with the sourceanalyzercommand as follows:

sourceanalyzer -b <build_id> ant [<ant_options>]

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 125 of 232

User Guide

Chapter 17: Integrating Fortify Static Code Analyzer into a Build

Integrating with Bazel

You can translate projects written in Java or Python that are built with Bazel. When the build runs,

Fortify Static Code Analyzer translates the source files as they are compiled. See the Fortify Software

System Requirements document for supported Bazel versions.

Make sure the following requirements are met before you run the Fortify Static Code Analyzer Bazel

integration:

l

Your Bazel build runs without errors.

l

The sourceanalyzerexecutable is on the system PATH.

After the build is complete, always run the Fortify Static Code Analyzer analysis phase with the

same version of Fortify Static Code Analyzer that is on the system PATH.

To run the translation phase for the configured Java or Python, go to the Bazel workspace directory,

and then run the Fortify Static Code Analyzer command with the target you want to build. Prepend

the Bazel build command line with the sourceanalyzercommand as follows:

sourceanalyzer -b <build_id> <sca_options> bazel build <target>

Note: If you have multiple Fortify Static Code Analyzer installations, make sure that the version

you want to use for your Bazel projects is defined before all other Fortify Static Code Analyzer

versions on the system PATH.

Examples

Translate a project for a specific target:

sourceanalyzer -b MyProjectA bazel build //proja:my-prj

Translate target abcin package proja/abc:

sourceanalyzer -b MyProjectA bazel build //proja/abc

or

sourceanalyzer -b MyProjectA bazel build //proja/abc:abc

Translate all targets in the package proja/abc:

sourceanalyzer -b MyProjectA bazel build //proja/abc:all

Translate all targets within the projb/directory:

sourceanalyzer -b MyProjectB bazel build //projb/...

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 126 of 232

User Guide

Chapter 17: Integrating Fortify Static Code Analyzer into a Build

Specify a specific JDK version for the translation:

sourceanalyzer -b MyProjectC -jdk 17 bazel build //projc:my-java-prj

Specify Python project dependencies for the translation:

sourceanalyzer -b MyProjectD -python-path /usr/local/lib/python3.6/ bazel

build //projd:my-python-app

Fortify Static Code Analyzer Bazel integration does not support multiple targets and related actions

such as excluding targets.

See Also

"Java Command-Line Options" on page 54

"Python Command-Line Options" on page 80

Integrating with CMake

On non-Windows systems, you can translate projects that are built with CMake by incorporating a

JSON compilation database in the Fortify Static Code Analyzer command. This is only supported for

Makefile and Ninja generators (see the CMake Reference Documentation for more information).

To integrate Fortify Static Code Analyzer with a CMake build:

1.

Generate a compile_commands.jsonfile for your CMake project.

Add -DCMAKE_EXPORT_COMPILE_COMMANDS=yesto the cmakeconfigure command. For

example:

cmake -G Ninja -DCMAKE_EXPORT_COMPILE_COMMANDS=yes

2.

Include the JSON compilation database in your sourceanalyzercommand as follows:

sourceanalyzer -b <build_id> compile_commands.json

Integrating with Gradle

Fortify Static Code Analyzer provides translation integration with projects that are built with Gradle.

You can either integrate without modifying your build script or you can use the Fortify Static Code

Analyzer Gradle plugin.

Using Gradle Integration

You can translate projects that are built with Gradle without any modification of the build.gradle

file. When the build runs, Fortify Static Code Analyzer translates the source files as they are compiled.

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 127 of 232

User Guide

Chapter 17: Integrating Fortify Static Code Analyzer into a Build

Alternatively, you can use the Fortify Static Code Analyzer Gradle Plugin to perform the analysis from

within your Gradle build script (see "Using the Fortify Static Code Analyzer Gradle Plugin" on the next

page).

See the Fortify Software System Requirements document for platforms and languages supported

specifically for Gradle integration. Any files in the project in unsupported languages for Gradle

integration are not translated (with no error reporting). These files are therefore not analyzed, and

any existing potential vulnerabilities can go undetected.

To integrate Fortify Static Code Analyzer into your Gradle build, make sure that the

sourceanalyzerexecutable is on the system PATH. Always use the sourceanalyzerexecutable

from the system PATH for all Gradle commands to build the project.

Note: If you have multiple Fortify Static Code Analyzer installations, make sure that the version

you want to use for your Gradle projects is defined before all other Fortify Static Code Analyzer

versions on the system PATH.

Prepend the Gradle command line with the sourceanalyzercommand as follows:

sourceanalyzer -b <build_id> <sca_options> gradle [<gradle_options>]

<gradle_tasks>

Examples

sourceanalyzer -b MyProject gradle clean build

sourceanalyzer -b MyProject gradle --info assemble

If your build file name is different than build.gradle, then include the build file name with the --

build-fileoption as shown in the following example:

sourceanalyzer -b MyProject gradle --build-file sample.gradle clean

assemble

You can also use the Gradle Wrapper (gradlew) as shown in the following example:

sourceanalyzer -b MyProject gradlew [<gradle_options>]

If your application uses XML or property configuration files, translate these files with a separate

sourceanalyzercommand. Use the same build ID that you used for the project files. The following

are examples:

sourceanalyzer -b MyProject <path_to_xml_files>

sourceanalyzer -b MyProject <path_to_properties_files>

After translating the project with gradle or gradlew, you can then perform the analysis phase and

save the results in an FPR file as shown in the following example:

sourceanalyzer -b MyProject -scan -f MyResults.fpr

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 128 of 232

User Guide

Chapter 17: Integrating Fortify Static Code Analyzer into a Build

Including Verbose and Debug Options

If you use the Fortify Static Code Analyzer -verboseoption, then you must also include the -gradle

option. Use of this option applies to both Gradle and the Gradle Wrapper. For example:

sourceanalyzer -b MyProject -gradle -verbose gradle assemble

As part of the gradle integration, Fortify Static Code Analyzer temporarily updates the original build

file build.gradle. If you include the -debugoption, Fortify Static Code Analyzer saves a copy of the

original build file as build.gradle.orig). After the analysis with the -debugoption is complete,

rename the build.gradle.origfile back to build.gradleand run sourceanalyzer again without

the -debugoption.

Troubleshooting Gradle Integration

If you use configuration caching (--configuration-cacheoption) in your Gradle build with Fortify

Static Code Analyzer Gradle integration, the build reports the following messages:

Configuration cache problems found in this build.

You also might see a failure message such as the following:

FAILURE: Build failed with an exception...

You can safely ignore this failure message with respect to the Fortify Static Code Analyzer translation

because the project is translated. You can verify that the project is translated using the -show-files

option. For example:

sourceanalyzer -b mybuild -show-files

Using the Fortify Static Code Analyzer Gradle Plugin

The Fortify Static Code Analyzer installation includes a Gradle plugin located in <sca_install_

dir>/plugins/gradle. To use the Fortify Static Code Analyzer Gradle Plugin, you need to first

configure the plugin for your Java or Kotlin project and then use the plugin to analyze your project.

The Gradle plugin provides three Fortify Static Code Analyzer tasks for the analysis: sca.clean,

sca.translate, and sca.scan. See the Fortify Software System Requirements document for platforms

and languages supported specifically for Fortify Static Code Analyzer Gradle plugin.

Note: If you have multiple Fortify Static Code Analyzer installations, make sure that the version

you want to use for your Gradle projects is defined before all other Fortify Static Code Analyzer

versions on the system PATH.

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 129 of 232

User Guide

Chapter 17: Integrating Fortify Static Code Analyzer into a Build

To configure the Fortify Static Code Analyzer Gradle Plugin:

1. Edit the Gradle settings file to specify the path to the plugin:

l

Groovy DSL (settings.gradle):

pluginManagement {

repositories {

gradlePluginPortal()

maven {

url = uri("file://<sca_plugin_path>")

}

l

Kotlin DSL (settings.gradle.kts):

pluginManagement {

repositories {

maven(url = uri("file://<sca_plugin_path>"))

gradlePluginPortal()

}

2. Add entries to the build script as shown in the following examples:

l

Groovy DSL (build.gradle):

id 'com.fortify.sca.plugins.gradlebuild' version '24.2'

and

SCAPluginExtension {

buildId = "mybuild"

options = ["-encoding", "utf-8", "-logfile", "mybuild.log",

"-debug-verbose"]

}

l

Kotlin DSL (build.gradle.kts):

plugins {

id ("com.fortify.sca.plugins.gradlebuild") version "24.2"

...

}

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 130 of 232

User Guide

Chapter 17: Integrating Fortify Static Code Analyzer into a Build

and

SCAPluginExtension {

buildId = "mybuild"

options = listOf("-encoding", "utf-8", "-logfile", "mybuild.log",

"-debug-verbose")

}

3. Save and close the Gradle settings and Gradle build files.

Analyze a Java or Kotlin project with following command sequence:

l

To remove all existing Fortify Static Code Analyzer temporary files for an existing Java or Kotlin

project build, run the following:

gradlew sca.clean

l

To run the translation phase for the configured Java or Kotlin project, run the following:

gradlew sca.translate

l

To analyze the configured Java or Kotlin project, run the following:

gradlew sca.scan

This task runs successfully if Fortify Static Code Analyzer has already translated the project using

the Fortify Static Code Analyzer Gradle Plugin.

Working with Java or Kotlin Projects that have Subprojects

If you have a Java or Kotlin multi-project build (with subprojects), then you must configure the Fortify

Static Code Analyzer Gradle plugin using an allprojectsblock. This is shown in the following

examples.

Groovy DSL (build.gradle)

allprojects {

apply plugin: "com.fortify.sca.plugins.gradlebuild"

SCAPluginExtension {

buildId = "mybuild"

options = ["-encoding", "utf-8", "-logfile", "mybuild.log",

"-debug-verbose"]

...

}

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 131 of 232

User Guide

Chapter 17: Integrating Fortify Static Code Analyzer into a Build

Kotlin DSL (build.gradle.kts):

allprojects {

apply(plugin = "com.fortify.sca.plugins.gradlebuild")

SCAPluginExtension {

buildId = "mybuild"

options = listOf("-encoding", "utf-8", "-logfile", "mybuild.log",

"-debug-verbose")

...

}

See Also

"Using Gradle Integration" on page 127

Integrating with Maven

Fortify Static Code Analyzer includes a Maven plugin that provides a way to add the following

capabilities to your Maven project builds:

l

Fortify Static Code Analyzer clean, translate, scan

l

Fortify Static Code Analyzer export mobile build session (MBS) for a Fortify Static Code Analyzer

translated project

l

Send translated code to Fortify ScanCentral SAST

l

Upload results to Fortify Software Security Center

You can use the plugin directly or integrate its functionality into your build process.

Installing and Updating the Fortify Maven Plugin

The Fortify Maven Plugin is located in <sca_install_dir>/plugins/maven. This directory

contains a binary and a source version of the plugin in both zip and tarball archives. To install the

plugin, extract the version (binary or source) that you want to use, and then follow the instructions in

the included README.TXTfile. Perform the installation in the directory where you extracted the

archive.

For information about supported versions of Maven, see the Fortify Software System Requirements

document.

If you have a previous version of the Fortify Maven Plugin installed, then install the latest version.

Uninstalling the Fortify Maven Plugin

To uninstall the Fortify Maven Plugin, manually delete all files from the <maven_local_

repo>/repository/com/fortify/ps/maven/plugindirectory.

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 132 of 232

User Guide

Chapter 17: Integrating Fortify Static Code Analyzer into a Build

Testing the Fortify Maven Plugin Installation

After you install the Fortify Maven Plugin, use one of the included sample files to be sure your

installation works properly.

To test the Fortify Maven Plugin using the Eightball sample file:

1.

Add the directory that contains the sourceanalyzerexecutable to the path environment

variable.

For example:

export set PATH=$PATH:/<sca_install_dir>/bin

or

set PATH=%PATH%;<sca_install_dir>/bin

2.

3.

Type sourceanalyzer -versionto test the path setting.

Fortify Static Code Analyzer displays the version information if the path setting is correct.

Navigate to the sample Eightball directory: <root_dir>/samples/EightBall.

4. Type the following command:

mvn com.fortify.sca.plugins.maven:sca-maven-plugin:<ver>:clean

where <ver> is the version of the Fortify Maven Plugin you are using. If the version is not

specified, Maven uses the latest version of the Fortify Maven Plugin installed in the local

repository.

Note: To see the version of the Fortify Maven Plugin, open the pom.xmlfile that you

extracted in <root_dir> in a text editor. The Fortify Maven Plugin version is specified in the

<version>element.

5. If the command in step 4 completed successfully, then the Fortify Maven Plugin is installed

correctly. The Fortify Maven Plugin is not installed correctly if you get the following error

message:

[ERROR] Error resolving version for plugin

'com.fortify.sca.plugins.maven:sca-maven-plugin' from the repositories

Check the Maven local repository and try to install the Fortify Maven Plugin again.

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 133 of 232

User Guide

Chapter 17: Integrating Fortify Static Code Analyzer into a Build

Using the Fortify Maven Plugin

There are two ways to perform a Fortify analysis on a maven project:

l

As a Maven Plugin

In this method, you perform the Fortify analysis tasks as goals with the mvncommand. For example,

use the following command to translate source code:

mvn com.fortify.sca.plugins.maven:sca-maven-plugin:<ver>:translate

To analyze your code this way, see the documentation included with the Fortify Maven Plugin. The

following table describes where to find the documentation after you install the Fortify Maven

Plugin.

Package Type Documentation Location

Binary

Source

<root_dir>/docs/index.html

<root_dir>/sca-maven-plugin/target/site/index.html

l

In a Fortify Static Code Analyzer build integration

In this method, prepend the maven command used to build your project with the sourceanalyzer

command and any Fortify Static Code Analyzer options. To analyze your files as part of a Fortify

Static Code Analyzer build integration:

a. Clean out the previous build:

sourceanalyzer -b MyProject -clean

b. Translate the code:

sourceanalyzer -b MyProject [<sca_options>] [<mvn_command_with_

options>]

For example:

sourceanalyzer -b MyProject mvn package

See "Command-Line Interface" on page 135 for descriptions of available Fortify Static Code

Analyzer options.

c. Complete the analysis by running the scan and saving the results in an FPR file as shown in the

following example:

sourceanalyzer -b MyProject [<sca_scan_options>] -scan -f

MyResults.fpr

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 134 of 232

Chapter 18: Command-Line Interface

This chapter describes general Fortify Static Code Analyzer command-line options and how to specify

source files for analysis. Command-line options that are specific to a language are described in the

chapter for that language.

This section contains the following topics:

Specifying Files and Directories

Translation Options

The following table describes the translation options.

Translation Option

Description

Specifies a build ID. Fortify Static Code Analyzer uses a build ID to

-b <build_id>

track the files that are compiled and combined as part of a build, and

then later, to scan those files.

Equivalent Property Name:

com.fortify.sca.BuildID

Specifies a colon-separated list of languages to exclude from the

-disable-language

translation phase. The valid language values are abap,

actionscript, apex, cfml, cobol, configuration, cpp, dart,

dotnet, golang, java, javascript, jsp, kotlin, objc, php,

plsql, python, ruby, scala, sql, swift, tsql, typescript, and

vb.

Equivalent Property Name:

com.fortify.sca.DISabledLanguages

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 135 of 232

User Guide

Chapter 18: Command-Line Interface

Translation Option

Description

Specifies a colon-separated list of languages to translate. The valid

-enable-language

language values are abap, actionscript, apex, cfml, cobol,

configuration, cpp, dart, dotnet, golang, java, javascript,

jsp, kotlin, objc, php, plsql, python, ruby, scala, sql, swift,

tsql, typescript, and vb.

Equivalent Property Name:

com.fortify.sca.EnabledLanguages

Specifies the files to exclude from the translation. Files excluded

from translation are also not scanned. Separate multiple file paths

with semicolons (Windows) or colons (non-Windows). For example:

-exclude

<file_specifiers>

sourceanalyzer –cp "**/*.jar" "**/*"

-exclude "**/Test/*.java"

This example excludes all Java files in any Testsubdirectory. See

"Specifying Files and Directories" on page 148 for more information

on how to use file specifiers.

Note: When you integrate the translation with most compilers or

build tools, Fortify Static Code Analyzer translates all source files

that the compiler or build tool processes even if this option

specifies to exclude them. However, the Fortify Static Code

Analyzer xcodebuild and MSBuild integrations do support the

-excludeoption.

Equivalent Property Name:

com.fortify.sca.exclude

Specifies the source file encoding type. Fortify Static Code Analyzer

enables you to scan a project that contains differently encoded

source files. To work with a multi-encoded project, you must specify

-encoding <encoding_

name>

the -encodingoption in the translation phase, when Fortify Static

Code Analyzer first reads the source code file. Fortify Static Code

Analyzer remembers this encoding in the build session and

propagates it into the FVDL file.

Valid encoding names are from the java.nio.charset.Charset.

Typically, if you do not specify the encoding type, Fortify Static Code

Analyzer uses file.encodingfrom the

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 136 of 232

User Guide

Chapter 18: Command-Line Interface

Translation Option

Description

java.io.InputStreamReaderconstructor with no encoding

parameter. In a few cases (for example with the ActionScript parser),

Fortify Static Code Analyzer defaults to UTF-8encoding.

Equivalent Property Name:

com.fortify.sca.InputFileEncoding

When specified before a compiler command line, Fortify Static Code

Analyzer translates the source file but does not run the compiler.

-nc

Specifies the file type for source files that have no extension. The

-noextension-type

<file_type>

valid file type values are ABAP, ACTIONSCRIPT, APEX, APEX_OBJECT,

APEX_TRIGGER, ARCHIVE, ASPNET, ASP, ASPX, BITCODE, BSP,

BYTECODE, CFML, COBOL, CSHARP, DART, DOCKERFILE, FLIGHT,

GENERIC, GO, HOCON, HTML, INI, JAVA, JAVA_PROPERTIES,

JAVASCRIPT, JSP, JSPX, KOTLIN, MSIL, MXML, OBJECT, PHP, PLSQL,

PYTHON, RUBY, RUBY_ERB, SCALA, SWIFT, SWC, SWF, TLD, SQL, TSQL,

TYPESCRIPT, VB, VB6, VBSCRIPT, VISUAL_FORCE, VUE, and XML.

Specifies the directory to store intermediate files generated in the

translation and analysis phases. Fortify Static Code Analyzer makes

extensive use of intermediate files located in this project root

directory. In some cases, you can achieve better performance for

analysis by making sure this directory is on local storage rather than

on a network drive.

-project-root

Equivalent Property Name:

com.fortify.sca.ProjectRoot

Analysis Options

The following table describes the analysis options.

Analysis Option

Description

Specifies the build ID used in a prior translation command.

-b <build_id>

Equivalent Property Name:

com.fortify.sca.BuildID

Causes Fortify Static Code Analyzer to perform a security analysis for

-scan

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 137 of 232

User Guide

Chapter 18: Command-Line Interface

Analysis Option

Description

the specified build ID.

Note: Do not use this option together with the -scan-module

option in the same sourceanalyzer command.

-scan-policy

<policy_name>

Specifies a scan policy for the scan. The valid policy names are classic,

security, and devops. For more information, see "Applying a Scan

|

-sc<policy_name>

Policy to the Analysis" on page 48.

Equivalent Property Name:

com.fortify.sca.ScanPolicy

Causes Fortify Static Code Analyzer to perform a security analysis for

the specified build ID as a separate module.

-scan-module

Note: Do not use this option together with the -scanoption in the

same sourceanalyzer command.

Equivalent Property Name:

com.fortify.sca.ScanScaModule

Specifies the libraries previously scanned as separate modules in a

comma- or colon-separated list of build IDs to include in the project scan.

-include-modules

Equivalent Property Name:

com.fortify.sca.IncludeScaModules

Specifies the analyzers you want to enable with a colon- or comma-

-analyzers

<analyzer_list>

separated list of analyzers. The valid analyzer names are buffer,

content, configuration, controlflow, dataflow, nullptr,

semantic, and structural. You can use this option to disable

analyzers that are not required for your security requirements.

