 |
Software Version: 21.2.0
Document Release Date: November 2021 Software Release Date: November 2021
Legal Notices
Micro Focus The Lawn
22-30 Old Bath Road Newbury, Berkshire RG14 1QN UK
Warranty
The only warranties for products and services of Micro Focus and its affiliates and licensors (“Micro Focus”) are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.
Restricted Rights Legend
Confidential computer software. Except as specifically indicated otherwise, a valid license from Micro Focus is required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.
Copyright Notice
© Copyright 2003 - 2021 Micro Focus or one of its affiliates
Trademark Notices
All trademarks, service marks, product names, and logos included in this document are the property of their respective owners.
Documentation Updates
The title page of this document contains the following identifying information:
Software Version number
Document Release Date, which changes each time the document is updated
Software Release Date, which indicates the release date of this version of the software
This document was produced on November 10, 2021. To check for recent updates or to verify that you are using the most recent edition of a document, go to:
https://www.microfocus.com/support/documentation
Preface 12 Contacting Micro Focus Fortify Customer Support 12 For More Information 12 About the Documentation Set 12 Fortify Product Feature Videos 12
Chapter 1: Introduction 17
Fortify Static Code Analyzer 17 About the Analyzers 18
Licensing 19 Fortify Software Security Content 20 Fortify ScanCentral SAST 20 Fortify Scan Wizard 21
Related Documents 21 All Products 21 Micro Focus Fortify ScanCentral SAST 22 Micro Focus Fortify Software Security Center 22 Micro Focus Fortify Static Code Analyzer 23
Chapter 2: Installing Fortify Static Code Analyzer 25 Fortify Static Code Analyzer Tools 25
About Installing Fortify Static Code Analyzer and Applications 27 Installing Fortify Static Code Analyzer and Applications 28 Installing Fortify Static Code Analyzer and Applications Silently (Unattended) 30 Installing Fortify Static Code Analyzer and Applications in Text-Based Mode on
Non-Windows Platforms 32
Manually Installing Fortify Security Content 33
Using Docker to Install and Run Fortify Static Code Analyzer 33 Creating a Dockerfile to Install Fortify Static Code Analyzer 33
Running the Container 34 Example Docker Run Commands for Translation and Scan 35
About Upgrading Fortify Static Code Analyzer and Applications 35 Notes About Upgrading the Fortify Extension for Visual Studio 36
About Uninstalling Fortify Static Code Analyzer and Applications 36 Uninstalling Fortify Static Code Analyzer and Applications 36 Uninstalling Fortify Static Code Analyzer and Applications Silently 37 Uninstalling Fortify Static Code Analyzer and Applications in Text-Based Mode on Non-Windows Platforms 38
Post-Installation Tasks 38 Running the Post-Install Tool 38 Migrating Properties Files 38 Specifying a Locale 39 Configuring for Security Content Updates 39 Configuring the Connection to Fortify Software Security Center 40 Removing Proxy Server Settings 40 Adding Trusted Certificates 41
Chapter 3: Analysis Process Overview 43
Analysis Process 43 Parallel Processing 44
Translation Phase 44
Mobile Build Sessions 45 Mobile Build Session Version Compatibility 45 Creating a Mobile Build Session 45 Importing a Mobile Build Session 46
Analysis Phase 46 Higher-Order Analysis 47 Modular Analysis 47 Modular Command-Line Examples 48 Regular Expression Analysis 48
Translation and Analysis Phase Verification 49
Chapter 4: Translating Java Code 50
Java Command-Line Syntax 50 Java Command-Line Options 51
Java Command-Line Examples 53
Handling Resolution Warnings 53 Java Warnings 53
Translating Java EE Applications 54 Translating Java Files 54 Translating JSP Projects, Configuration Files, and Deployment Descriptors 54 Java EE Translation Warnings 54
Translating Java Bytecode 55
Troubleshooting JSP Translation and Analysis Issues 56 Unable to Translate Some JSPs 56 Increased Issues Counts in JSP-Related Categories 56
Chapter 5: Translating Kotlin Code 57
Kotlin Command-Line Syntax 57 Kotlin Command-Line Options 58 Kotlin Command-Line Examples 59
Kotlin and Java Translation Interoperability 59 Translating Kotlin Scripts 59
Chapter 6: Translating Visual Studio and MSBuild Projects 60 Visual Studio and MSBuild Project Translation Prerequisites 60 Visual Studio and MSBuild Project Translation Command-Line Syntax 61
Handling Special Cases for Translating Visual Studio and MSBuild Projects 61 Running Translation from a Script 61 Translating Plain .NET and ASP.NET Projects 62 Translating C/C++ and Xamarin Projects 62 Translating Projects with Settings Containing Spaces 62 Translating a Single Project from a Visual Studio Solution 62 Working with Multiple Targets and Projects for MSBuild Command 63 Analyzing Projects That Build Multiple Executable Files 63
Alternative Ways to Translate Visual Studio and MSBuild Projects 63 Alternative Translation Options for Visual Studio Solutions 64 Translating Without Explicitly Running Fortify Static Code Analyzer 64
Chapter 7: Translating C and C++ Code 66
C and C++ Code Translation Prerequisites 66 C and C++ Command-Line Syntax 66 Scanning Pre-processed C and C++ Code 67 C/C++ Precompiled Header Files 67
Chapter 8: Translating JavaScript and TypeScript Code 69 Translating Pure JavaScript Projects 69 Excluding Dependencies 69 Excluding NPM Dependencies 70 Translating JavaScript Projects with HTML Files 71 Including External JavaScript or HTML in the Translation 71
Chapter 9: Translating Python Code 73 Python Translation Command-Line Syntax 73 Including Imported Modules and Packages 73 Including Namespace Packages 74 Using the Django Framework with Python 74 Python Command-Line Options 75 Python Command-Line Examples 76
Chapter 10: Translating Code for Mobile Platforms 77
Translating Apple iOS Projects 77 iOS Project Translation Prerequisites 77 iOS Code Analysis Command-Line Syntax 78
Translating Android Projects 78 Android Project Translation Prerequisites 79 Android Code Analysis Command-Line Syntax 79 Filtering Issues Detected in Android Layout Files 79
Chapter 11: Translating Go Code 80 Go Command-Line Syntax 80 Go Command-Line Options 80 Resolving Dependencies 82
Chapter 12: Translating Ruby Code 83
Ruby Command-Line Syntax 83 Ruby Command-Line Options 83
Adding Libraries 84 Adding Gem Paths 84
Chapter 13: Translating COBOL Code 85 Preparing COBOL Source and Copybook Files for Translation 85
COBOL Command-Line Syntax 86 Translating COBOL Source Files Without File Extensions 87 Translating COBOL Source Files with Arbitrary File Extensions 87
COBOL Command-Line Options 88 Legacy COBOL Translation Command-Line Options 88
Chapter 14: Translating Apex and Visualforce Code 90 Apex Translation Prerequisites 90 Apex and Visualforce Command-Line Syntax 90 Apex and Visualforce Command-Line Options 91 Downloading Customized Salesforce Database Structure Information 91
Chapter 15: Translating Other Languages and Configurations 93
Translating PHP Code 93 PHP Command-Line Options 94
Translating ABAP Code 94 INCLUDE Processing 95 Importing the Transport Request 95 Adding Fortify Static Code Analyzer to your Favorites List 96 Running the Fortify ABAP Extractor 97 Uninstalling the Fortify ABAP Extractor 101
Translating Flex and ActionScript 102 Flex and ActionScript Command-Line Options 102 ActionScript Command-Line Examples 103 Handling Resolution Warnings 104 ActionScript Warnings 104
Translating ColdFusion Code 105
ColdFusion Command-Line Syntax 105 ColdFusion Command-Line Options 105
Translating SQL 106 PL/SQL Command-Line Example 106 T-SQL Command-Line Example 106
Translating Scala Code 107 Translating Dockerfiles 107 Translating ASP/VBScript Virtual Roots 108 Classic ASP Command-Line Example 110 VBScript Command-Line Example 110
Chapter 16: Integrating into a Build 111
Build Integration 111 Make Example 112
Modifying a Build Script to Invoke Fortify Static Code Analyzer 112 Touchless Build Integration 113 Ant Integration 113
Gradle Integration 113 Including Verbose and Debug Options 114
Maven Integration 115 Installing and Updating the Fortify Maven Plugin 115 Testing the Fortify Maven Plugin Installation 115 Using the Fortify Maven Plugin 116
Chapter 17: Command-Line Interface 118 Translation Options 118 Analysis Options 120 Output Options 123 Other Options 126
Directives 128 LIM License Directives 129
Specifying Files and Directories 130 Chapter 18: Command-Line Utilities 132
Fortify Static Code Analyzer Utilities 132
About Updating Security Content 133 Updating Security Content 134 fortifyupdate Command-Line Options 134
Working with FPR Files from the Command Line 135 Merging FPR Files 136 Displaying Analysis Results Information from an FPR File 138 Extracting a Source Archive from an FPR File 141 Altering FPR Files 143 FPRUtility Alter FPR File Options 143 Allocating More Memory for FPRUtility 143
Generating Reports from the Command Line 143 Generating a BIRT Report 144 Troubleshooting BIRTReportGenerator 147 Generating a Legacy Report 147
Checking the Fortify Static Code Analyzer Scan Status 148 SCAState Utility Command-Line Options 149
Chapter 19: Improving Performance 151 Hardware Considerations 151 Sample Scans 152 Tuning Options 153
Quick Scan 154 Limiters 154 Using Quick Scan and Full Scan 155
Configuring Scan Speed with Speed Dial 155 Breaking Down Codebases 156
Limiting Analyzers and Languages 157 Disabling Analyzers 157 Disabling Languages 158
Optimizing FPR Files 158 Filter Files 158 Excluding Issues from the FPR with Filter Sets 159 Excluding Source Code from the FPR 160 Reducing the FPR File Size 160
Opening Large FPR Files 161
Monitoring Long Running Scans 163 Using the SCAState Utility 163 Using JMX Tools 163 Using JConsole 163 Using Java VisualVM 164
Chapter 20: Troubleshooting 165 Exit Codes 165
Memory Tuning 166 Java Heap Exhaustion 166 Native Heap Exhaustion 167 Stack Overflow 167
Scanning Complex Functions 168 Dataflow Analyzer Limiters 169 Control Flow and Null Pointer Analyzer Limiters 170
Issue Non-Determinism 170 Locating the Log Files 171
Configuring Log Files 171 Understanding Log Levels 172
Reporting Issues and Requesting Enhancements 173
Appendix A: Filtering the Analysis 174 Filter Files 174 Filter File Example 174
Appendix B: Fortify Scan Wizard 177 Preparing to use Fortify Scan Wizard 177 Starting Fortify Scan Wizard 179
Appendix C: Sample Projects 180 Basic Samples 180 Advanced Samples 182
Appendix D: Configuration Options 184
Fortify Static Code Analyzer Properties Files 184 Properties File Format 184 Precedence of Setting Properties 185
fortify-sca.properties 186 fortify-sca-quickscan.properties 209
Appendix E: Fortify Java Annotations 213
Dataflow Annotations 214 Source Annotations 214 Passthrough Annotations 214 Sink Annotations 215 Validate Annotations 216
Field and Variable Annotations 216 Password and Private Annotations 216 Non-Negative and Non-Zero Annotations 217
Other Annotations 217 Check Return Value Annotation 217 Dangerous Annotations 217
Send Documentation Feedback 218
Preface
Contacting Micro Focus Fortify Customer Support
Visit the Support website to:
Manage licenses and entitlements
Create and manage technical assistance requests
Browse documentation and knowledge articles
Download software
Explore the Community https://www.microfocus.com/support
For more information about Fortify software products: https://www.microfocus.com/cyberres/application-security
The Fortify Software documentation set contains installation, user, and deployment guides for all Fortify Software products and components. In addition, you will find technical notes and release notes that describe new features, known issues, and last-minute updates. You can access the latest versions of these documents from the following Micro Focus Product Documentation website:
https://www.microfocus.com/support/documentation
To be notified of documentation updates between releases, subscribe to Fortify Product Announcements on the Micro Focus Community:
https://community.microfocus.com/cyberres/fortify/w/fortify-product-announcements
Fortify Product Feature Videos
You can find videos that highlight Fortify products and features on the Fortify Unplugged YouTube channel:
https://www.youtube.com/c/FortifyUnplugged
The following table lists changes made to this document. Revisions to this document are published between software releases only if the changes made affect product functionality.
Software Release / Document Version | Changes |
21.2.0 | Added: Updated: PCI SSF Compliance report version 1.1 |
"Adding Trusted Certificates" on page 41 - Information about connecting Fortify Static Code Analyzer and its tools to other Fortify products that require communication over HTTPS
"Regular Expression Analysis" on page 48 - New ability to analyze files using regular expression rules
"Licensing" on page 19 and "LIM License Directives" on page 129 - New ability to use the Fortify License and Infrastructure Manager (LIM) to manage concurrent licenses
"Installing Fortify Static Code Analyzer and Applications" on page 28 -Added instructions for using a Fortify License and Infrastructure Manager (LIM) server, and added installers for AIX and Solaris operating systems
"Including Imported Modules and Packages" on page 73 - Fortify Static Code Analyzer can now import modules and packages from an automatically calculated common root directory
"Translating Scala Code" on page 107 - Removed the requirement of a Lightbend Enterprise Suite license purchase to analyze Scala code
"Translation Options" on page 118 - MSBuild and xcodebuild integrations now support the -exclude option
"Generating a BIRT Report" on page 144 - Added support for
"Preparing to use Fortify Scan Wizard" on page 177 - New ability to have Fortify ScanCentral SAST perform the complete analysis remotely
"Advanced Samples" on page 182 - Removed three samples: webgoat, riches,java, and riches.net
Software Release / Document Version | Changes |
21.1.0 | Added: Updated: Removed: |
"fortify-sca.properties" on page 186 - Added descriptions of new properties for using a license managed by the Fortify License and Infrastructure Manager (LIM) and for regular expression analysis
"Translating Kotlin Scripts" on page 59 - New support for translating Kotlin scripts
"Troubleshooting BIRTReportGenerator" on page 147 - Information added for resolving out of memory issues
"Translating Java Bytecode" on page 55 - New option to decompile Java bytecode for inclusion in the translation phase
"Translating Visual Studio and MSBuild Projects" on page 60 - Updates made for MSBuild integration
"Go Command-Line Options" on page 80 - Option added to specify Go proxy URLs
"Translating COBOL Code" on page 85 - Updated for Micro Focus Visual COBOL support
"Translating Dockerfiles" on page 107 - Updated the description of files that are analyzed as Dockerfiles
"Analysis Options" on page 120 and "Configuration Options" on page 184 - Removed options and properties related to FindBugs
"Working with FPR Files from the Command Line" on page 135 -Enhancements made to FPRUtility
"Generating a BIRT Report" on page 144 - New report versions available
"Configuring Scan Speed with Speed Dial" on page 155 - Added new precision levels 3 and 4
Using FindBugs - No longer supported
Software Release / Document Version | Changes |
20.2.0 | Added: previously available in the javaAnnotations sample README.txt to this guide Updated: |
20.1.2 | Added: Gradle Wrapper |
20.1.0 | Updated: |
"About Installing Fortify Static Code Analyzer and Applications" on page 27 and "Using Docker to Install and Run Fortify Static Code Analyzer" on page 33
"Fortify Java Annotations" on page 213 - Incorporated information
"Translating Visual Studio and MSBuild Projects" on page 60 - Updated to reflect the translation improvements made over the past couple releases (former chapter title: Translating .NET Code)
"Translating COBOL Code" on page 85 - Describes the changes introduced for analyzing COBOL code
"Running the Fortify ABAP Extractor" on page 97 - New option to export SAP standard code in addition to custom code
"Generating a BIRT Report" on page 144 - New supported report template added: OWASP ASVS 4.0
"Sample Projects" on page 180 - Added two new samples
All references to Fortify ScanCentral were replaced with Fortify ScanCentral SAST (product name change)
"Translating Kotlin Code" on page 57 Updated:
"Gradle Integration" on page 113 - Added information about using the
"About Installing Fortify Static Code Analyzer and Applications" on page 27 - Removed all mentions of Solaris as this operating system is no
Software Release / Document Version | Changes |
longer supported Removed: |
"Installing Fortify Static Code Analyzer and Applications Silently (Unattended)" on page 30 - Added more information to the instructions for different operating systems
"Generating a BIRT Report" on page 144 - Added support for new report: CWE Top 25 2019
"Generating a Legacy Report" on page 147 - Removed RTF as a possible output format
All references to Fortify CloudScan were replaced with Fortify ScanCentral (product name change)
Incremental Analysis - Feature to be removed in the next release
This guide provides instructions for using Micro Focus Fortify Static Code Analyzer to scan code on most major programming platforms. This guide is intended for people responsible for security audits and secure coding.
