SCA Guide 20.2.0

Micro Focus
Fortify Static Code Analyzer

Software Version: 20.2.0
User Guide
Document Release Date: Revision 1: December 2020

Software Release Date: November 2020
User Guide
Legal Notices
Micro Focus
The Lawn
22-30 Old Bath Road
Newbury, Berkshire RG14 1QN
UK
https://www.microfocus.com
Warranty
The only warranties for products and services of Micro Focus and its affiliates and licensors (“Micro Focus”) are set forth in
the express warranty statements accompanying such products and services. Nothing herein should be construed as
constituting an additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained
herein. The information contained herein is subject to change without notice.
Restricted Rights Legend

Confidential computer software. Except as specifically indicated otherwise, a valid license from Micro Focus is required for
possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software
Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard
commercial license.
Copyright Notice
© Copyright 2003 - 2020 Micro Focus or one of its affiliates
Trademark Notices
All trademarks, service marks, product names, and logos included in this document are the property of their respective
owners.
Documentation Updates
The title page of this document contains the following identifying information:
l Software Version number
l Document Release Date, which changes each time the document is updated
l Software Release Date, which indicates the release date of this version of the software
This document was produced on December 09, 2020. To check for recent updates or to verify that you are using the most
recent edition of a document, go to:
https://www.microfocus.com/support/documentation
Micro Focus Fortify Static Code Analyzer (20.2.0) Page 2 of 216

User Guide
Contents
Preface 12
Contacting Micro Focus Fortify Customer Support 12
For More Information 12
About the Documentation Set 12
Change Log 13
Chapter 1: Introduction 17
Fortify Static Code Analyzer 17
Fortify ScanCentral SAST 18
Fortify Scan Wizard 18
Fortify Software Security Content 18
About the Analyzers 19
Related Documents 20
All Products 21
Micro Focus Fortify ScanCentral SAST 21
Micro Focus Fortify Software Security Center 22
Micro Focus Fortify Static Code Analyzer 22
Chapter 2: Installing Fortify Static Code Analyzer 25

Fortify Static Code Analyzer Component Applications 25
About Downloading the Software 27
About Installing Fortify Static Code Analyzer and Applications 27
Installing Fortify Static Code Analyzer and Applications 28
Installing Fortify Static Code Analyzer and Applications Silently (Unattended) 29
Installing Fortify Static Code Analyzer and Applications in Text-Based Mode on
Non-Windows Platforms 32
Manually Installing Fortify Security Content 32
Using Docker to Install and Run Fortify Static Code Analyzer 33
Creating a Dockerfile to Install Fortify Static Code Analyzer 33
Running the Container 34
Example Docker Run Commands for Translation and Scan 35

User Guide
About Upgrading Fortify Static Code Analyzer and Applications 35

Notes About Upgrading the Fortify Extension for Visual Studio 36
About Uninstalling Fortify Static Code Analyzer and Applications 36
Uninstalling Fortify Static Code Analyzer and Applications 36
Uninstalling Fortify Static Code Analyzer and Applications Silently 37
Uninstalling Fortify Static Code Analyzer and Applications in Text-Based Mode on Non-
Windows Platforms 37
Post-Installation Tasks 38
Running the Post-Install Tool 38
Migrating Properties Files 38
Specifying a Locale 39
Configuring for Security Content Updates 39
Configuring the Connection to Fortify Software Security Center 40
Removing Proxy Server Settings 40
Chapter 3: Analysis Process Overview 41

Analysis Process 41
Parallel Processing 42
Translation Phase 42
Mobile Build Sessions 43
Mobile Build Session Version Compatibility 43
Creating a Mobile Build Session 43
Importing a Mobile Build Session 43
Analysis Phase 44
Higher-Order Analysis 45
Modular Analysis 45
Modular Command-Line Examples 45
Translation and Analysis Phase Verification 46
Chapter 4: Translating Java Code 47

Java Command-Line Syntax 47
Java Command-Line Options 48
Java Command-Line Examples 50
Handling Resolution Warnings 50
Java Warnings 50
Using FindBugs 51

User Guide
Translating Java EE Applications 52

Translating Java Files 52
Translating JSP Projects, Configuration Files, and Deployment Descriptors 52
Java EE Translation Warnings 53
Translating Java Bytecode 53
Troubleshooting JSP Translation Issues 54
Chapter 5: Translating Kotlin Code 55

Kotlin Command-Line Syntax 55
Kotlin Command-Line Options 56
Kotlin Command-Line Examples 57
Kotlin and Java Translation Interoperability 57
Chapter 6: Translating Visual Studio and MSBuild Projects 58

Visual Studio and MSBuild Project Translation Prerequisites 58
Visual Studio and MSBuild Project Translation Command-Line Syntax 59
Handling Special Cases for Translating Visual Studio and MSBuild Projects 59
Running Translation From a Script 59
Translating Plain .NET and ASP.NET Projects 60
Translating C/C++ and Xamarin Projects 60
Translating Projects with Settings Containing Spaces 60
Translating a Single Project from a Visual Studio Solution 60
Translating Visual Studio Solutions with Excluded or Skipped Projects 61
Working with Multiple Targets and Projects for MSBuild Command 61
Analyzing Projects That Build Multiple Executable Files 61
Alternative Ways to Translate Visual Studio and MSBuild Projects 62
Alternative Translation Options for Visual Studio Solutions 62
Translating Without Explicitly Running Fortify Static Code Analyzer 62
Chapter 7: Translating C and C++ Code 64

C and C++ Code Translation Prerequisites 64
C and C++ Command-Line Syntax 64
Scanning Pre-processed C and C++ Code 65
C/C++ Precompiled Header Files 65
Troubleshooting Translation Failed Message 65

User Guide
Chapter 8: Translating JavaScript and TypeScript Code 67

Translating Pure JavaScript Projects 67
Excluding Dependencies 67
Excluding NPM Dependencies 68
Translating JavaScript Projects with HTML Files 68
Including External JavaScript or HTML in the Translation 69
Chapter 9: Translating Python Code 71

Python Translation Command-Line Syntax 71
Including Import Files 71
Including Namespace Packages 72
Using the Django Framework with Python 72
Python Command-Line Options 72
Python Command-Line Examples 73
Chapter 10: Translating Code for Mobile Platforms 74

Translating Apple iOS Projects 74
iOS Project Translation Prerequisites 74
iOS Code Analysis Command-Line Syntax 75
Translating Android Projects 75
Android Project Translation Prerequisites 75
Android Code Analysis Command-Line Syntax 76
Filtering Issues Detected in Android Layout Files 76
Chapter 11: Translating Go Code 77

Go Command-Line Syntax 77
Go Command-Line Options 77
Resolving Dependencies 78
Chapter 12: Translating Ruby Code 79

Ruby Command-Line Syntax 79
Ruby Command-Line Options 79
Adding Libraries 80

User Guide
Adding Gem Paths 80
Chapter 13: Translating Apex and Visualforce Code 81

Apex Translation Prerequisites 81
Apex and Visualforce Command-Line Syntax 81
Apex and Visualforce Command-Line Options 82
Downloading Customized Salesforce Database Structure Information 82
Chapter 14: Translating COBOL Code 84

Preparing COBOL Source and Copybook Files for Translation 84
COBOL Command-Line Syntax 85
Translating COBOL Source Files Without File Extensions 86
COBOL Command-Line Options 86
Chapter 15: Translating Other Languages and Configurations 88

Translating PHP Code 88
PHP Command-Line Options 88
Translating ABAP Code 89
INCLUDE Processing 90
Importing the Transport Request 90
Adding Fortify Static Code Analyzer to Your Favorites List 91
Running the Fortify ABAP Extractor 92
Uninstalling the Fortify ABAP Extractor 96
Translating Flex and ActionScript 97
Flex and ActionScript Command-Line Options 97
ActionScript Command-Line Examples 98
ActionScript Warnings 99
Translating ColdFusion Code 99
ColdFusion Command-Line Syntax 99
ColdFusion Command-Line Options 100
Translating SQL 100
PL/SQL Command-Line Example 101
T-SQL Command-Line Example 101
Translating Scala Code 101

User Guide
Translating ASP/VBScript Virtual Roots 101

Translating Dockerfiles 103
Classic ASP Command-Line Example 104
VBScript Command-Line Example 104
Chapter 16: Integrating into a Build 105

Build Integration 105
Make Example 106
Modifying a Build Script to Invoke Fortify Static Code Analyzer 106
Touchless Build Integration 107
Ant Integration 107
Gradle Integration 107
Including Verbose and Debug Options 108
Maven Integration 109
Installing and Updating the Fortify Maven Plugin 109
Testing the Fortify Maven Plugin Installation 109
Using the Fortify Maven Plugin 110
Chapter 17: Command-Line Interface 112

Translation Options 112
Analysis Options 114
Output Options 117
Other Options 120
Directives 122
Specifying Files and Directories 123
Chapter 18: Command-Line Utilities 125

Fortify Static Code Analyzer Utilities 125
About Updating Security Content 126
Updating Security Content 127
fortifyupdate Command-Line Options 127
Working with FPR Files from the Command Line 128
Merging FPR Files 129
Displaying Analysis Results Information from an FPR File 130

User Guide
Extracting a Source Archive from an FPR File 134

Allocating More Memory for FPRUtility 135
Generating Reports from the Command Line 135
Generating a BIRT Report 136
Generating a Legacy Report 138
Checking the Fortify Static Code Analyzer Scan Status 139
SCAState Utility Command-Line Options 140
Chapter 19: Improving Performance 142

Hardware Considerations 142
Sample Scans 143
Tuning Options 144
Quick Scan 145
Limiters 145
Using Quick Scan and Full Scan 146
Configuring Scan Speed with Speed Dial 146
Breaking Down Codebases 147
Limiting Analyzers and Languages 148
Disabling Analyzers 148
Disabling Languages 149
Optimizing FPR Files 149
Filter Files 149
Excluding Issues from the FPR with Filter Sets 150
Excluding Source Code from the FPR 150
Reducing the FPR File Size 151
Opening Large FPR Files 152
Monitoring Long Running Scans 153
Using the SCAState Utility 154
Using JMX Tools 154
Using JConsole 154
Using Java VisualVM 154
Chapter 20: Troubleshooting 156

Exit Codes 156
Memory Tuning 157

User Guide
Java Heap Exhaustion 157

Native Heap Exhaustion 158
Stack Overflow 158
Scanning Complex Functions 159
Dataflow Analyzer Limiters 160
Control Flow and Null Pointer Analyzer Limiters 161
Issue Non-Determinism 161
Accessing Log Files 162
Configuring Log Files 162
Understanding Log Levels 163
Reporting Issues and Requesting Enhancements 164
Appendix A: Filtering the Analysis 165

Filter Files 165
Filter File Example 165
Appendix B: Fortify Scan Wizard 168

Preparing to use the Fortify Scan Wizard 168
Starting the Fortify Scan Wizard 169
Appendix C: Sample Projects 170

Basic Samples 170
Advanced Samples 172
Appendix D: Fortify Java Annotations 175

Dataflow Annotations 175
Source Annotations 176
Passthrough Annotations 176
Sink Annotations 177
Validate Annotations 178
Field and Variable Annotations 178
Password and Private Annotations 178
Non-Negative and Non-Zero Annotations 179
Other Annotations 179
Check Return Value Annotation 179

User Guide
Dangerous Annotations 179
Appendix E: Configuration Options 180

Fortify Static Code Analyzer Properties Files 180
Properties File Format 180
Precedence of Setting Properties 181
fortify-sca.properties 182
fortify-sca-quickscan.properties 211
Send Documentation Feedback 216

User Guide
Preface
Preface
Contacting Micro Focus Fortify Customer Support

Visit the Support website to:
l Manage licenses and entitlements
l Create and manage technical assistance requests
l Browse documentation and knowledge articles
l Download software
l Explore the Community
https://www.microfocus.com/support
For More Information

For more information about Fortify software products:
https://www.microfocus.com/solutions/application-security
About the Documentation Set

The Fortify Software documentation set contains installation, user, and deployment guides for all
Fortify Software products and components. In addition, you will find technical notes and release notes
that describe new features, known issues, and last-minute updates. You can access the latest versions of
these documents from the following Micro Focus Product Documentation website:
https://www.microfocus.com/support/documentation

User Guide
Change Log
Change Log
The following table lists changes made to this document. Revisions to this document are published
between software releases only if the changes made affect product functionality.
Software Release /
Document Version Changes
20.2.0 / Revision Updated:

1: December 2020
l "Running the Fortify ABAP Extractor" on page 92 - New option to
export SAP standard code in addition to custom code
20.2.0 Added:
l "About Installing Fortify Static Code Analyzer and Applications" on
page 27 and "Using Docker to Install and Run Fortify Static Code
Analyzer" on page 33
l "Translating Dockerfiles" on page 103
l "Configuring Scan Speed with Speed Dial" on page 146
l "Fortify Java Annotations" on page 175 - Incorporated information
previously available in the javaAnnotations sample README.txt to this
guide
Updated:
l "Translating Visual Studio and MSBuild Projects" on page 58 - Updated
to reflect the translation improvements made over the past couple
releases (former chapter title: Translating .NET Code)
l "Translating COBOL Code" on page 84 - Describes the changes
introduced for analyzing COBOL code
l "Generating a BIRT Report" on page 136 - New supported report
template added: OWASP ASVS 4.0
l "Sample Projects" on page 170 - Added two new samples
l All references to Fortify ScanCentral were replaced with Fortify
ScanCentral SAST (product name change)
20.1.2 Added:
l "Translating Kotlin Code" on page 55
Updated:

User Guide
Change Log
Software Release /
l "Gradle Integration" on page 107 - Added information about using the

Gradle Wrapper
20.1.0 Added:
l .NET Command-Line Options - Added a new option to exclude from
translation any disabled projects in a solution
Updated:
l "About Installing Fortify Static Code Analyzer and Applications" on
page 27 - Removed all mentions of Solaris as this operating system is no
longer supported
l "Installing Fortify Static Code Analyzer and Applications Silently
(Unattended)" on page 29 - Added more information to the instructions
for different operating systems
l "Generating a BIRT Report" on page 136 - Added support for new
report: CWE Top 25 2019
l "Generating a Legacy Report" on page 138 - Removed RTF as a possible
output format
l All references to Fortify CloudScan were replaced with Fortify
ScanCentral (product name change)
Removed:
l Incremental Analysis - Feature to be removed in the next release
19.2.0 Added:
l "Modular Analysis" on page 45 - New feature to scan Java/Java EE
libraries separately from the core project (related updated topics:
"Analysis Options" on page 114 and "fortify-sca.properties" on
page 182)
l "Translating Go Code" on page 77
Updated:
l "About Upgrading Fortify Static Code Analyzer and Applications" on
page 35 - Provided additional information
l "Translating JavaScript and TypeScript Code" on page 67 - Added
instructions for excluding NPM dependencies
l "Generating a BIRT Report" on page 136 - Support added for GDPR,

User Guide
Change Log
Software Release /
MISRA and PCI SSF reports

l "Translation Options" on page 112 and "fortify-sca.properties" on
page 182 - Updated the list of valid languages for
com.fortify.sca.DISabledLanguages and added a description for
com.fortify.sca.EnabledLanguages
Removed:
l "Translating AngularJS Code" - Analysis of AngularJS 1.x is no longer
supported
l "Translating .NET Binaries" and "Adding Custom Tasks to your MSBuild
Project" - These features will be removed from Fortify Static Code
Analyzer in the next release
19.1.0 Added:
l This document now includes all content from the Micro Focus Fortify
Static Code Analyzer Installation Guide and the Micro Focus Fortify
Static Code Analyzer User Guide, which are no longer published as of
this release.
Updated:
l "Translating JavaScript and TypeScript Code" on page 67 - The Higher
Order Analyzer is now enabled by default for JavaScript and TypeScript
l "Using the Django Framework with Python" on page 72 and "Python
Command-Line Options" on page 72 - Added a description of a new
feature to automatically discover Django template locations
l "iOS Code Analysis Command-Line Syntax" on page 75 and "Android
Code Analysis Command-Line Syntax" on page 76 - Added examples
for translating property list files and configuration files
l "Importing the Transport Request" on page 90 - Clarified the supported
SAP version for the Fortify ABAP Extractor transport request and
added a suggestion if the import fails
l "Running the Fortify ABAP Extractor" on page 92 - Updated to provide
more details
l "Using the Fortify Maven Plugin" on page 110 - Clarified the two
different ways to analyze a maven project
l "Output Options" on page 117 - Added a description of the FVDL

User Guide
Change Log
Software Release /
output format and added options to exclude information from the

FVDL file
l "Sample Scans" on page 143 - Table updated to show data for the
current release

Chapter 1: Introduction
This guide provides instructions for using Micro Focus Fortify Static Code Analyzer to scan code on
most major programming platforms. This guide is intended for people responsible for security audits
and secure coding.
This section contains the following topics:
Fortify Static Code Analyzer 17
About the Analyzers 19
Related Documents 20
Fortify Static Code Analyzer

Fortify Static Code Analyzer is a set of software security analyzers that search for violations of security-
specific coding rules and guidelines in a variety of languages. The Fortify Static Code Analyzer language
technology provides rich data that enables the analyzers to pinpoint and prioritize violations so that
fixes are fast and accurate. Fortify Static Code Analyzer produces analysis information to help you
deliver more secure software, as well as make security code reviews more efficient, consistent, and
complete. Its design enables you to quickly incorporate new third-party and customer-specific security
rules.
At the highest level, using Fortify Static Code Analyzer involves:
1. Running Fortify Static Code Analyzer as a stand-alone process or integrating Fortify Static Code
Analyzer in a build tool
2. Translating the source code into an intermediate translated format
3. Scanning the translated code and producing security vulnerability reports
4. Auditing the results of the scan, either by opening the results (typically an FPR file) in Micro Focus
Fortify Audit Workbench or uploading them to Micro Focus Fortify Software Security Center for
analysis, or working directly with the results displayed on screen.
Note: For information about how to open and view results in Fortify Audit Workbench or Fortify
Software Security Center, see the Micro Focus Fortify Audit Workbench User Guide or the Micro
Focus Fortify Software Security Center User Guide respectively.

User Guide
Fortify ScanCentral SAST

You can use Micro Focus Fortify ScanCentral SAST to manage your resources by offloading the Fortify
Static Code Analyzer scan phase from build machines to a collection of machines provisioned for this
purpose. For some languages, Fortify ScanCentral SAST can perform both the translation and the
analysis (scan) phases. You can analyze your code in one of two ways:
l Perform the translation phase on a local build machine and generate a mobile build session (MBS).
Start the scan with Fortify ScanCentral SAST using the MBS file. In addition to freeing up the build
machines, this process makes it easy to expand the system by adding more resources as needed,
without having to interrupt the build process. In addition, users of Micro Focus Fortify Software
Security Center can direct Fortify ScanCentral SAST to output the FPR file directly to the server.
l If your application is written in a language supported for Fortify ScanCentral SAST translation, you
can also offload the translation phase of the analysis to Fortify ScanCentral SAST. For information
about the specific supported language, see the Micro Focus Fortify Software System Requirements
document.
For detailed information about how to use Fortify ScanCentral SAST, see the Micro Focus Fortify
ScanCentral SAST Installation, Configuration, and Usage Guide.
Fortify Scan Wizard

Micro Focus Fortify Scan Wizard is a utility that enables you to quickly and easily generate a script to
run on Windows or Linux/macOS so that you can scan project code with Fortify Static Code Analyzer.
With the Scan Wizard, you can run your scans locally, or, if you are using Micro Focus Fortify
ScanCentral SAST, in a collection of computers provisioned to manage the processor-intensive scan
phase of the analysis.
For more information, see "Fortify Scan Wizard" on page 168.
Fortify Software Security Content

Fortify Static Code Analyzer uses a knowledge base of rules to enforce secure coding standards
applicable to the codebase for static analysis. Micro Focus Fortify Software Security Content is required
for both translation and analysis. You can download and install security content when you install Fortify
Static Code Analyzer (see "Installing Fortify Static Code Analyzer" on page 25). Alternatively, you can
download or import previously downloaded Fortify Security Content with the fortifyupdate utility as a
post-installation task (see "Manually Installing Fortify Security Content" on page 32).
Fortify Software Security Content (security content) consists of Secure Coding Rulepacks and external
metadata:
l Secure Coding Rulepacks describe general secure coding idioms for popular languages and public
APIs
l External metadata includes mappings from the Fortify categories to alternative categories (such as
CWE, OWASP Top 10, and PCI)

User Guide
Fortify provides the ability to write custom rules that add to the functionality of Fortify Static Code
Analyzer and the Secure Coding Rulepacks. For example, you might need to enforce proprietary
security guidelines or analyze a project that uses third-party libraries or other pre-compiled binaries that
are not already covered by the Secure Coding Rulepacks. You can also customize the external metadata
to map Fortify issues to different taxonomies, such as internal application security standards or
additional compliance obligations. For instructions on how to create your own custom rules or custom
external metadata, see the Micro Focus Fortify Static Code Analyzer Custom Rules Guide.
Fortify recommends that you periodically update the security content. You can use the fortifyupdate
utility to obtain the latest security content. For more information, see "Updating Security Content" on
page 127.
About the Analyzers

Fortify Static Code Analyzer comprises eight vulnerability analyzers: Buffer, Configuration, Content,
Control Flow, Dataflow, Higher Order, Semantic, and Structural. Each analyzer accepts a different type
of rule specifically tailored to provide the information necessary for the corresponding type of analysis
performed. Rules are definitions that identify elements in the source code that might result in security
vulnerabilities or are otherwise unsafe.
The following table lists and describes each analyzer.
Analyzer Description
Buffer The Buffer Analyzer detects buffer overflow vulnerabilities that involve writing or
reading more data than a buffer can hold. The buffer can be either stack-allocated
or heap-allocated. The Buffer Analyzer uses limited interprocedural analysis to
determine whether there is a condition that causes the buffer to overflow. If any
execution path to a buffer leads to a buffer overflow, Fortify Static Code Analyzer
reports it as a buffer overflow vulnerability and points out the variables that could
cause the overflow. If the value of the variable causing the buffer overflow is tainted
(user-controlled), then Fortify Static Code Analyzer reports it as well and displays
the dataflow trace to show how the variable is tainted.
Configuration The Configuration Analyzer searches for mistakes, weaknesses, and policy violations
in application deployment configuration files. For example, the Configuration
Analyzer checks for reasonable timeouts in user sessions in a web application.
Content The Content Analyzer searches for security issues and policy violations in HTML
content. In addition to static HTML pages, the Content Analyzer performs these
checks on files that contain dynamic HTML, such as PHP, JSP, and classic ASP files.

User Guide
Analyzer Description
Control Flow The Control Flow Analyzer detects potentially dangerous sequences of operations.
By analyzing control flow paths in a program, the Control Flow Analyzer determines
whether a set of operations are executed in a certain order. For example, the Control
Flow Analyzer detects time of check/time of use issues and uninitialized variables,
and checks whether utilities, such as XML readers, are configured properly before
being used.
Dataflow The Dataflow Analyzer detects potential vulnerabilities that involve tainted data
(user-controlled input) put to potentially dangerous use. The Dataflow Analyzer
uses global, interprocedural taint propagation analysis to detect the flow of data
between a source (site of user input) and a sink (dangerous function call or
operation). For example, the Dataflow Analyzer detects whether a user-controlled
input string of unbounded length is copied into a statically sized buffer, and detects
whether a user-controlled string is used to construct SQL query text.
Null Pointer The Null Pointer Analyzer detects dereferences of pointer variables that are
assigned the null value. The Null Pointer Analyzer detection is performed at the
intra-procedural level. Issues are detected only when the null assignment, the
dereference, and all the paths between them occur within a single function.
Semantic The Semantic Analyzer detects potentially dangerous uses of functions and APIs at
the intra-procedural level. Its specialized logic searches for buffer overflow, format
string, and execution path issues, but is not limited to these categories. For example,
the Semantic Analyzer detects deprecated functions in Java and unsafe functions in
C/C++, such as gets().
Structural The Structural Analyzer detects potentially dangerous flaws in the structure or
definition of the program. By understanding the way programs are structured, the
Structural Analyzer identifies violations of secure programming practices and
techniques that are often difficult to detect through inspection because they
encompass a wide scope involving both the declaration and use of variables and
functions. For example, the Structural Analyzer detects assignment to member
variables in Java servlets, identifies the use of loggers that are not declared static
final, and flags instances of dead code that is never executed because of a predicate
that is always false.
Related Documents
This topic describes documents that provide information about Micro Focus Fortify software products.

User Guide
Note: You can find the Micro Focus Fortify Product Documentation at
https://www.microfocus.com/support/documentation. All guides are available in both PDF and
HTML formats.
All Products
The following documents provide general information for all products. Unless otherwise noted, these
documents are available on the Micro Focus Product Documentation website.
Document / File Name Description
About Micro Focus Fortify Product This paper provides information about how to access Micro
Software Documentation Focus Fortify product documentation.
About_Fortify_Docs_<version>.pdf Note: This document is included only with the product
download.
Micro Focus Fortify Software System This document provides the details about the
Requirements environments and products supported for this version of
Fortify Software.
Fortify_Sys_Reqs_<version>.pdf
Micro Focus Fortify Software Release This document provides an overview of the changes made
Notes to Fortify Software for this release and important
information not included elsewhere in the product
FortifySW_RN_<version>.pdf
documentation.
What’s New in Micro Focus Fortify This document describes the new features in Fortify
Software <version> Software products.
Fortify_Whats_New_<version>.pdf
Micro Focus Fortify ScanCentral SAST

The following document provides information about Fortify ScanCentral SAST. Unless otherwise
noted, these documents are available on the Micro Focus Product Documentation website at
https://www.microfocus.com/documentation/fortify-software-security-center.
Micro Focus Fortify ScanCentral This document provides information about how to install,
SAST Installation, Configuration, and configure, and use Fortify ScanCentral SAST to streamline
Usage Guide the static code analysis process. It is written for anyone who

User Guide
SC_SAST_Guide_<version>.pdf intends to install, configure, or use Fortify ScanCentral

SAST to offload the resource-intensive translation and
scanning phases of their Fortify Static Code Analyzer
process.
Micro Focus Fortify Software Security Center

The following document provides information about Fortify Software Security Center. Unless otherwise
https://www.microfocus.com/documentation/fortify-software-security-center.
Micro Focus Fortify Software Security This document provides Fortify Software Security Center
Center User Guide users with detailed information about how to deploy and
use Software Security Center. It provides all of the
SSC_Guide_<version>.pdf
information you need to acquire, install, configure, and use
Software Security Center.
It is intended for use by system and instance
administrators, database administrators (DBAs), enterprise
security leads, development team managers, and
developers. Software Security Center provides security
team leads with a high-level overview of the history and
current status of a project.
Micro Focus Fortify Static Code Analyzer

The following documents provide information about Fortify Static Code Analyzer. Unless otherwise
https://www.microfocus.com/documentation/fortify-static-code.
Micro Focus Fortify Static Code This document describes how to install and use Fortify
Analyzer User Guide Static Code Analyzer to scan code on many of the major
programming platforms. It is intended for people
SCA_Guide_<version>.pdf
responsible for security audits and secure coding.

User Guide
Micro Focus Fortify Static Code This document provides the information that you need to
Analyzer Custom Rules Guide create custom rules for Fortify Static Code Analyzer. This
guide includes examples that apply rule-writing concepts to
SCA_Cust_Rules_Guide_<version>.zip
real-world security issues.
Note: This document is included only with the product

download.
Micro Focus Fortify Audit Workbench This document describes how to use Fortify Audit
User Guide Workbench to scan software projects and audit analysis
results. This guide also includes how to integrate with bug
AWB_Guide_<version>.pdf
trackers, produce reports, and perform collaborative
auditing.
Micro Focus Fortify Plugins for Eclipse This document provides information about how to install
User Guide and use the Fortify Complete and the Fortify Remediation
Plugins for Eclipse.
Eclipse_Plugins_Guide_<version>.pdf
Micro Focus Fortify Plugins for This document describes how to install and use both the
JetBrains IDEs and Android Studio Fortify Analysis Plugin for IntelliJ IDEA and Android Studio
User Guide and the Fortify Remediation Plugin for IntelliJ IDEA,
Android Studio, and other JetBrains IDEs.
JetBrains_AndStud_Plugins_Guide_
<version>.pdf
Micro Focus Fortify Jenkins Plugin This document describes how to install, configure, and use
User Guide the plugin. This documentation is available at
https://www.microfocus.com/documentation/fortify-
Jenkins_Plugin_Guide_<version>.pdf
jenkins-plugin.
Micro Focus Fortify Security Assistant This document describes how to install and use Fortify
Plugin for Eclipse User Guide Security Assistant plugin for Eclipse to provide alerts to
security issues as you write your Java code.
SecAssist_Eclipse_Guide_
<version>.pdf
Micro Focus Fortify Extension for This document provides information about how to install
Visual Studio User Guide and use the Fortify extension for Visual Studio to analyze,
audit, and remediate your code to resolve security-related
VS_Ext_Guide_<version>.pdf
issues in solutions and projects.
Micro Focus Fortify Static Code This document describes the properties used by Fortify

User Guide
Analyzer Tools Properties Reference Static Code Analyzer tools.

Guide
SCA_Tools_Props_Ref_<version>.pdf

Chapter 2: Installing Fortify Static Code
Analyzer
This chapter describes how to install and uninstall Fortify Static Code Analyzer and Fortify Static Code
Analyzer tools. This chapter also describes basic post-installation tasks. See the Micro Focus Fortify
Software System Requirements document to be sure that your system meets the minimum
requirements for each software component installation.
Fortify Static Code Analyzer Component Applications 25
About Downloading the Software 27
About Installing Fortify Static Code Analyzer and Applications 27
Using Docker to Install and Run Fortify Static Code Analyzer 33
About Upgrading Fortify Static Code Analyzer and Applications 35
About Uninstalling Fortify Static Code Analyzer and Applications 36
Post-Installation Tasks 38
Fortify Static Code Analyzer Component Applications

The installation consists of Fortify Static Code Analyzer, which analyzes your build code according to a
set of rules specifically tailored to provide the information necessary for the type of analysis performed.
A Fortify Static Code Analyzer installation might also include one or more component applications.
The following table describes the components that are available for installation with the Fortify Static
Code Analyzer and Applications installer.
Component Description
Micro Focus Fortify Audit Provides a graphical user interface for Fortify Static Code Analyzer that
Workbench helps you organize, investigate, and prioritize analysis results so that
developers can fix security flaws quickly.
Micro Focus Fortify Adds the ability to scan and analyze the entire codebase of a project and
Plugin for Eclipse apply software security rules that identify the vulnerabilities in your Java
code from the Eclipse IDE. The results are displayed, along with
descriptions of each of the security issues and suggestions for their
elimination.

User Guide
Chapter 2: Installing Fortify Static Code Analyzer
Micro Focus Fortify Adds the ability to run Fortify Static Code Analyzer scans on the entire
Analysis Plugin for IntelliJ codebase of a project and apply software security rules that identify the
and Android Studio vulnerabilities in your code from the IntelliJ and Android Studio IDEs.
Micro Focus Fortify Adds the ability to scan and locate security vulnerabilities in your
Extension for Visual solutions and projects and displays the scan results in Visual Studio. The
Studio results include a list of issues uncovered, descriptions of the type of
vulnerability each issue represents, and suggestions on how to fix them.
This extension also includes remediation functionality that works with
audit results stored on a Micro Focus Fortify Software Security Center
server.
Micro Focus Fortify A tool to create and edit custom rules.

Custom Rules Editor
Micro Focus Fortify Scan A tool to quickly prepare a script that you can use to scan your code with
Wizard Fortify Static Code Analyzer and optionally, upload the results directly
to Fortify Software Security Center.
Note: This tool is installed automatically with Fortify Static Code

Analyzer.
Command-line utilities There are several command-line utilities that are installed automatically
with Fortify Static Code Analyzer. For more information, see "Command-
Line Utilities" on page 125.
The following table describes the components that are included in the Fortify Static Code Analyzer and
Applications package. You install these components separately from the Fortify Static Code Analyzer
and Applications installer.
Micro Focus Fortify Remediation Plugin for Works with Fortify Software Security Center for
Eclipse developers who want to remediate issues detected in
source code from the Eclipse IDE.
Micro Focus Fortify Remediation Plugin for Works in several JetBrains IDEs and Android Studio
JetBrains IDEs together with Fortify Software Security Center to
add remediation functionality to your security
analysis.

User Guide
Micro Focus Fortify Security Assistant Plugin Provides alerts to potential security issues as you
for Eclipse write your Java code. It provides detailed
information about security risks and
recommendations for how to secure the potential
issue.
About Downloading the Software

Fortify Static Code Analyzer and Applications is available as a downloadable application or package. For
details on how to acquire the software and a license for the Fortify Software, see the Micro Focus
Fortify Software System Requirements document.
About Installing Fortify Static Code Analyzer and

Applications
This section describes how to install Fortify SCA and Applications. You need a Fortify license file to
complete the process. The following table lists the different methods of installing Fortify SCA and
Applications.
Installation Method Instructions
Perform the installation using a standard install "Installing Fortify Static Code Analyzer and
wizard Applications" on the next page
Perform the installation silently (unattended) "Installing Fortify Static Code Analyzer and
Applications Silently (Unattended)" on page 29
Perform a text-based installation on non- "Installing Fortify Static Code Analyzer and
Windows systems Applications in Text-Based Mode on
Non-Windows Platforms" on page 32
Perform the installation using Docker "Using Docker to Install and Run Fortify Static
Code Analyzer" on page 33
For best performance, install Fortify Static Code Analyzer on the same local file system where the code
that you want to scan resides.
Note: On non-Windows systems, you must install Fortify SCA and Applications as a user that has a
home directory with write permission. Do not install Fortify SCA and Applications as a non-root
user that has no home directory.

User Guide
After you complete the installation, see "Post-Installation Tasks" on page 38 for additional steps you
can perform to complete your system setup. You can also configure settings for runtime analysis,
output, and performance of Fortify Static Code Analyzer and its components by updating the installed
configuration files. For information about the configuration options for Fortify Static Code Analyzer,
see "Configuration Options" on page 180. For information about configuration options for Fortify
Static Code Analyzer component applications, see the Micro Focus Fortify Static Code Analyzer Tools
Properties Reference Guide.
Installing Fortify Static Code Analyzer and Applications

To install Fortify Static Code Analyzer and Applications:
1. Run the installer file that corresponds to your operating system:
l Windows: Fortify_SCA_and_Apps_<version>_windows_x64.exe
l Linux: Fortify_SCA_and_Apps_<version>_linux_x64.run
l macOS: Fortify_SCA_and_Apps_<version>_osx_x64.app.zip
where <version> is the software release version.
2. Accept the license agreement, and then click Next.
3. Choose where to install Fortify Static Code Analyzer and applications, and then click Next.
Note: If you are using Micro Focus Fortify ScanCentral SAST, you must specify a location that
does not include spaces in the path.
4. (Optional) Select the components to install, and then click Next.

Note: Component selection is not available for all operating systems.
5. If you are installing the Fortify extension for Visual Studio 2015 or 2017, you are prompted to
specify whether to install the extensions for the current install user or for all users.
The default is to install the extensions for the current install user.
6. Specify the path to the fortify.license file, and then click Next.
7. Specify the settings required to update your security content.
To update the security content for your installation:
Note: For installations on non-Windows platforms and for deployment environments that do
not have access to the Internet during installation, you can update the security content using
the fortifyupdate utility. See "Manually Installing Fortify Security Content" on page 32.
a. Specify the URL address of the update server. To use the Fortify Rulepack update server for
security content updates, specify the URL as: https://update.fortify.com.
b. (Optional) Specify the proxy host and port number of the update server.
c. Click Next.

