Micro Focus

Fortify Static Code Analyzer

Software Version: 19.1.0

User Guide

Document Release Date: May 2019

Software Release Date: May 2019
User Guide

Legal Notices
Micro Focus
The Lawn
22-30 Old Bath Road
Newbury, Berkshire RG14 1QN
UK
https://www.microfocus.com

Warranty
The only warranties for products and services of Micro Focus and its affiliates and licensors (“Micro Focus”) are set forth in
the express warranty statements accompanying such products and services. Nothing herein should be construed as
constituting an additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained
herein. The information contained herein is subject to change without notice.

Restricted Rights Legend

Confidential computer software. Except as specifically indicated otherwise, a valid license from Micro Focus is required for
possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software
Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard
commercial license.

Copyright Notice
© Copyright 2003 - 2019 Micro Focus or one of its affiliates

Trademark Notices
Adobe™ is a trademark of Adobe Systems Incorporated.
Microsoft® and Windows® are U.S. registered trademarks of Microsoft Corporation.
UNIX® is a registered trademark of The Open Group.

Documentation Updates
The title page of this document contains the following identifying information:
l Software Version number
l Document Release Date, which changes each time the document is updated
l Software Release Date, which indicates the release date of this version of the software
To check for recent updates or to verify that you are using the most recent edition of a document, go to:
https://www.microfocus.com/support-and-services/documentation

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 2 of 210

User Guide

Contents
Preface 11
Contacting Micro Focus Fortify Customer Support 11
For More Information 11
About the Documentation Set 11

Change Log 12

Chapter 1: Introduction 15
Fortify Static Code Analyzer 15
Fortify CloudScan 15
Fortify Scan Wizard 16
Fortify Software Security Content 16
About the Analyzers 17
Related Documents 18
All Products 19
Micro Focus Fortify CloudScan 20
Micro Focus Fortify Software Security Center 20
Micro Focus Fortify Static Code Analyzer 21

Chapter 2: Installing Fortify Static Code Analyzer 23

Fortify Static Code Analyzer Component Applications 23
About Downloading the Software 25
About Installing Fortify Static Code Analyzer and Applications 25
Installing Fortify Static Code Analyzer and Applications 26
Installing Fortify Static Code Analyzer and Applications Silently (Unattended) 27
Installing Fortify Static Code Analyzer and Applications in Text-Based Mode on
Non-Windows Platforms 29
Manually Installing Fortify Security Content 29
About Upgrading Fortify Static Code Analyzer and Applications 30
Notes About Upgrading the Fortify Extension for Visual Studio 30
About Uninstalling Fortify Static Code Analyzer and Applications 31
Uninstalling Fortify Static Code Analyzer and Applications 31

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 3 of 210

User Guide

Uninstalling Fortify Static Code Analyzer and Applications Silently 32

Uninstalling Fortify Static Code Analyzer and Applications in Text-Based Mode on Non-
Windows Platforms 32
Post-Installation Tasks 33
Running the Post-Install Tool 33
Migrating Properties Files 33
Specifying a Locale 33
Configuring for Security Content Updates 34
Configuring the Connection to Fortify Software Security Center 34
Removing Proxy Server Settings 35
Registering ASP.NET Applications 35

Chapter 3: Analysis Process Overview 36

Analysis Process 36
Parallel Processing 37
Translation Phase 37
Mobile Build Sessions 38
Mobile Build Session Version Compatibility 38
Creating a Mobile Build Session 38
Importing a Mobile Build Session 38
Analysis Phase 39
Incremental Analysis 39
Translation and Analysis Phase Verification 40

Chapter 4: Translating Java Code 41

Java Command-Line Syntax 41
Java Command-Line Options 42
Java Command-Line Examples 44
Handling Resolution Warnings 44
Java Warnings 44
Using FindBugs 45
Translating Java EE Applications 46
Translating the Java Files 46
Translating JSP Projects, Configuration Files, and Deployment Descriptors 46
Java EE Translation Warnings 46
Translating Java Bytecode 47

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 4 of 210

User Guide

Troubleshooting JSP Translation Issues 47

Chapter 5: Translating .NET Code 49

About Translating .NET Code 49
.NET Command-Line Syntax 50
Translating .NET Binaries 51
Binary .NET Translation Command-Line Options 52
Handling Translation Errors 55
.NET Translation Errors 56
ASP.NET Errors 56

Chapter 6: Translating C and C++ Code 57

C and C++ Code Translation Prerequisites 57
C and C++ Command-Line Syntax 57
Options for Code in Visual Studio Solution or MSBuild Project 58
Scanning Pre-processed C and C++ Code 58

Chapter 7: Translating JavaScript Technologies 59

Translating Pure JavaScript Projects 59
Skipping Translation of JavaScript Library Files 59
Translating JavaScript Projects with HTML Files 60
Including External JavaScript or HTML in the Translation 61
Translating AngularJS Code 62

Chapter 8: Translating Python Code 63

Python Translation Command-Line Syntax 63
Including Import Files 63
Including Namespace Packages 64
Using the Django Framework with Python 64
Python Command-Line Options 64
Python Command-Line Examples 66

Chapter 9: Translating Code for Mobile Platforms 67

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 5 of 210

User Guide

Translating Apple iOS Projects 67

iOS Project Translation Prerequisites 67
iOS Code Analysis Command-Line Syntax 68
Translating Android Projects 68
Android Project Translation Prerequisites 68
Android Code Analysis Command-Line Syntax 69
Filtering Issues Detected in Android Layout Files 69

Chapter 10: Translating Ruby Code 70

Ruby Command-Line Syntax 70
Ruby Command-Line Options 70
Adding Libraries 71
Adding Gem Paths 71

Chapter 11: Translating Apex and Visualforce Code 72

Apex Translation Prerequisites 72
Apex and Visualforce Command-Line Syntax 72
Apex and Visualforce Command-Line Options 73
Downloading Customized Salesforce Database Structure Information 73

Chapter 12: Translating COBOL Code 75

Preparing COBOL Source Files for Translation 75
COBOL Command-Line Syntax 76
COBOL Command-Line Options 77

Chapter 13: Translating Other Languages 78

Translating PHP Code 78
PHP Command-Line Options 78
Translating ABAP Code 79
INCLUDE Processing 80
Importing the Transport Request 80
Adding Fortify Static Code Analyzer to Your Favorites List 81
Running the Fortify ABAP Extractor 82
Uninstalling the Fortify ABAP Extractor 86
Translating Flex and ActionScript 86

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 6 of 210

User Guide

Flex and ActionScript Command-Line Options 87

ActionScript Command-Line Examples 88
Handling Resolution Warnings 89
ActionScript Warnings 89
Translating ColdFusion Code 89
ColdFusion Command-Line Syntax 89
ColdFusion Command-Line Options 90
Translating SQL 90
PL/SQL Command-Line Example 90
T-SQL Command-Line Example 91
Translating Scala Code 91
Translating ASP/VBScript Virtual Roots 91
Classic ASP Command-Line Example 93
VBScript Command-Line Example 93

Chapter 14: Integrating into a Build 94

Build Integration 94
Make Example 95
Devenv Example 95
Modifying a Build Script to Invoke Fortify Static Code Analyzer 95
Touchless Build Integration 96
Ant Integration 96
Gradle Integration 97
Maven Integration 97
Installing and Updating the Fortify Maven Plugin 97
Testing the Fortify Maven Plugin Installation 98
Using the Fortify Maven Plugin 99
MSBuild Integration 100
Using MSBuild Integration 100
Using the Touchless MSBuild Integration 101
Adding Custom Tasks to your MSBuild Project 102

Chapter 15: Command-Line Interface 111

Translation Options 111
Analysis Options 113

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 7 of 210

User Guide

Output Options 116

Other Options 119
Directives 121
Specifying Files 122

Chapter 16: Command-Line Utilities 124

Fortify Static Code Analyzer Utilities 124
About Updating Security Content 125
Updating Security Content 125
fortifyupdate Command-Line Options 126
Working with FPR Files from the Command Line 127
Merging FPR Files 127
Displaying Analysis Results Information from an FPR File 129
Extracting a Source Archive from an FPR File 133
Allocating More Memory for FPRUtility 134
Generating Reports from the Command Line 134
Generating a BIRT Report 135
Generating a Legacy Report 137
Checking the Fortify Static Code Analyzer Scan Status 138
SCAState Utility Command-Line Options 138

Chapter 17: Improving Performance 141

Hardware Considerations 141
Sample Scans 142
Tuning Options 143
Breaking Down Codebases 144
Quick Scan 145
Limiters 145
Using Quick Scan and Full Scan 145
Limiting Analyzers and Languages 146
Disabling Analyzers 146
Disabling Languages 146
Optimizing FPR Files 147
Filter Files 147
Excluding Issues from the FPR with Filter Sets 147

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 8 of 210

User Guide

Excluding Source Code from the FPR 148

Reducing the FPR File Size 149
Opening Large FPR Files 150
Monitoring Long Running Scans 151
Using the SCAState Utility 151
Using JMX Tools 152
Using JConsole 152
Using Java VisualVM 152

Chapter 18: Troubleshooting 153

Exit Codes 153
Translation Failed Message 154
Memory Tuning 154
Java Heap Exhaustion 155
Native Heap Exhaustion 155
Stack Overflow 156
Scanning Complex Functions 156
Dataflow Analyzer Limiters 157
Control Flow and Null Pointer Analyzer Limiters 158
Issue Non-Determinism 159
C/C++ Precompiled Header Files 159
Accessing Log Files 159
Configuring Log Files 160
Understanding Log Levels 160
Reporting Issues and Requesting Enhancements 161

Appendix A: Filtering the Analysis 162

Filter Files 162
Filter File Example 162

Appendix B: Fortify Scan Wizard 165

Preparing to use the Fortify Scan Wizard 165
Starting the Fortify Scan Wizard 166

Appendix C: Sample Files 167

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 9 of 210

User Guide

Basic Samples 167

Advanced Samples 169

Appendix D: Configuration Options 171

Fortify Static Code Analyzer Properties Files 171
Properties File Format 171
Precedence of Setting Properties 172
fortify-sca.properties 173
fortify-sca-quickscan.properties 205

Send Documentation Feedback 210

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 10 of 210

User Guide
Preface

Preface

Contacting Micro Focus Fortify Customer Support

If you have questions or comments about using this product, contact Micro Focus Fortify Customer
Support using one of the following options.
To Manage Your Support Cases, Acquire Licenses, and Manage Your Account
https://softwaresupport.softwaregrp.com
To Call Support
1.844.260.7219

For More Information

For more information about Fortify software products:
https://software.microfocus.com/solutions/application-security

About the Documentation Set

The Fortify Software documentation set contains installation, user, and deployment guides for all
Fortify Software products and components. In addition, you will find technical notes and release notes
that describe new features, known issues, and last-minute updates. You can access the latest versions of
these documents from the following Micro Focus Product Documentation website:
https://www.microfocus.com/support-and-services/documentation

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 11 of 210

User Guide
Change Log

Change Log
The following table lists changes made to this document. Revisions to this document are published
between software releases only if the changes made affect product functionality.

Software Release /
Document Version Changes

19.1.0 Added:
l This document now includes all content from the Micro Focus Fortify
Static Code Analyzer Installation Guide and the Micro Focus Fortify
Static Code Analyzer Performance Guide, which are no longer
published as of this release.
Updated:
l "Translating JavaScript Technologies" on page 59 - The Higher Order
Analyzer is now enabled by default for JavaScript and TypeScript
l "Using the Django Framework with Python" on page 64 and "Python
Command-Line Options" on page 64 - Added a description of a new
feature to automatically discover Django template locations
l "iOS Code Analysis Command-Line Syntax" on page 68 and "Android
Code Analysis Command-Line Syntax" on page 69 - Added examples
for translating property list files and configuration files
l "Importing the Transport Request" on page 80 - Clarified the supported
SAP version for the Fortify ABAP Extractor transport request and
added a suggestion if the import fails
l "Running the Fortify ABAP Extractor" on page 82 - Updated to provide
more details
l "Using the Fortify Maven Plugin" on page 99 - Clarified the two
different ways to analyze a maven project
l "Output Options" on page 116 - Added a description of the FVDL
output format and added options to exclude information from the
FVDL file
l "Sample Scans" on page 142 - Table updated to show data for the
current release

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 12 of 210

User Guide
Change Log

Software Release /
Document Version Changes

18.20 Added:
l "Uninstalling the Fortify ABAP Extractor" on page 86
Updated:
l "Translating .NET Code" on page 49 - Added Fortify Static Code
Analyzer MSBuild integration and changed manual command-line
option descriptions to specify that they to be used only for translating
binaries
l "Translating JavaScript Technologies" on page 59 - Includes new
information about how to translate and scan TypeScript code
l "Translating Python Code" on page 63 -Described new support for
namespace packages and other changes
l "Translating Code for Mobile Platforms" on page 67 - Expanded the
information for both iOS and Android projects
l "Using the Fortify Maven Plugin" on page 99 - Updated the command
syntax to translate code with the Fortify Maven Plugin
l "MSBuild Integration" on page 100 - Clarified the three different
methods of integrating Fortify Static Code Analyzer with MSBuild
l "Translation Options" on page 111 - Added TYPESCRIPT as a valid
value for the -noextension-type option
l "Generating a BIRT Report" on page 135 - Options added to support
new DISA STIG versions (4.5, 4.6, and 4.7), and added a new report
template DISA CCI 2.
l "Accessing Log Files" on page 159 - Logging updates
l "fortify-sca.properties" on page 173 - Added new properties:
com.fortify.sca.LogLevel and
com.fortify.sca.skip.libraries.typescript, added
typescript as a valid value for several properties

18.10 Updated:
Revision 1: June 1, l "Translating Python Code" on page 63 - Provided more information for
2018 the -python-path option and added examples

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 13 of 210

User Guide
Change Log

Software Release /
Document Version Changes

18.10 Added:
l "Translating AngularJS Code" on page 62 - Merged the AngularJS
Technical Preview information into this guide
l "Downloading Customized Salesforce Database Structure Information"
on page 73 for Apex translation
Updated:
l "Binary .NET Translation Command-Line Options" on page 52 and
"Fortify.TranslateTask" on page 104 - New options for Shared Projects
and Xamarin projects
l "Python Command-Line Options" on page 64 - New option for Python
version and other minor edits
l "Maven Integration" on page 97 - Branding changes for the Fortify
Maven Plugin group ID
l "Fortify.TranslateTask" on page 104 - Added Xamarin options for the
custom MSBuild translate task
l "fortify-sca.properties" on page 173 - New properties for .NET and
Python
l "About the Analyzers" on page 17 and "fortify-sca.properties" on
page 173 - Merged the Higher Order Analyzer Technical Preview
information into this guide
l Minor edits to incorporate branding changes

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 14 of 210

Chapter 1: Introduction
This guide provides instructions for using Micro Focus Fortify Static Code Analyzer to scan code on
most major programming platforms. This guide is intended for people responsible for security audits
and secure coding.
This section contains the following topics:
Fortify Static Code Analyzer 15
About the Analyzers 17
Related Documents 18

Fortify Static Code Analyzer

Fortify Static Code Analyzer is a set of software security analyzers that search for violations of security-
specific coding rules and guidelines in a variety of languages. The Fortify Static Code Analyzer language
technology provides rich data that enables the analyzers to pinpoint and prioritize violations so that
fixes are fast and accurate. Fortify Static Code Analyzer produces analysis information to help you
deliver more secure software, as well as make security code reviews more efficient, consistent, and
complete. Its design enables you to quickly incorporate new third-party and customer-specific security
rules.
At the highest level, using Fortify Static Code Analyzer involves:
1. Running Fortify Static Code Analyzer as a stand-alone process or integrating Fortify Static Code
Analyzer in a build tool
2. Translating the source code into an intermediate translated format
3. Scanning the translated code and producing security vulnerability reports
4. Auditing the results of the scan, either by opening the results (typically an FPR file) in Micro Focus
Fortify Audit Workbench or uploading them to Micro Focus Fortify Software Security Center for
analysis, or working directly with the results displayed on screen.
Note: For information about how to open and view results in Fortify Audit Workbench or Fortify
Software Security Center, see the Micro Focus Fortify Audit Workbench User Guide or the Micro
Focus Fortify Software Security Center User Guide respectively.

Fortify CloudScan
You can use Micro Focus Fortify CloudScan to manage your resources by offloading the processor-
intensive scanning phase of the Fortify Static Code Analyzer analysis from build machines to a cloud of
machines provisioned for this purpose. For some languages, Fortify CloudScan can perform both the
translation and the analysis (scan) phases in the cloud.

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 15 of 210

User Guide
Chapter 1: Introduction

After the translation phase is completed on the build machine, Fortify CloudScan generates a mobile
build session and moves it to an available machine for scanning. In addition to freeing up the build
machines, this process makes it easy to expand the system by adding more resources to the cloud as
needed, without having to interrupt the build process. In addition, users of Micro Focus Fortify
Software Security Center can direct Fortify CloudScan to output the FPR file directly to the server.
For detailed information about how to use Fortify CloudScan, see the Micro Focus Fortify CloudScan
Installation, Configuration, and Usage Guide.

Fortify Scan Wizard

Micro Focus Fortify Scan Wizard is a utility that enables you to quickly and easily prepare and scan
project code using Fortify Static Code Analyzer. With the Scan Wizard, you can run your scans locally,
or, if you are using Micro Focus Fortify CloudScan, in a cloud of computers provisioned to manage the
processor-intensive scan phase of the analysis.
For more information, see "Fortify Scan Wizard" on page 165.

Fortify Software Security Content

Fortify Static Code Analyzer uses a knowledge base of rules to enforce secure coding standards
applicable to the codebase for static analysis. Micro Focus Fortify Software Security Content is required
for both translation and analysis. You can download and install security content when you install Fortify
Static Code Analyzer (see "Installing Fortify Static Code Analyzer" on page 23). Alternatively, you can
download or import previously downloaded Fortify Security Content with the fortifyupdate utility as a
post-installation task (see "Manually Installing Fortify Security Content" on page 29).
Fortify Software Security Content (security content) consists of Secure Coding Rulepacks and external
metadata:
l Secure Coding Rulepacks describe general secure coding idioms for popular languages and public
APIs
l External metadata includes mappings from the Fortify categories to alternative categories (such as

CWE, OWASP Top 10, and PCI DSS)

Fortify provides the ability to write custom rules that add to the functionality of Fortify Static Code
Analyzer and the Secure Coding Rulepacks. For example, you might need to enforce proprietary
security guidelines or analyze a project that uses third-party libraries or other pre-compiled binaries that
are not already covered by the Secure Coding Rulepacks. You can also customize the external metadata
to map Fortify issues to different taxonomies, such as internal application security standards or
additional compliance obligations. For instructions on how to create your own custom rules or custom
external metadata, see the Micro Focus Fortify Static Code Analyzer Custom Rules Guide.
Fortify recommends that you periodically update the security content. You can use the fortifyupdate
utility to obtain the latest security content. For more information, see "Updating Security Content" on
page 125.

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 16 of 210

User Guide
Chapter 1: Introduction

About the Analyzers

Fortify Static Code Analyzer comprises eight vulnerability analyzers: Buffer, Configuration, Content,
Control Flow, Dataflow, Higher Order, Semantic, and Structural. Each analyzer accepts a different type
of rule specifically tailored to provide the information necessary for the corresponding type of analysis
performed. Rules are definitions that identify elements in the source code that might result in security
vulnerabilities or are otherwise unsafe.
The following table lists and describes each analyzer.

Analyzer Description

Buffer The Buffer Analyzer detects buffer overflow vulnerabilities that involve writing or
reading more data than a buffer can hold. The buffer can be either stack-allocated
or heap-allocated. The Buffer Analyzer uses limited interprocedural analysis to
determine whether or not there is a condition that causes the buffer to overflow. If
any execution path to a buffer leads to a buffer overflow, Fortify Static Code
Analyzer reports it as a buffer overflow vulnerability and points out the variables
that could cause the overflow. If the value of the variable causing the buffer
overflow is tainted (user-controlled), then Fortify Static Code Analyzer reports it as
well and displays the dataflow trace to show how the variable is tainted.

Configuration The Configuration Analyzer searches for mistakes, weaknesses, and policy violations
in application deployment configuration files. For example, the Configuration
Analyzer checks for reasonable timeouts in user sessions in a web application.

Content The Content Analyzer searches for security issues and policy violations in HTML
content. In addition to static HTML pages, the Content Analyzer performs these
checks on files that contain dynamic HTML, such as PHP, JSP, and classic ASP files.

Control Flow The Control Flow Analyzer detects potentially dangerous sequences of operations.
By analyzing control flow paths in a program, the Control Flow Analyzer determines
whether a set of operations are executed in a certain order. For example, the Control
Flow Analyzer detects time of check/time of use issues and uninitialized variables,
and checks whether utilities, such as XML readers, are configured properly before
being used.

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 17 of 210

User Guide
Chapter 1: Introduction

Analyzer Description

Dataflow The Dataflow Analyzer detects potential vulnerabilities that involve tainted data
(user-controlled input) put to potentially dangerous use. The Dataflow Analyzer
uses global, interprocedural taint propagation analysis to detect the flow of data
between a source (site of user input) and a sink (dangerous function call or
operation). For example, the Dataflow Analyzer detects whether a user-controlled
input string of unbounded length is copied into a statically sized buffer, and detects
whether a user-controlled string is used to construct SQL query text.

Higher Order The Higher Order Analyzer improves the ability to track dataflow through higher-
order code. Higher-order code manipulates functions as values, generating them
with anonymous function expressions (lambda expressions), passing them as
arguments, returning them as values, and assigning them to variables and to fields
of objects. These code patterns are common in modern dynamic languages such as
JavaScript, TypeScript, Python, Ruby, and Swift.
By default, the Higher Order Analyzer runs when you scan Python, Ruby, Swift,
JavaScript, and TypeScript code. For a description of the Higher Order Analyzer
properties, see "fortify-sca.properties" on page 173 and search for "higher-order
analysis."

Semantic The Semantic Analyzer detects potentially dangerous uses of functions and APIs at
the intra-procedural level. Its specialized logic searches for buffer overflow, format
string, and execution path issues, but is not limited to these categories. For example,
the Semantic Analyzer detects deprecated functions in Java and unsafe functions in
C/C++, such as gets().

Structural The Structural Analyzer detects potentially dangerous flaws in the structure or
definition of the program. By understanding the way programs are structured, the
Structural Analyzer identifies violations of secure programming practices and
techniques that are often difficult to detect through inspection because they
encompass a wide scope involving both the declaration and use of variables and
functions. For example, the Structural Analyzer detects assignment to member
variables in Java servlets, identifies the use of loggers that are not declared static
final, and flags instances of dead code that is never executed because of a predicate
that is always false.

Related Documents
This topic describes documents that provide information about Micro Focus Fortify software products.

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 18 of 210

User Guide
Chapter 1: Introduction

Note: You can find the Micro Focus Fortify Product Documentation at
https://www.microfocus.com/support-and-services/documentation. Apart from the Release Notes,
all guides are available in both PDF and HTML formats.

All Products
The following documents provide general information for all products. Unless otherwise noted, these
documents are available on the Micro Focus Product Documentation website.

Document / File Name Description

About Micro Focus Fortify Product This paper provides information about how to access Micro
Software Documentation Focus Fortify product documentation.
About_Fortify_Docs_<version>.pdf Note: This document is included only with the product
download.

Micro Focus Fortify Software System This document provides the details about the
Requirements environments and products supported for this version of
Fortify Software.
Fortify_Sys_Reqs_<version>.pdf

Micro Focus Fortify Software Release
Notes
FortifySW_RN_<version>.txt
This document provides an overview of the changes made
to Fortify Software for this release and important
information not included elsewhere in the product
documentation.

What’s New in Micro Focus Fortify This document describes the new features in Fortify
Software <version> Software products.
Fortify_Whats_New_<version>.pdf

Micro Focus Fortify Open Source and This document provides open source and third-party
Third-Party License Agreements software license agreements for software components used
in Fortify Software.
Fortify_OpenSrc_<version>.pdf

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 19 of 210

User Guide
Chapter 1: Introduction

Micro Focus Fortify CloudScan

The following documents provide information about Fortify CloudScan. Unless otherwise noted, these
documents are available on the Micro Focus Product Documentation website at
https://www.microfocus.com/documentation/fortify-software-security-center.

Document / File Name Description

Micro Focus Fortify CloudScan
Installation, Configuration, and Usage
Guide
CloudScan_Guide_<version>.pdf
This document provides information about how to
install, configure, and use Fortify CloudScan to
streamline the static code analysis process. It is written
for anyone who intends to install, configure, or use
Fortify CloudScan for offloading the scanning phase of
their Fortify Static Code Analyzer process.

Micro Focus Fortify Software Security Center

The following documents provide information about Fortify Software Security Center. Unless otherwise
noted, these documents are available on the Micro Focus Product Documentation website at
https://www.microfocus.com/documentation/fortify-software-security-center.

Document / File Name Description

Micro Focus Fortify Software Security
Center User Guide
SSC_Guide_<version>.pdf
This document provides Fortify Software Security Center
users with detailed information about how to deploy and
use Software Security Center. It provides all of the
information you need to acquire, install, configure, and use
Software Security Center.
It is intended for use by system and instance
administrators, database administrators (DBAs), enterprise
security leads, development team managers, and
developers. Software Security Center provides security
team leads with a high-level overview of the history and
current status of a project.

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 20 of 210

User Guide
Chapter 1: Introduction

Micro Focus Fortify Static Code Analyzer

The following documents provide information about Fortify Static Code Analyzer. Unless otherwise
noted, these documents are available on the Micro Focus Product Documentation website at
https://www.microfocus.com/documentation/fortify-static-code.

Document / File Name Description

Micro Focus Fortify Static Code
Analyzer User Guide
SCA_Guide_<version>.pdf
This document describes how to install and use Fortify
Static Code Analyzer to scan code on many of the major
programming platforms. It is intended for people
responsible for security audits and secure coding.

Micro Focus Fortify Static Code
Analyzer Custom Rules Guide
SCA_Cust_Rules_Guide_<version>.zip
This document provides the information that you need to
create custom rules for Fortify Static Code Analyzer. This
guide includes examples that apply rule-writing concepts to
real-world security issues.

Note: This document is included only with the product

download.

Micro Focus Fortify Audit Workbench
User Guide
AWB_Guide_<version>.pdf
This document describes how to use Fortify Audit
Workbench to scan software projects and audit analysis
results. This guide also includes how to integrate with bug
trackers, produce reports, and perform collaborative
auditing.

Micro Focus Fortify Plugins for Eclipse This document provides information about how to install
Installation and Usage Guide and use the Fortify Complete and the Fortify Remediation
Plugins for Eclipse.
Eclipse_Plugins_Guide_<version>.pdf

Micro Focus Fortify Plugins for IntelliJ, This document describes how to install and use both the
WebStorm, and Android Studio Fortify Analysis Plugin for IntelliJ IDEA and Android Studio
Installation and Usage Guide and the Fortify Remediation Plugin for IntelliJ IDEA,
Android Studio, and WebStorm.
IntelliJ_AndStud_Plugins_Guide_
<version>.pdf

Micro Focus Fortify Jenkins Plugin
Installation and Usage Guide
Jenkins_Plugin_Guide_<version>.pdf
This document describes how to install, configure, and use
the plugin. This documentation is available at
https://www.microfocus.com/documentation/fortify-
jenkins-plugin.

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 21 of 210

User Guide
Chapter 1: Introduction
Document / File Name
Micro Focus Fortify Security Assistant
Plugin for Eclipse User Guide
SecAssist_Eclipse_Guide_
<version>.pdf
Micro Focus Fortify Extension for
Visual Studio User Guide
VS_Ext_Guide_<version>.pdf
Micro Focus Fortify Static Code
Analyzer Tools Properties Reference
Guide
SCA_Tools_Props_Ref_<version>.pdf
Micro Focus Fortify Static Code Analyzer (19.1.0)
Description
This document describes how to install and use Fortify
Security Assistant plugin for Eclipse to provide alerts to
security issues as you write your Java code.
This document provides information about how to install
and use the Fortify extension for Visual Studio to analyze,
audit, and remediate your code to resolve security-related
issues in solutions and projects.
This document describes the properties used by Fortify
Static Code Analyzer tools.
Page 22 of 210
Chapter 2: Installing Fortify Static Code
Analyzer
This chapter describes how to install and uninstall Fortify Static Code Analyzer and Fortify Static Code
Analyzer tools. This chapter also describes basic post-installation tasks. See the Micro Focus Fortify
Software System Requirements document to be sure that your system meets the minimum
requirements for each software component installation.
This section contains the following topics:
Fortify Static Code Analyzer Component Applications 23
About Downloading the Software 25
About Installing Fortify Static Code Analyzer and Applications 25
About Upgrading Fortify Static Code Analyzer and Applications 30
About Uninstalling Fortify Static Code Analyzer and Applications 31
Post-Installation Tasks 33

Fortify Static Code Analyzer Component Applications

The installation consists of Fortify Static Code Analyzer, which analyzes your build code according to a
set of rules specifically tailored to provide the information necessary for the type of analysis performed.
A Fortify Static Code Analyzer installation might also include one or more of the component
applications.
The following table describes the components that are available for installation with the Fortify Static
Code Analyzer and Applications installer.

Component Description

Micro Focus Fortify Audit Provides a graphical user interface for Fortify Static Code Analyzer that
Workbench helps you organize, investigate, and prioritize analysis results so that
developers can fix security flaws quickly.

Micro Focus Fortify
Plugin for Eclipse
Adds the ability to scan and analyze the entire codebase of a project and
apply software security rules that identify the vulnerabilities in your Java
code from the Eclipse IDE. The results are displayed, along with
descriptions of each of the security issues and suggestions for their
elimination.

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 23 of 210

User Guide
Chapter 2: Installing Fortify Static Code Analyzer

Component Description

Micro Focus Fortify Adds the ability to run Fortify Static Code Analyzer scans on the entire
Analysis Plugin for IntelliJ codebase of a project and apply software security rules that identify the
and Android Studio vulnerabilities in your code from the IntelliJ and Android Studio IDEs.

Micro Focus Fortify
Extension for Visual
Studio
Adds the ability to scan and locate security vulnerabilities in your
solutions and projects and displays the scan results in Visual Studio. The
results include a list of issues uncovered, descriptions of the type of
vulnerability each issue represents, and suggestions on how to fix them.
This extension also includes remediation functionality that works with
audit results stored on a Micro Focus Fortify Software Security Center
server.

Micro Focus Fortify A tool to create and edit custom rules.

Custom Rules Editor

Micro Focus Fortify Scan A tool to quickly prepare a script that you can use to scan your code with
Wizard Fortify Static Code Analyzer and optionally, upload the results directly
to Fortify Software Security Center.

Note: This tool is installed automatically with Fortify Static Code

Analyzer.

The following table describes the components that are included in the Fortify Static Code Analyzer and
Applications package.

Component Description

Micro Focus Fortify Works with Fortify Software Security Center for developers who
Remediation Plugin for want to remediate issues detected in source code from the Eclipse
Eclipse IDE.

Micro Focus Fortify Works in the IntelliJ, WebStorm, and Android Studio IDEs and with
Remediation Plugin for Fortify Software Security Center to add remediation functionality to
IntelliJ, WebStorm, and your security analysis.
Android Studio

The following table describes the applications you can use with Fortify Static Code Analyzer in
continuous integration that are available from other marketplaces.

Component Description

Micro Focus Fortify Provides the ability to analyze a project with Fortify Static Code

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 24 of 210

User Guide
Chapter 2: Installing Fortify Static Code Analyzer

Component Description

Jenkins Plugin Analyzer, upload analysis results to Fortify Software Security Center,
and view details about the results from Jenkins.

Micro Focus Fortify Provides the ability to analyze a project with Fortify Static Code
Bamboo Plugin Analyzer, and upload analysis results to Fortify Software Security
Center with Bamboo.

About Downloading the Software

Fortify Static Code Analyzer and Applications is available as a downloadable application or package. For
details on how to acquire the software and a license for the Fortify Software, see the Micro Focus
Fortify Software System Requirements document.

About Installing Fortify Static Code Analyzer and

Applications
This section describes how to install Fortify Static Code Analyzer and applications. You need a Fortify
license file to complete the process. You can use the standard install wizard or you can perform the
installation silently. You can also perform a text-based installation on non-Windows systems. For best
performance, install Fortify Static Code Analyzer on the same local file system where the code that you
want to scan resides.

Note: On non-windows systems, you must install Fortify Static Code Analyzer and applications as a
user that has a home directory with write permission. Do not install Fortify Static Code Analyzer
and applications as a non-root user that has no home directory.

After you complete the installation, see "Post-Installation Tasks" on page 33 for additional steps you
can perform to complete your system setup. You can also configure settings for runtime analysis,
output, and performance of Fortify Static Code Analyzer and its components by updating the installed
configuration files. For information about the configuration options for Fortify Static Code Analyzer,
see "Configuration Options" on page 171. For information about configuration options for Fortify
Static Code Analyzer component applications, see the Micro Focus Fortify Static Code Analyzer Tools
Properties Reference Guide.

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 25 of 210

User Guide
Chapter 2: Installing Fortify Static Code Analyzer

Installing Fortify Static Code Analyzer and Applications

To install Fortify Static Code Analyzer and Applications:
1. Run the installer file that corresponds to your operating system:
l Windows: Fortify_SCA_and_Apps_<version>_windows_x64.exe
l macOS: Fortify_SCA_and_Apps_<version>_osx_x64.app.zip
l Linux: Fortify_SCA_and_Apps_<version>_linux_x64.run
l Solaris: Fortify_SCA_<version>_solaris_x86.run or
Fortify_SCA_<version>_solaris10_sparc.run
where <version> is the software release version.
2. Accept the license agreement, and then click Next.
3. Choose where to install Fortify Static Code Analyzer and applications, and then click Next.
Note: If you are using Micro Focus Fortify CloudScan, you must specify a location that does
not include spaces in the path.

4. (Optional) Select the components to install, and then click Next.

Note: Component selection is not available for all operating systems.

5. If you are installing the Fortify extension for Visual Studio 2015 or 2017, you are prompted to
specify whether to install the extensions for the current install user or for all users.
The default is to install the extensions for the current install user.
6. Specify the path to the fortify.license file, and then click Next.
7. Specify the settings required to update your security content.
To update the security content for your installation:
Note: For installations on non-Windows platforms and for deployment environments that do
not have access to the Internet during installation, you can update the security content using
the fortifyupdate utility. See "Manually Installing Fortify Security Content" on page 29.

a. Specify the URL address of the update server. To use the Fortify Rulepack update server for
security content updates, specify the URL as: https://update.fortify.com.
b. (Optional) Specify the proxy host and port number of the update server.
c. Click Next.
8. Specify if you want to migrate from a previous installation of Fortify Static Code Analyzer on your
system.
Migrating from a previous Fortify Static Code Analyzer installation preserves Fortify Static Code
Analyzer artifact files.
Note: You can also migrate Fortify Static Code Analyzer artifacts using the scapostinstall
command-line utility. For information on how to use the post-install tool to migrate from a

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 26 of 210

User Guide
Chapter 2: Installing Fortify Static Code Analyzer

previous Fortify Static Code Analyzer installation, see "Migrating Properties Files" on page 33.

To migrate artifacts from a previous installation:

a. In the SCA Migration step, select Yes, and then click Next.
b. Specify the location of the existing Fortify Static Code Analyzer installation on your system,
and then click Next.
9. Specify if you want to install sample source code projects, and then click Next.
See "Sample Files" on page 167 for descriptions of these samples.
Note: If you do not install the samples and decide later that you want to install them, you must
uninstall and then re-install Fortify Static Code Analyzer and Applications.

10. Click Next to proceed to install Fortify Static Code Analyzer and applications.
11. After Fortify Static Code Analyzer is installed, select Update security content after installation
if you want to update the security content, and then click Finish.
The Security Content Update Result window displays the security content update results.

Installing Fortify Static Code Analyzer and Applications Silently

(Unattended)
A silent installation enables you to complete the installation without any user prompts. To install
silently, you need to create an option file to provide the necessary information to the installer. Using the
silent installation, you can replicate the installation parameters on multiple machines. When you install
Fortify Static Code Analyzer and Applications silently, the installer does not download the Micro Focus
Fortify Software Security Content. For instructions on how to install the Fortify Security Content, see
"Manually Installing Fortify Security Content" on page 29.
To install Fortify Static Code Analyzer silently:
1. Create an options file.
a. Create a text file that contains the following line:

fortify_license_path=<license_file_location>

where <license_file_location> is the full path to your fortify.license file.

b. If you are using a different location for the Fortify Security Content updates than the default of
https://update.fortify.com, add the following line:

UpdateServer=<update_server_url>

c. If you require a proxy server, add the following lines:

UpdateProxyServer=<proxy_server>
UpdateProxyPort=<port_number>

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 27 of 210

User Guide
Chapter 2: Installing Fortify Static Code Analyzer

d. If you do not want to install the sample source code projects, add the following line:

InstallSamples=0

e. Add more information, as needed, to the options file.