This section contains the following topics:
Fortify Static Code Analyzer 17 Licensing 19 Fortify Software Security Content 20 Fortify ScanCentral SAST 20 Fortify Scan Wizard 21 Related Documents 21
Fortify Static Code Analyzer is a set of software security analyzers that search for violations of security-specific coding rules and guidelines in a variety of languages. The Fortify Static Code Analyzer language technology provides rich data that enables the analyzers to pinpoint and prioritize violations so that fixes are fast and accurate. Fortify Static Code Analyzer produces analysis information to help you deliver more secure software, and make security code reviews more efficient, consistent, and complete. Its design enables you to incorporate customer-specific security rules.
For a list of supported languages, libraries, compilers, and build tools, see the Micro Focus Fortify Software System Requirements document.
At the highest level, using Fortify Static Code Analyzer involves:
Running Fortify Static Code Analyzer as a stand-alone process or integrating Fortify Static Code Analyzer in a build tool
Translating the source code into an intermediate translated format
Scanning the translated code and producing security vulnerability reports
Auditing the results of the scan, either by opening the results (typically an FPR file) in Micro Focus Fortify Audit Workbench or uploading them to Micro Focus Fortify Software Security Center for analysis, or working directly with the results displayed on screen.
Note: For information about how to open and view results in Fortify Audit Workbench or Fortify Software Security Center, see the Micro Focus Fortify Audit Workbench User Guide or the Micro Focus Fortify Software Security Center User Guide respectively.
Fortify Static Code Analyzer comprises seven vulnerability analyzers: Buffer, Configuration, Content, Control Flow, Dataflow, Semantic, and Structural. Each analyzer accepts a different type of rule specifically tailored to provide the information necessary for the corresponding type of analysis performed. Rules are definitions that identify elements in the source code that might result in security vulnerabilities or are otherwise unsafe.
The following table lists and describes each analyzer.
Analyzer | Description |
Buffer | The Buffer Analyzer detects buffer overflow vulnerabilities that involve writing or reading more data than a buffer can hold. The buffer can be either stack-allocated or heap-allocated. The Buffer Analyzer uses limited interprocedural analysis to determine whether there is a condition that causes the buffer to overflow. If any execution path to a buffer leads to a buffer overflow, Fortify Static Code Analyzer reports it as a buffer overflow vulnerability and points out the variables that could cause the overflow. If the value of the variable causing the buffer overflow is tainted (user-controlled), then Fortify Static Code Analyzer reports it as well and displays the dataflow trace to show how the variable is tainted. |
Configuration | The Configuration Analyzer searches for mistakes, weaknesses, and policy violations in application deployment configuration files. For example, the Configuration Analyzer checks for reasonable timeouts in user sessions in a web application. The Configuration Analyzer also performs regular expression analysis (see "Regular Expression Analysis" on page 48). |
Content | The Content Analyzer searches for security issues and policy violations in HTML content. In addition to static HTML pages, the Content Analyzer performs these checks on files that contain dynamic HTML, such as PHP, JSP, and classic ASP files. |
Control Flow | The Control Flow Analyzer detects potentially dangerous sequences of operations. By analyzing control flow paths in a program, the Control Flow Analyzer determines whether a set of operations are executed in a certain order. For example, the Control Flow Analyzer detects time of check/time of use issues and uninitialized variables, and checks whether utilities, such as XML readers, are configured properly before being used. |
Analyzer | Description |
Dataflow | The Dataflow Analyzer detects potential vulnerabilities that involve tainted data (user-controlled input) put to potentially dangerous use. The Dataflow Analyzer uses global, interprocedural taint propagation analysis to detect the flow of data between a source (site of user input) and a sink (dangerous function call or operation). For example, the Dataflow Analyzer detects whether a user-controlled input string of unbounded length is copied into a statically sized buffer, and detects whether a user-controlled string is used to construct SQL query text. |
Null Pointer | The Null Pointer Analyzer detects dereferences of pointer variables that are assigned the null value. The Null Pointer Analyzer detection is performed at the intra-procedural level. Issues are detected only when the null assignment, the dereference, and all the paths between them occur within a single function. |
Semantic | The Semantic Analyzer detects potentially dangerous uses of functions and APIs at the intra-procedural level. Its specialized logic searches for buffer overflow, format string, and execution path issues, but is not limited to these categories. For example, the Semantic Analyzer detects deprecated functions in Java and unsafe functions in C/C++, such as gets(). |
Structural | The Structural Analyzer detects potentially dangerous flaws in the structure or definition of the program. By understanding the way programs are structured, the Structural Analyzer identifies violations of secure programming practices and techniques that are often difficult to detect through inspection because they encompass a wide scope involving both the declaration and use of variables and functions. For example, the Structural Analyzer detects assignment to member variables in Java servlets, identifies the use of loggers that are not declared static final, and flags instances of dead code that is never executed because of a predicate that is always false. |
Fortify Static Code Analyzer requires a license to perform both the translation and analysis
(scan) phases of security analysis (for more information about these phases, see "Analysis Process" on page 43). For details on how to obtain a license for Fortify Static Code Analyzer, see the Micro Focus Fortify Software System Requirements document.
You must have a Fortify license file (fortify.license) and optionally you can use the Micro Focus Fortify License and Infrastructure Manager (LIM) to manage concurrent licenses for Fortify Static Code Analyzer. With a LIM managed concurrent license, multiple installations of Fortify Static Code Analyzer can share a single license (see Micro Focus Fortify License and Infrastructure Manager Installation and
Usage Guide for more information). For more information about managing your LIM license, see "LIM License Directives" on page 129.
Fortify Software Security Content
Fortify Static Code Analyzer uses a knowledge base of rules to enforce secure coding standards applicable to the codebase for static analysis. Micro Focus Fortify Software Security Content is required for both translation and analysis. You can download and install security content when you install Fortify Static Code Analyzer (see "Installing Fortify Static Code Analyzer" on page 25). Alternatively, you can download or import previously downloaded Fortify Security Content with the fortifyupdate utility as a post-installation task (see "Manually Installing Fortify Security Content" on page 33).
Fortify Software Security Content (security content) consists of Secure Coding Rulepacks and external metadata:
Secure Coding Rulepacks describe general secure coding idioms for popular languages and public APIs
External metadata includes mappings from the Fortify categories to alternative categories (such as CWE, OWASP Top 10, and PCI)
Fortify provides the ability to write custom rules that add to the functionality of Fortify Static Code Analyzer and the Secure Coding Rulepacks. For example, you might need to enforce proprietary security guidelines or analyze a project that uses third-party libraries or other pre-compiled binaries that are not already covered by the Secure Coding Rulepacks. You can also customize the external metadata to map Fortify issues to different taxonomies, such as internal application security standards or additional compliance obligations. For instructions on how to create your own custom rules or custom external metadata, see the Micro Focus Fortify Static Code Analyzer Custom Rules Guide.
Fortify recommends that you periodically update the security content. You can use the fortifyupdate utility to obtain the latest security content. For more information, see "Updating Security Content" on page 134.
You can use Micro Focus Fortify ScanCentral SAST to manage your resources by offloading the Fortify Static Code Analyzer scan phase from build machines to a collection of machines provisioned for this purpose. For most languages, Fortify ScanCentral SAST can perform both the translation and the analysis (scan) phases. Users of Micro Focus Fortify Software Security Center can direct Fortify ScanCentral SAST to output the FPR file directly to the server.
You can analyze your code in one of two ways:
Perform the translation phase on a local build machine and generate a mobile build session (MBS). Start the scan with Fortify ScanCentral SAST using the MBS file. In addition to freeing up the build machines, this process makes it easy to expand the system by adding more resources as needed, without having to interrupt the build process. In addition,
If your application is written in a language supported for Fortify ScanCentral SAST translation, you can offload the translation and analysis (scan) phase of the analysis to Fortify ScanCentral SAST. For information about the specific supported languages, see the Micro Focus Fortify Software System Requirements document.
For detailed information about how to use Fortify ScanCentral SAST, see the Micro Focus Fortify ScanCentral SAST Installation, Configuration, and Usage Guide.
Micro Focus Fortify Scan Wizard is a utility that enables you to easily generate a script to perform Fortify Static Code Analyzer commands for Windows or Linux/macOS systems. You can run this generated script to analyze your code with Fortify Static Code Analyzer. You can specify to run your analysis locally, or use Micro Focus Fortify ScanCentral SAST to run all or part of the analysis remotely. For more information, see "Fortify Scan Wizard" on page 177.
This topic describes documents that provide information about Micro Focus Fortify software products.
The following documents provide general information for all products. Unless otherwise noted, these documents are available on the Micro Focus Product Documentation website.
Document / File Name | Description |
About Micro Focus Fortify Product Software Documentation About_Fortify_Docs_<version>.pdf | This paper provides information about how to access Micro Focus Fortify product documentation. Note: This document is included only with the product download. |
Micro Focus Fortify License and Infrastructure Manager Installation and Usage Guide LIM_Guide_<version>.pdf | This document describes how to install, configure, and use the Fortify License and Infrastructure Manager (LIM), which is available for installation on a local Windows server and as a container image on the Docker platform. |
Document / File Name | Description |
Micro Focus Fortify Software System Requirements Fortify_Sys_Reqs_<version>.pdf | This document provides the details about the environments and products supported for this version of Fortify Software. |
Micro Focus Fortify Software Release Notes FortifySW_RN_<version>.pdf | This document provides an overview of the changes made to Fortify Software for this release and important information not included elsewhere in the product documentation. |
What’s New in Micro Focus Fortify Software <version> Fortify_Whats_New_<version>.pdf | This document describes the new features in Fortify Software products. |
Micro Focus Fortify ScanCentral SAST
The following document provides information about Fortify ScanCentral SAST. Unless otherwise noted, these documents are available on the Micro Focus Product Documentation website at https://www.microfocus.com/documentation/fortify-software-security-center.
Document / File Name | Description |
Micro Focus Fortify ScanCentral SAST Installation, Configuration, and Usage Guide SC_SAST_Guide_<version>.pdf | This document provides information about how to install, configure, and use Fortify ScanCentral SAST to streamline the static code analysis process. It is written for anyone who intends to install, configure, or use Fortify ScanCentral SAST to offload the resource-intensive translation and scanning phases of their Fortify Static Code Analyzer process. |
Micro Focus Fortify Software Security Center
The following document provides information about Fortify Software Security Center. Unless otherwise noted, these documents are available on the Micro Focus Product Documentation website at https://www.microfocus.com/documentation/fortify-software-security-center.
Document / File Name | Description |
Micro Focus Fortify Software Security Center User Guide | This document provides Fortify Software Security Center users with detailed information about how to deploy and use |
Document / File Name | Description |
SSC_Guide_<version>.pdf | Software Security Center. It provides all of the information you need to acquire, install, configure, and use Software Security Center. It is intended for use by system and instance administrators, database administrators (DBAs), enterprise security leads, development team managers, and developers. Software Security Center provides security team leads with a high-level overview of the history and current status of a project. |
Micro Focus Fortify Static Code Analyzer
The following documents provide information about Fortify Static Code Analyzer. Unless otherwise noted, these documents are available on the Micro Focus Product Documentation website at https://www.microfocus.com/documentation/fortify-static-code.
Document / File Name | Description |
Micro Focus Fortify Static Code Analyzer User Guide SCA_Guide_<version>.pdf | This document describes how to install and use Fortify Static Code Analyzer to scan code on many of the major programming platforms. It is intended for people responsible for security audits and secure coding. |
Micro Focus Fortify Static Code Analyzer Custom Rules Guide SCA_Cust_Rules_Guide_<version>.zip | This document provides the information that you need to create custom rules for Fortify Static Code Analyzer. This guide includes examples that apply rule-writing concepts to real-world security issues. Note: This document is included only with the product download. |
Micro Focus Fortify Audit Workbench User Guide AWB_Guide_<version>.pdf | This document describes how to use Fortify Audit Workbench to scan software projects and audit analysis results. This guide also includes how to integrate with bug trackers, produce reports, and perform collaborative auditing. |
Micro Focus Fortify Plugins for Eclipse User Guide Eclipse_Plugins_Guide_<version>.pdf | This document provides information about how to install and use the Fortify Complete and the Fortify Remediation Plugins for Eclipse. |
Document / File Name | Description |
Micro Focus Fortify Plugins for JetBrains IDEs and Android Studio User Guide JetBrains_AndStud_Plugins_Guide_ <version>.pdf | This document describes how to install and use both the Fortify Analysis Plugin for IntelliJ IDEA and Android Studio and the Fortify Remediation Plugin for IntelliJ IDEA, Android Studio, and other JetBrains IDEs. |
Micro Focus Fortify Extension for Visual Studio User Guide VS_Ext_Guide_<version>.pdf | This document provides information about how to install and use the Fortify extension for Visual Studio to analyze, audit, and remediate your code to resolve security-related issues in solutions and projects. |
Micro Focus Fortify Static Code Analyzer Tools Properties Reference Guide SCA_Tools_Props_Ref_<version>.pdf | This document describes the properties used by Fortify Static Code Analyzer tools. |
Chapter 2: Installing Fortify Static Code Analyzer
This chapter describes how to install and uninstall Fortify Static Code Analyzer and Fortify Static Code Analyzer tools. This chapter also describes basic post-installation tasks. See the Micro Focus Fortify Software System Requirements document to be sure that your system meets the minimum requirements for each software component installation.
This section contains the following topics:
Fortify Static Code Analyzer Tools 25 About Installing Fortify Static Code Analyzer and Applications 27 Using Docker to Install and Run Fortify Static Code Analyzer 33 About Upgrading Fortify Static Code Analyzer and Applications 35 About Uninstalling Fortify Static Code Analyzer and Applications 36 Post-Installation Tasks 38
Fortify Static Code Analyzer Tools
The installation consists of Fortify Static Code Analyzer, which analyzes your build code according to a set of rules specifically tailored to provide the information necessary for the type of analysis performed. A Fortify Static Code Analyzer installation might also include one or more applications.
The following table describes the tools that are available for installation with the Fortify Static Code Analyzer and Applications installer.