User Guide
8. Specify if you want to migrate from a previous installation of Fortify Static Code Analyzer on your
system.
Migrating from a previous Fortify Static Code Analyzer installation preserves Fortify Static Code
Analyzer artifact files. For more information, see "About Upgrading Fortify Static Code Analyzer
and Applications" on page 35.
Note: You can also migrate Fortify Static Code Analyzer artifacts using the scapostinstall
command-line utility. For information on how to use the post-install tool to migrate from a
previous Fortify Static Code Analyzer installation, see "Migrating Properties Files" on page 38.
To migrate artifacts from a previous installation:

a. In the SCA Migration step, select Yes, and then click Next.
b. Specify the location of the existing Fortify Static Code Analyzer installation on your system,
and then click Next.
9. Specify if you want to install sample source code projects, and then click Next.
See "Sample Projects" on page 170 for descriptions of these samples.
Note: If you do not install the samples and decide later that you want to install them, you must
uninstall and then re-install Fortify Static Code Analyzer and Applications.
10. Click Next to proceed to install Fortify Static Code Analyzer and applications.
11. After Fortify Static Code Analyzer is installed, select Update security content after installation
if you want to update the security content, and then click Finish.
The Security Content Update Result window displays the security content update results.
Installing Fortify Static Code Analyzer and Applications Silently

(Unattended)
A silent installation enables you to complete the installation without any user prompts. To install
silently, you need to create an option file to provide the necessary information to the installer. Using the
silent installation, you can replicate the installation parameters on multiple machines. When you install
Fortify Static Code Analyzer and Applications silently, the installer does not download the Micro Focus
Fortify Software Security Content. For instructions on how to install the Fortify security content, see
"Manually Installing Fortify Security Content" on page 32.
To install Fortify Static Code Analyzer silently:
1. Create an options file.
a. Create a text file that contains the following line:
fortify_license_path=<license_file_location>
where <license_file_location> is the full path to your fortify.license file.

User Guide
b. If you are using a different location for the Fortify Security Content updates than the default of
https://update.fortify.com, add the following line:
UpdateServer=<update_server_url>
Note: As previously mentioned, Fortify security content is not downloaded with a silent
installation. However, this information and the proxy information in the following step is
added to the <sca_install_dir>Core/config/server.properties file to use for
manually installing Fortify security content.
c. If you require a proxy server, add the following lines:
UpdateProxyServer=<proxy_server>
UpdateProxyPort=<port_number>
d. If you do not want to install the sample source code projects, add the following line.
On Windows:
InstallSamples=0
On Linux and macOS:
enable-components=Samples
e. Add more information, as needed, to the options file.

For list of installation options that you can add to your options file, type the installer file name
and the --help option. This command displays each available command-line option preceded
with a double dash and optional file parameters enclosed in angle brackets. For example, if you
want to see the progress of the install displayed at the command line, add
unattendedmodeui=minimal to your options file.
Note: The installation options are not the same on all supported operating systems. Run
the installer with --help to see the options available for your operating system.
For the enable-components option on Windows, you can specify the AWB_group parameter
to install Fortify Audit Workbench, Fortify Custom Rules Editor, and associate FPR files with
Fortify Audit Workbench. To install specific plugins, list each one by parameter name (the
Plugins_group parameter does not install all plugins and you do not need to include it).

User Guide
The following example Windows options file specifies the location of the license file, the location
and proxy information for obtaining the Fortify Security Content, a request to migrate from a
previous release, installation of Audit Workbench, installation of Micro Focus Fortify Extension
for Visual Studio 2019 for all users, and the location of the Fortify SCA and Applications
installation directory:
fortify_license_path=C:\Users\admin\Desktop\fortify.license
UpdateServer=https://internalserver.abc.com
UpdateProxyServer=webproxy.abc.company.com
UpdateProxyPort=8080
MigrateSCA=1
enable-components=AWB_group,VS2019
VS_all_users=1
installdir=C:\Fortify
The following options file example is for Linux and macOS:
fortify_license_path=/opt/Fortify/fortify.license
UpdateServer=https://internalserver.abc.com
UpdateProxyServer=webproxy.abc.company.com
UpdateProxyPort=8080
MigrateSCA=1
enable-components=Samples
installdir=/opt/Fortify
2. Save the options file.

3. Run the silent install command for your operating system.
Windows Fortify_SCA_and_Apps_<version>_windows_x64.exe --mode unattended --

optionfile <full_path_to_option_file>
Linux ./Fortify_SCA_and_Apps_<version>_linux_x64.run --mode unattended --

optionfile <full_path_to_option_file>
macOS You must uncompress the ZIP file before you run the command.
Fortify_SCA_and_Apps_<version>_osx_x64.app/Contents/
MacOS/installbuilder.sh --mode unattended --optionfile <full_
path_to_option_file>
The installer creates an installer log file when the installation is complete. This log file is located in the
following location depending on your operating system.
Windows C:\Users\<username>\AppData\Local\Temp\FortifySCAandApps-
<version>-install.log

User Guide
Linux /tmp/FortifySCAandApps-<version>-install.log
macOS /tmp/FortifySCAandApps-<version>-install.log
Installing Fortify Static Code Analyzer and Applications in Text-

Based Mode on Non-Windows Platforms
You perform a text-based installation on the command line. During the installation, you are prompted
for information required to complete the installation. Text-based installations are not supported on
Windows systems.
To perform a text-based installation of Fortify Static Code Analyzer and Applications, run the text-
based install command for your operating system as listed in the following table.
Linux ./Fortify_SCA_and_Apps_<version>_linux_x64.run --mode text
macOS You must uncompress the provided ZIP file before you run the command.
Fortify_SCA_and_Apps_<version>_osx_x64.app/Contents/
MacOS/installbuilder.sh --mode text
Manually Installing Fortify Security Content

You can install Micro Focus Fortify Software Security Content (Secure Coding Rulepacks and
metadata) automatically during the Windows installation procedure. However, you can also download
Fortify security content from the Fortify Rulepack update server, and then use the fortifyupdate utility
to install it. This option is provided for installations on non-Windows platforms and for deployment
environments that do not have access to the Internet during installation.
Use the fortifyupdate utility to install Fortify security content from either a remote server or a locally
downloaded file.
To install security content:
1. Open a command window.
2. Navigate to the <sca_install_dir>/bin directory.
3. At the command prompt, type fortifyupdate.
If you have previously downloaded the Fortify security content from the Fortify Customer Portal,
run fortifyupdate with the -import option and the path to the directory where you
downloaded the ZIP file.
You can also use this same utility to update your security content. For more information about the
fortifyupdate utility, see "Updating Security Content" on page 127.

User Guide
Using Docker to Install and Run Fortify Static Code

Analyzer
You can install Fortify Static Code Analyzer in a Docker image and then run Fortify Static Code
Analyzer as a Docker container.
Note: You can only run Fortify Static Code Analyzer in Docker on supported Linux platforms.
Creating a Dockerfile to Install Fortify Static Code Analyzer

This topic describes how to create a Dockerfile to install Fortify Static Code Analyzer in Docker image.
The Dockerfile must include the following instructions:
1. Set a Linux system to use for the base image.
Note: If you intend to use build tools when you run Fortify Static Code Analyzer, make sure
that the required build tools are installed in the image. For information about using the
supported build tools, see "Build Integration" on page 105.
2. Copy the Fortify SCA and Applications installer, the Fortify license file, and installation options file
to the Docker image using the COPY instruction.
For instructions on how to create an installation options file, see "Installing Fortify Static Code
Analyzer and Applications Silently (Unattended)" on page 29.
3. Run the Fortify SCA and Applications installer using the RUN instruction.
You must run the installer in unattended mode. For more information, see "Installing Fortify Static
Code Analyzer and Applications Silently (Unattended)" on page 29.
4. Run fortifyupdate to download the Fortify Security Content using the RUN instruction.
For more information about this utility, see "Manually Installing Fortify Security Content" on the
previous page.
5. To configure the image so you can run Fortify Static Code Analyzer, set the entry point to the
location of the installed sourceanalyzer executable using the ENTRYPOINT instruction.
The default sourceanalyzer installation path is: /opt/Fortify/Fortify_SCA_and_Apps_
<version>/bin/sourceanalyzer.

User Guide
The following is an example of a Dockerfile to install Fortify SCA and Applications:
FROM registry.suse.com/suse/sles12sp4
COPY fortify.license ./
COPY Fortify_SCA_and_Apps_20.2.0_linux_x64.run ./
COPY installerSettings ./
RUN zypper -n install rpm-build
RUN ./Fortify_SCA_and_Apps_20.2.0_linux_x64.run --mode unattended \
--optionfile ./installerSettings && \
/opt/Fortify/Fortify_SCA_and_Apps_20.2.0/bin/fortifyupdate && \
rm Fortify_SCA_and_Apps_20.2.0_linux_x64.run fortify.license installerSettings
ENTRYPOINT [ "/opt/Fortify/Fortify_SCA_and_Apps_20.2.0/bin/sourceanalyzer" ]
Note: The rpm-build package in SUSE is needed by the installer.
To create the docker image using the Dockerfile from the current directory, you must use the docker
build command. For example:
docker build -t <image_name>
Running the Container

This topic describes how to run the Fortify Static Code Analyzer image as a container and provides
example Docker run commands for translation and scan.
To run the Fortify Static Code Analyzer image as a container, you must mount two directories from the
host file system to the container:
l The directory that contains the source files you want to analyze.
l A temporary directory to store the SCA build session between the translate and scan phases and to
share the output files (logs, FPR) with the host.
Specify this directory using the –project-root command-line option in both the Fortify Static
Code Analyzer translate and scan commands.
The following example commands mount the input directory /sources in /src and the temporary
directory in /scratch_docker. The image name in the example is fortify-sca.
Important! Include the Fortify Static Code Analyzer –fcontainer option in both the translate
and scan commands so that Fortify Static Code Analyzer detects and uses only the memory
dedicated to the container. Otherwise, by default Fortify Static Code Analyzer detects the total
system memory because -autoheap is enabled.

User Guide
Example Docker Run Commands for Translation and Scan

The following example mounts the temporary directory and the sources directory, and then runs Fortify
Static Code Analyzer from the container for the translation phase:
docker run -v /scratch_local/:/scratch_docker -v /sources/:/src

-it fortify-sca –b <build_id> -project-root /scratch_docker -fcontainer
[<sca_options>] /src
The following example mounts the temporary directory, and then runs Fortify Static Code Analyzer
from the container for the analysis phase:
docker run -v /scratch_local/:/scratch_docker

-it fortify-sca –b <build_id> -project-root /scratch_docker –scan -
fcontainer [<sca_options>] –f /scratch_docker/results.fpr
The results.fpr file is created in the host's /scratch_local directory.
About Upgrading Fortify Static Code Analyzer and

Applications
To upgrade Fortify Static Code Analyzer and Applications, install the new version in a different location
than where your current version is installed and choose to migrate settings from the previous
installation. This migration preserves and updates the Fortify Static Code Analyzer artifact files located
in the <sca_install_dir>/Core/config directory.
If you choose not to migrate any settings from a previous release, Fortify recommends that you save a
backup of the following data:
l <sca_install_dir>/Core/config/rules folder
l <sca_install_dir>/Core/config/customrules folder
l <sca_install_dir>/Core/config/ExternalMetadata folder
l <sca_install_dir>/Core/config/CustomExternalMetadata folder
l <sca_install_dir>/Core/config/server.properties file
After you install the new version, you can uninstall the previous version. For more information, see
"About Uninstalling Fortify Static Code Analyzer and Applications" on the next page.
Note: You can leave the previous version installed. If you have multiple versions installed on the
same system, the most recently installed version is invoked when you run the command from the
command line. Scanning source code from the Fortify Secure Code Plugins also uses the most
recently installed version of Fortify Static Code Analyzer.

User Guide
Notes About Upgrading the Fortify Extension for Visual Studio

If you have administrative privileges and are upgrading from a previous version of the Fortify Static
Code Analyzer for any supported version of Visual Studio, the installer will overwrite the existing Micro
Focus Fortify Extension for Visual Studio. If the previous version was installed without administrative
privileges, the installer will also overwrite the existing Fortify Extension for Visual Studio without
requiring administrative privileges.
Note: If you do not have administrative privileges and you are upgrading the Fortify Extension for
Visual Studio 2015, 2017, or 2019 that was previously installed using an administrative privileged
user account, you must first uninstall the Fortify Extension for Visual Studio from Visual Studio
2015, 2017, or 2019 using an administrative privilege account.
About Uninstalling Fortify Static Code Analyzer and

Applications
This section describes how to uninstall Fortify Static Code Analyzer and Applications. You can use the
standard install wizard or you can perform the uninstallation silently. You can also perform a text-based
uninstallation on non-Windows systems.
Uninstalling Fortify Static Code Analyzer and Applications

Uninstalling on Windows Platforms
To uninstall the Fortify Static Code Analyzer and applications software:
1. Select Start > Control Panel > Add or Remove Programs.
2. From the list of programs, select Fortify SCA and Applications <version>, and then click
Remove.
3. You are prompted to indicate whether to remove all application settings. Do one of the following:
l Click Yes to remove the application setting folders for the tools installed with the version of
Fortify Static Code Analyzer that you are uninstalling. The Fortify Static Code Analyzer
(sca<version>) folder is not removed.
l Click No to retain the application settings on your system.

User Guide
Uninstalling on Other Platforms

To uninstall Fortify Static Code Analyzer software on Linux and macOS platforms:
1. Back up your configuration, including any important files you have created.
2. Run the uninstall command located in the <sca_install_dir> for your operating system:
Linux Uninstall_FortifySCAandApps_<version>
macOS Uninstall_FortifySCAandApps_<version>.app
3. You are prompted to indicate whether to remove all application settings. Do one of the following:
l Click Yes to remove the application setting folders for the tools installed with the version of
Fortify Static Code Analyzer that you are uninstalling. The Fortify Static Code Analyzer
(sca<version>) folder is not removed.
l Click No to retain the application settings on your system.
Uninstalling Fortify Static Code Analyzer and Applications Silently

To uninstall Fortify Static Code Analyzer silently:
1. Navigate to the installation directory.
2. Type one of the following commands based on your operating system:
Windows Uninstall_FortifySCAandApps_<version>.exe --mode unattended
Linux ./Uninstall_FortifySCAandApps_<version> --mode unattended
macOS Uninstall_FortifySCAandApps_
<version>.app/Contents/MacOS/installbuilder.sh
--mode unattended
Note: The uninstaller removes the application setting folders for the tools installed with the version
of Fortify Static Code Analyzer that you are uninstalling.
Uninstalling Fortify Static Code Analyzer and Applications in

Text-Based Mode on Non-Windows Platforms
To uninstall Fortify Static Code Analyzer in text-based mode, run the text-based install command for
your operating system, as follows:
1. Navigate to the installation directory.
2. Type one of the following commands based on your operating system:
Linux ./Uninstall_FortifySCAandApps_<version> --mode text

User Guide
macOS Uninstall_FortifySCAandApps_
<version>.app/Contents/MacOS/installbuilder.sh --mode text
Post-Installation Tasks
Post-installation tasks prepare you to start using Fortify Static Code Analyzer and tools.
Running the Post-Install Tool

To run the Fortify Static Code Analyzer post-install tool:
1. Navigate to the <sca_install_dir>/bin directory from the command line.
2. At the command prompt, type scapostinstall.
3. Type one of the following:
l To display settings, type s.
l To return to a previous prompt, type r.
l To exit the tool, type q.
Migrating Properties Files

To migrate properties files from a previous version of Fortify Static Code Analyzer to the current
version of Fortify Static Code Analyzer installed on your system:
1. Navigate to the <sca_install_dir>/bin directory from the command line.
3. Type 1 to select Migration.
4. Type 1 to select SCA Migration.
5. Type 1 to select Migrate from an existing Fortify installation.
6. Type 1 to select Set previous Fortify installation directory.
7. Type the previous install directory.
8. Type s to confirm the settings.
9. Type 2 to perform the migration.
10. Type y to confirm.

User Guide
Specifying a Locale
English is the default locale for a Fortify Static Code Analyzer installation.
To change the locale for your Fortify Static Code Analyzer installation:
1. Navigate to the bin directory from the command line.
3. Type 2 to select Settings.
4. Type 1 to select General.
5. Type 1 to select Locale.
6. Type one of the following locale codes:
l English: en
l Spanish: es
l Japanese: ja
l Korean: ko
l Brazilian Portuguese: pt_BR
l Simplified Chinese: zh_CN
l Traditional Chinese: zh_TW
Configuring for Security Content Updates

Specify how you want to obtain Micro Focus Fortify Software Security Content. You must also specify
proxy information if it is required to reach the server.
To specify settings for Fortify Security Content updates:
4. Type 2 to select Fortify Update.
5. To change the Fortify Rulepack update server URL, type 1 and then type the URL.
The default Fortify Rulepack update server URL is https://update.fortify.com.
6. To specify a proxy for Fortify Security Content updates, do the following:
a. Type 2 to select Proxy Server Host, and then type the name of the proxy server.
b. Type 3 to select Proxy Server Port, and then type the proxy server port number.
c. (Optional) You can also specify the proxy server user name (option 4) and password
(option 5).

User Guide
Configuring the Connection to Fortify Software Security Center

Specify how to connect to Micro Focus Fortify Software Security Center. If your network uses a proxy
server to reach the Fortify Software Security Center server, you must specify the proxy information.
To specify settings for connecting to Fortify Software Security Center:
4. Type 3 to select Software Security Center Settings.
5. Type 1 to select Server URL, and then type the Fortify Software Security Center server URL.
For example, https://mywebserver/ssc.
6. To specify proxy settings for the connection, do the following:
a. Type 2 to select Proxy Server, and then type the proxy server path.
b. Type 3 to select Proxy Server Port, and then type the proxy server port number.
c. To specify the proxy server username and password, use option 4 for the username and
option 5 for the password.
7. (Optional) You can also specify the following:
l Whether to update security content from your Fortify Software Security Center server
(option 6)
l The Fortify Software Security Center user name (option 7)
Removing Proxy Server Settings

If you previously specified proxy server settings for the Fortify Security Content update server or Micro
Focus Fortify Software Security Center and it is no longer required, you can remove these settings.
To remove the proxy settings for Fortify Security Content updates or Fortify Software Security Center:
4. Type 2 to select Fortify Update or type 3 to select Software Security Center Settings.
5. Type the number that corresponds to the proxy setting you want to remove, and then type -
(hyphen) to remove the setting.
6. Repeat step 5 for each proxy setting you want to remove.

Chapter 3: Analysis Process Overview
Analysis Process 41
Translation Phase 42
Mobile Build Sessions 43
Analysis Phase 44
Translation and Analysis Phase Verification 46
Analysis Process
There are four distinct phases that make up the analysis process:
1. Build Integration—Choose whether to integrate Fortify Static Code Analyzer into your build tool.
For descriptions of build integration options, see "Integrating into a Build" on page 105.
2. Translation—Gathers source code using a series of commands and translates it into an
intermediate format associated with a build ID. The build ID is usually the name of the project you
are translating. For more information, see "Translation Phase" on the next page.
3. Analysis—Scans source files identified in the translation phase and generates an analysis results
file (typically in the Fortify Project Results (FPR) format). FPR files have the .fpr file extension.
For more information, see "Analysis Phase" on page 44.
4. Verification of translation and analysis—Verifies that the source files were scanned using the
correct Rulepacks and that no errors were reported. For more information, see "Translation and
Analysis Phase Verification" on page 46.
The following is an example of the sequence of commands you use to translate and analyze code:
sourceanalyzer -b <build_id> -clean

sourceanalyzer -b <build_id> ...
sourceanalyzer -b <build_id> -scan -f myresults.fpr
The three commands in the previous example illustrates the following steps in the analysis process:
1. Remove all existing Fortify Static Code Analyzer temporary files for the specified build ID.
Always begin an analysis with this step to analyze a project with a previously used build ID.
2. Translate the project code.
This step can consist of multiple calls to sourceanalyzer with the same build ID.
3. Analyze the project code and produce the Fortify Project Results file (FPR).

User Guide
Parallel Processing
Fortify Static Code Analyzer runs in parallel analysis mode to reduce the scan time of large projects. This
takes advantage of all CPU cores available on your system. When you run Fortify Static Code Analyzer,
avoid running other substantial processes during the Fortify Static Code Analyzer execution because it
expects to have the full resources of your hardware available for the scan.
Translation Phase
To successfully translate a project that is normally compiled, make sure that you have any dependencies
required to build the project available. The chapters for each source code type describe any specific
requirements.
The basic command-line syntax to perform the first step of the analysis process, file translation, is:
sourceanalyzer -b <build_id> ... <files>
or
sourceanalyzer -b <build_id> ... <compiler_command>
The translation phase consists of one or more invocations of Fortify Static Code Analyzer using the
sourceanalyzer command. Fortify Static Code Analyzer uses a build ID (-b option) to tie the
invocations together. Subsequent invocations of sourceanalyzer add any newly specified source or
configuration files to the file list associated with the build ID.
After translation, you can use the -show-build-warnings directive to list any warnings and errors
that occurred in the translation phase:
sourceanalyzer -b <build_id> -show-build-warnings
To view the files associated with a build ID, use the -show-files directive:
sourceanalyzer -b <build_id> -show-files
The following chapters describe how to translate different types of source code:
l "Translating Java Code" on page 47
l "Translating Kotlin Code" on page 55
l "Translating Visual Studio and MSBuild Projects" on page 58
l "Translating C and C++ Code" on page 64
l "Translating JavaScript and TypeScript Code" on page 67
l "Translating Python Code" on page 71
l "Translating Code for Mobile Platforms" on page 74
l "Translating Go Code" on page 77

User Guide
l "Translating Ruby Code" on page 79

l "Translating Apex and Visualforce Code" on page 81
l "Translating COBOL Code" on page 84
l "Translating Other Languages and Configurations" on page 88
Mobile Build Sessions

With a Fortify Static Code Analyzer mobile build session (MBS), you can translate a project on one
machine and scan it on another. A mobile build session (MBS file) includes all the files needed for the
analysis phase. To improve scan time, you can perform the translation on the original computer and
then move the build session (MBS file) to a better equipped computer for the scan. The developers can
run translations on their own computers and use only one powerful computer to run large scans.
You must have the same version of Fortify Security Content (Rulepacks) installed on both the system
where you are performing the translation and the system where you are performing the analysis.
Mobile Build Session Version Compatibility

The Fortify Static Code Analyzer version on the translate machine must be compatible with the Fortify
Static Code Analyzer version on the analysis machine. The version number format is:
major.minor.patch.buildnumber (for example, 20.2.0.0240). The major and minor portions of the Fortify
Static Code Analyzer version numbers on both the translation and the analysis machines must match.
For example, 20.2.0 and 20.1.x are compatible.
Note: Before version 16.10, the major portion of the Fortify Static Code Analyzer version number
was not the same as the Micro Focus Fortify Software Security Center version number.
To determine the Fortify Static Code Analyzer version number, type sourceanalyzer -version on
the command line.
Creating a Mobile Build Session

On the machine where you performed the translation, issue the following command to generate a
mobile build session:
sourceanalyzer -b <build_id> -export-build-session <file>.mbs
where <file>.mbs is the file name you provide for the Fortify Static Code Analyzer mobile build
session.
Importing a Mobile Build Session

After you move the <file>.mbs file to the machine where you want to perform the scan, import the
mobile build session into the Fortify Static Code Analyzer project root directory.

User Guide
Note: If necessary, you can obtain the build ID and Fortify Static Code Analyzer version from an
MBS file with the following command:
sourceanalyzer -import-build-session <file>.mbs

-Dcom.fortify.sca.ExtractMobileInfo=true
To import the mobile build session, type the following command:
sourceanalyzer -import-build-session <file>.mbs
After you import your Fortify Static Code Analyzer mobile build session, you can proceed to the
analysis phase. Perform a scan with the same build ID that was used in the translation.
You cannot merge multiple mobile build sessions into a single MBS file. Each exported build session
must have a unique build ID. However, after all the build IDs are imported on the same Fortify Static
Code Analyzer installation, you can scan multiple build IDs in one scan with the -b option (see "Analysis
Phase" below).
Analysis Phase
The analysis phase scans the intermediate files created during translation and creates the vulnerability
results file (FPR).
The analysis phase consists of one invocation of sourceanalyzer. You specify the build ID and
include the -scan directive with any other required analysis or output options (see "Analysis Options"
on page 114 and "Output Options" on page 117).
An example of the basic command-line syntax for the analysis phase is:
Note: By default, Fortify Static Code Analyzer includes the source code in the FPR file.
To combine multiple builds into a single scan command, add the additional builds to the command line:
sourceanalyzer -b <build_id1> -b <build_id2> -b <build_id3> -scan -f

myresults.fpr
The use of antivirus software can negatively impact Fortify Static Code Analyzer performance. If you
notice long scan times, Fortify recommends that you temporarily exclude the internal Fortify Static
Code Analyzer files from your antivirus software scan. You can also do the same for the directories
where the source code resides, however the performance impact on the Fortify analysis is less than with
the internal directories.
By default, Fortify Static Code Analyzer creates internal files in the following location:
l On Windows: c:\Users\<user>\AppData\Local\Fortify\sca<version>
l On non-Windows: $HOME/.fortify/sca<version>
where <version> is the version of Fortify Static Code Analyzer you are using.

User Guide
Higher-Order Analysis
Higher-Order Analysis (HOA) improves the ability to track dataflow through higher-order code. Higher-
order code manipulates functions as values, generating them with anonymous function expressions
(lambda expressions), passing them as arguments, returning them as values, and assigning them to
variables and to fields of objects. These code patterns are common in modern dynamic languages such
as JavaScript, TypeScript, Python, Ruby, and Swift.
By default, Fortify Static Code Analyzer performs Higher-Order Analysis when you scan JavaScript,
TypeScript, Python, Ruby, and Swift code. For a description of the Higher-Order Analysis properties,
see "fortify-sca.properties" on page 182 and search for "higher-order analysis."
Modular Analysis
This release includes a technology preview of modular analysis. With modular analysis, you can pre-scan
libraries (and sublibraries) separately from your core project. You can then include these pre-scanned
libraries when you scan the core project. Doing this might improve the core project analysis performance
because you are not rescanning the libraries every time you scan the core project. Modular analysis also
enables you to scan a project that references a library without requiring the library's source code, Fortify
Static Code Analyzer translated files, or custom rules used to scan the library. This has the added
benefit that you only need to audit issues in your core application. The analysis results are more
streamlined to code that you directly control and therefore you do not need to worry about issues in
code that you do not own.
Modular analysis is currently available for libraries and applications developed in Java and Java EE.
Note: In this release, you might not see any performance improvements from modular analysis.
Fortify is working to optimize the performance of modular analysis in future releases.
You must rescan your libraries whenever you:

l Update to a new version of Fortify Static Code Analyzer
l Update your Fortify security content
l Modify the libraries
Modular Command-Line Examples

To translate and scan a library separately, type:
sourceanalyzer -b LibA MyLibs/A/*.java
sourceanalyzer -b LibA -scan-module
To translate and scan the core project and include multiple pre-scanned libraries:
sourceanalyzer -b MyProj MyProj/*.java

User Guide
sourceanalyzer -b MyProj -scan -include-modules LibA,LibB
For a description of the options shown in the previous examples, see "Analysis Options" on page 114.
Translation and Analysis Phase Verification

Micro Focus Fortify Audit Workbench result certification indicates whether the code analysis from a
scan is complete and valid. The project summary in Fortify Audit Workbench shows the following
specific information about Fortify Static Code Analyzer scanned code:
l List of files scanned, with file sizes and timestamps
l Java class path used for the translation (if applicable)
l Rulepacks used for the analysis
l Fortify Static Code Analyzer runtime settings and command-line options
l Any errors or warnings encountered during translation or analysis
l Machine and platform information
Note: To obtain result certification, you must specify FPR for the analysis phase output format.
To view result certification information, open the FPR file in Fortify Audit Workbench and select Tools
> Project Summary > Certification. For more information, see the Micro Focus Fortify Audit
Workbench User Guide.

Chapter 4: Translating Java Code
This section describes how to translate Java code.
Fortify Static Code Analyzer supports translation of Java EE applications (including JSP files,
configuration files, and deployment descriptors), Java Bytecode, and Java code with Lombok
annotations.
Java Command-Line Syntax 47
Using FindBugs 51
Translating Java EE Applications 52
Translating Java Bytecode 53
Troubleshooting JSP Translation Issues 54
Java Command-Line Syntax

To translate Java code, all types defined in a library that are referenced in the code must have a
corresponding definition in the source code, a class file, or a JAR file. Include all source files on the
Fortify Static Code Analyzer command line.
If your project contains Java code that refers to Kotlin code, make sure that the Java and Kotlin code are
translated in the same Fortify Static Code Analyzer instance so that the Java references to Kotlin
elements are resolved correctly. Kotlin to Java interoperability does not support Kotlin files provided by
the –sourcepath option. For more information about the –sourcepath option, see "Java Command-
Line Options" on the next page
The basic command-line syntax to translate Java code is shown in the following example:
sourceanalyzer -b <build_id> -cp <classpath> <files>
With Java code, Fortify Static Code Analyzer can either:

l Emulate the compiler, which might be convenient for build integration
l Accept source files directly, which is convenient for command-line scans
For information about integrating Fortify Static Code Analyzer with Ant, see "Ant Integration" on
page 107.
To have Fortify Static Code Analyzer emulate the compiler, type:
sourceanalyzer -b <build_id> javac [<translation_options>]

User Guide
To pass files directly to Fortify Static Code Analyzer, type:
sourceanalyzer -b <build_id> -cp <classpath> [<translation_options>]

<files> | <file_specifiers>
where:
l <translation_options> are options passed to the compiler.
l -cp <classpath> specifies the class path to use for the Java source code.
A class path is the path that the Java runtime environment searches for classes and other resource
files. Include all JAR dependencies normally used to build the project. The format is the same as what
javac expects (colon- or semicolon-separated list of paths).
Similar to javac, Fortify Static Code Analyzer loads classes in the order they appear in the class path.
If there are multiple classes with the same name in the list, Fortify Static Code Analyzer uses the first
loaded class. In the following example, if both A.jar and B.jar include a class called
MyData.class, Fortify Static Code Analyzer uses the MyData.class from A.jar.
sourceanalyzer -cp A.jar:B.jar myfile.java
Fortify strongly recommends that you avoid using duplicate classes with the -cp option.
Fortify Static Code Analyzer loads JAR files in the following order:
a. From the -cp option
b. From jre/lib
c. From <sca_install_dir>/Core/default_jars
This enables you to override a library class by including the similarly-named class in a JAR specified
with the -cp option.
For descriptions of all the available Java-specific command-line options, see "Java Command-Line
Options" below.
Java Command-Line Options

The following table describes the Java command-line options (for Java SE and Java EE).
Java/Java EE Option Description
-appserver Specifies the application server to process JSP files.

weblogic | websphere
Equivalent Property Name:
com.fortify.sca.AppServer
-appserver-home <dir> Specifies the application server’s home.

l For WebLogic, this is the path to the directory that
contains the server/lib directory.
l For WebSphere, this is the path to the directory that

User Guide
contains the JspBatchCompiler script.

com.fortify.sca.AppServerHome
-appserver-version Specifies the version of the application server. See the Micro
<version> Focus Fortify Software System Requirements document for
supported versions.
com.fortify.sca.AppServerVersion
-cp <dirs> | Specifies the class path to use for analyzing Java source code.
-classpath <dirs> The format is the same as javac: a colon- or semicolon-
separated list of directories. You can use Fortify Static Code
Analyzer file specifiers as shown in the following example:
-cp "build/classes:lib/*.jar"
For information about file specifiers, see "Specifying Files and

Directories" on page 123.
com.fortify.sca.JavaClasspath
-extdirs <dirs> Similar to the javac extdirs option, accepts a colon- or

semicolon-separated list of directories. Any JAR files found in
these directories are included implicitly on the class path.
com.fortify.sca.JavaExtdirs
-java-build-dir <dirs> Specifies one or more directories that contain compiled Java
sources. You must specify this for FindBugs results as
described in "Analysis Options" on page 114.
-source <version> | Indicates the JDK version for which the Java code is written.
-jdk <version> See the Micro Focus Fortify Software System Requirements
document for supported versions. The default is Java 8.
com.fortify.sca.JdkVersion
-sourcepath <dirs> Specifies a colon- or semicolon-separated list of directories

that contain source code that is not included in the scan but is

User Guide
used for name resolution. The source path is similar to class

path, except it uses source files instead of class files for
resolution. Only source files that are referenced by the target
file list are translated.
com.fortify.sca.JavaSourcePath
Java Command-Line Examples

To translate a single file named MyServlet.java with javaee.jar as the class path, type:
sourceanalyzer -b MyServlet -cp lib/javaee.jar MyServlet.java
To translate all .java files in the src directory using all JAR files in the lib directory as a class path,
type:
sourceanalyzer -b MyProject -cp "lib/*.jar" "src/**/*.java"
To translate and compile the MyCode.java file with the javac compiler, type:
sourceanalyzer -b MyProject javac -classpath libs.jar MyCode.java
Handling Resolution Warnings

To see all warnings that were generated during translation, type the following command before you
start the scan phase:
Java Warnings
You might see the following warnings for Java:
Unable to resolve type...
Unable to resolve function...
Unable to resolve field...
Unable to locate import...
Unable to resolve symbol...

User Guide
Multiple definitions found for function...
Multiple definitions found for class...

These warnings are typically caused by missing resources. For example, some of the .jar and .class
files required to build the application might not have been specified. To resolve the warnings, make sure
that you include all the required files that your application uses.
Using FindBugs
FindBugs (http://findbugs.sourceforge.net) is a static analysis tool that detects quality issues in Java
code. You can run FindBugs with Fortify Static Code Analyzer and the results are integrated into the
analysis results file. Unlike Fortify Static Code Analyzer, which runs on Java source files, FindBugs runs
on Java bytecode. Therefore, before you run an analysis on your project, first compile the project and
produce the class files.
To see an example of how to run FindBugs automatically with Fortify Static Code Analyzer, compile the
sample code Warning.java as follows:
1. Go to the following directory:
<sca_install_dir>/Samples/advanced/findbugs
2. Type the following commands to compile the sample:
mkdir build
javac -d build Warning.java
3. Scan the sample with FindBugs and Fortify Static Code Analyzer as follows:
sourceanalyzer -b findbugs_sample -java-build-dir build Warning.java
sourceanalyzer -b findbugs_sample -scan -findbugs -f myresults.fpr
4. Examine the analysis results in Micro Focus Fortify Audit Workbench:
auditworkbench myresults.fpr
The output contains the following issue categories:

l Bad casts of Object References (1)
l Dead local store (2)
l Equal objects must have equal hashcodes (1)
l Object model violation (1)
l Unwritten field (2)
l Useless self-assignment (2)

User Guide
If you group by analyzer, you can see that the Structural Analyzer produced one issue and FindBugs
produced eight. The Object model violation issue Fortify Static Code Analyzer detected on line
25 is similar to the Equal objects must have equal hash codes issue that FindBugs detected.
In addition, FindBugs produces two sets of issues (Useless self-assignment and Dead local
store) about the same vulnerabilities on lines 6 and 7. To avoid overlapping results, use the -filter
option during the scan to apply the filter.txt filter file. Note that the filtering is not complete
because each tool filters at a different level of granularity. To see how to avoid overlapping results, scan
the sample code using filter.txt as follows:
sourceanalyzer -b findbugs_sample -scan -findbugs -filter filter.txt

-f myresults.fpr
Translating Java EE Applications

To translate Java EE applications, Fortify Static Code Analyzer processes Java source files and
Java EE components such as JSP files, deployment descriptors, and configuration files. While you can
process all the pertinent files in a Java EE application in one step, your project might require that you
break the procedure into its components for integration in a build process or to meet the needs of
various stakeholders in your organization.
Translating Java Files

To translate Java EE applications, use the same procedure used to translate Java files. For examples, see
"Java Command-Line Examples" on page 50.
Translating JSP Projects, Configuration Files, and Deployment

Descriptors
In addition to translating the Java files in your Java EE application, you might also need to translate JSP
files, configuration files, and deployment descriptors. Your JSP files must be part of a Web Application
Archive (WAR). If your source directory is already organized in a WAR file format, you can translate the
JSP files directly from the source directory. If not, you might need to deploy your application and
translate the JSP files from the deployment directory.
For example:
sourceanalyzer -b MyJavaApp "/**/*.jsp" "/**/*.xml"
where /**/*.jsp refers to the location of your JSP project files and /**/*.xml refers to the location
of your configuration and deployment descriptor files.

