Micro Focus

Fortify Static Code Analyzer

Software Version: 23.1.0

User Guide

Document Release Date: Revision 1: June 2023

Software Release Date: May 2023
User Guide

Legal Notices
Open Text Corporation
275 Frank Tompa Drive, Waterloo, Ontario, Canada, N2L 0A1

Copyright Notice
Copyright 2003 - 2023 Open Text.
The only warranties for products and services of Open Text and its affiliates and licensors (“Open Text”) are as may be set forth
in the express warranty statements accompanying such products and services. Nothing herein should be construed as
constituting an additional warranty. Open Text shall not be liable for technical or editorial errors or omissions contained herein.
The information contained herein is subject to change without notice.

Trademark Notices
“OpenText” and other Open Text trademarks and service marks are the property of Open Text or its affiliates. All other
trademarks or service marks are the property of their respective owners.

Documentation Updates
The title page of this document contains the following identifying information:
l Software Version number
l Document Release Date, which changes each time the document is updated
l Software Release Date, which indicates the release date of this version of the software

This document was produced on June 07, 2023. To check for recent updates or to verify that you are using the most recent
edition of a document, go to:
https://www.microfocus.com/support/documentation

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 2 of 216

User Guide

Contents
Preface 12
Contacting Micro Focus Fortify Customer Support 12
For More Information 12
About the Documentation Set 12
Fortify Product Feature Videos 12

Change Log 13

Chapter 1: Introduction 16
Fortify Static Code Analyzer 16
About the Analyzers 17
Licensing 18
Fortify Software Security Content 19
Fortify ScanCentral SAST 19
Fortify Static Code Analyzer Applications and Tools 20
Sample Projects 21
Related Documents 21
All Products 22
Fortify ScanCentral SAST 22
Fortify Software Security Center 23
Fortify Static Code Analyzer 23

Chapter 2: Installing Fortify Static Code Analyzer 25

About Installing Fortify Static Code Analyzer 25
Installing Fortify Static Code Analyzer 26
Installing Fortify Static Code Analyzer Silently (Unattended) 28
Installing Fortify Static Code Analyzer in Text-Based Mode on Non-Windows Platforms 30
Manually Installing Fortify Security Content 31
Using Docker to Install and Run Fortify Static Code Analyzer 31
Creating a Dockerfile to Install Fortify Static Code Analyzer 31
Running the Container 32

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 3 of 216

User Guide

Example Docker Run Commands for Translation and Scan 33

About Upgrading Fortify Static Code Analyzer 33
About Uninstalling Fortify Static Code Analyzer 34
Uninstalling Fortify Static Code Analyzer 34
Uninstalling Fortify Static Code Analyzer Silently 35
Uninstalling Fortify Static Code Analyzer in Text-Based Mode on Non-Windows Platforms36
Post-Installation Tasks 36
Running the Post-Install Tool 36
Migrating Properties Files 36
Specifying a Locale 37
Configuring Fortify Security Content Updates 37
Configuring the Connection to Fortify Software Security Center 38
Removing Proxy Server Settings 38
Adding Trusted Certificates 39

Chapter 3: Analysis Process Overview 41

Analysis Process 41
Parallel Processing 42
Translation Phase 42
Mobile Build Sessions 43
Mobile Build Session Version Compatibility 43
Creating a Mobile Build Session 44
Importing a Mobile Build Session 44
Analysis Phase 44
Applying a Scan Policy to the Analysis 45
Higher-Order Analysis 46
Modular Analysis 46
Modular Command-Line Examples 47
Regular Expression Analysis 47
Translation and Analysis Phase Verification 48

Chapter 4: Translating Java Code 49

Java Translation Command-Line Syntax 49
Java Command-Line Options 50
Java Command-Line Examples 52
Handling Java Warnings 52

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 4 of 216

User Guide

Java Translation Warnings 53

Translating Jakarta EE (Java EE) Applications 53
Translating Java Files 53
Translating JSP Projects, Configuration Files, and Deployment Descriptors 54
Jakarta EE (Java EE) Translation Warnings 54
Translating Java Bytecode 54
Troubleshooting JSP Translation and Analysis Issues 55
Unable to Translate Some JSPs 55
Increased Issues Counts in JSP-Related Categories 56

Chapter 5: Translating Kotlin Code 57

Kotlin Command-Line Syntax 57
Kotlin Command-Line Options 58
Kotlin Command-Line Examples 59
Kotlin and Java Translation Interoperability 59
Translating Kotlin Scripts 60

Chapter 6: Translating Visual Studio Projects 61

Visual Studio Project Translation Prerequisites 61
Visual Studio Project Command-Line Syntax 61
Handling Special Cases for Translating Visual Studio and MSBuild Projects 63
Running Translation from a Script 63
Translating Plain .NET and ASP.NET Projects 63
Translating C/C++ and Xamarin Projects 63
Translating Projects with Settings Containing Spaces 63
Translating a Single Project from a Visual Studio Solution 64
Analyzing Projects That Build Multiple Executable Files 64
Alternative Ways to Translate Visual Studio and MSBuild Projects 64
Alternative Translation Options for Visual Studio Solutions 65
Translating Without Explicitly Running Fortify Static Code Analyzer 65

Chapter 7: Translating C and C++ Code 67

C and C++ Code Translation Prerequisites 67
C and C++ Command-Line Syntax 67
Scanning Pre-processed C and C++ Code 68

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 5 of 216

User Guide

C/C++ Precompiled Header Files 68

Chapter 8: Translating JavaScript and TypeScript Code 70

Translating Pure JavaScript Projects 70
Excluding Dependencies 71
Excluding NPM Dependencies 71
Translating JavaScript Projects with HTML Files 72
Including External JavaScript or HTML in the Translation 72

Chapter 9: Translating Python Code 74

Python Translation Command-Line Syntax 74
Including Imported Modules and Packages 74
Including Namespace Packages 75
Using the Django Framework with Python 75
Python Command-Line Options 76
Python Command-Line Examples 77

Chapter 10: Translating Code for Mobile Platforms 78

Translating Apple iOS Projects 78
iOS Project Translation Prerequisites 78
iOS Code Analysis Command-Line Syntax 79
Translating Android Projects 79
Android Project Translation Prerequisites 80
Android Code Analysis Command-Line Syntax 80
Filtering Issues Detected in Android Layout Files 80

Chapter 11: Translating Go Code 81

Go Command-Line Syntax 81
Go Command-Line Options 81
Resolving Dependencies 83

Chapter 12: Translating Dart and Flutter Code 84

Dart and Flutter Translation Prerequisites 84

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 6 of 216

User Guide

Dart and Flutter Command-Line Syntax 85

Dart and Flutter Command-Line Examples 85

Chapter 13: Translating Ruby Code 86

Ruby Command-Line Syntax 86
Ruby Command-Line Options 86
Adding Libraries 87
Adding Gem Paths 87

Chapter 14: Translating COBOL Code 88

Preparing COBOL Source and Copybook Files for Translation 89
COBOL Command-Line Syntax 89
Translating COBOL Source Files Without File Extensions 90
Translating COBOL Source Files with Arbitrary File Extensions 90
COBOL Command-Line Options 90
Using Legacy COBOL Translation 91
Legacy COBOL Translation Command-Line Options 91

Chapter 15: Translating Salesforce Apex and Visualforce Code 93

Apex and Visualforce Translation Prerequisites 93
Apex and Visualforce Command-Line Syntax 94
Apex and Visualforce Command-Line Options 94

Chapter 16: Translating Other Languages and Configurations 96

Translating PHP Code 96
PHP Command-Line Options 97
Translating ABAP Code 97
INCLUDE Processing 98
Importing the Transport Request 98
Adding Fortify Static Code Analyzer to your Favorites List 99
Running the Fortify ABAP Extractor 100
Uninstalling the Fortify ABAP Extractor 104
Translating Flex and ActionScript 105
Flex and ActionScript Command-Line Options 105
ActionScript Command-Line Examples 106

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 7 of 216

User Guide

Handling Resolution Warnings 107

ActionScript Warnings 107
Translating ColdFusion Code 108
ColdFusion Command-Line Syntax 108
ColdFusion (CFML) Command-Line Options 108
Translating SQL 109
PL/SQL Command-Line Example 109
T-SQL Command-Line Example 110
Translating Scala Code 110
Translating Dockerfiles 110
Translating HCL 111
Translating JSON 111
Translating YAML 112
Translating ASP/VBScript Virtual Roots 112
Classic ASP Command-Line Example 114
VBScript Command-Line Example 114

Chapter 17: Integrating into a Build 115

Build Integration 115
Make Example 116
Modifying a Build Script to Invoke Fortify Static Code Analyzer 116
Touchless Build Integration 117
Ant Integration 117
Gradle Integration 118
Including Verbose and Debug Options 119
Maven Integration 119
Installing and Updating the Fortify Maven Plugin 119
Testing the Fortify Maven Plugin Installation 120
Using the Fortify Maven Plugin 121

Chapter 18: Command-Line Interface 122

Translation Options 122
Analysis Options 124

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 8 of 216

User Guide

Output Options 127

Other Options 130
Directives 132
LIM License Directives 133
Specifying Files and Directories 134

Chapter 19: Command-Line Tools 136

About Updating Security Content 137
Updating Security Content 137
fortifyupdate Command-Line Options 138
Checking the Fortify Static Code Analyzer Scan Status 140
SCAState Command-Line Options 140

Chapter 20: Improving Performance 143

Antivirus Software 143
Hardware Considerations 144
Sample Scans 145
Tuning Options 145
Quick Scan 146
Limiters 147
Using Quick Scan and Full Scan 147
Configuring Scan Speed with Speed Dial 147
Breaking Down Codebases 149
Limiting Analyzers and Languages 149
Disabling Analyzers 149
Disabling Languages 150
Optimizing FPR Files 150
Using Filter Files 150
Using Filter Sets 151
Excluding Source Code from the FPR 151
Reducing the FPR File Size 152
Opening Large FPR Files 153
Monitoring Long Running Scans 154
Using the SCAState Tool 155
Using JMX Tools 155

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 9 of 216

User Guide

Using JConsole 155

Using Java VisualVM 155

Chapter 21: Troubleshooting 157

Exit Codes 157
Memory Tuning 158
Java Heap Exhaustion 158
Native Heap Exhaustion 159
Stack Overflow 159
Scanning Complex Functions 160
Dataflow Analyzer Limiters 161
Control Flow and Null Pointer Analyzer Limiters 162
Issue Non-Determinism 162
Locating the Log Files 163
Configuring Log Files 163
Understanding Log Levels 164
Reporting Issues and Requesting Enhancements 165

Appendix A: Filtering the Analysis 166

Excluding Issues with Filter Files 166
Filter File Example 167
Excluding Issues with Filters Sets 170

Appendix B: Configuration Options 171

Fortify Static Code Analyzer Properties Files 171
Properties File Format 172
Precedence of Setting Properties 172
fortify-sca.properties 173
Translation and Analysis Phase Properties 173
Regex Analysis Properties 181
LIM License Properties 181
Rule Properties 183
Java and Kotlin Properties 184
Visual Studio and MSBuild Projects Properties 187
JavaScript and TypeScript Properties 188
Python Properties 189

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 10 of 216

User Guide

Go Properties 190
Ruby Properties 191
COBOL Properties 191
Apex Properties 193
PHP Properties 193
ABAP Properties 194
Flex and ActionScript Properties 194
ColdFusion (CFML) Properties 195
SQL Properties 195
Output Properties 196
Mobile Build Sessions (MBS) Properties 198
Logging Properties 198
Debug Properties 199
fortify-sca-quickscan.properties 200
fortify-rules.properties 203

Appendix C: Fortify Java Annotations 211

Dataflow Annotations 212
Source Annotations 212
Passthrough Annotations 212
Sink Annotations 213
Validate Annotations 214
Field and Variable Annotations 214
Password and Private Annotations 214
Non-Negative and Non-Zero Annotations 215
Other Annotations 215
Check Return Value Annotation 215
Dangerous Annotations 215

Send Documentation Feedback 216

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 11 of 216

User Guide
Preface

Preface

Contacting Micro Focus Fortify Customer Support

Visit the Support website to:
l Manage licenses and entitlements
l Create and manage technical assistance requests
l Browse documentation and knowledge articles
l Download software
l Explore the Community

https://www.microfocus.com/support

For More Information

For more information about Fortify software products:
https://www.microfocus.com/cyberres/application-security

About the Documentation Set

The Fortify Software documentation set contains installation, user, and deployment guides for all
Fortify Software products and components. In addition, you will find technical notes and release notes
that describe new features, known issues, and last-minute updates. You can access the latest versions
of these documents from the following Micro Focus Product Documentation website:
https://www.microfocus.com/support/documentation
To be notified of documentation updates between releases, subscribe to Fortify Product
Announcements on the Micro Focus Community:
https://community.microfocus.com/cyberres/fortify/w/fortify-product-announcements

Fortify Product Feature Videos

You can find videos that highlight Fortify products and features on the Fortify Unplugged YouTube
channel:
https://www.youtube.com/c/FortifyUnplugged

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 12 of 216

User Guide
Change Log

Change Log
The following table lists changes made to this document. Revisions to this document are published
between software releases only if the changes made affect product functionality.

Software Release /
Document Version Changes

23.1.0 / Revision 1: Updated:

June 2023 l Corrected and improved the documentation for translating Visual
Studio projects due to the new support for analysis on Linux (see
"Translating Visual Studio Projects" on page 61)

23.1.0 Added:
l "Applying a Scan Policy to the Analysis" on page 45
l "Translating Dart and Flutter Code" on page 84
l New properties available for rules (see "Fortify Static Code Analyzer
Properties Files" on page 171 and "fortify-rules.properties" on
page 203)

Updated:
l Installation of Fortify Static Code Analyzer is now separate from the
installation of Fortify Applications and Tools (see "Installing Fortify
Static Code Analyzer" on page 25)
l New command-line syntax for .NET projects (see "Visual Studio Project
Command-Line Syntax" on page 61)
l New scan policy analysis option (see "Analysis Options" on page 124
and "Translation and Analysis Phase Properties" on page 173)
l New filter types used for filter files and scan policy files (see "Excluding
Issues with Filter Files" on page 166)

22.2.0 Updated:
l Updated descriptions for handling Java translation warnings (see
"Handling Java Warnings" on page 52)
l Added options to support compatibility modes for default methods in
Kotlin code (see "Kotlin Command-Line Options" on page 58)

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 13 of 216

User Guide
Change Log

Software Release /
Document Version Changes

l Improved Salesforce Apex and Visualforce analysis (see "Translating

Salesforce Apex and Visualforce Code" on page 93)
l Options added to provide credentials when updating security content
from a Fortify Software Security Center server (see "Updating Security
Content" on page 137 and "fortifyupdate Command-Line Options" on
page 138)
l Sample projects are no longer included with the Fortify Static Code
Analyzer and Applications installer. The samples are provided as a
separate package (see "Sample Projects" on page 21).

22.1.0 Updated:
l New option added to display any unresolved types, fields, and
functions referenced in translated Java source files (see "Java
Command-Line Options" on page 50)

21.2.0 Added:
l Information about connecting Fortify Static Code Analyzer and its tools
to other Fortify products that require communication over HTTPS (see
"Adding Trusted Certificates" on page 39)
l New capability to analyze files using regular expression rules (see
"Regular Expression Analysis" on page 47)
l You can now use the Fortify License and Infrastructure Manager (LIM)
to manage concurrent licenses (see "Licensing" on page 18 and
"LIM License Directives" on page 133)

Updated:
l Added instructions for using a Fortify License and Infrastructure
Manager (LIM) server, and added installers for AIX and Solaris
operating systems (see "Installing Fortify Static Code Analyzer" on
page 26)
l Fortify Static Code Analyzer can now import modules and packages
from an automatically calculated common root directory (see "Including
Imported Modules and Packages" on page 74)
l Removed the requirement of a Lightbend Enterprise Suite license
purchase to analyze Scala code (see "Translating Scala Code" on

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 14 of 216

User Guide
Change Log

Software Release /
Document Version Changes

page 110)
l
MSBuild and xcodebuild integrations now support the -exclude
option (see "Translation Options" on page 122)
l New properties added for using a license managed by the Fortify
License and Infrastructure Manager (LIM) and for regular expression
analysis (see "fortify-sca.properties" on page 173)

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 15 of 216

Chapter 1: Introduction
This guide provides instructions for using Micro Focus Fortify Static Code Analyzer to scan code on
most major programming platforms. This guide is intended for people responsible for security audits
and secure coding.
This section contains the following topics:
Fortify Static Code Analyzer 16
Licensing 18
Fortify Software Security Content 19
Fortify ScanCentral SAST 19
Fortify Static Code Analyzer Applications and Tools 20
Sample Projects 21
Related Documents 21

Fortify Static Code Analyzer

Fortify Static Code Analyzer is a set of software security analyzers that search for violations of
security-specific coding rules and guidelines in a variety of languages. The Fortify Static Code
Analyzer language technology provides rich data that enables the analyzers to pinpoint and prioritize
violations so that fixes are fast and accurate. Fortify Static Code Analyzer produces analysis
information to help you deliver more secure software, and make security code reviews more efficient,
consistent, and complete. Its design enables you to incorporate customer-specific security rules.
For a list of supported languages, libraries, compilers, and build tools, see the Fortify Software System
Requirements document.
At the highest level, using Fortify Static Code Analyzer involves:

1. Running Fortify Static Code Analyzer as a stand-alone process or integrating Fortify Static Code
Analyzer in a build tool
2. Translating the source code into an intermediate translated format
3. Scanning the translated code and producing security vulnerability analysis results
4. Auditing the results of the scan, either by opening the results (typically an FPR file) in Micro
Focus Fortify Audit Workbench or uploading them to Micro Focus Fortify Software Security
Center for analysis, or working directly with the results displayed on screen.
Note: For information about how to open and view results in Fortify Audit Workbench or Fortify
Software Security Center, see the Fortify Audit Workbench User Guide or the Fortify Software
Security Center User Guide, respectively.

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 16 of 216

User Guide
Chapter 1: Introduction

About the Analyzers

Fortify Static Code Analyzer comprises eight vulnerability analyzers: Buffer, Configuration, Content,
Control Flow, Dataflow, Null Pointer, Semantic, and Structural. Each analyzer accepts a different type
of rule specifically tailored to provide the information necessary for the corresponding type of
analysis performed. Rules are definitions that identify elements in the source code that might result in
security vulnerabilities or are otherwise unsafe.
The following table lists and describes each analyzer.

Analyzer Description

Buffer The Buffer Analyzer detects buffer overflow vulnerabilities that involve writing
or reading more data than a buffer can hold. The buffer can be either stack-
allocated or heap-allocated. The Buffer Analyzer uses limited interprocedural
analysis to determine whether there is a condition that causes the buffer to
overflow. If any execution path to a buffer leads to a buffer overflow, Fortify
Static Code Analyzer reports it as a buffer overflow vulnerability and points out
the variables that could cause the overflow. If the value of the variable causing
the buffer overflow is tainted (user-controlled), then Fortify Static Code
Analyzer reports it as well and displays the dataflow trace to show how the
variable is tainted.

Configuration The Configuration Analyzer searches for mistakes, weaknesses, and policy
violations in application deployment configuration files. For example, the
Configuration Analyzer checks for reasonable timeouts in user sessions in a web
application. The Configuration Analyzer also performs regular expression
analysis (see "Regular Expression Analysis" on page 47).

Content The Content Analyzer searches for security issues and policy violations in HTML
content. In addition to static HTML pages, the Content Analyzer performs these
checks on files that contain dynamic HTML, such as PHP, JSP, and classic ASP
files.

Control Flow The Control Flow Analyzer detects potentially dangerous sequences of
operations. By analyzing control flow paths in a program, the Control Flow
Analyzer determines whether a set of operations are executed in a certain order.
For example, the Control Flow Analyzer detects time of check/time of use issues
and uninitialized variables, and checks whether utilities, such as XML readers,
are configured properly before being used.

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 17 of 216

User Guide
Chapter 1: Introduction

Analyzer Description

Dataflow The Dataflow Analyzer detects potential vulnerabilities that involve tainted data
(user-controlled input) put to potentially dangerous use. The Dataflow Analyzer
uses global, interprocedural taint propagation analysis to detect the flow of data
between a source (site of user input) and a sink (dangerous function call or
operation). For example, the Dataflow Analyzer detects whether a user-
controlled input string of unbounded length is copied into a statically sized
buffer, and detects whether a user-controlled string is used to construct SQL
query text.

Null Pointer The Null Pointer Analyzer detects dereferences of pointer variables that are
assigned the null value. The Null Pointer Analyzer detection is performed at the
intra-procedural level. Issues are detected only when the null assignment, the
dereference, and all the paths between them occur within a single function.

Semantic The Semantic Analyzer detects potentially dangerous uses of functions and APIs
at the intra-procedural level. Its specialized logic searches for buffer overflow,
format string, and execution path issues, but is not limited to these categories.
For example, the Semantic Analyzer detects deprecated functions in Java and
unsafe functions in C/C++, such as gets().

Structural The Structural Analyzer detects potentially dangerous flaws in the structure or
definition of the program. By understanding the way programs are structured,
the Structural Analyzer identifies violations of secure programming practices
and techniques that are often difficult to detect through inspection because they
encompass a wide scope involving both the declaration and use of variables and
functions. For example, the Structural Analyzer detects assignment to member
variables in Java servlets, identifies the use of loggers that are not declared
static final, and flags instances of dead code that is never executed because of a
predicate that is always false.

Licensing
Fortify Static Code Analyzer requires a license to perform both the translation and analysis
(scan) phases of security analysis (for more information about these phases, see "Analysis Process" on
page 41). For details on how to obtain a license for Fortify Static Code Analyzer, see the Fortify
Software System Requirements document.
You must have a Fortify license file (fortify.license) and optionally you can use the Micro Focus
Fortify License and Infrastructure Manager (LIM) to manage concurrent licenses for Fortify Static
Code Analyzer. With a LIM managed concurrent license, multiple installations of Fortify Static Code

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 18 of 216

User Guide
Chapter 1: Introduction

Analyzer can share a single license. For information about how to set up the LIM with licenses for
Fortify Static Code Analyzer, see Fortify License and Infrastructure Manager Installation and Usage
Guide. For more information about managing your LIM license from Fortify Static Code Analyzer, see
"LIM License Directives" on page 133.

Fortify Software Security Content

Fortify Static Code Analyzer uses a knowledge base of rules to enforce secure coding standards
applicable to the codebase for static analysis. Micro Focus Fortify Software Security Content is
required for both translation and analysis. You can download and install security content when you
install Fortify Static Code Analyzer (see "Installing Fortify Static Code Analyzer" on page 25).
Alternatively, you can download or import previously downloaded Fortify Security Content with the
fortifyupdate command-line tool as a post-installation task (see "Manually Installing Fortify Security
Content" on page 31).
Fortify Software Security Content (security content) consists of Secure Coding Rulepacks and
external metadata:
l Secure Coding Rulepacks describe general secure coding idioms for popular languages and public
APIs
l External metadata includes mappings from the Fortify categories to alternative categories (such as
CWE, OWASP Top 10, and PCI)

Fortify provides the ability to write custom rules that add to the functionality of Fortify Static Code
Analyzer and the Secure Coding Rulepacks. For example, you might need to enforce proprietary
security guidelines or analyze a project that uses third-party libraries or other pre-compiled binaries
that are not already covered by the Secure Coding Rulepacks. You can also customize the external
metadata to map Fortify issues to different taxonomies, such as internal application security
standards or additional compliance obligations. For instructions on how to create your own custom
rules or custom external metadata, see the Fortify Static Code Analyzer Custom Rules Guide.
Fortify recommends that you periodically update the security content. You can use fortifyupdate to
obtain the latest security content. For more information, see "Updating Security Content" on
page 137.

Fortify ScanCentral SAST

You can use Micro Focus Fortify ScanCentral SAST to manage your resources by offloading the
Fortify Static Code Analyzer scan phase from build machines to a collection of machines provisioned
for this purpose. For most languages, Fortify ScanCentral SAST can perform both the translation and
the analysis (scan) phases. Users of Micro Focus Fortify Software Security Center can direct Fortify
ScanCentral SAST to output the FPR file directly to the server. You have the option to install a Fortify
ScanCentral SAST client when you install Fortify Static Code Analyzer.

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 19 of 216

User Guide
Chapter 1: Introduction

You can analyze your code in one of two ways:

l Perform the translation phase on a local build machine and generate a mobile build session (MBS).
Start the scan with Fortify ScanCentral SAST using the MBS file. In addition to freeing up the build
machines, this process gives you the ability to expand the system by adding more resources as
needed, without having to interrupt the build process.
l If your application is written in a language supported for Fortify ScanCentral SAST translation, you
can offload the translation and analysis (scan) phase of the analysis to Fortify ScanCentral SAST.
For information about the specific supported languages, see the Fortify Software System
Requirements document.

For detailed information about how to configure and use Fortify ScanCentral SAST, see the Fortify
ScanCentral SAST Installation, Configuration, and Usage Guide.

Fortify Static Code Analyzer Applications and Tools

Fortify provides applications and tools (including Fortify Secure Code Plugins) that integrate with
Fortify Static Code Analyzer, Fortify ScanCentral SAST, and Fortify Software Security Center. The
following table describes the applications that are available for installation with the Fortify
Applications and Tools installer. For instructions about installing the Fortify Applications and Tools,
see the Fortify Static Code Analyzer Applications and Tools Guide.

Application Description

Fortify Audit Workbench An application that provides a graphical user interface for
Fortify Static Code Analyzer that helps you organize,
investigate, and prioritize analysis results so that developers
can fix security flaws quickly.

Fortify Plugin for Eclipse Adds the ability to scan and analyze the entire codebase of a
project and apply software security rules that identify the
vulnerabilities in your Java code from the Eclipse IDE. The
results are displayed, along with descriptions of each of the
security issues and suggestions for their elimination.

Fortify Analysis Plugin for IntelliJ Adds the ability to run Fortify Static Code Analyzer scans on
IDEA and Android Studio the entire codebase of a project and apply software security
rules that identify the vulnerabilities in your code from IntelliJ
IDEA and Android Studio.

Fortify Extension for Visual Studio Adds the ability to scan and locate security vulnerabilities in
your solutions and projects and displays the scan results in
Visual Studio. The results include a list of issues uncovered,
descriptions of the type of vulnerability each issue represents,

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 20 of 216

User Guide
Chapter 1: Introduction

Application Description

and suggestions on how to fix them. This extension also

includes remediation functionality that works with audit
results stored on a Fortify Software Security Center server.

Fortify Custom Rules Editor An application to create and edit custom rules.

Fortify Scan Wizard Provides a graphical user interface that enables you to
prepare a script to scan your code with Fortify Static Code
Analyzer (either locally or remotely using Fortify ScanCentral
SAST) and then optionally upload the results to Fortify
Software Security Center.

BIRTReportGenerator Command-line tools to generate Issue reports (BIRT) and

legacy reports from FPR files
ReportGenerator

Sample Projects
Fortify provides sample projects available as a separate download in the Fortify_SCA_Samples_
<version>.zip archive.
The ZIP file contains two directories: basic and advanced. Each code sample includes a README.txt
file that provides instructions on how to scan the code with Fortify Static Code Analyzer and view the
results in Micro Focus Fortify Audit Workbench.
The basic directory includes an assortment of simple language-specific code samples. The
advanced directory includes more advanced samples.

Related Documents
This topic describes documents that provide information about Micro Focus Fortify software
products.

Note: You can find the Fortify Product Documentation at

https://www.microfocus.com/support/documentation. Most guides are available in both PDF and
HTML formats. Product help is available within the Fortify LIM product.

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 21 of 216

User Guide
Chapter 1: Introduction

All Products
The following documents provide general information for all products. Unless otherwise noted, these
documents are available on the Micro Focus Product Documentation website.

Document / File Name Description

About Fortify Product Software This paper provides information about how to access
Documentation Fortify product documentation.
About_Fortify_Docs_<version>.pdf Note: This document is included only with the
product download.

Fortify License and Infrastructure This document describes how to install, configure, and use
Manager Installation and Usage Guide the Fortify License and Infrastructure Manager (LIM),
which is available for installation on a local Windows
LIM_Guide_<version>.pdf
server and as a container image on the Docker platform.

Fortify Software System This document provides the details about the
Requirements environments and products supported for this version of
Fortify Software.
Fortify_Sys_Reqs_<version>.pdf

Fortify Software Release Notes This document provides an overview of the changes made
to Fortify Software for this release and important
FortifySW_RN_<version>.pdf
information not included elsewhere in the product
documentation.

What’s New in Fortify Software This document describes the new features in Fortify
<version> Software products.
Fortify_Whats_New_<version>.pdf

Fortify ScanCentral SAST

The following document provides information about Fortify ScanCentral SAST. Unless otherwise
noted, this document is available on the Micro Focus Product Documentation website at
https://www.microfocus.com/documentation/fortify-software-security-center.

Document / File Name Description

Fortify ScanCentral SAST Installation, This document provides information about how to install,
Configuration, and Usage Guide configure, and use Fortify ScanCentral SAST to streamline

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 22 of 216

User Guide
Chapter 1: Introduction

Document / File Name Description

SC_SAST_Guide_<version>.pdf the static code analysis process. It is written for anyone

who intends to install, configure, or use Fortify
ScanCentral SAST to offload the resource-intensive
translation and scanning phases of their Fortify Static
Code Analyzer process.

Fortify Software Security Center

The following document provides information about Fortify Software Security Center. Unless
otherwise noted, this document is available on the Micro Focus Product Documentation website at
https://www.microfocus.com/documentation/fortify-software-security-center.

Document / File Name Description

Fortify Software Security Center This document provides Fortify Software Security Center
User Guide users with detailed information about how to deploy and use
Software Security Center. It provides all of the information
SSC_Guide_<version>.pdf
you need to acquire, install, configure, and use Software
Security Center.
It is intended for use by system and instance administrators,
database administrators (DBAs), enterprise security leads,
development team managers, and developers. Software
Security Center provides security team leads with a high-level
overview of the history and current status of a project.

Fortify Static Code Analyzer

The following documents provide information about Fortify Static Code Analyzer. Unless otherwise
noted, these documents are available on the Micro Focus Product Documentation website at
https://www.microfocus.com/documentation/fortify-static-code.

Document / File Name Description

Fortify Static Code Analyzer This document describes how to install and use Fortify
User Guide Static Code Analyzer to scan code on many of the major
programming platforms. It is intended for people
SCA_Guide_<version>.pdf
responsible for security audits and secure coding.

Fortify Static Code Analyzer This document describes how to install Fortify Static Code

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 23 of 216

User Guide
Chapter 1: Introduction

Document / File Name Description

Applications and Tools Guide Analyzer applications and tools. It provides an overview of
the applications and command-line tools that enable you
SCA_Apps_Tools_<version>.pdf
to scan your code with Fortify Static Code Analyzer,
review analysis results, work with analysis results files, and
more.

Fortify Static Code Analyzer Custom This document provides the information that you need to
Rules Guide create custom rules for Fortify Static Code Analyzer. This
guide includes examples that apply rule-writing concepts
SCA_Cust_Rules_Guide_<version>.zip
to real-world security issues.

Note: This document is included only with the

product download.

Fortify Audit Workbench User Guide This document describes how to use Fortify Audit
Workbench to scan software projects and audit analysis
AWB_Guide_<version>.pdf
results. This guide also includes how to integrate with bug
trackers, produce reports, and perform collaborative
auditing.

Fortify Plugin for Eclipse User Guide This document provides information about how to install
and use the Fortify Complete Plugin for Eclipse.
Eclipse_Plugin_Guide_<version>.pdf

Fortify Analysis Plugin for IntelliJ This document describes how to install and use Fortify
IDEA and Android Studio User Guide Analysis Plugin for IntelliJ IDEA and Android Studio.
IntelliJ_AnalysisPlugin_Guide_
<version>.pdf

Fortify Extension for Visual Studio This document provides information about how to install
User Guide and use the Fortify extension for Visual Studio to analyze,
audit, and remediate your code to resolve security-related
VS_Ext_Guide_<version>.pdf
issues in solutions and projects.

Fortify Static Code Analyzer This document describes the properties used by Fortify
Applications and Tools Properties Static Code Analyzer applications and command-line tools.
Reference Guide
SCA_Tools_Props_Ref_<version>.pdf

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 24 of 216

Chapter 2: Installing Fortify Static Code
Analyzer
This chapter describes how to install and uninstall Fortify Static Code Analyzer. This chapter also
describes basic post-installation tasks. See the Fortify Software System Requirements document to be
sure that your system meets the minimum requirements for each software component installation.
This section contains the following topics:
About Installing Fortify Static Code Analyzer 25
Using Docker to Install and Run Fortify Static Code Analyzer 31
About Upgrading Fortify Static Code Analyzer 33
About Uninstalling Fortify Static Code Analyzer 34
Post-Installation Tasks 36

About Installing Fortify Static Code Analyzer

This section describes how to install Fortify Static Code Analyzer. Several command-line tools are
installed automatically with Fortify Static Code Analyzer (see "Command-Line Tools" on page 136).
You can optionally install a Fortify ScanCentral SAST client with Fortify Static Code Analyzer. For
information about Fortify ScanCentral SAST, see the Fortify ScanCentral SAST Installation,
Configuration, and Usage Guide.
You must provide a Fortify license file and optionally LIM license pool credentials for the Fortify Static
Code Analyzer installation. The following table lists the different methods of installing Fortify Static
Code Analyzer.

Installation Method Instructions

Perform the installation using a "Installing Fortify Static Code Analyzer" on the next page
standard install wizard

Perform the installation silently "Installing Fortify Static Code Analyzer Silently
(unattended) (Unattended)" on page 28

Perform a text-based installation "Installing Fortify Static Code Analyzer in Text-Based Mode
on non-Windows systems on Non-Windows Platforms" on page 30

Perform the installation using "Using Docker to Install and Run Fortify Static Code
Docker Analyzer" on page 31

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 25 of 216

User Guide
Chapter 2: Installing Fortify Static Code Analyzer

For best performance, install Fortify Static Code Analyzer on the same local file system where the
code that you want to scan resides.

Note: On non-Windows systems, you must install Fortify Static Code Analyzer as a user that has a
home directory with write permission. Do not install Fortify Static Code Analyzer as a non-root
user that has no home directory.

After you complete the installation, see "Post-Installation Tasks" on page 36 for additional steps you
can perform to complete your system setup. You can also configure settings for runtime analysis,
output, and performance of Fortify Static Code Analyzer by updating the installed configuration files.
For information about the configuration options for Fortify Static Code Analyzer, see "Configuration
Options" on page 171.

Installing Fortify Static Code Analyzer

To install Fortify Static Code Analyzer:

1. Run the installer file for your operating system to start the Fortify Static Code Analyzer Setup
Wizard:
l
Windows: Fortify_SCA_<version>_windows_x64.exe
l
Linux: Fortify_SCA_<version>_linux_x64.run
l
macOS: Fortify_SCA_<version>_osx_x64.app.zip
l
AIX: Fortify_SCA_<version>_aix_x64.run
l
Solaris: Fortify_SCA_<version>_solaris_x86.run or Fortify_SCA_<version>_
solaris10_sparc.run
where <version> is the software release version, and then click Next.
2. Review and accept the license agreement, and then click Next.
3. (Optional) Select the components to install, and then click Next.
4. If the installer detects that the system does not include the minimum software required to
analyze some types of projects, a System Requirements page displays any missing requirements
and which projects require them.
See the Fortify Software System Requirements document for all software requirements.
5. Choose where to install Fortify Static Code Analyzer, and then click Next.
Important! Do not install Fortify Static Code Analyzer in the same directory where Fortify
Applications and Tools is installed.

Note: If you will include Micro Focus Fortify ScanCentral SAST with the installation, you must
specify a location that does not include spaces in the path.

6. Specify the path to the fortify.license file, and then click Next.
7. (Optional) On the LIM License page, select Yes to use the Fortify License and Infrastructure
Manager (LIM) for managing your concurrent licenses, and then click Next.

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 26 of 216

User Guide
Chapter 2: Installing Fortify Static Code Analyzer

Note: When Fortify Static Code Analyzer performs a task that requires a license, Fortify
Static Code Analyzer will attempt to acquire a LIM lease from the license pool. If Fortify Static
Code Analyzer fails to acquire a license due to a communication issue with the LIM server, it
will use the Fortify license file. To change this behavior, use the
com.fortify.sca.lim.WaitForInitialLicense in the fortify-sca.properties file
(see "LIM License Properties" on page 181).

a. Type the LIM API URL, the license pool name, and the pool password.
b. Click Next. The LIM Proxy Settings page opens.
c. If connection to the LIM server requires a proxy server, type the proxy host (hostname or
IP address of your proxy server) and optionally a port number.
d. Click Next.
8. Specify the settings required to update your Fortify security content.
To update the security content for your installation:
Note: For deployment environments that do not have access to the Internet during
installation, you can update the security content using the fortifyupdate command-line tool.
See "Manually Installing Fortify Security Content" on page 31.

a. Type the URL of the update server. To use the Fortify Rulepack update server for security
content updates, keep the URL as: https://update.fortify.com. You can also use Micro
Focus Fortify Software Security Center as the update server.
b. (Optional) If connection to the update server requires a proxy server, type the proxy host and
port number.
c. If you want to update the security content manually, clear the Update security content
after installation check box.
d. Click Next.
9. Specify if you want to migrate from a previous installation of Fortify Static Code Analyzer on your
system.
Migrating from a previous Fortify Static Code Analyzer installation preserves Fortify Static Code
Analyzer artifact files. For more information, see "About Upgrading Fortify Static Code Analyzer"
on page 33.
Note: You can also migrate Fortify Static Code Analyzer artifacts using the
scapostinstall command-line tool. For information on how to use the post-install tool to
migrate from a previous Fortify Static Code Analyzer installation, see "Migrating Properties
Files" on page 36.

To migrate artifacts from a previous installation:

a. In the Static Code Analyzer Migration page, select Yes, and then click Next.
b. Specify the location of the existing Fortify Static Code Analyzer installation on your system,
and then click Next.
To skip migration of artifacts from a previous release, leave the Static Code Analyzer Migration
selection set to No, and then click Next.

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 27 of 216

User Guide
Chapter 2: Installing Fortify Static Code Analyzer

10. Click Next on the Ready to Install page to install Fortify Static Code Analyzer, any selected
components, and Fortify security content.
If you selected to update security content, the Security Content Update Result window displays
the security content update results.
11. Click Finish to close the Fortify Static Code Analyzer Setup Wizard.

Installing Fortify Static Code Analyzer Silently (Unattended)

A silent installation enables you to complete the installation without any user prompts. To install
silently, you need to create an option file to provide the necessary information to the installer. Using
the silent installation, you can replicate the installation parameters on multiple machines.

Important! Do not install Fortify Static Code Analyzer in the same directory where Fortify
Applications and Tools is installed.