Tool | Description |
Micro Focus Fortify Audit Workbench | Provides a graphical user interface for Fortify Static Code Analyzer that helps you organize, investigate, and prioritize analysis results so that developers can fix security flaws quickly. |
Micro Focus Fortify Plugin for Eclipse | Adds the ability to scan and analyze the entire codebase of a project and apply software security rules that identify the vulnerabilities in your Java code from the Eclipse IDE. The results are displayed, along with descriptions of each of the security issues and suggestions for their elimination. |
Tool | Description |
Micro Focus Fortify Analysis Plugin for IntelliJ and Android Studio | Adds the ability to run Fortify Static Code Analyzer scans on the entire codebase of a project and apply software security rules that identify the vulnerabilities in your code from the IntelliJ and Android Studio IDEs. |
Micro Focus Fortify Extension for Visual Studio | Adds the ability to scan and locate security vulnerabilities in your solutions and projects and displays the scan results in Visual Studio. The results include a list of issues uncovered, descriptions of the type of vulnerability each issue represents, and suggestions on how to fix them. This extension also includes remediation functionality that works with audit results stored on a Micro Focus Fortify Software Security Center server. |
Micro Focus Fortify Custom Rules Editor | A tool to create and edit custom rules. |
Micro Focus Fortify Scan Wizard | A tool to quickly prepare a script that you can use to scan your code with Fortify Static Code Analyzer and optionally, upload the results directly to Fortify Software Security Center. Note: This tool is installed automatically with Fortify Static Code Analyzer. |
Command-line utilities | There are several command-line utilities that are installed automatically with Fortify Static Code Analyzer. For more information, see "Command-Line Utilities" on page 132. |
The following table describes the tools that are included in the Fortify Static Code Analyzer and Applications package. You install these tools separately from the Fortify Static Code Analyzer and Applications installer.
Tool | Description |
Micro Focus Fortify Remediation Plugin for Eclipse | Works with Fortify Software Security Center for developers who want to remediate issues detected in source code from the Eclipse IDE. |
Micro Focus Fortify Remediation Plugin for JetBrains IDEs and Android Studio | Works in several JetBrains IDEs and Android Studio together with Fortify Software Security Center to add remediation functionality to your security analysis. |
Tool | Description |
Micro Focus Fortify Security Assistant Plugin for Eclipse | Provides alerts to potential security issues as you write your Java code. It provides detailed information about security risks and recommendations for how to secure the potential issue. |
About Installing Fortify Static Code Analyzer and Applications
This section describes how to install Fortify SCA and Applications. You must provide a Fortify license file and optionally LIM license pool credentials for the Fortify Static Code Analyzer installation. The following table lists the different methods of installing Fortify SCA and Applications.
Installation Method | Instructions |
Perform the installation using a standard install wizard | "Installing Fortify Static Code Analyzer and Applications" on the next page |
Perform the installation silently (unattended) | "Installing Fortify Static Code Analyzer and Applications Silently (Unattended)" on page 30 |
Perform a text-based installation on non-Windows systems | |
Perform the installation using Docker | "Using Docker to Install and Run Fortify Static Code Analyzer" on page 33 |
For best performance, install Fortify Static Code Analyzer on the same local file system where the code that you want to scan resides.
After you complete the installation, see "Post-Installation Tasks" on page 38 for additional steps you can perform to complete your system setup. You can also configure settings for runtime analysis, output, and performance of Fortify Static Code Analyzer and its components by updating the installed configuration files. For information about the configuration options for Fortify Static Code Analyzer, see "Configuration Options" on page 184. For information about configuration options for Fortify Static Code Analyzer component applications, see the Micro Focus Fortify Static Code Analyzer Tools Properties Reference Guide.
Installing Fortify Static Code Analyzer and Applications
To install Fortify Static Code Analyzer and Applications:
Run the installer file for your operating system:
Windows: Fortify_SCA_and_Apps_<version>_windows_x64.exe
Linux: Fortify_SCA_and_Apps_<version>_linux_x64.run
macOS: Fortify_SCA_and_Apps_<version>_osx_x64.app.zip
AIX: Fortify_SCA_<version>_aix_x64.run
Solaris: Fortify_SCA_<version>_solaris_x86.run or Fortify_SCA_<version>_ solaris10_sparc.run
where <version> is the software release version.
Accept the license agreement, and then click Next.
Choose where to install Fortify Static Code Analyzer and applications, and then click Next.
(Optional) Select the components to install, and then click Next.
Specify the path to the fortify.license file, and then click Next.
(Optional) On the LIM license page, select Yes to use the Fortify License and Infrastructure Manager (LIM) for managing your concurrent licenses, and then click Next.
com.fortify.sca.lim.WaitForInitialLicense in the fortify-sca.properties file (see "fortify-sca.properties" on page 186).
Type the LIM server URL, the license pool name, and the pool password.
Click Next. The LIM Proxy Settings page opens.
If connection to the LIM server requires a proxy server, type the proxy host (hostname or IP address of your proxy server) and optionally a port number.
Click Next.
Specify the settings required to update your security content. To update the security content for your installation:
Type the URL of the update server. To use the Fortify Rulepack update server for security content updates, keep the URL as: https://update.fortify.com.
(Optional) If connection to the update server requires a proxy server, type the proxy host and port number.
Click Next.
Specify if you want to migrate from a previous installation of Fortify Static Code Analyzer on your system.
Migrating from a previous Fortify Static Code Analyzer installation preserves Fortify Static Code Analyzer artifact files. For more information, see "About Upgrading Fortify Static Code Analyzer and Applications" on page 35.
Note: You can also migrate Fortify Static Code Analyzer artifacts using the scapostinstall command-line utility. For information on how to use the post-install tool to migrate from a previous Fortify Static Code Analyzer installation, see "Migrating Properties Files" on page 38.
To migrate artifacts from a previous installation:
In the SCA Migration page, select Yes, and then click Next.
Specify the location of the existing Fortify Static Code Analyzer installation on your system, and then click Next.
If you are installing the Fortify extension for Visual Studio, you are prompted to specify whether to install the extensions for the current install user or for all users.
The default is to install the extensions for the current install user.
Specify if you want to install sample source code projects, and then click Next. See "Sample Projects" on page 180 for descriptions of these samples.
Click Next to proceed to install Fortify Static Code Analyzer and applications.
After Fortify Static Code Analyzer is installed, select Update security content after installation
if you want to update the security content, and then click Finish.
The Security Content Update Result window displays the security content update results.
Installing Fortify Static Code Analyzer and Applications Silently (Unattended)
A silent installation enables you to complete the installation without any user prompts. To install silently, you need to create an option file to provide the necessary information to the installer. Using the silent installation, you can replicate the installation parameters on multiple machines. When you install Fortify Static Code Analyzer and Applications silently, the installer does not download the Micro Focus Fortify Software Security Content. For instructions on how to install the Fortify security content, see "Manually Installing Fortify Security Content" on page 33.
To install Fortify Static Code Analyzer silently:
Create an options file.
Create a text file that contains the following line:
fortify_license_path=<license_file_location>
where <license_file_location> is the full path to your fortify.license file.
To use a LIM license server, add the following lines with your LIM license pool credentials to the options file :
lim_url=<lim_url> lim_pool_name=<license_pool_name> lim_pool_password=<license_pool_pwd>
If you are using a different location for the Fortify Security Content updates than the default of
https://update.fortify.com, add the following line:
UpdateServer=<update_server_url>
added to the <sca_install_dir>/Core/config/server.properties file to use when you manually install Fortify security content.
If you require a proxy server, add the following lines:
UpdateProxyServer=<proxy_server> UpdateProxyPort=<port_number>
If you do not want to install the sample source code projects, add the following line.
InstallSamples=0
Add more installation instructions, as needed, to the options file.
To obtain a list of installation options that you can add to your options file, open a command
prompt, and then type the installer file name and the --help option. This command displays each available command-line option preceded with a double dash and the available parameters enclosed in angle brackets. For example, if you want to see the progress of the install displayed
at the command line, add unattendedmodeui=minimal to your options file.
o
o
The command-line options are case-sensitive.
The installation options are not the same on all supported operating systems. Run the installer with --help to see the options available for your operating system.
For the enable-components option on Windows, you can specify the AWB_group parameter to install Fortify Audit Workbench, Fortify Custom Rules Editor, and associate FPR files with Fortify Audit Workbench. To install specific plugins, list each plugin by parameter name (the
Plugins_group parameter does not install all plugins and you do not need to include it).
The following example Windows options file specifies the location of the license file, the location and proxy information for obtaining the Fortify Security Content, a request to migrate from a previous release, installation of Audit Workbench, installation of Micro Focus Fortify Extension for Visual Studio 2019 for all users, and the location of the Fortify SCA and Applications installation directory:
fortify_license_path=C:\Users\admin\Desktop\fortify.license UpdateServer=https://internalserver.abc.com UpdateProxyServer=webproxy.abc.company.com UpdateProxyPort=8080
MigrateSCA=1
enable-components=AWB_group,VS2019 VS_all_users=1 installdir=C:\Fortify
The following options file example is for Linux and macOS:
fortify_license_path=/opt/Fortify/fortify.license UpdateServer=https://internalserver.abc.com UpdateProxyServer=webproxy.abc.company.com UpdateProxyPort=8080
MigrateSCA=1 installdir=/opt/Fortify
Save the options file.
Run the silent install command for your operating system.
Windows | Fortify_SCA_and_Apps_<version>_windows_x64.exe --mode unattended --optionfile <full_path_to_options_file> |
Linux | ./Fortify_SCA_and_Apps_<version>_linux_x64.run --mode unattended --optionfile <full_path_to_options_file> |
macOS | You must uncompress the ZIP file before you run the command. Fortify_SCA_and_Apps_<version>_osx_x64.app/Contents/ MacOS/installbuilder.sh --mode unattended --optionfile <full_ path_to_options_file> |
AIX and Solaris | ./Fortify_SCA_<version>_<platform>.run --mode unattended --optionfile <full_path_to_options_file> |
The installer creates an installer log file when the installation is complete. This log file is in the following location depending on your operating system.
Windows | C:\Users\<username>\AppData\Local\Temp\FortifySCAandApps- <version>-install.log |
Linux | /tmp/FortifySCAandApps-<version>-install.log |
macOS | /tmp/FortifySCAandApps-<version>-install.log |
AIX and Solaris | /tmp/FortifySCA-<version>-install.log |
Installing Fortify Static Code Analyzer and Applications in Text-Based Mode on Non-Windows Platforms
You perform a text-based installation on the command line. During the installation, you are prompted for information required to complete the installation. Text-based installations are not supported on Windows systems.
To perform a text-based installation of Fortify Static Code Analyzer and Applications, run the text-based install command for your operating system as listed in the following table.
Linux | ./Fortify_SCA_and_Apps_<version>_linux_x64.run --mode text |
macOS | You must uncompress the provided ZIP file before you run the command. Fortify_SCA_and_Apps_<version>_osx_x64.app/Contents/ MacOS/installbuilder.sh --mode text |
AIX and Solaris | ./Fortify_SCA_<version>_<platform>.run --mode text |
Manually Installing Fortify Security Content
You can install Micro Focus Fortify Software Security Content (Secure Coding Rulepacks and metadata) automatically during the Windows installation procedure. However, you can also download Fortify security content from the Fortify Rulepack update server, and then use the fortifyupdate utility to install it. This option is provided for installations on non-Windows platforms and for deployment environments that do not have access to the Internet during installation.
Use the fortifyupdate utility to install Fortify security content from either a remote server or a locally downloaded file.
To install security content:
Open a command window.
Navigate to the <sca_install_dir>/bin directory.
At the command prompt, type fortifyupdate.
If you have previously downloaded the Fortify security content from the Fortify Rulepack update
server, run fortifyupdate with the -import option and the path to the directory where you downloaded the ZIP file.
You can also use this same utility to update your security content. For more information about the fortifyupdate utility, see "Updating Security Content" on page 134.
Using Docker to Install and Run Fortify Static Code Analyzer
You can install Fortify Static Code Analyzer in a Docker image and then run Fortify Static Code Analyzer as a Docker container.
Creating a Dockerfile to Install Fortify Static Code Analyzer
This topic describes how to create a Dockerfile to install Fortify Static Code Analyzer in Docker image. The Dockerfile must include the following instructions:
Set a Linux system to use for the base image.
Copy the Fortify SCA and Applications installer, the Fortify license file, and installation options file to the Docker image using the COPY instruction.
For instructions on how to create an installation options file, see "Installing Fortify Static Code Analyzer and Applications Silently (Unattended)" on page 30.
Run the Fortify SCA and Applications installer using the RUN instruction.
You must run the installer in unattended mode. For more information, see "Installing Fortify Static Code Analyzer and Applications Silently (Unattended)" on page 30.
Run fortifyupdate to download the Fortify Security Content using the RUN instruction.
For more information about this utility, see "Manually Installing Fortify Security Content" on the previous page.
To configure the image so you can run Fortify Static Code Analyzer, set the entry point to the location of the installed sourceanalyzer executable using the ENTRYPOINT instruction.
The default sourceanalyzer installation path is: /opt/Fortify/Fortify_SCA_and_Apps_
<version>/bin/sourceanalyzer.
The following is an example of a Dockerfile to install Fortify SCA and Applications:
FROM registry.suse.com/suse/sles12sp4 COPY fortify.license ./
COPY Fortify_SCA_and_Apps_21.1.0_linux_x64.run ./ COPY installerSettings ./
RUN zypper -n install rpm-build
RUN ./Fortify_SCA_and_Apps_21.1.0_linux_x64.run --mode unattended \
--optionfile ./installerSettings && \
/opt/Fortify/Fortify_SCA_and_Apps_21.1.0/bin/fortifyupdate && \
rm Fortify_SCA_and_Apps_21.1.0_linux_x64.run fortify.license installerSettings ENTRYPOINT [ "/opt/Fortify/Fortify_SCA_and_Apps_21.1.0/bin/sourceanalyzer" ]
To create the docker image using the Dockerfile from the current directory, you must use the docker build command. For example:
docker build -t <image_name>
This topic describes how to run the Fortify Static Code Analyzer image as a container and provides example Docker run commands for translation and scan.
To run the Fortify Static Code Analyzer image as a container, you must mount two directories from the host file system to the container:
The directory that contains the source files you want to analyze.
A temporary directory to store the SCA build session between the translate and scan phases and to share the output files (logs, FPR) with the host.
Specify this directory using the –project-root command-line option in both the Fortify Static Code Analyzer translate and scan commands.
The following example commands mount the input directory /sources in /src and the temporary directory in /scratch_docker. The image name in the example is fortify-sca.
Important! Include the Fortify Static Code Analyzer –fcontainer option in both the translate and scan commands so that Fortify Static Code Analyzer detects and uses only the memory dedicated to the container. Otherwise, by default Fortify Static Code Analyzer detects the total
system memory because -autoheap is enabled.
Example Docker Run Commands for Translation and Scan
The following example mounts the temporary directory and the sources directory, and then runs Fortify Static Code Analyzer from the container for the translation phase:
docker run -v /scratch_local/:/scratch_docker -v /sources/:/src
-it fortify-sca –b MyProject -project-root /scratch_docker -fcontainer [<sca_options>] /src
The following example mounts the temporary directory, and then runs Fortify Static Code Analyzer from the container for the analysis phase:
docker run -v /scratch_local/:/scratch_docker
-it fortify-sca –b MyProject -project-root /scratch_docker –scan -fcontainer [<sca_options>] –f /scratch_docker/results.fpr
The results.fpr file is created in the host's /scratch_local directory.
About Upgrading Fortify Static Code Analyzer and Applications
To upgrade Fortify Static Code Analyzer and Applications, install the new version in a different location than where your current version is installed and choose to migrate settings from the previous installation. This migration preserves and updates the Fortify Static Code Analyzer artifact files located in the <sca_install_dir>/Core/config directory.
If you choose not to migrate any settings from a previous release, Fortify recommends that you save a backup of the following data if it has been modified:
<sca_install_dir>/Core/config/rules folder
<sca_install_dir>/Core/config/customrules folder
<sca_install_dir>/Core/config/ExternalMetadata folder
<sca_install_dir>/Core/config/CustomExternalMetadata folder
<sca_install_dir>/Core/config/server.properties file
<sca_install_dir>/Core/config/scales folder
After you install the new version, you can uninstall the previous version. For more information, see "About Uninstalling Fortify Static Code Analyzer and Applications" below.
Notes About Upgrading the Fortify Extension for Visual Studio
If you have administrative privileges and are upgrading from a previous version of the Fortify Static Code Analyzer for any supported version of Visual Studio, the installer will overwrite the existing Micro Focus Fortify Extension for Visual Studio. If the previous version was installed without administrative privileges, the installer will also overwrite the existing Fortify Extension for Visual Studio without requiring administrative privileges.