Equivalent Property Name:

com.fortify.sca.DefaultAnalyzers

Uses speed dial to scan the project with a scan precision level. The lower

the scan precision level, the faster the scan performance. The valid

-p <level> |

-scan-precision

<level>

values are 1, 2, 3, and 4. For more information, see "Configuring Scan

Speed with Speed Dial" on page 161.

Equivalent Property Name:

com.fortify.sca.PrecisionLevel

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 138 of 232

User Guide

Chapter 18: Command-Line Interface

Analysis Option

Description

Specifies the directory to store intermediate files generated in the

translation and analysis phases. Fortify Static Code Analyzer makes

extensive use of intermediate files located in this project root directory.

In some cases, you can achieve better performance for analysis by

making sure this directory is on local storage rather than on a network

drive.

-project-root

Equivalent Property Name:

com.fortify.sca.ProjectRoot

Specifies the issue template file to use for the scan. This only affects

scans on the local machine. If you upload the FPR to Fortify Software

Security Center, it uses the issue template assigned to the application

version.

-project-template

<file>

Equivalent Property Name:

com.fortify.sca.ProjectTemplate

Quickly scan the project for critical- and high-priority issues using the

-quick

fortify-sca-quickscan.propertiesfile, which provides a less in-

depth analysis. By default, quick scan disables the Buffer Analyzer and

the Control Flow Analyzer. In addition, it applies the Quick View filter set.

For more information, see "Quick Scan" on page 160.

Equivalent Property Name:

com.fortify.sca.QuickScanMode

Specifies a results filter file. For more information, see "Filtering the

Analysis" on page 180.

-filter <file>

-bin <binary> |

Equivalent Property Name:

com.fortify.sca.FilterFile

Specifies a subset of source files to scan. Only the source files that were

linked in the named binary at build time are included in the scan. You can

use this option multiple times to specify the inclusion of multiple binaries

in the scan.

-binary-name

Equivalent Property Name:

com.fortify.sca.BinaryName

Disables all rules of the specified type in the default Rulepacks. You can

use this option multiple times to specify multiple rule types.

-disable-default-

rule-type

<type>

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 139 of 232

User Guide

Chapter 18: Command-Line Interface

Analysis Option

Description

The <type> parameter is the XML tag minus the suffix Rule. For

example, use DataflowSourcefor DataflowSourceRule elements. You

can also specify specific sections of characterization rules, such as

Characterization:Control flow, Characterization:Issue, and

Characterization:Generic.

The <type> parameter is case-insensitive.

Disables rules in default Rulepacks that lead directly to issues. Fortify

Static Code Analyzer still loads rules that characterize the behavior of

functions.

-no-default-issue-

rules

Note: This is equivalent to disabling the following rule types:

DataflowSink, Semantic, Controlflow, Structural, Configuration,

Content, Statistical, Internal, and Characterization:Issue.

Equivalent Property Name:

com.fortify.sca.NoDefaultIssueRules

Disables loading of rules from the default Rulepacks. Fortify Static Code

Analyzer processes the Rulepacks for description elements and language

libraries, but processes no rules.

-no-default-rules

Equivalent Property Name:

com.fortify.sca.NoDefaultRules

Disables source rules in the default Rulepacks.

-no-default-

source-rules

Note: Characterization source rules are not disabled.

Equivalent Property Name:

com.fortify.sca.NoDefaultSourceRules

Disables sink rules in the default Rulepacks.

-no-default-sink-

rules

Note: Characterization sink rules are not disabled.

Equivalent Property Name:

com.fortify.sca.NoDefaultSinkRules

Specifies a custom Rulepack or directory. You can use this option

multiple times to specify multiple Rulepack files. If you specify a

directory, Fortify Static Code Analyzer includes all the files in the

-rules <file> |

<dir>

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 140 of 232

User Guide

Chapter 18: Command-Line Interface

Analysis Option

Description

directory with the .binand .xmlextensions.

Equivalent Property Name:

com.fortify.sca.RulesFile

Output Options

The following table describes the output options. Apply all these options during the analysis phase

(with the -scanoption). You can specify the build-label, build-project, and build-version

options during the translation phase and they are overridden if specified again for the analysis phase.

Output Option

Description

Specifies the file to which analysis results are written. If you do not

specify an output file, Fortify Static Code Analyzer writes the output to

the terminal.

-f <file> |

-output-file

<file>

Equivalent Property Name:

com.fortify.sca.ResultsFile

-format <format>

Controls the output format. Valid options are fpr, fvdl, fvdl.zip,

text, and auto. The default is auto, which selects the output format

based on the file name extension of the file provided with the -foption.

The FVDL is an XML file that contains the detailed Fortify Static Code

Analyzer analysis results. This includes vulnerability details, rule

descriptions, code snippets, command-line options used in the scan, and

any scan errors or warnings.

The FPR is a package of the analysis results that includes the FVDL file

as well as extra information such as a copy of the source code used in the

scan, the external metadata, and custom rules (if applicable). Fortify

Audit Workbench is automatically associated with the .fprextension.

Note: If you use result certification, you must specify the fprformat.

See the OpenText™ Fortify Audit Workbench User Guide for

information about result certification.

You can prevent some information from being included in the FPR or

FVDL file to improve scan time or output file size. See other options in

this table and see "Optimizing FPR Files" on page 164.

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 141 of 232

User Guide

Chapter 18: Command-Line Interface

Output Option

Description

Equivalent Property Name:

com.fortify.sca.Renderer

-append

Appends results to the file specified with the -foption. The resulting

FPR file contains the issues from the earlier scan as well as issues from

the current scan. The build information and program data (lists of

sources and sinks) sections are also merged. To use this option, the

output file format must be fpror fvdl. For information on the -format

output option, see the description in this table.

The engine data, which includes Fortify Software Security

Content information, command-line options, system properties,

warnings, errors, and other information about the execution of Fortify

Static Code Analyzer (as opposed to information about the program

being analyzed), is not merged. Because engine data is not merged with

the -appendoption, Fortify does not certify results generated with -

append.

If this option is not specified, Fortify Static Code Analyzer adds any new

findings to the FPR file, and labels the older result as previousfindings.

In general, only use the -appendoption when it is impossible to analyze

an entire application at once.

Equivalent Property Name:

com.fortify.sca.OutputAppend

Specifies a label for the project to include in the analysis results. You can

include this option during the translation or the analysis phase. Fortify

Static Code Analyzer does not use this label for code analysis.

-build-label

<label>

Equivalent Property Name:

com.fortify.sca.BuildLabel

Specifies a name for the project to include in the analysis results. You can

include this option during the translation or the analysis phase. Fortify

Static Code Analyzer does not use this name for code analysis.

-build-project

<project_name>

Equivalent Property Name:

com.fortify.sca.BuildProject

Specifies a version for the project to include in the analysis results. You

can include this option during the translation or the analysis phase.

-build-version

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 142 of 232

User Guide

Chapter 18: Command-Line Interface

Output Option

Description

Fortify Static Code Analyzer does not use this version for code analysis.

Equivalent Property Name:

com.fortify.sca.BuildVersion

Excludes source files from the analysis results file.

-disable-source-

bundling

Equivalent Property Name:

com.fortify.sca.FPRDisableSourceBundling

Excludes the Fortify Software Security Content descriptions from the

analysis results file.

-fvdl-no-

descriptions

Equivalent Property Name:

com.fortify.sca.FVDLDisableDescriptions

Excludes engine data from the analysis results file. The engine data

includes Fortify Software Security Content information, command-line

options, system properties, warnings, errors, and other information about

the Fortify Static Code Analyzer execution.

-fvdl-no-

enginedata

Equivalent Property Name:

com.fortify.sca.FVDLDisableEngineData

Excludes program data from the analysis results file. This removes the

taint source information from the Functions view in Fortify Audit

Workbench.

-fvdl-no-progdata

Equivalent Property Name:

com.fortify.sca.FVDLDisableProgramData

Excludes the code snippets from the analysis results file.

-fvdl-no-snippets

Equivalent Property Name:

com.fortify.sca.FVDLDisableSnippets

Other Options

The following table describes other options.

Other Option

Description

Reads command-line options from the specified file.

@<file>

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 143 of 232

User Guide

Chapter 18: Command-Line Interface

Other Option

Description

Note: By default, this file uses the JVM system encoding. You can

change the encoding by using the

com.fortify.sca.CmdlineOptionsFileEncodingproperty

specified in the fortify-sca.propertiesfile. For more

information about this property, see "Translation and Analysis Phase

Properties" on page 187.

Prints a summary of command-line options.

-h|

-?|

-help

Includes debug information in the Fortify Support log file, which is only

useful for Customer Support to help troubleshoot.

-debug

Equivalent Property Name:

com.fortify.sca.Debug

-debug-verbose

This is the same as the -debugoption, but it includes more details,

specifically for parse errors.

Equivalent Property Name:

com.fortify.sca.DebugVerbose

Includes performance information in the Fortify Support log.

-debug-mem

-verbose

Equivalent Property Name:

com.fortify.sca.DebugTrackMem

Sends verbose status messages to the console and to the Fortify

Support log file.

Equivalent Property Name:

com.fortify.sca.Verbose

Specifies the log file that Fortify Static Code Analyzer creates.

-logfile <file>

Equivalent Property Name:

com.fortify.sca.LogFile

Directs Fortify Static Code Analyzer to overwrite the log file for each run

of sourceanalyzer. Without this option, Fortify Static Code Analyzer

appends information to the log file.

-clobber-log

Equivalent Property Name:

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 144 of 232

User Guide

Chapter 18: Command-Line Interface

Other Option

Description

com.fortify.sca.ClobberLogFile

Disables the command-line progress information.

-quiet

Equivalent Property Name:

com.fortify.sca.Quiet

Displays the Fortify Static Code Analyzer version and versions of various

independent modules included with Fortify Static Code Analyzer (all

other functionality is contained in Fortify Static Code Analyzer).

-version|

-v

Enables automatic allocation of memory based on the physical memory

available on the system. This is the default memory allocation setting.

-autoheap

Specifies the maximum amount of memory Fortify Static Code Analyzer

uses.

-Xmx<size>M| G

Heap sizes between 32 GB and 48 GB are not advised due to internal

JVM implementations. Heap sizes in this range perform worse than at 32

GB. The JVM optimizes heap sizes smaller than 32 GB. If your scan

requires more than 32 GB, then you need 64 GB or more. As a guideline,

assuming no other memory intensive processes are running, do not

allocate more than 2/3 of the available memory.

When you specify this option, make sure that you do not allocate more

memory than is physically available, because this degrades performance.

As a guideline, and the assumption that no other memory intensive

processes are running, do not allocate more than 2/3 of the available

memory.

Note: Specifying this option overrides the default memory allocation

obtained with the -autoheapoption.

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 145 of 232

User Guide

Chapter 18: Command-Line Interface

Directives

Use only one directive at a time and do not use any directive in conjunction with translation or

analysis commands. Use the directives described in the following table to list information about

previous translation commands.

Directive

Description

Deletes all Fortify Static Code Analyzer intermediate files and build

records. If you specify a build ID, only files and build records that relate

to that build ID are deleted.

-clean

Displays all objects created but not used in the production of any other

binaries. If fully integrated into the build, it lists all the binaries

produced.

-show-binaries

Displays a list of all known build IDs.

-show-build-ids

-show-build-tree

When you scan with the -binoption, displays all files used to create

the binary and all files used to create those files in a tree layout. If the

-binoption is not present, the tree is displayed for each binary.

Note: This option can generate an extensive amount of

information.

-show-build-warnings Use with the -boption to display any errors and warnings that

occurred in the translation phase on the console.

Note: Fortify Audit Workbench also displays these errors and

warnings in the results Certification tab.

-show-files

-show-loc

Displays the files included in the specified build ID. When the -bin

option is present, displays only the source files that went into the

binary.

Use with the -boption to display the number of lines in the translated

code.

LIM License Directives

Fortify Static Code Analyzer provides directives to manage the usage of your LIM license. You can

store or clear the LIM license pool credentials. You can also request (and release) a detached lease for

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 146 of 232

User Guide

Chapter 18: Command-Line Interface

offline analysis if the specified license pool permits detached leases.

Note: By default, Fortify Static Code Analyzer requires an HTTPS connection to the LIM server

and you must have a trusted certificate. For more information, see "Adding Trusted Certificates"

on page 42.

Use the directives described in the following table for a license managed by the LIM.

Directive

Description

Stores your LIM license pool credentials so that Fortify Static Code

Analyzer uses the LIM for licensing. The proxy information is optional.

Fortify Static Code Analyzer stores the pool password and the proxy

-store-license-pool-

credentials "<lim_

url>|<lim_pool_

name>|<lim_pool_

pwd>|<proxy_

credentials provided with this directive in the fortify-

sca.propertiesfile as encrypted data. If your license pool

credentials change after you have installed Fortify Static Code

Analyzer, you can run this directive again to save the new credentials.

url>|<proxy_

user>|<proxy_pwd>"

Example:

sourceanalyzer -store-license-pool-credentials

"https://<ip_address>:<port>|TeamA|mypassword"

Associated Property Names:

com.fortify.sca.lim.Url

com.fortify.sca.lim.PoolName

com.fortify.sca.lim.PoolPassword

com.fortify.sca.lim.ProxyUrl

com.fortify.sca.lim.ProxyUsername

com.fortify.sca.lim.ProxyPassword

-clear-license-pool- Removes the LIM license pool credentials from the fortify-

credentials

sca.propertiesfile. If your license pool credentials change, you can

remove them with this directive, and then use the -store-license-

pool-credentialsdirective to save the new credentials.

Requests a detached lease from the LIM license pool for exclusive use

on this system for the specified duration (in minutes). This enables

you to run Fortify Static Code Analyzer even when disconnected from

your corporate intranet.

-request-detached-

lease <duration>

Note: To use this directive, the license pool must be configured to

allow detached leases.

Releases a detached lease back to the license pool.

-release-detached-

lease

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 147 of 232

User Guide

Chapter 18: Command-Line Interface

Specifying Files and Directories

File specifiers are expressions that allow you to pass a long list of files or a directory to Fortify Static

Code Analyzer using wildcard characters. Fortify Static Code Analyzer recognizes two types of

wildcard characters: a single asterisk character (*) matches part of a file name, and double asterisk

characters (**) recursively matches directories. You can specify one or more files, one or more file

specifiers, or a combination of files and file specifiers.

Note: File specifiers do not apply to C, C++, or Objective-C++.

The following table describes examples of file and directory specifiers.

File / Directory Specifier

Description

Matches all files in the named directory and any

subdirectories or the named directory when used for a

directory parameter.

<dir>

<dir>/**/*

<dir>/**/Example.java

Matches any file named Example.javafound in the named

directory or any subdirectories.

Matches any file with the specified extension found in the

named directory.

<dir>/*.java

<dir>/*.jar

Matches any file with the specified extension found in the

named directory or any subdirectories.

<dir>/**/*.kt

<dir>/**/*.jar

Matches all directories and files found in the named directory

<dir>/**/beta/**

<dir>/**/classes/

**/test/**

that have betain the path, including betaas a file name.

Matches all directories and files with the name classes

found in the named directory and any subdirectories.

Matches all files in the current directory tree that have a

testelement in the path, including testas a file name.

**/webgoat/*

Matches all files in any webgoatdirectory in the current

directory tree.

Matches:

l

/src/main/java/org/owasp/webgoat

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 148 of 232

User Guide

Chapter 18: Command-Line Interface

File / Directory Specifier

Description

l

/test/java/org/owasp/webgoat

Does not match (assignmentsdirectory does not match)

l

/test/java/org/owasp/webgoat/assignments

Note: Windows and many Linux shells automatically expand parameters that contain the asterisk

character (*), so you must enclose file-specifier expressions in quotes. Also, on Windows, you can

use the backslash character (\) as the directory separator instead of the forward slash (/).

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 149 of 232

Chapter 19: Command-Line Tools

Fortify Static Code Analyzer command-line tools enable you to manage Fortify Security Content,

perform post-installation configurations, and monitor scans. These tools are located in <sca_

install_dir>/bin. The tools for Windows are provided as .bator .cmdfiles. The following table

describes the command-line tools installed with Fortify Static Code Analyzer.

Note: By default, log files for Fortify Static Code Analyzer tools are written to the following

directory:

l

Windows: C:\Users\<username>\AppData\Local\Fortify\<tool_name>-

<version>\log

l

Non-Windows: <userhome>/.fortify/<tool_name>-<version>/log

More

Tool

Description

Information

fortifyupdate

Compares installed security content to the current version

and makes any required updates

"About Updating

Security Content"

on the next page

FPRUtility

With this tool you can:

l

Merge audited projects

l

Verify FPR signatures

l

Display information from an FPR file

l

Combine or split source code files and audit projects into

FPR files

l

Alter an FPR

scapostinstall

SCAState

This tool enables you to migrate properties files from a

previous version of Fortify Static Code Analyzer, specify a

locale, and specify a proxy server for security content

updates and for Fortify Software Security Center.

"Running the

Post-Install Tool"

on page 39

Provides state analysis information on the JVM during the

analysis phase

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 150 of 232

User Guide

Chapter 19: Command-Line Tools

This section contains the following topics:

About Updating Security Content

151

154

Checking the Fortify Static Code Analyzer Scan Status

About Updating Security Content

You can use the fortifyupdate command-line tool to download the latest Fortify Secure Coding

Rulepacks and metadata from Fortify.

The fortifyupdate tool gathers information about the existing security content in your Fortify

installation and contacts the Fortify Rulepack update server with this information. The server returns

new or updated security content, and removes any obsolete security content from your Fortify Static

Code Analyzer installation. If your installation is current, a message is displayed to that effect.

Updating Security Content

Use the fortifyupdate command-line tool to either download security content or import a local copy of

the security content. This tool is located in the <sca_install_dir>/bindirectory.

The default read timeout for this tool is 180 seconds. To change the timeout setting, add the

rulepackupdate.SocketReadTimeoutSecondsproperty in the server.properties

configuration file. For more information, see the OpenText™ Fortify Static Code Analyzer Applications

and Tools Guide.

The basic command-line syntax for fortifyupdate is shown in the following example:

fortifyupdate [<options>]

To update your Fortify Static Code Analyzer installation with the latest Fortify Secure Coding

Rulepacks and external metadata from the Fortify Rulepack update server, type the following

command:

fortifyupdate

To update security content from the local system:

fortifyupdate -import <my_local_rules>.zip

To update security content from a Fortify Software Security Center server using credentials:

fortifyupdate -url <ssc_url> -sscUser <username> -sscPassword <password>

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 151 of 232

User Guide

Chapter 19: Command-Line Tools

fortifyupdate Command-Line Options

The following table describes the fortifyupdate options.

fortifyupdate Option

Description

Specifies to accept the public key. When this is

specified, you are not prompted to provide a public key.

Use this option to accept the public key if you are

-acceptKey

updating from a non-standard location using the -url

option.

Specifies to use the SSL certificate provided by the

server.

-acceptSSLCertificate

Imports the ZIP file that contains security content. By

-import <file>.zip

default, Rulepacks are imported into the <sca_

install_dir>/Core/config/rulesdirectory.

Specifies a core directory where fortifyupdate stores

the update. If this is not specified, the fortifyupdate

performs the update in the <sca_install_dir>.

-coreDir <dir>

Important! Make sure that you copy the contents

of the <sca_install_dir>/config/keysfolder

and paste it to a config/keysfolder in this

directory before you run fortifyupdate.

Specifies to only update external metadata.

Specifies to only update Rulepacks.

-includeMetadata

-includeRules

Specifies a locale. English is the default if no security

content exists for the specified locale. The valid values

are:

-locale <locale>

l

en(English)

l

es(Spanish)

l

ja(Japanese)

l

ko(Korean)

l

pt_BR(Brazilian Portuguese)

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 152 of 232

User Guide

Chapter 19: Command-Line Tools

fortifyupdate Option

Description

l

zh_CN(Simplified Chinese)

l

zh_TW(Traditional Chinese)

Note: The values are not case-sensitive.

Alternatively, you can specify a default locale for

security content updates in the fortify.properties

configuration file. For more information, see the

OpenText™ Fortify Static Code Analyzer Applications

and Tools Guide .