When you install Fortify Static Code Analyzer silently, the installer does not download the Micro Focus
Fortify Software Security Content by default. You can enable download of the Fortify security content
in the options file or you can install the Fortify security content manually(see "Manually Installing
Fortify Security Content" on page 31).
To install Fortify Static Code Analyzer silently:

1. Create an options file.

a. Create a text file that contains the following line:

fortify_license_path=<license_file_location>

where <license_file_location> is the full path to your fortify.license file.

b. To use a LIM license server, add the following lines with your LIM license pool credentials to
the options file :

lim_url=<lim_url>
lim_pool_name=<license_pool_name>
lim_pool_password=<license_pool_pwd>

c. If you are using a different location for the Fortify security content updates than the default of
https://update.fortify.com, add the following line:

update_server=<update_server_url>

d. If you require a proxy server for the Fortify security content download, add the following lines:

update_proxy_server=<proxy_server>
update_proxy_port=<port_number>

e. To enable download of Fortify security content, add the following line:

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 28 of 216

User Guide
Chapter 2: Installing Fortify Static Code Analyzer

update_security_content=1

f. Add more installation instructions, as needed, to the options file.

To obtain a list of installation options that you can add to your options file, open a command
prompt, and then type the installer file name and the --help option. This command displays
each available command-line option preceded with a double dash and the available
parameters enclosed in angle brackets. For example, if you want to see the progress of the
install displayed at the command line, add unattendedmodeui=minimal to your options file.
Notes:
o The command-line options are case-sensitive.
o The installation options are not the same on all supported operating systems. Run the
installer with --help to see the options available for your operating system.
The following example Windows options file specifies the location of the license file, the
location of a Fortify Software Security Center server and proxy information for obtaining
Fortify security content, a request to migrate from a previous release, and the location of the
Fortify Static Code Analyzer installation directory:

fortify_license_path=C:\Users\admin\Desktop\fortify.license
update_server=https://my_ssc_host:8080/ssc
update_proxy_server=webproxy.abc.company.com
update_proxy_port=8080
migrate_sca=1
install_dir=C:\Fortify

The following options file example is for Linux and macOS:

fortify_license_path=/opt/Fortify/fortify.license
update_server=https://my_ssc_host:8080/ssc
update_proxy_server=webproxy.abc.company.com
update_proxy_port=8080
migrate_sca=1
install_dir=/opt/Fortify

2. Save the options file.

3. Run the silent install command for your operating system.
Note: You might need to run the command prompt as an administrator before you run the
installer.

Windows Fortify_SCA_<version>_windows_x64.exe --mode unattended --

optionfile <full_path_to_options_file>

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 29 of 216

User Guide
Chapter 2: Installing Fortify Static Code Analyzer

Linux ./Fortify_SCA_<version>_linux_x64.run --mode unattended --

optionfile <full_path_to_options_file>

macOS You must uncompress the ZIP file before you run the command.
Fortify_SCA_<version>_osx_x64.app/Contents/
MacOS/installbuilder.sh --mode unattended --optionfile <full_
path_to_options_file>

AIX ./Fortify_SCA_<version>_<platform>.run --mode unattended --

Solaris optionfile <full_path_to_options_file>

The installer creates an installer log file when the installation is complete. This log file is in the
following location depending on your operating system.

Windows C:\Users\<username>\AppData\Local\Temp\FortifySCA-<version>-
install.log

Non- /tmp/FortifySCA-<version>-install.log
Windows

Installing Fortify Static Code Analyzer in Text-Based Mode on

Non-Windows Platforms
You perform a text-based installation on the command line. During the installation, you are prompted
for information required to complete the installation. Text-based installations are not supported on
Windows systems.

Important! Do not install Fortify Static Code Analyzer in the same directory where Fortify
Applications and Tools is installed.

To perform a text-based installation of Fortify Static Code Analyzer, run the text-based install
command for your operating system as listed in the following table.

Linux ./Fortify_SCA_<version>_linux_x64.run --mode text

AIX
Solaris

macOS You must uncompress the provided ZIP file before you run the command.

Fortify_SCA_<version>_osx_x64.app/Contents/
MacOS/installbuilder.sh --mode text

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 30 of 216

User Guide
Chapter 2: Installing Fortify Static Code Analyzer

Manually Installing Fortify Security Content

You can install Micro Focus Fortify Software Security Content (Secure Coding Rulepacks and
metadata) automatically during the installation. However, you can also download Fortify security
content from the Fortify Rulepack update server, and then use the fortifyupdate command-line tool to
install it. This option is provided for deployment environments that do not have access to the Internet
during installation.
Use fortifyupdate to install Fortify security content from either a remote server or a locally
downloaded file.
To install security content:

1. Open a command window.

2. Navigate to the <sca_install_dir>/bin directory.
3. At the command prompt, type fortifyupdate.
If you have previously downloaded the Fortify security content from the Fortify Rulepack update
server, run fortifyupdate with the -import option and the path to the directory where you
downloaded the ZIP file.
You can also use this same tool to update your Fortify security content. For more information about
the fortifyupdate command-line tool, see "Updating Security Content" on page 137.

Using Docker to Install and Run Fortify Static Code

Analyzer
You can install Fortify Static Code Analyzer in a Docker image and then run Fortify Static Code
Analyzer as a Docker container.

Note: You can only run Fortify Static Code Analyzer in Docker on supported Linux platforms.

Creating a Dockerfile to Install Fortify Static Code Analyzer

This topic describes how to create a Dockerfile to install Fortify Static Code Analyzer in a Docker
image.
The Dockerfile must include the following instructions:

1. Set a Linux system to use for the base image.

Note: If you intend to use build tools when you run Fortify Static Code Analyzer, make sure
that the required build tools are installed in the image. For information about using the
supported build tools, see "Build Integration" on page 115.

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 31 of 216

User Guide
Chapter 2: Installing Fortify Static Code Analyzer

2. Copy the Fortify Static Code Analyzer installer, the Fortify license file, and installation options file
to the Docker image using the COPY instruction.
For instructions on how to create an installation options file, see "Installing Fortify Static Code
Analyzer Silently (Unattended)" on page 28.
3. Run the Fortify Static Code Analyzer installer using the RUN instruction.
You must run the installer in unattended mode. For more information, see "Installing Fortify Static
Code Analyzer Silently (Unattended)" on page 28.
4. Run fortifyupdate to download the Fortify Security Content using the RUN instruction.
For more information about this command-line tool, see "Manually Installing Fortify Security
Content" on the previous page.
5. To configure the image so you can run Fortify Static Code Analyzer, set the entry point to the
location of the installed sourceanalyzer executable using the ENTRYPOINT instruction.
The default sourceanalyzer installation path is: /opt/Fortify/Fortify_SCA_
<version>/bin/sourceanalyzer.
The following is an example of a Dockerfile to install Fortify Static Code Analyzer:

FROM registry.suse.com/suse/sles12sp4
COPY fortify.license ./
COPY Fortify_SCA_23.1.0_linux_x64.run ./
COPY installerSettings ./
RUN ./Fortify_SCA_23.1.0_linux_x64.run --mode unattended \
--optionfile ./installerSettings && \
/opt/Fortify/Fortify_SCA_23.1.0/bin/fortifyupdate && \
rm Fortify_SCA_23.1.0_linux_x64.run fortify.license installerSettings

ENTRYPOINT [ "/opt/Fortify/Fortify_SCA_23.1.0/bin/sourceanalyzer" ]

To create the docker image using the Dockerfile from the current directory, you must use the docker
build command. For example:

docker build -t <image_name>

Running the Container

This topic describes how to run the Fortify Static Code Analyzer image as a container and provides
example Docker run commands for translation and scan.

Note: When you run Fortify Static Code Analyzer in a container and especially if you also leverage
runtime container protections, make sure that Fortify Static Code Analyzer has the appropriate
permission to run build commands (for example, javac).

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 32 of 216

User Guide
Chapter 2: Installing Fortify Static Code Analyzer

To run the Fortify Static Code Analyzer image as a container, you must mount two directories from
the host file system to the container:
l The directory that contains the source files you want to analyze.
l A temporary directory to store the Fortify Static Code Analyzer build session between the translate
and scan phases and to share the output files (logs and FPR file) with the host.
Specify this directory using the –project-root command-line option in both the Fortify Static
Code Analyzer translate and scan commands.

The following example commands mount the input directory /sources in /src and the temporary
directory in /scratch_docker. The image name in the example is fortify-sca.

Important! Include the Fortify Static Code Analyzer –fcontainer option in both the translate
and scan commands so that Fortify Static Code Analyzer detects and uses only the memory
dedicated to the container. Otherwise, by default Fortify Static Code Analyzer detects the total
system memory because -autoheap is enabled.

Example Docker Run Commands for Translation and Scan

The following example mounts the temporary directory and the sources directory, and then runs
Fortify Static Code Analyzer from the container for the translation phase:

docker run -v /scratch_local/:/scratch_docker -v /sources/:/src

-it fortify-sca –b MyProject -project-root /scratch_docker -fcontainer
[<sca_options>] /src

The following example mounts the temporary directory, and then runs Fortify Static Code Analyzer
from the container for the analysis phase:

docker run -v /scratch_local/:/scratch_docker

-it fortify-sca –b MyProject -project-root /scratch_docker –scan -
fcontainer [<sca_options>] –f /scratch_docker/MyResults.fpr

The MyResults.fpr output file is created in the host's /scratch_local directory.

About Upgrading Fortify Static Code Analyzer

To upgrade Fortify Static Code Analyzer, install the new version in a different location than where
your current version is installed and choose to migrate settings from the previous installation. This
migration preserves and updates the Fortify Static Code Analyzer artifact files located in the <sca_
install_dir>/Core/config directory.

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 33 of 216

User Guide
Chapter 2: Installing Fortify Static Code Analyzer

If you choose not to migrate any settings from a previous release, Fortify recommends that you save a
backup of the following data if it has been modified:
l
<sca_install_dir>/Core/config/rules folder
l
<sca_install_dir>/Core/config/customrules folder
l
<sca_install_dir>/Core/config/ExternalMetadata folder
l
<sca_install_dir>/Core/config/CustomExternalMetadata folder
l
<sca_install_dir>/Core/config/server.properties file
l
<sca_install_dir>/Core/config/scales folder

After you install the new version, you can uninstall the previous version. For more information, see
"About Uninstalling Fortify Static Code Analyzer" below.

Note: You can leave the previous version installed. If you have multiple versions installed on the
same system, the most recently installed version is invoked when you run the command from the
command line.

About Uninstalling Fortify Static Code Analyzer

This section describes how to uninstall Fortify Static Code Analyzer. You can use the standard install
wizard, or you can perform the uninstallation silently. You can also perform a text-based
uninstallation on non-Windows systems.

Uninstalling Fortify Static Code Analyzer

Uninstalling on Windows Platforms
To uninstall the Fortify Static Code Analyzer software:

1. Select Start > Settings > Apps > Apps & Features.
2. From the list of programs, select Fortify Static Code Analyzer <version>, and then click
Uninstall.
3. You are prompted to indicate whether to remove the entire application or individual components.
Make your selection, and then click Next.
If you are uninstalling specific components, select the components to remove on the Select
Components to Uninstall page, and then click Next.
4. You are prompted to indicate whether to remove all application settings. Do one of the following:
l Click Yes to remove the application settings for the components installed with the version of

Fortify Static Code Analyzer that you are uninstalling.

The Fortify Static Code Analyzer (sca<version>) folder is not removed.
l Click No to retain the application settings on your system.

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 34 of 216

User Guide
Chapter 2: Installing Fortify Static Code Analyzer

Uninstalling on Other Platforms

To uninstall Fortify Static Code Analyzer software on non-Windows platforms:

1. Run the uninstall command located in the <sca_install_dir> for your operating system:
Linux ./Uninstall_FortifySCA_<version>
AIX
Solaris

macOS Uninstall_FortifySCA_<version>.app

2. You are prompted to indicate whether to remove the entire application or individual components.
Make your selection, and then click Next.
If you are uninstalling specific components, select the components to remove on the Select
Components to Uninstall page, and then click Next.
3. You are prompted to indicate whether to remove all application settings. Do one of the following:
l Click Yes to remove the application settings for the components installed with the version of

Fortify Static Code Analyzer that you are uninstalling.

The Fortify Static Code Analyzer (sca<version>) folder is not removed.
l Click No to retain the application settings on your system.

Uninstalling Fortify Static Code Analyzer Silently

To uninstall Fortify Static Code Analyzer silently:

1. Navigate to the installation directory.

2. Type one of the following commands based on your operating system:

Windows Uninstall_FortifySCA_<version>.exe --mode unattended

Linux ./Uninstall_FortifySCA_<version> --mode unattended

AIX
Solaris

macOS Uninstall_FortifySCA_
<version>.app/Contents/MacOS/installbuilder.sh
--mode unattended

Note: For Windows, Linux, and macOS, the uninstaller removes the application settings for the
components installed with the version of Fortify Static Code Analyzer that you are uninstalling.

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 35 of 216

User Guide
Chapter 2: Installing Fortify Static Code Analyzer

Uninstalling Fortify Static Code Analyzer in Text-Based Mode on

Non-Windows Platforms
To uninstall Fortify Static Code Analyzer in text-based mode, run the text-based install command for
your operating system, as follows:

1. Navigate to the installation directory.

2. Type one of the following commands based on your operating system:

Linux ./Uninstall_FortifySCA_<version> --mode text

AIX
Solaris

macOS Uninstall_FortifySCA_
<version>.app/Contents/MacOS/installbuilder.sh --mode text

Post-Installation Tasks
Post-installation tasks prepare you to start using Fortify Static Code Analyzer.

Running the Post-Install Tool

You can use the post-install tool to migrate properties files from a previous version of Fortify Static
Code Analyzer, configure Fortify security content updates, and configure settings to connect to
Fortify Software Security Center.
To run the Fortify Static Code Analyzer post-install tool:

1. Navigate to the <sca_install_dir>/bin directory from the command line.

2. At the command prompt, type scapostinstall.
3. Type one of the following:
l
To display settings, type s.
l
To return to the previous prompt, type r.
l
To exit the tool, type q.

Migrating Properties Files

To migrate properties files from a previous version of Fortify Static Code Analyzer to the current
version of Fortify Static Code Analyzer installed on your system:

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 36 of 216

User Guide
Chapter 2: Installing Fortify Static Code Analyzer

1. Navigate to the <sca_install_dir>/bin directory from the command line.

2. At the command prompt, type scapostinstall.
3. Type 1 to select Migration.
4. Type 1 to select Static Code Analyzer Migration.
5. Type 1 to select Migrate from an existing Fortify installation.
6. Type 1 to select Set previous Fortify installation directory.
7. Type the previous install directory.
8. Type s to confirm the settings.
9. Type 2 to perform the migration.
10. Type y to confirm.

Specifying a Locale
English is the default locale for a Fortify Static Code Analyzer installation.
To change the locale for your Fortify Static Code Analyzer installation:

1. Navigate to the bin directory from the command line.

2. At the command prompt, type scapostinstall.
3. Type 2 to select Settings.
4. Type 1 to select General.
5. Type 1 to select Locale.
6. Type one of the following locale codes:
l
en (English)
l
es (Spanish)
l
ja (Japanese)
l
ko (Korean)
l
pt_BR (Brazilian Portuguese)
l
zh_CN (Simplified Chinese)
l
zh_TW (Traditional Chinese)

Configuring Fortify Security Content Updates

Specify how you want to obtain Fortify security content. You must also specify proxy information if it
is required to reach the server.
To specify settings for Fortify Security Content updates:

1. Navigate to the bin directory from the command line.

2. At the command prompt, type scapostinstall.

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 37 of 216

User Guide
Chapter 2: Installing Fortify Static Code Analyzer

3. Type 2 to select Settings.

4. Type 2 to select Fortify Update.
5. To change the Fortify Rulepack update server URL, type 1, and then type the URL.
The default Fortify Rulepack update server URL is https://update.fortify.com.
6. To specify a proxy for Fortify security content updates, do the following:
a. Type 2 to select Proxy Server, and then type the name of the proxy server.
Exclude the protocol and port number (for example, some.secureproxy.com).
b. Type 3 to select Proxy Server Port, and then type the proxy server port number.
c. (Optional) You can also specify a proxy server user name (option 4) and password (option 5).

Configuring the Connection to Fortify Software Security Center

Specify how to connect to Micro Focus Fortify Software Security Center. If your network uses a proxy
server to reach the Fortify Software Security Center server, you must specify the proxy information.
To specify settings for connecting to Fortify Software Security Center:

1. Navigate to the bin directory from the command line.

2. At the command prompt, type scapostinstall.
3. Type 2 to select Settings.
4. Type 3 to select Software Security Center Settings.
5. Type 1 to select Server URL, and then type the Fortify Software Security Center server URL.
6. To specify proxy settings for the connection, do the following:
a. Type 2 to select Proxy Server, and then type the name of the proxy server.
Exclude the protocol and port number (for example, some.secureproxy.com).
b. Type 3 to select Proxy Server Port, and then type the proxy server port number.
c. To specify a proxy server user name and password, use option 4 for the username and
option 5 for the password.
7. (Optional) You can also specify the following:
l Whether to update Fortify security content from your Fortify Software Security Center server

(option 6)
l
The Fortify Software Security Center user name (option 7)

Removing Proxy Server Settings

If you previously specified proxy server settings for the Fortify Rulepack update server or Micro Focus
Fortify Software Security Center and it is no longer required, you can remove these settings.
To remove the proxy settings for Fortify Security Content updates or Fortify Software Security
Center:

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 38 of 216

User Guide
Chapter 2: Installing Fortify Static Code Analyzer

1. Navigate to the bin directory from the command line.

2. At the command prompt, type scapostinstall.
3. Type 2 to select Settings.
4. Type 2 to select Fortify Update or type 3 to select Software Security Center Settings.
5. Type the number that corresponds to the proxy setting you want to remove, and then type a
minus sign (-) to remove the setting.
6. Repeat step 5 for each proxy setting you want to remove.

Adding Trusted Certificates

Connection from Fortify Static Code Analyzer to other Fortify software products and external systems
might require communication over HTTPS. Some examples include:
l Fortify Static Code Analyzer by default requires an HTTPS connection to communicate with the
LIM server for license management.
The property com.fortify.sca.lim.RequireTrustedSSLCert determines whether the
connection with the LIM server requires a trusted SSL certificate. For more information about this
property, see "LIM License Properties" on page 181.
l The fortifyupdate command-line tool uses an HTTPS connection either automatically during a
Windows system installation or manually (see "Manually Installing Fortify Security Content" on
page 31) to update Fortify security content.
l Fortify Static Code Analyzer configured as a ScanCentral SAST sensor uses an HTTPS connection
to communicate with the Controller.

When using HTTPS, Fortify Static Code Analyzer and its tools will by default apply standard checks to
the presented SSL server certificate, including a check to determine if the certificate is trusted. If your
organization runs its own certificate authority (CA) and Fortify Static Code Analyzer needs to trust
connections where the server presents a certificate issued by this CA, you must configure Fortify
Static Code Analyzer to trust the CA. Otherwise, the use of HTTPS connections might fail.
You must add the trusted certificate of the CA to the Fortify Static Code Analyzer keystore. The
Fortify Static Code Analyzer keystore is in the <sca_install_dir>/jre/lib/security/cacerts
file. You can use the keytool command to add the trusted certificate to the keystore.
To add a trusted certificate to the Fortify Static Code Analyzer keystore:

1. Open a command prompt, and then run the following command:

<sca_install_dir>/jre/bin/keytool -importcert -alias <alias_name> -

cacerts -file <cert_file>

where:
l
<alias_name> is a unique name for the certificate you are adding.
l
<cert_file> is the name of the file containing the trusted root certificate in PEM or
DER format.

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 39 of 216

User Guide
Chapter 2: Installing Fortify Static Code Analyzer

2. Enter the keystore password.

Note: The default password is changeit.
3. When prompted to trust this certificate, select yes.

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 40 of 216

Chapter 3: Analysis Process Overview
This section contains the following topics:
Analysis Process 41
Translation Phase 42
Mobile Build Sessions 43
Analysis Phase 44
Translation and Analysis Phase Verification 48

Analysis Process
There are four distinct phases that make up the analysis process:

1. Build Integration—Choose whether to integrate Fortify Static Code Analyzer into your build
tool. For descriptions of build integration options, see "Integrating into a Build" on page 115.
2. Translation—Gathers source code using a series of commands and translates it into an
intermediate format associated with a build ID. The build ID is usually the name of the project you
are translating. For more information, see "Translation Phase" on the next page.
3. Analysis—Scans source files identified in the translation phase and generates an analysis result
file (typically in the Fortify Project Results (FPR) format). FPR files have the .fpr file extension.
For more information, see "Analysis Phase" on page 44.
4. Verification of translation and analysis—Verifies that the source files were scanned using the
correct Rulepacks and that no errors were reported. For more information, see "Translation and
Analysis Phase Verification" on page 48.
Fortify recommends that you perform translation and analysis commands from a user account with
least privilege access. Running Fortify Static Code Analyzer as a root user, or translating a project that
requires root access, might not work properly and is not recommended.
The following is an example of the sequence of commands you use to translate and analyze code:

sourceanalyzer -b MyProject -clean

sourceanalyzer -b MyProject ...
sourceanalyzer -b MyProject -scan -f MyResults.fpr

The three commands in the previous example illustrate the following steps in the analysis process:

1. Remove all existing Fortify Static Code Analyzer temporary files for the specified build ID.
Always begin an analysis with this step to analyze a project with a previously used build ID.

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 41 of 216

User Guide
Chapter 3: Analysis Process Overview

2. Translate the project code.

This step can consist of multiple calls to sourceanalyzer with the same build ID (except for
dynamic languages including JavaScript/TypeScript, PHP, Python, and Ruby).
3. Analyze the project code and save the results in a Fortify Project Results(FPR) file.

Parallel Processing
Fortify Static Code Analyzer runs in parallel analysis mode to reduce the scan time of large projects.
This takes advantage of all CPU cores available on your system. When you run Fortify Static Code
Analyzer, avoid running other CPU intensive processes during the Fortify Static Code Analyzer
execution because it expects to have the full resources of your hardware available for the scan.

Translation Phase
To successfully translate a project that is normally compiled, make sure that you have any
dependencies required to build the project available. The chapters for each source code type describe
any specific requirements.
The basic command-line syntax to perform the first step of the analysis process, file translation, is:

sourceanalyzer -b <build_id> ... <files>

or

sourceanalyzer -b <build_id> ... <compiler_command>

The translation phase consists of one or more invocations of Fortify Static Code Analyzer using the
sourceanalyzer command. Fortify Static Code Analyzer uses a build ID (-b option) to tie the
invocations together. Subsequent invocations of sourceanalyzer add any newly specified source or
configuration files to the file list associated with the build ID.

Caution! When you translate dynamic languages (JavaScript/TypeScript, PHP, Python, and
Ruby), you must specify all source files together in one invocation. Fortify Static Code Analyzer
does not support adding new files to the file list associated with the build ID on subsequent
invocations.

After translation, you can use the -show-build-warnings directive to list any warnings and errors
that occurred in the translation phase:

sourceanalyzer -b <build_id> -show-build-warnings

To view the files associated with a build ID, use the -show-files directive:

sourceanalyzer -b <build_id> -show-files

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 42 of 216

User Guide
Chapter 3: Analysis Process Overview

The following chapters describe how to translate different types of source code:
l "Translating Java Code" on page 49
l "Translating Kotlin Code" on page 57
l "Translating Visual Studio Projects" on page 61
l "Translating C and C++ Code" on page 67
l "Translating JavaScript and TypeScript Code" on page 70
l "Translating Python Code" on page 74
l "Translating Code for Mobile Platforms" on page 78
l "Translating Go Code" on page 81
l "Translating Dart and Flutter Code" on page 84
l "Translating Ruby Code" on page 86
l "Translating COBOL Code" on page 88
l "Translating Salesforce Apex and Visualforce Code" on page 93
l "Translating Other Languages and Configurations" on page 96

Mobile Build Sessions

With a Fortify Static Code Analyzer mobile build session (MBS), you can translate a project on one
machine and scan it on another. A mobile build session (MBS file) includes all the files needed for the
analysis phase. To improve scan time, you can perform the translation on the build computer, and
then move the build session (MBS file) to a better equipped computer for the scan. The developers
can run translations on their own computers and use only one powerful computer to run large scans.

Note: Fortify recommends that you do not use MBS for regular expression analysis (see "Regular
Expression Analysis" on page 47) unless both systems have the same version of the source code
(with the files stored on the same paths on each system). If the same source code does not exist
on both systems, the quality of the regular expression analysis results is unpredictable. If the
source code files do not exist on the scan machine, then vulnerabilities normally detected by
regex analysis would not be reported.

You must have the same version of Fortify Security Content (Rulepacks) installed on both the system
where you are performing the translation and the system where you are performing the analysis.

Mobile Build Session Version Compatibility

The Fortify Static Code Analyzer version on the translate machine must be compatible with the
Fortify Static Code Analyzer version on the analysis machine. The version number format is
<major>.<minor>.<patch>.<build_number> (for example, 23.1.0.0240). The <major> and <minor>
portions of the Fortify Static Code Analyzer version numbers on both the translation and the analysis
machines must match. For example, 22.2.0 and 22.2.x are compatible. To determine the Fortify Static
Code Analyzer version number, type sourceanalyzer -v on the command line.

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 43 of 216

User Guide
Chapter 3: Analysis Process Overview

You can obtain the build ID and the Fortify Static Code Analyzer version from an MBS file with the
following command:

sourceanalyzer -import-build-session <file>.mbs

-Dcom.fortify.sca.ExtractMobileInfo=true

Creating a Mobile Build Session

On the machine where you performed the translation, issue the following command to generate a
mobile build session:

sourceanalyzer -b <build_id> -export-build-session <file>.mbs

where <file>.mbs is the file name you provide for the Fortify Static Code Analyzer mobile build
session.

Importing a Mobile Build Session

After you move the <file>.mbs file to the machine where you want to perform the scan, import the
mobile build session into the Fortify Static Code Analyzer project root directory.
To import the mobile build session, type the following command:

sourceanalyzer -import-build-session <file>.mbs

After you import your Fortify Static Code Analyzer mobile build session, you can proceed to the
analysis phase. Perform a scan with the same build ID that was used in the translation.
You cannot merge multiple mobile build sessions into a single MBS file. Each exported build session
must have a unique build ID. However, after all the build IDs are imported on the same Fortify Static
Code Analyzer installation, you can scan multiple build IDs in one scan with the -b option (see
"Analysis Phase" below).

Analysis Phase
The analysis phase scans the intermediate files created during translation and creates the
vulnerability results file (FPR).
The analysis phase consists of one invocation of sourceanalyzer. You specify the build ID and
include the -scan directive with any other required analysis or output options (see "Analysis Options"
on page 124 and "Output Options" on page 127).
The following example shows the command-line syntax to perform the analysis phase and save the
results in an FPR file:

sourceanalyzer -b MyProject -scan -f MyResults.fpr

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 44 of 216

User Guide
Chapter 3: Analysis Process Overview

Note: By default, Fortify Static Code Analyzer includes the source code in the FPR file.

To combine multiple builds into a single scan command, add the additional builds to the command
line:

sourceanalyzer -b MyProject1 -b MyProject2 -b MyProject3 -scan -f

MyResults.fpr

Applying a Scan Policy to the Analysis

For the analysis (scan) phase, you can specify a scan policy to help you identify the most serious
vulnerabilities so you can remediate the code quickly. The following table describes the three
available scan policies.

Policy
Name Description

classic This is the default scan policy, which does not prioritize the analysis results. This
policy has the same effect as not specifying a scan policy for the analysis. Fortify
recommends that you run complete classic scans whenever possible.

security This scan policy excludes issues related to code quality from the analysis results. Use
this policy to focus code remediation on the security issues.

devops This scan policy excludes issues that are also excluded by the security policy and
reduces the number of reported low-priority issues. Use this scan policy when scan
speed is a priority and developers review results directly (without any intermediate
auditing). Issues that remain after applying this scan policy are probably serious
security issues that require remediation.

Note: This devops scan policy does not automatically include any customization
made to the local security scan policy.

To use a scan policy for your analysis, include the -scan-policy (or -sc) option in the analysis
phase as shown in the following example:

sourceanalyzer -b MyProject -scan -scan-policy security -f MyResults.fpr

Alternatively, you can specify the scan policy with the com.fortify.sca.ScanPolicy property in
the fortify-sca.properties file. For example:

com.fortify.sca.ScanPolicy=security

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 45 of 216

User Guide
Chapter 3: Analysis Process Overview

Note: You can apply a filter file (see "Excluding Issues with Filter Files" on page 166) with a scan
policy setting for an analysis. In this case, Fortify Static Code Analyzer applies both the scan
policy and the filter file to the analysis.

The policy files are in the <sca_install_dir>/Core/config/scales directory. There is one file
for each scan policy. You can modify the settings in these policy files to customize your scan policies.
For information about the syntax used for the policy files, see "Excluding Issues with Filter Files" on
page 166.

Higher-Order Analysis
Higher-Order Analysis (HOA) improves the ability to track dataflow through higher-order code.
Higher-order code manipulates functions as values, generating them with anonymous function
expressions (lambda expressions), passing them as arguments, returning them as values, and
assigning them to variables and to fields of objects. These code patterns are common in modern
dynamic languages such as JavaScript, TypeScript, Python, Ruby, and Swift.
By default, Fortify Static Code Analyzer performs Higher-Order Analysis when you scan JavaScript,
TypeScript, Python, Ruby, and Swift code. For a description of the Higher-Order Analysis properties,
see "Translation and Analysis Phase Properties" on page 173.

Modular Analysis
This release includes a technology preview of modular analysis. With modular analysis, you can pre-
scan libraries (and sublibraries) separately from your core project. You can then include these pre-
scanned libraries when you scan the core project. Doing this might improve the core project analysis
performance because you are not rescanning the libraries every time you scan the core project.
Modular analysis also enables you to scan a project that references a library without requiring the
library's source code, Fortify Static Code Analyzer translated files, or custom rules used to scan the
library. This has the added benefit that you only need to audit issues in your core application. The
analysis results are more streamlined to code that you directly control and therefore you do not need
to worry about issues in code that you do not own.
Modular analysis is currently available for libraries and applications developed in Java and Jakarta EE
(Java EE).

Note: In this release, you might not see any performance improvements from modular analysis.
Fortify is working to optimize the performance of modular analysis in future releases.

You must rescan your libraries whenever you:

l Update to a new version of Fortify Static Code Analyzer
l Update your Fortify security content
l Change the libraries

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 46 of 216

User Guide
Chapter 3: Analysis Process Overview

Modular Command-Line Examples

To translate and scan a library separately, type:

sourceanalyzer -b LibA MyLibs/A/*.java

sourceanalyzer -b LibA -scan-module

To translate and scan the core project and include multiple pre-scanned libraries:

sourceanalyzer -b MyProj MyProj/*.java

sourceanalyzer -b MyProj -scan -include-modules LibA,LibB

For a description of the options shown in the previous examples, see "Analysis Options" on page 124.

Regular Expression Analysis

Regular expression (regex) analysis provides the ability to use regular expression rules for detecting
vulnerabilities in both file content and file names. This analysis can detect vulnerable secrets such as
passwords, keys, and credentials in project files. The Configuration Analyzer includes the regex
analysis capability.
Regex analysis recursively examines all file paths and path patterns included in the translation phase.
Every file, for each directory found is analyzed unless it is specifically excluded from the translation.
To manage the files that are included in regex analysis, the following options are available:
l
Exclude any file or directory with the -exclude option in the translation phase.
For more information about this option, see "Translation Options" on page 122.
l By default, regex analysis excludes all detectible binary files. To include binary files in the analysis,
add the following property to the fortify-sca.properties file (or include this property on the
command line using the -D option):

com.fortify.sca.regex.ExcludeBinaries = false

l By default, regex analysis excludes files larger than 10 MB to ensure that the scan time is
acceptable. You can change the maximum file size (in megabytes) with the following property:

com.fortify.sca.regex.MaxSize = <max_file_size_mb>

To disable regex analysis, add the following property to the fortify-sca.properties file or
include it on the command line:

com.fortify.sca.regex.Enable = false

See Also
"Regex Analysis Properties" on page 181

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 47 of 216

User Guide
Chapter 3: Analysis Process Overview

"Mobile Build Sessions" on page 43

Translation and Analysis Phase Verification

Micro Focus Fortify Audit Workbench result certification indicates whether the code analysis from a
scan is complete and valid. The project summary in Fortify Audit Workbench shows the following
specific information about Fortify Static Code Analyzer scanned code:
l List of files scanned, with file sizes and timestamps
l Java class path used for the translation (if applicable)
l Rulepacks used for the analysis
l Fortify Static Code Analyzer runtime settings and command-line options
l Any errors or warnings encountered during translation or analysis
l Machine and platform information

Note: To obtain result certification, you must specify FPR for the analysis phase output format.

To view result certification information, open the FPR file in Fortify Audit Workbench and select Tools
> Project Summary > Certification. For more information, see the Fortify Audit Workbench User
Guide.

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 48 of 216

Chapter 4: Translating Java Code
This section describes how to translate Java code.
Fortify Static Code Analyzer supports analysis of Jakarta EE (Java EE) applications (including JSP
files, configuration files, and deployment descriptors), Java Bytecode, and Java code with Lombok
annotations.
This section contains the following topics:
Java Translation Command-Line Syntax 49
Handling Java Warnings 52
Translating Jakarta EE (Java EE) Applications 53
Translating Java Bytecode 54
Troubleshooting JSP Translation and Analysis Issues 55

Java Translation Command-Line Syntax

To translate Java code, all types defined in a library that are referenced in the code must have a
corresponding definition in the source code, a class file, or a JAR file. Include all source files on the
Fortify Static Code Analyzer command line.
If your project contains Java code that refers to Kotlin code, make sure that the Java and Kotlin code
are translated in the same Fortify Static Code Analyzer instance so that the Java references to Kotlin
elements are resolved correctly. Kotlin to Java interoperability does not support Kotlin files provided
by the –sourcepath option. For more information about the –sourcepath option, see "Java
Command-Line Options" on the next page
The basic command-line syntax to translate Java code is shown in the following example:

sourceanalyzer -b <build_id> -cp <classpath> <files>

With Java code, Fortify Static Code Analyzer can either:

l Emulate the compiler, which might be convenient for build integration
l Accept source files directly, which is convenient for command-line scans

For information about integrating Fortify Static Code Analyzer with Ant, see "Ant Integration" on
page 117.
To have Fortify Static Code Analyzer emulate the compiler, type:

sourceanalyzer -b <build_id> javac [<translation_options>]

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 49 of 216

User Guide
Chapter 4: Translating Java Code

To pass files directly to Fortify Static Code Analyzer, type:

sourceanalyzer -b <build_id> -cp <classpath> [<translation_options>]

<files> | <file_specifiers>

where:
l
<translation_options> are options passed to the compiler.
l
-cp <classpath> specifies the class path to use for the Java source code.
Include all JAR dependencies normally used to build the project. Separate multiple paths with
semicolons (Windows) or colons (non-Windows).
Similar to javac, Fortify Static Code Analyzer loads classes in the order they appear in the class
path. If there are multiple classes with the same name in the list, Fortify Static Code Analyzer uses
the first loaded class. In the following example, if both A.jar and B.jar include a class called
MyData.class, Fortify Static Code Analyzer uses the MyData.class from A.jar.

sourceanalyzer -cp A.jar:B.jar myfile.java

Fortify strongly recommends that you avoid using duplicate classes with the -cp option.
Fortify Static Code Analyzer loads JAR files in the following order:
a. From the -cp option
b. From jre/lib
c. From <sca_install_dir>/Core/default_jars
This enables you to override a library class by including the similarly-named class in a
JAR specified with the -cp option.
For descriptions of all the available Java-specific command-line options, see "Java Command-Line
Options" below.

Java Command-Line Options

The following table describes the Java command-line options (for Java SE and Jakarta EE).

Java or Jakarta EE Option Description

-appserver Specifies the application server to process JSP files.

weblogic | websphere
Equivalent Property Name:
com.fortify.sca.AppServer

-appserver-home <dir> Specifies the application server’s home.

l For WebLogic, this is the path to the directory that
contains the server/lib directory.
l For WebSphere, this is the path to the directory that

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 50 of 216

User Guide
Chapter 4: Translating Java Code

Java or Jakarta EE Option Description

contains the JspBatchCompiler script.

Equivalent Property Name:

com.fortify.sca.AppServerHome

-appserver-version Specifies the version of the application server.

<version>
Equivalent Property Name:
com.fortify.sca.AppServerVersion

-cp <dirs> | Specifies the class path to use for analyzing Java source
-classpath <dirs> code. The format is the same as javac: a semicolon- or colon-
separated list of directories. You can use Fortify Static Code
Analyzer file specifiers as shown in the following example:

-cp "build/classes:lib/*.jar"

For information about file specifiers, see "Specifying Files

and Directories" on page 134.
Equivalent Property Name:
com.fortify.sca.JavaClasspath

-extdirs <dirs> Similar to the javac extdirs option, accepts a semicolon- or

colon-separated list of directories. Any JAR files found in
these directories are included implicitly on the class path.
Equivalent Property Name:
com.fortify.sca.JavaExtdirs

-java-build-dir <dirs> Specifies one or more directories that contain compiled Java
sources.

-source <version> | Indicates the JDK version for which the Java code is written.
-jdk <version> See the Fortify Software System Requirements document
for supported versions. The default is Java 1.8.
Equivalent Property Name:
com.fortify.sca.JdkVersion

-show-unresolved-symbols Displays any unresolved types, fields, and functions

referenced in translated Java source files at the end of the
translation. It lists only field and function references for
which the receiver type is a resolved Java type. Displays

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 51 of 216

User Guide
Chapter 4: Translating Java Code

Java or Jakarta EE Option Description

each class, field, and function with the source information of

the first translated occurrence in the code. This information
is also written in the log file.
Equivalent Property Name:
com.fortify.sca.ShowUnresolvedSymbols

-sourcepath <dirs> Specifies a semicolon- or colon-separated list of directories

that contain source code that is not included in the scan but
is used for name resolution. The source path is similar to
class path, except it uses source files instead of class files for
resolution. Only source files that are referenced by the
target file list are translated.
Equivalent Property Name:
com.fortify.sca.JavaSourcePath

See Also
"Java and Kotlin Properties" on page 184

Java Command-Line Examples

To translate a single file named MyServlet.java with javaee.jar as the class path, type:

sourceanalyzer -b MyServlet -cp lib/javaee.jar MyServlet.java

To translate all .java files in the src directory using all JAR files in the lib directory as a class path,
type:

sourceanalyzer -b MyProject -cp "lib/*.jar" "src/**/*.java"

To translate and compile the MyCode.java file with the javac compiler, type:

sourceanalyzer -b MyProject javac -classpath libs.jar MyCode.java

Handling Java Warnings

To see all warnings that were generated during translation, type the following command before you
start the scan phase:

sourceanalyzer -b <build_id> -show-build-warnings

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 52 of 216

User Guide
Chapter 4: Translating Java Code

Java Translation Warnings

You might see the following warnings for when translating Java code.

Warning Description / Resolution

Unable to resolve type... These warnings are typically caused by

missing resources. For example, some of
Unable to resolve function...
the .jar and .class files required to
Unable to resolve field... build the application might not have been
specified.
Unable to locate import...
To resolve these warnings, make sure that
Unable to resolve symbol...
you include all the required files that your
application uses.

Multiple definitions found for class... This warning is typically caused by

duplicate classes in the Java files.
To resolve these warnings, make sure that
the source files displayed in the warning
are not duplicates of the same file
included several times in the sources to
translate (for example if it contains two
versions of the same project). If a
duplicate exists, remove one of them from
the files to translate. Then Fortify Static
Code Analyzer can determine which
version of the class to use.

Translating Jakarta EE (Java EE) Applications

To translate Jakarta EE applications, Fortify Static Code Analyzer processes Java source files and
Jakarta EE components such as JSP files, deployment descriptors, and configuration files. While you
can process all the pertinent files in a Jakarta EE application in one step, your project might require
that you break the procedure into its components for integration in a build process or to meet the
needs of various stakeholders in your organization.

Translating Java Files

To translate Jakarta EE applications, use the same procedure used to translate Java files. For
examples, see "Java Command-Line Examples" on the previous page.

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 53 of 216

User Guide
Chapter 4: Translating Java Code

Translating JSP Projects, Configuration Files, and Deployment

Descriptors
In addition to translating the Java files in your Jakarta EE (Java EE) application, you might also need
to translate JSP files, configuration files, and deployment descriptors. Your JSP files must be part of a
Web Application Archive (WAR). If your source directory is already organized in a WAR file format,
you can translate the JSP files directly from the source directory. If not, you might need to deploy
your application and translate the JSP files from the deployment directory.
For example:

sourceanalyzer -b MyJavaApp "/**/*.jsp" "/**/*.xml"

where /**/*.jsp refers to the location of your JSP project files and /**/*.xml refers to the location
of your configuration and deployment descriptor files.

Jakarta EE (Java EE) Translation Warnings

You might see the following warning in the translation of Jakarta EE applications:

Could not locate the root (WEB-INF) of the web application. Please build
your web application and try again. Failed to parse the following jsp
files:

<list_of_jsp_files>

This warning indicates that your web application is not deployed in the standard WAR directory
format or does not contain the full set of required libraries. To resolve the warning, make sure that
your web application is in an exploded WAR directory format with the correct WEB-INF/lib and
WEB-INF/classes directories containing all the .jar and .class files required for your application.
Also verify that you have all the TLD files for all your tags and the corresponding JAR files with their
tag implementations.

Translating Java Bytecode

Fortify recommends that you do not translate Java bytecode and JSP/Java code in the same call to
sourceanalyzer. Use multiple invocations of sourceanalyzer with the same build ID to translate a
project that contains both bytecode and JSP/Java code.
In addition to translating source code, you can translate the Java bytecode in your project. To
translate bytecode, you have the following two options:
l Request that Fortify Static Code Analyzer decompile the bytecode classes to regular Java files for
inclusion in the translation.

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 54 of 216

User Guide
Chapter 4: Translating Java Code

To have the bytecode decompiled for the translation, add the following property to the fortify-
sca.properties file (or include this property on the command line using the -D option):
com.fortify.sca.DecompileBytecode=true
l Request that Fortify Static Code Analyzer translate bytecode without decompilation.
For best results, Fortify recommends that the bytecode be compiled with full debug information
(javac -g).
To include bytecode in the Fortify Static Code Analyzer translation:
a. Add the following properties to the fortify-sca.properties file (or include these
properties on the command line using the -D option):
com.fortify.sca.fileextensions.class=BYTECODE
com.fortify.sca.fileextensions.jar=ARCHIVE

This specifies how Fortify Static Code Analyzer processes .class and .jar files.
b. In the Fortify Static Code Analyzer translation phase, specify the Java bytecode files that you
want to translate. For best performance, specify only the .jar or .class files that require
scanning.
In the following example, the .class files are translated:

sourceanalyzer -b MyProject -cp "lib/*.jar" "src/**/*.class"

Troubleshooting JSP Translation and Analysis Issues

The following sections provide troubleshooting information for translating and scanning JSP.

Unable to Translate Some JSPs

Fortify Static Code Analyzer uses either the built-in compiler or your specific application server JSP
compiler to translate JSP files into Java files for analysis. If the JSP parser encounters problems when
Fortify Static Code Analyzer converts JSP files to Java files, you will see a message similar to the
following:

Failed to translate the following jsps into analysis model. Please see the
log file for any errors from the jsp parser and the user manual for hints
on fixing those
<list_of_jsp_files>

This typically happens for one or more of the following reasons:

l The web application is not laid out in a proper deployable WAR directory format
l Some JAR files or classes required for the application are missing
l Some tag libraries or their definitions (TLD) for the application are missing

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 55 of 216

User Guide
Chapter 4: Translating Java Code

To obtain more information about the problem, perform the following steps:

1. Open the Fortify Static Code Analyzer log file in an editor.

2. Search for the following strings:
l
Jsp parser stdout:
l
Jsp parser stderr:
The JSP parser generates these errors. Resolve the errors and rerun Fortify Static Code Analyzer.
For more information about scanning Jakarta EE applications, see "Translating Jakarta EE (Java EE)
Applications" on page 53.

Increased Issues Counts in JSP-Related Categories

If the analysis results contain a considerable increase in the number of vulnerabilities in JSP-related
categories such as cross-site scripting compared with earlier Fortify Static Code Analyzer versions,
you can specify the -legacy-jsp-dataflow option in the analysis phase (with the -scan option).
This option enables additional filtering on JSP-related dataflow to reduce the number of spurious
false positives detected.
The equivalent property for this option that you can specify in the fortify-sca.properties file is
com.fortify.sca.jsp.LegacyDataflow.

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 56 of 216

Chapter 5: Translating Kotlin Code
This section describes how to translate Kotlin code.
This section contains the following topics:
Kotlin Command-Line Syntax 57
Kotlin and Java Translation Interoperability 59
Translating Kotlin Scripts 60

Kotlin Command-Line Syntax

The translation of Kotlin code is similar to the translation of Java code. To translate Kotlin code, all
types defined in a library that are referenced in the code must have a corresponding definition in the
source code, a class file, or a JAR file. Include all source files on the Fortify Static Code Analyzer
command line.
The basic command-line syntax to translate Kotlin code is shown in the following example:

sourceanalyzer –b <build_id> -cp <classpath> [<translation_options>]

<files>

where
l
-cp <classpath> specifies the class path to use for the Kotlin source code.
Include all JAR dependencies normally used to build the project. Separate multiple paths with
semicolons (Windows) or colons (non-Windows).
Fortify Static Code Analyzer loads classes in the order they appear in the class path. If there are
multiple classes with the same name in the list, Fortify Static Code Analyzer uses the first loaded
class. In the following example, if both A.jar and B.jar include a class called MyData.class,
Fortify Static Code Analyzer uses the MyData.class from A.jar.

sourceanalyzer –cp "A.jar:B.jar" myfile.kt

Fortify strongly recommends that you avoid using duplicate classes with the -cp option.
For descriptions of all the available Kotlin-specific command-line options, see "Kotlin Command-Line
Options" on the next page.

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 57 of 216

User Guide
Chapter 5: Translating Kotlin Code

Kotlin Command-Line Options

The following table describes the Kotlin-specific command-line options.

Kotlin Option Description

-cp <paths> | Specifies the class path to use for translating Kotlin source
-classpath <dirs> code, which is a semicolon- or colon-separated list of
directories. You can use Fortify Static Code Analyzer file
specifiers as shown in the following example:

-cp "build/classes:lib/*.jar"

For information about file specifiers, see "Specifying Files

and Directories" on page 134.
Equivalent Property Name:
com.fortify.sca.JavaClasspath

-source <version> | Indicates the JDK version for which the Kotlin code is
-jdk <version> written. See the Fortify Software System Requirements
document for supported versions. The default is Java 1.8.
Equivalent Property Name:
com.fortify.sca.JdkVersion

-sourcepath <dirs> Specifies a semicolon- or colon-separated list of directories

that contain Java source code that is not included in the
scan but is used for name resolution. The source path is
similar to class path, except it uses source files instead of
class files for resolution. Only source files that are
referenced by the target file list are translated.
Equivalent Property Name:
com.fortify.sca.JavaSourcePath

-jvm-default <mode> Specifies the generation of the DefaultImpls class for

methods with bodies in Kotlin interfaces. The valid values
for <mode> are:
l
disable—Specifies to generate the DefaultImpls class
for each interface that contains methods with bodies.
l
all—Specifies to generate the DefaultImpls class if an
interface is annotated with

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 58 of 216

User Guide
Chapter 5: Translating Kotlin Code

Kotlin Option Description

@JvmDefaultWithCompatibility.
l
all-compatibility—Specifies to generate the
DefaultImpls class unless an interface is annotated
with @JvmDefaultWithoutCompatibility.

Equivalent Property Name:

com.fortify.sca.KotlinJvmDefault

See Also
"Java and Kotlin Properties" on page 184

Kotlin Command-Line Examples

To translate a single file named MyKotlin.kt with A.jar as the class path, type:

sourceanalyzer -b MyProject -cp lib/A.jar MyKotlin.kt

To translate all .kt files in the src directory using all JAR files in the lib directory as a class path,
type:

sourceanalyzer -b MyProject -cp "lib/**/*.jar" "src/**/*.kt"

To translate a gradle project using gradlew, type:

sourceanalyzer -b MyProject gradlew clean assemble

To translate all files in the src directory using Java dependencies from src/java and all JAR files in
the lib directory and subdirectories as a class path, type:

sourceanalyzer –b MyProject –cp "lib/**/*.jar" -sourcepath "src/java" "src"

Kotlin and Java Translation Interoperability

If your project contains Kotlin code that refers to Java code, you can provide Java files to the
translator the same way as Kotlin files that refers to another Kotlin file. You can provide them as part
of the translated project source or as –sourcepath parameters.
If your project contains Java code that refers to Kotlin code, make sure that the Java and Kotlin code
are translated in the same Fortify Static Code Analyzer instance so that the Java references to Kotlin
elements are resolved correctly. Kotlin to Java interoperability does not support Kotlin files provided
by the –sourcepath option. For more information about the –sourcepath option, see "Kotlin
Command-Line Options" on the previous page

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 59 of 216

User Guide
Chapter 5: Translating Kotlin Code

Translating Kotlin Scripts

Fortify Static Code Analyzer supports translation of Kotlin scripts excluding experimental script
customization. Script customization includes adding external properties, providing static or dynamic
dependencies, and so on. Script definitions (templates) are used to create custom scripts and the
template is applied to the script based on the *.kts file extension. Fortify Static Code Analyzer
translates *.kts files but does not apply these templates.

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 60 of 216

Chapter 6: Translating Visual Studio Projects
Fortify Static Code Analyzer provides a build integration to support translation of the following Visual
Studio project types:
l C/C++ projects
l C# projects that target .NET Framework and .NET Core
l ASP.NET applications that target ASP.NET framework and ASP.NET Core
l Xamarin applications that target Android and iOS platforms

For the list of supported versions of relevant programming languages and frameworks, as well as
Visual Studio and MSBuild, see the Fortify Software System Requirements document.
This section contains the following topics:
Visual Studio Project Translation Prerequisites 61
Visual Studio Project Command-Line Syntax 61
Handling Special Cases for Translating Visual Studio and MSBuild Projects 63
Alternative Ways to Translate Visual Studio and MSBuild Projects 64

Visual Studio Project Translation Prerequisites

Fortify recommends that each project you translate is complete and that you perform the translation
in an environment where you can build it without errors. A complete project contains the following:
l All necessary source code files (C/C++, C#, or VB.NET).
l All required reference libraries.
This includes those from relevant frameworks, NuGet packages, and third-party libraries.
l For C/C++ projects, include all necessary header files that do not belong to the Visual Studio or
MSBuild installation.
l For ASP.NET and ASP.NET Core projects, include all the necessary ASP.NET page files.
The supported ASP.NET page types are ASAX, ASCX, ASHX, ASMX, ASPX, AXML, BAML, CSHTML,
Master, RAZOR, VBHTML, and XAML.

Visual Studio Project Command-Line Syntax

The basic syntax to translate a Visual Studio solution or project is to specify the corresponding build
option for your project as part of the Fortify Static Code Analyzer translation command. This invokes
a build integration that analyzes your solution and project files and automatically executes the
appropriate translation steps.

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 61 of 216

User Guide
Chapter 6: Translating Visual Studio Projects

Important! To ensure that the build integration correctly pulls in all of the appropriate project
dependencies and resources, you must run the Fortify Static Code Analyzer command from a
command prompt with access to your build environment configuration. Fortify strongly
recommends you run this command from the Developer Command Prompt for Visual Studio to
ensure an optimal environment for the translation.

In the following examples, Fortify Static Code Analyzer translates all the projects contained in the
Visual Studio solution Sample.sln. You can also translate one or more specific projects by providing
a semicolon-separated list of projects.
l For a .NET 6.0 or later solution on Windows or Linux, use the following commands to translate the
solution:
a. Optionally, run the following command to remove any intermediate files from previous project
builds:

dotnet clean Sample.sln

b. Optionally, run the following command to ensure that all required reference libraries are
downloaded and installed in the project. Run this command from the top-level folder of the
project:

dotnet restore Sample.sln

c. Run one of the following Fortify Static Code Analyzer commands depending on how your
project build is implemented. You can include any additional build parameters in this command:

sourceanalyzer –b MyProject dotnet msbuild Sample.sln

or

sourceanalyzer –b MyProject dotnet build Sample.sln

l For a C, C++, and .NET Framework solution (4.8.x or earlier) on Windows, use the following
command to translate the solution:

sourceanalyzer –b MyProject msbuild /t:rebuild Sample.sln

Note: If you run Fortify Static Code Analyzer from a Windows Command Prompt instead of the
Visual Studio Developer Command Prompt, you must set up the environment and make sure
the path to the MSBuild executable required to build your project is included in the PATH
environment variable.

After the translation is complete, you can perform the analysis phase and save the results in an
FPR file as shown in the following example:

sourceanalyzer –b MyProject -scan -f MyResults.fpr

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 62 of 216

User Guide
Chapter 6: Translating Visual Studio Projects

Handling Special Cases for Translating Visual Studio

and MSBuild Projects
Running Translation from a Script
To perform the translation in a non-interactive mode such as with a script, establish an optimal
environment for translation by executing the following command before you run the Fortify Static
Code Analyzer translation:

cmd.exe /k <vs_install_dir>/Common7/Tools/VSDevCmd.bat

where <vs_install_dir> is the directory where you installed Visual Studio.

Translating Plain .NET and ASP.NET Projects

You can translate plain .NET and ASP.NET projects from the Windows Command Prompt as well as
from a Visual Studio environment. When you translate from the Windows Command Prompt, make
sure the path to the MSBuild executable required to build your project is included in PATH
environment variable.

Translating C/C++ and Xamarin Projects

You must translate C/C++ and Xamarin projects either from a Developer Command Prompt for Visual
Studio or from the Micro Focus Fortify Extension for Visual Studio.

Note: For Xamarin projects, there is no need to use a custom rule for the Xamarin.Android API if a
rule for the corresponding native Android API exists in the Fortify Secure Coding Rulepacks.
Doing so can cause duplicate issues to be reported.

Translating Projects with Settings Containing Spaces

If your project is built with a configuration or other settings file that contains spaces, make sure to
enclose the setting values in quotes. For example, to translate a Visual Studio solution Sample.sln
that is built with configuration My Configuration, use the following command:

sourceanalyzer –b MySampleProj msbuild /t:rebuild

/p:Configuration="My Configuration" Sample.sln

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 63 of 216

User Guide
Chapter 6: Translating Visual Studio Projects

Translating a Single Project from a Visual Studio Solution

If your Visual Studio solution contains multiple projects, you have the option to translate a single
project instead of the entire solution. Project files have a file name extension that ends with proj
such as .vcxproj and .csproj. To translate a single project, specify the project file instead of the
solution as the parameter for the MSBuild command.
The following example translates the Sample.vcxproj project file:

sourceanalyzer –b MySampleProj msbuild /t:rebuild Sample.vcxproj

Analyzing Projects That Build Multiple Executable Files

If your Visual Studio or MSBuild project builds multiple executable files (such as files with the file
name extension *.exe), Fortify strongly recommends that you run the analysis phase separately for
each executable file to avoid false positive issues in the analysis results. To do this, use –binary-
name option when running the analysis phase and specify the executable file name or .NET assembly
name as the parameter.
The following example shows how to translate and analyze a Visual Studio solution Sample.sln that
consists of two projects, Sample1 (a C++ project with no associated .NET assembly name) and
Sample2 (a .NET project with .NET assembly name Sample2). Each project builds a separate
executable file, Sample1.exe and Sample2.exe, respectively. The analysis results are saved in
Sample1.fpr and Sample2.fpr files.

sourceanalyzer -b MySampleProj msbuild /t:rebuild Sample.sln

sourceanalyzer -b MySampleProj -scan -binary-name Sample1.exe -f
Sample1.fpr
sourceanalyzer -b MySampleProj -scan -binary-name Sample2.exe -f
Sample2.fpr

For more information about the -binary-name option, see "Analysis Options" on page 124.

Alternative Ways to Translate Visual Studio and

MSBuild Projects
This section describes alternative methods of translating Visual Studio and MSBuild projects.

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 64 of 216

User Guide
Chapter 6: Translating Visual Studio Projects

Alternative Translation Options for Visual Studio Solutions

The following are two alternative ways of translation available only for Windows-based Visual Studio
solutions:
l Use the Micro Focus Fortify Extension for Visual Studio
The Fortify Extension for Visual Studio runs the translation and analysis (scan) phases together in
one step.
l Append a devenv command to the Fortify Static Code Analyzer command
The following command translates a Visual Studio solution Sample.sln:

sourceanalyzer –b MySampleProj devenv Sample.sln /rebuild

Note that Fortify Static Code Analyzer converts a devenv invocation to the equivalent MSBuild
invocation, therefore in this case, the solution with this command is built by MSBuild instead of the
devenv tool.

Translating Without Explicitly Running Fortify Static Code

Analyzer
You have the option to translate your Visual Studio project without invoking Fortify Static Code
Analyzer directly. This requires the Fortify.targets file, which is located in <sca_install_
dir>\Core\private-bin\sca\MSBuildPlugin in the DotNet and Framework directory. You can
specify the file using an absolute or relative path in the build command line that builds your project.
Use the path with the Dotnet or Framework directory depending on the build command you are
using: dotnet.exe or MSBuild.exe respectively. For example:

dotnet.exe msbuild /t:rebuild /p:CustomAfterMicrosoftCommonTargets=<sca_

install_dir>\Core\private-bin\sca\MSBuildPlugin\Dotnet\Fortify.targets
Sample.sln

or

msbuild.exe /t:rebuild
/p:CustomAfterMicrosoftCommonTargets=<sca_install_dir>\Core\private-
bin\sca\MSBuildPlugin\Framework\Fortify.targets Sample.sln

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 65 of 216

User Guide
Chapter 6: Translating Visual Studio Projects

There are several environment variables that you can set to configure the translation of your project.
Most of them have default values, which Fortify Static Code Analyzer uses if the variable is not set.
These variables are listed in the following table.

Environment
Variable Description Default Value

FORTIFY_ Specifies the Fortify Static Code Analyzer None

MSBUILD_ build ID for translation. Make sure that you
BUILDID set this value.
This is equivalent to the Fortify Static Code
Analyzer -b option.

FORTIFY_ Enables debug mode. This is equivalent to False

MSBUILD_ the Fortify Static Code Analyzer –debug
DEBUG option.

FORTIFY_ Enables verbose debug mode. This is False

MSBUILD_ equivalent to the Fortify Static Code
DEBUG_ Analyzer –debug-verbose option. Takes
VERBOSE precedence over FORTIFY_MSBUILD_
DEBUG variable if both are set to true.

FORTIFY_ Specifies the memory requirements for Automatic allocation based on

MSBUILD_MEM translation in the form of the JVM -Xmx physical memory available on
option. For example, -Xmx2G. the system

FORTIFY_ Specifies the location (absolute path) of the %LOCALAPPDATA%/Fortify/

MSBUILD_ Fortify Static Code Analyzer log file. sca/log/sca.log
SCALOG
This is equivalent to the Fortify Static Code
Analyzer -logfile option.

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 66 of 216

Chapter 7: Translating C and C++ Code
This section describes how to translate C and C++ code.

Important! The chapter describes how to translate C and C++ code that is not a part of a Visual
Studio or MSBuild project. For instructions on translating Visual Studio or MSBuild projects, see
"Translating Visual Studio Projects" on page 61.

This section contains the following topics:

C and C++ Code Translation Prerequisites 67
C and C++ Command-Line Syntax 67
Scanning Pre-processed C and C++ Code 68
C/C++ Precompiled Header Files 68

C and C++ Code Translation Prerequisites

Make sure that you have any dependencies required to build the project available, including headers
for third-party libraries. Fortify Static Code Analyzer translation does not require object files and
static/dynamic library files.

Note: Fortify Static Code Analyzer might not support all non-standard C++ constructs.

If you use Gradle to build your C++ project, make sure that the C++ Application Plugin is added to
your Gradle file in one of the following formats:

apply plugin: 'cpp'

plugins {
id 'cpp-application'
}

For more information about integrating with Gradle, see "Build Integration" on page 115.

C and C++ Command-Line Syntax

Command-line options passed to the compiler affect preprocessor execution and can enable or
disable language features and extensions. For Fortify Static Code Analyzer to interpret your source
code in the same way as the compiler, the translation phase for C/C++ source code requires the
complete compiler command line. Prefix your original compiler command with the sourceanalyzer
command and options.

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 67 of 216

User Guide
Chapter 7: Translating C and C++ Code

The basic command-line syntax for translating a single file is:

sourceanalyzer -b <build_id> [<sca_options>] <compiler> [<compiler_

options>] <file>.c

where:
l
<sca_options> are options passed to Fortify Static Code Analyzer.
l
<compiler> is the name of the C/C++ compiler you use, such as gcc, g++, or cl. See the Fortify
Software System Requirements document for a list of supported C/C++ compilers.
l
<compiler_options> are options passed to the C/C++ compiler.
l
<file>.c must be in ASCII or UTF-8 encoding.

Note: All Fortify Static Code Analyzer options must precede the compiler options.

The compiler command must successfully complete when executed on its own. If the compiler
command fails, then the Fortify Static Code Analyzer command prefixed to the compiler command
also fails.
For example, if you compile a file with the following command:

gcc -I. -o hello.o -c helloworld.c

then you can translate this file with the following command:

sourceanalyzer -b MyProject gcc -I. -o hello.o -c helloworld.c

Fortify Static Code Analyzer executes the original compiler command as part of the translation phase.
In the previous example, the command produces both the translated source suitable for scanning, and
the object file hello.o from the gcc execution. You can use the Fortify Static Code Analyzer -nc
option to disable the compiler execution.

Scanning Pre-processed C and C++ Code

If, before compilation, your C/C++ build executes a third-party C preprocessor that Fortify Static Code
Analyzer does not support, you must invoke the Fortify Static Code Analyzer translation on the
intermediate file. Fortify Static Code Analyzer touchless build integration automatically translates the
intermediate file provided that your build executes the unsupported preprocessor and supported
compiler as two commands connected by a temporary file rather than a pipe chain.

C/C++ Precompiled Header Files

Some C/C++ compilers support Precompiled Header Files, which can improve compilation
performance. Some compilers' implementations of this feature have subtle side-effects. When the
feature is enabled, the compiler might accept erroneous source code without warnings or errors. This

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 68 of 216

User Guide
Chapter 7: Translating C and C++ Code

can result in a discrepancy where Fortify Static Code Analyzer reports translation errors even when
your compiler does not.
If you use your compiler's Precompiled Header feature, disable Precompiled Headers, and then
perform a full build to make sure that your source code compiles cleanly.

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 69 of 216

Chapter 8: Translating JavaScript and
TypeScript Code
You can analyze JavaScript projects that contain JavaScript, TypeScript, JSX, and TSX source files, as
well as JavaScript embedded in HTML files.
Some JavaScript frameworks are transpiled (source-to-source compilation) to plain JavaScript. This
generated code is optimized., minimized, or both. Therefore, you might want to exclude it from
translation because it would be challenging to fix any vulnerabilities Fortify Static Code Analyzer
might report in this code. Use the -exclude command-line option to manually exclude this type of
code.
Fortify Static Code Analyzer does not translate minified JavaScript (*.min.js).

Note: When you translate JavaScript and TypeScript code, make sure that you specify all source
files together in one invocation. Fortify Static Code Analyzer does not support adding new files to
the file list associated with the build ID on subsequent invocations.

This section contains the following topics:

Translating Pure JavaScript Projects 70
Excluding Dependencies 71
Excluding NPM Dependencies 71
Translating JavaScript Projects with HTML Files 72
Including External JavaScript or HTML in the Translation 72

Translating Pure JavaScript Projects

The basic command-line syntax to translate JavaScript is:

sourceanalyzer –b <build_id> <js_file_or_dir>

where <js_file_or_dir> is either the name of the JavaScript file to be translated or a directory that
contains multiple JavaScript files. You can also translate multiple files by specifying *.js for the <js_
file_or_dir>.

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 70 of 216

User Guide
Chapter 8: Translating JavaScript and TypeScript Code

Excluding Dependencies
You can avoid translating specific dependencies by adding them to the appropriate property setting
in the fortify-sca.properties file. Files specified in the following properties are not translated:
l
com.fortify.sca.skip.libraries.ES6
l
com.fortify.sca.skip.libraries.jQuery
l
com.fortify.sca.skip.libraries.javascript
l
com.fortify.sca.skip.libraries.typescript

Each property specifies a list of comma- or colon-separated file names (without path information).
The files specified in these properties apply to both local files and files on the internet. Suppose, for
example, that the JavaScript code includes the following local file reference:

<script src="js/jquery-ui.js" type="text/javascript" charset="utf-

8"></script>

By default, the com.fortify.sca.skip.libraries.jQuery property in the fortify-

sca.properties file includes jquery-us.js, and therefore Fortify Static Code Analyzer does not
translate the file shown in the previous example.
You can use regular expressions for the file names. Note that Fortify Static Code Analyzer
automatically inserts the regular expression '(-?\d+\.\d+\.\d+)?' before .min.js or .js for
each file name included in the com.fortify.sca.skip.libraries.jQuery property value.

Note: You can also exclude local files or entire directories with the -exclude command-line
option. For more information about this option, see "Translation Options" on page 122.

Note: To provide a thorough analysis, dependent files are included in the translation even if the
dependency is in a language that is disabled with the -disable-language option. For more
information about the option to disable languages, see "Translation Options" on page 122).

Excluding NPM Dependencies

By default, Fortify Static Code Analyzer translates only the NPM dependencies that are imported in
the code. You can change this behavior with the following two properties:
l
The com.fortify.sca.follow.imports property directs Fortify Static Code Analyzer to resolve
all imported files and include them in the translation.
This property is enabled by default. Setting this property to false prevents NPM dependencies that
are not explicitly included on the command-line from being included in the translation.
l
The com.fortify.sca.exclude.unimported.node.modules property directs Fortify Static
Code Analyzer to exclude all files in any node_modules directory from the translation except files

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 71 of 216

User Guide
Chapter 8: Translating JavaScript and TypeScript Code

that are specifically imported by the com.fortify.sca.follow.imports property.

This property is enabled by default to avoid translating dependencies that are not needed for the
final project such as those only required for the build system.

Translating JavaScript Projects with HTML Files

If the project contains HTML files in addition to JavaScript files, set the
com.fortify.sca.EnableDOMModeling property to true in the fortify-sca.properties file or
on the command line as shown in the following example:

sourceanalyzer –b MyProject <js_file_or_dir>

-Dcom.fortify.sca.EnableDOMModeling=true

When you set the com.fortify.sca.EnableDOMModeling property to true, this can decrease false
negative reports of DOM-related attacks, such as DOM-related cross-site scripting issues.

Note: If you enable this option, Fortify Static Code Analyzer generates JavaScript code to model
the DOM tree structure in the HTML files. The duration of the analysis phase might increase
(because there is more translated code to analyze).

If you set the com.fortify.sca.EnableDOMModeling property to true, you can also specify
additional HTML tags for Fortify Static Code Analyzer to include in the DOM modeling with the
com.fortify.sca.DOMModeling.tags property. By default, Fortify Static Code Analyzer includes
the following HTML tags: body, button, div, form, iframe, input, head, html, and p.
For example, to include the HTML tags ul and li in the DOM model, use the following command:

sourceanalyzer –b MyProject <js_file_or_dir>

-Dcom.fortify.sca.DOMModeling.tags=ul,li

Including External JavaScript or HTML in the

Translation
To include external JavaScript or HTML files that are specified with the src attribute, you can specify
which domains Fortify Static Code Analyzer can download and include in the translation phase. To do
this, specify one or more domains with the
com.fortify.sca.JavaScript.src.domain.whitelist property.

Note: You can also set this property globally in the fortify-sca.properties file.
For example, you might have the following statement in your HTML file:

<script src='http://xyzdomain.com/foo/bar.js' language='text/javascript'/>

</script>

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 72 of 216

User Guide
Chapter 8: Translating JavaScript and TypeScript Code

If you are confident that the xyzdomain.com domain is a safe location from which to download files,
then you can include them in the translation phase by adding the following property specification on
the command line:

-Dcom.fortify.sca.JavaScript.src.domain.whitelist="xyzdomain.com/foo"

Note: You can omit the www. prefix from the domain in the property value. For example, if the src
tag in the original HTML file specifies to download files from www.google.com, you can specify
just the google.com domain.

To trust more than one domain, include each domain separated by the vertical bar character (|) as
shown in the following example:

-Dcom.fortify.sca.JavaScript.src.domain.whitelist=
"xyzdomain.com/foo|abcdomain.com|123.456domain.com”

If you are using a proxy server, then you need to include the proxy server information on the
command line as shown in the following example:

-Dhttp.proxyHost=example.proxy.com -Dhttp.proxyPort=8080

For a complete list of proxy server options, see the Networking Properties Java documentation.

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 73 of 216

Chapter 9: Translating Python Code
Fortify Static Code Analyzer translates Python applications, and processes files with the .py
extension as Python source code.
This section contains the following topics:
Python Translation Command-Line Syntax 74
Including Imported Modules and Packages 74
Including Namespace Packages 75
Using the Django Framework with Python 75
Python Command-Line Options 76
Python Command-Line Examples 77

Python Translation Command-Line Syntax

The basic command-line syntax to translate Python code is:

sourceanalyzer -b <build_id> -python-version <python_version>

-python-path <dirs> <files>

Note: When you translate Python code, make sure that you specify all source files together in one
invocation. Fortify Static Code Analyzer does not support adding new files to the file list
associated with the build ID on subsequent invocations.

Including Imported Modules and Packages

To translate Python applications and prepare for a scan, Fortify Static Code Analyzer searches for any
imported modules and packages used by the application. Fortify Static Code Analyzer does not
respect the PYTHONPATH environment variable, which the Python runtime system uses to find
imported modules and packages.
Fortify Static Code Analyzer searches for imported modules and packages using the list of directories
in the following order:

1. The common root directory for all project source files. which Fortify Static Code Analyzer
calculates automatically. For example, if there are two project directories
PrimaryDir/project1/* and PrimaryDir/project2/*, the common root directory is
PrimaryDir.

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 74 of 216

User Guide
Chapter 9: Translating Python Code

To remove the common root directory as a search target for imported modules and packages,
include the -python-no-auto-root-calculation option in the translation command.
2. The directories specified with the -python-path option.
Fortify Static Code Analyzer includes a subset of modules from the standard Python library
(module "builtins", all modules originally written in C, and others) in the translation. Fortify Static
Code Analyzer first searches for a standard Python library module in the set included with Fortify
Static Code Analyzer and then in the paths specified with the -python-path option. If your
Python code imports any module that Fortify Static Code Analyzer cannot find, it produces a
warning. To make sure that all modules of the standard Python library are found, add the path to
your standard Python library in the -python-path list.
3. The current directory that contains the file Fortify Static Code Analyzer is translating. For
example, when Fortify Static Code Analyzer translates a PrimaryDir/project1/a.py, the
directory PrimaryDir/project1 is added as the last directory to search for imported modules
and packages.

Including Namespace Packages

To translate namespace packages, include all the paths to the namespace package directories in the -
python-path option. For example, if you have two subpackages for a namespace package package_
name in multiple folders as in this example:

/path_1/package_name/subpackageA
/path_2/package_name/subpackageB

Include the following with the -python-path option: /path_1;/path_2.

Using the Django Framework with Python

Fortify Static Code Analyzer supports the Django framework. To translate code created using the
Django framework, add the following properties to the <sca_install_
dir>/Core/config/fortify-sca.properties configuration file:

com.fortify.sca.limiters.MaxPassthroughChainDepth=8

com.fortify.sca.limiters.MaxChainDepth=8

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 75 of 216

User Guide
Chapter 9: Translating Python Code

By default, Fortify Static Code Analyzer attempts to discover Django templates in the project root
folder. Any Django templates found are automatically added to the translation. If you do not want
Fortify Static Code Analyzer to automatically discover Django templates, use the -django-disable-
autodiscover option. If your project requires Django templates, but the project is configured such
that Django templates are in an unexpected location, use the -django-template-dirs option to
specify the directories that contain the templates in addition to the -django-disable-
autodiscover option.
You can specify additional locations of Django template files by adding the -django-template-
dirs option to the sourceanalyzer command:

-django-template-dirs <dirs>

Python Command-Line Options

The following table describes the Python options.

Python Option Description

-python-version Specifies the Python source code version to scan. The valid values for
<version> <version> are 2 and 3. The default value is 2.
Equivalent Property Name:
com.fortify.sca.PythonVersion

-python-no-auto- Disables the automatic calculation of a common root directory of all

root-calculation project source files to use for importing modules and packages.
Equivalent Property Name:
com.fortify.sca.PythonNoAutoRootCalculation

-python-path Specifies a semicolon-separated (Windows) or colon-separated (non-

<dirs> Windows) list of additional import directories. You can use the -python-
path option to specify all paths used to import packages or modules.
Include all paths to namespace package directories with this option.
Fortify Static Code Analyzer sequentially searches the specified paths
for each imported file and uses the first file encountered.
Equivalent Property Name:
com.fortify.sca.PythonPath

-django-disable- Specifies that Fortify Static Code Analyzer does not automatically
autodiscover discover Django templates.
Equivalent Property Name:
com.fortify.sca.DjangoDisableAutodiscover

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 76 of 216

User Guide
Chapter 9: Translating Python Code

Python Option Description

-django-template- Specifies a semicolon-separated (Windows) or colon-separated (non-

dirs <dirs> Windows) list of directories that contain Django templates. Fortify Static
Code Analyzer sequentially searches the specified paths for each Django
template file and uses the first template file encountered.
Equivalent Property Name:
com.fortify.sca.DjangoTemplateDirs

See Also
"Python Properties" on page 189

Python Command-Line Examples

To translate Python 3 code, type:

sourceanalyzer -b Python3Proj -python-version 3 -python-path

/usr/lib/python3.4:/usr/local/lib/python3.4/site-packages src/*.py

To translate Python 2 code, type:

sourceanalyzer -b MyPython2 -python-path

/usr/lib/python2.7:/usr/local/lib/python2.7/site-packages src/*.py

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 77 of 216

Chapter 10: Translating Code for Mobile
Platforms
Fortify Static Code Analyzer supports analysis of the following mobile application source languages:
l Swift, Objective-C, and Objective-C++ for iOS applications developed using Xcode
l Java for Android applications

For information about translating Xamarin applications, see "Translating Visual Studio Projects" on
page 61.
This section contains the following topics:
Translating Apple iOS Projects 78
Translating Android Projects 79

Translating Apple iOS Projects

This section describes how to translate Swift, Objective-C, and Objective-C++ source code for iOS
applications. Fortify Static Code Analyzer automatically integrates with the Xcode Command Line
Tool, Xcodebuild, to identify the project source files.

iOS Project Translation Prerequisites

The following are the prerequisites for translating iOS projects:
l Objective-C++ projects must use the non-fragile Objective-C runtime (ABI version 2 or 3).
l
Use Apple’s xcode-select command-line tool to set your Xcode path. Fortify Static Code
Analyzer uses the system global Xcode configuration to find the Xcode toolchain and headers.
l Make sure that all source files required for a successful Xcode build are provided.
You can exclude files from the analysis using the -exclude option (see "iOS Code Analysis
Command-Line Syntax" on the next page).
l Make sure that you have any dependencies required to build the project available.
l To translate Swift code, make sure that you have available all third-party modules, including
CocoaPods. Bridging headers must also be available. However, Xcode usually generates them
automatically during the build.
l If your project includes property list files in binary format, you must first convert them to XML
format. You can do this with the Xcode putil command.
l To translate Objective-C projects, ensure that the headers for third-party libraries are available.

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 78 of 216

User Guide
Chapter 10: Translating Code for Mobile Platforms

l To translate WatchKit applications, make sure that you translate both the iPhone application target
and the WatchKit extension target.

iOS Code Analysis Command-Line Syntax

The command-line syntax to translate iOS code using Xcodebuild is:

sourceanalyzer -b <build_id> xcodebuild [<compiler_options>]

where <compiler_options> are the supported options that are passed to the Xcode compiler. You
must include the build option with any <compiler_options>. The Fortify Static Code Analyzer
Xcodebuild integration does not support the output format of alternate build commands such as
xcodebuild archive.

Note: Xcodebuild compiles the source code when you run this command.

To exclude files from the analysis, use the -exclude option (see "Translation Options" on page 122).
All source files that match the exclude specification are not translated, even if they are included in the
Xcode build. The following is an example:

sourceanalyzer -b MyProject -exclude "**/TestFile.swift" xcodebuild clean

build

If your application uses any property list files (for example, <file>.plist), translate these files with
a separate sourceanalyzer command. Use the same build ID that you used to translate the project
files. The following is an example:

sourceanalyzer -b MyProject <path_to_plist_files>

If your project uses CocoaPods, include -workspace to build the project. For example:

sourceanalyzer -b DemoAppSwift xcodebuild clean build -workspace

DemoAppSwift.xcworkspace -scheme DemoAppSwift -sdk iphonesimulator

After the translation is complete, you can perform the analysis phase and save the results in an
FPR file, as shown in the following example:

sourceanalyzer -b DemoAppSwift -scan -f MyResults.fpr

Translating Android Projects

This section describes how to translate Java source code for Android applications. You can use Fortify
Static Code Analyzer to scan the code with Gradle from either:

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 79 of 216

User Guide
Chapter 10: Translating Code for Mobile Platforms

l Your operating system's command line

l A terminal window running in Android Studio

The way you use Gradle is the same for either method.

Note: You can also scan Android code directly from Android Studio with the Micro Focus Fortify
Analysis Plugin for IntelliJ and Android Studio. For more information, see the Fortify Analysis
Plugin for IntelliJ IDEA and Android Studio User Guide.

Android Project Translation Prerequisites

The following are the prerequisites for translating Android projects:
l Android Studio and the relevant Android SDKs are installed on the system where you will run the
scans
l Your Android project uses Gradle for builds.
If you have an older project that does not use Gradle, you must add Gradle support to the
associated Android Studio project
Use the same version of Gradle that is provided with the version of Android Studio that you use to
create your Android project
l Make sure you have available all dependencies that are required to build the Android code in the
application's project
l To translate your Android code from a command window that is not displayed within Android
Studio, make sure that Gradle Wrapper (gradlew) is defined on the system path

Android Code Analysis Command-Line Syntax

Use gradlew to scan Android projects, which is similar to using Gradle except that you use the Gradle
Wrapper. For information about how to translate your Android project using the Gradle Wrapper, see
"Gradle Integration" on page 118.

Filtering Issues Detected in Android Layout Files

If your Android project contains layout files (used to design the user interface), your project files
might include R.java source files that are automatically generated by Android Studio. When you
scan the project, Fortify Static Code Analyzer can detect issues associated with these layout files.
Fortify recommends that Issues reported in any layout file be included in your standard audit so you
can carefully determine if any of them are false positives. After you identify issues in layout files that
you are not interested in, you can filter them out as described in "Filtering the Analysis" on page 166.
You can filter out the issues based on the Instance ID.

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 80 of 216

Chapter 11: Translating Go Code
This section describes how to translate Go code. Fortify Static Code Analyzer supports analysis of Go
code on Windows, Linux, and macOS.
This section contains the following topics:
Go Command-Line Syntax 81
Go Command-Line Options 81
Resolving Dependencies 83

Go Command-Line Syntax
For the best results, your project must be compilable and you must have all required dependencies
available.
The following entities are excluded from the translation (and the scan):
l Vendor folder
l
All projects defined by any go.mod files in subfolders, except the project defined by the go.mod file
under the %PROJECT_ROOT%
l
All files with the _test.go suffix (unit tests)
The basic command-line syntax to translate Go code is:

sourceanalyzer -b <build_id> [-gopath <dir>] [-goroot <dir>] <files>

Go Command-Line Options
The following table describes the command-line options that are specifically for translating Go code.

Go Option Description

-gopath <dir> Specifies the root directory of your project. Make sure that the directory
structure adheres to the Go workspace hierarchy
(https://golang.org/doc/gopath_code.html). If this option is not specified,
then the GOPATH system environment variable is used.
You must specify the gopath directory as an absolute path. The following
examples are valid values for <dir>:

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 81 of 216

User Guide
Chapter 11: Translating Go Code

Go Option Description

/home/projects/go_workspace/my_proj
C:\projects\go_workspace\my_proj

The following example is an invalid value for <dir>:

go_workspace/my_proj
If this option and the GOPATH system environment variable is not set,
then the gopath defaults to a subdirectory named go in the user's home
directory ($HOME/go on Linux and %USERPROFILE%\go on Windows),
unless that directory contains a Go distribution.
Equivalent Property Name
com.fortify.sca.GOPATH

-goroot <dir> Specifies the location of the Go installation. If this option is not specified,
the GOROOT system environment variable is used.
If this option is not specified and the GOROOT system environment
variable is not set, then Fortify Static Code Analyzer uses the Go
compiler included in the Fortify Static Code Analyzer installation.
Equivalent Property Name
com.fortify.sca.GOROOT

-goproxy <url> Specifies one or more comma-separated proxy URLs. You can also
specify direct or off (to disable network usage).
If this option is not specified and the GOPROXY system environment
variable is not set, then Fortify Static Code Analyzer uses
https://proxy.golang.org,direct.
Equivalent Property Name
com.fortify.sca.GOPROXY

See Also
"Go Properties" on page 190

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 82 of 216

User Guide
Chapter 11: Translating Go Code

Resolving Dependencies
Fortify Static Code Analyzer supports two dependency management systems built into Go:
l Modules
Fortify Static Code Analyzer downloads all required dependencies using the native Go toolchain. If
access to the internet is restricted on the machine where you run Fortify Static Code Analyzer, then
do one of the following:
l If you are using an artifact management system such as Artifactory, set the GOPROXY

environment variable or use the -goproxy option described in "Go Command-Line Options" on
page 81.
l Download all required dependencies using modules and vendoring.
l GOPATH dependency resolution
If you are using a third-party dependency management system such as dep, you must download all
dependencies before you start the translation.

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 83 of 216

Chapter 12: Translating Dart and Flutter
Code
This section describes how to translate Dart and Flutter code. Fortify Static Code Analyzer supports
analysis of Dart and Flutter code on Windows, and Linux.
This section contains the following topics:
Dart and Flutter Translation Prerequisites 84
Dart and Flutter Command-Line Syntax 85
Dart and Flutter Command-Line Examples 85

Dart and Flutter Translation Prerequisites

The following are the prerequisites for translating Dart and Flutter projects:
l Make sure that you have a supported Dart SDK (for Dart-only projects) and the Flutter SDK (for
Flutter projects) installed on your system. See the Fortify Software System Requirements
document for the supported Dart and Flutter SDK versions.
l Download the project dependencies by running one of the following commands:
l
For Flutter projects, use flutter pub get.
l
For Dart-only projects, use dart pub get .
For example, to download the dependencies for a Flutter project that has the project root
myproject, run the following commands:

cd myproject

flutter pub get

Important! If the project includes nested packages with different pubspec.yaml files, you
must run dart pub get or flutter pub get for each package root.

Important! Make sure that the following are included in the project directory:
l
The pubspec.yaml file, which specifies the dependencies
l
The .dart_tool directory, which includes the package_config.json file automatically
generated by the pub tool

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 84 of 216

User Guide
Chapter 12: Translating Dart and Flutter Code

Dart and Flutter Command-Line Syntax

The basic command-line syntax to translate Dart and Flutter code is:

sourceanalyzer –b <build_id> <translation_options> <dirs>

sourceanalyzer –b <build_id> <translation_options> <files>

Dart and Flutter Command-Line Examples

To translate a Dart or Flutter project with the my_app project root directory:

sourceanalyzer -b myProject my_app/

To translate the a_widget.dart file in the my_app project root directory:

sourceanalyzer -b myProject my_app/a_widget.dart

To translate all dart source files in the my_dart_proj directory:

sourceanalyzer -b myProject "my_dart_proj/**/*.dart"

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 85 of 216

Chapter 13: Translating Ruby Code
This section contains the following topics:
Ruby Command-Line Syntax 86
Adding Libraries 87
Adding Gem Paths 87

Ruby Command-Line Syntax

The basic command-line syntax to translate Ruby code is:

sourceanalyzer –b <build_id> <file>

where <file> is the name of the Ruby file you want to scan. To include multiple Ruby files, separate
them with a space, as shown in the following example:

sourceanalyzer –b <build_id> file1.rb file2.rb file3.rb

In addition to listing individual Ruby files, you can use the asterisk (*) wildcard to select all Ruby files
in a specified directory. For example, to find all the Ruby files in a directory called src, use the
following sourceanalyzer command:

sourceanalyzer –b <build_id> src/*.rb

Note: When you translate Ruby code, make sure that you specify all source files together in one
invocation. Fortify Static Code Analyzer does not support adding new files to the file list
associated with the build ID on subsequent invocations.

Ruby Command-Line Options

The following table describes the Ruby translation options.

Ruby Option Description

-ruby-path <dirs> Specifies one or more paths to directories that contain Ruby libraries
(see "Adding Libraries " on the next page)
Equivalent Property Name:
com.fortify.sca.RubyLibraryPaths

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 86 of 216

User Guide
Chapter 13: Translating Ruby Code

Ruby Option Description

-rubygem-path Specifies the path(s) to a RubyGems location (see "Adding Gem Paths"
<dirs> below)
Equivalent Property Name:
com.fortify.sca.RubyGemPaths

See Also
"Ruby Properties" on page 191

Adding Libraries
If your Ruby source code requires a specific library, add the Ruby library to the sourceanalyzer
command. Include all ruby libraries that are installed with ruby gems. For example, if you have a
utils.rb file that resides in the /usr/share/ruby/myPersonalLibrary directory, then add the
following to the sourceanalyzer command:

-ruby-path /usr/share/ruby/myPersonalLibrary

Separate multiple libraries with semicolons (Windows) or colons (non-Windows). The following is an
example of the option on non-Windows system:

-ruby-path /path/one:/path/two:/path/three

Adding Gem Paths

To add all RubyGems and their dependency paths, import all RubyGems. To obtain the Ruby gem
paths, run the gem env command. Under GEM PATHS, look for a directory similar to:

/home/myUser/gems/ruby-version

This directory contains another directory called gems, which contains directories for all the gem files
installed on the system. For this example, use the following in your command line:

-rubygem-path /home/myUser/gems/ruby-version/gems

If you have multiple gems directories, separate them with semicolons (Windows) or colons (non-
Windows ) such as:

-rubygem-path /path/to/gems:/another/path/to/more/gems

Note: On Windows systems, separate the gems directories with a semicolon.

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 87 of 216

Chapter 14: Translating COBOL Code
The COBOL translation runs on Windows systems only and supports modern COBOL dialects.
Alternatively, you can use the legacy COBOL translation (see "Using Legacy COBOL Translation" on
page 91).
For a list of supported technologies for translating COBOL code, see the Fortify Software System
Requirements document. Fortify Static Code Analyzer does not currently support custom rules for
COBOL applications.

Note: To scan COBOL with Fortify Static Code Analyzer, you must have a Fortify Static Code
Analyzer license file that specifically includes COBOL scanning capabilities. Contact Micro Focus
Fortify Customer Support for more information about scanning COBOL and the required license
file.

This section contains the following topics:

Preparing COBOL Source and Copybook Files for Translation 89
COBOL Command-Line Syntax 89
Using Legacy COBOL Translation 91

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 88 of 216

User Guide
Chapter 14: Translating COBOL Code

Preparing COBOL Source and Copybook Files for

Translation
Before you can analyze a COBOL program, you must copy the following program components to the
Windows system where you run Fortify Static Code Analyzer:
l COBOL source code
Fortify strongly recommends that your COBOL source code files have extensions .CBL, .cbl, .COB,
or .cob. If your source code files do not have extensions or have non-standard extensions, you
must follow the instructions in "Translating COBOL Source Files Without File Extensions" on the
next page and "Translating COBOL Source Files with Arbitrary File Extensions" on the next page.
l All copybook files that the COBOL source code uses
This includes All SQL INCLUDE files that the COBOL source code references (a SQL INCLUDE file is
technically a copybook file)
Important! The copybook files must have the file extension .CPY or .cpy.
If your COBOL source code contains:

COPY FOO

or

EXEC SQL INCLUDE FOO END-EXEC

then FOO is the name of a COBOL copybook and the corresponding copybook file has the name
FOO.CPY or FOO.cpy.

Fortify recommends that you place your COBOL source code files in a directory called sources and
your copybook files in a directory called copybooks. Create these directories at the same level.

COBOL Command-Line Syntax

The basic syntax used to translate a single COBOL source code file is:

sourceanalyzer -b <build_id> <path>

The basic syntax used to scan a translated COBOL program and save the analysis results in an
FPR file is:

sourceanalyzer -b <build_id> -scan -f <results>.fpr

See Also
"Specifying Files and Directories" on page 134

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 89 of 216

User Guide
Chapter 14: Translating COBOL Code

Translating COBOL Source Files Without File Extensions

If you have COBOL source files (not copybook files) retrieved from a mainframe without .COB or .CBL
file extensions (which is typical for COBOL file names), then you must include the following in the
translation command line:

-noextension-type COBOL

The following example command translates COBOL source code without file extensions:

sourceanalyzer -b MyProject -noextension-type COBOL -copydirs copybooks

sources

Translating COBOL Source Files with Arbitrary File Extensions

If you have COBOL source files with an arbitrary extension .xyz, then you must include the following
in the translation command line:

-Dcom.fortify.sca.fileextensions.xyz=COBOL

You must also include the expression *.xyz in the file or directory specifier, if any (see "Specifying
Files and Directories" on page 134).

COBOL Command-Line Options

The following table describes the COBOL command-line options. To use legacy COBOL translation,
see "Legacy COBOL Translation Command-Line Options" on the next page.

COBOL Option Description

-copydirs <dirs> Specifies one or more semicolon-separated directories where Fortify

Static Code Analyzer looks for copybook files.
Equivalent Property Name:
com.fortify.sca.CobolCopyDirs

-dialect <dialect> Specifies the COBOL dialect. The valid values for <dialect> are
COBOL390 and MICROFOCUS. The dialect value is case insensitive. The
default value is COBOL390.
Equivalent Property Name:
com.fortify.sca.CobolDialect

-checker- Specifies one or more semicolon-separated COBOL checker directives.

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 90 of 216

User Guide
Chapter 14: Translating COBOL Code

COBOL Option Description

directives Note: This option is intended for advanced users of Micro Focus
<directives> Server Express.

Equivalent property name:

com.fortify.sca.CobolCheckerDirectives

Using Legacy COBOL Translation

Use the legacy COBOL translation if either of the following is true:
l You run Fortify Static Code Analyzer on a non-Windows operating system.
For supported non-Windows platforms and architectures, see the Fortify Software System
Requirements document.
l Your COBOL dialect is different than what is supported by the default COBOL translation (see the
-dialect option in "COBOL Command-Line Options" on the previous page).

Prepare the COBOL source code and copybook files as described in "Preparing COBOL Source and
Copybook Files for Translation" on page 89 and use the command-line syntax described in "COBOL
Command-Line Syntax" on page 89. Note that the legacy COBOL translation accepts copybook files
with or without file extensions. If the copybook files have file extensions, use the -copy-extensions
command-line option (see "Legacy COBOL Translation Command-Line Options" below).

Legacy COBOL Translation Command-Line Options

The following table describes the command-line options for the legacy COBOL translation.

Legacy COBOL Option Description

-cobol-legacy Specifies translation of COBOL code using legacy COBOL translation.

This option is required to enable legacy COBOL translation.
Equivalent Property Name:
com.fortify.sca.CobolLegacy

-copydirs <dirs> Specifies one or more semicolon- or colon-separated directories where

Fortify Static Code Analyzer looks for copybook files.
Equivalent Property Name:
com.fortify.sca.CobolCopyDirs

-copy-extensions Specifies one or more semicolon- or colon-separated copybook file

<ext>

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 91 of 216

User Guide
Chapter 14: Translating COBOL Code

Legacy COBOL Option Description

extensions.
Equivalent Property Name:
com.fortify.sca.CobolCopyExtensions

-fixed-format Specifies fixed-format COBOL to direct Fortify Static Code Analyzer to

only look for source code between columns 8–72 in all lines of code.
The default is free-format.
IBM Enterprise COBOL code is typically fixed-format. The following are
indications that you might need the -fixed-format option:
l The COBOL translation appears to hang indefinitely
l Fortify Static Code Analyzer reports numerous parsing errors in the
COBOL translation

Equivalent Property Name:

com.fortify.sca.CobolFixedFormat

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 92 of 216

Chapter 15: Translating Salesforce Apex and
Visualforce Code
This section contains the following topics:
Apex and Visualforce Translation Prerequisites 93
Apex and Visualforce Command-Line Syntax 94
Apex and Visualforce Command-Line Options 94

Apex and Visualforce Translation Prerequisites

To translate Apex and Visualforce projects, make sure that all the source code to scan is available on
the same machine where you have installed Fortify Static Code Analyzer.
To scan your custom Salesforce app, download it to your local computer from your Salesforce
organization (org) where you develop and deploy it. The downloaded version of your app consists of:
l
Apex classes in files with the .cls extension
l
Visualforce web pages in files with the .page extension
l
Apex code files called database “trigger” functions are in files with the .trigger extension
l
Visualforce component files with the .component extension
l
Objects with the .object extension
Use the Ant Migration Tool available on the Salesforce website to download your app from your org in
the Salesforce cloud to your local computer. Make sure that the project manifest files are set up
correctly for the specified target in your build.xml file. For example, the following package.xml
manifest file provides Fortify Static Code Analyzer with all classes, custom objects, pages, and
components.

<?xml version="1.0" encoding="UTF-8"?>

<Package xmlns=http://soap.sforce.com/2006/04/metadata>
<types>
<members>*</members>
<name>ApexClass</name>
</types>
<types>
<members>*</members>
<name>ApexTrigger</name>
</types>
<types>
<members>*</members>

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 93 of 216

User Guide
Chapter 15: Translating Salesforce Apex and Visualforce Code

<name>ApexPage</name>
</types>
<types>
<members>*</members>
<name>ApexComponent</name>
</types>
<types>
<members>*</members>
<name>CustomObject</name>
</types>
<version>55.0</version>
</Package>

Configure the retrieve targets using the Ant Migration Tool documentation. If your organization uses
any apps from the app exchange, make sure that these are downloaded as packaged targets.

Apex and Visualforce Command-Line Syntax

The basic command-line syntax to translate Apex and Visualforce code is:

sourceanalyzer -b <build_id> -apex <files>

where <files> is an Apex or Visualforce file or a path to the source files.

Important! Supported file extensions for the source code files are: .cls, .component,
.trigger, .object, and .page.

For descriptions of all the Apex- and Visualforce-specific command-line options, see "Apex and
Visualforce Command-Line Options" below.

Apex and Visualforce Command-Line Options

The following table describes the Apex and Visualforce translation command-line options.

Apex and Visualforce Option Description

-apex Directs Fortify Static Code Analyzer to use Apex and

Visualforce translation for files with the .cls extension.
Without this option, Fortify Static Code Analyzer translates
*.cls files as Visual Basic code.

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 94 of 216

User Guide
Chapter 15: Translating Salesforce Apex and Visualforce Code

Apex and Visualforce Option Description

Note: Alternatively, you can set the

com.fortify.sca.fileextensions.cls property to
APEX either on the command line (include -
Dcom.fortify.sca.fileextensions.cls=APEX) or
in the <sca_install_dir>/Core/config/fortify-
sca.properties file.

Equivalent Property Name:

com.fortify.sca.Apex

See Also
"Apex Properties" on page 193

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 95 of 216

Chapter 16: Translating Other Languages
and Configurations
This section contains the following topics:
Translating PHP Code 96
Translating ABAP Code 97
Translating Flex and ActionScript 105
Translating ColdFusion Code 108
Translating SQL 109
Translating Scala Code 110
Translating Dockerfiles 110
Translating HCL 111
Translating JSON 111
Translating YAML 112
Translating ASP/VBScript Virtual Roots 112
Classic ASP Command-Line Example 114
VBScript Command-Line Example 114

Translating PHP Code

The syntax to translate a single PHP file named MyPHP.php is shown in the following example:

sourceanalyzer -b <build_id> MyPHP.php

To translate a file where the source or the php.ini file entry includes a relative path name (starts
with ./ or ../), consider setting the PHP source root as shown in the following example:

sourceanalyzer -php-source-root <path> -b <build_id> MyPHP.php

For more information about the -php-source-root option, see the description in "PHP Command-
Line Options" on the next page.

Note: When you translate PHP code, make sure that you specify all source files together in one
invocation. Fortify Static Code Analyzer does not support adding new files to the file list
associated with the build ID on subsequent invocations.

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 96 of 216

User Guide
Chapter 16: Translating Other Languages and Configurations

PHP Command-Line Options

The following table describes the PHP-specific command-line options.

PHP Option Description

-php-source-root Specifies an absolute path to the project root directory. The relative path
<path> name first expands from the current directory. If the file is not found,
then the path expands from the specified PHP source root directory.
Equivalent Property Name:
com.fortify.sca.PHPSourceRoot

-php-version Specifies the PHP version. The default version is 7.4. For a list of valid
<version> versions, see the Fortify Software System Requirements document.
Equivalent Property Name:
com.fortify.sca.PHPVersion

See Also
"PHP Properties" on page 193

Translating ABAP Code

Translating ABAP code is similar to translating other operating language code. However, it requires
additional steps to extract the code from the SAP database and prepare it for scanning. See
"Importing the Transport Request" on the next page for more information. This section assumes you
have a basic understanding of SAP and ABAP.
To translate ABAP code, the Fortify ABAP Extractor program downloads source files to the
presentation server, and optionally, invokes Fortify Static Code Analyzer. You need to use an account
with permission to download files to the local system and execute operating system commands.
Because the extractor program is executed online, you might receive a max dialog work process
time reached exception message if the volume of source files selected for extraction exceeds the
allowable process run time. To work around this, download large projects as a series of smaller
Extractor tasks. For example, if your project consists of four different packages, download each
package separately into the same project directory. If the exception occurs frequently, work with your
SAP Basis administrator to increase the maximum time limit (rdisp/max_wprun_time).
When a PACKAGE is extracted from ABAP, the Fortify ABAP Extractor extracts everything from
TDEVC with a parentcl field that matches the package name. It then recursively extracts everything
else from TDEVC with a parentcl field equal to those already extracted from TDEVC. The field
extracted from TDEVC is devclass.

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 97 of 216

User Guide
Chapter 16: Translating Other Languages and Configurations

The devclass values are treated as a set of program names and handled the same way as a program
name, which you can provide.
Programs are extracted from TRDIR by comparing the name field with either:
l The program name specified in the selection screen
l
The list of values extracted from TDEVC if a package was provided

The rows from TRDIR are those for which the name field has the given program name and the
expression LIKEprogramname is used to extract rows.
This final list of names is used with READ REPORT to get code out of the SAP system. This method
does read classes and methods out as well as merely REPORTS, for the record.
Each READ REPORT call produces a file in the temporary folder on the local system. This set of files is
what Fortify Static Code Analyzer translates and scans, producing an FPR file that you can open with
Micro Focus Fortify Audit Workbench.
See Also
"ABAP Properties" on page 194

INCLUDE Processing
As source code is downloaded, the Fortify ABAP Extractor detects INCLUDE statements in the source.
When found, it downloads the include targets to the local machine for analysis.

Importing the Transport Request

To scan ABAP code, you need to import the Fortify ABAP Extractor transport request on your SAP
Server. You can find the Fortify transport request in <sca_install_dir>/Tools/SAP_
Extractor.zip.
The Fortify ABAP Extractor package, SAP_Extractor.zip, contains the following files:
l
K900XXX.S9S (where the “XXX” is the release number)
l
R900XXX.S9S (where the “XXX” is the release number)

These files make up the SAP transport request that you must import into your SAP system from
outside your local Transport Domain. Have your SAP administrator or an individual authorized to
install transport requests on the system import the transport request.
The S95 files contain a program, a transaction (YSCA), and the program user interface. After you
import them into your system, you can extract your code from the SAP database and prepare it for
Fortify Static Code Analyzer scanning.

Installation Note
The Fortify ABAP Extractor transport request is supported on a system running SAP release 7.02, SP
level 0006. If you are running a different SAP version and you get the transport request import error:

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 98 of 216

User Guide
Chapter 16: Translating Other Languages and Configurations

Install release does not match the current version, then the transport request
installation has failed.
To try to resolve this issue, perform the following steps:

1. Re-run the transport request import.

The Import Transport Request dialog box opens.
2. Select the Options tab.
3. Select the Ignore Invalid Component Version check box.
4. Complete the import procedure.
If this does not resolve the issue or if your system is running on an SAP version with a different table
structure, Fortify recommends that you export your ABAP file structure using your own technology so
that Fortify Static Code Analyzer can scan the ABAP code.

Adding Fortify Static Code Analyzer to your Favorites List

Adding Fortify Static Code Analyzer to your Favorites list is optional, but doing so can make it quicker
to access and launch Fortify Static Code Analyzer scans. The following steps assume that you use the
user menu in your day-to-day work. If your work is done from a different menu, add the Favorites link
to the menu that you use. Before you create the Fortify Static Code Analyzer entry, make sure that
the SAP server is running and you are in the SAP Easy Access area of your web-based client.
To add Fortify Static Code Analyzer to your Favorites list:

1. From the SAP Easy Access menu, type S000 in the transaction box.
The SAP Menu opens.
2. Right-click the Favorites folder and select Insert transaction.
The Manual entry of a transaction dialog box opens.

3. Type YSCA in the Transaction Code box.

4. Click the green check mark button .
The Extract ABAP code and launch SCA item appears in the Favorites list.

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 99 of 216

User Guide
Chapter 16: Translating Other Languages and Configurations

5. Click the Extract ABAP code and launch SCA link to launch the Fortify ABAP Extractor.

Running the Fortify ABAP Extractor

To run the Fortify ABAP Extractor:

1. Start the program from the Favorites link, the transaction code, or manually start the Extractor
object.

This opens the Fortify ABAP Extractor.

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 100 of 216
User Guide
Chapter 16: Translating Other Languages and Configurations

2. Select the code to download.

Provide the start and end name for the range of software components, packages, programs, or
BSP applications that you want to scan.

Note: You can specify multiple objects or ranges.

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 101 of 216
User Guide
Chapter 16: Translating Other Languages and Configurations

3. Provide the Fortify Static Code Analyzer-specific information described in the following table.

Field Description

FPR File Path (Optional) Type or select the directory where you want to store the scan
results file (FPR). Include the name for the FPR file in the path name. You must
provide the FPR file path if you want to automatically scan the downloaded
code on the same machine where you are running the extraction process.

Working Type or select the directory where you want to store the extracted source
Directory code.

Build-ID (Optional) Type the build ID for the scan. Fortify Static Code Analyzer uses
the build ID to identify the translated source code, which is necessary to scan
the code. You must specify the build ID if you want to automatically translate

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 102 of 216
User Guide
Chapter 16: Translating Other Languages and Configurations

Field Description

the downloaded code on the same machine where you are running the
extraction process.

Translation (Optional) Type any additional Fortify Static Code Analyzer command-line
Parameters translation options. You must specify translation parameters if you want to
automatically translate the downloaded code on the same machine where you
are running the extraction process or you want to customize the translation
options.

Scan (Optional) Type any Fortify Static Code Analyzer command-line scan options.
Parameters You must specify scan parameters if you want to scan the downloaded code
automatically on the same machine where you are running the process or you
want to customize the scan options.

ZIP File Name (Optional) Type a ZIP file name if you want your output in a compressed
package.

Maximum A global SAP-function F is not downloaded unless F was explicitly selected or

Call-chain unless F can be reached through a chain of function calls that start in
Depth explicitly-selected code and whose length is this number or less. Fortify
recommends that you do not specify a value greater than 2 unless directed to
do so by Micro Focus Fortify Customer Support.

4. Provide action information described in the following table.

Field Description

Download Select this check box to have Fortify Static Code Analyzer download the

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 103 of 216
User Guide
Chapter 16: Translating Other Languages and Configurations

Field Description

source code extracted from your SAP database.

Build Select this check box to have Fortify Static Code Analyzer translate all
downloaded ABAP code and store it using the specified build ID. This action
requires that you have an installed version of Fortify Static Code Analyzer
on the machine where you are running the Fortify ABAP Extractor. It is
often easier to move the downloaded source code to a predefined Fortify
Static Code Analyzer machine.

Scan Select this check box to have Fortify Static Code Analyzer run a scan of the
specified build ID. This action requires that the translate (build) action was
previously performed. This action requires that you have an installed
version of Fortify Static Code Analyzer on the machine where you are
running the Fortify ABAP Extractor. It is often easier to move the
downloaded source code to a predefined Fortify Static Code Analyzer
machine.

Launch AWB Select this check box to start Micro Focus Fortify Audit Workbench and
open the specified FPR file.

Create ZIP File Select this check box to compress the output. You can also manually
compress the output after the source code is extracted from your SAP
database.

Export Select this check box to export SAP standard code in addition to custom
SAP standard code.
code

5. Click Execute.

Uninstalling the Fortify ABAP Extractor

To uninstall the ABAP extractor:

1. In ABAP Workbench, open the Object Navigator.

2. Select package Y_FORTIFY_ABAP.
3. Expand the Programs tab.

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 104 of 216
User Guide
Chapter 16: Translating Other Languages and Configurations

4. Right-click the following element, and then select Delete.

l Program: Y_FORTIFY_SCA

Translating Flex and ActionScript

The basic command-line syntax for translating ActionScript is:

sourceanalyzer -b <build_id> -flex-libraries <libs> <files>

where:
<libs> is a semicolon-separated (Windows) or a colon-separated (non-Windows systems) list of
library names to which you want to "link" and <files> are the files to translate.

Flex and ActionScript Command-Line Options

Use the following command-line options to translate Flex files. You can also specify this information in
the properties configuration file (fortify-sca.properties) as noted in each description.

Flex and ActionScript

Option Description

-flex-sdk-root Specifies the location of the root of a valid Flex SDK. This directory must
<dir> contain a frameworks folder that contains a flex-config.xml file. It
must also contain a bin folder that contains an MXMLC executable.
Equivalent Property Name:
com.fortify.sca.FlexSdkRoot

-flex-libraries Specifies a semicolon-separated (Windows) or a colon-separated (non-

<libs> Windows) list of library names to which you want to link. In most cases,
this list includes flex.swc, framework.swc, and playerglobal.swc
(usually found in frameworks/libs/ in your Flex SDK root).

Note: You can specify SWC or SWF files as Flex libraries (SWZ is not
currently supported).

Equivalent Property Name:

com.fortify.sca.FlexLibraries

-flex-source-roots Specifies a semicolon-separated (Windows) or a colon-separated (non-

<dirs> Windows) list of root directories where MXML sources are located.
Normally, these contain a subfolder named com.

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 105 of 216
User Guide
Chapter 16: Translating Other Languages and Configurations

Flex and ActionScript

Option Description

For example, if the Flex source root specified is foo/bar/src, then

foo/bar/src/com/fortify/manager/util/Foo.mxml is
transformed into an object named com.fortify.manager.util.Foo
(an object named Foo in the package com.fortify.manager.util).
Equivalent Property Name:
com.fortify.sca.FlexSourceRoots

Note: -flex-sdk-root and –flex-source-roots are primarily for MXML translation, and are
optional if you are scanning pure ActionScript. Use –flex-libraries for to resolve all
ActionScript linked libraries.

Fortify Static Code Analyzer translates MXML files into ActionScript, and then runs them through an
ActionScript parser. The generated ActionScript is simple to analyze; not rigorously correct like the
Flex runtime model. Consequently, you might get parse errors with MXML files. For instance, the XML
parsing could fail, translation to ActionScript could fail, and the parsing of the resulting ActionScript
could also fail. If you see any errors that do not have a clear connection to the original source code,
notify Micro Focus Fortify Customer Support.
See Also
"Flex and ActionScript Properties" on page 194

ActionScript Command-Line Examples

The following examples illustrate command-line syntax for typical scenarios for translating
ActionScript.
Example 1
The following example is for a simple application that contains only one MXML file and a single SWF
library (MyLib.swf):

sourceanalyzer -b MyFlexApp -flex-libraries lib/MyLib.swf -flex-sdk-root

/home/myself/flex-sdk/ -flex-source-roots . my/app/FlexApp.mxml

This identifies the location of the libraries to include and the Flex SDK and the Flex source root
locations. The single MXML file, located in /my/app/FlexApp.mxml, results in translating the MXML
application as a single ActionScript class called FlexApp and located in the my.app package.

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 106 of 216
User Guide
Chapter 16: Translating Other Languages and Configurations

Example 2
The following example is for an application in which the source files are relative to the src directory.
It uses a single SWF library, MyLib.swf, and the Flex and framework libraries from the Flex SDK:

sourceanalyzer -b MyFlexProject -flex-sdk-root /home/myself/flex-sdk/

-flex-source-roots src/ -flex-libraries lib/MyLib.swf "src/**/*.mxml"
"src/**/*.as"
This example locates the Flex SDK and uses Fortify Static Code Analyzer file specifiers to include the
.as and .mxml files in the src folder. It is not necessary to explicitly specify the .SWC files located in
the –flex-sdk-root, although this example does so for the purposes of illustration. Fortify Static
Code Analyzer automatically locates all .SWC files in the specified Flex SDK root, and it assumes that
these are libraries intended for use in translating ActionScript or MXML files.
Example 3
In this example, the Flex SDK root and Flex libraries are specified in the properties file because typing
the information for each sourceanalyzer run is time consuming and the data does not change often.
Divide the application into two sections and store them in folders: a main section folder and a modules
folder. Each folder contains a src folder where the paths start. File specifiers contain wild cards to
pick up all the .mxml and .as files in both src folders. An MXML file in
main/src/com/foo/util/Foo.mxml is translated as an ActionScript class named Foo in the
package com.foo.util, for example, with the source roots specified here:

sourceanalyzer -b MyFlexProject -flex-source-roots main/src:modules/src

"./main/src/**/*.mxml" "./main/src/**/*.as" "./modules/src/**/*.mxml"
"./modules/src/**/*.as"

Handling Resolution Warnings

To see all warnings that were generated during translation, type the following command before you
start the scan phase:

sourceanalyzer -b <build_id> -show-build-warnings

ActionScript Warnings
You might receive a message similar to the following:

The ActionScript front end was unable to resolve the following imports:
a.b at y.as:2. foo.bar at somewhere.as:5. a.b at foo.mxml:8.

This error occurs when Fortify Static Code Analyzer cannot find all the required libraries. You might
need to specify additional SWC or SWF Flex libraries (using the -flex-libraries option or the
com.fortify.sca.FlexLibraries property) so that Fortify Static Code Analyzer can complete the
analysis.

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 107 of 216
User Guide
Chapter 16: Translating Other Languages and Configurations

Translating ColdFusion Code

To treat undefined variables in a CFML page as tainted, uncomment the following line in <sca_
install_dir>/Core/config/fortify-sca.properties:

#com.fortify.sca.CfmlUndefinedVariablesAreTainted=true

This instructs the Dataflow Analyzer to watch out for register-globals-style vulnerabilities. However,
enabling this property interferes with Dataflow Analyzer findings in which a variable in an included
page is initialized to a tainted value in an earlier-occurring included page.

ColdFusion Command-Line Syntax

Type the following to translate ColdFusion source code:

sourceanalyzer -b <build_id> -source-base-dir <dir> <files> | <file_

specifiers>

where:
l
<build_id> specifies the build ID for the project
l
<dir> specifies the root directory of the web application
l
<files> | <file_specifiers> specifies the CFML source code files
For a description of how to use <file_specifiers>, see "Specifying Files and Directories" on
page 134.

Note: Fortify Static Code Analyzer calculates the relative path to each CFML source file with the
-source-base-dir directory as the starting point. Fortify Static Code Analyzer uses these
relative paths when it generates instance IDs. If you move the entire application source tree to a
different directory, the Fortify Static Code Analyzer- generated instance IDs remain the same if
you specify an appropriate parameter for the -source-base-dir option.

ColdFusion (CFML) Command-Line Options

The following table describes the CFML options.

ColdFusion Option Description

-source-base-dir <web_app_root_dir> <files> The web application root directory.

| <file_specifiers>
Equivalent Property Name:
com.fortify.sca.SourceBaseDir

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 108 of 216
User Guide
Chapter 16: Translating Other Languages and Configurations

See Also
"ColdFusion (CFML) Properties" on page 195

Translating SQL
On Windows (and Linux for .NET projects only), Fortify Static Code Analyzer assumes that files with
the .sql extension are T-SQL rather than PL/SQL. If you have PL/SQL files with the .sql extension
on Windows, you must configure Fortify Static Code Analyzer to treat them as PL/SQL.
To specify the SQL type for translation on Windows platforms, type one of the following translation
commands:

sourceanalyzer -b <build_id> -sql-language TSQL <files>

or

sourceanalyzer -b <build_id> -sql-language PL/SQL <files>

Alternatively, you can change the default behavior for files with the .sql extension. In the fortify-
sca.properties file, set the com.fortify.sca.fileextensions.sql property to TSQL or
PLSQL.
See Also
"SQL Properties" on page 195

PL/SQL Command-Line Example

The following example translates two PL/SQL files:

sourceanalyzer -b MyProject x.pks y.pks

The following example translates all PL/SQL files in the sources directory:

sourceanalyzer -b MyProject "sources/**/*.pks"

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 109 of 216
User Guide
Chapter 16: Translating Other Languages and Configurations

T-SQL Command-Line Example

The following example translates two T-SQL files:

sourceanalyzer -b MyProject x.sql y.sql

The following example translates all T-SQL files in the sources directory:

sourceanalyzer -b MyProject "sources\**\*.sql"

Note: This example assumes the com.fortify.sca.fileextensions.sql property in

fortify-sca.properties is set to TSQL.

Translating Scala Code

Translating Scala code requires the following:
l The Scala compiler plugin
You can download this plugin from the Maven Central Repository.
l A Lightbend license file
This license file is included with the Fortify Static Code Analyzer installation in the <sca_install_
dir>/plugins/lightbend directory

For instructions on how set up the license and translate Scala code, see the Lightbend documentation
at https://developer.lightbend.com/guides/fortify.

Important! If your project contains source code other than Scala, you must translate the Scala
code using the Scala Fortify compiler plugin, and then translate other source code with
sourceanalyzer using the same build ID before you run the analysis phase.

Translating Dockerfiles
By default, Fortify Static Code Analyzer translates the following files as Dockerfiles: Dockerfile*,
dockerfile*, *.Dockerfile, and *.dockerfile.

Note: You can modify the file extension used to detect Dockerfiles using the
com.fortify.sca.fileextensions property. See "Translation and Analysis Phase Properties"
on page 173.

Fortify Static Code Analyzer accepts the following escape characters in Dockerfiles: backslash (\) and
backquote (`). If the escape character is not set in the Dockerfile, then Fortify Static Code Analyzer
assumes that the backslash is the escape character.

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 110 of 216
User Guide
Chapter 16: Translating Other Languages and Configurations

The syntax to translate a directory that contains Dockerfiles is shown in the following example:

sourceanalyzer -b <build_id> <dir>

If the Dockerfile is malformed, Fortify Static Code Analyzer writes an error to the log file indicating
that the file cannot be parsed and skips the analysis of the Dockerfile. The following is an example of
the error written to the log:

Unable to parse dockerfile ProjA.Dockerfile, error on Line 1:20: mismatched

input '\n' expecting {LINE_EXTEND, WHITESPACE}

Unable to parse config file

C:/Users/jsmith/MyProj/docker/dockerfile/ProjA.Dockerfile

Translating HCL
By default, Fortify Static Code Analyzer translates files with the HCL extensions .hcl and .tf. The
following example translates two HCL files with different file extensions:

sourceanalyzer -b MyProject x.hcl y.tf

The following example translates all HCL files in the sources directory:

sourceanalyzer -b MyProject "sources\**\*.tf" "sources\**\*.hcl"

Note: HCL analysis support is specific to Terraform and supported cloud provider Infrastructure
as Code (IaC) configurations.

Translating JSON
By default, Fortify Static Code Analyzer translates files with the JSON extension .json as JSON. The
following example translates a JSON file:

sourceanalyzer -b MyProject x.json

The following example translates all JSON files in the sources directory:

sourceanalyzer -b MyProject "sources\**\*.json"

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 111 of 216
User Guide
Chapter 16: Translating Other Languages and Configurations

Translating YAML
By default, Fortify Static Code Analyzer translates files with the YAML extensions .yaml and .yml.
The following example translates two YAML files with different file extensions:

sourceanalyzer -b MyProject x.yaml y.yml

The following example translates all YAML files in the sources directory:

sourceanalyzer -b MyProject "sources\**\*.yaml" "sources\**\*.yml"

Translating ASP/VBScript Virtual Roots

Fortify Static Code Analyzer allows you to handle ASP virtual roots. For web servers that use virtual
directories as aliases that map to physical directories, Fortify Static Code Analyzer enables you to use
an alias.
For example, you can have virtual directories named Include and Library that refer to the physical
directories C:\WebServer\CustomerOne\inc and C:\WebServer\CustomerTwo\Stuff,
respectively.
The following example shows the ASP/VBScript code for an application that uses virtual includes:

<!--#include virtual="Include/Task1/foo.inc"-->

For this example, the previous ASP code refers to the file in the following physical location:

C:\Webserver\CustomerOne\inc\Task1\foo.inc

The real directory replaces the virtual directory name Include in this example.

Accommodating Virtual Roots

To provide the mapping of each virtual directory to Fortify Static Code Analyzer, you must set the
com.fortify.sca.ASPVirtualRoots.name_of_virtual_directory property in your Fortify
Static Code Analyzer command-line invocation as shown in the following example:

sourceanalyzer -Dcom.fortify.sca.ASPVirtualRoots.<virtual_directory>=<full_
path_to_corresponding_physical_directory>

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 112 of 216
User Guide
Chapter 16: Translating Other Languages and Configurations

Note: On Windows, if the physical path includes spaces, you must enclose the property setting in
quotes:
sourceanalyzer "-Dcom.fortify.sca.ASPVirtualRoots.<virtual_
directory>=<full_path_to_corresponding_physical_directory>"
To expand on the example in the previous section, pass the following property value to Fortify Static
Code Analyzer:

-Dcom.fortify.sca.ASPVirtualRoots.Include="C:\WebServer\CustomerOne\inc"

-Dcom.fortify.sca.ASPVirtualRoots.Library="C:\WebServer\CustomerTwo\Stuff"

This maps Include to C:\WebServer\CustomerOne\inc and Library to

C:\WebServer\CustomerTwo\Stuff.
When Fortify Static Code Analyzer encounters the #include directive:

<!-- #include virtual="Include/Task1/foo.inc" -->

Fortify Static Code Analyzer determines if the project contains a physical directory named Include. If
there is no such physical directory, Fortify Static Code Analyzer looks through its runtime properties
and finds the -Dcom.fortify.sca.ASPVirtualRoots.Include=
"C:\WebServer\CustomerOne\inc" setting. Fortify Static Code Analyzer then looks for this file:
C:\WebServer\CustomerOne\inc\Task1\foo.inc.
Alternatively, you can set this property in the fortify-sca.properties file located in <sca_
install_dir>\Core\config. You must escape the backslash character (\) in the path of the
physical directory as shown in the following example:

com.fortify.sca.ASPVirtualRoots.Library=C:\\WebServer\\CustomerTwo\\Stuff

com.fortify.sca.ASPVirtualRoots.Include=C:\\WebServer\\CustomerOne\\inc

Note: The previous version of the ASPVirtualRoot property is still valid. You can use it on the
Fortify Static Code Analyzer command line as follows:
-Dcom.fortify.sca.ASPVirtualRoots=C:\WebServer\CustomerTwo\Stuff;
C:\WebServer\CustomerOne\inc
This prompts Fortify Static Code Analyzer to search through the listed directories in the order
specified when it resolves a virtual include directive.

Using Virtual Roots Example

You have a file as follows:

C:\files\foo\bar.asp

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 113 of 216
User Guide
Chapter 16: Translating Other Languages and Configurations

To specify this file, use the following include:

<!-- #include virtual="/foo/bar.asp">

Then set the virtual root in the sourceanalyzer command as follows:

-Dcom.fortify.sca.ASPVirtualRoots=C:\files\foo

This strips the /foo from the front of the virtual root. If you do not specify foo in the
com.fortify.sca.ASPVirtualRoots property, then Fortify Static Code Analyzer looks for
C:\files\bar.asp and fails.
The sequence to specify virtual roots is as follows:

1. Remove the first part of the path in the source.

2. Replace the first part of the path with the virtual root as specified on the command line.

Classic ASP Command-Line Example

To translate a single file classic ASP written in VBScript named MyASP.asp, type:

sourceanalyzer -b mybuild "MyASP.asp"

VBScript Command-Line Example

To translate a VBScript file named myApp.vb, type:

sourceanalyzer -b mybuild "myApp.vb"

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 114 of 216
Chapter 17: Integrating into a Build
You can integrate the analysis into supported build tools.
This section contains the following topics:
Build Integration 115
Modifying a Build Script to Invoke Fortify Static Code Analyzer 116
Touchless Build Integration 117
Ant Integration 117
Gradle Integration 118
Maven Integration 119

Build Integration
You can translate entire projects with a single operation. Prefix your original build operation with the
sourceanalyzer command followed by the Fortify Static Code Analyzer options.
The basic command-line syntax to translate a complete project is:

sourceanalyzer -b <build_id> [<sca_options>] <build_tool> [<build_tool_

options>]

where <build_tool> is the name of your build tool, such as make, gmake, msbuild, devenv, or
xcodebuild. See the Fortify Software System Requirements document for a list of supported build
tools. Fortify Static Code Analyzer executes your build tool and intercepts all compiler operations to
collect the specific command line used for each input.

Note: Fortify Static Code Analyzer only processes the compiler commands that the build tool
executes. If you do not clean your project before you execute the build, then Fortify Static Code
Analyzer only processes those files that the build tool re-compiles.

For information about integrating with Xcodebuild, see "iOS Code Analysis Command-Line Syntax" on
page 79. For information about integration with MSBuild, see "Translating Visual Studio Projects" on
page 61.
Successful build integration requires that the build tool:
l Executes a Fortify Static Code Analyzer-supported compiler
l Executes the compiler on the operating system path search, not with a hardcoded path (This
requirement does not apply to xcodebuild integration.)
l Executes the compiler, rather than executing a sub-process that then executes the compiler

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 115 of 216
User Guide
Chapter 17: Integrating into a Build

If you cannot meet these requirements in your environment, see "Modifying a Build Script to Invoke
Fortify Static Code Analyzer" below.

Make Example
If you build your project with the following build commands:

make clean
make
make install

then you can simultaneously translate and compile the entire project with the following example
commands:

make clean
sourceanalyzer -b MyProject make
make install

Modifying a Build Script to Invoke Fortify Static Code

Analyzer
As an alternative to build integration, you can modify your build script to prefix each compiler, linker,
and archiver operation with the sourceanalyzer command. For example, a makefile often defines
variables for the names of these tools:

CC=gcc
CXX=g++
LD=ld
AR=ar

You can prepend the tool references in the makefile with the sourceanalyzer command and the
appropriate Fortify Static Code Analyzer options.

CC=sourceanalyzer -b mybuild gcc

CXX=sourceanalyzer -b mybuild g++
LD=sourceanalyzer -b mybuild ld
AR=sourceanalyzer -b mybuild ar

When you use the same build ID for each operation, Fortify Static Code Analyzer automatically
combines each of the separately-translated files into a single translated project.

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 116 of 216
User Guide
Chapter 17: Integrating into a Build

Touchless Build Integration

Fortify Static Code Analyzer includes a generic build tool called touchless that enables translation
of projects using build systems that Fortify Static Code Analyzer does not directly support. The
command-line syntax for touchless build integration is:

sourceanalyzer -b <build_id> touchless <build_command>

For example, you might use a python script called build.py to compute dependencies and execute
appropriately-ordered C compiler operations. Then to execute your build, run the following command:

python build.py

Fortify Static Code Analyzer does not have native support for such a build design. However, you can
use the touchless build tool to translate and build the entire project with the single command:

sourceanalyzer -b <build_id> touchless python build.py

The same requirements for successful build integration with supported build systems described
earlier in this chapter (see "Build Integration" on page 115) apply to touchless integration with
unsupported build systems.

Ant Integration
Fortify Static Code Analyzer provides an easy way to translate Java source files for projects that use
an Ant build file. You can apply this integration on the command line without modifying the Ant
build.xml file. When the build runs, Fortify Static Code Analyzer intercepts all javac task
invocations and translates the Java source files as they are compiled. Make sure that you pass any
properties to Ant by adding them to the ANT_OPTS environment variable. Do not include them in the
sourceanalyzer command.

Note: You must translate any JSP files, configuration files, or any other non-Java source files that
are part of the application in a separate step.

To use the Ant integration, make sure that the sourceanalyzer executable is on the system PATH.
Prepend your Ant command-line with the sourceanalyzer command as follows:

sourceanalyzer -b <build_id> ant [<ant_options>]

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 117 of 216
User Guide
Chapter 17: Integrating into a Build

Gradle Integration
You can translate projects that are built with Gradle without any modification of the build.gradle
file. When the build runs, Fortify Static Code Analyzer translates the source files as they are compiled.
See the Fortify Software System Requirements document for platforms and languages supported
specifically for Gradle integration. Any files in the project in unsupported languages for Gradle
integration are not translated (with no error reporting). These files are therefore not analyzed, and
any existing potential vulnerabilities can go undetected.
To integrate Fortify Static Code Analyzer into your Gradle build, make sure that the
sourceanalyzer executable is on the system PATH. Prepend the Gradle command line with the
sourceanalyzer command as follows:

sourceanalyzer -b <build_id> <sca_options> gradle [<gradle_options>]

<gradle_tasks>

For example:

sourceanalyzer -b MyProject gradle clean build

sourceanalyzer -b MyProject gradle --info assemble

If your build file name is different than build.gradle, then include the build file name with the --
build-file option as shown in the following example:

sourceanalyzer -b MyProject gradle --build-file sample.gradle clean

assemble

You can also use the Gradle Wrapper (gradlew) as shown in the following example:

sourceanalyzer -b MyProject gradlew [<gradle_options>]

If your application uses XML or property configuration files, translate these files with a separate
sourceanalyzer command. Use the same build ID that you used for the project files. The following
are examples:

sourceanalyzer -b MyProject <path_to_xml_files>

sourceanalyzer -b MyProject <path_to_properties_files>

After translating the project with gradle or gradlew, you can then perform the analysis phase and
save the results in an FPR file as shown in the following example:

sourceanalyzer -b MyProject -scan -f MyResults.fpr

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 118 of 216
User Guide
Chapter 17: Integrating into a Build

Including Verbose and Debug Options

If you use the Fortify Static Code Analyzer -verbose option, then you must also include the -gradle
option. Use of this option applies to both Gradle and the Gradle Wrapper. For example:

sourceanalyzer -b MyProject -gradle -verbose gradle assemble

As part of the gradle integration, Fortify Static Code Analyzer temporarily updates the original build
file build.gradle. If you include the -debug option, Fortify Static Code Analyzer saves a copy of the
original build file as build.gradle.orig). After the analysis with the -debug option is complete,
rename the build.gradle.orig file back to build.gradle and run sourceanalyzer again without
the -debug option.

Maven Integration
Fortify Static Code Analyzer includes a Maven plugin that provides a way to add the following
capabilities to your Maven project builds:
l Fortify Static Code Analyzer clean, translate, scan
l Fortify Static Code Analyzer export mobile build session (MBS) for a Fortify Static Code Analyzer
translated project
l Send translated code to Micro Focus Fortify ScanCentral SAST
l Upload results to Micro Focus Fortify Software Security Center

You can use the plugin directly or integrate its functionality into your build process.

Installing and Updating the Fortify Maven Plugin

The Fortify Maven Plugin is located in <sca_install_dir>/plugins/maven. This directory
contains a binary and a source version of the plugin in both zip and tarball archives. To install the
plugin, extract the version (binary or source) that you want to use, and then follow the instructions in
the included README.TXT file. Perform the installation in the directory where you extracted the
archive.
For information about supported versions of Maven, see the Fortify Software System Requirements
document.
If you have a previous version of the Fortify Maven Plugin installed, then install the latest version.

Uninstalling the Fortify Maven Plugin

To uninstall the Fortify Maven Plugin, manually delete all files from the <maven_local_
repo>/repository/com/fortify/ps/maven/plugin directory.

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 119 of 216
User Guide
Chapter 17: Integrating into a Build

Testing the Fortify Maven Plugin Installation

After you install the Fortify Maven Plugin, use one of the included sample files to be sure your
installation works properly.
To test the Fortify Maven Plugin using the Eightball sample file:

1. Add the directory that contains the sourceanalyzer executable to the path environment
variable.
For example:

export set PATH=$PATH:/<sca_install_dir>/bin

or

set PATH=%PATH%;<sca_install_dir>/bin

2. Type sourceanalyzer -version to test the path setting.

Fortify Static Code Analyzer displays the version information if the path setting is correct.
3. Navigate to the sample Eightball directory: <root_dir>/samples/EightBall.
4. Type the following command:

mvn com.fortify.sca.plugins.maven:sca-maven-plugin:<ver>:clean

where <ver> is the version of the Fortify Maven Plugin you are using. If the version is not
specified, Maven uses the latest version of the Fortify Maven Plugin installed in the local
repository.
Note: To see the version of the Fortify Maven Plugin, open the pom.xml file that you
extracted in <root_dir> in a text editor. The Fortify Maven Plugin version is specified in the
<version> element.

5. If the command in step 4 completed successfully, then the Fortify Maven Plugin is installed
correctly. The Fortify Maven Plugin is not installed correctly if you get the following error
message:

[ERROR] Error resolving version for plugin

'com.fortify.sca.plugins.maven:sca-maven-plugin' from the repositories

Check the Maven local repository and try to install the Fortify Maven Plugin again.

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 120 of 216
User Guide
Chapter 17: Integrating into a Build

Using the Fortify Maven Plugin

There are two ways to perform a Fortify analysis on a maven project:
l As a Maven Plugin
In this method, you perform the Fortify analysis tasks as goals with the mvn command. For example,
use the following command to translate source code:

mvn com.fortify.sca.plugins.maven:sca-maven-plugin:<ver>:translate

To analyze your code this way, see the documentation included with the Fortify Maven Plugin. The
following table describes where to find the documentation after you install the Fortify Maven
Plugin.

Package Type Documentation Location

Binary <root_dir>/docs/index.html

Source <root_dir>/sca-maven-plugin/target/site/index.html

l In a Fortify Static Code Analyzer build integration

In this method, prepend the maven command used to build your project with the sourceanalyzer
command and any Fortify Static Code Analyzer options. To analyze your files as part of a Fortify
Static Code Analyzer build integration:
a. Clean out the previous build:

sourceanalyzer -b MyProject -clean

b. Translate the code:

sourceanalyzer -b MyProject [<sca_options>] [<mvn_command_with_

options>]

For example:

sourceanalyzer -b MyProject mvn package

See "Command-Line Interface" on page 122 for descriptions of available Fortify Static Code
Analyzer options.
c. Complete the analysis by running the scan and saving the results in an FPR file as shown in the
following example:

sourceanalyzer -b MyProject [<sca_scan_options>] -scan -f

MyResults.fpr

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 121 of 216
Chapter 18: Command-Line Interface
This chapter describes general Fortify Static Code Analyzer command-line options and how to specify
source files for analysis. Command-line options that are specific to a language are described in the
chapter for that language.
This section contains the following topics:
Translation Options 122
Analysis Options 124
Output Options 127
Other Options 130
Directives 132
Specifying Files and Directories 134

Translation Options
The following table describes the translation options.

Translation Option Description

-b <build_id> Specifies a build ID. Fortify Static Code Analyzer uses a build ID to
track the files that are compiled and combined as part of a build, and
then later, to scan those files.
Equivalent Property Name:
com.fortify.sca.BuildID

-disable-language Specifies a colon-separated list of languages to exclude from the

<languages> translation phase. The valid language values are abap,
actionscript, apex, cfml, cobol, configuration, cpp, dart,
dotnet, golang, java, javascript, jsp, kotlin, objc, php,
plsql, python, ruby, scala, sql, swift, tsql, typescript, and
vb.
Equivalent Property Name:
com.fortify.sca.DISabledLanguages

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 122 of 216
User Guide
Chapter 18: Command-Line Interface

Translation Option Description

-enable-language Specifies a colon-separated list of languages to translate. The valid

<languages> language values are abap, actionscript, apex, cfml, cobol,
configuration, cpp, dart, dotnet, golang, java, javascript,
jsp, kotlin, objc, php, plsql, python, ruby, scala, sql, swift,
tsql, typescript, and vb.
Equivalent Property Name:
com.fortify.sca.EnabledLanguages

-exclude Specifies the files to exclude from the translation. Files excluded
<file_specifiers> from translation are also not scanned. Separate multiple file paths
with semicolons (Windows) or colons (non-Windows). For example:

sourceanalyzer –cp "**/*.jar" "**/*"

-exclude "**/Test/*.java"

This example excludes all Java files in any Test subdirectory. See
"Specifying Files and Directories" on page 134 for more information
on how to use file specifiers.

Note: When you integrate the translation with most compilers or

build tools, Fortify Static Code Analyzer translates all source files
that the compiler or build tool processes even if this option
specifies to exclude them. However, the Fortify Static Code
Analyzer xcodebuild and MSBuild integrations do support the
-exclude option.

Equivalent Property Name:

com.fortify.sca.exclude

-encoding <encoding_ Specifies the source file encoding type. Fortify Static Code Analyzer
name> enables you to scan a project that contains differently encoded
source files. To work with a multi-encoded project, you must specify
the -encoding option in the translation phase, when Fortify Static
Code Analyzer first reads the source code file. Fortify Static Code
Analyzer remembers this encoding in the build session and
propagates it into the FVDL file.

Valid encoding names are from the java.nio.charset.Charset.

Typically, if you do not specify the encoding type, Fortify Static Code
Analyzer uses file.encoding from the

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 123 of 216
User Guide
Chapter 18: Command-Line Interface

Translation Option Description

java.io.InputStreamReader constructor with no encoding

parameter. In a few cases (for example with the ActionScript parser),
Fortify Static Code Analyzer defaults to UTF-8 encoding.
Equivalent Property Name:
com.fortify.sca.InputFileEncoding

-nc When specified before a compiler command line, Fortify Static Code
Analyzer translates the source file but does not run the compiler.

-noextension-type Specifies the file type for source files that have no file extension. The
<file_type> valid file type values are ABAP, ACTIONSCRIPT, APEX, APEX_OBJECT,
APEX_TRIGGER, ARCHIVE, ASPNET, ASP, ASPX, BITCODE, BSP,
BYTECODE, CFML, COBOL, CSHARP, DART, DOCKERFILE, GENERIC, GO,
HOCON, HTML, INI, JAVA, JAVA_PROPERTIES, JAVASCRIPT, JSP,
JSPX, KOTLIN, MSIL, MXML, OBJECT, PHP, PLSQL, PYTHON, RUBY,
RUBY_ERB, SCALA, SWIFT, SWC, SWF, TLD, SQL, TSQL, TYPESCRIPT,
VB, VB6, VBSCRIPT, VISUAL_FORCE, VUE, and XML.

Analysis Options
The following table describes the analysis options.

Analysis Option Description

-b <build_id> Specifies the build ID used in a prior translation command.

Equivalent Property Name:
com.fortify.sca.BuildID

-scan Causes Fortify Static Code Analyzer to perform a security analysis for
the specified build ID.

Note: Do not use this option together with the -scan-module

option in the same sourceanalyzer command.

-scan-policy Specifies a scan policy for the scan. The valid policy names are classic,
<policy_name> | security, and devops. For more information, see "Applying a Scan
-sc <policy_name> Policy to the Analysis" on page 45.
Equivalent Property Name:

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 124 of 216
User Guide
Chapter 18: Command-Line Interface

Analysis Option Description

com.fortify.sca.ScanPolicy

-scan-module Causes Fortify Static Code Analyzer to perform a security analysis for
the specified build ID as a separate module.

Note: Do not use this option together with the -scan option in the
same sourceanalyzer command.

Equivalent Property Name:

com.fortify.sca.ScanScaModule

-include-modules Specifies the libraries previously scanned as separate modules in a

comma- or colon-separated list of build IDs to include in the project scan.
Equivalent Property Name:
com.fortify.sca.IncludeScaModules

-analyzers Specifies the analyzers you want to enable with a colon- or comma-
<analyzer_list> separated list of analyzers. The valid analyzer names are buffer,
content, configuration, controlflow, dataflow, nullptr,
semantic, and structural. You can use this option to disable
analyzers that are not required for your security requirements.
Equivalent Property Name:
com.fortify.sca.DefaultAnalyzers

-p <level> | Uses speed dial to scan the project with a scan precision level. The lower
-scan-precision the scan precision level, the faster the scan performance. The valid
<level> values are 1, 2, 3, and 4. For more information, see "Configuring Scan
Speed with Speed Dial" on page 147.
Equivalent Property Name:
com.fortify.sca.PrecisionLevel

-quick Quickly scan the project for critical- and high-priority issues using the
fortify-sca-quickscan.properties file, which provides a less in-
depth analysis. By default, quick scan disables the Buffer Analyzer and
the Control Flow Analyzer. In addition, it applies the Quick View filter set.
For more information, see "Quick Scan" on page 146.
Equivalent Property Name:
com.fortify.sca.QuickScanMode

-bin <binary> | Specifies a subset of source files to scan. Only the source files that were

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 125 of 216
User Guide
Chapter 18: Command-Line Interface

Analysis Option Description

-binary-name linked in the named binary at build time are included in the scan. You can
<binary> use this option multiple times to specify the inclusion of multiple binaries
in the scan.
Equivalent Property Name:
com.fortify.sca.BinaryName

-disable-default- Disables all rules of the specified type in the default Rulepacks. You can
rule-type use this option multiple times to specify multiple rule types.
<type>
The <type> parameter is the XML tag minus the suffix Rule. For
example, use DataflowSource for DataflowSourceRule elements. You
can also specify specific sections of characterization rules, such as
Characterization:Control flow, Characterization:Issue, and
Characterization:Generic.

The <type> parameter is case-insensitive.

-filter <file> Specifies a results filter file. For more information, see "Filtering the
Analysis" on page 166.
Equivalent Property Name:
com.fortify.sca.FilterFile

-no-default-issue- Disables rules in default Rulepacks that lead directly to issues. Fortify
rules Static Code Analyzer still loads rules that characterize the behavior of
functions.

Note: This is equivalent to disabling the following rule types:

DataflowSink, Semantic, Controlflow, Structural, Configuration,
Content, Statistical, Internal, and Characterization:Issue.

Equivalent Property Name:

com.fortify.sca.NoDefaultIssueRules

-no-default-rules Disables loading of rules from the default Rulepacks. Fortify Static Code
Analyzer processes the Rulepacks for description elements and language
libraries, but processes no rules.
Equivalent Property Name:
com.fortify.sca.NoDefaultRules

-no-default- Disables source rules in the default Rulepacks.

source-rules

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 126 of 216
User Guide
Chapter 18: Command-Line Interface

Analysis Option Description

Note: Characterization source rules are not disabled.

Equivalent Property Name:

com.fortify.sca.NoDefaultSourceRules

-no-default-sink- Disables sink rules in the default Rulepacks.

rules
Note: Characterization sink rules are not disabled.

Equivalent Property Name:

com.fortify.sca.NoDefaultSinkRules

-project-template Specifies the issue template file to use for the scan. This only affects
<file> scans on the local machine. If you upload the FPR to Micro Focus Fortify
Software Security Center, it uses the issue template assigned to the
application version.
Equivalent Property Name:
com.fortify.sca.ProjectTemplate

-rules <file> | Specifies a custom Rulepack or directory. You can use this option
<dir> multiple times to specify multiple Rulepack files. If you specify a
directory, Fortify Static Code Analyzer includes all the files in the
directory with the .bin and .xml extensions.
Equivalent Property Name:
com.fortify.sca.RulesFile

Output Options
The following table describes the output options. Apply all these options during the analysis phase
(with the -scan option). You can specify the build-label, build-project, and build-version
options during the translation phase and they are overridden if specified again for the analysis phase.

Output Option Description

-f <file> | Specifies the file to which analysis results are written. If you do not
-output-file specify an output file, Fortify Static Code Analyzer writes the output to
<file> the terminal.
Equivalent Property Name:
com.fortify.sca.ResultsFile

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 127 of 216
User Guide
Chapter 18: Command-Line Interface

Output Option Description

-format <format> Controls the output format. Valid options are fpr, fvdl, fvdl.zip,
text, and auto. The default is auto, which selects the output format
based on the file extension of the file provided with the -f option.
The FVDL is an XML file that contains the detailed Fortify Static Code
Analyzer analysis results. This includes vulnerability details, rule
descriptions, code snippets, command-line options used in the scan, and
any scan errors or warnings.
The FPR is a package of the analysis results that includes the FVDL file
as well as extra information such as a copy of the source code used in the
scan, the external metadata, and custom rules (if applicable). Micro
Focus Fortify Audit Workbench is automatically associated with the .fpr
file extension.

Note: If you use result certification, you must specify the fpr format.
See the Fortify Audit Workbench User Guide for information about
result certification.

You can prevent some information from being included in the FPR or
FVDL file to improve scan time or output file size. See other options in
this table and see "Optimizing FPR Files" on page 150.
Equivalent Property Name:
com.fortify.sca.Renderer

-append Appends results to the file specified with the -f option. The resulting
FPR file contains the issues from the earlier scan as well as issues from
the current scan. The build information and program data (lists of
sources and sinks) sections are also merged. To use this option, the
output file format must be fpr or fvdl. For information on the -format
output option, see the description in this table.
The engine data, which includes Fortify security content information,
command-line options, system properties, warnings, errors, and other
information about the execution of Fortify Static Code Analyzer (as
opposed to information about the program being analyzed), is not
merged. Because engine data is not merged with the -append option,
Fortify does not certify results generated with -append.
If this option is not specified, Fortify Static Code Analyzer adds any new
findings to the FPR file, and labels the older result as previous findings.

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 128 of 216
User Guide
Chapter 18: Command-Line Interface

Output Option Description

In general, only use the -append option when it is impossible to analyze

an entire application at once.
Equivalent Property Name:
com.fortify.sca.OutputAppend

-build-label Specifies a label for the project to include in the analysis results. You can
<label> include this option during the translation or the analysis phase. Fortify
Static Code Analyzer does not use this label for code analysis.
Equivalent Property Name:
com.fortify.sca.BuildLabel

-build-project Specifies a name for the project to include in the analysis results. You can
<project_name> include this option during the translation or the analysis phase. Fortify
Static Code Analyzer does not use this name for code analysis.
Equivalent Property Name:
com.fortify.sca.BuildProject

-build-version Specifies a version for the project to include in the analysis results. You
<version> can include this option during the translation or the analysis phase.
Fortify Static Code Analyzer does not use this version for code analysis.
Equivalent Property Name:
com.fortify.sca.BuildVersion

-disable-source- Excludes source files from the analysis results file.

bundling
Equivalent Property Name:
com.fortify.sca.FPRDisableSourceBundling

-fvdl-no- Excludes the Fortify security content descriptions from the analysis
descriptions results file.
Equivalent Property Name:
com.fortify.sca.FVDLDisableDescriptions

-fvdl-no- Excludes engine data from the analysis results file. The engine data
enginedata includes Fortify security content information, command-line options,
system properties, warnings, errors, and other information about the
Fortify Static Code Analyzer execution.
Equivalent Property Name:
com.fortify.sca.FVDLDisableEngineData

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 129 of 216
User Guide
Chapter 18: Command-Line Interface

Output Option Description

-fvdl-no-progdata Excludes program data from the analysis results file. This removes the
taint source information from the Functions view in Fortify Audit
Workbench.
Equivalent Property Name:
com.fortify.sca.FVDLDisableProgramData

-fvdl-no-snippets Excludes the code snippets from the analysis results file.
Equivalent Property Name:
com.fortify.sca.FVDLDisableSnippets

Other Options
The following table describes other options.

Other Option Description

@<file> Reads command-line options from the specified file.

Note: By default, this file uses the JVM system encoding. You can
change the encoding by using the
com.fortify.sca.CmdlineOptionsFileEncoding property
specified in the fortify-sca.properties file. For more
information about this property, see "Translation and Analysis Phase
Properties" on page 173.

-h | Prints a summary of command-line options.

-? |
-help

-debug Includes debug information in the Fortify Support log file, which is only
useful for Micro Focus Fortify Customer Support to help troubleshoot.
Equivalent Property Name:
com.fortify.sca.Debug

-debug-verbose This is the same as the -debug option, but it includes more details,
specifically for parse errors.
Equivalent Property Name:
com.fortify.sca.DebugVerbose

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 130 of 216
User Guide
Chapter 18: Command-Line Interface

Other Option Description

-verbose Sends verbose status messages to the console and to the Fortify
Support log file.
Equivalent Property Name:
com.fortify.sca.Verbose

-logfile <file> Specifies the log file that Fortify Static Code Analyzer creates.
Equivalent Property Name:
com.fortify.sca.LogFile

-clobber-log Directs Fortify Static Code Analyzer to overwrite the log file for each run
of sourceanalyzer. Without this option, Fortify Static Code Analyzer
appends information to the log file.
Equivalent Property Name:
com.fortify.sca.ClobberLogFile

-quiet Disables the command-line progress information.

Equivalent Property Name:
com.fortify.sca.Quiet

-version | Displays the Fortify Static Code Analyzer version and versions of various
-v independent modules included with Fortify Static Code Analyzer (all
other functionality is contained in Fortify Static Code Analyzer).

-autoheap Enables automatic allocation of memory based on the physical memory

available on the system. This is the default memory allocation setting.

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 131 of 216
User Guide
Chapter 18: Command-Line Interface

Other Option Description

-Xmx<size>M | G Specifies the maximum amount of memory Fortify Static Code Analyzer
uses.
Heap sizes between 32 GB and 48 GB are not advised due to internal
JVM implementations. Heap sizes in this range perform worse than at 32
GB. The JVM optimizes heap sizes smaller than 32 GB. If your scan
requires more than 32 GB, then you need 64 GB or more. As a guideline,
assuming no other memory intensive processes are running, do not
allocate more than 2/3 of the available memory.
When you specify this option, make sure that you do not allocate more
memory than is physically available, because this degrades performance.
As a guideline, and the assumption that no other memory intensive
processes are running, do not allocate more than 2/3 of the available
memory.

Note: Specifying this option overrides the default memory allocation

obtained with the -autoheap option.

Directives
Use only one directive at a time and do not use any directive in conjunction with translation or
analysis commands. Use the directives described in the following table to list information about
previous translation commands.

Directive Description

-clean Deletes all Fortify Static Code Analyzer intermediate files and build
records. If you specify a build ID, only files and build records that relate
to that build ID are deleted.

-show-binaries Displays all objects created but not used in the production of any other
binaries. If fully integrated into the build, it lists all the binaries
produced.

-show-build-ids Displays a list of all known build IDs.

-show-build-tree When you scan with the -bin option, displays all files used to create
the binary and all files used to create those files in a tree layout. If the
-bin option is not present, the tree is displayed for each binary.

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 132 of 216
User Guide
Chapter 18: Command-Line Interface

Directive Description

Note: This option can generate an extensive amount of

information.

-show-build-warnings Use with -b <build_id> to show any errors and warnings that
occurred in the translation phase on the console.

Note: Fortify Audit Workbench also displays these errors and

warnings in the results Certification tab.

-show-files Displays the files included in the specified build ID. When the -bin
option is present, displays only the source files that went into the
binary.

-show-loc Displays the number of lines in the code being translated.

LIM License Directives

Fortify Static Code Analyzer provides directives to manage the usage of your LIM license. You can
store or clear the LIM license pool credentials. You can also request (and release) a detached lease for
offline analysis if the specified license pool permits detached leases.

Note: By default, Fortify Static Code Analyzer requires an HTTPS connection to the LIM server
and you must have a trusted certificate. For more information, see "Adding Trusted Certificates"
on page 39.

Use the directives described in the following table for a license managed by the LIM.

Directive Description

-store-license- Stores your LIM license pool credentials so that Fortify Static Code
pool-credentials Analyzer uses the LIM for licensing. The proxy information is optional.
"<lim_url>|<lim_ Fortify Static Code Analyzer stores the pool password and the proxy
pool_name>|<lim_
credentials provided with this directive in the fortify-sca.properties
pool_
file as encrypted data. If your license pool credentials change after you
pwd>|<proxy_
url>|<proxy_ have installed Fortify Static Code Analyzer, you can run this directive again
user>|<proxy_ to save the new credentials.
pwd>"
Example:

sourceanalyzer -store-license-pool-credentials
"https://<ip_address>/LIM.REST.API|TeamA|mypassword"

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 133 of 216
User Guide
Chapter 18: Command-Line Interface

Directive Description

Associated Property Names:

com.fortify.sca.lim.Url
com.fortify.sca.lim.PoolName
com.fortify.sca.lim.PoolPassword
com.fortify.sca.lim.ProxyUrl
com.fortify.sca.lim.ProxyUsername
com.fortify.sca.lim.ProxyPassword

-clear-license- Removes the LIM license pool credentials from the fortify-
pool-credentials sca.properties file. If your license pool credentials change, you can
remove them with this directive, and then use the -store-license-
pool-credentials directive to save the new credentials.

-request- Requests a detached lease from the LIM license pool for exclusive use on
detached-lease this system for the specified duration (in minutes). This enables you to run
<duration> Fortify Static Code Analyzer even when disconnected from your corporate
intranet.

Note: To use this directive, the license pool must be configured to

allow detached leases.

-release- Releases a detached lease back to the license pool.

detached-lease

Specifying Files and Directories

File specifiers are expressions that allow you to pass a long list of files or a directory to Fortify Static
Code Analyzer using wildcard characters. Fortify Static Code Analyzer recognizes two types of
wildcard characters: a single asterisk character (*) matches part of a file name, and double asterisk
characters (**) recursively matches directories. You can specify one or more files, one or more file
specifiers, or a combination of files and file specifiers.

<files> | <file_dir_specifiers>

Note: File specifiers do not apply to C, C++, or Objective-C++.

The following table describes examples of file and directory specifiers.

File / Directory Specifier Description

<dir> Matches all files in the named directory and any

subdirectories or the named directory when used for a
<dir>/**/*

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 134 of 216
User Guide
Chapter 18: Command-Line Interface

File / Directory Specifier Description

directory parameter.

<dir>/**/Example.java Matches any file named Example.java found in the named

directory or any subdirectories.

<dir>/*.java Matches any file with the specified extension found in the
named directory.
<dir>/*.jar

<dir>/**/*.kt Matches any file with the specified extension found in the
named directory or any subdirectories.
<dir>/**/*.jar

<dir>/**/beta/** Matches all directories and files found in the named directory
that have beta in the path, including beta as a file name.

<dir>/**/classes/ Matches all directories and files with the name classes
found in the named directory and any subdirectories.

**/test/** Matches all files in the current directory tree that have a
test element in the path, including test as a file name.

**/webgoat/* Matches all files in any webgoat directory in the current

directory tree.
Matches:
l
/src/main/java/org/owasp/webgoat
l
/test/java/org/owasp/webgoat

Does not match (assignments directory does not match)

l
/test/java/org/owasp/webgoat/assignments

Note: Windows and many Linux shells automatically expand parameters that contain the asterisk
character (*), so you must enclose file-specifier expressions in quotes. Also, on Windows, you can
use the backslash character (\) as the directory separator instead of the forward slash (/).

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 135 of 216
Chapter 19: Command-Line Tools
Fortify Static Code Analyzer command-line tools enable you to manage Fortify Security Content,
perform post-installation configurations, and monitor scans. These tools are located in <sca_
install_dir>/bin. The tools for Windows are provided as .bat or .cmd files. The following table
describes the command-line tools installed with Fortify Static Code Analyzer.

Note: By default, log files for Fortify Static Code Analyzer tools are written to the following
directory:
l
Windows: C:\Users\<username>\AppData\Local\Fortify\<tool_name>-
<version>\log
l
Non-Windows: <userhome>/.fortify/<tool_name>-<version>/log

Tool Description More Information

fortifyupdate Compares installed security content to the current "About Updating Security
version and makes any required updates Content" on the next page

FPRUtility With this tool you can: Fortify Static Code

Analyzer Applications and
l Merge audited projects
Tools Guide in Fortify
l Verify FPR signatures Static Code Analyzer and
l Display information from an FPR file Tools Documentation
l Combine or split source code files and audit
projects into FPR files
l Alter an FPR

scapostinstall This tool enables you to migrate properties files "Running the Post-Install
from a previous version of Fortify Static Code Tool" on page 36
Analyzer, specify a locale, and specify a proxy
server for security content updates and for Fortify
Software Security Center.

SCAState Provides state analysis information on the JVM "Checking the Fortify
during the analysis phase Static Code Analyzer Scan
Status" on page 140

This section contains the following topics:

About Updating Security Content 137

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 136 of 216
User Guide
Chapter 19: Command-Line Tools

Checking the Fortify Static Code Analyzer Scan Status 140

About Updating Security Content

You can use the fortifyupdate command-line tool to download the latest Fortify Secure Coding
Rulepacks and metadata from Fortify.
The fortifyupdate tool gathers information about the existing security content in your Fortify
installation and contacts the Fortify Rulepack update server with this information. The server returns
new or updated security content, and removes any obsolete security content from your Fortify Static
Code Analyzer installation. If your installation is current, a message is displayed to that effect.

Updating Security Content

Use the fortifyupdate command-line tool to either download security content or import a local copy of
the security content. This tool is located in the <sca_install_dir>/bin directory.
The default read timeout for this tool is 180 seconds. To change the timeout setting, add the
rulepackupdate.SocketReadTimeoutSeconds property in the server.properties
configuration file. For more information, see the Fortify Static Code Analyzer Applications and Tools
Properties Reference Guide.
The basic command-line syntax for fortifyupdate is shown in the following example:

fortifyupdate [<options>]

To update your Fortify Static Code Analyzer installation with the latest Fortify Secure Coding
Rulepacks and external metadata from the Fortify Rulepack update server, type the following
command:

fortifyupdate

To update security content from the local system:

fortifyupdate -import <my_local_rules>.zip

To update security content from a Fortify Software Security Center server using credentials:

fortifyupdate -url <ssc_url> -sscUser <username> -sscPassword <password>

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 137 of 216
User Guide
Chapter 19: Command-Line Tools

fortifyupdate Command-Line Options

The following table describes the fortifyupdate options.

fortifyupdate Option Description

-acceptKey Specifies to accept the public key. When this is

specified, you are not prompted to provide a public key.
Use this option to accept the public key if you are
updating from a non-standard location using the -url
option.

-acceptSSLCertificate Specifies to use the SSL certificate provided by the

server.

-import <file>.zip Imports the ZIP file that contains security content. By
default, Rulepacks are imported into the <sca_
install_dir>/Core/config/rules directory.

-coreDir <dir> Specifies a core directory where fortifyupdate stores

the update. If this is not specified, the fortifyupdate
performs the update in the <sca_install_dir>.

Important! Make sure that you copy the contents

of the <sca_install_dir>/config/keys folder
and paste it to a config/keys folder in this
directory before you run fortifyupdate.

-includeMetadata Specifies to only update external metadata.

-includeRules Specifies to only update Rulepacks.

-locale <locale> Specifies a locale. English is the default if no security

content exists for the specified locale. The valid values
are:
l
en (English)
l
es (Spanish)
l
ja (Japanese)
l
ko (Korean)
l
pt_BR (Brazilian Portuguese)

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 138 of 216
User Guide
Chapter 19: Command-Line Tools

fortifyupdate Option Description

l
zh_CN (Simplified Chinese)
l
zh_TW (Traditional Chinese)

Note: The values are not case-sensitive.

Alternatively, you can specify a default locale for

security content updates in the fortify.properties
configuration file. For more information, see the Fortify
Static Code Analyzer Applications and Tools Properties
Reference Guide.

-proxyhost <host> Specifies a proxy server network name or IP address.

-proxyport <port> Specifies a proxy server port number.

-proxyUsername Specifies a user name if the proxy server requires

<username> authentication.

-proxyPassword Specifies the password if the proxy server requires

<password> authentication.

-showInstalledRules Displays the currently installed Rulepacks including any

custom rules and custom metadata.

-showInstalledExternalMetadata Displays the currently installed external metadata.

-url <url> Specifies a URL from which to download the security

content. The default URL is
https://update.fortify.com or the value set for
the rulepackupdate.server property in the
server.properties configuration file.

For more information about the server.properties

configuration file, see the Fortify Static Code Analyzer
Applications and Tools Properties Reference Guide.
You can download the security content from a Fortify
Software Security Center server by providing a Fortify
Software Security Center URL.

Specify one of the following types of credentials if you are updating security content from Fortify
Software Security Center with the -url option:

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 139 of 216
User Guide
Chapter 19: Command-Line Tools

fortifyupdate Option Description

-sscUsername Specifies a Fortify Software Security Center user

account by user name and password.
-sscPassword

-sscAuthToken Specifies a Fortify Software Security

Center authentication token of type
UnifiedLoginToken, CIToken, or ToolsConnectToken.

Checking the Fortify Static Code Analyzer Scan

Status
Use the SCAState tool to see up-to-date state analysis information during the analysis phase.
To check Fortify Static Code Analyzer state:

1. Start a Fortify Static Code Analyzer scan.

2. Open another command window.
3. Type the following at the command prompt:

SCAState [<options>]

SCAState Command-Line Options

The following table describes the SCAState options.

SCAState Option Description

-a | Displays all available information.

--all

-debug Displays information that is useful to debug SCAState behavior.

-ftd | Prints a thread dump for every thread.

--full-thread-dump

-h | Displays the help information for the SCAState tool.

--help

-hd <filename> | Specifies the file to which the heap dump is written. The file is
--heap-dump <filename> interpreted relative to the remote scan’s working directory; this is
not necessarily the same directory where you are running

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 140 of 216
User Guide
Chapter 19: Command-Line Tools

SCAState Option Description

SCAState.

-liveprogress Displays the ongoing status of a running scan. This is the default.
If possible, this information is displayed in a separate terminal
window.

-nogui Causes the Fortify Static Code Analyzer state information to

display in the current terminal window instead of in a separate
window.

-pi | Displays information about the source code being scanned,

--program-info including how many source files and functions it contains.

-pid <process_id> Specifies the currently running Fortify Static Code

Analyzer process ID. Use this option if there are multiple Fortify
Static Code Analyzer processes running simultaneously.
To obtain the process ID on Windows systems:

1. Open a command window.

2. Type tasklist at the command prompt.
A list of processes is displayed.
3. Find the java.exe process in the list and note its PID.
To find the process ID on Linux systems:
l
Type ps aux | grep sourceanalyzer at the command
prompt.

-progress Displays scan information up to the point at which the command is

issued. This includes the elapsed time, the current phase of the
analysis, and the number of results already obtained.

-properties Displays configuration settings (this does not include sensitive

information such as passwords).

-scaversion Displays the Fortify Static Code Analyzer version number for the
sourceanalyzer that is currently running.

-td | Prints a thread dump for the main scanning thread.

--thread-dump

-timers Displays information from the timers and counters that are

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 141 of 216
User Guide
Chapter 19: Command-Line Tools

SCAState Option Description

instrumented in Fortify Static Code Analyzer.

-version Displays the SCAState version.

-vminfo Displays the following statistics that JVM standard MXBeans

provides: ClassLoadingMXBean, CompilationMXBean,
GarbageCollectorMXBeans, MemoryMXBean,
OperatingSystemMXBean, RuntimeMXBean, and ThreadMXBean.

<none> Displays scan progress information (this is the same as -

progress).

Note: Fortify Static Code Analyzer writes Java process information to the location of the TMP
system environment variable. On Windows systems, the TMP system environment variable
location is C:\Users\<username>\AppData\Local\Temp. If you change this TMP system
environment variable to point to a different location, SCAState cannot locate the
sourceanalyzer Java process and does not return the expected results. To resolve this issue,
change the TMP system environment variable to match the new TMP location. Fortify
recommends that you run SCAState as an administrator on Windows.

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 142 of 216
Chapter 20: Improving Performance
This chapter provides guidelines and tips to optimize memory usage and performance when
analyzing different types of codebases with Fortify Static Code Analyzer.
This section contains the following topics:
Antivirus Software 143
Hardware Considerations 144
Sample Scans 145
Tuning Options 145
Quick Scan 146
Configuring Scan Speed with Speed Dial 147
Breaking Down Codebases 149
Limiting Analyzers and Languages 149
Optimizing FPR Files 150
Monitoring Long Running Scans 154

Antivirus Software
The use of antivirus software can negatively impact Fortify Static Code Analyzer performance. If you
notice long scan times, Fortify recommends that you temporarily exclude the internal Fortify Static
Code Analyzer files from your antivirus software scan. You can also do the same for the directories
where the source code resides, however the performance impact on the Fortify analysis is less than
with the internal directories.
By default, Fortify Static Code Analyzer creates internal files in the following location:
l
Windows: c:\Users\<username>\AppData\Local\Fortify\sca<version>
l
Non-Windows: <userhome>/.fortify/sca<version>
where <version> is the version of Fortify Static Code Analyzer you are using.

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 143 of 216
User Guide
Chapter 20: Improving Performance

Hardware Considerations
The variety of source code makes accurate predictions of memory usage and scan times impossible.
The factors that affect memory usage and performance consists of many different factors including:
l Code type
l Codebase size and complexity
l Ancillary languages used (such as JSP, JavaScript, and HTML)
l Number of vulnerabilities
l Type of vulnerabilities (analyzer used)

Fortify developed the following set of "best guess" hardware recommendations based on real-world
application scan results. The following table lists these recommendations based on the complexity of
the application. In general, increasing the number of available cores might improve scan times.

Application RAM
Complexity CPU Cores (GB) Description

Simple 4 16 A standalone system that runs on a server or desktop

such as a batch job or a command-line tool.

Medium 8 32 A standalone system that works with complex

computer models such as a tax calculation system or
a scheduling system.

Complex 16 128 A three-tiered business system with transactional

data processing such as a financial system or a
commercial website.

Very Complex 32 256 A system that delivers content such as an application

server, database server, or content management
system.

Note: TypeScript and JavaScript scans increase the analysis time significantly. If the total lines of
code in an application consist of more than 20% TypeScript or JavaScript, use the next highest
recommendation.

The Fortify Software System Requirements document describes the system requirements. However,
for large and complex applications, Fortify Static Code Analyzer requires more capable hardware. This
includes:
l Disk I/O—Fortify Static Code Analyzer is I/O intensive and therefore the faster the hard drive, the
more savings on the I/O transactions. Fortify recommends a 7,200 RPM drive, although a 10,000

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 144 of 216
User Guide
Chapter 20: Improving Performance

RPM drive (such as the WD Raptor) or an SSD drive is better.

l Memory—See "Memory Tuning" on page 158 for more information about how to determine the
amount of memory required for optimal performance.
l CPU—Fortify recommends a 2.1 GHz or faster processor.

Sample Scans
These sample scans were performed using Fortify Static Code Analyzer version 23.1.0 on dedicated
virtual machines. These scans were run using Fortify Security Content 2023 Update 1. The following
table shows the scan times you can expect for several common open-source projects.

Translation Analysis (Scan) Total

Project Name Language Time (mm:ss) Time (mm:ss) Issues LOC System Configuration

nasm 0.98.38 C/C++ 00:32 03:57 1,118 21,458 Linux VM with 8 CPUs
and 32 GB of RAM

WebGoat 8 Java 01:11 01:30 503 5,224 Linux VM with 8 CPUs

and 32 GB of RAM
WordPress for Java 00:27 02:14 797 10,055
Android

CakePHP PHP 00:20 02:10 4,378 47,812

phpBB 3 PHP 00:37 02:06 1,339 34,229

SharpZipLib .NET (C#) 02:00 02:10 910 12,088 Windows VM with

8 CPUs and 32 GB of
RAM

Hackademic-next JavaScript 01:17 03:36 790 39,271 Linux VM with 8 CPUs

and 32 GB of RAM
prisma TypeScript 00:55 03:19 89 24,003

numpy-1.13.3 Python 3 02:55 10:09 336 83,334

MediaBrowser Swift 00:17 00:50 25 6,175 macOS VM with 2 CPUs

and 8 GB of RAM

Tuning Options
Fortify Static Code Analyzer can take a long time to process complex projects. The time is spent in
different phases:
l Translation
l Analysis

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 145 of 216
User Guide
Chapter 20: Improving Performance

Fortify Static Code Analyzer can produce large analysis result files (FPRs), which can take a long time
to audit and upload to Micro Focus Fortify Software Security Center. This is referred to as the
following phase:
l Audit/Upload

The following table lists tips on how to improve performance in the different time-consuming phases.

Phase Option Description More Information

Translation -export- Translate and scan on "Mobile Build Sessions" on

build-session different machines page 43
-import-
build-session

Analysis -quick Run a quick scan "Quick Scan" below

Analysis -scan- Set the scan precision "Configuring Scan Speed with
precision Speed Dial" on the next page

Analysis -bin Scan the files related to "Breaking Down Codebases" on

a binary page 149

Analysis -Xmx<size>M | G Set maximum heap size "Memory Tuning" on page 158

Analysis -Xss<size>M | G Set stack size for each "Memory Tuning" on page 158
thread

Analysis -filter Apply a filter using a "Using Filter Files" on page 150
<file> filter file
Audit/Upload

Analysis -disable- Exclude source files "Excluding Source Code from the
source- from the FPR file FPR" on page 151
Audit/Upload bundling

Quick Scan
Quick scan mode provides a way to quickly scan your projects for critical- and high-priority issues.
Fortify Static Code Analyzer performs the scan faster by reducing the depth of the analysis. It also
applies the Quick View filter set. Quick scan settings are configurable. For more details about the
configuration of quick scan mode, see "fortify-sca-quickscan.properties" on page 200.
Quick scans are a great way to get many applications through an assessment so that you can quickly
find issues and begin remediation. The performance improvement you get depends on the complexity
and size of the application. Although the scan is faster than a full scan, it does not provide as robust a
result set. Fortify recommends that you run full scans whenever possible.

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 146 of 216
User Guide
Chapter 20: Improving Performance

Limiters
The depth of the Fortify Static Code Analyzer analysis sometimes depends on the available resources.
Fortify Static Code Analyzer uses a complexity metric to trade off these resources with the number of
vulnerabilities that it can find. Sometimes, this means giving up on a particular function when it does
not look like Fortify Static Code Analyzer has enough resources available.
Fortify Static Code Analyzer enables the user to control the “cutoff” point by using Fortify Static Code
Analyzer limiter properties. The different analyzers have different limiters. You can run a predefined
set of these limiters using a quick scan. See the "fortify-sca-quickscan.properties" on page 200 for
descriptions of the limiters.
To enable quick scan mode, use the -quick option with -scan option. With quick scan mode enabled,
Fortify Static Code Analyzer applies the properties from the <sca_install_
dir>/Core/config/fortify-sca-quickscan.properties file, in addition to the standard <sca_
install_dir>/Core/config/fortify-sca.properties file. You can adjust the limiters that
Fortify Static Code Analyzer uses by editing the fortify-sca-quickscan.properties file. If you
modify fortify-sca.properties, it also affects quick scan behavior. Fortify recommends that you
do performance tuning in quick scan mode, and leave the full scan in the default settings to produce a
highly accurate scan. For description of the quick scan mode properties, see "Fortify Static Code
Analyzer Properties Files" on page 171.

Using Quick Scan and Full Scan

l Run full scans periodically—A periodic full scan is important as it might find issues that quick
scan mode does not detect. Run a full scan at least once per software iteration. If possible, run a full
scan periodically when it will not interrupt the development workflow, such as on a weekend.
l Compare quick scan with a full scan—To evaluate the accuracy impact of a quick scan, perform a
quick scan and a full scan on the same codebase. Open the quick scan results in Micro Focus Fortify
Audit Workbench and merge it into the full scan. Group the issues by New Issue to produce a list of
issues detected in the full scan but not in the quick scan.
l Quick scans and Micro Focus Fortify Software Security Center server—To avoid overwriting
the results of a full scan, by default Fortify Software Security Center ignores uploaded FPR files
scanned in quick scan mode. However, you can configure a Fortify Software Security Center
application version so that FPR files scanned in quick scan are processed. For more information, see
analysis results processing rules in the Fortify Software Security Center User Guide.

Configuring Scan Speed with Speed Dial

You can configure the speed and depth of the scan by specifying a precision level for the analysis
phase. You can use these precision levels to adjust the scan time to fit for example, into a pipeline and
quickly find a set of vulnerabilities while the developer is still working on the code. Although scans
with the speed dial settings are faster than a full scan, it does not provide as robust a result set.
Fortify recommends that you run full scans whenever possible.

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 147 of 216
User Guide
Chapter 20: Improving Performance

The precision level controls the depth and precision of the scan by associating configuration
properties with each level. The configuration properties files for each level are in the <sca_install_
dir>/Core/config/scales directory. There is one file for each level: (level-<precision_
level>.properties). You can modify the settings in these files to create your own specific
precision levels.

Notes:
l By default, Micro Focus Fortify Software Security Center blocks uploaded analysis results that
were created with a precision level less than four. However, you can configure your Fortify
Software Security Center application version so that uploaded audit projects scanned with
these precision levels are processed.
l If you merge a speed dial scan with a full scan, this might remove issues from previous scans
that still exist in your application (and would be detected again with a full scan).

To specify the speed dial setting for a scan, include the -scan-precision (or -p) option in the scan
phase as shown in the following example:

sourceanalyzer -b MyProject -scan -scan-precision <level> -f MyResults.fpr

Note: You cannot use the speed dial setting and the -quick option in the same scan command.
The following table describes the four precision levels.

Precision
Level Description

1 This is the quickest scan and is recommended if you are scanning a few files. By
default, a scan with this precision level disables the Buffer Analyzer, Control Flow
Analyzer, Dataflow Analyzer, and Null Pointer Analyzer.

2 By default, a scan with this precision level enables all analyzers. The scan runs
quicker by performing with reduced limiters. This results in fewer issues detected.

3 This precision level improves intermediate development scan speeds by up to 50%

(with a reduction in reported issues). Specifically, this level improves the scan time
for typed languages such as Java and C/C++.

4 This is equivalent to a full scan.

You can also specify the scan precision level with the com.fortify.sca.PrecisionLevel property
in the fortify-sca.properties file. For example:

com.fortify.sca.PrecisionLevel=1

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 148 of 216
User Guide
Chapter 20: Improving Performance

Breaking Down Codebases

It is more efficient to break down large projects into independent modules. For example, if you have a
portal application that consists of several modules that are independent of each other or have few
interactions, you can translate and scan the modules separately. The caveat to this is that you might
lose dataflow issue detection if some interactions exist.
For C/C++, you might reduce the scan time by using the –bin option with the –scan option. You need
to pass the binary file as the parameter (such as -bin <filename>.exe -scan or -bin
<filename>.dll -scan). Fortify Static Code Analyzer finds the related files associated with the
binary and scans them. This is useful if you have several binaries in a makefile.
The following table lists some useful Fortify Static Code Analyzer command-line options to break
down codebases.

Option Description

-bin <binary> Specifies a subset of source files to scan. Only the source files that were
linked in the named binary at build time are included in the scan. You can
use this option multiple times to specify the inclusion of multiple binaries
in the scan.

-show-binaries Displays all objects that were created but not used in the production of
any other binaries. If fully integrated into the build, it lists all the binaries
produced.

-show-build-tree When used with the -bin option, displays all files used to create the
binary and all files used to create those files in a tree layout. If the -bin
option is not present, Fortify Static Code Analyzer displays the tree for
each binary.

Limiting Analyzers and Languages

Occasionally, you might find that a significant amount of the scan time is spent either running one
analyzer or analyzing a particular language. It is possible that this analyzer or language is not
important to your security requirements. You can limit the specific analyzers that run and the specific
languages that Fortify Static Code Analyzer translates.

Disabling Analyzers
To disable specific analyzers, include the -analyzers option to Fortify Static Code Analyzer at scan
time with a comma- or colon-separated list of analyzers to enable. The valid parameter values for the

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 149 of 216
User Guide
Chapter 20: Improving Performance

-analyzers option are buffer, content, configuration, controlflow, dataflow, nullptr,

semantic, and structural.
For example, to run a scan that only includes the Dataflow, Control Flow, and Buffer analyzers, use the
following scan command:

sourceanalyzer -b MyProject -analyzers dataflow:controlflow:buffer -scan -f

MyResults.fpr

You can also do the same thing by setting com.fortify.sca.DefaultAnalyzers in the Fortify
Static Code Analyzer property file <sca_install_dir>/Core/config/fortify-
sca.properties. For example, to achieve the equivalent of the previous scan command, set the
following in the properties file:

com.fortify.sca.DefaultAnalyzers=dataflow:controlflow:buffer

Disabling Languages
To disable specific languages, include the -disable-language option in the translation phase,
which specifies a list of languages that you want to exclude. The valid language values are abap,
actionscript, apex, cfml, cobol, configuration, cpp, dart, dotnet, golang, java,
javascript, jsp, kotlin, objc, php, plsql, python, ruby, scala, sql, swift, tsql, typescript,
and vb.
For example, to perform a translation that excludes SQL and PHP files, use the following command:

sourceanalyzer -b MyProject <src_files> -disable-language sql:php

You can also disable languages by setting the com.fortify.sca.DISabledLanguages property in

the Fortify Static Code Analyzer properties file <sca_install_dir>/Core/config/fortify-
sca.properties. For example, to achieve the equivalent of the previous translation command, set
the following in the properties file:

com.fortify.sca.DISabledLanguages=sql:php

Optimizing FPR Files

This chapter describes how to handle performance issues related to the audit results (FPR) file. This
includes reducing the scan time, reducing FPR file size, and tips for opening large FPR files.

Using Filter Files

You can use a file to filter out specific vulnerability instances, rules, and vulnerability categories from
the analysis results. If you determine that a certain issue category or rule is not relevant for a

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 150 of 216
User Guide
Chapter 20: Improving Performance

particular scan, you can stop Fortify Static Code Analyzer from adding them to the FPR. Using a filter
file can reduce both the scan time and analysis results file size.
For example, if you are scanning a simple program that just reads a specified file, you might not want
to see path manipulation issues, because these are not likely planned as part of the functionality. To
filter out path manipulation issues, create a file that contains a single line:
Path Manipulation
Save this file as filter.txt. Use the -filter option in the analysis phase as shown in the following
example:

sourceanalyzer -b MyProject -scan -filter filter.txt -f MyResults.fpr

The analysis output in MyResults.fpr does not include any issues with the category Path
Manipulation. For more information and an example of a filter file, see "Excluding Issues with Filter
Files" on page 166.

Using Filter Sets

Filters in an issue template determine how the results from Fortify Static Code Analyzer are shown. In
addition to filters, filter sets enable you to have a selection of filters used at any one time. Each FPR
has an issue template associated with it. You can use filter sets to reduce the number of issues based
on conditions you specify with filters in an issue template. This can dramatically reduce the size of an
FPR.
To do this, use Micro Focus Fortify Audit Workbench to create a filter in a filter set, and then run the
Fortify Static Code Analyzer scan with the filter set and the containing issue template. For more
information and a basic example of how to create a filter set, see "Excluding Issues with Filters Sets"
on page 170.

Note: Although filtering issues with a filter set can reduce the size of the FPR, they do not usually
reduce the scan time. Fortify Static Code Analyzer examines the filter set after it calculates the
issues to determine whether to write them to the FPR file. The filters in a filter set determine the
rule types that Fortify Static Code Analyzer loads.

Excluding Source Code from the FPR

You can reduce the size of the FPR file by excluding the source code information from the FPR. This is
especially valuable for large source files or codebases. Typically, you do not get a scan time reduction
for small source files using this method.
There are properties you can use to prevent Fortify Static Code Analyzer from including source code
in the FPR. You can set either property in the <sca_install_dir>/Core/config/fortify-
sca.properties file or specify an option on the command line. The following table describes these
settings.

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 151 of 216
User Guide
Chapter 20: Improving Performance

Property Name Description

com.fortify.sca. Excludes source code from the FPR.

FPRDisableSourceBundling=true
Command-Line Option:
-disable-source-bundling

com.fortify.sca. Excludes code snippets from the FPR.

FVDLDisableSnippets=true
Command-Line Option:
–fvdl-no-snippets

The following command-line example uses both options to exclude both the source code and code
snippets from the FPR:

sourceanalyzer -b MyProject -disable-source-bundling

-fvdl-no-snippets -scan -f MySourcelessResults.fpr

Reducing the FPR File Size

There are a few ways to reduce the size of FPR files. The quickest way to do this without affecting
results is to exclude the source code from the FPR as described in "Excluding Source Code from the
FPR" on the previous page. You can also reduce the size of a merged FPR with the FPRUtility (see the
Fortify Static Code Analyzer Applications and Tools Guide).
There are a few other properties that you can use to select what is excluded from the FPR. You can
set these properties in the <sca_install_dir>/Core/config/fortify-sca.properties file or
specify an option on the command line for the analysis (scan) phase.

Property Name Description

com.fortify.sca. Excludes the metatable from the FPR. Micro Focus

FPRDisableMetatable Fortify Audit Workbench uses the metatable to map
=true information in Functions view.
Command-Line Option:
-disable-metatable

com.fortify.sca. Excludes rule descriptions from the FPR. If you do

FVDLDisableDescriptions not use custom descriptions, the descriptions in the
=true Fortify Taxonomy (https://vulncat.fortify.com) are
Command-Line Option: used.
-fvdl-no-descriptions

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 152 of 216
User Guide
Chapter 20: Improving Performance

Property Name Description

com.fortify.sca. Excludes engine data from the FPR. This is useful if

FVDLDisableEngineData your FPR contains many warnings when you open
=true the file in Fortify Audit Workbench.
Command-Line Option:
Note: If you exclude engine data from the FPR,
-fvdl-no-enginedata
you must merge the FPR with the current audit
project locally before you upload it to Micro
Focus Fortify Software Security Center. Fortify
Software Security Center cannot merge it on the
server because the FPR does not contain the
Fortify Static Code Analyzer version.

com.fortify.sca. Excludes the program data from the FPR. This

FVDLDisableProgramData removes the Taint Sources information from the
=true Functions view in Fortify Audit Workbench. This
Command-Line Option: property typically only has a minimal effect on the
-fvdl-no-progdata overall size of the FPR file.

Opening Large FPR Files

To reduce the time required to open a large FPR file in Micro Focus Fortify Audit Workbench, you can
set some properties in the <sca_install_dir>/Core/config/fortify.properties file. For
more information about these properties, see the Fortify Static Code Analyzer Applications and Tools
Properties Reference Guide. The following table describes the properties you can use to reduce the
time to open large FPR files.

Property Name Description

com.fortify. Disables use of the code navigation features

model.DisableProgramInfo=true in Micro Focus Fortify Audit Workbench.

com.fortify. Sets the start and end index for issue cutoff.
model.IssueCutOffStartIndex The IssueCutOffStartIndex property is
=<num> (inclusive) inclusive and IssueCutOffEndIndex is
com.fortify. exclusive so that you can specify a subset of
model.IssueCutOffEndIndex issues you want to see. For example, to see
=<num> (exclusive) the first 100 issues, specify the following:

com.fortify.model.
IssueCutOffStartIndex=0

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 153 of 216
User Guide
Chapter 20: Improving Performance

Property Name Description

com.fortify.model.
IssueCutOffEndIndex=101

Because the IssueCutOffStartIndex is 0

by default, you do not need to specify this
property.

com.fortify. Sets the start index for issue cutoff by

model.IssueCutOffByCategoryStartIndex= category. These two properties are similar to
<num> (inclusive) the previous cutoff properties except these
com.fortify. are specified for each category. For example,
model.IssueCutOffByCategoryEndIndex= to see the first five issues for every category,
<num> (exclusive) specify the following:

com.fortify.model.
IssueCutOffByCategoryEndIndex=6

com.fortify. Minimizes the data loaded from the FPR. This

model.MinimalLoad=true also restricts usage of the Functions view and
might prevent Fortify Audit Workbench from
loading the source from the FPR.

com.fortify. Specifies the number of Fortify Static Code

model.MaxEngineErrorCount= Analyzer reported warnings to load from the
<num> FPR. For projects with many scan warnings,
reducing this number from a default of 3000
can speed up the load time of large FPR files.

com.fortify. Specifies the JVM heap memory size for

model.ExecMemorySetting Fortify Audit Workbench to launch external
command-line tools such as iidmigrator and
fortifyupdate.

Monitoring Long Running Scans

When you run Fortify Static Code Analyzer, large and complex scans can often take a long time to
complete. During the scan it is not always clear what is happening. While Fortify recommends that you
provide your debug logs to the Micro Focus Fortify Customer Support team, there are a couple of
ways to see what Fortify Static Code Analyzer is doing and how it is performing in real-time.

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 154 of 216
User Guide
Chapter 20: Improving Performance

Using the SCAState Tool

The SCAState command-line tool enables you to see up-to-date state analysis information during the
analysis phase. The SCAState tool is located in the <sca_install_dir>/bin directory. In addition
to a live view of the analysis, it also provides a set of timers and counters that show where Fortify
Static Code Analyzer spends its time during the analysis phase. For more information about how to
use SCAState, see the "Checking the Fortify Static Code Analyzer Scan Status" on page 140.

Using JMX Tools

You can use tools to monitor Fortify Static Code Analyzer with JMX technology. These tools can
provide a way to track Fortify Static Code Analyzer performance over time. For more information
about these tools, see the full Oracle documentation available at: http://docs.oracle.com.

Note: These are third-party tools and Micro Focus does not provide or support them.

Using JConsole
JConsole is an interactive monitoring tool that complies with the JMX specification. The disadvantage
of JConsole is that you cannot save the output.
To use JConsole, you must first set some additional JVM parameters. Set the following environment
variable:

export SCA_VM_OPTS="-Dcom.sun.management.jmxremote
-Dcom.sun.management.jmxremote.port=9090
-Dcom.sun.management.jmxremote.ssl=false
-Dcom.sun.management.jmxremote.authenticate=false"

After the JMX parameters are set, start a Fortify Static Code Analyzer scan. During the scan, start
JConsole to monitor Fortify Static Code Analyzer locally or remotely with the following command:

jconsole <host_name>:9090

Using Java VisualVM

Java VisualVM offers the same capabilities as JConsole. It also provides more detailed information on
the JVM and enables you to save the monitor information to an application snapshot file. You can
store these files and open them later with Java VisualVM.
Similar to JConsole, before you can use Java VisualVM, you must set the same JVM parameters
described in "Using JConsole" above.

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 155 of 216
User Guide
Chapter 20: Improving Performance

After the JVM parameters are set, start the scan. You can then start Java VisualVM to monitor the
scan either locally or remotely with the following command:

jvisualvm <host_name>:9090

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 156 of 216
Chapter 21: Troubleshooting
This section contains the following topics:
Exit Codes 157
Memory Tuning 158
Scanning Complex Functions 160
Issue Non-Determinism 162
Locating the Log Files 163
Configuring Log Files 163
Reporting Issues and Requesting Enhancements 165

Exit Codes
The following table describes the possible Fortify Static Code Analyzer exit codes.

Exit
Code Description

0 Success

1 Generic failure

2 Invalid input files

(this could indicate that an attempt was made to translate a file that has a file extension
that Fortify Static Code Analyzer does not support)

3 Process timed out

4 Analysis completed with numbered warning messages written to the console and/or to
the log file

5 Analysis completed with numbered error messages written to the console and/or to the
log file

6 Scan phase was unable to generate issue results

7 Unable to detect a valid license or the LIM license expired at run time

By default, Fortify Static Code Analyzer only returns exit codes 0, 1, 2, 3, or 7.

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 157 of 216
User Guide
Chapter 21: Troubleshooting

You can extend the default exit code options by setting the com.fortify.sca.ExitCodeLevel
property in the <sca_install_dir>/Core/Config/fortify-sca.properties file.
The valid values are:
l
nothing—Returns any of the default exit codes (0, 1, 2, 3, or 7).
l
warnings—Returns exit codes 4 and 5 in addition to the default exit codes.
l
errors—Returns exit code 5 in addition to the default exit codes.
l
no_output_file—Returns exit code 6 in addition to the default exit codes.

Memory Tuning
The amount of physical RAM required for a scan depends on the complexity of the code. By default,
Fortify Static Code Analyzer automatically allocates the memory it uses based on the physical
memory available on the system. This is generally sufficient. As described in "Output Options" on
page 127, you can adjust the Java heap size with the -Xmx command-line option.
This section describes suggestions for what you can do if you encounter OutOfMemory errors during
the analysis.

Note: You can set the memory allocation options discussed in this section to run for all scans by
setting the SCA_VM_OPTS environment variable.

Java Heap Exhaustion

Java heap exhaustion is the most common memory problem that might occur during Fortify Static
Code Analyzer scans. It is caused by allocating too little heap space to the Java virtual machine that
Fortify Static Code Analyzer uses to scan the code. You can identify Java heap exhaustion from the
following symptom.
Symptom
One or more of these messages appears in the Fortify Static Code Analyzer log file and in the
command-line output:

There is not enough memory available to complete analysis. For details on

making more memory available, please consult the user manual.
java.lang.OutOfMemoryError: Java heap space
java.lang.OutOfMemoryError: GC overhead limit exceeded

Resolution
To resolve a Java heap exhaustion problem, allocate more heap space to the Fortify Static Code
Analyzer Java virtual machine when you start the scan. To increase the heap size, use the -Xmx
command-line option when you run the Fortify Static Code Analyzer scan. For example, -Xmx1G
makes 1 GB available. Before you use this parameter, determine the maximum allowable value for
Java heap space. The maximum value depends on the available physical memory.

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 158 of 216
User Guide
Chapter 21: Troubleshooting

Heap sizes between 32 GB and 48 GB are not advised due to internal JVM implementations. Heap
sizes in this range perform worse than at 32 GB. Heap sizes smaller than 32 GB are optimized by the
JVM. If your scan requires more than 32 GB, then you need 64 GB or more. As a guideline, assuming
no other memory intensive processes are running, do not allocate more than 2/3 of the available
memory.
If the system is dedicated to running Fortify Static Code Analyzer, you do not need to change it.
However, if the system resources are shared with other memory-intensive processes, subtract an
allowance for those other processes.

Note: You do not need to account for other resident but not active processes (while Fortify Static
Code Analyzer is running) that the operating system might swap to disk. Allocating more physical
memory to Fortify Static Code Analyzer than is available in the environment might cause
“thrashing,” which typically slows down the scan along with everything else on the system.

Native Heap Exhaustion

Native heap exhaustion is a rare scenario where the Java virtual machine can allocate the Java
memory regions on startup, but is left with so few resources for its native operations (such as garbage
collection) that it eventually encounters a fatal memory allocation failure that immediately terminates
the process.
Symptom
You can identify native heap exhaustion by abnormal termination of the Fortify Static Code Analyzer
process and the following output on the command line:

# A fatal error has been detected by the Java Runtime Environment:

#
# java.lang.OutOfMemoryError: requested ... bytes for GrET ...

Because this is a fatal Java virtual machine error, it is usually accompanied by an error log created in
the working directory with the file name hs_err_pidNNN.log.
Resolution
Because the problem is a result of overcrowding within the process, the resolution is to reduce the
amount of memory used for the Java memory regions (Java heap). Reducing this value should reduce
the crowding problem and allow the scan to complete successfully.

Stack Overflow
Each thread in a Java application has its own stack. The stack holds return addresses,
function/method call arguments, and so on. If a thread tends to process large structures with
recursive algorithms, it might need a large stack for all those return addresses. With the JVM, you can
set that size with the -Xss option.

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 159 of 216
User Guide
Chapter 21: Troubleshooting

Symptoms
This message typically appears in the Fortify Static Code Analyzer log file, but might also appear in
the command-line output:

java.lang.StackOverflowError

Resolution
The default stack size is 16 MB. To increase the stack size, pass the -Xss option to the
sourceanalyzer command. For example, -Xss32M increases the stack to 32 MB.

Scanning Complex Functions

During a Fortify Static Code Analyzer scan, the Dataflow Analyzer might encounter a function for
which it cannot complete the analysis and reports the following message:

Function <name> is too complex for <analyzer> analysis and will be skipped
(<identifier>)

where:
l
<name> is the name of the source code function
l
<analyzer> is the name of the analyzer
l
<identifier> is the type of complexity, which is one of the following:
l
l: Too many distinct locations
l
m: Out of memory
l
s: Stack size too small
l
t: Analysis taking too much time
l
v: Function visits exceed the limit

The depth of analysis Fortify Static Code Analyzer performs sometimes depends on the available
resources. Fortify Static Code Analyzer uses a complexity metric to trade off these resources against
the number of vulnerabilities that it can find. Sometimes, this means giving up on a particular function
when Fortify Static Code Analyzer does not have enough resources available. This is normally when
you see the "Function too complex" messages.
When you see this message, it does not necessarily mean that Fortify Static Code Analyzer completely
ignored the function in the program. For example, the Dataflow Analyzer typically visits a function
many times before completing the analysis, and might not have run into this complexity limit in the
previous visits. In this case, the results include anything learned from the previous visits.
You can control the "give up" point using Fortify Static Code Analyzer properties called limiters.
Different analyzers have different limiters.
The following sections provide a discussion of a resolution for this issue.

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 160 of 216
User Guide
Chapter 21: Troubleshooting

Dataflow Analyzer Limiters

There are three types of complexity identifiers for the Dataflow Analyzer:
l
l: Too many distinct locations
l
m: Out of memory
l
s: Stack size too small
l
v: Function visits exceed the limit

To resolve the issue identified by s, increase the stack size for by setting -Xss to a value greater than
16 MB.
To resolve the complexity identifier of m, increase the physical memory for Fortify Static Code
Analyzer.
To resolve the complexity identifier of l, you can adjust the following limiters in the Fortify Static
Code Analyzer property file <sca_install_dir>/Core/config/fortify-sca.properties or on
the command line.

Property Name Default Value

com.fortify.sca. 1000
limiters.MaxTaintDefForVar

com.fortify.sca. 4000
limiters.MaxTaintDefForVarAbort

com.fortify.sca. 4
limiters.MaxFieldDepth

The MaxTaintDefForVar limiter is a dimensionless value expressing the complexity of a function,

while MaxTaintDefForVarAbort is the upper bound for it. Use the MaxFieldDepth limiter to
measure the precision when the Dataflow Analyzer analyzes any given object. Fortify Static Code
Analyzer always tries to analyze objects at the highest precision possible.
If a given function exceeds the MaxTaintDefForVar limit at a given precision, the Dataflow Analyzer
analyzes that function with lower precision (by reducing the MaxFieldDepth limiter). When you
reduce the precision, it reduces the complexity of the analysis. When the precision cannot be reduced
any further, Fortify Static Code Analyzer then proceeds with analysis at the lowest precision until
either it finishes, or the complexity exceeds the MaxTaintDefForVarAbort limiter. In other words,
Fortify Static Code Analyzer tries harder at the lowest precision to get at least some results from the
function. If Fortify Static Code Analyzer reaches the MaxTaintDefForVarAbort limiter, it gives up
on the function entirely and you get the "Function too complex" warning.
To resolve the complexity identifier of v, you can adjust the property
com.fortify.sca.limiters.MaxFunctionVisits. This property sets the maximum number of
times the taint propagation analyzer visits functions. The default is 50.

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 161 of 216
User Guide
Chapter 21: Troubleshooting

Control Flow and Null Pointer Analyzer Limiters

There are two types of complexity identifiers for both Control Flow and Null Pointer analyzers:
l
m: Out of memory
l
t: Analysis taking too much time

Due to the way that the Dataflow Analyzer handles function complexity, it does not take an indefinite
amount of time. Control Flow and Null Pointer analyzers, however, can take an exceptionally long time
when analyzing complex functions. Therefore, Fortify Static Code Analyzer provides a way to abort
the analysis when this happens, and then you get the "Function too complex" message with a
complexity identifier of t.
To change the maximum amount of time these analyzers spend to analyze functions, you can adjust
the following property values in the Fortify Static Code Analyzer property file <sca_install_
dir>/Core/config/fortify-sca.properties or on the command line.

Property Name Description Default Value

com.fortify.sca. Sets the time limit (in milliseconds) for Control 600000
CtrlflowMaxFunctionTime Flow analysis on a single function. (10 minutes)

com.fortify.sca. Sets the time limit (in milliseconds) for Null 300000
NullPtrMaxFunctionTime Pointer analysis on a single function. (5 minutes)

To resolve the complexity identifier of m, increase the physical memory for Fortify Static Code
Analyzer.

Note: If you increase these limiters or time settings, it makes the analysis of complex functions
take longer. It is difficult to characterize the exact performance implications of a particular value
for the limiters/time, because it depends on the specific function in question. If you never want to
see the "Function too complex" warning, you can set the limiters/time to an extremely high value,
however it can cause unacceptable scan time.

Issue Non-Determinism
Running in parallel analysis mode might introduce issue non-determinism. If you experience any
problems, contact Micro Focus Fortify Customer Support, and disable parallel analysis mode.
Disabling parallel analysis mode results in sequential analysis, which can be substantially slower but
provides deterministic results across multiple scans.
To disable parallel analysis mode:

1. Open the fortify-sca.properties file located in the <sca_install_dir>/core/config

directory in a text editor.

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 162 of 216
User Guide
Chapter 21: Troubleshooting

2. Change the value for the com.fortify.sca.MultithreadedAnalysis property to false.

com.fortify.sca.MultithreadedAnalysis=false

Locating the Log Files

By default, Fortify Static Code Analyzer creates two log files in the following location:
l
Windows: C:\Users\<username>\AppData\Local\Fortify\sca<version>\log
l
Non-Windows: <userhome>/.fortify/sca<version>/log

where <version> is the version of Fortify Static Code Analyzer that you are using.
The following table describes the two log files.

Default File Name Description

sca.log The standard log provides a log of informational messages,

warnings, and errors that occurred in the run of
sourceanalyzer.

sca_FortifySupport.log The Fortify Support log provides:

l The same log messages as the standard log file, but with
additional details
l Additional detailed messages that are not included in
the standard log file

This log file is primarily helpful to Micro Focus Fortify

Customer Support or the development team to
troubleshoot any issues.

If you encounter warnings or errors that you cannot resolve, provide the Fortify Support log file to
Micro Focus Fortify Customer Support.

Configuring Log Files

You can configure the information that Fortify Static Code Analyzer writes to the log files by setting
logging properties (see "Logging Properties" on page 198). You can configure the following log file
settings:
l The location and name of the log file
Property: com.fortify.sca.LogFile

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 163 of 216
User Guide
Chapter 21: Troubleshooting

l Log level (see "Understanding Log Levels" below)

Property: com.fortify.sca.LogLevel
l Whether to overwrite the log files for each run of sourceanalyzer
Property: com.fortify.sca.ClobberLogFile
Command-line option: -clobber-log

Understanding Log Levels

The log level you select gives you all log messages equal to and greater than it. The following table
lists the log levels in order from least to greatest. For example, the default log level of INFO includes
log messages with the following levels: INFO, WARN, ERROR, and FATAL. You can set the log level
with the com.fortify.sca.LogLevel property in the <sca_install_
dir>/Core/config/fortify.sca.properties file or on the command-line using the -D option.

Log Level Description

DEBUG Includes information that Micro Focus Fortify Customer Support or the development
team can use to troubleshoot an issue

INFO Basic information about the translation or scan process

WARN Information about issues where the translation or scan did not stop, but might
require your attention for accurate results

ERROR Information about an issue that might require attention

FATAL Information about an error that caused the translation or scan to abort

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 164 of 216
User Guide
Chapter 21: Troubleshooting

Reporting Issues and Requesting Enhancements

Feedback is critical to the success of this product. To request enhancements or patches, or to report
issues, visit Micro Focus Fortify Customer Support at https://www.microfocus.com/support.
Include the following information when you contact customer support:
l Product: Fortify Static Code Analyzer
l Version number of Fortify Static Code Analyzer and any independent Fortify Static Code Analyzer
modules: To determine the version numbers, run the following:

sourceanalyzer -version
l Platform: (for example, Red Hat Enterprise Linux <version>)
l Operating system: (such as Linux)

To request an enhancement, include a description of the feature enhancement.

To report an issue, provide enough detail so that support can duplicate the issue. The more
descriptive you are, the faster support can analyze and resolve the issue. Also include the log files, or
the relevant portions of them, from when the issue occurred.

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 165 of 216
Appendix A: Filtering the Analysis
This section describes two methods of filtering out vulnerabilities from the analysis results (FPR)
during the scan phase. You can use a filter file to remove issues based on specific vulnerability
instances, rules, and vulnerability categories. You can also use a filter set (created in Fortify Audit
Workbench) to remove issues that are hidden from view in an issue template.

Caution! Fortify recommends that you only use filter files if you are an advanced user. Do not use
filter files for standard audits, because auditors typically want to see and evaluate all issues that
Fortify Static Code Analyzer finds.

This section contains the following topics:

Excluding Issues with Filter Files 166
Excluding Issues with Filters Sets 170

Excluding Issues with Filter Files

You can create a file to filter out particular vulnerability instances, rules, and vulnerability categories
when you run the sourceanalyzer command. You specify the file with the -filter analysis option.
A filter file is a text file that you can create with any text editor. You specify only the filter items that
you do not want in this file.

Note: The filter types described in this section apply to both filter files and scan policy files (see
"Applying a Scan Policy to the Analysis" on page 45).

The following table lists the available filter types and provides examples for each.

Filter Type Notes Examples

Category A category only covers all Poor Error Handling

subcategories
J2EE Bad Practices: Leftover
Debug Code
Note: Fortify Static Code
Analyzer applies category filters
in the initialization phase before
any analysis has taken place.

Instance ID An instance ID of a specific issue 6291C6A33303ED270C269917AA8A1005

Note: Fortify Static Code

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 166 of 216
User Guide
Appendix A: Filtering the Analysis

Filter Type Notes Examples

Analyzer applies instance

ID filters after the analysis
phase.

Rule ID A rule ID that leads to the reporting 823FE039-A7FE-4AAD-B976-

of a specific issue 9EC53FFE4A59

Note: Fortify Static Code

Analyzer applies rule ID filters in
the initialization phase before
any analysis has taken place.

Priority1 Priority is also referred to as Fortify priority <= low

Priority Order. The priority values in
priority < medium
ascending order are low, medium,
high, and critical.

Impact1 impact < 0.5

Likelihood1 likelihood <= 1.5

Confidence1 confidence < 1.8

Probability1 probability <= 1.2

Accuracy1 accuracy <= 1.0

1For the priority and metadata filters, use less than (<) or less than or equal to (<=).

See Also
"Filter File Example" below

Filter File Example

As an example, the following output is from a scan of the EightBall.java sample. This sample
project is included in the Fortify_SCA_Samples_<version>.zip archive in the
basic/eightball directory.

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 167 of 216
User Guide
Appendix A: Filtering the Analysis

The following commands are executed to produce the analysis results:

sourceanalyzer -b eightball EightBall.java

sourceanalyzer -b eightball -scan

The following results show five detected issues:

[F7A138CDE5235351F6A4405BA4AD7C53 : low : Unchecked Return Value : semantic

]
EightBall.java(12) : Reader.read()

[6291C6A33303ED270C269917AA8A1005 : high : Path Manipulation : dataflow ]

EightBall.java(12) : ->new FileReader(0)
EightBall.java(8) : <=> (filename)
EightBall.java(8) : <->Integer.parseInt(0->return)
EightBall.java(6) : <=> (filename)
EightBall.java(4) : ->EightBall.main(0)

[176CC0B182267DD538992E87EF41815F : critical : Path Manipulation : dataflow

]
EightBall.java(12) : ->new FileReader(0)
EightBall.java(6) : <=> (filename)
EightBall.java(4) : ->EightBall.main(0)

[E4B3ACF92911ED6D98AAC15876739EC7 : high : Unreleased Resource : Streams :

controlflow ]

EightBall.java(12) : start -> loaded : new FileReader(...)

EightBall.java(14) : loaded -> end_of_scope : end scope : Resource
leaked

EightBall.java(12) : start -> loaded : new FileReader(...)

EightBall.java(12) : java.io.IOException thrown
EightBall.java(12) : loaded -> loaded : throw
EightBall.java(12) : loaded -> end_of_scope : end scope : Resource
leaked : java.io.IOException thrown

[BB9F74FFA0FF75C9921D0093A0665BEB : low : J2EE Bad Practices : Leftover

Debug Code : structural ]
EightBall.java(4)

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 168 of 216
User Guide
Appendix A: Filtering the Analysis

The following is an example filter file that performs the following:

l Remove all results related to the J2EE Bad Practice category
l Remove the Path Manipulation based on its instance ID
l Remove any dataflow issues that were generated from a specific rule ID

#This is a category to filter from scan output

J2EE Bad Practices

#This is an instance ID of a specific issue to be filtered

#from scan output
6291C6A33303ED270C269917AA8A1005

#This is a specific Rule ID that leads to the reporting of a

#specific issue in the scan output: in this case the
#dataflow sink for a Path Manipulation issue.
823FE039-A7FE-4AAD-B976-9EC53FFE4A59

To test the filtered output, copy the above text and paste it into a file with the name test_
filter.txt.
To apply the filtering in the test_filter.txt file, execute the following command:

sourceanalyzer -b eightball -scan -filter test_filter.txt

The filtered analysis produces the following results:

[176CC0B182267DD538992E87EF41815F : critical : Path Manipulation : dataflow

]
EightBall.java(12) : ->new FileReader(0)
EightBall.java(6) : <=> (filename)
EightBall.java(4) : ->EightBall.main(0)

[E4B3ACF92911ED6D98AAC15876739EC7 : high : Unreleased Resource : Streams :

controlflow ]

EightBall.java(12) : start -> loaded : new FileReader(...)

EightBall.java(14) : loaded -> end_of_scope : end scope : Resource
leaked

EightBall.java(12) : start -> loaded : new FileReader(...)

EightBall.java(12) : java.io.IOException thrown
EightBall.java(12) : loaded -> loaded : throw
EightBall.java(12) : loaded -> end_of_scope : end scope : Resource
leaked : java.io.IOException thrown

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 169 of 216
User Guide
Appendix A: Filtering the Analysis

Excluding Issues with Filters Sets

You can use filter sets in an issue template created in Micro Focus Fortify Audit Workbench to filter
issues from the analysis results. When you apply a filter set that hides issues from view during the
analysis phase, Fortify Static Code Analyzer does not write the hidden issues to the FPR. To do this,
use Fortify Audit Workbench to create a filter set, and then run the Fortify Static Code Analyzer scan
with the filter set and the issue template, which contains the filter set. For more detailed instructions
about how to create filters and filter sets in Fortify Audit Workbench, see the Fortify Audit Workbench
User Guide.
The following example describes the basic steps for how to create and use a filter in an issue template
to remove issues from an FPR:

1. Suppose you use OWASP Top 10 2021 and you only want to see issues categorized within this
standard. In Fortify Audit Workbench, create a new filter set called OWASP_Filter
2. In Fortify Audit Workbench, create a visibility filter in the OWASP_Filter filter set:

If [OWASP Top 10 2021] does not contain A Then hide issue

This filter looks through the issues and if an issue does not map to an OWASP Top 10 2021
category with ‘A’ in the name, then it hides it. Because all OWASP Top 10 2021 categories start
with ‘A’ (A01, A02, …, A10), then any category without the letter ‘A’ is not in the OWASP Top 10
2021. The filter hides the issues from view in Fortify Audit Workbench, but they are still in the
FPR.
3. In Fortify Audit Workbench, export the issue template to a file called IssueTemplate.xml.
4. Using Fortify Static Code Analyzer, specify the filter set in the analysis phase with the following
command:

sourceanalyzer -b MyProject -scan -project-template IssueTemplate.xml

-Dcom.fortify.sca.FilterSet=OWASP_Filter -f MyFilteredResults.fpr

Although filtering issues with a filter set can reduce the size of the FPR, it does not usually reduce the
scan time. Fortify Static Code Analyzer examines the filter set after it calculates the issues to
determine whether to write them to the FPR file. The filters in a filter set determine the rule types that
Fortify Static Code Analyzer loads.

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 170 of 216
Appendix B: Configuration Options
The Fortify Static Code Analyzer installer places a set of properties files on your system. Properties
files contain configurable settings for Fortify Static Code Analyzer runtime analysis, output, and
performance.
This section contains the following topics:
Fortify Static Code Analyzer Properties Files 171
fortify-sca.properties 173
fortify-sca-quickscan.properties 200
fortify-rules.properties 203

Fortify Static Code Analyzer Properties Files

The properties files are located in the <sca_install_dir>/Core/config directory. The installed
properties files contain default values. Fortify recommends that you consult with your project leads
before you make changes to the properties in the properties files. You can modify any of the
properties in the configuration file with any text editor. You can also specify the property on the
command line with the -D option.
The following table lists the Fortify Static Code Analyzer properties files. Property files for the Fortify
Static Code Analyzer applications and tools are described in the Fortify Static Code Analyzer
Applications and Tools Properties Reference Guide.

Properties File Name Description More Information

fortify- Defines the Fortify Static Code Analyzer "fortify-sca.properties"

sca.properties configuration properties. on page 173

fortify-sca- Defines the configuration properties "fortify-sca-

quickscan.properties applicable for a Fortify Static Code quickscan.properties"
Analyzer quick scan. on page 200

fortify- Defines the configuration properties that "fortify-

rules.properties determine rule behavior. rules.properties" on
page 203

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 171 of 216
User Guide
Appendix B: Configuration Options

Properties File Format

In the properties file, each property consists of a pair of strings: the first string is the property name
and the second string is the property value.

com.fortify.sca.fileextensions.htm=HTML

As shown above, the property sets the translation to use for .htm files. The property name is
com.fortify.sca.fileextensions.htm and the value is set to HTML.

Note: When you specify a path for Windows systems as the property value, you must escape any
backslash character (\) with a backslash (for example:
com.fortify.sca.ASPVirtualRoots.Library=C:\\WebServer\\CustomerA\\inc).

Disabled properties are commented out of the properties file. To enable these properties, remove the
comment symbol (#) and save the properties file. In the following example, the
com.fortify.sca.LogFile property is disabled in the properties file and is not part of the
configuration:

# default location for the log file

#com.fortify.sca.LogFile=${com.fortify.sca.ProjectRoot}/sca/log/sca.log

Precedence of Setting Properties

Fortify Static Code Analyzer uses properties settings in a specific order. You can override any
previously set properties with the values that you specify. Keep this order in mind when making
changes to the properties files.
The following table lists the order of precedence for Fortify Static Code Analyzer properties.

Order Property Specification Description

1 Command line with the -D Properties specified on the command line have the highest
option priority and you can specify them in any scan.

2 Fortify Static Code Note: You can specify either quick scan or a scan
Analyzer quick scan precision level. Therefore, these property settings both
configuration file have second priority.

Properties specified in the quick scan configuration file

(fortify-sca-quickscan.properties) have the
second priority, but only if you include the -quick option
to enable quick scan mode.

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 172 of 216
User Guide
Appendix B: Configuration Options

Order Property Specification Description

Fortify Static Code Properties specified in the scan precision property files
Analyzer scan precision have the second priority, but only if you include the -scan-
property files precision option to enable scan precision.

3 Fortify Static Code Properties specified in the Fortify Static Code Analyzer
Analyzer configuration configuration file (fortify-sca.properties) have the
file lowest priority. Edit this file to change the property values
on a more permanent basis for all scans.

Fortify Static Code Analyzer also relies on some properties that have internally defined default values.

fortify-sca.properties
The following sections describe the properties available for use in the fortify-sca.properties
file. See "fortify-sca-quickscan.properties" on page 200 for additional properties that you can use in
this properties file. Each property description includes the value type, the default value, the
equivalent command-line option (if applicable), and an example.

Translation and Analysis Phase Properties

The properties for the fortify-sca.properties file in the following table are general properties
that apply to the translation and/or analysis (scan) phase.

Property Name Description

Translation and Scan

com.fortify.sca. Specifies the build ID of the build.

BuildID
Value Type: String
Default: (none)

Command-Line Option: -b

com.fortify.sca. Specifies the encoding of the command-line options file provided with @<filename> (see
CmdlineOptionsFileEncod "Other Options" on page 130). You can use this property, for example, to specify Unicode
ing file paths in the options file. Valid encoding names are from the
java.nio.charset.Charset

Note: This property is only valid in the fortify-sca.properties file and does not
work in the fortify-sca-quickscan.properites file or with the -D option.

Value Type: String

Default: JVM system default encoding

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 173 of 216
User Guide
Appendix B: Configuration Options

Property Name Description

Example: com.fortify.sca.CmdlineOptionsFileEncoding=UTF-8

com.fortify.sca. Specifies a colon-separated list of languages to exclude from the translation phase. The
DISabledLanguages valid language values are abap, actionscript, apex, cfml, cobol, configuration,
cpp, dart, dotnet, golang, java, javascript, jsp, kotlin, objc, php, plsql, python,
ruby, scala, sql, swift, tsql, typescript, and vb.
Value Type: String
Default: (none)

Command-Line Option: -disable-language

com.fortify.sca. Specifies a colon-separated list of languages to translate. The valid language values are
EnabledLanguages abap, actionscript, apex, cfml, cobol, configuration, cpp, dart, dotnet, golang,
java, javascript, jsp, kotlin, objc, php, plsql, python, ruby, scala, sql, swift,
tsql, typescript, and vb.
Value Type: String
Default: All languages in the specified source are translated unless explicitly excluded
with the com.fortify.sca.DISabledLanguages property.
Command-Line Option: -enable-language

com.fortify.sca. Specifies the directory to store intermediate files generated in the translation and analysis
ProjectRoot phases. Fortify Static Code Analyzer makes extensive use of intermediate files located in
this project root directory. In some cases, you achieve better performance for analysis by
making sure this directory is on local storage rather than on a network drive.
Value Type: String (path)

Default (Windows): ${win32.LocalAppdata}\Fortify

Note: ${win32.LocalAppdata} is a special variable that points to the windows

Local Application Data shell folder.

Default (Non-Windows): $home/.fortify

Command-Line Option: -project-root
Example: com.fortify.sca.ProjectRoot=
C:\Users\<username>\AppData\Local\
Translation

com.fortify.sca. Specifies how to translate specific file extensions for languages that do not require build
fileextensions.java integration. The valid file extension types are ABAP, ACTIONSCRIPT, APEX, APEX_OBJECT,
com.fortify.sca. APEX_TRIGGER, ARCHIVE, ASPNET, ASP, ASPX, BITCODE, BSP, BYTECODE, CFML, COBOL,
fileextensions.cs CSHARP, DART, DOCKERFILE, GENERIC, GO, HOCON, HTML, INI, JAVA, JAVA_PROPERTIES,
JAVASCRIPT, JSP, JSPX, KOTLIN, MSIL, MXML, OBJECT, PHP, PLSQL, PYTHON, RUBY, RUBY_
com.fortify.sca.
ERB, SCALA, SWIFT, SWC, SWF, TLD, SQL, TSQL, TYPESCRIPT, VB, VB6, VBSCRIPT, VISUAL_
fileextensions.js
FORCE, VUE, and XML.
com.fortify.sca.
fileextensions.py Value Type: String (valid language type)

Default: See the fortify-sca.properties file for the complete list.

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 174 of 216
User Guide
Appendix B: Configuration Options

Property Name Description

com.fortify.sca. Examples:
fileextensions.rb
com.fortify.sca.fileextensions.java=JAVA
com.fortify.sca. com.fortify.sca.fileextensions.cs=CSHARP
fileextensions.aspx
com.fortify.sca.fileextensions.js=TYPESCRIPT
com.fortify.sca. com.fortify.sca.fileextensions.py=PYTHON
fileextensions.php com.fortify.sca.fileextensions.swift=SWIFT
com.fortify.sca.fileextensions.razor=ASPNET
Note: This is a partial list.
com.fortify.sca.fileextensions.php=PHP
For the complete list, see
com.fortify.sca.fileextensions.tf=HCL
the properties file.
You can also specify a value of oracle:<path_to_script> to programmatically supply
a language type. Provide a script that accepts one command-line parameter of a file name
that matches the specified file extension. The script must write the valid Fortify Static
Code Analyzer file type (see previous list) to stdout and exit with a return value of zero. If
the script returns a non-zero return code or the script does not exist, the file is not
translated and Fortify Static Code Analyzer writes a warning to the log file.
Example:
com.fortify.sca.fileextensions.jsp=
oracle:<path_to_script>

com.fortify.sca. Specifies custom-named compilers.

compilers.javac=
Value Type: String (compiler)
com.fortify.sca.
util.compilers.JavacCom Default: See the Compilers section in the fortify-sca.properties file for the
piler complete list.
com.fortify.sca.
Example:
compilers.c++=
com.fortify.sca. To tell Fortify Static Code Analyzer that “my-gcc” is a gcc compiler:
util.compilers.GppCompi
ler com.fortify.sca.
compilers.my-gcc=
com.fortify.sca.
com.fortify.sca.util.compilers.
compilers.make=
GccCompiler
com.fortify.sca.
util.compilers.Touchles Notes:
sCompiler
l Compiler names can begin or end with an asterisk (*), which matches zero or more
com.fortify.sca.
characters.
compilers.mvn=
com.fortify.sca. l Execution of clang/clang++ is not supported with the gcc/g++ command names.
util.compilers.MavenAda You can specify the following: com.fortify.sca.compilers.g++=
pter com.fortify.sca.util.compilers.GppCompiler
Note: This is a partial list.
For the complete list,
see the properties file.

com.fortify.sca. If set to true, Fortify Static Code Analyzer includes

UseAntListener com.fortify.dev.ant.SCAListener in the compiler options.
Value Type: Boolean

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 175 of 216
User Guide
Appendix B: Configuration Options

Property Name Description

Default: false

com.fortify.sca. Specifies one or more files to exclude from translation. Separate multiple files with
exclude semicolons (Windows) or colons (non-Windows). See "Specifying Files and Directories" on
page 134 for more information on how to use file specifiers.

Note: Fortify Static Code Analyzer only uses this property during translation without
build integration. When you integrate with most compilers or build tools, Fortify
Static Code Analyzer translates all source files that the compiler or build tool
processes even if they are specified with this property. However, the Fortify Static
Code Analyzer xcodebuild and MSBuild integrations do support the -exclude
option.

Value Type: String

Default: Not enabled

Command-Line Option: -exclude

Example: com.fortify.sca.exclude=file1.x;file2.x

com.fortify.sca. Specifies the source file encoding type. Fortify Static Code Analyzer allows you to scan a
InputFileEncoding project that contains differently encoded source files. To work with a multi-encoded
project, you must specify the -encoding option in the translation phase, when Fortify
Static Code Analyzer first reads the source code file. Fortify Static Code Analyzer
remembers this encoding in the build session and propagates it into the FVDL file.
Typically, if you do not specify the encoding type, Fortify Static Code Analyzer uses
file.encoding from the java.io.InputStreamReader constructor with no encoding
parameter. In a few cases (for example with the ActionScript parser), Fortify Static Code
Analyzer defaults to UTF-8.
Value Type: String
Default: (none)

Command-Line Option: -encoding

Example:
com.fortify.sca.InputFileEncoding=UTF-16

com.fortify.sca. On Windows platforms, specifies the path to the reg.exe system utility. Specify the paths
RegExecutable in Windows syntax, not Cygwin syntax, even when you run Fortify Static Code Analyzer
from within Cygwin. Escape backslashes with an additional backslash.
Value Type: String (path)

Default: reg
Example:
com.fortify.sca.RegExecutable=
C:\\Windows\\System32\\reg.exe

com.fortify.sca. Specifies whether the xcodebuild touchless adapter continues translation if the
xcode.TranslateAfterErr xcodebuild subprocess exited with a non-zero exit code. If set to false, translation stops
or after encountering a non-zero xcodebuild exit code and the Fortify Static Code Analyzer

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 176 of 216
User Guide
Appendix B: Configuration Options

Property Name Description

touchless build halts with the same exit code. If set to true, the Fortify Static Code
Analyzer touchless build executes translation of the build file identified prior to the
xcodebuild exit, and Fortify Static Code Analyzer exits with an exit code of zero (unless
some other error also occurs).
Regardless of this setting, if xcodebuild exits with a non-zero code, then the xcodebuild
exit code, stdout, and stderr are written to the log file.
Value Type: Boolean

Default: false
Scan

com.fortify.sca. If set to true, Fortify Static Code Analyzer generates implied methods when it encounters
AddImpliedMethods implementation by inheritance.
Value Type: Boolean

Default: true

com.fortify.sca. If set to true, enables alias analysis.

alias.Enable
Value Type: Boolean

Default: true

com.fortify.sca. Specifies whether to enable Control Flow Analyzer timeouts.

analyzer.controlflow.En
Value Type: Boolean
ableTimeOut
Default: true

com.fortify.sca. Specifies a subset of source files to scan. Only the source files that were linked in the
BinaryName named binary at build time are included in the scan.
Value Type: String (path)
Default: (none)

Command-Line Option: -bin or -binary-name

com.fortify.sca. If set to true, Fortify Static Code Analyzer removes dead code issues, for example because
DeadCodeFilter the compiler generated dead code and it does not appear in the source code.
Value Type: Boolean

Default: true

com.fortify.sca. Specifies a comma- or colon-separated list of the types of analysis to perform. The valid
DefaultAnalyzers values for this property are buffer, content, configuration, controlflow,
dataflow, , nullptr, semantic, and structural.
Value Type: String
Default: This property is commented out and all analysis types are used in scans.

Command-Line Option: -analyzers

com.fortify.sca. Dead code is code that can never be executed, such as code inside the body of an if
DisableDeadCodeEliminat

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 177 of 216
User Guide
Appendix B: Configuration Options

Property Name Description

ion statement that always evaluates to false. If this property is set to true, then Fortify Static
Code Analyzer does not identify dead code, does not report dead code issues, and reports
other vulnerabilities in the dead code, even though they are unreachable during execution.
Value Type: Boolean

Default: false

com.fortify.sca. If set to true, disables function pointers during the scan.

DisableFunctionPointers
Value Type: Boolean

Default: false

com.fortify.sca. Specifies a comma- or colon-separated list of analyzers to use for a scan in addition to the
EnableAnalyzer default analyzers. The valid values for this property are buffer, content,
configuration, controlflow, dataflow, nullptr, semantic, and structural.
Value Type: String
Default: (none)

com.fortify.sca. Extends the default exit code options. See "Exit Codes" on page 157 for a description of
ExitCodeLevel the exit codes and the valid values for this property.

com.fortify.sca. Specifies the path to a filter file for the scan. See "Excluding Issues with Filter Files" on
FilterFile page 166 for more information.
Value Type: String (path)
Default: (none)

Command-Line Option: -filter

com.fortify.sca. Specifies a comma-separated list of IIDs to be filtered out using a filter file.
FilteredInstanceIDs
Value Type: String
Default: (none)
Example:
com.fortify.sca.FilteredInstanceIDs=CA4E1623A2424919B98EC19FCA279FFA,
4418B3DC072647158B3758E6183C14CD

com.fortify.sca. If set to true, higher-order analysis is enabled.

hoa.Enable
Value Type: Boolean

Default: true

com.fortify.sca. Specifies a comma- or colon-separated list of build IDs for libraries pre-scanned as
IncludeScaModules separate modules to use in the project scan. Each build ID must denote an existing
scanned library.
Value Type: String (build IDs)
Default: (none)

Command-Line Option: -include-modules

Example:

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 178 of 216
User Guide
Appendix B: Configuration Options

Property Name Description

com.fortify.sca.IncludeScaModules=LibA,LibB

com.fortify.sca. Specifies the cutoff level for severity suppression. Fortify Static Code Analyzer ignores
LowSeverityCutoff any issues found with a lower severity value than the one specified for this property.
Value Type: Number

Default: 1.0

com.fortify.sca. Specifies the length of a taint path between input and output parameters in a function call.
MaxPassthroughChainDept
Value Type: Integer
h
Default: 4

com.fortify.sca. Specifies whether Fortify Static Code Analyzer runs in parallel analysis mode.
MultithreadedAnalysis
Value Type: Boolean

Default: true

com.fortify.sca. Specifies a comma-separated list of languages for which to run higher-order analysis.
Phase0HigherOrder.Langu Valid values are python, swift, ruby, javascript, and typescript.
ages
Value Type: String

Default: python,ruby,swift,javascript,typescript

com.fortify.sca. Specifies the total time (in seconds) for higher-order analysis. When the analyzer reaches
Phase0HigherOrder.Timeo the hard timeout limit, it exits immediately.
ut.Hard
Fortify recommends this timeout limit in case some issue causes the analysis to run too
long. Fortify recommends that you set the hard timeout to about 50% longer than the soft
timeout, so that either the fixpoint pass limiter or the soft timeout occurs first.
Value Type: Number

Default: 2700

com.fortify.sca. Specifies the scan precision. Scans with a lower precision level are performed faster. The
PrecisionLevel valid values are 1, 2, 3, and 4.
Value Type: Number
Default: (none)

Command-Line Option: -scan-precision | -p

com.fortify.sca. Specifies the issue template file to use for the scan. This only affects scans on the local
ProjectTemplate machine. If you upload the FPR to Micro Focus Fortify Software Security Center server, it
uses the issue template assigned to the application version.
Value Type: String
Default: (none)

Command-Line Option: -project-template

Example:
com.fortify.sca.ProjectTemplate=
test_issuetemplate.xml

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 179 of 216
User Guide
Appendix B: Configuration Options

Property Name Description

com.fortify.sca. If set to true, Fortify Static Code Analyzer performs a quick scan. Fortify Static Code
QuickScanMode Analyzer uses the settings from fortify-sca-quickscan.properties, instead of the
fortify-sca.properties configuration file.
Value Type: Boolean
Default: (not enabled)

Command-Line Option: -quick

com.fortify.sca. Specifies the scan policy used to prioritize reported vulnerabilities. The valid scan policy
ScanPolicy values are classic, security, and devops.
Value Type: String

Default: classic
Command-Line Option: -sc or -scan-policy

com.fortify.sca. If set to true, Fortify Static Code Analyzer performs modular scan of this project, which
ScanScaModule enables use of this library's build ID with the include-modules option (or the
com.fortify.sca.IncludeScaModules property) in subsequent scans. For more
information, see "Configuring Scan Speed with Speed Dial" on page 147.

This property is ignored if the -scan command-line option is specified.

Value Type: Boolean
Default: false

Command-Line Option: -scan-module

com.fortify.sca. If set to true, Fortify Static Code Analyzer ignores low severity issues found in a scan.
SuppressLowSeverity
Value Type: Boolean

Default: true

com.fortify.sca. Specifies the number of threads for parallel analysis mode. Add this property only if you
ThreadCount need to reduce the number of threads used because of a resource constraint. If you
experience an increase in scan time or problems with your scan, a reduction in the number
of threads used might solve the problem.
Value type: Integer
Default: (number of available processor cores)

com.fortify.sca. The amount of time (in seconds) that type inference can spend to analyze a single
TypeInferenceFunctionTi function. Unlimited if set to zero or is not specified.
meout
Value Type: Long

Default: 60

com.fortify.sca. Comma- or colon-separated list of languages that use type inference. This setting
TypeInferenceLanguages improves the precision of the analysis for dynamically-typed languages.
Value Type: String

Default: javascript,python,ruby,typescript

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 180 of 216
User Guide
Appendix B: Configuration Options

Property Name Description

com.fortify.sca. Specifies the total amount of time (in seconds) that type inference can spend in phase 0
TypeInferencePhase0Time (the interprocedural analysis). Unlimited if set to zero or is not specified.
out
Value Type: Long

Default: 300

com.fortify.sca. Specifies a colon-separated list of functions to hide from all analyzers.

UniversalBlacklist
Value Type: String

Default: .*yyparse.*

Regex Analysis Properties

The properties for the fortify-sca.properties file in the following table apply to regular
expression analysis.

Property Name Description

com.fortify.sca. If set to true, regular expression analysis is enabled.

regex.Enable
Value Type: Boolean

Default: true

com.fortify.sca. If set to true, binary files are excluded from a regular expression analysis.
regex.ExcludeBinaries
Value Type: Boolean

Default: true

com.fortify.sca. Specifies the maximum size (in megabytes) for files that are scanned in a regular expression
regex.MaxSize analysis. Files that exceed this file size maximum are excluded from a regular expression
analysis.
Value Type: Number

Default: 10

See Also
"Regular Expression Analysis" on page 47

LIM License Properties

The properties for the fortify-sca.properties file in the following table apply to licensing with
the LIM.

Property Name Description

com.fortify.sca. Specifies the LIM server API URL. Do not edit this value directly with a text editor. Use
lim.Url the command-line option to change this value.

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 181 of 216
User Guide
Appendix B: Configuration Options

Property Name Description

Value Type: String

Default: (none)

Command-Line Option: -store-license-pool-credentials

Example: https://<ip_address>/LIM.REST.API

com.fortify.sca. Specifies the LIM license pool name. Do not edit this value directly with a text editor.
lim.PoolName Use the command-line option to change this value.
Value Type: String
Default: (none)

Command-Line Option: -store-license-pool-credentials

com.fortify.sca. Specifies the LIM license pool password (encrypted). Do not edit this value directly
lim.PoolPassword with a text editor. Use the command-line option to change this value.
Value Type: String
Default: (none)

Command-Line Option: -store-license-pool-credentials

com.fortify.sca. Specifies the proxy server used to connect to the LIM server.
lim.ProxyUrl
Value Type: String
Default: (none)
Examples:
http://proxy.example.com:8080
https://proxy.example.com
Command-Line Option: -store-license-pool-credentials

com.fortify.sca. Specifies an encrypted user name for proxy authentication to connect to the LIM
lim.ProxyUsername server. Do not edit this value directly with a text editor. Use the command-line option
to change this value.
Value Type: String
Default: (none)

Command-Line Option: -store-license-pool-credentials

com.fortify.sca. Specifies an encrypted password for proxy authentication to connect to the LIM
lim.ProxyPassword server. Do not edit this value directly with a text editor. Use the command-line option
to change this value.
Value Type: String
Default: (none)

Command-Line Option: -store-license-pool-credentials

com.fortify.sca. If set to true, any attempt to connect to the LIM server without a trusted certificate
lim.RequireTrustedSSLCert fails. If this property is set to false, a warning message displays for any attempt to
connect to the LIM server without a trusted certificate.

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 182 of 216
User Guide
Appendix B: Configuration Options

Property Name Description

Value Type: Boolean

Default: true

com.fortify.sca. If set to true and LIM license pool credentials are stored, Fortify Static Code Analyzer
lim.WaitForInitialLicense waits for a LIM license to become available before starting a translation or scan. If this
property is set to false, Fortify Static Code Analyzer aborts if it cannot obtain a LIM
license.
Value Type: Boolean

Default: true

See Also
"LIM License Directives" on page 133

Rule Properties
The properties for the fortify-sca.properties file in the following table apply to rules (and
custom rules) and Rulepacks.

Property Name Description

com.fortify.sca. Sets the directory used to search for the Fortify provided encrypted rules files.
DefaultRulesDir
Value Type: String (path)
Default:
${com.fortify.Core}/config/rules

com.fortify.sca. Specifies a custom Rulepack or directory. If you specify a directory, all of the files in the
RulesFile directory with the .bin and .xml extensions are included.
Value Type: String (path)
Default: (none)

Command-Line Option: -rules

com.fortify.sca. Sets the directory used to search for custom rules.

CustomRulesDir
Value Type: String (path)
Default:
${com.fortify.Core}/config/customrules

com.fortify.sca. Specifies a list of file extensions for rules files. Any files in <sca_install_
RulesFileExtensions dir>/Core/config/rules (or a directory specified with the -rules option) whose
extension is in this list is included. The .bin extension is always included, regardless of the
value of this property. The delimiter for this property is the system path separator.
Value Type: String

Default: .xml

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 183 of 216
User Guide
Appendix B: Configuration Options

Property Name Description

com.fortify.sca. If set to true, rules from the default Rulepacks are not loaded. Fortify Static Code Analyzer
NoDefaultRules processes the Rulepacks for description elements and language libraries, but no rules are
processed.
Value Type: Boolean
Default: (none)

Command-Line Option: -no-default-rules

com.fortify.sca. If set to true, disables rules in default Rulepacks that lead directly to issues. Fortify Static
NoDefaultIssueRules Code Analyzer still loads rules that characterize the behavior of functions. This can be helpful
when creating custom issue rules.
Value Type: Boolean
Default: (none)

Command-Line Option: -no-default-issue-rules

com.fortify.sca. If set to true, disables source rules in the default Rulepacks. This can be helpful when
NoDefaultSourceRules creating custom source rules.

Note: Characterization source rules are not disabled.

Value Type: Boolean

Default: (none)

Command-Line Option: -no-default-source-rules

com.fortity.sca. If set to true, disables sink rules in the default Rulepacks. This can be helpful when creating
NoDefaultSinkRules custom sink rules.

Note: Characterization sink rules are not disabled.

Value Type: Boolean

Default: (none)

Command-Line Option: -no-default-sink-rules

Java and Kotlin Properties

The properties for the fortify-sca.properties file in the following table apply to the translation
of Java and Kotlin code.

Property Name Description

com.fortify.sca. Specifies the class path used to analyze Java or Kotlin source code. Separate multiple
JavaClasspath paths with semicolons (Windows) or colons (non-Windows).
Value Type: String (paths)
Default: (none)

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 184 of 216
User Guide
Appendix B: Configuration Options

Property Name Description

Command-Line Option: -cp or -classpath

com.fortify.sca. Specifies the Java source code version for Java or Kotlin translation.
JdkVersion
Value Type: String

Default: 1.8
Command-Line Option: -jdk or -source

com.fortify.sca. Specifies a semicolon- (Windows) or colon-separated (non-Windows) list of Java or Kotlin

JavaSourcepath source file directories that are not included in the scan but are used for name resolution.
The source path is similar to class path, except it uses source files rather than class files for
resolution.
Value Type: String (paths)
Default: (none)

Command-Line Option: -sourcepath

com.fortify.sca. Specifies the application server to process JSP files. The valid values are weblogic or
Appserver websphere.
Value Type: String
Default: (none)

Command-Line Option: -appserver

com.fortify.sca. Specifies the application server's home directory. For WebLogic, this is the path to the
AppserverHome directory that contains server/lib. For WebSphere, this is the path to the directory that
contains the JspBatchCompiler script.
Value Type: String (path)
Default: (none)

Command-Line Option: -appserver-home

com.fortify.sca. Specifies the version of the WebLogic or WebSphere application server.

AppserverVersion
Value Type: String
Default: (none)

Command-Line Option: -appserver-version

com.fortify.sca. Specifies directories to include implicitly on the class path for WebLogic and WebSphere
JavaExtdirs application servers.
Value Type: String
Default: (none)

Command-Line Option: -extdirs

com.fortify.sca. If set to true, Fortify Static Code Analyzer only translates Java source files that are
JavaSourcepathSearch referenced by the target file list. Otherwise, Fortify Static Code Analyzer translates all files
included in the source path.

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 185 of 216
User Guide
Appendix B: Configuration Options

Property Name Description

Value Type: Boolean

Default: true

com.fortify.sca. Specifies semicolon- or colon-separated list of directories of commonly used JAR files. JAR
DefaultJarsDirs files located in these directories are appended to the end of the class path option (-cp).
Value Type: String

Default: default_jars

com.fortify.sca. If set to true, Java bytecode is decompiled for the translation.

DecompileBytecode
Value Type: Boolean

Default: false

com.fortify.sca. If set to true, the JSP parser uses JSP security manager.
jsp.UseSecurityManager
Value Type: Boolean

Default: true

com.fortify.sca. Specifies the encoding for JSPs.

jsp.DefaultEncoding
Value Type: String (encoding)

Default: ISO-8859-1

com.fortify.sca. If set to true, enables additional filtering on JSP-related dataflow to reduce the amount of
jsp.LegacyDataflow spurious false positives detected.
Value Type: Boolean

Default: false
Command-Line Option: -legacy-jsp-dataflow

com.fortify.sca. Specifies the generation of the DefaultImpls class for methods with bodies in Kotlin
KotlinJvmDefault interfaces. The valid values are:
l
disable—Specifies to generate the DefaultImpls class for each interface that
contains methods with bodies.
l
all—Specifies to generate the DefaultImpls class if an interface is annotated with
@JvmDefaultWithCompatibility.
l
all-compatibility—Specifies to generate the DefaultImpls class unless an
interface is annotated with @JvmDefaultWithoutCompatibility.

Value Type: String

Default: disable

com.fortify.sca. If set to true, displays any unresolved types, fields, and functions referenced in translated
ShowUnresolvedSymbols Java source files at the end of the translation.
Value Type: Boolean

Default: false
Command-Line Option: -show-unresolved-symbols

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 186 of 216
User Guide
Appendix B: Configuration Options

See Also
"Translating Java Code" on page 49
"Translating Kotlin Code" on page 57

Visual Studio and MSBuild Projects Properties

The properties for the fortify-sca.properties file in the following table apply to the translation
of .NET projects and solutions.

Property Name Description

WinForms. Sets various .NET options.

TransformDataBindings
Value Type: Boolean and String
WinForms.
TransformMessageLoops Defaults and Examples:

WinForms. WinForms.TransformDataBindings=true
TransformChangeNotificationPattern
WinForms.TransformMessageLoops=true
WinForms.
WinForms.TransformChangeNotificationPattern=true
CollectionMutationMonitor.Label
WinForms.CollectionMutationMonitor.Label=
WinForms.
WinFormsDataSource
ExtractEventHandlers
WinForms.ExtractEventHandlers=true

com.fortify.sca. Specifies a semicolon-separated list of full paths to virtual roots used.

ASPVirtualRoots.<virtual_path>
Value Type: String
Default: (none)
Example:
com.fortify.sca.ASPVirtualRoots.Library=
c:\\WebServer\\CustomerTwo\\Stuff
com.fortify.sca.ASPVirtualRoots.Include=
c:\\WebServer\\CustomerOne\\inc

com.fortify.sca. If set to true, disables ASP external entries in the scan.

DisableASPExternalEntries
Value Type: Boolean

Default: false

See Also
"Translating Visual Studio Projects" on page 61

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 187 of 216
User Guide
Appendix B: Configuration Options

JavaScript and TypeScript Properties

The properties for the fortify-sca.properties file in the following table apply to the translation
of JavaScript and TypeScript code.

Property Name Description

com.fortify.sca. If set to true, Fortify Static Code Analyzer generates JavaScript code to model
EnableDOMModeling the DOM tree that an HTML file generated during the translation phase and
identifies DOM-related issues (such as cross-site scripting issues). Enable this
property if the code you are translating includes HTML files that have
embedded or referenced JavaScript code.

Note: Enabling this property can increase the translation time.

Value Type: Boolean

Default: false

com.fortify.sca. If you set the com.fortify.sca.EnableDOMModeling property to true, you

DOMModeling.tags can specify additional coma-separated HTML tags names for Fortify Static
Code Analyzer to include in the DOM modeling.
Value Type: String

Default: body, button, div, form, iframe, input, head, html, and p.
Example:
com.fortify.sca.DOMModeling.tags=ul,li

com.fortify.sca. Specifies trusted domain names where Fortify Static Code Analyzer can
JavaScript.src.domain.whitelist download referenced JavaScript files for the scan. Delimit the URLs with
vertical bars.
Value Type: String
Default: (none)

Example: com.fortify.sca.JavaScript.
src.domain.whitelist=
http://www.xyz.com|http://www.123.org

com.fortify.sca. If set to true, JavaScript code embedded in JSP, JSPX, PHP, and HTML files is
DisableJavascriptExtraction not extracted and not scanned.
Value Type: Boolean

Default: false

com.fortify.sca. Specifies a list of comma- or colon-separated JavaScript technology library

skip.libraries.ES6 files that are not translated. You can use regular expressions in the file names.
com.fortify.sca. Note that the regular expression '(-\d\.\d\.\d)?' is automatically inserted
skip.libraries.jQuery before .min.js or .js for each file name included in the
com.fortify.sca.skip.libraries.jQuery property value.
com.fortify.sca.
skip.libraries.javascript Value Type: String

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 188 of 216
User Guide
Appendix B: Configuration Options

Property Name Description

com.fortify.sca. Defaults:
skip.libraries.typescript l
ES6: es6-shim.min.js,system-polyfills.js,
shims_for_IE.js
l
jQuery: jquery.js,jquery.min.js,
jquery-migrate.js,jquery-migrate.min.js,
jquery-ui.js,jquery-ui.min.js,
jquery.mobile.js,jquery.mobile.min.js,
jquery.color.js,jquery.color.min.js,
jquery.color.svg-names.js,
jquery.color.svg-names.min.js,
jquery.color.plus-names.js,
jquery.color.plus-names.min.js,
jquery.tools.min.js
l
javascript: bootstrap.js,
bootstrap.min.js,
typescript.js,
typescriptServices.js
l
typescript: typescript.d.ts,
typescriptServices.d.ts

com.fortify.sca. If set to true, files included with an import statement are included in the
follow.imports JavaScript translation.
Value Type: Boolean

Default: true

com.fortify.sca. If set to true, only imported node_modules are included in the JavaScript
exclude.unimported.node.modules translation.
Value Type: Boolean

Default: true

See Also
"Translating JavaScript and TypeScript Code" on page 70

Python Properties
The properties for the fortify-sca.properties file in the following table apply to the translation
of Python code.

Property Name Description

com.fortify.sca. Specifies a semicolon-separated (Windows) or colon-separated (non-Windows) list

PythonPath of additional import directories. Fortify Static Code Analyzer does not respect
PYTHONPATH environment variable that the Python runtime system uses to find
import files. Use this property to specify the additional import directories.
Value Type: String (path)

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 189 of 216
User Guide
Appendix B: Configuration Options

Property Name Description

Default: (none)

Command-Line Option: -python-path

com.fortify.sca. Specifies the Python source code version to scan. The valid values are 2 and 3.
PythonVersion
Value Type: Number

Default: 2
Command-Line Option: -python-version

com.fortify.sca. If set to true, disables the automatic calculation of a common root directory of all
PythonNoAutoRootCalculation project files to use for importing modules and packages For more details, see
"Including Imported Modules and Packages" on page 74.
Value Type: Boolean

Default: false
Command-Line Option: -python-no-auto-root-calculation

com.fortify.sca. Specifies semicolon-separated (Windows) or colon-separated (non-Windows) list of

DjangoTemplateDirs paths for Django templates. Fortify Static Code Analyzer does not use the
TEMPLATE_DIRS setting from the Django settings.py file.
Value Type: String (paths)
Default: (none)

Command-Line Option: -django-template-dirs

com.fortify.sca. Specifies that Fortify Static Code Analyzer does not automatically discover Django
DjangoDisableAutodiscover templates.
Value Type: Boolean
Default: (none)

Command-Line Option: -django-disable-autodiscover

See Also
"Translating Python Code" on page 74

Go Properties
The properties for the fortify-sca.properties file in the following table apply to the translation
of Go code.

Property Name Description

com.fortify.sca. Specifies the root directory of your project/workspace.

GOPATH
Value Type: String
Default: (GOPATH system environment variable)

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 190 of 216
User Guide
Appendix B: Configuration Options

Property Name Description

com.fortify.sca. Specifies the location of the Go installation.

GOROOT
Value Type: String
Default: (GOROOT system environment variable)

com.fortify.sca. Specifies one or more comma-separated proxy URLs. You can also specify direct or off.
GOPROXY
Value Type: String
Default: (GOPROXY system environment variable)

See Also
"Translating Go Code" on page 81

Ruby Properties
The properties for the fortify-sca.properties file in the following table apply to the translation
of Ruby code.

Property Name Description

com.fortify.sca. Specifies one or more paths to directories that contain Ruby libraries.
RubyLibraryPaths
Value Type: String (path)
Default: (none)

Command-Line Option: -ruby-path

com.fortify.sca. Specifies one or more paths to RubyGems locations. Set this value if the project has associated
RubyGemPaths gems to scan.
Value Type: String (path)
Default: (none)

Command-Line Option: -rubygem-path

See Also
"Translating Ruby Code" on page 86

COBOL Properties
The properties for the fortify-sca.properties file in the following table apply to the translation
of COBOL code.

Property Name Description

com.fortify.sca. Specifies one or more semicolon- or colon-separated directories where Fortify Static Code
CobolCopyDirs Analyzer looks for copybook files.

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 191 of 216
User Guide
Appendix B: Configuration Options

Property Name Description

Value Type: String (path)

Default: (none)

Command-Line Option: -copydirs

com.fortify.sca. Specifies the COBOL dialect. The valid values for dialect are COBOL390 or MICROFOCUS.
CobolDialect The dialect value is case-insensitive.
Value Type: String
Default: COBOL390

Command-Line Option: -dialect

com.fortify.sca. Specifies one or more semicolon-separated COBOL checker directives.

CobolCheckerDirectives
Value Type: String
Default: (none)

Command-Line Option: -checker-directives

com.fortify.sca. If set to true, enables legacy COBOL translation.

CobolLegacy
Value Type: Boolean

Default: false
Command-Line Option: -cobol-legacy

com.fortify.sca. If set to true, specifies fixed-format COBOL to direct Fortify Static Code Analyzer to only
CobolFixedFormat look for source code between columns 8-72 in all lines of code (legacy COBOL translation
only).
Value Type: Boolean

Default: false
Command-Line Option: -fixed-format

com.fortify.sca. Specifies one or more semicolon- or colon-separated copybook file extensions (legacy
CobolCopyExtensions COBOL translation only).
Value Type: String
Default: (none)

Command-Line Option: -copy-extensions

See Also
"Translating COBOL Code" on page 88

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 192 of 216
User Guide
Appendix B: Configuration Options

Apex Properties
The properties for the fortify-sca.properties file in the following table apply to the translation
of Apex and Visualforce code.

Property Name Description

com.fortify.sca. If set to true, Fortify Static Code Analyzer uses Apex translation for files with the .cls extension
Apex and Visualforce translation for files with the .component extension.
Value Type: Boolean

Default: false
Command-Line Option: -apex

See Also
"Translating Salesforce Apex and Visualforce Code" on page 93

PHP Properties
The properties for the fortify-sca.properties file in the following table apply to the translation
of PHP code.

Property Name Description

com.fortify.sca. Specifies the PHP version. For a list of valid versions, see the Fortify Software System
PHPVersion Requirements document.
Value Type: String

Default: 7.4
Command-Line Option: -php-version

com.fortify.sca. Specifies the PHP source root.

PHPSourceRoot
Value Type: Boolean
Default: (none)

Command-Line Option: -php-source-root

See Also
"Translating PHP Code" on page 96

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 193 of 216
User Guide
Appendix B: Configuration Options

ABAP Properties
The properties described in the following table apply to the translation of ABAP code.

Property Name Description

com.fortify.sca. If set to true, Fortify Static Code Analyzer adds ABAP statements to debug messages.
AbapDebug
Value Type: Boolean
Default: (none)

com.fortify.sca. When Fortify Static Code Analyzer encounters an ABAP 'INCLUDE' directive, it looks in the named
AbapIncludes directory.
Value Type: String (path)
Default: (none)

Flex and ActionScript Properties

The properties for the fortify-sca.properties file in the following table apply to the translation
of Flex and ActionScript code.

Property Name Description

com.fortify.sca. Specifies a semicolon-separated (Windows) or colon-separated (non-Windows) of libraries to "link"

FlexLibraries to. This list must include flex.swc, framework.swc, and playerglobal.swc (which are usually
located in the frameworks/libs directory in your Flex SDK root). Use this property primarily to
resolve ActionScript.
Value Type: String (path)
Default: (none)

Command-Line Option: -flex-libraries

com.fortify.sca. Specifies the root location of a valid Flex SDK. The folder must contain a frameworks folder that
FlexSdkRoot contains a flex-config.xml file. It must also contain a bin folder that contains an mxmlc
executable.
Value Type: String (path)
Default: (none)

Command-Line Option: -flex-sdk-root

com.fortify.sca. Specifies any additional source directories for a Flex project. Separate multiple directories with
FlexSourceRoots semicolons (Windows) or colons (non-Windows).
Value Type: String (path)
Default: (none)

Command-Line Option: -flex-source-root

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 194 of 216
User Guide
Appendix B: Configuration Options

ColdFusion (CFML) Properties

The properties for the fortify-sca.properties file in the following table apply to the translation
of CFML code.

Property Name Description

com.fortify.sca. If set to true, Fortify Static Code Analyzer treats undefined variables in CFML
CfmlUndefinedVariablesAreTainted pages as tainted. This serves as a hint to the Dataflow Analyzer to watch out
for register-globals-style vulnerabilities. However, enabling this property
interferes with dataflow findings where a variable in an included page is
initialized to a tainted value in an earlier-occurring included page.
Value Type: Boolean

Default: false

com.fortify.sca. If set to true, make CFML files case-insensitive for applications developed
CaseInsensitiveFiles using a case-insensitive file system and scanned on case-sensitive file
systems.
Value Type: Boolean
Default: (not enabled)

com.fortify.sca. Specifies the base directory for ColdFusion projects.

SourceBaseDir
Value Type: String (path)
Default: (none)

Command-Line Option: -source-base-dir

See Also
"Translating ColdFusion Code" on page 108

SQL Properties
The properties for the fortify-sca.properties file in the following table apply to the translation
of SQL code.

Property Name Description

com.fortify.sca. Specifies the SQL language variant. The valid SQL language type values are PLSQL (for Oracle
SqlLanguage PL/SQL) and TSQL (for Microsoft T-SQL).
Value Type: String

Default: TSQL
Command-Line Option: -sql-language

See Also
"Translating SQL" on page 109

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 195 of 216
User Guide
Appendix B: Configuration Options

Output Properties
The properties for the fortify-sca.properties file in the following table apply to the analysis
output.

Property Name Description

com.fortify.sca. The file to which results are written.

ResultsFile
Value Type: String
Default: (none)

Command-Line Option: -f
Example: com.fortify.sca.ResultsFile=MyResults.fpr

com.fortify.sca. Controls the output format. The valid values are fpr, fvdl, text, and auto. The default
Renderer of auto selects the output format based on the file extension of the file provided with
the -f option.
Value Type: String

Default: auto
Command-Line Option: -format

com.fortify.sca. If set to true, Fortify Static Code Analyzer appends results to an existing results file.
OutputAppend
Value Type: Boolean

Default: false
Command-Line Option: -append

com.fortify.sca. If set to true, Fortify Static Code Analyzer prints results as they become available. This
ResultsAsAvailable is helpful if you do not specify the -f option (to specify an output file) and print to
stdout.
Value Type: Boolean

Default: false

com.fortify.sca. Specifies a label for the scanned project. Fortify Static Code Analyzer does not use this
BuildLabel label but includes it in the results.
Value Type: String
Default: (none)

Command-Line Option: -build-label

com.fortify.sca. Specifies a name for the scanned project. Fortify Static Code Analyzer does not use this
BuildProject name but includes it in the results.
Value Type: String
Default: (none)

Command-Line Option: -build-project

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 196 of 216
User Guide
Appendix B: Configuration Options

Property Name Description

com.fortify.sca. Specifies a version number for the scanned project. Fortify Static Code Analyzer does
BuildVersion not use this version number but it is included in the results.
Value Type: String
Default: (none)

Command-Line Option: -build-version

com.fortify.sca. Output information in a format that scripts or Fortify Static Code Analyzer tools can use
MachineOutputMode rather than printing output interactively. Instead of a single line to display scan
progress, a new line is printed below the previous one on the console to display updated
progress.
Value Type: Boolean
Default: (not enabled)

Command-Line Option: -machine-output

com.fortify.sca. Sets the number of lines of code to display surrounding an issue. The two lines of code
SnippetContextLines on each side of the line where the error occurs are always included. By default, five lines
are displayed.
Value Type: Number

Default: 2

com.fortify.sca. If set to true, excludes Fortify security content descriptions from the analysis results file
FVDLDisableDescriptions (FVDL).
Value Type: Boolean

Default: false
Command-Line Option: -fvdl-no-descriptions

com.fortify.sca. If set to true, excludes engine data from the analysis results file (FVDL).
FVDLDisableEngineData
Value Type: Boolean

Default: false
Command-Line Option:-fvdl-no-enginedata

com.fortify.sca. If set to true, excludes label evidence from the analysis results file (FVDL).
FVDLDisableLabelEvidence
Value Type: Boolean

Default: false

com.fortify.sca. If set to true, excludes the ProgramData section from the analysis results file (FVDL).
FVDLDisableProgramData
Value Type: Boolean

Default: false
Command-Line Option: -fvdl-no-progdata

com.fortify.sca. If set to true, excludes code snippets from the analysis results file (FVDL).
FVDLDisableSnippets
Value Type: Boolean

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 197 of 216
User Guide
Appendix B: Configuration Options

Property Name Description

Default: false
Command-Line Option: -fvdl-no-snippets

com.fortify.sca. Specifies location of the style sheet for the analysis results.
FVDLStylesheet
Value Type: String (path)
Default:
${com.fortify.Core}/resources/sca/fvdl2html.xsl

Mobile Build Sessions (MBS) Properties

The properties for the fortify-sca.properties file in the following table apply to MBS files.
Property Name Description

com.fortify.sca. If set to true, Fortify Static Code Analyzer copies source files into the build session directory.
MobileBuildSessions
Value Type: Boolean

Default: false

com.fortify.sca. If set to true, Fortify Static Code Analyzer extracts the build ID and the Fortify Static Code
ExtractMobileInfo Analyzer version number from the mobile build session.

Note: Fortify Static Code Analyzer does not extract the mobile build with this property.

Value Type: Boolean

Default: false

See Also
"Mobile Build Sessions" on page 43

Logging Properties
The properties for the fortify-sca.properties file in the following table apply to log files.
Property Name Description

com.fortify.sca. Specifies the default log file name and location.

LogFile
Value Type: String (path)
Default:
${com.fortify.sca.ProjectRoot}/log/sca.log
and ${com.fortify.sca.ProjectRoot}/log/sca_FortifySupport.log
Command-Line Option: -logfile

com.fortify.sca. Specifies the minimum log level for both log files. The valid values are DEBUG,
LogLevel INFO, WARN, ERROR, and FATAL. For more information, see "Locating the Log

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 198 of 216
User Guide
Appendix B: Configuration Options

Property Name Description

Files" on page 163 and "Configuring Log Files" on page 163.

Value Type: String

Default: INFO

com.fortify.sca. If set to true, Fortify Static Code Analyzer overwrites the log file for each run of
ClobberLogFile sourceanalyzer.
Value Type: Boolean

Default: false
Command-Line Option: -clobber-log

com.fortify.sca. If set to true, Fortify Static Code Analyzer writes performance-related data to the
PrintPerformanceDataAfterScan Fortify Support log file after the scan is complete. This value is automatically set
to true when in debug mode.
Value Type: Boolean

Default: false

See Also
"Configuring Log Files" on page 163

Debug Properties
The properties for the fortify-sca.properties file in the following table apply to debug settings.
Property Name Description

com.fortify.sca. Includes debug information in the Fortify Support log file, which is only useful for Micro
Debug Focus Fortify Customer Support to help troubleshoot.
Value Type: Boolean

Default: false
Command-Line Option: -debug

com.fortify.sca. This is the same as the com.fortify.sca.Debug property, but it includes more details,
DebugVerbose specifically for parse errors.
Value Type: Boolean
Default: (not enabled)

Command-Line Option: -debug-verbose

com.fortify.sca. If set to true, includes verbose messages in the Fortify Support log file.
Verbose
Value Type: Boolean

Default: false
Command-Line Option: -verbose

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 199 of 216
User Guide
Appendix B: Configuration Options

Property Name Description

com.fortify.sca. If set to true, additional performance information is written to the Fortify Support log.
DebugTrackMem
Value Type: Boolean
Default: (not enabled)

Command-Line Option: -debug-mem

com.fortify.sca. If set to true, enables additional timers to track performance.

CollectPerformanceData
Value Type: Boolean
Default: (not enabled)

com.fortify.sca. If set to true, disables the command-line progress information.

Quiet
Value Type: Boolean

Default: false
Command-Line Option: -quiet

com.fortify.sca. If set to true, Fortify Static Code Analyzer monitors its memory use and warns when JVM
MonitorSca garbage collection becomes excessive.
Value Type: Boolean

Default: true

fortify-sca-quickscan.properties
Fortify Static Code Analyzer offers a less in-depth scan known as a quick scan. This option scans the
project in quick scan mode, using the property values in the fortify-sca-quickscan.properties
file. By default, a quick scan reduces the depth of the analysis and applies the Quick View filter set.
The Quick View filter set provides only critical and high priority issues.

Note: Properties in this file are only used if you specify the -quick option on the command line
for your scan.

The following table provides two sets of default values: the default value for quick scans and the
default value for normal scans. If only one default value is shown, the value is the same for both
normal scans and quick scans.

Property Name Description

com.fortify.sca. Sets the time limit (in milliseconds) for Control Flow analysis on a single
CtrlflowMaxFunctionTime function.
Value Type: Integer

Quick Scan Default: 30000

Default: 600000

com.fortify.sca. Specifies a comma- or colon-separated list of analyzers to disable during a

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 200 of 216
User Guide
Appendix B: Configuration Options

Property Name Description

DisableAnalyzers scan. The valid analyzer names are buffer, content, configuration,
controlflow, dataflow, nullptr, semantic, and structural.
Value Type: String

Quick Scan Default: controlflow:buffer

Default: (none)

com.fortify.sca. Specifies the filter set to use. You can use this property with an issue
FilterSet template to filter at scan-time instead of post-scan. See
com.fortify.sca.ProjectTemplate described in "Translation and
Analysis Phase Properties" on page 173 to specify an issue template that
contains the filter set to use.

When set to Quick View, this property runs rules that have a potentially
high impact and a high likelihood of occurring and rules that have a
potentially high impact and a low likelihood of occurring. Filtered issues are
not written to the FPR and therefore this can reduce the size of an FPR. For
more information about filter sets, see the Fortify Audit Workbench User
Guide.
Value Type: String

Quick Scan Default: Quick View

Default: (none)

com.fortify.sca. Disables the creation of the metatable, which includes information for the
FPRDisableMetatable Function view in Micro Focus Fortify Audit Workbench. This metatable
enables right-click on a variable in the source window to show the
declaration. If C/C++ scans take an extremely long time, setting this property
to true can potentially reduce the scan time by hours.
Value Type: Boolean

Quick Scan Default: true

Default: false
Command-Line Option: -disable-metatable

com.fortify.sca. Disables source code inclusion in the FPR file. Prevents Fortify Static Code
FPRDisableSourceBundling Analyzer from generating marked-up source code files during a scan. If you
plan to upload FPR files that are generated as a result of a quick scan to
Fortify Software Security Center, you must set this property to false.
Value Type: Boolean

Quick Scan Default: true

Default: false
Command-Line Option: -disable-source-bundling

com.fortify.sca. Sets the time limit (in milliseconds) for Null Pointer analysis for a single
NullPtrMaxFunctionTime function. The standard default is five minutes. If this value is set to a shorter
limit, the overall scan time decreases.

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 201 of 216
User Guide
Appendix B: Configuration Options

Property Name Description

Value Type: Integer

Quick Scan Default: 10000

Default: 300000

com.fortify.sca. Disables path tracking for Control Flow analysis. Path tracking provides more
TrackPaths detailed reporting for issues, but requires more scan time. To disable this for
JSP only, set it to NoJSP. Specify None to disable all functions.
Value Type: String
Quick Scan Default: (none)

Default: NoJSP

com.fortify.sca. Specifies the size limit for complex calculations in the Buffer Analyzer. Skips
limiters.ConstraintPredicateSize calculations that are larger than the specified size value in the Buffer
Analyzer to improve scan time.
Value Type: Integer

Quick Scan Default: 10000

Default: 500000

com.fortify.sca. Controls the maximum call depth through which the Dataflow Analyzer tracks
limiters.MaxChainDepth tainted data. Increase this value to increase the coverage of dataflow
analysis, which results in longer scan times.

Note: Call depth refers to the maximum call depth on a dataflow path
between a taint source and sink, rather than call depth from the
program entry point, such as main().

Value Type: Integer

Quick Scan Default: 3

Default: 5

com.fortify.sca. Sets the number of times taint propagation analyzer visits functions.
limiters.MaxFunctionVisits
Value Type: Integer

Quick Scan Default: 5

Default: 50

com.fortify.sca. Controls the maximum number of paths to report for a single dataflow
limiters.MaxPaths vulnerability. Changing this value does not change the results that are found,
only the number of dataflow paths displayed for an individual result.

Note: Fortify does not recommend setting this property to a value

larger than 5 because it might increase the scan time.

Value Type: Integer

Quick Scan Default: 1

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 202 of 216
User Guide
Appendix B: Configuration Options

Property Name Description

Default: 5

com.fortify.sca. Sets a complexity limit for the Dataflow Analyzer. Dataflow incrementally
limiters.MaxTaintDefForVar decreases precision of analysis on functions that exceed this complexity
metric for a given precision level.
Value Type: Integer

Quick Scan Default: 250

Default: 1000

com.fortify.sca. Sets a hard limit for function complexity. If complexity of a function exceeds
limiters.MaxTaintDefForVarAbort this limit at the lowest precision level, the analyzer skips analysis of the
function.
Value Type: Integer

Quick Scan Default: 500

Default: 4000

fortify-rules.properties
This topic describes the properties available for use in the fortify-rules.properties file. Use
these properties to modify behavior of individual rules or provide information that can improve how
rules identify weaknesses.

Property Name Description

com.fortify.sca.rules. The regular expression to match password identifiers across all

password_regex.global languages unless a language-specific rules property is set.
Value Type: String

Default: (?i)(s|_)?
(user|usr|member|admin|guest|login|default|
new|current|old|client|server|proxy|sqlserver|
my|mysql|mongo|mongodb|db|database|ldap|smtp|
email|email(_)?smtp)?(_|\.)?pass(wd|word|phrase)

com.fortify.sca.rules Regular expression to match password identifiers in ABAP code.

.password_regex.abap Setting this property overrides the global regex password rules
property.
Value Type: String
Default: (none)

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 203 of 216
User Guide
Appendix B: Configuration Options

Property Name Description

com.fortify.sca.rules. Regular expression to match password identifiers in ActionScript

password_ code. Setting this property overrides the global regex password
regex.actionscript rules property.
Value Type: String
Default: (none)

com.fortify.sca.rules. Regular expression to match password identifiers in ColdFusion

password_regex.cfml (CFML) code. Setting this property overrides the global regex
password rules property.
Value Type: String
Default: (none)

com.fortify.sca.rules. Regular expression to match password identifiers in COBOL code.

password_regex.cobol Setting this property overrides the global regex password rules
property.
Value Type: String
Default: (none)

com.fortify.sca.rules. Regular expression to match password identifiers in XML. Setting

password_regex.config this property overrides the global regex password rules property.
Do not use regular expression modifiers. The value is case-
insensitive.
Value Type: String

Default: (s|_)?
(user|usr|member|admin|guest|login|default|
new|current|old|client|server|proxy|sqlserver|
my|mysql|mongo|mongodb|db|database|ldap|smtp|
email|email(_)?smtp)?(_|\.)?pass(wd|word|phrase)

com.fortify.sca.rules. Regular expression to match password identifiers in C and C++

password_regex.cpp code. Setting this property overrides the global regex password
rules property.
Value Type: String
Default: (none)

com.fortify.sca.rules. Regular expression to match password identifiers in .NET code.

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 204 of 216
User Guide
Appendix B: Configuration Options

Property Name Description

password_regex.dotnet Setting this property overrides the global regex password rules
property.
Value Type: String
Default: (none)

com.fortify.sca.rules. Regular expression to match password identifiers in Dockerfiles.

password_regex.docker Setting this property overrides the global regex password rules
property.
Value Type: String

Default: .*pass(wd|word|phrase).*

com.fortify.sca.rules. Regular expression to match password identifiers in Go code.

password_regex.golang Setting this property overrides the global regex password rules
property.
Value Type: String
Default: (none)

com.fortify.sca.rules. Regular expression to match password identifiers in Java code.

password_regex.java Setting this property overrides the global regex password rules
property.
Value Type: String
Default: (none)

com.fortify.sca.rules. Regular expression to match password identifiers in JavaScript

password_ and TypeScript code. Setting this property overrides the global
regex.javascript regex password rules property.
Value Type: String
Default: (none)

com.fortify.sca.rules. Regular expression to match password identifiers in JSON.

password_regex.json Setting this property overrides the global regex password rules
property.
Value Type: String

Default: (?i).*pass(wd|word|phrase).*

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 205 of 216
User Guide
Appendix B: Configuration Options

Property Name Description

com.fortify.sca.rules. Regular expression used to match password identifiers in JSP

password_regex.jsp code. Setting this property overrides the global regex password
rules property.
Value Type: String
Default: (none)

com.fortify.sca.rules. Regular expression to match password identifiers in Objective-C

password_regex.objc and Objective-C++ code. Setting this property overrides the
global regex password rules property.
Value Type: String

Default: (?i)(s|_)?
(user|usr|member|admin|guest|login|default|
new|current|old|client|server|proxy|sqlserver|
my|mysql|mongo|mongodb|db|database|ldap|smtp|
email|email(_)?smtp)?(_|\.)?token|pin|pass
(wd|word|phrase))

com.fortify.sca.rules. Regular expression to match password identifiers in PHP code.

password_regex.php Setting this property overrides the global regex password rules
property.
Value Type: String
Default: (none)

com.fortify.sca.rules. Regular expression to match password identifiers in Properties

password_ files. Setting this property overrides the global regex password
regex.properties rules property.
Value Type: String
Default: (none)

com.fortify.sca.rules. Regular expression to match password identifiers in Python code.

password_regex.python Setting this property overrides the global regex password rules
property.
Value Type: String
Default: (none)

com.fortify.sca.rules. Regular expression to match password identifiers in Ruby code.

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 206 of 216
User Guide
Appendix B: Configuration Options

Property Name Description

password_regex.ruby Setting this property overrides the global regex password rules
property.
Value Type: String
Default: (none)

com.fortify.sca.rules. Regular expression to match password identifiers in SQL code.

password_regex.sql Setting this property overrides the global regex password rules
property.
Value Type: String
Default: (none)

com.fortify.sca.rules. Regular expression to match password identifiers in Swift code.

password_regex.swift Setting this property overrides the global regex password rules
property.
Value Type: String

Default: (?i)(s|_)?
(user|usr|member|admin|guest|login|default|
new|current|old|client|server|proxy|sqlserver|
my|mysql|mongo|mongodb|db|database|ldap|smtp|
email|email(_)?smtp)?(_|\.)?(token|pin|pass
(wd|word|phrase))

com.fortify.sca.rules. Regular expression to match password identifiers in VB6 code.

password_regex.vb Setting this property overrides the global regex password rules
property.
Value Type: String
Default: (none)

com.fortify.sca.rules. Regular expression to match password identifiers in YAML.

password_regex.yaml Setting this property overrides the global regex password rules
property.
Value Type: String

Default: (?i).*pass(wd|word|phrase).*

com.fortify.sca.rules. The regular expression to match key identifiers across all

key_regex.global languages unless a language-specific regex key rules property is

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 207 of 216
User Guide
Appendix B: Configuration Options

Property Name Description

set.
Value Type: String

Default: (?i)((enc|dec)
(ryption|rypt)?|crypto|secret|private)(_)?key

com.fortify.sca.rules. Regular expression to match key identifiers in ABAP code. Setting

key_regex.abap this property overrides the global regex key rules property.
Value Type: String
Default: (none)

com.fortify.sca.rules. Regular expression to match key identifiers in ActionScript code.

key_regex.actionscript Setting this property overrides the global regex key rules
property.
Value Type: String
Default: (none)

com.fortify.sca.rules. Regular expression to match key identifiers in CFML code. Setting

key_regex.cfml this property overrides the global regex key rules property.
Value Type: String
Default: (none)

com.fortify.sca.rules. Regular expression to match key identifiers in C and C++ code.

key_regex.cpp Setting this property overrides the global regex key rules
property.
Value Type: String
Default: (none)

com.fortify.sca.rules. Regular expression to match key identifiers in Go code. Setting

key_regex.golang this property overrides the global regex key rules property.
Value Type: String
Default: (none)

com.fortify.sca.rules. Regular expression to match key identifiers in Java code. Setting

key_regex.java this property overrides the global regex key rules property.

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 208 of 216
User Guide
Appendix B: Configuration Options

Property Name Description

Value Type: String

Default: (none)

com.fortify.sca.rules. Regular expression to match key identifiers in JavaScript and

key_regex.javascript TypeScript code. Setting this property overrides the global regex
key rules property.
Value Type: String
Default: (none)

com.fortify.sca.rules. Regular expression to match key identifiers in JSP code. Setting

key_regex.jsp this property overrides the global regex key rules property.
Value Type: String
Default: (none)

com.fortify.sca.rules. Regular expression used to match key identifiers in Objective-C

key_regex.objc and Objective-C++ code. Setting this property overrides the
global regex key rules property.
Value Type: String
Default: (none)

com.fortify.sca.rules. Regular expression to match key identifiers in PHP code. Setting

key_regex.php this property overrides the global regex key rules property.
Value Type: String
Default: (none)

com.fortify.sca.rules. Regular expression to match key identifiers in Python code.

key_regex.python Setting this property overrides the global regex key rules
property.
Value Type: String
Default: (none)

com.fortify.sca.rules. Regular expression used to match key identifiers in Ruby code.

key_regex.ruby Setting this property overrides the global regex key rules
property.
Value Type: String

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 209 of 216
User Guide
Appendix B: Configuration Options

Property Name Description

Default: (none)

com.fortify.sca.rules. Regular expression to match key identifiers in SQL code. Setting

key_regex.sql this property overrides the global regex key rules property.
Default: (none)

com.fortify.sca.rules. Regular expression used to match key identifiers in Swift code.

key_regex.swift Setting this property overrides the global regex key rules
property.
Value Type: String
Default: (none)

com.fortify.sca.rules. Regular expression to match key identifiers in Visual Basic 6 code.

key_regex.vb Setting this property overrides the global regex key rules
property.
Value Type: String
Default: (none)

com.fortify.sca.rules. Name of the serverless function called when no JSON/YAML

GCPFunctionName cloud build config file exists.
Value Type: String
Default: (none)

com.fortify.sca.rules. If set to true, the scanned cloud function is an HTTP trigger.

GCPHttpTrigger
Value Type: Boolean

Default: false

com.fortify.sca.rules. If set to true and Fortify Static Code Analyzer scans an

enable_wi_correlation application with a supported framework, produces a results file to
be imported into Fortify WebInspect to improve results.
Value Type: Boolean

Default: false

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 210 of 216
Appendix C: Fortify Java Annotations
Fortify provides two versions of the Java Fortify annotations library.
l
Annotations with the retention policy set to CLASS (FortifyAnnotations-CLASS.jar).
With this version of the library, Fortify annotations are propagated to the bytecode during
compilation.
l
Annotations with the retention policy set to SOURCE (FortifyAnnotations-SOURCE.jar).
With this version of the library, Fortify annotations are not propagated to the bytecode after the
code that uses them is compiled.

If you use Fortify products to analyze bytecode of your applications (for example, with Fortify on
Demand assessments), then use the version with the annotation retention policy set to CLASS. If you
use Fortify products to analyze the source code of your applications, you can use either version of the
library. However, Fortify strongly recommends that you use the library with a retention policy set to
SOURCE.

Important! Leaving Fortify annotations in production code is a security risk because they can
leak information about potential security problems in the code. Fortify recommends that you use
annotations with the retention policy set to CLASS only for internal Fortify analysis, and never
use them in your application production builds.

This section outlines the annotations available. A sample application is included in the Fortify_SCA_
Samples_<version>.zip archive in the advanced/javaAnnotations directory. A README.txt
file included in the directory describes the sample application, problems that might arise from it, and
how to fix these problems using Fortify Java Annotations.
There are two limitations with Fortify Java annotations:
l Each annotation can specify only one input and/or one output.
l You can apply only one annotation of each type to the same target.

Fortify provides three main types of annotations:

l "Dataflow Annotations" on the next page
l "Field and Variable Annotations" on page 214
l "Other Annotations" on page 215

You also can write rules to support your own custom annotations. Contact Micro Focus Fortify
Customer Support for more information.

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 211 of 216
User Guide
Appendix C: Fortify Java Annotations

Dataflow Annotations
There are four types of Dataflow annotations, similar to Dataflow rules: Source, Sink, Passthrough, and
Validate. All are applied to methods and specify the inputs and/or outputs by parameter name or the
strings this and return. Additionally, you can apply the Dataflow Source and Sink annotations to
the function arguments.

Source Annotations
The acceptable values for the annotation parameter are this, return, or a function parameter name.
For example, you can assign taint to an output of the target method.

@FortifyDatabaseSource("return")
String [] loadUserProfile(String userID) {
...
}

For example, you can assign taint to an argument of the target method.

void retrieveAuthCode(@FortifyPrivateSource String authCode) {

...
}

In addition to specific source annotations, Fortify provides a generic untrusted taint source called
FortifySource.
The following is a complete list of source annotations:
l
FortifySource
l
FortifyDatabaseSource
l
FortifyFileSystemSource
l
FortifyNetworkSource
l
FortifyPCISource
l
FortifyPrivateSource
l
FortifyWebSource

Passthrough Annotations
Passthrough annotations transfer any taint from an input to an output of the target method. It can
also assign or remove taint from the output, in the case of FortifyNumberPassthrough and
FortifyNotNumberPassthrough. The acceptable values for the in annotation parameter are this

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 212 of 216
User Guide
Appendix C: Fortify Java Annotations

or a function parameter name. The acceptable values for the out annotation parameter are this,
return, or a function parameter name.

@FortifyPassthrough(in="a",out="return")
String toLowerCase(String a) {
...
}

Use FortifyNumberPassthrough to indicate that the data is purely numeric. Numeric data cannot
cause certain types of issues, such as cross-site scripting, regardless of the source. Using
FortifyNumberPassthrough can reduce false positives of this type. If a program decomposes
character data into a numeric type (int, int[], and so on), you can use FortifyNumberPassthrough.
If a program concatenates numeric data into character or string data, then use
FortifyNotNumberPassthrough.
The following is a complete list of passthrough annotations:
l
FortifyPassthrough
l
FortifyNumberPassthrough
l
FortifyNotNumberPassthrough

Sink Annotations
Sink annotations report an issue when taint of the appropriate type reaches an input of the target
method. Acceptable values for the annotation parameter are this or a function parameter name.

@FortifyXSSSink("a")
void printToWebpage(int a) {
...
}

You can also apply the annotation to the function argument or the return parameter. In the following
example, an issue is reported when taint reaches the argument a.

void printToWebpage(int b, @FortifyXSSSink String a) {

...
}

The following is a complete list of the sink annotations:

l
FortifySink
l
FortifyCommandInjectionSink
l
FortifyPCISink
l
FortifyPrivacySink

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 213 of 216
User Guide
Appendix C: Fortify Java Annotations

l
FortifySQLSink
l
FortifySystemInfoSink
l
FortifyXSSSink

Validate Annotations
Validate annotations remove taint from an output of the target method. Acceptable values for the
annotation parameter are this, return, or a function parameter name.

@FortifyXSSValidate("return")
String xssCleanse(String a) {
...
}

The following is a complete list of validate sink annotations:

l
FortifyValidate
l
FortifyCommandInjectionValidate
l
FortifyPCIValidate
l
FortifyPrivacyValidate
l
FortifySQLValidate
l
FortifySystemInfoValidate
l
FortifyXSSValidate

Field and Variable Annotations

You can apply these annotations to fields and (in most cases) variables.

Password and Private Annotations

Use password and private annotations to indicate whether the target field or variable is a password or
private data.

@FortifyPassword String x;
@FortifyNotPassword String pass;
@FortifyPrivate String y;
@FortifyNotPrivate String cc;

In the previous example, string x will be identified as a password and checked for privacy violations
and hardcoded passwords. The string pass will not be identified as a password. Without the

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 214 of 216
User Guide
Appendix C: Fortify Java Annotations

annotation, it might cause false positives. The FortifyPrivate and FortifyNotPrivate

annotations work similarly, only they do not cause privacy violation issues.

Non-Negative and Non-Zero Annotations

Use these annotations to indicate disallowed values for the target field or variable.

@FortifyNonNegative int index;

@FortifyNonZero double divisor;

In the previous example, an issue is reported if a negative value is assigned to index or zero is
assigned to divisor.

Other Annotations
Check Return Value Annotation
Use the FortifyCheckReturnValue annotation to add a target method to the list of functions that
require a check of the return values.

@FortifyCheckReturnValue
int openFile(String filename){
...
}

Dangerous Annotations
With the FortifyDangerous annotation, any use of the target function, field, variable, or class is
reported. Acceptable values for the annotation parameter are CRITICAL, HIGH, MEDIUM, or LOW.
These values indicat how to categorize the issue based on the Fortify Priority Order values).

@FortifyDangerous{"CRITICAL"}
public class DangerousClass {
@FortifyDangerous{"HIGH"}
String dangerousField;
@FortifyDangerous{"LOW"}
int dangerousMethod() {
...
}
}

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 215 of 216
Send Documentation Feedback
If you have comments about this document, you can contact the documentation team by email.

Note: If you are experiencing a technical issue with our product, do not email the documentation
team. Instead, contact Micro Focus Fortify Customer Support at
https://www.microfocus.com/support so they can assist you.

If an email client is configured on this computer, click the link above to contact the documentation
team and an email window opens with the following information in the subject line:
Feedback on User Guide (Fortify Static Code Analyzer 23.1.0)
Just add your feedback to the email and click send.
If no email client is available, copy the information above to a new message in a web mail client, and
send your feedback to fortifydocteam@microfocus.com.
We appreciate your feedback!

Micro Focus Fortify Static Code Analyzer (23.1.0) Page 216 of 216