User Guide
Java EE Translation Warnings

You might see the following warning in the translation of Java EE applications:
Could not locate the root (WEB-INF) of the web application. Please build
your web application and try again. Failed to parse the following jsp
files:
<list_of_jsp_files>
This warning indicates that your web application is not deployed in the standard WAR directory format
or does not contain the full set of required libraries. To resolve the warning, make sure that your web
application is in an exploded WAR directory format with the correct WEB-INF/lib and WEB-
INF/classes directories containing all of the .jar and .class files required for your application.
Also verify that you have all of the TLD files for all of your tags and the corresponding JAR files with
their tag implementations.
Translating Java Bytecode

In addition to translating source code, you can translate the bytecode in your project. You must specify
two configuration properties and include the bytecode files in the Fortify Static Code Analyzer
translation phase.
For best results, Fortify recommends that the bytecode be compiled with full debug information
(javac -g).
Fortify recommends that you do not translate Java bytecode and JSP/Java code in the same call to
sourceanalyzer. Use multiple invocations of sourceanalyzer with the same build ID to translate a
project that contains both bytecode and JSP/Java code.
To include bytecode in the Fortify Static Code Analyzer translation:
1. Add the following properties to the fortify-sca.properties file (or include these properties
on the command line using the -D option):
com.fortify.sca.fileextensions.class=BYTECODE
com.fortify.sca.fileextensions.jar=ARCHIVE
This specifies how Fortify Static Code Analyzer processes .class and .jar files.
2. In the Fortify Static Code Analyzer translation phase, specify the Java bytecode files that you want
to translate. For best performance, specify only the .jar or .class files that require scanning.
In the following example, the .class files are translated:
sourceanalyzer -b MyProject -cp "lib/*.jar" "src/**/*.class"

User Guide
Troubleshooting JSP Translation Issues

Fortify Static Code Analyzer uses either the built-in compiler or your specific application server JSP
compiler to translate JSP files into Java files for analysis. If the JSP parser encounters problems when
Fortify Static Code Analyzer converts JSP files to Java files, you will see a message similar to the
following:
Failed to translate the following jsps into analysis model. Please see the
log file for any errors from the jsp parser and the user manual for hints
on fixing those
<list_of_jsp_files>
This typically happens for one or more of the following reasons:

l The web application is not laid out in a proper deployable WAR directory format
l You are missing some JAR files or classes required for the application
l You are missing some tag libraries or their definitions (TLD) for the application
To obtain more information about the problem, perform the following steps:
1. Open the Fortify Static Code Analyzer log file in an editor.
2. Search for the strings Jsp parser stdout: and Jsp parser stderr:.
The JSP parser generates these errors. Resolve the errors and rerun Fortify Static Code Analyzer.
For more information about scanning Java EE applications, see "Translating Java EE Applications" on
page 52.

Chapter 5: Translating Kotlin Code
This section describes how to translate Kotlin code.
Kotlin Command-Line Syntax 55
Kotlin and Java Translation Interoperability 57
Kotlin Command-Line Syntax

The translation of Kotlin code is similar to the translation of Java code. To translate Kotlin code, all types
defined in a library that are referenced in the code must have a corresponding definition in the source
code, a class file, or a JAR file. Include all source files on the Fortify Static Code Analyzer command line.
The basic command-line syntax to translate Kotlin code is shown in the following example:
sourceanalyzer –b <build_id> -cp <classpath> [<translation_options>]

<files>
where
l -cp <classpath> specifies the class path to use for the Kotlin source code.
A class path is the path that the Java runtime environment searches for classes and other resource
files. Include all JAR dependencies normally used to build the project. The format is a colon- or
semicolon-separated list of paths.
Fortify Static Code Analyzer loads classes in the order they appear in the class path. If there are
multiple classes with the same name in the list, Fortify Static Code Analyzer uses the first loaded class.
In the following example, if both A.jar and B.jar include a class called MyData.class, Fortify
Static Code Analyzer uses the MyData.class from A.jar.
sourceanalyzer –cp "A.jar:B.jar" myfile.kt
Fortify strongly recommends that you avoid using duplicate classes with the -cp option.
For descriptions of all the available Kotlin-specific command-line options, see "Kotlin Command-Line
Options" on the next page.

User Guide
Kotlin Command-Line Options

The following table describes the Kotlin-specific command-line options.
Kotlin Option Description
-cp <paths> | Specifies the class path to use for translating Kotlin source
-classpath <dirs> code, which is a colon- or semicolon-separated list of
directories. You can use Fortify Static Code Analyzer file
specifiers as shown in the following example:
-cp "build/classes:lib/*.jar"
For information about file specifiers, see "Specifying Files and

Directories" on page 123.
com.fortify.sca.JavaClasspath
-sourcepath <dirs> Specifies a colon- or semicolon-separated list of directories

that contain source code that is not included in the scan but is
used for name resolution. The source path is similar to class
path, except it uses source files instead of class files for
resolution. Only source files that are referenced by the target
file list are translated.
com.fortify.sca.JavaSourcePath

User Guide
Kotlin Command-Line Examples

To translate a single file named MyKotlin.kt with A.jar as the class path, type:
sourceanalyzer -b MyProject -cp lib/A.jar MyKotlin.kt
To translate all .kt files in the src directory using all JAR files in the lib directory as a class path, type:
sourceanalyzer -b MyProject -cp "lib/**/*.jar" "src/**/*.kt"
To translate and scan a gradle project using gradlew, type:
sourceanalyzer -b MyProject gradlew clean assemble
sourceanalyzer -b MyProject -scan –f myresults.fpr
To translate all files in the src directory using Java dependencies from src/java and all JAR files in
the lib directory and subdirectories as a class path, type:
sourceanalyzer –b MyProject –cp "lib/**/*.jar" -sourcepath "src/java"

"src"
Kotlin and Java Translation Interoperability

If your project contains Kotlin code that refers to Java code, you can provide Java files to the translator
the same way as Kotlin files that refers to another Kotlin file. You can provide them as part of the
translated project source or as –sourcepath parameters.
If your project contains Java code that refers to Kotlin code, make sure that the Java and Kotlin code are
translated in the same Fortify Static Code Analyzer instance so that the Java references to Kotlin
elements are resolved correctly. Kotlin to Java interoperability does not support Kotlin files provided by
the –sourcepath option. For more information about the –sourcepath option, see "Kotlin
Command-Line Options" on the previous page

Chapter 6: Translating Visual Studio and
MSBuild Projects
Fortify Static Code Analyzer supports translation of the following types of projects built with Visual
Studio or MSBuild:
l C/C++ projects
l .NET projects written in C# or Visual Basic (VB.NET)
This includes projects that target .NET Framework, .NET Core, and .NET Standard
l ASP.NET applications
This includes applications that make use of the ASP.NET Core framework
l Xamarin applications that target Android and iOS platforms
For the list of supported versions of relevant programming languages and frameworks, as well as Visual
Studio and MSBuild, see the Micro Focus Fortify Software System Requirements document.
Visual Studio and MSBuild Project Translation Prerequisites 58
Visual Studio and MSBuild Project Translation Command-Line Syntax 59
Handling Special Cases for Translating Visual Studio and MSBuild Projects 59
Alternative Ways to Translate Visual Studio and MSBuild Projects 62
Visual Studio and MSBuild Project Translation

Prerequisites
Important! Fortify Static Code Analyzer supports translation of Visual Studio and MSBuild
projects on Windows systems only.
Fortify recommends that each project you translate is complete and that you perform the translation in
an environment where you can build it without errors. A complete project contains the following:
l All necessary source code files (C/C++, C#, or VB.NET)
l All required reference libraries
This includes those from relevant frameworks, NuGet packages, and third-party libraries.
l For C/C++ projects, include all necessary header files that do not belong to the Visual Studio or
MSBuild installation

User Guide
Chapter 6: Translating Visual Studio and MSBuild Projects
l For ASP.NET and ASP.NET Core projects, include all the necessary ASP.NET page files
The supported ASP.NET page types are ASPX, ASCX, ASAX, ASHX, ASMX, AXML, Master,
CSHTML, VBHTML, BAML, and XAML.
Visual Studio and MSBuild Project Translation

Command-Line Syntax
The basic syntax to translate Visual Studio or MSBuild projects is to append an MSBuild command that
builds the project to the Fortify Static Code Analyzer command. The following command translates a
Visual Studio solution called Sample.sln:
sourceanalyzer –b <build_id> msbuild /t:rebuild Sample.sln
This command first builds the solution or project and then translates it. Fortify strongly recommends
you run this command from the Developer Command Prompt for Visual Studio to ensure an optimal
environment for the translation.
Important! When you translate from the Developer Command Prompt for Visual Studio
environment, Fortify recommends that you run the dotnet restore command before you run
the Fortify Static Code Analyzer translation. You must run this command from the top-level folder
of the project. This ensures that all required reference libraries are downloaded and installed in the
project.
After the translation is complete, you can perform the analysis phase as shown in the following example:
sourceanalyzer –b <build_id> -scan -f <results>.fpr
Handling Special Cases for Translating Visual Studio

and MSBuild Projects
Running Translation From a Script
As stated previously, Fortify recommends that you run the Fortify Static Code Analyzer translation of
Visual Studio and MSBuild projects from the Developer Command Prompt for Visual Studio. To
perform the translation in a non-interactive mode such as with a script, establish an optimal
environment for translation by executing the following command before you run the Fortify Static
Code Analyzer translation:
cmd.exe /k <vs_install_dir>/Common7/Tools/VSDevCmd.bat
where <vs_install_dir> is the directory where you installed Visual Studio.

User Guide
Translating Plain .NET and ASP.NET Projects

You can translate plain .NET and ASP.NET projects from the Windows Command Prompt as well as
from a Visual Studio environment. When you translate from the Windows Command Prompt, make sure
the path to the MSBuild executable required to build your project is included in PATH environment
variable.
Translating C/C++ and Xamarin Projects

Important! You must translate C/C++ and Xamarin projects either from a Developer Command
Prompt for Visual Studio or from the Micro Focus Fortify Extension for Visual Studio.
Additionally, Fortify recommends that you translate Xamarin projects from the Visual Studio 2019
environment, even if you created the project with a different version of Visual Studio. Using a different
Visual Studio version environment for translation might reduce the quality of the analysis results.
Translating Projects with Settings Containing Spaces

If your project is built with a configuration or other settings file that contains spaces, make sure to do
the following in the MSBuild command:
l Enclose the setting value in quotes (in addition to the quotes around the appropriate command-line
option)
l Quotes are escaped
For example, to translate a Visual Studio solution Sample.sln that is built with configuration My
Configuration, use the following command:
sourceanalyzer –b <build_id> msbuild /t:rebuild

"/p:Configuration=\"My Configuration\"" Sample.sln
Translating a Single Project from a Visual Studio Solution

If your Visual Studio solution contains multiple projects, you have the option to translate a single
project instead of the entire solution. Project files have a file name extension that ends with proj such
as .vcxproj and .csproj. To translate a single project, specify the project file instead of the solution
as the parameter for the MSBuild command.
The following example translates the Sample.vcxproj project file:
sourceanalyzer –b <build_id> msbuild /t:rebuild Sample.vcxproj

User Guide
Translating Visual Studio Solutions with Excluded or Skipped

Projects
By default, Fortify Static Code Analyzer translates all projects in the solution specified on the command
line, even if some projects are explicitly excluded from build in the solution or skipped during the build
due to platform and configuration settings used. To skip these excluded or skipped projects from the
translation, add the –exclude-disabled-projects option to the Fortify Static Code Analyzer
command as shown in the following example:
sourceanalyzer –b <build_id> -exclude-disabled-projects msbuild /t:rebuild

Sample.sln
Working with Multiple Targets and Projects for MSBuild Command

Recent versions of MSBuild enable you to build multiple targets and specific projects using an extended
syntax of the /t option. However, Fortify recommends that you avoid this syntax for translating Visual
Studio or MSBuild projects. Specifying a single rebuild target is sufficient to translate any supported
Visual Studio and MSBuild project.
If you cannot use a single rebuild target to translate your project, Fortify provides limited support of
multiple targets and projects specified for the MSBuild command. To use this feature, add the –
multiple-msbuild-targets option to the Fortify Static Code Analyzer command, as shown in the
following example:
sourceanalyzer –b <build_id> -multiple-msbuild-targets msbuild

/t:Project1:build;Project2:build Sample.sln
Note: Support of this translation mode is limited and Fortify Static Code Analyzer might not
properly handle all possible combinations of targets and projects.
Important! If you use this translation mode, do not specify a clean target as the last target on the
list. This target removes dependencies that your Visual Studio or MSBuild project requires. This
drastically reduces the translation quality and can negatively impact the analysis results.
Analyzing Projects That Build Multiple Executable Files

If your Visual Studio or MSBuild project builds multiple executable files (such as files with the file name
extension *.exe), Fortify strongly recommends that you run the analysis phase separately for each
executable file to avoid false positive issues in the analysis results. To do this, use –binary-name
option when running the analysis phase and specify the executable file name or .NET assembly name as
the parameter.
The following example shows how to translate and analyze a Visual Studio solution Sample.sln that
consists of two projects, Sample1 (a C++ project with no associated .NET assembly name) and Sample2

User Guide
(a .NET project with .NET assembly name Sample2). Each project builds a separate executable file,
Sample1.exe and Sample2.exe, respectively.
sourceanalyzer -b <build_id> msbuild /t:rebuild Sample.sln

sourceanalyzer -b <build_id> -scan -binary-name Sample1.exe -f Sample1.fpr
sourceanalyzer -b <build_id> -scan -binary-name Sample2 -f Sample2.fpr
For more information about the -binary-name option, see "Analysis Options" on page 114.
Alternative Ways to Translate Visual Studio and

MSBuild Projects
This section describes alternative methods of translating Visual Studio and MSBuild projects.
Alternative Translation Options for Visual Studio Solutions

The following are two alternative ways of translation available only for Visual Studio solutions:
l Use the Micro Focus Fortify Extension for Visual Studio
The Fortify Extension for Visual Studio runs the translation and analysis (scan) phases together in
one step.
l Append a devenv command to the Fortify Static Code Analyzer command
The following command translates a Visual Studio solution called Sample.sln:
sourceanalyzer –b <build_id> devenv Sample.sln /rebuild
Note that Fortify Static Code Analyzer converts a devenv invocation to the equivalent MSBuild
invocation, therefore in this case the solution with this command is actually built by MSBuild instead
of the devenv tool.
Translating Without Explicitly Running Fortify Static Code

Analyzer
You have the option to translate your Visual Studio or MSBuild project without invoking Fortify Static
Code Analyzer directly. This requires the MSbuild extension file named
FortifyMSBuildTouchless.dll located in the \Core\lib directory where you have installed
Fortify Static Code Analyzer. Specify this MSBuild extension file using an absolute or relative path in
the MSBuild command that builds your project with the /logger option. For example:
msbuild /t:rebuild /logger:<sca_install_dir>\Core\lib\FortifyMSBuildTouchless.dll

Sample.sln

User Guide
There are several environment variables that you can set to configure the translation of your project.
Most of them have default values, which Fortify Static Code Analyzer uses if the variable is not set.
These variables are listed in the following table.
Environment
Variable Description Default Value
FORTIFY_ Specifies the Fortify Static Code Analyzer build None

MSBUILD_ ID for translation. Make sure that you set this
BUILDID value.
This is equivalent to the Fortify Static Code
Analyzer's -b option.
FORTIFY_ Enables debug mode. This is equivalent to the False

MSBUILD_ Fortify Static Code Analyzer–debug option.
DEBUG
FORTIFY_ Enables verbose debug mode. This is False

MSBUILD_ equivalent to the Fortify Static Code Analyzer–
DEBUG_ debug-verbose option. Takes precedence
VERBOSE over FORTIFY_MSBUILD_DEBUG variable if
both are set to true.
FORTIFY_ Specifies the memory requirements translation Automatic allocation based on

MSBUILD_MEM in the form of the JVM -Xmx option. For physical memory available on
example, -Xmx2G. the system
FORTIFY_ Specifies the location (absolute path) of the %LOCALAPPDATA%/Fortify/

MSBUILD_ Fortify Static Code Analyzer log file. sca/log/sca.log
SCALOG
This is equivalent to the Fortify Static Code
Analyzer's -logfile option.

Chapter 7: Translating C and C++ Code
This section describes how to translate C and C++ code.
Important! The chapter describes how to translate C and C++ code that is not a part of a Visual
Studio or MSBuild project. For instructions on translating Visual Studio or MSBuild projects, see
"Translating Visual Studio and MSBuild Projects" on page 58.

C and C++ Code Translation Prerequisites 64
C and C++ Command-Line Syntax 64
Scanning Pre-processed C and C++ Code 65
C/C++ Precompiled Header Files 65
Troubleshooting Translation Failed Message 65
C and C++ Code Translation Prerequisites

Make sure that you have any dependencies required to build the project available, including headers for
third-party libraries. Fortify Static Code Analyzer translation does not require object files and
static/dynamic library files.
C and C++ Command-Line Syntax

Command-line options passed to the compiler affect preprocessor execution and can enable or disable
language features and extensions. For Fortify Static Code Analyzer to interpret your source code in the
same way as the compiler, the translation phase for C/C++ source code requires the complete compiler
command line. Prefix your original compiler command with the sourceanalyzer command and
options.
The basic command-line syntax for translating a single file is:
sourceanalyzer -b <build_id> [<sca_options>] <compiler> [<compiler_

options>] <file>.c
where:
l <compiler> is the name of the C/C++ compiler you use, such as gcc, g++, or cl. See the Micro
Focus Fortify Software System Requirements document for a list of supported C/C++ compilers.
l <sca_options> are options passed to Fortify Static Code Analyzer.

User Guide
l <compiler_options> are options passed to the C/C++ compiler.

l <file>.c must be in ASCII or UTF-8 encoding.
Note: All Fortify Static Code Analyzer options must precede the compiler options.
The compiler command must successfully complete when executed on its own. If the compiler command
fails, then the Fortify Static Code Analyzer command prefixed to the compiler command also fails.
For example, if you compile a file with the following command:
gcc -I. -o hello.o -c helloworld.c
then you can translate this file with the following command:
sourceanalyzer -b <build_id> gcc -I. -o hello.o -c helloworld.c
Fortify Static Code Analyzer executes the original compiler command as part of the translation phase. In
the previous example, the command produces both the translated source suitable for scanning, and the
object file hello.o from the gcc execution. You can use the Fortify Static Code Analyzer -nc option
to disable the compiler execution.
Scanning Pre-processed C and C++ Code

If, before compilation, your C/C++ build executes a third-party C preprocessor that Fortify Static Code
Analyzer does not support, you must invoke the Fortify Static Code Analyzer translation on the
intermediate file. Fortify Static Code Analyzer touchless build integration automatically translates the
intermediate file provided that your build executes the unsupported preprocessor and supported
compiler as two commands connected by a temporary file rather than a pipe chain.
C/C++ Precompiled Header Files

Some C/C++ compilers support Precompiled Header Files, which can improve compilation performance.
Some compilers' implementations of this feature have subtle side-effects. When the feature is enabled,
the compiler might accept erroneous source code without warnings or errors. This can result in a
discrepancy where Fortify Static Code Analyzer reports translation errors even when your compiler
does not.
If you use your compiler's Precompiled Header feature, disable Precompiled Headers, and then perform
a full build to make sure that your source code compiles cleanly.
Troubleshooting Translation Failed Message

If your C or C++ application builds successfully but you see one or more “translation failed” messages
during the Fortify Static Code Analyzer translation phase, edit the <sca_install_
dir>/Core/config/fortify-sca.properties file to change the following line:

User Guide
com.fortify.sca.cpfe.options= --remove_unneeded_entities --suppress_vtbl
to:
com.fortify.sca.cpfe.options= -w --remove_unneeded_entities --suppress_

vtbl
Re-run the translation to print the errors that the translator encountered. If the output indicates an
incompatibility between your compiler and the Fortify Static Code Analyzer translator, send your
output to Micro Focus Fortify Customer Support for further investigation.

Chapter 8: Translating JavaScript and
TypeScript Code
You can analyze JavaScript projects that contain JavaScript, TypeScript, JSX, and TSX source files, as
well as JavaScript embedded in HTML files.
Some JavaScript frameworks are transpiled (source-to-source compilation) to plain JavaScript. This
generated code is optimized., minimized, or both. Therefore, you might want to exclude it from
translation because it would be challenging to fix any vulnerabilities Fortify Static Code Analyzer might
report in this code. Use the -exclude command-line option to manually exclude this type of code.
Translating Pure JavaScript Projects 67
Excluding Dependencies 67
Excluding NPM Dependencies 68
Translating JavaScript Projects with HTML Files 68
Including External JavaScript or HTML in the Translation 69
Translating Pure JavaScript Projects

The basic command-line syntax to translate JavaScript is:
sourceanalyzer –b <build_id> <js_file_or_dir>
where <js_file_or_dir> is the either the name of the JavaScript file to be translated or a directory
that contains multiple JavaScript files. You can also translate multiple files by specifying *.js for the
<js_file_or_dir>.
Excluding Dependencies
You can avoid translating specific dependencies by adding them to the appropriate property setting in
the fortify-sca.properties file. Files specified in the following properties are not translated:
l com.fortify.sca.skip.libraries.ES6
l com.fortify.sca.skip.libraries.jQuery
l com.fortify.sca.skip.libraries.javascript
l com.fortify.sca.skip.libraries.typescript
Each property specifies a list of comma- or colon-separated file names (without path information).

User Guide
Chapter 8: Translating JavaScript and TypeScript Code
The files specified in these properties apply to both local files and files on the internet. Suppose, for
example, that the JavaScript code includes the following file reference:
<script
src="https://ajax.googleapis.com/ajax/libs/jquery/3.1.0/jquery.min.js">
</script>
By default, the com.fortify.sca.skip.libraries.jQuery property in the fortify-

sca.properties file includes jquery.min.js, and therefore Fortify Static Code Analyzer does not
translate the file shown in the previous example. Also, any local copy of the jquery.min.js file is not
translated.
You can use regular expressions for the file names. Note that Fortify Static Code Analyzer automatically
inserts the regular expression '(-?\d+\.\d+\.\d+)?' before .min.js or .js for each file name
included in the com.fortify.sca.skip.libraries.jQuery property value.
Note: You can also exclude local files or entire directories with the -exclude command-line option.
For more information about this option, see "Translation Options" on page 112.
Excluding NPM Dependencies

By default, Fortify Static Code Analyzer translates only the NPM dependences that are imported in the
code. You can change this behavior with the following two properties:
l The com.fortify.sca.follow.imports property directs Fortify Static Code Analyzer to resolve
all imported files and include them in the translation.
This property is enabled by default. Setting this property to false prevents NPM dependencies that
are not explicitly included on the command-line from being included in the translation.
l The com.fortify.sca.exclude.unimported.node.modules property directs Fortify Static
Code Analyzer to exclude all files in any node_modules directory from the translation except files that
are specifically imported by the com.fortify.sca.follow.imports property.
This property is enabled by default to avoid translating dependencies that are not needed for the
final project such as those only required for the build system.
Translating JavaScript Projects with HTML Files

If the project contains HTML files in addition to JavaScript files, set the
com.fortify.sca.EnableDOMModeling property to true in the fortify-sca.properties file or
on the command line as follows:

-Dcom.fortify.sca.EnableDOMModeling=true
When you set the com.fortify.sca.EnableDOMModeling property to true, this can decrease false
negative reports of DOM-related attacks, such as DOM-related cross-site scripting issues.

User Guide
Note: If you enable this option, Fortify Static Code Analyzer generates JavaScript code to model
the DOM tree structure in the HTML files. The duration of the analysis phase might increase
(because there is more translated code to analyze).
If you set the com.fortify.sca.EnableDOMModeling property to true, you can also specify
additional HTML tags for Fortify Static Code Analyzer to include in the DOM modeling with the
com.fortify.sca.DOMModeling.tags property. By default, Fortify Static Code Analyzer includes
the following HTML tags: body, button, div, form, iframe, input, head, html, and p.
For example, to include the HTML tags ul and li in the DOM model, use the following command:

-Dcom.fortify.sca.DOMModeling.tags=ul,li
Including External JavaScript or HTML in the

Translation
To include external JavaScript or HTML files that are specified with the src attribute, you can specify
which domains Fortify Static Code Analyzer can download and include in the translation phase. To do
this, specify one or more domains with the
com.fortify.sca.JavaScript.src.domain.whitelist property.
Note: You can also set this property globally in the fortify-sca.properties file.
For example, you might have the following statement in your HTML file:
<script src='http://xyzdomain.com/foo/bar.js' language='text/javascript'/>

</script>
If you are confident that the xyzdomain.com domain is a safe location from which to download files,
then you can include them in the translation phase by adding the following property specification on
the command line:
-Dcom.fortify.sca.JavaScript.src.domain.whitelist="xyzdomain.com/foo"
Note: You can omit the www. prefix from the domain in the property value. For example, if the src
tag in the original HTML file specifies to download files from www.google.com, you can specify
just the google.com domain.
To trust more than one domain, include each domain separated by the vertical bar character (|) as
shown in the following example:
-Dcom.fortify.sca.JavaScript.src.domain.whitelist=
"xyzdomain.com/foo|abcdomain.com|123.456domain.com”

User Guide
If you are using a proxy server, then you need to include the proxy server information on the command
line as shown in the following example:
-Dhttp.proxyHost=example.proxy.com -Dhttp.proxyPort=8080
For a complete list of proxy server options, see the Networking Properties Java documentation.

Chapter 9: Translating Python Code
Fortify Static Code Analyzer translates Python applications, and processes files with the .py extension
as Python source code.
Python Translation Command-Line Syntax 71
Including Import Files 71
Including Namespace Packages 72
Using the Django Framework with Python 72
Python Command-Line Options 72
Python Command-Line Examples 73
Python Translation Command-Line Syntax

The basic command-line syntax to translate Python code is:
sourceanalyzer -b <build_id> -python-version <python_version>

-python-path <dirs> <files>
Including Import Files

To translate Python applications and prepare for a scan, Fortify Static Code Analyzer searches for any
import files used by the application. Fortify Static Code Analyzer does not respect the PYTHONPATH
environment variable, which the Python runtime system uses to find imported files. Specify all the paths
to search for import files with the -python-path option.
Fortify Static Code Analyzer includes a subset of modules from the standard Python library (module
"builtins", all modules originally written in C, and others) in the translation. Fortify Static Code Analyzer
first searches for a standard Python library module in the set included with Fortify Static Code Analyzer
and then in the paths specified with the -python-path option. If your Python code imports any
module that Fortify Static Code Analyzer cannot find, it produces a warning. To make sure that all
modules of standard Python library are found, add the path to your standard Python library to the -
python-path list.

User Guide
Including Namespace Packages

To translate namespace packages, include all the paths to the namespace package directories in the -
python-path option. For example, if you have two subpackages for a namespace package package_
name in multiple folders as in this example:
/path_1/package_name/subpackageA
/path_2/package_name/subpackageB
Include the following with the -python-path option: /path_1;/path_2.
Using the Django Framework with Python

Fortify Static Code Analyzer supports the Django framework. To translate code created using the
Django framework, add the following properties to the <sca_install_
dir>/Core/config/fortify-sca.properties configuration file:
com.fortify.sca.limiters.MaxPassthroughChainDepth=8
com.fortify.sca.limiters.MaxChainDepth=8
By default, Fortify Static Code Analyzer attempts to discover Django templates in the project root
folder. Any Django templates found are automatically added to the translation. If you do not want
Fortify Static Code Analyzer to automatically discover Django templates, use the -django-disable-
autodiscover option. If your project requires Django templates, but the project is configured such
that Django templates are in an unexpected location, use the -django-template-dirs option to
specify the directories that contain the templates in addition to the -django-disable-
autodiscover option.
You can specify additional locations of Django template files by adding the -django-template-dirs
option to the sourceanalyzer command:
-django-template-dirs <dirs>
Python Command-Line Options

The following table describes the Python options.
Python Option Description
-python-version Specifies the Python source code version you want to scan. The valid
<version> values for <version> are 2 and 3. The default value is 2.

User Guide
Python Option Description

com.fortify.sca.PythonVersion
-python-path Specifies a colon-separated (non-Windows) or semicolon-separated

<dirs> (Windows) list of additional import directories. You can use the -python-
path option to specify all paths used to import packages or modules.
Include all paths to namespace package directories with this option.
Fortify Static Code Analyzer sequentially searches the specified paths for
each imported file and uses the first file encountered.
com.fortify.sca.PythonPath
-django-template- Specifies a colon-separated (non-Windows) or semicolon-separated

dirs <dirs> (Windows) list of directories that contain Django templates. Fortify Static
Code Analyzer sequentially searches the specified paths for each Django
template file and uses the first template file encountered.
com.fortify.sca.DjangoTemplateDirs
-django-disable- Specifies that Fortify Static Code Analyzer does not automatically
autodiscover discover Django templates.
com.fortify.sca.DjangoDisableAutodiscover
Python Command-Line Examples

To translate Python 3 code, type:
sourceanalyzer -b Python3Proj -python-version 3 -python-path

/usr/lib/python3.4:/usr/local/lib/python3.4/site-packages src/*.py
To translate Python 2 code, type:
sourceanalyzer -b MyPython2 -python-path

/usr/lib/python2.7:/usr/local/lib/python2.7/site-packages src/*.py

Chapter 10: Translating Code for Mobile
Platforms
Fortify Static Code Analyzer supports analysis of the following mobile application source languages:
l Swift, Objective-C, and Objective-C++ for iOS applications developed using Xcode
l Java for Android applications
For information about translating Xamarin applications, see "Translating Visual Studio and MSBuild
Projects" on page 58.
Translating Apple iOS Projects 74
Translating Android Projects 75
Translating Apple iOS Projects

This section describes how to translate Swift, Objective-C, and Objective-C++ source code for iOS
applications. Fortify Static Code Analyzer automatically integrates with the Xcode Command Line Tool,
Xcodebuild, to identify the project source files.
iOS Project Translation Prerequisites

The following are the prerequisites for translating iOS projects:
l Objective-C++ projects must use the non-fragile Objective-C runtime (ABI version 2 or 3).
l Use Apple’s xcode-select command-line tool to set your Xcode path. Fortify Static Code Analyzer
uses the system global Xcode configuration to find the Xcode toolchain and headers.
l Make sure that you have any dependencies required to build the project available.
l To translate Swift code, make sure that you have available all third-party modules, including
CocoaPods. Bridging headers must also be available. However, Xcode usually generates them
automatically during the build.
l If your project includes property list files in binary format, you must first convert them to XML format.
You can do this with the Xcode putil command.
l To translate Objective-C projects, ensure that the headers for third-party libraries are available.
l To translate WatchKit applications, make sure that you translate both the iPhone application target
and the WatchKit extension target.

User Guide
Chapter 10: Translating Code for Mobile Platforms
iOS Code Analysis Command-Line Syntax

The command-line syntax to translate iOS code using Xcodebuild is:
sourceanalyzer -b <build_id> xcodebuild [<compiler_options>]
where <compiler_options> are the supported options that are passed to the Xcode compiler.
Note: Xcodebuild compiles the source code when you run this command.
If your application uses any property list files (for example, <file>.plist), translate these files with a
separate sourceanalyzer command. Use the same build ID that you used to translate the project files.
The following is an example:
sourceanalyzer -b <build_id> <path_to_plist_files>
If your project uses CocoaPods, include -workspace to build the project. For example:
sourceanalyzer -b DemoAppSwift xcodebuild clean build -workspace

DemoAppSwift.xcworkspace -scheme DemoAppSwift -sdk iphonesimulator
You can then perform the analysis phase, as shown in the following example:
sourceanalyzer -b DemoAppSwift -scan -f myresults.fpr
Translating Android Projects

This section describes how to translate Java source code for Android applications. You can use Fortify
Static Code Analyzer to scan the code with Gradle from either:
l Your operating system's command line
l A terminal window running in Android Studio
The way you use Gradle is the same for either method.
Note: You can also scan Android code directly from Android Studio with the Micro Focus Fortify
Analysis Plugin for IntelliJ and Android Studio. For more information, see the Micro Focus Fortify
Plugins for JetBrains IDEs and Android Studio User Guide.
Android Project Translation Prerequisites

The following are the prerequisites for translating Android projects:
l Android Studio and the relevant Android SDKs are installed on the system where you will run the
scans

User Guide
Chapter 10: Translating Code for Mobile Platforms
l Your Android project uses Gradle for builds.

If you have an older project that does not use Gradle, you must add Gradle support to the associated
Android Studio project
Use the same version of Gradle that is provided with the version of Android Studio that you use to
create your Android project
l Make sure you have available all dependencies that are required to build the Android code in the
application's project
l To translate your Android code from a command window that is not displayed within Android
Studio, make sure that Gradle Wrapper (gradlew) is defined on the system path
Android Code Analysis Command-Line Syntax

Use gradlew to scan Android projects, which is similar to using Gradle except that you use the Gradle
Wrapper. For information about how to translate your Android project using the Gradle Wrapper, see
"Gradle Integration" on page 107.
Filtering Issues Detected in Android Layout Files

If your Android project contains layout files (used to design the user interface), your project files might
include R.java source files that are automatically generated by Android Studio. When you scan the
project, Fortify Static Code Analyzer can detect issues associated with these layout files.
Fortify recommends that Issues reported in any layout file be included in your standard audit so you can
carefully determine if any of them are false positives. After you identify issues in layout files that you are
not interested in, you can filter them out as described in "Filtering the Analysis" on page 165. You can
filter out the issues based on the Instance ID.

Chapter 11: Translating Go Code
This section describes how to translate Go code.
Go Command-Line Syntax 77
Go Command-Line Options 77
Resolving Dependencies 78
Go Command-Line Syntax
For best results, your project must be compilable and you must have all required dependencies available.
The following entities are excluded from the translation (and the scan):
l Vendor folder
l All projects defined by any go.mod files in subfolders, except the project defined by the go.mod file
under the %PROJECT_ROOT%
l All files with the _test.go suffix (unit tests)
The basic command-line syntax to translate Go code is:
sourceanalyzer -b <build_id> [-gopath <path>] [-goroot <path>] <files>
Go Command-Line Options
The following table describes the command-line options that are specific for translating Go code.
Go Option Description
-gopath <path> Specifies the root directory of your project. Make sure that the directory
structure adheres to the Go workspace hierarchy
(https://golang.org/doc/gopath_code.html).
If this option is not specified, then the GOPATH system environment
variable is used.
You must specify the root directory as an absolute path. The following
examples are valid values for <path>:

User Guide
Chapter 11: Translating Go Code
Go Option Description
/home/projects/go_workspace/my_proj
C:\projects\go_workspace\my_proj
The following example is an invalid value for <path>:
go_workspace/my_proj
If the environment variable is not set, then the gopath defaults to a

subdirectory named go in the user's home directory ($HOME/go on Linux
and %USERPROFILE%\go on Windows), unless that directory contains a
Go distribution.
-goroot <path> Specifies the location of the Go installation. If this option is not specified,
the GOROOT system environment variable is used.
If this option is not specified and the GOROOT system environment
variable is not set, then Fortify Static Code Analyzer uses the Go compiler
included in the Fortify Static Code Analyzer installation.
Resolving Dependencies
Fortify Static Code Analyzer supports two dependency management systems built-in into Go:
l GOPATH dependency resolution
If you are using a third-party dependency management system such as GoDeps or dep), you must
download all dependencies before you start the translation.
l Modules
Fortify Static Code Analyzer downloads all required dependencies using the native Go toolchain. If
access to the internet is restricted on the machine where you run Fortify Static Code Analyzer, then
do one of the following:
l If you are using an artifact management system such as Artifactory, set the GOPROXY
environment variable.
l Download all required dependencies using modules and vendoring.