About Uninstalling Fortify Static Code Analyzer and Applications
This section describes how to uninstall Fortify Static Code Analyzer and Applications. You can use the standard install wizard, or you can perform the uninstallation silently. You can also perform a text-based uninstallation on non-Windows systems.
Uninstalling Fortify Static Code Analyzer and Applications
To uninstall the Fortify Static Code Analyzer and applications software:
Select Start > Control Panel > Add or Remove Programs.
You are prompted to indicate whether to remove all application settings. Do one of the following:
Click Yes to remove the application setting folders for the tools installed with the version of Fortify Static Code Analyzer that you are uninstalling. The Fortify Static Code Analyzer (sca<version>) folder is not removed.
Click No to retain the application settings on your system.
To uninstall Fortify Static Code Analyzer software on Linux and macOS platforms:
Back up your configuration, including any important files you have created.
Run the uninstall command located in the <sca_install_dir> for your operating system:
Linux | Uninstall_FortifySCAandApps_<version> |
macOS | Uninstall_FortifySCAandApps_<version>.app |
You are prompted to indicate whether to remove all application settings. Do one of the following:
Click Yes to remove the application setting folders for the tools installed with the version of Fortify Static Code Analyzer that you are uninstalling. The Fortify Static Code Analyzer (sca<version>) folder is not removed.
Click No to retain the application settings on your system.
Uninstalling Fortify Static Code Analyzer and Applications Silently
To uninstall Fortify Static Code Analyzer silently:
Navigate to the installation directory.
Type one of the following commands based on your operating system:
Windows | Uninstall_FortifySCAandApps_<version>.exe --mode unattended |
Linux | ./Uninstall_FortifySCAandApps_<version> --mode unattended |
macOS | Uninstall_FortifySCAandApps_ <version>.app/Contents/MacOS/installbuilder.sh --mode unattended |
AIX and Solaris | ./Uninstall_FortifySCA_<version> --mode unattended |
Uninstalling Fortify Static Code Analyzer and Applications in Text-Based Mode on Non-Windows Platforms
To uninstall Fortify Static Code Analyzer in text-based mode, run the text-based install command for your operating system, as follows:
Navigate to the installation directory.
Type one of the following commands based on your operating system:
Linux | ./Uninstall_FortifySCAandApps_<version> --mode text |
macOS | Uninstall_FortifySCAandApps_ <version>.app/Contents/MacOS/installbuilder.sh --mode text |
AIX and Solaris | ./Uninstall_FortifySCA_<version> --mode text |
Post-installation tasks prepare you to start using Fortify Static Code Analyzer and tools.
Running the Post-Install Tool
To run the Fortify Static Code Analyzer post-install tool:
Navigate to the <sca_install_dir>/bin directory from the command line.
At the command prompt, type scapostinstall.
Type one of the following:
To display settings, type s.
To return to a previous prompt, type r.
To exit the tool, type q.
To migrate properties files from a previous version of Fortify Static Code Analyzer to the current version of Fortify Static Code Analyzer installed on your system:
Navigate to the <sca_install_dir>/bin directory from the command line.
At the command prompt, type scapostinstall.
Type 1 to select Migration.
Type 1 to select SCA Migration.
Type 1 to select Migrate from an existing Fortify installation.
Type 1 to select Set previous Fortify installation directory.
Type the previous install directory.
Type s to confirm the settings.
Type 2 to perform the migration.
Type y to confirm.
English is the default locale for a Fortify Static Code Analyzer installation. To change the locale for your Fortify Static Code Analyzer installation:
Navigate to the bin directory from the command line.
At the command prompt, type scapostinstall.
Type 2 to select Settings.
Type 1 to select General.
Type 1 to select Locale.
Type one of the following locale codes:
English: en
Spanish: es
Japanese: ja
Korean: ko
Brazilian Portuguese: pt_BR
Simplified Chinese: zh_CN
Traditional Chinese: zh_TW
Configuring for Security Content Updates
Specify how you want to obtain Micro Focus Fortify Software Security Content. You must also specify proxy information if it is required to reach the server.
To specify settings for Fortify Security Content updates:
Navigate to the bin directory from the command line.
At the command prompt, type scapostinstall.
Type 2 to select Settings.
Type 2 to select Fortify Update.
To change the Fortify Rulepack update server URL, type 1, and then type the URL. The default Fortify Rulepack update server URL is https://update.fortify.com.
To specify a proxy for Fortify Security Content updates, do the following:
Type 2 to select Proxy Server Host, and then type the name of the proxy server.
Type 3 to select Proxy Server Port, and then type the proxy server port number.
(Optional) You can also specify the proxy server user name (option 4) and password (option 5).
Configuring the Connection to Fortify Software Security Center
Specify how to connect to Micro Focus Fortify Software Security Center. If your network uses a proxy server to reach the Fortify Software Security Center server, you must specify the proxy information.
To specify settings for connecting to Fortify Software Security Center:
Navigate to the bin directory from the command line.
At the command prompt, type scapostinstall.
Type 2 to select Settings.
Type 3 to select Software Security Center Settings.
Type 1 to select Server URL, and then type the Fortify Software Security Center server URL.
To specify proxy settings for the connection, do the following:
Type 2 to select Proxy Server, and then type the proxy server path.
Type 3 to select Proxy Server Port, and then type the proxy server port number.
To specify the proxy server username and password, use option 4 for the username and option 5 for the password.
(Optional) You can also specify the following:
Whether to update security content from your Fortify Software Security Center server (option 6)
The Fortify Software Security Center user name (option 7)
Removing Proxy Server Settings
If you previously specified proxy server settings for the Fortify Security Content update server or Micro Focus Fortify Software Security Center and it is no longer required, you can remove these settings.
To remove the proxy settings for Fortify Security Content updates or Fortify Software Security Center:
Navigate to the bin directory from the command line.
At the command prompt, type scapostinstall.
Type 2 to select Settings.
Type 2 to select Fortify Update or type 3 to select Software Security Center Settings.
Type the number that corresponds to the proxy setting you want to remove, and then type -
(hyphen) to remove the setting.
Repeat step 5 for each proxy setting you want to remove.
Connection from Fortify Static Code Analyzer and its tools to other Fortify products and external systems might require communication over HTTPS. Some examples include:
Fortify Static Code Analyzer by default requires an HTTPS connection to communicate with the LIM server for license management.
The property com.fortify.sca.lim.RequireTrustedSSLCert determines whether the connection with the LIM server requires a trusted SSL certificate. For more information about this property, see "fortify-sca.properties" on page 186.
The fortifyupdate utility uses an HTTPS connection either automatically during a Windows system installation or manually (see "Manually Installing Fortify Security Content" on page 33) to update Fortify security content.
The Fortify Static Code Analyzer Tools (such as Fortify Audit Workbench, Fortify Scan Wizard, and the Fortify Extension for Visual Studio) typically require an HTTPS connection to communicate with Fortify Software Security Center. By default, these tools do not trust self- or locally-signed certificates.
Fortify Static Code Analyzer configured as a ScanCentral SAST sensor uses an HTTPS connection to communicate with the Controller.
When using HTTPS, Fortify Static Code Analyzer and its tools will by default apply standard checks to the presented SSL server certificate, including a check to determine if the certificate is trusted. If your organization runs its own certificate authority (CA) and the Fortify Static Code Analyzer Tools need to trust connections where the server presents a certificate issued by this CA, you must configure the Fortify Static Code Analyzer Tools to trust the CA. Otherwise, the use of HTTPS connections might fail.
You must add the trusted certificate of the CA to the Fortify Static Code Analyzer keystore. The Fortify
Static Code Analyzer keystore is in the <sca_install_dir>/jre/lib/security/cacerts file. You can use the keytool command to add the trusted certificate to the keystore.
To add a trusted certificate to the Fortify Static Code Analyzer keystore:
Open a command prompt, and then run the following command:
<sca_install_dir>/jre/bin/keytool -importcert -alias <alias_name> -cacerts -file <cert_file>
where:
<alias_name> is a unique name for the certificate you are adding.
<cert_file> is the name of the file containing the trusted root certificate in PEM or DER format.
Enter the keystore password.
Note: The default password is changeit.
When prompted to trust this certificate, select yes.
Chapter 3: Analysis Process Overview
This section contains the following topics:
Analysis Process 43 Translation Phase 44 Mobile Build Sessions 45 Analysis Phase 46 Translation and Analysis Phase Verification 49
There are four distinct phases that make up the analysis process:
file (typically in the Fortify Project Results (FPR) format). FPR files have the .fpr file extension. For more information, see "Analysis Phase" on page 46.
The following is an example of the sequence of commands you use to translate and analyze code:
sourceanalyzer -b <build_id> -clean sourceanalyzer -b <build_id> ...
sourceanalyzer -b <build_id> -scan -f MyResults.fpr
The three commands in the previous example illustrate the following steps in the analysis process:
Remove all existing Fortify Static Code Analyzer temporary files for the specified build ID. Always begin an analysis with this step to analyze a project with a previously used build ID.
Translate the project code.
This step can consist of multiple calls to sourceanalyzer with the same build ID (except for dynamic languages including JavaScript/TypeScript, PHP, Python, and Ruby).
Analyze the project code and produce the Fortify Project Results file (FPR).
Fortify Static Code Analyzer runs in parallel analysis mode to reduce the scan time of large projects. This takes advantage of all CPU cores available on your system. When you run Fortify Static Code Analyzer, avoid running other CPU intensive processes during the Fortify Static Code Analyzer execution because it expects to have the full resources of your hardware available for the scan.
To successfully translate a project that is normally compiled, make sure that you have any dependencies required to build the project available. The chapters for each source code type describe any specific requirements.
The basic command-line syntax to perform the first step of the analysis process, file translation, is:
sourceanalyzer -b <build_id> ... <files>
or
sourceanalyzer -b <build_id> ... <compiler_command>
The translation phase consists of one or more invocations of Fortify Static Code Analyzer using the
sourceanalyzer command. Fortify Static Code Analyzer uses a build ID (-b option) to tie the invocations together. Subsequent invocations of sourceanalyzer add any newly specified source or configuration files to the file list associated with the build ID.
After translation, you can use the -show-build-warnings directive to list any warnings and errors that occurred in the translation phase:
sourceanalyzer -b <build_id> -show-build-warnings
To view the files associated with a build ID, use the -show-files directive:
sourceanalyzer -b <build_id> -show-files
The following chapters describe how to translate different types of source code:
"Translating C and C++ Code" on page 66
"Translating Other Languages and Configurations" on page 93
With a Fortify Static Code Analyzer mobile build session (MBS), you can translate a project on one machine and scan it on another. A mobile build session (MBS file) includes all the files needed for the analysis phase. To improve scan time, you can perform the translation on the build computer, and then move the build session (MBS file) to a better equipped computer for the scan. The developers can run translations on their own computers and use only one powerful computer to run large scans.
You must have the same version of Fortify Security Content (Rulepacks) installed on both the system where you are performing the translation and the system where you are performing the analysis.
Mobile Build Session Version Compatibility
The Fortify Static Code Analyzer version on the translate machine must be compatible with the Fortify Static Code Analyzer version on the analysis machine. The version number format is
<major>.<minor>.<patch>.<build_number> (for example, 21.2.0.0240). The <major> and <minor> portions of the Fortify Static Code Analyzer version numbers on both the translation and the analysis machines must match. For example, 21.2.0 and 21.1.x are compatible.
To determine the Fortify Static Code Analyzer version number, type sourceanalyzer -v on the command line.
Creating a Mobile Build Session
On the machine where you performed the translation, issue the following command to generate a mobile build session:
sourceanalyzer -b <build_id> -export-build-session <file>.mbs
where <file>.mbs is the file name you provide for the Fortify Static Code Analyzer mobile build session.
Importing a Mobile Build Session
After you move the <file>.mbs file to the machine where you want to perform the scan, import the mobile build session into the Fortify Static Code Analyzer project root directory.
sourceanalyzer -import-build-session <file>.mbs
-Dcom.fortify.sca.ExtractMobileInfo=true
To import the mobile build session, type the following command:
sourceanalyzer -import-build-session <file>.mbs
After you import your Fortify Static Code Analyzer mobile build session, you can proceed to the analysis phase. Perform a scan with the same build ID that was used in the translation.
You cannot merge multiple mobile build sessions into a single MBS file. Each exported build session must have a unique build ID. However, after all the build IDs are imported on the same Fortify Static
Code Analyzer installation, you can scan multiple build IDs in one scan with the -b option (see "Analysis Phase" below).
The analysis phase scans the intermediate files created during translation and creates the vulnerability results file (FPR).
The analysis phase consists of one invocation of sourceanalyzer. You specify the build ID and include the -scan directive with any other required analysis or output options (see "Analysis Options" on page 120 and "Output Options" on page 123).
An example of the basic command-line syntax for the analysis phase is:
sourceanalyzer -b MyProject -scan -f MyResults.fpr
To combine multiple builds into a single scan command, add the additional builds to the command line:
sourceanalyzer -b MyProject1 -b MyProject2 -b MyProject3 -scan -f MyResults.fpr
The use of antivirus software can negatively impact Fortify Static Code Analyzer performance. If you notice long scan times, Fortify recommends that you temporarily exclude the internal Fortify Static Code Analyzer files from your antivirus software scan. You can also do the same for the directories
where the source code resides, however the performance impact on the Fortify analysis is less than with the internal directories.
By default, Fortify Static Code Analyzer creates internal files in the following location:
On Windows: c:\Users\<username>\AppData\Local\Fortify\sca<version>
On non-Windows: <userhome>/.fortify/sca<version>
where <version> is the version of Fortify Static Code Analyzer you are using.
Higher-Order Analysis (HOA) improves the ability to track dataflow through higher-order code. Higher-order code manipulates functions as values, generating them with anonymous function expressions (lambda expressions), passing them as arguments, returning them as values, and assigning them to variables and to fields of objects. These code patterns are common in modern dynamic languages such as JavaScript, TypeScript, Python, Ruby, and Swift.
By default, Fortify Static Code Analyzer performs Higher-Order Analysis when you scan JavaScript, TypeScript, Python, Ruby, and Swift code. For a description of the Higher-Order Analysis properties, see "fortify-sca.properties" on page 186 and search for "higher-order analysis."
This release includes a technology preview of modular analysis. With modular analysis, you can pre-scan libraries (and sublibraries) separately from your core project. You can then include these pre-scanned libraries when you scan the core project. Doing this might improve the core project analysis performance because you are not rescanning the libraries every time you scan the core project. Modular analysis also enables you to scan a project that references a library without requiring the library's source code, Fortify Static Code Analyzer translated files, or custom rules used to scan the library. This has the added benefit that you only need to audit issues in your core application. The analysis results are more streamlined to code that you directly control and therefore you do not need to worry about issues in code that you do not own.
Modular analysis is currently available for libraries and applications developed in Java and Java EE.
You must rescan your libraries whenever you:
Update to a new version of Fortify Static Code Analyzer
Update your Fortify security content
Change the libraries
Modular Command-Line Examples
To translate and scan a library separately, type:
sourceanalyzer -b LibA MyLibs/A/*.java
sourceanalyzer -b LibA -scan-module
To translate and scan the core project and include multiple pre-scanned libraries:
sourceanalyzer -b MyProj MyProj/*.java
sourceanalyzer -b MyProj -scan -include-modules LibA,LibB
For a description of the options shown in the previous examples, see "Analysis Options" on page 120.
Regular expression (regex) analysis provides the ability to use regular expression rules for detecting vulnerabilities in both file content and file names. This analysis can detect vulnerable secrets such as passwords, keys, and credentials in project files. The Configuration Analyzer includes the regex analysis capability.
Regex analysis recursively examines all file paths and path patterns included in the translation phase. Every file, for each directory found is analyzed unless it's specifically excluded from the translation. To manage the files that are included in regex analysis, the following options are available:
Exclude any file or directory with the -exclude option in the translation phase. For more information about this option, see "Translation Options" on page 118.