Specifies a proxy server network name or IP address.

Specifies a proxy server port number.

-proxyhost <host>

-proxyport <port>

Specifies a user name if the proxy server requires

authentication.

-proxyUsername

Specifies the password if the proxy server requires

authentication.

-proxyPassword

Displays the currently installed Rulepacks including any

custom rules and custom metadata.

-showInstalledRules

Displays the currently installed external metadata.

-showInstalledExternalMetadata

Specifies a URL from which to download the security

content. The default URL is

-url <url>

https://update.fortify.co mor the value set for

the rulepackupdate.serverproperty in the

server.propertiesconfiguration file.

For more information about the server.properties

configuration file, see the OpenText™ Fortify Static

Code Analyzer Applications and Tools Guide .

You can download the security content from a Fortify

Software Security Center server by providing a Fortify

Software Security Center URL.

Specify one of the following types of credentials if you are updating security content from Fortify

Software Security Center with the -urloption:

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 153 of 232

User Guide

Chapter 19: Command-Line Tools

fortifyupdate Option

Description

Specifies a Fortify Software Security Center user

account by user name and password.

-sscUsername

-sscPassword

Specifies a Fortify Software Security

-sscAuthToken

Center authentication token of type

UnifiedLoginToken, CIToken, or ToolsConnectToken.

Checking the Fortify Static Code Analyzer Scan

Status

Use the SCAState tool to see up-to-date state analysis information during the analysis phase.

To check Fortify Static Code Analyzer state:

1. Start a Fortify Static Code Analyzer scan.

2. Open another command window.

3. Type the following at the command prompt:

SCAState [<options>]

SCAState Command-Line Options

The following table describes the SCAState options.

SCAState Option

Description

Displays all available information.

-a|

--all

Displays information that is useful to debug SCAState behavior.

Prints a thread dump for every thread.

-debug

-ftd|

--full-thread-dump

Displays the help information for the SCAState tool.

-h|

--help

Specifies the file to which the heap dump is written. The file is

interpreted relative to the remote scan’s working directory; this is

not necessarily the same directory where you are running

-hd<filename> |

--heap-dump<filename>

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 154 of 232

User Guide

Chapter 19: Command-Line Tools

SCAState Option

Description

SCAState.

Displays the ongoing status of a running scan. This is the default.

If possible, this information is displayed in a separate terminal

window.

-liveprogress

Causes the Fortify Static Code Analyzer state information to

display in the current terminal window instead of in a separate

window.

-nogui

Displays information about the source code being scanned,

including how many source files and functions it contains.

-pi|

--program-info

Specifies the currently running Fortify Static Code

-pid <process_id>

Analyzer process ID. Use this option if there are multiple Fortify

Static Code Analyzer processes running simultaneously.

To obtain the process ID on Windows systems:

1. Open a command window.

2.

Type tasklistat the command prompt.

A list of processes is displayed.

3.

Find the java.exeprocess in the list and note its PID.

To find the process ID on Linux systems:

l

Type ps aux | grep sourceanalyzerat the command

prompt.

Displays scan information up to the point at which the command is

issued. This includes the elapsed time, the current phase of the

analysis, and the number of results already obtained.

-progress

Displays configuration settings (this does not include sensitive

information such as passwords).

-properties

-scaversion

Displays the Fortify Static Code Analyzer version number for the

sourceanalyzer that is currently running.

Prints a thread dump for the main scanning thread.

-td|

--thread-dump

Displays information from the timers and counters that are

-timers

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 155 of 232

User Guide

Chapter 19: Command-Line Tools

SCAState Option

Description

instrumented in Fortify Static Code Analyzer.

Displays the SCAState version.

-version

-vminfo

Displays the following statistics that JVM standard MXBeans

provides: ClassLoadingMXBean, CompilationMXBean,

GarbageCollectorMXBeans, MemoryMXBean,

OperatingSystemMXBean, RuntimeMXBean, and ThreadMXBean.

<none>

Displays scan progress information (this is the same as -

progress).

Note: Fortify Static Code Analyzer writes Java process information to the location of the TMP

system environment variable. On Windows systems, the TMP system environment variable

location is C:\Users\<username>\AppData\Local\Temp. If you change this TMP system

environment variable to point to a different location, SCAState cannot locate the

sourceanalyzerJava process and does not return the expected results. To resolve this issue,

change the TMP system environment variable to match the new TMP location. Fortify

recommends that you run SCAState as an administrator on Windows.

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 156 of 232

Chapter 20: Improving Performance

This chapter provides guidelines and tips to optimize memory usage and performance when

analyzing different types of codebases with Fortify Static Code Analyzer.

This section contains the following topics:

Hardware Considerations

Sample Scans

Tuning Options

Quick Scan

Configuring Scan Speed with Speed Dial

Breaking Down Codebases

Limiting Analyzers and Languages

Optimizing FPR Files

Monitoring Long Running Scans

Antivirus Software

The use of antivirus software can negatively impact Fortify Static Code Analyzer performance. If you

notice long scan times, Fortify recommends that you temporarily exclude the internal Fortify Static

Code Analyzer files from your antivirus software scan. You can also do the same for the directories

where the source code resides, however the performance impact on the Fortify analysis is less than

with the internal directories.

By default, Fortify Static Code Analyzer creates internal files in the following location:

l

Windows: c:\Users\<username>\AppData\Local\Fortify\sca<version>

l

Non-Windows: <userhome>/.fortify/sca<version>

where <version> is the version of Fortify Static Code Analyzer you are using.

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 157 of 232

User Guide

Chapter 20: Improving Performance

Hardware Considerations

The variety of source code makes accurate predictions of memory usage and scan times impossible.

The factors that affect memory usage and performance consists of many different factors including:

l

Code type

l

Codebase size and complexity

l

Ancillary languages used (such as JSP, JavaScript, and HTML)

l

Number of vulnerabilities

l

Type of vulnerabilities (analyzer used)

Fortify developed the following set of "best guess" hardware recommendations based on real-world

application scan results. The following table lists these recommendations based on the complexity of

the application. In general, increasing the number of available cores might improve scan times.

Application

Complexity

RAM

(GB)

CPU Cores

Description

Simple

4

8

16 A standalone system that runs on a server or desktop

such as a batch job or a command-line tool.

Medium

32 A standalone system that works with complex

computer models such as a tax calculation system or

a scheduling system.

Complex

16

32

128 A three-tiered business system with transactional

data processing such as a financial system or a

commercial website.

Very Complex

256 A system that delivers content such as an application

server, database server, or content management

system.

Note: TypeScript and JavaScript scans increase the analysis time significantly. If the total lines of

code in an application consist of more than 20% TypeScript or JavaScript, use the next highest

recommendation.

The Fortify Software System Requirements document describes the system requirements. However,

for large and complex applications, Fortify Static Code Analyzer requires more capable hardware. This

includes:

l

Disk I/O—Fortify Static Code Analyzer is I/O intensive and therefore the faster the hard drive, the

more savings on the I/O transactions. Fortify recommends a 7,200 RPM drive, although a 10,000

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 158 of 232

User Guide

Chapter 20: Improving Performance

RPM drive (such as the WD Raptor) or an SSD drive is better.

l

Memory—See "Memory Tuning" on page 172 for more information about how to determine the

amount of memory required for optimal performance.

l

CPU—Fortify recommends a 2.1 GHz or faster processor.

Sample Scans

These sample scans were performed using Fortify Static Code Analyzer version 24.2.0 on dedicated

virtual machines. These scans were run using Fortify Security Content 2024 Update 1. The following

table shows the scan times you can expect for several common open-source projects.

Translation Analysis (Scan)

Total

Language

Project Name

Time (mm:ss)

Issues

LOC System Configuration

.NET (C#)

SharpZipLib

01:51

02:03

799

41,773 Windows VM with

8 CPUs and 32 GB of

RAM

C/C++

Java

nasm 0.98.38

WebGoat 8

00:38

00:39

00:14

03:30

01:08

01:47

871

284

535

35,960 Linux VM with 8 CPUs

and 32 GB of RAM

23,412

Java

WordPress for

Android

35,167

JavaScript

PHP

Hackademic-next

CakePHP

01:08

00:21

00:39

02:31

00:24

02:49

03:01

02:35

09:37

01:50

775

5,720

1,350

272

212,510

136,463

206,728

562,731

PHP

phpBB 3

Python 3

Swift

numpy-1.13.3

MediaBrowser

10

17,611 macOS VM with 4 CPUs

and 16 GB of RAM

TypeScript

prisma

01:31

05:00

88

148,730 Linux VM with 8 CPUs

and 32 GB of RAM

Tuning Options

Fortify Static Code Analyzer can take a long time to process complex projects. The time is spent in

different phases:

l

Translation

l

Analysis

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 159 of 232

User Guide

Chapter 20: Improving Performance

Fortify Static Code Analyzer can produce large analysis result files (FPRs), which can take a long time

to audit and upload to Fortify Software Security Center. This is referred to as the following phase:

l

Audit/Upload

The following table lists tips on how to improve performance in the different time-consuming phases.

Phase

Option

Description

More Information

Translation

Translate and scan on

build-session different machines

"Mobile Build Sessions" on

page 46

-export-

-import-

build-session

Analysis

Run a quick scan

"Quick Scan" below

-quick

Set the scan precision

"Configuring Scan Speed with

Speed Dial" on the next page

-scan-

precision

Analysis

Scan the files related to "Breaking Down Codebases" on

a binary page 163

-bin

Analysis

Set maximum heap size "Memory Tuning" on page 172

-Xmx<size>M| G

-Xss<size>M| G

Set stack size for each

thread

"Memory Tuning" on page 172

Analysis

Apply a filter using a

filter file

"Using Filter Files" on page 164

-filter

<file>

Audit/Upload

Analysis

Exclude source files

from the FPR file

"Excluding Source Code from the

FPR" on page 165

-disable-

source-

bundling

Audit/Upload

Quick Scan

Quick scan mode provides a way to quickly scan your projects for critical- and high-priority issues.

Fortify Static Code Analyzer performs the scan faster by reducing the depth of the analysis. It also

applies the Quick View filter set. Quick scan settings are configurable. For more details about the

configuration of quick scan mode, see "fortify-sca-quickscan.properties" on page 214.

Quick scans are a great way to get many applications through an assessment so that you can quickly

find issues and begin remediation. The performance improvement you get depends on the complexity

and size of the application. Although the scan is faster than a full scan, it does not provide as robust a

result set. Fortify recommends that you run full scans whenever possible.

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 160 of 232

User Guide

Chapter 20: Improving Performance

Limiters

The depth of the Fortify Static Code Analyzer analysis sometimes depends on the available resources.

Fortify Static Code Analyzer uses a complexity metric to trade off these resources with the number of

vulnerabilities that it can find. Sometimes, this means giving up on a particular function when it does

not look like Fortify Static Code Analyzer has enough resources available.

Fortify Static Code Analyzer enables the user to control the “cutoff” point by using Fortify Static Code

Analyzer limiter properties. The different analyzers have different limiters. You can run a predefined

set of these limiters using a quick scan. See the "fortify-sca-quickscan.properties" on page 214 for

descriptions of the limiters.

To enable quick scan mode, use the -quickoption with -scanoption. With quick scan mode enabled,

Fortify Static Code Analyzer applies the properties from the <sca_install_

dir>/Core/config/fortify-sca-quickscan.propertiesfile, in addition to the standard <sca_

install_dir>/Core/config/fortify-sca.propertiesfile. You can adjust the limiters that

Fortify Static Code Analyzer uses by editing the fortify-sca-quickscan.propertiesfile. If you

modify fortify-sca.properties, it also affects quick scan behavior. Fortify recommends that you

do performance tuning in quick scan mode, and leave the full scan in the default settings to produce a

highly accurate scan. For description of the quick scan mode properties, see "Fortify Static Code

Analyzer Properties Files" on page 185.

Using Quick Scan and Full Scan

l

Run full scans periodically—A periodic full scan is important as it might find issues that quick

scan mode does not detect. Run a full scan at least once per software iteration. If possible, run a full

scan periodically when it will not interrupt the development workflow, such as on a weekend.

l

Compare quick scan with a full scan—To evaluate the accuracy impact of a quick scan, perform a

quick scan and a full scan on the same codebase. Open the quick scan results in Fortify Audit

Workbench and merge it into the full scan. Group the issues by New Issue to produce a list of

issues detected in the full scan but not in the quick scan.

l

Quick scans and Fortify Software Security Center—To avoid overwriting the results of a full

scan, by default Fortify Software Security Center ignores uploaded FPR files scanned in quick scan

mode. However, you can configure a Fortify Software Security Center application version so that

FPR files scanned in quick scan are processed. For more information, see analysis results

processing rules in the OpenText™ Fortify Software Security Center User Guide.

Configuring Scan Speed with Speed Dial

You can configure the speed and depth of the scan by specifying a precision level for the analysis

phase. You can use these precision levels to adjust the scan time to fit for example, into a pipeline and

quickly find a set of vulnerabilities while the developer is still working on the code. Although scans

with the speed dial settings are faster than a full scan, it does not provide as robust a result set.

Fortify recommends that you run full scans whenever possible.

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 161 of 232

User Guide

Chapter 20: Improving Performance

The precision level controls the depth and precision of the scan by associating configuration

properties with each level. The configuration properties files for each level are in the <sca_install_

dir>/Core/config/scalesdirectory. There is one file for each level: (level-<precision_

level>.properties). You can modify the settings in these files to create your own specific

precision levels.

Notes:

l

By default, Fortify Software Security Center blocks uploaded analysis results that were created

with a precision level less than four. However, you can configure your Fortify Software Security

Center application version so that uploaded audit projects scanned with these precision levels

are processed.

l

If you merge a speed dial scan with a full scan, this might remove issues from previous scans

that still exist in your application (and would be detected again with a full scan).

To specify the speed dial setting for a scan, include the -scan-precision(or -p) option in the scan

phase as shown in the following example:

sourceanalyzer -b MyProject -scan -scan-precision <level> -f MyResults.fpr

Note: You cannot use the speed dial setting and the -quickoption in the same scan command.

The following table describes the four precision levels.

Precision

Level

Description

1

This is the quickest scan and is recommended if you are scanning a few files. By

default, a scan with this precision level disables the Buffer Analyzer, Control Flow

Analyzer, Dataflow Analyzer, and Null Pointer Analyzer.

2

3

By default, a scan with this precision level enables all analyzers. The scan runs

quicker by performing with reduced limiters. This results in fewer issues detected.

This precision level improves intermediate development scan speeds by up to 50%

(with a reduction in reported issues). Specifically, this level improves the scan time

for typed languages such as Java and C/C++.

4

This is equivalent to a full scan.

You can also specify the scan precision level with the com.fortify.sca.PrecisionLevelproperty

in the fortify-sca.propertiesfile. For example:

com.fortify.sca.PrecisionLevel=1

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 162 of 232

User Guide

Chapter 20: Improving Performance

Breaking Down Codebases

It is more efficient to break down large projects into independent modules. For example, if you have a

portal application that consists of several modules that are independent of each other or have few

interactions, you can translate and scan the modules separately. The caveat to this is that you might

lose dataflow issue detection if some interactions exist.

For C/C++, you might reduce the scan time by using the –binoption with the –scanoption. You need

to pass the binary file as the parameter (such as -bin <filename>.exe -scanor -bin

<filename>.dll -scan). Fortify Static Code Analyzer finds the related files associated with the

binary and scans them. This is useful if you have several binaries in a makefile.

The following table lists some useful Fortify Static Code Analyzer command-line options to break

down codebases.

Option

Description

Specifies a subset of source files to scan. Only the source files that were

linked in the named binary at build time are included in the scan. You can

use this option multiple times to specify the inclusion of multiple binaries

in the scan.

-bin <binary>

Displays all objects that were created but not used in the production of

any other binaries. If fully integrated into the build, it lists all the binaries

produced.

-show-binaries

-show-build-tree

When used with the -binoption, displays all files used to create the

binary and all files used to create those files in a tree layout. If the -bin

option is not present, Fortify Static Code Analyzer displays the tree for

each binary.

Limiting Analyzers and Languages

Occasionally, you might find that a significant amount of the scan time is spent either running one

analyzer or analyzing a particular language. It is possible that this analyzer or language is not

important to your security requirements. You can limit the specific analyzers that run and the specific

languages that Fortify Static Code Analyzer translates.

Disabling Analyzers

To disable specific analyzers, include the -analyzersoption to Fortify Static Code Analyzer at scan

time with a comma- or colon-separated list of analyzers to enable. The valid parameter values for the

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 163 of 232

User Guide

Chapter 20: Improving Performance

-analyzersoption are buffer, content, configuration, controlflow, dataflow, nullptr,

semantic, and structural.

For example, to run a scan that only includes the Dataflow, Control Flow, and Buffer analyzers, use the

following scan command:

sourceanalyzer -b MyProject -analyzers dataflow:controlflow:buffer -scan -f

MyResults.fpr

You can also do the same thing by setting com.fortify.sca.DefaultAnalyzersin the Fortify

Static Code Analyzer property file <sca_install_dir>/Core/config/fortify-

sca.properties. For example, to achieve the equivalent of the previous scan command, set the

following in the properties file:

com.fortify.sca.DefaultAnalyzers=dataflow:controlflow:buffer

Disabling Languages

To disable specific languages, include the -disable-languageoption in the translation phase,

which specifies a list of languages that you want to exclude. The valid language values are abap,

actionscript, apex, cfml, cobol, configuration, cpp, dart, dotnet, golang, java,

javascript, jsp, kotlin, objc, php, plsql, python, ruby, scala, sql, swift, tsql, typescript,

and vb.

For example, to perform a translation that excludes SQL and PHP files, use the following command:

sourceanalyzer -b MyProject <src_files> -disable-language sql:php

You can also disable languages by setting the com.fortify.sca.DISabledLanguagesproperty in

the Fortify Static Code Analyzer properties file <sca_install_dir>/Core/config/fortify-

sca.properties. For example, to achieve the equivalent of the previous translation command, set

the following in the properties file:

com.fortify.sca.DISabledLanguages=sql:php

Optimizing FPR Files

This chapter describes how to handle performance issues related to the audit results (FPR) file. This

includes reducing the scan time, reducing FPR file size, and tips for opening large FPR files.

Using Filter Files

You can use a file to filter out specific vulnerability instances, rules, and vulnerability categories from

the analysis results. If you determine that a certain issue category or rule is not relevant for a

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 164 of 232

User Guide

Chapter 20: Improving Performance

particular scan, you can stop Fortify Static Code Analyzer from adding them to the FPR. Using a filter

file can reduce both the scan time and analysis results file size.

For example, if you are scanning a simple program that just reads a specified file, you might not want

to see path manipulation issues, because these are not likely planned as part of the functionality. To

filter out path manipulation issues, create a file that contains a single line:

Path Manipulation

Save this file as filter.txt. Use the -filteroption in the analysis phase as shown in the following

example:

sourceanalyzer -b MyProject -scan -filter filter.txt -f MyResults.fpr

The analysis output in MyResults.fprdoes not include any issues with the category Path

Manipulation. For more information and an example of a filter file, see "Excluding Issues with Filter

Files" on page 180.

Using Filter Sets

Filters in an issue template determine how the results from Fortify Static Code Analyzer are shown. In

addition to filters, filter sets enable you to have a selection of filters used at any one time. Each FPR

has an issue template associated with it. You can use filter sets to reduce the number of issues based

on conditions you specify with filters in an issue template. This can dramatically reduce the size of an

FPR.

To do this, use Fortify Audit Workbench to create a filter in a filter set, and then run the Fortify Static

Code Analyzer scan with the filter set and the containing issue template. For more information and a

basic example of how to create a filter set, see "Excluding Issues with Filters Sets" on page 184.

Note: Although filtering issues with a filter set can reduce the size of the FPR, they do not usually

reduce the scan time. Fortify Static Code Analyzer examines the filter set after it calculates the

issues to determine whether to write them to the FPR file. The filters in a filter set determine the

rule types that Fortify Static Code Analyzer loads.

Excluding Source Code from the FPR

You can reduce the size of the FPR file by excluding the source code information from the FPR. This is

especially valuable for large source files or codebases. Typically, you do not get a scan time reduction

for small source files using this method.