For list of installation options that you can add to your options file, type the installer file name
and the --help option. This command displays the command-line options preceded with a
double dash and optional file parameters enclosed in angle brackets. For example, if you want to
see the progress of the install displayed at the command line, add
unattendedmodeui=minimal to your options file.
The following options file example specifies the location of the license file, the location and
proxy information for obtaining the Fortify Security Content, a request to migrate from a
previous release, installation of Audit Workbench, installation of Micro Focus Fortify Extension
for Visual Studio 2017 for all users, and the location of the Fortify Static Code Analyzer and
Applications installation directory:

fortify_license_path=C:\Users\admin\Desktop\fortify.license
UpdateServer=https://internalserver.abc.com
UpdateProxyServer=webproxy.abc.company.com
UpdateProxyPort=8080
MigrateSCA=1
enable-components=AWB_group,VS2017
VS_all_users=1
installdir=C:\Fortify

2. Save the options file in the same directory as the installer using the same name as the installation
file with the .options file extension.
For example, if the installer file name is: Fortify_SCA_and_Apps_<version>_windows_
x64.exe, then save your options file with the name Fortify_SCA_and_Apps_<version>_
windows_x64.exe.options.
3. Run the silent install command for your operating system:

Windows Fortify_SCA_and_Apps_<version>_windows_x64.exe --mode unattended

Linux ./Fortify_SCA_and_Apps_<version>_linux_x64.run --mode unattended

macOS You must uncompress the zip file before you run the command.
Fortify_SCA_and_Apps_<version>_osx_x64.app/Contents/
MacOS/installbuilder.sh --mode unattended --optionfile <full_
path_to_option_file>

Solaris ./Fortify_SCA_<version>_<platform>.run --mode unattended

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 28 of 210

User Guide
Chapter 2: Installing Fortify Static Code Analyzer

Installing Fortify Static Code Analyzer and Applications in Text-

Based Mode on Non-Windows Platforms
You perform a text-based installation on the command line. During the installation, you are prompted
for information required to complete the installation. Text-based installations are not supported on
Windows systems.
To perform a text-based installation of Fortify Static Code Analyzer and Applications, run the text-
based install command for your operating system as listed in the following table.

Linux ./Fortify_SCA_and_Apps_<version>_linux_x64.run --mode text

macOS You must uncompress the provided zip file before you run the command.

Fortify_SCA_and_Apps_<version>_osx_x64.app/Contents/
MacOS/installbuilder.sh --mode text

Solaris ./Fortify_SCA_<version>_<platform>.run --mode unattended

Manually Installing Fortify Security Content

You can install Micro Focus Fortify Software Security Content (Secure Coding Rulepacks and
metadata) automatically during the Windows installation procedure. However, you can also download
Fortify Security Content from the Fortify Rulepack update server, and then use the fortifyupdate utility
to install it. This option is provided for installations on non-Windows platforms and for deployment
environments that do not have access to the Internet during installation.
Use the fortifyupdate utility to install Fortify Security Content from either a remote server or a locally
downloaded file.
To install security content:
1. Open a command window.
2. Navigate to the <sca_install_dir>/bin directory.
3. At the command prompt, type fortifyupdate.
If you have previously downloaded the Fortify Security Content from the Fortify Customer Portal,
run fortifyupdate with the -import option and the path to the directory where you
downloaded the zip file.
You can also use this same utility to update your security content. For more information about the
fortifyupdate utility, see "Updating Security Content" on page 125.

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 29 of 210

User Guide
Chapter 2: Installing Fortify Static Code Analyzer

About Upgrading Fortify Static Code Analyzer and

Applications
To upgrade Fortify Static Code Analyzer and Applications, you can either:
l Uninstall the existing version and then install the new version
l Install the new version without uninstalling the existing version. You can have multiple versions of

Fortify Static Code Analyzer installed on the same system.

If you have multiple versions installed on the same system, the most recently installed version is
invoked when you run the command from the command line. Scanning source code from the Secure
Code Plugins also uses the most recently installed version of Fortify Static Code Analyzer.
When you install the new version, you are asked if you want to migrate settings from a previous
installation. This migration preserves Fortify Static Code Analyzer artifact files.

Notes About Upgrading the Fortify Extension for Visual Studio

If you have administrative privileges and are upgrading from a previous version of the Fortify Static
Code Analyzer for any supported version of Visual Studio, the installer will overwrite the existing Micro
Focus Fortify Extension for Visual Studio. If the previous version was installed without administrative
privileges, the installer will also overwrite the existing Fortify Extension for Visual Studio without
requiring administrative privileges.

Note: If you do not have administrative privileges and you are upgrading the Fortify Extension for
Visual Studio 2015 or 2017 that was previously installed using an administrative privileged user
account, you must first uninstall the Fortify Extension for Visual Studio from Visual Studio 2015 or
2017 using an administrative privilege account.

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 30 of 210

User Guide
Chapter 2: Installing Fortify Static Code Analyzer

About Uninstalling Fortify Static Code Analyzer and

Applications
This section describes how to uninstall Fortify Static Code Analyzer and Applications. You can use the
standard install wizard or you can perform the uninstallation silently. You can also perform a text-based
uninstallation on non-Windows systems.

Uninstalling Fortify Static Code Analyzer and Applications

Uninstalling on Windows Platforms
To uninstall the Fortify Static Code Analyzer and applications software:
1. Select Start > Control Panel > Add or Remove Programs.
2. From the list of programs, select Fortify SCA and Applications <version>, and then click
Remove.
3. You are prompted to indicate whether to remove all application settings. Do one of the following:
l Click Yes to remove the application setting folders for the tools associated with the version of

Fortify Static Code Analyzer that you are uninstalling. The Fortify Static Code Analyzer
(sca<version>) folder is not removed.
l Click No to retain the application settings on your system.
Uninstalling on Other Platforms
To uninstall Fortify Static Code Analyzer software on macOS, Unix, and Linux platforms:
1. Back up your configuration, including any important files you have created.
2. Run the uninstall command located in the <sca_install_dir> for your operating system:
Unix or Linux Uninstall_FortifySCAandApps_<version>.exe

macOS Uninstall_FortifySCAandApps_<version>.app

3. You are prompted to indicate whether to remove all application settings. Do one of the following:
l Click Yes to remove the application setting folders for the tools associated with the version of

Fortify Static Code Analyzer that you are uninstalling. The Fortify Static Code Analyzer
(sca<version>) folder is not removed.
l Click No to retain the application settings on your system.

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 31 of 210

User Guide
Chapter 2: Installing Fortify Static Code Analyzer

Uninstalling Fortify Static Code Analyzer and Applications Silently

To uninstall Fortify Static Code Analyzer silently:
1. Navigate to the installation directory.
2. Type one of the following commands based on your operating system:

Windows Uninstall_FortifySCAandApps_<version>.exe --mode unattended

Unix or ./Uninstall_FortifySCAandApps_<version>.run --mode unattended

Linux

macOS Uninstall_FortifySCAandApps_
<version>.app/Contents/MacOS/installbuilder.sh
--mode unattended

Note: The uninstaller removes the application setting folders associated with the version of Fortify
Static Code Analyzer that you are uninstalling.

Uninstalling Fortify Static Code Analyzer and Applications in

Text-Based Mode on Non-Windows Platforms
To uninstall Fortify Static Code Analyzer in text-based mode, run the text-based install command for
your operating system, as follows:
1. Navigate to the installation directory.
2. Type one of the following commands based on your operating system:

Unix or ./Uninstall_FortifySCAandApps_<version>.run --mode text

Linux

macOS Uninstall_FortifySCAandApps_
<version>.app/Contents/MacOS/installbuilder.sh --mode text

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 32 of 210

User Guide
Chapter 2: Installing Fortify Static Code Analyzer

Post-Installation Tasks
Post-installation tasks prepare you to start using Fortify Static Code Analyzer and tools.

Running the Post-Install Tool

To run the Fortify Static Code Analyzer post-install tool:
1. Navigate to the bin directory from the command line.
2. At the command prompt, type scapostinstall.
3. Type one of the following:
l To display settings, type s.
l To return to a previous prompt, type r.
l To exit the tool, type q.

Migrating Properties Files

To migrate properties files from a previous version of Fortify Static Code Analyzer to the current
version of Fortify Static Code Analyzer installed on your system:
1. Navigate to the bin directory from the command line.
2. At the command prompt, type scapostinstall.
3. Type 1 to select Migration.
4. Type 1 to select SCA Migration.
5. Type 1 to select Migrate from an existing Fortify installation.
6. Type 1 to select Set previous Fortify installation directory.
7. Type the previous install directory.
8. Type s to confirm the settings.
9. Type 2 to perform the migration.
10. Type y to confirm.

Specifying a Locale
English is the default locale for a Fortify Static Code Analyzer installation.
To change the locale for your Fortify Static Code Analyzer installation:
1. Navigate to the bin directory from the command line.
2. At the command prompt, type scapostinstall.
3. Type 2 to select Settings.

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 33 of 210

User Guide
Chapter 2: Installing Fortify Static Code Analyzer

4. Type 1 to select General.

5. Type 1 to select Locale.
6. Type one of the following locale codes:
l English: en
l Spanish: es
l Japanese: ja
l Korean: ko
l Brazilian Portuguese: pt_BR
l Simplified Chinese: zh_CN
l Traditional Chinese: zh_TW

Configuring for Security Content Updates

Specify how you want to obtain Micro Focus Fortify Software Security Content. You must also specify
proxy information if it is required to reach the server.
To specify settings for Fortify Security Content updates:
1. Navigate to the bin directory from the command line.
2. At the command prompt, type scapostinstall.
3. Type 2 to select Settings.
4. Type 2 to select Fortify Update.
5. To change the Fortify Rulepack update server URL, type 1 and then type the URL.
The default Fortify Rulepack update server URL is https://update.fortify.com.
6. To specify a proxy for Fortify Security Content updates, do the following:
a. Type 2 to select Proxy Server Host, and then type the name of the proxy server.
b. Type 3 to select Proxy Server Port, and then type the proxy server port number.
c. (Optional) You can also specify the proxy server user name (option 4) and password
(option 5).

Configuring the Connection to Fortify Software Security Center

Specify how to connect to Micro Focus Fortify Software Security Center. If your network uses a proxy
server to reach the Fortify Software Security Center server, you must specify the proxy information.
To specify settings for connecting to Fortify Software Security Center:
1. Navigate to the bin directory from the command line.
2. At the command prompt, type scapostinstall.
3. Type 2 to select Settings.
4. Type 3 to select Software Security Center Settings.

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 34 of 210

User Guide
Chapter 2: Installing Fortify Static Code Analyzer

5. Type 1 to select Server URL, and then type the Fortify Software Security Center server URL.
For example, https://mywebserver/ssc.
6. To specify proxy settings for the connection, do the following:
a. Type 2 to select Proxy Server, and then type the proxy server path.
b. Type 3 to select Proxy Server Port, and then type the proxy server port number.
c. To specify the proxy server username and password, use option 4 for the username and
option 5 for the password.
7. (Optional) You can also specify the following:
l Whether to update security content from your Fortify Software Security Center server

(option 6)
l The Fortify Software Security Center user name (option 7)

Removing Proxy Server Settings

If you previously specified proxy server settings for the Fortify Security Content update server or Micro
Focus Fortify Software Security Center and it is no longer required, you can remove these settings.
To remove the proxy settings for Fortify Security Content updates or Fortify Software Security Center:
1. Navigate to the bin directory from the command line.
2. At the command prompt, type scapostinstall.
3. Type 2 to select Settings.
4. Type 2 to select Fortify Update or type 3 to select Software Security Center Settings.
5. Type the number that corresponds to the proxy setting you want to remove, and then type -
(hyphen) to remove the setting.
6. Repeat step 5 for each proxy setting you want to remove.

Registering ASP.NET Applications

If you are using the .NET Framework, you might need to register ASP.NET applications. If the Internet
Information Services (IIS) server is installed first, then ASP.NET 4 is automatically registered with IIS
when the .NET Framework is installed; otherwise, you must register.
To register the ASPNET user, run the following command:

aspnet_regiis -i
Find this command in the .NET Framework installation directory. For example, it is often located in:

C:\Windows\Microsoft.NET\Framework64\v4.0.30319

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 35 of 210

Chapter 3: Analysis Process Overview
This section contains the following topics:
Analysis Process 36
Translation Phase 37
Mobile Build Sessions 38
Analysis Phase 39
Translation and Analysis Phase Verification 40

Analysis Process
There are four distinct phases that make up the analysis process:
1. Build Integration—Choose whether to integrate Fortify Static Code Analyzer into your build tool.
For descriptions of build integration options, see "Integrating into a Build" on page 94.
2. Translation—Gathers source code using a series of commands and translates it into an
intermediate format associated with a build ID. The build ID is usually the name of the project you
are translating. For more information, see "Translation Phase" on the next page.
3. Analysis—Scans source files identified in the translation phase and generates an analysis results
file (typically in the Fortify Project Results (FPR) format). FPR files have the .fpr file extension.
For more information, see "Analysis Phase" on page 39.
4. Verification of translation and analysis—Verifies that the source files were scanned using the
correct Rulepacks and that no errors were reported. For more information, see "Translation and
Analysis Phase Verification" on page 40.
The following is an example of the sequence of commands you use to translate and analyze code:

sourceanalyzer -b <build_id> -clean

sourceanalyzer -b <build_id> ...
sourceanalyzer -b <build_id> -scan -f <results>.fpr

The three commands in the previous example illustrates the following steps in the analysis process:
1. Remove all existing Fortify Static Code Analyzer temporary files for the specified build ID.
Always begin an analysis with this step to analyze a project with a previously used build ID.
2. Translate the project code.
This step can consist of multiple calls to sourceanalyzer with the same build ID.
3. Analyze the project code and produce the Fortify Project Results file (FPR).

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 36 of 210

User Guide
Chapter 3: Analysis Process Overview

Parallel Processing
Fortify Static Code Analyzer runs in parallel analysis mode to reduce the scan time of large projects. This
takes advantage of all CPU cores available on your system. When you run Fortify Static Code Analyzer,
avoid running other substantial processes during the Fortify Static Code Analyzer execution because it
expects to have the full resources of your hardware available for the scan.

Translation Phase
To successfully translate a project that is normally compiled, make sure that you have any dependencies
required to build the project available. The chapters for each source code type describe any specific
requirements.
The basic command-line syntax to perform the first step of the analysis process, file translation, is:

sourceanalyzer -b <build_id> ... <files>

or

sourceanalyzer -b <build_id> ... <compiler_command>

The translation phase consists of one or more invocations of Fortify Static Code Analyzer using the
sourceanalyzer command. Fortify Static Code Analyzer uses a build ID (-b option) to tie the
invocations together. Subsequent invocations of sourceanalyzer add any newly specified source or
configuration files to the file list associated with the build ID.
After translation, you can use the -show-build-warnings directive to list any warnings and errors
that occurred in the translation phase:

sourceanalyzer -b <build_id> -show-build-warnings

To view the files associated with a particular build ID, use the -show-files directive:

sourceanalyzer -b <build_id> -show-files

The following chapters describe how to translate different types of source code:
l "Translating Java Code" on page 41
l "Translating .NET Code" on page 49
l "Translating C and C++ Code" on page 57
l "Translating JavaScript Technologies" on page 59
l "Translating Python Code" on page 63
l "Translating Code for Mobile Platforms" on page 67
l "Translating Ruby Code" on page 70
l "Translating Apex and Visualforce Code" on page 72

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 37 of 210

User Guide
Chapter 3: Analysis Process Overview

l "Translating COBOL Code" on page 75

l "Translating Other Languages" on page 78

Mobile Build Sessions

With a Fortify Static Code Analyzer mobile build session (MBS), you can translate a project on one
machine and scan it on another. A mobile build session (MBS file) includes all the files needed for the
analysis phase. To improve scan time, you can perform the translation on the original computer and
then move the build session (MBS file) to a better equipped computer for the scan. The developers can
run translations on their own computers and use only one powerful computer to run large scans.
You must have the Fortify Security Content (Rulepacks) installed on both the system where you are
performing the translation and the system where you are performing the analysis.

Mobile Build Session Version Compatibility

The Fortify Static Code Analyzer version on the translate machine must be compatible with the Fortify
Static Code Analyzer version on the analysis machine. The version number format is:
major.minor.patch.buildnumber (for example, 19.1.0.0240). The major and minor portions of the Fortify
Static Code Analyzer version numbers on both the translation and the analysis machines must match.
For example, 19.1.0 and 19.1.x are compatible.

Note: Before version 16.10, the major portion of the Fortify Static Code Analyzer version number
was not the same as the Micro Focus Fortify Software Security Center version number.

To determine the Fortify Static Code Analyzer version number, type sourceanalyzer -version on
the command line.

Creating a Mobile Build Session

On the machine where you performed the translation, issue the following command to generate a
mobile build session:

sourceanalyzer -b <build_id> -export-build-session <file>.mbs

where <file>.mbs is the file name you provide for the Fortify Static Code Analyzer mobile build
session.

Importing a Mobile Build Session

After you move the <file>.mbs file to the machine where you want to perform the scan, import the
mobile build session into the Fortify Static Code Analyzer project root directory.

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 38 of 210

User Guide
Chapter 3: Analysis Process Overview

Note: If necessary, you can obtain the build ID and Fortify Static Code Analyzer version from an
MBS file with the following command:

sourceanalyzer -import-build-session <file>.mbs

-Dcom.fortify.sca.ExtractMobileInfo=true

To import the mobile build session, type the following command:

sourceanalyzer -import-build-session <file>.mbs

After you import your Fortify Static Code Analyzer mobile build session, you can proceed to the
analysis phase. Perform a scan with the same build ID that was used in the translation.
You cannot merge multiple mobile build sessions into a single MBS file. Each exported build session
must have a unique build ID. However, after all of the build IDs are imported on the same Fortify Static
Code Analyzer installation, you can scan multiple build IDs in one scan with the -b option (see "Analysis
Phase" below).

Analysis Phase
The analysis phase scans the intermediate files created during translation and creates the vulnerability
results file (FPR).
The analysis phase consists of one invocation of sourceanalyzer. You specify the build ID and
include the -scan directive with any other required analysis or output options (see "Analysis Options"
on page 113 and "Output Options" on page 116).
An example of the basic command-line syntax for the analysis phase is:

sourceanalyzer -b <build_id> -scan -f results.fpr

Note: By default, Fortify Static Code Analyzer includes the source code in the FPR file.

To combine multiple builds into a single scan command, add the additional builds to the command line:

sourceanalyzer -b <build_id1> -b <build_id2> -b <build_id3> -scan -f

results.fpr

Incremental Analysis
With incremental analysis, you can run a full analysis on a project, and then run subsequent incremental
scans to analyze only the code that changed since the initial full scan. This reduces the scan time for
subsequent incremental scans on the project.
Incremental analysis supports the Configuration and the Semantic analyzers. You can run incremental
analysis on projects written in the following languages: Java, C/C++, C#, and Visual Basic.

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 39 of 210

User Guide
Chapter 3: Analysis Process Overview

When you use incremental analysis, consider the following:

l You must use the same build ID that you used in the initial complete analysis in all subsequent
incremental scans.
l When you specify the same FPR file name for the initial complete scan and the subsequent scans, all

issues are automatically merged with the previous scan.

When Fortify Static Code Analyzer merges the issue results, issues fixed in prior incremental scans
are shown as removed, existing issues are shown as updated, and any new issues are shown as new.
Otherwise all the issues found in the subsequent scan are shown as new and there is no record of
previously fixed issues or existing issues. For more information about viewing results by these
groupings in Micro Focus Fortify Audit Workbench, see the Micro Focus Fortify Audit Workbench
User Guide.
To use incremental analysis, translate the code, and then run the initial full scan with the
-incremental-base option. For example:

sourceanalyzer -b <build_id> ...

sourceanalyzer -b <build_id> -scan -incremental-base -f <results>.fpr

After you modify the project source code, translate the entire project, and then run any subsequent
scans with the -incremental option. Specify the same <build_id> that you specified in the initial full
scan. For example: 

sourceanalyzer -b <build_id> ...

sourceanalyzer -b <build_id> -scan -incremental -f <results>.fpr

Translation and Analysis Phase Verification

Micro Focus Fortify Audit Workbench result certification indicates whether the code analysis from a
scan is complete and valid. The project summary in Fortify Audit Workbench shows the following
specific information about Fortify Static Code Analyzer scanned code:
l List of files scanned, with file sizes and timestamps
l Java class path used for the translation (if applicable)
l Rulepacks used for the analysis
l Fortify Static Code Analyzer runtime settings and command-line options
l Any errors or warnings encountered during translation or analysis
l Machine and platform information
Note: To obtain result certification, you must specify FPR for the analysis phase output format.

To view result certification information, open the FPR file in Fortify Audit Workbench and select Tools
> Project Summary > Certification. For more information, see the Micro Focus Fortify Audit
Workbench User Guide.

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 40 of 210

Chapter 4: Translating Java Code
This section contains the following topics:
Java Command-Line Syntax 41
Handling Resolution Warnings 44
Using FindBugs 45
Translating Java EE Applications 46
Translating Java Bytecode 47
Troubleshooting JSP Translation Issues 47

Java Command-Line Syntax

To translate Java code, all types defined in a library that are referenced in the code must have a
corresponding definition in the source code, a class file, or a JAR file. Include all source files on the
Fortify Static Code Analyzer command line.
The basic command-line syntax to translate Java code is shown in the following example:

sourceanalyzer -b <build_id> -cp <classpath> <files>

With Java code, Fortify Static Code Analyzer can either:

l Emulate the compiler, which might be convenient for build integration
l Accept source files directly, which is more convenient for command-line scans

For information about integrating Fortify Static Code Analyzer with Ant, see "Ant Integration" on
page 96.
To have Fortify Static Code Analyzer emulate the compiler, type:

sourceanalyzer -b <build_id> javac [<translation_options>]

To pass files directly to Fortify Static Code Analyzer, type:

sourceanalyzer -b <build_id> -cp <classpath> [<translation_options>]

<files> | <file_specifiers>

where:
l <translation_options> are options passed to the compiler.
l -cp <classpath> specifies the class path to use for the Java source code.

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 41 of 210

User Guide
Chapter 4: Translating Java Code

A class path is the path that the Java runtime environment searches for classes and other resource
files. Include all JAR dependencies normally used to build the project. The format is the same as what
javac expects (colon- or semicolon-separated list of paths).
Similar to javac, Fortify Static Code Analyzer loads classes in the order they appear in the class path.
If there are multiple classes with the same name in the list, Fortify Static Code Analyzer uses the first
loaded class. In the following example, if both A.jar and B.jar include a class called
MyData.class, Fortify Static Code Analyzer uses the MyData.class from A.jar.

sourceanalyzer -cp A.jar:B.jar myfile.java

Fortify strongly recommends that you avoid using duplicate classes with the -cp option.
Fortify Static Code Analyzer loads JAR files in the following order:
a. From the -cp option
b. From jre/lib
c. From <sca_install_dir>/Core/default_jars
This enables you to override a library class by including the similarly-named class in a JAR specified
with the -cp option.
For a descriptions of all the available Java-specific command-line options, see "Java Command-Line
Options" below.

Java Command-Line Options

The following table describes the Java command-line options (for Java SE and Java EE).

Java/Java EE Option Description

-appserver Specifies the application server to process JSP files.

weblogic | websphere
Equivalent property name:
com.fortify.sca.AppServer

-appserver-home <path> Specifies the application server’s home.

l For WebLogic, this is the path to the directory that
contains the server/lib directory.
l For WebSphere, this is the path to the directory that

contains the JspBatchCompiler script.

Equivalent property name:
com.fortify.sca.AppServerHome

-appserver-version Specifies the version of the application server. See the Micro
<version> Focus Fortify Software System Requirements document for
supported versions.

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 42 of 210

User Guide
Chapter 4: Translating Java Code

Java/Java EE Option Description

Equivalent property name:

com.fortify.sca.AppServerVersion

-cp <paths> | Specifies the class path to use for analyzing Java source code.
-classpath <paths> The format is the same as javac: a colon- or semicolon-
separated list of directories. You can use Fortify Static Code
Analyzer file specifiers as shown in the following example:

-cp "build/classes:lib/*.jar"

For information about file specifiers, see "Specifying Files" on

page 122.
Equivalent property name:
com.fortify.sca.JavaClasspath

-extdirs <dirs> Similar to the javac extdirs option, accepts a colon- or

semicolon-separated list of directories. Any JAR files found in
these directories are included implicitly on the class path.
Equivalent property name:
com.fortify.sca.JavaExtdirs

-java-build-dir <dirs> Specifies one or more directories that contain compiled Java
sources. You must specify this for FindBugs results as
described in "Analysis Options" on page 113.

-source <version> |  Indicates the JDK version for which the Java code is written.
-jdk <version> See the Micro Focus Fortify Software System Requirements
document for supported versions. The default is Java 8.
Equivalent property name:
com.fortify.sca.JdkVersion

-sourcepath <paths> Specifies a colon- or semicolon-separated list of directories

that contain source code that is not included in the scan but is
used for name resolution. The source path is similar to class
path, except it uses source files instead of class files for
resolution. Only source files that are referenced by the target
file list are translated.
Equivalent property name:
com.fortify.sca.JavaSourcePath

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 43 of 210

User Guide
Chapter 4: Translating Java Code

Java Command-Line Examples

To translate a single file named MyServlet.java with javaee.jar as the class path, type:

sourceanalyzer -b MyServlet -cp lib/javaee.jar MyServlet.java

To translate all .java files in the src directory using all JAR files in the lib directory as a class path,
type:

sourceanalyzer -b MyProject -cp "lib/*.jar" "src/**/*.java"

To translate and compile the MyCode.java file with the javac compiler, type:

sourceanalyzer -b MyProject javac -classpath libs.jar MyCode.java

Handling Resolution Warnings

To see all warnings that were generated during translation, type the following command before you
start the scan phase:

sourceanalyzer -b <build_id> -show-build-warnings

Java Warnings
You might see the following warnings for Java:

Unable to resolve type...

Unable to resolve function...

Unable to resolve field...

Unable to locate import...

Unable to resolve symbol...

Multiple definitions found for function...

Multiple definitions found for class...

These warnings are typically caused by missing resources. For example, some of the .jar and .class
files required to build the application might not have been specified. To resolve the warnings, make sure
that you include all of the required files that your application uses.

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 44 of 210

User Guide
Chapter 4: Translating Java Code

Using FindBugs
FindBugs (http://findbugs.sourceforge.net) is a static analysis tool that detects quality issues in Java
code. You can run FindBugs with Fortify Static Code Analyzer and the results are integrated into the
analysis results file. Unlike Fortify Static Code Analyzer, which runs on Java source files, FindBugs runs
on Java bytecode. Therefore, before you run an analysis on your project, first compile the project and
produce the class files.
To see an example of how to run FindBugs automatically with Fortify Static Code Analyzer, compile the
sample code Warning.java as follows:
1. Go to the following directory:

<sca_install_dir>/Samples/advanced/findbugs

2. Type the following commands to compile the sample:

mkdir build

javac -d build Warning.java

3. Scan the sample with FindBugs and Fortify Static Code Analyzer as follows:

sourceanalyzer -b findbugs_sample -java-build-dir build Warning.java

sourceanalyzer -b findbugs_sample -scan -findbugs -f findbugs_

sample.fpr

4. Examine the analysis results in Micro Focus Fortify Audit Workbench:

auditworkbench findbugs_sample.fpr

The output contains the following issue categories:

l Bad casts of Object References (1)
l Dead local store (2)

l Equal objects must have equal hashcodes (1)

l Object model violation (1)

l Unwritten field (2)

l Useless self-assignment (2)

If you group by analyzer, you can see that the Structural Analyzer produced one issue and FindBugs
produced eight. The Object model violation issue Fortify Static Code Analyzer detected on line
25 is similar to the Equal objects must have equal hash codes issue that FindBugs detected.
In addition, FindBugs produces two sets of issues (Useless self-assignment and Dead local
store) about the same vulnerabilities on lines 6 and 7. To avoid overlapping results, use the -filter
option during the scan to apply the filter.txt filter file. Note that the filtering is not complete

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 45 of 210

User Guide
Chapter 4: Translating Java Code

because each tool filters at a different level of granularity. To see how to avoid overlapping results, scan
the sample code using filter.txt as follows:

sourceanalyzer -b findbugs_sample -scan -findbugs -filter filter.txt

-f findbugs_sample.fpr

Translating Java EE Applications

To translate Java EE applications, Fortify Static Code Analyzer processes Java source files and
Java EE components such as JSP files, deployment descriptors, and configuration files. While you can
process all the pertinent files in a Java EE application in one step, your project might require that you
break the procedure into its components for integration in a build process or to meet the needs of
various stakeholders in your organization.

Translating the Java Files

To translate Java EE applications, use the same procedure used to translate Java files. For examples, see
"Java Command-Line Examples" on page 44.

Translating JSP Projects, Configuration Files, and Deployment

Descriptors
In addition to translating the Java files in your Java EE application, you might also need to translate JSP
files, configuration files, and deployment descriptors. Your JSP files must be part of a Web Application
Archive (WAR). If your source directory is already organized in a WAR layout, you can translate the JSP
files directly from the source directory. If not, you might need to deploy your application and translate
the JSP files from the deployment directory.
For example:

sourceanalyzer -b <build_id> "/**/*.jsp" "/**/*.xml"

where /**/*.jsp refers to the location of your JSP project files and /**/*.xml refers to the location
of your configuration and deployment descriptor files.

Java EE Translation Warnings

You might see the following warning in the translation of Java EE applications:

Could not locate the root (WEB-INF) of the web application. Please build
your web application and try again. Failed to parse the following jsp
files:

<list_of_jsp_files>

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 46 of 210

User Guide
Chapter 4: Translating Java Code

This warning indicates that your web application is not deployed in the standard WAR directory format
or does not contain the full set of required libraries. To resolve the warning, make sure that your web
application is in an exploded WAR directory format with the correct WEB-INF/lib and
WEB-INF/classes directories containing all of the .jar and .class files required for your
application. Also verify that you have all of the TLD files for all of your tags and the corresponding JAR
files with their tag implementations.

Translating Java Bytecode

In addition to translating source code, you can translate the bytecode in your project. You must specify
two configuration properties and include the bytecode files in the Fortify Static Code Analyzer
translation phase.
For best results, Fortify recommends that the bytecode be compiled with full debug information
(javac -g).
Fortify recommends that you do not translate Java bytecode and JSP/Java code in the same call to
sourceanalyzer. Use multiple invocations of sourceanalyzer with the same build ID to translate a
project that contains both bytecode and JSP/Java code.
To include bytecode in the Fortify Static Code Analyzer translation:
1. Add the following properties to the fortify-sca.properties file (or include these properties
on the command line using the -D option):
com.fortify.sca.fileextensions.class=BYTECODE
com.fortify.sca.fileextensions.jar=ARCHIVE

This specifies how Fortify Static Code Analyzer processes .class and .jar files.
2. In the Fortify Static Code Analyzer translation phase, specify the Java bytecode files that you want
to translate. For best performance, specify only the .jar or .class files that require scanning.
In the following example, the .class files are translated:

sourceanalyzer -b MyProject -cp "lib/*.jar" "src/**/*.class"

Troubleshooting JSP Translation Issues

Fortify Static Code Analyzer uses either the built-in compiler or your specific application server JSP
compiler to translate JSP files into Java files for analysis. If the JSP parser encounters problems when
Fortify Static Code Analyzer converts JSP files to Java files, you will see a message similar to the
following:

Failed to translate the following jsps into analysis model. Please see the
log file for any errors from the jsp parser and the user manual for hints
on fixing those
<list_of_jsp_files>

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 47 of 210

User Guide
Chapter 4: Translating Java Code

This typically happens for one or more of the following reasons:

l The web application is not laid out in a proper deployable WAR directory format
l You are missing some JAR files or classes required for the application

l You are missing some tag libraries or their definitions (TLD) for the application

To obtain more information about the problem, perform the following steps:
1. Open the Fortify Static Code Analyzer log file in an editor.
2. Search for the strings Jsp parser stdout: and Jsp parser stderr:.
The JSP parser generates these errors. Resolve the errors and rerun Fortify Static Code Analyzer.
For more information about scanning Java EE applications, see "Translating Java EE Applications" on
page 46.

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 48 of 210

Chapter 5: Translating .NET Code
This chapter describes how to use Fortify Static Code Analyzer to translate .NET and
ASP.NET applications built with Visual Studio or MSBuild. Fortify Static Code Analyzer analyzes code
written in C#, VB.NET, and ASP.NET (including .cshtml, .vbhtml, and .xaml files). See the Micro
Focus Fortify Software System Requirements document for supported source code languages and
versions of Visual Studio.
This section contains the following topics:
About Translating .NET Code 49
.NET Command-Line Syntax 50
Translating .NET Binaries 51
Handling Translation Errors 55

About Translating .NET Code

There are four different methods of translating .NET applications.
l Use the Micro Focus Fortify Extension for Visual Studio to translate and analyze your project or
solution directly from the Visual Studio IDE. See the Micro Focus Fortify Extension for Visual Studio
User Guide for more information.
l Use Fortify Static Code Analyzer build integrations to translate and analyze your project or solution
from the command line (see".NET Command-Line Syntax" on the next page).
l Include Fortify Static Code Analyzer as part of your MSBuild project. You can either:
l Use touchless MSBuild integration to launch Fortify Static Code Analyzer as part of your MSBuild

project. For more information, see "Using the Touchless MSBuild Integration" on page 101.
l Add custom tasks to your MSBuild project to invoke Fortify Static Code Analyzer. For
information, see "Adding Custom Tasks to your MSBuild Project" on page 102.
l Use the Fortify Static Code Analyzer command line to translate binaries (see "Translating .NET
Binaries" on page 51. With this method, you must provide all the needed information with the
.NET options (see "Binary .NET Translation Command-Line Options" on page 52).
Important! Fortify strongly recommends that you use either the Micro Focus Fortify Extension for
Visual Studio from the IDE , the Fortify Static Code Analyzer build integrations, or MSBuild
touchless integration because these are the only three methods where Fortify Static Code Analyzer
automatically detects all the project information for the best translation of your project or solution.
Fortify Static Code Analyzer does not automatically detect all required project information if you
use custom MSBuild tasks or translate binaries. Therefore, for these two methods you must provide
all the necessary information by specifying appropriate command-line options (see "Binary .NET

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 49 of 210

User Guide
Chapter 5: Translating .NET Code

Translation Command-Line Options" on page 52) or custom MSBuild task parameters (see

"Fortify.TranslateTask" on page 104).

Fortify recommends that you translate complete .NET projects. To prepare your application for analysis,
you need:
l All the C#, VB.NET, and ASP.NET source files
The supported types of ASP.NET files are: ASPX, ASCX, ASAX, ASHX, ASMX, AXML, BAML,
CSHTML, Master, VBHTML, and XAML.
l All reference DLLs used by your project.
This includes those from the .NET framework, NuGet packages, and third-party DLLs.
Important! The first time you translate a .NET Core, an ASP.NET Core, a .NET Standard, or a .NET
Portable project, run the dotnet restore command from the Developer Command Prompt for
Visual Studio first to ensure that all the necessary reference libraries are installed locally.

Note: Fortify Static Code Analyzer does not support .NET Core 1.0 projects that use
project.json and <project_name>.xproj configuration files. If your .NET Core 1.0 project
contains these files, do one of the following before Fortify Static Code Analyzer translation:
l Convert project.json and .xproj files to the .csproj format
l Migrate your project to .NET Core 1.1 or later

.NET Command-Line Syntax

You can translate your .NET projects or solutions from the command line by wrapping the build
command with an invocation of Fortify Static Code Analyzer.
The following examples demonstrate the command-line syntax to translate a solution called
Sample1.sln with devenv and MSBuild commands:

sourceanalyzer -b <build_id> devenv Sample1.sln /rebuild

sourceanalyzer -b <build_id> msbuild /t:rebuild Sample1.sln

Note: Fortify Static Code Analyzer converts devenv invocations and command-line options to
MSBuild invocations, and therefore the previous two command lines examples are actually
equivalent.