By default, regex analysis excludes all detectible binary files. To include binary files in the analysis, add the following property to the fortify-sca.properties file (or include this property on the command line using the -D option):
com.fortify.sca.regex.ExcludeBinaries = false
By default, regex analysis excludes files larger than 10 MB to ensure that the scan time is acceptable. You can change the maximum file size (in megabytes) with the following property:
com.fortify.sca.regex.MaxSize = <max_file_size_mb>
To disable regex analysis, add the following property to the fortify-sca.properties file or include it on the command line:
com.fortify.sca.regex.Enable = false
Translation and Analysis Phase Verification
Micro Focus Fortify Audit Workbench result certification indicates whether the code analysis from a scan is complete and valid. The project summary in Fortify Audit Workbench shows the following specific information about Fortify Static Code Analyzer scanned code:
List of files scanned, with file sizes and timestamps
Java class path used for the translation (if applicable)
Rulepacks used for the analysis
Fortify Static Code Analyzer runtime settings and command-line options
Any errors or warnings encountered during translation or analysis
Machine and platform information
To view result certification information, open the FPR file in Fortify Audit Workbench and select Tools
> Project Summary > Certification. For more information, see the Micro Focus Fortify Audit Workbench User Guide.
Chapter 4: Translating Java Code
This section describes how to translate Java code.
Fortify Static Code Analyzer supports analysis of Java EE applications (including JSP files, configuration files, and deployment descriptors), Java Bytecode, and Java code with Lombok annotations.
This section contains the following topics:
Java Command-Line Syntax 50 Handling Resolution Warnings 53 Translating Java EE Applications 54 Translating Java Bytecode 55 Troubleshooting JSP Translation and Analysis Issues 56
To translate Java code, all types defined in a library that are referenced in the code must have a corresponding definition in the source code, a class file, or a JAR file. Include all source files on the Fortify Static Code Analyzer command line.
If your project contains Java code that refers to Kotlin code, make sure that the Java and Kotlin code are translated in the same Fortify Static Code Analyzer instance so that the Java references to Kotlin elements are resolved correctly. Kotlin to Java interoperability does not support Kotlin files provided by
the –sourcepath option. For more information about the –sourcepath option, see "Java Command-Line Options" on the next page
The basic command-line syntax to translate Java code is shown in the following example:
sourceanalyzer -b <build_id> -cp <classpath> <files>
With Java code, Fortify Static Code Analyzer can either:
Emulate the compiler, which might be convenient for build integration
Accept source files directly, which is convenient for command-line scans
For information about integrating Fortify Static Code Analyzer with Ant, see "Ant Integration" on page 113.
To have Fortify Static Code Analyzer emulate the compiler, type:
sourceanalyzer -b <build_id> javac [<translation_options>]
To pass files directly to Fortify Static Code Analyzer, type:
sourceanalyzer -b <build_id> -cp <classpath> [<translation_options>]
<files> | <file_specifiers>
where:
<translation_options> are options passed to the compiler.
-cp <classpath> specifies the class path to use for the Java source code.
Include all JAR dependencies normally used to build the project. Separate multiple paths with semicolons (Windows) or colons (non-Windows).
Similar to javac, Fortify Static Code Analyzer loads classes in the order they appear in the class path. If there are multiple classes with the same name in the list, Fortify Static Code Analyzer uses the first loaded class. In the following example, if both A.jar and B.jar include a class called MyData.class, Fortify Static Code Analyzer uses the MyData.class from A.jar.
sourceanalyzer -cp A.jar:B.jar myfile.java
Fortify strongly recommends that you avoid using duplicate classes with the -cp option. Fortify Static Code Analyzer loads JAR files in the following order:
From the -cp option
From jre/lib
From <sca_install_dir>/Core/default_jars
This enables you to override a library class by including the similarly-named class in a JAR specified with the -cp option.
For descriptions of all the available Java-specific command-line options, see "Java Command-Line Options" below.
The following table describes the Java command-line options (for Java SE and Java EE).
Java/Java EE Option | Description |
-appserver weblogic | websphere | Specifies the application server to process JSP files. Equivalent Property Name: com.fortify.sca.AppServer |
-appserver-home <dir> | Specifies the application server’s home. |
For WebLogic, this is the path to the directory that contains the server/lib directory.
For WebSphere, this is the path to the directory that
Java/Java EE Option | Description |
contains the JspBatchCompiler script. Equivalent Property Name: com.fortify.sca.AppServerHome | |
-appserver-version <version> | Specifies the version of the application server. Equivalent Property Name: com.fortify.sca.AppServerVersion |
-cp <dirs> | -classpath <dirs> | Specifies the class path to use for analyzing Java source code. The format is the same as javac: a semicolon- or colon-separated list of directories. You can use Fortify Static Code Analyzer file specifiers as shown in the following example: -cp "build/classes:lib/*.jar" For information about file specifiers, see "Specifying Files and Directories" on page 130. Equivalent Property Name: com.fortify.sca.JavaClasspath |
-extdirs <dirs> | Similar to the javac extdirs option, accepts a semicolon- or colon-separated list of directories. Any JAR files found in these directories are included implicitly on the class path. Equivalent Property Name: com.fortify.sca.JavaExtdirs |
-java-build-dir <dirs> | Specifies one or more directories that contain compiled Java sources. |
-source <version> | -jdk <version> | Indicates the JDK version for which the Java code is written. See the Micro Focus Fortify Software System Requirements document for supported versions. The default is Java 1.8. Equivalent Property Name: com.fortify.sca.JdkVersion |
-sourcepath <dirs> | Specifies a semicolon- or colon-separated list of directories that contain source code that is not included in the scan but is used for name resolution. The source path is similar to class path, except it uses source files instead of class files for |
Java/Java EE Option | Description |
resolution. Only source files that are referenced by the target file list are translated. Equivalent Property Name: com.fortify.sca.JavaSourcePath |
To translate a single file named MyServlet.java with javaee.jar as the class path, type:
sourceanalyzer -b MyServlet -cp lib/javaee.jar MyServlet.java
To translate all .java files in the src directory using all JAR files in the lib directory as a class path, type:
sourceanalyzer -b MyProject -cp "lib/*.jar" "src/**/*.java"
To translate and compile the MyCode.java file with the javac compiler, type:
sourceanalyzer -b MyProject javac -classpath libs.jar MyCode.java
To see all warnings that were generated during translation, type the following command before you start the scan phase:
sourceanalyzer -b <build_id> -show-build-warnings
You might see the following warnings for Java:
Unable to resolve type... Unable to resolve function... Unable to resolve field...
Unable to locate import... Unable to resolve symbol...
Multiple definitions found for function...
Multiple definitions found for class...
These warnings are typically caused by missing resources. For example, some of the .jar and .class files required to build the application might not have been specified. To resolve the warnings, make sure that you include all the required files that your application uses.
Translating Java EE Applications
To translate Java EE applications, Fortify Static Code Analyzer processes Java source files and
Java EE components such as JSP files, deployment descriptors, and configuration files. While you can process all the pertinent files in a Java EE application in one step, your project might require that you break the procedure into its components for integration in a build process or to meet the needs of various stakeholders in your organization.
To translate Java EE applications, use the same procedure used to translate Java files. For examples, see "Java Command-Line Examples" on the previous page.
Translating JSP Projects, Configuration Files, and Deployment Descriptors
In addition to translating the Java files in your Java EE application, you might also need to translate JSP files, configuration files, and deployment descriptors. Your JSP files must be part of a Web Application Archive (WAR). If your source directory is already organized in a WAR file format, you can translate the JSP files directly from the source directory. If not, you might need to deploy your application and translate the JSP files from the deployment directory.
For example:
sourceanalyzer -b MyJavaApp "/**/*.jsp" "/**/*.xml"
where /**/*.jsp refers to the location of your JSP project files and /**/*.xml refers to the location of your configuration and deployment descriptor files.
You might see the following warning in the translation of Java EE applications:
Could not locate the root (WEB-INF) of the web application. Please build your web application and try again. Failed to parse the following jsp files:
<list_of_jsp_files>
This warning indicates that your web application is not deployed in the standard WAR directory format or does not contain the full set of required libraries. To resolve the warning, make sure that your web application is in an exploded WAR directory format with the correct WEB-INF/lib and WEB-INF/classes directories containing all the .jar and .class files required for your application. Also
verify that you have all the TLD files for all your tags and the corresponding JAR files with their tag implementations.
Fortify recommends that you do not translate Java bytecode and JSP/Java code in the same call to
sourceanalyzer. Use multiple invocations of sourceanalyzer with the same build ID to translate a project that contains both bytecode and JSP/Java code.
In addition to translating source code, you can translate the Java bytecode in your project. To translate bytecode, you have the following two options:
Request that Fortify Static Code Analyzer decompile the bytecode classes to regular Java files for inclusion in the translation.
To have the bytecode decompiled for the translation, add the following property to the fortify-sca.properties file (or include this property on the command line using the -D option):
com.fortify.sca.DecompileBytecode=true
Request that Fortify Static Code Analyzer translate bytecode without decompilation.
For best results, Fortify recommends that the bytecode be compiled with full debug information (javac -g).
To include bytecode in the Fortify Static Code Analyzer translation:
Add the following properties to the fortify-sca.properties file (or include these properties on the command line using the -D option):
com.fortify.sca.fileextensions.class=BYTECODE com.fortify.sca.fileextensions.jar=ARCHIVE
This specifies how Fortify Static Code Analyzer processes .class and .jar files.
In the Fortify Static Code Analyzer translation phase, specify the Java bytecode files that you
want to translate. For best performance, specify only the .jar or .class files that require scanning.
In the following example, the .class files are translated:
sourceanalyzer -b MyProject -cp "lib/*.jar" "src/**/*.class"
Troubleshooting JSP Translation and Analysis Issues
The following sections provide troubleshooting information for translating and scanning JSP.
Unable to Translate Some JSPs
Fortify Static Code Analyzer uses either the built-in compiler or your specific application server JSP compiler to translate JSP files into Java files for analysis. If the JSP parser encounters problems when Fortify Static Code Analyzer converts JSP files to Java files, you will see a message similar to the following:
Failed to translate the following jsps into analysis model. Please see the log file for any errors from the jsp parser and the user manual for hints on fixing those
<list_of_jsp_files>
This typically happens for one or more of the following reasons:
The web application is not laid out in a proper deployable WAR directory format
Some JAR files or classes required for the application are missing
Some tag libraries or their definitions (TLD) for the application are missing To obtain more information about the problem, perform the following steps:
Open the Fortify Static Code Analyzer log file in an editor.
Search for the following strings:
Jsp parser stdout:
Jsp parser stderr:
The JSP parser generates these errors. Resolve the errors and rerun Fortify Static Code Analyzer.
For more information about scanning Java EE applications, see "Translating Java EE Applications" on page 54.
Increased Issues Counts in JSP-Related Categories
If the analysis results contain a considerable increase in the number of vulnerabilities in JSP-related categories such as cross-site scripting compared with earlier Fortify Static Code Analyzer versions, you
can specify the -legacy-jsp-dataflow option in the analysis phase (with the -scan option). This option enables additional filtering on JSP-related dataflow to reduce the number of spurious false positives detected.
The equivalent property for this option that you can specify in the fortify-sca.properties file is
com.fortify.sca.jsp.LegacyDataflow.
Chapter 5: Translating Kotlin Code
This section describes how to translate Kotlin code. This section contains the following topics:
Kotlin Command-Line Syntax 57 Kotlin and Java Translation Interoperability 59 Translating Kotlin Scripts 59
The translation of Kotlin code is similar to the translation of Java code. To translate Kotlin code, all types defined in a library that are referenced in the code must have a corresponding definition in the source code, a class file, or a JAR file. Include all source files on the Fortify Static Code Analyzer command line.
The basic command-line syntax to translate Kotlin code is shown in the following example:
sourceanalyzer –b <build_id> -cp <classpath> [<translation_options>]
<files>
where
-cp <classpath> specifies the class path to use for the Kotlin source code.
Include all JAR dependencies normally used to build the project. Separate multiple paths with semicolons (Windows) or colons (non-Windows).
Fortify Static Code Analyzer loads classes in the order they appear in the class path. If there are multiple classes with the same name in the list, Fortify Static Code Analyzer uses the first loaded class. In the following example, if both A.jar and B.jar include a class called MyData.class, Fortify Static Code Analyzer uses the MyData.class from A.jar.
sourceanalyzer –cp "A.jar:B.jar" myfile.kt
Fortify strongly recommends that you avoid using duplicate classes with the -cp option.
For descriptions of all the available Kotlin-specific command-line options, see "Kotlin Command-Line Options" on the next page.
The following table describes the Kotlin-specific command-line options.
Kotlin Option | Description |
-cp <paths> | -classpath <dirs> | Specifies the class path to use for translating Kotlin source code, which is a semicolon- or colon-separated list of directories. You can use Fortify Static Code Analyzer file specifiers as shown in the following example: -cp "build/classes:lib/*.jar" For information about file specifiers, see "Specifying Files and Directories" on page 130. Equivalent Property Name: com.fortify.sca.JavaClasspath |
-source <version> | -jdk <version> | Indicates the JDK version for which the Kotlin code is written. See the Micro Focus Fortify Software System Requirements document for supported versions. The default is Java 1.8. Equivalent Property Name: com.fortify.sca.JdkVersion |
-sourcepath <dirs> | Specifies a semicolon- or colon-separated list of directories that contain Java source code that is not included in the scan but is used for name resolution. The source path is similar to class path, except it uses source files instead of class files for resolution. Only source files that are referenced by the target file list are translated. Equivalent Property Name: com.fortify.sca.JavaSourcePath |
To translate a single file named MyKotlin.kt with A.jar as the class path, type:
sourceanalyzer -b MyProject -cp lib/A.jar MyKotlin.kt
To translate all .kt files in the src directory using all JAR files in the lib directory as a class path, type:
sourceanalyzer -b MyProject -cp "lib/**/*.jar" "src/**/*.kt"
To translate and scan a gradle project using gradlew, type:
sourceanalyzer -b MyProject gradlew clean assemble
sourceanalyzer -b MyProject -scan –f MyResults.fpr
To translate all files in the src directory using Java dependencies from src/java and all JAR files in the lib directory and subdirectories as a class path, type:
sourceanalyzer –b MyProject –cp "lib/**/*.jar" -sourcepath "src/java" "src"
Kotlin and Java Translation Interoperability
If your project contains Kotlin code that refers to Java code, you can provide Java files to the translator the same way as Kotlin files that refers to another Kotlin file. You can provide them as part of the translated project source or as –sourcepath parameters.
If your project contains Java code that refers to Kotlin code, make sure that the Java and Kotlin code are translated in the same Fortify Static Code Analyzer instance so that the Java references to Kotlin elements are resolved correctly. Kotlin to Java interoperability does not support Kotlin files provided by the –sourcepath option. For more information about the –sourcepath option, see "Kotlin
Command-Line Options" on the previous page
Fortify Static Code Analyzer supports translation of Kotlin scripts excluding the experimental script customization. Script customization includes adding external properties, providing static or dynamic dependencies, and so on. Script definitions (templates) are used to create custom scripts and the template is applied to the script based on the *.kts file extension. Fortify Static Code Analyzer translates *.kts files but does not apply these templates.
Chapter 6: Translating Visual Studio and MSBuild Projects
Fortify Static Code Analyzer supports translation of the following types of projects built with Visual Studio or MSBuild:
C/C++ projects
.NET projects written in C# or Visual Basic (VB.NET)
This includes projects that target .NET, .NET Framework, .NET Core, and .NET Standard
ASP.NET applications
This includes applications that make use of the ASP.NET Core framework
Xamarin applications that target Android and iOS platforms
For the list of supported versions of relevant programming languages and frameworks, as well as Visual Studio and MSBuild, see the Micro Focus Fortify Software System Requirements document.