There are properties you can use to prevent Fortify Static Code Analyzer from including source code

in the FPR. You can set either property in the <sca_install_dir>/Core/config/fortify-

sca.propertiesfile or specify an option on the command line. The following table describes these

settings.

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 165 of 232

User Guide

Chapter 20: Improving Performance

Property Name

Description

Excludes source code from the FPR.

com.fortify.sca.

FPRDisableSourceBundling=true

Command-Line Option:

-disable-source-bundling

Excludes code snippets from the FPR.

com.fortify.sca.

FVDLDisableSnippets=true

Command-Line Option:

–fvdl-no-snippets

The following command-line example uses both options to exclude both the source code and code

snippets from the FPR:

sourceanalyzer -b MyProject -disable-source-bundling

-fvdl-no-snippets -scan -f MySourcelessResults.fpr

Reducing the FPR File Size

There are a few ways to reduce the size of FPR files. The quickest way to do this without affecting

results is to exclude the source code from the FPR as described in "Excluding Source Code from the

FPR" on the previous page. You can also reduce the size of a merged FPR with the FPRUtility (see the

OpenText™ Fortify Static Code Analyzer Applications and Tools Guide).

There are a few other properties that you can use to select what is excluded from the FPR. You can

set these properties in the <sca_install_dir>/Core/config/fortify-sca.propertiesfile or

specify an option on the command line for the analysis (scan) phase.

Property Name

Description

Excludes the metatable from the FPR. Fortify Audit

Workbench uses the metatable to map information

in Functions view.

com.fortify.sca.

FPRDisableMetatable

=true

Command-Line Option:

-disable-metatable

Excludes rule descriptions from the FPR. If you do

not use custom descriptions, the descriptions in the

Fortify Taxonomy (https://vulncat.fortify.com) are

used.

com.fortify.sca.

FVDLDisableDescriptions

=true

Command-Line Option:

-fvdl-no-descriptions

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 166 of 232

User Guide

Chapter 20: Improving Performance

Property Name

Description

Excludes engine data from the FPR. This is useful if

your FPR contains many warnings when you open

the file in Fortify Audit Workbench.

com.fortify.sca.

FVDLDisableEngineData

=true

Command-Line Option:

Note: If you exclude engine data from the FPR,

you must merge the FPR with the current audit

project locally before you upload it to Fortify

Software Security Center. Fortify Software

Security Center cannot merge it on the server

because the FPR does not contain the Fortify

Static Code Analyzer version.

-fvdl-no-enginedata

Excludes the program data from the FPR. This

removes the Taint Sources information from the

Functions view in Fortify Audit Workbench. This

property typically only has a minimal effect on the

overall size of the FPR file.

com.fortify.sca.

FVDLDisableProgramData

=true

Command-Line Option:

-fvdl-no-progdata

Opening Large FPR Files

To reduce the time required to open a large FPR file in Fortify Audit Workbench, you can set some

properties in the <sca_install_dir>/Core/config/fortify.propertiesfile. For more

information about these properties, see the OpenText™ Fortify Static Code Analyzer Applications and

Tools Guide. The following table describes the properties you can use to reduce the time to open

large FPR files.

Property Name

Description

Disables use of the code navigation features

in Fortify Audit Workbench.

com.fortify.

model.DisableProgramInfo=true

Sets the start and end index for issue cutoff.

com.fortify.

model.IssueCutOffStartIndex

=<num> (inclusive)

The IssueCutOffStartIndexproperty is

inclusive and IssueCutOffEndIndexis

exclusive so that you can specify a subset of

issues you want to see. For example, to see

the first 100 issues, specify the following:

com.fortify.

model.IssueCutOffEndIndex

=<num> (exclusive)

com.fortify.model.

IssueCutOffStartIndex=0

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 167 of 232

User Guide

Chapter 20: Improving Performance

Property Name

Description

com.fortify.model.

IssueCutOffEndIndex=101

Because the IssueCutOffStartIndexis 0

by default, you do not need to specify this

property.

Sets the start index for issue cutoff by

category. These two properties are similar to

the previous cutoff properties except these

are specified for each category. For example,

to see the first five issues for every category,

specify the following:

com.fortify.

model.IssueCutOffByCategoryStartIndex=

<num> (inclusive)

com.fortify.

model.IssueCutOffByCategoryEndIndex=

<num> (exclusive)

com.fortify.model.

IssueCutOffByCategoryEndIndex=6

Minimizes the data loaded from the FPR. This

also restricts usage of the Functions view and

might prevent Fortify Audit Workbench from

loading the source from the FPR.

com.fortify.

model.MinimalLoad=true

Specifies the number of Fortify Static Code

Analyzer reported warnings to load from the

FPR. For projects with many scan warnings,

reducing this number from a default of 3000

can speed up the load time of large FPR files.

com.fortify.

model.MaxEngineErrorCount=

<num>

Specifies the JVM heap memory size for

Fortify Audit Workbench to start external

command-line tools such as iidmigrator and

fortifyupdate.

com.fortify.

model.ExecMemorySetting

Monitoring Long Running Scans

When you run Fortify Static Code Analyzer, large and complex scans can often take a long time to

complete. During the scan it is not always clear what is happening. While Fortify recommends that you

provide your debug logs to the Customer Support team, there are a couple of ways to see what Fortify

Static Code Analyzer is doing and how it is performing in real-time.

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 168 of 232

User Guide

Chapter 20: Improving Performance

Using the SCAState Tool

The SCAState command-line tool enables you to see up-to-date state analysis information during the

analysis phase. The SCAState tool is located in the <sca_install_dir>/bindirectory. In addition

to a live view of the analysis, it also provides a set of timers and counters that show where Fortify

Static Code Analyzer spends its time during the analysis phase. For more information about how to

use SCAState, see the "Checking the Fortify Static Code Analyzer Scan Status" on page 154.

Using JMX Tools

You can use tools to monitor Fortify Static Code Analyzer with JMX technology. These tools can

provide a way to track Fortify Static Code Analyzer performance over time. For more information

about these tools, see the full Oracle documentation available at: http://docs.oracle.com.

Note: These are third-party tools and Fortify does not provide or support them.

Using JConsole

JConsole is an interactive monitoring tool that complies with the JMX specification. The disadvantage

of JConsole is that you cannot save the output.

To use JConsole, you must first set some additional JVM parameters. Set the following environment

variable:

export SCA_VM_OPTS="-Dcom.sun.management.jmxremote

-Dcom.sun.management.jmxremote.port=9090

-Dcom.sun.management.jmxremote.ssl=false

-Dcom.sun.management.jmxremote.authenticate=false"

After the JMX parameters are set, start a Fortify Static Code Analyzer scan. During the scan, start

JConsole to monitor Fortify Static Code Analyzer locally or remotely with the following command:

jconsole <host_name>:9090

Using Java VisualVM

Java VisualVM offers the same capabilities as JConsole. It also provides more detailed information on

the JVM and enables you to save the monitor information to an application snapshot file. You can

store these files and open them later with Java VisualVM.

Similar to JConsole, before you can use Java VisualVM, you must set the same JVM parameters

described in "Using JConsole" above.

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 169 of 232

User Guide

Chapter 20: Improving Performance

After the JVM parameters are set, start the scan. You can then start Java VisualVM to monitor the

scan either locally or remotely with the following command:

jvisualvm <host_name>:9090

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 170 of 232

Chapter 21: Troubleshooting

This section contains the following topics:

Scanning Complex Functions

Issue Non-Determinism

Locating the Log Files

Configuring Log Files

Reporting Issues and Requesting Enhancements

Exit Codes

The following table describes the possible Fortify Static Code Analyzer exit codes.

Exit

Code Description

0

1

2

Success

Generic failure

Invalid input files

(this might indicate that an attempt was made to translate a file that has an extension

that Fortify Static Code Analyzer does not support)

3

4

Process timed out

Analysis completed with numbered warning messages written to the console and/or to

the log file

5

Analysis completed with numbered error messages written to the console and/or to the

log file

6

7

Scan phase was unable to generate issue results

Unable to detect a valid license or the LIM license expired at run time

By default, Fortify Static Code Analyzer only returns exit codes 0, 1, 2, 3, or 7.

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 171 of 232

User Guide

Chapter 21: Troubleshooting

You can extend the default exit code options by setting the com.fortify.sca.ExitCodeLevel

property in the <sca_install_dir>/Core/Config/fortify-sca.propertiesfile.

The valid values are:

l

nothing—Returns any of the default exit codes (0, 1, 2, 3, or 7).

l

warnings—Returns exit codes 4 and 5 in addition to the default exit codes.

l

errors—Returns exit code 5 in addition to the default exit codes.

l

no_output_file—Returns exit code 6 in addition to the default exit codes.

Memory Tuning

The amount of physical RAM required for a scan depends on the complexity of the code. By default,

Fortify Static Code Analyzer automatically allocates the memory it uses based on the physical

memory available on the system. This is generally sufficient. As described in "Output Options" on

page 141, you can adjust the Java heap size with the -Xmx command-line option.

This section describes suggestions for what you can do if you encounter OutOfMemory errors during

the analysis.

Note: You can set the memory allocation options discussed in this section to run for all scans by

setting the SCA_VM_OPTSenvironment variable.

Java Heap Exhaustion

Java heap exhaustion is the most common memory problem that might occur during Fortify Static

Code Analyzer scans. It is caused by allocating too little heap space to the Java virtual machine that

Fortify Static Code Analyzer uses to scan the code. You can identify Java heap exhaustion from the

following symptom.

Symptom

One or more of these messages appears in the Fortify Static Code Analyzer log file and in the

command-line output:

There is not enough memory available to complete analysis. For details on

making more memory available, please consult the user manual.

java.lang.OutOfMemoryError: Java heap space

java.lang.OutOfMemoryError: GC overhead limit exceeded

Resolution

To resolve a Java heap exhaustion problem, allocate more heap space to the Fortify Static Code

Analyzer Java virtual machine when you start the scan. To increase the heap size, use the -Xmx

command-line option when you run the Fortify Static Code Analyzer scan. For example, -Xmx1G

makes 1 GB available. Before you use this parameter, determine the maximum allowable value for

Java heap space. The maximum value depends on the available physical memory.

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 172 of 232

User Guide

Chapter 21: Troubleshooting

Heap sizes between 32 GB and 48 GB are not advised due to internal JVM implementations. Heap

sizes in this range perform worse than at 32 GB. Heap sizes smaller than 32 GB are optimized by the

JVM. If your scan requires more than 32 GB, then you need 64 GB or more. As a guideline, assuming

no other memory intensive processes are running, do not allocate more than 2/3 of the available

memory.

If the system is dedicated to running Fortify Static Code Analyzer, you do not need to change it.

However, if the system resources are shared with other memory-intensive processes, subtract an

allowance for those other processes.

Note: You do not need to account for other resident but not active processes (while Fortify Static

Code Analyzer is running) that the operating system might swap to disk. Allocating more physical

memory to Fortify Static Code Analyzer than is available in the environment might cause

“thrashing,” which typically slows down the scan along with everything else on the system.

Native Heap Exhaustion

Native heap exhaustion is a rare scenario where the Java virtual machine can allocate the Java

memory regions on startup, but is left with so few resources for its native operations (such as garbage

collection) that it eventually encounters a fatal memory allocation failure that immediately terminates

the process.

Symptom

You can identify native heap exhaustion by abnormal termination of the Fortify Static Code Analyzer

process and the following output on the command line:

# A fatal error has been detected by the Java Runtime Environment:

#

# java.lang.OutOfMemoryError: requested ... bytes for GrET ...

Because this is a fatal Java virtual machine error, it is usually accompanied by an error log created in

the working directory with the file name hs_err_pidNNN.log.

Resolution

Because the problem is a result of overcrowding within the process, the resolution is to reduce the

amount of memory used for the Java memory regions (Java heap). Reducing this value should reduce

the crowding problem and allow the scan to complete successfully.

Stack Overflow

Each thread in a Java application has its own stack. The stack holds return addresses,

function/method call arguments, and so on. If a thread tends to process large structures with

recursive algorithms, it might need a large stack for all those return addresses. With the JVM, you can

set that size with the -Xssoption.

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 173 of 232

User Guide

Chapter 21: Troubleshooting

Symptoms

This message typically appears in the Fortify Static Code Analyzer log file, but might also appear in

the command-line output:

java.lang.StackOverflowError

Resolution

The default stack size is 16 MB. To increase the stack size, pass the -Xssoption to the

sourceanalyzercommand. For example, -Xss32Mincreases the stack to 32 MB.

Scanning Complex Functions

During a Fortify Static Code Analyzer scan, the Dataflow Analyzer might encounter a function for

which it cannot complete the analysis and reports the following message:

Function <name> is too complex for <analyzer> analysis and will be skipped

(<identifier>)

where:

l

<name> is the name of the source code function

l

<analyzer> is the name of the analyzer

l

<identifier> is the type of complexity, which is one of the following:

l

l: Too many distinct locations

l

m: Out of memory

l

s: Stack size too small

l

t: Analysis taking too much time

l

v: Function visits exceed the limit

The depth of analysis Fortify Static Code Analyzer performs sometimes depends on the available

resources. Fortify Static Code Analyzer uses a complexity metric to trade off these resources against

the number of vulnerabilities that it can find. Sometimes, this means giving up on a particular function

when Fortify Static Code Analyzer does not have enough resources available. This is normally when

you see the "Function too complex" messages.

When you see this message, it does not necessarily mean that Fortify Static Code Analyzer completely

ignored the function in the program. For example, the Dataflow Analyzer typically visits a function

many times before completing the analysis, and might not have run into this complexity limit in the

previous visits. In this case, the results include everything learned from the previous visits.

You can control the "give up" point using Fortify Static Code Analyzer properties called limiters.

Different analyzers have different limiters.

The following sections provide a discussion of a resolution for this issue.

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 174 of 232

User Guide

Chapter 21: Troubleshooting

Dataflow Analyzer Limiters

There are three types of complexity identifiers for the Dataflow Analyzer:

l

l: Too many distinct locations

l

m: Out of memory

l

s: Stack size too small

l

v: Function visits exceed the limit

To resolve the issue identified by s, increase the stack size for by setting -Xssto a value greater than

16 MB.

To resolve the complexity identifier of m, increase the physical memory for Fortify Static Code

Analyzer.

To resolve the complexity identifier of l, you can adjust the following limiters in the Fortify Static

Code Analyzer property file <sca_install_dir>/Core/config/fortify-sca.propertiesor on

the command line.

Property Name

Default Value

1000

com.fortify.sca.

limiters.MaxTaintDefForVar

4000

4

com.fortify.sca.

limiters.MaxTaintDefForVarAbort

com.fortify.sca.

limiters.MaxFieldDepth

The MaxTaintDefForVarlimiter is a dimensionless value expressing the complexity of a function,

while MaxTaintDefForVarAbortis the upper bound for it. Use the MaxFieldDepthlimiter to

measure the precision when the Dataflow Analyzer analyzes any given object. Fortify Static Code

Analyzer always tries to analyze objects at the highest precision possible.

If a given function exceeds the MaxTaintDefForVarlimit at a given precision, the Dataflow Analyzer

analyzes that function with lower precision (by reducing the MaxFieldDepthlimiter). When you

reduce the precision, it reduces the complexity of the analysis. When the precision cannot be reduced

any further, Fortify Static Code Analyzer then proceeds with analysis at the lowest precision until

either it finishes, or the complexity exceeds the MaxTaintDefForVarAbortlimiter. In other words,

Fortify Static Code Analyzer tries harder at the lowest precision to get at least some results from the

function. If Fortify Static Code Analyzer reaches the MaxTaintDefForVarAbortlimiter, it gives up

on the function entirely and you get the "Function too complex" warning.

To resolve the complexity identifier of v, you can adjust the property

com.fortify.sca.limiters.MaxFunctionVisits. This property sets the maximum number of

times the taint propagation analyzer visits functions. The default is 50.

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 175 of 232

User Guide

Chapter 21: Troubleshooting

Control Flow and Null Pointer Analyzer Limiters

There are two types of complexity identifiers for both Control Flow and Null Pointer analyzers:

l

m: Out of memory

l

t: Analysis taking too much time

Due to the way that the Dataflow Analyzer handles function complexity, it does not take an indefinite

amount of time. Control Flow and Null Pointer analyzers, however, can take an exceptionally long time

when analyzing complex functions. Therefore, Fortify Static Code Analyzer provides a way to abort

the analysis when this happens, and then you get the "Function too complex" message with a

complexity identifier of t.

To change the maximum amount of time these analyzers spend to analyze functions, you can adjust

the following property values in the Fortify Static Code Analyzer property file <sca_install_

dir>/Core/config/fortify-sca.propertiesor on the command line.

Property Name

Description

Default Value

Sets the time limit (in milliseconds) for Control 600000

com.fortify.sca.

CtrlflowMaxFunctionTime

Flow analysis on a single function.

(10 minutes)

Sets the time limit (in milliseconds) for Null

Pointer analysis on a single function.

300000

(5 minutes)

com.fortify.sca.

NullPtrMaxFunctionTime

To resolve the complexity identifier of m, increase the physical memory for Fortify Static Code

Analyzer.

Note: If you increase these limiters or time settings, it makes the analysis of complex functions

take longer. It is difficult to characterize the exact performance implications of a particular value

for the limiters/time, because it depends on the specific function in question. If you never want to

see the "Function too complex" warning, you can set the limiters/time to an extremely high value,

however it can cause unacceptable scan time.

Issue Non-Determinism

Running in parallel analysis mode might introduce issue non-determinism. If you experience any

problems, contact Customer Support, and disable parallel analysis mode. Disabling parallel analysis

mode results in sequential analysis, which can be substantially slower but provides deterministic

results across multiple scans.

To disable parallel analysis mode:

1.

Open the fortify-sca.propertiesfile located in the <sca_install_dir>/Core/config

directory in a text editor.

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 176 of 232

User Guide

Chapter 21: Troubleshooting

2.

Change the value for the com.fortify.sca.MultithreadedAnalysisproperty to false.

com.fortify.sca.MultithreadedAnalysis=false

Locating the Log Files

By default, Fortify Static Code Analyzer creates log files in the following location:

l

Windows: C:\Users\<username>\AppData\Local\Fortify\sca<version>\log

l

Non-Windows: <userhome>/.fortify/sca<version>/log

where <version> is the version of Fortify Static Code Analyzer that you are using.

The following table describes the Fortify Static Code Analyzer default log files.

File Names

Description

The standard log provides a log of informational

messages, warnings, and errors that occurred in the run of

sourceanalyzer.

sca.log

scaX.log

The Fortify Support log provides:

sca_FortifySupport.log

scaX_FortifySupport.log

l

The same log messages as the standard log file, but

with additional details

l

Additional detailed messages that are not included in

the standard log file

This log file is helpful to Customer Support or the

development team to troubleshoot any issues.

If you encounter warnings or errors that you cannot resolve, provide the Fortify Support log file to

Customer Support.

Configuring Log Files

You can configure the information that Fortify Static Code Analyzer writes to the log files by setting

logging properties (see "Logging Properties" on page 212). You can configure the following log file

settings:

l

The location and name of the log file

Property: com.fortify.sca.LogFile

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 177 of 232

User Guide

Chapter 21: Troubleshooting

l

Log level (see "Understanding Log Levels" below)

Property: com.fortify.sca.LogLevel

l

Whether to overwrite the log files for each run of sourceanalyzer

Property: com.fortify.sca.ClobberLogFile

Command-line option: -clobber-log

Understanding Log Levels

The log level you select gives you all log messages equal to and greater than it. The following table

lists the log levels in order from least to greatest. For example, the default log level of INFO includes

log messages with the following levels: INFO, WARN, ERROR, and FATAL. You can set the log level

with the com.fortify.sca.LogLevelproperty in the <sca_install_

dir>/Core/config/fortify-sca.propertiesfile or on the command-line using the -Doption.