Chapter 12: Translating Ruby Code
Ruby Command-Line Syntax 79
Adding Libraries 80
Adding Gem Paths 80
Ruby Command-Line Syntax

The basic command-line syntax to translate Ruby code is:
sourceanalyzer –b <build_id> <file>
where <file> is the name of the Ruby file you want to scan. To include multiple Ruby files, separate
them with a space, as shown in the following example:
sourceanalyzer –b <build_id> file1.rb file2.rb file3.rb
In addition to listing individual Ruby files, you can use the asterisk (*) wildcard to select all Ruby files in a
specified directory. For example, to find all of the Ruby files in a directory called src, use the following
sourceanalyzer command:
sourceanalyzer –b <build_id> src/*.rb
Ruby Command-Line Options

The following table describes the Ruby translation options.
Ruby Option Description
-ruby-path <dirs> Specifies one or more paths to directories that contain Ruby libraries (see
"Adding Libraries " on the next page)
com.fortify.sca.RubyLibraryPaths
-rubygem-path Specifies the path(s) to a RubyGems location (see "Adding Gem Paths" on
<dirs> the next page)
com.fortify.sca.RubyGemPaths

User Guide
Chapter 12: Translating Ruby Code
Adding Libraries
If your Ruby source code requires a specific library, add the Ruby library to the sourceanalyzer
command. Include all ruby libraries that are installed with ruby gems. For example, if you have a
utils.rb file that resides in the /usr/share/ruby/myPersonalLibrary directory, then add the
following to the sourceanalyzer command:
-ruby-path /usr/share/ruby/myPersonalLibrary
To use multiple libraries, use a delimited list. On Windows, separate the paths with a semicolon; and on
all other platforms use a colon, as in the following non-Windows example:
-ruby-path /path/one:/path/two:/path/three
Adding Gem Paths

To add all RubyGems and their dependency paths, import all RubyGems. To obtain the Ruby gem paths,
run the gem env command. Under GEM PATHS, look for a directory similar to:
/home/myUser/gems/ruby-version
This directory contains another directory called gems, which contains directories for all the gem files
installed on the system. For this example, use the following in your command line:
-rubygem-path /home/myUser/gems/ruby-version/gems
If you have multiple gems directories, add them by specifying a delimited list of directories such as:
-rubygem-path /path/to/gems:/another/path/to/more/gems
Note: On Windows systems, separate the gems directories with a semicolon.

Chapter 13: Translating Apex and
Visualforce Code
Apex Translation Prerequisites 81
Apex and Visualforce Command-Line Syntax 81
Apex and Visualforce Command-Line Options 82
Downloading Customized Salesforce Database Structure Information 82
Apex Translation Prerequisites

l All the source code to scan is available on the same machine where you have installed Fortify Static
Code Analyzer
To scan your custom Salesforce app, download it to your local computer from your Salesforce
organization (org) where you develop and deploy it. The downloaded version of your app consists
of:
l Apex classes in files with the .cls extension
l Visualforce web pages in files with the .page extension
l Apex code files called database “trigger” functions are in files with the .trigger extension
Use the Force.com Migration Tool available on the Salesforce website to download your app from
your org in the Salesforce cloud to your local computer.
l If you customized the standard Salesforce database structures to support your app, then you must
also download a description of the changes so that Fortify Static Code Analyzer knows how your
modified version of Salesforce interacts with your app. See "Downloading Customized Salesforce
Database Structure Information" on the next page.
Apex and Visualforce Command-Line Syntax

The basic command-line syntax to translate Apex and Visualforce code is:
sourceanalyzer -b <build_id> -apex <files>
where <files> is an Apex or Visualforce file or a path to the source files.
Important! Supported file extensions for the source code files are: .cls, .trigger, .page, and
.component.

User Guide
Chapter 13: Translating Apex and Visualforce Code
For descriptions of all the Apex- and Visualforce-specific command-line options, see "Apex and
Visualforce Command-Line Options" below.
Apex and Visualforce Command-Line Options

The following table describes the Apex and Visualforce translation command-line options.
Apex or Visualforce Option Description
-apex Directs Fortify Static Code Analyzer to use the Apex and
Visualforce translation for files with the .cls extension.
Without this option, Fortify Static Code Analyzer translates
*.cls files as Visual Basic code.
Note: Alternatively, you can set the

com.fortify.sca.fileextension.cls property to
APEX either on the command line (include -
Dcom.fortify.sca.fileextensions.cls=APEX) or
in the <sca_install_dir>/Core/config/fortify-
sca.properties file.

com.fortify.sca.Apex
-apex-sobject-path <path> Specifies the location of the custom sObject JSON file
sobjects.json.
For instructions on how to use the sf_extractor tool, see
"Downloading Customized Salesforce Database Structure
Information" below.
com.fortify.sca.ApexObjectPath
Downloading Customized Salesforce Database

Structure Information
Use the sf_extractor tool to download a description of any customized Salesforce database structures.
Fortify Static Code Analyzer requires this information to perform a more complete analysis. The sf_
extractor creates a custom sObject JSON file that you include with the sourceanalyzer translation phase.
(For information about how to provide this information to Fortify Static Code Analyzer, see "Apex and
Visualforce Command-Line Options" above.)

User Guide
Chapter 13: Translating Apex and Visualforce Code
The following table describes the contents of the sf_extractor.zip file, which is located in <sca_
install_dir>/Tools.
Folder or File Name Description
lib Folder containing JAR dependencies
src Source code
partner.wsdl Partner WSDL file version 37.0
sf_extractor.jar Compiled JAR file (dependencies included)
The command-line syntax to run sf_extractor is:
java -jar sf_extractor.jar <username> <password> <security_token> <org>
where:
l <username> is your Salesforce cloud user name. For example, test@test.test.
l <password> is your Salesforce cloud password.
l <security_token> is the 25 alphanumeric character security token
l <org> is y if you are using a sandbox org or n if you are using a production org
The sf_extractor tool uses the credentials to access the Salesforce SOAP API. It downloads all the
sObjects with additional information from the current org, and then it downloads information about
fields in the sObjects. This is required to properly resolve types represented in current org.
This tool produces an sobjects.json file that you provide to Fortify Static Code Analyzer in the
translation command using the -apex-sobject-path option.

Chapter 14: Translating COBOL Code
The 20.2.0 release of Fortify Static Code Analyzer introduces updated COBOL code translation, which is
now the default translation method. The previous translation method, referred to now as legacy
COBOL translation, is still available for use with a command-line option. Use the legacy
COBOL translation method if either of the following is true:
l You run Fortify Static Code Analyzer on a non-Windows operating system
l Your COBOL dialect is unsupported. For example, your COBOL source code is free format.
The following sections describe the default COBOL code translation. Information that pertains only to
the legacy COBOL translation is indicated as such.
For a list of supported technologies for translating COBOL code, see the Micro Focus Fortify Software
System Requirements document. Fortify Static Code Analyzer does not currently support custom rules
for COBOL applications.
Note: To scan COBOL with Fortify Static Code Analyzer, you must have a specialized Fortify license
specifically for COBOL scanning capabilities. Contact Micro Focus Fortify Customer Support for
more information about scanning COBOL and the required license.

Preparing COBOL Source and Copybook Files for Translation 84
COBOL Command-Line Syntax 85
COBOL Command-Line Options 86
Preparing COBOL Source and Copybook Files for

Translation
Fortify Static Code Analyzer supports translation of COBOL source files on Windows systems only.
Legacy COBOL Translation: Fortify Static Code Analyzer supports translation of COBOL source
files on the supported platforms and architectures listed in the Micro Focus Fortify Software
System Requirements document.

User Guide
Before you can analyze a COBOL program, you must copy the following program components to the
Windows system where you run Fortify Static Code Analyzer:
l COBOL source code
Note: Fortify Static Code Analyzer translates COBOL source code files with or without file
extensions.
l All copybook files that the COBOL source code uses

l All SQL INCLUDE files that the COBOL source code references (a SQL INCLUDE file is technically a
copybook file)
Important! The copybook files must have the file extension .CPY or .cpy.
Legacy COBOL Translation: Fortify Static Code Analyzer translates copybook files with or
without file extensions.
If your COBOL source code contains:
COPY FOO
or
EXEC SQL INCLUDE FOO END-EXEC
then FOO is the name of a COBOL copybook and the corresponding copybook file has the name
FOO.CPY or FOO.cpy.
Legacy COBOL Translation:

l The corresponding copybook file has the name FOO with or without a file extension. If the
copybook files have file extensions, use the -copy-extensions command-line option. For
more information, see "Legacy COBOL Translation Command-Line Options" on page 87.
l The COPY command can also accept a directory-file-path structure instead of a file name.
Fortify Static Code Analyzer processes only top-level COBOL sources. Do not include copybook files in
the directory or the subdirectory where the COBOL sources reside. Fortify recommends that you place
your COBOL source code files in a directory called sources and your copybook files in a directory called
copybooks. Create these directories at the same level.
COBOL Command-Line Syntax

The basic syntax used to translate a single COBOL source code file is:
sourceanalyzer -b <build_id> <path>
The basic syntax used to scan a translated COBOL program is:
sourceanalyzer -b <build_id> -scan -f <results>.fpr

User Guide
Legacy COBOL Translation: Free-format COBOL is the default translation mode. Fortify Static
Code Analyzer supports the translation of fixed-format COBOL. To translate fixed-format COBOL,
you must specify the -fixed-format command-line option. For more information, see "Legacy
COBOL Translation Command-Line Options" on the next page.
Translating COBOL Source Files Without File Extensions

If you have COBOL source files retrieved from a mainframe without .COB or .CBL file extensions (which
is typical for COBOL file names), then you must include the following in the translation command line:
-noextension-type COBOL
If you have COBOL source files with an arbitrary extension .xyz, then you must include the following in
the translation command line:
-Dcom.fortify.sca.fileextension.xyz=COBOL
The following example command translates COBOL source code without file extensions:
sourceanalyzer -b MyProject -noextension-type COBOL -copydirs copybooks

sources
COBOL Command-Line Options

The following table describes the COBOL command-line options.
COBOL Option Description
-copydirs <dirs> Specifies one or more semicolon-separated directory paths in which

Fortify Static Code Analyzer looks for copybook files.
com.fortify.sca.CobolCopyDirs
-checker- Specifies one or more semicolon-separated COBOL checker directives.

directives
<directives> Note: This option is intended for advanced users of Micro Focus
Server Express.
Equivalent property name:

com.fortify.sca.CobolCheckerDirectives

User Guide
Legacy COBOL Translation Command-Line Options

The following table describes the command-line options for the legacy COBOL translation.
Legacy COBOL Option Description
-cobol-legacy Specifies translation of COBOL code using legacy COBOL translation. This
option is required to enable legacy COBOL translation.
com.fortify.sca.CobolLegacy
-copydirs <dirs> Specifies one or more colon- or semicolon-separated directory paths in

which Fortify Static Code Analyzer looks for copybook files.
com.fortify.sca.CobolCopyDirs
-copy-extensions Specifies one or more colon- or semicolon-separated copybook file

<ext> extensions.
com.fortify.sca.CobolCopyExtensions
-fixed-format Specifies fixed-format COBOL to direct Fortify Static Code Analyzer to

only look for source code between columns 8–72 in all lines of code.
IBM Enterprise COBOL code is typically fixed-format. The following are
indications that you might need the -fixed-format option:
l The COBOL translation appears to hang indefinitely
l Fortify Static Code Analyzer reports numerous parsing errors in the
COBOL translation
com.fortify.sca.CobolFixedFormat

Chapter 15: Translating Other Languages
and Configurations
Translating PHP Code 88
Translating ABAP Code 89
Translating Flex and ActionScript 97
Translating ColdFusion Code 99
Translating SQL 100
Translating Scala Code 101
Translating ASP/VBScript Virtual Roots 101
Translating Dockerfiles 103
Classic ASP Command-Line Example 104
VBScript Command-Line Example 104
Translating PHP Code

The syntax to translate a single PHP file named MyPHP.php is shown in the following example:
sourceanalyzer -b <build_id> MyPHP.php
To translate a file where the source or the php.ini file entry includes a relative path name (starts with
./ or ../), consider setting the PHP source root as shown in the following example:
sourceanalyzer -php-source-root <path> -b <build_id> MyPHP.php
For more information about the -php-source-root option, see the description in "PHP Command-
Line Options" below.
PHP Command-Line Options

The following table describes the PHP-specific command-line options.
PHP Option Description
-php-source-root Specifies an absolute path to the project root directory. The relative path

User Guide
Chapter 15: Translating Other Languages and Configurations
PHP Option Description
<path> name first expands from the current directory. If the file is not found, then
the path expands from the specified PHP source root directory.
com.fortify.sca.PHPSourceRoot
-php-version Specifies the PHP version. The default version is 7.0. For a list of valid
<version> versions, see the Micro Focus Fortify Software System Requirements.
com.fortify.sca.PHPVersion
Translating ABAP Code

Translating ABAP code is similar to translating other operating language code. However, it requires
additional steps to extract the code from the SAP database and prepare it for scanning. See "Importing
the Transport Request" on the next page for more information. This section assumes you have a basic
understanding of SAP and ABAP.
To translate ABAP code, the Fortify ABAP Extractor program downloads source files to the
presentation server, and optionally, invokes Fortify Static Code Analyzer. You need to use an account
with permission to download files to the local system and execute operating system commands.
Because the extractor program is executed online, you might receive a max dialog work process
time reached exception message if the volume of source files selected for extraction exceeds the
allowable process run time. To work around this, download large projects as a series of smaller Extractor
tasks. For example, if your project consists of four different packages, download each package
separately into the same project directory. If the exception occurs frequently, work with your SAP Basis
administrator to increase the maximum time limit (rdisp/max_wprun_time).
When a PACKAGE is extracted from ABAP, the Fortify ABAP Extractor extracts everything from TDEVC
with a parentcl field that matches the package name. It then recursively extracts everything else from
TDEVC with a parentcl field equal to those already extracted from TDEVC. The field extracted from
TDEVC is devclass.
The devclass values are treated as a set of program names and handled the same way as a program
name, which you can provide.
Programs are extracted from TRDIR by comparing the name field with either:
l The program name specified in the selection screen
l The list of values extracted from TDEVC if a package was provided
The rows from TRDIR are those for which the name field has the given program name and the
expression LIKEprogramname is used to extract rows.

User Guide
This final list of names is used with READ REPORT to get code out of the SAP system. This method does
read classes and methods out as well as merely REPORTS, for the record.
Each READ REPORT call produces a file in the temporary folder on the local system. This set of files is
what Fortify Static Code Analyzer translates and scans, producing an FPR file that you can open with
Micro Focus Fortify Audit Workbench.
INCLUDE Processing
As source code is downloaded, the Fortify ABAP Extractor detects INCLUDE statements in the source.
When found, it downloads the include targets to the local machine for analysis.
Importing the Transport Request

To scan ABAP code, you need to import the Fortify ABAP Extractor transport request on your SAP
Server.
The Fortify transport request is located in the SAP_Extractor.zip package. The package is located in
the Tools directory:
<sca_install_dir>/Tools/SAP_Extractor.zip
The Fortify ABAP Extractor package, SAP_Extractor.zip, contains the following files:
l K900XXX.S9S (where the “XXX” is the release number)
l R900XXX.S9S (where the “XXX” is the release number)
These files make up the SAP transport request that you must import into your SAP system from
outside your local Transport Domain. Have your SAP administrator or an individual authorized to install
transport requests on the system import the transport request.
The NSP files contain a program, a transaction (YSCA), and the program user interface. After you
import them into your system, you can extract your code from the SAP database and prepare it for
Fortify Static Code Analyzer scanning.
Installation Note
The Fortify ABAP Extractor transport request is supported on a system running SAP release 7.02, SP
level 0006. If you are running a different SAP version and you get the transport request import error:
Install release does not match the current version, then the transport request
installation has failed.
To try to resolve this issue, perform the following steps:
1. Re-run the transport request import.
The Import Transport Request dialog box opens.
2. Click the Options tab.
3. Select the Ignore Invalid Component Version check box.
4. Complete the import procedure.

User Guide
If this does not resolve the issue or if your system is running on an SAP version with a different table
structure, Fortify recommends that you export your ABAP file structure using your own technology so
that Fortify Static Code Analyzer can scan the ABAP code.
Adding Fortify Static Code Analyzer to Your Favorites List

Adding Fortify Static Code Analyzer to your Favorites list is optional, but doing so can make it quicker
to access and launch Fortify Static Code Analyzer scans. The following steps assume that you use the
user menu in your day-to-day work. If your work is done from a different menu, add the Favorites link
to the menu that you use. Before you create the Fortify Static Code Analyzer entry, make sure that the
SAP server is running and you are in the SAP Easy Access area of your web-based client.
To add Fortify Static Code Analyzer to your Favorites list:
1. From the SAP Easy Access menu, type S000 in the transaction box.
The SAP Menu opens.
2. Right-click the Favorites folder and select Insert transaction.
The Manual entry of a transaction dialog box opens.
3. Type YSCA in the Transaction Code box.

4. Click the green check mark button .
The Extract ABAP code and launch SCA item appears in the Favorites list.

User Guide
5. Click the Extract ABAP code and launch SCA link to launch the Fortify ABAP Extractor.
Running the Fortify ABAP Extractor

To run the Fortify ABAP Extractor:
1. Start the program from the Favorites link, the transaction code, or manually start the Extractor
object.
This opens the Fortify ABAP Extractor.

User Guide
2. Select the code to download.

Provide the start and end name for the range of software components, packages, programs, or
BSP applications that you want to scan.
Note: You can specify multiple objects or ranges.

User Guide
3. Provide the Fortify Static Code Analyzer specific information described in the following table.
Field Description
FPR File (Optional) Type or select the directory where you want to store the scan results
Path file (FPR). Include the name for the FPR file in the path name. You must provide
the FPR file path if you want to automatically scan the downloaded code on the
same machine where you are running the extraction process.
Working Type or select the directory where you want to store the extracted source code.
Directory
Build-ID (Optional) Type the build ID for the scan. Fortify Static Code Analyzer uses the
build ID to identify the translated source code, which is necessary to scan the code.
You must specify the build ID if you want to automatically translate the
downloaded code on the same machine where you are running the extraction

User Guide
Field Description
process.
Translation (Optional) Type any additional Fortify Static Code Analyzer command-line
Parameters translation options. You must specify translation parameters if you want to
automatically translate the downloaded code on the same machine where you are
running the extraction process or you want to customize the translation options.
Scan (Optional) Type any Fortify Static Code Analyzer command-line scan options. You
Parameters must specify scan parameters if you want to scan the downloaded code
automatically on the same machine where you are running the process or you
want to customize the scan options.
ZIP File (Optional) Type a ZIP file name if you want your output in a compressed package.
Name
Maximum A global SAP-function F is not downloaded unless F was explicitly selected or

Call-chain unless F can be reached through a chain of function calls that start in explicitly-
Depth selected code and whose length is this number or less. Fortify recommends that
you do not specify a value greater than 2 unless directed to do so by Micro Focus
Fortify Customer Support.
4. Provide action information described in the following table.
Field Description
Download Select this check box to have Fortify Static Code Analyzer download the source
code extracted from your SAP database.
Build Select this check box to have Fortify Static Code Analyzer translate all

User Guide
Field Description
downloaded ABAP code and store it using the specified build ID. This action
requires that you have an installed version of Fortify Static Code Analyzer on
the machine where you are running the Fortify ABAP Extractor. It is often
easier to move the downloaded source code to a predefined Fortify Static Code
Analyzer machine.
Scan Select this check box to have Fortify Static Code Analyzer run a scan of the
specified build ID. This action requires that the translate (build) action was
previously performed. This action requires that you have an installed version of
Fortify Static Code Analyzer on the machine where you are running the Fortify
ABAP Extractor. It is often easier to move the downloaded source code to a
predefined Fortify Static Code Analyzer machine.
Launch AWB Select this check box to start Micro Focus Fortify Audit Workbench and open
the specified FPR file.
Create ZIP Select this check box to compress the output. You can also manually compress
File the output after the source code is extracted from your SAP database.
Export Select this check box to export SAP standard code in addition to custom code.
SAP standard
code
5. Click Execute.
Uninstalling the Fortify ABAP Extractor

To uninstall the ABAP extractor:
1. In ABAP Workbench, open the Object Navigator.
2. Select package Y_FORTIFY_ABAP.
3. Expand the Programs tab.
4. Right-click the following element, and then select Delete.
l Program: Y_FORTIFY_SCA

User Guide
Translating Flex and ActionScript

The basic command-line syntax for translating ActionScript is:
sourceanalyzer -b <build_id> -flex-libraries <libs> <files>
where:
<libs> is a semicolon-separated list (Windows) or a colon-separated list (non-Windows systems) of
library names to which you want to "link" and <files> are the files to translate.
Flex and ActionScript Command-Line Options

Use the following command-line options to translate Flex files. You can also specify this information in
the properties configuration file (fortify-sca.properties) as noted in each description.
Flex and ActionScript

Option Description
-flex-sdk-root The location of the root of a valid Flex SDK. This folder must contain a
<path> frameworks folder that contains a flex-config.xml file. It must also
contain a bin folder that contains an MXMLC executable.
com.fortify.sca.FlexSdkRoot
-flex-libraries A colon- or semicolon-separated list (colon on most platforms, semicolon

<libs> on Windows) of library names that you want to “link” to. In most cases, this
list includes flex.swc, framework.swc, and playerglobal.swc
(usually found in frameworks/libs/ in your Flex SDK root).
Note: You can specify SWC or SWF files as Flex libraries (SWZ is not
currently supported).

com.fortify.sca.FlexLibraries
-flex-source-roots A colon- or semicolon-separated list of root directories in which MXML

<dirs> sources are located. Normally, these contain a subfolder named com.
For example, if the Flex source root specified is foo/bar/src, then
foo/bar/src/com/fortify/manager/util/Foo.mxml is
transformed into an object named com.fortify.manager.util.Foo
(an object named Foo in the package com.fortify.manager.util).

User Guide
Flex and ActionScript

Option Description

com.fortify.sca.FlexSourceRoots
Note: -flex-sdk-root and –flex-source-roots are primarily for MXML translation, and are
optional if you are scanning pure ActionScript. Use –flex-libraries for resolving all
ActionScript.
Fortify Static Code Analyzer translates MXML files into ActionScript and then runs them through an
ActionScript parser. The generated ActionScript is simple to analyze; not rigorously correct like the Flex
runtime model. As a consequence, you might get parse errors with MXML files. For instance, the XML
parsing could fail, translation to ActionScript could fail, and the parsing of the resulting ActionScript
could also fail. If you see any errors that do not have a clear connection to the original source code,
notify Micro Focus Fortify Customer Support.
ActionScript Command-Line Examples

The following examples illustrate command-line syntax for typical scenarios for translating ActionScript.
Example 1
The following example is for a simple application that contains only one MXML file and a single SWF
library (MyLib.swf):
sourceanalyzer -b MyFlexApp -flex-libraries lib/MyLib.swf -flex-sdk-root

/home/myself/flex-sdk/ -flex-source-roots . my/app/FlexApp.mxml
This identifies the location of the libraries to include and the Flex SDK and the Flex source root
locations. The single MXML file, located in /my/app/FlexApp.mxml, results in translating the MXML
application as a single ActionScript class called FlexApp and located in the my.app package.
Example 2
The following example is for an application in which the source files are relative to the src directory. It
uses a single SWF library, MyLib.swf, and the Flex and framework libraries from the Flex SDK:
sourceanalyzer -b MyFlexProject -flex-sdk-root /home/myself/flex-sdk/

-flex-source-roots src/ -flex-libraries lib/MyLib.swf "src/**/*.mxml"
"src/**/*.as"
This example locates the Flex SDK and uses Fortify Static Code Analyzer file specifiers to include the
.as and .mxml files in the src folder. It is not necessary to explicitly specify the .SWC files located in
the –flex-sdk-root, although this example does so for the purposes of illustration. Fortify Static
Code Analyzer automatically locates all .SWC files in the specified Flex SDK root, and it assumes that
these are libraries intended for use in translating ActionScript or MXML files.

User Guide
Example 3
In this example, the Flex SDK root and Flex libraries are specified in a properties file because typing in
the data is time consuming and the data is generally constant. Divide the application into two sections
and store them in folders: a main section folder and a modules folder. Each folder contains a src folder
where the paths start. File specifiers contain wild cards to pick up all the .mxml and .as files in both src
folders. An MXML file in main/src/com/foo/util/Foo.mxml is translated as an ActionScript class
named Foo in the package com.foo.util, for example, with the source roots specified here:
sourceanalyzer -b MyFlexProject -flex-source-roots main/src:modules/src

"./main/src/**/*.mxml" "./main/src/**/*.as" "./modules/src/**/*.mxml"
"./modules/src/**/*.as"
Handling Resolution Warnings

To see all warnings that were generated during translation, type the following command before you
start the scan phase:
ActionScript Warnings
You might receive a message similar to the following:
The ActionScript front end was unable to resolve the following imports:
a.b at y.as:2. foo.bar at somewhere.as:5. a.b at foo.mxml:8.
This error occurs when Fortify Static Code Analyzer cannot find all of the required libraries. You might
need to specify additional SWC or SWF Flex libraries (-flex-libraries option or
com.fortify.sca.FlexLibraries property) so that Fortify Static Code Analyzer can complete the
analysis.
Translating ColdFusion Code

To treat undefined variables in a CFML page as tainted, uncomment the following line in <sca_
install_dir>/Core/config/fortify-sca.properties:
#com.fortify.sca.CfmlUndefinedVariablesAreTainted=true
This instructs the Dataflow Analyzer to watch out for register-globals-style vulnerabilities. However,
enabling this property interferes with Dataflow Analyzer findings in which a variable in an included page
is initialized to a tainted value in an earlier-occurring included page.
ColdFusion Command-Line Syntax

Type the following to translate ColdFusion source code:

User Guide
sourceanalyzer -b <build_id> -source-base-dir <dir> <files> | <file_

specifiers>
where:
l <build_id> specifies the build ID for the project
l <dir> specifies the root directory of the web application
l <files> | <file_specifiers> specifies the CFML source code files
For a description of how to use <file_specifiers>, see "Specifying Files and Directories" on
page 123.
Note: Fortify Static Code Analyzer calculates the relative path to each CFML source file with the
-source-base-dir directory as the starting point. Fortify Static Code Analyzer uses these
relative paths when it generates instance IDs. If you move the entire application source tree to a
different directory, the Fortify Static Code Analyzer- generated instance IDs remain the same if you
specify an appropriate parameter for the -source-base-dir option.
ColdFusion Command-Line Options

The following table describes the ColdFusion options.
ColdFusion Option Description
-source-base-dir <web_app_root_dir> <files> | The web application root directory.

<file_specifiers> Equivalent Property Name:
com.fortify.sca.SourceBaseDir
Translating SQL
On Windows platforms, Fortify Static Code Analyzer assumes that files with the .sql extension are T-
SQL rather than PL/SQL. If you have PL/SQL files with the .sql extension on Windows, you must
configure Fortify Static Code Analyzer to treat them as PL/SQL.
To specify the SQL type for translation on Windows platforms, type one of the following translation
commands:
sourceanalyzer -b <build_id> -sql-language TSQL <files>
or
sourceanalyzer -b <build_id> -sql-language PL/SQL <files>
User Guide
Alternatively, you can change the default behavior for files with the .sql extension. In the fortify-
sca.properties file, set the com.fortify.sca.fileextensions.sql property to TSQL or
PLSQL.
PL/SQL Command-Line Example

The following example shows the syntax to translate two PL/SQL files:
sourceanalyzer -b MyProject x.pks y.pks
The following example shows how to translate all PL/SQL files in the sources directory:
sourceanalyzer -b MyProject "sources/**/*.pks"
T-SQL Command-Line Example

The following example shows the command to translate two T-SQL files:
sourceanalyzer -b MyProject x.sql y.sql
The following example shows how to translate all T-SQL files in the sources directory:
sourceanalyzer -b MyProject "sources\**\*.sql"
Note: This example assumes the com.fortify.sca.fileextensions.sql property in

fortify-sca.properties is set to TSQL.
Translating Scala Code

To translate Scala code, you must have a standard Lightbend Enterprise Suite license. Download the
Scala translation plugin from Lightbend. For instructions on how to download and translate Scala code,
see the Lightbend documentation at https://developer.lightbend.com/guides/fortify.
Important! If your project contains source code other than Scala, you must translate the Scala
code using the Lightbend's Scala translation plugin, and then translate the other source code with
sourceanalyzer using the same build ID before you run the scan phase.
Translating ASP/VBScript Virtual Roots

Fortify Static Code Analyzer allows you to handle ASP virtual roots. For web servers that use virtual
directories as aliases that map to physical directories, Fortify Static Code Analyzer enables you to use an
alias.
User Guide
For example, you can have virtual directories named Include and Library that refer to the physical
directories C:\WebServer\CustomerOne\inc and C:\WebServer\CustomerTwo\Stuff,
respectively.
The following example shows the ASP/VBScript code for an application that uses virtual includes:

For this example, the previous ASP code refers to the file in the following physical location:
C:\Webserver\CustomerOne\inc\Task1\foo.inc
The real directory replaces the virtual directory name Include in this example.
Accommodating Virtual Roots

To provide the mapping of each virtual directory to Fortify Static Code Analyzer, you must set the
com.fortify.sca.ASPVirtualRoots.name_of_virtual_directory property in your Fortify
Static Code Analyzer command-line invocation as shown in the following example:
sourceanalyzer -Dcom.fortify.sca.ASPVirtualRoots.<virtual_
directory>=<full_path_to_corresponding_physical_directory>
Note: On Windows, if the physical path includes spaces, you must enclose the property setting in
quotes:
sourceanalyzer "-Dcom.fortify.sca.ASPVirtualRoots.<virtual_
directory>=<full_path_to_corresponding_physical_directory>"
To expand on the example in the previous section, pass the following property value to Fortify Static
Code Analyzer:
-Dcom.fortify.sca.ASPVirtualRoots.Include="C:\WebServer\CustomerOne\inc"
-Dcom.fortify.sca.ASPVirtualRoots.Library="C:\WebServer\CustomerTwo\Stuff"
This maps Include to C:\WebServer\CustomerOne\inc and Library to

C:\WebServer\CustomerTwo\Stuff.
When Fortify Static Code Analyzer encounters the #include directive:

Fortify Static Code Analyzer determines if the project contains a physical directory named Include. If
there is no such physical directory, Fortify Static Code Analyzer looks through its runtime properties
and finds the -Dcom.fortify.sca.ASPVirtualRoots.Include=
"C:\WebServer\CustomerOne\inc" setting. Fortify Static Code Analyzer then looks for this file:
C:\WebServer\CustomerOne\inc\Task1\foo.inc.
User Guide
Alternatively, you can set this property in the fortify-sca.properties file located in <sca_
install_dir>\Core\config. You must escape the backslash character (\) in the path of the physical
directory as shown in the following example:
com.fortify.sca.ASPVirtualRoots.Library=C:\\WebServer\\CustomerTwo\\Stuff
com.fortify.sca.ASPVirtualRoots.Include=C:\\WebServer\\CustomerOne\\inc
Note: The previous version of the ASPVirtualRoot property is still valid. You can use it on the
Fortify Static Code Analyzer command line as follows:
-Dcom.fortify.sca.ASPVirtualRoots=C:\WebServer\CustomerTwo\Stuff;
C:\WebServer\CustomerOne\inc
This prompts Fortify Static Code Analyzer to search through the listed directories in the order specified
when it resolves a virtual include directive.
Using Virtual Roots Example

You have a file as follows:
C:\files\foo\bar.asp
To specify this file, use the following include:
<!-- #include virtual="/foo/bar.asp">
Then set the virtual root in the sourceanalyzer command as follows:
-Dcom.fortify.sca.ASPVirtualRoots=C:\files\foo
This strips the /foo from the front of the virtual root. If you do not specify foo in the
com.fortify.sca.ASPVirtualRoots property, then Fortify Static Code Analyzer looks for
C:\files\bar.asp and fails.
The sequence to specify virtual roots is as follows:
1. Remove the first part of the path in the source.
2. Replace the first part of the path with the virtual root as specified on the command line.
Translating Dockerfiles
By default, Fortify Static Code Analyzer translates the following files as Dockerfiles: Dockerfile,
dockerfile, *.Dockerfile, and *.dockerfile.
Note: You can modify the file extension used to detect Dockerfiles using the
com.fortify.sca.fileextensions property. See "fortify-sca.properties" on page 182.
User Guide
Fortify Static Code Analyzer accepts the following escape characters in Dockerfiles: backslash (\) and
backquote (`). If the escape character is not set in the Dockerfile, then Fortify Static Code Analyzer
assumes that the backslash is the escape character.
The syntax to translate a directory that contains Dockerfiles is shown in the following example:
sourceanalyzer -b <build_id> <dir>
If the Dockerfile is malformed and Fortify Static Code Analyzer cannot parse the file, an error is written
to the log and analysis of the Dockerfile is skipped. The following is an example of the error written to
the log:
Dockerfile parser error 1:20 : mismatched input '\n' expecting {LINE_

EXTEND, WHITESPACE}
Unable to parse config file

C:/Users/jsmith/MyProj/docker/dockerfile/ProjA.Dockerfile
Classic ASP Command-Line Example

To translate a single file classic ASP written in VBScript named MyASP.asp, type:
sourceanalyzer -b mybuild "MyASP.asp"
VBScript Command-Line Example

To translate a VBScript file named myApp.vb, type:
sourceanalyzer -b mybuild "myApp.vb"
Chapter 16: Integrating into a Build
You can integrate the analysis into supported build tools.
Build Integration 105
Modifying a Build Script to Invoke Fortify Static Code Analyzer 106
Touchless Build Integration 107
Ant Integration 107
Gradle Integration 107
Maven Integration 109
Build Integration
You can translate entire projects in a single operation. Prefix your original build operation with the
sourceanalyzer command followed by the Fortify Static Code Analyzer options.
The basic command-line syntax to translate a complete project is:
sourceanalyzer -b <build_id> [<sca_options>] <build_tool> [<build_tool_

options>]
where <build_tool> is the name of your build tool, such as make, gmake, msbuild, devenv, or
xcodebuild. See the Micro Focus Fortify Software System Requirements document for a list of
supported build tools. Fortify Static Code Analyzer executes your build tool and intercepts all compiler
operations to collect the specific command line used for each input.
Note: Fortify Static Code Analyzer only processes the compiler commands that the build tool
executes. If you do not clean your project before you execute the build, then Fortify Static Code
Analyzer only processes those files that the build tool re-compiles.
For information about integrating with Xcodebuild, see "iOS Code Analysis Command-Line Syntax" on
page 75. For information about integration with MSBuild, see "Translating Visual Studio and MSBuild
Projects" on page 58.
Successful build integration requires that the build tool:
l Executes a Fortify Static Code Analyzer-supported compiler
l Executes the compiler on the operating system path search, not with a hardcoded path (This
requirement does not apply to xcodebuild integration.)
l Executes the compiler, rather than executing a sub-process that then executes the compiler
User Guide
If you cannot meet these requirements in your environment, see "Modifying a Build Script to Invoke
Fortify Static Code Analyzer" below.
Make Example
If you build your project with the following build commands:
make clean
make
make install
then you can simultaneously translate and compile the entire project with the following commands:
make clean
sourceanalyzer -b <build_id> make
make install
Modifying a Build Script to Invoke Fortify Static Code

Analyzer
As an alternative to build integration, you can modify your build script to prefix each compiler, linker,
and archiver operation with the sourceanalyzer command. For example, a makefile often defines
variables for the names of these tools:
CC=gcc
CXX=g++
LD=ld
AR=ar
You can prepend the tool references in the makefile with the sourceanalyzer command and the
appropriate Fortify Static Code Analyzer options.
CC=sourceanalyzer -b mybuild gcc

CXX=sourceanalyzer -b mybuild g++
LD=sourceanalyzer -b mybuild ld
AR=sourceanalyzer -b mybuild ar
When you use the same build ID for each operation, Fortify Static Code Analyzer automatically
combines each of the separately-translated files into a single translated project.
User Guide
Touchless Build Integration

Fortify Static Code Analyzer includes a generic build tool called touchless that enables translation of
projects using build systems that Fortify Static Code Analyzer does not directly support. The command-
line syntax for touchless build integration is:
sourceanalyzer -b <build_id> touchless <build_command>
For example, you might use a python script called build.py to compute dependencies and execute
appropriately-ordered C compiler operations. Then to execute your build, run the following command:
python build.py
Fortify Static Code Analyzer does not have native support for such a build design. However, you can
use the touchless build tool to translate and build the entire project with the single command:
sourceanalyzer -b <build_id> touchless python build.py
The same requirements for successful build integration with supported build systems described earlier
in this chapter (see "Build Integration" on page 105) apply to touchless integration with unsupported
build systems.
Ant Integration
Fortify Static Code Analyzer provides an easy way to translate Java source files for projects that use an
Ant build file. You can apply this integration on the command line without modifying the Ant
build.xml file. When the build runs, Fortify Static Code Analyzer intercepts all javac task invocations
and translates the Java source files as they are compiled.
Note: You must translate any JSP files, configuration files, or any other non-Java source files that
are part of the application in a separate step.
To use the Ant integration, make sure that the sourceanalyzer executable is on the system PATH.
Prepend your Ant command-line with the sourceanalyzer command as follows:
sourceanalyzer -b <build_id> ant [<ant_options>]
Gradle Integration
You can translate projects that are built with Gradle without any modification of the build.gradle
file. When the build runs, Fortify Static Code Analyzer translates the source files as they are compiled.
See the Micro Focus Fortify Software System Requirements document for platforms and languages
User Guide
supported specifically for Gradle integration. Any files in the project in unsupported languages for
Gradle integration are not translated (with no error reporting). These files are therefore not analyzed,
and any existing potential vulnerabilities can go undetected.
To integrate Fortify Static Code Analyzer into your Gradle build, make sure that the sourceanalyzer
executable is on the system PATH. Prepend the Gradle command line with the sourceanalyzer
command as follows:
sourceanalyzer -b <build_id> <sca_options> gradle [<gradle_options>]

<gradle tasks>
For example:
sourceanalyzer -b buildxyz gradle clean build

sourceanalyzer -b buildxyz gradle --info assemble
If your build file name is different than build.gradle, then include the build file name with the --
build-file option as shown in the following example:
sourceanalyzer -b buildxyz gradle --build-file sample.gradle clean

assemble
You can also use the Gradle Wrapper (gradlew) as shown in the following example:
sourceanalyzer -b <build_id> gradlew [<gradle_options>]
If your application uses XML or property configuration files, translate these files with a separate
sourceanalyzer command. Use the same build ID that you used for the project files. The following
are examples:
sourceanalyzer -b <build_id> <path_to_xml_files>

sourceanalyzer -b <build_id> <path_to_properties_files>
After translating the project with gradle or gradlew, you can then perform the analysis phase as shown
in the following example:
Including Verbose and Debug Options

If you use the Fortify Static Code Analyzer -verbose option, then you must also include the -gradle
option. Use of this option applies to both Gradle and the Gradle Wrapper. For example:
sourceanalyzer -b buildxyz -gradle -verbose gradle assemble

As part of the gradle integration, Fortify Static Code Analyzer temporarily updates the original build file
build.gradle. If you include the -debug option, Fortify Static Code Analyzer saves a copy of the
original build file as build.gradle.orig). After the analysis with the -debug option is complete,
User Guide
rename the build.gradle.orig file back to build.gradle and run sourceanalyzer again without
the -debug option.
Maven Integration
Fortify Static Code Analyzer includes a Maven plugin that provides a way to add the following
capabilities to your Maven project builds:
l Fortify Static Code Analyzer clean, translate, scan
l Fortify Static Code Analyzer export mobile build session (MBS) for a Fortify Static Code Analyzer
translated project
l Send translated code to Micro Focus Fortify ScanCentral SAST
l Upload results to Micro Focus Fortify Software Security Center
You can use the plugin directly or integrate its functionality into your build process.
Installing and Updating the Fortify Maven Plugin

The Fortify Maven Plugin is located in <sca_install_dir>/plugins/maven. This directory contains
a binary and a source version of the plugin in both zip and tarball archives. To install the plugin, extract
the version (binary or source) that you want to use, and then follow the instructions in the included
README.TXT file. Perform the installation in the directory where you extracted the archive.
For information about supported versions of Maven, see the Micro Focus Fortify Software System
Requirements document.
If you have a previous version of the Fortify Maven Plugin installed, and then install the latest version.
Uninstalling the Fortify Maven Plugin

To uninstall the Fortify Maven Plugin, manually delete all files from the <maven_local_
repo>/repository/com/fortify/ps/maven/plugin directory.
Testing the Fortify Maven Plugin Installation

After you install the Fortify Maven Plugin, use one of the included sample files to be sure your
installation works properly.
To test the Fortify Maven Plugin using the Eightball sample file:
1. Add the directory that contains the sourceanalyzer executable to the path environment
variable.
For example:
export set PATH=$PATH:/<sca_install_dir>/bin
or
User Guide
set PATH=%PATH%;<sca_install_dir>/bin
2. Type sourceanalyzer -version to test the path setting.