This section contains the following topics:
Visual Studio and MSBuild Project Translation Prerequisites 60 Visual Studio and MSBuild Project Translation Command-Line Syntax 61 Handling Special Cases for Translating Visual Studio and MSBuild Projects 61 Alternative Ways to Translate Visual Studio and MSBuild Projects 63
Visual Studio and MSBuild Project Translation Prerequisites
Fortify recommends that each project you translate is complete and that you perform the translation in an environment where you can build it without errors. A complete project contains the following:
All necessary source code files (C/C++, C#, or VB.NET)
All required reference libraries
This includes those from relevant frameworks, NuGet packages, and third-party libraries.
For C/C++ projects, include all necessary header files that do not belong to the Visual Studio or MSBuild installation
For ASP.NET and ASP.NET Core projects, include all the necessary ASP.NET page files
The supported ASP.NET page types are ASAX, ASCX, ASHX, ASMX, ASPX, AXML, BAML, CSHTML, Master, RAZOR, VBHTML, and XAML.
Visual Studio and MSBuild Project Translation Command-Line Syntax
The basic syntax to translate Visual Studio or MSBuild projects is to append an MSBuild command that builds the project to the Fortify Static Code Analyzer command. The following command translates a Visual Studio solution called Sample.sln:
sourceanalyzer –b <build_id> msbuild /t:rebuild Sample.sln
This command builds and translates the solution or project. Fortify strongly recommends you run this command from the Developer Command Prompt for Visual Studio to ensure an optimal environment for the translation.
environment, Fortify recommends that you run the dotnet restore command before you run the Fortify Static Code Analyzer translation. You must run this command from the top-level folder of the project. This ensures that all required reference libraries are downloaded and installed in the project.
After the translation is complete, you can perform the analysis phase as shown in the following example:
sourceanalyzer –b <build_id> -scan -f <results>.fpr
Handling Special Cases for Translating Visual Studio and MSBuild Projects
Running Translation from a Script
As stated previously, Fortify recommends that you run the Fortify Static Code Analyzer translation of Visual Studio and MSBuild projects from the Developer Command Prompt for Visual Studio. To perform the translation in a non-interactive mode such as with a script, establish an optimal environment for translation by executing the following command before you run the Fortify Static Code Analyzer translation:
cmd.exe /k <vs_install_dir>/Common7/Tools/VSDevCmd.bat
where <vs_install_dir> is the directory where you installed Visual Studio.
Translating Plain .NET and ASP.NET Projects
You can translate plain .NET and ASP.NET projects from the Windows Command Prompt as well as from a Visual Studio environment. When you translate from the Windows Command Prompt, make sure the path to the MSBuild executable required to build your project is included in PATH environment variable.
Translating C/C++ and Xamarin Projects
You must translate C/C++ and Xamarin projects either from a Developer Command Prompt for Visual Studio or from the Micro Focus Fortify Extension for Visual Studio.
Translating Projects with Settings Containing Spaces
If your project is built with a configuration or other settings file that contains spaces, make sure to do the following in the MSBuild command:
Enclose the setting value in quotes (in addition to the quotes around the appropriate command-line option)
Quotes are escaped
For example, to translate a Visual Studio solution Sample.sln that is built with configuration My Configuration, use the following command:
sourceanalyzer –b MySampleProj msbuild /t:rebuild "/p:Configuration=\"My Configuration\"" Sample.sln
Translating a Single Project from a Visual Studio Solution
If your Visual Studio solution contains multiple projects, you have the option to translate a single project instead of the entire solution. Project files have a file name extension that ends with proj such
as .vcxproj and .csproj. To translate a single project, specify the project file instead of the solution as the parameter for the MSBuild command.
The following example translates the Sample.vcxproj project file:
sourceanalyzer –b MySampleProj msbuild /t:rebuild Sample.vcxproj
Working with Multiple Targets and Projects for MSBuild Command
Recent versions of MSBuild enable you to build multiple targets and specific projects using an extended syntax of the /t option. However, Fortify recommends that you avoid this syntax for translating Visual
Studio or MSBuild projects. Specifying a single rebuild target is sufficient to translate any supported Visual Studio and MSBuild project.
If you cannot use a single rebuild target to translate your project, Fortify provides limited support of multiple targets and projects specified for the MSBuild command. To use this feature, add the –multiple-msbuild-targets option to the Fortify Static Code Analyzer command, as shown in the following example:
sourceanalyzer –b MySampleProj -multiple-msbuild-targets msbuild
/t:Project1:build;Project2:build Sample.sln
Analyzing Projects That Build Multiple Executable Files
If your Visual Studio or MSBuild project builds multiple executable files (such as files with the file name extension *.exe), Fortify strongly recommends that you run the analysis phase separately for each executable file to avoid false positive issues in the analysis results. To do this, use –binary-name
option when running the analysis phase and specify the executable file name or .NET assembly name as
the parameter.
The following example shows how to translate and analyze a Visual Studio solution Sample.sln that consists of two projects, Sample1 (a C++ project with no associated .NET assembly name) and Sample2
(a .NET project with .NET assembly name Sample2). Each project builds a separate executable file,
Sample1.exe and Sample2.exe, respectively.
sourceanalyzer -b MySampleProj msbuild /t:rebuild Sample.sln sourceanalyzer -b MySampleProj -scan -binary-name Sample1.exe -f Sample1.fpr
sourceanalyzer -b MySampleProj -scan -binary-name Sample2 -f Sample2.fpr
For more information about the -binary-name option, see "Analysis Options" on page 120.
Alternative Ways to Translate Visual Studio and MSBuild Projects
This section describes alternative methods of translating Visual Studio and MSBuild projects.
Alternative Translation Options for Visual Studio Solutions
The following are two alternative ways of translation available only for Visual Studio solutions:
Use the Micro Focus Fortify Extension for Visual Studio
The Fortify Extension for Visual Studio runs the translation and analysis (scan) phases together in one step.
Append a devenv command to the Fortify Static Code Analyzer command
The following command translates a Visual Studio solution called Sample.sln:
sourceanalyzer –b MySampleProj devenv Sample.sln /rebuild
Note that Fortify Static Code Analyzer converts a devenv invocation to the equivalent MSBuild invocation, therefore in this case, the solution with this command is built by MSBuild instead of the devenv tool.
Translating Without Explicitly Running Fortify Static Code Analyzer
You have the option to translate your Visual Studio or MSBuild project without invoking Fortify Static Code Analyzer directly. This requires the Fortify.targets file, which is located in the <sca_
install_dir>\Core\private-bin\sca\MSBuildPlugin directory. You can specify the file using an absolute or relative path in the MSBuild command line that builds your project. For example:
msbuild /t:rebuild
/p:CustomAfterMicrosoftCommonTargets=<sca_install_dir>\Core\private-bin\sca\MSBuildPlugin\Fortify.targets Sample.sln
There are several environment variables that you can set to configure the translation of your project. Most of them have default values, which Fortify Static Code Analyzer uses if the variable is not set. These variables are listed in the following table.
Environment Variable | Description | Default Value |
FORTIFY_ MSBUILD_ BUILDID | Specifies the Fortify Static Code Analyzer build ID for translation. Make sure that you set this value. This is equivalent to the Fortify Static Code Analyzer -b option. | None |
FORTIFY_ MSBUILD_ | Enables debug mode. This is equivalent to the Fortify Static Code Analyzer –debug | False |
Environment Variable | Description | Default Value |
DEBUG | option. | |
FORTIFY_ MSBUILD_ DEBUG_ VERBOSE | Enables verbose debug mode. This is equivalent to the Fortify Static Code Analyzer –debug-verbose option. Takes precedence over FORTIFY_MSBUILD_ DEBUG variable if both are set to true. | False |
FORTIFY_ MSBUILD_MEM | Specifies the memory requirements translation in the form of the JVM -Xmx option. For example, -Xmx2G. | Automatic allocation based on physical memory available on the system |
FORTIFY_ MSBUILD_ SCALOG | Specifies the location (absolute path) of the Fortify Static Code Analyzer log file. This is equivalent to the Fortify Static Code Analyzer -logfile option. | %LOCALAPPDATA%/Fortify/ sca/log/sca.log |
Chapter 7: Translating C and C++ Code
This section describes how to translate C and C++ code.
Important! The chapter describes how to translate C and C++ code that is not a part of a Visual Studio or MSBuild project. For instructions on translating Visual Studio or MSBuild projects, see "Translating Visual Studio and MSBuild Projects" on page 60.
This section contains the following topics:
C and C++ Code Translation Prerequisites 66 C and C++ Command-Line Syntax 66 Scanning Pre-processed C and C++ Code 67 C/C++ Precompiled Header Files 67
C and C++ Code Translation Prerequisites
Make sure that you have any dependencies required to build the project available, including headers for third-party libraries. Fortify Static Code Analyzer translation does not require object files and static/dynamic library files.
If you use Gradle to build your C++ project, make sure that the C++ Application Plugin is added to your Gradle file in one of the following formats:
apply plugin: 'cpp'
plugins {
id 'cpp-application'
}
For more information about integrating with Gradle, see "Build Integration" on page 111.
C and C++ Command-Line Syntax
Command-line options passed to the compiler affect preprocessor execution and can enable or disable language features and extensions. For Fortify Static Code Analyzer to interpret your source code in the same way as the compiler, the translation phase for C/C++ source code requires the complete compiler
command line. Prefix your original compiler command with the sourceanalyzer command and options.
The basic command-line syntax for translating a single file is:
sourceanalyzer -b <build_id> [<sca_options>] <compiler> [<compiler_ options>] <file>.c
where:
<sca_options> are options passed to Fortify Static Code Analyzer.
<compiler> is the name of the C/C++ compiler you use, such as gcc, g++, or cl. See the Micro Focus Fortify Software System Requirements document for a list of supported C/C++ compilers.
<compiler_options> are options passed to the C/C++ compiler.
<file>.c must be in ASCII or UTF-8 encoding.
The compiler command must successfully complete when executed on its own. If the compiler command fails, then the Fortify Static Code Analyzer command prefixed to the compiler command also fails.
For example, if you compile a file with the following command:
gcc -I. -o hello.o -c helloworld.c
then you can translate this file with the following command:
sourceanalyzer -b MyProject gcc -I. -o hello.o -c helloworld.c
Fortify Static Code Analyzer executes the original compiler command as part of the translation phase. In the previous example, the command produces both the translated source suitable for scanning, and the
object file hello.o from the gcc execution. You can use the Fortify Static Code Analyzer -nc option to disable the compiler execution.
Scanning Pre-processed C and C++ Code
If, before compilation, your C/C++ build executes a third-party C preprocessor that Fortify Static Code Analyzer does not support, you must invoke the Fortify Static Code Analyzer translation on the intermediate file. Fortify Static Code Analyzer touchless build integration automatically translates the intermediate file provided that your build executes the unsupported preprocessor and supported compiler as two commands connected by a temporary file rather than a pipe chain.
C/C++ Precompiled Header Files
Some C/C++ compilers support Precompiled Header Files, which can improve compilation performance. Some compilers' implementations of this feature have subtle side-effects. When the feature is enabled, the compiler might accept erroneous source code without warnings or errors. This can result in a
discrepancy where Fortify Static Code Analyzer reports translation errors even when your compiler does not.
If you use your compiler's Precompiled Header feature, disable Precompiled Headers, and then perform a full build to make sure that your source code compiles cleanly.
Chapter 8: Translating JavaScript and TypeScript Code
You can analyze JavaScript projects that contain JavaScript, TypeScript, JSX, and TSX source files, as well as JavaScript embedded in HTML files.
Some JavaScript frameworks are transpiled (source-to-source compilation) to plain JavaScript. This generated code is optimized., minimized, or both. Therefore, you might want to exclude it from translation because it would be challenging to fix any vulnerabilities Fortify Static Code Analyzer might report in this code. Use the -exclude command-line option to manually exclude this type of code.
Fortify Static Code Analyzer does not translate minified JavaScript (*.min.js).
This section contains the following topics:
Translating Pure JavaScript Projects 69 Excluding Dependencies 69 Excluding NPM Dependencies 70 Translating JavaScript Projects with HTML Files 71 Including External JavaScript or HTML in the Translation 71
Translating Pure JavaScript Projects
The basic command-line syntax to translate JavaScript is:
sourceanalyzer –b <build_id> <js_file_or_dir>
where <js_file_or_dir> is the either the name of the JavaScript file to be translated or a directory that contains multiple JavaScript files. You can also translate multiple files by specifying *.js for the
Excluding Dependencies
You can avoid translating specific dependencies by adding them to the appropriate property setting in the fortify-sca.properties file. Files specified in the following properties are not translated:
com.fortify.sca.skip.libraries.ES6
com.fortify.sca.skip.libraries.jQuery
com.fortify.sca.skip.libraries.javascript
com.fortify.sca.skip.libraries.typescript
Each property specifies a list of comma- or colon-separated file names (without path information).
The files specified in these properties apply to both local files and files on the internet. Suppose, for example, that the JavaScript code includes the following local file reference:
<script src="js/jquery-ui.js" type="text/javascript" charset="utf-8"></script>
By default, the com.fortify.sca.skip.libraries.jQuery property in the fortify-sca.properties file includes jquery-us.js, and therefore Fortify Static Code Analyzer does not translate the file shown in the previous example.
You can use regular expressions for the file names. Note that Fortify Static Code Analyzer automatically inserts the regular expression '(-?\d+\.\d+\.\d+)?' before .min.js or .js for each file name included in the com.fortify.sca.skip.libraries.jQuery property value.
Note: You can also exclude local files or entire directories with the -exclude command-line option. For more information about this option, see "Translation Options" on page 118.
By default, Fortify Static Code Analyzer translates only the NPM dependences that are imported in the code. You can change this behavior with the following two properties:
The com.fortify.sca.follow.imports property directs Fortify Static Code Analyzer to resolve all imported files and include them in the translation.
This property is enabled by default. Setting this property to false prevents NPM dependencies that are not explicitly included on the command-line from being included in the translation.
The com.fortify.sca.exclude.unimported.node.modules property directs Fortify Static Code Analyzer to exclude all files in any node_modules directory from the translation except files that
are specifically imported by the com.fortify.sca.follow.imports property.
This property is enabled by default to avoid translating dependencies that are not needed for the final project such as those only required for the build system.
Translating JavaScript Projects with HTML Files
If the project contains HTML files in addition to JavaScript files, set the
com.fortify.sca.EnableDOMModeling property to true in the fortify-sca.properties file or on the command line as shown in the following example:
sourceanalyzer –b MyProject <js_file_or_dir>
-Dcom.fortify.sca.EnableDOMModeling=true
When you set the com.fortify.sca.EnableDOMModeling property to true, this can decrease false negative reports of DOM-related attacks, such as DOM-related cross-site scripting issues.
If you set the com.fortify.sca.EnableDOMModeling property to true, you can also specify additional HTML tags for Fortify Static Code Analyzer to include in the DOM modeling with the
com.fortify.sca.DOMModeling.tags property. By default, Fortify Static Code Analyzer includes the following HTML tags: body, button, div, form, iframe, input, head, html, and p.
For example, to include the HTML tags ul and li in the DOM model, use the following command:
sourceanalyzer –b MyProject <js_file_or_dir>
-Dcom.fortify.sca.DOMModeling.tags=ul,li
Including External JavaScript or HTML in the Translation
To include external JavaScript or HTML files that are specified with the src attribute, you can specify which domains Fortify Static Code Analyzer can download and include in the translation phase. To do this, specify one or more domains with the
com.fortify.sca.JavaScript.src.domain.whitelist property.
Note: You can also set this property globally in the fortify-sca.properties file.