This performs the translation phase on all files built with Visual Studio or MSBuild.
You must run the devenv command-line example from the Developer Command Prompt for Visual
Studio. You can run the MSBuild command-line example from the Developer Command Prompt for
Visual Studio or from the Windows Command Prompt, except for Xamarin projects. When you run from
the Windows Command Prompt, the path to the MSBuild executable must be included in your PATH
environment variable.

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 50 of 210

User Guide
Chapter 5: Translating .NET Code

Important! You must translate Xamarin projects from Developer Command Prompt for Visual
Studio even if you use MSBuild integration.

You can then perform the analysis phase, as shown in the following example:

sourceanalyzer -b <build_id> -scan -f <results>.fpr

If you are scanning a .NET solution that builds more than one executable, Fortify recommends that you
scan each executable separately after the solution is translated. To do this, use the -binary-name
option and specify the executable (file name or assembly name) as the parameter (see "Analysis
Options" on page 113).

Translating .NET Binaries

To translate binaries instead of source files, completely rebuild your project with the Debug
configuration option enabled. Make sure PDB files are available for the binaries you intend to translate.
To translate binaries from a simple .NET project or solution, which does not contain multiple sub-
projects, run Fortify Static Code Analyzer from the command line as follows:

sourceanalyzer -b <build_id> -dotnet-version <version> -libdirs <libs>

<project_binaries> <project_aspnet_pages>

Note: You can improve translation by providing information using the command-line options
described in "Binary .NET Translation Command-Line Options" on the next page.

If your project contains multiple sub-projects, you must translate built from each sub-project separately.

Important! Do not translate binaries from all or multiple sub-projects with a single Fortify Static
Code Analyzer invocation.
To scan all sub-projects together after the translation, use the same build ID when you translate
binaries from each sub-project, as follows:

sourceanalyzer -dotnet-version <version> -b <build_id>

-libdirs <paths> <project_1_binaries> <project_1_aspnet_pages>
...
sourceanalyzer -dotnet-version <version> -b <build_id>
-libdirs <paths> <project_n_binaries> <project_n_aspnet_pages>
where <project_1_binaries> represents binaries built from the first sub-project inside your
main project or solution, <project_1_aspnet_pages> represents ASP.NET pages that belong to the
first sub-project, and so on.

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 51 of 210

User Guide
Chapter 5: Translating .NET Code

Binary .NET Translation Command-Line Options

The following table describes the .NET command-line options used only for translating binaries (see
"Translating .NET Binaries" on the previous page).

.NET Option Description

-dotnet-version Specifies the .NET framework version. See the Micro Focus Fortify
<version> Software System Requirements for a list of supported versions. If you
specify a value outside the supported version range, Fortify Static Code
Analyzer uses the latest supported version. This adds the location of the
.NET framework libraries (DLLs) for the specified .NET framework version
to the list of DLLs/paths specified by the -libdirs option, unless the –
libdirs-only option is specified.
Equivalent property name:
com.fortify.sca.DotnetVersion

-dotnet-core- Specifies the .NET Core version. This adds the location of .NET framework
version <version> libraries (DLLs) for the specified .NET framework version to the list of
DLLs/paths specified by the -libdirs option, unless the -libdirs-only
option is specified.
Equivalent property name:
com.fortify.sca.DotnetCoreVersion

-dotnet-std- Specifies the .NET Standard version. This adds the location of .NET
version <version> framework libraries (DLLs) for the specified .NET framework version to the
list of DLLs/paths specified by the -libdirs option, unless the
-libdirs-only option is specified.
Equivalent property name:
com.fortify.sca.DotnetStdVersion

-libdirs <dlls> Specifies a semicolon-separated list of directories where referenced system

| <paths> or third-party DLLs are located. You can also specify paths to specific DLLs
with this option.
Equivalent property name:
com.fortify.sca.DotnetLibdirs

-libdirs-only Sets the list of directories or paths to only those specified by the -libdirs
option. Otherwise, Fortify Static Code Analyzer includes the location of the
.NET framework libraries (DLLs) that correspond to the .NET framework

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 52 of 210

User Guide
Chapter 5: Translating .NET Code

.NET Option Description

version specified with the –dotnet-version option.

Equivalent property name:
com.fortify.sca.DotnetLibdirsOnly

-dotnet-output- Specifies the output directory where the binary (EXE or DLL) built from the
dir <path> project is placed.
Equivalent property name:
com.fortify.sca.DotnetOutputDir

-nuget-cache-dir (.NET Core and .NET Standard projects only) Overrides the default path
<path> to the NuGet cache directory. You might need this option when you
translate .NET Core or .NET Standard projects and a custom location for
the NuGet cache is specified in project settings. The default path is the
.nuget/packages folder in the current user’s home directory (Windows
environment variable: USERPROFILE).
Equivalent property name:
com.fortify.sca.NugetCacheDir

-dotnetwebroot (.NET Web projects only) Specifies the home directory of an ASP.NET

<root_dir> project.
Equivalent property name:
com.fortify.sca.DotnetWebRoot

-dotnet-website (.NET Web projects only) Indicates that the project is an ASP.NET

website.

Note: Do not specify this option for ASP.NET Web Applications or any
other kind of ASP.NET project except Website.

Equivalent property name:

com.fortify.sca.WebSiteProject

-dotnet-applibs (.NET Web projects only) Specifies a semicolon-separated list of

<dlls> additional reference DLLs needed to translate ASP.NET pages. Typically,
these are the application assemblies built from the source code of the same
sub-project to which target ASP.NET pages belong.
Equivalent property name:
com.fortify.sca.DotnetWebAppLibs

-aspnetcore (.NET Web projects only) Indicates a web project (ASP.NET or ASP.NET

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 53 of 210

User Guide
Chapter 5: Translating .NET Code

.NET Option Description

Core) that targets the .NET Core or .NET Standard framework.

Equivalent property name:
com.fortify.sca.AspNetCore

-dotnet-assembly- Specifies the name of the target .NET assembly as specified in Visual Studio
name <assembly_ project settings.
name>
Equivalent property name:
com.fortify.sca.DotnetAssemblyName

-dotnet-preproc- Specifies a semicolon-separated list of preprocessor symbols used in

symbols <symbols> building the project binaries. For example:

-dotnet-preproc-symbols "DEBUG;TRACE"

Equivalent property name:

com.fortify.sca.DotnetPreprocessorSymbols

-cs-extern-alias (C# projects only) Specifies a list of external aliases for a specified DLL file
<aliases_path_ in the following format: alias1,alias2,..=<path_to_dll>. If multiple
pairs> DLLs are assigned external aliases, specify multiple -cs-extern-alias
options on the command line.
Equivalent property name:
com.fortify.sca.DotnetAlias

-vb-compile- (VB.NET projects only) Specifies any special compilation options used in
options <compile_ building the project binaries, such as OptionStrict, OptionInfer, and
options> OptionExplicit.
The format for <compile_options> is a comma-separated list of:
<option>=On | Off. For example:

-vb-compile-options
"OptionStrict=On,OptionExplicit=Off"

Equivalent property name:

com.fortify.sca.VBCompileOptions

-vb-imports (VB.NET projects only) Specifies a semicolon-separated list of

<namespaces> namespaces imported for the entire project.
Equivalent property name:
com.fortify.sca.VBGlobalImports

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 54 of 210

User Guide
Chapter 5: Translating .NET Code

.NET Option Description

-vb-mytype (VB.NET projects only) Specifies the value for the _MYTYPE preprocessor
<symbol> symbol that is specified in the <MyType> tag in the project settings. This is
required if the project references My namespace.
Equivalent property name:
com.fortify.sca.VBMyType

-vb-root (VB.NET and Silverlight projects only) Specifies the root namespace for
<namespace> the project as specified in Visual Studio project settings.
Equivalent property name:
com.fortify.sca.VBRootNamespace

-xamarin-android- (Required for Xamarin.Android projects) Specifies the target Android

version <version> SDK version for Xamarin Android projects. If you specify an Android
SDK version that is not available, Fortify Static Code Analyzer uses the
latest installed version. This adds Xamarin.Android reference libraries
(DLLs) for the specified Android SDK version to the list of DLLs/paths
specified by the -libdirs option, unless the -libdirs-only option is
included.
Equivalent property name:
com.fortify.sca.XamarinAndroidVersion

-xamarin-ios- (Required for Xamarin.iOS projects) Specifies the target iOS SDK version
version <version> for Xamarin iOS projects. If you specify an iOS SDK version that is not
available, Fortify Static Code Analyzer uses the latest installed version. This
adds Xamarin.iOS reference libraries (DLLs) for the specified iOS SDK
version to the list of DLLs/paths specified by the -libdirs option, unless
the -libdirs-only option is included.
Equivalent property name:
com.fortify.sca.XamariniOSVersion

Handling Translation Errors

To see all warnings that Fortify Static Code Analyzer generated during translation, type the following
command before you start the scan phase:

sourceanalyzer -b <build_id> -show-build-warnings

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 55 of 210

User Guide
Chapter 5: Translating .NET Code

.NET Translation Errors

You might see the following error for .NET:

Translator execution failed. Please consult the Troubleshooting section of

the User Manual. Translator returned status <large_negative_number>

This error indicates that Fortify Static Code Analyzer could not successfully translate of all the source
files in your project. Rerun the translation with the -debug-verbose option and provide the Fortify
Support log to Micro Focus Fortify Customer Support for investigation.

ASP.NET Errors
Any error reported for ASP.NET translation is prefixed with ASP.Net Translation: and is followed
by detailed information about the error. This error indicates that Fortify Static Code Analyzer could not
successfully translate all the ASP.NET pages in your project. Report this issue to Micro Focus Fortify
Customer Support for investigation.

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 56 of 210

Chapter 6: Translating C and C++ Code
This section contains the following topics:
C and C++ Code Translation Prerequisites 57
C and C++ Command-Line Syntax 57
Scanning Pre-processed C and C++ Code 58

C and C++ Code Translation Prerequisites

Make sure that you have any dependencies required to build the project available, including headers for
third-party libraries. Fortify Static Code Analyzer translation does not require object files and
static/dynamic library files.

C and C++ Command-Line Syntax

Command-line options passed to the compiler affect preprocessor execution and can enable or disable
language features and extensions. For Fortify Static Code Analyzer to interpret your source code in the
same way as the compiler, the translation phase for C/C++ source code requires the complete compiler
command line. Prefix your original compiler command with the sourceanalyzer command and
options.
The basic command-line syntax for translating a single file is:

sourceanalyzer -b <build_id> [<sca_options>] <compiler> [<compiler_

options>] <file>.c

where:
l <compiler> is the name of the C/C++ compiler you use, such as gcc, g++, or cl. See the Micro
Focus Fortify Software System Requirements document for a list of supported C/C++ compilers.
l <sca_options> are options passed to Fortify Static Code Analyzer.
l <compiler_options> are options passed to the C/C++ compiler.
l <file>.c must be in ASCII or UTF-8 encoding.
Note: All Fortify Static Code Analyzer options must precede the compiler options.

The compiler command must successfully complete when executed on its own. If the compiler command
fails, then the Fortify Static Code Analyzer command prefixed to the compiler command also fails.

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 57 of 210

User Guide
Chapter 6: Translating C and C++ Code

For example, if you compile a file with the following command:

gcc -I. -o hello.o -c helloworld.c

then you can translate this file with the following command:

sourceanalyzer -b <build_id> gcc -I. -o hello.o -c helloworld.c

Fortify Static Code Analyzer executes the original compiler command as part of the translation phase. In
the previous example, the command produces both the translated source suitable for scanning, and the
object file hello.o from the gcc execution. You can use the Fortify Static Code Analyzer -nc option
to disable the compiler execution.

Options for Code in Visual Studio Solution or MSBuild Project

If your C/C++ code is part of a Visual Studio solution or MSBuild project, you can translate it using one
of the following three methods:
l Use Micro Focus Fortify Extension for Visual Studio to translate and analyze your solution or project
directly from Visual Studio. See the Micro Focus Fortify Extension for Visual Studio User Guide for
more information.
l Use Fortify Static Code Analyzer build integration to translate your project or solution from the
Developer Command Prompt for Visual Studio. Wrap your build command with an invocation of
Fortify Static Code Analyzer, as shown in the following command line examples:

sourceanalyzer -b <build_id> devenv <solution_file> /rebuild

sourceanalyzer -b <build_id> msbuild /t:rebuild <solution_or_project_

file>

l Use touchless MSBuild integration to run Fortify Static Code Analyzer as part of your MSBuild
project. For more information, see "Using the Touchless MSBuild Integration" on page 101.

Scanning Pre-processed C and C++ Code

If, before compilation, your C/C++ build executes a third-party C preprocessor that Fortify Static Code
Analyzer does not support, you must invoke the Fortify Static Code Analyzer translation on the
intermediate file. Fortify Static Code Analyzer touchless build integration automatically translates the
intermediate file provided that your build executes the unsupported preprocessor and supported
compiler as two commands connected by a temporary file rather than a pipe chain.

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 58 of 210

Chapter 7: Translating JavaScript
Technologies
You can analyze JavaScript projects that can contain either pure JavaScript source files or a combination
of JavaScript and HTML files.
This section contains the following topics:
Translating Pure JavaScript Projects 59
Skipping Translation of JavaScript Library Files 59
Translating JavaScript Projects with HTML Files 60
Including External JavaScript or HTML in the Translation 61
Translating AngularJS Code 62

Translating Pure JavaScript Projects

The basic command-line syntax to translate JavaScript is:

sourceanalyzer –b <build_id> <js_file_or_dir>

where <js_file_or_dir> is the either the name of the JavaScript file to be translated or a directory
that contains multiple JavaScript files. You can also translate multiple files by specifying *.js for the
<js_file_or_dir>.

Skipping Translation of JavaScript Library Files

You can avoid translating specific JavaScript library files by adding them to the appropriate property
setting in the fortify-sca.properties file. Files specified in the following properties are not
translated:
l com.fortify.sca.skip.libraries.AngularJS
l com.fortify.sca.skip.libraries.ES6
l com.fortify.sca.skip.libraries.jQuery
l com.fortify.sca.skip.libraries.javascript
l com.fortify.sca.skip.libraries.typescript
Each property specifies a list of comma- or colon-separated file names (without path information).

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 59 of 210

User Guide
Chapter 7: Translating JavaScript Technologies

The files specified in these properties apply to both local files and files on the internet. Suppose, for
example, that the JavaScript code includes the following JavaScript library file reference:

<script
src="http://ajax.googleapis.com/ajax/libs/angularjs/1.4.8/angular.min.js">
</script>

By default, the com.fortify.sca.skip.libraries.AngularJS property in the fortify-

sca.properties file includes angular.min.js, and therefore Fortify Static Code Analyzer does not
translate the file shown in the previous example. Also, any local copy of the angular.min.js file is not
translated.
You can use regular expressions for the file names. Note that Fortify Static Code Analyzer automatically
inserts the regular expression '(-?\d+\.\d+\.\d+)?' before .min.js or .js for each file name
included in the com.fortify.sca.skip.libraries.jQuery property value.

Note: You can also exclude local files or entire directories with the -exclude command-line option.
For more information about this option, see "Translation Options" on page 111.

Translating JavaScript Projects with HTML Files

If the project contains HTML files in addition to JavaScript files, set the
com.fortify.sca.EnableDOMModeling property to true in the fortify-sca.properties file or
on the command line as follows:

sourceanalyzer –b <build_id> <js_file_or_dir>

-Dcom.fortify.sca.EnableDOMModeling=true

When you set the com.fortify.sca.EnableDOMModeling property to true, this can decrease false
negative reports of DOM-related attacks, such as DOM-related cross-site scripting issues.

Note: If you enable this option, Fortify Static Code Analyzer generates JavaScript code to model
the DOM tree structure in the HTML files. The duration of the analysis phase might increase
(because there is more translated code to analyze).

If you set the com.fortify.sca.EnableDOMModeling property to true, you can also specify
additional HTML tags for Fortify Static Code Analyzer to include in the DOM modeling with the
com.fortify.sca.DOMModeling.tags property. By default, Fortify Static Code Analyzer includes
the following HTML tags: body, button, div, form, iframe, input, head, html, and p.
For example, to include the HTML tags ul and li in the DOM model, use the following command:

sourceanalyzer –b <build_id> <js_file_or_dir>

-Dcom.fortify.sca.DOMModeling.tags=ul,li

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 60 of 210

User Guide
Chapter 7: Translating JavaScript Technologies

Including External JavaScript or HTML in the

Translation
To include external JavaScript or HTML files that are specified with the src attribute, you can whitelist
specific domains to have Fortify Static Code Analyzer download and include them in translation. To do
this, specify one or more domains with the
com.fortify.sca.JavaScript.src.domain.whitelist property.

Note: You can also set this property globally in the fortify-sca.properties file.
For example, you might have the following statement in your HTML file:

<script src='http://xyzdomain.com/foo/bar.js' language='text/javascript'/>

If you are confident that the xyzdomain.com domain is a safe location from which to download files,
then you can include them in the translation phase by adding the following property specification on
the command line:

-Dcom.fortify.sca.JavaScript.src.domain.whitelist="xyzdomain.com/foo"

Note: You can omit the www. prefix from the domain in the whitelist property value. For example, if
the src tag in the original HTML file specifies to download files from www.google.com, you can
whitelist just the google.com domain.

To whitelist more than one domain, include each domain separated by the vertical bar character (|) as
shown in the following example:

-Dcom.fortify.sca.JavaScript.src.domain.whitelist=
"xyzdomain.com/foo|abcdomain.com|123.456domain.com”

If you are using a proxy server, then you need to include the proxy server information on the command
line as shown in the following example:

-Dhttp.proxyHost=example.proxy.com -Dhttp.proxyPort=8080

For a complete list of proxy server options, see the Networking Properties Java documentation.

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 61 of 210

User Guide
Chapter 7: Translating JavaScript Technologies

Translating AngularJS Code

Fortify Static Code Analyzer supports the following application architectures in the analysis of
AngularJS code:
l MVC
l Partials

l UI  Router
Fortify Static Code Analyzer can detect AngularJS specific configuration-related issues. It can also find
dataflow issues, such as Cross-Site Scripting: DOM, in small AngularJS projects.
To translate AngularJS, set the following property in the fortify-sca.properties file to true (or
include this property setting on the command line with the -D option):

com.fortify.sca.EnableDOMModeling=true

Important! Only set the com.fortify.sca.EnableDOMModeling property to true if you are

translating AngularJS code (version 1.x). Do not set this property to true when you translate
Angular code (version 2 and later).

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 62 of 210

Chapter 8: Translating Python Code
Fortify Static Code Analyzer translates Python applications, and processes files with the .py extension
as Python source code.
This section contains the following topics:
Python Translation Command-Line Syntax 63
Including Import Files 63
Including Namespace Packages 64
Using the Django Framework with Python 64
Python Command-Line Options 64
Python Command-Line Examples 66

Python Translation Command-Line Syntax

The basic command-line syntax to translate Python code is:

sourceanalyzer -b <build_id> -python-version <python_version> -

python-path <paths> <files>

Including Import Files

To translate Python applications and prepare for a scan, Fortify Static Code Analyzer searches for any
import files used by the application. Fortify Static Code Analyzer does not respect the PYTHONPATH
environment variable, which the Python runtime system uses to find imported files. Therefore, you can
provide this information to Fortify Static Code Analyzer by specifying all the paths used to import
packages or modules with the -python-path option.
Fortify Static Code Analyzer includes a subset of modules from the standard Python library (module
"builtins", all modules originally written in C, and others) in the translation. Fortify Static Code Analyzer
first searches for a standard Python library module in the set included with Fortify Static Code Analyzer
and then in the paths specified with the -python-path option. If your Python code imports any
module that Fortify Static Code Analyzer cannot find, it produces a warning. Fortify recommends that
you add to the -python-path list the path to the standard Python library that is shipped with your
Python release.

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 63 of 210

User Guide
Chapter 8: Translating Python Code

Including Namespace Packages

To translate namespace packages, include all the paths to the namespace package directories in the
-python-path option. For example, if you have two subpackages for a namespace package package_
name in multiple folders as in this example:

/path_1/package_name/subpackageA
/path_2/package_name/subpackageB

Include the following with the -python-path option: /path_1;/path_2.

Using the Django Framework with Python

Fortify Static Code Analyzer supports the Django framework.
To translate code created using the Django framework, add the following properties to the <sca_
install_dir>/Core/config/fortify-sca.properties configuration file:

com.fortify.sca.limiters.MaxPassThroughChainDepth=8

com.fortify.sca.limiters.MaxChainDepth=8

By default, Fortify Static Code Analyzer attempts to discover Django templates in the project root
folder. Any Django templates found are automatically added to the translation. If you do not want
Fortify Static Code Analyzer to automatically discover Django templates, use the
-django-disable-autodiscover option. If your project requires Django templates, but the project
is configured such that Django templates are in an unexpected location, use the
-django-template-dirs option to specify the directories that contain the templates in addition to
the -django-disable-autodiscover option.
You can specify additional locations of Django template files by adding the -django-template-dirs
option to the sourceanalyzer command:

-django-template-dirs <template_dir_paths>

Python Command-Line Options

The following table describes the Python options.

Python Option Description

-python-version Specifies the Python source code version you want to scan. The valid
<version> values for <version> are 2 and 3. The default value is 2.

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 64 of 210

User Guide
Chapter 8: Translating Python Code

Python Option Description

Equivalent property name:

com.fortify.sca.PythonVersion

-python-path <paths> Specifies a colon-separated (non-Windows) or semicolon-separated 

(Windows) list of additional import directories. You can use the
-python-path option to specify all paths used to import packages or
modules. Include all paths to namespace package directories with this
option. Fortify Static Code Analyzer sequentially searches the
specified paths for each imported file and uses the first file
encountered.
Equivalent property name:
com.fortify.sca.PythonPath

-python-legacy Specifies to translate python 2 code with the legacy Python translator.
Only use this option if the translation without the option fails and
Micro Focus Fortify Customer Support has recommended that you
use it.

Important! Do not use this option to translate python 3 code

(meaning do not include -python-version 3 with this option).

Equivalent property name:

com.fortify.sca.PythonLegacy

-django-template-dirs Specifies a colon-separated (non-Windows) or semicolon-separated 

<paths> (Windows) list of directories that contain Django templates. Fortify
Static Code Analyzer sequentially searches the specified paths for
each Django template file and uses the first template file encountered.
Equivalent property name:
com.fortify.sca.DjangoTemplateDirs

-django-disable- Specifies that Fortify Static Code Analyzer does not automatically
autodiscover discover Django templates.
Equivalent property name:
com.fortify.sca.DjangoDisableAutodiscover

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 65 of 210

User Guide
Chapter 8: Translating Python Code

Python Command-Line Examples

To translate Python 3 code, type:

sourceanalyzer -b Python3Proj -python-version 3 -python-path

/usr/lib/python3.4:/usr/local/lib/python3.4/site-packages src/*.py

To translate Python 2 code, type:

sourceanalyzer -b MyPython2 -python-path

/usr/lib/python2.7:/usr/local/lib/python2.7/site-packages src/*.py

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 66 of 210

Chapter 9: Translating Code for Mobile
Platforms
Fortify Static Code Analyzer supports analysis of the following mobile application source languages: 
l Swift, Objective-C, and Objective-C++ for iOS applications developed using Xcode
l Java for Android applications

This section contains the following topics:

Translating Apple iOS Projects 67
Translating Android Projects 68

Translating Apple iOS Projects

This section describes how to translate Swift, Objective-C, and Objective-C++ source code for iOS
applications. Fortify Static Code Analyzer automatically integrates with the Xcode Command Line Tool,
Xcodebuild, to identify the project source files.

iOS Project Translation Prerequisites

The following are the prerequisites for translating iOS projects:
l Objective-C++ projects must use the non-fragile Objective-C runtime (ABI version 2 or 3).
l Use Apple’s xcode-select command-line tool to set your Xcode path. Fortify Static Code Analyzer
uses the system global Xcode configuration to find the Xcode toolchain and headers.
l Make sure that you have available any dependencies required to build the project.
l To translate Swift code, make sure that you have available all third-party modules, including
CocoaPods. Bridging headers must also be available. However, Xcode usually generates them
automatically during the build.
l If your project includes property list files in binary format, you must first convert them to XML format.
You can do this with the Xcode putil command.
l To translate Objective-C projects, ensure that the headers for third-party libraries are available.
l To translate WatchKit applications, make sure that you translate both the iPhone application target
and the WatchKit extension target.

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 67 of 210

User Guide
Chapter 9: Translating Code for Mobile Platforms

iOS Code Analysis Command-Line Syntax

The command-line syntax to translate iOS code using Xcodebuild is:

sourceanalyzer -b <build_id> xcodebuild [<compiler_options>]

where <compiler_options> are the supported options that are passed to the Xcode compiler.
Note: Xcodebuild compiles the source code when you run this command.

If your application uses any property list files (for example, <file>.plist), translate these files with a
separate sourceanalyzer command. Use the same build ID that you used to translate the project files.
The following is an example:

sourceanalyzer -b <build_id> <path_to_plist_files>

If your project uses CocoaPods, include -workspace to build the project. For example:

sourceanalyzer -b DemoAppSwift xcodebuild clean build -workspace

DemoAppSwift.xcworkspace -scheme DemoAppSwift -sdk iphonesimulator

You can then perform the analysis phase, as shown in the following example:

sourceanalyzer -b DemoAppSwift -scan -f result.fpr

Translating Android Projects

This section describes how to translate Java source code for Android applications. You can use Fortify
Static Code Analyzer to scan the code with Gradle from either:
l Your operating system's command line
l A terminal window running in Android Studio

The way you use Gradle is the same for either method.

Note: You can also scan Android code directly from Android Studio with the Micro Focus Fortify
Analysis Plugin for IntelliJ and Android Studio. For more information, see the Micro Focus Fortify
Plugins for IntelliJ, WebStorm, and Android Studio User Guide.

Android Project Translation Prerequisites

The following are the prerequisites for translating Android projects:
l Android Studio and the relevant Android SDKs are installed on the system where you will run the
scans

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 68 of 210

User Guide
Chapter 9: Translating Code for Mobile Platforms

l Your Android project uses Gradle for builds.

If you have an older project that does not use Gradle, you must add Gradle support to the associated
Android Studio project
Use the same version of Gradle that is provided with the version of Android Studio that you use to
create your Android project
l Make sure you have available all dependencies that are required to build the Android code in the
application's project
l To translate your Android code from a command window that is not displayed within Android
Studio, make sure that Gradle Wrapper (gradlew) is defined on the system path

Android Code Analysis Command-Line Syntax

You use Gradlew to scan Android code, which is similar to using Gradle as described in "Gradle
Integration" on page 97 except that you use the Gradle Wrapper.
The command-line syntax to translate Android code is:

sourceanalyzer -b <build_id> gradlew [<options>]

where <options> are the supported gradlew options such as build or build clean.
If your application uses XML or property configuration files, translate these files with a separate
sourceanalyzer command. Use the same build ID that you used for the project files. The following
are examples:

sourceanalyzer -b <build_id> <path_to_xml_files>

sourceanalyzer -b <build_id> <path_to_properties_files>

You can then perform the analysis phase, as shown in the following example:

sourceanalyzer -b <build_id> -scan -f result.fpr

Filtering Issues Detected in Android Layout Files

If your Android project contains layout files (used to design the user interface), your project files might
include R.java source files that are automatically generated by Android Studio. When you scan the
project, Fortify Static Code Analyzer can detect issues associated with these layout files.
Fortify recommends that Issues reported in any layout file be included in your standard audit so you can
carefully determine if any of them are false positives. After you identify issues in layout files that you are
not interested in, you can filter them out as described in "Filtering the Analysis" on page 162. You can
filter out the issues based on the Instance ID.

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 69 of 210

Chapter 10: Translating Ruby Code
This section contains the following topics:
Ruby Command-Line Syntax 70
Adding Libraries 71
Adding Gem Paths 71

Ruby Command-Line Syntax

The basic command-line syntax to translate Ruby code is:

sourceanalyzer –b <build_id> <file>

where <file> is the name of the Ruby file you want to scan. To include multiple Ruby files, separate
them with a space, as shown in the following example:

sourceanalyzer –b <build_id> file1.rb file2.rb file3.rb

In addition to listing individual Ruby files, you can use the asterisk (*) wildcard to select all Ruby files in a
specified directory. For example, to find all of the Ruby files in a directory called src, use the following
sourceanalyzer command:

sourceanalyzer –b <build_id> src/*.rb

Ruby Command-Line Options

The following table describes the Ruby translation options.

Ruby Option Description

-ruby-path Specifies one or more paths to directories that contain Ruby libraries (see
"Adding Libraries " on the next page)
Equivalent property name:
com.fortify.sca.RubyLibraryPaths

-rubygem-path Specifies the path(s) to a RubyGems location (see "Adding Gem Paths" on the
next page)
Equivalent property name:
com.fortify.sca.RubyGemPaths

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 70 of 210

User Guide
Chapter 10: Translating Ruby Code

Adding Libraries
If your Ruby source code requires a specific library, add the Ruby library to the sourceanalyzer
command. Include all ruby libraries that are installed with ruby gems. For example, if you have a
utils.rb file that resides in the /usr/share/ruby/myPersonalLibrary directory, then add the
following to the sourceanalyzer command:

-ruby-path /usr/share/ruby/myPersonalLibrary

To use multiple libraries, use a delimited list. On Windows, separate the paths with a semicolon; and on
all other platforms use a colon, as in the following non-Windows example:

-ruby-path /path/one:/path/two:/path/three

Adding Gem Paths

To add all RubyGems and their dependency paths, import all RubyGems. To obtain the Ruby gem paths,
run the gem env command. Under GEM PATHS, look for a directory similar to:

/home/myUser/gems/ruby-version

This directory contains another directory called gems, which contains directories for all the gem files
installed on the system. For this example, use the following in your command line:

-rubygem-path /home/myUser/gems/ruby-version/gems

If you have multiple gems directories, add them by specifying a delimited list of paths such as:

-rubygem-path /path/to/gems:/another/path/to/more/gems

Note: On Windows systems, separate the gems directories with a semicolon.

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 71 of 210

Chapter 11: Translating Apex and
Visualforce Code
This section contains the following topics:
Apex Translation Prerequisites 72
Apex and Visualforce Command-Line Syntax 72
Apex and Visualforce Command-Line Options 73
Downloading Customized Salesforce Database Structure Information 73

Apex Translation Prerequisites

l All the source code to scan is available on the same machine where you have installed Fortify Static
Code Analyzer
To scan your custom Salesforce app, download it to your local computer from your Salesforce
organization (org) where you develop and deploy it. The downloaded version of your app consists
of:
l Apex classes in files with the .cls extension
l Visualforce web pages in files with the .page extension
l Apex code files called database “trigger” functions are in files with the .trigger extension
Use the Force.com Migration Tool available on the Salesforce website to download your app from
your org in the Salesforce cloud to your local computer.
l If you customized the standard Salesforce database structures to support your app, then you must
also download a description of the changes so that Fortify Static Code Analyzer knows how your
modified version of Salesforce interacts with your app. See "Downloading Customized Salesforce
Database Structure Information" on the next page.

Apex and Visualforce Command-Line Syntax

The basic command-line syntax to translate Apex and Visualforce code is:

sourceanalyzer -b <build_id> -apex <files>

where <files> is an Apex or Visualforce file or a path to the source files.

Important! Supported file extensions for the source code files are: .cls, .trigger, .page, and
.component.

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 72 of 210

User Guide
Chapter 11: Translating Apex and Visualforce Code

For descriptions of all the Apex- and Visualforce-specific command-line options, see "Apex and
Visualforce Command-Line Options" below.

Apex and Visualforce Command-Line Options

The following table describes the Apex and Visualforce translation command-line options.

Apex or Visualforce Option Description

-apex Directs Fortify Static Code Analyzer to use the Apex and
Visualforce translation for files with the .cls extension.
Without this option, Fortify Static Code Analyzer translates
*.cls files as Visual Basic code.

Note: Alternatively, you can set the

com.fortify.sca.fileextension.cls property to
APEX either on the command line (include
-Dcom.fortify.sca.fileextensions.cls=APEX)
or in the <sca_install_
dir>/Core/config/fortify-sca.properties file.

Equivalent property name:

com.fortify.sca.Apex

-apex-sobject-path <path>
Specifies the location of the custom sObject JSON file
sobjects.json.
For instructions on how to use the sf_extractor tool, see
"Downloading Customized Salesforce Database Structure
Information" below.
Equivalent property name:
com.fortify.sca.ApexObjectPath

Downloading Customized Salesforce Database

Structure Information
Use the sf_extractor tool to download a description of any customized Salesforce database structures.
Fortify Static Code Analyzer requires this information to perform a more complete analysis. The sf_
extractor creates a custom sObject JSON file that you include with the sourceanalyzer translation phase.
(For information about how to provide this information to Fortify Static Code Analyzer, see "Apex and
Visualforce Command-Line Options" above.)

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 73 of 210

User Guide
Chapter 11: Translating Apex and Visualforce Code

The following table describes the contents of the sf_extractor.zip file, which is located in <sca_
install_dir>/Tools.

Folder or File Name Description

lib Folder containing JAR dependencies

src Source code

partner.wsdl Partner WSDL file version 37.0

sf_extractor.jar Compiled JAR file (dependencies included)

The command-line syntax to run sf_extractor is:

java -jar sf_extractor.jar <username> <password> <security_token> <org>

where:
l <username> is your Salesforce cloud user name. For example, [email protected].
l <password> is your Salesforce cloud password.
l <security_token> is the 25 alphanumeric character security token
l <org> is y if you are using a sandbox org or n if you are using a production org
The sf_extractor tool uses the credentials to access the Salesforce SOAP API. It downloads all the
sObjects with additional information from the current org, and then it downloads information about
fields in the sObjects. This is required to properly resolve types represented in current org.
This tool produces an sobjects.json file that you provide to Fortify Static Code Analyzer in the
translation command using the -apex-sobject-path option.

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 74 of 210

Chapter 12: Translating COBOL Code
This section contains the following topics:
Preparing COBOL Source Files for Translation 75
COBOL Command-Line Syntax 76
COBOL Command-Line Options 77

For a list of supported technologies for translating COBOL code, see the Micro Focus Fortify Software
System Requirements document. Fortify Static Code Analyzer does not currently support custom rules
for COBOL applications.

Note: To scan COBOL with Fortify Static Code Analyzer, you must have a specialized Fortify license
specific for COBOL scanning capabilities. Contact Micro Focus Fortify Customer Support for more
information about scanning COBOL and the required license.

Preparing COBOL Source Files for Translation

Fortify Static Code Analyzer runs only on the supported systems listed in the Micro Focus Fortify
Software System Requirements document, not on mainframe computers. Before you can scan a COBOL
program, you must copy the following program components to the system where you run Fortify Static
Code Analyzer:
l COBOL source code
l All copybook files that the COBOL source code uses

l All SQL INCLUDE files that the COBOL source code references

Fortify Static Code Analyzer processes only top-level COBOL sources. Do not include copybook or SQL
INCLUDE files in the directory or the subdirectory where the COBOL sources reside. Fortify
recommends that you place your COBOL source code in a folder called sources/ and your copybooks
in a folder called copybooks/. Create these folders at the same level. Emulate the following structure
with the translation command:

sourceanalyzer -b <build_id> -noextension-type COBOL -copydirs copybooks/

sources/

If your COBOL source code contains:

COPY FOO

where FOO is a copybook file or a SQL INCLUDE file, then the corresponding file in the copybooks
folder or the SQL INCLUDE folder, as specified with the -copydirs option, must be FOO. The COPY

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 75 of 210

User Guide
Chapter 12: Translating COBOL Code

command can also take a directory-file-path structure rather than a just a file name. Follow the same
translation command structure, using a directory-file-path structure instead of just the file name.

Preparing COBOL Source Code Files

If you have COBOL source files retrieved from a mainframe without COB or CBL file extensions (which
is typical for COBOL file names), then you must include the following in the translation command line:

-noextension-type COBOL <path>

Specify the directory and folder with all COBOL files as the parameter to the sourceanalyzer
command, and Fortify Static Code Analyzer translates all the files in that directory and folder without
any need for COBOL file extensions.

Preparing COBOL Copybook Files

Fortify Static Code Analyzer does not identify copybooks by the file extension. All copybook files must
therefore retain the names used in the COBOL source code COPY statements. Do not place copybook
files in the same folder as the main COBOL source files, but instead, put them in a directory named
copybooks/ at the same level as the folder that contains your COBOL source files.
If the copybooks have file extensions, use the -copy-extensions option to specify the copybook file
extensions. For more information, see "COBOL Command-Line Options" on the next page.

