OpenText™ Application Security

Software Version: 25.2.0

Tools Guide

Document Release Date: May 2025

Software Release Date: May 2025

Tools Guide

Legal Notices

Open Text Corporation

275 Frank Tompa Drive, Waterloo, Ontario, Canada, N2L 0A1

Copyright Notice

The only warranties for products and services of Open Text and its affiliates and licensors (“Open Text”) are as may be set forth

in the express warranty statements accompanying such products and services. Nothing herein should be construed as

constituting an additional warranty. Open Text shall not be liable for technical or editorial errors or omissions contained herein.

The information contained herein is subject to change without notice.

Trademark Notices

“OpenText” and other Open Text trademarks and service marks are the property of Open Text or its affiliates. All other

trademarks or service marks are the property of their respective owners.

Documentation updates

The title page of this document contains the following identifying information:

l

Software Version number

l

Document Release Date, which changes each time the document is updated

l

Software Release Date, which indicates the release date of this version of the software

This document was produced for OpenText™ Application Security CE 25.2 on May 28, 2025.

OpenText™ Application Security (25.2.0)

Page 2 of 70

Tools Guide

Contents

Preface

6

Contacting Customer Support

For more information

Product feature videos

Change Log

7

Chapter 1: Getting Started

9

Product name changes

About OpenText Application Security Tools

Hardware requirements

Platforms and architectures

Software requirements

Service integrations for OpenText Application Security Tools

Secure Code Plugins

Authentication for connecting to Fortify Software Security Center

BIRT reports

About Installing OpenText Application Security Tools

Installing OpenText Application Security Tools

Installing OpenText™ Application Security Tools Silently (Unattended)

Installing OpenText™ Application Security Tools in Text-Based Mode on Non-Windows

Adding Trusted Certificates

About Upgrading OpenText Application Security Tools

Upgrading the Fortify Extension for Visual Studio

21

About Uninstalling OpenText™ Application Security Tools

Uninstalling OpenText™ Application Security Tools

Uninstalling OpenText™ Application Security Tools Silently

Uninstalling OpenText™ Application Security Tools in Text-Based Mode on Non-Windows

OpenText™ Application Security (25.2.0)

Page 3 of 70

Tools Guide

Locating Log Files

24

"Troubleshooting BIRTReportGenerator" on page 36

OpenText™ Application Security (25.2.0)

Page 32 of 70

Tools Guide

Chapter 3: Command-Line Tools

BIRTReportGenerator Command-Line Options

The following table describes the BIRTReportGenerator options.

BIRTReportGenerator Option

Description

(Required) Specifies the report template name. The valid

-template <template_name>

values for <template_name> are "CWE Top 25",

"CWE/SANS Top 25", "Developer Workbook", "DISA

CCI 2", "DISA STIG", "FISMA Compliance", GDPR,

MISRA, "OWASP API Top 10", "OWASP ASVS 4.0",

"OWASP MASVS 2.0", "OWASP Mobile Top 10",

"OWASP Top 10", "PCI DSS Compliance", and

"PCI SSF Compliance".

Note: You only need to enclose the report template

name in quotes if the <template_name> includes a

space. The template name values are case-

insensitive.

(Required) Specifies the audited project on which to

base the report.

-source <audited_proj>.fpr

-format pdf | doc | html

(Required) Specifies the generated report format.

Note: The format values are case-insensitive.

(Required) Specifies the file to which the report is

written.

-output <report_file.***>

-searchQuery <query>

Note: If you specify a file that already exists, that

file is overwritten.

Specifies a search query to filter issues before

generating the report. For example:

-searchQuery audited:false

For a description of the search query syntax, see the

OpenText™ Fortify Audit Workbench User Guide.

Include issues that are marked as suppressed.

-ShowSuppressed

OpenText™ Application Security (25.2.0)

Page 33 of 70

Tools Guide

Chapter 3: Command-Line Tools

BIRTReportGenerator Option

Description

Include issues that are marked as removed.

Include issues that are marked as hidden.

-ShowRemoved

-ShowHidden

Specifies a filter set to use to generate the report (for

-filterSet <filterset_name>

example, -filterSet "Quick View").

Specifies the version for the template. The template

version values are case-insensitive.

--Version <version>

Note:

l

Templates that are not listed here have only one

version available.

l

If you do not specify a version and multiple

versions are available, BIRTReportGenerator uses

the most recent version based on the external

metadata used when the FPR was created.

l

The BIRTReportGenerator help displays current

report versions. OpenText periodically

deprecates older report versions, however these

versions are still available for FPR files that were

created before the report version was

deprecated.

The valid values for the template versions are:

OpenText™ Application Security (25.2.0)

Page 34 of 70

Tools Guide

Chapter 3: Command-Line Tools

BIRTReportGenerator Option

Description

l

For the "CWE Top 25" template, the version is

"CWE Top 25 <version>" (for example, "CWE Top

25 2024")

l

For the "CWE/SANS Top 25" template, the version is

"<version> CWE/SANS Top 25" (for example,

"2011 CWE/SANS Top 25")

l

For the "DISA STIG" template, the version

is "DISA STIG <version>" (for example,

"DISA STIG 6.1")

l

For the "FISMA Compliance" template, the version is

"NIST 800-53 Rev <version>" (for example,

"NIST 800-53 Rev 5")

l

For the MISRA template, the available versions are

"MISRA C 2023" or "MISRA C++ 2008"

l

For the "OWASP Mobile Top 10" template, the version

is "OWASP Mobile Top 10 <version>" (for

example, "OWASP Mobile Top 10 2024")

l

For the "OWASP Top 10" template, the version is

"OWASP Top 10 <version>" (for example, "OWASP

Top 10 2021")

l

For the "PCI DSS Compliance" template, the version

is "PCI <version>" (for example, "PCI 4.0.1")

l

For the "PCI SSF Compliance" template, the version is

"PCI SSF <version>" (for example,

"PCI SSF 1.2")

Include the Description of Key Terminology section in

--IncludeDescOfKeyTerminology

the report.

Include the About Fortify Solutions section in the report.

--IncludeAboutFortify

--SecurityIssueDetails

Provide detailed descriptions of reported issues. This

option is not available for the Developer Workbook

template.

Use Fortify Priority Order instead of folder names to

categorize issues. This option is not available for the

Developer Workbook and PCI Compliance templates.

--UseFortifyPriorityOrder

OpenText™ Application Security (25.2.0)

Page 35 of 70

Tools Guide

Chapter 3: Command-Line Tools

BIRTReportGenerator Option

Description

Displays detailed information about the options.

-h | -help

Displays debug information that can be helpful to

troubleshoot issues with BIRTReportGenerator.

