Micro Focus

Fortify Static Code Analyzer

Software Version: 21.2.0

User Guide

Document Release Date: November 2021 Software Release Date: November 2021

Legal Notices

Micro Focus The Lawn

22-30 Old Bath Road Newbury, Berkshire RG14 1QN UK



The only warranties for products and services of Micro Focus and its affiliates and licensors (“Micro Focus”) are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.

Restricted Rights Legend

Confidential computer software. Except as specifically indicated otherwise, a valid license from Micro Focus is required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.

Copyright Notice

© Copyright 2003 - 2021 Micro Focus or one of its affiliates

Trademark Notices

All trademarks, service marks, product names, and logos included in this document are the property of their respective owners.

Documentation Updates

The title page of this document contains the following identifying information:

This document was produced on November 10, 2021. To check for recent updates or to verify that you are using the most recent edition of a document, go to:



Preface                                        12 Contacting Micro Focus Fortify Customer Support                    12 For More Information                                 12 About the Documentation Set                             12 Fortify Product Feature Videos                             12

Change Log                                       13

Chapter 1: Introduction                                 17

Fortify Static Code Analyzer                              17 About the Analyzers                                18

Licensing                                       19 Fortify Software Security Content                            20 Fortify ScanCentral SAST                               20 Fortify Scan Wizard                                  21

Related Documents                                 21 All Products                                   21 Micro Focus Fortify ScanCentral SAST                        22 Micro Focus Fortify Software Security Center                     22 Micro Focus Fortify Static Code Analyzer                       23

Chapter 2: Installing Fortify Static Code Analyzer                     25 Fortify Static Code Analyzer Tools                          25

About Installing Fortify Static Code Analyzer and Applications            27 Installing Fortify Static Code Analyzer and Applications              28 Installing Fortify Static Code Analyzer and Applications Silently (Unattended)      30 Installing Fortify Static Code Analyzer and Applications in Text-Based Mode on

Non-Windows Platforms                             32

Manually Installing Fortify Security Content                    33

Using Docker to Install and Run Fortify Static Code Analyzer             33 Creating a Dockerfile to Install Fortify Static Code Analyzer             33

Running the Container                             34 Example Docker Run Commands for Translation and Scan             35

About Upgrading Fortify Static Code Analyzer and Applications           35 Notes About Upgrading the Fortify Extension for Visual Studio           36

About Uninstalling Fortify Static Code Analyzer and Applications          36 Uninstalling Fortify Static Code Analyzer and Applications             36 Uninstalling Fortify Static Code Analyzer and Applications Silently          37 Uninstalling Fortify Static Code Analyzer and Applications in Text-Based Mode on Non-Windows Platforms                           38

Post-Installation Tasks                                38 Running the Post-Install Tool                           38 Migrating Properties Files                             38 Specifying a Locale                                39 Configuring for Security Content Updates                      39 Configuring the Connection to Fortify Software Security Center             40 Removing Proxy Server Settings                          40 Adding Trusted Certificates                            41

Chapter 3: Analysis Process Overview                          43

Analysis Process                                   43 Parallel Processing                                 44

Translation Phase                                  44

Mobile Build Sessions                                45 Mobile Build Session Version Compatibility                      45 Creating a Mobile Build Session                          45 Importing a Mobile Build Session                          46

Analysis Phase                                    46 Higher-Order Analysis                               47 Modular Analysis                                 47 Modular Command-Line Examples                        48 Regular Expression Analysis                             48

Translation and Analysis Phase Verification                     49

Chapter 4: Translating Java Code                            50

Java Command-Line Syntax                              50 Java Command-Line Options                            51

Java Command-Line Examples                          53

Handling Resolution Warnings                             53 Java Warnings                                   53

Translating Java EE Applications                         54 Translating Java Files                             54 Translating JSP Projects, Configuration Files, and Deployment Descriptors        54 Java EE Translation Warnings                         54

Translating Java Bytecode                              55

Troubleshooting JSP Translation and Analysis Issues                  56 Unable to Translate Some JSPs                         56 Increased Issues Counts in JSP-Related Categories                  56