For example, you might have the following statement in your HTML file:
<script src='http://xyzdomain.com/foo/bar.js' language='text/javascript'/>
</script>
If you are confident that the xyzdomain.com domain is a safe location from which to download files, then you can include them in the translation phase by adding the following property specification on the command line:
-Dcom.fortify.sca.JavaScript.src.domain.whitelist="xyzdomain.com/foo"
Note: You can omit the www. prefix from the domain in the property value. For example, if the src tag in the original HTML file specifies to download files from www.google.com, you can specify just the google.com domain.
To trust more than one domain, include each domain separated by the vertical bar character (|) as shown in the following example:
-Dcom.fortify.sca.JavaScript.src.domain.whitelist= "xyzdomain.com/foo|abcdomain.com|123.456domain.com”
If you are using a proxy server, then you need to include the proxy server information on the command line as shown in the following example:
-Dhttp.proxyHost=example.proxy.com -Dhttp.proxyPort=8080
For a complete list of proxy server options, see the Networking Properties Java documentation.
Chapter 9: Translating Python Code
Fortify Static Code Analyzer translates Python applications, and processes files with the .py extension as Python source code.
This section contains the following topics:
Python Translation Command-Line Syntax 73 Including Imported Modules and Packages 73 Including Namespace Packages 74 Using the Django Framework with Python 74 Python Command-Line Options 75 Python Command-Line Examples 76
Python Translation Command-Line Syntax
The basic command-line syntax to translate Python code is:
sourceanalyzer -b <build_id> -python-version <python_version>
-python-path <dirs> <files>
Including Imported Modules and Packages
To translate Python applications and prepare for a scan, Fortify Static Code Analyzer searches for any imported modules and packages used by the application. Fortify Static Code Analyzer does not respect
the PYTHONPATH environment variable, which the Python runtime system uses to find imported modules and packages.
Fortify Static Code Analyzer searches for imported modules and packages using the list of directories in the following order:
The common root directory for all project source files. which Fortify Static Code Analyzer calculates automatically. For example, if there are two project directories PrimaryDir/project1/* and PrimaryDir/project2/*, the common root directory is PrimaryDir.
To remove the common root directory as a search target for imported modules and packages, include the -python-no-auto-root-calculation option in the translation command.
The directories specified with the -python-path option.
Fortify Static Code Analyzer includes a subset of modules from the standard Python library (module "builtins", all modules originally written in C, and others) in the translation. Fortify Static Code Analyzer first searches for a standard Python library module in the set included with Fortify
Static Code Analyzer and then in the paths specified with the -python-path option. If your Python code imports any module that Fortify Static Code Analyzer cannot find, it produces a warning. To make sure that all modules of the standard Python library are found, add the path to
your standard Python library in the -python-path list.
The current directory that contains the file Fortify Static Code Analyzer is translating. For example, when Fortify Static Code Analyzer translates a PrimaryDir/project1/a.py, the directory
PrimaryDir/project1 is added as the last directory to search for imported modules and packages.
To translate namespace packages, include all the paths to the namespace package directories in the -python-path option. For example, if you have two subpackages for a namespace package package_ name in multiple folders as in this example:
/path_1/package_name/subpackageA
/path_2/package_name/subpackageB
Include the following with the -python-path option: /path_1;/path_2.
Using the Django Framework with Python
Fortify Static Code Analyzer supports the Django framework. To translate code created using the Django framework, add the following properties to the <sca_install_ dir>/Core/config/fortify-sca.properties configuration file:
com.fortify.sca.limiters.MaxPassthroughChainDepth=8
com.fortify.sca.limiters.MaxChainDepth=8
By default, Fortify Static Code Analyzer attempts to discover Django templates in the project root folder. Any Django templates found are automatically added to the translation. If you do not want Fortify Static Code Analyzer to automatically discover Django templates, use the -django-disable-autodiscover option. If your project requires Django templates, but the project is configured such that Django templates are in an unexpected location, use the -django-template-dirs option to
specify the directories that contain the templates in addition to the -django-disable-autodiscover option.
You can specify additional locations of Django template files by adding the -django-template-dirs
option to the sourceanalyzer command:
-django-template-dirs <dirs>
The following table describes the Python options.
Python Option | Description |
-python-version <version> | Specifies the Python source code version you want to scan. The valid values for <version> are 2 and 3. The default value is 2. Equivalent Property Name: com.fortify.sca.PythonVersion |
-python-no-auto-root-calculation | Disables the automatic calculation of a common root directory of all project source files to use for importing modules and packages. Equivalent Property Name: com.fortify.sca.PythonNoAutoRootCalculation |
-python-path <dirs> | Specifies a semicolon-separated (Windows) or colon-separated (non-Windows) list of additional import directories. You can use the -python-path option to specify all paths used to import packages or modules. Include all paths to namespace package directories with this option. Fortify Static Code Analyzer sequentially searches the specified paths for each imported file and uses the first file encountered. Equivalent Property Name: com.fortify.sca.PythonPath |
-django-disable-autodiscover | Specifies that Fortify Static Code Analyzer does not automatically discover Django templates. Equivalent Property Name: com.fortify.sca.DjangoDisableAutodiscover |
Python Option | Description |
-django-template-dirs <dirs> | Specifies a semicolon-separated (Windows) or colon-separated (non-Windows) list of directories that contain Django templates. Fortify Static Code Analyzer sequentially searches the specified paths for each Django template file and uses the first template file encountered. Equivalent Property Name: com.fortify.sca.DjangoTemplateDirs |
To translate Python 3 code, type:
sourceanalyzer -b Python3Proj -python-version 3 -python-path
/usr/lib/python3.4:/usr/local/lib/python3.4/site-packages src/*.py
To translate Python 2 code, type:
sourceanalyzer -b MyPython2 -python-path
/usr/lib/python2.7:/usr/local/lib/python2.7/site-packages src/*.py
Chapter 10: Translating Code for Mobile Platforms
Fortify Static Code Analyzer supports analysis of the following mobile application source languages:
Swift, Objective-C, and Objective-C++ for iOS applications developed using Xcode
Java for Android applications
For information about translating Xamarin applications, see "Translating Visual Studio and MSBuild Projects" on page 60.
This section contains the following topics:
Translating Apple iOS Projects 77 Translating Android Projects 78
Translating Apple iOS Projects
This section describes how to translate Swift, Objective-C, and Objective-C++ source code for iOS applications. Fortify Static Code Analyzer automatically integrates with the Xcode Command Line Tool, Xcodebuild, to identify the project source files.
iOS Project Translation Prerequisites
The following are the prerequisites for translating iOS projects:
Objective-C++ projects must use the non-fragile Objective-C runtime (ABI version 2 or 3).
Use Apple’s xcode-select command-line tool to set your Xcode path. Fortify Static Code Analyzer uses the system global Xcode configuration to find the Xcode toolchain and headers.
Make sure that all source files required for a successful Xcode build are provided.
You can exclude files from the analysis using the -exclude option (see "iOS Code Analysis Command-Line Syntax" on the next page).
Make sure that you have any dependencies required to build the project available.
To translate Swift code, make sure that you have available all third-party modules, including CocoaPods. Bridging headers must also be available. However, Xcode usually generates them automatically during the build.
If your project includes property list files in binary format, you must first convert them to XML format. You can do this with the Xcode putil command.
To translate Objective-C projects, ensure that the headers for third-party libraries are available.
To translate WatchKit applications, make sure that you translate both the iPhone application target and the WatchKit extension target.
iOS Code Analysis Command-Line Syntax
The command-line syntax to translate iOS code using Xcodebuild is:
sourceanalyzer -b <build_id> xcodebuild [<compiler_options>]
where <compiler_options> are the supported options that are passed to the Xcode compiler.
To exclude files from the analysis, use the -exclude option (see "Translation Options" on page 118). All source files that match the exclude specification are not translated, even if they are included in the Xcode build. The following is an example:
sourceanalyzer -b MyProject -exclude "**/TestFile.swift" xcodebuild clean build
If your application uses any property list files (for example, <file>.plist), translate these files with a separate sourceanalyzer command. Use the same build ID that you used to translate the project files. The following is an example:
sourceanalyzer -b MyProject <path_to_plist_files>
If your project uses CocoaPods, include -workspace to build the project. For example:
sourceanalyzer -b DemoAppSwift xcodebuild clean build -workspace DemoAppSwift.xcworkspace -scheme DemoAppSwift -sdk iphonesimulator
You can then perform the analysis phase, as shown in the following example:
sourceanalyzer -b DemoAppSwift -scan -f MyResults.fpr
This section describes how to translate Java source code for Android applications. You can use Fortify Static Code Analyzer to scan the code with Gradle from either:
Your operating system's command line
A terminal window running in Android Studio
The way you use Gradle is the same for either method.
Note: You can also scan Android code directly from Android Studio with the Micro Focus Fortify Analysis Plugin for IntelliJ and Android Studio. For more information, see the Micro Focus Fortify Plugins for JetBrains IDEs and Android Studio User Guide.
Android Project Translation Prerequisites
The following are the prerequisites for translating Android projects:
Android Studio and the relevant Android SDKs are installed on the system where you will run the scans
Your Android project uses Gradle for builds.
If you have an older project that does not use Gradle, you must add Gradle support to the associated Android Studio project
Use the same version of Gradle that is provided with the version of Android Studio that you use to create your Android project
Make sure you have available all dependencies that are required to build the Android code in the application's project
To translate your Android code from a command window that is not displayed within Android Studio, make sure that Gradle Wrapper (gradlew) is defined on the system path
Android Code Analysis Command-Line Syntax
Use gradlew to scan Android projects, which is similar to using Gradle except that you use the Gradle Wrapper. For information about how to translate your Android project using the Gradle Wrapper, see "Gradle Integration" on page 113.
Filtering Issues Detected in Android Layout Files
If your Android project contains layout files (used to design the user interface), your project files might
include R.java source files that are automatically generated by Android Studio. When you scan the project, Fortify Static Code Analyzer can detect issues associated with these layout files.
Fortify recommends that Issues reported in any layout file be included in your standard audit so you can carefully determine if any of them are false positives. After you identify issues in layout files that you are not interested in, you can filter them out as described in "Filtering the Analysis" on page 174. You can filter out the issues based on the Instance ID.
Chapter 11: Translating Go Code
This section describes how to translate Go code. This section contains the following topics:
Go Command-Line Syntax 80 Go Command-Line Options 80 Resolving Dependencies 82
For best results, your project must be compilable and you must have all required dependencies available. The following entities are excluded from the translation (and the scan):
Vendor folder
All projects defined by any go.mod files in subfolders, except the project defined by the go.mod file under the %PROJECT_ROOT%
All files with the _test.go suffix (unit tests)
The basic command-line syntax to translate Go code is:
sourceanalyzer -b <build_id> [-gopath <dir>] [-goroot <dir>] <files>
The following table describes the command-line options that are specifically for translating Go code.
Go Option | Description |
-gopath <dir> | Specifies the root directory of your project. Make sure that the directory structure adheres to the Go workspace hierarchy (https://golang.org/doc/gopath_code.html). If this option is not specified, then the GOPATH system environment variable is used. You must specify the gopath directory as an absolute path. The following examples are valid values for <dir>: /home/projects/go_workspace/my_proj C:\projects\go_workspace\my_proj |
Go Option | Description |
The following example is an invalid value for <dir>: go_workspace/my_proj If this option and the GOPATH system environment variable is not set, then the gopath defaults to a subdirectory named go in the user's home directory ($HOME/go on Linux and %USERPROFILE%\go on Windows), unless that directory contains a Go distribution. Equivalent Property Name com.fortify.sca.GOPATH | |
-goroot <dir> | Specifies the location of the Go installation. If this option is not specified, the GOROOT system environment variable is used. If this option is not specified and the GOROOT system environment variable is not set, then Fortify Static Code Analyzer uses the Go compiler included in the Fortify Static Code Analyzer installation. Equivalent Property Name com.fortify.sca.GOROOT |
-goproxy <url> | Specifies one or more comma-separated proxy URLs. You can also specify direct or off (to disable network usage). If this option is not specified and the GOPROXY system environment variable is not set, then Fortify Static Code Analyzer uses https://proxy.golang.org,direct. Equivalent Property Name com.fortify.sca.GOPROXY |
Fortify Static Code Analyzer supports two dependency management systems built into Go:
Modules
Fortify Static Code Analyzer downloads all required dependencies using the native Go toolchain. If access to the internet is restricted on the machine where you run Fortify Static Code Analyzer, then do one of the following:
If you are using an artifact management system such as Artifactory, set the GOPROXY
environment variable or use the -goproxy option described in "Go Command-Line Options" on page 80.
Download all required dependencies using modules and vendoring.
GOPATH dependency resolution
If you are using a third-party dependency management system such as dep, you must download all dependencies before you start the translation.
Chapter 12: Translating Ruby Code
This section contains the following topics:
Ruby Command-Line Syntax 83 Adding Libraries 84 Adding Gem Paths 84
The basic command-line syntax to translate Ruby code is:
sourceanalyzer –b <build_id> <file>
where <file> is the name of the Ruby file you want to scan. To include multiple Ruby files, separate them with a space, as shown in the following example:
sourceanalyzer –b <build_id> file1.rb file2.rb file3.rb
In addition to listing individual Ruby files, you can use the asterisk (*) wildcard to select all Ruby files in a specified directory. For example, to find all the Ruby files in a directory called src, use the following sourceanalyzer command:
sourceanalyzer –b <build_id> src/*.rb
The following table describes the Ruby translation options.
Ruby Option | Description |
-ruby-path <dirs> | Specifies one or more paths to directories that contain Ruby libraries (see "Adding Libraries " on the next page) Equivalent Property Name: com.fortify.sca.RubyLibraryPaths |
User Guide
Chapter 12: Translating Ruby Code
Ruby Option | Description |
-rubygem-path <dirs> | Specifies the path(s) to a RubyGems location (see "Adding Gem Paths" below) Equivalent Property Name: com.fortify.sca.RubyGemPaths |
If your Ruby source code requires a specific library, add the Ruby library to the sourceanalyzer
command. Include all ruby libraries that are installed with ruby gems. For example, if you have a
utils.rb file that resides in the /usr/share/ruby/myPersonalLibrary directory, then add the following to the sourceanalyzer command:
-ruby-path /usr/share/ruby/myPersonalLibrary
Separate multiple libraries with semicolons (Windows) or colons (non-Windows). The following is an example of the option on non-Windows system:
-ruby-path /path/one:/path/two:/path/three
To add all RubyGems and their dependency paths, import all RubyGems. To obtain the Ruby gem paths, run the gem env command. Under GEM PATHS, look for a directory similar to:
/home/myUser/gems/ruby-version
This directory contains another directory called gems, which contains directories for all the gem files installed on the system. For this example, use the following in your command line:
-rubygem-path /home/myUser/gems/ruby-version/gems
If you have multiple gems directories, separate them with semicolons (Windows) or colons (non-Windows ) such as:
-rubygem-path /path/to/gems:/another/path/to/more/gems
Note: On Windows systems, separate the gems directories with a semicolon.
Chapter 13: Translating COBOL Code
In the previous release, Fortify Static Code Analyzer introduced updated COBOL code translation, which is now the default translation method. The previous translation method, referred to now as legacy COBOL translation is still available for use with a command-line option. Use the legacy COBOL translation method if either of the following is true:
You run Fortify Static Code Analyzer on a non-Windows operating system
Your COBOL dialect is unsupported.
The following sections describe the default COBOL code translation. Information that pertains only to the legacy COBOL translation is indicated as such.
For a list of supported technologies for translating COBOL code, see the Micro Focus Fortify Software System Requirements document. Fortify Static Code Analyzer does not currently support custom rules for COBOL applications.
This section contains the following topics:
Preparing COBOL Source and Copybook Files for Translation 85 COBOL Command-Line Syntax 86 COBOL Command-Line Options 88
Preparing COBOL Source and Copybook Files for Translation
Fortify Static Code Analyzer supports translation of COBOL source files on Windows systems only.
Legacy COBOL Translation: Fortify Static Code Analyzer supports translation of COBOL source files on the supported platforms and architectures listed in the Micro Focus Fortify Software System Requirements document.