-debug

Troubleshooting BIRTReportGenerator

Occasionally, you might encounter an out of memory error when you generate a report. You might see

a message similar to the following in the command-line output:

java.lang.OutOfMemoryError: GC overhead limit exceeded

To increase the memory allocated for BIRTReportGenerator, add the -Xmx option to the

BIRTReportGenerator command. In the following example, 32 GB is allocated to

BIRTReportGenerator to run a report:

BIRTReportGenerator -template "DISA STIG" -source myproject.fpr -format PDF

-output myproject_report.pdf -Xmx32G

Generating a Legacy Analysis Report

Use the ReportGenerator command-line tool to generate legacy reports. The legacy reports include

user-configurable report templates. The basic command-line syntax to generate a legacy analysis

report is:

ReportGenerator -source <audited_proj>.fpr -format <format> -f <report_

file_name>

The following is an example of how to generate a PDF report using the Fortify Scan Summary

template and additional options:

ReportGenerator -source auditedProj.fpr -format pdf -template

ScanReport.xml -showSuppressed -user Alex -f MyFortifyReport.pdf

ReportGenerator Command-Line Options

The following table describes the ReportGenerator options.

ReportGenerator Option

Description

(Required) Specifies the audited project on which to base the

report.

-source <audited_proj>.fpr

OpenText™ Application Security (25.2.0)

Page 36 of 70

Tools Guide

Chapter 3: Command-Line Tools

ReportGenerator Option

Description

(Required) Specifies the generated report format.

(Required) Specifies the file to which the report is written.

-format pdf | xml

-f <report_file.***>

Note: If you specify a file that already exists, that file is

overwritten.

Specifies the report template. If not specified,

-template <template_name>

ReportGenerator uses the default template. The default

template is located in <tools_install_dir>

/Core/config/reports/DefaultReportDefinition.xm

l.

Note: Enclose the <template_name> in quotes if it

contains any spaces.

See the OpenText™ Fortify Audit Workbench User Guide for a

description of the available report templates and how to

customize them.

Specifies a user name to add to the report.

Include issues marked as suppressed.

Include issues marked as removed.

Include issues marked as hidden.

-user <username>

-showSuppressed

-showRemoved

-showHidden

Specifies a filter set to use to generate the report (for

-filterSet <filterset_

name>

example, -filterset "Quick View").

Displays status messages to the console.

-verbose

-debug

Displays debug information that can be helpful to

troubleshoot issues with ReportGenerator.

Displays detailed information about the options.

-h

OpenText™ Application Security (25.2.0)

Page 37 of 70

Tools Guide

Chapter 3: Command-Line Tools

Working with FPR Files from the Command Line

Use the FPRUtility command-line tool located in <tools_install_dir>/bin to perform the

following tasks:

l

"Merging FPR Files" below

l

"Displaying Analysis Results Information from an FPR File" on page 40

l

"Extracting a Source Archive from an FPR File" on page 44

l

"Altering FPR Files" on page 46

l

"Allocating More Memory for FPRUtility" on page 46

Merging FPR Files

The FPRUtility -merge option combines the analysis results from two FPR files into a single FPR file.

The values of the primary project are used to resolve conflicts. When you merge two FPR files, copies

of both the primary analysis results and the secondary analysis results are stored in the merged FPR.

When you open a merged FPR in Fortify Audit Workbench or Fortify Software Security Center,

removed issues are determined as those that exist in the secondary analysis results but not in the

primary analysis results. Similarly, new issues are those that exist in the primary analysis results, but

not in the secondary analysis results.

To merge FPR files:

FPRUtility -merge -project <primary>.fpr -source <secondary>.fpr \

-f <merged>.fpr

To merge FPR files and set instance ID migrator options:

FPRUtility -merge -project <primary>.fpr -source <secondary>.fpr \

-f <merged>.fpr -iidmigratorOptions "<iidmigrator_options>"

FPRUtility Data Merge Options

The following table lists the FPRUtility options that apply to merging data.

FPRUtility Option

Description

Merges the specified project and source FPR files.

-merge

Specifies the primary FPR file to merge. Conflicts are resolved

using the values in this file.

-project <primary>.fpr

Specifies the secondary FPR file to merge. The primary project

-source <secondary>.fpr

OpenText™ Application Security (25.2.0)

Page 38 of 70

Tools Guide

Chapter 3: Command-Line Tools

FPRUtility Option

Description

overrides values if conflicts exist.

Specifies the name of the merged FPR file to contain the result

of the merged files.

-f <merged>.fpr

Note: When you specify this option, neither of the original

FPR files are modified. If you do not use this option, the

primary FPR is overwritten with the merged results.

Forces the migration, even if OpenText SAST and the Rulepack

versions of the two projects are the same.

-forceMigration

Specifies to ignore the analysis dates in the primary and

secondary FPR files for the merge. Otherwise, the secondary

FPR is always updated with the primary FPR .

-ignoreAnalysisDates

Specifies to use the filter sets and folders from the issue

template in the secondary FPR.

-useSourceIssueTemplate

Specifies an instance ID mapping file. This enables you to modify

mappings manually rather than using the migration results.

Supply your own instance ID mapping file.

-useMigrationFile

<mapping_file>

Specifies instance ID migrator options. Separate included

options with spaces and enclosed them in quotes. Some valid

options are:

-iidmigratorOptions

<iidmigrator_options>

l

-i provides a case-sensitive file name comparison of the

merged files

l

-u <scheme_file> tells iidmigrator to read the matching

scheme from <scheme_file> for instance ID migration

Note: Wrap <-iidmigrator_options> in single quotes

('-u <scheme_file>') when working from a Cygwin

command prompt.

Windows example:

FPRUtility -merge -project <primary>.fpr

-source <secondary>.fpr -f <merged>.fpr

-iidmigratorOptions "-u scheme_file"

OpenText™ Application Security (25.2.0)

Page 39 of 70

Tools Guide

Chapter 3: Command-Line Tools

FPRUtility Option

Description

Displays debug information that can be helpful to troubleshoot

issues with FPRUtility.

-debug

FPRUtility Data Merge Exit Codes

Upon completion of the -merge command, FPRUtility provides one of the exit codes described in the

following table.

Exit Code Description

0

5

The merge completed successfully.

The merge failed.

Displaying Analysis Results Information from an FPR File

The FPRUtility -information option displays information about the analysis results. You can obtain

information to:

l

Validate signatures

l

Examine any errors associated with the FPR

l

Obtain the number of issues for each analyzer, vulnerability category, or custom grouping

l

Obtain lists of issues (including some basic information). You can filter these lists.

l

Obtain the list of analyzed files and the number of lines of code (LOC) for each file. You can also

compare the LOC with another FPR.

To display signature information for the analysis:

FPRUtility -information -signature -project <project>.fpr -f <output>.txt

To display a full analysis error report for the FPR:

FPRUtility -information -errors -project <project>.fpr -f <output>.txt

To display the number of issues per vulnerability category or analyzer:

FPRUtility -information -categoryIssueCounts -project <project>.fpr

FPRUtility -information -analyzerIssueCounts -project <project>.fpr

OpenText™ Application Security (25.2.0)

Page 40 of 70

Tools Guide

Chapter 3: Command-Line Tools

To display the number of issues for a custom grouping based on a search:

FPRUtility -information -search -query <search_expression> \

[-categoryIssueCounts] [-analyzerIssueCounts] \

[-includeSuppressed] [-includeRemoved] \

-project <project>.fpr -f <output>.txt

Note: By default, the result does not include suppressed and removed issues. To include

suppressed or removed issues, use the -includeSuppressed or -includeRemoved options.