Chapter 5: Translating Kotlin Code                           57

Kotlin Command-Line Syntax                             57 Kotlin Command-Line Options                           58 Kotlin Command-Line Examples                          59

Kotlin and Java Translation Interoperability                      59 Translating Kotlin Scripts                              59

Chapter 6: Translating Visual Studio and MSBuild Projects               60 Visual Studio and MSBuild Project Translation Prerequisites             60 Visual Studio and MSBuild Project Translation Command-Line Syntax          61

Handling Special Cases for Translating Visual Studio and MSBuild Projects       61 Running Translation from a Script                       61 Translating Plain .NET and ASP.NET Projects                   62 Translating C/C++ and Xamarin Projects                     62 Translating Projects with Settings Containing Spaces                62 Translating a Single Project from a Visual Studio Solution              62 Working with Multiple Targets and Projects for MSBuild Command          63 Analyzing Projects That Build Multiple Executable Files               63

Alternative Ways to Translate Visual Studio and MSBuild Projects          63 Alternative Translation Options for Visual Studio Solutions            64 Translating Without Explicitly Running Fortify Static Code Analyzer         64

Chapter 7: Translating C and C++ Code                         66

C and C++ Code Translation Prerequisites                       66 C and C++ Command-Line Syntax                          66 Scanning Pre-processed C and C++ Code                       67 C/C++ Precompiled Header Files                           67

Chapter 8: Translating JavaScript and TypeScript Code                   69 Translating Pure JavaScript Projects                         69 Excluding Dependencies                              69 Excluding NPM Dependencies                            70 Translating JavaScript Projects with HTML Files                    71 Including External JavaScript or HTML in the Translation                 71

Chapter 9: Translating Python Code                           73 Python Translation Command-Line Syntax                       73 Including Imported Modules and Packages                       73 Including Namespace Packages                            74 Using the Django Framework with Python                       74 Python Command-Line Options                           75 Python Command-Line Examples                           76

Chapter 10: Translating Code for Mobile Platforms                   77

Translating Apple iOS Projects                            77 iOS Project Translation Prerequisites                        77 iOS Code Analysis Command-Line Syntax                      78

Translating Android Projects                            78 Android Project Translation Prerequisites                     79 Android Code Analysis Command-Line Syntax                   79 Filtering Issues Detected in Android Layout Files                   79

Chapter 11: Translating Go Code                             80 Go Command-Line Syntax                              80 Go Command-Line Options                              80 Resolving Dependencies                               82

Chapter 12: Translating Ruby Code                           83

Ruby Command-Line Syntax                             83 Ruby Command-Line Options                           83

Adding Libraries                                   84 Adding Gem Paths                                  84

Chapter 13: Translating COBOL Code                         85 Preparing COBOL Source and Copybook Files for Translation              85

COBOL Command-Line Syntax                          86 Translating COBOL Source Files Without File Extensions               87 Translating COBOL Source Files with Arbitrary File Extensions            87

COBOL Command-Line Options                          88 Legacy COBOL Translation Command-Line Options                 88

Chapter 14: Translating Apex and Visualforce Code                   90 Apex Translation Prerequisites                          90 Apex and Visualforce Command-Line Syntax                     90 Apex and Visualforce Command-Line Options                    91 Downloading Customized Salesforce Database Structure Information           91

Chapter 15: Translating Other Languages and Configurations             93

Translating PHP Code                                93 PHP Command-Line Options                            94

Translating ABAP Code                               94 INCLUDE Processing                               95 Importing the Transport Request                          95 Adding Fortify Static Code Analyzer to your Favorites List               96 Running the Fortify ABAP Extractor                         97 Uninstalling the Fortify ABAP Extractor                       101

Translating Flex and ActionScript                          102 Flex and ActionScript Command-Line Options                   102 ActionScript Command-Line Examples                       103 Handling Resolution Warnings                          104 ActionScript Warnings                            104

Translating ColdFusion Code                            105

ColdFusion Command-Line Syntax                        105 ColdFusion Command-Line Options                       105

Translating SQL                                  106 PL/SQL Command-Line Example                          106 T-SQL Command-Line Example                          106