COBOL Command-Line Syntax

Free-format COBOL is the default translation and scan mode for Fortify Static Code Analyzer. Fortify
Static Code Analyzer supports the analysis of fixed-format COBOL. When you analyze fixed-format
COBOL, you must include the -fixed-format command-line option for both the translation and scan
commands. For more information, see "COBOL Command-Line Options" on the next page.
The basic syntax to translate a single free-format COBOL source code file is:

sourceanalyzer -b <build_id>

The basic syntax to scan a translated free-format COBOL program is:

sourceanalyzer -b <build_id> -scan -f <result>.fpr

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 76 of 210

User Guide
Chapter 12: Translating COBOL Code

COBOL Command-Line Options
The following table describes the COBOL command-line options.

COBOL Option Description

-copy-extensions <ext> Specifies one or more colon-separated copybook file

extensions.

-copydirs <path> Directs Fortify Static Code Analyzer to search a list of colon-
separated paths for copybooks and SQL INCLUDE files.

-fixed-format Specifies fixed-format COBOL to direct Fortify Static Code

Analyzer to only look for source code between columns 8-72
in all lines of code. Use this option for both the translation
and the scan commands.
If your COBOL code is IBM Enterprise COBOL, then it is most
likely fixed-format. The following are indications that you
might need the -fixed-format option:
l The COBOL translation appears to hang indefinitely
l Fortify Static Code Analyzer reports a lot of parsing errors
in the COBOL translation
Equivalent property name:
com.fortify.sca.CobolFixedFormat

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 77 of 210

Chapter 13: Translating Other Languages
This section contains the following topics:
Translating PHP Code 78
Translating ABAP Code 79
Translating Flex and ActionScript 86
Translating ColdFusion Code 89
Translating SQL 90
Translating Scala Code 91
Translating ASP/VBScript Virtual Roots 91
Classic ASP Command-Line Example 93
VBScript Command-Line Example 93

Translating PHP Code

The syntax to translate a single PHP file named MyPHP.php is shown in the following example:

sourceanalyzer -b <build_id> MyPHP.php

To translate a file where the source or the php.ini file entry includes a relative path name (starts with
./ or ../), consider setting the PHP source root as shown in the following example:

sourceanalyzer -php-source-root <path> -b <build_id> MyPHP.php

For more information about the -php-source-root option, see the description in "PHP Command-
Line Options" below.

PHP Command-Line Options
The following table describes the PHP-specific command-line options.

PHP Option Description

-php-source-root Specifies an absolute path to the project root directory. The relative path
<path> name first expands from the current directory. If the file is not found, then
the path expands from the specified PHP source root directory.

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 78 of 210

User Guide
Chapter 13: Translating Other Languages

PHP Option Description

Equivalent property name:

com.fortify.sca.PHPSourceRoot

-php-version Specifies the PHP version. The default version is 7.0. For a list of valid
<version> versions, see the Micro Focus Fortify Software System Requirements.
Equivalent property name:
com.fortify.sca.PHPVersion

Translating ABAP Code

Translating ABAP code is similar to translating other operating language code. However, it requires
additional steps to extract the code from the SAP database and prepare it for scanning. See "Importing
the Transport Request" on the next page for more information. This section assumes you have a basic
understanding of SAP and ABAP.
To translate ABAP code, the Fortify ABAP Extractor program downloads source files to the
presentation server, and optionally, invokes Fortify Static Code Analyzer. You need to use an account
with permission to download files to the local system and execute operating system commands.
Because the extractor program is executed online, you might receive a max dialog work process
time reached exception message if the volume of source files selected for extraction exceeds the
allowable process run time. To work around this, download large projects as a series of smaller Extractor
tasks. For example, if your project consists of four different packages, download each package
separately into the same project directory. If the exception occurs frequently, work with your SAP Basis
administrator to increase the maximum time limit (rdisp/max_wprun_time).
When a PACKAGE is extracted from ABAP, the Fortify ABAP Extractor extracts everything from TDEVC
with a parentcl field that matches the package name. It then recursively extracts everything else from
TDEVC with a parentcl field equal to those already extracted from TDEVC. The field extracted from
TDEVC is devclass.
The devclass values are treated as a set of program names and handled the same way as a program
name, which you can provide.
Programs are extracted from TRDIR by comparing the name field with either:
l The program name specified in the selection screen
l The list of values extracted from TDEVC if a package was provided
The rows from TRDIR are those for which the name field has the given program name and the
expression LIKEprogramname is used to extract rows.
This final list of names is used with READ REPORT to get code out of the SAP system. This method does
read classes and methods out as well as merely REPORTS, for the record.

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 79 of 210

User Guide
Chapter 13: Translating Other Languages

Each READ REPORT call produces a file in the temporary folder on the local system. This set of files is
what Fortify Static Code Analyzer translates and scans, producing an FPR file that you can open with
Micro Focus Fortify Audit Workbench.

INCLUDE Processing
As source code is downloaded, the Fortify ABAP Extractor detects INCLUDE statements in the source.
When found, it downloads the include targets to the local machine for analysis.

Importing the Transport Request

To scan ABAP code, you need to import the Fortify ABAP Extractor transport request on your SAP
Server.
The Fortify transport request is located in the SAP_Extractor.zip package. The package is located in
the Tools directory:

<sca_install_dir>/Tools/SAP_Extractor.zip

The Fortify ABAP Extractor package, SAP_Extractor.zip, contains the following files:
l K9000XX.NSP (where the “XX” is the release number)
l R9000XX.NSP (where the “XX” is the release number)
These files make up the SAP transport request that you must import into your SAP system from
outside your local Transport Domain. Have your SAP administrator or an individual authorized to install
transport requests on the system import the transport request.
The NSP files contain a program, a transaction (YSCA), and the program user interface. After you
import them into your system, you can extract your code from the SAP database and prepare it for
Fortify Static Code Analyzer scanning.
Installation Note
The Fortify ABAP Extractor transport request is supported on a system running SAP release 7.02, SP
level 0006. If you are running a different SAP version and you get the transport request import error:
Install release does not match the current version, then the transport request
installation has failed.
To try to resolve this issue, perform the following steps:
1. Re-run the transport request import.
The Import Transport Request dialog box opens.
2. Click the Options tab.
3. Select the Ignore Invalid Component Version check box.
4. Complete the import procedure.
If this does not resolve the issue or if your system is running on an SAP version with a different table
structure, Fortify recommends that you export your ABAP file structure using your own technology so
that Fortify Static Code Analyzer can scan the ABAP code.

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 80 of 210

User Guide
Chapter 13: Translating Other Languages

Adding Fortify Static Code Analyzer to Your Favorites List

Adding Fortify Static Code Analyzer to your Favorites list is optional, but doing so can make it quicker
to access and launch Fortify Static Code Analyzer scans. The following steps assume that you use the
user menu in your day-to-day work. If your work is done from a different menu, add the Favorites link
to the menu that you use. Before you create the Fortify Static Code Analyzer entry, make sure that the
SAP server is running and you are in the SAP Easy Access area of your web-based client.
1. From the SAP Easy Access menu, type S000 in the transaction box.
The SAP Menu opens.
2. Right-click the Favorites folder and select Insert transaction.
The Manual entry of a transaction dialog box opens.

3. Type YSCA in the Transaction Code box.

4. Click the green check mark button .
The Extract ABAP code and launch SCA item appears in the Favorites list.

5. Click the Extract ABAP code and launch SCA link to launch the Fortify ABAP Extractor.

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 81 of 210

User Guide
Chapter 13: Translating Other Languages

Running the Fortify ABAP Extractor

To run the Fortify ABAP Extractor:
1. Start the program from the Favorites link, the transaction code, or manually start the Extractor
object.

This opens the Fortify ABAP Extractor.

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 82 of 210

User Guide
Chapter 13: Translating Other Languages

2. Select the code to download.

Provide the start and end name for the range of software components, packages, programs, or
BSP applications that you want to scan.

Note: You can specify multiple objects or ranges.

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 83 of 210

User Guide
Chapter 13: Translating Other Languages

2. Provide the Fortify Static Code Analyzer specific information described in the following table.

Field Description

FPR File (Optional) Type or select the directory where you want to store the scan results
Path file (FPR). Include the name for the FPR file in the path name. You must provide
the FPR file path if you want to automatically scan the downloaded code on the
same machine where you are running the extraction process.

Working Type or select the directory where you want to store the extracted source code.
Directory

Build-ID (Optional) Type the build ID for the scan. Fortify Static Code Analyzer uses the
build ID to identify the translated source code, which is necessary to scan the
code. You must specify the build ID if you want to automatically translate the
downloaded code on the same machine where you are running the extraction
process.

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 84 of 210

User Guide
Chapter 13: Translating Other Languages

Field Description

Translation (Optional) Type any additional Fortify Static Code Analyzer command-line

Parameters translation options. You must specify translation parameters if you want to
automatically translate the downloaded code on the same machine where you are
running the extraction process or you want to customize the translation options.

Scan (Optional) Type any Fortify Static Code Analyzer command-line scan options.
Parameters You must specify scan parameters if you want to scan the downloaded code
automatically on the same machine where you are running the process or you
want to customize the scan options.

ZIP File (Optional) Type a ZIP file name if you want your output in a compressed
Name package.

Maximum A global SAP-function F is not downloaded unless F was explicitly selected or

Call-chain unless F can be reached through a chain of function calls that start in explicitly-
Depth selected code and whose length is this number or less. Fortify recommends that
you do not specify a value greater than 2 unless directed to do so by Micro Focus
Fortify Customer Support.

3. Provide action information described in the following table.

Field Description

Download Select this check box to have Fortify Static Code Analyzer download the source
code extracted from your SAP database.

Build Select this check box to have Fortify Static Code Analyzer translate all
downloaded ABAP code and store it using the specified build ID. This action
requires that you have an installed version of Fortify Static Code Analyzer on
the machine where you are running the Fortify ABAP Extractor. It is often easier
to move the downloaded source code to a predefined Fortify Static Code
Analyzer machine.

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 85 of 210

User Guide
Chapter 13: Translating Other Languages

Field Description

Scan Select this check box to have Fortify Static Code Analyzer run a scan of the
specified build ID. This action requires that the translate (build) action was
previously performed. This action requires that you have an installed version of
Fortify Static Code Analyzer on the machine where you are running the Fortify
ABAP Extractor. It is often easier to move the downloaded source code to a
predefined Fortify Static Code Analyzer machine.

Launch Select this check box to start Micro Focus Fortify Audit Workbench and open
AWB the specified FPR file.

Create ZIP Select this check box to compress the output. You can also manually compress
the output after the source code extracted from your SAP database.

Process in Select this check box to have the processing occur in the background.
Background

4. Click Execute.

Uninstalling the Fortify ABAP Extractor

To uninstall the ABAP extractor:
1. In ABAP Workbench, open the Object Navigator.
2. Select package Y_FORTIFY_ABAP.
3. Expand the Programs tab.
4. Right-click the following element, and then select Delete.
l Program: Y_FORTIFY_SCA

Translating Flex and ActionScript

The basic command-line syntax for translating ActionScript is:

sourceanalyzer -b <build_id> -flex-libraries <libs> <files>

where:
<libs> is a semicolon-separated list (Windows) or a colon-separated list (non-Windows systems) of
library names to which you want to "link" and <files> are the files to translate.

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 86 of 210

User Guide
Chapter 13: Translating Other Languages

Flex and ActionScript Command-Line Options

Use the following command-line options to translate Flex files. You can also specify this information in
the properties configuration file (fortify-sca.properties) as noted in each description.

Flex and ActionScript

Option Description

-flex-sdk-root The location of the root of a valid Flex SDK. This folder must contain a
frameworks folder that contains a flex-config.xml file. It must also
contain a bin folder that contains an MXMLC executable.
Equivalent property name:
com.fortify.sca.FlexSdkRoot

-flex-libraries A colon- or semicolon-separated list (colon on most platforms, semicolon

on Windows) of library names that you want to “link” to. In most cases, this
list includes flex.swc, framework.swc, and playerglobal.swc
(usually found in frameworks/libs/ in your Flex SDK root).

Note: You can specify SWC or SWF files as Flex libraries (SWZ is not
currently supported).

Equivalent property name:

com.fortify.sca.FlexLibraries

-flex-source-roots A colon- or semicolon-separated list of root directories in which MXML

sources are located. Normally, these contain a subfolder named com. For
instance, if a Flex source root is given that is pointing to foo/bar/src,
then foo/bar/src/com/fortify/manager/util/Foo.mxml is
transformed into an object named com.fortify.manager.util.Foo
(an object named Foo in the package com.fortify.manager.util).
Equivalent property name:
com.fortify.sca.FlexSourceRoots

Note: -flex-sdk-root and –flex-source-roots are primarily for MXML translation, and are
optional if you are scanning pure ActionScript. Use –flex-libraries for resolving all
ActionScript.

Fortify Static Code Analyzer translates MXML files into ActionScript and then runs them through an
ActionScript parser. The generated ActionScript is simple to analyze; not rigorously correct like the Flex
runtime model. As a consequence, you might get parse errors with MXML files. For instance, the XML
parsing could fail, translation to ActionScript could fail, and the parsing of the resulting ActionScript

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 87 of 210

User Guide
Chapter 13: Translating Other Languages

could also fail. If you see any errors that do not have a clear connection to the original source code,
notify Micro Focus Fortify Customer Support.

ActionScript Command-Line Examples

The following examples illustrate command-line syntax for typical scenarios for translating ActionScript.
Example 1
The following example is for a simple application that contains only one MXML file and a single SWF
library (MyLib.swf):

sourceanalyzer -b MyFlexApp -flex-libraries lib/MyLib.swf -flex-sdk-root

/home/myself/flex-sdk/ -flex-source-roots . my/app/FlexApp.mxml

This identifies the location of the libraries to include, and also identifies the Flex SDK and the Flex
source root locations. The single MXML file, located in /my/app/FlexApp.mxml, results in translating
the MXML application as a single ActionScript class called FlexApp and located in the my.app package.
Example 2
The following example is for an application in which the source files are relative to the src directory. It
uses a single SWF library, MyLib.swf, and the Flex and framework libraries from the Flex SDK:

sourceanalyzer -b MyFlexProject -flex-sdk-root /home/myself/flex-sdk/

-flex-source-roots src/ -flex-libraries lib/MyLib.swf "src/**/*.mxml"
"src/**/*.as"
This example locates the Flex SDK and uses Fortify Static Code Analyzer file specifiers to include the
.as and .mxml files in the src folder. It is not necessary to explicitly specify the .SWC files located in
the –flex-sdk-root, although this example does so for the purposes of illustration. Fortify Static
Code Analyzer automatically locates all .SWC files in the specified Flex SDK root, and it assumes that
these are libraries intended for use in translating ActionScript or MXML files.
Example 3
In this example, the Flex SDK root and Flex libraries are specified in a properties file because typing in
the data is time consuming and the data is generally constant. Divide the application into two sections
and store them in folders: a main section folder and a modules folder. Each folder contains a src folder
where the paths start. File specifiers contain wild cards to pick up all the .mxml and .as files in both src
folders. An MXML file in main/src/com/foo/util/Foo.mxml is translated as an ActionScript class
named Foo in the package com.foo.util, for example, with the source roots specified here:

sourceanalyzer -b MyFlexProject -flex-source-roots main/src:modules/src

"./main/src/**/*.mxml" "./main/src/**/*.as" "./modules/src/**/*.mxml"
"./modules/src/**/*.as"

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 88 of 210

User Guide
Chapter 13: Translating Other Languages

Handling Resolution Warnings

To see all warnings that were generated during translation, type the following command before you
start the scan phase:

sourceanalyzer -b <build_id> -show-build-warnings

ActionScript Warnings
You might receive a message similar to the following:

The ActionScript front end was unable to resolve the following imports:
a.b at y.as:2. foo.bar at somewhere.as:5. a.b at foo.mxml:8.

This error occurs when Fortify Static Code Analyzer cannot find all of the required libraries. You might
need to specify additional SWC or SWF Flex libraries (-flex-libraries option or
com.fortify.sca.FlexLibraries property) so that Fortify Static Code Analyzer can complete the
analysis.

Translating ColdFusion Code

To treat undefined variables in a CFML page as tainted, uncomment the following line in <sca_
install_dir>/Core/config/fortify-sca.properties:

#com.fortify.sca.CfmlUndefinedVariablesAreTainted=true

This instructs the Dataflow Analyzer to watch out for register-globals-style vulnerabilities. However,
enabling this property interferes with Dataflow Analyzer findings in which a variable in an included page
is initialized to a tainted value in an earlier-occurring included page.

ColdFusion Command-Line Syntax

Type the following to translate ColdFusion source code:

sourceanalyzer -b <build_id> -source-base-dir <dir> <files> | <file_

specifiers>

where:
l <build_id> specifies the build ID for the project
l <dir> specifies the root directory of the web application
l <files> | <file_specifiers> specifies the CFML source code files
For a description of how to use <file_specifiers>, see "Specifying Files" on page 122.

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 89 of 210

User Guide
Chapter 13: Translating Other Languages

Note: Fortify Static Code Analyzer calculates the relative path to each CFML source file with the
-source-base-dir directory as the starting point. Fortify Static Code Analyzer uses these
relative paths when it generates instance IDs. If you move the entire application source tree to a
different directory, the Fortify Static Code Analyzer- generated instance IDs remain the same
provided that you specify an appropriate parameter for the -source-base-dir option.

ColdFusion Command-Line Options

The following table describes the ColdFusion options.

ColdFusion Option Description

-source-base-dir <web_app_root_dir> <files> | The web application root directory.

<file_specifiers> Equivalent property name:
com.fortify.sca.SourceBaseDir

Translating SQL
On Windows platforms, Fortify Static Code Analyzer assumes that files with the .sql extension are T-
SQL rather than PL/SQL. If you have PL/SQL files with the .sql extension on Windows, you must
configure Fortify Static Code Analyzer to treat them as PL/SQL.
To specify the SQL type for translation on Windows platforms, type one of the following translation
commands:

sourceanalyzer -b <build_id> -sql-language TSQL <files>

or

sourceanalyzer -b <build_id> -sql-language PL/SQL <files>

Alternatively, you can change the default behavior for files with the .sql extension. In the fortify-
sca.properties file, set the com.fortify.sca.fileextensions.sql property to TSQL or
PLSQL.

PL/SQL Command-Line Example

The following example shows the syntax to translate two PL/SQL files:

sourceanalyzer -b MyProject x.pks y.pks

The following example shows how to translate all PL/SQL files in the sources directory:

sourceanalyzer -b MyProject "sources/**/*.pks"

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 90 of 210

User Guide
Chapter 13: Translating Other Languages

T-SQL Command-Line Example

The following example shows the command to translate two T-SQL files:

sourceanalyzer -b MyProject x.sql y.sql

The following example shows how to translate all T-SQL files in the sources directory:

sourceanalyzer -b MyProject "sources\**\*.sql"

Note: This example assumes the com.fortify.sca.fileextensions.sql property in

fortify-sca.properties is set to TSQL.

Translating Scala Code

To translate Scala code, you must have a standard Lightbend Enterprise Suite license. Download the
Scala translation plugin from Lightbend. For instructions on how to download and translate Scala code,
see the Lightbend documentation at https://developer.lightbend.com/guides/fortify.

Important! If your project contains source code other than Scala, you must translate the Scala
code using the Lightbend's Scala translation plugin, and then translate the other source code with
sourceanalyzer using the same build ID before you run the scan phase.

Translating ASP/VBScript Virtual Roots

Fortify Static Code Analyzer allows you to handle ASP virtual roots. For web servers that use virtual
directories as aliases that map to physical directories, Fortify Static Code Analyzer enables you to use an
alias.
For example, you can have virtual directories named Include and Library that refer to the physical
directories C:\WebServer\CustomerOne\inc and C:\WebServer\CustomerTwo\Stuff,
respectively.
The following example shows the ASP/VBScript code for an application that uses virtual includes:

<!--#include virtual="Include/Task1/foo.inc"-->

For this example, the previous ASP code refers to the file in the following physical location:

C:\Webserver\CustomerOne\inc\Task1\foo.inc

The real directory replaces the virtual directory name Include in this example.

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 91 of 210

User Guide
Chapter 13: Translating Other Languages

Accommodating Virtual Roots

To provide the mapping of each virtual directory to Fortify Static Code Analyzer, you must set the
com.fortify.sca.ASPVirtualRoots.name_of_virtual_directory property in your Fortify
Static Code Analyzer command-line invocation as shown in the following example:

sourceanalyzer -Dcom.fortify.sca.ASPVirtualRoots.<virtual_
directory>=<full_path_to_corresponding_physical_directory>

Note: On Windows, if the physical path includes spaces, you must enclose the property setting in
quotes:
sourceanalyzer "-Dcom.fortify.sca.ASPVirtualRoots.<virtual_
directory>=<full_path_to_corresponding_physical_directory>"
To expand on the example in the previous section, pass the following property value to Fortify Static
Code Analyzer:

-Dcom.fortify.sca.ASPVirtualRoots.Include="C:\WebServer\CustomerOne\inc"

-Dcom.fortify.sca.ASPVirtualRoots.Library="C:\WebServer\CustomerTwo\Stuff"

This maps Include to C:\WebServer\CustomerOne\inc and Library to

C:\WebServer\CustomerTwo\Stuff.
When Fortify Static Code Analyzer encounters the #include directive:

<!-- #include virtual="Include/Task1/foo.inc" -->

Fortify Static Code Analyzer determines if the project contains a physical directory named Include. If
there is no such physical directory, Fortify Static Code Analyzer looks through its runtime properties
and finds the -Dcom.fortify.sca.ASPVirtualRoots.Include=
"C:\WebServer\CustomerOne\inc" setting. Fortify Static Code Analyzer then looks for this file:
C:\WebServer\CustomerOne\inc\Task1\foo.inc.
Alternatively, you can set this property in the fortify-sca.properties file located in <sca_
install_dir>\Core\config. You must escape the backslash character (\) in the path of the physical
directory as shown in the following example:

com.fortify.sca.ASPVirtualRoots.Library=C:\\WebServer\\CustomerTwo\\Stuff

com.fortify.sca.ASPVirtualRoots.Include=C:\\WebServer\\CustomerOne\\inc

Note: The previous version of the ASPVirtualRoot property is still valid. You can use it on the
Fortify Static Code Analyzer command line as follows:
-Dcom.fortify.sca.ASPVirtualRoots=C:\WebServer\CustomerTwo\Stuff;
C:\WebServer\CustomerOne\inc

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 92 of 210

User Guide
Chapter 13: Translating Other Languages

This prompts Fortify Static Code Analyzer to search through the listed directories in the order specified
when it resolves a virtual include directive.

Using Virtual Roots Example

You have a file as follows:

C:\files\foo\bar.asp

To specify this file, use the following include:

<!-- #include virtual="/foo/bar.asp">

Then set the virtual root in the sourceanalyzer command as follows:

-Dcom.fortify.sca.ASPVirtualRoots=C:\files\foo

This strips the /foo from the front of the virtual root. If you do not specify foo in the
com.fortify.sca.ASPVirtualRoots property, then Fortify Static Code Analyzer looks for
C:\files\bar.asp and fails.
The sequence to specify virtual roots is as follows:
1. Remove the first part of the path in the source.
2. Replace the first part of the path with the virtual root as specified on the command line.

Classic ASP Command-Line Example

To translate a single file classic ASP written in VBScript named MyASP.asp, type:

sourceanalyzer -b mybuild "MyASP.asp"

VBScript Command-Line Example

To translate a VBScript file named myApp.vb, type:

sourceanalyzer -b mybuild "myApp.vb"

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 93 of 210

Chapter 14: Integrating into a Build
You can integrate the analysis into supported build tools.
This section contains the following topics:
Build Integration 94
Modifying a Build Script to Invoke Fortify Static Code Analyzer 95
Touchless Build Integration 96
Ant Integration 96
Gradle Integration 97
Maven Integration 97
MSBuild Integration 100

Build Integration
You can translate entire projects in a single operation. Prefix your original build operation with the
sourceanalyzer command followed by the Fortify Static Code Analyzer options. For information
about integrating with Xcodebuild, see "iOS Code Analysis Command-Line Syntax" on page 68.
The command-line syntax to translate a complete project is:

sourceanalyzer -b <build_id> [<sca_options>] <build_tool> [<build_tool_

options>]

where <build_tool> is the name of your build tool, such as make, gmake, devenv, or xcodebuild. See
the Micro Focus Fortify Software System Requirements document for a list of supported build tools.
Fortify Static Code Analyzer executes your build tool and intercepts all compiler operations to collect
the specific command line used for each input.

Note: Fortify Static Code Analyzer only processes the compiler commands that the build tool
executes. If you do not clean your project before you execute the build, then Fortify Static Code
Analyzer only processes those files that the build tool re-compiles.

Successful build integration requires that the build tool:

l Executes a Fortify Static Code Analyzer-supported compiler
l Executes the compiler on the operating system path search, not with a hardcoded path (This
requirement does not apply to xcodebuild integration.)
l Executes the compiler, rather than executing a sub-process that then executes the compiler

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 94 of 210

User Guide
Chapter 14: Integrating into a Build

If you cannot meet these requirements in your environment, see "Modifying a Build Script to Invoke
Fortify Static Code Analyzer" below.

Make Example
If you build your project with the following build commands:

make clean
make
make install

then you can simultaneously translate and compile the entire project with the following commands:

make clean
sourceanalyzer -b <build_id> make
make install

Devenv Example
If you build a Visual Studio project with the following build command:

devenv MyProject.sln /rebuild

then you can translate and compile the project with the command:

sourceanalyzer -b <build_id> devenv MyProject.sln /rebuild

Note: Fortify Static Code Analyzer converts devenv invocations and command-line options to
MSBuild invocations. For more information, see ".NET Command-Line Syntax" on page 50.

Modifying a Build Script to Invoke Fortify Static Code

Analyzer
As an alternative to build integration, you can modify your build script to prefix each compiler, linker,
and archiver operation with the sourceanalyzer command. For example, a makefile often defines
variables for the names of these tools:

CC=gcc
CXX=g++
LD=ld
AR=ar

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 95 of 210

User Guide
Chapter 14: Integrating into a Build

You can prepend the tool references in the makefile with the sourceanalyzer command and the
appropriate Fortify Static Code Analyzer options.

CC=sourceanalyzer -b mybuild gcc

CXX=sourceanalyzer -b mybuild g++
LD=sourceanalyzer -b mybuild ld
AR=sourceanalyzer -b mybuild ar

When you use the same build ID for each operation, Fortify Static Code Analyzer automatically
combines each of the separately-translated files into a single translated project.

Touchless Build Integration

Fortify Static Code Analyzer includes a generic build tool called touchless that enables translation of
projects using build systems that Fortify Static Code Analyzer does not directly support. The command-
line syntax for touchless build integration is:

sourceanalyzer -b <build_id> touchless <build_command>

For example, you might use a python script called build.py to compute dependencies and execute
appropriately-ordered C compiler operations. Then to execute your build, run the following command:

python build.py

Fortify Static Code Analyzer does not have native support for such a build design. However, you can
use the touchless build tool to translate and build the entire project with the single command:

sourceanalyzer -b <build_id> touchless python build.py

The same requirements for successful build integration with supported build systems described earlier
in this chapter (see "Build Integration" on page 94) apply to touchless integration with unsupported
build systems.

Ant Integration
Fortify Static Code Analyzer provides an easy way to translate Java source files for projects that use an
Ant build file. You can apply this integration on the command line without modifying the Ant
build.xml file. When the build runs, Fortify Static Code Analyzer intercepts all javac task invocations
and translates the Java source files as they are compiled.

Note: You must translate any JSP files, configuration files, or any other non-Java source files that
are part of the application in a separate step.

To use the Ant integration, make sure that the sourceanalyzer executable is on the system PATH.

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 96 of 210

User Guide
Chapter 14: Integrating into a Build

Prepend your Ant command-line with the sourceanalyzer command as follows:

sourceanalyzer -b <build_id> ant [<ant_options>]

Gradle Integration
You can translate projects that are built with Gradle without any modification of the build.gradle
file. When the build runs, Fortify Static Code Analyzer translates the source files as they are compiled.
See the Micro Focus Fortify Software System Requirements document for platforms and languages
supported specifically for Gradle integration. Any files in the project in unsupported languages for
Gradle integration are not translated (with no error reporting). These files are therefore not analyzed
and any existing potential vulnerabilities can go undetected.
To integrate Fortify Static Code Analyzer into your Gradle build, make sure that the sourceanalyzer
executable is on the system PATH. Prepend the Gradle command line with the sourceanalyzer
command as follows:

sourceanalyzer -b <build_id> <sca_options> gradle [<gradle_options>]

<gradle tasks>

For example:

sourceanalyzer -b buildxyz gradle clean build

sourceanalyzer -b buildxyz gradle --info assemble

Note: If you use the Fortify Static Code Analyzer -verbose option, then you must also include the
-gradle option. For example:

sourceanalyzer -b buildxyz -gradle -verbose gradle assemble

Maven Integration
Fortify Static Code Analyzer includes a Maven plugin that provides a way to add Fortify Static Code
Analyzer clean, translate, scan, Micro Focus Fortify CloudScan, and FPR upload capabilities to your
Maven project builds. You can use the plugin directly or integrate its functionality into your build
process.

Installing and Updating the Fortify Maven Plugin

The Fortify Maven Plugin is located in <sca_install_dir>/plugins/maven. This directory contains
a binary and a source version of the plugin in both zip and tarball archives. To install the plugin, extract
the version (binary or source) that you want to use, and then follow the instructions in the included
README.TXT file. Perform the installation in the directory where you extracted the archive.

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 97 of 210

User Guide
Chapter 14: Integrating into a Build

For information about supported versions of Maven, see the Micro Focus Fortify Software System
Requirements document.
If you have a previous version of the Fortify Maven Plugin installed, and then install the latest version.

Uninstalling the Fortify Maven Plugin

To uninstall the Fortify Maven Plugin, manually delete all files from the <maven_local_
repo>/repository/com/fortify/ps/maven/plugin directory.

Testing the Fortify Maven Plugin Installation

After you install the Fortify Maven Plugin, use one of the included sample files to be sure your
installation works properly.
To test the Fortify Maven Plugin using the Eightball sample file:
1. Add the directory that contains the sourceanalyzer executable to the path environment
variable.
For example:

export set PATH=$PATH:/<sca_install_dir>/bin

or

set PATH=%PATH%;<sca_install_dir>/bin

2. Type sourceanalyzer -version to test the path setting.

Fortify Static Code Analyzer version information is displayed if the path setting is correct.
3. Navigate to the sample Eightball directory: <root_dir>/samples/EightBall.
4. Type the following command:

mvn com.fortify.sca.plugins.maven:sca-maven-plugin:<ver>:clean

where <ver> is the version of the Fortify Maven Plugin you are using. If the version is not
specified, Maven uses the latest version of the Fortify Maven Plugin that is installed in the local
repository.
Note: To see the version of the Fortify Maven Plugin, open the pom.xml file that you
extracted in <root_dir> in a text editor. The Fortify Maven Plugin version is specified in the
<version> element.

5. If the command in step 4 completed successfully, then the Fortify Maven Plugin is installed
correctly. The Fortify Maven Plugin is not installed correctly if you get the following error message:

[ERROR] Error resolving version for plugin

'com.fortify.sca.plugins.maven:sca-maven-plugin' from the repositories

Check the Maven local repository and try to install the Fortify Maven Plugin again.

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 98 of 210

User Guide
Chapter 14: Integrating into a Build

Using the Fortify Maven Plugin

There are two ways to perform a Fortify analysis on a maven project:
l As a Maven Plugin
In this method, you perform the Fortify analysis tasks as goals with the mvn command. For example,
the following command is used to translate source code:

mvn com.fortify.sca.plugins.maven:sca-maven-plugin:<ver>:translate

To analyze your code this way, see the documentation included with the Fortify Maven Plugin. The
following table describes where to find the documentation after the Fortify Maven Plugin is properly
installed.

Package Type Documentation Location

Binary <root_dir>/docs/index.html

Source <root_dir>/sca-maven-plugin/target/site/index.html

l In a Fortify Static Code Analyzer build integration

In this method, prepend the maven command used to build your project with the sourceanalyzer
command and any Fortify Static Code Analyzer options. To analyze your files as part of a Fortify
Static Code Analyzer build integration:
a. Clean out the previous build:

sourceanalyzer -b <build_id> -clean

b. Translate the code:

sourceanalyzer -b <build_id> [<sca_options>] [<mvn_command_with_

options>]

For example:

sourceanalyzer -b buildxyz mvn package

The following additional example includes the Fortify Static Code Analyzer option to exclude
selected files from the analysis. To specify the files you want to exclude, add the -exclude
option to the translate step as shown in the following example:

sourceanalyzer -b buildxyz -exclude "fileA;fileB;fileC;" mvn package

Note: On Windows, separate the file names with a semicolon; and on all other platforms use
a colon.

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 99 of 210

User Guide
Chapter 14: Integrating into a Build

See "Command-Line Interface" on page 111 for descriptions of available Fortify Static Code
Analyzer options.
c. Complete the analysis by running the scan:

sourceanalyzer -b <build_id> [<sca_scan_options>] -scan -f <file>.fpr

MSBuild Integration
Fortify Static Code Analyzer enables you to translate your source code as part of your MSBuild build
process. With the Fortify Static Code Analyzer MSBuild integration, you can translate files on machines
where Visual Studio is not installed. See the Micro Focus Fortify Software System Requirements
document for the supported MSBuild versions. The MSBuild executable allows for translation of the
following project types:
l C/C++ console applications
l C/C++ libraries
l .NET, .NET Core, .NET Standard, and .NET Portable projects:
l Libraries

l Console applications
l Websites
l ASP.NET, ASP.NET Core web applications
l .NET Azure applications
l .NET  Xamarin applications
This section describes three ways to run a Fortify Static Code Analyzer analysis as part of your MSBuild
project.

Using MSBuild Integration

The simplest way to translate your MSBuild project is to append the MSBuild command that you
normally run to build your project to the Fortify Static Code Analyzer command line. The following is an
example of this command line.

sourceanalyzer –b <build_id> [<sca_options>] msbuild <msbuild_options>

<solution_or_project_file>

You can provide a single project file or the entire solution for translation. For most project types, you
can run this command line from either the Windows Command Prompt or the Developer Command
Prompt for Visual Studio. The only exceptions are Xamarin and C/C++ projects and solutions, which you
must translate from Developer Command Prompt for Visual Studio.

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 100 of 210
User Guide
Chapter 14: Integrating into a Build

Using the Touchless MSBuild Integration

The touchless MSBuild integration is another method to integrate Fortify Static Code Analyzer into the
MSBuild process. This method enables you to translate your MSBuild project without explicitly invoking
Fortify Static Code Analyzer from the command line.
The touchless MSBuild integration requires the FortifyMSBuildTouchless.dll located in the
<sca_install_dir>/Core/lib directory, which you provide to the MSBuild process with the
/logger option. There are several Windows environment variables that you can set to configure the
translation of your MSBuild projects. Most of these variables have default values. If the variables are not
set, Fortify Static Code Analyzer uses the defaults.

Important! The FORTIFY_MSBUILD_BUILDID variable does not have default value. Make sure
that you set this variable before you use touchless MSBuild integration to translate your project.

The following table lists the Windows environment variables that you can set for touchless MSBuild
integration.

Environment
Variable Description Default Value

FORTIFY_ Specifies the Fortify Static Code Analyzer None

MSBUILD_ build ID
BUILDID

FORTIFY_ Puts the logger and Fortify Static Code False

MSBUILD_ Analyzer into debug mode
DEBUG

FORTIFY_ Puts Fortify Static Code Analyzer into False

MSBUILD_ verbose debug mode. In this mode, additional
DEBUG_ debug information is logged as compared to
VERBOSE the standard debug mode set by the
FORTIFY_MSBUILD_DEBUG variable. Set
this variable when you report translation
failures or errors to Micro Focus Fortify
Customer Support.

Note: If both debug environment

variables are set to true, this variable
takes precedence over FORTIFY_
MSBUILD_DEBUG.

FORTIFY_ Specifies the memory used to run Fortify Automatic allocation based on

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 101 of 210
User Guide
Chapter 14: Integrating into a Build

Environment
Variable Description Default Value

MSBUILD_ Static Code Analyzer (for example, physical memory available on the
MEM -Xmx2000M) system

FORTIFY_ Specifies the location for the MSBuild log file ${win32.LocalAppdata}
MSBUILD_ /Fortify/MSBuildPlugin/Log/
LOG MSBuildPlugin.log

FORTIFY_ Specifies the location (absolute path) for the Location specified by the
MSBUILD_ Fortify Static Code Analyzer log file com.fortify.sca.LogFile
SCALOG property in the fortify-
sca.properties file

FORTIFY_ Specifies whether the plugin logs every False

MSBUILD_ message passed to it (this creates a large
LOGALL amount of information)

For most project types, you can run the commands described in this section from either the Windows
Command Prompt or the Developer Command Prompt for Visual Studio. You can provide a single
project or the entire solution for the command.