To display information for issues in CSV format:

FPRUtility -information -listIssues \

-search [-queryAll | -query <search_expression>] \

[-categoryIssueCounts] [-analyzerIssueCouts] \

[-includeSuppressed] [-includeRemoved] \

-project <project>.fpr -f <output>.csv -outputFormat CSV

To display information for all issues from the most recent scan (excluding suppressed and removed

issues) using the Quick View filter set:

FPRUtility -information -listIssues \

-search -queryAllExistingUnsuppressed \

-filterSet "Quick View" \

[-categoryIssueCounts] [-analyzerIssueCouts] \

-project <project>.fpr -f <output>.txt

To display a comparison of the number of lines of code for analyzed files in two FPRs:

FPRUtility -information -loc -project <project>.fpr \

-compareTo <oldproject>.fpr -f <output>.txt

FPRUtility Information Options

The following table lists the FPRUtility options that apply to project information.

FPRUtility Option

Description

Displays information for the project.

-information

Specify one of the following options to indicate what information to display:

Displays the signature for analysis results and rules.

Displays the migration mappings report.

-signature

-mappings

OpenText™ Application Security (25.2.0)

Page 41 of 70

Tools Guide

Chapter 3: Command-Line Tools

FPRUtility Option

Description

Displays a full error report for the FPR.

-errors

Displays the OpenText SAST and OpenText Secure Coding Rulepacks

versions used in the static scan.

-versions

Displays all functions that the static analyzer encountered in CSV format.

-functionsMeta

To filter which functions are displayed, include -

excludeCoveredByRules, and -excludeFunctionsWithSource.

Displays the number of issues for each vulnerability category.

Displays the number of issues for each analyzer.

-categoryIssueCounts

-analyzerIssueCounts

-search <query_option>

l

Use -search -query <search_expression> to display the number

of issues in the result of your specified search expression. To display the

number of issues per vulnerability category or analyzer, add the optional

-categoryIssueCounts and -analyzerIssueCounts options to the

search option. Use the -includeSuppressed and -includeRemoved

options to include suppressed or removed issues.

l

Use -search -queryAll to search all the issues in the FPR including

suppressed and removed issues.

l

Use -search -queryAllExistingUnsuppressed to search all the

issues in the FPR excluding suppressed and removed issues.

Displays the list of analyzed files each with the number of lines of code

(LOC) in the following format:

-loc

<filename>: <total_loc> (<executable_loc>)

where <total_loc> is the approximate number of lines that contain code

constructs (comments are excluded).

Note: Ignore the <executable_loc> metric. It is no longer used.

For FPR files created using OpenText SAST version 24.2 and later, the

<executable_loc> value always matches the <total_loc> value. Also,

<total_loc> includes all lines of code (including comments and blank

lines).

Use -compareTo <project>.fpr with this option to compare the

number of lines of code with another FPR. The comparison output includes

the following information:

l

+ indicates new analyzed files

l

- indicates removed analyzed files

OpenText™ Application Security (25.2.0)

Page 42 of 70

Tools Guide

Chapter 3: Command-Line Tools

FPRUtility Option

Description

l

* indicates files with a different number of lines of code. The difference

in the number of lines of code is shown next to the executable

LOC number as in (+N or -N). For example:

* ProjectA/main.jsp: 115 +15 (85 +15)

In the previous example, the comparison shows that the number of lines

of code in main.jsp is different between the two FPR files. There are 15

additional total LOC.

Specifies the FPR from which to extract the results information.

Displays the location for each issue in one of the following formats:

-project <project>.fpr

-listIssues

<sink_filename>:<line_num> or

<sink_filename>:<line_num> (<category> | <analyzer>)

You can also use the -listIssues option with -search and with both

issueCounts grouping options. If you group by -categoryIssueCounts,

then the output includes (<analyzer>) and if you group by

-analyzerIssueCounts, then the output includes (<category>).

If you specify the -outputFormat CSV option, then each issue is displayed

on one line in the format:

"<instanceid>", "<category>",

"<sink_filename>:<line_num>", "<analyzer>"

Displays only the issues and counts that pass the filters specified in the

filter set. Filter sets are ignored without this option.

-filterSet <filterset_

name>

Important! You must use -search with this option.

-f <output>

Specifies the output file. The default is System.out.

Specifies the output format. The default value is TEXT.

-outputFormat TEXT | CSV

-debug

Displays debug information that can be helpful to troubleshoot issues

with FPRUtility.

OpenText™ Application Security (25.2.0)

Page 43 of 70

Tools Guide

Chapter 3: Command-Line Tools

FPRUtility Signature Exit Codes

Upon completion of the -information -signature command, FPRUtility provides one of the exit

codes described in the following table.

Exit Code Description

0

1

2

3

The project is signed, and all the signatures are valid.

The project is signed, and some, but not all, of the signatures passed the validity test.

The project is signed but none of the signatures are valid.

The project had no signatures to validate.

Extracting a Source Archive from an FPR File

The FPRUtility -sourceArchive option creates a source archive (FSA) file from a specified FPR file

and removes the source code from the FPR file. You can extract the source code from an FPR file,

merge an existing source archive (FSA) back into an FPR file, or recover source files from a source

archive.

To archive data:

FPRUtility -sourceArchive -extract -project <project>.fpr -f <output_

archive>.fsa

To archive data to a directory:

FPRUtility -sourceArchive -extract -project <project>.fpr \

-recoverSourceDirectory -f <output_dir>

To add an archive to an FPR file:

FPRUtility -sourceArchive -mergeArchive -project <project>.fpr \

-source <old_source_archive>.fsa -f <project_with_archive>.fpr

To recover files that are missing from an FPR file:

FPRUtility -sourceArchive -fixSecondaryFileSources \

-payload <source_archive>.zip -project <project>.fpr -f <output>.fpr

OpenText™ Application Security (25.2.0)

Page 44 of 70

Tools Guide

Chapter 3: Command-Line Tools

FPRUtility Source Archive Options

The following table lists the FPRUtility options that apply to working with the source archive.

FPRUtility Option

Description

Creates an FSA file so that you can extract a source

archive.

-sourceArchive

One of:

Use the -extract option to extract the contents of

the FPR file.

-extract

-mergeArchive

-fixSecondaryFileSources

Use the -mergeArchive option to merge the

contents of the FPR file with an existing archived file

(-source option).

Use the -fixSecondaryFileSources option to

recover source files from a source archive (-

payload option) missing from an FPR file.

Specifies the FPR to archive.

-project <project>.fpr

-recoverSourceDirectory

Use with the -extract option to extract the source

as a directory with restored source files.

Specifies the name of the existing archive. Use only if

you are merging an FPR file with an existing archive

-source <old_source_archive>.fsa

-payload <source_archive>.zip

(-mergeArchive option).