Fortify Static Code Analyzer version information is displayed if the path setting is correct.
3. Navigate to the sample Eightball directory: <root_dir>/samples/EightBall.
4. Type the following command:
mvn com.fortify.sca.plugins.maven:sca-maven-plugin:<ver>:clean
where <ver> is the version of the Fortify Maven Plugin you are using. If the version is not
specified, Maven uses the latest version of the Fortify Maven Plugin that is installed in the local
repository.
Note: To see the version of the Fortify Maven Plugin, open the pom.xml file that you
extracted in <root_dir> in a text editor. The Fortify Maven Plugin version is specified in the
<version> element.
5. If the command in step 4 completed successfully, then the Fortify Maven Plugin is installed
correctly. The Fortify Maven Plugin is not installed correctly if you get the following error message:
[ERROR] Error resolving version for plugin

'com.fortify.sca.plugins.maven:sca-maven-plugin' from the repositories
Check the Maven local repository and try to install the Fortify Maven Plugin again.
Using the Fortify Maven Plugin

There are two ways to perform a Fortify analysis on a maven project:
l As a Maven Plugin
In this method, you perform the Fortify analysis tasks as goals with the mvn command. For example,
the following command is used to translate source code:
mvn com.fortify.sca.plugins.maven:sca-maven-plugin:<ver>:translate
To analyze your code this way, see the documentation included with the Fortify Maven Plugin. The
following table describes where to find the documentation after the Fortify Maven Plugin is properly
installed.
Package Type Documentation Location
Binary <root_dir>/docs/index.html
Source <root_dir>/sca-maven-plugin/target/site/index.html
l In a Fortify Static Code Analyzer build integration
User Guide
In this method, prepend the maven command used to build your project with the sourceanalyzer
command and any Fortify Static Code Analyzer options. To analyze your files as part of a Fortify
Static Code Analyzer build integration:
a. Clean out the previous build:
sourceanalyzer -b <build_id> -clean
b. Translate the code:
sourceanalyzer -b <build_id> [<sca_options>] [<mvn_command_with_

options>]
For example:
sourceanalyzer -b buildxyz mvn package
The following additional example includes the Fortify Static Code Analyzer option to exclude
selected files from the analysis. To specify the files you want to exclude, add the -exclude
option to the translate step as shown in the following example:
sourceanalyzer -b buildxyz -exclude "fileA;fileB;fileC;" mvn package
Note: On Windows, separate the file names with a semicolon; and on all other platforms use
a colon.
See "Command-Line Interface" on page 112 for descriptions of available Fortify Static Code
Analyzer options.
c. Complete the analysis by running the scan as shown in the following example:
sourceanalyzer -b <build_id> [<sca_scan_options>] -scan -f

myresults.fpr
Chapter 17: Command-Line Interface
This chapter describes general Fortify Static Code Analyzer command-line options and how to specify
source files for analysis. Command-line options that are specific to a language are described in the
chapter for that language.
Translation Options 112
Analysis Options 114
Output Options 117
Other Options 120
Directives 122
Specifying Files and Directories 123
Translation Options
The following table describes the translation options.
Translation Option Description
-b <build_id> Specifies the build ID. Fortify Static Code Analyzer uses the build ID to
track which files are compiled and combined as part of a build, and
later, to scan those files.
com.fortify.sca.BuildID
-disable-language Specifies a colon-separated list of languages to exclude from the

translation phase. The valid language values are abap,
actionscript, apex, cfml, cobol, cpp, csharp, golang, java,
javascript, jsp, kotlin, objc, php, plsql, python, ruby, scala,
sql, swift, tsql, typescript, and vb.
com.fortify.sca.DISabledLanguages
User Guide
-enable-language Specifies a colon-separated list of languages to translate. The valid

language values are abap, actionscript, apex, cfml, cobol, cpp,
csharp, golang, java, javascript, jsp, kotlin, objc, php,
plsql, python, ruby, scala, sql, swift, tsql, typescript, and
vb.
com.fortify.sca.EnabledLanguages
-exclude Removes files from the list of files to translate. Separate multiple file
<file_specifiers> paths with semicolons (Windows) or colons (non-Windows systems).
See "Specifying Files and Directories" on page 123 for more
information on how to use file specifiers.
For example:
sourceanalyzer –cp "**/*.jar" "**/*"

-exclude "**/Test/*.java"
This example excludes all Java files in any Test subdirectory.
Note: When you integrate the translation with a compiler or a

build tool, Fortify Static Code Analyzer translates all source files
that the compiler or build tool processes even if they are specified
with this option.

com.fortify.sca.exclude
-encoding <encoding_ Specifies the source file encoding type. Fortify Static Code Analyzer
name> enables you to scan a project that contains differently encoded source
files. To work with a multi-encoded project, you must specify the -
encoding option in the translation phase, when Fortify Static Code
Analyzer first reads the source code file. Fortify Static Code Analyzer
remembers this encoding in the build session and propagates it into
the FVDL file.
Valid encoding names are from the java.nio.charset.Charset.

Typically, if you do not specify the encoding type, Fortify Static Code
Analyzer uses file.encoding from the
java.io.InputStreamReader constructor with no encoding
parameter. In a few cases (for example with the ActionScript parser),
User Guide
Fortify Static Code Analyzer defaults to UTF-8.

com.fortify.sca.InputFileEncoding
-nc When specified before a compiler command line, Fortify Static Code
Analyzer translates the source file but does not run the compiler.
-noextension-type Specifies the file type for source files that have no file extension. The
<file_type> possible values are: ABAP, ACTIONSCRIPT, APEX, APEX_TRIGGER,
ARCHIVE, ASPNET, ASP, ASPX, BITCODE, BYTECODE, CFML,
COBOL, CSHARP, DOCKERFILE, GO, HTML, JAVA, JAVA_
PROPERTIES, JAVASCRIPT, JSP, JSPX, KOTLIN, MSIL, MXML, PHP,
PLSQL, PYTHON, RUBY, RUBY_ERB, SCALA, SWIFT, TLD, SQL,
TSQL, TYPESCRIPT, VB, VB6, VBSCRIPT, VISUAL_FORCE, and XML.
Analysis Options
The following table describes the analysis options.
Analysis Option Description
-scan Causes Fortify Static Code Analyzer to perform analysis for the specified
build ID.
Note: Do not use this option together with the -scan-module

option in the same sourceanalyzer command.
-scan-module Causes Fortify Static Code Analyzer to perform analysis for the specified
build ID as a separate module.
Note: Do not use this option together with the -scan option in the
same sourceanalyzer command.

com.fortify.sca.ScanScaModule
-include-modules Specifies the libraries previously scanned as separate modules in a comma-

or colon-separated list of build IDs to include in the project scan.
com.fortify.sca.IncludeScaModules
User Guide
-analyzers Specifies the analyzers you want to enable with a colon- or comma-
separated list of analyzers. The valid analyzer names are buffer,
content, configuration, controlflow, dataflow, findbugs,
nullptr, semantic, and structural. You can use this option to
disable analyzers that are not required for your security requirements.
com.fortify.sca.DefaultAnalyzers
-b <build_id> Specifies the build ID.

com.fortify.sca.BuildID
-p <level> | Scans the project with a scan precision level. Scans with a lower precision
-scan-precision level are performed faster. The valid values are 1 and 2. For more
<level> information, see "Configuring Scan Speed with Speed Dial" on page 146.
com.fortify.sca.PrecisionLevel
-quick Scans the project in quick scan mode using the fortify-sca-
quickscan.properties file, providing a less in-depth analysis. By
default, it disables the Buffer Analyzer and the Control Flow Analyzer. In
addition, it applies the Quick View filter set.
com.fortify.sca.QuickScanMode
-bin <binary> | Specifies a subset of source files to scan. Only the source files that were
-binary-name linked in the named binary at build time are included in the scan. You can
<binary> use this option multiple times to specify the inclusion of multiple binaries
in the scan.
com.fortify.sca.BinaryName
-disable-default- Disables all rules of the specified type in the default Rulepacks. You can
rule-type use this option multiple times to specify multiple rule types.
<type>
The <type> parameter is the XML tag minus the suffix Rule. For
example, use DataflowSource for DataflowSourceRule elements. You
can also specify specific sections of characterization rules, such as
Characterization:Control flow, Characterization:Issue, and
User Guide
Characterization:Generic.
The <type> parameter is case-insensitive.
-filter <file> Specifies a results filter file. See "Filtering the Analysis" on page 165 for
more information about this option.
com.fortify.sca.FilterFile
-findbugs Enables FindBugs analysis for Java code. You must specify the Java class
directories with the -java-build-dir option, which is described in "Java
Command-Line Options" on page 48.
com.fortify.sca.EnableFindbugs
-no-default-issue- Disables rules in default Rulepacks that lead directly to issues. Still loads
rules rules that characterize the behavior of functions.
Note: This is equivalent to disabling the following rule types:

DataflowSink, Semantic, Controlflow, Structural, Configuration,
Content, Statistical, Internal, and Characterization:Issue.

com.fortify.sca.NoDefaultIssueRules
-no-default-rules Specifies not to load rules from the default Rulepacks. Fortify Static Code
Analyzer processes the Rulepacks for description elements and language
libraries, but processes no rules.
com.fortify.sca.NoDefaultRules
-no-default- Disables source rules in the default Rulepacks.

source-rules
Note: Characterization source rules are not disabled.

com.fortify.sca.NoDefaultSourceRules
-no-default-sink- Disables sink rules in the default Rulepacks.

rules
Note: Characterization sink rules are not disabled.
User Guide

com.fortify.sca.NoDefaultSinkRules
-project-template Specifies the issue template file to use for the scan. This only affects scans
on the local machine. If you upload the FPR to Micro Focus Fortify
Software Security Center server, it uses the issue template assigned to the
application version.
com.fortify.sca.ProjectTemplate
-rules <file> | Specifies a custom Rulepack or directory. You can use this option multiple
<dir> times to specify multiple Rulepack files. If you specify a directory, includes
all of the files in the directory with the .bin and .xml extensions.
com.fortify.sca.RulesFile
Output Options
The following table describes the output options.
Output Option Description
-f <file> | Specifies the file to which results are written. If you do not specify an
-output-file output file, Fortify Static Code Analyzer writes the output to the terminal.
<file>
com.fortify.sca.ResultsFile
-format <format> Controls the output format. Valid options are fpr, fvdl, fvdl.zip,
text, and auto. The default is auto, which selects the output format
based on the file extension of the file provided with the -f option.
The FVDL is an XML file that contains the detailed Fortify Static Code
Analyzer analysis results. This includes vulnerability details, rule
descriptions, code snippets, command-line options used in the scan, and
any scan errors or warnings.
The FPR is a package of the analysis results that includes the FVDL file as
well as additional information such as a copy of the source code used in
the scan, the external metadata, and custom rules (if applicable). Micro
User Guide
Focus Fortify Audit Workbench is automatically associated with the .fpr

file extension.
Note: If you use result certification, you must specify the fpr format.
See the Micro Focus Fortify Audit Workbench User Guide for
information about result certification.
You can prevent some of the information from being included in the FPR
or FVDL file to improve scan time or output file size. See other options in
this table and see the "fortify-sca.properties" on page 182.
com.fortify.sca.Renderer
-append Appends results to the file specified with the -f option. The resulting FPR
contains the issues from the earlier scan as well as issues from the current
scan. The build information and program data (lists of sources and sinks)
sections are also merged. To use this option, the output file format must
be fpr or fvdl. For information on the -format output option, see the
description in this table.
The engine data, which includes Fortify security content information,
command-line options, system properties, warnings, errors, and other
information about the execution of Fortify Static Code Analyzer (as
opposed to information about the program being analyzed), is not
merged. Because engine data is not merged with the -append option,
Fortify does not certify results generated with -append.
If this option is not specified, Fortify Static Code Analyzer adds any new
findings to the FPR file, and labels the older result as previous findings.
In general, only use the -append option when it is not possible to analyze
an entire application at once.
com.fortify.sca.OutputAppend
-build-label Specifies the label of the project being scanned. Fortify Static Code
<label> Analyzer does not use this label but includes it in the analysis results.
com.fortify.sca.BuildLabel
-build-project Specifies the name of the project being scanned. Fortify Static Code
User Guide
<project> Analyzer does not use the name but includes it in the analysis results.
com.fortify.sca.BuildProject
-build-version Specifies the version of the project being scanned. Fortify Static Code
<version> Analyzer does not use the version but includes it in the analysis results.
com.fortify.sca.BuildVersion
-disable-source- Excludes source files from the FPR file.

bundling
com.fortify.sca.FPRDisableSourceBundling
-fvdl-no- Excludes the Fortify security content descriptions from the analysis results
descriptions file.
com.fortify.sca.FVDLDisableDescriptions
-fvdl-no- Excludes the engine data from the analysis results file. The engine data
enginedata includes Fortify security content information, command-line options,
system properties, warnings, errors, and other information about the
execution of Fortify Static Code Analyzer.
com.fortify.sca.FVDLDisableEngineData
-fvdl-no-progdata Excludes program data from the analysis results file. This removes the
taint source information from the Functions view in Fortify Audit
Workbench.
com.fortify.sca.FVDLDisableProgramData
-fvdl-no-snippets Excludes the code snippets from the analysis results file.
com.fortify.sca.FVDLDisableSnippets
User Guide
Other Options
The following table describes other options.
Other Option Description
@<file> Reads command-line options from the specified file.
Note: By default, this file uses the JVM system encoding. You can
change the encoding by using the
com.fortify.sca.CmdlineOptionsFileEncoding property
specified in the fortify-sca.properties file. For more
information about this property, see "fortify-sca.properties" on
page 182.
-h | Prints a summary of command-line options.

-? |
-help
-debug Includes debug information in the Fortify Support log file, which is only
useful for Micro Focus Fortify Customer Support to help troubleshoot.
com.fortify.sca.Debug
-debug-verbose This is the same as the -debug option, but it includes more details,
specifically for parse errors.
com.fortify.sca.DebugVerbose
-verbose Sends verbose status messages to the console and to the Fortify Support
log file.
com.fortify.sca.Verbose
-logfile <file> Specifies the log file that Fortify Static Code Analyzer creates.
com.fortify.sca.LogFile
-clobber-log Directs Fortify Static Code Analyzer to overwrite the log file for each run
of sourceanalyzer. Without this option, Fortify Static Code Analyzer
User Guide
Other Option Description
appends information to the log file.

com.fortify.sca.ClobberLogFile
-quiet Disables the command-line progress information.

com.fortify.sca.Quiet
-version | Displays the Fortify Static Code Analyzer version number.

-v
-autoheap Enables automatic allocation of memory based on the physical memory

available on the system. This is the default memory allocation setting.
-Xmx<size>M | G Specifies the maximum amount of memory Fortify Static Code Analyzer
uses.
Heap sizes between 32 GB and 48 GB are not advised due to internal JVM
implementations. Heap sizes in this range perform worse than at 32 GB.
Heap sizes smaller than 32 GB are optimized by the JVM. If your scan
requires more than 32 GB, then you probably need 64 GB or more. As a
guideline, assuming no other memory intensive processes are running, do
not allocate more than 2/3 of the available memory.
When you specify this option, make sure that you do not allocate more
memory than is physically available, because this degrades performance.
As a guideline, and the assumption that no other memory intensive
processes are running, do not allocate more than 2/3 of the available
memory.
Note: Specifying this option overrides the default memory allocation

you would get with the -autoheap option.
User Guide
Directives
Use the following directives to list information about previous translation commands. Use only one
directive at a time and do not use any directive in conjunction with normal translation or analysis
commands.
Directive Description
-clean Deletes all Fortify Static Code Analyzer intermediate files and build
records. If a build ID is specified, only files and build records relating to
that build ID are deleted.
-show-binaries Displays all objects that were created but not used in the production of
any other binaries. If fully integrated into the build, it lists all of the
binaries produced.
-show-build-ids Displays a list of all known build IDs.
-show-build-tree When you scan with the -bin option, displays all files used to create the
binary and all files used to create those files in a tree layout. If the -bin
option is not present, the tree is displayed for each binary.
Note: This option can generate an extensive amount of information.
-show-build- Use with -b <build_id> to show any errors and warnings that occurred
warnings in the translation phase on the console.
Note: Fortify Audit Workbench also displays these errors and

warnings in the results certification panel.
-show-files Lists the files in the specified build ID. When the -bin option is present,
displays only the source files that went into the binary.
-show-loc Displays the number of lines in the code being translated.
User Guide
Specifying Files and Directories

File specifiers are expressions that allow you to pass a long list of files or a directory to Fortify Static
Code Analyzer using wildcard characters. Fortify Static Code Analyzer recognizes two types of wildcard
characters: a single asterisk character (*) matches part of a file name, and double asterisk characters (**)
recursively matches directories. You can specify one or more files, one or more file specifiers, or a
combination of files and file specifiers.
<files> | <file_dir_specifiers>
Note: File specifiers do not apply to C, C++, or Objective-C++.
The following table describes examples of file and directory specifiers.
File / Directory Specifier Description
<dir> Matches all files in the named directory and any subdirectories
or the named directory when used for a directory parameter.
<dir>/**/*
<dir>/**/Example.java Matches any file named Example.java found in the named

directory or any subdirectories.
<dir>/*.java Matches any file with the specified extension found in the
named directory.
<dir>/*.jar
<dir>/**/*.kt Matches any file with the specified extension found in the
named directory or any subdirectories.
<dir>/**/*.jar
<dir>/**/beta/** Matches all directories and files found in the named directory
that have beta in the path, including beta as a file name.
<dir>/**/classes/ Matches all directories and files with the name classes found
in the named directory and any subdirectories.
**/test/** Matches all files in the current directory tree that have a test
element in the path, including test as a file name.
**/webgoat/* Matches all files in any webgoat directory in the current

directory tree.
Matches:
l /src/main/java/org/owasp/webgoat
l /test/java/org/owasp/webgoat
User Guide
File / Directory Specifier Description
Does not match (assignments directory does not match)

l /test/java/org/owasp/webgoat/assignments
Note: Windows and many Linux shells automatically expand parameters that contain the asterisk
character (*), so you must enclose file-specifier expressions in quotes. Also, on Windows, you can
use the backslash character (\) as the directory separator instead of the forward slash (/).
Chapter 18: Command-Line Utilities
Fortify Static Code Analyzer Utilities 125
About Updating Security Content 126
Working with FPR Files from the Command Line 128
Generating Reports from the Command Line 135
Checking the Fortify Static Code Analyzer Scan Status 139
Fortify Static Code Analyzer Utilities

Fortify Static Code Analyzer command-line utilities enable you to manage Fortify Security Content and
FPR files, run reports, perform post-installation configuration, and monitor scans. These utilities are
located in <sca_install_dir>/bin. The utilities for Windows are provided as .bat or .cmd files. The
following table describes the utilities.
Note: By default, log files for most of the utilities are written to the following directory:
l On Windows: C:\Users\<username>\AppData\Local\Fortify\<utility_name>-
<version>\log
l On Linux and macOS: <userhome>/.fortify/<utility_name>-<version>\log
More
Utility Description Information
fortifyupdate Compares installed security content to the current version "About

and makes any required updates Updating
Security
Content" on
the next page
FPRUtility With this utility you can: "Working with

FPR Files
l Merge audited projects
from the
l Verify FPR signatures Command
l Display mappings for a migrated project Line" on
l Display any errors associated with an FPR page 128
l Display the number of issues in an FPR
User Guide
More
Utility Description Information
l Display filtered lists of issues in different formats

l Display table of analyzed functions
l Combine or split source code files and audit projects into
FPR files
BIRTReportGenerator Generates BIRT reports and legacy reports from FPR files "Generating
Reports from
ReportGenerator
the Command
Line" on
page 135
scapostinstall After you install Fortify Static Code Analyzer, this utility "Running the
enables you to migrate properties files from a previous Post-Install
version of Fortify Static Code Analyzer, specify a locale, Tool" on
and specify a proxy server for security content updates and page 38
for Fortify Software Security Center.
SCAState Provides state analysis information on the JVM during the "Checking the
scan phase Fortify Static
Code
Analyzer Scan
Status" on
page 139
About Updating Security Content

You can use the fortifyupdate utility to download the latest Fortify Secure Coding Rulepacks and
metadata from the Fortify Customer Portal for your installation.
The fortifyupdate utility gathers information about the existing security content in your Fortify
installation and contacts the update server with this information. The server returns new or updated
security content, and removes any obsolete security content from your Fortify Static Code Analyzer
installation. If your installation is current, a message is displayed to that effect.
User Guide
Updating Security Content

Use the fortifyupdate utility to either download security content or import a local copy of the
security content. This utility is located in the <sca_install_dir>/bin directory.
To update your Fortify Static Code Analyzer installation with the latest Fortify Secure Coding
Rulepacks and external metadata from the Fortify Customer Portal, type the following command:
fortifyupdate [<options>]
fortifyupdate Command-Line Options

The following table lists the fortifyupdate options.
fortifyUpdate Option Description
-import <file>.zip Imports the ZIP file that contains archived security
content. Rulepacks are extracted to the <sca_
install_dir>/Core/config/rules directory.
-coreDir <dir> Specifies a core directory where the update is stored. If

this is not specified, the update is made in the <sca_
install_dir>.
Important! Make sure that you copy the contents

of the <sca_install_dir>/config/keys folder
and paste it to a config/keys folder in this
directory before you run fortifyupdate.
-includeMetadata Specifies to only update external metadata.
-includeRules Specifies to only update Rulepacks.
-locale <locale> Specifies a locale. The default is the value set for the
locale property in the fortify.properties
configuration file.
For more information about the fortify.properties

configuration file, see the Micro Focus Fortify Static
Code Analyzer Tools Properties Reference Guide.
-proxyhost <host> Specifies a proxy server network name or IP address.
User Guide
fortifyUpdate Option Description
-proxyport <port> Specifies a proxy server port number.
-proxyUsername If the proxy server requires authentication, specifies the

<username> user name.
-proxyPassword If the proxy server requires authentication, specifies the

<password> password.
-showInstalledRules Displays the currently installed Rulepacks including any

custom rules or metadata.
-showInstalledExternalMetadata Displays the currently installed external metadata.
-url <url> Specifies a URL from which to download the security

content. The default URL is
https://update.fortify.com or the value set for
the rulepackupdate.server property in the
server.properties configuration file.
For more information about the server.properties

configuration file, see the Micro Focus Fortify Static
Code Analyzer Tools Properties Reference Guide.
-acceptKey Accept the public key. When this is specified, you are not
prompted to provide a public key. Use this option to
accept the public key if you are updating from a non-
standard location (that you specify with the -url
option).
-acceptSSLCertificate Use the SSL certificate provided by the server.
Working with FPR Files from the Command Line

Use the FPRUtility that is located in the bin directory of your Fortify Static Code Analyzer installation to
perform the following tasks:
l "Merging FPR Files" on the next page
l "Displaying Analysis Results Information from an FPR File" on page 130
l "Extracting a Source Archive from an FPR File" on page 134
l "Allocating More Memory for FPRUtility" on page 135
User Guide
Merging FPR Files

The FPRUtility -merge option combines the analysis information from two FPR files into a single FPR
file using the values of the primary project to resolve conflicts.
To merge FPR files:
FPRUtility -merge -project <primary>.fpr -source <secondary>.fpr \

-f <output>.fpr
To merge FPR files and set instance ID migrator options:
FPRUtility -merge -project <primary>.fpr -source <secondary>.fpr \

-f <output>.fpr -iidmigratorOptions "<iidmigrator_options>"
FPRUtility Data Merge Options

The following table lists the FPRUtility options that apply to merging data.
FPRUtility Option Description
-merge Merges the specified project and source FPR files.
-project <primary>.fpr Specifies the primary FPR file to merge. Conflicts are resolved using
the values in this file.
-source <secondary>.fpr Specifies the secondary FPR file to merge. The primary project
overrides values if conflicts exist.
-f <output>.fpr Specifies the name of the merged output file. This file is the result
of the merged files.
Note: When you specify this option, neither of the original FPR
files are modified. If you do not use this option, the primary
FPR is overwritten with the merged results.
-forceMigration Forces the migration, even if the engine and the Rulepack versions
of the two projects are the same.
-useMigrationFile Specifies an instance ID mapping file. This enables you to modify

<mapping_file> mappings manually rather than using the migration results. Supply
your own instance ID mapping file.
-useSourceIssueTemplate Specifies to use the filter sets and folders from the issue template in
User Guide
the secondary FPR. By default, Fortify Static Code Analyzer uses

the filter sets and folders from the issue template in the primary
FPR.
-iidmigratorOptions Specifies instance ID migrator options. Separate included options

<iidmigrator_options> with spaces and enclosed them in quotes. Some valid options are:
l -i provides a case-sensitive file name comparison of the merged

files
l -u <scheme_file> tells iidmigrator to read the matching
scheme from <scheme_file> for instance ID migration
Note: Wrap -iidmigrator options in single quotes ('-u
<scheme_file>') when working from a Cygwin command
prompt.
Windows example:
FPRUtility -merge -project <primary>.fpr

-source <secondary>.fpr -f <output>.fpr
-iidmigratorOptions "-u scheme_file"
-debug Displays debug information that can be helpful to troubleshoot

issues with FPRUtility.
FPRUtility Data Merge Exit Codes

Upon completion of the -merge command, FPRUtility provides one of the exit codes described in the
following table.
Exit Code Description
0 The merge completed successfully.
5 The merge failed.
Displaying Analysis Results Information from an FPR File

The FPRUtility -information option displays information about the analysis results. You can obtain
information to:
l Validate signatures
l Examine any errors associated with the FPR
User Guide
l Obtain the number of issues for each analyzer, vulnerability category, or custom grouping
l Obtain lists of issues (including some basic information). You can filter these lists.
To display project signature information:
FPRUtility -information -signature -project <project>.fpr -f <output>.txt
To display a full analysis error report for the FPR:
FPRUtility -information -errors -project <project.fpr> -f <output>.txt
To display the number of issues per vulnerability category or analyzer:
FPRUtility -information -categoryIssueCounts -project <project>.fpr

FPRUtility -information -analyzerIssueCounts -project <project>.fpr
To display the number of issues for a custom grouping based on a search:
FPRUtility -information -search -query "search expression" \

[-categoryIssueCounts] [-analyzerIssueCounts] \
[-includeSuppressed] [-includeRemoved] \
-project <project>.fpr -f <output>.txt
Note: By default, the result does not include suppressed and removed issues. To include
suppressed or removed issues, use the -includeSuppressed or -includeRemoved options.
To display information for issues in CSV format:
FPRUtility -information -listIssues \

-search [-queryAll | -query "search expression"] \
[-categoryIssueCounts] [-analyzerIssueCouts] \
[-includeSuppressed] [-includeRemoved] \
-project <project>.fpr -f <output>.csv -outputFormat CSV
FPRUtility Information Options

The following table lists the FPRUtility options that apply to project information.
-information Displays information for the project.
One of: The -signature option displays the signature.

-signature
-mappings
-errors
User Guide
-versions
-functionsMeta The -mappings option displays the migration
-categoryIssueCounts mappings report.
-analyzerIssueCounts
-search -query <search_expression> The -errors option displays a full error report for the
-search -queryAll FPR.
The -versions option displays the engine version

and the Rulepack version used in the static scan.
The -functionsMeta option displays all functions

that the static analyzer encountered in CSV format. To
filter which functions are displayed, include -
excludeCoveredByRules, and -
excludeFunctionsWithoutSource.
The -categoryIssueCounts option displays the

number of issues for each vulnerability category.
The -analyzerIssueCounts option displays the

number of issues for each analyzer.
The -search -query option displays the number of

issues in the result of your specified search expression.
To display the number of issues per vulnerability
category or analyzer, add the optional -
categoryIssueCounts and -
analyzerIssueCounts options to the search option.
Use the -includeSuppressed and -
includeRemoved options to include suppressed or
removed issues.
The -search -queryAll searches all the issues in

the FPR, including suppressed and removed issues.
-project <project>.fpr Specifies the FPR from which to extract the results
information.
-f <output> Specifies the output file. The default is System.out.
-outputformat <format> Specifies the output format. The valid values are TEXT
and CSV. The default value is TEXT.
User Guide
-listIssues Displays the location for each issue in one of the

following formats:
<sink_filename>:<line_num> or
<sink_filename>:<line_num> (<category>
| <analyzer>)
You can also use the -listIssues option with -

search and with both issueCounts grouping options.
If you group by -categoryIssueCounts, then the
output includes (<analyzer>) and if you group by -
analyzerIssueCounts, then the output includes
(<category>).
If you specify the -outputFormat CSV, then each

issue is displayed as a line in the format:
"<instanceid>", "<category>",
"<sink_filename>:<line_num>",
"<analyzer>"
-debug Displays debug information that can be helpful to

troubleshoot issues with FPRUtility.
FPRUtility Signature Exit Codes

Upon completion of the -information -signature command, FPRUtility provides one of the exit
codes described in the following table.
Exit Code Description
0 The project is signed, and all the signatures are valid.
1 The project is signed, and some, but not all, of the signatures passed the validity test.
2 The project is signed but none of the signatures are valid.
3 The project had no signatures to validate.
User Guide
Extracting a Source Archive from an FPR File

The FPRUtility -sourceArchive option creates a source archive (FSA) file from a specified FPR file
and removes the source code from the FPR file. You can extract the source code from an FPR file,
merge an existing source archive (FSA) back into an FPR file, or recover source files from a source
archive.
To archive data:
FPRUtility -sourceArchive -extract -project <project>.fpr -f

<outputArchive>.fsa
To archive data to a folder:
FPRUtility -sourceArchive -extract -project <project>.fpr \

-recoverSourceDirectory -f <output_folder>
To add an archive to an FPR file:
FPRUtility -sourceArchive -mergeArchive -project <project>.fpr \

-source <old_source_archive>.fsa -f <project_with_archive>.fpr
To recover files that are missing from an FPR file:
FPRUtility -sourceArchive -fixSecondaryFileSources \

-payload <source_archive>.zip -project <project>.fpr -f <output>.fpr
FPRUtility Source Archive Options

The following table lists the FPRUtility options that apply to working with the source archive.
-sourceArchive Creates an FSA file so that you can extract a source

archive.
One of: Use the -extract option to extract the contents of

the FPR file.
-extract
-mergeArchive Use the -mergeArchive option to merge the contents
-fixSecondaryFileSources
of the FPR file with an existing archived file (-source
option).
User Guide
Use the -fixSecondaryFileSources option to

recover source files from a source archive (-payload
option) missing from an FPR file.
-project <project>.fpr Specifies the FPR to archive.
-recoverSourceDirectory Use with the -extract option to extract the source as

a folder with restored source files.
-source <old_source_archive>.fsa Specifies the name of the existing archive. Use only if
you are merging an FPR file with an existing archive (-
mergeArchive option).
-payload <source_archive>.zip Use with the -fixSecondaryFileSources option to

specify the source archive from which to recover source
files.
-f <project_with_archive>.fpr | Specifies the output file. You can generate an FPR, a

<output_archive>.fsa | folder, or an FSA file.
<output_folder>

troubleshoot issues with FPRUtility.
Allocating More Memory for FPRUtility

Performing tasks with large and complex FPR files could trigger out-of-memory errors. By default,
1000 MB is allocated for FPRUtility. To increase the memory, add the -Xmx option to the command line.
For example, to allocate 2 GB for FPRUtility, use the following command:
FPRUtility -Xmx2G -merge -project <primary>.fpr -source <secondary>.fpr \

-f <output>.fpr
Generating Reports from the Command Line

There are two command-line utilities to generate reports:
l BIRTReportGenerator—Produces reports that are based on the Business Intelligence and Reporting
Technology (BIRT) system from FPR files.
Note: If you are using a text-based Linux system running OpenJDK, you must install DejaVu
Sans and DejaVu Serif fonts to successfully generate BIRT reports.
User Guide
l ReportGenerator—Generates legacy reports from FPR files. You can specify a report template,
otherwise a default report template is used. See the Micro Focus Fortify Audit Workbench User
Guide for a description of the available report templates.
Generating a BIRT Report

The basic command-line syntax to generate a BIRT report is:
BIRTReportGenerator -template <template_name>

-source <audited_proj>.fpr -format <format>
-output <report_file>
The following is an example of how to generate an OWASP Top 10 2017 report with additional options:
BIRTReportGenerator -template "owasp top 10" -source auditedProj.fpr

-format pdf-showSuppressed --Version "owasp top 10 2017"
--UseFortifyPriorityOrder -output MyOWASP_Top10_Rpt.pdf
BIRTReportGenerator Command-Line Options

The following table lists the BIRTReportGenerator options.
BIRTReportGenerator Option Description
-template <template_name> (Required) Specifies the report template name. The valid
values for <template_name> are "CWE Top 25 2019",
"CWE/SANS Top 25", "Developer Workbook", "DISA
CCI 2", "DISA STIG", "FISMA Compliance", GDPR,
MISRA, "OWASP ASVS 4.0", "OWASP Mobile Top 10",
"OWASP Top 10", "PCI DSS Compliance" and
"PCI SSF Compliance".
Note: You only need to enclose the report template

name in quotes if a space exists in the <template
name>. The template name values are not case-
sensitive.
-source <audited_proj>.fpr (Required) Specifies the audited project on which to base

the report.
-format pdf | doc | html | xls (Required) Specifies the generated report format.
Note: The format values are not case-sensitive.
User Guide
-output <report_file.***> (Required) Specifies the file to which the report is written.
-searchQuery <query> Specifies a search query to filter issues before generating

the report. For example:
-searchQuery audited:false
For a description of the search query syntax, see the Micro

Focus Fortify Audit Workbench User Guide.
-showSuppressed Include issues that are marked as suppressed.
-showRemoved Include issues that are marked as removed.
-showHidden Include issues that are marked as hidden.
-filterSet <filterset_name> Specifies a filter set to use to generate the report (for
example, -filterSet "Quick View").
--Version <version> Specifies the version for the template. The valid values for
the template versions are listed below.
Note: Templates that are not listed here have only

one version available.
If you do not specify a version when multiple
versions are available, the most recent version
based on the external metadata used when the
FPR was created is used by default. The template
version values are not case-sensitive.
l For the "CWE/SANS Top 25" template, the version is

"<year> CWE/SANS Top 25" (for example, "2011
CWE/SANS Top 25")
l For the "DISA STIG" template, the version
is "DISA STIG <version>" (for example,
"DISA STIG 4.10")
l For the MISRA template, the available versions are
"MISRA C 2012" or "MISRA C++ 2008"
User Guide
l For the "OWASP Top 10" template, the version is

"OWASP Top 10 <year>" (for example, "OWASP Top
10 2017")
l For the "PCI DSS Compliance" template, the version
is "<version> Compliance" (for example, "3.2
Compliance")
--IncludeDescOfKeyTerminology Include the Description of Key Terminology section in the

report.
--IncludeAboutFortify Include the About Fortify Solutions section in the report.
--SecurityIssueDetails Provide detailed descriptions of reported issues. This

option is not available for the Developer Workbook
template.
--UseFortifyPriorityOrder Use Fortify Priority Order instead of folder names to

categorize issues. This option is not available for the
Developer Workbook and PCI Compliance templates.
-h | -help Displays detailed information about the options.

troubleshoot issues with BIRTReportGenerator.
Generating a Legacy Report

To generate a PDF report, type the following command:
ReportGenerator -format pdf -f <myreport>.pdf -source <myresults>.fpr
To generate an XML report, type the following command:
ReportGenerator -format xml -f <myreport>.xml -source <myresults>.fpr
ReportGenerator Command-Line Options

The following table lists the ReportGenerator options.
ReportGenerator Option Description
-format pdf | xml (Required) Specifies the generated report format.
User Guide
ReportGenerator Option Description
-source <audited_proj>.fpr (Required) Specifies the audited project on which to base the
report.
-f <report_file.***> (Required) Specifies the file to which the report is written.
-template <template_name> Specifies the report template. If not specified, ReportGenerator

uses the default template. The default template is located in
<sca_install_dir>
/Core/config/reports/DefaultReportDefinition.xm
l.
Note: Enclose the <template_name> in quotes if it contains

any spaces.
-user <username> Specifies a user name to add to the report.
-showSuppressed Include issues marked as suppressed.
-showRemoved Include issues marked as removed.
-showHidden Include issues marked as hidden.
-filterSet <filterset_ Specifies a filter set to use to generate the report (for example,
name> -filterset "Quick View").
-verbose Displays status messages to the console.
-debug Displays debug information that can be helpful to troubleshoot

issues with ReportGenerator.
-h Displays detailed information about the options.
Checking the Fortify Static Code Analyzer Scan

Status
Use the SCAState utility to see up-to-date state analysis information during the scan phase.
To check Fortify Static Code Analyzer state:
1. Run a Fortify Static Code Analyzer scan.
2. Open another command window.
User Guide
3. Type the following at the command prompt:
SCAState [<options>]
SCAState Utility Command-Line Options

The following table lists the SCAState utility options.
SCAState Option Description
-a | Displays all available information.

--all
-debug Displays information that is useful to debug SCAState behavior.
-ftd | Prints a thread dump for every thread.

--full-thread-dump
-h | --help Displays the help information for the SCAState utility.
-hd <filename> | Specifies the file to which the heap dump is written. The file is
--heap-dump <filename> interpreted relative to the remote scan’s working directory; this is not
necessarily the same directory where you are running SCAState.
-liveprogress Displays the ongoing status of a running scan. This is the default. If
possible, this information is displayed in a separate terminal window.
-nogui Causes the Fortify Static Code Analyzer state information to display
in the current terminal window instead of in a separate window.
-pi | Displays information about the source code being scanned, including
--program-info how many source files and functions it contains.
-pid <process_id> Specifies the currently running Fortify Static Code Analyzer process
ID. Use this option if there are multiple Fortify Static Code Analyzer
processes running simultaneously.
To obtain the process ID on Windows systems:
1. Open a command window.
2. Type tasklist at the command prompt.
A list of processes is displayed.
3. Find the java.exe process in the list and note its PID.
To find the process ID on Linux systems:
User Guide
SCAState Option Description
l Type ps aux | grep sourceanalyzer at the command

prompt.
-progress Displays scan information up to the point at which the command is

issued. This includes the elapsed time, the current phase of the
analysis, and the number of results already obtained.
-properties Displays configuration settings (this does not include sensitive

information such as passwords).
-scaversion Displays the Fortify Static Code Analyzer version number for the
sourceanalyzer that is currently running.
-td | Prints a thread dump for the main scanning thread.

--thread-dump
-timers Displays information from the timers and counters that are
instrumented in Fortify Static Code Analyzer.
-version Displays the SCAState version.
-vminfo Displays the following statistics that JVM standard MXBeans

provides: ClassLoadingMXBean, CompilationMXBean,
GarbageCollectorMXBeans, MemoryMXBean,
OperatingSystemMXBean, RuntimeMXBean, and ThreadMXBean.
<none> Displays scan progress information (this is the same as -progress).
Note: Fortify Static Code Analyzer writes Java process information to the location of the TMP
system environment variable. On Windows systems, the TMP system environment variable location
is C:\Users\<userID>\AppData\Local\Temp. If you change this TMP system environment
variable to point to a different location, SCAState cannot locate the sourceanalyzer Java
process and does not return the expected results. To resolve this issue, change the TMP system
environment variable to match the new TMP location. Fortify recommends that you run SCAState
as an administrator on Windows.
Chapter 19: Improving Performance
This chapter provides guidelines and tips to optimize memory usage and performance when analyzing
different types of codebases with Fortify Static Code Analyzer.
Hardware Considerations 142
Sample Scans 143
Tuning Options 144
Quick Scan 145
Configuring Scan Speed with Speed Dial 146
Breaking Down Codebases 147
Limiting Analyzers and Languages 148
Optimizing FPR Files 149
Monitoring Long Running Scans 153
Hardware Considerations
The variety of source code makes accurate predictions of memory usage and scan times impossible. The
factors that affect memory usage and performance consists of many different factors including:
l Code type
l Codebase size and complexity
l Ancillary languages used (such as JSP, JavaScript, and HTML)
l Number of vulnerabilities
l Type of vulnerabilities (analyzer used)
Fortify developed the following set of "best guess" hardware recommendations based on real-world
application scan results. The following table lists these recommendations based on the complexity of the
application. In general, increasing the number of available cores might improve scan times.
Application RAM
Complexity CPU Cores (GB) Description
Simple 4 16 A standalone system that runs on a server or desktop such as

a batch job or a command-line utility.
User Guide
Application RAM
Complexity CPU Cores (GB) Description
Medium 8 32 A standalone system that works with complex computer

models such as a tax calculation system or a scheduling
system.
Complex 16 128 A three-tiered business system with transactional data

processing such as a financial system or a commercial website.
Very Complex 32 256 A system that delivers content such as an application server,
database server, or content management system.
Note: TypeScript and JavaScript scans increase the analysis time significantly. If the total lines of
code in an application consist of more than 20% TypeScript or JavaScript, use the next highest
recommendation.
The Micro Focus Fortify Software System Requirements document describes the system requirements.
However, for large and complex applications, Fortify Static Code Analyzer requires more capable
hardware. This includes:
l Disk I/O—Fortify Static Code Analyzer is I/O intensive and therefore the faster the hard drive, the
more savings on the I/O transactions. Fortify recommends a 7,200 RPM drive, although a 10,000
RPM drive (such as the WD Raptor) or an SSD drive is better.
l Memory—See "Memory Tuning" on page 157 for more information about how to determine the
amount of memory required for optimal performance.
l CPU—Fortify recommends a 2.1 GHz or faster processor.
Sample Scans
These sample scans were performed using Fortify Static Code Analyzer version 20.2.0 on dedicated
virtual machines. These scans were run using Micro Focus Fortify Software Security Content 2020
Update 3. The following table shows the scan times you can expect for several common open-source
projects.
Translation Analysis (Scan) Total

Project Name Language Time (mm:ss) Time (mm:ss) Issues LOC System Configuration
nasm 0.98.38 C/C++ 00:27 06:01 1,254 12,074 Linux VM with 4 CPUs and
32 GB of RAM
User Guide
Translation Analysis (Scan) Total

Project Name Language Time (mm:ss) Time (mm:ss) Issues LOC System Configuration
WebGoat 7.0.1 Java 00:16 00:51 421 3,628 Linux VM with 8 CPUs and
32 GB of RAM
WordPress Java 00:17 01:29 665 10,055
CakePHP PHP 00:25 01:56 2,354 54,564
phpBB 3 PHP 00:29 02:11 1,273 39,581
SharpZipLib .NET 01:01 02:28 1,439 12,200 Windows VM with 8 CPUs

and 32 GB of RAM
Hackademic-next JavaScript 01:29 04:07 453 43,838 Linux VM with 8 CPUs and
32 GB of RAM
prisma TypeScript 00:57 02:39 52 22,911
numpy-1.13.3 Python 3 01:51 08:32 247 92,816
MediaBrowser Swift 01:24 01:37 23 6,768 macOS VM with 2 CPUs

and 8 GB of RAM
Tuning Options
Fortify Static Code Analyzer can take a long time to process complex projects. The time is spent in
different phases:
l Translation
l Analysis
Fortify Static Code Analyzer can produce large analysis result files (FPRs), which can cause a long time
to audit and upload to Micro Focus Fortify Software Security Center. This is referred to as the following
phase:
l Audit/Upload
The following table lists tips on how to improve performance in the different time-consuming phases.
Phase Option Description More Information
Translation -export-build- Translate and scan on "Mobile Build Sessions" on

session different machines page 43
-import-build-
session
Analysis -quick Run a quick scan "Quick Scan" on the next page
Analysis -scan- Set the scan precision "Configuring Scan Speed with
precision Speed Dial" on page 146
Analysis -bin Scan the files related to a "Breaking Down Codebases" on
User Guide
Phase Option Description More Information
binary page 147
Analysis -Xmx<size>M | G Set maximum heap size "Memory Tuning" on page 157
Analysis -Xss<size>M | G Set stack size for each "Memory Tuning" on page 157
thread
Analysis -filter <file> Apply a filter using a "Filter Files" on page 149
filter file
Audit/Upload
Analysis -disable- Exclude source files from "Excluding Source Code from the
source- the FPR file FPR" on page 150
Audit/Upload bundling
Quick Scan
Quick scan mode provides a way to quickly scan your projects for critical- and high-priority issues.
Fortify Static Code Analyzer performs the scan faster by reducing the depth of the and applying the
Quick View filter set. Quick scan settings are configurable. For more details about the configuration of
quick scan mode, see "fortify-sca-quickscan.properties" on page 211.
Quick scans are a great way to get many applications through an assessment so that you can quickly
find issues and begin remediation. The performance improvement you get depends on the complexity
and size of the application. Although the scan is faster than a full scan, it does not provide as robust a
result set. Fortify recommends that you run full scans whenever possible.
Limiters
The depth of the Fortify Static Code Analyzer analysis sometimes depends on the available resources.
Fortify Static Code Analyzer uses a complexity metric to trade off these resources with the number of
vulnerabilities that it can find. Sometimes, this means giving up on a particular function when it does not
look like Fortify Static Code Analyzer has enough resources available.
Fortify Static Code Analyzer enables the user to control the “cutoff” point by using Fortify Static Code
Analyzer limiter properties. The different analyzers have different limiters. You can run a predefined set
of these limiters using a quick scan. See the "fortify-sca-quickscan.properties" on page 211 for
descriptions of the limiters.
To enable quick scan mode, use the -quick option with -scan option. With quick scan mode enabled,
Fortify Static Code Analyzer applies the properties from the <sca_install_
dir>/Core/config/fortify-sca-quickscan.properties file, in addition to the standard
<sca_install_dir>/Core/config/fortify-sca.properties file. You can adjust the limiters
that Fortify Static Code Analyzer uses by editing the fortify-sca-quickscan.properties file. If
you modify fortify-sca.properties, it also affects quick scan behavior. Fortify recommends that
User Guide
you do performance tuning in quick scan mode, and leave the full scan in the default settings to
produce a highly accurate scan. For description of the quick scan mode properties, see "Fortify Static
Code Analyzer Properties Files" on page 180.
Using Quick Scan and Full Scan

l Run full scans periodically—A periodic full scan is important as it might find issues that quick scan
mode does not detect. Run a full scan at least once per software iteration. If possible, run a full scan
periodically when it will not interrupt the development workflow, such as on a weekend.
l Compare quick scan with a full scan—To evaluate the accuracy impact of a quick scan, perform a
quick scan and a full scan on the same codebase. Open the quick scan results in Micro Focus Fortify
Audit Workbench and merge it into the full scan. Group the issues by New Issue to produce a list of
issues detected in the full scan but not in the quick scan.
l Quick scans and Micro Focus Fortify Software Security Center server—To avoid overwriting
the results of a full scan, by default Fortify Software Security Center ignores uploaded FPR files
scanned in quick scan mode. However, you can configure a Fortify Software Security Center
application version so that FPR files scanned in quick scan are processed. For more information, see
analysis results processing rules in the Micro Focus Fortify Software Security Center User Guide.
Configuring Scan Speed with Speed Dial

The speed dial feature is available in this release as a technology preview. You can configure the speed
and depth of the scan by specifying a precision level for the scan phase. You can use these precision
levels adjust the scan time to fit for example, into a pipeline and quickly find a set of vulnerabilities while
the developer is still working on the code. Although scans with the speed dial settings are faster than a
full scan, it does not provide as robust a result set. Fortify recommends that you run full scans whenever
possible.
The precision level controls the depth and precision of the scan by associating configuration properties
with each level. The configuration properties files for each level are located in the <sca_install_
dir>/Core/config/scales directory. There is one file for each level: (level-<precision_
level>.properties). You can modify the settings in these files to create your own specific precision
levels.
Important! As this feature is a technology preview, be aware that if you modify the configuration
files they might be overwritten with an upgrade of Fortify Static Code Analyzer.
Notes:
l By default, Micro Focus Fortify Software Security Center blocks uploaded scans performed with
a precision level. However, you can configure your Fortify Software Security Center application
version so that uploaded audit projects scanned with these precision levels are processed.
l If you merge a speed dial scan with a full scan, this might remove issues from previous scans that
still exist in your application (and would be detected again with a full scan).
User Guide
To specify the speed dial setting for a scan, include the -scan-precision (or -p) option in the scan
phase as shown in the following example:
sourceanalyzer -b <build_id> -scan -scan-precision <level> -f

myresults.fpr
Note: You cannot use the speed dial setting and the -quick option in the same scan command.
The following table describes the two precision levels.
Precision
Level Description
1 This is the quickest scan and is recommended if you are scanning a few files. By default, a
scan with this precision level disables the Buffer Analyzer, Control Flow Analyzer,
Dataflow Analyzer, and Null Pointer Analyzer.
2 By default, a scan with this precision level enables all analyzers. The scan runs quicker by
performing with reduced limiters. This results in fewer issues detected.
You can also specify the scan precision level with the com.fortify.sca.PrecisionLevel property
in the fortify-sca.properties file. For example:
com.fortify.sca.PrecisionLevel=1
Breaking Down Codebases

It is more efficient to break down large projects into independent modules. For example, if you have a
portal application that consists of several modules that are independent of each other or have very little
interactions, you can translate and scan the modules separately. The caveat to this is that you might
lose dataflow issue detection if some interactions exist.
For C/C++, you might reduce the scan time by using the –bin option with the –scan option. You need
to pass the binary file as the parameter (such as -bin <filename>.exe -scan or -bin
<filename>.dll -scan). Fortify Static Code Analyzer finds the related files associated with the
binary and scans them. This is useful if you have several binaries in a makefile.
User Guide
The following table lists some useful Fortify Static Code Analyzer command-line options to break down
codebases.
Option Description
-bin <binary> Specifies a subset of source files to scan. Only the source files that were
linked in the named binary at build time are included in the scan. You can
use this option multiple times to specify the inclusion of multiple binaries
in the scan.
-show-binaries Displays all objects that were created but not used in the production of
any other binaries. If fully integrated into the build, it lists all of the
binaries produced.
-show-build-tree When used with the -bin option, displays all files used to create the
binary and all files used to create those files in a tree layout. If the -bin
option is not present, Fortify Static Code Analyzer displays the tree for
each binary.
Limiting Analyzers and Languages

Occasionally, you might find that a significant amount of the scan time is spent either running one
particular analyzer or analyzing a particular language. It is possible that this particular analyzer or
language is not important to your security requirements. You can limit the specific analyzers that run
and the specific languages that Fortify Static Code Analyzer translates.
Disabling Analyzers
To disable specific analyzers, include the -analyzers option to Fortify Static Code Analyzer at scan
time with a colon- or comma-separated list of analyzers you want to enable. The full list of analyzers is:
buffer, content, configuration, controlflow, dataflow, findbugs, nullptr, semantic, and
structural.
For example, to run a scan that only includes the Dataflow, Control Flow, and Buffer analyzers, use the
following scan command:
sourceanalyzer -b <build_id> -analyzers dataflow:controlflow:buffer -scan

-f myresults.fpr
You can also do the same thing by setting com.fortify.sca.DefaultAnalyzers in the Fortify
Static Code Analyzer property file <sca_install_dir>/Core/config/fortify-
sca.properties. For example, to achieve the equivalent of the previous scan command, set the
following in the properties file:
com.fortify.sca.DefaultAnalyzers=dataflow:controlflow:buffer
User Guide
Disabling Languages
To disable specific languages, include the -disable-language option in the translation phase, which
specifies a list of languages that you want to exclude. The full list of valid language parameters is:
abap, actionscript, apex, cfml, cpp, cobol, configuration, dotnet, java,

javascript, jsp, objc, php, plsql, python, ruby, scala, sql, swift, tsql,
typescript, vb
For example, to perform a translation that excludes SQL and PHP files, use the following command:
sourceanalyzer -b <build_id> <src_files> -disable-language sql:php
You can also disable languages by setting the com.fortify.sca.DISabledLanguages property in

the Fortify Static Code Analyzer properties file <sca_install_dir>/Core/config/fortify-
sca.properties. For example, to achieve the equivalent of the previous translation command, set the
following in the properties file:
com.fortify.sca.DISabledLanguages=sql:php
Optimizing FPR Files

This chapter describes how to handle performance issues related to the audit results (FPR) file. This
includes reducing the scan time, reducing FPR file size, and tips for opening large FPR files.
Filter Files
Filter files are flat files that you can specify with a scan using the -filter option. Use a filter file to filter
out particular vulnerability instances, rules, and vulnerability categories. If you determine that a certain
issue category or rule is not relevant for a particular scan, you can stop Fortify Static Code Analyzer
from flagging these types of issues and adding them to the FPR. Using a filter file can reduce both the
scan time and results file size.
For example, if you are scanning a simple program that just reads a specified file, you might not want to
see path manipulation issues, because these are likely planned as part of the functionality. To filter out
path manipulation issues, create a file that contains a single line:
Path Manipulation
Save this file as filter.txt. Use the -filter option for the scan as shown in the following example:
sourceanalyzer -b <build_id> -scan -f myresults.fpr -filter filter.txt
The myresults.fpr does not include any issues with the category Path Manipulation.
For more information about filter files, see "Filtering the Analysis" on page 165.
User Guide
Excluding Issues from the FPR with Filter Sets

Filters in an issue template determine how the results from Fortify Static Code Analyzer are shown. For
example, you can have a filter to put any detected SQL Injection issues into a separate folder called SQL
Injections, or you might have a filter that hides issues with a confidence below a certain threshold. In
addition to filters, filter sets enable you to have a selection of filters used at any one time. Each FPR has
an issue template associated with it. You can use filter sets to reduce the number of issues based on
conditions you specify with filters in an issue template. This can dramatically reduce the size of an FPR.
To do this, use Micro Focus Fortify Audit Workbench to create a filter and a filter set and then run the
Fortify Static Code Analyzer scan with the filter set. For more detailed instructions about how to create
filters and filter sets in Fortify Audit Workbench, see the Micro Focus Fortify Audit Workbench User
Guide. The following example describes the basic steps for how to create and use a scan-time filter:
1. In this example, suppose you use OWASP Top 10 2017 and you only want to see issues
categorized within this standard. Create a filter in Fortify Audit Workbench such as:
If [OWASP Top 10 2017] does not contain A Then hide issue
This filter looks through the issues and if an issue does not map to an OWASP Top 10 2017
category with ‘A’ in the name, then it hides it. Because all OWASP Top 10 2017 categories start
with ‘A’ (A1, A2, …, A10), then any category without the letter ‘A’ is not in the OWASP Top 10
2017. The filter hides the issues from view in Fortify Audit Workbench, but they are still in the FPR.
2. In Fortify Audit Workbench, create a new filter set called OWASP_Filter_Set that contains the
previous filter, and then export the issue template to a file called IssueTemplate.xml.
3. You can then specify this filter at scan-time with the following command:
sourceanalyzer -b <build_id> -scan -f myFilteredResults.fpr

-project-template IssueTemplate.xml -Dcom.fortify.sca.FilterSet=OWASP_
Filter_set
In the previous example, the inclusion of the -Dcom.fortify.sca.FilterSet property tells Fortify
Static Code Analyzer to use the OWASP_Filter_Set filter set from the issue template
IssueTemplate.xml. Any filters that hide issues from view are removed and are not written to the
FPR. Therefore, you can reduce the visible number of issues, make the scan very targeted, and reduce
the size of the resulting FPR file.
Note: Although filtering issues with a filter set can reduce the size of the FPR, they do not usually
reduce the scan time. Fortify Static Code Analyzer examines the filter set after it calculates the
issues to determine whether to write them to the FPR file. The filters in a filter set determine the
rule types that Fortify Static Code Analyzer loads.
Excluding Source Code from the FPR

You can reduce the scan time and the size of the FPR file by excluding the source code information
from the FPR. This is especially valuable for large source files or codebases. You do not generally get a
User Guide
scan time reduction for small source files.

There are two ways to prevent Fortify Static Code Analyzer from including source code in the FPR. You
can set the property in the <sca_install_dir>/Core/config/fortify-sca.properties file or
specify an option on the command line. The following table describes these settings.
Property Name Description
com.fortify.sca. This excludes source code from the FPR.

FPRDisableSourceBundling=true
Command-Line Option:
-disable-source-bundling
com.fortify.sca. This excludes code snippets from the FPR.

FVDLDisableSnippets=true
–fvdl-no-snippets
The following command-line example uses both options:
sourceanalyzer -b <build_id> -disable-source-bundling

-fvdl-no-snippets -scan -f mySourcelessResults.fpr
Reducing the FPR File Size

There are a few ways to reduce the size of FPR files. The quickest way to do this without affecting
results is to exclude the source code from the FPR as described in "Excluding Source Code from the
FPR" on the previous page.
There are a few other options and properties that you can use to select what is excluded from the FPR.
You can set these properties in the Fortify Static Code Analyzer properties file: <sca_install_
dir>/Core/config/fortify-sca.properties or specify them during the scan phase with -
D<property_name>=true. Most of these options have an equivalent command-line option.
com.fortify.sca. This excludes the metatable from the FPR. Micro

FPRDisableMetatable Focus Fortify Audit Workbench uses the metatable to
=true map information in Functions view.
-disable-metatable
com.fortify.sca. This excludes rule descriptions from the FPR. If you

FVDLDisableDescriptions do not use custom descriptions, the descriptions in
=true the Fortify Taxonomy (https://vulncat.fortify.com)
are used.
User Guide
-fvdl-no-descriptions
com.fortify.sca. This excludes engine data from the FPR. This is

FVDLDisableEngineData useful if your FPR contains a large number of
=true warnings when you open the file in Fortify Audit
Command-Line Option: Workbench.
-fvdl-no-enginedata
Note: If you exclude engine data from the FPR,
you must merge the FPR with the current audit
project locally before you upload it to Micro
Focus Fortify Software Security Center. Fortify
Software Security Center cannot merge it on the
server because the FPR does not contain the
Fortify Static Code Analyzer version.
com.fortify.sca. This excludes the program data from the FPR. This
FVDLDisableProgramData removes the Taint Sources information from the
=true Functions view in Fortify Audit Workbench. This
Command-Line Option: property typically only has a minimal effect on the
-fvdl-no-progdata overall size of the FPR file.
Opening Large FPR Files

To reduce the time required to open a large FPR file, there are some properties that you can set in the
<sca_install_dir>/Core/config/fortify.properties configuration file. For more
information about these properties, see the Micro Focus Fortify Static Code Analyzer Tools Properties
Reference Guide. The following table describes these properties.
com.fortify. This setting disables use of the code navigation

model.DisableProgramInfo=true features in Micro Focus Fortify Audit
Workbench.
com.fortify. The IssueCutOffStartIndex property is

model.IssueCutOffStartIndex inclusive and IssueCutOffEndIndex is
=<num> (inclusive) exclusive so that you can specify a subset of
com.fortify. issues you want to see. For example, to see the
model.IssueCutOffEndIndex first 100 issues, specify the following:
=<num> (exclusive)
User Guide
com.fortify.model.
IssueCutOffStartIndex=0
com.fortify.model.
IssueCutOffEndIndex=101
Because the IssueCutOffStartIndex is 0 by

default, you do not need to specify this
property.
com.fortify. These two properties are similar to the previous

model.IssueCutOffByCategoryStartIndex= cutoff properties except these are specified for
<num> (inclusive) each category. For example, to see the first five
com.fortify. issues for every category, specify the following:
model.IssueCutOffByCategoryEndIndex=
<num> (exclusive) com.fortify.model.
IssueCutOffByCategoryEndIndex=6
com.fortify. This minimizes the data loaded in the FPR. This

model.MinimalLoad=true also restricts usage of the Functions view and
might prevent Fortify Audit Workbench from
loading the source from the FPR.
com.fortify. This property specifies the number of Fortify

model.MaxEngineErrorCount= Static Code Analyzer reported warnings that
<num> are loaded with the FPR. For projects with a
large number of scan warnings, this can reduce
both load time in Fortify Audit Workbench and
the amount of memory required to open the
FPR.
com.fortify. Specifies the JVM heap memory size for Audit

model.ExecMemorySetting Workbench to launch external utilities such as
iidmigrator and fortifyupdate.
Monitoring Long Running Scans

When you run Fortify Static Code Analyzer, large and complex scans can often take a long time to
complete. During the scan it is not always clear what is happening. While Fortify recommends that you
provide your debug logs to the Micro Focus Fortify Customer Support team, there are a couple of ways
to see what Fortify Static Code Analyzer is doing and how it is performing in real-time.
User Guide
Using the SCAState Utility

The SCAState command-line utility enables you to see up-to-date state analysis information during the
analysis phase. The SCAState utility is located in the <sca_install_dir>/bin directory. In addition
to a live view of the analysis, it also provides a set of timers and counters that show where Fortify Static
Code Analyzer spends its time during the scan. For more information about how to use the SCAState
utility, see the "Checking the Fortify Static Code Analyzer Scan Status" on page 139.
Using JMX Tools

You can use tools to monitor Fortify Static Code Analyzer with JMX technology. These tools can
provide a way to track Fortify Static Code Analyzer performance over time. For more information about
these tools, see the full Oracle documentation available at: http://docs.oracle.com.
Note: These are third-party tools and Micro Focus does not provide or support them.
Using JConsole
JConsole is an interactive monitoring tool that complies with the JMX specification. The disadvantage of
JConsole is that you cannot save the output.
To use JConsole, you must first set some additional JVM parameters. Set the following environment
variable:
export SCA_VM_OPTS="-Dcom.sun.management.jmxremote
-Dcom.sun.management.jmxremote.port=9090
-Dcom.sun.management.jmxremote.ssl=false
-Dcom.sun.management.jmxremote.authenticate=false"
After the JMX parameters are set, start a Fortify Static Code Analyzer scan. During the scan, start
JConsole to monitor Fortify Static Code Analyzer locally or remotely with the following command:
jconsole <host_name>:9090
Using Java VisualVM

Java VisualVM offers the same capabilities as JConsole. It also provides more detailed information on
the JVM and enables you to save the monitor information to an application snapshot file. You can store
these files and open them later with Java VisualVM.
Similar to JConsole, before you can use Java VisualVM, you must set the same JVM parameters
described in "Using JConsole" above.
User Guide
After the JVM parameters are set, start the scan. You can then start Java VisualVM to monitor the scan
either locally or remotely with the following command:
jvisualvm <host_name>:9090
Chapter 20: Troubleshooting
Exit Codes 156
Memory Tuning 157
Scanning Complex Functions 159
Issue Non-Determinism 161
Accessing Log Files 162
Configuring Log Files 162
Reporting Issues and Requesting Enhancements 164
Exit Codes
The following table describes the possible Fortify Static Code Analyzer exit codes.
Exit
Code Description
0 Success
1 Generic failure
2 Invalid input files

(this could indicate that an attempt was made to translate a file that has a file extension that
Fortify Static Code Analyzer does not support)
3 Process timed out
4 Analysis completed with numbered warning messages written to the console and/or to the
log file
5 Analysis completed with numbered error messages written to the console and/or to the log
file
6 Scan phase was unable to generate issue results
By default, Fortify Static Code Analyzer only returns exit codes 0, 1, 2, or 3.
User Guide
You can extend the default exit code options by setting the com.fortify.sca.ExitCodeLevel
property in the <sca_install_dir>/Core/Config/fortify-sca.properties file.
The valid values are:
l nothing—Returns exit codes 0, 1, 2, or 3. This is the default setting.
l warnings—Returns exit codes 0, 1, 2, 3, 4, or 5.
l errors—Returns exit codes 0, 1, 2, 3, or 5.
l no_output_file—Returns exit codes 0, 1, 2, 3, or 6.
Memory Tuning
The amount of physical RAM required for a scan depends on the complexity of the code. By default,
Fortify Static Code Analyzer automatically allocates the memory it uses based on the physical memory
available on the system. This is generally sufficient. As described in "Output Options" on page 117, you
can adjust the Java heap size with the -Xmx command-line option.
This section describes suggestions for what you can do if you encounter OutOfMemory errors during
the analysis.
Note: You can set the memory allocation options discussed in this section to run for all scans by
setting the SCA_VM_OPTS environment variable.
Java Heap Exhaustion

Java heap exhaustion is the most common memory problem that might occur during Fortify Static Code
Analyzer scans. It is caused by allocating too little heap space to the Java virtual machine that Fortify
Static Code Analyzer uses to scan the code. You can identify Java heap exhaustion from the following
symptom.
Symptom
One or more of these messages appears in the Fortify Static Code Analyzer log file and in the
command-line output:
There is not enough memory available to complete analysis. For details on

making more memory available, please consult the user manual.
java.lang.OutOfMemoryError: Java heap space
java.lang.OutOfMemoryError: GC overhead limit exceeded
Resolution
To resolve a Java heap exhaustion problem, allocate more heap space to the Fortify Static Code
Analyzer Java virtual machine when you start the scan. To increase the heap size, use the -Xmx
command-line option when you run the Fortify Static Code Analyzer scan. For example, -Xmx1G makes
1 GB available. Before you use this parameter, determine the maximum allowable value for Java heap
space. The maximum value depends on the available physical memory.
User Guide
Heap sizes between 32 GB and 48 GB are not advised due to internal JVM implementations. Heap sizes
in this range perform worse than at 32 GB. Heap sizes smaller than 32 GB are optimized by the JVM. If
your scan requires more than 32 GB, then you probably need 64 GB or more. As a guideline, assuming
no other memory intensive processes are running, do not allocate more than 2/3 of the available
memory.
If the system is dedicated to running Fortify Static Code Analyzer, you do not need to change it.
However, if the system resources are shared with other memory-intensive processes, subtract an
allowance for those other processes.
Note: You do not need to account for other resident but not active processes (while Fortify Static
Code Analyzer is running) that the operating system might swap to disk. Allocating more physical
memory to Fortify Static Code Analyzer than is available in the environment might cause
“thrashing,” which typically slows down the scan along with everything else on the system.
Native Heap Exhaustion

Native heap exhaustion is a rare scenario where the Java virtual machine can allocate the Java memory
regions on startup, but is left with so few resources for its native operations (such as garbage collection)
that it eventually encounters a fatal memory allocation failure that immediately terminates the process.
Symptom
You can identify native heap exhaustion by abnormal termination of the Fortify Static Code Analyzer
process and the following output on the command line:
# A fatal error has been detected by the Java Runtime Environment:

#
# java.lang.OutOfMemoryError: requested ... bytes for GrET ...
Because this is a fatal Java virtual machine error, it is usually accompanied by an error log created in the
working directory with the file name hs_err_pidNNN.log.
Resolution
Because the problem is a result of overcrowding within the process, the resolution is to reduce the
amount of memory used for the Java memory regions (Java heap). Reducing this value should reduce
the crowding problem and allow the scan to complete successfully.
Stack Overflow
Each thread in a Java application has its own stack. The stack holds return addresses, function/method
call arguments, and so on. If a thread tends to process large structures with recursive algorithms, it
might need a large stack for all those return addresses. With the JVM, you can set that size with the -
Xss option.
Symptoms
This message typically appears in the Fortify Static Code Analyzer log file, but might also appear in the
command-line output:
User Guide
java.lang.StackOverflowError
Resolution
The default stack size is 16 MB. To increase the stack size, pass the -Xss option to the
sourceanalyzer command. For example, -Xss32M increases the stack to 32 MB.
Scanning Complex Functions