Important! You must translate Xamarin and C/C++ projects from the Developer Command Prompt
for Visual Studio.

The following is an example of the command to run the build and a Fortify Static Code Analyzer
analysis:

msbuild <msbuild_options> /logger:"<sca_install_

dir>\Core\lib\FortifyMSBuildTouchless.dll" <solution_or_project_file>

Adding Custom Tasks to your MSBuild Project

As an alternative to using MSBuild integration or touchless MSBuild integration (see "Using MSBuild
Integration" on page 100 and "Using the Touchless MSBuild Integration" on the previous page
respectively), you can add custom tasks to your MSBuild project to invoke Fortify Static Code Analyzer.

Note: MSBuild custom tasks are only supported with .NET projects.

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 102 of 210
User Guide
Chapter 14: Integrating into a Build

To add a custom task to an MSBuild project:

1. Create a task to identify and locate the FortifyMSBuildTasks.dll:

<UsingTask TaskName="Fortify.TranslateTask" AssemblyFile="<sca_install_

dir>\Core\lib\FortifyMSBuildTasks.dll" />

2. Create a new target or add a custom target to an existing target to invoke the custom task.
The following sections describe the parameters and provide examples for the different custom tasks
that you can add to an MSBuild project:
l "Fortify.CleanTask" below - Remove any existing temporary files for the specified build ID
l "Fortify.TranslateTask" on the next page - Translate the source code
l "Fortify.ScanTask" on page 106 - Scan the source files
l "Fortify.SSCTask" on page 108 - Upload an FPR to Micro Focus Fortify Software Security Center
l "Fortify.CloudScanTask" on page 109 - Upload an FPR to Micro Focus Fortify CloudScan or Fortify
Software Security Center

Fortify.CleanTask
The following table describes the parameters for the Fortify.CleanTask.

Parameter Description

Required Parameters

BuildID Build ID

Optional Parameters

Debug Whether to enable debug mode for the task and Fortify Static Code Analyzer

The following example shows the Fortify.CleanTask task in an MSBuild project:

<UsingTask TaskName="Fortify.CleanTask"
AssemblyFile="<sca_install_dir>\Core\lib\FortifyMSBuildTasks.dll" />

<Target Name="FortifyBuild" AfterTargets="AfterBuild"

Outputs="dummy.out">
<CleanTask BuildID="MyProj" />
</Target>

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 103 of 210
User Guide
Chapter 14: Integrating into a Build

Fortify.TranslateTask
You must customize these tasks to each sub-project of your MSBuild project so that each sub-project is
translated separately. This is similar to manual translation described in "Translating .NET Binaries" on
page 51.
The following table describes the parameters for the Fortify.TranslateTask.

Parameter Description

Required Parameters

BuildID The build ID for the translation

TargetsFolder Directory where the source code or binary files to be translated reside

Include at least one of the following six parameters.

Note: Do not combine the DotNetVersion, DotNetCoreVersion, DotNetStandardVersion,

XamarinAndroidVersion, and XamariniOSVersion parameters within the same task.

DotNetVersion The .NET framework version

DotNetCoreVersion The .NET Core version

DotNetStandardVersion The .NET Standard version

XamarinAndroidVersion The target Android SDK version for Xamarin Android projects

XamariniOSVersion The target iOS SDK version for Xamarin iOS projects

References Semicolon-separated list of directories where referenced system or third-

party DLLs are located (you can also specify paths to specific DLLs with
this option)

Optional Parameters

DotNetSharedFiles Semicolon-separated list of the source files for all Shared Projects
included in the project you are translating

DotNetOutputDir Output directory where the binary (EXE or DLL) built from the project is
placed

ReferencesOnly Sets the list of directories or paths to only those specified by the
References parameter

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 104 of 210
User Guide
Chapter 14: Integrating into a Build

Parameter Description

NugetCacheDir (.NET Core and .NET Standard projects only) A custom location for

the NuGet cache directory

WebRootFolder (.NET Web projects only) Home directory of an ASP.NET project

AspNetPages (.NET Web projects only) Semicolon-separated list of paths to an

ASP.NET pages

Important! Use this parameter only to specify ASP.NET pages

that belong to the current sub-project but are located outside of
the folder specified by the TargetsFolder parameter.

DotNetWebsite (.NET Web projects only) Whether the project is an ASP.NET Website

(Do not use this parameter for ASP.NET Web Applications or any other
kind of ASP.NET project except Website.)

DotNetAppLibs (.NET Web projects only) Semicolon-separated list of additional

reference DLLs needed to translate ASP.NET pages (typically, these are
the assemblies built from the source files that belong to the same sub-
project as the target ASP.NET pages)

DotNetCodeBehind (.NET Web projects only) Semicolon-separated list of source files that

are bound to ASP.NET pages (referred to as code-behind files)

AspNetCore (.NET Web projects only) Whether the web project (ASP.NET or

ASP.NET Core) targets the .NET Core or .NET Standard framework.

AssemblyName Name of the target .NET assembly as specified in Visual Studio project
settings

PreprocessorSymbols Semicolon-separated list of preprocessor symbols used in the source code

Exclude Semicolon-separated list of folders and specific files to skip during the
translation (You can use the asterisk (*) wildcard character such as *.dll
in this parameter's value.)

JVMSettings Memory settings to pass to Fortify Static Code Analyzer

LogFile Location of the Fortify Static Code Analyzer log file

Debug Whether to enable debug mode for the task and Fortify Static Code
Analyzer

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 105 of 210
User Guide
Chapter 14: Integrating into a Build

Parameter Description

ExternalAliases (C# projects only) Semicolon-separated list of external aliases for a

specified DLL file

VBCompileOptions (VB.NET projects only) Any special compilation options required for the
correct translation of the source code

VBImports (VB.NET projects only) Semicolon-separated list of namespaces

imported for all source files in the project

VBMyType (VB.NET projects only) Value for the _MYTYPE preprocessor symbol
specified in the <MyType> tag in the project settings

VBRootFolder (VB.NET and Silverlight projects only) Root namespace for the project
as specified in the Visual Studio project settings

The following example shows the Fortify.TranslateTask task in an MSBuild project:

<UsingTask TaskName="Fortify.TranslateTask"
AssemblyFile="<sca_install_dir>\Core\lib\FortifyMSBuildTasks.dll" />

<Target Name="FortifyBuild" AfterTargets="AfterBuild" Outputs="dummy.out">

<TranslateTask
TargetsFolder="$(OutDir)"
BuildID="MyProj"
DotNetVersion="4.6"
JVMSettings="-Xmx2000M"
LogFile="trans_task.log"
Debug="true" />
</Target>

The FortifyBuild target is invoked after the AfterBuild target is run. The AfterBuild target is
one of several default targets defined in the MSBuild target file. You must specify all required
parameters.

Fortify.ScanTask
The following table describes the parameters for the Fortify.ScanTask.

Parameter Description

Required Parameters

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 106 of 210
User Guide
Chapter 14: Integrating into a Build

Parameter Description

BuildID Build ID for the scan

Output Name of the FPR file to generate

Optional Parameters

JVMSettings Memory settings to pass to Fortify Static Code Analyzer

LogFile Location of the Fortify Static Code Analyzer log file

Debug Whether to enable debug mode for the task and Fortify Static Code Analyzer

The following example shows a Fortify.TranslateTask and a Fortify.ScanTask task in an

MSBuild project:

<UsingTask TaskName="Fortify.TranslateTask"
AssemblyFile="<sca_install_dir>\Core\lib\FortifyMSBuildTasks.dll" />

<UsingTask TaskName="Fortify.ScanTask"
AssemblyFile="<sca_install_dir>\Core\lib\FortifyMSBuildTasks.dll" />

<Target Name="FortifyBuild" AfterTargets="AfterBuild" Outputs="dummy.out">

<TranslateTask
TargetsFolder="$(OutDir)"
DotNetVersion="4.6"
BuildID="MyProj"
JVMSettings="-Xmx2000M"
LogFile="trans_task.log"
Debug="true" />          

<ScanTask
BuildID="MyProj"
JVMSettings="-Xmx2000M"
LogFile="scan_task.log"
Debug="true"
Output="MyProj.fpr" />
</Target>

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 107 of 210
User Guide
Chapter 14: Integrating into a Build

Fortify.SSCTask
The following table describes the parameters for the Fortify.ScanTask.

Parameter Description

Required Parameters

AuthToken Authentication token (if not included, you must specify the username and
password parameters)

Project Micro Focus Fortify Software Security Center application name (if not provided,
you must include the ProjectID and ProjectVersionID parameters)

ProjectVersion Fortify Software Security Center application version (if not provided, you must
include the ProjectID and ProjectVersionID parameters)

FPRFile Name of the file to upload to Fortify Software Security Center

SSCURL URL for Fortify Software Security Center

Optional Parameters

Debug Whether to enable debug mode for the task and Fortify Static Code Analyzer

Username Include a username if the AuthToken parameter is not specified

Password Include a password if AuthToken parameter is not specified

ProjectID Include with ProjectVersionID if the Project and ProjectVersion parameters are
not specified

ProjectVersionID Include with ProjectID if Project and ProjectVersion parameters are not specified

Proxy Include if a proxy is required

The following example shows the Fortify.TranslateTask, Fortify.ScanTask, and

Fortify.SSCTask tasks in an MSBuild project:

<UsingTask TaskName="Fortify.TranslateTask"
AssemblyFile="<sca_install_dir>\Core\lib\FortifyMSBuildTasks.dll" />  

<UsingTask TaskName="Fortify.ScanTask"
AssemblyFile="<sca_install_dir>\Core\lib\FortifyMSBuildTasks.dll" />

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 108 of 210
User Guide
Chapter 14: Integrating into a Build

<UsingTask TaskName="Fortify.SSCTask"
AssemblyFile=<sca_install_dir>\Core\lib\FortifyMSBuildTasks.dll" />

<Target Name="FortifyBuild" AfterTargets="AfterBuild" Outputs="dummy.out">

<TranslateTask
TargetsFolder="$(OutDir)"
DotNetVersion="4.6"
BuildID="MyProj"
JVMSettings="-Xmx1000M"
LogFile="trans_task.log"
Debug="true" />          

<ScanTask BuildID="TestTask"
JVMSettings="-Xmx1000M"
LogFile="scan_task.log"
Debug="true"
Output="MyProj.fpr" />

<SSCTask
Username="admin"
Password="admin"
Project="Test Project"
ProjectVersion="Test Version 1"
FPRFile="MyProjSSC.fpr"
SSCURL="http://localhost:8180/ssc" />
</Target>

Fortify.CloudScanTask
If you are using Micro Focus Fortify CloudScan to process your scans, you can send the translated
output to your Fortify CloudScan environment. You can also use this task to upload to Micro Focus
Fortify Software Security Center.
The following table describes the parameters for the Fortify.CloudScanTask.

Parameter Description

Required Parameters

BuildID Build ID for the translation

SSCUpload Whether to upload output to Fortify Software Security Center

CloudURL Cloud URL (include either this parameter or the SSCURL parameter)

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 109 of 210
User Guide
Chapter 14: Integrating into a Build

Parameter Description

SSCURL URL for Fortify Software Security Center (include either this parameter or the
CloudURL parameter)

Optional Parameters

Debug Whether to enable debug mode for the task and Fortify Static Code Analyzer

SSCToken (Use only when SSCUpload is true) Fortify Software Security Center token

Project (Use only when SSCUpload is true) Target application on Fortify Software
Security Center

VersionName (Use only when SSCUpload is true) Target application version on Fortify Software
Security Center

FPRName (Use only when SSCUpload is false) Name for the FPR file

The following example shows the Fortify.CloudScanTask task in an MSBuild project:

<UsingTask TaskName=”Fortify.CloudScanTask”
AssemblyFile=”<sca_install_dir>\Core\lib\FortifyMSBuildTasks.dll”/>

<Target Name="FortifyBuild" AfterTargets="AfterBuild" Outputs="dummy.out">

<CloudScanTask
BuildID="MyProj"
SSCUpload="false"
FPRName="MyProj.fpr"
CloudURL="http://localhost:8080/cloud-ctrl" />
</Target>

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 110 of 210
Chapter 15: Command-Line Interface
This chapter describes general Fortify Static Code Analyzer command-line options and how to specify
source files for analysis. Command-line options that are specific to a language are described in the
chapter for that language.
This section contains the following topics:
Translation Options 111
Analysis Options 113
Output Options 116
Other Options 119
Directives 121
Specifying Files 122

Translation Options
The following table describes the translation options.

Translation Option Description

-b <build_id> Specifies the build ID. Fortify Static Code Analyzer uses the build ID to
track which files are compiled and combined as part of a build, and
later, to scan those files.
Equivalent property name:
com.fortify.sca.BuildID

-disable-language Specifies a colon-separated list of languages to exclude from the

translation phase. The valid language values are abap,
actionscript, apex, cfml, cpp, cobol, configuration,
dotnet, java, javascript, jsp, objc, php, plsql,
python, ruby, scala, sql, swift, tsql, typescript,
vb.
Equivalent property name:
com.fortify.sca.DISabledLanguages

-exclude Removes files from the list of files to translate. Separate multiple file
<file_specifiers> paths with semicolons (Windows) or a colons (non-Windows systems).
See "Specifying Files" on page 122 for more information on how to

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 111 of 210
User Guide
Chapter 15: Command-Line Interface

Translation Option Description

use file specifiers.

For example:

sourceanalyzer –cp "**/*.jar" "**/*"

-exclude "**/Test/*.java"

This example excludes all Java files in any Test subdirectory.

Note: When you integrate the translation with a compiler or a

build tool, Fortify Static Code Analyzer translates all source files
that the compiler or build tool processes even if they are specified
with this option.

Equivalent property name:

com.fortify.sca.exclude

-encoding <encoding_ Specifies the source file encoding type. Fortify Static Code Analyzer
name> enables you to scan a project that contains differently encoded source
files. To work with a multi-encoded project, you must specify the
-encoding option in the translation phase, when Fortify Static Code
Analyzer first reads the source code file. Fortify Static Code Analyzer
remembers this encoding in the build session and propagates it into
the FVDL file.

Valid encoding names are from the java.nio.charset.Charset.

Typically, if you do not specify the encoding type, Fortify Static Code
Analyzer uses file.encoding from the
java.io.InputStreamReader constructor with no encoding
parameter. In a few cases (for example with the ActionScript parser),
Fortify Static Code Analyzer defaults to UTF-8.
Equivalent property name:
com.fortify.sca.InputFileEncoding

-nc When specified before a compiler command line, Fortify Static Code
Analyzer translates the source file but does not run the compiler.

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 112 of 210
User Guide
Chapter 15: Command-Line Interface

Translation Option Description

-noextension-type Specifies the file type for source files that have no file extension. The
<file_type> possible values are: ABAP, ACTIONSCRIPT, APEX, APEX_TRIGGER,
ARCHIVE, ASPNET, ASP, ASPX, BITCODE, BYTECODE, CFML,
COBOL, CSHARP, HTML, JAVA, JAVA_PROPERTIES, JAVASCRIPT,
JSP, JSPX, MSIL, MXML, PHP, PLSQL, PYTHON, RUBY, RUBY_ERB,
SCALA, SWIFT, TLD, SQL, TSQL, TYPESCRIPT, VB, VB6, VBSCRIPT,
VISUAL_FORCE, and XML.

Analysis Options
The following table describes the analysis options.

Analysis Option Description

-scan Causes Fortify Static Code Analyzer to perform analysis for the
specified build ID.

-analyzers Specifies the analyzers you want to enable with a colon- or

comma-separated list of analyzers. The valid analyzer names
are: buffer, content, configuration, controlflow,
dataflow, findbugs, nullptr, semantic, and structural.
You can use this option to disable analyzers that are not
required for your security requirements.
Equivalent property name:
com.fortify.sca.DefaultAnalyzers

-b <build_id> Specifies the build ID.

Equivalent property name:
com.fortify.sca.BuildID

-quick Scans the project in Quick Scan mode, using the fortify-
sca-quickscan.properties file. By default, this scan
searches for high-confidence, high-severity issues that Fortify
Static Code Analyzer can discover quickly.
Equivalent property name:
com.fortify.sca.QuickScanMode

-bin <binary> | Specifies a subset of source files to scan. Only the source files
-binary-name <binary>

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 113 of 210
User Guide
Chapter 15: Command-Line Interface

Analysis Option Description

that were linked in the named binary at build time are included
in the scan. You can use this option multiple times to specify the
inclusion of multiple binaries in the scan.
Equivalent property name:
com.fortify.sca.BinaryName

-disable-default-rule-type Disables all rules of the specified type in the default Rulepacks.
<type> You can use this option multiple times to specify multiple rule
types.

The <type> parameter is the XML tag minus the suffix Rule.
For example, use DataflowSource for DataflowSourceRule
elements. You can also specify specific sections of
characterization rules, such as Characterization:Control
flow, Characterization:Issue, and
Characterization:Generic.

The <type> parameter is case-insensitive.

-exit-code-level Extends the default exit code options. See "Exit Codes" on
page 153 for a description of the exit codes. The valid values
are:
The valid values are:

l nothing—Returns exit codes 0, 1, 2, or 3. This is the default

setting.
l warnings—Returns exit codes 0, 1, 2, 3, 4, or 5.
l errors—Returns exit codes 0, 1, 2, 3, or 5.
l no_output_file—Returns exit codes 0, 1, 2, 3, or 6.
Equivalent property name:
com.fortify.sca.ExitCodeLevel

-filter <file> Specifies a results filter file. See "Filtering the Analysis" on
page 162 for more information about this option.
Equivalent property name:
com.fortify.sca.FilterFile

-findbugs Enables FindBugs analysis for Java code. You must specify the
Java class directories with the -java-build-dir option,
which is described in "Java Command-Line Options" on page 42.

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 114 of 210
User Guide
Chapter 15: Command-Line Interface

Analysis Option Description

Equivalent property name:

com.fortify.sca.EnableFindbugs

-incremental-base Specifies that this is the initial full scan of a project for which
you plan to run subsequent incremental scans. Use this option
for the first scan when you plan to run subsequent scans on the
same project with the -incremental option. See "Incremental
Analysis" on page 39 for more information about performing
incremental analysis.
Equivalent property name:
com.fortify.sca.IncrementalBaseScan

-incremental Specifies that this is a subsequent scan of a project for which

you have already run a full base scan with the -incremental-
base option. See "Incremental Analysis" on page 39 for more
information about performing incremental analysis.
Equivalent property name:
com.fortify.sca.IncrementalScan

-no-default-issue-rules Disables rules in default Rulepacks that lead directly to issues.

Still loads rules that characterize the behavior of functions.

Note: This is equivalent to disabling the following rule

types: DataflowSink, Semantic, Controlflow, Structural,
Configuration, Content, Statistical, Internal, and
Characterization:Issue.

Equivalent property name:

com.fortify.sca.NoDefaultIssueRules

-no-default-rules Specifies not to load rules from the default Rulepacks. Fortify
Static Code Analyzer processes the Rulepacks for description
elements and language libraries, but processes no rules.
Equivalent property name:
com.fortify.sca.NoDefaultRules

-no-default-source-rules Disables source rules in the default Rulepacks.

Note: Characterization source rules are not disabled.

Equivalent property name:

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 115 of 210
User Guide
Chapter 15: Command-Line Interface

Analysis Option Description

com.fortify.sca.NoDefaultSourceRules

-no-default-sink-rules Disables sink rules in the default Rulepacks.

Note: Characterization sink rules are not disabled.

Equivalent property name:

com.fortify.sca.NoDefaultSinkRules

-project-template Specifies the issue template file to use for the scan. This only
affects scans on the local machine. If you upload the FPR to
Micro Focus Fortify Software Security Center server, it uses the
issue template assigned to the application version.
Equivalent property name:
com.fortify.sca.ProjectTemplate

-rules <file> | <dir>
Specifies a custom Rulepack or directory. You can use this
option multiple times to specify multiple Rulepack files. If you
specify a directory, includes all of the files in the directory with
the .bin and .xml extensions.
Equivalent property name:
com.fortify.sca.RulesFile

Output Options
The following table describes the output options.

Output Option Description

-f <file> |  Specifies the file to which results are written. If you do not specify
-output-file <file> an output file, Fortify Static Code Analyzer writes the output to
the terminal.
Equivalent property name:
com.fortify.sca.ResultsFile

-format <format> Controls the output format. Valid options are fpr, fvdl,
fvdl.zip, text, and auto. The default is auto, which selects the
output format based on the file extension of the file provided with
the -f option.

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 116 of 210
User Guide
Chapter 15: Command-Line Interface

Output Option Description

The FVDL is an XML file that contains the detailed Fortify Static
Code Analyzer analysis results. This includes vulnerability details,
rule descriptions, code snippets, command-line options used in the
scan, and any scan errors or warnings.
The FPR is a package of the analysis results that includes the
FVDL file as well as additional information such as a copy of the
source code used in the scan, the external metadata, and custom
rules (if applicable). Micro Focus Fortify Audit Workbench is
automatically associated with the .fpr file extension.

Note: If you use result certification, you must specify the fpr
format. See the Micro Focus Fortify Audit Workbench User
Guide for information about result certification.

You can prevent some of the information from being included in

the FPR or FVDL file to improve scan time or output file size. See
other options in this table and see the "fortify-sca.properties" on
page 173.
Equivalent property name:
com.fortify.sca.Renderer

-append Appends results to the file specified with the -f option. The
resulting FPR contains the issues from the earlier scan as well as
issues from the current scan. The build information and program
data (lists of sources and sinks) sections are also merged. To use
this option, the output file format must be fpr or fvdl. For
information on the -format output option, see the description in
this table.
The engine data, which includes Fortify security
content information, command-line options, system properties,
warnings, errors, and other information about the execution of
Fortify Static Code Analyzer (as opposed to information about
the program being analyzed), is not merged. Because engine data
is not merged with the -append option, Fortify does not certify
results generated with -append.
If this option is not specified, Fortify Static Code Analyzer adds
any new findings to the FPR file, and labels the older result as
previous findings.

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 117 of 210
User Guide
Chapter 15: Command-Line Interface
Output Option
-build-label <label>
-build-project <project>
-build-version <version>
-disable-source-bundling
-fvdl-no-descriptions
-fvdl-no-enginedata
Micro Focus Fortify Static Code Analyzer (19.1.0)
Description
In general, only use the -append option when it is not possible to
analyze an entire application at once.
Equivalent property name:
com.fortify.sca.OutputAppend
Specifies the label of the project being scanned. Fortify Static
Code Analyzer does not use this label but includes it in the
analysis results.
Equivalent property name:
com.fortify.sca.BuildLabel
Specifies the name of the project being scanned. Fortify Static
Code Analyzer does not use the name but includes it in the
analysis results.
Equivalent property name:
com.fortify.sca.BuildProject
Specifies the version of the project being scanned. Fortify Static
Code Analyzer does not use the version but includes it in the
analysis results.
Equivalent property name:
com.fortify.sca.BuildVersion
Excludes source files from the FPR file.
Equivalent property name:
com.fortify.sca.FPRDisableSourceBundling
Excludes the Fortify security content descriptions from the
analysis results file.
Equivalent property name:
com.fortify.sca.FVDLDisableDescriptions
Excludes the engine data from the analysis results file. The engine
data includes Fortify security content information, command-line
options, system properties, warnings, errors, and other
information about the execution of Fortify Static Code Analyzer.
Equivalent property name:
com.fortify.sca.FVDLDisableEngineData
Page 118 of 210
User Guide
Chapter 15: Command-Line Interface

Output Option Description

-fvdl-no-progdata Excludes program data from the analysis results file. This removes
the taint source information from the Functions view in Fortify
Audit Workbench.
Equivalent property name:
com.fortify.sca.FVDLDisableProgramData

-fvdl-no-snippets Excludes the code snippets from the analysis results file.
Equivalent property name:
com.fortify.sca.FVDLDisableSnippets

Other Options
The following table describes other options.

Other Option Description

@<filename> Reads command-line options from the specified file.

Note: The file must be ASCII or UTF-8 encoded.

-h | -? | -help Prints a summary of command-line options.

-debug Includes debug information in the Fortify Support log file,

which is only useful for Micro Focus Fortify Customer
Support to help troubleshoot.
Equivalent property name:
com.fortify.sca.Debug

-debug-verbose This is the same as the -debug option, but it includes

more details, specifically for parse errors.
Equivalent property name:
com.fortify.sca.DebugVerbose

-verbose Sends verbose status messages to the console and to the

Fortify Support log file.
Equivalent property name:
com.fortify.sca.Verbose

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 119 of 210
User Guide
Chapter 15: Command-Line Interface

Other Option Description

-logfile <file> Specifies the log file that Fortify Static Code Analyzer
creates.
Equivalent property name:
com.fortify.sca.LogFile

-clobber-log Directs Fortify Static Code Analyzer to overwrite the log

file for each run of sourceanalyzer. Without this option,
Fortify Static Code Analyzer appends information to the
log file.
Equivalent property name:
com.fortify.sca.ClobberLogFile

-quiet Disables the command-line progress information.

Equivalent property name:
com.fortify.sca.Quiet

-version | -v Displays the Fortify Static Code Analyzer version number.

-autoheap Enables automatic allocation of memory based on the

physical memory available on the system. This is the
default memory allocation setting.

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 120 of 210
User Guide
Chapter 15: Command-Line Interface

Other Option Description

-Xmx<size>M | G Specifies the maximum amount of memory Fortify Static

Code Analyzer uses.
Heap sizes between 32 GB and 48 GB are not advised due
to internal JVM implementations. Heap sizes in this range
perform worse than at 32 GB. Heap sizes smaller than
32 GB are optimized by the JVM. If your scan requires
more than 32 GB, then you probably need 64 GB or more.
As a guideline, assuming no other memory intensive
processes are running, do not allocate more than 2/3 of
the available memory.
When you specify this option, make sure that you do not
allocate more memory than is physically available, because
this degrades performance. As a guideline, and the
assumption that no other memory intensive processes are
running, do not allocate more than 2/3 of the available
memory.

Note: Specifying this option overrides the default

memory allocation you would get with the
-autoheap option.

Directives
Use the following directives to list information about previous translation commands. Use only one
directive at a time and do not use any directive in conjunction with normal translation or analysis
commands.

Directive Description

-clean Deletes all Fortify Static Code Analyzer intermediate files and build
records. If a build ID is specified, only files and build records relating to
that build ID are deleted.

-show-binaries Displays all objects that were created but not used in the production of
any other binaries. If fully integrated into the build, it lists all of the
binaries produced.

-show-build-ids Displays a list of all known build IDs.

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 121 of 210
User Guide
Chapter 15: Command-Line Interface

Directive Description

-show-build-tree When you scan with the -bin option, displays all files used to create the
binary and all files used to create those files in a tree layout. If the -bin
option is not present, the tree is displayed for each binary.

Note: This option can generate an extensive amount of

information.

-show-build-warnings Use with -b <build_id> to show any errors and warnings that
occurred in the translation phase on the console.

Note: Fortify Audit Workbench also displays these errors and

warnings in the results certification panel.

-show-files Lists the files in the specified build ID. When the -bin option is present,
displays only the source files that went into the binary.

-show-loc Displays the number of lines in the code being translated.

Specifying Files
File specifiers are expressions that allow you to pass a long list of files to Fortify Static Code Analyzer
using wildcard characters. Fortify Static Code Analyzer recognizes two types of wildcard characters: a
single asterisk character (*) matches part of a file name, and double asterisk characters (**) recursively
matches directories. You can specify one or more files, one or more file specifiers, or a combination of
files and file specifiers.

<files> | <file specifiers>

The following table describes different file specifier formats examples.

Note: In the following table, the .java extension is only used as an example to show the different
file specifier options.

File Specifier Description

<dir> All files found in the named directory or any subdirectories.

<dir>/**/Example.java Any file named Example.java found in the named directory or any
subdirectories.

<dir>/*.java Any file with the extension .java found in the named directory.

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 122 of 210
User Guide
Chapter 15: Command-Line Interface

File Specifier Description

<dir>/**/*.java Any file with the extension .java found in the named directory or any
subdirectories.

<dir>/**/* All files found in the named directory or any subdirectories (same as
<dir>).

Note: Windows and many Unix shells automatically expand parameters that contain the asterisk
character (*), so you must enclose file-specifier expressions in quotes. Also, on Windows, you can
use the backslash character (\) as the directory separator instead of the forward slash (/).

File specifiers do not apply to C, C++, or Objective-C++ languages.

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 123 of 210
Chapter 16: Command-Line Utilities
This section contains the following topics:
Fortify Static Code Analyzer Utilities 124
About Updating Security Content 125
Working with FPR Files from the Command Line 127
Generating Reports from the Command Line 134
Checking the Fortify Static Code Analyzer Scan Status 138

Fortify Static Code Analyzer Utilities

Fortify Static Code Analyzer command-line utilities enable you to manage Fortify Security Content and
FPR files, run reports, perform post-installation configuration, and monitor scans. These utilities are
located in <sca_install_dir>/bin. The utilities for Windows are provided as .bat or .cmd files. The
following table describes the utilities.

More
Utility Description Information

fortifyupdate Compares installed security content to the current version "About

and makes any required updates Updating
Security
Content" on
the next page

FPRUtility With this utility you can: "Working with

FPR Files
l Merge audited projects
from the
l Verify FPR signatures Command
l Display mappings for a migrated project Line" on
l Display any errors associated with an FPR page 127
l Display the number of issues in an FPR
l Display filtered lists of issues in different formats
l Display table of analyzed functions
l Combine or split source code files and audit projects into
FPR files

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 124 of 210
User Guide
Chapter 16: Command-Line Utilities

More
Utility Description Information

BIRTReportGenerator Generates BIRT reports and legacy reports from FPR files "Generating
Reports from
ReportGenerator
the Command
Line" on
page 134

scapostinstall After you install Fortify Static Code Analyzer, this utility "Running the
enables you to migrate properties files from a previous Post-Install
version of Fortify Static Code Analyzer, specify a locale, Tool" on
and specify a proxy server for security content updates and page 33
for Fortify Software Security Center.

SCAState Provides state analysis information on the JVM during the "Checking the
scan phase Fortify Static
Code
Analyzer Scan
Status" on
page 138

About Updating Security Content

You can use the fortifyupdate utility to download the latest Fortify Secure Coding Rulepacks and
metadata from the Fortify Customer Portal for your installation.
The fortifyupdate utility gathers information about the existing security content in your Fortify
installation and contacts the update server with this information. The server returns new or updated
security content, and removes any obsolete security content from your Fortify Static Code Analyzer
installation. If your installation is current, a message is displayed to that effect.

Updating Security Content

Use the fortifyupdate utility to either download security content or import a local copy of the
security content. This utility is located in the <sca_install_dir>/bin directory. To update your
Fortify Static Code Analyzer installation with the latest Fortify Secure Coding Rulepacks and external
metadata from the Fortify Customer Portal, type the following command:

fortifyupdate [<options>]

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 125 of 210
User Guide
Chapter 16: Command-Line Utilities

fortifyupdate Command-Line Options

The following table lists the fortifyupdate options.

Option Description

-acceptKey Accept the public key. When this is specified, you are not
prompted to provide a public key.

-acceptSSLCertificate Use the SSL certificate provided by the server.

-coreDir <dir> Specifies the core directory where the update is stored.

-import <file>.zip Imports the ZIP file that contains archived security

content.

-includeMetadata Specifies to only update external metadata.

-includeRules Specifies to only update Rulepacks.

-locale <locale> Specifies a locale. The default is the value set for the locale
property in the fortify.properties configuration file.
For more information about the fortify.properties
configuration file, see the Micro Focus Fortify Static Code
Analyzer Tools Properties Reference Guide.

-proxyhost <host> Specifies a proxy server network name or IP address.

-proxyport <port> Specifies a proxy server port number.

-proxyUsername If the proxy server requires authentication, specifies the

<username> user name.

-proxyPassword If the proxy server requires authentication, specifies the

<password> password.

-showInstalledRules Displays the currently installed Rulepacks including any

custom rules or metadata.

-showInstalledExternalMetadata Displays the currently installed external metadata.

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 126 of 210
User Guide
Chapter 16: Command-Line Utilities

Option Description

-url <url> Specifies a URL from which to download the security

content. The default URL is
https://update.fortify.com or the value set for the
rulepackupdate.server property in the
server.properties configuration file.

For more information about the server.properties

configuration file, see the Micro Focus Fortify Static Code
Analyzer Tools Properties Reference Guide.

Working with FPR Files from the Command Line

Use the FPRUtility that is located in the bin directory of your Fortify Static Code Analyzer installation to
perform the following tasks:
l "Merging FPR Files" below
l "Displaying Analysis Results Information from an FPR File" on page 129
l "Extracting a Source Archive from an FPR File" on page 133
l "Allocating More Memory for FPRUtility" on page 134

Merging FPR Files

The FPRUtility -merge option combines the analysis information from two FPR files into a single FPR
file using the values of the primary project to resolve conflicts.
To merge FPR files:

FPRUtility -merge -project <primary>.fpr -source <secondary>.fpr \

-f <output>.fpr

To merge FPR files and set instance ID migrator options:

FPRUtility -merge -project <primary>.fpr -source <secondary>.fpr \

-f <output>.fpr -iidmigratorOptions "<iidmigrator_options>"

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 127 of 210
User Guide
Chapter 16: Command-Line Utilities

FPRUtility Data Merge Options

The following table lists the FPRUtility options that apply to merging data.

Option Description

-merge Merges the specified project and source FPR files.

-project <primary>.fpr Specifies the primary FPR file to merge. Conflicts are resolved using
the values in this file.

-source <secondary>.fpr Specifies the secondary FPR file to merge. The primary project
overrides values if conflicts exist.

-f <output>.fpr Specifies the name of the merged output file. This file is the result
of the merged files.

Note: When you specify this option, neither of the original FPR
files are modified. If you do not use this option, the primary
FPR is overwritten with the merged results.

-forceMigration Forces the migration, even if the engine and the Rulepack versions
of the two projects are the same.

-useMigrationFile Specifies an instance ID mapping file. This enables you to modify

<mapping_file> mappings manually rather than using the migration results. Supply
your own instance ID mapping file.

-useSourceIssueTemplate Specifies to use the filter sets and folders from the issue template in
the secondary FPR. By default, Fortify Static Code Analyzer uses
the filter sets and folders from the issue template in the primary
FPR.

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 128 of 210
User Guide
Chapter 16: Command-Line Utilities

Option Description

-iidmigratorOptions Specifies instance ID migrator options. Separate included options

<iidmigrator_options> with spaces and enclosed them in quotes. Some valid options are:

l -i provides a case-sensitive file name comparison of the merged

files
l -u <scheme_file> tells iidmigrator to read the matching
scheme from <scheme_file> for instance ID migration
Note: Wrap -iidmigrator options in single quotes ('-u
<scheme_file>') when working from a Cygwin command
prompt.

Windows example:

FPRUtility -merge -project primary.fpr

-source secondary.fpr -f output.fpr
-iidmigratorOptions "-u scheme_file"

FPRUtility Data Merge Exit Codes

Upon completion of the -merge command, FPRUtility provides one of the exit codes described in the
following table.

Exit Code Description

0 The merge completed successfully.

5 The merge failed.

Displaying Analysis Results Information from an FPR File

The FPRUtility -information option displays information about the analysis results. You can obtain
information to:
l Validate signatures
l Examine any errors associated with the FPR

l Obtain the number of issues for each analyzer, vulnerability category, or custom grouping

l Obtain lists of issues (including some basic information). You can filter these lists.

To display project signature information:

FPRUtility -information -signature -project <project>.fpr -f <output>.txt

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 129 of 210
User Guide
Chapter 16: Command-Line Utilities

To display a full analysis error report for the FPR:

FPRUtility -information -errors -project <project.fpr> -f <output>.txt

To display the number of issues per vulnerability category or analyzer:

FPRUtility -information -categoryIssueCounts -project <project>.fpr

FPRUtility -information -analyzerIssueCounts -project <project>.fpr

To display the number of issues for a custom grouping based on a search:

FPRUtility -information -search -query "search expression" \

[-categoryIssueCounts] [-analyzerIssueCounts] \
[-includeSuppressed] [-includeRemoved] \
-project <project>.fpr -f <output>.txt

Note: By default, the result does not include suppressed and removed issues. To include
suppressed or removed issues, use the -includeSuppressed or -includeRemoved options.
To display information for issues in CSV format:

FPRUtility -information -listIssues \

-search [-queryAll | -query "search expression"] \
[-categoryIssueCounts] [-analyzerIssueCouts] \
[-includeSuppressed] [-includeRemoved] \
-project <project>.fpr -f <output>.csv -outputFormat CSV

FPRUtility Information Options

The following table lists the FPRUtility options that apply to project information.