Use with the -fixSecondaryFileSources option

to specify the source archive from which to recover

source files.

Specifies the output file. You can generate an FPR, a

directory, or an FSA file.

-f <project_with_archive>.fpr |

<output_archive>.fsa |

<output_dir>

Displays debug information that can be helpful to

troubleshoot issues with FPRUtility.

-debug

OpenText™ Application Security (25.2.0)

Page 45 of 70

Tools Guide

Chapter 3: Command-Line Tools

Altering FPR Files

Use the FPRUtility -trimToLastScan option to remove the previous scan results from a merged

project (FPR). This reduces the size of the FPR file when you no longer need the previous scan results.

This can also reduce the time it takes to open an FPR in Fortify Audit Workbench.

To remove the previous scan from the FPR:

FPRUtility -trimToLastScan -project <merged_project>.fpr [-f <output>.fpr]

FPRUtility Alter FPR File Options

FPRUtility Option

Description

Removes the previous scan results from a merged

project.

-trimToLastScan

Specifies the merged FPR to alter. If this project is not a

merged project, then the FPR file remains unchanged.

-project <merged_project>.fpr

-f <output>.fpr

Specifies the name of the altered output file.

If you do not specify this option, then the merged FPR is

altered.

Allocating More Memory for FPRUtility

Performing tasks with large and complex FPR files might trigger out-of-memory errors. By default,

1000 MB is allocated for FPRUtility. To increase the memory, add the -Xmx option to the command

line. For example, to allocate 2 GB for FPRUtility, use the following command:

FPRUtility -Xmx2G -merge -project <primary>.fpr -source <secondary>.fpr \

-f <output>.fpr

OpenText™ Application Security (25.2.0)

Page 46 of 70

Chapter 4: Configuration Options

The OpenText™ Application Security Tools installer places a set of properties files on your system.

Properties files contain configurable settings for OpenText SAST applications and tools. Some

properties described in this chapter already exist in the properties file, and some of them you must

add yourself. You can modify any of the properties in the configuration file with a text editor.

This section contains the following topics:

Properties File Format

47

63

66

Configuration Options for Java-Based Applications and IDE Plugins

Configuration Options for Fortify Extension for Visual Studio

Shared Configuration Options

Properties File Format

In a properties file, each property consists of a pair of strings: the first string is the property name and

the second string is the property value.

com.fortify.log.console=false

As shown above, the property disables console logging. The property name is

com.fortify.log.console and the value is set to false.

Configuration Options for Java-Based Applications

and IDE Plugins

This section describes the properties to configure the following Java-based OpenText SAST

applications.

l

Fortify Audit Workbench

l

Fortify Custom Rules Editor

l

Fortify Plugins for Eclipse, IntelliJ IDEA, and Android Studio

The following table lists the OpenText SAST application acronyms used in this section.

Acronym

Fortify Application / Plugin / Extension

AWB

Fortify Audit Workbench

OpenText™ Application Security (25.2.0)

Page 47 of 70

Tools Guide

Chapter 4: Configuration Options

Acronym

CRE

Fortify Application / Plugin / Extension

Fortify Custom Rules Editor

ECP

Fortify Plugin for Eclipse

IAP

Fortify Analysis Plugin for IntelliJ IDEA and Android Studio

Where to Find the Properties File

The location of the properties file fortify.properties varies for the different OpenText SAST

applications. The following table provides the location of the properties file for the applications

described in this chapter.

Fortify

Application

Property File Location

AWB, CRE

<tools_install_dir>/Core/config

Note: After you specify the location of the OpenText SAST executable from

Fortify Audit Workbench, the location of the properties file changes to <sca_

install_dir>/Core/config for AWB.

ECP

IAP

<eclipse_install_dir>/plugins/com.fortify.dev.ide.eclipse_

<version>/Core/config

or if Eclipse was installed with an installer:

<userhome>/.p2/pool/plugins/com.fortify.dev.ide.eclipse_

<version>/Core/config

<IDE_product_plugins_dir>/Core/config

The following is an example location on Windows:

C:\Users\<username>\AppData\Roaming\JetBrains\Idea<version>

\plugins\Fortify\config

Java-Based Applications and IDE Plugin Properties

Some properties described in this section already exist in the fortify.properties file, and some of

them you must add yourself. The colored boxes in the Details column indicate which OpenText SAST

applications use the property. To find this properties file for the various products, see "Where to Find

the Properties File" above.

OpenText™ Application Security (25.2.0)

Page 48 of 70

Tools Guide

Chapter 4: Configuration Options

The following table describes the properties in the fortify.properties file.

Property

Details

com.fortify.

If set to true, disables the add folder functionality.

audit.ui.DisableAddingFolders

Default: false

Tools Affected:

AWB

ECP

CRE

IAP

com.fortify.

audit.ui.DisableBugtrackers

If set to true, disables bug tracker integration.

Default: false

Tools Affected:

AWB

ECP

CRE

com.fortify.

audit.ui.DisableEditing

CustomTags

If set to true, removes the ability to edit custom tags.

Default: false

Tools Affected:

AWB

ECP

CRE

com.fortify.

audit.ui.DisableSuppress

If set to true, disables issue suppression.

Default: false

Tools Affected:

AWB

ECP

CRE

com.fortify.

AuthenticationKey

Specifies the directory to store the encrypted Fortify Software Security

Center authentication token.

Default: ${com.fortify.WorkingDirectory}/config/tools

Tools Affected:

AWB

ECP

CRE

IAP

com.fortify.

awb.Debug

If set to true, Fortify Audit Workbench runs in debug mode.

Default: false

Tools Affected:

AWB

ECP

CRE

IAP

OpenText™ Application Security (25.2.0)

Page 49 of 70

Tools Guide

Chapter 4: Configuration Options

Property

Details

com.fortify.

awb.javaExtensions

Specifies the file extensions (comma-delimited) to treat as Java files

during a scan.

If this property is empty, Fortify Audit Workbench and the Fortify Plugin

for Eclipse recognize .java, .jsp, and .jspx files as Java files. The

property only determines whether a project includes Java files and to add

Java-specific controls to the Advanced Scan wizard.

Default: none

Tools Affected:

AWB

ECP

CRE

IAP

com.fortify.

If set to true, garbage collection is run and heap space is released when

awb.forceGCOnProjectClose

you close a project. This reduces the increased Java process memory

consumption when working with small FPR files. When Fortify Audit

Workbench runs with G1GC garbage collection, the Java process can

return free memory back to the operating system when the project is

closed.

Default: false

Tools Affected:

AWB

ECP

CRE

IAP

com.fortify.

awb.LinuxFontAdjust

Specifies the font size to use on Linux platforms. Fortify Audit Workbench

adds the specified size to original font size.

Default: 0

Tools Affected:

AWB

ECP

CRE

IAP

com.fortify.

awb.MacFontAdjust

Specifies to tune font size for the macOS platform. Fortify Audit

Workbench adds the specified size to the original font size.