During a Fortify Static Code Analyzer scan, the Dataflow Analyzer might encounter a function for
which it cannot complete the analysis and reports the following message:
Function <name> is too complex for <analyzer> analysis and will be skipped
(<identifier>)
where:
l <name> is the name of the source code function
l <analyzer> is the name of the analyzer
l <identifier> is the type of complexity, which is one of the following:
l l: Too many distinct locations
l m: Out of memory
l s: Stack size too small
l t: Analysis taking too much time
l v: Function visits exceed the limit
The depth of analysis Fortify Static Code Analyzer performs sometimes depends on the available
resources. Fortify Static Code Analyzer uses a complexity metric to tradeoff these resources against the
number of vulnerabilities that it can find. Sometimes, this means giving up on a particular function when
Fortify Static Code Analyzer does not have enough resources available. This is normally when you see
the "Function too complex" messages.
When you see this message, it does not necessarily mean that Fortify Static Code Analyzer completely
ignored the function in the program. For example, the Dataflow Analyzer typically visits a function
many times before completing the analysis, and might not have run into this complexity limit in the
previous visits. In this case, the results include anything learned from the previous visits.
You can control the "give up" point using Fortify Static Code Analyzer properties called limiters.
Different analyzers have different limiters.
The following sections provide a discussion of a resolution for this issue.
User Guide
Dataflow Analyzer Limiters

There are three types of complexity identifiers for the Dataflow Analyzer:
l l: Too many distinct locations
l m: Out of memory
l s: Stack size too small
l v: Function visits exceed the limit
To resolve the issue identified by s, increase the stack size for by setting -Xss to a value greater than
16 MB.
To resolve the complexity identifier of m, increase the physical memory for Fortify Static Code Analyzer.
To resolve the complexity identifier of l, you can adjust the following limiters in the Fortify Static Code
Analyzer property file <sca_install_dir>/Core/config/fortify-sca.properties or on the
command line.
Property Name Default Value
com.fortify.sca. 1000
limiters.MaxTaintDefForVar
com.fortify.sca. 4000
limiters.MaxTaintDefForVarAbort
com.fortify.sca. 4
limiters.MaxFieldDepth
The MaxTaintDefForVar limiter is a dimensionless value expressing the complexity of a function,

while MaxTaintDefForVarAbort is the upper bound for it. Use the MaxFieldDepth limiter to
measure the precision when the Dataflow Analyzer analyzes any given object. Fortify Static Code
Analyzer always tries to analyze objects at the highest precision possible.
If a given function exceeds the MaxTaintDefForVar limit at a given precision, the Dataflow Analyzer
analyzes that function with lower precision (by reducing the MaxFieldDepth limiter). When you reduce
the precision, it reduces the complexity of the analysis. When the precision cannot be reduced any
further, Fortify Static Code Analyzer then proceeds with analysis at the lowest precision until either it
finishes, or the complexity exceeds the MaxTaintDefForVarAbort limiter. In other words, Fortify
Static Code Analyzer tries harder at the lowest precision to get at least some results from the function.
If Fortify Static Code Analyzer reaches the MaxTaintDefForVarAbort limiter, it gives up on the
function entirely and you get the "Function too complex" warning.
To resolve the complexity identifier of v, you can adjust the property
com.fortify.sca.limiters.MaxFunctionVisits. This property sets the maximum number of
times the taint propagation analyzer visits functions. The default is 50.
User Guide
Control Flow and Null Pointer Analyzer Limiters

There are two types of complexity identifiers for both Control Flow and Null Pointer analyzers:
l m: Out of memory
l t: Analysis taking too much time
Due to the way that the Dataflow Analyzer handles function complexity, it does not take an indefinite
amount of time. Control Flow and Null Pointer analyzers, however, can take a very long time when
analyzing very complex functions. Therefore, Fortify Static Code Analyzer provides a way to abort the
analysis when this happens, and then you get the "Function too complex" message with a complexity
identifier of t.
To change the maximum amount of time these analyzers spend to analyze functions, you can adjust the
following property values in the Fortify Static Code Analyzer property file <sca_install_
dir>/Core/config/fortify-sca.properties or on the command line.
Default
Property Name Description Value
com.fortify.sca. Sets the time limit (in milliseconds) for Control Flow 600000
CtrlflowMaxFunctionTime analysis on a single function. (10 minutes)
com.fortify.sca. Sets the time limit (in milliseconds) for Null Pointer 300000
NullPtrMaxFunctionTime analysis on a single function. (5 minutes)
To resolve the complexity identifier of m, increase the physical memory for Fortify Static Code Analyzer.
Note: If you increase these limiters or time settings, it makes the analysis of complex functions take
longer. It is difficult to characterize the exact performance implications of a particular value for the
limiters/time, because it depends on the specific function in question. If you never want to see the
"Function too complex" warning, you can set the limiters/time to an extremely high value, however it
can cause unacceptable scan time.
Issue Non-Determinism
Running in parallel analysis mode might introduce issue non-determinism. If you experience any
problems, contact Micro Focus Fortify Customer Support and disable parallel analysis mode. Disabling
parallel analysis mode results in sequential analysis, which can be substantially slower but provides
deterministic results across multiple scans.
To disable parallel analysis mode:
1. Open the fortify-sca.properties file located in the <sca_install_dir>/core/config
directory in a text editor.
User Guide
2. Change the value for the com.fortify.sca.MultithreadedAnalysis property to false.
com.fortify.sca.MultithreadedAnalysis=false
Accessing Log Files

By default, Fortify Static Code Analyzer creates two log files in the following location:
l On Windows: C:\Users\<user>\AppData\Local\Fortify\sca<version>\log
l On other platforms: $HOME/.fortify/sca<version>/log
where <version> is the version of Fortify Static Code Analyzer that you are using.
The following table describes the two log files.
Default File Name Description
sca.log The standard log provides a log of informational messages,

warnings, and errors that occurred in the run of
sourceanalyzer.
sca_FortifySupport.log The Fortify Support log provides:

l The same log messages as the standard log file, but with
additional details
l Additional detailed messages that are not included in the
standard log file
This log file is only helpful to Micro Focus Fortify Customer
Support or the development team to troubleshoot any
possible issues.
If you encounter warnings or errors that you cannot resolve, provide the Fortify Support log file to
Micro Focus Fortify Customer Support.
Configuring Log Files

You can configure the information that Fortify Static Code Analyzer writes to the log files by setting
logging properties (see "fortify-sca.properties" on page 182). You can configure the following log file
settings:
l The location and name of the log file
Property: com.fortify.sca.LogFile
l Log level (see "Understanding Log Levels" on the next page)
Property: com.fortify.sca.LogLevel
User Guide
l Whether to overwrite the log files for each run of sourceanalyzer

Property: com.fortify.sca.ClobberLogFile
Command-line option: -clobber-log
Understanding Log Levels

The log level you select gives you all log messages equal to and greater than it. The log levels in the
following table are listed in order from least to greatest. For example, the default log level of
INFO includes log messages with the following levels: INFO, WARN, ERROR, and FATAL. You can set
the log level with the com.fortify.sca.LogLevel property in the <sca_install_
dir>/Core/config/fortify.sca.properties file or on the command-line using the -D option.
Log
Level Description
DEBUG Includes information that could be used by Micro Focus Fortify Customer Support or the
development team to troubleshoot an issue
INFO Basic information about the translation or scan process
WARN Information about issues where the translation or scan did not stop, but might require
your attention for accurate results
ERROR Information about an issue that might require attention
FATAL Information about an error that caused the translation or scan to abort
User Guide
Reporting Issues and Requesting Enhancements

Feedback is critical to the success of this product. To request enhancements or patches, or to report
issues, visit Micro Focus Fortify Customer Support at https://www.microfocus.com/support.
Include the following information when you contact customer support:
l Product: Fortify Static Code Analyzer
l Version number: To determine the version number, run the following:
sourceanalyzer -version
l Platform: (for example, Red Hat Enterprise Linux <version>)
l Operating system: (such as Linux)
To request an enhancement, include a description of the feature enhancement.

To report an issue, provide enough detail so that support can duplicate the issue. The more descriptive
you are, the faster support can analyze and resolve the issue. Also include the log files, or the relevant
portions of them, from when the issue occurred.
Appendix A: Filtering the Analysis
Filter Files 165
Filter File Example 165
Filter Files
You can create a file to filter out particular vulnerability instances, rules, and vulnerability categories
when you run the sourceanalyzer command. You specify the file with the -filter analysis option.
Note: Fortify recommends that you only use filter files if you are an advanced user. Do not use
filter files for standard audits, because auditors typically want to see and evaluate all issues that
Fortify Static Code Analyzer finds.
A filter file is a text file that you can create with any text editor. You specify only the filter items that you
do not want in this file. Each filter item is on a separate line in the filter file. You can specify the following
filter types:
l Category
l Instance ID
l Rule ID
The filters are applied at different times in the analysis process, based on the type of filter. Fortify Static
Code Analyzer applies category and rule ID filters in the initialization phase before any analysis has
taken place, whereas an instance ID filter is applied after the analysis phase.
Filter File Example

As an example, the following output is from a scan of the EightBall.java, located in the <sca_
install_dir>/Samples/basic/eightball directory.
The following commands are executed to produce the analysis results:
sourceanalyzer -b eightball EightBall.java

sourceanalyzer -b eightball -scan
User Guide
The following results show five detected issues:
[F7A138CDE5235351F6A4405BA4AD7C53 : low : Unchecked Return Value :

semantic ]
EightBall.java(12) : Reader.read()
[6291C6A33303ED270C269917AA8A1005 : high : Path Manipulation : dataflow ]

EightBall.java(12) : ->new FileReader(0)
EightBall.java(8) : <=> (filename)
EightBall.java(8) : <->Integer.parseInt(0->return)
EightBall.java(4) : ->EightBall.main(0)
[176CC0B182267DD538992E87EF41815F : critical : Path Manipulation :

dataflow ]
[E4B3ACF92911ED6D98AAC15876739EC7 : high : Unreleased Resource : Streams :

controlflow ]
EightBall.java(12) : start -> loaded : new FileReader(...)

EightBall.java(14) : loaded -> end_of_scope : end scope : Resource
leaked

EightBall.java(12) : java.io.IOException thrown
EightBall.java(12) : loaded -> loaded : throw
leaked : java.io.IOException thrown
[BB9F74FFA0FF75C9921D0093A0665BEB : low : J2EE Bad Practices : Leftover

Debug Code : structural ]
EightBall.java(4)
The following is example filter file content that performs the following:
l Remove all results related to the J2EE Bad Practice category
l Remove the Path Manipulation based on its instance ID
l Remove any dataflow issues that were generated from a specific rule ID
#This is a category to filter from scan output

J2EE Bad Practices
User Guide
#This is an instance ID of a specific issue to be filtered

#from scan output
6291C6A33303ED270C269917AA8A1005
#This is a specific Rule ID that leads to the reporting of a

#specific issue in the scan output: in this case the
#dataflow sink for a Path Manipulation issue.
823FE039-A7FE-4AAD-B976-9EC53FFE4A59
To test the filtered output, copy the above text and paste it into a file with the name test_
filter.txt.
To apply the filtering in the test_filter.txt file, execute the following command:
sourceanalyzer -b eightball -scan -filter test_filter.txt
The filtered analysis produces the following results:
[176CC0B182267DD538992E87EF41815F : critical : Path Manipulation :

dataflow ]
[E4B3ACF92911ED6D98AAC15876739EC7 : high : Unreleased Resource : Streams :

controlflow ]

leaked

EightBall.java(12) : java.io.IOException thrown
EightBall.java(12) : loaded -> loaded : throw
leaked : java.io.IOException thrown
Appendix B: Fortify Scan Wizard
Preparing to use the Fortify Scan Wizard 168
Starting the Fortify Scan Wizard 169
Preparing to use the Fortify Scan Wizard

Fortify Scan Wizard uses the information you provide to create a script with the commands for Fortify
Static Code Analyzer to translate and scan project code and optionally upload the results directly to
Micro Focus Fortify Software Security Center. You can use Fortify Scan Wizard to run your scans locally
or upload them to a Micro Focus Fortify ScanCentral SAST server.
Note: If you generate a script on a Windows system, you cannot run that script on a non-Windows
system. Likewise, if you generate a script on a non-Windows system, you cannot run it on a
Windows system.
User Guide
Appendix B: Fortify Scan Wizard
To use the Fortify Scan Wizard, you need the following:

l Location of the build directory or directories of the project to be scanned
l Access to the build directory or directories of the project to be scanned
l To scan Java code, the version of the Java JDK used to develop the code
l To use Fortify ScanCentral SAST to scan your code, the ScanCentral Controller URL
l (Optional) Location of custom rule files
To upload your scan results to Fortify Software Security Center, you also need:
l The Fortify Software Security Center server URL
l Your Fortify Software Security Center login credentials
l An upload authentication token
Note: If you do not have an upload token, you can use the Fortify Scan Wizard to generate one.
To do this, you must have Fortify Software Security Center login credentials.
If you do not have Fortify Software Security Center login credentials, you must have the following:
l Application name
l Application version name
Note: Fortify Scan Wizard uses a default scan memory setting of 90% of the total available memory
if it is greater than 4 GB, otherwise the default memory setting is 2/3 the total available memory.
Adjust the scan memory as necessary in the Translation and Scan step.
Starting the Fortify Scan Wizard

To start the Fortify Scan Wizard with Fortify SCA and Applications installed locally, do one of the
following, based on your operating system:
l On Windows, select Start > All Programs > Fortify SCA and Applications <version> > Scan
Wizard.
l On Linux, navigate to the <sca_install_dir>/bin directory, and then run the ScanWizard file
from the command line.
l On macOS, navigate to the <sca_install_dir>/bin directory, and then double-click
ScanWizard.
Appendix C: Sample Projects
The Fortify SCA and Applications installation might include several code samples that you can use to
when learning to use Fortify Static Code Analyzer. If you installed the sample files, they are in the
following directory:
<sca_install_dir>/Samples
The Samples directory contains two subdirectories: basic and advanced. Each code sample includes a
README.txt file that provides instructions on how to scan the code with Fortify Static Code Analyzer
and view the results in Micro Focus Fortify Audit Workbench.
The basic subdirectory includes an assortment of simple language-specific code samples. The
advanced subdirectory includes more advanced samples including source code to help you integrate
Fortify Static Code Analyzer with your bug tracker application. For information on integrating bug
tracker applications with Fortify Audit Workbench, see Micro Focus Fortify Audit Workbench User
Guide.
Basic Samples 170
Advanced Samples 172
Basic Samples
The following table describes the sample files in the <sca_install_dir>/Samples/basic directory
and provides a list of the vulnerabilities that the samples demonstrate. Many of the samples includes a
README.txt file that provides details and instructions on its use.
Folder Name Description Vulnerabilities
cpp A C++ sample file and instructions to analyze code Command Injection
that has a simple dataflow vulnerability. Fortify
Memory Leak
analysis requires a gcc or cl compiler.
database A database.pks sample file. This SQL sample Access Control: Database
includes issues in SQL code.
User Guide
eightball A Java application (EightBall.java) that exhibits Path Manipulation

bad error handling. It requires an integer argument. If
Unreleased Resource:
you supply a file name instead of an integer as the
Streams
argument, it displays the file contents.
Unchecked Return Value
J2EE Bad Practices:
Leftover Debug Code
formatstring The formatstring.c file. Fortify analysis requires a Format String

gcc or cl compiler.
java13 The Sample.java file. Privacy Violation

Insecure Randomness:
Hardcoded Seed
J2EE Bad Practices:
Leftover Debug Code
Poor Logging Practice: Use
of a System Output System
javascript The sample.js JavaScript file. Cross-Site Scripting

Open Redirect
Privacy Violation
nullpointer The NullPointerSample.java file. Null Dereference
php Two PHP files: sink.php and source.php. Cross-Site Scripting

Analyzing source.php reveals simple dataflow SQL Injection
vulnerabilities and a dangerous function.
sampleOutput A sample output file (WebGoat5.0.fpr) from the Various

WebGoat project located in the
Samples/advanced/webgoat directory.
stackbuffer The stackbuffer.c file. Fortifyanalysis requires a Buffer Overflow

gcc or cl compiler.
toctou The toctou.c file. Fortifyanalysis requires a gcc or cl Time-of-Check/Time-of-

compiler. Use (Race Condition)
User Guide
vb6 The command-injection.bas file. Command Injection

SQL Injection
vbscript The source.asp and sink.asp files. SQL Injection
Advanced Samples
The following table describes the samples in the <sca_install_dir>/Samples/advanced directory.
Many of the samples include a README.txt file that provides additional details and instructions on how
to analyze the sample.
Folder Name Description
BugTrackerPlugin Includes source code for the supported bug tracker plugin.
<bugtracker>
c++ A sample solution for each supported version of Visual Studio.

To use this sample, you must have the following installed:
l A supported version of Visual Studio Visual C/C++
l Fortify Static Code Analyzer
l To analyze the sample from Visual Studio as described in the README.txt
file, you must have the Micro Focus Fortify Extension for Visual Studio
installed for your Visual Studio version
The code includes a Command Injection issue and an Unchecked Return Value
issue.
configuration A sample Java EE application that has vulnerabilities in its web module
deployment descriptor web.xml.
crosstier A sample that has vulnerabilities that span multiple application technologies
(Java, PL/SQL, JSP, and struts).
The output contains several issues of different types, including two Access
Control vulnerabilities. One of these is a cross-tier result. It has a dataflow trace
from user input in Java code that can affect a SELECT statement in PL/SQL.
User Guide
csharp A simple C# program that has SQL injection vulnerabilities. Versions are
included for each supported version of Visual Studio. Analysis of this sample
reveals SQL Injection ,Unreleased Resource, and Path Manipulation
vulnerabilities. Other categories might also be present, depending on the
Rulepack version used in the scan.
customrules Several simple source code samples and Rulepack files that illustrate how four
different analyzers: Semantic, Dataflow, Control Flow, and Configuration
interpret rules. This folder also includes several miscellaneous samples of real-
world rules that you can use to scan real applications.
ejb A sample Java EE cross-tier application with Servlets and EJBs.
filters A sample that uses the Fortify Static Code Analyzer -filter option.
findbugs A sample that demonstrates how to run the FindBugs static analysis tool
together with Fortify Static Code Analyzer and filter out results that overlap.
java1.5 A sample Java file: ResourceInjection.java. The result file includes a Path
Manipulation, a J2EE Bad Practices, and a Poor Style vulnerability.
javaAnnotations A sample application that illustrates problems that might arise from its use and
how to fix the problems with the Fortify Java Annotations.
This sample illustrates how the use of Fortify Annotations can result in
increased accuracy in the reported vulnerabilities. The README.txt file
describes the potential problems and solutions associated with the sample
application.
JavaDoc JavaDoc directory for the public-api and WSClient.
riches.java A Java EE 1.4 sample web application with various known security vulnerabilities
including Cross-Site Scripting, SQL Injection, and Command Injection.
riches.net A .NET 4.0 sample web application with various known security vulnerabilities
including Cross-Site Scripting, SQL Injection, and Command Injection.
swift The iGoat-Swift folder contains the iGoat-Swift source provided by the Open
Web Application Security Project (OWASP). To analyze this project, you must
have a supported xcodebuild version installed. The README.txt file describes
the vulnerabilities that are revealed in the analysis of this application.
User Guide
webgoat The WebGoat test Java EE web application provided by the Open Web
Application Security Project (OWASP). This directory contains the WebGoat 5.0
source code.
Appendix D: Fortify Java Annotations
Fortify provides two versions of the Java Fortify annotations library.
l Annotations with the retention policy set to CLASS (FortifyAnnotations-CLASS.jar).
With this version of the library, Fortify annotations are propagated to the bytecode during
compilation.
l Annotations with the retention policy set to SOURCE (FortifyAnnotations-SOURCE.jar).
With this version of the library, Fortify annotations are not propagated to the bytecode after the
code that uses them is compiled.
If you use Fortify products to analyze bytecode of your applications (for example, with Fortify on
Demand assessments), then use the version with the annotation retention policy set to CLASS. If you
use Fortify products to analyze the source code of your applications, you can use either version of the
library, however Fortify strongly recommends that you use the library with retention policy set to
SOURCE.
Important! Leaving Fortify annotations in production code is a security risk because they can leak
information about potential security problems in the code. Fortify recommends that you use
annotations with the retention policy set to CLASS only for internal Fortify analysis, and never use
them in your application production builds.
This section outlines the annotations available. A sample application is included with the Fortify SCA
and Applications samples installation in the <sca_install_
dir>/Samples/advanced/javaAnnotations directory. A README.txt file included in the directory
describes the sample application, problems that might arise from it, and how to fix these problems using
the Fortify Java Annotations.
There are two limitations with Fortify Java annotations:
l Each annotation can specify only one input and/or one output.
l You can apply only one annotation of each type to the same target.
Fortify provides three main types of annotations:

l "Dataflow Annotations" below
l "Field and Variable Annotations" on page 178
l "Other Annotations" on page 179
You also can write rules to support your own custom annotations. Contact Micro Focus Fortify
Customer Support for more information.
Dataflow Annotations
There are four types of Dataflow annotations, similar to Dataflow rules: Source, Sink, Passthrough, and
Validate. All are applied to methods and specify the inputs and/or outputs by parameter name or the
User Guide
strings this and return. Additionally, you can apply the Dataflow Source and Sink annotations to the
function arguments.
Source Annotations
The acceptable values for the annotation parameter are this, return, or a function parameter name.
For example, you can assign taint to an output of the target method.
@FortifyDatabaseSource("return")
String [] loadUserProfile(String userID) {
...
}
For example, you can assign taint to an argument of the target method.
void retrieveAuthCode(@FortifyPrivateSource String authCode) {

...
}
In addition to specific source annotations, Fortify provides a generic untrusted taint source called
FortifySource.
The following is a complete list of source annotations:
l FortifySource
l FortifyDatabaseSource
l FortifyFileSystemSource
l FortifyNetworkSource
l FortifyPCISource
l FortifyPrivateSource
l FortifyWebSource
Passthrough Annotations
Passthrough annotations transfer any taint from an input to an output of the target method. It can also
assign or remove taint from the output, in the case of FortifyNumberPassthrough and
FortifyNotNumberPassthrough. The acceptable values for the in annotation parameter are "this"
or a function parameter name. The acceptable values for the out annotation parameter are this,
return, or a function parameter name.
@FortifyPassthrough(in="a",out="return")
String toLowerCase(String a) {
...
}
User Guide
Use FortifyNumberPassthrough to indicate that the data is purely numeric. Numeric data cannot
cause certain types of issues, such as cross-site scripting, regardless of the source. Using
FortifyNumberPassthrough can reduce false positives of this type. If a program decomposes
character data into a numeric type (int, int[], and so on), you can use FortifyNumberPassthrough. If
a program concatenates numeric data into character or string data, then use
FortifyNotNumberPassthrough.
The following is a complete list of passthrough annotations:
l FortifyPassthrough
l FortifyNumberPassthrough
l FortifyNotNumberPassthrough
Sink Annotations
Sink annotations report an issue when taint of the appropriate type reaches an input of the target
method. Acceptable values for the annotation parameter are this or a function parameter name.
@FortifyXSSSink("a")
void printToWebpage(int a) {
...
}
You can also apply the annotation to the function argument or the return parameter. In the following
example, an issue is reported when taint reaches the argument a.
void printToWebpage(int b, @FortifyXSSSink String a) {

...
}
The following is a complete list of the sink annotations:

l FortifySink
l FortifyCommandInjectionSink
l FortifyPCISink
l FortifyPrivacySink
l FortifySQLSink
l FortifySystemInfoSink
l FortifyXSSSink
User Guide
Validate Annotations
Validate annotations remove taint from an output of the target method. Acceptable values for the
annotation parameter are this, return, or a function parameter name.
@FortifyXSSValidate("return")
String xssCleanse(String a) {
...
}
The following is a complete list of validate sink annotations:

l FortifyValidate
l FortifyCommandInjectionValidate
l FortifyPCIValidate
l FortifyPrivacyValidate
l FortifySQLValidate
l FortifySystemInfoValidate
l FortifyXSSValidate
Field and Variable Annotations

You can apply these annotations to fields and (in most cases) variables.
Password and Private Annotations

Use password and private annotations to indicate whether the target field or variable is a password or
private data.
@FortifyPassword String x;
@FortifyNotPassword String pass;
@FortifyPrivate String y;
@FortifyNotPrivate String cc;
In the previous example, string x will be identified as a password and checked for privacy violations and
hardcoded passwords. The string pass will not be identified as a password. Without the annotation, it
might cause false positives. The FortifyPrivate and FortifyNotPrivate annotations work
similarly, only they do not cause privacy violation issues.
User Guide
Non-Negative and Non-Zero Annotations

Use these annotations to indicate disallowed values for the target field or variable.
@FortifyNonNegative int index;

@FortifyNonZero double divisor;
In the previous example, an issue is reported if a negative value is assigned to index or zero is assigned
to divisor.
Other Annotations
Check Return Value Annotation
Use the FortifyCheckReturnValue annotation to add a target method to the list of functions that
require a check of the return values.
@FortifyCheckReturnValue
int openFile(String filename){
...
}
Dangerous Annotations
With the FortifyDangerous annotation, any use of the target function, field, variable, or class is
reported. Acceptable values for the annotation parameter are CRITICAL, HIGH, MEDIUM, or LOW. These
values indicat how to categorize the issue based on the Fortify Priority Order values).
@FortifyDangerous{"CRITICAL"}
public class DangerousClass {
@FortifyDangerous{"HIGH"}
String dangerousField;
@FortifyDangerous{"LOW"}
int dangerousMethod() {
...
}
}
Appendix E: Configuration Options
The Fortify SCA and Applications installer places a set of properties files on your system. Properties files
contain configurable settings for Micro Focus Fortify Static Code Analyzer runtime analysis, output, and
performance.
Fortify Static Code Analyzer Properties Files 180
fortify-sca.properties 182
fortify-sca-quickscan.properties 211
Fortify Static Code Analyzer Properties Files

The properties files are located in the <sca_install_dir>/Core/config directory.
The installed properties files contain default values. Fortify recommends that you consult with your
project leads before you make changes to the properties in the properties files. You can modify any of
the properties in the configuration file with any text editor. You can also specify the property on the
command line with the -D option.
The following table describes the primary properties files. Additional properties files are described in
Micro Focus Fortify Static Code Analyzer Tools Properties Reference Guide.
Properties File Name Description
fortify-sca.properties Defines the Fortify Static Code Analyzer configuration properties.
fortify-sca- Defines the configuration properties applicable for a Fortify Static

quickscan.properties Code Analyzer quick scan.
Properties File Format

In the properties file, each property consists of a pair of strings: the first string is the property name and
the second string is the property value.
com.fortify.sca.fileextensions.htm=HTML
As shown above, the property sets the translation to use for .htm files. The property name is
com.fortify.sca.fileextension.htm and the value is set to HTML.
User Guide
Note: When you specify a path for Windows systems as the property value, you must escape any
backslash character (\) with a backslash (for example:
com.fortify.sca.ASPVirtualRoots.Library=C:\\WebServer\\CustomerA\\inc).
Disabled properties are commented out of the properties file. To enable these properties, remove the
comment symbol (#) and save the properties file. In the following example, the
com.fortify.sca.LogFile property is disabled in the properties file and is not part of the
configuration:
# default location for the log file

#com.fortify.sca.LogFile=${com.fortify.sca.ProjectRoot}/sca/log/sca.log
Precedence of Setting Properties

Fortify Static Code Analyzer uses properties settings in a specific order. You can override any previously
set properties with the values that you specify. Keep this order in mind when making changes to the
properties files.
The following table lists the order of precedence for Fortify Static Code Analyzer properties.
Order Property Specification Description
1 Command line with the Properties specified on the command line have the highest
-D option priority and you can specify them in any scan.
2 Fortify Static Code Note: You can specify either quick scan or a scan precision
Analyzer quick scan level. Therefore, these property settings both have second
configuration file priority.
Properties specified in the quick scan configuration file

(fortify-sca-quickscan.properties) have the second
priority, but only if you include the -quick option to enable quick
scan mode.
Fortify Static Code Properties specified in the scan precision property files have the
Analyzer scan precision second priority, but only if you include the -scan-precision
property files option to enable scan precision.
3 Fortify Static Code Properties specified in the Fortify Static Code Analyzer
Analyzer configuration configuration file (fortify-sca.properties) have the lowest
file priority. Edit this file to change the property values on a more
permanent basis for all scans.
Fortify Static Code Analyzer also relies on some properties that have internally defined default values.
User Guide
fortify-sca.properties
The following table summarizes the properties available for use in the fortify-sca.properties file.
See "fortify-sca-quickscan.properties" on page 211 for additional properties that you can use in this
properties file. The description for each property includes the value type, the default value, the
equivalent command-line option (if applicable), and an example.
com.fortify.sca. Specifies the build ID of the build.

BuildID
Value Type: String
Default: (none)
Command-Line Option: -b
com.fortify.sca. Specifies the folder to store intermediate files generated in

ProjectRoot the translation and scan phases. Fortify Static Code
Analyzer makes extensive use of intermediate files located
in this project root directory. In some cases, you achieve
better performance for analysis by making sure this
directory is on local storage rather than on a network
drive.
Value Type: String (path)
Default (Windows):
${win32.LocalAppdata}\Fortify
Note: ${win32.LocalAppdata} is a special variable

that points to the windows Local Application Data
shell folder.
Default (Non-Windows): $home/.fortify

Command-Line Option: -project-root
Example: com.fortify.sca.ProjectRoot=
C:\Users\<user>\AppData\Local\
com.fortify.sca. Dead code is code that can never be executed, such as

DisableDeadCode code inside the body of an if statement that always
Elimination evaluates to false. If this property is set to true, then
Fortify Static Code Analyzer does not identify dead code,
User Guide
does not report dead code issues, and reports other

vulnerabilities in the dead code, even though they are
unreachable during execution.
Value Type: Boolean
Default: false
com.fortify.sca. If set to true, Fortify Static Code Analyzer removes dead

DeadCodeFilter code issues, for example because the compiler generated
dead code and it does not appear in the source code.
Value Type: Boolean
Default: true
com.fortify.sca. Specifies how to translate specific file extensions for

fileextensions.java languages that do not require build integration. The valid
com.fortify.sca. types are: ABAP, ACTIONSCRIPT, APEX, APEX_
fileextensions.cs TRIGGER, ARCHIVE, ASPNET, ASP, ASPX, BITCODE,
BYTECODE, CFML, COBOL, CSHARP, DOCKERFILE, GO,
com.fortify.sca.
fileextensions.js
HTML, JAVA, JAVA_PROPERTIES, JAVASCRIPT, JSP,
JSPX, KOTLIN, MSIL, MXML, PHP, PLSQL, PYTHON,
com.fortify.sca. RUBY, RUBY_ERB, SCALA, SWIFT, TLD, SQL, TSQL,
fileextensions.py
TYPESCRIPT, VB, VB6, VBSCRIPT, VISUAL_FORCE, and
com.fortify.sca. XML.
fileextensions.rb
Value Type: String (valid language type)
com.fortify.sca.
fileextensions.aspx Default: See the fortify-sca.properties file for the
com.fortify.sca. complete list.
fileextensions.php Examples:
Note: This is a partial list. For the com.fortify.sca.fileextensions.java=JAVA
complete list, see the properties file. com.fortify.sca.fileextensions.cs=CSHARP
com.fortify.sca.fileextensions.js=TYPESCRIP
T
com.fortify.sca.fileextensions.py=PYTHON
com.fortify.sca.fileextensions.rb=RUBY
com.fortify.sca.fileextensions.aspx=ASPNET
com.fortify.sca.fileextensions.php=PHP
User Guide
You can also specify a value of oracle:<path_to_

script> to programmatically supply a language type.
Provide a script that accepts one command-line parameter
of a file name that matches the specified file extension.
The script must write the valid Fortify Static Code
Analyzer file type (see previous list) to stdout and exit
with a return value of zero. If the script returns a non-zero
return code or the script does not exist, the file is not
translated and Fortify Static Code Analyzer writes a
warning to the log file.
Example:
com.fortify.sca.fileextensions.jsp=
oracle:<path_to_script>
com.fortify.sca. Specifies custom-named compilers.

compilers.javac=
com.fortify.sca.
Value Type: String (compiler)
util.compilers.
Default: See the Compilers section in the fortify-
JavacCompiler
sca.properties file for the complete list.
com.fortify.sca.
compilers.c++= Example:
com.fortify.sca. To tell Fortify Static Code Analyzer that “my-gcc” is a gcc
util.compilers.
compiler:
GppCompiler
com.fortify.sca. com.fortify.sca.
compilers.make= compilers.my-gcc=
com.fortify.sca. com.fortify.sca.util.compilers.
util.compilers. GccCompiler
TouchlessCompiler
Notes:
com.fortify.sca.
compilers.mvn= l Compiler names can begin or end with an asterisk
com.fortify.sca. (*), which matches zero or more characters.
util.compilers. l Execution of Apple LLVM clang/clang++ is not
MavenAdapter
supported with the gcc/g++ command names. You
Note: This is a partial list. For the can specify the following:
complete list, com.fortify.sca.compilers.g++=
see the properties file. com.fortify.sca.util.compilers.
GppCompiler
User Guide
com.fortify.sca. If set to true, Fortify Static Code Analyzer includes

UseAntListener com.fortify.dev.ant.SCAListener in the compiler
options.
Value Type: Boolean
Default: false
com.fortify.sca. Specifies a file or a list of files to exclude from translation.

exclude Separate the file list with semicolons (Windows) or colons
(non-Windows systems).
Note: Fortify Static Code Analyzer only uses this

property during translation without build integration.
When you integrate with a compiler or build tool,
Fortify Static Code Analyzer translates all source files
that the compiler or build tool processes even if they
are specified with this property.
Value Type: String (list of file names)

Default: Not enabled
Command-Line Option: -exclude

Example: com.fortify.sca.exclude=
file1.x;file2.x
com.fortify.sca. Specifies the encoding of the command-line options file

CmdlineOptionsFileEncoding provided with @<filename> (see "Other Options" on
page 120). You can use this property, for example, to
specify Unicode file paths in the options file. Valid
encoding names are from the
java.nio.charset.Charset
Note: This property is only valid in the fortify-

sca.properties file and does not work in the
fortify-sca-quickscan.properites file or with
the -D option.
Value Type: String

Default: JVM system default encoding
User Guide
Example:
com.fortify.sca.CmdLineOptionsFileEncoding=
UTF-8
com.fortify.sca. Specifies the source file encoding type. Fortify Static Code
InputFileEncoding Analyzer allows you to scan a project that contains
differently encoded source files. To work with a multi-
encoded project, you must specify the -encoding option
in the translation phase, when Fortify Static Code
Analyzer first reads the source code file. Fortify Static
Code Analyzer remembers this encoding in the build
session and propagates it into the FVDL file.
Typically, if you do not specify the encoding type, Fortify
Static Code Analyzer uses file.encoding from the
java.io.InputStreamReader constructor with no
encoding parameter. In a few cases (for example with the
ActionScript parser), Fortify Static Code Analyzer defaults
to UTF-8.
Value Type: String
Default: (none)
Command-Line Option: -encoding

Example:
com.fortify.sca.InputFileEncoding=UTF-16
com.fortify.sca. Specifies whether the xcodebuild touchless adapter

xcode.TranslateAfterError continues translation if the xcodebuild subprocess exited
with a non-zero exit code. If set to false, translation stops
after encountering a non-zero xcodebuild exit code and
the Fortify Static Code Analyzer touchless build halts with
the same exit code. If set to true, the Fortify Static Code
Analyzer touchless build executes translation of the build
file identified prior to the xcodebuild exit, and Fortify
Static Code Analyzer exits with an exit code of zero
(unless some other error also occurs).
Regardless of this setting, if xcodebuild exits with a non-
zero code, then the xcodebuild exit code, stdout, and
stderr are written to the log file.
User Guide
Value Type: Boolean
Default: false
com.fortify.sca. If set to true, Fortify Static Code Analyzer uses Apex

Apex translation for files with the .cls extension and
Visualforce translation for files with the .component
extension.
Value Type: Boolean
Default: false
Command-Line Option: -apex
com.fortify.sca. Specifies the absolute path of the custom sObject JSON

ApexObjectPath file sobjects.json.
Value Type: String
Default: (none)
Command-Line Option: -apex-sobject-path
com.fortify.sca. If set to true, Fortify Static Code Analyzer generates

AddImpliedMethods implied methods when it encounters implementation by
inheritance.
Value Type: Boolean
Default: true
com.fortify.sca. Specifies a comma- or colon-separated list of the types of

DefaultAnalyzers analysis to perform. The valid values for this property are
buffer, content, configuration, controlflow,
dataflow, findbugs, nullptr, semantic, and
structural.
Value Type: String
Default: This property is commented out and all analysis
types are used in scans.
Command-Line Option: -analyzers
com.fortify.sca. Specifies a comma- or colon-separated list of analyzers to

EnableAnalyzer use for a scan in addition to the default analyzers. The
User Guide
valid values for this property are buffer, content,

configuration, controlflow, dataflow, findbugs,
nullptr, semantic, and structural.
Value Type: String
Default: (none)
com.fortify.sca. Extends the default exit code options. See "Exit Codes" on
ExitCodeLevel page 156 for a description of the exit codes. The valid
values are:
The valid values are:
l nothing—Returns exit codes 0, 1, 2, or 3. This is the

default setting.
l warnings—Returns exit codes 0, 1, 2, 3, 4, or 5.
l errors—Returns exit codes 0, 1, 2, 3, or 5.
l no_output_file—Returns exit codes 0, 1, 2, 3, or 6.
com.fortify.sca. If set to true, higher-order analysis is enabled.

hoa.Enable
Value Type: Boolean
Default: true
com.fortify.sca. The languages for which to run higher-order analysis.