Log Level

Description

DEBUG

Includes information that Customer Support or the development team can use

to troubleshoot an issue

INFO

Basic information about the translation or scan process

WARN

Information about issues where the translation or scan did not stop, but might

require your attention for accurate results

ERROR

FATAL

Information about an issue that might require attention

Information about an error that caused the translation or scan to abort

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 178 of 232

User Guide

Chapter 21: Troubleshooting

Reporting Issues and Requesting Enhancements

Feedback is critical to the success of this product. To request enhancements or patches, or to report

issues, visit Customer Support at https://www.microfocus.com/support.

Include the following information when you contact customer support:

l

Product: Fortify Static Code Analyzer

l

Version number of Fortify Static Code Analyzer and any independent Fortify Static Code Analyzer

modules: To determine the version numbers, run the following:

sourceanalyzer -version

l

Platform: (for example, Red Hat Enterprise Linux <version>)

l

Operating system: (such as Linux)

To request an enhancement, include a description of the feature enhancement.

To report an issue, provide enough detail so that support can duplicate the issue. The more

descriptive you are, the faster support can analyze and resolve the issue. Also include the log files, or

the relevant portions of them, from when the issue occurred.

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 179 of 232

Appendix A: Filtering the Analysis

This section describes two methods of filtering out vulnerabilities from the analysis results (FPR)

during the scan phase. You can use a filter file to remove issues based on specific vulnerability

instances, rules, and vulnerability categories. You can also use a filter set (created in Fortify Audit

Workbench) to remove issues that are hidden from view in an issue template.

Caution! Fortify recommends that you only use filter files if you are an advanced user. Do not use

filter files for standard audits, because auditors typically want to see and evaluate all issues that

Fortify Static Code Analyzer finds.

This section contains the following topics:

Excluding Issues with Filter Files

Excluding Issues with Filters Sets

180

184

Excluding Issues with Filter Files

You can create a file to filter out particular vulnerability instances, rules, and vulnerability categories

when you run the sourceanalyzercommand. You specify the file with the -filteranalysis option.

A filter file is a text file that you can create with any text editor. You specify only the filter items that

you do not want in this file.

Note: The filter types described in this section apply to both filter files and scan policy files (see

"Applying a Scan Policy to the Analysis" on page 48).

The following table lists the available filter types and provides examples for each.

Filter Type

Notes

Examples

See Also

"Filter File Example" below

Filter File Example

As an example, the following output is from a scan of the EightBall.javasample. This sample

project is included in the Fortify_SCA_Samples_<version>.ziparchive in the

basic/eightballdirectory.

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 181 of 232

User Guide

Appendix A: Filtering the Analysis

The following commands are executed to produce the analysis results:

sourceanalyzer -b eightball EightBall.java

sourceanalyzer -b eightball -scan

The following results show five detected issues:

[F7A138CDE5235351F6A4405BA4AD7C53 : low : Unchecked Return Value : semantic

]

EightBall.java(12) : Reader.read()

[6291C6A33303ED270C269917AA8A1005 : high : Path Manipulation : dataflow ]

EightBall.java(12) : ->new FileReader(0)

EightBall.java(8) : <=> (filename)

EightBall.java(8) : <->Integer.parseInt(0->return)

EightBall.java(6) : <=> (filename)

EightBall.java(4) : ->EightBall.main(0)

[176CC0B182267DD538992E87EF41815F : critical : Path Manipulation : dataflow

]

EightBall.java(12) : ->new FileReader(0)

EightBall.java(6) : <=> (filename)

EightBall.java(4) : ->EightBall.main(0)

[E4B3ACF92911ED6D98AAC15876739EC7 : high : Unreleased Resource : Streams :

controlflow ]

EightBall.java(12) : start -> loaded : new FileReader(...)

EightBall.java(14) : loaded -> end_of_scope : end scope : Resource

leaked

EightBall.java(12) : start -> loaded : new FileReader(...)

EightBall.java(12) : java.io.IOException thrown

EightBall.java(12) : loaded -> loaded : throw

EightBall.java(12) : loaded -> end_of_scope : end scope : Resource

leaked : java.io.IOException thrown

[BB9F74FFA0FF75C9921D0093A0665BEB : low : J2EE Bad Practices : Leftover

Debug Code : structural ]

EightBall.java(4)

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 182 of 232

User Guide

Appendix A: Filtering the Analysis

The following is an example filter file that performs the following:

l

Remove all results related to the J2EE Bad Practice category

l

Remove the Path Manipulation based on its instance ID

l

Remove any dataflow issues that were generated from a specific rule ID

#This is a category to filter from scan output

J2EE Bad Practices

#This is an instance ID of a specific issue to be filtered

#from scan output

6291C6A33303ED270C269917AA8A1005

#This is a specific Rule ID that leads to the reporting of a

#specific issue in the scan output: in this case the

#dataflow sink for a Path Manipulation issue.

823FE039-A7FE-4AAD-B976-9EC53FFE4A59

To test the filtered output, copy the above text and paste it into a file with the name test_

filter.txt.

To apply the filtering in the test_filter.txtfile, execute the following command:

sourceanalyzer -b eightball -scan -filter test_filter.txt

The filtered analysis produces the following results:

[176CC0B182267DD538992E87EF41815F : critical : Path Manipulation : dataflow

]

EightBall.java(12) : ->new FileReader(0)

EightBall.java(6) : <=> (filename)

EightBall.java(4) : ->EightBall.main(0)

[E4B3ACF92911ED6D98AAC15876739EC7 : high : Unreleased Resource : Streams :

controlflow ]

EightBall.java(12) : start -> loaded : new FileReader(...)

EightBall.java(14) : loaded -> end_of_scope : end scope : Resource

leaked

EightBall.java(12) : start -> loaded : new FileReader(...)

EightBall.java(12) : java.io.IOException thrown

EightBall.java(12) : loaded -> loaded : throw

EightBall.java(12) : loaded -> end_of_scope : end scope : Resource

leaked : java.io.IOException thrown

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 183 of 232

User Guide

Appendix A: Filtering the Analysis

Excluding Issues with Filters Sets

You can use filter sets in an issue template created in Fortify Audit Workbench to filter issues from

the analysis results. When you apply a filter set that hides issues from view during the analysis phase,

Fortify Static Code Analyzer does not write the hidden issues to the FPR. To do this, use Fortify Audit

Workbench to create a filter set, and then run the Fortify Static Code Analyzer scan with the filter set

and the issue template, which contains the filter set. For more detailed instructions about how to

create filters and filter sets in Fortify Audit Workbench, see the OpenText™ Fortify Audit Workbench

User Guide.

The following example describes the basic steps for how to create and use a filter in an issue template

to remove issues from an FPR:

1. Suppose you use OWASP Top 10 2021 and you only want to see issues categorized within this

standard. In Fortify Audit Workbench, create a new filter set called OWASP_Filter

2.

In Fortify Audit Workbench, create a visibility filter in the OWASP_Filterfilter set:

If [OWASP Top 10 2021] does not contain A Then hide issue

This filter looks through the issues and if an issue does not map to an OWASP Top 10 2021

category with ‘A’ in the name, then it hides it. Because all OWASP Top 10 2021 categories start

with ‘A’ (A01, A02, …, A10), then any category without the letter ‘A’ is not in the OWASP Top 10

2021. The filter hides the issues from view in Fortify Audit Workbench, but they are still in the

FPR.

3.

In Fortify Audit Workbench, export the issue template to a file called IssueTemplate.xml.

4. Using Fortify Static Code Analyzer, specify the filter set in the analysis phase with the following

command:

sourceanalyzer -b MyProject -scan -project-template IssueTemplate.xml

-Dcom.fortify.sca.FilterSet=OWASP_Filter -f MyFilteredResults.fpr

Although filtering issues with a filter set can reduce the size of the FPR, it does not usually reduce the

scan time. Fortify Static Code Analyzer examines the filter set after it calculates the issues to

determine whether to write them to the FPR file. The filters in a filter set determine the rule types that

Fortify Static Code Analyzer loads.

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 184 of 232

Appendix B: Configuration Options

The Fortify Static Code Analyzer installer places a set of properties files on your system. Properties

files contain configurable settings for Fortify Static Code Analyzer runtime analysis, output, and

performance.

This section contains the following topics:

Fortify Static Code Analyzer Properties Files

fortify-sca.properties

fortify-sca-quickscan.properties

fortify-rules.properties

Fortify Static Code Analyzer Properties Files

The properties files are located in the <sca_install_dir>/Core/configdirectory. The installed

properties files contain default values. Fortify recommends that you consult with your project leads

before you make changes to the properties in the properties files. You can modify any of the

properties in the configuration file with any text editor. You can also specify the property on the

command line with the -Doption.

The following table lists the Fortify Static Code Analyzer properties files. Property files for the Fortify

Static Code Analyzer applications and tools are described in the OpenText™ Fortify Static Code

Analyzer Applications and Tools Guide.

Properties File Name

Description

More Information

Defines the Fortify Static Code Analyzer

configuration properties.

"fortify-sca.properties"

on page 187

fortify-

sca.properties

Defines the configuration properties

applicable for a Fortify Static Code

Analyzer quick scan.

"fortify-sca-

quickscan.properties"

on page 214

fortify-sca-

quickscan.properties

Defines the configuration properties that

determine rule behavior.

"fortify-

rules.properties" on

page 217

fortify-

rules.properties

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 185 of 232

User Guide

Appendix B: Configuration Options

Properties File Format

In the properties file, each property consists of a pair of strings: the first string is the property name

and the second string is the property value.

com.fortify.sca.fileextensions.htm=HTML

As shown above, the property sets the translation to use for .htmfiles. The property name is

com.fortify.sca.fileextensions.htmand the value is set to HTML.

Note: When you specify a path for Windows systems as the property value, you must escape any

backslash character (\) with a backslash (for example:

com.fortify.sca.ASPVirtualRoots.Library=C:\\WebServer\\CustomerA\\inc).

Disabled properties are commented out of the properties file. To enable these properties, remove the

comment symbol (#) and save the properties file. In the following example, the

com.fortify.sca.LogFileproperty is disabled in the properties file and is not part of the

configuration:

# default location for the log file

#com.fortify.sca.LogFile=${com.fortify.sca.ProjectRoot}/sca/log/sca.log

Precedence of Setting Properties

Fortify Static Code Analyzer uses properties settings in a specific order. You can override any

previously set properties with the values that you specify. Keep this order in mind when making

changes to the properties files.

The following table lists the order of precedence for Fortify Static Code Analyzer properties.

Order Property Specification

Description

1

Properties specified on the command line have the highest

priority and you can specify them in any scan.

Command line with the -D

option

2

Fortify Static Code

Analyzer quick scan

configuration file

Note: You can specify either quick scan or a scan

precision level. Therefore, these property settings both

have second priority.

Properties specified in the quick scan configuration file

(fortify-sca-quickscan.properties) have the

second priority, but only if you include the -quickoption

to enable quick scan mode.

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 186 of 232

User Guide

Appendix B: Configuration Options

Order Property Specification

Description

Fortify Static Code

Analyzer scan precision

property files

Properties specified in the scan precision property files

have the second priority, but only if you include the -scan-

precisionoption to enable scan precision.

3

Fortify Static Code

Analyzer configuration

file

Properties specified in the Fortify Static Code Analyzer

configuration file (fortify-sca.properties) have the

lowest priority. Edit this file to change the property values

on a more permanent basis for all scans.

Fortify Static Code Analyzer also relies on some properties that have internally defined default values.

fortify-sca.properties

The following sections describe the properties available for use in the fortify-sca.properties

file. See "fortify-sca-quickscan.properties" on page 214 for additional properties that you can use in

this properties file. Each property description includes the value type, the default value, the

equivalent command-line option (if applicable), and an example.

Translation and Analysis Phase Properties

The properties for the fortify-sca.propertiesfile in the following table are general properties

that apply to the translation and/or analysis (scan) phase.

Property Name

Description

Translation and Scan

Specifies the build ID of the build.

Value Type: String

com.fortify.sca.

BuildID

Default: (none)

Command-Line Option: -b

com.fortify.sca.

CmdlineOptionsFileEncod

ing

Specifies the encoding of the command-line options file provided with @<filename> (see

"Other Options" on page 143). You can use this property, for example, to specify Unicode

file paths in the options file. Valid encoding names are from the

java.nio.charset.Charset

Note: This property is only valid in the fortify-sca.propertiesfile and does not

work in the fortify-sca-quickscan.properitesfile or with the -Doption.

Value Type: String

Default: JVM system default encoding

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 187 of 232

User Guide

Appendix B: Configuration Options

Property Name

Description

Example: com.fortify.sca.CmdlineOptionsFileEncoding=UTF-8

Specifies a colon-separated list of languages to exclude from the translation phase. The

com.fortify.sca.

DISabledLanguages

valid language values are abap, actionscript, apex, cfml, cobol, configuration,

cpp, dart, dotnet, golang, java, javascript, jsp, kotlin, objc, php, plsql, python,

ruby, scala, sql, swift, tsql, typescript, and vb.

Value Type: String

Default: (none)

Command-Line Option: -disable-language

Specifies a colon-separated list of languages to translate. The valid language values are

com.fortify.sca.

EnabledLanguages

abap, actionscript, apex, cfml, cobol, configuration, cpp, dart, dotnet, golang,

java, javascript, jsp, kotlin, objc, php, plsql, python, ruby, scala, sql, swift,

tsql, typescript, and vb.

Value Type: String

Default: All languages in the specified source are translated unless explicitly excluded

with the com.fortify.sca.DISabledLanguagesproperty.

Command-Line Option: -enable-language

Specifies the directory to store intermediate files generated in the translation and analysis

phases. Fortify Static Code Analyzer makes extensive use of intermediate files located in

this project root directory. In some cases, you achieve better performance for analysis by

making sure this directory is on local storage rather than on a network drive.

com.fortify.sca.

ProjectRoot

Value Type: String (path)

Default (Windows): ${win32.LocalAppdata}\Fortify

Note: ${win32.LocalAppdata}is a special variable that points to the windows

Local Application Data shell folder.

Default (Non-Windows): $home/.fortify

Command-Line Option: -project-root

Example: com.fortify.sca.ProjectRoot=

C:\Users\<username>\AppData\Local\

Translation

Specifies how to translate specific file name extensions of languages that do not require

com.fortify.sca.

fileextensions.java

build integration. The valid extension types are ABAP, ACTIONSCRIPT, APEX, APEX_

OBJECT, APEX_TRIGGER, ARCHIVE, ASPNET, ASP, ASPX, BITCODE, BSP, BYTECODE, CFML,

COBOL, CSHARP, DART, DOCKERFILE, FLIGHT, GENERIC, GO, HOCON, HTML, INI, JAVA, JAVA_

PROPERTIES, JAVASCRIPT, JSP, JSPX, KOTLIN, MSIL, MXML, OBJECT, PHP, PLSQL, PYTHON,

RUBY, RUBY_ERB, SCALA, SWIFT, SWC, SWF, TLD, SQL, TSQL, TYPESCRIPT, VB, VB6,

VBSCRIPT, VISUAL_FORCE, VUE, and XML.

com.fortify.sca.

fileextensions.cs

com.fortify.sca.

fileextensions.js

com.fortify.sca.

fileextensions.py

Value Type: String (valid language type)

Default: See the fortify-sca.propertiesfile for the complete list.

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 188 of 232

User Guide

Appendix B: Configuration Options

Property Name

Description

Examples:

com.fortify.sca.

fileextensions.rb

com.fortify.sca.fileextensions.java=JAVA

com.fortify.sca.fileextensions.cs=CSHARP

com.fortify.sca.fileextensions.js=TYPESCRIPT

com.fortify.sca.fileextensions.py=PYTHON

com.fortify.sca.fileextensions.swift=SWIFT

com.fortify.sca.fileextensions.razor=ASPNET

com.fortify.sca.fileextensions.php=PHP

com.fortify.sca.fileextensions.tf=HCL

com.fortify.sca.

fileextensions.aspx

com.fortify.sca.

fileextensions.php

Note: This is a partial list.

For the complete list, see

the properties file.

You can also specify a value of oracle:<path_to_script> to programmatically supply

a language type. Provide a script that accepts one command-line parameter of a file name

that matches the specified extension. The script must write the valid Fortify Static Code

Analyzer file type (see previous list) to stdout and exit with a return value of zero. If the

script returns a non-zero return code or the script does not exist, the file is not translated

and Fortify Static Code Analyzer writes a warning to the log file.

Example:

com.fortify.sca.fileextensions.jsp=

oracle:<path_to_script>

Specifies custom-named compilers.

com.fortify.sca.

compilers.javac=

com.fortify.sca.

util.compilers.JavacCom

piler

Value Type: String (compiler)

Default: See the Compilers section in the fortify-sca.propertiesfile for the

complete list.

com.fortify.sca.

compilers.c++=

com.fortify.sca.

util.compilers.GppCompi

ler

Example:

To tell Fortify Static Code Analyzer that “my-gcc” is a gcc compiler:

com.fortify.sca.

compilers.my-gcc=

com.fortify.sca.util.compilers.

GccCompiler

com.fortify.sca.

compilers.make=

com.fortify.sca.

util.compilers.Touchles

sCompiler

Notes:

l

Compiler names can begin or end with an asterisk (*), which matches zero or more

com.fortify.sca.

compilers.mvn=

com.fortify.sca.

util.compilers.MavenAda

pter

characters.

l

Execution of clang/clang++ is not supported with the gcc/g++ command names.

You can specify the following: com.fortify.sca.compilers.g++=

com.fortify.sca.util.compilers.GppCompiler

Note: This is a partial list.

For the complete list,

see the properties file.

If set to true, Fortify Static Code Analyzer includes

com.fortify.sca.

UseAntListener

com.fortify.dev.ant.SCAListenerin the compiler options.

Value Type: Boolean

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 189 of 232

User Guide

Appendix B: Configuration Options

Property Name

Description

Default: false

Specifies one or more files to exclude from translation. Separate multiple files with

semicolons (Windows) or colons (non-Windows). See "Specifying Files and Directories" on

page 148 for more information on how to use file specifiers.

com.fortify.sca.

exclude

Note: Fortify Static Code Analyzer only uses this property during translation without

build integration. When you integrate with most compilers or build tools, Fortify

Static Code Analyzer translates all source files that the compiler or build tool

processes even if they are specified with this property. However, the Fortify Static

Code Analyzer xcodebuild and MSBuild integrations do support the -exclude

option.

Value Type: String

Default: Not enabled

Command-Line Option: -exclude

Example: com.fortify.sca.exclude=file1.x;file2.x

Specifies the source file encoding type. Fortify Static Code Analyzer allows you to scan a

project that contains differently encoded source files. To work with a multi-encoded

com.fortify.sca.

InputFileEncoding

project, you must specify the -encodingoption in the translation phase, when Fortify

Static Code Analyzer first reads the source code file. Fortify Static Code Analyzer

remembers this encoding in the build session and propagates it into the FVDL file.

Typically, if you do not specify the encoding type, Fortify Static Code Analyzer uses

file.encodingfrom the java.io.InputStreamReaderconstructor with no encoding

parameter. In a few cases (for example with the ActionScript parser), Fortify Static Code

Analyzer defaults to UTF-8.

Value Type: String

Default: (none)

Command-Line Option: -encoding

Example:

com.fortify.sca.InputFileEncoding=UTF-16

com.fortify.sca.

RegExecutable

On Windows platforms, specifies the path to the reg.exesystem utility. Specify the paths

in Windows syntax, not Cygwin syntax, even when you run Fortify Static Code Analyzer

from within Cygwin. Escape backslashes with an additional backslash.

Value Type: String (path)

Default: reg

Example:

com.fortify.sca.RegExecutable=

C:\\Windows\\System32\\reg.exe

Specifies whether the xcodebuild touchless adapter continues translation if the

xcodebuild subprocess exited with a non-zero exit code. If set to false, translation stops

after encountering a non-zero xcodebuild exit code and the Fortify Static Code Analyzer

com.fortify.sca.

xcode.TranslateAfterErr

or

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 190 of 232

User Guide

Appendix B: Configuration Options

Property Name

Description

touchless build halts with the same exit code. If set to true, the Fortify Static Code

Analyzer touchless build executes translation of the build file identified prior to the

xcodebuild exit, and Fortify Static Code Analyzer exits with an exit code of zero (unless

some other error also occurs).