Default: 2

Tools Affected:

AWB

ECP

CRE

IAP

com.fortify.

awb.WindowsFontAdjust

Specifies to tune the font size for the Windows platform. Fortify Audit

Workbench adds the specified size to original font size.

Default: 0

OpenText™ Application Security (25.2.0)

Page 50 of 70

Tools Guide

Chapter 4: Configuration Options

Property

Details

Tools Affected:

AWB

ECP

CRE

IAP

com.fortify.

Debug

If set to true, runs the OpenText SAST applications in debug mode.

Default: false

Tools Affected:

AWB

ECP

CRE

IAP

com.fortify.

DisableDescriptionXML

Escaping

If set to true, disables XML escaping in issue descriptions (for example,

changing " in XML/FVDL to ").

Default: false

Tools Affected:

AWB

ECP

CRE

IAP

com.fortify.

If set to true, parses URL in the ExternalEntries/Entry element in the

DisableExternalEntry

Correlation

FVDL file.

Default: false

<URL>/auth/PerformChangePass.action</URL>

<SourceLocation path="pages/content/

ChangePass.jsp" line="16" lineEnd="16"

colStart="0" colEnd="0"

snippet=

"1572130B944CEC7A3D98775A499AE8FA#pages/

content/ChangePass.jsp:16:16"/>

</Entry>

</ExternalEntries>

Tools Affected:

AWB

ECP

CRE

IAP

com.fortify.

If set to true, disables computing minimum virtual call confidence.

DisableMinVirtCallConfidence

Computation

Fortify Audit Workbench and the Fortify Plugin for Eclipse use this

attribute to compute minimum virtual call confidence and enable issue

filtering. For example, you can use it to filter out all issues that contain a

virtual call with confidence lower than 0.46.

OpenText™ Application Security (25.2.0)

Page 51 of 70

Tools Guide

Chapter 4: Configuration Options

Property

Details

Default: false

Tools Affected:

AWB

ECP

CRE

IAP

com.fortify.

If set to true, disables removed issue persistence (clears removed issues

DisableRemovedIssue

Persistance

from the FPR file).

Default: false

Tools Affected:

AWB

ECP

CRE

IAP

com.fortify.

If set to true, disables rendering issue description into reports.

DisableReportCategory

Rendering

Default: false

Tools Affected:

AWB

ECP

CRE

IAP

com.fortify.

If set to true, displays the event ID in the issue node tooltip in the Issues

DisplayEventID

view.

Default: false

Tools Affected:

AWB

ECP

CRE

IAP

com.fortify.

If set to true, runs the plugin in debug mode.

eclipse.Debug

Default: false

Tools Affected:

AWB

ECP

CRE

IAP

com.fortify.

InstallationUserName

Specifies the default user name for logging in to Fortify Software Security

Center for the first time.

Default: ${user.name}

Tools Affected:

AWB

ECP

CRE

IAP

OpenText™ Application Security (25.2.0)

Page 52 of 70

Tools Guide

Chapter 4: Configuration Options

Property

Details

com.fortify.

locale

Specifies the locale (for rules and metadata only). The possible values are:

en (English)

es (Spanish)

ja (Japanese)

ko (Korean)

pt_BR (Brazilian Portuguese)

zh_CN (Simplified Chinese)

zh_TW (Traditional Chinese)

Default: en

Tools Affected:

AWB

ECP

CRE

IAP

com.fortify.

If set to true, verifies the signature in the FPR file.

model.CheckSig

If com.fortify.model.UseIssueParseFilters is set to true, then

com.fortify.model.MinimalLoad is set to true,

com.fortify.model.IssueCutoffStartIndex is not null,

com.fortify.model.IssueCutoffEndIndex is not null,

com.fortify.model.IssueCutoffByCategoryStartIndex is not null

or com.fortify.model.IssueCutoffByCategoryEndIndex is not

null, com.fortify.model.CheckSig is false, and the signature in FPRs

are not verified.

Default: true (normal) / false (minimum load)

Tools Affected:

AWB

ECP

CRE

IAP

com.fortify.

Specifies a custom prefix for the description header. It prepends the text

model.CustomDescriptions

Header

in the Description/Recommendation header, so that you see “My

Recommendations” instead of “Custom Recommendations.”

Note: To update description headers, OpenText recommends that

you use the <CustomDescriptionRule> rule with the <Header>

element text instead.

Default: none

OpenText™ Application Security (25.2.0)

Page 53 of 70

Tools Guide

Chapter 4: Configuration Options

Property

Details

Tools Affected:

AWB

ECP

CRE

IAP

com.fortify.

If set to true, does not shorten the build ID, even if the build ID exceeds

model.DisableChopBuildID

250 characters.

Default: false

Tools Affected:

AWB

ECP

CRE

IAP

com.fortify.

If set to true, disables loading the ContextPool section of the FVDL file.

model.DisableContextPool

You can configure this property if com.fortify.model.MinimalLoad is

not set to true. If com.fortify.model.MinimalLoad is set to true,

then com.fortify.model.DisableContextPool is automatically set to

true.

Default: false

Tools Affected:

AWB

ECP

CRE

IAP

com.fortify.

If set to true, disables loading the Description section from the

model.DisableDescription

FVDL file.

You can configure this property if com.fortify.model.MinimalLoad is

not set to true. If com.fortify.model.MinimalLoad is true, then

com.fortify.model.DisableDescription is automatically set to

true.

Default: false

Tools Affected:

AWB

ECP

CRE

IAP

com.fortify.

If set to true, disables loading the EngineData section of the FVDL file to

model.DisableEngineData

save memory when large FPR files are opened. This data is displayed on

the Analysis Information tab of Project Summary view. The property is

useful if too many analysis warnings occur during a scan. However,

OpenText recommends that you instead set a limit for

com.fortify.model.MaxEngineErrorCount to open FPR files that

have many OpenText SAST warnings.

OpenText™ Application Security (25.2.0)

Page 54 of 70

Tools Guide

Chapter 4: Configuration Options

Property

Details

Also see "com.fortify.model.MaxEngineErrorCount " on page 58

Default: false

Tools Affected:

AWB

ECP

CRE

IAP

com.fortify.

If set to true, disables use of the code navigation features in Fortify Audit

model.DisableProgramInfo

Workbench.

You can configure this property if com.fortify.model.MinimalLoad is

not true. If com.fortify.model.MinimalLoad is set to true, then this

property is automatically set to true.

Also see "com.fortify.model.MinimalLoad " on page 59

Default: false

Tools Affected:

AWB

ECP

CRE

IAP

com.fortify.

model.DisableProgramPoint

If set to true, disables loading of the ProgramPoint section from the

runtime.fvdl file.

Default: false

Tools Affected:

AWB

ECP

CRE

IAP

com.fortify.

If set to true, disables replacing the conditional description.

model.DisableReplacement

Parsing

You can configure this property if com.fortify.model.MinimalLoad is

not set to true. If com.fortify.model.MinimalLoad is true, then this

property is automatically set to true.