Phase0HigherOrder. Valid values are python, swift, ruby, javascript, and
Languages typescript.
Value Type: String (comma-separated list of languages)
Default:
python,ruby,swift,javascript,typescript
com.fortify.sca. Specifies the total time (in seconds) for higher-order

Phase0HigherOrder.Timeout. analysis. When the analyzer reaches the hard timeout limit,
Hard it exits immediately.
Fortify recommends this timeout limit in case some issue
causes the analysis to run too long. Fortify recommends
that you set the hard timeout to about 50% longer than
the soft timeout, so that either the fixpoint pass limiter or
the soft timeout occurs first.
User Guide
Value Type: Number
Default: 2700
com.fortify.sca. Specifies the scan precision. Scans with a lower precision

PrecisionLevel level are performed faster. The valid values are 1 and 2.
Value Type: Number
Default: (none)
Command-Line Option: -scan-precision | -p
com.fortify.sca. Specifies the length of a taint path between input and

MaxPassthroughChainDepth output parameters in a function call.
Value Type: Integer
Default: 4
com.fortify.sca. Comma- or colon-separated list of languages that use type

TypeInferenceLanguages inference. This setting improves the precision of the
analysis for dynamically-typed languages.
Value Type: String
Default: javascript,python,ruby,typescript
com.fortify.sca. The total amount of time (in seconds) that type inference
TypeInferencePhase0 can spend in phase 0 (the interprocedural analysis).
Timeout Unlimited if set to zero or is not specified.
Value Type: Long
Default: 300
com.fortify.sca. The amount of time (in seconds) that type inference can
TypeInferenceFunctionTimeout spend to analyze a single function. Unlimited if set to zero
or is not specified.
Value Type: Long
Default: 60
com.fortify.sca. If set to true, disables function pointers during the scan.

DisableFunctionPointers
Value Type: Boolean
User Guide
Default: false
com.fortify.sca. Specifies a list of file extensions for rules files. Any files in
RulesFileExtensions <sca_install_dir>/Core/config/rules (or a
directory specified with the -rules option) whose
extension is in this list is included. The .bin extension is
always included, regardless of the value of this property.
The delimiter for this property is the system path
separator.
Value Type: String
Default: .xml
com.fortify.sca. Specifies a custom Rulepack or directory. If you specify a

RulesFile directory, all of the files in the directory with the .bin and
.xml extensions are included.
Default: (none)
Command-Line Option: -rules
com.fortify.sca. If set to true, rules from the default Rulepacks are not
NoDefaultRules loaded. Fortify Static Code Analyzer processes the
Rulepacks for description elements and language libraries,
but no rules are processed.
Value Type: Boolean
Default: (none)
Command-Line Option: -no-default-rules
com.fortify.sca. If set to true, disables rules in default Rulepacks that lead

NoDefaultIssueRules directly to issues. Still loads rules that characterize the
behavior of functions. This can be helpful when creating
custom issue rules.
Value Type: Boolean
Default: (none)
Command-Line Option: -no-default-issue-rules
User Guide
com.fortify.sca. If set to true, disables source rules in the default

NoDefaultSourceRules Rulepacks. This can be helpful when creating custom
source rules.
Note: Characterization source rules are not disabled.
Value Type: Boolean

Default: (none)
Command-Line Option: -no-default-source-rules
com.fortity.sca. If set to true, disables sink rules in the default Rulepacks.

NoDefaultSinkRules This can be helpful when creating custom sink rules.
Note: Characterization sink rules are not disabled.
Value Type: Boolean

Default: (none)
Command-Line Option: -no-default-sink-rules
com.fortify.sca. Sets the directory used to search for the Fortify provided
DefaultRulesDir encrypted rules files.
Default:
${com.fortify.Core}/config/rules
com.fortify.sca. Sets the directory used to search for custom rules.

CustomRulesDir
Default:
${com.fortify.Core}/config/customrules
com.fortify.sca. If set to true, FindBugs is enabled as part of the scan.

EnableFindbugs
Value Type: Boolean
Default: true
Command-Line Option: -findbugs
com.fortify.sca. Sets the maximum heap size for findbugs.

findbugs.maxheap
User Guide
Value Type: String

Default: Maximum heap size for Fortify Static Code
Analyzer
Example:
com.fortify.sca.findbugs.maxheap=500m
com.fortify.sca. If set to true, Fortify Static Code Analyzer ignores low

SuppressLowSeverity severity issues found in a scan.
Value Type: Boolean
Default: true
com.fortify.sca. Specifies the cutoff level for severity suppression. Fortify

LowSeverityCutoff Static Code Analyzer ignores any issues found with a
lower severity value than the one specified for this
property.
Value Type: Number
Default: 1.0
com.fortify.sca. Specifies whether to enable Control Flow Analyzer

analyzer.controlflow. timeouts.
EnableTimeOut
Value Type: Boolean
Default: true
com.fortify.sca. On Windows platforms, specifies the path to the reg.exe

RegExecutable system utility. Specify the paths in Windows syntax, not
Cygwin syntax, even when you run Fortify Static Code
Analyzer from within Cygwin. Escape backslashes with an
additional backslash.
Default: reg
Example:
com.fortify.sca.RegExecutable=
C:\\Windows\\System32\\reg.exe
com.fortify.sca. Specifies the path to a filter file for the scan. See "Filter
FilterFile Files" on page 165 for more information.
User Guide

Default: (none)
Command-Line Option: -filter
com.fortify.sca. Specifies a comma-separated list of IIDs to be filtered out

FilteredInstanceIDs using a filter file.
Value Type: String
Default: (none)
com.fortify.sca. Specifies a subset of source files to scan. Only the source

BinaryName files that were linked in the named binary at build time are
included in the scan.
Default: (none)
Command-Line Option: -bin or -binary-name
com.fortify.sca. If set to true, Fortify Static Code Analyzer performs a

QuickScanMode quick scan. Fortify Static Code Analyzer uses the settings
from fortify-sca-quickscan.properties, instead
of the fortify-sca.properties configuration file.
Value Type: Boolean
Default: (not enabled)
Command-Line Option: -quick
com.fortify.sca. Specifies the issue template file to use for the scan. This
ProjectTemplate only affects scans on the local machine. If you upload the
FPR to Micro Focus Fortify Software Security Center
server, it uses the issue template assigned to the
application version.
Value Type: String
Default: (none)
Command-Line Option: -project-template

Example:
com.fortify.sca.ProjectTemplate=
User Guide
test_issuetemplate.xml
com.fortify.sca. If set to true, Fortify Static Code Analyzer performs

ScanScaModule modular scan of this project, which enables use of this
library's build ID with the include-modules option (or
the com.fortify.sca.IncludeScaModules property)
in subsequent scans.
This property is ignored if the -scan command-line option
is specified.
Value Type: Boolean
Default: false
Command-Line Option: -scan-module
com.fortify.sca. Specifies a comma- or colon-separated list of build IDs for

IncludeScaModules libraries pre-scanned as separate modules to use in the
project scan. Each build ID must denote an existing
scanned library.
Value Type: String (build IDs)
Default: (none)
Command-Line Option: -include-modules

Example:
com.fortify.sca.IncludeScaModules=LibA,LibB
com.fortify.sca. If set to true, enables alias analysis.

alias.Enable
Value Type: Boolean
Default: true
com.fortify.sca. Specifies a list of functions to hide from all analyzers.

UniversalBlacklist
Value Type: String (colon-separated list)
Default: .*yyparse.*
com.fortify.sca. Specifies whether or not Fortify Static Code Analyzer runs

MultithreadedAnalysis in parallel analysis mode.
Value Type: Boolean
User Guide
Default: true
com.fortify.sca. Specifies the number of threads for parallel analysis mode.

ThreadCount Add this property only if you need to reduce the number
of threads used because of a resource constraint. If you
experience an increase in scan time or problems with your
scan, a reduction in the number of threads used might
solve the problem.
Value type: Integer
Default: (number of available processor cores)
com.fortify.sca. Add a colon-separated list of languages to exclude from

DISabledLanguages the translation phase. The valid language values are abap,
actionscript, apex, cfml, cobol, cpp, csharp,
golang, java, javascript, jsp, kotlin, objc, php,
plsql, python, ruby, scala, sql, swift, tsql,
typescript, and vb.
Value Type: String
Default: (none)
Command-Line Option: -disable-language
com.fortify.sca. Specifies a colon-separated list of languages to translate.

EnabledLanguages The valid language values are abap, actionscript,
apex, cfml, cobol, cpp, csharp, golang, java,
javascript, jsp, kotlin, objc, php, plsql, python,
ruby, scala, sql, swift, tsql, typescript, and vb.
Value Type: String
Default: All languages in the specified source are
translated unless explicitly excluded with the
com.fortify.sca.DISabledLanguages property.
Command-Line Option: -enable-language
com.fortify.sca. Specifies the Java source code version to the Java

JdkVersion translator.
Value Type: String
User Guide
Default: 1.8
Command-Line Option: -jdk
com.fortify.sca. Specifies the class path used to analyze Java source code.
JavaClasspath Specify the paths as a semicolon-separated list (Windows)
or a colon-separated list (non-Windows systems).
Value Type: String (paths)
Default: (none)
Command-Line Option: -cp or -classpath
com.fortify.sca. Specifies the application server to process JSP files. The

Appserver valid values are weblogic or websphere.
Value Type: String
Default: (none)
Command-Line Option: -appserver
com.fortify.sca. Specifies the application server's home directory. For

AppserverHome WebLogic, this is the path to the directory that contains
server/lib. For WebSphere, this is the path to the
directory that contains the JspBatchCompiler script.
Default: (none)
Command-Line Option: -appserver-home
com.fortify.sca. Specifies the version of the application server.

AppserverVersion
Value Type: String
Default: (none)
Command-Line Option: -appserver-version
com.fortify.sca. Specifies directories to include implicitly on the class path

JavaExtdirs for WebLogic and WebSphere application servers.
Value Type: String
Default: (none)
User Guide
Command-Line Option: -extdirs
com.fortify.sca. Specifies a colon- or semicolon-separated list of source file

JavaSourcepath directories that are not included in the scan but are used
for name resolution. The source path is similar to
classpath, except it uses source files rather than class files
for resolution.
Default: (none)
Command-Line Option: -sourcepath
com.fortify.sca. If set to true, Fortify Static Code Analyzer only translates

JavaSourcepathSearch source files that are referenced by the target file list.
Otherwise, Fortify Static Code Analyzer translates all files
included in the source path.
Value Type: Boolean
Default: true
com.fortify.sca. Specifies semicolon- or colon-separated list of directories

DefaultJarsDirs of commonly used JAR files. The JAR files located in these
directories are appended to the end of the class path
option (-cp).
Value Type: String
Default: (none)
com.fortify.sca If set to true, the JSP parser uses JSP security manager.
jsp.UseSecurityManager
Value Type: Boolean
Default: true
com.fortify.sca. Specifies the encoding for JSPs.

jsp.DefaultEncoding
Value Type: String (encoding)
Default: ISO-8859-1
com.fortify.sca. If set to true, excludes any disabled projects in a

ExcludeDisabledProjects .NET solution file from the set of projects to translate.
User Guide
Value Type: Boolean
Default: false
Command-Line Option: -exclude-disabled-
projects
WinForms. Set various .NET options.

TransformDataBindings
Value Type: Boolean and String
WinForms.
TransformMessageLoops Defaults and Examples:
WinForms. WinForms.TransformDataBindings=true
TransformChange
NotificationPattern WinForms.TransformMessageLoops=true
WinForms. WinForms.TransformChangeNotificationPattern
CollectionMutation =
Monitor.Label true
WinForms. WinForms.CollectionMutationMonitor.Label=
ExtractEventHandlers WinFormsDataSource
WinForms.ExtractEventHandlers=true
com.fortify.sca. If set to true, Fortify Static Code Analyzer generates

EnableDOMModeling JavaScript code to model the DOM tree that an HTML file
generated during the translation phase and identifies
DOM-related issues (such as cross-site scripting issues).
Enable this property if the code you are
translatingincludes HTML files that have embedded or
referenced JavaScript code.
Note: Enabling this property can increase the

translation time.
Value Type: Boolean
Default: false
com.fortify.sca If you set the com.fortify.sca.EnableDOMModeling

DOMModeling.tags property to true, you can specify additional HTML tags for
Fortify Static Code Analyzer to include in the DOM
modeling.
Value Type: String (comma-separated HTML tag names)
User Guide
Default: body, button, div, form, iframe, input, head,

html, and p.
Example:
com.fortify.sca.DOMModeling.tags=ul,li
com.fortify.sca. Specifies trusted domain names where Fortify Static Code

JavaScript.src.domain. Analyzer can download referenced JavaScript files for the
whitelist scan. Delimit the URLs with vertical bars.
Value Type: String
Default: (none)
Example: com.fortify.sca.JavaScript.
src.domain.whitelist=
http://www.xyz.com|http://www.123.org
com.fortify.sca. If set to true, JavaScript code embedded in JSP, JSPX,

DisableJavascript PHP, and HTML files is not extracted and not scanned.
Extraction
Value Type: Boolean
Default: false
com.fortify.sca. Specifies a list of comma- or colon-separated JavaScript

skip.libraries.ES6 technology library files that are not translated. You can
com.fortify.sca. use regular expressions in the file names. Note that the
skip.libraries.jQuery regular expression '(-\d\.\d\.\d)?' is automatically
com.fortify.sca.
inserted before .min.js or .js for each file name
skip.libraries.javascript
included in the
com.fortify.sca.skip.libraries.jQuery
com.fortify.sca. property value.
skip.libraries.typescript
Value Type: String
Defaults:
l ES6: es6-shim.min.js,system-polyfills.js,
shims_for_IE.js
l jQuery: jquery.js,jquery.min.js,
jquery-migrate.js,jquery-migrate.min.js,
jquery-ui.js,jquery-ui.min.js,
jquery.mobile.js,jquery.mobile.min.js,
jquery.color.js,jquery.color.min.js,
User Guide
jquery.color.svg-names.js,
jquery.color.svg-names.min.js,
jquery.color.plus-names.js,
jquery.color.plus-names.min.js,
jquery.tools.min.js
l javascript: bootstrap.js,
bootstrap.min.js,
typescript.js,
typescriptServices.js
l typescript: typescript.d.ts,
typescriptServices.d.ts
com.fortify.sca. If set to true, files included with an import statement are

follow.imports included in the JavaScript translation.
Value Type: Boolean
Default: true
com.fortify.sca. If set to true, only imported node_modules are included in

exclude.unimported.node.modul the JavaScript translation.
es
Value Type: Boolean
Default: true
com.fortify.sca. Specifies the PHP version. For a list of valid versions, see
PHPVersion the Micro Focus Fortify Software System Requirements.
Value Type: String
Default: 7.0
Command-Line Option: -php-version
com.fortify.sca. Specifies the PHP source root.

PHPSourceRoot
Value Type: Boolean
Default: (none)
Command-Line Option: -php-source-root
com.fortify.sca. Specifies a colon- or semicolon-separated list of additional

PythonPath import directories. Fortify Static Code Analyzer does not
respect PYTHONPATH environment variable that the
User Guide
Python runtime system uses to find import files. Use this

property to specify the additional import directories.
Default: (none)
Command-Line Option: -python-path
com.fortify.sca. Specifies the Python source code version you want to

PythonVersion scan. The valid values are 2 and 3.
Value Type: Number
Default: 2
Command-Line Option: -python-version
com.fortify.sca. Specifies path to Django templates. Fortify Static Code

DjangoTemplateDirs Analyzer does not use the TEMPLATE_DIRS setting from
the Django settings.py file.
Default: (none)
Command-Line Option: -django-template-dirs
com.fortify.sca. Specifies that Fortify Static Code Analyzer does not

DjangoDisableAutodiscover automatically discover Django templates.
Value Type: Boolean
Default: (none)
Command-Line Option: -django-disable-

autodiscover
com.fortify.sca. Specifies one or more paths to directories that contain

RubyLibraryPaths Ruby libraries.
Default: (none)
Command-Line Option: -ruby-path
com.fortify.sca. Specifies the path(s) to a RubyGems location. Set this

RubyGemPaths
User Guide
value if the project has associated gems to scan.

Default: (none)
Command-Line Option: -rubygem-path
com.fortify.sca. Specifies a semicolon-separated list (Windows) or a colon-

FlexLibraries separated list (non-Windows systems) of libraries to "link"
to. This list must include flex.swc, framework.swc, and
playerglobal.swc (which are usually located in the
frameworks/libs directory in your Flex SDK root). Use
this property primarily to resolve ActionScript.
Default: (none)
Command-Line Option: -flex-libraries
com.fortify.sca. Specifies the root location of a valid Flex SDK. The folder
FlexSdkRoot must contain a frameworks folder that contains a flex-
config.xml file. It must also contain a bin folder that
contains an mxmlc executable.
Default: (none)
Command-Line Option: -flex-sdk-root
com.fortify.sca. Specifies any additional source directories for a Flex

FlexSourceRoots project. Separate the list of directories with semicolons
(Windows) or colons (non-Windows systems).
Default: (none)
Command-Line Option: -flex-source-root
com.fortify.sca. If set to true, Fortify Static Code Analyzer adds ABAP

AbapDebug statements to debug messages.
Value Type: String (statement)
User Guide
Default: (none)
com.fortify.sca. When Fortify Static Code Analyzer encounters an ABAP

AbapIncludes 'INCLUDE' directive, it looks in the named directory.
Default: (none)
com.fortify.sca. If set to true, specifies fixed-format COBOL to direct

CobolFixedFormat Fortify Static Code Analyzer to only look for source code
between columns 8-72 in all lines of code.
Value Type: Boolean
Default: false
Command-Line Option: -fixed-format
com.fortify.sca. Sets the SQL language variant. The valid values are PLSQL
SqlLanguage (for Oracle PL/SQL) and TSQL (for Microsoft T-SQL).
Value Type: String (SQL language type)
Default: TSQL
Command-Line Option: -sql-language
com.fortify.sca. If set to true, Fortify Static Code Analyzer treats

CfmlUndefinedVariablesAreTain undefined variables in CFML pages as tainted. This serves
ted as a hint to the Dataflow Analyzer to watch out for
register-globals-style vulnerabilities. However, enabling
this property interferes with dataflow findings where a
variable in an included page is initialized to a tainted value
in an earlier-occurring included page.
Value Type: Boolean
Default: false
com.fortify.sca. If set to true, make CFML files case-insensitive for

CaseInsensitiveFiles applications developed using a case-insensitive file system
and scanned on case-sensitive file systems.
Value Type: Boolean
User Guide
com.fortify.sca. Specifies the base directory for ColdFusion projects.

SourceBaseDir
Default: (none)
Command-Line Option: -source-base-dir
com.fortify.sca. If set to true, excludes Fortify security content

FVDLDisableDescriptions descriptions from the analysis results file (FVDL).
Value Type: Boolean
Default: false
Command-Line Option: -fvdl-no-descriptions
com.fortify.sca. If set to true, excludes the ProgramData section from the

FVDLDisableProgramData analysis results file (FVDL).
Value Type: Boolean
Default: false
Command-Line Option: -fvdl-no-progdata
com.fortify.sca. If set to true, excludes the engine data from the analysis
FVDLDisableEngineData results file (FVDL).
Value Type: Boolean
Default: false
Command-Line Option: -fvdl-no-enginedata
com.fortify.sca. If set to true, excludes code snippets from the analysis

FVDLDisableSnippets results file (FVDL).
Value Type: Boolean
Default: false
Command-Line Option: -fvdl-no-snippets
com.fortify.sca. If set to true, excludes the label evidence from the analysis
FVDLDisableLabelEvidence results file (FVDL).
Value Type: Boolean
User Guide
Default: false
com.fortify.sca. Specifies location of the style sheet for the analysis results.
FVDLStylesheet
Default:
${com.fortify.Core}/resources/sca/fvdl2html
.xsl
com.fortify.sca. The file to which results are written.

ResultsFile
Value Type: String
Default: (none)
Command-Line Option: -f
Example:
com.fortify.sca.ResultsFile=myresults.fpr
com.fortify.sca. If set to true, Fortify Static Code Analyzer appends results

OutputAppend to an existing results file.
Value Type: Boolean
Default: false
Command-Line Option: -append
com.fortify.sca. Controls the output format. The valid values are fpr,
Renderer fvdl, text, and auto. The default of auto selects the
output format based on the file extension of the file
provided with the -f option.
Value Type: String
Default: auto
Command-Line Option: -format
com.fortify.sca. If set to true, Fortify Static Code Analyzer prints results as

ResultsAsAvailable they become available. This is helpful if you do not specify
the -f option (to specify an output file) and print to
stdout.
Value Type: Boolean
User Guide
Default: false
com.fortify.sca. Specifies a name for the scanned project. Fortify Static

BuildProject Code Analyzer does not use this name but includes it in
the results.
Value Type: String
Default: (none)
Command-Line Option: -build-project
com.fortify.sca. Specifies a label for the scanned project. Fortify Static

BuildLabel Code Analyzer does not use this label but includes it in the
results.
Value Type: String
Default: (none)
Command-Line Option: -build-label
com.fortify.sca. Specifies a version number for the scanned project. Fortify

BuildVersion Static Code Analyzer does not use this version number
but it is included in the results.
Value Type: String
Default: (none)
Command-Line Option: -build-version
com.fortify.sca. Output information in a format that scripts or Fortify

MachineOutputMode Static Code Analyzer tools can use rather than printing
output interactively. Instead of a single line to display scan
progress, a new line is printed below the previous one on
the console to display updated progress.
Value Type: Boolean
com.fortify.sca. Sets the number of lines of code to display surrounding an

SnippetContextLines issue. The two lines of code on each side of the line where
the error occurs are always included. By default, five lines
are displayed.
User Guide
Value Type: Number
Default: 2
com.fortify.sca. If set to true, Fortify Static Code Analyzer copies source

MobileBuildSessions files into the build session directory.
Value Type: Boolean
Default: false
com.fortify.sca. If set to true, Fortify Static Code Analyzer extracts the

ExtractMobileInfo build ID and the Fortify Static Code Analyzer version
number from the mobile build session.
Note: Fortify Static Code Analyzer does not extract

the mobile build with this property.
Value Type: Boolean
Default: false
com.fortify.sca. If set to true, Fortify Static Code Analyzer overwrites the

ClobberLogFile log file for each run of sourceanalyzer.
Value Type: Boolean
Default: false
Command-Line Option: -clobber-log
com.fortify.sca. Specifies the default log file name and location.

LogFile
Default:
${com.fortify.sca.ProjectRoot}/log/sca.log
and ${com.fortify.sca.ProjectRoot}/log/sca_
FortifySupport.log
Command-Line Option: -logfile
com.fortify.sca. Specifies the minimum log level for both log files. The valid
LogLevel values are: DEBUG, INFO, WARN, ERROR, and FATAL. For
more information, see "Accessing Log Files" on page 162
and "Configuring Log Files" on page 162.
User Guide
Value Type: String
Default: INFO
com.fortify.sca. If set to true, Fortify Static Code Analyzer writes

PrintPerformanceDataAfterScan performance-related data to the Fortify Support log file
after the scan is complete. This value is automatically set to
true when in debug mode.
Value Type: Boolean
Default: false
com.fortify.sca. Includes debug information in the Fortify Support log file,

Debug which is only useful for Micro Focus Fortify Customer
Support to help troubleshoot.
Value Type: Boolean
Default: false
Command-Line Option: -debug
com.fortify.sca. This is the same as the com.fortify.sca.Debug

DebugVerbose property, but it includes more details, specifically for parse
errors.
Value Type: Boolean
Command-Line Option: -debug-verbose
com.fortify.sca. If set to true, includes verbose messages in the Fortify

Verbose Support log file.
Value Type: Boolean
Command-Line Option: -verbose
com.fortify.sca. If set to true, enables additional debugging for

DebugTrackMem performance information to be written to the Fortify
Support log.
Value Type: Boolean
User Guide
Command-Line Option: -debug-mem
com.fortify.sca. If set to true, enables additional timers to track

CollectPerformanceData performance.
Value Type: Boolean
com.fortify.sca. If set to true, disables the command-line progress

Quiet information.
Value Type: Boolean
Default: false
Command-Line Option: -quiet
com.fortify.sca. If set to true, Fortify Static Code Analyzer monitors its

MonitorSca memory use and warns when JVM garbage collection
becomes excessive.
Value Type: Boolean
Default: true
com.fortify.sca. Sets the location of the CPFE binary to use in the

cpfe.command translation phase.
Default:
${com.fortify.Core}/private-bin/sca/cpfe48
com.fortify.sca. If set to true, Fortify Static Code Analyzer uses CPFE

cpfe.441 version 4.4.1.
Value Type: Boolean
Default: false
com.fortify.sca. Sets the location of the CPFE binary (version 4.4.1) to use
cpfe.441.command in the translation phase.
User Guide
Default:
${com.fortify.Core}/private-
bin/sca/cpfe441.rfct
com.fortify.sca. Adds options to the CPFE command line to use when

cpfe.options translating C/C++ code.
Value Type: String
Default:
--remove_unneeded_entities --suppress_vtbl
-tused
com.fortify.sca. Sets the name of CPFE option that specifies the output
cpfe.file.option (for example NST) file name.
Value Type: String
Default: --gen_c_file_name
Example:
com.fortify.sca.cpfe.file.option=
--gen_c_file_name
com.fortify.sca. If set to true, CPFE handles multibyte characters in the

cpfe.multibyte source code. This enables Fortify Static Code Analyzer to
handle code with multibyte encoding, such as SJIS
(Japanese).
Value Type: Boolean
Default: false
com.fortify.sca. If set to true, any CPFE warnings are included in the

cpfe.CaptureWarnings Fortify Static Code Analyzer log.
Value Type: Boolean
Default: false
com.fortify.sca. If set to true, CPFE fails if there is an error.

cpfe.FailOnError
Value Type: Boolean
Default: false
com.fortify.sca. If set to true, any failure to open a source file (including

cpfe.IgnoreFileOpen
User Guide
Failures headers) is considered a warning instead of an error.

Value Type: Boolean
Default: false
com.fortify.sca. Specifies a semicolon delimited list of full paths to virtual

ASPVirtualRoots. roots used.
<virtual_path>
Value Type: String
Default: (none)
Example:
com.fortify.sca.ASPVirtualRoots.Library=
c:\\WebServer\\CustomerTwo\\Stuff
com.fortify.sca.ASPVirtualRoots.Include=
c:\\WebServer\\CustomerOne\\inc
com.fortify.sca. If set to true, disables ASP external entries in the analysis.

DisableASPExternalEntries
Value Type: Boolean
Default: false
fortify-sca-quickscan.properties
Fortify Static Code Analyzer offers a less in-depth scan known as a quick scan. This option scans the
project in quick scan mode, using the property values in the fortify-sca-quickscan.properties
file. By default, a quick scan reduces the depth of the analysis and applies the Quick View filter set. The
Quick View filter set provides only critical and high priority issues.
Note: Properties in this file are only used if you specify the -quick option on the command line for
your scan.
The table provides two sets of default values: the default value for quick scans and the default value for
normal scans. If only one default value is shown, the value is the same for both normal scans and quick
scans.
com.fortify.sca. Sets the time limit (in milliseconds) for Control Flow
CtrlflowMaxFunctionTime analysis on a single function.
Value Type: Integer
User Guide
Quick Scan Default: 30000

Default: 600000
com.fortify.sca. Specifies a comma- or colon-separated list of analyzers

DisableAnalyzers to disable during a scan. The valid values for this
property are: buffer, content, configuration,
controlflow, dataflow, findbugs, nullptr,
semantic, and structural.
Value Type: String
Quick Scan Default: controlflow:buffer

Default: (none)
com.fortify.sca. Specifies the filter set to use. You can use this property
FilterSet with an issue template to filter at scan-time instead of
post-scan. See
com.fortify.sca.ProjectTemplate described in
"fortify-sca.properties" on page 182 to specify an issue
template that contains the filter set to use.
When set to Quick View, this property runs rules that

have a potentially high impact and a high likelihood of
occurring and rules that have a potentially high impact
and a low likelihood of occurring. Filtered issues are not
written to the FPR and therefore this can reduce the
size of an FPR. For more information about filter sets,
see the Micro Focus Fortify Audit Workbench User
Guide.
Value Type: String
Quick Scan Default: Quick View

Default: (none)
com.fortify.sca. Disables the creation of the metatable, which includes

FPRDisableMetatable information for the Function view in Micro Focus
Fortify Audit Workbench. This metatable enables right-
click on a variable in the source window to show the
declaration. If C/C++ scans take an extremely long time,
setting this property to true can potentially reduce the
User Guide
scan time by hours.

Value Type: Boolean
Quick Scan Default:true

Default: false
Command-Line Option: -disable-metatable
com.fortify.sca. Disables source code inclusion in the FPR file. Prevents

FPRDisableSourceBundling Fortify Static Code Analyzer from generating marked-
up source code files during a scan. If you plan to upload
FPR files that are generated as a result of a quick scan
to Fortify Software Security Center, you must set this
property to false.
Value Type: Boolean
Quick Scan Default: true

Default: false
Command-Line Option: -disable-source-
bundling
com.fortify.sca. Sets the time limit (in milliseconds) for Null Pointer
NullPtrMaxFunctionTime analysis for a single function. The standard default is
five minutes. If this value is set to a shorter limit, the
overall scan time decreases.
Value Type: Integer
Quick Scan Default:10000

Default:300000
com.fortify.sca. Disables path tracking for Control Flow analysis. Path

TrackPaths tracking provides more detailed reporting for issues,
but requires more scan time. To disable this for JSP
only, set it to NoJSP. Specify None to disable all
functions.
Value Type: String
Quick Scan Default: (none)
User Guide
Default: NoJSP
com.fortify.sca. Specifies the size limit for complex calculations in the

limiters.ConstraintPredicateSize Buffer Analyzer. Skips calculations that are larger than
the specified size value in the Buffer Analyzer to
improve scan time.
Value Type: Integer

Default: 500000
com.fortify.sca. Controls the maximum call depth through which the

limiters.MaxChainDepth Dataflow Analyzer tracks tainted data. Increase this
value to increase the coverage of dataflow analysis,
which results in longer scan times.
Note: Call depth refers to the maximum call depth

on a dataflow path between a taint source and sink,
rather than call depth from the program entry
point, such as main().
Value Type: Integer

Default: 5
com.fortify.sca. Sets the number of times taint propagation analyzer

limiters.MaxFunctionVisits visits functions.
Value Type: Integer

Default: 50
com.fortify.sca. Controls the maximum number of paths to report for a

limiters.MaxPaths single dataflow vulnerability. Changing this value does
not change the results that are found, only the number
of dataflow paths displayed for an individual result.
Note: Fortify does not recommend setting this

property to a value larger than 5 because it might
User Guide
increase the scan time.
Value Type: Integer

Default: 5
com.fortify.sca. Sets a complexity limit for the Dataflow Analyzer.

limiters.MaxTaintDefForVar Dataflow incrementally decreases precision of analysis
on functions that exceed this complexity metric for a
given precision level.
Value Type: Integer

Default: 1000
com.fortify.sca. Sets a hard limit for function complexity. If complexity

limiters.MaxTaintDefForVarAbort of a function exceeds this limit at the lowest precision
level, the analyzer skips analysis of the function.
Value Type: Integer

Default: 4000
Send Documentation Feedback
If you have comments about this document, you can contact the documentation team by email.
Note: If you are experiencing a technical issue with our product, do not email the documentation
team. Instead, contact Micro Focus Fortify Customer Support at
https://www.microfocus.com/support so they can assist you.
If an email client is configured on this computer, click the link above to contact the documentation team
and an email window opens with the following information in the subject line:
Feedback on User Guide (Fortify Static Code Analyzer 20.2.0)
Just add your feedback to the email and click send.
If no email client is available, copy the information above to a new message in a web mail client, and send
your feedback to FortifyDocTeam@microfocus.com.
We appreciate your feedback!

SCA Guide 20.2.0

Uploaded by

Copyright:

Available Formats

SCA Guide 20.2.0

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

SCA Guide 20.2.0

Uploaded by

Copyright:

Available Formats

Micro Focus

Fortify Static Code Analyzer

Document Release Date: Revision 1: December 2020

Restricted Rights Legend

Micro Focus Fortify Static Code Analyzer (20.2.0) Page 2 of 216

Chapter 2: Installing Fortify Static Code Analyzer 25

Micro Focus Fortify Static Code Analyzer (20.2.0) Page 3 of 216

About Upgrading Fortify Static Code Analyzer and Applications 35

Chapter 3: Analysis Process Overview 41

Chapter 4: Translating Java Code 47

Micro Focus Fortify Static Code Analyzer (20.2.0) Page 4 of 216

Translating Java EE Applications 52

Chapter 5: Translating Kotlin Code 55

Chapter 6: Translating Visual Studio and MSBuild Projects 58

Chapter 7: Translating C and C++ Code 64

Micro Focus Fortify Static Code Analyzer (20.2.0) Page 5 of 216

Chapter 8: Translating JavaScript and TypeScript Code 67

Chapter 9: Translating Python Code 71

Chapter 10: Translating Code for Mobile Platforms 74

Chapter 11: Translating Go Code 77

Chapter 12: Translating Ruby Code 79

Micro Focus Fortify Static Code Analyzer (20.2.0) Page 6 of 216

Adding Gem Paths 80

Chapter 13: Translating Apex and Visualforce Code 81

Chapter 14: Translating COBOL Code 84

Chapter 15: Translating Other Languages and Configurations 88

Micro Focus Fortify Static Code Analyzer (20.2.0) Page 7 of 216

Translating ASP/VBScript Virtual Roots 101

Chapter 16: Integrating into a Build 105

Chapter 17: Command-Line Interface 112

Chapter 18: Command-Line Utilities 125

Micro Focus Fortify Static Code Analyzer (20.2.0) Page 8 of 216

Extracting a Source Archive from an FPR File 134

Chapter 19: Improving Performance 142

Chapter 20: Troubleshooting 156

Micro Focus Fortify Static Code Analyzer (20.2.0) Page 9 of 216

Java Heap Exhaustion 157

Appendix A: Filtering the Analysis 165

Appendix B: Fortify Scan Wizard 168

Appendix C: Sample Projects 170

Appendix D: Fortify Java Annotations 175

Micro Focus Fortify Static Code Analyzer (20.2.0) Page 10 of 216

Dangerous Annotations 179

Appendix E: Configuration Options 180

Send Documentation Feedback 216

Micro Focus Fortify Static Code Analyzer (20.2.0) Page 11 of 216

Contacting Micro Focus Fortify Customer Support

l Browse documentation and knowledge articles

l Explore the Community

For More Information

About the Documentation Set

Micro Focus Fortify Static Code Analyzer (20.2.0) Page 12 of 216

20.2.0 / Revision Updated:

Micro Focus Fortify Static Code Analyzer (20.2.0) Page 13 of 216

l "Gradle Integration" on page 107 - Added information about using the

Micro Focus Fortify Static Code Analyzer (20.2.0) Page 14 of 216

MISRA and PCI SSF reports

Micro Focus Fortify Static Code Analyzer (20.2.0) Page 15 of 216

output format and added options to exclude information from the