Regardless of this setting, if xcodebuild exits with a non-zero code, then the xcodebuild

exit code, stdout, and stderr are written to the log file.

Value Type: Boolean

Default: false

Scan

If set to true, Fortify Static Code Analyzer generates implied methods when it encounters

implementation by inheritance.

com.fortify.sca.

AddImpliedMethods

Value Type: Boolean

Default: true

If set to true, enables alias analysis.

Value Type: Boolean

com.fortify.sca.

alias.Enable

Default: true

Specifies whether to enable Control Flow Analyzer timeouts.

Value Type: Boolean

com.fortify.sca.

analyzer.controlflow.En

ableTimeOut

Default: true

Specifies a subset of source files to scan. Only the source files that were linked in the

named binary at build time are included in the scan.

com.fortify.sca.

BinaryName

Value Type: String (path)

Default: (none)

Command-Line Option: -binor -binary-name

Specifies a comma- or colon-separated list of the types of analysis to perform. The valid

com.fortify.sca.

DefaultAnalyzers

values for this property are buffer, content, configuration, controlflow,

dataflow, , nullptr, semantic, and structural.

Value Type: String

Default: This property is commented out and all analysis types are used in scans.

Command-Line Option: -analyzers

If set to true, disables function pointers during the scan.

Value Type: Boolean

com.fortify.sca.

DisableFunctionPointers

Default: false

Specifies a comma- or colon-separated list of analyzers to use for a scan in addition to the

com.fortify.sca.

EnableAnalyzer

default analyzers. The valid values for this property are buffer, content,

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 191 of 232

User Guide

Appendix B: Configuration Options

Property Name

Description

configuration, controlflow, dataflow, nullptr, semantic, and structural.

Value Type: String

Default: (none)

Extends the default exit code options. See "Exit Codes" on page 171 for a description of

the exit codes and the valid values for this property.

com.fortify.sca.

ExitCodeLevel

Specifies the path to a filter file for the scan. See "Excluding Issues with Filter Files" on

page 180 for more information.

com.fortify.sca.

FilterFile

Value Type: String (path)

Default: (none)

Command-Line Option: -filter

Specifies a comma-separated list of IIDs to be filtered out using a filter file.

com.fortify.sca.

FilteredInstanceIDs

Value Type: String

Default: (none)

Example:

com.fortify.sca.FilteredInstanceIDs=CA4E1623A2424919B98EC19FCA279FFA,

4418B3DC072647158B3758E6183C14CD

If set to true, higher-order analysis is enabled.

com.fortify.sca.

hoa.Enable

Value Type: Boolean

Default: true

Specifies a comma- or colon-separated list of build IDs for libraries pre-scanned as

separate modules to use in the project scan. Each build ID must denote an existing

scanned library.

com.fortify.sca.

IncludeScaModules

Value Type: String (build IDs)

Default: (none)

Command-Line Option: -include-modules

Example:

com.fortify.sca.IncludeScaModules=LibA,LibB

Specifies the cutoff level for severity suppression. Fortify Static Code Analyzer ignores

any issues found with a lower severity value than the one specified for this property.

com.fortify.sca.

LowSeverityCutoff

Value Type: Number

Default: 1.0

Specifies the length of a taint path between input and output parameters in a function call.

com.fortify.sca.

MaxPassthroughChainDept

h

Value Type: Integer

Default: 4

Specifies whether Fortify Static Code Analyzer runs in parallel analysis mode.

com.fortify.sca.

MultithreadedAnalysis

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 192 of 232

User Guide

Appendix B: Configuration Options

Property Name

Description

Value Type: Boolean

Default: true

Specifies a comma-separated list of languages for which to run higher-order analysis.

com.fortify.sca.

Phase0HigherOrder.Langu

ages

Valid values are python, swift, ruby, javascript, and typescript.

Value Type: String

Default: python,ruby,swift,javascript,typescript

Specifies the total time (in seconds) for higher-order analysis. When the analyzer reaches

the hard timeout limit, it exits immediately.

com.fortify.sca.

Phase0HigherOrder.Timeo

ut.Hard

Fortify recommends this timeout limit in case some issue causes the analysis to run too

long. Fortify recommends that you set the hard timeout to about 50% longer than the soft

timeout, so that either the fixpoint pass limiter or the soft timeout occurs first.

Value Type: Number

Default: 2700

Specifies the scan precision. Scans with a lower precision level are performed faster. The

com.fortify.sca.

PrecisionLevel

valid values are 1, 2, 3, and 4.

Value Type: Number

Default: (none)

Command-Line Option: -scan-precision| -p

Specifies the issue template file to use for the scan. This only affects scans on the local

machine. If you upload the FPR to Fortify Software Security Center, it uses the issue

template assigned to the application version.

com.fortify.sca.

ProjectTemplate

Value Type: String

Default: (none)

Command-Line Option: -project-template

Example:

com.fortify.sca.ProjectTemplate=

test_issuetemplate.xml

If set to true, Fortify Static Code Analyzer performs a quick scan. Fortify Static Code

com.fortify.sca.

QuickScanMode

Analyzer uses the settings from fortify-sca-quickscan.properties, instead of the

fortify-sca.propertiesconfiguration file.

Value Type: Boolean

Default: (not enabled)

Command-Line Option: -quick

Specifies the scan policy for prioritizing reported vulnerabilities (see "Applying a Scan

com.fortify.sca.

ScanPolicy

Policy to the Analysis" on page 48). The valid scan policy values are classic, security,

and devops.

Value Type: String

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 193 of 232

User Guide

Appendix B: Configuration Options

Property Name

Description

Default: security

Command-Line Option: -scor -scan-policy

If set to true, Fortify Static Code Analyzer performs modular scan of this project, which

com.fortify.sca.

ScanScaModule

enables use of this library's build ID with the include-modulesoption (or the

com.fortify.sca.IncludeScaModulesproperty) in subsequent scans. For more

information, see "Configuring Scan Speed with Speed Dial" on page 161.

This property is ignored if the -scancommand-line option is specified.

Value Type: Boolean

Default: false

Command-Line Option: -scan-module

If set to true, Fortify Static Code Analyzer ignores low severity issues found in a scan.

Value Type: Boolean

com.fortify.sca.

SuppressLowSeverity

Default: true

Specifies the number of threads for parallel analysis mode. Add this property only if you

need to reduce the number of threads used because of a resource constraint. If you

experience an increase in scan time or problems with your scan, a reduction in the number

of threads used might solve the problem.

com.fortify.sca.

ThreadCount

Value type: Integer

Default: (number of available processor cores)

The amount of time (in seconds) that type inference can spend to analyze a single

function. Unlimited if set to zero or is not specified.

com.fortify.sca.

TypeInferenceFunctionTi

meout

Value Type: Long

Default: 60

Comma- or colon-separated list of languages that use type inference. This setting

improves the precision of the analysis for dynamically-typed languages.

com.fortify.sca.

TypeInferenceLanguages

Value Type: String

Default: javascript,python,ruby,typescript

Specifies the total amount of time (in seconds) that type inference can spend in phase 0

(the interprocedural analysis). Unlimited if set to zero or is not specified.

com.fortify.sca.

TypeInferencePhase0Time

out

Value Type: Long

Default: 300

Specifies a colon-separated list of functions to hide from all analyzers.

com.fortify.sca.

UniversalBlacklist

Value Type: String

Default: .*yyparse.*

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 194 of 232

User Guide

Appendix B: Configuration Options

Regex Analysis Properties

The properties for the fortify-sca.propertiesfile in the following table apply to regular

expression analysis.

Property Name

Description

If set to true, regular expression analysis is enabled.

com.fortify.sca.

regex.Enable

Value Type: Boolean

Default: true

If set to true, binary files are excluded from a regular expression analysis.

com.fortify.sca.

regex.ExcludeBinaries

Value Type: Boolean

Default: true

Specifies the maximum size (in megabytes) for files that are scanned in a regular expression

analysis. Files that exceed this file size maximum are excluded from a regular expression

analysis.

com.fortify.sca.

regex.MaxSize

Value Type: Number

Default: 10

LIM License Properties

The properties for the fortify-sca.propertiesfile in the following table apply to licensing with

the LIM.

Property Name

Description

Specifies the LIM server API URL. Do not edit this value directly with a text editor. Use

the command-line option to change this value.

com.fortify.sca.

lim.Url

Value Type: String

Default: (none)

Command-Line Option: -store-license-pool-credentials

Example: https://<ip_address>:<port>

Specifies the LIM license pool name. Do not edit this value directly with a text editor.

Use the command-line option to change this value.

com.fortify.sca.

lim.PoolName

Value Type: String

Default: (none)

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 195 of 232

User Guide

Appendix B: Configuration Options

Property Name

Description

Command-Line Option: -store-license-pool-credentials

Specifies the LIM license pool password (encrypted). Do not edit this value directly

with a text editor. Use the command-line option to change this value.

com.fortify.sca.

lim.PoolPassword

Value Type: String

Default: (none)

Command-Line Option: -store-license-pool-credentials

Specifies the proxy server used to connect to the LIM server.

com.fortify.sca.

lim.ProxyUrl

Value Type: String

Default: (none)

Examples:

http://proxy.example.com:8080

https://proxy.example.com

Command-Line Option: -store-license-pool-credentials

Specifies an encrypted user name for proxy authentication to connect to the LIM

server. Do not edit this value directly with a text editor. Use the command-line option

to change this value.

com.fortify.sca.

lim.ProxyUsername

Value Type: String

Default: (none)

Command-Line Option: -store-license-pool-credentials

Specifies an encrypted password for proxy authentication to connect to the LIM

server. Do not edit this value directly with a text editor. Use the command-line option

to change this value.

com.fortify.sca.

lim.ProxyPassword

Value Type: String

Default: (none)

Command-Line Option: -store-license-pool-credentials

If set to true, any attempt to connect to the LIM server without a trusted certificate

fails. If this property is set to false, a warning message displays for any attempt to

connect to the LIM server without a trusted certificate.

com.fortify.sca.

lim.RequireTrustedSSLCert

Value Type: Boolean

Default: true

If set to true and LIM license pool credentials are stored, Fortify Static Code Analyzer

waits for a LIM license to become available before starting a translation or scan. If this

property is set to false, Fortify Static Code Analyzer aborts if it cannot obtain a LIM

license.

com.fortify.sca.

lim.WaitForInitialLicense

Value Type: Boolean

Default: true

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 196 of 232

User Guide

Appendix B: Configuration Options

See Also

"LIM License Directives" on page 146

Rule Properties

The properties for the fortify-sca.propertiesfile in the following table apply to rules (and

custom rules) and Rulepacks.

Property Name

Description

Sets the directory used to search for the Fortify provided encrypted rules files.

com.fortify.sca.

DefaultRulesDir

Value Type: String (path)

Default:

${com.fortify.Core}/config/rules

Specifies a custom Rulepack or directory. If you specify a directory, all of the files in the

com.fortify.sca.

RulesFile

directory with the .binand .xmlextensions are included.

Value Type: String (path)

Default: (none)

Command-Line Option: -rules

Sets the directory used to search for custom rules.

Value Type: String (path)

com.fortify.sca.

CustomRulesDir

Default:

${com.fortify.Core}/config/customrules

com.fortify.sca.

Specifies a list of file extensions for rules files. Any files in <sca_install_

RulesFileExtensions

dir>/Core/config/rules(or a directory specified with the -rulesoption) whose

extension is in this list is included. The .binextension is always included, regardless of the

value of this property. The delimiter for this property is the system path separator.

Value Type: String

Default: .xml

If set to true, rules from the default Rulepacks are not loaded. Fortify Static Code Analyzer

processes the Rulepacks for description elements and language libraries, but no rules are

processed.

com.fortify.sca.

NoDefaultRules

Value Type: Boolean

Default: (none)

Command-Line Option: -no-default-rules

If set to true, disables rules in default Rulepacks that lead directly to issues. Fortify Static

Code Analyzer still loads rules that characterize the behavior of functions. This can be helpful

when creating custom issue rules.

com.fortify.sca.

NoDefaultIssueRules

Value Type: Boolean

Default: (none)

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 197 of 232

User Guide

Appendix B: Configuration Options

Property Name

Description

Command-Line Option: -no-default-issue-rules

If set to true, disables source rules in the default Rulepacks. This can be helpful when

creating custom source rules.

com.fortify.sca.

NoDefaultSourceRules

Note: Characterization source rules are not disabled.

Value Type: Boolean

Default: (none)

Command-Line Option: -no-default-source-rules

If set to true, disables sink rules in the default Rulepacks. This can be helpful when creating

custom sink rules.

com.fortity.sca.

NoDefaultSinkRules

Note: Characterization sink rules are not disabled.

Value Type: Boolean

Default: (none)

Command-Line Option: -no-default-sink-rules

Java and Kotlin Properties

The properties for the fortify-sca.propertiesfile in the following table apply to the translation

of Java and Kotlin code.

Property Name

Description

Specifies the class path used to analyze Java or Kotlin source code. Separate multiple

paths with semicolons (Windows) or colons (non-Windows).

com.fortify.sca.

JavaClasspath

Value Type: String (paths)

Default: (none)

Command-Line Option: -cpor -classpath

Specifies the Java source code version for Java or Kotlin translation.

Value Type: String

com.fortify.sca.

JdkVersion

Default: 11

Command-Line Option: -jdkor -source

Specifies a directory that contains a JDK version that is not included in the Fortify Static

com.fortify.sca.

CustomJdkDir

Code Analyzer installation (<sca_install_dir>/Core/bootcp/).

Value Type: String (path)

Default: (none)

Command-Line Option: -custom-jdk-dir

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 198 of 232

User Guide

Appendix B: Configuration Options

Property Name

Description

Specifies a semicolon- (Windows) or colon-separated (non-Windows) list of Java or Kotlin

source file directories that are not included in the scan but are used for name resolution.

The source path is similar to class path, except it uses source files rather than class files for

resolution.

com.fortify.sca.

JavaSourcepath

Value Type: String (paths)

Default: (none)

Command-Line Option: -sourcepath

com.fortify.sca.

Appserver

Specifies the application server to process JSP files. The valid values are weblogicor

websphere.

Value Type: String

Default: (none)

Command-Line Option: -appserver

Specifies the application server's home directory. For WebLogic, this is the path to the

com.fortify.sca.

AppserverHome

directory that contains server/lib. For WebSphere, this is the path to the directory that

contains the JspBatchCompilerscript.

Value Type: String (path)

Default: (none)

Command-Line Option: -appserver-home

Specifies the version of the WebLogic or WebSphere application server.

Value Type: String

com.fortify.sca.

AppserverVersion

Default: (none)

Command-Line Option: -appserver-version

Specifies directories to include implicitly on the class path for WebLogic and WebSphere

application servers.

com.fortify.sca.

JavaExtdirs

Value Type: String

Default: (none)

Command-Line Option: -extdirs

If set to true, Fortify Static Code Analyzer only translates Java source files that are

referenced by the target file list. Otherwise, Fortify Static Code Analyzer translates all files

included in the source path.

com.fortify.sca.

JavaSourcepathSearch

Value Type: Boolean

Default: true

Specifies semicolon- or colon-separated list of directories of commonly used JAR files. JAR

com.fortify.sca.

DefaultJarsDirs

files located in these directories are appended to the end of the class path option (-cp).

Value Type: String

Default: default_jars

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 199 of 232

User Guide

Appendix B: Configuration Options

Property Name

Description

If set to true, Java bytecode is decompiled for the translation.

com.fortify.sca.

DecompileBytecode

Value Type: Boolean

Default: false

If set to true, the JSP parser uses JSP security manager.

Value Type: Boolean

com.fortify.sca.

jsp.UseSecurityManager

Default: true

Specifies the encoding for JSPs.

Value Type: String (encoding)

com.fortify.sca.

jsp.DefaultEncoding

Default: ISO-8859-1

If set to true, enables additional filtering on JSP-related dataflow to reduce the amount of

spurious false positives detected.

com.fortify.sca.

jsp.LegacyDataflow

Value Type: Boolean

Default: false

Command-Line Option: -legacy-jsp-dataflow

com.fortify.sca.

KotlinJvmDefault

Specifies the generation of the DefaultImplsclass for methods with bodies in Kotlin

interfaces. The valid values are:

l

disable—Specifies to generate the DefaultImplsclass for each interface that

contains methods with bodies.

l

all—Specifies to generate the DefaultImplsclass if an interface is annotated with

@JvmDefaultWithCompatibility.

l

all-compatibility—Specifies to generate the DefaultImplsclass unless an

interface is annotated with @JvmDefaultWithoutCompatibility.

Value Type: String

Default: disable

If set to true, displays any unresolved types, fields, and functions referenced in translated

Java source files at the end of the translation.

com.fortify.sca.

ShowUnresolvedSymbols

Value Type: Boolean

Default: false

Command-Line Option: -show-unresolved-symbols

See Also

"Translating Java Code" on page 53

"Translating Kotlin Code" on page 61

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 200 of 232

User Guide

Appendix B: Configuration Options

Visual Studio and MSBuild Projects Properties

The properties for the fortify-sca.propertiesfile in the following table apply to the translation

of .NET projects and solutions.

Property Name

Description

Sets various .NET options.

Value Type: Boolean and String

Defaults and Examples:

WinForms.

TransformDataBindings

WinForms.

TransformMessageLoops

WinForms.TransformDataBindings=true

WinForms.

TransformChangeNotificationPattern

WinForms.TransformMessageLoops=true

WinForms.

CollectionMutationMonitor.Label

WinForms.TransformChangeNotificationPattern=true

WinForms.CollectionMutationMonitor.Label=

WinFormsDataSource

WinForms.

ExtractEventHandlers

WinForms.ExtractEventHandlers=true

Specifies a semicolon-separated list of full paths to virtual roots used.

com.fortify.sca.

ASPVirtualRoots.<virtual_path>

Value Type: String

Default: (none)

Example:

com.fortify.sca.ASPVirtualRoots.Library=

c:\\WebServer\\CustomerTwo\\Stuff

com.fortify.sca.ASPVirtualRoots.Include=

c:\\WebServer\\CustomerOne\\inc

If set to true, disables ASP external entries in the scan.

com.fortify.sca.

DisableASPExternalEntries

Value Type: Boolean

Default: false

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 201 of 232

User Guide

Appendix B: Configuration Options

JavaScript and TypeScript Properties

The properties for the fortify-sca.propertiesfile in the following table apply to the translation

of JavaScript and TypeScript code.

Property Name

Description

If set to true, Fortify Static Code Analyzer generates JavaScript code to model

the DOM tree that an HTML file generated during the translation phase and

identifies DOM-related issues (such as cross-site scripting issues). Enable this

property if the code you are translating includes HTML files that have

embedded or referenced JavaScript code.

com.fortify.sca.

EnableDOMModeling

Note: Enabling this property can increase the translation time.

Value Type: Boolean

Default: false

com.fortify.sca.

DOMModeling.tags

If you set the com.fortify.sca.EnableDOMModelingproperty to true, you

can specify additional coma-separated HTML tags names for Fortify Static

Code Analyzer to include in the DOM modeling.

Value Type: String

Default: body, button, div, form, iframe, input, head, html, and p.

Example:

com.fortify.sca.DOMModeling.tags=ul,li

Specifies trusted domain names where Fortify Static Code Analyzer can

download referenced JavaScript files for the scan. Delimit the URLs with

vertical bars.

com.fortify.sca.

JavaScript.src.domain.whitelist

Value Type: String

Default: (none)

Example: com.fortify.sca.JavaScript.

src.domain.whitelist=

http://www.xyz.com|http://www.123.org

If set to true, JavaScript code embedded in JSP, JSPX, PHP, and HTML files is

not extracted and not scanned.

com.fortify.sca.

DisableJavascriptExtraction

Value Type: Boolean

Default: false

If set to true, enables translation for minified JavaScript files.

Value Type: Boolean

com.fortify.sca.