Option Description

-information Displays information for the project.

One of: The -signature option displays the signature.

-signature The -mappings option displays the migration
-mappings
mappings report.
-errors
-versions
-functionsMeta The -errors option displays a full error report for the
-categoryIssueCounts FPR.
-analyzerIssueCounts
-search -query <search_expression> The -versions option displays the engine version
-search -queryAll and the Rulepack version used in the static scan.

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 130 of 210
User Guide
Chapter 16: Command-Line Utilities

Option Description

The -functionsMeta option displays all functions

that the static analyzer encountered in CSV format. To
filter which functions are displayed, include
-excludeCoveredByRules, and
-excludeFunctionsWithoutSource.

The -categoryIssueCounts option displays the

number of issues for each vulnerability category.

The -analyzerIssueCounts option displays the

number of issues for each analyzer.

The -search -query option displays the number of

issues in the result of your specified search expression.
To display the number of issues per vulnerability
category or analyzer, add the optional
-categoryIssueCounts and
-analyzerIssueCounts options to the search
option. Use the -includeSuppressed and
-includeRemoved options to include suppressed or
removed issues.

The -search -queryAll searches all the issues in

the FPR, including suppressed and removed issues.

-project <project>.fpr Specifies the FPR from which to extract the results
information.

-f <output> Specifies the output file. The default is System.out.

-outputformat <format> Specifies the output format. The valid values are TEXT
and CSV. The default value is TEXT.

-listIssues Displays the location for each issue in one of the

following formats:

<sink_filename>:<line_num> or
<sink_filename>:<line_num> (<category>
| <analyzer>)

You can also use the -listIssues option with

-search and with both issueCounts grouping

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 131 of 210
User Guide
Chapter 16: Command-Line Utilities

Option Description

options. If you group by -categoryIssueCounts,

then the output includes (<analyzer>) and if you
group by -analyzerIssueCounts, then the output
includes (<category>).

If you specify the -outputFormat CSV, then each

issue is displayed as a line in the format:

"<instanceid>", "<category>",
"<sink_filename>:<line_num>",
"<analyzer>"

FPRUtility Signature Exit Codes

Upon completion of the -information -signature command, FPRUtility provides one of the exit
codes described in the following table.

Exit Code Description

0 The project is signed and all signatures are valid.

1 The project is signed, and some, but not all, of the signatures passed the validity test.

2 The project is signed but none of the signatures are valid.

3 The project had no signatures to validate.

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 132 of 210
User Guide
Chapter 16: Command-Line Utilities

Extracting a Source Archive from an FPR File

The FPRUtility -sourceArchive option creates a source archive (FSA) file from a specified FPR file
and removes the source code from the FPR file. You can extract the source code from an FPR file,
merge an existing source archive (FSA) back into an FPR file, or recover source files from a source
archive.
To archive data:

FPRUtility -sourceArchive -extract -project <project>.fpr -f

<outputArchive>.fsa

To archive data to a folder:

FPRUtility -sourceArchive -extract -project <project>.fpr \

-recoverSourceDirectory -f <output_folder>

To add an archive to an FPR file:

FPRUtility -sourceArchive -mergeArchive -project <project>.fpr \

-source <old_source_archive>.fsa -f <project_with_archive>.fpr

To recover files that are missing from an FPR file:

FPRUtility -sourceArchive -fixSecondaryFileSources \

-payload <source_archive>.zip -project <project>.fpr -f <output>.fpr

FPRUtility Source Archive Options

The following table lists the FPRUtility options that apply to working with the source archive.

Option Description

-sourceArchive Creates an FSA file so that you can extract a source

archive.

One of: Use the -extract option to extract the contents of

the FPR file.
-extract
-mergeArchive Use the -mergeArchive option to merge the contents
-fixSecondaryFileSources
of the FPR file with an existing archived file (-source
option).

Use the -fixSecondaryFileSources option to

recover source files from a source archive (-payload

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 133 of 210
User Guide
Chapter 16: Command-Line Utilities

Option Description

option) missing from an FPR file.

-project <project>.fpr Specifies the FPR to archive.

-recoverSourceDirectory Use with the -extract option to extract the source as

a folder with restored source files.

-source <old_source_archive>.fsa Specifies the name of the existing archive. Use only if
you are merging an FPR file with an existing archive
(-mergeArchive option).

-payload <source_archive>.zip Use with the -fixSecondaryFileSources option to

specify the source archive from which to recover source
files.

-f <project_with_archive>.fpr | Specifies the output file. You can generate an FPR, a

<output_archive>.fsa | folder, or an FSA file.
<output_folder>

Allocating More Memory for FPRUtility

Performing tasks with large and complex FPR files could trigger out-of-memory errors. By default,
1000 MB is allocated for FPRUtility. To increase the memory, add the -Xmx option to the command line.
For example, to allocate 2 GB for FPRUtility, use the following command:

FPRUtility -Xmx2G -merge -project <primary>.fpr -source <secondary>.fpr \

-f <output>.fpr

Generating Reports from the Command Line

There are two command-line utilities to generate reports:
l BIRTReportGenerator—Produces reports that are based on the Business Intelligence and Reporting
Technology (BIRT) system. BIRT is an open source reporting system.
l ReportGenerator—Generates legacy reports from FPR files from the command line. You can specify a
report template, otherwise the default report template is used. See the Micro Focus Fortify Audit
Workbench User Guide for a description of the available report templates.

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 134 of 210
User Guide
Chapter 16: Command-Line Utilities

Generating a BIRT Report

The basic command-line syntax to generate a BIRT report is:

BIRTReportGenerator -template <template_name> -source <audited_

project>.fpr -format PDF|DOC|HTML|XLS -output <report_file>

The following is an example of how to generate an OWASP Top 10 2017 report with additional options:

BIRTReportGenerator -template "OWASP Top 10" -source auditedProject.fpr

-format PDF -showSuppressed --Version "OWASP Top 10 2017"
--UseFortifyPriorityOrder -output MyOWASP_Top10_Report.pdf

BIRTReportGenerator Command-Line Options

The following table lists the BIRTReportGenerator options.

Option Description

-template <template_name> (Required) Specifies the report template name. The valid

values for <template_name> are: "Developer
Workbook", "DISA CCI 2", "DISA STIG", "CWE/SANS
Top 25", "FISMA Compliance", "OWASP Mobile Top
10", "OWASP Top 10", and "PCI DSS Compliance".

-source <audited_project>.fpr (Required) Specifies the audited project on which to base

the report.

-format <format> (Required) Specifies the generated report format. The valid

values for <format> are: PDF, DOC, HTML, and XLS.

-output <report_file.***> (Required) Specifies the file to which the report is written.

-searchQuery <query> Specifies a search query to filter issues before generating

the report.

-showSuppressed Include issues that are marked as suppressed.

-showRemoved Include issues that are marked as removed.

-showHidden Include issues that are marked as hidden.

-filterSet <filterset_name> Specifies a filter set to use to generate the report. For
example: -filterSet "Quick View".

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 135 of 210
User Guide
Chapter 16: Command-Line Utilities

Option Description

--Version <version> Specifies the version for the template. The valid values for
the templates versions are listed below.

Note: Templates that are not listed here have only

one version available.
If you do not specify a template version when
multiple versions are available, the most recent
version is used by default. Use the -help option
for information about the available versions.

l For the "CWE/SANS Top 25" template, the version

is: "<year> CWE/SANS Top 25" (for example, "2011
CWE/SANS Top 25")
l For the "DISA STIG" template, the version
is: "DISA STIG <version>" (for example,
"DISA STIG 4.8")
l For the "OWASP Top 10" template, the version is:
"OWASP Top 10 <year>" (for example, "OWASP Top
10 2017")
l For the "PCI DSS Compliance" template, the version
is: "<version> Compliance" (for example, "3.2
Compliance")

--IncludeDescOfKeyTerminology Include the Description of Key Terminology section in the

report.

--IncludeAboutFortify Include the About Fortify Solutions section in the report.

--SecurityIssueDetails Provide detailed descriptions of reported issues. This

option is not available for the Developer Workbook
template.

--UseFortifyPriorityOrder Use Fortify Priority Order instead of folder names to

categorize issues. This option is not available for the
Developer Workbook and PCI Compliance templates.

-help | -h Displays detailed information about the options.

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 136 of 210
User Guide
Chapter 16: Command-Line Utilities

Generating a Legacy Report

To generate a PDF report, type the following command:

ReportGenerator -format pdf -f <results_file>.pdf -source <audited_

project>.fpr

To generate an XML report, type the following command:

ReportGenerator -format XML -f <results_file>.xml -source <audited_

project>.fpr

ReportGenerator Command-Line Options

The following table lists the ReportGenerator options.

Option Description

-format <format> Specifies the generated report format. The valid values for
<format> are: PDF, RTF, and XML.

-f <resultsfile.***> Specifies the file to which the report is written.

-source <audited_project>.fpr Specifies the audited project on which to base the report.

-template <template_name> Specifies the issue template used to define the report. If not
specified, ReportGenerator uses the default template.

-user <username> Specifies a user name to add to the report.

-showSuppressed Include issues marked as suppressed.

-showRemoved Include issues marked as removed.

-showHidden Include issues marked as hidden.

-filterSet <filterset_name> Specifies a filter set to use to generate the report. For
example: -filterset "Quick View".

-verbose Displays status messages to the console.

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 137 of 210
User Guide
Chapter 16: Command-Line Utilities

Checking the Fortify Static Code Analyzer Scan

Status
Use the SCAState utility to see up-to-date state analysis information during the scan phase.
To check Fortify Static Code Analyzer state:
1. Run a Fortify Static Code Analyzer scan.
2. Open another command window.
3. Type the following at the command prompt:

SCAState [<options>]

SCAState Utility Command-Line Options

The following table lists the SCAState utility options.

Option Description

-a | --all Displays all available information.

-debug Displays information that is useful to debug SCAState behavior.

-ftd | --full-thread- Prints a thread dump for every thread.

dump

-h | --help Displays the help information for the SCAState utility.

-hd <filename> |  Specifies the file to which the heap dump is written. The file is
--heap-dump <filename> interpreted relative to the remote scan’s working directory; this is not
necessarily the same directory where you are running SCAState.

-liveprogress Displays the ongoing status of a running scan. This is the default. If
possible, this information is displayed in a separate terminal window.

-nogui Causes the Fortify Static Code Analyzer state information to display

in the current terminal window instead of in a separate window.

-pi | --program-info Displays information about the source code being scanned, including
how many source files and functions it contains.

-pid <process_id> Specifies the currently running Fortify Static Code Analyzer process
ID. Use this option if there are multiple Fortify Static Code Analyzer

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 138 of 210
User Guide
Chapter 16: Command-Line Utilities

Option Description

processes running simultaneously.

To obtain the process ID on Windows systems:
1. Open a command window.
2. Type tasklist at the command prompt.
A list of processes is displayed.
3. Find the java.exe process in the list and note its PID.
To find the process ID on Linux or Unix systems:

l Type ps aux | grep sourceanalyzer at the command

prompt.

-progress Displays scan information up to the point at which the command is

issued. This includes the elapsed time, the current phase of the
analysis, and the number of results already obtained.

-properties Displays configuration settings (this does not include sensitive

information such as passwords).

-scaversion Displays the Fortify Static Code Analyzer version number for the
sourceanalyzer that is currently running.

-td | --thread-dump Prints a thread dump for the main scanning thread.

-timers Displays information from the timers and counters that are
instrumented in Fortify Static Code Analyzer.

-version Displays the SCAState version.

-vminfo Displays the following statistics that JVM standard MXBeans

provides: ClassLoadingMXBean, CompilationMXBean,
GarbageCollectorMXBeans, MemoryMXBean,
OperatingSystemMXBean, RuntimeMXBean, and ThreadMXBean.

<none> Displays scan progress information (this is the same as -progress).

Note: Fortify Static Code Analyzer writes Java process information to the location of the TMP
system environment variable. On Windows systems, the TMP system environment variable location
is C:\Users\<userID>\AppData\Local\Temp. If you change this TMP system environment
variable to point to a different location, SCAState cannot locate the sourceanalyzer Java
process and does not return the expected results. To resolve this issue, change the TMP system
environment variable to match the new TMP location. Fortify recommends that you run SCAState

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 139 of 210
User Guide
Chapter 16: Command-Line Utilities

as an administrator on Windows.

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 140 of 210
Chapter 17: Improving Performance
This chapter provides guidelines and tips to optimize memory usage and performance when analyzing
different types of codebases with Fortify Static Code Analyzer.
This section contains the following topics:
Hardware Considerations 141
Sample Scans 142
Tuning Options 143
Breaking Down Codebases 144
Quick Scan 145
Limiting Analyzers and Languages 146
Optimizing FPR Files 147
Monitoring Long Running Scans 151

Hardware Considerations
The variety of source code makes accurate predictions of memory usage and scan times impossible. The
factors that affect memory usage and performance consists of many different factors including:
l Code type
l Codebase size and complexity

l Ancillary languages used (such as JSP, JavaScript, and HTML)

l Number of vulnerabilities

l Type of vulnerabilities (analyzer used)

Fortify developed the following set of "best guess" hardware recommendations based on real-world
application scan results. The following table lists these recommendations based on the complexity of the
application.

Average
Application RAM  Scan
Complexity CPU Cores (GB) Time Description

Simple 4 16 1 hour A standalone system that runs on a server or

desktop such as a batch job or a command-line
utility.

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 141 of 210
User Guide
Chapter 17: Improving Performance

Average
Application RAM  Scan
Complexity CPU Cores (GB) Time Description

Medium 8 32 5 hours A standalone system that works with complex

computer models such as a tax calculation system
or a scheduling system.

Complex 16 128 4 days A three-tiered business system with transactional

data processing such as a financial system or a
commercial website.

Very 32 256 7+ days A system that delivers content such as an

Complex application server, database server, or content
management system.

Note: TypeScript scans increase the analysis time significantly. If the total lines of code in an
application consist of more than 20% TypeScript, use the next highest recommendation.

The Micro Focus Fortify Software System Requirements document describes the system requirements.
However, for large and complex applications, Fortify Static Code Analyzer requires more capable
hardware. This includes:
l Disk I/O—Fortify Static Code Analyzer is I/O intensive and therefore the faster the hard drive, the
more savings on the I/O transactions. Fortify recommends a 7,200 RPM drive, although a 10,000
RPM drive (such as the WD Raptor) or an SSD drive is better.
l Memory—See "Memory Tuning" on page 154 for more information about how to determine the
amount of memory required for optimal performance.
l CPU—Fortify recommends a 2.1 GHz or faster processor.

Sample Scans
These sample scans were performed using Fortify Static Code Analyzer version 19.1.0 on a dedicated
Linux virtual machine with 4 CPUs and 32 GB of RAM. These scans were run using Micro Focus Fortify
Software Security Content 2019 Update 1. The following table shows the scan times you can expect for
several common open-source projects.

Project Name  Language Scan Time Total Issues LOC

Apache-HTTPd C/C++ 08:48 1,903 32,562

WebGoat 7.0 Java 01:30 464 3,599

WordPress Java 03:34 804 10,055

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 142 of 210
User Guide
Chapter 17: Improving Performance

Project Name  Language Scan Time Total Issues LOC

CakePHP PHP 04:22 2,307 54,548

phpBB 3 PHP 04:22 1,297 39,600

SmartStoreNET .NET 1:18:27 5,586 208,748

Office365-cli TypeScript 1:10:15 194 7,7063

Hackademic JavaScript 09:21 458 43,840

numpy-1.13.3 Python 3 1:07:42 248 92,633

Swift.nV Swift 00:46 62 886

Tuning Options
Fortify Static Code Analyzer can take a long time to process complex projects. The time is spent in
different phases:
l Translation
l Analysis

Fortify Static Code Analyzer can produce large analysis result files (FPRs), which can cause a long time
to audit and upload to Micro Focus Fortify Software Security Center. This is referred to as the following
phase:
l Audit/Upload
The following table lists tips on how to improve performance in the different time-consuming phases.

Phase Option Description More Information

Translation -export-build- Translate and scan on "Mobile Build Sessions" on

session different machines page 38
-import-build-
session

Analysis -Xmx<size>M | G Set maximum heap size "Memory Tuning" on page 154

Analysis -Xss<size>M | G Set stack size for each "Memory Tuning" on page 154
thread

Analysis -bin Scan the files related to a "Breaking Down Codebases" on

binary the next page

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 143 of 210
User Guide
Chapter 17: Improving Performance

Phase Option Description More Information

Analysis -quick Run a quick scan "Quick Scan" on the next page

Analysis -filter <file> Apply a filter using a filter "Filter Files" on page 147
file
Audit/Upload

Analysis -disable- Exclude source files from "Excluding Source Code from the
source-bundling the FPR file FPR" on page 148
Audit/Upload

Breaking Down Codebases

It is more efficient to break down large projects into independent modules. For example, if you have a
portal application that consists of several modules that are independent of each other or have very little
interactions, you can translate and scan the modules separately. The caveat to this is that you might
lose dataflow issue detection if some interactions exist.
For C/C++, you might reduce the scan time by using the –bin option with the –scan option. You need
to pass the binary file as the parameter (such as -bin <filename>.exe -scan or -bin
<filename>.dll -scan). Fortify Static Code Analyzer finds the related files associated with the
binary and scans them. This is useful if you have several binaries in a makefile.
The following table lists some useful Fortify Static Code Analyzer command-line options to break down
codebases.

Option Description

-bin <binary> Specifies a subset of source files to scan. Only the source files that were
linked in the named binary at build time are included in the scan. You can use
this option multiple times to specify the inclusion of multiple binaries in the
scan.

-show-binaries Displays all objects that were created but not used in the production of any
other binaries. If fully integrated into the build, it lists all of the binaries
produced.

-show-build-tree When used with the -bin option, displays all files used to create the binary
and all files used to create those files in a tree layout. If the -bin option is not
present, Fortify Static Code Analyzer displays the tree for each binary.

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 144 of 210
User Guide
Chapter 17: Improving Performance

Quick Scan
Quick scan mode provides a way to quickly scan your projects for major defects. By default, quick scan
mode searches for high‐ confidence, high‐ severity issues. Although scanning in quick scan mode is
significantly faster, it does not provide a robust result set.

Limiters
The depth of the Fortify Static Code Analyzer analysis sometimes depends on the available resources.
Fortify Static Code Analyzer uses a complexity metric to trade off these resources with the number of
vulnerabilities that it can find. Sometimes, this means giving up on a particular function when it does not
look like Fortify Static Code Analyzer has enough resources available.
Fortify Static Code Analyzer enables the user to control the “cutoff” point by using Fortify Static Code
Analyzer limiter properties. The different analyzers have different limiters. You can run a predefined set
of these limiters using a Quick Scan. See the "fortify-sca-quickscan.properties" on page 205 for
descriptions of the limiters.
To enable quick scan mode, use the -quick option with -scan option. With quick scan mode enabled,
Fortify Static Code Analyzer applies the properties from the <sca_install_
dir>/Core/config/fortify-sca-quickscan.properties file, in addition to the standard
<sca_install_dir>/Core/config/fortify-sca.properties file. You can adjust the limiters
that Fortify Static Code Analyzer uses by editing the fortify-sca-quickscan.properties file. If
you modify fortify-sca.properties, it also affects quick scan behavior. Fortify recommends that
you do performance tuning in Quick Scan mode, and leave the full scan in the default settings to
produce a highly accurate scan. For description of the quick scan mode properties, see "Fortify Static
Code Analyzer Properties Files" on page 171.

Using Quick Scan and Full Scan

l Run full scans periodically—A periodic full scan is important as it might find issues that quick scan
mode does not detect. Run a full scan at least once per software iteration. If possible, run a full scan
periodically when it will not interrupt the development workflow, such as on a weekend.
l Compare quick scan with a full scan—To evaluate the accuracy impact of a quick scan, perform a
quick scan and a full scan on the same codebase. Open the quick scan results in Micro Focus Fortify
Audit Workbench and merge it into the full scan. Group the issues by New Issue to produce a list of
issues detected in the full scan but not in the quick scan.
l Quick scans and Micro Focus Fortify Software Security Center server—To avoid overwriting
the results of a full scan, by default Fortify Software Security Center ignores uploaded FPR files
scanned in quick scan mode. However, you can configure a Fortify Software Security Center
application version so that FPR files scanned in quick scan are processed. For more information, see
analysis results processing rules in the Micro Focus Fortify Software Security Center User Guide.

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 145 of 210
User Guide
Chapter 17: Improving Performance

Limiting Analyzers and Languages

Occasionally, you might find that a significant amount of the scan time is spent either running one
particular analyzer or analyzing a particular language. It is possible that this particular analyzer or
language is not important to your security requirements. You can limit the specific analyzers that run
and the specific languages that Fortify Static Code Analyzer translates.

Disabling Analyzers
To disable specific analyzers, include the -analyzers option to Fortify Static Code Analyzer at scan
time with a colon- or comma-separated list of analyzers you want to enable. The full list of analyzers is:
buffer, content, configuration, controlflow, dataflow, findbugs, nullptr, semantic, and
structural.
For example, to run a scan that only includes the Dataflow, Control Flow, and Buffer analyzers, use the
following scan command:

sourceanalyzer -b <build_id> -analyzers dataflow:controlflow:buffer -scan

-f myResults.fpr

You can also do the same thing by setting com.fortify.sca.DefaultAnalyzers in the Fortify
Static Code Analyzer property file <sca_install_dir>/Core/config/fortify-
sca.properties. For example, to achieve the equivalent of the previous scan command, set the
following in the properties file:

com.fortify.sca.DefaultAnalyzers=dataflow:controlflow:buffer

Disabling Languages
To disable specific languages, include the -disable-language option in the translation phase, which
specifies a list of languages that you want to exclude. The full list of valid language parameters is:

abap, actionscript, apex, cfml, cpp, cobol, configuration, dotnet, java,

javascript, jsp, objc, php, plsql, python, ruby, scala, sql, swift, tsql,
typescript, vb

For example, to perform a translation that excludes SQL and PHP files, use the following command:

sourceanalyzer -b <build_id> <src_files> -disable-language sql:php

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 146 of 210
User Guide
Chapter 17: Improving Performance

You can also disable languages by setting the com.fortify.sca.DISabledLanguages property in

the Fortify Static Code Analyzer properties file <sca_install_
dir>/Core/config/fortify-sca.properties. For example, to achieve the equivalent of the
previous translation command, set the following in the properties file:

com.fortify.sca.DISabledLanguages=sql:php

Optimizing FPR Files
This chapter describes how to handle performance issues related to the audit results (FPR) file. This
includes reducing the scan time, reducing FPR file size, and tips for opening large FPR files.

Filter Files
Filter files are flat files that you can specify with a scan using the -filter option. Use a filter file to
blacklist specified categories, instance IDs, and rule IDs. If you determine that a certain category of
issues or rules are not relevant for a particular scan, you can stop Fortify Static Code Analyzer from
flagging these types of issues and adding them to the FPR. Using a filter file can reduce both the scan
time and the size of the results file.
For example, if you are scanning a simple program that just reads a specified file, you might not want to
see path manipulation issues, because these are likely planned as part of the functionality. To filter out
path manipulation issues, create a file that contains a single line:
Path Manipulation
Save this file as filter.txt. Use the -filter option for the scan as shown in the following example:

sourceanalyzer -b <build_id> -scan -f myResults.fpr -filter filter.txt

The myResults.fpr does not include any issues with the category Path Manipulation.
For more information about filter files, see "Filtering the Analysis" on page 162.

Excluding Issues from the FPR with Filter Sets

Filters in an issue template determine how the results from Fortify Static Code Analyzer are shown. For
example, you can have a filter to put any detected SQL Injection issues into a separate folder called SQL
Injections, or you might have a filter that hides issues with a confidence below a certain threshold. In
addition to filters, filter sets enable you to have a selection of filters used at any one time. Each FPR has
an issue template associated with it. You can use filter sets to reduce the number of issues based on
conditions you specify with filters in an issue template. This can dramatically reduce the size of an FPR.

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 147 of 210
User Guide
Chapter 17: Improving Performance

To do this, use Micro Focus Fortify Audit Workbench to create a filter and a filter set and then run the
Fortify Static Code Analyzer scan with the filter set. For more detailed instructions about how to create
filters and filter sets in Fortify Audit Workbench, see the Micro Focus Fortify Audit Workbench User
Guide. The following example describes the basic steps for how to create and use a scan-time filter:
1. In this example, suppose you use OWASP Top 10 2017 and you only want to see issues
categorized within this standard. Create a filter in Fortify Audit Workbench such as:

If [OWASP Top 10 2017] does not contain A Then hide issue

This filter looks through the issues and if an issue does not map to an OWASP Top 10 2017
category with ‘A’ in the name, then it hides it. Because all OWASP Top 10 2017 categories start
with ‘A’ (A1, A2, …, A10), then any category without the letter ‘A’ is not in the OWASP Top 10
2017. The filter hides the issues from view in Fortify Audit Workbench, but they are still in the FPR.
2. In Fortify Audit Workbench, create a new filter set called OWASP_Filter_Set that contains the
previous filter, and then export the issue template to a file called IssueTemplate.xml.
3. You can then specify this filter at scan-time with the following command:

sourceanalyzer -b <build_id> -scan -f myFilteredResults.fpr

-project-template IssueTemplate.xml -Dcom.fortify.sca.FilterSet=OWASP_
Filter_set

In the previous example, the inclusion of the -Dcom.fortify.sca.FilterSet property tells Fortify
Static Code Analyzer to use the OWASP_Filter_Set filter set from the issue template
IssueTemplate.xml. Any filters that hide issues from view are removed and are not written to the
FPR. Therefore, you can reduce the visible number of issues, make the scan very targeted, and reduce
the size of the resulting FPR file.

Note: Although filtering issues with a filter set can reduce the size of the FPR, they do not usually
reduce the scan time. Fortify Static Code Analyzer examines the filter set after it calculates the
issues to determine whether or not to write them to the FPR file. The filters in a filter set determine
the rule types that Fortify Static Code Analyzer loads.

Excluding Source Code from the FPR

You can reduce the scan time and the size of the FPR file by excluding the source code information
from the FPR. This is especially valuable for large source files or codebases. You do not generally get a
scan time reduction for small source files.
There are two ways to prevent Fortify Static Code Analyzer from including source code in the FPR. You
can set the property in the <sca_install_dir>/Core/config/fortify-sca.properties file or
specify an option on the command line. The following table describes these settings.

Property Name Description

com.fortify.sca. This excludes source code from the FPR.

FPRDisableSourceBundling=true

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 148 of 210
User Guide
Chapter 17: Improving Performance

Property Name Description

Command-line Option:
-disable-source-bundling

com.fortify.sca. This excludes code snippets from the FPR.

FVDLDisableSnippets=true
Command-line Option:
–fvdl-no-snippets
The following command-line example uses both options:

sourceanalyzer -b <build_id> -disable-source-bundling

-fvdl-no-snippets -scan -f mySourcelessResults.fpr

Reducing the FPR File Size

There are a few ways to reduce the size of FPR files. The quickest way to do this without affecting
results is to exclude the source code from the FPR as described in "Excluding Source Code from the
FPR" on the previous page.
There are a few other options and properties that you can use to select what is excluded from the FPR.
You can set these properties in the Fortify Static Code Analyzer properties file: <sca_install_
dir>/Core/config/fortify-sca.properties or specify them during the scan phase with
-D<property_name>=true. Most of these options have an equivalent command-line option.

Property Name Description

com.fortify.sca. This excludes the metatable from the FPR. Micro

FPRDisableMetatable Focus Fortify Audit Workbench uses the metatable to
=true map information in Functions view.
Command-line Option: 
-disable-metatable

com.fortify.sca. This excludes rule descriptions from the FPR. If you

FVDLDisableDescriptions do not use custom descriptions, the descriptions in
=true the Fortify Taxonomy (https://vulncat.fortify.com)
Command-line Option:  are used.
-fvdl-no-descriptions

com.fortify.sca. This excludes engine data from the FPR. This is

FVDLDisableEngineData useful if your FPR contains a large number of
=true warnings when you open the file in Fortify Audit
Command-line Option:  Workbench.
-fvdl-no-enginedata

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 149 of 210
User Guide
Chapter 17: Improving Performance

Property Name Description

Note: If you exclude engine data from the FPR,

you must merge the FPR with the current audit
project locally before you upload it to Micro
Focus Fortify Software Security Center. Fortify
Software Security Center cannot merge it on the
server because the FPR does not contain the
Fortify Static Code Analyzer version.

com.fortify.sca. This excludes the program data from the FPR. This
FVDLDisableProgramData removes the Taint Sources information from the
=true Functions view in Fortify Audit Workbench. This
Command-line Option:  property typically only has a minimal effect on the
-fvdl-no-progdata overall size of the FPR file.

Opening Large FPR Files

To reduce the time required to open a large FPR file, there are some properties that you can set in the
<sca_install_dir>/Core/config/fortify.properties configuration file. For more
information about these properties, see the Micro Focus Fortify Static Code Analyzer Tools Properties
Reference Guide. The following table describes these properties.

Property Name Description

com.fortify. This disables use of the code navigation

model.DisableProgramInfo=true features in Micro Focus Fortify Audit
Workbench.

com.fortify. The IssueCutOffStartIndex property is

model.IssueCutOffStartIndex inclusive and IssueCutOffEndIndex is
=<num> (inclusive) exclusive so that you can specify a subset of
com.fortify. issues you want to see. For example, to see the
model.IssueCutOffEndIndex first 100 issues, specify the following:
=<num> (exclusive)
com.fortify.model.
IssueCutOffStartIndex=0

com.fortify.model.
IssueCutOffEndIndex=101

Because the IssueCutOffStartIndex is 0 by

default, you do not need to specify this

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 150 of 210
User Guide
Chapter 17: Improving Performance

Property Name Description

property.

com.fortify. These two properties are similar to the previous

model.IssueCutOffByCategoryStartIndex= cutoff properties except these are specified for
<num> (inclusive) each category. For example, to see the first five
com.fortify. issues for every category, specify the following:
model.IssueCutOffByCategoryEndIndex=
<num> (exclusive) com.fortify.model.
IssueCutOffByCategoryEndIndex=6

com.fortify. This minimizes the data loaded in the FPR. This

model.MinimalLoad=true also restricts usage of the Functions view and
might prevent Fortify Audit Workbench from
loading the source from the FPR.

com.fortify. This property specifies the number of Fortify

model.MaxEngineErrorCount= Static Code Analyzer reported warnings that
<num> are loaded with the FPR. For projects with a
large number of scan warnings, this can reduce
both load time in Fortify Audit Workbench and
the amount of memory required to open the
FPR.

com.fortify. Specifies the JVM heap memory size for Audit

model.ExecMemorySetting Workbench to launch external utilities such as
iidmigrator and fortifyupdate.

Monitoring Long Running Scans

When you run Fortify Static Code Analyzer, large and complex scans can often take a long time to
complete. During the scan it is not always clear what is happening. While Fortify recommends that you
provide your debug logs to the Micro Focus Fortify Customer Support team, there are a couple of ways
to see what Fortify Static Code Analyzer is doing and how it is performing in real-time.

Using the SCAState Utility

The SCAState command-line utility enables you to see up-to-date state analysis information during the
analysis phase. The SCAState utility is located in the <sca_install_dir>/bin directory. In addition
to a live view of the analysis, it also provides a set of timers and counters that show where Fortify Static

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 151 of 210
User Guide
Chapter 17: Improving Performance

Code Analyzer spends its time during the scan. For more information about how to use the SCAState
utility, see the "Checking the Fortify Static Code Analyzer Scan Status" on page 138.

Using JMX Tools

You can use tools to monitor Fortify Static Code Analyzer with JMX technology. These tools can
provide a way to track Fortify Static Code Analyzer performance over time. For more information about
these tools, see the full Oracle documentation available at: http://docs.oracle.com.

Note: These are third-party tools and Micro Focus does not provide or support them.

Using JConsole
JConsole is an interactive monitoring tool that complies with the JMX specification. The disadvantage of
JConsole is that you cannot save the output.
To use JConsole, you must first set some additional JVM parameters. Set the following environment
variable:

export SCA_VM_OPTS="-Dcom.sun.management.jmxremote
-Dcom.sun.management.jmxremote.port=9090
-Dcom.sun.management.jmxremote.ssl=false
-Dcom.sun.management.jmxremote.authenticate=false"

After the JMX parameters are set, start a Fortify Static Code Analyzer scan. During the scan, start
JConsole to monitor Fortify Static Code Analyzer locally or remotely with the following command:

jconsole <host_name>:9090

Using Java VisualVM

Java VisualVM offers the same capabilities as JConsole. It also provides more detailed information on
the JVM and enables you to save the monitor information to an application snapshot file. You can store
these files and open them later with Java VisualVM.
Similar to JConsole, before you can use Java VisualVM, you must set the same JVM parameters
described in "Using JConsole" above.
After the JVM parameters are set, start the scan. You can then start Java VisualVM to monitor the scan
either locally or remotely with the following command:

jvisualvm <host_name>:9090

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 152 of 210
Chapter 18: Troubleshooting
This section contains the following topics:
Exit Codes 153
Translation Failed Message 154
Memory Tuning 154
Scanning Complex Functions 156
Issue Non-Determinism 159
C/C++ Precompiled Header Files 159
Accessing Log Files 159
Configuring Log Files 160
Reporting Issues and Requesting Enhancements 161

Exit Codes
The following table describes the possible Fortify Static Code Analyzer exit codes.

Exit
Code Description

0 Success

1 Generic failure

2 Invalid input files

(this could indicate that an attempt was made to translate a file that has a file extension that
Fortify Static Code Analyzer does not support)

3 Process timed out

4 Analysis completed with numbered warning messages written to the console and/or to the
log file

5 Analysis completed with numbered error messages written to the console and/or to the log
file

6 Scan phase was unable to generate issue results

By default, Fortify Static Code Analyzer only returns exit codes 0, 1, 2, or 3.

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 153 of 210
User Guide
Chapter 18: Troubleshooting

You can extend the default exit code options by setting the com.fortify.sca.ExitCodeLevel
property in the <sca_install_dir>/Core/Config/fortify-sca.properties file.

Note: The equivalent command-line option is -exit-code-level.

The valid values are:
l nothing—Returns exit codes 0, 1, 2, or 3. This is the default setting.
l warnings—Returns exit codes 0, 1, 2, 3, 4, or 5.
l errors—Returns exit codes 0, 1, 2, 3, or 5.
l no_output_file—Returns exit codes 0, 1, 2, 3, or 6.

Translation Failed Message

If your C or C++ application builds successfully but you see one or more “translation failed” messages
during the Fortify Static Code Analyzer translation, edit the <sca_install_
dir>/Core/config/fortify-sca.properties file to change the following line:

com.fortify.sca.cpfe.options= --remove_unneeded_entities --suppress_vtbl

to:

com.fortify.sca.cpfe.options= -w --remove_unneeded_entities --suppress_

vtbl

Re-run the translation to print the errors that the translator encountered. If the output indicates an
incompatibility between your compiler and the Fortify Static Code Analyzer translator, send your
output to Micro Focus Fortify Customer Support for further investigation.

Memory Tuning
The amount of physical RAM required for a scan depends on the complexity of the code. By default,
Fortify Static Code Analyzer automatically allocates the memory it uses based on the physical memory
available on the system. This is generally sufficient. As described in "Output Options" on page 116, you
can adjust the Java heap size with the -Xmx command-line option.
This section describes suggestions for what you can do if you encounter OutOfMemory errors during
the analysis.

Note: You can set the memory allocation options discussed in this section to run for all scans by
setting the SCA_VM_OPTS environment variable.

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 154 of 210
User Guide
Chapter 18: Troubleshooting

Java Heap Exhaustion

Java heap exhaustion is the most common memory problem that might occur during Fortify Static Code
Analyzer scans. It is caused by allocating too little heap space to the Java virtual machine that Fortify
Static Code Analyzer uses to scan the code. You can identify Java heap exhaustion from the following
symptom.
Symptom
One or more of these messages appears in the Fortify Static Code Analyzer log file and in the
command-line output:

There is not enough memory available to complete analysis. For details on

making more memory available, please consult the user manual.
java.lang.OutOfMemoryError: Java heap space
java.lang.OutOfMemoryError: GC overhead limit exceeded

Resolution
To resolve a Java heap exhaustion problem, allocate more heap space to the Fortify Static Code
Analyzer Java virtual machine when you start the scan. To increase the heap size, use the -Xmx
command-line option when you run the Fortify Static Code Analyzer scan. For example, -Xmx1G makes
1 GB available. Before you use this parameter, determine the maximum allowable value for Java heap
space. The maximum value depends on the available physical memory.
Fortify recommends that you do not specify a value for the -Xmx option that exceeds either 90% of the
total physical memory or the total physical memory minus 1.5 GB to allow for the operating system. If
the system is dedicated to running Fortify Static Code Analyzer, you do not need to change it. However,
if the system resources are shared with other memory-intensive processes, subtract an allowance for
those other processes.

Note: You do not need to account for other resident but not active processes (while Fortify Static
Code Analyzer is running) that the operating system might swap to disk. Allocating more physical
memory to Fortify Static Code Analyzer than is available in the environment might cause
“thrashing,” which typically slows down the scan along with everything else on the system.

Native Heap Exhaustion

Native heap exhaustion is a rare scenario where the Java virtual machine can allocate the Java memory
regions on startup, but is left with so few resources for its native operations (such as garbage collection)
that it eventually encounters a fatal memory allocation failure that immediately terminates the process.

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 155 of 210
User Guide
Chapter 18: Troubleshooting

Symptom
You can identify native heap exhaustion by abnormal termination of the Fortify Static Code Analyzer
process and the following output on the command line:

# A fatal error has been detected by the Java Runtime Environment:

#
# java.lang.OutOfMemoryError: requested ... bytes for GrET ...

Because this is a fatal Java virtual machine error, it is usually accompanied by an error log created in the
working directory with the file name hs_err_pidNNN.log.
Resolution
Because the problem is a result of overcrowding within the process, the resolution is to reduce the
amount of memory used for the Java memory regions (Java heap). Reducing this value should reduce
the crowding problem and allow the scan to complete successfully.

Stack Overflow
Each thread in a Java application has its own stack. The stack holds return addresses, function/method
call arguments, and so on. If a thread tends to process large structures with recursive algorithms, it
might need a large stack for all those return addresses. With the JVM, you can set that size with the
-Xss option.
Symptoms
This message typically appears in the Fortify Static Code Analyzer log file, but might also appear in the
command-line output:

java.lang.StackOverflowError

Resolution
The default stack size is 16 MB. To increase the stack size, pass the -Xss option to the
sourceanalyzer command. For example, -Xss32M increases the stack to 32 MB.

Scanning Complex Functions

During a Fortify Static Code Analyzer scan, the Dataflow Analyzer might encounter a function for
which it cannot complete the analysis and reports the following message:

Function <name> is too complex for <analyzer> analysis and will be skipped
(<identifier>)

where:
l <name> is the name of the source code function
l <analyzer> is the name of the analyzer

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 156 of 210
User Guide
Chapter 18: Troubleshooting

l <identifier> is the type of complexity, which is one of the following:

l l: Too many distinct locations
l m: Out of memory
l s: Stack size too small
l t: Analysis taking too much time
The depth of analysis Fortify Static Code Analyzer performs sometimes depends on the available
resources. Fortify Static Code Analyzer uses a complexity metric to tradeoff these resources against the
number of vulnerabilities that it can find. Sometimes, this means giving up on a particular function when
Fortify Static Code Analyzer does not have enough resources available. This is normally when you see
the "Function too complex" messages.
When you see this message, it does not necessarily mean that Fortify Static Code Analyzer completely
ignored the function in the program. For example, the Dataflow Analyzer typically visits a function
many times before completing the analysis, and might not have run into this complexity limit in the
previous visits. In this case, the results include anything learned from the previous visits.
You can control the "give up" point using Fortify Static Code Analyzer properties called limiters.
Different analyzers have different limiters.
The following sections provide a discussion of a resolution for this issue.

Dataflow Analyzer Limiters

There are three types of complexity identifiers for the Dataflow Analyzer:
l l: Too many distinct locations
l m: Out of memory
l s: Stack size too small
To resolve the issue identified by s, increase the stack size for by setting -Xss to a value greater than
16 MB.
To resolve the complexity identifier of m, increase the physical memory for Fortify Static Code Analyzer.
To resolve the complexity identifier of l, you can adjust the following limiters in the Fortify Static Code
Analyzer property file <sca_install_dir>/Core/config/fortify-sca.properties or on the
command line.

Property Name Default Value

com.fortify.sca. 1000
limiters.MaxTaintDefForVar

com.fortify.sca. 4000
limiters.MaxTaintDefForVarAbort

com.fortify.sca. 4
limiters.MaxFieldDepth

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 157 of 210
User Guide
Chapter 18: Troubleshooting

The MaxTaintDefForVar limiter is a dimensionless value expressing the complexity of a function,

while MaxTaintDefForVarAbort is the upper bound for it. Use the MaxFieldDepth limiter to
measure the precision when the Dataflow Analyzer analyzes any given object. Fortify Static Code
Analyzer always tries to analyze objects at the highest precision possible.
If a given function exceeds the MaxTaintDefForVar limit at a given level of precision, the Dataflow
Analyzer analyzes that function with a lower level of precision (by reducing the MaxFieldDepth
limiter). When you reduce the precision, it reduces the complexity of the analysis. When the precision
cannot be reduced any further, Fortify Static Code Analyzer then proceeds with analysis at the lowest
precision level until either it finishes or the complexity exceeds the MaxTaintDefForVarAbort limiter.
In other words, Fortify Static Code Analyzer tries harder at the lowest precision level than at higher
precision levels, to get at least some results from the function. If Fortify Static Code Analyzer reaches
the MaxTaintDefForVarAbort limiter, it gives up on the function entirely and you get the "Function
too complex" warning.

Control Flow and Null Pointer Analyzer Limiters

There are two types of complexity identifiers for both Control Flow and Null Pointer analyzers:
l m: Out of memory
l t: Analysis taking too much time
Due to the way that the Dataflow Analyzer handles function complexity, it does not take an indefinite
amount of time. Control Flow and Null Pointer analyzers, however, can take a very long time when
analyzing very complex functions. Therefore, Fortify Static Code Analyzer provides a way to abort the
analysis when this happens, and then you get the "Function too complex" message with a complexity
identifier of t.
To change the maximum amount of time these analyzers spend analyzing functions, you can adjust the
following property values in the Fortify Static Code Analyzer property file <sca_install_
dir>/Core/config/fortify-sca.properties or on the command line.

Default
Property Name Description Value

com.fortify.sca. Sets the time limit (in milliseconds) for Control Flow 600000
CtrlflowMaxFunctionTime analysis on a single function. (10 minutes)

com.fortify.sca. Sets the time limit (in milliseconds) for Null Pointer 300000
NullPtrMaxFunctionTime analysis on a single function. (5 minutes)

To resolve the complexity identifier of m, increase the physical memory for Fortify Static Code Analyzer.
Note: If you increase these limiters or time settings, it makes the analysis of complex functions take
longer. It is difficult to characterize the exact performance implications of a particular value for the
limiters/time, because it depends on the specific function in question. If you never want see the
"Function too complex" warning, you can set the limiters/time to an extremely high value, however it
can cause unacceptable scan time.

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 158 of 210
User Guide
Chapter 18: Troubleshooting

Issue Non-Determinism
Running in parallel analysis mode might introduce issue non-determinism. If you experience any
problems, contact Micro Focus Fortify Customer Support and disable parallel analysis mode. Disabling
parallel analysis mode results in sequential analysis, which can be substantially slower but provides
deterministic results across multiple scans.
To disable parallel analysis mode:
1. Open the fortify-sca.properties file located in the <sca_install_dir>/core/config
directory in a text editor.
2. Change the value for the com.fortify.sca.MultithreadedAnalysis property to false.

com.fortify.sca.MultithreadedAnalysis=false

C/C++ Precompiled Header Files

Some C/C++ compilers support Precompiled Header Files, which can improve compilation performance.
Some compilers' implementations of this feature have subtle side-effects. When the feature is enabled,
the compiler might accept erroneous source code without warnings or errors. This can result in a
discrepancy where Fortify Static Code Analyzer reports translation errors even when your compiler
does not.
If you use your compiler's Precompiled Header feature, disable Precompiled Headers, and then perform
a full build to make sure that your source code compiles cleanly.

Accessing Log Files

By default, Fortify Static Code Analyzer creates two log files in the following location:
l On Windows: C:\Users\<user>\AppData\Local\Fortify\sca<version>\log
l On other platforms: $HOME/.fortify/sca<version>/log

where <version> is the version of Fortify Static Code Analyzer that you are using.
The following table describes the two log files.

Default File Name Description

sca.log The standard log provides a log of informational messages,

warnings, and errors that occurred in the run of
sourceanalyzer.

sca_FortifySupport.log The Fortify Support log provides:

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 159 of 210
User Guide
Chapter 18: Troubleshooting

Default File Name Description

l The same log messages as the standard log file, but with
additional details
l Additional detailed messages that are not included in the
standard log file
This log file is only helpful to Micro Focus Fortify Customer
Support or the development team to troubleshoot any
possible issues.

If you encounter warnings or errors that you cannot resolve, provide the Fortify Support log file to
Micro Focus Fortify Customer Support.

Configuring Log Files

You can configure the information that Fortify Static Code Analyzer writes to the log files by setting
logging properties (see "fortify-sca.properties" on page 173). You can configure the following log file
settings:
l The location and name of the log file
Property: com.fortify.sca.LogFile
l Log level (see "Understanding Log Levels" below)
Property: com.fortify.sca.LogLevel
l Whether to overwrite the log files for each run of sourceanalyzer
Property: com.fortify.sca.ClobberLog
Command-line option: -clobber-log

Understanding Log Levels

The log level you select gives you all log messages equal to and greater than it. The log levels in the
following table are listed in order from least to greatest. For example, the default log level of
INFO includes log messages with the following levels: INFO, WARN, ERROR, and FATAL. You can set
the log level with the com.fortify.sca.LogLevel property in the <sca_install_
dir>/Core/config/fortify.sca.properties file or on the command-line using the -D option.
The default log level is INFO.

Log
Level Description

DEBUG Includes information that could be used by Micro Focus Fortify Customer Support or the
development team to troubleshoot an issue

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 160 of 210
User Guide
Chapter 18: Troubleshooting

Log
Level Description

INFO Basic information about the translation or scan process

WARN Information about issues where the translation or scan did not stop, but might require
your attention for accurate results

ERROR Information about an issue that might require attention

FATAL Information about an error that caused the translation or scan to abort

Reporting Issues and Requesting Enhancements

Feedback is critical to the success of this product. To request enhancements or patches, or to report
issues, visit Micro Focus Fortify Customer Support at https://softwaresupport.softwaregrp.com.
Include the following information when you contact customer support:
l Product: Fortify Static Code Analyzer
l Version number: To determine the version number, run the following:

sourceanalyzer -version
l Platform: (for example, Red Hat Enterprise Linux <version>)
l Operating system: (such as Linux)

To request an enhancement, include a description of the feature enhancement.

To report an issue, provide enough detail so that support can duplicate the issue. The more descriptive
you are, the faster support can analyze and resolve the issue. Also include the log files, or the relevant
portions of them, from when the issue occurred.

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 161 of 210
Appendix A: Filtering the Analysis
This section contains the following topics:
Filter Files 162
Filter File Example 162

Filter Files
You can create a file to filter out particular vulnerability instances, rules, and vulnerability categories
when you run the sourceanalyzer command. You specify the file with the -filter analysis option.
Note: Fortify recommends that you only use filter files if you are an advanced user. Do not use filter
files for standard audits, because auditors typically want to see and evaluate all issues that Fortify
Static Code Analyzer finds.

A filter file is a text file that you can create with any text editor. The file functions as a blacklist, where
only the filter items you do not want are specified. Each filter item is on a separate line in the filter file.
You can specify the following filter types:
l Category
l Instance ID

l Rule ID

The filters are applied at different times in the analysis process, based on the type of filter. Fortify Static
Code Analyzer applies category and rule ID filters in the initialization phase before any analysis has
taken place, whereas an instance ID filter is applied after the analysis phase.

Filter File Example

As an example, the following output is from a scan of the EightBall.java, located in the <sca_
install_dir>/Samples/basic/eightball directory.
The following commands are executed to produce the analysis results:

sourceanalyzer -b eightball EightBall.java

sourceanalyzer -b eightball -scan

The following results show seven detected issues:

[F7A138CDE5235351F6A4405BA4AD7C53 : low : Unchecked Return Value :

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 162 of 210
User Guide
Appendix A: Filtering the Analysis

semantic ]
EightBall.java(12) : Reader.read()

[63C4F599F304C400E4BB77AB3EF062F6 : high : Path Manipulation : dataflow ]

EightBall.java(12) :  ->new FileReader(0)
EightBall.java(8) : <=> (filename)
EightBall.java(8) : <->Integer.parseInt(0->return)
EightBall.java(6) : <=> (filename)
EightBall.java(4) : ->EightBall.main(0)

[EFE997D3683DC384056FA40F6C7BD0E8 : critical : Path Manipulation :

dataflow ]
EightBall.java(12) : ->new FileReader(0)
EightBall.java(6) : <=> (filename)
EightBall.java(4) : ->EightBall.main(0)

[60AC727CCEEDE041DE984E7CE6836177 : high : Unreleased Resource : Streams :

controlflow ]
EightBall.java(12) : start -> loaded : new FileReader(...)
EightBall.java(12) : loaded -> loaded : <inline expression> refers to an
allocated resource
EightBall.java(12) : java.io.IOException thrown
EightBall.java(12) : loaded -> loaded : throw
EightBall.java(12) : loaded -> loaded : <inline expression> no longer
refers to an allocated resource
EightBall.java(12) : loaded -> end_of_scope : end scope : Resource
leaked : java.io.IOException thrown
EightBall.java(12) : start -> loaded : new FileReader(...)
EightBall.java(12) : loaded -> loaded : <inline expression> refers to an
allocated resource
EightBall.java(14) : loaded -> loaded : <inline expression> no longer
refers to an allocated resource
EightBall.java(14) : loaded -> end_of_scope : end scope : Resource
leaked

[BB9F74FFA0FF75C9921D0093A0665BEB : low : J2EE Bad Practices : Leftover

Debug Code : structural ]
EightBall.java(4)

[FF0D787110C7AD2F3ACFA5BEB6E951C3 : low : Poor Logging Practice : Use of a

System Output Stream : structural ]
EightBall.java(10)

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 163 of 210
User Guide
Appendix A: Filtering the Analysis

[FF0D787110C7AD2F3ACFA5BEB6E951C4 : low : Poor Logging Practice : Use of a

System Output Stream : structural ]
EightBall.java(13)

The following is example filter file content that performs the following:
l Remove all results related to the Poor Logging Practice category
l Remove the Unreleased Resource based on its instance ID
l Remove any dataflow issues that were generated from a specific rule ID

#This is a category that will be filtered from scan output

Poor Logging Practice

#This is an instance ID of a specific issue to be filtered from scan

output
60AC727CCEEDE041DE984E7CE6836177

#This is a specific Rule ID that leads to the reporting of a specific

issue in
#the scan output: in this case the data flow sink for a Path Manipulation
issue.
823FE039-A7FE-4AAD-B976-9EC53FFE4A59

To test the filtered output, copy the above text and paste it into a file with the name test_
filter.txt.
To apply the filtering in the test_filter.txt file, execute the following command:

sourceanalyzer -b eightball -scan -filter test_filter.txt

The filtered analysis produces the following results:

[F7A138CDE5235351F6A4405BA4AD7C53 : low : Unchecked Return Value :

semantic]
EightBall.java(12) : Reader.read()

[63C4F599F304C400E4BB77AB3EF062F6 : high : Path Manipulation : dataflow ]

EightBall.java(12) : ->new FileReader(0)
EightBall.java(8) : <=> (filename)
EightBall.java(8) : <->Integer.parseInt(0->return)
EightBall.java(6) : <=> (filename)
EightBall.java(4) : ->EightBall.main(0)

[BB9F74FFA0FF75C9921D0093A0665BEB : low : J2EE Bad Practices : Leftover

Debug Code : structural]
EightBall.java(4)

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 164 of 210
Appendix B: Fortify Scan Wizard
This section contains the following topics:
Preparing to use the Fortify Scan Wizard 165
Starting the Fortify Scan Wizard 166

Preparing to use the Fortify Scan Wizard

Fortify Scan Wizard uses the information you provide to create a script with the commands for Fortify
Static Code Analyzer to translate and scan project code and optionally upload the results directly to
Micro Focus Fortify Software Security Center. You can use Fortify Scan Wizard to run your scans locally
or upload them to a Micro Focus Fortify CloudScan server.

Note: If you generate a script on a Windows system, you cannot run that script on a non-Windows
system. Likewise, if you generate a script on a non-Windows system, you cannot run it on a
Windows system.

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 165 of 210
User Guide
Appendix B: Fortify Scan Wizard

To use the Fortify Scan Wizard, you need the following:

l Location of the build directory or directories of the project to be scanned
l Access to the build directory or directories of the project to be scanned

l To scan Java code, the version of the Java JDK used to develop the code

l To use Fortify CloudScan to scan your code, the URL of the CloudScan Controller

l (Optional) Location of custom rule files

To upload your scan results to Fortify Software Security Center, you also need:
l Your Fortify Software Security Center logon credentials
l The Fortify Software Security Center server URL
l An upload authentication token
Note: If you do not have an upload token, you can use the Fortify Scan Wizard to generate one.
To do this, you must have Fortify Software Security Center logon credentials.

If you do not have Fortify Software Security Center logon credentials, you must have the following:
l Application name
l Application version name
Note: Fortify Scan Wizard uses a default scan memory setting of 90% of the total available memory
if it is greater than 4 GB, otherwise the default memory setting is 2/3 the total available memory.
Adjust the scan memory as necessary in the Translation and Scan step.

Starting the Fortify Scan Wizard

To start the Fortify Scan Wizard with Fortify SCA and Applications installed locally, do one of the
following, based on your operating system:
l On Windows, select Start > All Programs > Fortify SCA and Applications <version> > Scan
Wizard.
l On Linux, navigate to the <sca_install_dir>/bin directory, and then run the ScanWizard file
from the command line.
l On macOS, navigate to the <sca_install_dir>/bin directory, and then double-click
ScanWizard.

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 166 of 210
Appendix C: Sample Files
The Fortify SCA and Applications installation might include several code sample that you can use to
when learning to use Fortify Static Code Analyzer. If you installed the sample files, they are located in
the following directory:

<sca_install_dir>/Samples
The Samples directory contains two subdirectories: basic and advanced. Each code sample includes a
README.txt file that provides instructions on how to scan the code with Fortify Static Code Analyzer
and view the results in Micro Focus Fortify Audit Workbench.
The basic subdirectory includes an assortment of simple language-specific code samples. The
advanced subdirectory includes more advanced samples including source code to help you integrate
Fortify Static Code Analyzer with your bug tracker application. For information on integrating bug
tracker applications with Fortify Audit Workbench, see Micro Focus Fortify Audit Workbench User
Guide.
This section contains the following topics:
Basic Samples 167
Advanced Samples 169

Basic Samples
The following table describes the sample files in the <sca_install_dir>/Samples/basic directory
and provides a list of the vulnerabilities that the samples demonstrate. Many of the samples includes a
README.txt file that provides details and instructions on its use.

Folder Name Description Vulnerabilities

cpp A C++ sample file and instructions to analyze code that has a Command
simple dataflow vulnerability. It requires a gcc or cl compiler. Injection
Memory Leak

database A database.pks sample file. This SQL sample includes issues in Access Control:
SQL code. Database

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 167 of 210
User Guide
Appendix C: Sample Files

Folder Name Description Vulnerabilities

eightball A Java application (EightBall.java) that exhibits bad error Path

handling. It requires an integer argument. If you supply a file Manipulation
name instead of an integer as the argument, it displays the file
Unreleased
contents.
Resource:
Streams
J2EE Bad
Practices:
Leftover
Debug Code

formatstring The formatstring.c file. It requires a gcc or cl compiler. Format String

javascript The sample.js JavaScript file. Cross Site

Scripting (XSS)
Open Redirect

nullpointer The NullPointerSample.java file. Null

Dereference

php Two PHP files: sink.php and source.php. Analyzing Cross Site

source.php reveals simple dataflow vulnerabilities and a Scripting
dangerous function.
SQL Injection

sampleOutput A sample output file (WebGoat5.0.fpr) from the WebGoat Various

project located in the Samples/advanced/webgoat directory.

stackbuffer The stackbuffer.c file. It requires a gcc or cl compiler. Buffer

Overflow

toctou The toctou.c file. Time-of-

Check/Time-of-
Use (Race
Condition)

vb6 The command-injection.bas file. Command

Injection
SQL Injection

vbscript The source.asp and sink.asp files. SQL Injection

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 168 of 210
User Guide
Appendix C: Sample Files

Advanced Samples
The following table describes the sample files in the <sca_install_dir>/Samples/advanced
directory. Many of the samples include a README.txt file that provides further details and instructions
on its use.

Folder Name Description

BugTrackerPlugin Includes source code for the supported bug tracker plugin.
<bugtracker>

c++ A sample solution for different supported versions of Visual Studio.

To use this sample, you must have the following installed:
l A supported version of Visual Studio Visual C/C++
l Fortify Static Code Analyzer
l To analyze the sample from Visual Studio as described in the README.txt
file, you must have the Micro Focus Fortify Extension for Visual Studio
installed for your Visual Studio version
The code includes a Command Injection issue and an Unchecked Return Value
issue.

configuration A sample Java EE application that has vulnerabilities in its web module
deployment descriptor web.xml.

crosstier A sample that has vulnerabilities that span multiple application technologies
(Java, PL/SQL, JSP, struts).
The output contains several issues of different types, including two Access
Control vulnerabilities. One of these is a cross-tier result. It has a dataflow trace
from user input in Java code that can affect a SELECT statement in PL/SQL.

csharp A simple C# program that has SQL injection vulnerabilities. Versions are
included for different supported versions of Visual Studio. Scanning this sample
reveals the SQL Injection vulnerabilities and an Unreleased Resource
vulnerability. Other categories might also be present, depending on the
Rulepacks used in the scan.

customrules Several simple source code samples and Rulepack files that illustrate how four
different analyzers: Semantic, Dataflow, Control Flow, and Configuration
interpret rules. This folder also includes several miscellaneous samples of real-

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 169 of 210
User Guide
Appendix C: Sample Files

Folder Name Description

world rules that you can use to scan real applications.

ejb A sample Java EE cross-tier application with Servlets and EJBs.

filters A sample that uses the Fortify Static Code Analyzer -filter option.

findbugs A sample that demonstrates how to run the FindBugs static analysis tool
together with Fortify Static Code Analyzer and filter out results that overlap.

java1.5 A sample Java file: ResourceInjection.java. The result file includes a Path
Manipulation, a J2EE Bad Practices, and a Poor Style vulnerability.

javaAnnotations A sample application that illustrates problems that might arise from its use and
how to fix the problems with the Fortify Java Annotations.
This example illustrates how the use of Fortify Annotations can result in
increased accuracy in the reported vulnerabilities. The README.txt file
describes the Fortify Java Annotations and the potential problems and
solutions associated with the sample application.

JavaDoc JavaDoc directory for the public-api and WSClient.

riches.java A Java EE 1.4 sample web application with various known security vulnerabilities
including Cross-Site Scripting, SQL Injection, and Command Injection.

riches.net A .NET 4.0 sample web application with various known security vulnerabilities
including Cross-Site Scripting, SQL Injection, and Command Injection.

webgoat The WebGoat test Java EE web application provided by the Open Web
Application Security Project (https://www.owasp.org). This directory contains
the WebGoat 5.0 source code.

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 170 of 210
Appendix D: Configuration Options
The Fortify SCA and Applications installer places a set of properties files on your system. Properties files
contain configurable settings for Micro Focus Fortify Static Code Analyzer runtime analysis, output, and
performance.
This section contains the following topics:
Fortify Static Code Analyzer Properties Files 171
fortify-sca.properties 173
fortify-sca-quickscan.properties 205

Fortify Static Code Analyzer Properties Files

The properties files are located in the <sca_install_dir>/Core/config directory.
The installed properties files contain default values. Fortify recommends that you consult with your
project leads before you make changes to the properties in the properties files. You can modify any of
the properties in the configuration file with any text editor. You can also specify the property on the
command line with the -D option.
The following table describes the primary properties files. Additional properties files are described in
Micro Focus Fortify Static Code Analyzer Tools Properties Reference Guide.

Properties File Name Description

fortify-sca.properties Defines the Fortify Static Code Analyzer configuration

properties.

fortify-sca-quickscan.properties Defines the configuration properties applicable for a

Fortify Static Code Analyzer quick scan.

Properties File Format

In the properties file, each property consists of a pair of strings: the first string is the property name and
the second string is the property value.

com.fortify.sca.fileextensions.htm=HTML

As shown above, the property sets the translation to use for .htm files. The property name is
com.fortify.sca.fileextension.htm and the value is set to HTML.

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 171 of 210
User Guide
Appendix D: Configuration Options

Note: When you specify a path for Windows systems as the property value, you must escape any
backslash character (\) with a backslash (for example:
com.fortify.sca.ASPVirtualRoots.Library=C:\\WebServer\\CustomerA\\inc).

Disabled properties are commented out of the properties file. To enable these properties, remove the
comment symbol (#) and save the properties file. In the following example, the
com.fortify.sca.LogFile property is disabled in the properties file and is not part of the
configuration:

# default location for the log file

#com.fortify.sca.LogFile=${com.fortify.sca.ProjectRoot}/sca/log/sca.log

Precedence of Setting Properties

Fortify Static Code Analyzer uses properties settings in a specific order. You can override any previously
set properties with the values that you specify. Keep this order in mind when making changes to the
properties files.
The following table lists the order of precedence for Fortify Static Code Analyzer properties.

Order Property Specification Description

1 Command line with the Properties specified on the command line have the highest
-D option priority and you can specify them in any scan.

2 Fortify Static Code Properties specified in the Quick Scan configuration file
Analyzer Quick Scan (fortify-sca-quickscan.properties) have the second
configuration file priority, but only if you include the -quick option to enable
Quick Scan mode. If Quick Scan is not invoked, this file is ignored.

3 Fortify Static Code Properties specified in the Fortify Static Code Analyzer
Analyzer configuration configuration file (fortify-sca.properties) have the lowest
file priority. Edit this file to change the property values on a more
permanent basis for all scans.

Fortify Static Code Analyzer also relies on some properties that have internally defined default values.

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 172 of 210
User Guide
Appendix D: Configuration Options

fortify-sca.properties
The following table summarizes the properties available for use in the fortify-sca.properties file.
See "fortify-sca-quickscan.properties" on page 205 for additional properties that you can use in this
properties file. The description for each property includes the value type, the default value, the
equivalent command-line option (if applicable), and an example.

Property Name Description

com.fortify.sca. Specifies the build ID of the build.

BuildID
Value type: String
Default: (none)

Command-line Option: -b

com.fortify.sca. Specifies the folder to store intermediate files generated in

ProjectRoot the translation and scan phases. Fortify Static Code
Analyzer makes extensive use of intermediate files located
in this project root directory. In some cases, you achieve
better performance for analysis by making sure this
directory is on local storage rather than on a network
drive.
Value type: String (path)
Default (Windows):
${win32.LocalAppdata}\Fortify

Note: ${win32.LocalAppdata} is a special variable

that points to the windows Local Application Data
shell folder.

Default (Non-Windows): $home/.fortify

Command-line Option: -project-root
Example: com.fortify.sca.ProjectRoot=
C:\Users\<user>\AppData\Local\

com.fortify.sca. Dead code is code that can never be executed, such as

DisableDeadCode code inside the body of an if statement that always
Elimination evaluates to false. If this property is set to true, then
Fortify Static Code Analyzer does not identify dead code,

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 173 of 210
User Guide
Appendix D: Configuration Options

Property Name Description

does not report dead code issues, and reports other

vulnerabilities in the dead code, even though they are
unreachable during execution.
Value type: Boolean

Default:false

com.fortify.sca. If set to true, Fortify Static Code Analyzer removes dead

DeadCodeFilter code issues, for example because the compiler generated
dead code and it does not appear in the source code.
Value type: Boolean

Default: true

com.fortify.sca. Specifies how to translate specific file extensions for

fileextensions.java languages that do not require build integration. The valid
com.fortify.sca. types are: ABAP, ACTIONSCRIPT, APEX, APEX_
fileextensions.cs TRIGGER, ARCHIVE, ASPNET, ASP, ASPX, BITCODE,
BYTECODE, CFML, COBOL, CSHARP, HTML, JAVA,
com.fortify.sca.
fileextensions.js
JAVA_PROPERTIES, JAVASCRIPT, JSP, JSPX, MSIL,
MXML, PHP, PLSQL, PYTHON, RUBY, RUBY_ERB,
com.fortify.sca. SCALA, SWIFT, TLD, SQL, TSQL, TYPESCRIPT, VB, VB6,
fileextensions.py
VBSCRIPT, VISUAL_FORCE, and XML.
com.fortify.sca.
fileextensions.rb Value type: String (valid language type)

com.fortify.sca. Default: See the fortify-sca.properties file for the

fileextensions.aspx complete list.
com.fortify.sca. Examples:
fileextensions.php
com.fortify.sca.fileextensions.java=JAVA
Note: This is a partial list. For the com.fortify.sca.fileextensions.cs=CSHARP
complete list, see the properties file. com.fortify.sca.fileextensions.js=JAVASCRIP
T
com.fortify.sca.fileextensions.py=PYTHON
com.fortify.sca.fileextensions.rb=RUBY
com.fortify.sca.fileextensions.aspx=ASPNET
com.fortify.sca.fileextensions.php=PHP

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 174 of 210
User Guide
Appendix D: Configuration Options

Property Name Description

You can also specify a value of oracle:<path_to_

script> to programmatically supply a language type.
Provide a script that accepts one command-line parameter
of a file name that matches the specified file extension.
The script must write the valid Fortify Static Code
Analyzer file type (see previous list) to stdout and exit
with a return value of zero. If the script returns a non-zero
return code or the script does not exist, the file is not
translated and Fortify Static Code Analyzer writes a
warning to the log file.
Example:
com.fortify.sca.fileextensions.jsp=
oracle:<path_to_script>

com.fortify.sca. Specifies custom-named compilers.

compilers.javac=
com.fortify.sca.
Value type: String (compiler)
util.compilers.
Default: See the Compilers section in the fortify-
JavacCompiler
sca.properties file for the complete list.
com.fortify.sca.
compilers.c++= Example:
com.fortify.sca. To tell Fortify Static Code Analyzer that “my-gcc” is a gcc
util.compilers.
compiler:
GppCompiler
com.fortify.sca. com.fortify.sca.
compilers.make= compilers.my-gcc=
com.fortify.sca. com.fortify.sca.util.compilers.
util.compilers. GccCompiler
TouchlessCompiler
Notes:
com.fortify.sca.
compilers.mvn= l Compiler names can begin or end with an asterisk
com.fortify.sca. (*), which matches zero or more characters.
util.compilers. l Execution of Apple LLVM clang/clang++ is not
MavenAdapter
supported with the gcc/g++ command names. You
Note: This is a partial list. For the can specify the following:
complete list, com.fortify.sca.compilers.g++=
see the properties file. com.fortify.sca.util.compilers.
GppCompiler

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 175 of 210
User Guide
Appendix D: Configuration Options

Property Name Description

com.fortify.sca. If set to true, Fortify Static Code Analyzer includes

UseAntListener com.fortify.dev.ant.SCAListener in the compiler
options.
Value type: Boolean

Default: false

com.fortify.sca. Specifies a file or a list of files to exclude from translation.

exclude Separate the file list with semicolons (Windows) or a
colons (non-Windows systems).

Note: Fortify Static Code Analyzer only uses this

property during translation without build integration.
When you integrate with a compiler or build tool,
Fortify Static Code Analyzer translates all source files
that the compiler or build tool processes even if they
are specified with this property.

Value type: String (list of file names)

Default: Not enabled

Command-line Option: -exclude

Example: com.fortify.sca.exclude=
file1.x;file2.x

com.fortify.sca. Specifies the source file encoding type. Fortify Static Code
InputFileEncoding Analyzer allows you to scan a project that contains
differently encoded source files. To work with a multi-
encoded project, you must specify the -encoding option
in the translation phase, when Fortify Static Code
Analyzer first reads the source code file. Fortify Static
Code Analyzer remembers this encoding in the build
session and propagates it into the FVDL file.
Valid encoding names are from the
java.nio.charset.Charset
Typically, if you do not specify the encoding type, Fortify
Static Code Analyzer uses file.encoding from the
java.io.InputStreamReader constructor with no
encoding parameter. In a few cases (for example with the

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 176 of 210
User Guide
Appendix D: Configuration Options

Property Name Description

ActionScript parser), Fortify Static Code Analyzer defaults

to UTF-8.
Value type: String
Default: (none)

Command-Line Option: -encoding

Example:
com.fortify.sca.InputFileEncoding=UTF-16

com.fortify.sca. Specifies whether the xcodebuild touchless adapter

xcode.TranslateAfterError
continues translation if the xcodebuild subprocess exited
with a non-zero exit code. If set to false, translation stops
after encountering a non-zero xcodebuild exit code and
the Fortify Static Code Analyzer touchless build halts with
the same exit code. If set to true, the Fortify Static Code
Analyzer touchless build executes translation of the build
file identified prior to the xcodebuild exit, and Fortify
Static Code Analyzer exits with an exit code of zero
(unless some other error also occurs).
Regardless of this setting, if xcodebuild exits with a non-
zero code, then the xcodebuild exit code, stdout, and
stderr are written to the log file.
Value type: Boolean

Default: false

com.fortify.sca. If set to true, Fortify Static Code Analyzer uses Apex

Apex translation for files with the .cls extension and
Visualforce translation for files with the .component
extension.
Value type: Boolean

Default: false
Command-line Option: -apex

com.fortify.sca. Specifies the absolute path of the custom sObject JSON

ApexObjectPath file sobjects.json.
Value type: String

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 177 of 210
User Guide
Appendix D: Configuration Options

Property Name Description

Default: (none)

Command-line Option: -apex-sobject-path

com.fortify.sca. Specifies a comma- or colon-separated list of the types of

DefaultAnalyzers analysis to perform. The valid values for this property are:
buffer, content, configuration, controlflow,
dataflow, findbugs, nullptr, semantic, and
structural.
Value type: String
Default: This property is commented out and all analysis
types are used in scans.

Command-line Option: -analyzers

com.fortify.sca. Specifies a comma- or colon-separated list of analyzers to

EnableAnalyzer use for a scan in addition to the default analyzers. The
valid values for this property are: buffer, content,
configuration, controlflow, dataflow, findbugs,
nullptr, semantic, and structural.
Value type: String
Default: (none)

com.fortify.sca. Extends the default exit code options. See "Exit Codes" on
ExitCodeLevel page 153 for a description of the exit codes. The valid
values are:
The valid values are:

l nothing—Returns exit codes 0, 1, 2, or 3. This is the

default setting.
l warnings—Returns exit codes 0, 1, 2, 3, 4, or 5.
l errors—Returns exit codes 0, 1, 2, 3, or 5.
l no_output_file—Returns exit codes 0, 1, 2, 3, or 6.
Command-line Option:
-exit-code-level

com.fortify.sca. If set to true, requests a full scan of a project for which you
IncrementalBaseScan can run subsequent incremental scans.

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 178 of 210
User Guide
Appendix D: Configuration Options

Property Name Description

Value type: Boolean

Default: false

com.fortify.sca. If set to true, requests an incremental rescan of a

IncrementalScan previously scanned project.
Value type: Boolean

Default: false

com.fortify.sca. If set to true, Fortify Static Code Analyzer generates

AddImpliedMethods implied methods when it encounters implementation by
inheritance.
Value type: Boolean

Default: true

com.fortify.sca. If set to true, higher-order analysis is enabled.

hoa.Enable
Value type: Boolean

Default: true

com.fortify.sca. The languages for which to run higher-order analysis.

Phase0HigherOrder. Valid values are: python, swift, ruby, javascript, and
Languages typescript.
Value type: String (comma separated list of languages)
Default:
python,ruby,swift,javascript,typescript

com.fortify.sca. Specifies the total time (in seconds) for higher-order

Phase0HigherOrder.Timeout. analysis. When the analyzer reaches the hard timeout limit,
Hard it exits immediately.
Fortify recommends this timeout limit in case some issue
causes the analysis to run too long. Fortify recommends
that you set the hard timeout to about 50% longer than
the soft timeout, so that either the fixpoint pass limiter or
the soft timeout occurs first.
Value type: Number

Default: 2700

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 179 of 210
User Guide
Appendix D: Configuration Options

Property Name Description

com.fortify.sca. Comma- or colon-separated list of languages that use type

TypeInferenceLanguages inference. This setting improves the precision of the
analysis for dynamically-typed languages.
Value type: String

Default: javascript,python,ruby,typescript

com.fortify.sca. The total amount of time (in seconds) that type inference

TypeInferencePhase0 can spend in phase 0 (the interprocedural analysis).
Timeout Unlimited if set to zero or is not specified.
Value type: Long

Default: 300

com.fortify.sca. The amount of time (in seconds) that type inference can
TypeInferenceFunctionTimeout spend to analyze a single function. Unlimited if set to zero
or is not specified.
Value type: Long

Default: 60

com.fortify.sca. If set to true, disables function pointers during the scan.

DisableFunctionPointers
Value type: Boolean

Default: false

com.fortify.sca. Specifies a list of file extensions for rules files. Any files in
RulesFileExtensions <sca_install_dir>/Core/config/rules (or a
directory specified with the -rules option) whose
extension is in this list is included. The .bin extension is
always included, regardless of the value of this property.
The delimiter for this property is the system path
separator.
Value type: String

Default: .xml

com.fortify.sca. Specifies a custom Rulepack or directory. If you specify a

RulesFile directory, all of the files in the directory with the .bin and
.xml extensions are included.

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 180 of 210
User Guide
Appendix D: Configuration Options

Property Name Description

Value type: String (path)

Default: (none)

Command-line Option: -rules

com.fortify.sca. If set to true, rules from the default Rulepacks are not
NoDefaultRules loaded. Fortify Static Code Analyzer processes the
Rulepacks for description elements and language libraries,
but no rules are processed.
Value type: Boolean
Default: (none)

Command-line Option: -no-default-rules

com.fortify.sca. If set to true, disables rules in default Rulepacks that lead

NoDefaultIssueRules directly to issues. Still loads rules that characterize the
behavior of functions. This can be helpful when creating
custom issue rules.
Value type: Boolean
Default: (none)

Command-line Option: -no-default-issue-rules

com.fortify.sca. If set to true, disables source rules in the default

NoDefaultSourceRules Rulepacks. This can be helpful when creating custom
source rules.

Note: Characterization source rules are not disabled.

Value type: Boolean
Default: (none)

Command-line Option: -no-default-source-rules

com.fortity.sca. If set to true, disables sink rules in the default Rulepacks.

NoDefaultSinkRules This can be helpful when creating custom sink rules.

Note: Characterization sink rules are not disabled.

Value type: Boolean

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 181 of 210
User Guide
Appendix D: Configuration Options

Property Name Description

Default: (none)

Command-line Option: -no-default-sink-rules

com.fortify.sca. Sets the directory used to search for custom rules.

CustomRulesDir
Value type: String (path)
Default:

${com.fortify.Core}/config/customrules

com.fortify.sca. If set to true, FindBugs is enabled as part of the scan.

EnableFindbugs
Value type: Boolean

Default: true
Command-line Option: -findbugs

com.fortify.sca. Sets the maximum heap size for findbugs.

findbugs.maxheap
Value type: String
Default: Maximum heap size for Fortify Static Code
Analyzer
Example:
com.fortify.sca.findbugs.maxheap=500m

com.fortify.sca. If set to true, Fortify Static Code Analyzer ignores low

SuppressLowSeverity severity issues found in a scan.
Value type: Boolean

Default: true

com.fortify.sca. Specifies the cutoff level for severity suppression. Fortify

LowSeverityCutoff Static Code Analyzer ignores any issues found with a
lower severity value than the one specified for this
property.
Value type: Number

Default:1.0

com.fortify.sca. Specifies whether to enable Control Flow Analyzer

analyzer.controlflow. timeouts.

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 182 of 210
User Guide
Appendix D: Configuration Options

Property Name Description

EnableTimeOut Value type: Boolean

Default: true

com.fortify.sca. On Windows platforms, specifies the path to the reg.exe

RegExecutable system utility. Specify the paths in Windows syntax, not
Cygwin syntax, even when you run Fortify Static Code
Analyzer from within Cygwin. Escape backslashes with an
additional backslash.
Value type: String (path)

Default: reg
Example:
com.fortify.sca.RegExecutable=
C:\\Windows\\System32\\reg.exe

com.fortify.sca. Specifies the path to a filter file for the scan. See "Filter
FilterFile Files" on page 162 for more information.
Value type: String (path)
Default: (none)

Command-line Option: -filter

com.fortify.sca. Specifies a comma-separated list of IIDs to be filtered out

FilteredInstanceIDs using a filter file.
Value type: String
Default: (none)

com.fortify.sca. Specifies a subset of source files to scan. Only the source

BinaryName files that were linked in the named binary at build time are
included in the scan.
Value type: String (path)
Default: (none)

Command-line Option: -bin or -binary-name

com.fortify.sca. If set to true, Fortify Static Code Analyzer performs a

QuickScanMode quick scan. Fortify Static Code Analyzer uses the settings
from fortify-sca-quickscan.properties, instead

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 183 of 210
User Guide
Appendix D: Configuration Options

Property Name Description

of the fortify-sca.properties configuration file.

Value type: Boolean
Default: (not enabled)

Command-line Option: -quick

com.fortify.sca. Specifies the issue template file to use for the scan. This
ProjectTemplate only affects scans on the local machine. If you upload the
FPR to Micro Focus Fortify Software Security Center
server, it uses the issue template assigned to the
application version.
Value type: String
Default: (none)

Command-line Option: -project-template

Example:
com.fortify.sca.ProjectTemplate=
test_issuetemplate.xml

com.fortify.sca. If set to true, enables alias analysis.

alias.Enable
Value type: Boolean

Default: true

com.fortify.sca. Specifies a list of functions to blacklist from all analyzers.

UniversalBlacklist
Value type: String (colon-separated list)

Default: .*yyparse.*

com.fortify.sca. Specifies whether or not Fortify Static Code Analyzer runs

MultithreadedAnalysis in parallel analysis mode.
Value type: Boolean

Default: true

com.fortify.sca. Specifies the number of threads for parallel analysis mode.

ThreadCount Add this property only if you need to reduce the number
of threads used because of a resource constraint. If you
experience an increase in scan time or problems with your
scan, a reduction in the number of threads used might

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 184 of 210
User Guide
Appendix D: Configuration Options

Property Name Description

solve the problem.

Value type: Integer
Default: (number of available processor cores)

com.fortify.sca. Add a colon-separated list of languages to exclude from

DISabledLanguages the translation phase. The valid language values are
abap, actionscript, apex, cfml, cpp, cobol,
configuration, dotnet, java, javascript,
jsp, objc, php, plsql, python, ruby, scala,
sql, swift, tsql, typescript, vb.
Value type: String
Default: (none)

Command-line Option: -disable-language

com.fortify.sca. Specifies the Java source code version to the Java

JdkVersion translator.
Value type: String

Default: 1.8
Command-line Option: -jdk

com.fortify.sca. Specifies the class path used to analyze Java source code.
JavaClasspath Specify the paths as a semicolon-separated list (Windows)
or a colon-separated list (non-Windows systems).
Value type: String (paths)
Default: (none)

Command-line Option: -cp or -classpath

com.fortify.sca. Specifies the application server to process JSP files. The

Appserver valid values are weblogic or websphere.
Value type: String
Default: (none)

Command-line Option: -appserver

com.fortify.sca. Specifies the application server's home directory. For

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 185 of 210
User Guide
Appendix D: Configuration Options

Property Name Description

AppserverHome WebLogic, this is the path to the directory that contains

server/lib. For WebSphere, this is the path to the
directory that contains the JspBatchCompiler script.
Value type: String (path)
Default: (none)

Command-line Option: -appserver-home

com.fortify.sca. Specifies the version of the application server.

AppserverVersion
Value type: String
Default: (none)

Command-line Option: -appserver-version

com.fortify.sca. Specifies directories to include implicitly on the class path

JavaExtdirs for WebLogic and WebSphere application servers.
Value type: String
Default: (none)

Command-line Option: -extdirs

com.fortify.sca. Specifies a colon- or semicolon-separated list of source file

JavaSourcepath directories that are not included in the scan but are used
for name resolution. The source path is similar to
classpath, except it uses source files rather than class files
for resolution.
Value type: String (paths)
Default: (none)

Command-line Option: -sourcepath

com.fortify.sca. If set to true, Fortify Static Code Analyzer only translates

JavaSourcepathSearch source files that are referenced by the target file list.
Otherwise, Fortify Static Code Analyzer translates all files
included in the source path.
Value type: Boolean

Default: true

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 186 of 210
User Guide
Appendix D: Configuration Options

Property Name Description

com.fortify.sca. Specifies semicolon- or colon-separated list of directories

DefaultJarsDirs of commonly used JAR files. The JAR files located in these
directories are appended to the end of the class path
option (-cp).
Value type: String
Default: (none)

com.fortify.sca If set to true, the JSP parser uses JSP security manager.
jsp.UseSecurityManager
Value type: Boolean

Default: true

com.fortify.sca. Specifies the encoding for JSPs.

jsp.DefaultEncoding
Value type: String (encoding)

Default: ISO-8859-1

com.fortify.sca Specifies the .NET framework version. See the Micro

DotnetVersion Focus Fortify Software System Requirements for a list of
supported versions.
Value type: String
Default: (the latest supported version)

Command-line Option: -dotnet-version

com.fortify.sca Specifies the .NET Core version.

DotnetCoreVersion
Value type: String
Default: (none)

Command-line Option: -dotnet-core-version

com.fortify.sca Specifies the .NET Standard version.

DotnetStdVersion
Value type: String
Default: (none)

Command-line Option: -dotnet-std-version

com.fortify.sca. Specifies the semicolon-delimited list of directories where

DotnetLibdirs third-party DLL files are located. Used for default .NET

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 187 of 210
User Guide
Appendix D: Configuration Options

Property Name Description

library files.
Value type: String (path)
Default: (none)

Command-line Option: -libdirs

com.fortify.sca. If set to true, disables use of runtime .NET libraries

DotnetLibdirsOnly corresponding to target .Net framework version and only
uses the libraries referenced by the com.fortify.sca.
DotnetLibdirs property or the -libdirs command-
line option.
Value type: Boolean

Default: false
Command-line Option: -libdirs-only

com.fortify.sca. Overrides the default path to the NuGet cache directory.

NugetCacheDir
Value type: String (path)

Default: The .nuget/packages folder in the current

user’s home directory (Windows environment
variable: USERPROFILE)

Command-line Option: -nuget-cache-dir

com.fortify.sca. Specifies a semicolon-separated list of the source files for

DotnetSharedFiles all Shared Projects included in the project you are
translating.
Value type: String (files)
Default: (none)

Command-line Option: -dotnet-shared-files

com.fortify.sca. Specifies the output directory where the binary (EXE or

DotnetOutputDir DLL) built from the project is placed.
Value type: String (path)
Default: (none)

Command-line Option: -dotnet-output-dir

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 188 of 210
User Guide
Appendix D: Configuration Options

Property Name Description

com.fortify.sca. Specifies the root (home) directory of an ASP.NET project.

DotnetWebRoot
Value type: String (path)
Default: (none)

Command-line Option: -dotnetwebroot

com.fortify.sca. If set to true, the project is of type WebSite.

WebSiteProject
Value type: Boolean

Default: false
Command-line Option: -dotnet-website

com.fortify.sca. Specifies a semicolon-separated list of additional reference

DotnetWebAppLibs DLLs needed to translate ASP.NET pages.
Value type: String (path)
Default: (none)

Command-line Option: -dotnet-applibs

com.fortify.sca. Specifies a semicolon-separated list of source files that are

DotnetCodeBehind bound to ASP.NET pages (referred to as code-behind
files).
Value type: String (path)
Default: (none)

Command-line Option: -dotnet-codebehind

com.fortify.sca. If set to true, indicates a web project (ASP.NET or

AspNetCore ASP.NET Core) that targets the .NET Core or .NET
Standard framework.
Value type: Boolean

Default: false
Command-line Option: -aspnetcore

com.fortify.sca. Specifies the name of the target .NET assembly as

DotnetAssemblyName specified in Visual Studio project settings.
Value type: String

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 189 of 210
User Guide
Appendix D: Configuration Options

Property Name Description

Default: (none)

Command-line Option: -dotnet-assembly-name

com.fortify.sca. Specifies a list of external aliases for a specified DLL file in

DotnetAlias the following format: <alias1>,<alias2>,..=<path_
to_dll>. You can include multiple aliases as a semicolon-
separated list of pairs.
Value type: String
Default: (none)

Command-line Option: -cs-extern-alias

com.fortify.sca. Specifies a semicolon-separated list of preprocessor

DotnetPreprocessorSymbols symbols used in the source code.
Value type: String
Default: (none)

Command-line Option: -dotnet-preproc-symbols

com.fortify.sca. Specifies any special compilation options required for the

VBCompileOptions correct translation of the source code, such as
OptionStrict, OptionInfer, and OptionExplicit.
Value type: String
Default: (none)

Command-line Option: -vb-compile-options

com.fortify.sca. Specifies a semicolon-separated list of namespaces

VBGlobalImports imported for all source files in the project.
Value type: String
Default: (none)

Command-line Option: -vb-imports

com.fortify.sca. Specifies the value for the _MYTYPE preprocessor symbol

VBMyType that is specified in the <MyType> tag in the project
settings. This is required if the source code to be
translated uses My namespace.

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 190 of 210
User Guide
Appendix D: Configuration Options

Property Name Description

Value type: String

Default: (none)

Command-line Option: -vb-mytype

com.fortify.sca. Specifies the root namespace for the project as specified in

VBRootNamespace Visual Studio project settings.
Value type: String
Default: (none)

Command-line Option: -vb-root

com.fortify.sca. Specifies the target Android SDK version for Xamarin

XamarinAndroidVersion Android projects.
Value type: String
Default: (the latest installed version)

Command-line Option: -xamarin-android-version

com.fortify.sca. Specifies the target iOS SDK version for Xamarin iOS

XamariniOSVersion projects.
Value type: String
Default: (the latest installed version)

Command-line Option: -xamarin-ios-version

WinForms. Set various .NET options.

TransformDataBindings
Value type: Boolean and String
WinForms.
TransformMessageLoops Defaults and Examples:

WinForms. WinForms.TransformDataBindings=true
TransformChange
NotificationPattern WinForms.TransformMessageLoops=true

WinForms. WinForms.TransformChangeNotificationPattern
CollectionMutation =
Monitor.Label true

WinForms. WinForms.CollectionMutationMonitor.Label=
ExtractEventHandlers WinFormsDataSource
WinForms.ExtractEventHandlers=true

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 191 of 210
User Guide
Appendix D: Configuration Options

Property Name Description

com.fortify.sca. If set to true, Fortify Static Code Analyzer generates

EnableDOMModeling JavaScript code to model the DOM tree that an HTML file
generated during the translation phase and identifies
DOM-related issues (such as cross-site scripting issues).
Enable this property if the code you are
translatingincludes HTML files that have embedded or
referenced JavaScript code.

Note: Enabling this property can increase the

translation time.

Value type: Boolean

Default: false

com.fortify.sca If you set the com.fortify.sca.EnableDOMModeling

DOMModeling.tags property to true, you can specify additional HTML tags for
Fortify Static Code Analyzer to include in the DOM
modeling.
Value type: String (comma-separated HTML tag names)

Default: body, button, div, form, iframe, input, head,

html, and p.
Example:
com.fortify.sca.DOMModeling.tags=ul,li

com.fortify.sca. Specifies trusted domain names where Fortify Static Code

JavaScript.src.domain. Analyzer can download referenced JavaScript files for the
whitelist scan. Delimit the URLs with vertical bars.
Value type: String
Default: (none)

Example: com.fortify.sca.JavaScript.
src.domain.whitelist=
http://www.xyz.com|http://www.123.org

com.fortify.sca. If set to true, JavaScript code embedded in JSP, JSPX,

DisableJavascript PHP, and HTML files is not extracted and not scanned.
Extraction
Value type: Boolean

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 192 of 210
User Guide
Appendix D: Configuration Options

Property Name Description

Default: false

com.fortify.sca. Specifies a list of comma- or colon-separated JavaScript

skip.libraries.AngularJS technology library files that are not translated. You can
com.fortify.sca. use regular expressions in the file names. Note that the
skip.libraries.ES6 regular expression '(-\d\.\d\.\d)?' is automatically
com.fortify.sca.
inserted before .min.js or .js for each file name
skip.libraries.jQuery
included in the
com.fortify.sca.skip.libraries.jQuery
com.fortify.sca. property value.
skip.libraries.javascript
Value type: String
com.fortify.sca.
skip.libraries.typescript Defaults:

l AngularJS: angular.js,angular.min.js,
angular-animate.js,angular-aria.js,
angular_1_router.js,angular-cookies.js,
angular-message-format.js,angular-
messages.js,
angular-mocks.js,angular-parse-ext.js,
angular-resource.js,angular-route.js,
angular-sanitize.js,angular-touch.js
l ES6: es6-shim.min.js,system-polyfills.js,
shims_for_IE.js
l jQuery: jquery.js,jquery.min.js,
jquery-migrate.js,jquery-migrate.min.js,
jquery-ui.js,jquery-ui.min.js,
jquery.mobile.js,jquery.mobile.min.js,
jquery.color.js,jquery.color.min.js,
jquery.color.svg-names.js,
jquery.color.svg-names.min.js,
jquery.color.plus-names.js,
jquery.color.plus-names.min.js,
jquery.tools.min.js
l javascript: bootstrap.js,
bootstrap.min.js,
typescript.js,
typescriptServices.js
l typescript: typescript.d.ts,
typescriptServices.d.ts

com.fortify.sca. Specifies the PHP version. For a list of valid versions, see

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 193 of 210
User Guide
Appendix D: Configuration Options

Property Name Description

PHPVersion the Micro Focus Fortify Software System Requirements.

Value type: String

Default: 7.0
Command-Line Option: -php-version

com.fortify.sca. Specifies the PHP source root.

PHPSourceRoot
Value type: Boolean
Default: (none)

Command-Line Option: -php-source-root

com.fortify.sca. Specifies a colon- or semicolon-separated list of additional

PythonPath import directories. Fortify Static Code Analyzer does not
respect PYTHONPATH environment variable that the
Python runtime system uses to find import files. Use this
property to specify the additional import directories.
Value type: String (path)
Default: (none)

Command-line Option: -python-path

com.fortify.sca. Specifies the Python source code version you want to

PythonVersion scan. The valid values are 2 and 3.
Value type: Number

Default: 2
Command-Line Option: -python-version

com.fortify.sca. Specifies path to Django templates. Fortify Static Code

DjangoTemplateDirs Analyzer does not use the TEMPLATE_DIRS setting from
the Django settings.py file.
Value type: String (paths)
Default: (none)

Command-line Option: -django-template-dirs

com.fortify.sca. Specifies that Fortify Static Code Analyzer does not

DjangoDisableAutodiscover

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 194 of 210
User Guide
Appendix D: Configuration Options

Property Name Description

automatically discover Django templates.

Value type: Boolean
Default: (none)

Command-line Option: -django-disable-

autodiscover

com.fortify.sca. Specifies to translate python 2 code with the legacy

PythonLegacy Python translator. Only use this property if the translation
without the option fails and Micro Focus Fortify Customer
Support has recommended that you use it.
Value type: Boolean
Default: false

Command-line Option:-python-legacy

com.fortify.sca. Specifies one or more paths to directories that contain

RubyLibraryPaths Ruby libraries.
Value type: String (path)
Default: (none)

Command-line Option: -ruby-path

com.fortify.sca. Specifies the path(s) to a RubyGems location. Set this

RubyGemPaths value if the project has associated gems to scan.
Value type: String (path)
Default: (none)

Command-line Option: -rubygem-path

com.fortify.sca. Specifies a semicolon-separated list (Windows) or a colon-

FlexLibraries separated list (non-Windows systems) of libraries to "link"
to. This list must include flex.swc, framework.swc, and
playerglobal.swc (which are usually located in the
frameworks/libs directory in your Flex SDK root). Use
this property primarily to resolve ActionScript.
Value type: String (path)
Default: (none)

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 195 of 210
User Guide
Appendix D: Configuration Options

Property Name Description

Command-line Option: -flex-libraries

com.fortify.sca. Specifies the root location of a valid Flex SDK. The folder
FlexSdkRoot must contain a frameworks folder that contains a flex-
config.xml file. It must also contain a bin folder that
contains an mxmlc executable.
Value type: String (path)
Default: (none)

Command-line Option: -flex-sdk-root

com.fortify.sca. Specifies any additional source directories for a Flex

FlexSourceRoots project. Separate the list of directories with semicolons
(Windows) or colons (non-Windows systems).
Value type: String (path)
Default: (none)

Command-line Option: -flex-source-root

com.fortify.sca. If set to true, Fortify Static Code Analyzer adds ABAP

AbapDebug statements to debug messages.
Value type: String (statement)
Default: (none)

com.fortify.sca. When Fortify Static Code Analyzer encounters an ABAP

AbapIncludes 'INCLUDE' directive, it looks in the named directory.
Value type: String (path)
Default: (none)

com.fortify.sca. If set to true, specifies fixed-format COBOL to direct

CobolFixedFormat Fortify Static Code Analyzer to only look for source code
between columns 8-72 in all lines of code.
Value type: Boolean

Default: false
Command-line Option: -fixed-format

com.fortify.sca. Sets the SQL language variant. The valid values are PLSQL

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 196 of 210
User Guide
Appendix D: Configuration Options

Property Name Description

SqlLanguage (for Oracle PL/SQL) and TSQL (for Microsoft T-SQL).

Value type: String (SQL language type)

Default: TSQL
Command-line Option: -sql-language

com.fortify.sca. If set to true, Fortify Static Code Analyzer treats

CfmlUndefinedVariablesAreTain undefined variables in CFML pages as tainted. This serves
ted as a hint to the Dataflow Analyzer to watch out for
register-globals-style vulnerabilities. However, enabling
this property interferes with dataflow findings where a
variable in an included page is initialized to a tainted value
in an earlier-occurring included page.
Value type: Boolean

Default: false

com.fortify.sca. If set to true, make CFML files case-insensitive for

CaseInsensitiveFiles applications developed using a case-insensitive file system
and scanned on case-sensitive file systems.
Value type: Boolean
Default: (not enabled)

com.fortify.sca. Specifies the base directory for ColdFusion projects.

SourceBaseDir
Value type: String (path)
Default: (none)

Command-Line Option: -source-base-dir

com.fortify.sca. If set to true, excludes Fortify security content

FVDLDisableDescriptions descriptions from the analysis results file (FVDL).
Value type: Boolean

Default: false
Command-line Option: -fvdl-no-descriptions

com.fortify.sca. If set to true, excludes the ProgramData section from the

FVDLDisableProgramData analysis results file (FVDL).

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 197 of 210
User Guide
Appendix D: Configuration Options

Property Name Description

Value type: Boolean

Default: false
Command-line Option: -fvdl-no-progdata

com.fortify.sca. If set to true, excludes the engine data from the analysis
FVDLDisableEngineData results file (FVDL).
Value type: Boolean

Default: false
Command-line Option: -fvdl-no-enginedata

com.fortify.sca. If set to true, excludes code snippets from the analysis

FVDLDisableSnippets results file (FVDL).
Value type: Boolean

Default: false
Command-line Option: -fvdl-no-snippets

com.fortify.sca. If set to true, excludes the label evidence from the analysis
FVDLDisableLabelEvidence results file (FVDL).
Value type: Boolean

Default: false

com.fortify.sca. Specifies location of the style sheet for the analysis results.
FVDLStylesheet
Value type: String (path)
Default:
${com.fortify.Core}/resources/sca/fvdl2html
.xsl

com.fortify.sca. The file to which results are written.

ResultsFile
Value type: String
Default: (none)

Command-line Option: -f
Example:
com.fortify.sca.ResultsFile=results.fpr

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 198 of 210
User Guide
Appendix D: Configuration Options

Property Name Description

com.fortify.sca. If set to true, Fortify Static Code Analyzer appends results

OutputAppend to an existing results file.
Value type: Boolean

Default: false
Command-line Option: -append

com.fortify.sca. Controls the output format. The valid values are fpr,
Renderer fvdl, text, and auto. The default of auto selects the
output format based on the file extension of the file
provided with the -f option.
Value type: String

Default: auto
Command-line Option: -format

com.fortify.sca. If set to true, Fortify Static Code Analyzer prints results as

ResultsAsAvailable they become available. This is helpful if you do not specify
the -f option (to specify an output file) and print to
stdout.
Value type: Boolean

Default: false

com.fortify.sca. Specifies a name for the scanned project. Fortify Static

BuildProject Code Analyzer does not use this name but includes it in
the results.
Value type: String
Default: (none)

Command-line Option: -build-project

com.fortify.sca. Specifies a label for the scanned project. Fortify Static

BuildLabel Code Analyzer does not use this label but includes it in the
results.
Value type: String
Default: (none)

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 199 of 210
User Guide
Appendix D: Configuration Options

Property Name Description

Command-line Option: -build-label

com.fortify.sca. Specifies a version number for the scanned project. Fortify

BuildVersion Static Code Analyzer does not use this version number
but it is included in the results.
Value type: String
Default: (none)

Command-line Option: -build-version

com.fortify.sca. Output information in a format that scripts or Fortify

MachineOutputMode Static Code Analyzer tools can use rather than printing
output interactively. Instead of a single line to display scan
progress, a new line is printed below the previous one on
the console to display updated progress.
Value type: Boolean
Default: (not enabled)

com.fortify.sca. Sets the number of lines of code to display surrounding an

SnippetContextLines issue. The two lines of code on each side of the line where
the error occurs are always included. By default, five lines
are displayed.
Value type: Number

Default: 2

com.fortify.sca. If set to true, Fortify Static Code Analyzer copies source

MobileBuildSession files into the build session.
Value type: Boolean

Default: false

com.fortify.sca. If set to true, Fortify Static Code Analyzer extracts the

ExtractMobileInfo build ID and the Fortify Static Code Analyzer version
number from the mobile build session.

Note: Fortify Static Code Analyzer does not extract

the mobile build with this property.

Value type: Boolean

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 200 of 210
User Guide
Appendix D: Configuration Options

Property Name Description

Default: false

com.fortify.sca. If set to true, Fortify Static Code Analyzer overwrites the

ClobberLogFile log file for each run of sourceanalyzer.
Value type: Boolean

Default: false
Command-line Option: -clobber-log

com.fortify.sca. Specifies the default log file name and location.

LogFile
Value type: String (path)
Default:
${com.fortify.sca.ProjectRoot}/log/sca.log
and ${com.fortify.sca.ProjectRoot}/log/sca_
FortifySupport.log
Command-line Option: -logfile

com.fortify.sca. Specifies the minimum log level for both log files. The valid
LogLevel values are: DEBUG, INFO, WARN, ERROR, and FATAL. For
more information, see "Accessing Log Files" on page 159
and "Configuring Log Files" on page 160.
Value type: String

Default: INFO

com.fortify.sca. If set to true, Fortify Static Code Analyzer writes

PrintPerformanceDataAfterScan performance-related data to the Fortify Support log file
after the scan is complete. This value is automatically set to
true when in debug mode.
Value type: Boolean

Default: false

com.fortify.sca. Includes debug information in the Fortify Support log file,

Debug which is only useful for Micro Focus Fortify Customer
Support to help troubleshoot.
Value type: Boolean

Default: false

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 201 of 210
User Guide
Appendix D: Configuration Options

Property Name Description

Command-line Option: -debug

com.fortify.sca. This is the same as the com.fortify.sca.Debug

DebugVerbose property, but it includes more details, specifically for parse
errors.
Value type: Boolean
Default: (not enabled)

Command-line Option: -debug-verbose

com.fortify.sca. If set to true, includes verbose messages in the Fortify

Verbose Support log file.
Value type: Boolean
Default: (not enabled)

Command-line Option: -verbose

com.fortify.sca. If set to true, enables additional debugging for

DebugTrackMem performance information to be written to the Fortify
Support log.
Value type: Boolean
Default: (not enabled)

Command-line Option: -debug-mem

com.fortify.sca. If set to true, enables additional timers to track

CollectPerformanceData performance.
Value type: Boolean
Default: (not enabled)

com.fortify.sca. If set to true, disables the command-line progress

Quiet information.
Value type: Boolean

Default: false
Command-line Option: -quiet

com.fortify.sca. If set to true, Fortify Static Code Analyzer monitors its

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 202 of 210
User Guide
Appendix D: Configuration Options

Property Name Description

MonitorSca memory use and warns when JVM garbage collection

becomes excessive.
Value type: Boolean

Default: true

com.fortify.sca. Sets the location of the CPFE binary to use in the

cpfe.command translation phase.
Value type: String (path)
Default:
${com.fortify.Core}/private-bin/sca/cpfe48

com.fortify.sca. If set to true, Fortify Static Code Analyzer uses CPFE

cpfe.441 version 4.4.1.
Value type: Boolean

Default: false

com.fortify.sca. Sets the location of the CPFE binary (version 4.4.1) to use
cpfe.441.command in the translation phase.
Value type: String (path)
Default:
${com.fortify.Core}/private-
bin/sca/cpfe441.rfct

com.fortify.sca. Adds options to the CPFE command line to use when

cpfe.options translating C/C++ code.
Value type: String
Default:
--remove_unneeded_entities --suppress_vtbl
-tused

com.fortify.sca. Sets the name of CPFE option that specifies the output
cpfe.file.option (for example NST) file name.
Value type: String

Default: --gen_c_file_name
Example:

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 203 of 210
User Guide
Appendix D: Configuration Options

Property Name Description

com.fortify.sca.cpfe.file.option=
--gen_c_file_name

com.fortify.sca. If set to true, CPFE handles multibyte characters in the

cpfe.multibyte source code. This enables Fortify Static Code Analyzer to
handle code with multibyte encoding, such as SJIS
(Japanese).
Value type: Boolean

Default: false

com.fortify.sca. If set to true, any CPFE warnings are included in the

cpfe.CaptureWarnings Fortify Static Code Analyzer log.
Value type: Boolean

Default: false

com.fortify.sca. If set to true, CPFE fails if there is an error.

cpfe.FailOnError
Value type: Boolean

Default: false

com.fortify.sca. If set to true, any failure to open a source file (including

cpfe.IgnoreFileOpen headers) is considered a warning instead of an error.
Failures
Value type: Boolean

Default: false

com.fortify.sca. Specifies a semicolon delimited list of full paths to virtual

ASPVirtualRoots. roots used.
<virtual_path>
Value type: String
Default: (none)
Example:
com.fortify.sca.ASPVirtualRoots.Library=
c:\\WebServer\\CustomerTwo\\Stuff
com.fortify.sca.ASPVirtualRoots.Include=
c:\\WebServer\\CustomerOne\\inc

com.fortify.sca. If set to true, disables ASP external entries in the analysis.

DisableASPExternalEntries
Value type: Boolean

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 204 of 210
User Guide
Appendix D: Configuration Options

Property Name Description

Default: false

fortify-sca-quickscan.properties
Fortify Static Code Analyzer offers a less-intensive scan known as a quick scan. This option scans the
project in Quick Scan mode, using the property values in the fortify-sca-quickscan.properties
file. By default, a Quick Scan searches for high-confidence, high-severity issues only. For more
information about Quick Scan mode, see the Micro Focus Fortify Audit Workbench User Guide.

Note: Properties in this file are only used if you specify the -quick option on the command line for
your scan.

The table provides two sets of default values: the default value for quick scans and the default value for
normal scans. If only one default value is shown, the value is the same for both normal scans and quick
scans.

Property Name Description

com.fortify.sca. Sets the time limit (in milliseconds) for Control Flow
CtrlflowMaxFunctionTime analysis on a single function.
Value type: Integer

Quick scan default: 30000

Default: 600000

com.fortify.sca. Specifies a comma- or colon-separated list of analyzers

DisableAnalyzers to disable during a scan. The valid values for this
property are: buffer, content, configuration,
controlflow, dataflow, findbugs, nullptr,
semantic, and structural.
Value type: String

Quick scan default: controlflow:buffer

Default: (none)

com.fortify.sca. Specifies the filter set to use. You can use this property
FilterSet with an issue template to filter at scan-time instead of
post-scan. See
com.fortify.sca.ProjectTemplate described in
"fortify-sca.properties" on page 173 to specify an issue

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 205 of 210
User Guide
Appendix D: Configuration Options

Property Name Description

template that contains the filter set to use.

When set to Quick View, this property runs rules that

have a potentially high impact and a high likelihood of
occurring and rules that have a potentially high impact
and a low likelihood of occurring. Filtered issues are not
written to the FPR and therefore this can reduce the
size of an FPR. For more information about filter sets,
see the Micro Focus Fortify Audit Workbench User
Guide.
Value type: String

Quick scan default: Quick View

Default: (none)

com.fortify.sca. Disables the creation of the metatable, which includes

FPRDisableMetatable information for the Function view in Micro Focus
Fortify Audit Workbench. This metatable enables right-
click on a variable in the source window to show the
declaration. If C/C++ scans take an extremely long time,
setting this property to true can potentially reduce the
scan time by hours.
Value type: Boolean

Quick scan default: true

Default: false
Command-line Option: -disable-metatable

com.fortify.sca. Disables source code inclusion in the FPR file. Prevents

FPRDisableSourceBundling
Fortify Static Code Analyzer from generating marked-
up source code files during a scan. If you plan to upload
FPR files that are generated as a result of a quick scan
to Fortify Software Security Center, you must set this
property to false.
Value type: Boolean

Quick scan default: true

Default: false

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 206 of 210
User Guide
Appendix D: Configuration Options

Property Name Description

Command-line Option:
-disable-source-bundling

com.fortify.sca. Sets the time limit (in milliseconds) for Null Pointer
NullPtrMaxFunctionTime analysis for a single function. The standard default is
five minutes. If this value is set to a shorter limit, the
overall scan time decreases.
Value type: Integer

Quick scan default: 10000

Default: 300000

com.fortify.sca. Disables path tracking for Control Flow analysis. Path

TrackPaths tracking provides more detailed reporting for issues,
but requires more scan time. To disable this for JSP
only, set it to NoJSP. Specify None to disable all
functions.
Value type: String
Quick scan default: (none)

Default: NoJSP

com.fortify.sca. Specifies the size limit for complex calculations in the

limiters.ConstraintPredicateSize Buffer Analyzer. Skips calculations that are larger than
the specified size value in the Buffer Analyzer to
improve scan time.
Value type: Integer

Quick scan default: 10000

Default: 500000

com.fortify.sca. Controls the maximum call depth through which the

limiters.MaxChainDepth Dataflow Analyzer tracks tainted data. Increase this
value to increase the coverage of dataflow analysis, and
results in longer scan times.

Note: Call depth refers to the maximum call depth

on a dataflow path between a taint source and sink,
rather than call depth from the program entry

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 207 of 210
User Guide
Appendix D: Configuration Options

Property Name Description

point, such as main().

Value type: Integer

Quick scan default: 3

Default: 5

com.fortify.sca. Sets the number of times taint propagation analyzer

limiters.MaxFunctionVisits visits functions.
Value type: Integer

Quick scan default: 5

Default: 50

com.fortify.sca. Controls the maximum number of paths to report for a

limiters.MaxPaths single dataflow vulnerability. Changing this value does
not change the results that are found, only the number
of dataflow paths displayed for an individual result.

Note: Fortify does not recommend setting this

property to a value larger than 5 because it might
increase the scan time.

Value type: Integer

Quick scan default: 1

Default: 5

com.fortify.sca. Sets a complexity limit for the Dataflow Analyzer.

limiters.MaxTaintDefForVar Dataflow incrementally decreases precision of analysis
on functions that exceed this complexity metric for a
given precision level.
Value type: Integer

Quick scan default: 250

Default: 1000

com.fortify.sca. Sets a hard limit for function complexity. If complexity

limiters.MaxTaintDefForVarAbort of a function exceeds this limit at the lowest precision
level, the analyzer skips analysis of the function.

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 208 of 210
User Guide
Appendix D: Configuration Options

Property Name Description

Value type: Integer

Quick scan default: 500

Default: 4000

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 209 of 210
Send Documentation Feedback
If you have comments about this document, you can contact the documentation team by email. If an
email client is configured on this computer, click the link above and an email window opens with the
following information in the subject line:
Feedback on User Guide (Fortify Static Code Analyzer 19.1.0)
Just add your feedback to the email and click send.
If no email client is available, copy the information above to a new message in a web mail client, and send
your feedback to [email protected].
We appreciate your feedback!

Micro Focus Fortify Static Code Analyzer (19.1.0) Page 210 of 210