Translating Scala Code                              107 Translating Dockerfiles                              107 Translating ASP/VBScript Virtual Roots                       108 Classic ASP Command-Line Example                        110 VBScript Command-Line Example                         110

Chapter 16: Integrating into a Build                          111

Build Integration                                   111 Make Example                                  112

Modifying a Build Script to Invoke Fortify Static Code Analyzer              112 Touchless Build Integration                             113 Ant Integration                                  113

Gradle Integration                                 113 Including Verbose and Debug Options                       114

Maven Integration                                115 Installing and Updating the Fortify Maven Plugin                  115 Testing the Fortify Maven Plugin Installation                    115 Using the Fortify Maven Plugin                          116

Chapter 17: Command-Line Interface                           118 Translation Options                                 118 Analysis Options                                   120 Output Options                                   123 Other Options                                    126

Directives                                      128 LIM License Directives                               129

Specifying Files and Directories                           130 Chapter 18: Command-Line Utilities                          132

Fortify Static Code Analyzer Utilities                        132

About Updating Security Content                          133 Updating Security Content                            134 fortifyupdate Command-Line Options                       134

Working with FPR Files from the Command Line                    135 Merging FPR Files                               136 Displaying Analysis Results Information from an FPR File               138 Extracting a Source Archive from an FPR File                    141 Altering FPR Files                                143 FPRUtility Alter FPR File Options                        143 Allocating More Memory for FPRUtility                       143

Generating Reports from the Command Line                      143 Generating a BIRT Report                            144 Troubleshooting BIRTReportGenerator                      147 Generating a Legacy Report                           147

Checking the Fortify Static Code Analyzer Scan Status                148 SCAState Utility Command-Line Options                    149

Chapter 19: Improving Performance                           151 Hardware Considerations                               151 Sample Scans                                    152 Tuning Options                                   153

Quick Scan                                     154 Limiters                                     154 Using Quick Scan and Full Scan                           155

Configuring Scan Speed with Speed Dial                       155 Breaking Down Codebases                             156

Limiting Analyzers and Languages                          157 Disabling Analyzers                               157 Disabling Languages                               158

Optimizing FPR Files                                158 Filter Files                                    158 Excluding Issues from the FPR with Filter Sets                    159 Excluding Source Code from the FPR                        160 Reducing the FPR File Size                            160

Opening Large FPR Files                             161

Monitoring Long Running Scans                            163 Using the SCAState Utility                             163 Using JMX Tools                                 163 Using JConsole                                163 Using Java VisualVM                              164

Chapter 20: Troubleshooting                              165 Exit Codes                                     165

Memory Tuning                                   166 Java Heap Exhaustion                               166 Native Heap Exhaustion                              167 Stack Overflow                                  167

Scanning Complex Functions                            168 Dataflow Analyzer Limiters                           169 Control Flow and Null Pointer Analyzer Limiters                   170

Issue Non-Determinism                               170 Locating the Log Files                                171

Configuring Log Files                                171 Understanding Log Levels                            172

Reporting Issues and Requesting Enhancements                  173

Appendix A: Filtering the Analysis                            174 Filter Files                                     174 Filter File Example                                  174

Appendix B: Fortify Scan Wizard                            177 Preparing to use Fortify Scan Wizard                         177 Starting Fortify Scan Wizard                             179

Appendix C: Sample Projects                               180 Basic Samples                                    180 Advanced Samples                                  182

Appendix D: Configuration Options                           184

Fortify Static Code Analyzer Properties Files                      184 Properties File Format                              184 Precedence of Setting Properties                         185

fortify-sca.properties                               186 fortify-sca-quickscan.properties                           209

Appendix E: Fortify Java Annotations                         213

Dataflow Annotations                                214 Source Annotations                                214 Passthrough Annotations                             214 Sink Annotations                                 215 Validate Annotations                               216

Field and Variable Annotations                           216 Password and Private Annotations                        216 Non-Negative and Non-Zero Annotations                     217

Other Annotations                                 217 Check Return Value Annotation                          217 Dangerous Annotations                              217

Send Documentation Feedback                            218



Contacting Micro Focus Fortify Customer Support

Visit the Support website to: