HP 

Fortify Source Code Analyzer

Software Version: 4.40

Installation Guide

Document Release Date: November 2015

Software Release Date: November 2015
Installation Guide

Legal Notices
Warranty
The only warranties for HP products and services are set forth in the express warranty statements
accompanying such products and services. Nothing herein should be construed as constituting an
additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
The information contained herein is subject to change without notice.

Restricted Rights Legend

Confidential computer software. Valid license from HP required for possession, use or copying. Consistent
with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and
Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard
commercial license.
The software is restricted to use solely for the purpose of scanning software for security vulnerabilities that is
(i) owned by you; (ii) for which you have a valid license to use; or (iii) with the explicit consent of the owner of
the software to be scanned, and may not be used for any other purpose.
You shall not install or use the software on any third party or shared (hosted) server without explicit consent
from the third party.

Copyright Notice
© Copyright 2003 - 2015 Hewlett Packard Enterprise Development LP

Documentation Updates
The title page of this document contains the following identifying information:
l Software Version number
l Document Release Date, which changes each time the document is updated
l Software Release Date, which indicates the release date of this version of the software
To check for recent updates or to verify that you are using the most recent edition of a document, go to:
https://protect724.hp.com/welcome
You will receive updated or new editions if you subscribe to the appropriate product support service. Contact
your HP sales representative for details.

HP Fortify Source Code Analyzer (4.40) Page 2 of 18

Installation Guide

Contents
Preface 4
Contacting HP Fortify Support 4
For More Information 4
About the HP Fortify Software Security Center Documentation Set 4

Change Log 5

Chapter 1: Introduction 6
Intended Audience 6
HP Fortify Software Security Center Components 6
Related Documents 7

Chapter 2: Installation 9
About Downloading the Software 9
About Installing the HP Fortify Static Code Analyzer Suite 9
Installing HP Fortify Static Code Analyzer 9
Installing SCA Silently (Unattended) 10
Performing a Text-Based SCA Installation on Non-Windows Platforms 12
Uninstalling HP Fortify Static Code Analyzer 12
Uninstalling SCA 12
Uninstalling SCA Silently 13
Uninstalling SCA in Text-Based Mode on Non-Windows Platforms 13

Chapter 3: About Post-Installation Tasks 14

Running the Post-Install Tool 14
Migrating Properties Files 14
Specifying a Locale 15
Specifying a Proxy Server for Security Content Updates 15
Specifying a Proxy Server for HP Fortify Software Security Center 16
Updating the Security Content Using Fortifyupdate 16
Registering the ASPNET User 17

Send Documentation Feedback 18

HP Fortify Source Code Analyzer (4.40) Page 3 of 18

Installation Guide
Preface

Preface
Contacting HP Fortify Support
If you have questions or comments about using this product, contact HP Fortify Technical Support
using one of the following options.
To Manage Your Support Cases, Acquire Licenses, and Manage Your Account
https://support.fortify.com
To Email Support
[email protected]
To Call Support
650.735.2215

For More Information

For more information on HP Enterprise Security Software products:
http://www.hpenterprisesecurity.com

About the HP Fortify Software Security Center

Documentation Set
The HP Fortify Software Security Center documentation set contains installation, user, and
deployment guides for all HP Fortify Software Security Center products and components. In addition,
you will find technical notes and release notes that describe new features, known issues, and last-
minute updates. You can access the latest versions of these documents from the following
HP ESP user community Protect724 website:
https://protect724.hp.com/welcome
You will need to register for an account.

HP Fortify Source Code Analyzer (4.40) Page 4 of 18

Installation Guide
Change Log

Change Log
The following table lists changes made to this guide.

Software
Release-
Version Change

4.40-01 Removed: 
l Configuration Options chapter. The configuration information for HP Fortify Static
Code Analyzer (SCA) is described in the HP Fortify Static Code Analyzer User Guide.
The configuration information for the SCA tools is described in HP Fortify Static Code
Analyzer Tools Properties Reference Guide.
l Installing the HP Fortify Plugin for Eclipse. This information is covered in the
HP Fortify Plugin for Eclipse Installation and Usage Guide.
Updated: 
l Migrating from a Previous SCA Installation and Updating Rulepacks Using the
Windows Installer (moved to "About Installing the HP Fortify Static Code Analyzer
Suite" on page 9).
l "Specifying a Locale" on page 15 (added Spanish) and "About Installing the HP Fortify
Static Code Analyzer Suite" on page 9
Added:
l "Specifying a Proxy Server for HP Fortify Software Security Center" on page 16
l "Installing SCA Silently (Unattended)" on page 10
l "Performing a Text-Based SCA Installation on Non-Windows Platforms" on page 12
l "Uninstalling SCA Silently" on page 13
l "Uninstalling SCA in Text-Based Mode on Non-Windows Platforms" on page 13

4.30-01 Updated: Minor edits

4.21-01 Updated: Minor edits

HP Fortify Source Code Analyzer (4.40) Page 5 of 18

 Chapter 1: Introduction
This document contains installation instructions for the HP Fortify Static Code Analyzer (SCA) suite.
Topics covered in this section:

• Intended Audience 6
• HP Fortify Software Security Center Components 6
• Related Documents 7

Intended Audience
This installation guide is intended for individuals who are responsible for installing or uninstalling the
HP Fortify Static Code Analyzer suite of analyzers and application components. This guide also
describes basic post-installation tasks.
Refer to the HP Fortify Software Security Center System Requirements document to ensure that your
system meets the minimum requirements for each software component installation.

Note: This document does not cover the installation process for HP Fortify Software Security
Center (Software Security Center). Software Security Center requires a separate installation
procedure that is described in the HP Fortify Software Security Center Installation and
Configuration Guide.

HP Fortify Software Security Center

Components
An HP Fortify Software Security Center installation consists of one or more of the following analyzers:
l HP Fortify Static Code Analyzer: Analyzes your build code according to a set of rules specifically
tailored to provide the information necessary for the type of analysis performed.
l HP Fortify Runtime Application Protection: Monitors and protects deployed applications from
common attacks, unintended use, and targeted hacking. In addition, best security practices, such
as input verification and proper exception handling, can be consistently applied to deployed
applications.
An HP Fortify Software Security Center installation might also include one or more of the following
application tools:
l HP Fortify Audit Workbench: Provides a graphical user interface for HP Fortify Static Code Analyzer
that helps you organize, investigate, and prioritize analysis results so that security flaws can be
fixed quickly.

HP Fortify Source Code Analyzer (4.40) Page 6 of 18

Installation Guide
Chapter 1: Introduction

l HP Fortify Plugin for Eclipse: Integrates with the Eclipse development environment and adds the
ability to scan and analyze the entire code base of a project and apply hundreds of software security
rules that identify the vulnerabilities in your Java code. The results are displayed within the IDE,
along with descriptions of each of the security issues and suggestions for their elimination.
l HP Fortify Remediation Plugin for Eclipse: Integrates with the Eclipse development environment.
The Remediation Plugin for Eclipse is a lightweight plug-in option for developers who need
remediation functionality but do not need the scanning and auditing capabilities of Audit Workbench
or the full Eclipse Plugin.
l HP Fortify Package for Microsoft Visual Studio: Integrates with Microsoft Visual Studio to locate
security vulnerabilities in your solutions and packages and displays the scan results in Visual
Studio. The results include a list of issues uncovered, descriptions of the type of vulnerability each
issue represents, and suggestions on how to fix them.
l HP Fortify Remediation Package for Visual Studio: Integrates with Microsoft Visual Studio
integrated development environments (IDEs). The HP Fortify Remediation Package for Visual
Studio is a lightweight plug-in option for developers who need remediation functionality but do not
need the scanning and auditing capabilities of Audit Workbench or the full Visual Studio package.
l HP Fortify Scanning Package for Visual Studio: Integrates with Microsoft Visual Studio and allows
you to run HP Fortify Static Code Analyzer scans with MSBuild on projects and solutions through
the Microsoft Visual Studio IDE.
l HP Fortify Analysis Plugin for IntelliJ and Android Studio: Works in the IntelliJ and Android Studio
integrated development environments and HP Fortify Software Security Center to add scanning
functionality to your security analysis.
l HP Fortify Remediation Plugin for IntelliJ: Integrates with the IntelliJ integrated development
environment (IDE) and adds the ability to scan and analyze the entire code base of a project and
apply hundreds of software security rules that identify the vulnerabilities in your code.
l HP Fortify Remediation Extension for JDeveloper: Integrates with the JDeveloper integrated
development environment (IDE) and adds the ability to scan and analyze the entire code base of a
project and apply hundreds of software security rules that identify the vulnerabilities in your code.
l HP Fortify Scanning Plugin for Xcode: Works in the Xcode development environment and allows
you to run HP Fortify Static Code Analyzer scans on projects through the Xcode IDE.

Related Documents
The following documents provide additional information about HP Fortify Static Code Analyzer:
l HP Fortify Static Code Analyzer User Guide
This document provides instructions on using the analyzers to identify vulnerabilities in your code.
This document also describes the command-line tools that provide additional management and
access to the functions provided by SCA.
l HP Fortify Static Code Analyzer Performance Guide
This document describes the issues involved when trying to select hardware to scan certain code
bases, provides guidelines for making those decisions and tips for optimizing memory usage and
performance.

HP Fortify Source Code Analyzer (4.40) Page 7 of 18

Installation Guide
Chapter 1: Introduction

l HP Fortify Software Security Center System Requirements

This document contains information about the hardware and software requirements for HP Fortify
Static Code Analyzer.

HP Fortify Source Code Analyzer (4.40) Page 8 of 18

 Chapter 2: Installation
Topics covered in this section:

• About Downloading the Software 9

• About Installing the HP Fortify Static Code Analyzer Suite 9
• Uninstalling HP Fortify Static Code Analyzer 12

About Downloading the Software

HP Fortify Software is available as a downloadable application or package. For details on obtaining a
license for your software and for obtaining the HP Fortify software, see the HP Fortify Software
Security Center System Requirements document.

About Installing the HP Fortify Static Code

Analyzer Suite
This section describes how to install the SCA suite of analyzers and applications. You need an
HP Fortify license file to complete the process. You can use the typical install wizard to complete the
installation or your can perform the installation silently. You can also perform a text-based installation
on non-Windows systems.

Note: For more information on acquiring the software and license for your operating system, see
the HP Fortify Software Security Center System Requirements document.

After you have completed the installation, see "About Post-Installation Tasks" on page 14 for additional
steps you can perform to complete your system setup. You can also configure settings for runtime
analysis, output, and performance of HP Fortify Software Security Center and its components by
updating the installed configuration files. For information about the configuration options for HP Fortify
Static Code Analyzer, see the HP Fortify Static Code Analyzer User Guide. For information about
configuration options for SCA application components, see the HP Fortify Static Code Analyzer Tools
Properties Reference Guide.

Installing HP Fortify Static Code Analyzer

To install the SCA suite:
1. Run the installer file that corresponds to your operating system and system processor.
2. Accept the license agreement and click Next.
3. Choose where to install the HP Fortify Static Code Analyzer suite and click Next.

HP Fortify Source Code Analyzer (4.40) Page 9 of 18

Installation Guide
Chapter 2: Installation

Note: If you are using HP Fortify CloudScan, you must specify a location that does not
include spaces in the path.

4. Select the components you want to install and click Next.

Note: Component selection is not available for all operating systems.

5. Specify the path to the fortify.license file and click Next.

6. Specify the settings to update your security content.
HP Fortify releases quarterly updates to Secure Coding Rulepacks, which drive the SCA
analyzers. They are distributed as part of the subscription service through updates on the HP
Fortify Customer Portal site, automated tool updates, and software releases. To update the
security content for your installation:

Note: For installations on non-Windows platforms and for deployment environments that do
not have access to the Internet during the installation procedure, you can update the security
content using the fortifyupdate utility. See "Updating the Security Content Using
Fortifyupdate" on page 16.

a. Specify the URL address of the update server. To use the HP Fortify Customer Portal for
security content updates, specify the URL as: https://update.fortify.com.
b. (Optional) Specify the proxy host and port number of the update server.
c. Click Next.
7. Specify if you want to migrate from a previous installation of SCA on your system.
Migrating from a previous SCA installation preserves SCA artifact files.

Note: You can also migrate SCA artifacts using the scapostinstall command-line utility.
For information on using the post-install tool to migrate from a previous SCA install, see
"Migrating Properties Files" on page 14.

To migrate artifacts from a previous installation:

a. In the SCA Migration step, select Yes.
b. Specify the location of the previous SCA installation on your system and then click Next.
8. Click Next to proceed with the installation of the HP Fortify Static Code Analyzer suite.
9. After SCA is installed, select Update security content after installation if you want to update
the security content, and then click Finish.
The security content update results are displayed.

Installing SCA Silently (Unattended)

A silent installation allows you to complete the installation without any user prompts. To run the
installation silently, you need to create an option file to provide the necessary information to the
installer. Using the silent installation, you can replicate the installation parameters on multiple
machines.

HP Fortify Source Code Analyzer (4.40) Page 10 of 18

Installation Guide
Chapter 2: Installation

To install SCA silently:

1. Create an options file.
a. Create a text file that includes the following line:

fortify_license_path=<license_file_location>

where <license_file_location> is the full path to your fortify.license file.

b. If you require a proxy server, add the following lines:

UpdateProxyServer=<proxy_server>
UpdateProxyPort=8080

c. Add additional information as needed to the options file.

To obtain a list of other installation options, such as whether to migrate from a previous version
of SCA or install other SCA components, type the installer file name and the --help option to
display a list of instructions you can add to your options file. The list displays command-line
options preceded with a double dash and option file parameters enclosed in angle brackets. For
example, if you want to see the progress of the install displayed at the command line, add
unattendedmodeui=minimal to your options file.
Example of an options file:

fortify_license_path=C:\Users\admin\Desktop\fortify.license
UpdateProxyServer=web-proxy.abc.company.com
UpdateProxyPort=8080
MigrateSCA=0
enable-components=AWB_group,VS2015,VS2015Rem
installdir=C:\HP_Fortify_XYZ

d. Save the options file in the same directory as the installer using the same name as the
installation file with a .option file extension.
For example, if the installer file name is: HP_Fortify_SCA_and_Apps_<version>_windows_
x64.exe, then save your options file with the name HP_Fortify_SCA_and_Apps_<version>_
windows_x64.exe.options.
2. Run the silent install command for your operating system:

Windows HP_Fortify_SCA_and_Apps_<version>_<OS>.exe --mode unattended

Unix or ./HP_Fortify_SCA_and_Apps_<version>_<OS>.run --mode unattended

Linux

Mac OS X The Macintosh software is provided as a zip file. You must uncompress the zip file
before running the command.
HP_Fortify_SCA_and_Apps_<version>_osx_x64.app/Contents/
MacOS/installbuilder.sh --mode unattended --optionfile <full_path_
to_option_file>

Note: You can also perform a silent installation of SCA for HP-UX and Solaris. On these
operating systems, replace the installer file in the previous table with the appropriate one for
your operating system.

HP Fortify Source Code Analyzer (4.40) Page 11 of 18

Installation Guide
Chapter 2: Installation

Performing a Text-Based SCA Installation on Non-

Windows Platforms
You perform a text-based installation on the command line. During the installation, you are prompted for
information required to complete the installation. Text-based installations are not supported on
Windows systems.
To perform a text-based installation, run the text-based install command for your operating system:

Unix or ./HP_Fortify_SCA_and_Apps_<version>_<OS>.run --mode text

Linux
where <version> is the software release version and <OS> is either Linux_x64 or
Linux_x86.

Mac OS X The Macintosh software is provided as a zip file. You must uncompress the zip file
before running the command.
HP_Fortify_SCA_and_Apps_<version>_osx_x64.app/Contents/
MacOS/installbuilder.sh --mode text
where <version> is the software release version.

Uninstalling HP Fortify Static Code Analyzer

This section describes how to uninstall the SCA software.

Uninstalling SCA
Uninstalling on Windows Platforms
To uninstall SCA suite software on Windows, use the Windows Add or Remove Programs utility on
the Control Panel:
1. Select Start > Control Panel > Add or Remove Programs.
2. In the list of programs, choose HP Fortify SCA and Applications X.XX, and then click
Remove.
Uninstalling on Other Platforms
To uninstall SCA software on Mac OS X, Unix, and Linux platforms:
1. Back up your configuration, including any important files you have created.
2. Run the uninstall command located in the <Installation_Dir>:
l Linux and Unix: Uninstall_HPFortifySCAandApps_4.40.exe
l Mac OS X: Uninstall_HPFortifySCAandApps_4.40.app

HP Fortify Source Code Analyzer (4.40) Page 12 of 18

Installation Guide
Chapter 2: Installation

Uninstalling SCA Silently

To uninstall SCA silently:
1. Navigate to the installation directory.
2. Type the following command for your operating system.

Windows Uninstall_HPFortifySCAandApps_<version>.exe --mode unattended

Unix or ./Uninstall_HPFortifySCAandApps_<version>.run --mode unattended

Linux

Uninstall_HPFortifySCAandApps_
<version>.app/Contents/MacOS/installbuilder.sh
Mac OS X --mode unattended

Uninstalling SCA in Text-Based Mode on Non-Windows

Platforms
To uninstall SCA in text-base mode, run the text-based install command for your operating system:
1. Navigate to the installation directory.
2. Type the following command for your operating system:

Unix or ./Uninstall_HPFortifySCAandApps_<version>.run --mode text

Linux

Mac OS X Uninstall_HPFortifySCAandApps_
<version>.app/Contents/MacOS/installbuilder.sh --mode text

HP Fortify Source Code Analyzer (4.40) Page 13 of 18

 Chapter 3: About Post-Installation Tasks
Post-installation tasks prepare you to start using the SCA analyzers and applications.
Topics covered in this section:

• Running the Post-Install Tool 14

• Migrating Properties Files 14
• Specifying a Locale 15
• Specifying a Proxy Server for Security Content Updates 15
• Specifying a Proxy Server for HP Fortify Software Security Center 16
• Updating the Security Content Using Fortifyupdate 16
• Registering the ASPNET User 17

Running the Post-Install Tool

To run the post-install tool:
1. Navigate to the bin directory from the command line.
2. Enter scapostinstall at the Command Prompt.
3. Enter s to display settings, r to return to a previous prompt, and q to exit the tool.

Migrating Properties Files

To migrate properties files from a previous version of SCA to the current version of SCA installed on
your system:
1. Navigate to the bin directory from the command line.
2. Enter scapostinstall at the Command Prompt.
3. Enter 1 to select Migration.
4. Enter 1 to select SCA Migration.
5. Enter 1 to select Migrate from an existing SCA installation.
6. Enter 1 to select Set previous Fortify installation directory.
7. Enter the previous install directory.
8. Enter s to confirm the settings.
9. Enter 2 to perform the migration.
10. Enter y to confirm.

HP Fortify Source Code Analyzer (4.40) Page 14 of 18

Installation Guide
Chapter 3: About Post-Installation Tasks

Specifying a Locale
By default, the locale of an SCA installation is English.
To specify a different locale:
1. Navigate to the bin directory from the command line.
2. Enter scapostinstall at the Command Prompt.
3. Enter 2 to select Settings.
4. Enter 1 to select General.
5. Enter 1 to select Locale.
6. Enter the locale code:
English: en
Spanish: es
Japanese: ja
Korean: ko
Chinese, Simplified: zh_CN
Chinese, Traditional: zh_TW

Specifying a Proxy Server for Security Content

Updates
If your network uses a proxy server to reach the Fortify update server, you must specify the proxy
server with the post-install tool.
To specify a proxy for security content updates:
1. Navigate to the bin directory from the command line.
2. Enter scapostinstall at the command prompt.
3. Enter 2 to select Settings.
4. Enter 2 to select Fortify Update.
5. Enter 2 to select Proxy Server Host.
6. Enter the name of the proxy server.
7. Enter 3 to select Proxy Server Port.
8. Enter the proxy server port number.

HP Fortify Source Code Analyzer (4.40) Page 15 of 18

Installation Guide
Chapter 3: About Post-Installation Tasks

Specifying a Proxy Server for HP Fortify

Software Security Center
If your network uses a proxy server to reach the Software Security Center server, you must specify the
proxy server with the post-install tool.
To specify proxy settings for connecting to the Software Security Center:
1. Navigate to the bin directory from the command line.
2. Enter scapostinstall at the Command Prompt.
3. Enter 2 to select Settings.
4. Enter 3 to select Software Security Center Settings.
5. Enter 1 to select the Server URL and then enter the Software Security Center server URL.
6. Enter 2 to select Proxy Server and then enter the proxy server path.
7. Enter 3 to select Proxy Server Port and then enter the proxy server port number.
8. You can also specify:
l The proxy server user name (option 4) and password (option 5)
l Whether to update security content from your Software Security Center server. The default is
false. (option 6)
l The Software Security Center user name (option 7)

Updating the Security Content Using

Fortifyupdate
The HP Fortify security content (which includes Secure Coding Rulepacks and metadata) is updated
automatically during the Windows installation procedure. However, you can also download security
content from the HP Fortify Customer Portal and then use the fortifyupdate utility to update your
security content. This option is provided for installations on non-Windows platforms and for deployment
environments that do not have access to the Internet during the installation procedure.
Use the fortifyupdate utility to update security content from either a remote server or a locally
downloaded file.
To update security content:
1. Open a command window.
2. Navigate to the <Installation_Dir>/bin directory.
3. Enter fortifyupdate at the command prompt.
If you have previously downloaded the security content from the HP Fortify Customer Portal, run
fortifyupdate with the -import option and the path to the directory where you downloaded the
security content zip file.

HP Fortify Source Code Analyzer (4.40) Page 16 of 18

Installation Guide
Chapter 3: About Post-Installation Tasks

For more detailed instructions about the fortifyupdate utility, see the HP Fortify Static Code Analyzer
User Guide.

Registering the ASPNET User

If you are using the Microsoft .NET Framework, you might need to register the ASPNET user. If the
Microsoft Internet Information Server (IIS) is installed first, the ASPNET user is created when .NET
Framework is installed; otherwise, you must register.
To register the ASPNET user, run the following command.

aspnet_regiis -i

Find this command in the .NET Framework installation directory. For example, it is often located in:

C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322

or

C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727

HP Fortify Source Code Analyzer (4.40) Page 17 of 18

 Send Documentation Feedback
If you have comments about this document, you can contact the documentation team by email. If an
email client is configured on this system, click the link above and an email window opens with the
following information in the subject line:
Feedback on Installation Guide (Fortify Source Code Analyzer 4.40)
Just add your feedback to the email and click send.
If no email client is available, copy the information above to a new message in a web mail client, and
send your feedback to [email protected].
We appreciate your feedback!

HP Fortify Source Code Analyzer (4.40) Page 18 of 18