Before you can analyze a COBOL program, you must copy the following program components to the Windows system where you run Fortify Static Code Analyzer:
COBOL source code
Fortify recommends that your COBOL source code files have extensions .CBL, .cbl, .COB or .cob. Therefore, there is no need to manage extension specification from the command line as described in "Translating COBOL Source Files Without File Extensions" on the next page and "Specifying Files and Directories" on page 130.
All copybook files that the COBOL source code uses
All SQL INCLUDE files that the COBOL source code references (a SQL INCLUDE file is technically a copybook file)
Important! The copybook files must have the file extension .CPY or .cpy.
If your COBOL source code contains:
COPY FOO
or
EXEC SQL INCLUDE FOO END-EXEC
then FOO is the name of a COBOL copybook and the corresponding copybook file has the name
FOO.CPY or FOO.cpy.
The corresponding copybook file has the name FOO with or without a file extension. If the copybook files have file extensions, use the -copy-extensions command-line option. For more information, see "Legacy COBOL Translation Command-Line Options" on page 88.
The COPY command can also accept a directory-file-path structure instead of a file name.
Fortify recommends that you place your COBOL source code files in a directory called sources and your copybook files in a directory called copybooks. Create these directories at the same level.
COBOL Command-Line Syntax
The basic syntax used to translate a single COBOL source code file is:
sourceanalyzer -b <build_id> <path>
The basic syntax used to scan a translated COBOL program is:
sourceanalyzer -b <build_id> -scan -f <results>.fpr
you must specify the -fixed-format command-line option. For more information, see "Legacy COBOL Translation Command-Line Options" on the next page.
"Specifying Files and Directories" on page 130
Translating COBOL Source Files Without File Extensions
If you have COBOL source files retrieved from a mainframe without .COB or .CBL file extensions (which is typical for COBOL file names), then you must include the following in the translation command line:
-noextension-type COBOL
The following example command translates COBOL source code without file extensions:
sourceanalyzer -b MyProject -noextension-type COBOL -copydirs copybooks sources
Translating COBOL Source Files with Arbitrary File Extensions
If you have COBOL source files with an arbitrary extension .xyz, then you must include the following in the translation command line:
-Dcom.fortify.sca.fileextensions.xyz=COBOL
You must also include the expression *.xyz in the file or directory specifier, if any (see "Specifying Files and Directories" on page 130).
The following table describes the COBOL command-line options.
COBOL Option | Description |
-copydirs <dirs> | Specifies one or more semicolon-separated directories where Fortify Static Code Analyzer looks for copybook files. Equivalent Property Name: com.fortify.sca.CobolCopyDirs |
-cobol-dialect <dialect> | Specifies the COBOL dialect. The valid values for dialect are COBOL390 or MICROFOCUS. The dialect value is case insensitive. The default value is COBOL390. Equivalent Property Name: com.fortify.sca.CobolDialect |
-checker-directives <directives> | Specifies one or more semicolon-separated COBOL checker directives. Note: This option is intended for advanced users of Micro Focus Server Express. Equivalent property name: com.fortify.sca.CobolCheckerDirectives |
Legacy COBOL Translation Command-Line Options
The following table describes the command-line options for the legacy COBOL translation.
Legacy COBOL Option | Description |
-cobol-legacy | Specifies translation of COBOL code using legacy COBOL translation. This option is required to enable legacy COBOL translation. Equivalent Property Name: com.fortify.sca.CobolLegacy |
-copydirs <dirs> | Specifies one or more semicolon- or colon-separated directories where Fortify Static Code Analyzer looks for copybook files. Equivalent Property Name: |
Legacy COBOL Option | Description |
com.fortify.sca.CobolCopyDirs | |
-copy-extensions <ext> | Specifies one or more semicolon- or colon-separated copybook file extensions. Equivalent Property Name: com.fortify.sca.CobolCopyExtensions |
-fixed-format | Specifies fixed-format COBOL to direct Fortify Static Code Analyzer to only look for source code between columns 8–72 in all lines of code. IBM Enterprise COBOL code is typically fixed-format. The following are indications that you might need the -fixed-format option: Equivalent Property Name: com.fortify.sca.CobolFixedFormat |
The COBOL translation appears to hang indefinitely
Fortify Static Code Analyzer reports numerous parsing errors in the COBOL translation
Chapter 14: Translating Apex and Visualforce Code
This section contains the following topics:
Apex Translation Prerequisites 90 Apex and Visualforce Command-Line Syntax 90 Apex and Visualforce Command-Line Options 91 Downloading Customized Salesforce Database Structure Information 91
All the source code to scan is available on the same machine where you have installed Fortify Static Code Analyzer
To scan your custom Salesforce app, download it to your local computer from your Salesforce organization (org) where you develop and deploy it. The downloaded version of your app consists of:
Apex classes in files with the .cls extension
Visualforce web pages in files with the .page extension
Apex code files called database “trigger” functions are in files with the .trigger extension
Use the Force.com Migration Tool available on the Salesforce website to download your app from your org in the Salesforce cloud to your local computer.
If you customized the standard Salesforce database structures to support your app, then you must also download a description of the changes so that Fortify Static Code Analyzer knows how your modified version of Salesforce interacts with your app. See "Downloading Customized Salesforce Database Structure Information" on the next page.
Apex and Visualforce Command-Line Syntax
The basic command-line syntax to translate Apex and Visualforce code is:
sourceanalyzer -b <build_id> -apex <files>
where <files> is an Apex or Visualforce file or a path to the source files.
Important! Supported file extensions for the source code files are: .cls, .trigger, .page, and
.component.
For descriptions of all the Apex- and Visualforce-specific command-line options, see "Apex and Visualforce Command-Line Options" below.
Apex and Visualforce Command-Line Options
The following table describes the Apex and Visualforce translation command-line options.
Apex or Visualforce Option | Description |
-apex | Directs Fortify Static Code Analyzer to use the Apex and Visualforce translation for files with the .cls extension. Without this option, Fortify Static Code Analyzer translates *.cls files as Visual Basic code. Note: Alternatively, you can set the com.fortify.sca.fileextensions.cls property to APEX either on the command line (include -Dcom.fortify.sca.fileextensions.cls=APEX) or in the <sca_install_dir>/Core/config/fortify-sca.properties file. Equivalent Property Name: com.fortify.sca.Apex |
-apex-sobject-path <path> | Specifies the location of the custom sObject JSON file sobjects.json. For instructions on how to use the sf_extractor tool, see "Downloading Customized Salesforce Database Structure Information" below. Equivalent Property Name: com.fortify.sca.ApexObjectPath |
Downloading Customized Salesforce Database Structure Information
Use the sf_extractor tool to download a description of any customized Salesforce database structures. Fortify Static Code Analyzer requires this information to perform a more complete analysis. The sf_ extractor creates a custom sObject JSON file that you include with the sourceanalyzer translation phase. (For information about how to provide this information to Fortify Static Code Analyzer, see "Apex and Visualforce Command-Line Options" above.)
The following table describes the contents of the sf_extractor.zip file, which is located in <sca_ install_dir>/Tools.
Folder or File Name | Description |
lib | Folder containing JAR dependencies |
src | Source code |
partner.wsdl | Partner WSDL file version 37.0 |
sf_extractor.jar | Compiled JAR file (dependencies included) |
The command-line syntax to run sf_extractor is:
java -jar sf_extractor.jar <username> <password> <security_token> <org>
where:
<username> is your Salesforce cloud user name. For example, test@test.test.
<password> is your Salesforce cloud password.
<security_token> is the 25 alphanumeric character security token.
<org> is y if you are using a sandbox org or n if you are using a production org.
The sf_extractor tool uses the credentials to access the Salesforce SOAP API. It downloads all the sObjects with additional information from the current org, and then it downloads information about fields in the sObjects. This is required to properly resolve types represented in current org.
This tool produces an sobjects.json file that you provide to Fortify Static Code Analyzer in the translation command using the -apex-sobject-path option.
Chapter 15: Translating Other Languages and Configurations
This section contains the following topics:
Translating PHP Code 93 Translating ABAP Code 94 Translating Flex and ActionScript 102 Translating ColdFusion Code 105 Translating SQL 106 Translating Scala Code 107 Translating Dockerfiles 107 Translating ASP/VBScript Virtual Roots 108 Classic ASP Command-Line Example 110 VBScript Command-Line Example 110
The syntax to translate a single PHP file named MyPHP.php is shown in the following example:
sourceanalyzer -b <build_id> MyPHP.php
To translate a file where the source or the php.ini file entry includes a relative path name (starts with
./ or ../), consider setting the PHP source root as shown in the following example:
sourceanalyzer -php-source-root <path> -b <build_id> MyPHP.php
For more information about the -php-source-root option, see the description in "PHP Command-Line Options" on the next page.
The following table describes the PHP-specific command-line options.
PHP Option | Description |
-php-source-root <path> | Specifies an absolute path to the project root directory. The relative path name first expands from the current directory. If the file is not found, then the path expands from the specified PHP source root directory. Equivalent Property Name: com.fortify.sca.PHPSourceRoot |
-php-version <version> | Specifies the PHP version. The default version is 7.4. For a list of valid versions, see the Micro Focus Fortify Software System Requirements document. Equivalent Property Name: com.fortify.sca.PHPVersion |
Translating ABAP code is similar to translating other operating language code. However, it requires additional steps to extract the code from the SAP database and prepare it for scanning. See "Importing the Transport Request" on the next page for more information. This section assumes you have a basic understanding of SAP and ABAP.
To translate ABAP code, the Fortify ABAP Extractor program downloads source files to the presentation server, and optionally, invokes Fortify Static Code Analyzer. You need to use an account with permission to download files to the local system and execute operating system commands.
Because the extractor program is executed online, you might receive a max dialog work process time reached exception message if the volume of source files selected for extraction exceeds the allowable process run time. To work around this, download large projects as a series of smaller Extractor tasks. For example, if your project consists of four different packages, download each package separately into the same project directory. If the exception occurs frequently, work with your SAP Basis
administrator to increase the maximum time limit (rdisp/max_wprun_time).
When a PACKAGE is extracted from ABAP, the Fortify ABAP Extractor extracts everything from TDEVC with a parentcl field that matches the package name. It then recursively extracts everything else from TDEVC with a parentcl field equal to those already extracted from TDEVC. The field extracted from TDEVC is devclass.
The devclass values are treated as a set of program names and handled the same way as a program name, which you can provide.
Programs are extracted from TRDIR by comparing the name field with either:
The program name specified in the selection screen
The list of values extracted from TDEVC if a package was provided
The rows from TRDIR are those for which the name field has the given program name and the expression LIKEprogramname is used to extract rows.
This final list of names is used with READ REPORT to get code out of the SAP system. This method does read classes and methods out as well as merely REPORTS, for the record.
Each READ REPORT call produces a file in the temporary folder on the local system. This set of files is what Fortify Static Code Analyzer translates and scans, producing an FPR file that you can open with Micro Focus Fortify Audit Workbench.
As source code is downloaded, the Fortify ABAP Extractor detects INCLUDE statements in the source. When found, it downloads the include targets to the local machine for analysis.
Importing the Transport Request
To scan ABAP code, you need to import the Fortify ABAP Extractor transport request on your SAP Server. You can find the Fortify transport request in <sca_install_dir>/Tools/SAP_ Extractor.zip.
The Fortify ABAP Extractor package, SAP_Extractor.zip, contains the following files:
K900XXX.S9S (where the “XXX” is the release number)
R900XXX.S9S (where the “XXX” is the release number)
These files make up the SAP transport request that you must import into your SAP system from outside your local Transport Domain. Have your SAP administrator or an individual authorized to install transport requests on the system import the transport request.
The S95 files contain a program, a transaction (YSCA), and the program user interface. After you import them into your system, you can extract your code from the SAP database and prepare it for Fortify Static Code Analyzer scanning.
Installation Note
The Fortify ABAP Extractor transport request is supported on a system running SAP release 7.02, SP level 0006. If you are running a different SAP version and you get the transport request import error:
Install release does not match the current version, then the transport request installation has failed.
To try to resolve this issue, perform the following steps:
Re-run the transport request import.
The Import Transport Request dialog box opens.
Select the Options tab.
Select the Ignore Invalid Component Version check box.
Complete the import procedure.
If this does not resolve the issue or if your system is running on an SAP version with a different table structure, Fortify recommends that you export your ABAP file structure using your own technology so that Fortify Static Code Analyzer can scan the ABAP code.
Adding Fortify Static Code Analyzer to your Favorites List
Adding Fortify Static Code Analyzer to your Favorites list is optional, but doing so can make it quicker to access and launch Fortify Static Code Analyzer scans. The following steps assume that you use the user menu in your day-to-day work. If your work is done from a different menu, add the Favorites link to the menu that you use. Before you create the Fortify Static Code Analyzer entry, make sure that the SAP server is running and you are in the SAP Easy Access area of your web-based client.
To add Fortify Static Code Analyzer to your Favorites list:
From the SAP Easy Access menu, type S000 in the transaction box. The SAP Menu opens.
Right-click the Favorites folder and select Insert transaction. The Manual entry of a transaction dialog box opens.
Type YSCA in the Transaction Code box.
Click the green check mark button
.
The Extract ABAP code and launch SCA item appears in the Favorites list.
Click the Extract ABAP code and launch SCA link to launch the Fortify ABAP Extractor.
Running the Fortify ABAP Extractor
To run the Fortify ABAP Extractor:
Start the program from the Favorites link, the transaction code, or manually start the Extractor object.
This opens the Fortify ABAP Extractor.
Select the code to download.
Provide the start and end name for the range of software components, packages, programs, or BSP applications that you want to scan.
Provide the Fortify Static Code Analyzer-specific information described in the following table.
Field | Description |
FPR File Path | (Optional) Type or select the directory where you want to store the scan results file (FPR). Include the name for the FPR file in the path name. You must provide the FPR file path if you want to automatically scan the downloaded code on the same machine where you are running the extraction process. |
Working Directory | Type or select the directory where you want to store the extracted source code. |
Build-ID | (Optional) Type the build ID for the scan. Fortify Static Code Analyzer uses the build ID to identify the translated source code, which is necessary to scan the code. You must specify the build ID if you want to automatically translate the |
Field | Description |
downloaded code on the same machine where you are running the extraction process. | |
Translation Parameters | (Optional) Type any additional Fortify Static Code Analyzer command-line translation options. You must specify translation parameters if you want to automatically translate the downloaded code on the same machine where you are running the extraction process or you want to customize the translation options. |
Scan Parameters | (Optional) Type any Fortify Static Code Analyzer command-line scan options. You must specify scan parameters if you want to scan the downloaded code automatically on the same machine where you are running the process or you want to customize the scan options. |
ZIP File Name | (Optional) Type a ZIP file name if you want your output in a compressed package. |
Maximum Call-chain Depth | A global SAP-function F is not downloaded unless F was explicitly selected or unless F can be reached through a chain of function calls that start in explicitly-selected code and whose length is this number or less. Fortify recommends that you do not specify a value greater than 2 unless directed to do so by Micro Focus Fortify Customer Support. |
Provide action information described in the following table.
Field | Description |
Download | Select this check box to have Fortify Static Code Analyzer download the |
Field | Description |
source code extracted from your SAP database. | |
Build | Select this check box to have Fortify Static Code Analyzer translate all downloaded ABAP code and store it using the specified build ID. This action requires that you have an installed version of Fortify Static Code Analyzer on the machine where you are running the Fortify ABAP Extractor. It is often easier to move the downloaded source code to a predefined Fortify Static Code Analyzer machine. |
Scan | Select this check box to have Fortify Static Code Analyzer run a scan of the specified build ID. This action requires that the translate (build) action was previously performed. This action requires that you have an installed version of Fortify Static Code Analyzer on the machine where you are running the Fortify ABAP Extractor. It is often easier to move the downloaded source code to a predefined Fortify Static Code Analyzer machine. |