Micro Focus

Fortify Static Code Analyzer Tools

Software Version: 21.2.0


Properties Reference Guide


Document Release Date: November 2021

Software Release Date: November 2021



Legal Notices

Micro Focus
The Lawn
22-30 Old Bath Road
Newbury, Berkshire RG14 1QN
UK

https://www.microfocus.com

Warranty

The only warranties for products and services of Micro Focus and its affiliates and licensors (“Micro Focus”) are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.

Restricted Rights Legend

Confidential computer software. Except as specifically indicated otherwise, a valid license from Micro Focus is required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.


Copyright Notice

© Copyright 2015 - 2021 Micro Focus or one of its affiliates

Trademark Notices

All trademarks, service marks, product names, and logos included in this document are the property of their respective owners.

Documentation Updates

The title page of this document contains the following identifying information:


This document was produced on November 02, 2021. To check for recent updates or to verify that you are using the most recent edition of a document, go to:

https://www.microfocus.com/support/documentation


Contents


Preface
  Contacting Micro Focus Fortify Customer Support
  For More Information
  About the Documentation Set
  Fortify Product Feature Videos

Change Log

Chapter 1: Fortify Static Code Analyzer Applications and Java IDE Plugin Configuration
  Where to Find the Properties File
  Fortify Static Code Analyzer Applications and Java IDE Plugin Properties

Chapter 2: Fortify Extension for Visual Studio Configuration
  Fortify Extension for Visual Studio Properties
  Azure DevOps Server Configuration Property

Chapter 3: Shared Properties
  Server Properties
  Command-Line Tools Properties

Send Documentation Feedback

Preface




Contacting Micro Focus Fortify Customer Support

Visit the Support website to:

The following table lists the Fortify Static Code Analyzer application acronyms used in this chapter.


Acronym   Fortify Static Code Analyzer Application / Plugin / Extension
AWB       Fortify Audit Workbench
CRE       Fortify Custom Rules Editor
ECP       Fortify Complete Plugin for Eclipse
ERP       Fortify Remediation Plugin for Eclipse
IAP       Fortify Analysis Plugin for IntelliJ and Android Studio
JRP       Fortify Remediation Plugin for JetBrains IDEs and Android Studio


Where to Find the Properties File

The location of the properties files varies for the different Micro Focus Fortify Static Code Analyzer tools. The following table provides the location of the properties file for tools described in this chapter.


Fortify Static Code Analyzer Tool   Property File Location
AWB, CRE   <sca_install_dir>/Core/config
ECP        <eclipse_install_dir>/plugins/com.fortify.dev.ide.eclipse_<version>/Core/config
ERP        <eclipse_install_dir>/plugins/com.fortify.plugin.remediation_<version>/Core/config
IAP        <userhome>/.<IDE_product_name>/config/plugins/FortifyAnalysis/config
JRP        <userhome>/.<IDE_product_name>/config/plugins/Fortify/config


Fortify Static Code Analyzer Applications and Java IDE Plugin Properties

Some properties described in this section already exist in the fortify.properties file, and some of them you must add yourself. The colored boxes in the Details column indicate which Micro Focus Fortify Static Code Analyzer tools use the property. To find this properties file for the various products, see "Where to Find the Properties File" above.


The following table describes the properties in the fortify.properties file.


Property

Details

com.fortify.audit.ui.DisableAddingFolders

If set to true, disables the add folder functionality.

Default: false

Tools Affected:

com.fortify.audit.ui.DisableBugtrackers

If set to true, disables bug tracker integration.

Default: false

Tools Affected:



com.fortify.audit.ui.DisableEditingCustomTags

If set to true, removes the ability to edit custom tags.

Default: false

Tools Affected:

com.fortify.audit.ui.DisableSuppress

If set to true, disables issue suppression.

Default: false

Tools Affected:

com.fortify.AuthenticationKey

Specifies the directory used to store the Micro Focus Fortify Software Security Center client authentication token.

Default:

${com.fortify.WorkingDirectory}/config/tools

Tools Affected:

com.fortify.awb.Debug

If set to true, Fortify Audit Workbench runs in debug mode.

Default: false

Tools Affected:

com.fortify.awb.javaExtensions

Specifies the file extensions (comma-delimited) to treat as Java files during a scan.

If this property is empty, Fortify Audit Workbench and the Fortify Complete Plugin for Eclipse recognize .java, .jsp, and .jspx files as Java files. The property is used only to determine whether a project includes Java files and to add Java-specific controls to the Advanced Scan wizard.

Default: none




Tools Affected:

com.fortify.awb.forceGCOnProjectClose

If set to true, garbage collection is run and heap space is released when you close a project. This reduces the increased Java process memory consumption when working with small FPR files. When Fortify Audit Workbench runs with G1GC garbage collection, the Java process can return free memory back to the operating system when the project is closed.

Default: false

Tools Affected:

com.fortify.awb.LinuxFontAdjust

Specifies the font size adjustment for Linux platforms. Fortify Audit Workbench adds the specified size to the original font size.

Default: 0

Tools Affected:

com.fortify.awb.MacFontAdjust

Specifies the font size adjustment for the Mac platform. Fortify Audit Workbench adds the specified size to the original font size.

Default: 2

Tools Affected:

com.fortify.awb.WindowsFontAdjust

Specifies the font size adjustment for the Windows platform. Fortify Audit Workbench adds the specified size to the original font size.

Default: 0

Tools Affected:



com.fortify.Debug

If set to true, runs the Fortify Static Code Analyzer tools in debug mode.

Default: false

Tools Affected:

com.fortify.DisableDescriptionXMLEscaping

If set to true, disables XML escaping in issue descriptions (for example, changing &quot; in XML/FVDL to ").

Default: false

Tools Affected:

com.fortify.DisableExternalEntryCorrelation

If set to true, parses URL in the ExternalEntries/Entry element in audit.fvdl.

Default: false

<ExternalEntries>
  <Entry name="HTML Form" type="URL">
    <URL>/auth/PerformChangePass.action</URL>
    <SourceLocation path="pages/content/ChangePass.jsp" line="16" lineEnd="16" colStart="0" colEnd="0"
        snippet="1572130B944CEC7A3D98775A499AE8FA#pages/content/ChangePass.jsp:16:16"/>
  </Entry>
</ExternalEntries>


Tools Affected:

com.fortify.DisableMinVirtCallConfidenceComputation

If set to true, disables computing minimum virtual call confidence.

Fortify Audit Workbench and the Fortify Complete Plugin for Eclipse use this attribute to compute minimum virtual call confidence and enable issue filtering. For example, you can use it to filter out all issues that contain a virtual call with confidence lower than 0.46.

Default: false

Tools Affected:

com.fortify.DisableRemovedIssuePersistance

If set to true, disables removed issue persistence (clears removed issues from the results file).

Default: false

Tools Affected:

com.fortify.DisableReportCategoryRendering

If set to true, disables rendering the issue description into the report.

Default: false

Tools Affected:

com.fortify.DisplayEventID

If set to true, displays the event ID in the issue node tooltip in the Issues view.

Default: false

Tools Affected:

com.fortify.eclipse.Debug

If set to true, runs the plugin in debug mode.

Default: false

Tools Affected:



com.fortify.InstallationUserName

Specifies the default user name for logging in to Fortify Software Security Center for the first time.

Default: ${user.name}

Tools Affected:

com.fortify.locale

Specifies the locale (for rules and metadata only). Possible values are:

  • en (English)

  • es (Spanish)

  • ja (Japanese)

  • ko (Korean)

  • pt_BR (Brazilian Portuguese)

  • zh_CN (Simplified Chinese)

  • zh_TW (Traditional Chinese)

Default: en

Tools Affected:

com.fortify.model.CheckSig

If set to true, verifies the signature in the FPR.

If com.fortify.model.UseIssueParseFilters is set to true, then com.fortify.model.MinimalLoad is set to true, com.fortify.model.IssueCutoffStartIndex is not null, com.fortify.model.IssueCutoffEndIndex is not null, com.fortify.model.IssueCutoffByCategoryStartIndex is not null or com.fortify.model.IssueCutoffByCategoryEndIndex is not null, com.fortify.model.CheckSig is false, and the signatures in FPRs are not verified.

Default: true (normal) / false (minimum load)



Tools Affected:

com.fortify.model.CustomDescriptionsHeader

Specifies the custom prefix for the description header. It prepends the text in the Description/Recommendation header, so that you see “My Recommendations” instead of “Custom Recommendations.”

Note: To update description headers, Fortify recommends that you use the <CustomDescriptionRule> rule with the <Header> element text instead.

Default: none

Tools Affected:

com.fortify.model.DisableChopBuildID

If set to true, does not shorten the build ID, even if the build ID exceeds 250 characters.

Default: false

Tools Affected:

com.fortify.model.DisableContextPool

If set to true, disables loading of the ContextPool section of the audit.fvdl file.

You can configure this property if com.fortify.model.MinimalLoad is not set to true. If com.fortify.model.MinimalLoad is set to true, then com.fortify.model.DisableContextPool is automatically set to true.

Default: false

Tools Affected:


com.fortify.model.DisableDescription

If set to true, disables loading the Description section from audit.fvdl.

You can configure this property if com.fortify.model.MinimalLoad is not set to true. If com.fortify.model.MinimalLoad is true, then com.fortify.model.DisableDescription is automatically set to true.

Default: false

Tools Affected:

com.fortify.model.DisableEngineData

If set to true, disables loading the EngineData section of audit.fvdl to save memory when large FPR files are opened. This data is displayed on the Analysis Information tab of Project Summary view. The property is useful if too many analysis warnings occur during a scan. However, Fortify recommends that you instead set a limit for com.fortify.model.MaxEngineErrorCount to open FPR files that have many Fortify Static Code Analyzer warnings.

Default: false

Tools Affected:

com.fortify.model.DisableProgramInfo

You can configure this property if com.fortify.model.MinimalLoad is not true. If com.fortify.model.MinimalLoad is set to true, then this property is automatically set to true.

If set to true, prevents loading of metatable from the ProgramData section of FPR files. If set to false, loads metatable from the FPR file.

Default: false



Tools Affected:

com.fortify.model.DisableProgramPoint

If set to true, disables loading of the ProgramPoint section from the runtime.fvdl file.

Default: false

Tools Affected:

com.fortify.model.DisableReplacementParsing

If set to true, disables replacing conditional description. You can configure this property if com.fortify.model.MinimalLoad is not set to true. If com.fortify.model.MinimalLoad is true, then this property is automatically set to true.

Default: false

Tools Affected:

com.fortify.model.DisableSnippets

If set to true, disables loading the Snippets section from the audit.fvdl file.

You can configure this property if com.fortify.model.MinimalLoad is set to false. If com.fortify.model.MinimalLoad is set to true, then com.fortify.model.DisableSnippets is automatically set to true.

Default: false

Tools Affected:

com.fortify.model.DisableUnifiedInductions

If set to true, disables loading the UnifiedInductionPool section from the audit.fvdl file.

You can configure this property if com.fortify.model.MinimalLoad is not set to true. If com.fortify.model.MinimalLoad is set to true, then com.fortify.model.DisableUnifiedInductions is automatically set to true.

Default: false

Tools Affected:

com.fortify.model.DisableUnifiedPool

If set to true, disables loading the UnifiedNodePool section from the audit.fvdl file.

You can configure this property if com.fortify.model.MinimalLoad is set to false. If com.fortify.model.MinimalLoad is true, then com.fortify.model.DisableUnifiedPool is automatically set to true. If the value is not specified or false, this property is set to none.

Default: false

Tools Affected:

com.fortify.model.DisableUnifiedTrace

If set to true, disables loading the UnifiedTracePool section from the audit.fvdl file.

You can configure this property if com.fortify.model.MinimalLoad is not set to true. If com.fortify.model.MinimalLoad is true, then com.fortify.model.DisableUnifiedTrace is automatically set to true.

Default: false

Tools Affected:


com.fortify.model.EnablePathElementBaseIndexShift

If set to true, enables backward compatibility with pre-2.5 migrated projects.

Default: none

Tools Affected:

com.fortify.model.EnableSourceCorrelation

If set to true, takes data flow source into consideration for issue correlation. The default is false because correlations with runtime results might not be reliable with this setting enabled.

Default: false

Tools Affected:

com.fortify.model.ExecMemorySetting

Specifies the JVM heap memory size used by Fortify Audit Workbench to launch external utilities.

Default:

  • 600—iidmigrator

  • 300—fortifyupdate

Tools Affected:

com.fortify.model.ForceIIDMigration

If set to true, forces running Instance ID migration during a merge.

Default: false

Tools Affected:

com.fortify.model.FullReportFilenames

If set to true, uses full file name in reports.

Default: false




Tools Affected:

com.fortify.model.IIDmigratorOptions

Specifies iidmigrator options (space-delimited values) run by FPRUtility, Fortify Audit Workbench, or the Fortify Complete Plugin for Eclipse.

Default: none

Tools Affected:

com.fortify.model.IssueCutoffByCategoryStartIndex

Specifies the start index for issue cutoff by category.

Default: 0

Tools Affected:

com.fortify.model.IssueCutoffByCategoryEndIndex

Specifies the end index for issue cutoff by category.

Default: java.lang.Integer.MAX_VALUE

Tools Affected:

com.fortify.model.IssueCutoffStartIndex

Specifies the start index for issue cutoff. Select the first issue (by number) to be loaded.

Default: 0

Tools Affected:

com.fortify.model.IssueCutoffEndIndex

Determines the end index for issue cutoff. Select the last issue (by number) to be loaded.

Default: java.lang.Integer.MAX_VALUE

Tools Affected:





com.fortify.model.MaxEngineErrorCount

Determines how many reported Fortify Static Code Analyzer warnings to load. To allow an unlimited number, specify -1.

Fortify recommends that you keep the default value of 3000 because this can speed up the load time of large FPR files.

Default: 3000

Tools Affected: Also used by FPRUtility

com.fortify.model.MergeResolveStrategy

Specifies merge resolve strategy from:


  • DefaultToMasterValue (use primary project)

  • DefaultToImportValue (use secondary project)

  • NoStrategy (prompt for project to use)


Default: DefaultToMasterValue

Tools Affected:

com.fortify.model.MinimalLoad

If set to true, minimizes the data loaded from an FPR file.

Default: false

Tools Affected:

com.fortify.model.NProcessingThreads

Specifies the number of threads to process FPR files.

If com.fortify.model.PersistDataToDisk is set to true, defaults to 1 thread.

If the number specified exceeds the number of available processors (int maxThreads = java.lang.Runtime.getRuntime().availableProcessors()), then Fortify Static Code Analyzer tools use the number of available processors as the number of threads to process FPR files.

Default: Number of available processors

Tools Affected: Also used by FPRUtility

com.fortify.model.PersistDataToDisk

If set to true, enables a persistence strategy to reduce the memory footprint and uses the disk drive to swap FPR data out of memory.

Default: false

Tools Affected:

com.fortify.model.PersistenceBlockSize

If com.fortify.model.PersistenceStrategy is set to CUSTOM, com.fortify.model.PersistenceBlockSize specifies the number of attribute values that comprise a single block of attributes. These blocks are cached to disk and read back in as needed. A larger number decreases the total number of cache files, but increases the file size and the amount of memory that is read in each time.

Default: 250

Tools Affected:

com.fortify.model.PersistenceQueueCapacity

If com.fortify.model.PersistenceStrategy is set to CUSTOM, this property specifies the maximum number of attribute value blocks that can exist in the producer/consumer queue.

Default: queue is unbounded

Tools Affected:


com.fortify.model.PriorityImpactThreshold

Specifies the threshold for issue impact. The valid values are 0.0F–5.0F. If the impact of an issue is greater than or equal to the threshold, the issue is considered High. If the impact of an issue is less than the threshold, the issue is considered Low. Issues are then categorized as follows:

  • Critical—High Impact and High Likelihood

  • High—High Impact and Low Likelihood

  • Medium—Low Impact and High Likelihood

  • Low—Low Impact and Low Likelihood


Also see com.fortify.model.PriorityLikelihoodThreshold

Default: 2.5F

Tools Affected:

com.fortify.model.PriorityLikelihoodThreshold

Specifies the threshold for issue likelihood. The valid values are 0.0F–5.0F. If the likelihood of an issue is greater than or equal to the threshold, the issue is considered High. If the likelihood of an issue is less than the threshold, the issue is considered Low. Issues are then categorized as follows:

  • Critical—High Impact and High Likelihood

  • High—High Impact and Low Likelihood

  • Medium—Low Impact and High Likelihood

  • Low—Low Impact and Low Likelihood


Also see com.fortify.model.PriorityImpactThreshold

Default: 2.5F

Tools Affected:

com.fortify.model.report.useSystemLocale

If set to true, uses system locale for report output. If set to false, uses com.fortify.locale in the fortify.properties file. If a value is not specified, the tool uses java.util.Locale.getDefault().

Default: false

Tools Affected:

com.fortify.model.ReportLineLimit

Specifies the character limit for each issue code snippet in reports.

Default: 500

Tools Affected:

com.fortify.model.UseIIDMigrationFile

Specifies the full path of the instance ID migration file to use.

Default: none

Tools Affected: Also used by FPRUtility

com.fortify.model.UseIssueParseFilters

If set to true, respects the settings in the IssueParseFilters.properties configuration file. This file is in the following directories:

  • AWB: <sca_install_dir>/Core/config

  • ECP: <eclipse_install_dir>/plugins/com.fortify.dev.ide.eclipse_<version>/Core/config

Default: false

Tools Affected:

com.fortify.model.UseOldIIDMigrationAttributes

If set to true, uses attributes of old issues during instance ID migration while merging similar issues of old and new scans.

Default: false

Tools Affected:




com.fortify.remediation.PaginateIssues

If set to true or if no value is specified, the remediation plugins use pagination during issue download.

If set to false, these plugins download all issues at once.

Default: false

Tools Affected:

com.fortify.remediation.PaginationCount

If com.fortify.remediation.PaginateIssues is set to true, specifies the page count.

Default: 1000

Tools Affected:

com.fortify.RemovedIssuePersistanceLimit

Specifies how many removed issues to keep when you save an FPR.

Default: 1000

Tools Affected:

com.fortify.SCAExecutablePath

Specifies the file path to sourceanalyzer.exe.

Note: The Fortify Static Code Analyzer and Applications installer sets this property during installation and it only requires modification if you manually move the executable files.

Default: <sca_install_dir>/bin/sourceanalyzer.exe

Tools Affected:



com.fortify.search.defaultSyntaxVer

Determines whether to use the AND and OR operators in searches. These are enabled in search syntax by default.

  • To block the use of the AND and OR operators, set the value to 1.

  • To use ANDs and ORs without parentheses, set the value to 2.


Default: 2

Tools Affected:

com.fortify.StoreOriginalDescriptions

If set to true, stores original plain text issue descriptions (before parsing) as well as the parsed ones with tags replaced with specific values.

Default: false

Tools Affected:

com.fortify.taintFlagBlacklist

Specifies taint flags to exclude (comma-delimited values).

Default: none

Tools Affected:

com.fortify.tools.iidmigrator.scheme

Set this property to migrate instance IDs created with different versions of Fortify Static Code Analyzer using a custom matching scheme. This is generally handled by Fortify Static Code Analyzer. If you need a custom matching scheme, contact Micro Focus Fortify Customer Support.

Default: none

Tools Affected:

com.fortify.UseSourceProjectTemplate

This property determines the issue template to use when merging analysis information from two audit projects. If set to true, it forces the use of filter sets and folders from the issue template associated with the original scan results (secondary project). The issue template from the new scan results (primary project) is used by default.

Default: false

Tools Affected: Also used by FPRUtility

com.fortify.WorkingDirectory

Specifies the working directory that contains all user configuration and working files for all Fortify Static Code Analyzer components. To configure this property, you must have write access to the directory.

Defaults:

  • Windows—${win32.LocalAppdata}/Fortify

  • Non-Windows—${user.home}/.fortify

Tools Affected:
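Several entries in the table above interact: com.fortify.model.MinimalLoad forces a group of Disable* load properties to true and changes the default of com.fortify.model.CheckSig, and com.fortify.model.NProcessingThreads is capped by the processor count. The following Python script is an added example, not Fortify code. Its function names and sample file content are constructed, and it assumes that an explicitly set CheckSig value takes precedence over the documented default.

```python
import os

PREFIX = "com.fortify.model."

# Properties that this guide says are automatically set to true
# when com.fortify.model.MinimalLoad is true.
FORCED_BY_MINIMAL_LOAD = (
    "DisableContextPool", "DisableDescription", "DisableProgramInfo",
    "DisableReplacementParsing", "DisableSnippets",
    "DisableUnifiedInductions", "DisableUnifiedPool", "DisableUnifiedTrace",
)


def parse_properties(text):
    """Minimal key=value reader (no line continuations or escapes)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def flag(props, name, default=False):
    """Read a boolean com.fortify.model.* property, falling back to default."""
    raw = props.get(PREFIX + name, "").strip().lower()
    return default if raw == "" else raw == "true"


def effective_model_settings(props, available_processors=None):
    """Resolve the values the tools end up with, per the table above."""
    cpus = available_processors or os.cpu_count() or 1
    minimal = flag(props, "MinimalLoad")
    effective = {"MinimalLoad": minimal}

    # Under minimal load the Disable* properties are true regardless of the file.
    for name in FORCED_BY_MINIMAL_LOAD:
        effective[name] = minimal or flag(props, name)

    # Documented default: true (normal) / false (minimum load).
    # Assumption: an explicit value in the file overrides that default.
    effective["CheckSig"] = flag(props, "CheckSig", default=not minimal)

    raw_threads = props.get(PREFIX + "NProcessingThreads", "").strip()
    if raw_threads:
        requested = int(raw_threads)
        if requested < 1:
            # The guide does not define values below 1; rejected here (assumption).
            raise ValueError("NProcessingThreads must be at least 1")
        threads = min(requested, cpus)  # capped at the available processors
    else:
        # Default is 1 thread with PersistDataToDisk, else the processor count.
        threads = 1 if flag(props, "PersistDataToDisk") else cpus
    effective["NProcessingThreads"] = threads
    return effective


# Constructed sample fortify.properties fragment.
SAMPLE = """\
# minimal load requested, but snippets and 64 threads also requested
com.fortify.model.MinimalLoad=true
com.fortify.model.DisableSnippets=false
com.fortify.model.NProcessingThreads=64
"""

if __name__ == "__main__":
    settings = effective_model_settings(parse_properties(SAMPLE), 8)
    for name, value in settings.items():
        print(f"{PREFIX}{name} = {value}")
```

With the sample input, DisableSnippets resolves to true and CheckSig to false even though the file never sets CheckSig, which is the case to look for when reviewing a configuration that is expected to verify FPR signatures.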


Chapter 2: Fortify Extension for Visual Studio Configuration

This section describes the properties used by the Micro Focus Fortify Extension for Visual Studio. The properties are listed in alphabetical order based on the files in which they belong.

This section contains the following topics:

  • Fortify Extension for Visual Studio Properties

  • Azure DevOps Server Configuration Property


Fortify Extension for Visual Studio Properties

Some properties described here already exist in the fortify.properties file, and some of them you must add yourself. The following table describes the properties in the <sca_install_dir>/Core/config/fortify.properties file.


Property

Details

com.fortify.audit.ui.DisableBugtrackers

If set to true, disables bug tracker integration.

Default: false

com.fortify.audit.ui.DisableSuppress

If set to true, disables issue suppression.

Default: false

com.fortify.AuthenticationKey

Specifies the directory used to store the Micro Focus Fortify Software Security Center client authentication token.

Default:

${com.fortify.WorkingDirectory}/config/tools

com.fortify.Debug

If set to true, runs all Fortify Static Code Analyzer tools in debug mode.

Default: false

com.fortify.model.CustomDescriptionsHeader

Specifies the custom prefix for the description header. It prepends the text in the Description/Recommendation header, so that you see “My Recommendations” instead of “Custom Recommendations.”

Note: To update description headers, Fortify recommends that you use the <CustomDescriptionRule> rule with the <Header> element text instead.


Default: none

com.fortify.model.ForceIIDMigration

If set to true, forces running Instance ID migration during a merge.

Default: false

com.fortify.model.PriorityImpactThreshold

Specifies the threshold for issue impact. The valid values are 0.0F–5.0F. If the impact of an issue is greater than or equal to the threshold, the issue is considered High. If the impact of an issue is less than the threshold, the issue is considered Low.

Issues are then categorized as follows:

  • Critical—High Impact and High Likelihood

  • High—High Impact and Low Likelihood

  • Medium—Low Impact and High Likelihood

  • Low—Low Impact and Low Likelihood


Also see com.fortify.model.PriorityLikelihoodThreshold

Default: 2.5F

com.fortify.model.PriorityLikelihoodThreshold

Specifies the threshold for issue likelihood. The valid values are 0.0F–5.0F. If the likelihood of an issue is greater than or equal to the threshold, the issue is considered High. If the likelihood of an issue is less than the threshold, the issue is considered Low. Issues are then categorized as follows:

  • Critical—High Impact and High Likelihood

  • High—High Impact and Low Likelihood

  • Medium—Low Impact and High Likelihood

  • Low—Low Impact and Low Likelihood


Also see com.fortify.model.PriorityImpactThreshold

Default: 2.5F



com.fortify.model.UseIIDMigrationFile

Specifies the full path of the instance ID migration file to use.

Default: none

com.fortify.SCAExecutablePath

Specifies the file path to sourceanalyzer.exe.


Note: The Fortify Static Code Analyzer and Applications installer sets this property during installation and it only requires modification if you manually move the executable files.


Default: <sca_install_dir>/bin/sourceanalyzer.exe

com.fortify.search.defaultSyntaxVer

Determines whether to use the AND and OR operators in searches. These are enabled in search syntax by default.

  • To block the use of the AND and OR operators, set the value to 1.

  • To use ANDs and ORs without parentheses, set the value to 2.


Default: 2

com.fortify.tools.iidmigrator.scheme

Set this property to migrate instance IDs created with different versions of Fortify Static Code Analyzer using a custom matching scheme. This is generally handled by Fortify Static Code Analyzer. If you need a custom matching scheme, contact Micro Focus Fortify Customer Support.

Default: none

com.fortify.visualstudio.vm.args

Specifies JVM options.

Default: -Xmx256m

com.fortify.VS.Debug

If set to true, runs the Fortify Extension for Visual Studio in debug mode.

Default: false

com.fortify.VS.DisableCIntegration

If set to true, disables C/C++ build integration in Visual Studio.

Default: false



com.fortify.VS.disableMigrationCheck

If set to true, disables instance ID migration checking.

Default: false

com.fortify.VS.DisableReferenceLibDirsAndExcludes

If set to true, disables using references added to a project.

Default: false

com.fortify.VS.ListProjectProperties

If set to true, lists the Visual Studio project properties in a log file.

Default: false

com.fortify.VS.NETFrameworkRoot

Specifies the file path to the .NET Framework root.

Default: none

com.fortify.WorkingDirectory

Specifies the working directory that contains all user configuration and working files for all Fortify Static Code Analyzer components. To configure this property, you must have write access to the directory.

Default: ${win32.LocalAppdata}/Fortify
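The categorization rule given above for com.fortify.model.PriorityImpactThreshold and com.fortify.model.PriorityLikelihoodThreshold means that editing either threshold re-ranks existing findings without any change to the scan. The following Python script is an added example, not Fortify code: it applies the documented rule and reports which issues change priority between two configurations. The function names and the issue scores are constructed for illustration.

```python
IMPACT_KEY = "com.fortify.model.PriorityImpactThreshold"
LIKELIHOOD_KEY = "com.fortify.model.PriorityLikelihoodThreshold"
DEFAULT_THRESHOLD = "2.5F"  # documented default for both properties


def parse_threshold(raw):
    """Parse a value such as '2.5F' and enforce the documented 0.0F-5.0F range."""
    value = float(raw.strip().rstrip("Ff"))
    if not 0.0 <= value <= 5.0:
        raise ValueError(f"threshold {raw!r} is outside 0.0F-5.0F")
    return value


def priority(impact, likelihood, props=None):
    """Apply the rule from the table: a score at or above its threshold is High."""
    props = props or {}
    impact_thr = parse_threshold(props.get(IMPACT_KEY, DEFAULT_THRESHOLD))
    likelihood_thr = parse_threshold(props.get(LIKELIHOOD_KEY, DEFAULT_THRESHOLD))
    high_impact = impact >= impact_thr
    high_likelihood = likelihood >= likelihood_thr
    if high_impact:
        return "Critical" if high_likelihood else "High"
    return "Medium" if high_likelihood else "Low"


def priority_shift(issues, baseline, candidate):
    """Return {issue_id: (old, new)} for issues that two configurations rank differently.

    issues is an iterable of (issue_id, impact, likelihood) tuples.
    """
    shifted = {}
    for issue_id, impact, likelihood in issues:
        old = priority(impact, likelihood, baseline)
        new = priority(impact, likelihood, candidate)
        if old != new:
            shifted[issue_id] = (old, new)
    return shifted


# Constructed issue scores: (id, impact, likelihood).
SAMPLE_ISSUES = [
    ("A", 4.0, 3.0),
    ("B", 2.5, 2.5),  # exactly on the default threshold, so High on both axes
    ("C", 3.0, 1.0),
    ("D", 1.0, 4.5),
    ("E", 0.5, 0.5),
]

if __name__ == "__main__":
    raised = {IMPACT_KEY: "3.5F"}  # constructed candidate configuration
    for issue_id, (old, new) in priority_shift(SAMPLE_ISSUES, {}, raised).items():
        print(f"issue {issue_id}: {old} -> {new}")
```

Running the comparison before accepting a changed fortify.properties shows which findings would drop out of the Critical and High folders.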


Azure DevOps Server Configuration Property

The property for the Azure DevOps Server is stored in the TFSconfiguration.properties. This file is located in the Fortify working directory in the config\VS<vs_version>-<sca_version> directory.


Note: The TFSconfiguration.properties file is created only after the first time you configure a connection to your Azure DevOps Server from the Fortify Extension for Visual Studio.

The following property is in the TFSconfiguration.properties file:

server.url

Details: Specifies the Azure DevOps Server location.

Default: none

Chapter 3: Shared Properties

This chapter describes the properties shared by Micro Focus Fortify Static Code Analyzer command-line tools, standalone applications, and plugins.

This section contains the following topics:

  • Server Properties

  • Command-Line Tools Properties


Server Properties

Because some values in this file are encrypted (such as proxy user name and password), you must use the scapostinstall tool to configure these properties. For information about how to use the scapostinstall tool, see the Micro Focus Fortify Static Code Analyzer User Guide.

Other properties are updated using command-line tools, standalone applications (such as Fortify Audit Workbench), and remediation plugins. Fortify recommends that you use these tools to edit the properties in this file instead of editing the file manually.

The following table describes the properties in the <sca_install_dir>/Core/config/server.properties file.


Property

Details

autoupgrade.server

Specifies the Fortify Static Code Analyzer and Applications automatic update server. This enables users to check for new versions of the Fortify Static Code Analyzer and Applications installer on a web server and run the installer if an update is available.

Default: http://localhost:8180/ssc/update-site/installers

install.auto.upgrade

If set to true, enables Fortify Audit Workbench automatic update feature.

Default: false

oneproxy.http.proxy.port

Specifies the proxy server port to access bug trackers.

Default: none

oneproxy.http.proxy.server

Specifies the proxy server name to access bug trackers.




Default: none

oneproxy.https.proxy.port

Specifies the proxy server port to access bug trackers through an SSL connection.

Default: none

oneproxy.https.proxy.server

Specifies the proxy server name to access bug trackers through an SSL connection.

Default: none

rp.update.from.manager

If set to true, updates security content from the Fortify Software Security Center instead of from the Fortify Rulepack update server.

Default: false

rulepack.auto.update

If set to true, updates security content automatically.

Default: false

rulepack.days

Specifies the interval (in days) between security content updates.

Default: 15

rulepackupdate.proxy.port

Specifies the proxy server port to access the Fortify Rulepack update server (uploadclient.proxy.port is used if rp.update.from.manager is set to true).

Default: none

rulepackupdate.proxy.server

Specifies proxy server name to access the Fortify Rulepack update server (uploadclient.proxy.server is used if rp.update.from.manager is set to true).

Default: none

rulepackupdate.server

Specifies the Fortify Rulepack update server location.

Default: https://update.fortify.com

uploadclient.proxy.port

Specifies the proxy server port to access the Fortify Software Security Center server.

Default: none

uploadclient.proxy.server

Specifies the proxy server name to access the Fortify Software Security Center server.

Default: none

uploadclient.server

Specifies the URL of the Fortify Software Security Center server.

Default: http://localhost:8180/ssc
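The table above makes the source of security content updates depend on rp.update.from.manager: when it is true, content comes from the Fortify Software Security Center server and the uploadclient.proxy.* settings apply instead of rulepackupdate.proxy.*. The following Python script is an added example, not Fortify code, that resolves the effective update source from a set of server.properties values. The function names, host names and the cleartext check (flagging http:// URLs to non-loopback hosts) are additions for review purposes and do not come from the guide.

```python
from urllib.parse import urlsplit

# Documented defaults from the Server Properties table (proxy values default to none).
DEFAULTS = {
    "autoupgrade.server": "http://localhost:8180/ssc/update-site/installers",
    "install.auto.upgrade": "false",
    "rp.update.from.manager": "false",
    "rulepack.auto.update": "false",
    "rulepack.days": "15",
    "rulepackupdate.server": "https://update.fortify.com",
    "uploadclient.server": "http://localhost:8180/ssc",
}
LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def setting(props, key):
    """Value from the file, else the documented default, else None."""
    return props.get(key) or DEFAULTS.get(key)


def is_true(props, key):
    return (setting(props, key) or "").lower() == "true"


def security_content_source(props):
    """Resolve which server and proxy are used for security content updates."""
    from_ssc = is_true(props, "rp.update.from.manager")
    prefix = "uploadclient" if from_ssc else "rulepackupdate"
    host = setting(props, prefix + ".proxy.server")
    port = setting(props, prefix + ".proxy.port")
    return {
        "server": setting(props, prefix + ".server"),
        "proxy": f"{host}:{port}" if host and port else None,
        "automatic": is_true(props, "rulepack.auto.update"),
        "interval_days": int(setting(props, "rulepack.days")),
    }


def cleartext_findings(props):
    """Added check: http:// URLs to non-loopback hosts on channels that are in use."""
    keys = ["uploadclient.server"]
    if not is_true(props, "rp.update.from.manager"):
        keys.append("rulepackupdate.server")
    if is_true(props, "install.auto.upgrade"):
        keys.append("autoupgrade.server")
    findings = []
    for key in keys:
        url = urlsplit(setting(props, key))
        if url.scheme == "http" and url.hostname not in LOOPBACK:
            findings.append((key, url.geturl()))
    return findings


# Constructed sample values; host names are placeholders.
SAMPLE = {
    "rp.update.from.manager": "true",
    "rulepack.auto.update": "true",
    "uploadclient.server": "http://ssc.example.com:8180/ssc",
    "uploadclient.proxy.server": "proxy.example.com",
    "uploadclient.proxy.port": "3128",
    "rulepackupdate.proxy.server": "unused.example.com",
    "rulepackupdate.proxy.port": "8080",
}

if __name__ == "__main__":
    print(security_content_source(SAMPLE))
    for key, url in cleartext_findings(SAMPLE):
        print(f"cleartext channel: {key} = {url}")
```

The script only reads values; changes to server.properties should still go through scapostinstall or the Fortify tools as the section above recommends.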


Command-Line Tools Properties

The following table describes the properties in the <sca_install_dir>/Core/config/fortify.properties file that are used by the command-line tools.


Property

Details

com.fortify.log.console

Specifies whether logging messages are written to the console. Logging information is always written to the log file.

Default: false

Send Documentation Feedback

If you have comments about this document, you can contact the documentation team by email.


Note: If you are experiencing a technical issue with our product, do not email the documentation team. Instead, contact Micro Focus Fortify Customer Support at https://www.microfocus.com/support so they can assist you.

If an email client is configured on this computer, click the link above to contact the documentation team and an email window opens with the following information in the subject line:

Feedback on Properties Reference Guide (Fortify Static Code Analyzer Tools 21.2.0)

Just add your feedback to the email and click send.

If no email client is available, copy the information above to a new message in a web mail client, and send your feedback to fortifydocteam@microfocus.com.

We appreciate your feedback!