Also see "com.fortify.model.MinimalLoad " on page 59

Default: false

Tools Affected:

AWB

ECP

CRE

IAP

com.fortify.

If set to true, disables loading the Snippets section from the FVDL file.

model.DisableSnippets

You can configure this property if com.fortify.model.MinimalLoad is

set to false. If com.fortify.model.MinimalLoad is set to true, then

OpenText™ Application Security (25.2.0)

Page 55 of 70

Tools Guide

Chapter 4: Configuration Options

Property

Details

com.fortify.model.DisableSnippets is automatically set to true.

Default: false

Tools Affected:

AWB

ECP

CRE

IAP

com.fortify.

If set to true, disables loading the UnifiedInductionPool section from

model.DisableUnified

Inductions

the FVDL file.

You can configure this property if com.fortify.model.MinimalLoad is

not set to true. If com.fortify.model.MinimalLoad is set to true,

then com.fortify.model.DisableUnifiedInductions is

automatically set to true.

Default: false

Tools Affected:

AWB

ECP

CRE

IAP

com.fortify.

If set to true, disables loading the UnifiedNodePool section from the

model.DisableUnifiedPool

FVDL file.

You can configure this property if com.fortify.model.MinimalLoad

is set to false. If com.fortify.model.MinimalLoad is true, then

com.fortify.model.DisableUnifiedPool is automatically set to

true. If the value is not specified or false, this property is set to none.

Default: false

Tools Affected:

AWB

ECP

CRE

IAP

com.fortify.

If set to true, disables loading the UnifiedTracePool section from the

model.DisableUnifiedTrace

FVDL file.

You can configure this property if com.fortify.model.MinimalLoad is

not set to true. If com.fortify.model.MinimalLoad is true, then

com.fortify.model.DisableUnifiedTrace is automatically set to

true.

Default: false

Tools Affected:

AWB

ECP

CRE

IAP

OpenText™ Application Security (25.2.0)

Page 56 of 70

Tools Guide

Chapter 4: Configuration Options

Property

Details

com.fortify.

If set to true, takes data flow source into consideration for issue

model.EnableSource

Correlation

correlation. The default is false because correlations with runtime results

might not be reliable with this setting enabled.

Default: false

Tools Affected:

AWB

ECP

CRE

IAP

com.fortify.

model.ExecMemorySetting

Specifies the JVM heap memory size in megabytes that Fortify Audit

Workbench uses to start external utilities.

Default:

600—iidmigrator

300—fortifyupdate

Tools Affected:

AWB

ECP

CRE

IAP

com.fortify.

If set to true, forces running Instance ID migration during a merge.

model.ForceIIDMigration

Default: false

Tools Affected:

AWB

ECP

CRE

IAP

com.fortify.

model.FullReportFilenames

If set to true, uses the full file name in reports.

Default: false

Tools Affected: Also used the FPRUtility command-line tool

AWB

ECP

CRE

com.fortify.

model.IIDmigratorOptions

Specifies iidmigrator options (space-delimited values).

Default: none

Tools Affected:

AWB

ECP

CRE

com.fortify.

Specifies the start index for issue cutoff by category.

model.IssueCutoffByCategory

StartIndex

Default: 0

OpenText™ Application Security (25.2.0)

Page 57 of 70

Tools Guide

Chapter 4: Configuration Options

Property

Details

Tools Affected:

AWB

ECP

CRE

IAP

com.fortify.

model.IssueCutoffByCategory

EndIndex

Specifies the end index for issue cutoff by category.

Default: java.lang.Integer.MAX_VALUE

Tools Affected:

AWB

ECP

CRE

com.fortify.

model.IssueCutoffStartIndex

Specifies the start index for issue cutoff. Select the first issue (by number)

to load.

Default: 0

Tools Affected:

AWB

ECP

CRE

IAP

com.fortify.

model.IssueCutoffEndIndex

Specifies the end index for issue cutoff. Select the last issue (by number)

to load.

Default: java.lang.Integer.MAX_VALUE

Tools Affected:

AWB

ECP

CRE

IAP

com.fortify.

Specifies how many reported OpenText SAST warnings to load. To allow

model.MaxEngineErrorCount

an unlimited number, specify -1.

OpenText recommends that you keep the default value of 3000 because

this can speed up the load time of large FPR files.

Default: 3000

Tools Affected: Also used by FPRUtility

AWB

ECP

CRE

IAP

com.fortify.

Specifies the merge resolve strategy to one of the following:

model.MergeResolveStrategy

l

DefaultToMasterValue (use primary project)

l

DefaultToImportValue (use secondary project)

l

NoStrategy (prompt for project to use)

OpenText™ Application Security (25.2.0)

Page 58 of 70

Tools Guide

Chapter 4: Configuration Options

Property

Details

Default: DefaultToMasterValue

Tools Affected:

AWB

ECP

CRE

IAP

com.fortify.

model.MinimalLoad

If set to true, minimizes the data loaded from an FPR file.

Default: false

Tools Affected:

AWB

ECP

CRE

com.fortify.

Specifies the number of threads used to process FPR files.

model.NProcessingThreads

If the com.fortify.model.PersistDataToDisk property is set to

true, this value defaults to one thread.

If the number specified exceeds the number of available processors, then

OpenText SAST tools use the number of available processors as the

number of threads to process FPR files.

Also see: "com.fortify.model.PersistDataToDisk " below

Default: Number of available processors

Tools Affected: Also used by FPRUtility

AWB

ECP

CRE

IAP

com.fortify.

If set to true, enables a persistence strategy to reduce the memory

model.PersistDataToDisk

footprint and uses the disk drive to swap FPR data out of memory.

Default: false

Tools Affected:

AWB

ECP

CRE

IAP

com.fortify.

model.PersistenceBlockSize

This property specifies the number of attribute values that comprise a

single block of attributes. These blocks are cached to disk and read back in

as needed. A larger number decreases the total number of cache files, but

increases the file size and the amount of memory that is read in each time.

Default: 250

Tools Affected:

OpenText™ Application Security (25.2.0)

Page 59 of 70

Tools Guide

Chapter 4: Configuration Options

Property

Details

AWB

ECP

CRE

IAP

com.fortify.

model.PersistenceQueue

Capacity

This property specifies the maximum number of attribute value blocks

that can exist in the producer/consumer queue.

Default: queue is unbounded

Tools Affected:

AWB

ECP

CRE

IAP

com.fortify.

model.PriorityImpact

Threshold

Specifies the threshold for issue impact. The valid values are 0.0F–5.0F. If

the impact of an issue is greater than or equal to the threshold, the issue is

considered High. If the impact of an issue is less than the threshold, the

issue is considered Low. Issues are then categorized as follows:

l

Critical—High Impact and High Likelihood

l

High—High Impact and Low Likelihood

l

Medium—Low Impact and High Likelihood

l

Low—Low Impact and Low Likelihood

Also see "com.fortify.model.PriorityLikelihoodThreshold" below

Default: 2.5F

Tools Affected:

AWB

ECP

CRE

IAP

com.fortify.

model.PriorityLikelihood

Threshold

Specifies the threshold for issue likelihood. The valid values are 0.0F–5.0F.

If the likelihood of an issue is greater than or equal to the threshold, the

issue is considered High. If the likelihood of an issue is less than the

threshold, the issue is considered Low. Issues are then categorized as

follows:

l

Critical—High Impact and High Likelihood

l

High—High Impact and Low Likelihood

l

Medium—Low Impact and High Likelihood

l

Low—Low Impact and Low Likelihood

Also see "com.fortify.model.PriorityImpactThreshold " above

Default: 2.5F

Tools Affected:

OpenText™ Application Security (25.2.0)

Page 60 of 70

Tools Guide

Chapter 4: Configuration Options

Property

Details

AWB

ECP

CRE

IAP

com.fortify.

model.report.useSystemLocale

If set to true, uses the system locale for report output. If set to false,

uses com.fortify.locale in the fortify.properties file. If a value is

not specified, the tool uses java.util.Locale.getDefault().

Default: false

Tools Affected:

AWB

ECP

CRE

IAP

com.fortify.

Specifies the character limit for each issue code snippet in reports.

model.ReportLineLimit

Default: 500

Tools Affected:

AWB

ECP

CRE

IAP

com.fortify.

model.UseIIDMigrationFile

Specifies the full path of the instance ID migration file to use.

Default: none

Tools Affected: Also used by FPRUtility

AWB

ECP

CRE

IAP

com.fortify.

If set to true, respects the settings in the

model.UseIssueParseFilters

IssueParseFilters.properties configuration file. This file is in the

following directories:

AWB—<tools_install_dir>/Core/config

ECP—<eclipse_install_dir>/plugins/com.fortify.

dev.ide.eclipse_<version>/Core/config

Default: false

Tools Affected:

AWB

ECP

CRE

IAP

com.fortify.

If set to true, uses attributes of old issues during instance ID migration

model.UseOldIIDMigration

Attributes

while merging similar issues of old and new scans.

Default: false

Tools Affected:

OpenText™ Application Security (25.2.0)

Page 61 of 70

Tools Guide

Chapter 4: Configuration Options

Property

Details

AWB

ECP

CRE

IAP

com.fortify.

Specifies how many removed issues to keep when you save an FPR.

RemovedIssuePersistanceLimit

Default: 1000

Tools Affected:

AWB

ECP

CRE

IAP

com.fortify.

Specifies the file path to sourceanalyzer.exe.

SCAExecutablePath

Tools Affected:

AWB

ECP

CRE

IAP

com.fortify.

search.defaultSyntaxVer

Specifies whether to use the AND and OR operators in searches. These are

enabled in search syntax by default.

l

To block the use of the AND and OR operators, set the value to 1.

l

To use ANDs and ORs without parentheses, set the value to 2.

Default: 2

Tools Affected:

AWB

ECP

CRE

IAP

com.fortify.

If set to true, stores original plain text issue descriptions (before parsing)

StoreOriginalDescriptions

as well as the parsed ones with tags replaced with specific values.

Default: false

Tools Affected:

AWB

ECP

CRE

IAP

com.fortify.

Specifies taint flags to exclude (comma-delimited values).

taintFlagBlacklist

Default: none

Tools Affected:

AWB

ECP

CRE

IAP

com.fortify.

tools.iidmigrator.scheme

Set this property to migrate instance IDs created with different versions of

OpenText SAST using a custom matching scheme. This is handled by

OpenText SAST. If you need a custom matching scheme, contact

OpenText™ Application Security (25.2.0)

Page 62 of 70

Tools Guide

Chapter 4: Configuration Options

Property

Details

Customer Support.

Default: none

Tools Affected:

AWB

ECP

CRE

IAP

com.fortify.

UseSourceProjectTemplate

This property determines the issue template to use when merging analysis

information from two audit projects. If set to true, it forces the use of filter

sets and folders from the issue template associated with the original scan

results (secondary project). The issue template from the new scan results

(primary project) is used by default.

Default: false

Tools Affected: Also used by FPRUtility

AWB

ECP

CRE

IAP

com.fortify.

WorkingDirectory

Specifies the working directory that contains all user configuration and

working files for all OpenText SAST applications and Java IDE plugins. To

configure this property, you must have write access to the directory.

Defaults:

l

Windows—${win32.LocalAppdata}/Fortify

l

Non-Windows—${user.home}/.fortify

Tools Affected:

AWB

ECP

CRE

IAP

Configuration Options for Fortify Extension for Visual

Studio

This section describes the properties Fortify Extension for Visual Studio uses . The properties are

listed in alphabetical order based on the files in which they belong.

Fortify Extension for Visual Studio Properties

Some properties described here already exist in the fortify.properties file, and some of them

you must add yourself. The following table describes the properties in the <tools_install_

dir>/Core/config/fortify.properties file.

OpenText™ Application Security (25.2.0)

Page 63 of 70

Tools Guide

Chapter 4: Configuration Options

Property

Details

com.fortify.

audit.ui.DisableBugtrackers

If set to true, disables bug tracker integration.

Default: false

com.fortify.

audit.ui.DisableSuppress

If set to true, disables issue suppression.

Default: false

com.fortify.

AuthenticationKey

Specifies the directory used to store the encrypted Fortify Software

Security Center authentication token.

Default: ${com.fortify.WorkingDirectory}/config/VS<vs_

version>-<extension_version>

com.fortify.

Debug

If set to true, runs all OpenText SAST tools in debug mode.

Default: false

com.fortify.

Specifies the custom prefix for the description header. It prepends the

model.CustomDescriptionsHeader

text in the Description/Recommendation header, so that you see

“My Recommendations” instead of “Custom Recommendations.”

Note: To update description headers, OpenText recommends that

you use the <CustomDescriptionRule> rule with the <Header>

element text instead.

Default: none

com.fortify.

model.ForceIIDMigration

If set to true, forces running Instance ID migration during a merge.

Default: false

com.fortify.

model.PriorityImpactThreshold

Specifies the threshold for issue impact. The valid values are 0.0F–

5.0F. If the impact of an issue is greater than or equal to the threshold,

the issue is considered High. If the impact of an issue is less than the

threshold, the issue is considered Low. Issues are then categorized as

follows:

l

Critical—High Impact and High Likelihood

l

High—High Impact and Low Likelihood

l

Medium—Low Impact and High Likelihood

l

Low—Low Impact and Low Likelihood

Also see "com.fortify.model.PriorityLikelihoodThreshold " below

Default: 2.5F

com.fortify.

model.PriorityLikelihoodThreshold

Specifies the threshold for issue likelihood. The valid values are 0.0F–

5.0F. If the likelihood of an issue is greater than or equal to the

OpenText™ Application Security (25.2.0)

Page 64 of 70

Tools Guide

Chapter 4: Configuration Options

Property

Details

threshold, the issue is considered High. If the likelihood of an issue is

less than the threshold, the issue is considered Low. Issues are then

categorized as follows:

l

Critical—High Impact and High Likelihood

l

High—High Impact and Low Likelihood

l

Medium—Low Impact and High Likelihood

l

Low—Low Impact and Low Likelihood

Also see "com.fortify.model.PriorityImpactThreshold" on the previous

page

Default: 2.5F

com.fortify.

Specifies the full path of the instance ID migration file to use.

model.UseIIDMigrationFile

Default: none

com.fortify.

Specifies file path to sourceanalyzer.exe.

SCAExecutablePath

com.fortify.

search.defaultSyntaxVer

Specifies whether to use the AND and OR operators in searches. These

are enabled in search syntax by default.

l

To block the use of the AND and OR operators, set the value to 1.

l

To use ANDs and ORs without parentheses, set the value to 2.

Default: 2

com.fortify.

tools.iidmigrator.scheme

Set this property to migrate instance IDs created with different

versions of OpenText SAST using a custom matching scheme. This is

handled by OpenText SAST. If you need a custom matching scheme,

contact Customer Support.

Default: none

com.fortify.

visualstudio.vm.args

Specifies JVM options.

Default: -Xmx256m

com.fortify.

VS.Debug

If set to true, runs the Fortify Extension for Visual Studio in debug

mode.

Default: false

com.fortify.

VS.DisableCIntegration

If set to true, disables C/C++ build integration in Visual Studio.

Default: false

OpenText™ Application Security (25.2.0)

Page 65 of 70

Tools Guide

Chapter 4: Configuration Options

Property

Details

com.fortify.

VS.disableMigrationCheck

If set to true, disables instance ID migration checking.

Default: false

com.fortify.

VS.DisableReferenceLibDirs

AndExcludes

If set to true, disables using references added to a project.

Default: false

com.fortify.

VS.ListProjectProperties

If set to true, lists the Visual Studio project properties in a log file.

Default: false

com.fortify.

VS.NETFrameworkRoot

Specifies the file path to the .NET Framework root.

Default: none

com.fortify.

WorkingDirectory

Specifies the working directory that contains all user configuration and

working files for Fortify Extension for Visual Studio. To configure this

property, you must have write access to the directory.

Default: ${win32.LocalAppdata}/Fortify

Azure DevOps Server Configuration Property

The property for the Azure DevOps Server is stored in the TFSconfiguration.properties. This

file is located in the Fortify working directory in the config\VS<vs_version>-<sca_version>

directory.

Note: The TFSconfiguration.properties file is created only after the first time you

configure a connection to your Azure DevOps Server from the Fortify Extension for Visual Studio.

The following property is in the TFSconfiguration.properies file:

server.url

Details: Specifies the Azure DevOps Server location.

Default: none

Shared Configuration Options

This section describes the properties shared by OpenText SAST applications and command-line tools.

Server Properties

Because some values in this file are encrypted (such as proxy user name and password), you must use

the scapostinstall tool to configure these properties. For information about how to use the

OpenText™ Application Security (25.2.0)

Page 66 of 70

Tools Guide

Chapter 4: Configuration Options

scapostinstall tool, see the OpenText™ Static Application Security Testing User Guide.

Other properties are updated using command-line tools, and standalone applications (such as Fortify

Audit Workbench). OpenText recommends that you use these tools to edit the properties in this file

instead of editing the file manually.

The following table describes the properties in the <tools_install_

dir>/Core/config/server.properties file.

Note: After you specify the location of the OpenText SAST executable from Fortify Audit

Workbench or Fortify Extension for Visual Studio, the location of the properties file changes to

<sca_install_dir>/Core/config.

Property

Details

autoupgrade.server

Specifies the automatic update server. This enables users to

check for new versions of the OpenText SAST and the

OpenText™ Application Security Tools installer on a Fortify

Software Security Center server and run the installer if an

update is available.

Default: http://localhost:8180/ssc/update-

site/installers

install.auto.upgrade

If set to true, enables Fortify Audit Workbench automatic

update feature.

Default: false

oneproxy.http.proxy.port

oneproxy.http.proxy.server

oneproxy.https.proxy.port

Specifies the proxy server port to access bug trackers.

Default: none

Specifies the proxy server name to access bug trackers.

Default: none

Specifies the proxy server port to access bug trackers

through an SSL connection.

Default: none

oneproxy.https.proxy.server

rp.update.from.manager

Specifies the proxy server name to access bug trackers

through an SSL connection.

Default: none

If set to true, updates security content from Fortify

Software Security Center instead of from the Fortify

Rulepack update server.

Default: false

OpenText™ Application Security (25.2.0)

Page 67 of 70

Tools Guide

Chapter 4: Configuration Options

Property

Details

rulepack.auto.update

If set to true, updates security content automatically.

Default: false

rulepack.days

Specifies the interval (in days) between security content

updates.

Default: 15

rulepackupdate.proxy.port

Specifies the proxy server port to access the Fortify

Rulepack update server (uploadclient.proxy.port is

used if rp.update.from.manager is set to true).

Also see "rp.update.from.manager " on the previous page

Default: none

rulepackupdate.proxy.server

Specifies proxy server name to access the Fortify Rulepack

update server (uploadclient.proxy.server is used if

rp.update.from.manager is set to true).

Also see "rp.update.from.manager " on the previous page

Default: none

rulepackupdate.server

Specifies the Fortify Rulepack update server location.

Default: https://update.fortify.com

rulepackupdate.SocketReadTimeoutSeconds

Specifies the socket read timeout value to use when

updating Fortify security content with the fortifyupdate

utility.

Default: 180 seconds

uploadclient.proxy.port

uploadclient.proxy.server

uploadclient.server

Specifies the proxy server port to access the Fortify

Software Security Center server.

Default: none

Specifies the proxy server name to access the Fortify

Software Security Center server.

Default: none

Specifies the URL of the Fortify Software Security Center

server.

Default: http://localhost:8180/ssc

OpenText™ Application Security (25.2.0)

Page 68 of 70

Tools Guide

Chapter 4: Configuration Options

Command-Line Tools Properties

The following table describes the properties in the <tools_install_

dir>/Core/config/fortify.properties file that the command-line tools use.

Property

Details

com.fortify.log.console

Specifies whether logging messages are written to the console. Logging

information is always written to the log file.

Default: false

OpenText™ Application Security (25.2.0)

Page 69 of 70

Send Documentation Feedback

If you have comments about this document, you can contact the documentation team by email.

Note: If you are experiencing a technical issue with our product, do not email the documentation

team. Instead, contact Customer Support at https://www.microfocus.com/support so they can

assist you.

If an email client is configured on this computer, click the link above to contact the documentation

team and an email window opens with the following information in the subject line:

Feedback on Tools Guide (Application Security 25.2.0)

Just add your feedback to the email and click send.

If no email client is available, copy the information above to a new message in a web mail client, and

send your feedback to fortifydocteam@opentext.com.

We appreciate your feedback!

OpenText™ Application Security (25.2.0)

Page 70 of 70