EnableTranslationMinifiedJS

Default: false

Specifies a list of comma- or colon-separated JavaScript or TypeScript

technology library files that are not translated. You can use regular

com.fortify.sca.

skip.libraries.ES6

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 202 of 232

User Guide

Appendix B: Configuration Options

Property Name

Description

com.fortify.sca.

expressions in the file names. Note that the regular expression '(-

skip.libraries.jQuery

\d\.\d\.\d)?'is automatically inserted before .min.jsor .jsfor each file

name included in the com.fortify.sca.skip.libraries.jQueryproperty

value.

com.fortify.sca.

skip.libraries.javascript

Value Type: String

com.fortify.sca.

skip.libraries.typescript

Defaults:

l

ES6: es6-shim.min.js,system-polyfills.js,

shims_for_IE.js

l

jQuery: jquery.js,jquery.min.js,

jquery-migrate.js,jquery-migrate.min.js,

jquery-ui.js,jquery-ui.min.js,

jquery.mobile.js,jquery.mobile.min.js,

jquery.color.js,jquery.color.min.js,

jquery.color.svg-names.js,

jquery.color.svg-names.min.js,

jquery.color.plus-names.js,

jquery.color.plus-names.min.js,

jquery.tools.min.js

l

javascript: bootstrap.js,

bootstrap.min.js,

typescript.js,

typescriptServices.js

l

typescript: typescript.d.ts,

typescriptServices.d.ts

If set to true, files included with an import statement are included in the

translation.

com.fortify.sca.

follow.imports

Value Type: Boolean

Default: true

If set to true, only imported node_modules are included in the translation.

com.fortify.sca.

exclude.unimported.node.modules

Value Type: Boolean

Default: true

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 203 of 232

User Guide

Appendix B: Configuration Options

Python Properties

The properties for the fortify-sca.propertiesfile in the following table apply to the translation

of Python code.

Property Name

Description

Specifies a semicolon-separated (Windows) or colon-separated (non-Windows) list

of additional import directories. Fortify Static Code Analyzer does not respect

PYTHONPATH environment variable that the Python runtime system uses to find

import files. Use this property to specify the additional import directories.

com.fortify.sca.

PythonPath

Value Type: String (path)

Default: (none)

Command-Line Option: -python-path

com.fortify.sca.

PythonVersion

Specifies the Python source code version to scan. The valid values are 2and 3.

Value Type: Number

Default: 3

Command-Line Option: -python-version

If set to true, disables the automatic calculation of a common root directory of all

project files to use for importing modules and packages For more details, see

"Including Imported Modules and Packages" on page 82.

com.fortify.sca.

PythonNoAutoRootCalculation

Value Type: Boolean

Default: false

Command-Line Option: -python-no-auto-root-calculation

Specifies semicolon-separated (Windows) or colon-separated (non-Windows) list of

paths for Django templates. Fortify Static Code Analyzer does not use the

com.fortify.sca.

DjangoTemplateDirs

TEMPLATE_DIRS setting from the Django settings.pyfile.

Value Type: String (paths)

Default: (none)

Command-Line Option: -django-template-dirs

Specifies that Fortify Static Code Analyzer does not automatically discover Django

templates.

com.fortify.sca.

DjangoDisableAutodiscover

Value Type: Boolean

Default: (none)

Command-Line Option: -django-disable-autodiscover

See Also

"Translating Python Code" on page 80

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 204 of 232

User Guide

Appendix B: Configuration Options

Go Properties

The properties for the fortify-sca.propertiesfile in the following table apply to the translation

of Go code.

Property Name

Description

Specifies the root directory of your project/workspace.

Value Type: String

com.fortify.sca.

GOPATH

Default: (GOPATH system environment variable)

Specifies the location of the Go installation.

Value Type: String

com.fortify.sca.

GOROOT

Default: (GOROOT system environment variable)

com.fortify.sca.

GOPROXY

Specifies one or more comma-separated proxy URLs. You can also specify director off.

Value Type: String

Default: (GOPROXY system environment variable)

See Also

"Translating Go Code" on page 88

Ruby Properties

The properties for the fortify-sca.propertiesfile in the following table apply to the translation

of Ruby code.

Property Name

Description

Specifies one or more paths to directories that contain Ruby libraries.

Value Type: String (path)

com.fortify.sca.

RubyLibraryPaths

Default: (none)

Command-Line Option: -ruby-path

Specifies one or more paths to RubyGems locations. Set this value if the project has associated

gems to scan.

com.fortify.sca.

RubyGemPaths

Value Type: String (path)

Default: (none)

Command-Line Option: -rubygem-path

See Also

"Translating Ruby Code" on page 93

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 205 of 232

User Guide

Appendix B: Configuration Options

COBOL Properties

The properties for the fortify-sca.propertiesfile in the following table apply to the translation

of COBOL code.

Property Name

Description

Specifies one or more semicolon- or colon-separated directories where Fortify Static Code

Analyzer looks for copybook files.

com.fortify.sca.

CobolCopyDirs

Value Type: String (path)

Default: (none)

Command-Line Option: -copydirs

com.fortify.sca.

CobolDialect

Specifies the COBOL dialect. The valid values for dialect are COBOL390or MICROFOCUS.

The dialect value is case-insensitive.

Value Type: String

Default: COBOL390

Command-Line Option: -dialect

Specifies one or more semicolon-separated COBOL checker directives.

Value Type: String

com.fortify.sca.

CobolCheckerDirectives

Default: (none)

Command-Line Option: -checker-directives

If set to true, enables legacy COBOL translation.

Value Type: Boolean

com.fortify.sca.

CobolLegacy

Default: false

Command-Line Option: -cobol-legacy

If set to true, specifies fixed-format COBOL to direct Fortify Static Code Analyzer to only

look for source code between columns 8-72 in all lines of code (legacy COBOL translation

only).

com.fortify.sca.

CobolFixedFormat

Value Type: Boolean

Default: false

Command-Line Option: -fixed-format

Specifies one or more semicolon- or colon-separated copybook file extensions (legacy

COBOL translation only).

com.fortify.sca.

CobolCopyExtensions

Value Type: String

Default: (none)

Command-Line Option: -copy-extensions

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 206 of 232

User Guide

Appendix B: Configuration Options

See Also

"Translating COBOL Code" on page 95

PHP Properties

The properties for the fortify-sca.propertiesfile in the following table apply to the translation

of PHP code.

Property Name

Description

Specifies the PHP version. For a list of valid versions, see the Fortify Software System

Requirements document.

com.fortify.sca.

PHPVersion

Value Type: String

Default: 8.2

Command-Line Option: -php-version

Specifies the PHP source root.

Value Type: Boolean

com.fortify.sca.

PHPSourceRoot

Default: (none)

Command-Line Option: -php-source-root

See Also

"Translating PHP Code" on page 103

ABAP Properties

The properties described in the following table apply to the translation of ABAP code.

Property Name

Description

If set to true, Fortify Static Code Analyzer adds ABAP statements to debug messages.

com.fortify.sca.

AbapDebug

Value Type: Boolean

Default: (none)

When Fortify Static Code Analyzer encounters an ABAP 'INCLUDE' directive, it looks in the named

directory.

com.fortify.sca.

AbapIncludes

Value Type: String (path)

Default: (none)

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 207 of 232

User Guide

Appendix B: Configuration Options

Flex and ActionScript Properties

The properties for the fortify-sca.propertiesfile in the following table apply to the translation

of Flex and ActionScript code.

Property Name

Description

Specifies a semicolon-separated (Windows) or colon-separated (non-Windows) of libraries to "link"

com.fortify.sca.

FlexLibraries

to. This list must include flex.swc, framework.swc, and playerglobal.swc(which are usually

located in the frameworks/libsdirectory in your Flex SDK root). Use this property primarily to

resolve ActionScript.

Value Type: String (path)

Default: (none)

Command-Line Option: -flex-libraries

Specifies the root location of a valid Flex SDK. The folder must contain a frameworks folder that

com.fortify.sca.

FlexSdkRoot

contains a flex-config.xmlfile. It must also contain a binfolder that contains an mxmlc

executable.

Value Type: String (path)

Default: (none)

Command-Line Option: -flex-sdk-root

Specifies any additional source directories for a Flex project. Separate multiple directories with

semicolons (Windows) or colons (non-Windows).

com.fortify.sca.

FlexSourceRoots

Value Type: String (path)

Default: (none)

Command-Line Option: -flex-source-root

ColdFusion (CFML) Properties

The properties for the fortify-sca.propertiesfile in the following table apply to the translation

of CFML code.

Property Name

Description

If set to true, Fortify Static Code Analyzer treats undefined variables in CFML

pages as tainted. This serves as a hint to the Dataflow Analyzer to watch out

for register-globals-style vulnerabilities. However, enabling this property

interferes with dataflow findings where a variable in an included page is

initialized to a tainted value in an earlier-occurring included page.

com.fortify.sca.

CfmlUndefinedVariablesAreTainted

Value Type: Boolean

Default: false

If set to true, make CFML files case-insensitive for applications developed

com.fortify.sca.

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 208 of 232

User Guide

Appendix B: Configuration Options

Property Name

Description

using a case-insensitive file system and scanned on case-sensitive file

systems.

CaseInsensitiveFiles

Value Type: Boolean

Default: (not enabled)

Specifies the base directory for ColdFusion projects.

Value Type: String (path)

com.fortify.sca.

SourceBaseDir

Default: (none)

Command-Line Option: -source-base-dir

SQL Properties

The properties for the fortify-sca.propertiesfile in the following table apply to the translation

of SQL code.

Property Name

Description

com.fortify.sca.

SqlLanguage

Specifies the SQL language variant. The valid SQL language type values are PLSQL(for Oracle

PL/SQL) and TSQL(for Microsoft T-SQL).

Value Type: String

Default: TSQL

Command-Line Option: -sql-language

See Also

"Translating SQL" on page 115

Output Properties

The properties for the fortify-sca.propertiesfile in the following table apply to the analysis

output.

Property Name

Description

The file to which results are written.

Value Type: String

com.fortify.sca.

ResultsFile

Default: (none)

Command-Line Option: -f

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 209 of 232

User Guide

Appendix B: Configuration Options

Property Name

Description

Example: com.fortify.sca.ResultsFile=MyResults.fpr

com.fortify.sca.

Renderer

Controls the output format. The valid values are fpr, fvdl, text, and auto. The default

of autoselects the output format based on the extension of the file provided with the -

foption.

Value Type: String

Default: auto

Command-Line Option: -format

If set to true, Fortify Static Code Analyzer appends results to an existing results file.

Value Type: Boolean

com.fortify.sca.

OutputAppend

Default: false

Command-Line Option: -append

If set to true, Fortify Static Code Analyzer prints results as they become available. This

com.fortify.sca.

ResultsAsAvailable

is helpful if you do not specify the -foption (to specify an output file) and print to

stdout.

Value Type: Boolean

Default: false

Specifies a label for the scanned project. Fortify Static Code Analyzer does not use this

label but includes it in the results.

com.fortify.sca.

BuildLabel

Value Type: String

Default: (none)

Command-Line Option: -build-label

Specifies a name for the scanned project. Fortify Static Code Analyzer does not use this

name but includes it in the results.

com.fortify.sca.

BuildProject

Value Type: String

Default: (none)

Command-Line Option: -build-project

Specifies a version number for the scanned project. Fortify Static Code Analyzer does

not use this version number but it is included in the results.

com.fortify.sca.

BuildVersion

Value Type: String

Default: (none)

Command-Line Option: -build-version

Output information in a format that scripts or Fortify Static Code Analyzer tools can use

rather than printing output interactively. Instead of a single line to display scan

progress, a new line is printed below the previous one on the console to display updated

progress.

com.fortify.sca.

MachineOutputMode

Value Type: Boolean

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 210 of 232

User Guide

Appendix B: Configuration Options

Property Name

Description

Default: (not enabled)

Command-Line Option: -machine-output

Sets the number of lines of code to display surrounding an issue. Snippets always

include the two lines of code on each side of the line where the error occurs. By default,

five lines of code are displayed.

com.fortify.sca.

SnippetContextLines

Value Type: Number

Default: 2

If set to true, excludes Fortify security content descriptions from the analysis results file

(FVDL).

com.fortify.sca.

FVDLDisableDescriptions

Value Type: Boolean

Default: false

Command-Line Option: -fvdl-no-descriptions

If set to true, excludes engine data from the analysis results file (FVDL).

Value Type: Boolean

com.fortify.sca.

FVDLDisableEngineData

Default: false

Command-Line Option:-fvdl-no-enginedata

If set to true, excludes label evidence from the analysis results file (FVDL).

Value Type: Boolean

com.fortify.sca.

FVDLDisableLabelEvidence

Default: false

com.fortify.sca.

FVDLDisableProgramData

If set to true, excludes the ProgramDatasection from the analysis results file (FVDL).

Value Type: Boolean

Default: false

Command-Line Option: -fvdl-no-progdata

If set to true, excludes code snippets from the analysis results file (FVDL).

Value Type: Boolean

com.fortify.sca.

FVDLDisableSnippets

Default: false

Command-Line Option: -fvdl-no-snippets

Specifies location of the style sheet for the analysis results.

Value Type: String (path)

com.fortify.sca.

FVDLStylesheet

Default:

${com.fortify.Core}/resources/sca/fvdl2html.xsl

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 211 of 232

User Guide

Appendix B: Configuration Options

Mobile Build Sessions (MBS) Properties

The properties for the fortify-sca.propertiesfile in the following table apply to MBS files.

Property Name

Description

If set to true, Fortify Static Code Analyzer copies source files into the build session directory.

com.fortify.sca.

MobileBuildSessions

Value Type: Boolean

Default: false

If set to true, Fortify Static Code Analyzer extracts the build ID and the Fortify Static Code

Analyzer version number from the mobile build session.

com.fortify.sca.

ExtractMobileInfo

Note: Fortify Static Code Analyzer does not extract the mobile build with this property.

Value Type: Boolean

Default: false

See Also

"Mobile Build Sessions" on page 46

Proxy Properties

The properties for the fortify-sca.propertiesfile in the following table apply to proxy settings.

Property Name

Description

Specifies a proxy host name.

Value Type: String

Default: (none)

com.fortify.sca.

https.proxyHost

Specifies a proxy port number.

Value Type: Number

Default: (none)

com.fortify.sca.

https.proxyPort

Logging Properties

The properties for the fortify-sca.propertiesfile in the following table apply to log files.

Property Name

Description

Specifies the default log file name and location.

com.fortify.sca.

LogFile

Value Type: String (path)

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 212 of 232

User Guide

Appendix B: Configuration Options

Property Name

Description

Default:

${com.fortify.sca.ProjectRoot}/log/sca.log

and ${com.fortify.sca.ProjectRoot}/log/sca_FortifySupport.log

Command-Line Option: -logfile

com.fortify.sca.

LogLevel

Specifies the minimum log level for both log files. The valid values are DEBUG,

INFO, WARN, ERROR, and FATAL. For more information, see "Locating the Log

Files" on page 177 and "Configuring Log Files" on page 177 .

Value Type: String

Default: INFO

If set to true, Fortify Static Code Analyzer overwrites the log file for each run of

sourceanalyzer.

com.fortify.sca.

ClobberLogFile

Value Type: Boolean

Default: false

Command-Line Option: -clobber-log

If set to true, Fortify Static Code Analyzer writes performance-related data to the

Fortify Support log file after the scan is complete. This value is automatically set

to true when in debug mode.

com.fortify.sca.

PrintPerformanceDataAfterScan

Value Type: Boolean

Default: false

See Also

"Configuring Log Files" on page 177

Debug Properties

The properties for the fortify-sca.propertiesfile in the following table apply to debug settings.

Property Name

Description

Includes debug information in the Fortify Support log file, which is only useful for

Customer Support to help troubleshoot.

com.fortify.sca.

Debug

Value Type: Boolean

Default: false

Command-Line Option: -debug

com.fortify.sca.

DebugVerbose

This is the same as the com.fortify.sca.Debugproperty, but it includes more details,

specifically for parse errors.

Value Type: Boolean

Default: (not enabled)

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 213 of 232

User Guide

Appendix B: Configuration Options

Property Name

Description

Command-Line Option: -debug-verbose

If set to true, includes verbose messages in the Fortify Support log file.

Value Type: Boolean

com.fortify.sca.

Verbose

Default: false

Command-Line Option: -verbose

If set to true, additional performance information is written to the Fortify Support log.

Value Type: Boolean

com.fortify.sca.

DebugTrackMem

Default: (not enabled)

Command-Line Option: -debug-mem

If set to true, enables additional timers to track performance.

Value Type: Boolean

com.fortify.sca.

CollectPerformanceData

Default: (not enabled)

If set to true, disables the command-line progress information.

com.fortify.sca.

Quiet

Value Type: Boolean

Default: false

Command-Line Option: -quiet

If set to true, Fortify Static Code Analyzer monitors its memory use and warns when JVM

garbage collection becomes excessive.

com.fortify.sca.

MonitorSca

Value Type: Boolean

Default: true

fortify-sca-quickscan.properties

Fortify Static Code Analyzer offers a less in-depth scan known as a quick scan. This option scans the

project in quick scan mode, using the property values in the fortify-sca-quickscan.properties

file. By default, a quick scan reduces the depth of the analysis and applies the Quick View filter set.

The Quick View filter set provides only critical and high priority issues.

Note: Properties in this file are only used if you specify the -quickoption on the command line

for your scan.

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 214 of 232

User Guide

Appendix B: Configuration Options

The following table provides two sets of default values: the default value for quick scans and the

default value for normal scans. If only one default value is shown, the value is the same for both

normal scans and quick scans.

Property Name

Description

Sets the time limit (in milliseconds) for Control Flow analysis on a single

function.

com.fortify.sca.

CtrlflowMaxFunctionTime

Value Type: Integer

Quick Scan Default: 30000

Default: 600000

Specifies a comma- or colon-separated list of analyzers to disable during a

com.fortify.sca.

DisableAnalyzers

scan. The valid analyzer names are buffer, content, configuration,

controlflow, dataflow, nullptr, semantic, and structural.

Value Type: String

Quick Scan Default: controlflow:buffer

Default: (none)

Specifies the filter set to use. You can use this property with an issue

template to filter at scan-time instead of post-scan. See

com.fortify.sca.

FilterSet

com.fortify.sca.ProjectTemplatedescribed in "Translation and

Analysis Phase Properties" on page 187 to specify an issue template that

contains the filter set to use.

When set to Quick View, this property runs rules that have a potentially

high impact and a high likelihood of occurring and rules that have a

potentially high impact and a low likelihood of occurring. Filtered issues are

not written to the FPR and therefore this can reduce the size of an FPR. For

more information about filter sets, see the OpenText™ Fortify Audit

Workbench User Guide.

Value Type: String

Quick Scan Default: Quick View

Default: (none)

Disables the creation of the metatable, which includes information for the

Function view in Fortify Audit Workbench. This metatable enables right-click

on a variable in the source window to show the declaration. If C/C++ scans

take an extremely long time, setting this property to true can potentially

reduce the scan time by hours.

com.fortify.sca.

FPRDisableMetatable

Value Type: Boolean

Quick Scan Default: true

Default: false

Command-Line Option: -disable-metatable

Disables source code inclusion in the FPR file. Prevents Fortify Static Code

com.fortify.sca.

FPRDisableSourceBundling

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 215 of 232

User Guide

Appendix B: Configuration Options

Property Name

Description

Analyzer from generating marked-up source code files during a scan. If you

plan to upload FPR files that are generated as a result of a quick scan to

Fortify Software Security Center, you must set this property to false.

Value Type: Boolean

Quick Scan Default: true

Default: false

Command-Line Option: -disable-source-bundling

Sets the time limit (in milliseconds) for Null Pointer analysis for a single

function. The standard default is five minutes. If this value is set to a shorter

limit, the overall scan time decreases.

com.fortify.sca.

NullPtrMaxFunctionTime

Value Type: Integer

Quick Scan Default: 10000

Default: 300000

Disables path tracking for Control Flow analysis. Path tracking provides more

detailed reporting for issues, but requires more scan time. To disable this for

com.fortify.sca.

TrackPaths

JSP only, set it to NoJSP. Specify Noneto disable all functions.

Value Type: String

Quick Scan Default: (none)

Default: NoJSP

Specifies the size limit for complex calculations in the Buffer Analyzer. Skips

calculations that are larger than the specified size value in the Buffer

Analyzer to improve scan time.

com.fortify.sca.

limiters.ConstraintPredicateSize

Value Type: Integer

Quick Scan Default: 10000

Default: 500000

Controls the maximum call depth through which the Dataflow Analyzer tracks

tainted data. Increase this value to increase the coverage of dataflow

analysis, which results in longer scan times.

com.fortify.sca.

limiters.MaxChainDepth

Note: Call depth refers to the maximum call depth on a dataflow path

between a taint source and sink, rather than call depth from the

program entry point, such as main().

Value Type: Integer

Quick Scan Default: 3

Default: 5

Sets the number of times taint propagation analyzer visits functions.

com.fortify.sca.

limiters.MaxFunctionVisits

Value Type: Integer

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 216 of 232

User Guide

Appendix B: Configuration Options

Property Name

Description

Quick Scan Default: 5

Default: 50

Controls the maximum number of paths to report for a single dataflow

vulnerability. Changing this value does not change the results that are found,

only the number of dataflow paths displayed for an individual result.

com.fortify.sca.

limiters.MaxPaths

Note: Fortify does not recommend setting this property to a value

larger than 5 because it might increase the scan time.

Value Type: Integer

Quick Scan Default: 1

Default: 5

Sets a complexity limit for the Dataflow Analyzer. Dataflow incrementally

decreases precision of analysis on functions that exceed this complexity

metric for a given precision level.

com.fortify.sca.

limiters.MaxTaintDefForVar

Value Type: Integer

Quick Scan Default: 250

Default: 1000

Sets a hard limit for function complexity. If complexity of a function exceeds

this limit at the lowest precision level, the analyzer skips analysis of the

function.

com.fortify.sca.

limiters.MaxTaintDefForVarAbort

Value Type: Integer

Quick Scan Default: 500

Default: 4000

fortify-rules.properties

This topic describes the properties available for use in the fortify-rules.propertiesfile. Use

these properties to modify behavior of individual rules or provide information that can improve how

rules identify weaknesses.

Property Name

Description

The regular expression to match password identifiers across all

languages unless a language-specific rules property is set.

com.fortify.sca.rules.

password_regex.global

Value Type: String

Default: (?i)(s|_)?

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 217 of 232

User Guide

Appendix B: Configuration Options

Property Name

Description

email|email(_)?smtp)?(_|\.)?pass(wd|word|phrase)

Regular expression to match password identifiers in ABAP code.

Setting this property overrides the global regex password rules

property.

com.fortify.sca.rules

.password_regex.abap

Value Type: String

Default: (value for com.fortify.sca.rules.password_

regex.global)

Regular expression to match password identifiers in ActionScript

code. Setting this property overrides the global regex password

rules property.

com.fortify.sca.rules.

password_

regex.actionscript

Value Type: String

Default: (value for com.fortify.sca.rules.password_

regex.global)

Regular expression to match password identifiers in Salesforce

Apex code. Setting this property overrides the global regex

password rules property.

com.fortify.sca.rules.

password_regex.apex

Value Type: String

Default: (value for com.fortify.sca.rules.password_

regex.global)

Regular expression to match password identifiers in ColdFusion

(CFML) code. Setting this property overrides the global regex

password rules property.

com.fortify.sca.rules.

password_regex.cfml

Value Type: String

Default: (none)

Regular expression to match password identifiers in COBOL code.

Setting this property overrides the global regex password rules

property.

com.fortify.sca.rules.

password_regex.cobol

Value Type: String

Default: (value for com.fortify.sca.rules.password_

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 218 of 232

User Guide

Appendix B: Configuration Options

Property Name

Description

regex.global)

Regular expression to match password identifiers in XML. Setting

this property overrides the global regex password rules property.

Do not use regular expression modifiers. The value is case-

insensitive.

com.fortify.sca.rules.

password_regex.config

Value Type: String

Default: (s|_)?

email|email(_)?smtp)?(_|\.)?pass(wd|word|phrase)

Regular expression to match password identifiers in C and C++

code. Setting this property overrides the global regex password

rules property.

com.fortify.sca.rules.

password_regex.cpp

Value Type: String

Default: (value for com.fortify.sca.rules.password_

regex.global)

Regular expression to match password identifiers in .NET code.

Setting this property overrides the global regex password rules

property.

com.fortify.sca.rules.

password_regex.dotnet

Value Type: String

Default: (value for com.fortify.sca.rules.password_

regex.global)

Regular expression to match password identifiers in Dockerfiles.

Setting this property overrides the global regex password rules

property.

com.fortify.sca.rules.

password_regex.docker

Value Type: String

Default: .*pass(wd|word|phrase).*

Regular expression to match password identifiers in Go code.

Setting this property overrides the global regex password rules

property.

com.fortify.sca.rules.

password_regex.golang

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 219 of 232

User Guide

Appendix B: Configuration Options

Property Name

Description

Value Type: String

Default: (value for com.fortify.sca.rules.password_

regex.global)

Regular expression to match password identifiers in Java code.

Setting this property overrides the global regex password rules

property.

com.fortify.sca.rules.

password_regex.java

Value Type: String

Default: (value for com.fortify.sca.rules.password_

regex.global)

Regular expression to match password identifiers in JavaScript

and TypeScript code. Setting this property overrides the global

regex password rules property.

com.fortify.sca.rules.

password_

regex.javascript

Value Type: String

Default: (value for com.fortify.sca.rules.password_

regex.global)

Regular expression to match password identifiers in JSON.

Setting this property overrides the global regex password rules

property.

com.fortify.sca.rules.

password_regex.json

Value Type: String

Default: (?i).*pass(wd|word|phrase).*

Regular expression used to match password identifiers in JSP

code. Setting this property overrides the global regex password

rules property.

com.fortify.sca.rules.

password_regex.jsp

Value Type: String

Default: (value for com.fortify.sca.rules.password_

regex.global)

Regular expression to match password identifiers in Objective-C

and Objective-C++ code. Setting this property overrides the

global regex password rules property.

com.fortify.sca.rules.

password_regex.objc

Value Type: String

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 220 of 232

User Guide

Appendix B: Configuration Options

Property Name

Description

Default: (?i)(s|_)?

email|email(_)?smtp)?(_|\.)?token|pin|pass

(wd|word|phrase))

Regular expression to match password identifiers in PHP code.

Setting this property overrides the global regex password rules

property.

com.fortify.sca.rules.

password_regex.php

Value Type: String

Default: (value for com.fortify.sca.rules.password_

regex.global)

Regular expression to match password identifiers in Properties

files. Setting this property overrides the global regex password

rules property.

com.fortify.sca.rules.

password_

regex.properties

Value Type: String

Default: (value for com.fortify.sca.rules.password_

regex.global)

Regular expression to match password identifiers in PowerShell

files. Setting this property overrides the global regex password

rules property.

com.fortify.sca.rules.

password_

regex.powershell

Value Type: String

Default: (value for com.fortify.sca.rules.password_

regex.global)

Regular expression to match password identifiers in Python code.

Setting this property overrides the global regex password rules

property.

com.fortify.sca.rules.

password_regex.python

Value Type: String

Default: (value for com.fortify.sca.rules.password_

regex.global)

Regular expression to match password identifiers in Ruby code.

Setting this property overrides the global regex password rules

com.fortify.sca.rules.

password_regex.ruby

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 221 of 232

User Guide

Appendix B: Configuration Options

Property Name

Description

property.

Value Type: String

Default: (value for com.fortify.sca.rules.password_

regex.global)

Regular expression to match password identifiers in SQL code.

Setting this property overrides the global regex password rules

property.

com.fortify.sca.rules.

password_regex.sql

Value Type: String

Default: (value for com.fortify.sca.rules.password_

regex.global)

Regular expression to match password identifiers in Swift code.

Setting this property overrides the global regex password rules

property.

com.fortify.sca.rules.

password_regex.swift

Value Type: String

Default: (?i)(s|_)?

email|email(_)?smtp)?(_|\.)?(token|pin|pass

(wd|word|phrase))

Regular expression to match password identifiers in VB6 code.

Setting this property overrides the global regex password rules

property.

com.fortify.sca.rules.

password_regex.vb

Value Type: String

Default: (value for com.fortify.sca.rules.password_

regex.global)

Regular expression to match password identifiers in YAML.

Setting this property overrides the global regex password rules

property.

com.fortify.sca.rules.

password_regex.yaml

Value Type: String

Default: (?i).*pass(wd|word|phrase).*

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 222 of 232

User Guide

Appendix B: Configuration Options

Property Name

Description

The regular expression to match key identifiers across all

languages unless a language-specific regex key rules property is

set.

com.fortify.sca.rules.

key_regex.global

Value Type: String

Default: (?i)((enc|dec)

(ryption|rypt)?|crypto|secret|private)(_)?key

Regular expression to match key identifiers in ABAP code. Setting

this property overrides the global regex key rules property.

com.fortify.sca.rules.

key_regex.abap

Value Type: String

Default: (value for com.fortify.sca.rules.key_

regex.global)

Regular expression to match key identifiers in ActionScript code.

Setting this property overrides the global regex key rules

property.

com.fortify.sca.rules.

key_regex.actionscript

Value Type: String

Default: (value for com.fortify.sca.rules.key_

regex.global)

Regular expression to match key identifiers in CFML code. Setting

this property overrides the global regex key rules property.

com.fortify.sca.rules.

key_regex.cfml

Value Type: String

Default: (value for com.fortify.sca.rules.key_

regex.global)

Regular expression to match key identifiers in C and C++ code.

Setting this property overrides the global regex key rules

property.

com.fortify.sca.rules.

key_regex.cpp

Value Type: String

Default: (value for com.fortify.sca.rules.key_

regex.global)

Regular expression to match key identifiers in Go code. Setting

this property overrides the global regex key rules property.

com.fortify.sca.rules.

key_regex.golang

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 223 of 232

User Guide

Appendix B: Configuration Options

Property Name

Description

Value Type: String

Default: (value for com.fortify.sca.rules.key_

regex.global)

Regular expression to match key identifiers in Java code. Setting

this property overrides the global regex key rules property.

com.fortify.sca.rules.

key_regex.java

Value Type: String

Default: (value for com.fortify.sca.rules.key_

regex.global)

Regular expression to match key identifiers in JavaScript and

TypeScript code. Setting this property overrides the global regex

key rules property.

com.fortify.sca.rules.

key_regex.javascript

Value Type: String

Default: (value for com.fortify.sca.rules.key_

regex.global)

Regular expression to match key identifiers in JSP code. Setting

this property overrides the global regex key rules property.

com.fortify.sca.rules.

key_regex.jsp

Value Type: String

Default: (value for com.fortify.sca.rules.key_

regex.global)

Regular expression used to match key identifiers in Objective-C

and Objective-C++ code. Setting this property overrides the

global regex key rules property.

com.fortify.sca.rules.

key_regex.objc

Value Type: String

Default: (value for com.fortify.sca.rules.key_

regex.global)

Regular expression to match key identifiers in PHP code. Setting

this property overrides the global regex key rules property.

com.fortify.sca.rules.

key_regex.php

Value Type: String

Default: (value for com.fortify.sca.rules.key_

regex.global)

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 224 of 232

User Guide

Appendix B: Configuration Options

Property Name

Description

Regular expression to match key identifiers in Python code.

Setting this property overrides the global regex key rules

property.

com.fortify.sca.rules.

key_regex.python

Value Type: String

Default: (value for com.fortify.sca.rules.key_

regex.global)

Regular expression used to match key identifiers in Ruby code.

Setting this property overrides the global regex key rules

property.

com.fortify.sca.rules.

key_regex.ruby

Value Type: String

Default: (value for com.fortify.sca.rules.key_

regex.global)

Regular expression to match key identifiers in SQL code. Setting

this property overrides the global regex key rules property.

com.fortify.sca.rules.

key_regex.sql

Default: (value for com.fortify.sca.rules.key_

regex.global)

Regular expression used to match key identifiers in Swift code.

Setting this property overrides the global regex key rules

property.

com.fortify.sca.rules.

key_regex.swift

Value Type: String

Default: (value for com.fortify.sca.rules.key_

regex.global)

Regular expression to match key identifiers in Visual Basic 6 code.

Setting this property overrides the global regex key rules

property.

com.fortify.sca.rules.

key_regex.vb

Value Type: String

Default: (value for com.fortify.sca.rules.key_

regex.global)

Name of the serverless function called when no JSON/YAML

cloud build config file exists.

com.fortify.sca.rules.

GCPFunctionName

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 225 of 232

User Guide

Appendix B: Configuration Options

Property Name

Description

Value Type: String

Default: (none)

If set to true, the scanned cloud function is an HTTP trigger.

com.fortify.sca.rules.

GCPHttpTrigger

Value Type: Boolean

Default: false

If set to true and Fortify Static Code Analyzer scans an

application with a supported framework, produces a results file to

be imported into OpenText™ Fortify WebInspect to improve

results.

com.fortify.sca.rules.

enable_wi_correlation

Value Type: Boolean

Default: false

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 226 of 232

Appendix C: Fortify Java Annotations

Fortify provides two versions of the Java Fortify annotations library.

l

Annotations with the retention policy set to CLASS (FortifyAnnotations-CLASS.jar).

With this version of the library, Fortify annotations are propagated to the bytecode during

compilation.

l

Annotations with the retention policy set to SOURCE (FortifyAnnotations-SOURCE.jar).

With this version of the library, Fortify annotations are not propagated to the bytecode after the

code that uses them is compiled.

If you use Fortify products to analyze bytecode of your applications (for example, with OpenText™

Fortify on Demand assessments), then use the version with the annotation retention policy set to

CLASS. If you use Fortify products to analyze the source code of your applications, you can use either

version of the library. However, Fortify strongly recommends that you use the library with a retention

policy set to SOURCE.

Important! Leaving Fortify annotations in production code is a security risk because they can

leak information about potential security problems in the code. Fortify recommends that you use

annotations with the retention policy set to CLASS only for internal Fortify analysis, and never

use them in your application production builds.

This section outlines the annotations available. A sample application is included in the Fortify_SCA_

Samples_<version>.ziparchive in the advanced/javaAnnotationsdirectory. A README.txt

file included in the directory describes the sample application, problems that might arise from it, and

how to fix these problems using Fortify Java Annotations.

There are two limitations with Fortify Java annotations:

l

Each annotation can specify only one input and/or one output.

l

You can apply only one annotation of each type to the same target.

Fortify provides three main types of annotations:

l

"Dataflow Annotations" on the next page

l

"Field and Variable Annotations" on page 230

l

"Other Annotations" on page 231

You also can write rules to support your own custom annotations. Contact Customer Support for more

information.

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 227 of 232

User Guide

Appendix C: Fortify Java Annotations

Dataflow Annotations

There are four types of Dataflow annotations, similar to Dataflow rules: Source, Sink, Passthrough, and

Validate. All are applied to methods and specify the inputs and/or outputs by parameter name or the

strings thisand return. Additionally, you can apply the Dataflow Source and Sink annotations to

the function arguments.

Source Annotations

The acceptable values for the annotation parameter are this, return, or a function parameter name.

For example, you can assign taint to an output of the target method.

@FortifyDatabaseSource("return")

String [] loadUserProfile(String userID) {

...

}

For example, you can assign taint to an argument of the target method.

void retrieveAuthCode(@FortifyPrivateSource String authCode) {

...

}

In addition to specific source annotations, Fortify provides a generic untrusted taint source called

FortifySource.

The following is a complete list of source annotations:

l

FortifySource

l

FortifyDatabaseSource

l

FortifyFileSystemSource

l

FortifyNetworkSource

l

FortifyPCISource

l

FortifyPrivateSource

l

FortifyWebSource

Passthrough Annotations

Passthrough annotations transfer any taint from an input to an output of the target method. It can

also assign or remove taint from the output, in the case of FortifyNumberPassthroughand

FortifyNotNumberPassthrough. The acceptable values for the inannotation parameter are this

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 228 of 232

User Guide

Appendix C: Fortify Java Annotations

or a function parameter name. The acceptable values for the outannotation parameter are this,

return, or a function parameter name.

@FortifyPassthrough(in="a",out="return")

String toLowerCase(String a) {

...

}

Use FortifyNumberPassthroughto indicate that the data is purely numeric. Numeric data cannot

cause certain types of issues, such as cross-site scripting, regardless of the source. Using

FortifyNumberPassthroughcan reduce false positives of this type. If a program decomposes

character data into a numeric type (int, int[], and so on), you can use FortifyNumberPassthrough.

If a program concatenates numeric data into character or string data, then use

FortifyNotNumberPassthrough.

The following is a complete list of passthrough annotations:

l

FortifyPassthrough

l

FortifyNumberPassthrough

l

FortifyNotNumberPassthrough

Sink Annotations

Sink annotations report an issue when taint of the appropriate type reaches an input of the target

method. Acceptable values for the annotation parameter are thisor a function parameter name.

@FortifyXSSSink("a")

void printToWebpage(int a) {

...

}

You can also apply the annotation to the function argument or the return parameter. In the following

example, an issue is reported when taint reaches the argument a.

void printToWebpage(int b, @FortifyXSSSink String a) {

...

}

The following is a complete list of the sink annotations:

l

FortifySink

l

FortifyCommandInjectionSink

l

FortifyPCISink

l

FortifyPrivacySink

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 229 of 232

User Guide

Appendix C: Fortify Java Annotations

l

FortifySQLSink

l

FortifySystemInfoSink

l

FortifyXSSSink

Validate Annotations

Validate annotations remove taint from an output of the target method. Acceptable values for the

annotation parameter are this, return, or a function parameter name.

@FortifyXSSValidate("return")

String xssCleanse(String a) {

...

}

The following is a complete list of validate sink annotations:

l

FortifyValidate

l

FortifyCommandInjectionValidate

l

FortifyPCIValidate

l

FortifyPrivacyValidate

l

FortifySQLValidate

l

FortifySystemInfoValidate

l

FortifyXSSValidate

Field and Variable Annotations

You can apply these annotations to fields and (in most cases) variables.

Password and Private Annotations

Use password and private annotations to indicate whether the target field or variable is a password or

private data.

@FortifyPassword String x;

@FortifyNotPassword String pass;

@FortifyPrivate String y;

@FortifyNotPrivate String cc;

In the previous example, string x will be identified as a password and checked for privacy violations

and hardcoded passwords. The string pass will not be identified as a password. Without the

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 230 of 232

User Guide

Appendix C: Fortify Java Annotations

annotation, it might cause false positives. The FortifyPrivateand FortifyNotPrivate

annotations work similarly, only they do not cause privacy violation issues.

Non-Negative and Non-Zero Annotations

Use these annotations to indicate disallowed values for the target field or variable.

@FortifyNonNegative int index;

@FortifyNonZero double divisor;

In the previous example, an issue is reported if a negative value is assigned to indexor zero is

assigned to divisor.

Other Annotations

Check Return Value Annotation

Use the FortifyCheckReturnValueannotation to add a target method to the list of functions that

require a check of the return values.

@FortifyCheckReturnValue

int openFile(String filename){

...

}

Dangerous Annotations

With the FortifyDangerousannotation, any use of the target function, field, variable, or class is

reported. Acceptable values for the annotation parameter are CRITICAL, HIGH, MEDIUM, or LOW.

These values indicat how to categorize the issue based on the Fortify Priority Order values).

@FortifyDangerous{"CRITICAL"}

public class DangerousClass {

@FortifyDangerous{"HIGH"}

String dangerousField;

@FortifyDangerous{"LOW"}

int dangerousMethod() {

...

}

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 231 of 232

Send Documentation Feedback

If you have comments about this document, you can contact the documentation team by email.

Note: If you are experiencing a technical issue with our product, do not email the documentation

team. Instead, contact Customer Support at https://www.microfocus.com/support so they can

assist you.

If an email client is configured on this computer, click the link above to contact the documentation

team and an email window opens with the following information in the subject line:

Feedback on User Guide (Fortify Static Code Analyzer 24.2.0)

Just add your feedback to the email and click send.

If no email client is available, copy the information above to a new message in a web mail client, and

send your feedback to fortifydocteam@opentext.com.

We appreciate your feedback!

OpenText™ Fortify Static Code Analyzer (24.2.0)

Page 232 of 232