
Fortify® Source Code Analyzer

User’s Guide

Version 5.2
August 2008
Copyright © 2003-2008 Fortify® Software, Inc.
All Rights Reserved. Printed in the United States of America.

Fortify Software, Inc.


2215 Bridgepointe Pkwy
Suite 400
San Mateo, CA 94404

Fortify Software, Inc. ("Fortify") and its licensors retain all ownership rights to this document (the "Document"). Use of
the Document is governed by applicable copyright law. Fortify may revise this Document from time to time without
notice.

THIS DOCUMENT IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN NO EVENT SHALL FORTIFY BE
LIABLE FOR INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY KIND ARISING FROM
ANY ERROR IN THIS DOCUMENT, INCLUDING WITHOUT LIMITATION ANY LOSS OR INTERRUPTION OF
BUSINESS, PROFITS, USE OR DATA. FORTIFY RESERVES THE RIGHT TO MODIFY OR REMOVE ANY OF THE
FEATURES OR COMPONENTS DESCRIBED IN THIS DOCUMENT FROM THE FINAL PRODUCT, WITHOUT
NOTICE.

Fortify is a registered trademark of Fortify Software, Inc.


Brand and product names in this Document are trademarks of their respective owners.

Fortify Source Code Analyzer User’s Guide


Table of Contents
Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Chapter 1: Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Overview of Fortify SCA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3


Overview of the Analyzers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Overview of the Analysis Phases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Example of Analysis Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Memory Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Translation Phase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Fortify SCA Per Use License Only, Verifying Available Lines . . . . . . . . . . . . . . . . . . . . . . 6
Analysis Phase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Verification of the Translation and Analysis Phase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Chapter 2: Translating Java Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Java Command Line Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9


Java Command Line Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Integrating with Ant using the Fortify Ant Compiler Adapter. . . . . . . . . . . . . . . . . . . . . . . . . 10
Translating J2EE Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Working with JSP Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
XML Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Call Graph . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Handling Resolution Warnings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Java Warnings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
J2EE Warnings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Using FindBugs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Chapter 3: Translating .NET Source Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Visual Studio .NET . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15


Translating Simple .NET Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Translating ASP.NET 1.1 (Visual Studio Version 2003) Projects . . . . . . . . . . . . . . . . . . . . . . 16
Handling Resolution Warnings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
.NET Warnings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
ASP.NET Warnings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Chapter 4: Translating C/C++ Code. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

C and C++ Command Line Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19


C and C++ Command Line Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Integrating with Make . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Using the Fortify Touchless Build Adapter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Modifying a Makefile to Invoke Fortify SCA. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20



Using Fortify Build Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Fortify Build Monitor Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Configuring Fortify Build Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Monitoring Builds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Example of Monitoring a Project . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Visual Studio .NET . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Visual Studio 6.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Chapter 5: Translating Other Languages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Command Line Syntax for Other Languages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25


Configuration Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Configuring the SQL Procedural Extension . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Configuring ASP/VBScript Virtual Roots . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Other Language Command Line Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Example of Translating PL/SQL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Example of Translating T-SQL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Example of Translating PHP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Example of Translating Classic ASP written with VBScript . . . . . . . . . . . . . . . . . . . . . . . 27
Example of Translating JavaScript . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Example of Translating VB Script File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Example of Translating ColdFusion. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Translating COBOL Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Supported Technologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Preparing COBOL Source Files for Translation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
COBOL Command Line Syntax. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Auditing a COBOL Scan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Chapter 6: Troubleshooting and Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Using the Log File to Debug Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Translation Failed Message . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
JSP Translation Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
ASPX Translation Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
C/C++ Precompiled Header Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Reporting Bugs and Requesting Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Appendix A: Managing Per Use Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

About the Fortify SCA Per Use Edition. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35


Managing Your Portal User Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Changing your Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Purchasing Additional Lines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Transferring Lines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36



Transferring Lines to a Machine with Internet Access. . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Transferring Lines to a Machine without Internet Access . . . . . . . . . . . . . . . . . . . . . . . . 37
Appendix B: Command Line Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

Command Line Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39


Output Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Analysis Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
ColdFusion Option. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Java/J2EE Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
.NET Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Build Integration Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Directives. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Runtime Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Line Transfer Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Other Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Specifying Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Appendix C: Using the sourceanalyzer Ant Task. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

Using the Ant sourceanalyzer Task . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47


Ant properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
sourceanalyzer Task Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Appendix D: Advanced Options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

Creating a Filter File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53


Filter File Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Using Properties to Control Runtime Options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Specifying the Order of Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Appendix E: Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

Java RunTime Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

Preface
This guide describes how to use Fortify® SCA.

If you have questions or comments about any part of this guide, contact Fortify at:

Technical Support
650.358.5679
[email protected]

Corporate Headquarters
2215 Bridgepointe Pkwy
Suite 400
San Mateo, CA 94404
650.358.5600
[email protected]

Web Site
http://www.fortify.com

Chapter 1: Introduction
This chapter contains the following sections:

• Overview of Fortify SCA
• Overview of the Analyzers
• Overview of the Analysis Phases

Overview of Fortify SCA


Fortify SCA is a set of software security analyzers that search for violations of security-specific
coding rules and guidelines in a variety of languages. The rich data provided by Fortify SCA
language technology enables the analyzers to pinpoint and prioritize violations so that fixes can be
fast and accurate. This not only delivers more secure software, but it helps to make security code
reviews more efficient, consistent, and complete, especially when large code bases are involved.
The modular architecture lets you quickly load new, third-party, and customer-specific security
rules.

At the highest level, using Fortify SCA involves:

1. Optionally integrating Fortify SCA into the build process
2. Performing a two-phase analysis across the code base, producing security vulnerability reports
3. Optionally transferring results to Audit Workbench and Fortify Team Server for analysis and review
Note: For information on transferring results to Audit Workbench, Fortify Team Server, and Fortify
Manager and creating customer-specific security rules, see the Audit Workbench User’s Guide.

Overview of the Analyzers


Fortify SCA is comprised of five distinct analyzers: data flow, control flow, semantic, structural, and
configuration. Each analyzer accepts a different type of rule specifically tailored to provide the
information necessary for the corresponding type of analysis performed. Rules are definitions that
identify elements in source code that can result in security vulnerabilities or are otherwise unsafe.

Rules are organized according to the analyzer that uses them, resulting in rules that are specific to
the data flow, control flow, semantic, structural, and configuration analyzers. The high-level rule
types are further divided to reflect the category of the issue or type of information represented by the
rule.

For information on the various types of rules and their respective uses, see the Secure Coding
Rulepack Reference.

The following table lists and describes each Fortify source code analyzer.

Table 1: Fortify Source Code Analyzers

Data Flow
The data flow analyzer detects potential vulnerabilities that involve tainted data (user-controlled
input) put to potentially dangerous use. The data flow analyzer uses global, inter-procedural taint
propagation analysis to detect the flow of data between a source (site of user input) and a sink
(dangerous function call or operation). For example, the data flow analyzer detects whether a
user-controlled input string of unbounded length is being copied into a statically-sized buffer, and
detects whether a user-controlled string is being used to construct SQL query text.

Control Flow
The control flow analyzer detects potentially dangerous sequences of operations. By analyzing
control flow paths in a program, the control flow analyzer determines whether a set of operations
is executed in a certain order. For example, the control flow analyzer detects time of check/time
of use issues and uninitialized variables, and checks whether utilities, such as XML readers, are
configured properly before being used.

Semantic
The semantic analyzer detects potentially dangerous uses of functions and APIs at the
intra-procedural level. Its specialized logic searches for buffer overflow, format string, and
execution path issues, but is not limited to these categories. A call to any potentially dangerous
function can be flagged by the semantic analyzer. For example, the semantic analyzer detects
deprecated functions in Java and unsafe functions in C/C++, such as gets().

Structural
The structural analyzer detects potentially dangerous flaws in the structure or definition of the
program. By understanding the way programs are structured, the structural analyzer identifies
violations of secure programming practices and techniques that are often difficult to detect
through inspection because they encompass a wide scope involving both the declaration and use
of variables and functions. For example, the structural analyzer detects assignment to member
variables in Java servlets, identifies the use of loggers that are not declared static final, and flags
instances of dead code that will never be executed because of a predicate that is always false.

Configuration
The configuration analyzer searches for mistakes, weaknesses, and policy violations in an
application's deployment configuration files. For example, the configuration analyzer checks for
reasonable timeouts in user sessions in a web application.

Overview of the Analysis Phases


The source code analysis process consists of the following phases:

• Translation: Source code gathered using a series of commands is translated into an
intermediate format which is associated with a build ID. The build ID is usually the name of the
project being scanned.
• For per use license only, verification of the number of available lines: Once the files are
translated, verify that the number of available lines is equal to or greater than the amount
required to scan the translated files.
• Analysis: Source files identified during the translation phase are scanned and an analysis
results file, typically in the Fortify project (FPR) format, is generated. FPR files are indicated by
the .fpr file extension.
• Verification of the translation and analysis: Ensure that the source files were scanned using
the correct rulepacks and that no significant errors were reported.

Example of Analysis Commands


The following is an example of the sequence of commands you use to analyze code:

> sourceanalyzer -b <build_id> -clean
> sourceanalyzer -b <build_id> ...
> sourceanalyzer -b <build_id> -scan -f results.fpr

Additional Confirmation for Fortify SCA Per Use


The following shows the additional prompt that the scan command displays when you use Fortify
SCA with a per use license to analyze code:

Running this scan will deduct <number-of-lines> scan lines from
your account. Would you like to proceed? [y/n] y
<number-of-lines> scan lines deducted. <number-of-lines> remaining

Note: You can run the scan in silent mode, which suppresses the prompt and automatically deducts
lines, by using the command line option, -auth-silent, or by setting the
com.fortify.sca.PPSilent property to true.

Memory Considerations
By default, Fortify SCA uses up to 600 MB of memory. If this is not sufficient to analyze a particular
code base, you might have to provide more memory in the scan phase. This can be done by passing
the -Xmx option to the sourceanalyzer command.

For example, to make 1000 MB available to Fortify SCA, include the option -Xmx1000M.

You can also use the SCA_VM_OPTS environment variable to set the memory allocation.

Note: Do not allocate more memory for Fortify SCA than the machine has available, because this
will degrade performance. As a guideline, assuming that no other memory-intensive processes are
running, do not allocate more than 2/3 of the available physical memory.

Translation Phase
The basic command line syntax for performing the first analysis phase, translating the files, is:

sourceanalyzer -b <build_id> ...

The translation phase consists of one or more invocations of Fortify SCA using the
sourceanalyzer command. A build ID (-b <build_id>) is used to tie together the invocations.
Subsequent invocations of sourceanalyzer add any newly-specified source or configuration files
to the file list associated with the build ID.

At the end of translation, you can use -show-build-warnings to list all warnings and errors that
were encountered during the translation process:

sourceanalyzer -b <build_id> -show-build-warnings


To view all of the files associated with a particular build ID, use the -show-files directive:

sourceanalyzer -b <build_id> -show-files


The following chapters describe how to translate different types of source code:

• Translating Java Code
• Translating .NET Source Code
• Translating C/C++ Code
• Translating Other Languages, such as ColdFusion, Classic ASP and JavaScript

Fortify SCA Per Use License Only, Verifying Available Lines


When using Fortify SCA with a per use license, the basic command line syntax to display the
number of available lines is:

sourceanalyzer -auth-query
For translated projects, display the total number of lines required to analyze the project using the
-show-loc option. Fortify SCA counts lines of code (LOC) in a project that are executable, and
excludes lines such as comments and blank lines. The command to display the number of lines is:

sourceanalyzer -b <build_id> -show-loc


If the number of available lines is less than the amount required to analyze the project, request lines
from the Per Use Portal account before continuing with the analysis phase. See “Managing Per Use
Accounts” on page 35 for details.

Analysis Phase
This topic describes the syntax for the analysis phase: scanning the intermediate files created during
the translation and creating the analysis results file. The phase consists of one invocation of
sourceanalyzer. You specify the build ID and include the -scan directive and any required analysis
or output options.

Note: By default, Fortify SCA includes the source code in the FPR.

The basic command line syntax for the analysis phase is:

sourceanalyzer -b <build_id> -scan -f results.fpr

The command line syntax to silently analyze a project for Fortify SCA with a per use license is:

sourceanalyzer -b <build_id> -auth-silent -scan -f results.fpr

This runs the scan without the prompt to deduct the lines. For more information about the command
line options, see “Command Line Interface” on page 39.

Additional Steps for Fortify SCA Per Use


If you are using Fortify SCA with a per use license, Fortify SCA displays the number of lines required
to scan the project and prompts you before deducting the lines.

Enter y (yes) to continue with the scan as follows:

Running this scan will deduct <number-of-lines> scan lines from
your account. Would you like to proceed? [y/n] y
<number-of-lines> scan lines deducted. <number-of-lines> remaining

Note: You can re-scan a set of translated files. This allows you to scan the same project with
different rules, updated rulepacks, and/or scan settings without using additional scan lines.
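The translation and analysis phases above (clean, translate, check the build, size the heap, scan) as one script, added here as an example; it is not part of the Fortify guide. It assumes that sourceanalyzer is on the PATH (the SCA variable overrides the command), that -show-files prints one file per line, that physical memory can be read from a Linux /proc/meminfo, and that an SCA_OPTS variable carries extra scan options such as -auth-silent for a per use license. The SCA_VM_OPTS variable and every sourceanalyzer option used are the ones documented in this chapter; the checks around them (refusing to scan an empty build, refusing to report success without an FPR) are the script's own.

```sh
#!/bin/sh
# Added example, not from the Fortify guide: a POSIX sh driver for the two-phase
# workflow (clean, translate, sanity-check the build, scan) that fails fast
# instead of producing an empty or misleading FPR.
# Assumptions: sourceanalyzer is on PATH (override with SCA=/path/to/it);
# -show-files prints one file per line; physical memory is read from a
# /proc/meminfo-style text (Linux); SCA_OPTS carries extra scan options such as
# -auth-silent for a per use license.

SCA="${SCA:-sourceanalyzer}"

# Heap to request via -Xmx: at most 2/3 of physical memory per the guide's
# guideline, and never below the 600 MB default.
sca_heap_mb() {
  phys_mb=$1
  heap=$(( phys_mb * 2 / 3 ))
  if [ "$heap" -lt 600 ]; then heap=600; fi
  echo "$heap"
}

# Physical memory in MB from /proc/meminfo text on stdin ("MemTotal: N kB").
meminfo_total_mb() {
  awk '/^MemTotal:/ { printf "%d\n", $2 / 1024; exit }'
}

# sca_analyze BUILD_ID CLASSPATH SRC_SPEC OUT_FPR
sca_analyze() {
  build_id=$1 classpath=$2 src_spec=$3 out_fpr=$4

  # Size the JVM once for every invocation unless the caller already did.
  if [ -z "${SCA_VM_OPTS:-}" ] && [ -r /proc/meminfo ]; then
    phys_mb=$(meminfo_total_mb < /proc/meminfo)
    if [ -n "$phys_mb" ]; then
      SCA_VM_OPTS="-Xmx$(sca_heap_mb "$phys_mb")M"
      export SCA_VM_OPTS
    fi
  fi

  # Translation phase: start from a clean build ID so files left over from an
  # earlier run cannot leak into this scan.
  "$SCA" -b "$build_id" -clean || return 1
  "$SCA" -b "$build_id" -cp "$classpath" "$src_spec" || return 1

  # A mistyped file specifier translates nothing and would still scan
  # "cleanly"; refuse to continue with an empty build.
  nfiles=$("$SCA" -b "$build_id" -show-files | wc -l | tr -d ' ')
  if [ "$nfiles" -eq 0 ]; then
    echo "sca_analyze: no files translated for build '$build_id'" >&2
    return 1
  fi

  # Surface translation warnings before scanning: unresolved classes or tag
  # libraries make the results incomplete.
  "$SCA" -b "$build_id" -show-build-warnings

  # Analysis phase.
  "$SCA" -b "$build_id" ${SCA_OPTS:-} -scan -f "$out_fpr" || return 1
  if [ ! -s "$out_fpr" ]; then
    echo "sca_analyze: scan finished but $out_fpr was not written" >&2
    return 1
  fi
  echo "$nfiles files scanned into $out_fpr"
}

# Run directly: sca_analyze.sh BUILD_ID CLASSPATH SRC_SPEC OUT_FPR
if [ "$#" -eq 4 ]; then
  sca_analyze "$@"
fi
```

Invoke it as `sh sca_analyze.sh MyProject "lib/*.jar" "src/**/*.java" results.fpr`. The driver prints the output of -show-build-warnings but does not parse it, because the guide does not specify its format; read that output before trusting the FPR, since a build that translated with unresolved references does not give the data flow analyzer the complete call graph it needs.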

Verification of the Translation and Analysis Phase


The Results Certification feature of Audit Workbench verifies that the analysis is complete. Results
certification shows specific information about the code scanned by Fortify SCA, including:

• List of files scanned, with file sizes and timestamps
• Java classpath used for the translation
• List of rulepacks used for the analysis
• List of Fortify SCA runtime settings and command line arguments
• List of errors or warnings encountered during translation or analysis
• Machine/platform information
To view results certification information, open the FPR file in Audit Workbench and select Tools -
Project Summary - Certification.

Chapter 2: Translating Java Code
This chapter describes how to translate Java source code for analysis with Fortify SCA.

The following topics are included:

• Java Command Line Syntax
• Java Command Line Examples
• Integrating with Ant using the Fortify Ant Compiler Adapter
• Translating J2EE Applications
• Using FindBugs

Java Command Line Syntax


This topic describes the Fortify SCA command syntax for translating Java source code.

The basic command line syntax for Java is:

sourceanalyzer -b <build_id> -cp <classpath> <file_list>

With Java code, Fortify SCA can either emulate the compiler, which may be convenient for build
integration, or accept source files directly, which is more convenient for command line scans.

Note: For a description of all the options you can use with the sourceanalyzer command, see
“Command Line Interface” on page 39.

To have Fortify SCA emulate the compiler, enter:

sourceanalyzer -b <build_id> javac [<translation options>]

To pass files directly to Fortify SCA, enter:

sourceanalyzer -b <build_id> -cp <classpath> [<translation options>] <files>|<file specifiers>

where:

<translation options>

are options passed to the compiler.

-cp <classpath>

specifies the classpath to be used for the Java source code. A classpath is a list of build directories
and jar files. The format is the same as expected by javac (colon or semicolon-separated list of
paths). You can use Fortify SCA file specifiers.

-cp "build/classes:lib/*.jar"

Note: If you do not specify the classpath with this option, the CLASSPATH environment variable is
used.

For more information, see “Java/J2EE Options” on page 41. For information about file specifiers,
see “Specifying Files” on page 45.

Java Command Line Examples


To translate a single file named MyServlet.java with j2ee.jar on the classpath, enter:

sourceanalyzer -b MyServlet -cp lib/j2ee.jar MyServlet.java

To translate all .java files in the src directory using all jar files in the lib directory as a classpath:

sourceanalyzer -b MyProject -cp "lib/*.jar" "src/**/*.java"

To translate and compile the MyCode.java file while using the javac compiler:

sourceanalyzer -b mybuild javac -classpath libs.jar MyCode.java

Integrating with Ant using the Fortify Ant Compiler Adapter


Fortify SCA provides an Ant Compiler Adapter that you can use as an easy way to translate Java
source files if your project uses an Ant build file. This integration requires setting only two Ant
properties, and can be done on the command line without modifying the Ant build.xml file. When
the build runs, Fortify SCA intercepts all javac task invocations and translates the Java source files
as they are compiled. Note that any JSP files, configuration files, or any other non-Java source files
that are part of the application need to be translated in a separate step.

The following steps must be taken to use the Compiler Adapter:

• The sourceanalyzer executable must be on the system PATH.
• sourceanalyzer.jar (located in Core/lib) must be on Ant's classpath.
• The build.compiler property must be set to com.fortify.dev.ant.SCACompiler.
• The sourceanalyzer.buildid property must be set to the build ID.
The following examples show how to run an Ant build using the Compiler Adapter without modifying
the build file:

ant -Dbuild.compiler=com.fortify.dev.ant.SCACompiler \
    -Dsourceanalyzer.buildid=MyBuild \
    -lib <install_dir>/Core/lib/sourceanalyzer.jar

The -lib option is only available in Ant version 1.6 or higher. In older versions you must set the
CLASSPATH environment variable or copy sourceanalyzer.jar to Ant's lib directory.

Alternatively, with Ant 1.6 or newer, the following shorthand can be used to run Ant with the compiler
adapter:

sourceanalyzer -b <build-id> ant [ant-options]


By default, 600 MB of memory is allocated to Fortify SCA for translation. Increase the memory
allocation when using the Ant Compiler Adapter using the -Dsourceanalyzer.maxHeap option
as follows:

ant -Dbuild.compiler=com.fortify.dev.ant.SCACompiler \
    -Dsourceanalyzer.buildid=MyBuild \
    -lib <install_directory>/Core/lib/sourceanalyzer.jar \
    -Dsourceanalyzer.maxHeap=1000M

Translating J2EE Applications


Translating J2EE applications involves processing Java source files, J2EE components such as JSP
files, deployment descriptors such as web.xml, and configuration files such as struts-
config.xml.

The steps include:

1. Translating the Java files. Refer to the samples earlier in this chapter.
2. Translating the JSP files. Refer to the sample below.
3. Processing the configuration files. An example is:

sourceanalyzer -b my_buildid "mydirectory/myfile.xml"

Working with JSP Projects


To translate JSP files, Fortify SCA requires that the JSP files are in a standard Web Application
Archive (WAR) layout. If your source directory is already organized in a WAR layout, you can
translate JSP files directly from the source directory. If this is not the case, you may need to deploy
your application and translate the JSP files from the deployment directory.

If your JSP files use any tag libraries, such as JSTL, ensure that the libraries’ jar files are in the
WEB-INF/lib directory. Otherwise, the JSP compiler will not resolve the tag libraries and could
produce incorrect results.

By default, Fortify SCA uses a version of the Jasper JSP compiler to compile JSP files into Java files
during the translation phase. However, if your web application is developed specifically for an
application server, you must use the JSP compiler for that application server when performing the
translation.

To support this, Fortify SCA provides the following command line options:

• -appserver supported values: weblogic/websphere
• -appserver-home
For Weblogic, the path to the directory containing the server/lib directory
For WebSphere, the path to the directory containing the bin/JspBatchCompiler script
• -appserver-version supported values:
Weblogic versions 7, 8, 9, and 10
WebSphere version 6
If you are using an application server that is not listed, use the default internal Fortify JSP compiler.

For example:

sourceanalyzer -b my_buildid -cp "WEB-INF/lib/*.jar" "WEB-INF/**/*.jsp"

XML Configuration Files


Fortify SCA uses the web.xml configuration file during the project scan for the following
information:

• servlet tags
• servlet-mapping tags
• filter tags
• filter-mapping tags
• error-page tags
These tags are used to determine how the servlets and filters defined in the .java and .jsp files
are connected.
If a struts servlet is detected, Fortify SCA extracts the configuration file to process the following
top-level tags:

• form-beans
• global forwards
• action mappings

This data connects struts actions to follow how taint may propagate through an application.

Call Graph
Using data from the XML and struts configuration files, Fortify SCA builds a call graph to track
potential taint from servlet to servlet and to struts actions. For information about what is extracted
from the configuration files, see “XML Configuration Files” on page 11.
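
The wiring described in the two sections above, as an added example that is not Fortify SCA's own code: it parses a constructed web.xml (every class name, servlet name and URL in it is made up) and resolves a request path to the filter chain and servlet class that handle it, which is the servlet-to-servlet edge information a scanner needs before it can follow taint. The url-pattern precedence rules are the servlet specification's; the Struts check only looks for the ActionServlet class name, and how Fortify SCA itself represents this data is not described on this page.

```python
# Added example (not Fortify code): read the servlet/filter wiring out of web.xml.
import xml.etree.ElementTree as ET

STRUTS_ACTION_SERVLET = "org.apache.struts.action.ActionServlet"

# Constructed sample descriptor; every class, name and URL in it is made up.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <filter>
    <filter-name>AuthFilter</filter-name>
    <filter-class>com.example.web.AuthFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>AuthFilter</filter-name>
    <url-pattern>/admin/*</url-pattern>
  </filter-mapping>
  <servlet>
    <servlet-name>AdminServlet</servlet-name>
    <servlet-class>com.example.web.AdminServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>action</servlet-name>
    <servlet-class>org.apache.struts.action.ActionServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>AdminServlet</servlet-name>
    <url-pattern>/admin/users</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>action</servlet-name>
    <url-pattern>*.do</url-pattern>
  </servlet-mapping>
  <error-page>
    <error-code>500</error-code>
    <location>/error.jsp</location>
  </error-page>
</web-app>
"""


def _local(tag):
    """Tag name without its XML namespace, so namespaced descriptors parse too."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Text of the first direct child element called `name`, or None."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def parse_web_xml(xml_text):
    """Collect the servlet, filter, mapping and error-page declarations."""
    desc = {"servlets": {}, "filters": {}, "servlet_mappings": [],
            "filter_mappings": [], "error_pages": {}}
    for elem in ET.fromstring(xml_text):
        kind, text = _local(elem.tag), (lambda name: _child_text(elem, name))
        if kind == "servlet":
            desc["servlets"][text("servlet-name")] = text("servlet-class")
        elif kind == "filter":
            desc["filters"][text("filter-name")] = text("filter-class")
        elif kind == "servlet-mapping":
            desc["servlet_mappings"].append((text("url-pattern"), text("servlet-name")))
        elif kind == "filter-mapping":
            desc["filter_mappings"].append((text("url-pattern"), text("filter-name")))
        elif kind == "error-page":
            desc["error_pages"][text("error-code")] = text("location")
    return desc


def pattern_matches(pattern, path):
    """Servlet-spec url-pattern matching: exact, path prefix, extension, default."""
    if pattern == path:
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])  # "*.do" matches "/login.do"
    return pattern == "/"  # the default servlet catches everything else


def _rank(pattern):
    """Precedence when several patterns match: exact > longest prefix > extension > default."""
    if pattern == "/":
        return (0, 0)
    if pattern.startswith("*."):
        return (1, 0)
    return (2 if pattern.endswith("/*") else 3, len(pattern))


def route(desc, path):
    """Return (filter classes in declaration order, servlet class or None) for a request path."""
    chain = [desc["filters"][name] for pat, name in desc["filter_mappings"] if pattern_matches(pat, path)]
    hits = [(pat, name) for pat, name in desc["servlet_mappings"] if pattern_matches(pat, path)]
    if not hits:
        return chain, None
    return chain, desc["servlets"][max(hits, key=lambda hit: _rank(hit[0]))[1]]


def uses_struts(desc):
    """True when a Struts ActionServlet is declared, so struts-config.xml also matters."""
    return STRUTS_ACTION_SERVLET in desc["servlets"].values()
```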

Handling Resolution Warnings


To see all warnings that were generated during your build, enter the following command before you
start the scan phase:

sourceanalyzer -b <build_id> -show-build-warnings

Java Warnings
You may see the following warnings for Java:

Unable to resolve type...

Unable to resolve function...

Unable to resolve field...

Unable to locate import...

Unable to resolve symbol...

Multiple definitions found for function...

Multiple definitions found for class...

These warnings are typically caused by missing resources. For example, some of the .jar and
class files required to build the application have not been specified. To resolve the warnings, make
sure that you have included all of the required files that your application uses.

J2EE Warnings
You may see the following warnings for J2EE applications:

Could not locate the root (WEB-INF) of the web application. Please build
your web application and try again. Failed to parse the following jsp
files:

<list of .jsp file names>

This warning displays because your Web application is not deployed in the standard WAR directory
format or does not contain the full set of required libraries. To resolve the warning, ensure that your
web application is in an exploded WAR directory format with the correct WEB-INF/lib and
WEB-INF/classes directories containing all of the .jar and .class files required for your application.
You should also verify that you have the TLD files for all of the tags you use and the corresponding
.jar files with their tag implementations.

Using FindBugs
FindBugs (http://findbugs.sourceforge.net) is a static analysis tool that detects quality issues in Java
code. You can run FindBugs with Fortify SCA and the results will be integrated into the analysis
results file. Unlike Fortify SCA, which runs on Java source files, FindBugs runs on Java bytecode.

Therefore, before running an analysis on your project, you should first compile the project and
produce the class files.

To demonstrate how to run FindBugs automatically with Fortify SCA, compile the sample code,
Warning.java, as follows:

1. Go to the following directory:
<install_directory>/Samples/advanced/findbugs
2. Enter the following command to compile the sample:
mkdir build
javac -d build Warning.java
3. Scan the sample with FindBugs and Fortify SCA as follows:
sourceanalyzer -b findbugs_sample -java-build-dir build Warning.java
sourceanalyzer -b findbugs_sample -scan -findbugs -f findbugs_sample.fpr
4. Examine the analysis results in Audit Workbench:
auditworkbench findbugs_sample.fpr
The output contains the following issue categories:

• Bad casts of Object References (1)
• Dead local store (2)
• Equal objects must have equal hashcodes (1)
• Object model violation (1)
• Unwritten field (2)
• Useless self-assignment (2)
If you group by Analyzer, you can see that the Fortify SCA Structural analyzer produced one warning
and FindBugs produced eight. The Object model violation warning produced by Fortify SCA
on line 25 is similar to the Equal objects must have equal hash codes warning produced
by FindBugs. In addition, FindBugs produces two sets of warnings (Useless self-assignment
and Dead local store) about the same issues on lines 6 and 7. To avoid overlapping results,
apply the filter.txt filter file by using the -filter option during the scan. Note that the filtering
is not complete because each tool filters at a different level of granularity. To demonstrate how to
avoid overlapping results, scan the sample code using filter.txt as follows:

sourceanalyzer -b findbugs_sample -scan -findbugs -filter filter.txt
-f findbugs_sample.fpr

Chapter 3: Translating .NET Source Code
This chapter describes how to use Fortify SCA to translate Microsoft Visual Studio .NET and
ASP.NET applications built with:

• .NET Versions 1.1 and 2.0
• Visual Studio .NET version 2003
• Visual Studio .NET version 2005
Fortify SCA works on the Microsoft Intermediate Language (MSIL), and therefore supports all of the
.NET languages that compile to MSIL, including C# and VB .NET.

The following topics are included:

• Visual Studio .NET
• Translating Simple .NET Applications
• Translating ASP.NET 1.1 (Visual Studio Version 2003) Projects
Note: The easiest way to analyze a .NET application is to use a Fortify Secure Coding Plug-in for
Visual Studio, which automates the process of gathering information about the project.

Visual Studio .NET


If you perform command line builds with Visual Studio .NET, you can easily integrate source code
analysis by wrapping the build command line with an invocation of sourceanalyzer. For this to
work, you must have the Secure Coding Package for your version of Visual Studio installed.

The following example demonstrates the command line syntax for Visual Studio .NET:

sourceanalyzer -b my_buildid devenv Sample1.sln /REBUILD debug

This performs the translation phase on all files built by Visual Studio. Be sure to do a clean or a
rebuild so that all files are included. You can then perform the analysis phase, as in the following
example:

sourceanalyzer -b my_buildid -scan -f results.fpr

Translating Simple .NET Applications


You can also use the Fortify SCA command line interface to process .NET applications. Instructions
are provided for both .NET 1.1 (Visual Studio 2003) and .NET 2.0 (Visual Studio 2005) versions.

Prepare your application for analysis using one of the following methods:

• Perform a complete rebuild of your project with the "debug" configuration enabled, using either
the Visual Studio IDE plug-in for Audit Workbench or the command line. Compiling your project
with debug enabled provides information that Fortify SCA uses for presenting the results.
• Obtain all of the third party .dll files, project output .dll files, and corresponding .pdb files
for your projects. Note that Fortify SCA ignores any .dll file passed as an input argument if the
corresponding .pdb file does not exist in the same folder. It is therefore imperative that you
include all of the .pdb files for all your project .dll files.
Note: .pdb files are not required for third party libraries.
Run Fortify SCA to analyze the .NET application from the command line as follows:

• For Visual Studio .NET Version 2003, enter:
sourceanalyzer -vsversion 7.1 -b MyBuild
-libdirs ProjOne/Lib;ProjTwo/Lib ProjOne/bin/Debug ProjTwo/bin/Debug
where:
• MyBuild is the build identifier
• ProjOne/Lib;ProjTwo/Lib is a semicolon-separated list of paths to folders or DLLs
with third party DLLs
• ProjOne/bin/Debug ProjTwo/bin/Debug are the output folders
• For Visual Studio .NET Version 2005, enter:
sourceanalyzer -vsversion 8.0 -b MyBuild
-libdirs ProjOne/Lib;ProjTwo/Lib ProjOne/bin/Debug ProjTwo/bin/Debug
where:
• MyBuild is the build identifier
• ProjOne/Lib;ProjTwo/Lib is a semicolon-separated list of paths to folders or DLLs
with third party DLLs
• ProjOne/bin/Debug ProjTwo/bin/Debug are the output folders
Note: Standard .NET DLLs used in your project are automatically picked up by Fortify SCA, so
you do not need to include them in the command line.
If your project is large, you can perform the translation phase separately for each output folder
using the same build ID, as follows:
sourceanalyzer -vsversion <version_number> -b <build_id>
-libdirs <paths> <folder_1>
...
sourceanalyzer -vsversion <version_number> -b <build_id>
-libdirs <paths> <folder_n>
where:
• <version_number> is either 7.1 or 8.0
• <build_id> is the build ID
• <paths> is a semicolon-separated list of paths to folders or DLLs with third party DLLs
• <folder_1> and <folder_n> are the output folders
Note: Fortify SCA requires the appropriate version of Visual Studio, even if you are using the
command line interface.

Translating ASP.NET 1.1 (Visual Studio Version 2003) Projects


As discussed previously, Fortify SCA works on MSIL generated by the .NET compilers. For
ASP.NET projects, web components such as .aspx files need to be compiled before they can be
analyzed. However, there is no standard compiler for .aspx files. The .NET 1.1 runtime
automatically compiles them when they are accessed from a browser.

To facilitate the .aspx compilation phase, Fortify Software provides a simple tool that compiles all
of the .aspx files in your project. The tool is located in the Fortify installation directory at:

\Tools\fortify_aspnet_compiler\fortify_aspnet_compiler.exe

To analyze ASP.NET 1.1 solutions:

1. Perform a complete rebuild of the solution.
2. For each of the web projects in the solution, delete the following folder:
%SYSTEMROOT%\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\<web_application_name>
3. For each of the web projects in the solution, run the following command:
fortify_aspnet_compiler <url_to_the_web_site> <source_root_of_the_web_project>
where:
<url_to_the_web_site> is the URL for your web site, such as http://localhost/WebApp
<source_root_of_the_web_project> is the source location of your web project, such as
<VS_project_location>\WebApp
4. Perform the translation phase for the DLLs built in Step 1. Enter the following command using
the same build ID as in the following steps:
sourceanalyzer -b <build_id> "<VS_project_location>\**\*.dll"
5. Perform the translation phase for the web components. For each of the web projects in the
solution, enter the following when you invoke sourceanalyzer:
sourceanalyzer -b <build_id>
%SYSTEMROOT%\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET
Files\<web_application_name>
6. Include the configuration files and any Microsoft T-SQL source files that you have:
sourceanalyzer -b <build_id> "<solution_root>\**\*.config"
"<t-sql_src>\**\*.sql"
Note: These steps are all automated if you use the Secure Coding Package for Microsoft Visual
Studio.

Handling Resolution Warnings


To see all warnings that were generated during your build, enter the following command before you
start the scan phase:

sourceanalyzer -b <build_id> -show-build-warnings

.NET Warnings
You may see the following warnings for .NET:

Cannot locate class... in the given search path and the Microsoft .NET
Framework libraries.

These warnings are typically caused by missing resources. For example, some of the .DLL files
required to build the application have not been specified. To resolve the warnings, make sure that
you have included all of the required files that your application uses. If you still see a warning and
the classes it lists are empty interfaces with no members, you can ignore the warning. If the interface
is not empty, contact Technical Support.

ASP.NET Warnings
You may see the following warnings for ASP.NET applications:

Failed to parse the following aspx files:

<list of .aspx file names>

This warning displays because your Web application is not deployed correctly or does not contain
the full set of required libraries, or it uses the Global Assembly Cache (GAC). If your application is a
.NET version 1.1 application, you may also have access issues from Microsoft IIS. Verify that you
can access the application from a browser without authentication or access errors. If your web
application uses the GAC, you must add the .DLL files to the project separately to ensure a
successful scan. Fortify SCA does not load .DLL files from the GAC.

Chapter 4: Translating C/C++ Code
This chapter describes how to translate C and C++ source code for analysis with Fortify SCA.

C and C++ Command Line Syntax


The basic command line syntax for translating a single file is:

sourceanalyzer -b <build_id> <compiler> [<compiler options>]

where:

• <compiler> is the name of the compiler you want to use during a project build scan, such as
gcc or cl.
• <compiler options> are options passed to the compiler that are typically used to compile
the file.

C and C++ Command Line Examples


The following is a simple usage example:

To translate a file named helloworld.c using the gcc compiler, enter:

sourceanalyzer -b my_buildid gcc helloworld.c

Note: This also compiles the file.

Integrating with Make


You can use either of the following methods to use Fortify SCA with Make:

• Using the Fortify Touchless Build Adapter
• Modifying a Makefile to Invoke Fortify SCA

Using the Fortify Touchless Build Adapter


To use the Fortify touchless build adapter to integrate with makefiles, run the following command:

sourceanalyzer -b <build_id> touchless make

Fortify SCA runs the make command. When make invokes any command that Fortify SCA
determines is a compiler, the command is processed by Fortify SCA. Note that the makefile is not
modified.

For information about informing Fortify SCA about specially-named compilers, see the
com.fortify.sca.compilers.* property in “Using Properties to Control Runtime Options” on
page 55.

This method of build integration is not limited to make. Any build command that executes a compiler
process can be used with this system; just replace the 'make' section of the above command with
the command used to run a build.

Note: The Fortify touchless build adapter does not function correctly if:

• The build script invokes the compiler with an absolute path or if the build script overrides the
executable search path.
• The build script does not create a new process to run the compiler. Many Java build tools,
including Ant, operate this way.

Modifying a Makefile to Invoke Fortify SCA
To modify a makefile to invoke Fortify SCA, replace any calls to the compiler, archiver, or linker in the
makefile with calls to Fortify SCA. These tools are typically specified in a special variable in the
makefile, as in the following example:

CC=gcc
CXX=g++
AR=ar

The step can be as simple as prepending these tool references in the makefile with Fortify SCA and
the appropriate options:

CC=sourceanalyzer -b mybuild gcc
CXX=sourceanalyzer -b mybuild g++
AR=sourceanalyzer -b mybuild ar

Using Fortify Build Monitor


This section describes how to use Fortify Build Monitor to scan C/C++ projects automatically during
a build on Windows and view the results. It includes examples that use sample projects provided
with Fortify SCA.

This section covers the following topics:

• Fortify Build Monitor Overview
• Configuring Fortify Build Monitor
• Monitoring Builds
• Example of Monitoring a Project

Fortify Build Monitor Overview


The following options are available from the Fortify Build Monitor menu:

Table 2: Fortify Build Monitor Options

Option              Description

Monitor             Enables the monitoring. Build Monitor intercepts and translates the next
                    build on the machine.
Build Done          Stops the monitor after the build is complete.
Scan                Scans the code that was monitored during the build.
Scan Settings       Controls the rulepacks and memory settings.
Set Results Folder  Controls where Fortify SCA outputs the results.
Stay on Top         Keeps the Fortify Build Monitor window on top of other windows.
Minimize to Tray    Shows the Fortify Build Monitor as an icon in the task bar.
Exit                Closes the Fortify Build Monitor.
Show Messages       Shows or hides the messages in the lower area of the window.
                    Messages include Scan Messages, Errors, and Monitor Driver
                    information. You can click Detailed Messages at the bottom of the
                    window.
Help                Displays online help.
Reset               Resets the Fortify Build Monitor to its beginning state.

Configuring Fortify Build Monitor


This section covers the following topics:

• Setting Up the Results Folder
• Setting Fortify SCA Scan Options

Setting Up the Results Folder


Fortify Build Monitor outputs results in FPR format to a local folder. You can change the output
folder. Fortify Build Monitor replaces the results each time a scan is performed. Results are not
archived.

To change the results folder:

1. Select Action - Set Results Folder.
The Browse for Folder dialog displays.
2. Select a folder and click OK.
Fortify Build Monitor will output the results to the selected folder.

Setting Fortify SCA Scan Options


Fortify Build Monitor scans the project using Fortify SCA. You can adjust the following scan settings:

• Allocate memory: Increase or decrease the amount of memory allocated to Fortify SCA
• Secure Coding Rulepacks and custom rulepacks: Change which rulepacks Fortify SCA
uses to analyze the source code
• User: Only monitor builds run by the current user
To change the scan options:

1. Select Action - Scan Settings.
The Fortify Build Monitor: Scan Settings dialog displays.
2. To change the memory allocation, select a value.
Note: Entering an invalid option sets the memory to unlimited.
3. To add or remove rulepacks, click Rulepacks.
4. To view the Fortify SCA command line options, click Preview.
5. Click Done.
The Fortify SCA scan options are changed.

Monitoring Builds
For C/C++ projects and solutions on Windows, Fortify SCA includes the Fortify Build Monitor, which
is a graphical user interface tool that automates analysis during builds.

To analyze C/C++ source code builds on Windows:

1. Select Start - Program Files - Fortify Software - Fortify SCA - Build Monitor.
2. Click Monitor.
After the monitor starts, a green light icon displays.
3. Create a complete build of your project in your build environment.
4. Check that the build has finished successfully.
5. Return to the Fortify Build Monitor window and click Build Done.
6. Specify a name for the subfolder to which Fortify SCA outputs the results. If the folder already
exists, Fortify SCA cleans the folder before starting the scan.
7. Click Scan.
Fortify SCA displays the results and saves an FPR file in the folder you specified.

Note: To view the results, open the FPR file in Audit Workbench or using the Secure Coding
Package for Microsoft Visual Studio.

Example of Monitoring a Project


This example for Windows users analyzes the sample C++ code project named qwik-smtpd. It
uses Microsoft Visual Studio and the Fortify Build Monitor.

To analyze the qwik-smtpd project:

1. Using Microsoft Visual Studio, open and build the qwik-smtpd project located in the
Tutorial/C/source directory.
2. Select Start - Program Files - Fortify Software - Fortify SCA - Build Monitor.
3. Click Monitor.
4. Minimize the window.
5. In Microsoft Visual Studio, rebuild the project.
Note: Since nothing in the project changed, you must use the rebuild option.
6. Check that the build has finished successfully.
7. Return to the Fortify Build Monitor window and click Build Done.
8. Specify the location of the build output.
9. Click Scan.
Fortify SCA saves an FPR file in the folder you specified.

Note: To view the results, open the FPR file in Audit Workbench or using the Secure Coding
Package for Microsoft Visual Studio.

Visual Studio .NET
If you perform command line builds with Visual Studio .NET, you can easily integrate source code
analysis by simply wrapping the build command line with an invocation of sourceanalyzer. For
this to work, you must have the Fortify Secure Coding Plug-in for your version of Visual Studio
installed.

Consider the following example:

sourceanalyzer -b my_buildid devenv MyProject.sln /REBUILD

This performs the translation phase on all files built by Visual Studio. Be sure to do a clean or a
rebuild so that all files are included.

Visual Studio 6.0


If you perform command line builds with Visual Studio 6.0, you can integrate source code analysis
by wrapping the build command line with an invocation of sourceanalyzer.

Consider the following example:

sourceanalyzer -b my_buildid msdev MyProject.dsp /MAKE "MyProject DEBUG"
/REBUILD

This performs the translation phase on all files built by Visual Studio. Be sure to do a clean or a
rebuild so that all files are included, as described in your Visual Studio documentation.

Chapter 5: Translating Other Languages
This chapter describes how to translate other programming languages for analysis with Fortify SCA.

This section includes the following topics:

• Command Line Syntax for Other Languages
• Other Language Command Line Examples
• Translating COBOL Code

Command Line Syntax for Other Languages


This topic describes the Fortify SCA command syntax for translating other languages.

The basic command line syntax for other languages is:

sourceanalyzer -b <build_id> <file_list>

Enter the following to perform translation on ColdFusion source code:

sourceanalyzer -b <build_id> -source-base-dir <dir> <files|file specifiers>

where:

• <build_id> specifies the build ID for the project
• <dir> specifies the root directory of the web application
• <files|file specifiers> specifies the CFML source code files
ColdFusion Note: Fortify SCA calculates the relative path to each CFML source file by using the
-source-base-dir directory as the starting point, then uses these relative paths when generating
instance IDs. If the entire application source tree is moved to a different directory, the instance IDs
generated by a security analysis should remain the same if you specify an appropriate value for
-source-base-dir.

For a description of all the options you can use with the sourceanalyzer command, see
“Command Line Interface” on page 39.

File specifiers are shown in the following table:

Table 3: File Specifiers

File Specifier            Description

<dirname>                 All files found under the named directory or any subdirectories
<dirname>/**/Example.js   Any file named Example.js found under the named directory
                          or any subdirectories
<dirname>/*.js            Any file with the extension .js found in the named directory
<dirname>/**/*.js         Any file with the extension .js found under the named
                          directory or any subdirectories
<dirname>/**/*            All files found under the named directory or any subdirectories
                          (same as <dirname>)

Note: Windows and many Unix shells automatically try to expand arguments containing the '*'
character, so file-specifier expressions should be quoted. Also, on Windows, enter the backslash (\)
instead of the forward slash (/).
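
The specifier semantics of Table 3, as an added example that is not Fortify code: it turns a specifier into a regular expression and applies it to a constructed file listing (the paths are made up). It assumes that "**" matches zero or more directory levels, that "*" and "?" never cross a path separator, and that a Windows backslash is the same separator as "/"; because the expansion happens here rather than in the shell, the quoting caveat above does not apply to it.

```python
# Added example (not Fortify code): Table 3 file-specifier matching over a constructed listing.
import re

# Constructed project listing; the paths are made up.
SAMPLE_FILES = [
    "src/a.js",
    "src/Example.js",
    "src/lib/b.js",
    "src/lib/c.txt",
    "src/lib/deep/Example.js",
    "other/d.js",
]


def specifier_to_regex(spec):
    """Translate one specifier into a regex over '/'-separated relative paths.

    Assumed semantics (not checked against Fortify's implementation): '**' matches zero or
    more directory levels, '*' and '?' stay within one path component, and a backslash is
    treated as the same separator as '/'.
    """
    parts = spec.replace("\\", "/").strip("/").split("/")
    if parts[-1] == "**":
        parts.append("*")  # "dir/**" is read as "dir/**/*"
    pieces = []
    for part in parts:
        if part == "**":
            pieces.append("(?:.*/)?")  # zero or more directories, trailing slash included
        else:
            component = re.escape(part).replace(r"\*", "[^/]*").replace(r"\?", "[^/]")
            pieces.append(component + "/")
    pattern = "".join(pieces)
    if pattern.endswith("/"):
        pattern = pattern[:-1]  # the last component is a file name, not a directory
    return re.compile("^" + pattern + "$")


def select_files(spec, files):
    """Return the entries of `files` that `spec` selects, in their original order.

    A specifier without wildcards names a directory (everything below it, as in the first
    table row) or a single file given by its exact relative path.
    """
    if not any(ch in spec for ch in "*?"):
        plain = spec.replace("\\", "/").rstrip("/")
        return [f for f in files if f == plain or f.startswith(plain + "/")]
    regex = specifier_to_regex(spec)
    return [f for f in files if regex.match(f)]
```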

Configuration Considerations
This section covers the following topics:

• Configuring the SQL Procedural Extension
• Configuring ASP/VBScript Virtual Roots

Configuring the SQL Procedural Extension


By default, files with the extension .sql are assumed to be T-SQL rather than PL/SQL on Windows
platforms. If you are using Windows and have PL/SQL files with the .sql extension, you should
configure Fortify SCA to treat them as PL/SQL. To change the default behavior, set the
com.fortify.sca.fileextensions.sql property in fortify-sca.properties to "TSQL"
or "PLSQL".

Configuring ASP/VBScript Virtual Roots


If your classic ASP/VBScript application uses virtual includes, for example:

<!--#include virtual="/myweb/foo.inc"-->

Specify the physical location of the myweb application by passing the following property value:

com.fortify.sca.ASPVirtualRoots=<semicolon separated list of full paths to virtual roots used>

For example, if the IIS virtual root /myweb is located at C:\webapps\myweb-folder, then your
property value should be:

-Dcom.fortify.sca.ASPVirtualRoots=c:\webapps\myweb-folder

If you add this line to the fortify-sca.properties file, you must escape the \ character, as follows:

com.fortify.sca.ASPVirtualRoots=c:\\webapps\\myweb-folder

Other Language Command Line Examples


This section includes the following examples:

• Example of Translating PL/SQL
• Example of Translating T-SQL
• Example of Translating PHP
• Example of Translating Classic ASP written with VBScript
• Example of Translating JavaScript
• Example of Translating VB Script File
• Example of Translating ColdFusion

Example of Translating PL/SQL


The following example demonstrates syntax for translating two PL/SQL files:

sourceanalyzer -b MyProject x.pks y.pks

The following example demonstrates how to translate all PL/SQL files under the sources directory:

sourceanalyzer -b MyProject "sources/**/*.pks"

Example of Translating T-SQL


The following example demonstrates syntax for translating two T-SQL files:

sourceanalyzer -b MyProject x.sql y.sql

The following example demonstrates how to translate all T-SQL files under the sources directory:

sourceanalyzer -b MyProject "sources\**\*.sql"

Note: This example assumes the com.fortify.sca.fileextensions.sql property in
fortify-sca.properties is set to "TSQL".

Example of Translating PHP


To translate a single file named MyPHP.php, enter:

sourceanalyzer -b mybuild "MyPHP.php"

Example of Translating Classic ASP written with VBScript


To translate a single file named MyASP.asp, enter:

sourceanalyzer -b mybuild "MyASP.asp"

Example of Translating JavaScript


To translate all JavaScript files under the scripts directory, enter:

sourceanalyzer -b mybuild "scripts/*.js"

Example of Translating VB Script File


To translate a VB file named myApp.vb, enter:

sourceanalyzer -b mybuild "myApp.vb"

Example of Translating ColdFusion


The following example demonstrates syntax for translating two CFML files:

sourceanalyzer -b MyProject -source-base-dir . Page1.cfm Page2.cfm

The following example demonstrates how to translate all CFML files under the
C:\MySite directory:

sourceanalyzer -b MySite -source-base-dir C:\MySite "C:\MySite\**\*.cfm"

Translating COBOL Code
This section contains the following topics:

• Supported Technologies
• Preparing COBOL Source Files for Translation
• COBOL Command Line Syntax
• Auditing a COBOL Scan

Supported Technologies
Fortify SCA supports IBM Enterprise COBOL for IBM z/OS and is compatible with the following
systems:

• CICS
• IMS
• DB/2 embedded SQL
• IBM WebSphere MQ

Preparing COBOL Source Files for Translation


Fortify SCA runs only on the supported systems listed in the Fortify System Requirements data
sheet, not on mainframe computers. This means that before you can scan a COBOL program, you
must copy the following program components to the system running Fortify SCA:

• The COBOL source code
• All copybook files used by the COBOL source code
• All SQL INCLUDE files referenced by the COBOL source code

Preparing COBOL Source Code Files


Fortify SCA requires that COBOL source code files have either the .cob or .cbl filename
extension.

Preparing COBOL Copybook Files


Fortify SCA does not identify copybooks by extension. All copybook files should therefore retain the
names used in the COBOL source code COPY statements.

COBOL Command Line Syntax


Free-format COBOL is the default translation and scanning mode for Fortify SCA. The basic syntax
for translating a single free-format COBOL source code file is:

sourceanalyzer -b <build-id> *.cbl *.cob

The basic syntax for scanning a translated free-format COBOL program is:

sourceanalyzer -b <build-id> -scan -f <FPR file name>

Working with Fixed-Format COBOL


Fortify SCA also supports fixed-format COBOL. When translating and scanning fixed-format
COBOL, both the translation and scanning command lines must include the -fixed-format
command line option. For example, the translation line syntax would look like:

sourceanalyzer -b <build-id> -fixed-format *.cbl *.cob

And the scanning line syntax would look like:

sourceanalyzer -b <build-id> -scan -fixed-format -f <FPR file name>

Searching for COBOL Copybooks


Use the -copydirs command line option to direct Fortify SCA to search a list of paths for copybooks
and SQL INCLUDE files. For example, the command line syntax would look like the following:

sourceanalyzer -b coboltest -copydirs c:\cobol\copybooks *.cob *.cbl

Auditing a COBOL Scan


After using the command line to scan the application, you can upload the resulting FPR file to Audit
Workbench or Fortify Team Server and audit the application’s issues.

Fortify SCA does not currently support custom rules for COBOL applications.

Chapter 6: Troubleshooting and Support
This chapter contains the following topics:

• Troubleshooting
• Reporting Bugs and Requesting Enhancements

Troubleshooting
This section contains the following troubleshooting topics:

• Using the Log File to Debug Problems
• Translation Failed Message
• JSP Translation Problems
• ASPX Translation Problems
• C/C++ Precompiled Header Files

Using the Log File to Debug Problems


If you encounter warnings and problems when you run Fortify SCA, re-run Fortify SCA using the
-debug option. This generates a file named sca.log in the following directory:

• On Windows: C:\Documents and Settings\<username>\Local Settings\Application Data\Fortify\sca5.0\log
• On other platforms: $HOME/.fortify/sca5.0/log
Email the sca.log file as a zip file to [email protected] for further investigation.

Translation Failed Message


If your C/C++ application builds successfully but you see one or more "translation failed" messages
when building with Fortify SCA, edit the <install_directory>/Core/config/fortify-sca.properties
file to change the following line:

com.fortify.sca.cpfe.options= --remove_unneeded_entities --suppress_vtbl

to

com.fortify.sca.cpfe.options=-w --remove_unneeded_entities --suppress_vtbl

Re-run the build to print the errors encountered by the translator. If the output indicates an
incompatibility between your compiler and the Fortify translator, send your output to Fortify Technical
Support for further investigation.
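As an added example (not from the Fortify guide or the product), the following Python makes that edit as a pure function over the text of fortify-sca.properties, so it can be run repeatedly without stacking up -w flags and the result can be reviewed before it is written back. It assumes the key sits on a single line with an = separator, as shown above; the sample properties text is constructed.

```python
"""Turn on translator warnings in fortify-sca.properties.

Added example; not from the Fortify documentation. It performs the edit the
guide describes (prepending -w to com.fortify.sca.cpfe.options) as a pure
function over the file's text, so it is idempotent. Assumption: the key is
written on one line as key=value (no ':' separator, no line continuation).
"""
from typing import List

KEY = "com.fortify.sca.cpfe.options"

# Constructed excerpt of a properties file in the state the guide describes.
SAMPLE_PROPERTIES = """\
# Fortify SCA configuration (constructed excerpt)
com.fortify.sca.DefaultJdkVersion=1.4
com.fortify.sca.cpfe.options= --remove_unneeded_entities --suppress_vtbl
"""


def cpfe_options(text: str) -> List[str]:
    """Return the translator options currently set, or [] if the key is absent."""
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith(KEY + "="):
            return stripped.partition("=")[2].split()
    return []


def enable_cpfe_warnings(text: str) -> str:
    """Return the properties text with -w as the first cpfe option.

    Existing options are preserved, a second run changes nothing, and a file
    that never had the key gets it appended.
    """
    out = []
    found = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith(KEY + "=") and not stripped.startswith("#"):
            found = True
            opts = stripped.partition("=")[2].split()
            if "-w" not in opts:
                opts.insert(0, "-w")
            line = f"{KEY}={' '.join(opts)}"
        out.append(line)
    if not found:
        out.append(f"{KEY}=-w")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Typical use: read the real file, transform, inspect, then write back.
    print(enable_cpfe_warnings(SAMPLE_PROPERTIES))
```

To apply it to an installation, read <install_directory>/Core/config/fortify-sca.properties into a string, pass it through enable_cpfe_warnings, and write the result back only after checking the diff; keep a copy of the original so the -w flag can be removed again once the translator incompatibility is resolved.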

JSP Translation Problems


Fortify SCA uses either the built-in or your specific application server's JSP compiler to translate
JSP files into Java files for analysis.

If the JSP parser encounters problems when Fortify SCA is converting JSP files to Java files for
analysis, you will see a message similar to the following:

Failed to translate the following jsps into analysis model. Please see the
log file for any errors from the jsp parser and the user manual for hints
on fixing those
<List of JSP file names>

This typically happens due to one or more of the following reasons:

• The web application is not laid out in a proper deployable WAR directory format
• You are missing some JAR files or classes required for the application
• Some tag libraries or their definitions (TLD) are missing from your application
To obtain more information about the problem, perform the following steps:

1. Open the Fortify SCA log file in an editor.
2. Search for the strings Jsp parser stdout: and Jsp parser stderr:.
These errors are generated by the JSP parser that was used. Resolve the errors and rerun Fortify
SCA.

For more information about scanning J2EE applications, see “Translating J2EE Applications” on
page 10.
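The steps above, as an added example that is not part of the Fortify guide: a small Python script that pulls the Jsp parser stdout: and Jsp parser stderr: sections out of an sca.log and maps each stderr line to one of the three causes listed. The log excerpt inside the script is constructed; the two marker strings come from the guide, but the layout of the surrounding log lines and the "<file>(<line>,<col>) <message>" error format are assumptions, so adapt the regular expressions to what your log actually contains.

```python
"""Extract JSP parser output from a Fortify SCA debug log (sca.log).

Added example, not part of the Fortify documentation. The only facts taken
from the guide are the two marker strings; the shape of the surrounding log
lines and of the compiler messages below are assumptions for illustration.
"""
import re
from typing import Dict, List

# Constructed sample log. The parser lines imitate a JSP compiler complaining
# about an unresolvable tag library URI and a class missing from the classpath.
SAMPLE_LOG = """\
[INFO] Translating 3 JSP files
Jsp parser stdout:
Compiling /app/web/index.jsp
Compiling /app/web/admin.jsp
Jsp parser stderr:
/app/web/admin.jsp(3,1) The absolute uri: http://example.com/tags/admin cannot be resolved in either web.xml or the jar files deployed with this application
/app/web/index.jsp(12,8) Unable to find class com.example.web.Helper
[INFO] Failed to translate the following jsps into analysis model.
"""

STDOUT_MARKER = "Jsp parser stdout:"
STDERR_MARKER = "Jsp parser stderr:"


def split_jsp_parser_sections(log_text: str) -> Dict[str, List[str]]:
    """Return {"stdout": [...], "stderr": [...]}: the lines following each
    marker, up to the next marker or the next SCA log line (assumed to start
    with "[")."""
    sections: Dict[str, List[str]] = {"stdout": [], "stderr": []}
    current = None
    for line in log_text.splitlines():
        if line.startswith(STDOUT_MARKER):
            current = "stdout"
        elif line.startswith(STDERR_MARKER):
            current = "stderr"
        elif line.startswith("["):
            current = None
        elif current is not None and line.strip():
            sections[current].append(line)
    return sections


# Assumed compiler message layout: "<file>(<line>,<col>) <message>".
_LOC_RE = re.compile(r"^(?P<file>\S+\.jsp)\((?P<line>\d+),(?P<col>\d+)\)\s+(?P<msg>.*)$")


def jsp_errors(log_text: str) -> List[dict]:
    """Turn each stderr line into a record so failures can be listed per JSP."""
    errors = []
    for line in split_jsp_parser_sections(log_text)["stderr"]:
        m = _LOC_RE.match(line)
        if m:
            errors.append({"file": m["file"], "line": int(m["line"]),
                           "col": int(m["col"]), "message": m["msg"]})
        else:
            errors.append({"file": None, "line": None, "col": None, "message": line})
    return errors


def likely_cause(message: str) -> str:
    """Map a parser message to one of the three causes the guide lists."""
    text = message.lower()
    if ("absolute uri" in text and "cannot be resolved" in text) or ".tld" in text:
        return "missing tag library / TLD"
    if ("unable to find class" in text or "cannot be resolved to a type" in text
            or ("package" in text and "does not exist" in text)):
        return "missing JAR or class on the classpath"
    return "check WAR layout (WEB-INF/web.xml, WEB-INF/lib) and rerun"


if __name__ == "__main__":
    for err in jsp_errors(SAMPLE_LOG):
        print(f"{err['file']}:{err['line']}: {likely_cause(err['message'])}")
```

Run it against a real log with python script.py after replacing SAMPLE_LOG with the file contents; the per-file cause is what you need before rerunning the scan, since a missing TLD is fixed in the WAR layout while a missing class is fixed with -cp.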

ASPX Translation Problems


Fortify SCA compiles ASPX files to DLLs for analysis as follows:

• With .NET 2.0 or later and Visual Studio 2005, by using the Microsoft aspnet_compiler
compiler
• With .NET 1.1 and Visual Studio 2003, by fetching the ASPX files one at a time from
the web site
The compilation step can fail if:

• You have access or authentication problems with accessing the web application
• You are missing some required DLLs
In either case, you will see a message similar to the following:

Failed to translate the following aspx files into analysis model. Please
see the log file for any errors from the aspx precompiler and the user
manual for hints on fixing those.
<List of ASPX file names>

If you are using the plug-in, enable plug-in debugging and examine the plug-in log file for any errors
generated by the ASPX precompiler.

If you are using the command line tool, fortify_aspnet_compiler, you should see the error
messages on the console.

If you still cannot determine the cause of the problem, try to access some of the failed ASPX files
from your browser and see what kind of errors display. If you see messages such as cannot
locate assembly, ensure that you have the missing DLLs and rerun Fortify SCA.

If you can access the failed ASPX files from the browser, but Fortify SCA still fails to scan them,
contact Fortify Technical Support for additional help.

For more information about scanning ASP.NET applications, see “Translating ASP.NET 1.1 (Visual
Studio Version 2003) Projects” on page 16.

C/C++ Precompiled Header Files
Some C/C++ compilers support a feature termed "precompiled header files," which can speed up
compilation. Some compilers' implementations of this feature have subtle side-effects. When the
feature is enabled, the compiler may accept erroneous source code without warnings or errors. This
can result in a discrepancy where Fortify SCA reports translation errors even when your compiler
does not.

If you use the precompiled header feature of your compiler, make sure your source code compiles
cleanly by disabling precompiled headers and doing a full build.

Reporting Bugs and Requesting Enhancements


Feedback is critical to the success of this product. To request enhancements or patches, or to report
bugs, send an email to Technical Support at:

[email protected]

Be sure to include the following information in the email body:


• Product: Fortify SCA
• Version Number: To determine the version number, run the following:
sourceanalyzer -version
• Platform: (such as PC)
• OS: (such as Windows 2000)
When requesting enhancements, include a description of the feature enhancement.
When reporting bugs, provide enough details for the issue to be duplicated. The more descriptive
you are, the faster we can analyze and fix the issue. Also include the log files, or the relevant
portions of them, from when the issue occurred.

Appendix A: Managing Per Use Accounts
This chapter covers the following topics:

• About the Fortify SCA Per Use Edition


• Managing Your Portal User Account
• Transferring Lines

About the Fortify SCA Per Use Edition


The Fortify SCA Per Use edition analyzes source code by the number of source code lines in a
project. Your company purchases lines of code (LOC) packs from Fortify Software. The lines are
stored in an account on the Per Use Portal. When you want to use Fortify SCA to analyze source
code, you transfer lines from the online account to your local instance. Once transferred those lines
are unlocked and appear as “available lines”. Transferred lines can only be used by the instance of
Fortify SCA that requested them.

Fortify SCA deducts lines for each project you analyze. When you run out of lines, you must get
additional lines before you can scan another project. Transferring lines and creating a request file for
transfers requires the following:

• Company account on the Per Use Portal with available LOCs


• User name and password for the Per Use Portal
• Internet access
• A Fortify SCA Per Use edition installed on your build machine
Note: Transfer lines from the Per Use Portal to an instance of Fortify SCA only. Transferring unused
lines back to the Per Use Portal or between Fortify SCA instances is not supported.

Figure 1: Per Use Portal

Managing Your Portal User Account
To use the Fortify SCA Per Use edition you must have a user account on the Fortify Per Use Portal.
This account allows you to request lines.

The Per Use Portal administrator configures the user accounts and provides the Fortify SCA Per
Use edition license key. When the administrator sets up an account, the default password is
automatically emailed to you.

Your user profile includes:

• Your username (email address) and password


• Contact information, such as your telephone number
• Record of lines allocated to your user account

Changing your Password


When the administrator sets up your account, the Fortify Software portal sends you an email that
contains a default password and a link to the Fortify Per Use Portal. This section explains how to log
into the site and update your password.

To change your password:

1. Open the link in the email or enter the following URL:
https://per-use.fortify.com
2. Enter your username, which is the email address at which you received the default password, and
the password.
3. Click Customer Detail.
4. Enter a new password.
5. Confirm the new password.
6. Click Save.

Purchasing Additional Lines


A Fortify Software technical support representative can add lines to an existing account. Under some
circumstances the technical support representative can also transfer lines back into the main
account.

A technical support representative can only add lines if:

• You are a licensed user of Fortify SCA Per Use edition


• Your company has an account on the Fortify Per Use Portal
• You have a user account
• You are authorized to add lines to the account

Transferring Lines
This section explains how to transfer lines from the Per Use Portal account to Fortify SCA. The
following is required to transfer lines:

• Fortify SCA Per Use edition is installed on a build machine
• You have an account on the Per Use Portal, https://per-use.fortify.com
• Your company has scan lines available in the account

Note: To purchase lines, contact Fortify Software technical support.

Transfer lines using one of the following methods:

• Transferring Lines to a Machine with Internet Access
• Transferring Lines to a Machine without Internet Access

Transferring Lines to a Machine with Internet Access


Users with Fortify SCA Per Use edition clients that have internet access can send requests to
transfer lines from the per use account to their local client. If the lines are available, the lines are
deducted from the account and transferred directly to the client.

After the transfer, the per use account shows the lines allocated. The local client shows the lines as
available.

To request lines:

1. Enter the sourceanalyzer command with the following option:
sourceanalyzer -auth-request
2. Enter the requested information, including the number of lines and your Per Use Portal user name
and password.
If the lines you requested are available, they are automatically transferred to your client.

Transferring Lines to a Machine without Internet Access


Users of offline Fortify SCA instances must manually generate a request file, transfer the file to a
computer with Internet access, log into the portal, and upload the request file. They must then
download and install the corresponding response file to transfer lines from the account to Fortify
SCA.

After the response file is created, the account shows the lines as allocated. However the lines are
not available on Fortify SCA until after the response file is downloaded and installed.

To transfer lines manually:

1. Generating a Request for Lines
2. Uploading the Request for Lines
3. Installing the Line Certificate

Generating a Request for Lines


For users of Fortify SCA that do not have internet access, generate a request file that contains the
number of lines that you want to allocate.

To generate a request file:

1. Enter the sourceanalyzer command with the following option:
sourceanalyzer -auth-gen-request <request-file-name>
2. Follow the prompts to enter the request information.
A request file is created in the directory where you ran the command.

Uploading the Request for Lines


When you upload a request file and the account has the lines available, a certificate file is created
and the requested number of lines is deducted from the account. To complete the transfer, download
the certificate and install it on the Fortify SCA instance that generated the request.

To generate a line response file:

1. Copy the request file to a computer with internet access.
2. Log in to the Per Use Portal, https://per-use.fortify.com.
Note: Your user name is your email address.
3. Click Request Lines.
4. Click Browse and locate the request file.
5. Click Upload.
After the request file is processed, a transaction ID (Txn ID) displays.
6. Click the transaction ID to download the certificate file to your local host.

Installing the Line Certificate


For offline Fortify SCA instances, manually install the certificate to add lines.

To transfer lines using the certificate file:

1. Copy the certificate to the machine where Fortify SCA is installed.
2. Enter the sourceanalyzer command with the following option:
sourceanalyzer -auth-import-response <response-file-name>
When the process completes, a message displays the number of lines available.

Appendix B: Command Line Interface
This appendix describes the Command Line options available for Fortify SCA.

Command Line Options


This section lists and describes Fortify SCA command line options:

• Output Options
• Analysis Options
• ColdFusion Option
• Java/J2EE Options
• .NET Options
• Build Integration Options
• Runtime Options
• Line Transfer Options
• Other Options
If you are using the ANT sourceanalyzer task, a subset of command line options is available. For
information about these options and their syntax, see “sourceanalyzer Task Options” on page 49.

Output Options
The following table describes the output options.

Table 4: Output Options

Output Option Description

-append Appends results to the file specified with -f. If this option is
not specified, Fortify SCA overwrites the file. To use this
option, the output file format must be .fpr or .fvdl. For
information on the -format output option, see the
description in this table.

Note: When -append is passed to SCA and the output file
specified with the -f option contains the results of an earlier
scan, the resulting FPR contains the issues from the earlier
scan as well as issues from the current scan. The build
information and program data (lists of sources and sinks)
sections are also merged.

The engine data section, which includes rule pack
information, command line options, system properties,
warnings and errors, and other information about the
execution of sourceanalyzer (as opposed to information
about the program being analyzed), is not merged, in part
because there is no way to meaningfully merge this data
from multiple scans. Because engine data is not merged
with -append, we do not certify results generated with
-append.

In general, -append should only be used when it is not
possible to analyze an entire application at once.


-build-label <label> The label of the project being scanned. The label is not used
by Fortify SCA but is included in the analysis results.

-build-project <project> The name of the project being scanned. The name is not
used by Fortify SCA but is included in the analysis results.

-build-version <version> The version of the project being scanned. The version is not
used by Fortify SCA but is included in the analysis results.

-f <file> The file to which results are written. If you do not specify an
output file, the output is written to the terminal.

-format <format> Controls the output format. Valid options are fpr, fvdl,
text, and auto. The default is auto, which selects the
output format based on the file extension.
Note: If you are using result certification, you must specify
the fpr format. See the Audit Workbench User’s Guide for
information on result certification.

-html-report Creates an HTML summary of the results produced. The
output format must be .fpr. The report file is given the
same base name as the results output file.

Analysis Options
The following table describes the analysis options.

Table 5: Analysis Options

Analysis Option Description

-disable-default-rule-type <type> Disables all rules of the specified type in the default
rulepacks. Can be used multiple times to specify multiple
rule types.
The value of type is the XML tag minus the suffix
"Rule". For example, use DataflowSource for
DataflowSourceRule elements. You can also specify
specific sections of characterization rules, such as
Characterization:Controlflow, Characterization:Issue, and
Characterization:Generic.
Type is case-insensitive.

-filter <file_name> Specifies a results filter file. For information about filter files,
see “Creating a Filter File” on page 53.

-findbugs Enables FindBugs analysis for Java code. The Java class
directories must have been specified with the -java-build-dir
option, described in "Java/J2EE Options" on page 41.

-no-default-issue-rules Disables rules in default rulepacks that lead directly to
issues. Still loads rules that characterize the behavior of
functions.
Note: This is equivalent to disabling the following rule types:
DataflowSink, Semantic, Controlflow, Structural,
Configuration, Content, Statistical, Internal, and
Characterization:Issue.


-no-default-rules Specifies not to load rules from the default rulepacks. Fortify
SCA processes the rulepacks for description elements and
language libraries, but no rules are processed.

-no-default-source-rules Disables source rules in the default rulepacks.
Note: Characterization source rules are not disabled.

-no-default-sink-rules Disables sink rules in the default rulepacks.
Note: Characterization sink rules are not disabled.

-disable-source-rendering Source files are not included in the FPR file.

-quick Scans the project in Quick Scan Mode, using the
fortify-sca-quickscan.properties file. By default, this scan
searches for high-confidence, high-severity issues. For
more information about Quick Scan Mode, see the Audit
Workbench User's Guide.

-rules [<file>|<directory>] Specifies a custom rulepack or directory. Can be used
multiple times to specify multiple rulepack files. If you
specify a directory, all of the files in the directory with the
.bin and .xml extensions are included.

-scan Causes Fortify SCA to perform analysis for the specified
build ID.

-source-archive <archive_file.zip> Use with Fortify Team Server; renders source files into a
separate archive rather than including them in the FPR file.

ColdFusion Option
The following table describes the ColdFusion option.

Table 6: ColdFusion Options

ColdFusion Option Description

-source-base-dir The web application’s root directory.

Java/J2EE Options
The following table describes the Java/J2EE options.

Table 7: Java/J2EE Options

Java/J2EE Options Description

-appserver Specifies the application server for processing JSP files:
weblogic or websphere.


-appserver-home Specifies the application server's home.
For WebLogic, this is the path to the directory containing the
server/lib directory.
For WebSphere, this is the path to the directory containing
the bin/JspBatchCompiler script.

-appserver-version Specifies the version of the application server.
For WebLogic, valid values are 7, 8, 9, and 10.
For WebSphere, the valid value is 6.

-cp <classpath>, Specifies the classpath to use for analyzing Java source
-classpath <classpath> code. The format is same as javac: a colon or semicolon-
separated list of paths. You can use Fortify SCA file
specifiers.
Note: If you do not specify the classpath with this option, the
CLASSPATH environment variable is used.

-extdirs <dirs> Similar to the javac extdirs option, accepts a colon or
semicolon-separated list of directories. Any jar files found in
these directories are included implicitly on the classpath.

-java-build-dir Specifies one or more directories to which Java sources
have been compiled. Must be specified for FindBugs results,
as described in "Analysis Options" on page 40.

-source <version> Indicates which version of the JDK the Java code is written
for. Valid values for version are 1.3, 1.4, 1.5, and 1.6.
The default is 1.4.

-sourcepath Specifies the location of source files which will not be
included in the scan but will be used for name resolution.
The sourcepath is like classpath, except it uses source files
rather than class files for resolution.

.NET Options
The following table describes the .NET options.

Table 8: .NET Options

.NET Options Description

-libdirs <dirs> Accepts a colon or semicolon-separated list of directories
where system DLLs are located.

-dotnet-sources <directory name> Specifies where to look for source files for additional
information. This option is automatically passed from the
Fortify SCA plug-ins, Audit Workbench, and Fortify Team
Server, but when you are running SCA manually, you must
provide it yourself.

This option causes SCA to attempt to find any .NET
classes, enums, or interfaces that are not explicitly declared
in the compiled project.


-vsversion <version> Specifies Visual Studio version. Valid values for version
are 7.1 for Visual Studio Version 2003 and 8.0 for Visual
Studio Version 2005, and the default value is 7.1.

Build Integration Options
The following table describes the build integration options.

Table 9: Build Integration Options

Build Integration Options Description

-b <build_id> Specifies the build ID. The build ID is used to track which
files are compiled and combined to be part of a build and
later to scan those files.

-bin <binary> Used with -scan to specify a subset of source files to scan.
Only the source files that were linked in the named binary at
build time are included in the scan. Can be used multiple
times to specify the inclusion of multiple binaries in the scan.

-exclude <file_pattern> Removes files from the list of files to translate.
For example: sourceanalyzer -cp "**/*.jar"
"**/*" -exclude "**/Test.java"
Note: The -exclude option works when input files are
specified on the command line; it does not work with
compiler integration.

-nc When specified before a compiler command line, Fortify
SCA processes the source file but does not run the
compiler.

Directives
The following directives can be used to list information about translation steps that have been taken.
Only one directive can be used at a time and cannot be used in conjunction with normal translation
or analysis steps.

Table 10: Directives

Directives Description

-clean Deletes all Fortify SCA intermediate files and build
records. When a build ID is also specified, only files
and build records relating to that build ID are
deleted.

-show-binaries Displays all objects that were created but not used
in the production of any other binaries. If fully
integrated into the build, it lists all of the binaries
produced.


-show-build-ids Displays a list of all known build IDs.
Note: This option may erase build IDs generated by
previous versions of Fortify SCA.

-show-build-tree Displays all files used to create a binary and all files
used to create those files in a tree layout. If the
-bin binary option is not present, the tree is
displayed for each binary.
Note: This option can generate an extensive
amount of information.

-show-files Lists the files in the specified build ID. When the
-bin option is present, displays only the source files
that went into the binary.

-show-build-warnings Use with -b <build_id> to show all errors and
warnings from the translation phase on the console.
Note: These errors and warnings display in the
results certification panel of Audit Workbench.

Runtime Options
The following table describes the runtime options.

Table 11: Runtime Options

Runtime Options Description

-auth-silent Available on Fortify SCA Per Use edition only.
Suppresses the prompt that displays the number of lines the
scan requires to analyze the source code. With this option,
the lines are automatically deducted.
Note: If the scan requires more lines than are available, the
scan fails with an error indicating how many additional lines
are required.

-64 Runs Fortify SCA under the 64-bit JRE. If no 64-bit JRE is
available, Fortify SCA fails.

-logfile <file_name> Specifies the log file that is produced by Fortify SCA.

-quiet Disables the command line progress bar.

-verbose Sends verbose status messages to the console.

-Xmx <size> Specifies the maximum amount of memory used by Fortify
SCA. By default, it uses up to 600 MB of memory
(-Xmx600M), which can be insufficient for large code bases.
When specifying this option, ensure that you do not allocate
more memory than is physically available, because this
degrades performance. As a guideline, assuming no other
memory intensive processes are running, do not allocate
more than 2/3 of the available memory.

Line Transfer Options
The Fortify SCA Per Use edition has the following line transfer options. Table 12 describes the
options to show the number of available lines and to transfer lines from the Per Use Portal account
to a local instance of Fortify SCA.

Table 12: Line Transfer Options

Option Description

-auth-gen-request <request-file-name> Creates a file that contains a request for lines.
Note: You must manually upload the request file to the Per
Use Portal to receive a response file that allocates lines to
the Fortify SCA instance.

-auth-query Shows the number of lines available.

-auth-request Sends a request to transfer lines from the Per Use Portal
account to the Fortify SCA instance. This option requires
internet access.
Note: If the account has insufficient lines, the request fails.

-auth-import-response <response-file-name> Installs a response file that allocates lines to the Fortify
SCA instance.
Note: The file can only be installed on the instance that
generated the request.

-show-loc Use with -b <build_id> to determine how many lines of
code were translated. This option returns the total number
of lines required to analyze the project.

Other Options
The following table describes other options.

Table 13: Other Options

Other Options Description

@<filename> Reads command line options from the specified file.

-encoding Specifies the source file encoding type. This option is the
<encoding_name> same as the javac encoding option.

-h, -?, -help Prints this summary of command line options.

-version Displays the version number.

-debug Enables debug mode which is useful during troubleshooting.

-build-migration-map <old_fpr_file> Runs the InstanceID mapper at the end of a scan. See
Fortify Source Code Analysis: Migrating Audit Data from 4.x
to 5.0 for details.

Specifying Files
File specifiers are expressions that allow you to easily pass a long list of files to Fortify SCA using
wildcard characters. Fortify SCA recognizes two types of wildcard characters: '*' matches part of a
filename, and '**' recursively matches directories. You can specify one or more files, one or more
file specifiers, or a combination of files and file specifiers.

<files> | <file specifiers>

File specifiers can take the following forms:

Table 14: File Specifiers

File Specifier Description

<dirname> All files found under the named directory or any subdirectories

<dirname>/**/Example.java Any file named Example.java found under the named
directory or any subdirectories

<dirname>/*.java Any file with the extension .java found in the named
directory

<dirname>/**/*.java Any file with the extension .java found under the named
directory or any subdirectories

<dirname>/**/* All files found under the named directory or any subdirectories
(same as <dirname>)

Note: Windows and many Unix shells automatically try to expand arguments containing the '*'
character, so file-specifier expressions should be quoted. Also, on Windows, the backslash
character (\) may be used as the directory separator instead of the forward slash (/).

File specifiers do not apply to C or C++ languages.
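As an added example (not code from the guide or from Fortify SCA), the following Python implements the matching rules of Table 14 so you can check what a specifier will select before handing it to sourceanalyzer, and it assembles a quoted command line so the shell does not expand the pattern first, which is the pitfall the note above describes. The project file list is constructed, and the treatment of a trailing ** as **/* is an assumption, since Table 14 does not list that form.

```python
"""Resolve Fortify SCA file specifiers ('*' and '**') against a path list.

Added example; not from the Fortify guide or the SCA tool itself. It follows
Table 14: '*' matches within a single path component, '**' matches any
number of directory levels, a bare directory name selects everything beneath
it, and '\\' may be used instead of '/' on Windows. A trailing '**' is treated
as '**/*' (an assumption; the table does not define that form).
"""
import re
import shlex
from typing import List, Optional

# Constructed project layout used to exercise the matcher.
TREE = [
    "src/Main.java",
    "src/util/Helper.java",
    "src/util/Example.java",
    "src/web/Example.java",
    "src/web/index.jsp",
    "test/Example.java",
    "lib/app.jar",
]


def specifier_to_regex(spec: str) -> "re.Pattern[str]":
    """Translate one file specifier into an anchored regular expression."""
    parts = spec.replace("\\", "/").rstrip("/").split("/")
    if parts[-1] == "**":
        parts.append("*")                       # assumption: "dir/**" == "dir/**/*"
    pieces = []
    for i, part in enumerate(parts):
        if part == "**":
            pieces.append("(?:[^/]+/)*")        # zero or more directory levels,
            continue                            # separator included in the group
        pieces.append(re.escape(part).replace(r"\*", "[^/]*"))
        if i < len(parts) - 1:
            pieces.append("/")
    pattern = "".join(pieces)
    if not any("*" in p for p in parts):
        pattern += "(?:/.*)?"                   # bare name: the whole subtree
    return re.compile("^" + pattern + "$")


def select_files(spec: str, paths: List[str]) -> List[str]:
    """Return the paths (in input order) that the specifier selects."""
    rx = specifier_to_regex(spec)
    return [p for p in paths if rx.match(p.replace("\\", "/"))]


def needs_quoting(arg: str) -> bool:
    """True if an unquoted argument would be globbed by the shell before SCA sees it."""
    return any(ch in arg for ch in "*?[")


def sca_translate_command(build_id: str, specs: List[str],
                          classpath: Optional[str] = None) -> str:
    """Build a translate command line with every wildcard argument quoted."""
    args = ["sourceanalyzer", "-b", build_id]
    if classpath:
        args += ["-cp", classpath]
    args += specs
    return " ".join(shlex.quote(a) for a in args)


if __name__ == "__main__":
    for spec in ("src", "src/*.java", "src/**/Example.java", "src/**/*.java"):
        print(f"{spec:22} -> {select_files(spec, TREE)}")
    print(sca_translate_command("mybuild", ["**/*.java"], classpath="**/*.jar"))
```

The quoting matters on both platforms: an unquoted **/*.java is expanded by bash (and, depending on settings, by cmd.exe) into whatever the shell's own glob rules produce, which is not the recursive match Fortify SCA applies, so files are silently left out of the build ID.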

Appendix C: Using the sourceanalyzer Ant Task
The sourceanalyzer Ant task provides a convenient way to integrate Fortify SCA into your Ant
build. As discussed in Translating Java Code, translation of Java source files that are part of an Ant
build is most easily accomplished using the SCA Compiler Adapter, which automatically captures
input to javac task invocations. The sourceanalyzer task provides a convenient and flexible way
to accomplish other translation tasks and to run analysis.

This section describes how to use the sourceanalyzer Ant task and provides an example of a
sample build file with a self-contained analysis target. It contains the following topics:

• Using the Ant sourceanalyzer Task
• Ant properties
• sourceanalyzer Task Options

Using the Ant sourceanalyzer Task


As with the SCA Compiler Adapter, using the sourceanalyzer task requires
sourceanalyzer.jar to be on Ant's classpath, and the sourceanalyzer executable to be on
the PATH.

The first step to using the sourceanalyzer task is to include a typedef in the build.xml file as
follows:

<typedef name="sourceanalyzer"
classname="com.fortify.dev.ant.SourceanalyzerTask"/>

Note: Only Ant 1.6 and higher supports top-level typedef of the sourceanalyzer task. For Ant 1.5
and lower, include the typedef in the target where the sourceanalyzer task is used.

Once this typedef is included, targets can be defined that invoke the sourceanalyzer task to
perform translation and analysis operations exactly as if running sourceanalyzer from the
command line. The sourceanalyzer task syntax is similar to that of the command line interface,
but Ant fileset and path primitives can be leveraged.

The following is an example of a snippet from an Ant build.xml file which provides a target users
can call to generate Fortify SCA results for the project. This snippet assumes that the targets clean
and compile and the path jsp.classpath are defined elsewhere in the file. It also uses verbose
and log to create a separate Fortify SCA log file for the build.

<available classname="com.fortify.dev.ant.SourceanalyzerTask"
property="fortify.present"/>
<property name="sourceanalyzer.buildid" value="mybuild"/>
<!-- For debugging in a separate Fortify SCA log file -->
<property name="fortify.debug" value="false" />
<property name="fortify.verbose" value="false" />
<mkdir dir="${code.build}/log" />
<mkdir dir="${code.build}/audit" />
<tstamp/>
<target name="fortify" if="fortify.present">
<typedef name="sourceanalyzer"
classname="com.fortify.dev.ant.SourceanalyzerTask"/>
<!-- call clean to ensure that all source files are recompiled -->
<antcall target="clean"/>

<!-- call the compile target using the SCA Compiler Adapter to -->
<!-- translate all source files-->
<antcall target="compile">
<!-- Log SCA in separate file -->
<param name="com.fortify.sca.Debug"
value="${fortify.debug}" />
<param name="com.fortify.sca.Verbose"
value="${fortify.verbose}" />
<param name="com.fortify.sca.LogFile"
value="${code.build}/log/${sourceanalyzer.buildid}-${DSTAMP}-${TSTAMP}.log" />
<param name="build.compiler"
value="com.fortify.dev.ant.SCACompiler" />

</antcall>
<!-- capture all configuration files in WEB-INF directory -->
<echo>sourceanalyzer ${web-inf}</echo>
<sourceanalyzer buildid="${sourceanalyzer.buildid}">
<fileset dir="${web-inf}">
<include name="**/*.properties"/>
<include name="**/*.xml"/>
</fileset>
</sourceanalyzer>
<!-- translate all jsp files-->
<echo>sourceanalyzer ${basedir} jsp</echo>
<sourceanalyzer buildid="${sourceanalyzer.buildid}">
<fileset dir="${basedir}">
<include name="**/*.jsp"/>
</fileset>
<classpath refid="jsp.classpath"/>
</sourceanalyzer>
<!-- run analysis -->
<echo>sourceanalyzer scan</echo>
<sourceanalyzer buildid="${sourceanalyzer.buildid}"
scan="true"
resultsfile="issues.fpr"
/>
</target>

Ant properties
Any Ant property that begins with com.fortify is relayed to the sourceanalyzer task via -D.
For example, setting the com.fortify.sca.ProjectRoot property results in
-Dcom.fortify.sca.ProjectRoot=<value> being passed to the sourceanalyzer task. This
is also used for the SCACompiler adapter. These properties can be set either in the build file, using
the <property> task for example, or on the Ant command line using the -D<property>=<value>
syntax.

When using the SCACompiler adapter via the build.compiler setting, the
sourceanalyzer.build Ant property is equivalent to the buildID attribute of the
sourceanalyzer task, and the sourceanalyzer.maxHeap is equivalent to maxHeap. You can
use either the command line or your build script to set these properties.

sourceanalyzer Task Options
The following table contains the command line options for the sourceanalyzer task. Path values
use colon (:) or semi-colon (;) delimited lists of file names.

Table 15: Sourceanalyzer Task Command Line Options

Attribute Command Line Option Description

append -append Appends results to the file specified
with the -f option. If this option is not
specified, Fortify SCA overwrites the
file.
Note: To use this option, the output file
format must be .fpr or .fvdl. For
information on the -format output
option, see the description in this table.

appserver -appserver <appserver> Specifies the application server. Valid
options are weblogic or websphere.

appserverHome -appserver-home <directory> Specifies the application server's home
directory.
For WebLogic, this is the path to the
directory containing the server/lib
directory.
For WebSphere, this is the path to the
directory containing the bin/
JspBatchCompiler script.

appserverVersion -appserver-version <version_number> Specifies the version of the application
server.
For WebLogic: versions 7, 8, 9, and 10
For WebSphere: version 6

bootclasspath -bootclasspath <classpath> Specifies the JDK bootclasspath.

buildID -b <build_ID> Specifies the build ID. The build ID is
used to track which files are compiled
and linked as part of a build and later to
scan those files.

buildLabel -build-label <build_label> Specifies the label of the project being
scanned. The label is not used by
Fortify SCA but is included in the
analysis results.

buildProject -build-project <project_name> Specifies the name of the project being
scanned. The name is not used by
Fortify SCA but is included in the
analysis results.

buildVersion -build-version <version> The version of the project being
scanned. The version is not used by
Fortify SCA but is included in the
analysis results.

Fortify Source Code Analyzer User’s Guide 49


Table 15: Sourceanalyzer Task Command Line Options

Attribute Command Line Option Description

classpath -cp <classpath> Specifies the classpath to be used for


Java source code. Format is same as
javac (colon or semicolon-separated
list of paths).

clean -clean This option resets the build ID. The


default value is false.

debug -debug This option enables the debug mode,


which is useful during troubleshooting.

disableAnalyzers -disable-analyzer This option takes a colon-delimited list


<list_of_analyzers> of analyzers so that you can disable
multiple analyzers at once if necessary.

enableAnalyzers -enable-analyzer This option takes a colon-delimited list


<list_of_analyzers> of analyzers so that you can enable
multiple analyzers at once if necessary.

encoding -encoding Specifies the source file encoding type.


<encoding_type> This option is the same as the javac
encoding option.

extdirs -extdirs Similar to the javac extdirs option,


<list_of_dirs> accepts a colon or semicolon
separated list of directories. Any jar
files found in these directories are
included implicitly on the classpath.

filter -filter <file_name> Specifies the filter file.

findbugs -findbugs Setting this to true enables FindBugs


analysis. The default value is false.

format -format Controls the output format. Valid


<format_type> options are fpr, fvdl, text, and
auto. The default is auto, which
selects the output format based on the
file extension.
Note: If you are using results
certification, you must specify the fpr
format. See the Audit Workbench
User’s Guide for information on results
certification.

htmlReport -html-report Specifies the creation of an HTML


summary of the results produced. The
output format must be fpr or fvdl.
The report file will be given the same
base name as the results output file.
The default value is false.

javaBuildDir -java-build-dir Specifies one or more directors to


<directory> which Java sources have been
compiled. Must be specified for the
findbugs option, as described above.

50 Fortify Source Code Analyzer User’s Guide


Table 15: Sourceanalyzer Task Command Line Options

Attribute Command Line Option Description

jdk -source <value> Indicates which version of the JDK the


Java code is written for. Valid values for
this option are 1.3, 1.4, 1.5, and
1.6. The default is 1.4..
Note: The source and JDK options
are the same. If both options are
specified, the option that is specified
last will take precedence.

jdkBootclasspath -jdk-bootclasspath Specifies the JDK bootclasspath.


<classpath>

logfile -logfile <file_name> Specifies the log file that is produced


by Fortify SCA.

maxHeap -Xmx <size> Specifies the maximum amount of


memory used by Fortify SCA. By
default, it uses up to 600 MB of
memory (600M), which can be
insufficient for large code bases.

When specifying this option, ensure


that you do not allocate more memory
than is physically available, because
this will degrade performance. As a
guideline, assuming no other memory
intensive processes are running, do not
allocate more than 2/3 of the available
memory.

noDefaultRules -no-default-rules Setting this option specifies that Fortify


SCA should not apply default rules
when scanning.

resultsfile -f The file to which the results are written.


<absolute_path_file
name>

rules -rules The rules option takes a list of rules


<delimited_rules_lis files, delimited by the path separator (
t> this is a semi-colon (;) on Windows,
and a colon (:) on other platforms. For
each element in this list, SCA is passed
the -rules <file> command.

scan -scan Setting this option determines whether


Fortify SCA should perform analysis on
the provided build ID. The default value
is false.

source -source <value> Indicates which version of the JDK the


Java code is written for. Valid values for
this option are 1.3, 1.4, 1.5, and
1.6. The default is 1.4..
Note: The source and JDK options
are the same. If both options are
specified, the option that is specified
last will take precedence.

Fortify Source Code Analyzer User’s Guide 51


Table 15: Sourceanalyzer Task Command Line Options

Attribute Command Line Option Description

sourcepath -sourcepath Specifies the location of source files


<directory> which will not be included in the scan
but will be used for resolution.

use64bit -64 Runs Fortify SCA under the 64-bit JRE.


If no 64-bit JRE is available, Fortify
SCA fails.

verbose -verbose Setting this option sends verbose


status messages to the console.

The bootclasspath, classpath, extdirs, and sourcepath options may also be specified as nested
elements, as with the Ant javac task. Source files can be specified via nested <fileset> elements.

The following table lists the nested elements of the sourceanalyzer task.

Table 16: Sourceanalyzer Task Nested Elements
(Element, followed in parentheses by its Ant type, then the description)

fileset (Fileset)
    Specifies the files to pass to Fortify SCA.

classpath (Path)
    Specifies the classpath to be used for Java source code.

bootclasspath (Path)
    Specifies the JDK bootclasspath.

extdirs (Path)
    Similar to the javac extdirs option. Any jar files found in these directories are included
    implicitly on the classpath.

sourcepath (Path)
    Specifies the location of source files which will not be included in the scan but will be
    used for resolution.


Appendix D: Advanced Options
This chapter describes the following advanced options:

• Creating a Filter File
• Using Properties to Control Runtime Options

Creating a Filter File

You can create a text file for filtering out specific vulnerability instances, vulnerability categories, and
rules when you run the sourceanalyzer command. Items that are filtered out are not displayed in
scan results and are not available to auditors.

The filter file is specified with the -filter analysis option, followed by the name of the filter file
(<filter file.txt>).

Note: Fortify Software recommends that you use this feature only if you are an advanced user. Do
not use this feature during standard audits because auditors should be able to see and evaluate all
issues found by Fortify SCA.

A filter file is a flat text file that can be created with any text editor. The file functions as a blacklist:
you list only the items you do not want reported, one per line. The following filter types
can be entered on a line:

• Category
• Instance ID
• Rule ID
The filters are applied at different times in the analysis process, according to the type of filter.
Category and rule ID filters are applied during the initialization phase before any scans have taken
place, whereas an instance ID filter is applied after the analysis phase.

For example, the following output is the result of a scan of EightBall.java, located in the
/Samples/basic/eightball directory under your Fortify installation directory.

From the command line, navigate to the eightball directory and execute the following commands
to build, scan, and analyze the eightball sample.

>sourceanalyzer -b eightball EightBall.java
>sourceanalyzer -b eightball -scan

After Fortify SCA finishes, you should see 6 detected issues that look similar to the following. Note
that the 32-digit hexadecimal instance identifiers have been replaced with hash marks (####) for
readability.

[#### : low : Unchecked Return Value : semantic]
    EightBall.java(12) : Reader.read()

[#### : medium : Path Manipulation : dataflow]
    EightBall.java(12) : ->new FileReader(0)
    EightBall.java(6) : <=>(filename)
    EightBall.java(4) : ->EightBall.main(0)

[#### : medium : Unreleased Resource : Streams : controlflow]
    EightBall.java(12) : start -> loaded : new FileReader(...)
    EightBall.java(12) : loaded -> loaded : <inline expression> refers to an allocated resource
    EightBall.java(12) : java.io.IOException thrown
    EightBall.java(12) : loaded -> loaded : return
    EightBall.java(12) : loaded -> loaded : <inline expression> no longer refers to an allocated resource
    EightBall.java(12) : loaded -> end_of_scope : end scope : Resource leaked : java.io.IOException thrown

    EightBall.java(12) : start -> loaded : new FileReader(...)
    EightBall.java(12) : loaded -> loaded : <inline expression> refers to an allocated resource
    EightBall.java(14) : loaded -> loaded : <inline expression> no longer refers to an allocated resource
    EightBall.java(14) : loaded -> end_of_scope : end scope : Resource leaked

[#### : low : J2EE Bad Practices : Leftover Debug Code : structural]
    EightBall.java(4)

[#### : low : Poor Logging Practice : Use of a System Output Stream : structural]
    EightBall.java(10)

[#### : low : Poor Logging Practice : Use of a System Output Stream : structural]
    EightBall.java(13)

Filter File Contents

The sample filter file, test_filter.txt, does the following:

• Removes all results related to the Poor Logging Practice category
• Removes the Unreleased Resource issue based on its instance ID
• Removes any data flow issues that were generated from a specific rule ID

The test_filter.txt file used in this example contains the following text:

#This is a category that will be filtered from scan output
Poor Logging Practice

#This is an instance ID of a specific issue to be filtered from scan
#output
####

#This is a specific Rule ID that leads to the reporting of a specific
#issue in the scan output. In this case the example is a data flow
#sink for a Path Manipulation issue.
####

You can create a file to test the filtered output by copying the above text into a file. Make sure you
substitute the #### placeholders with actual instance and rule IDs. You can obtain this information
using Audit Workbench.

The following command is executed using the -filter option to specify test_filter.txt:

[C:\Program Files\Fortify Software\Fortify SCA 5.2\Samples\basic\eightball]>sourceanalyzer -b eightball -scan -filter test_filter.txt

You should see results similar to the following:

[F7A138CDE5235351F6A4405BA4AD7C53 : low : Unchecked Return Value : semantic]
    EightBall.java(12) : Reader.read()

[#### : medium : Unreleased Resource : Streams : controlflow]
    EightBall.java(12) : start -> loaded : new FileReader(...)
    EightBall.java(12) : loaded -> loaded : <inline expression> refers to an allocated resource
    EightBall.java(12) : java.io.IOException thrown
    EightBall.java(12) : loaded -> loaded : return
    EightBall.java(12) : loaded -> loaded : <inline expression> no longer refers to an allocated resource
    EightBall.java(12) : loaded -> end_of_scope : end scope : Resource leaked : java.io.IOException thrown

    EightBall.java(12) : start -> loaded : new FileReader(...)
    EightBall.java(12) : loaded -> loaded : <inline expression> refers to an allocated resource
    EightBall.java(14) : loaded -> loaded : <inline expression> no longer refers to an allocated resource
    EightBall.java(14) : loaded -> end_of_scope : end scope : Resource leaked

[BB9F74FFA0FF75C9921D0093A0665BEB : low : J2EE Bad Practices : Leftover Debug Code : structural]
    EightBall.java(4)
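The following Python script is an added example and is not part of the Fortify guide or product. It replays the three blacklist entry types described in this section (category, instance ID, rule ID, with # comment lines) over a constructed listing modeled on the EightBall output above, and reports which entry removed each issue and in which phase that entry type is applied. The instance IDs made of one repeated digit, the rule ID placeholder and the instance-to-rule mapping are assumptions, because the text listing does not print rule IDs; the two 32-digit IDs are the ones shown in the guide.

```python
"""Added example, not Fortify code: replay a filter file over a scan listing.

Applies the three blacklist entry types the guide describes (category, instance
ID, rule ID; '#' lines are comments) to a text listing in the shape
sourceanalyzer prints, and reports which entry removed each issue.
"""
import re
from dataclasses import dataclass, field

# Constructed listing modeled on the EightBall output. The two 32-digit IDs
# that appear in the guide are kept; IDs of one repeated digit stand in for
# the ones the guide prints as ####.
SAMPLE_LISTING = """\
[F7A138CDE5235351F6A4405BA4AD7C53 : low : Unchecked Return Value : semantic]
    EightBall.java(12) : Reader.read()

[11111111111111111111111111111111 : medium : Path Manipulation : dataflow]
    EightBall.java(12) : ->new FileReader(0)
    EightBall.java(6) : <=>(filename)
    EightBall.java(4) : ->EightBall.main(0)

[22222222222222222222222222222222 : medium : Unreleased Resource : Streams : controlflow]
    EightBall.java(12) : start -> loaded : new FileReader(...)
    EightBall.java(14) : loaded -> end_of_scope : end scope : Resource leaked

[BB9F74FFA0FF75C9921D0093A0665BEB : low : J2EE Bad Practices : Leftover Debug Code : structural]
    EightBall.java(4)

[33333333333333333333333333333333 : low : Poor Logging Practice : Use of a System Output Stream : structural]
    EightBall.java(10)

[44444444444444444444444444444444 : low : Poor Logging Practice : Use of a System Output Stream : structural]
    EightBall.java(13)
"""

# Rule IDs are not printed in the text listing (the guide says to read them in
# Audit Workbench), so this instance-to-rule mapping is constructed.
RULE_IDS = {"11111111111111111111111111111111": "RULE-ID-PLACEHOLDER-PATH-MANIPULATION-SINK"}

# Same layout as the guide's test_filter.txt, with the #### placeholders filled in.
FILTER_TEXT = """\
#This is a category that will be filtered from scan output
Poor Logging Practice

#This is an instance ID of a specific issue to be filtered from scan output
22222222222222222222222222222222

#This is a specific Rule ID (here a data flow sink for Path Manipulation)
RULE-ID-PLACEHOLDER-PATH-MANIPULATION-SINK
"""

INSTANCE_ID_RE = re.compile(r"^[0-9A-Fa-f]{32}$")


@dataclass
class Issue:
    instance_id: str
    severity: str
    category: str                 # e.g. "Unreleased Resource : Streams"
    analyzer: str
    trace: list = field(default_factory=list)


def parse_listing(text):
    """A '[...]' header line starts each issue; following lines are its trace."""
    issues = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            parts = re.split(r"\s*:\s*", line[1:-1])   # id, severity, category..., analyzer
            issues.append(Issue(parts[0], parts[1], " : ".join(parts[2:-1]), parts[-1]))
        elif issues:
            issues[-1].trace.append(line)
    return issues


def parse_filter(text):
    """Filter entries: blank lines and '#' comment lines are ignored."""
    return [l.strip() for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]


def filter_phase(entry):
    """Per the guide: instance IDs are applied after analysis, categories and
    rule IDs during initialization."""
    return "post-analysis" if INSTANCE_ID_RE.match(entry) else "initialization"


def matching_entry(issue, entries, rule_ids):
    """Return the first filter entry that removes this issue, or None."""
    for entry in entries:
        if INSTANCE_ID_RE.match(entry) and entry.upper() == issue.instance_id.upper():
            return entry                                          # instance ID
        if entry == rule_ids.get(issue.instance_id):
            return entry                                          # rule ID
        if issue.category == entry or issue.category.startswith(entry + " : "):
            return entry                                          # category (or sub-category)
    return None


def apply_filter(issues, entries, rule_ids):
    """Return (kept issues, {instance ID: entry that removed it})."""
    kept, removed = [], {}
    for issue in issues:
        hit = matching_entry(issue, entries, rule_ids)
        if hit is None:
            kept.append(issue)
        else:
            removed[issue.instance_id] = hit
    return kept, removed


if __name__ == "__main__":
    kept, removed = apply_filter(parse_listing(SAMPLE_LISTING), parse_filter(FILTER_TEXT), RULE_IDS)
    for iid, entry in removed.items():
        print(f"removed {iid} by '{entry}' ({filter_phase(entry)})")
    for issue in kept:
        print(f"[{issue.instance_id} : {issue.severity} : {issue.category} : {issue.analyzer}]")
        print("\n".join("    " + step for step in issue.trace))
```

Run directly, the script prints the two surviving issues in the listing format. The real sourceanalyzer applies the filter itself; this only models what a given test_filter.txt will hide from auditors, which is the check to make before using a filter in a scan.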

Using Properties to Control Runtime Options

You can use properties to define runtime options for Fortify SCA, including analysis, output, and
performance tuning options. These properties can be set in four different places:

• fortify-sca.properties contains the global set of default properties
• fortify-sca.properties (for Windows installations) or .fortify-sca.properties (for
  non-Windows installations) contains your locally defined properties
• On the command line by specifying -D<property_name>=<property_value>
• fortify-sca-quickscan.properties contains the set of properties that are used when
  SCA runs in Quick Scan mode.

The fortify-sca.properties and fortify-sca-quickscan.properties files are located
in the <install_directory>/Core/config directory. The fortify.properties file is
located in either your Windows user directory or your Unix home directory.

You can edit all properties files directly.


Specifying the Order of Properties
Fortify SCA processes properties in a specific order, using this order to override any previously-set
properties with the values that you specify. You should keep this processing order in mind when
making changes to the properties files.

Property definitions are processed in the following order:

• Properties specified on the command line have the highest precedence and can be specified
during any scan.
• Properties specified in the fortify-sca-quickscan.properties file are processed
second, but only when the -quick option is used to operate in Quick Scan mode. If Quick Scan
is not invoked, this file is ignored.
• Properties specified in the local fortify.properties file are processed third. Change
values in this file on a scan-by-scan basis to fine-tune your installation.
• Properties specified in the global fortify-sca.properties file are processed last. You
should edit this file if you want to change the property values on a more permanent basis for all
scans.
Fortify SCA also relies on some properties that have internally-defined default values.
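The following Python script is an added example, not part of the guide or the product. It models the processing order just described, so you can see which source supplies a property's value for a given sourceanalyzer command line, with and without -quick. The contents of the three properties files are constructed; the BUILTIN_DEFAULTS values are copied from Table 17 and treated here as the last layer, which is an assumption about how the internally-defined defaults behave; and parse_properties handles only the key=value subset of the .properties format.

```python
"""Added example, not Fortify code: which value a Fortify SCA property takes.

Models the documented precedence: command line -D values first, then
fortify-sca-quickscan.properties (only when -quick is given), then the local
fortify.properties, then the global fortify-sca.properties, then a built-in
default. File contents below are constructed for the example.
"""

# Constructed contents of the three files, in Java .properties syntax.
QUICKSCAN_PROPERTIES = """\
# fortify-sca-quickscan.properties (constructed; mirrors the Quick Scan column of Table 18)
com.fortify.sca.limiters.MaxChainDepth=4
com.fortify.sca.FPRDisableSrcHtml=true
com.fortify.sca.FilterSet=targeted
"""

LOCAL_PROPERTIES = """\
# fortify.properties in the user's home directory (constructed)
com.fortify.sca.limiters.MaxChainDepth=6
"""

GLOBAL_PROPERTIES = """\
# fortify-sca.properties under <install_directory>/Core/config (constructed)
com.fortify.sca.limiters.MaxPaths=3
com.fortify.sca.FPRDisableSrcHtml=false
"""

# Last-resort values, copied from Table 17 (assumption: treated as built-in).
BUILTIN_DEFAULTS = {
    "com.fortify.sca.limiters.MaxChainDepth": "5",
    "com.fortify.sca.limiters.MaxFieldDepth": "4",
    "com.fortify.sca.limiters.MaxPaths": "5",
    "com.fortify.sca.Debug": "false",
}


def parse_properties(text):
    """Minimal .properties reader: key=value or key:value, '#'/'!' comments.
    Continuation lines and escapes of the full format are not handled."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def parse_command_line(args):
    """Pick -D<name>=<value> overrides and the -quick flag out of sourceanalyzer arguments."""
    overrides, quick = {}, False
    for arg in args:
        if arg.startswith("-D") and "=" in arg:
            name, value = arg[2:].split("=", 1)
            overrides[name] = value
        elif arg == "-quick":
            quick = True
    return overrides, quick


def property_layers(args, quickscan=QUICKSCAN_PROPERTIES,
                    local=LOCAL_PROPERTIES, global_=GLOBAL_PROPERTIES):
    """Sources in the order Fortify SCA consults them, highest precedence first."""
    overrides, quick = parse_command_line(args)
    layers = [("command line", overrides)]
    if quick:   # the quick-scan file is only read when -quick is given
        layers.append(("fortify-sca-quickscan.properties", parse_properties(quickscan)))
    layers.append(("fortify.properties", parse_properties(local)))
    layers.append(("fortify-sca.properties", parse_properties(global_)))
    layers.append(("built-in default", BUILTIN_DEFAULTS))
    return layers


def resolve(name, args, **files):
    """Return (value, source) for one property, or (None, None) if it is set nowhere."""
    for source, props in property_layers(args, **files):
        if name in props:
            return props[name], source
    return None, None


def effective_properties(args, **files):
    """Merge all layers into the property set a scan with these arguments would use."""
    merged = {}
    for _, props in reversed(property_layers(args, **files)):
        merged.update(props)     # higher-precedence layers overwrite lower ones
    return merged


if __name__ == "__main__":
    for argv in (["-b", "eightball", "-scan"],
                 ["-b", "eightball", "-scan", "-quick"],
                 ["-b", "eightball", "-scan", "-quick",
                  "-Dcom.fortify.sca.FPRDisableSrcHtml=false"]):
        print("sourceanalyzer " + " ".join(argv))
        for prop in ("com.fortify.sca.limiters.MaxChainDepth",
                     "com.fortify.sca.FPRDisableSrcHtml"):
            value, source = resolve(prop, argv)
            print(f"  {prop} = {value}  (from {source})")
```

The third command line in the main block shows the case Table 18 warns about: a quick scan sets com.fortify.sca.FPRDisableSrcHtml to true, so an FPR meant for upload to Fortify Team Server needs the value forced back to false on the command line, which outranks the quick-scan file.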

The following table lists properties that can be defined. The default values are listed. If you want to
use Quick Scan Mode, or want to tune your application, you can make the changes as described in
Table 18: Tuning Performance Properties.

Table 17: Fortify Properties
(Property name, its default value, and a description)

com.fortify.sca.AbortedScanOverwritesOutput
    Default: false
    By default, if a scan is interrupted, the partial results are written to a different output
    file: <output>.partial.fpr instead of <output>.fpr. If this property is set to true, the
    interrupted results are written to the normal output file (<output>.fpr), which overwrites
    any full-scan results that may be present in that file.

com.fortify.sca.Appserver
    Default: (none)
    Specifies the application server for processing JSP files: weblogic or websphere.

com.fortify.sca.Appserver.Home
    Default: (none)
    Specifies the application server's home.
    For WebLogic, this is the path to the directory containing the server/lib directory.
    For WebSphere, this is the path to the directory containing the bin/JspBatchCompiler script.

com.fortify.sca.Appserver.Version
    Default: (none)
    Specifies the version of the application server.
    For WebLogic, valid values are 7, 8, 9, and 10.
    For WebSphere, the valid value is 6.

com.fortify.sca.fileextensions.*
    Default: (none)
    Controls how Fortify SCA handles files with given extensions. See fortify-sca.properties
    for examples.

com.fortify.sca.FPRDisableSrcHtml
    Default: (none)
    If true, disables source code rendering into the FPR file.

com.fortify.sca.NoDefaultRules
    Default: (none)
    If true, rules from the default rulepacks are not loaded. Fortify SCA processes the rulepacks
    for description elements and language libraries, but no rules are processed.

com.fortify.sca.NoDefaultIssueRules
    Default: (none)
    If true, disables rules in default rulepacks that lead directly to issues. Still loads rules
    that characterize the behavior of functions.
    Note: This is equivalent to disabling the following rule types: DataflowSink, Semantic,
    Controlflow, Structural, Configuration, Content, Statistical, Internal, and
    Characterization:Issue.

com.fortify.sca.DisableDefaultRuleTypes
    Default: (none)
    Disables the specified type of rule in the default rulepacks, where type is the XML tag minus
    the suffix "Rule". For example, use DataflowSource for DataflowSourceRule elements. You can
    also specify specific sections of characterization rules, such as
    Characterization:Controlflow, Characterization:Issue, and Characterization:Generic. Type is
    case-insensitive. Use a colon-delimited list to specify multiple types of rules.

com.fortify.sca.NoDefaultSinkRules
    Default: (none)
    If true, disables sink rules in the default rulepacks.
    Note: Characterization sink rules are not disabled.

com.fortify.sca.NoDefaultSourceRules
    Default: (none)
    If true, disables source rules in the default rulepacks.
    Note: Characterization source rules are not disabled.

com.fortify.sca.ProjectRoot
    Default: (platform dependent)
    Directory used by Fortify SCA to store intermediate files generated during scans.

com.fortify.sca.DefaultFileTypes
    Default: java,jsp,sql,pks,pkh,pkb,xml,properties,config,dll,exe
    Comma-separated list of file extensions that are picked up by default by Fortify SCA.

com.fortify.sca.compilers.*
    Default: (none)
    Can be used to inform Fortify SCA about specially-named compilers. See
    fortify-sca.properties for examples.

com.fortify.sca.FVDLDisableProgramData
    Default: false
    If true, causes the ProgramData section to be excluded from the analysis results (FVDL
    output).

com.fortify.sca.FVDLDisableSnippets
    Default: false
    If true, code snippets are not included in the analysis results (FVDL output).

com.fortify.sca.LogFile
    Default: ${com.fortify.sca.ProjectRoot}/log/sca.log
    The default location for the Fortify SCA log file.

com.fortify.sca.LogMaxSize
    Default: (none)
    When this property is set, it enables log rotation for the Fortify SCA log. The value is the
    number of bytes that can be written to the log file before it is rotated. Must be used with
    com.fortify.sca.LogMaxFiles.

com.fortify.sca.LogMaxFiles
    Default: (none)
    The number of log files to include in the log file rotation set. When all files are filled,
    the first file in the rotation is overwritten. The value must be at least 1. Must be used
    with com.fortify.sca.LogMaxSize.

com.fortify.sca.Debug
    Default: false
    Produces a debug log file. This log file is for Technical Support purposes.

com.fortify.sca.PPSSilent
    Default: false
    Prompts the user with the number of lines the scan requires to analyze the source code. Set
    to true to suppress the prompt and automatically deduct the lines.
    Note: If the scan requires more lines than are available, the scan fails with an error
    indicating how many additional lines are required.

com.fortify.sca.UnicodeInputFile
    Default: (none)
    When set to true, this property indicates that the input file is UTF-8 based and begins with
    a byte-order mark (BOM). Typically, you should only set this property if you see a lexical
    error at Line 1, Column 1, indicating that the BOM is present.

com.fortify.rules.SkipRulePacks
    Default: (none)
    Semicolon-delimited list of rulepacks to exclude from the default set. This property controls
    which rulepacks are used by Fortify SCA by default. All rulepacks installed in
    <install_directory>/Core/config/rules are used by default unless they are on this list.

com.fortify.sca.limiters.MaxChainDepth
    Default: 5
    Controls the maximum call depth through which the data flow analyzer tracks tainted data.
    Increasing this value increases the coverage of data flow analysis, and results in longer
    analysis times. This property can be changed if you are using Quick Scan Mode: see the
    following table for the suggested value to use.
    Note: In this case, call depth refers to the maximum call depth on a data flow path between a
    taint source and sink, rather than call depth from the program entry point, such as main().

com.fortify.sca.limiters.MaxFieldDepth
    Default: 4
    Controls the maximum granularity of taint tracking through data structure member fields. This
    value is the number of nested fields through which taint will be tracked before the entire
    structure is considered tainted. Increasing this value improves the accuracy of analysis by
    reducing false positives, and normally increases analysis time.

com.fortify.sca.limiters.MaxPaths
    Default: 5
    Controls the maximum number of paths to report for a single data flow vulnerability. Changing
    this value does not change the results that are found, only the number of data flow paths
    displayed for an individual result.

com.fortify.sca.limiters.MaxIndirectResolutionsForCall
    Default: 128
    Controls the maximum number of virtual functions that are followed at a given call site.

The following table describes the properties that can be used to tune default scanning performance.
They have different defaults for Quick Scan mode, which can be adjusted by editing the fortify-
sca-quickscan.properties file. If you want to use the recommended tuning parameters, you
do not need to edit this file; however, you may find that you want to experiment with other settings to
fine-tune your specific application.

Remember that properties in this file are processed only if you specify the -quick option on the
command line when invoking your scan.



Table 18: Performance Tuning Properties
(Property name, its default and Quick Scan values, and a description)

com.fortify.sca.FilterSet
    Default value is not set. Quick Scan value: Targeted.
    When set to targeted, this property runs rules only for the targeted filter set. Running only
    a subset of the defined rules allows the Fortify SCA scan to complete more quickly. This
    causes SCA to run only those rules that can cause issues identified in the named filter set,
    as defined by the default project template for your application. For more information about
    project templates, see the Audit Workbench User's Guide.

com.fortify.sca.FPRDisableSrcHtml
    Default value: False. Quick Scan value: True.
    When set to true, this property prevents the generation of marked-up source files required
    for Fortify Team Server. If you plan to upload FPRs that are generated as a result of a quick
    scan, you must set this property to false.

com.fortify.sca.limiters.ConstraintPredicateSize
    Default value: 50000. Quick Scan value: 10000.
    Skips calculations defined as very complex in the buffer analyzer to improve scanning time.

com.fortify.sca.limiters.BufferConfidenceInconclusiveOnTimeout
    Default value: true. Quick Scan value: false.
    Skips calculations defined as very complex in the buffer analyzer to improve scanning time.

com.fortify.sca.limiters.MaxChainDepth
    Default value: 5. Quick Scan value: 4.
    Controls the maximum call depth through which the data flow analyzer tracks tainted data.
    Increasing this value increases the coverage of data flow analysis, and results in longer
    analysis times.
    Note: In this case, call depth refers to the maximum call depth on a data flow path between a
    taint source and sink, rather than call depth from the program entry point, such as main().

com.fortify.sca.limiters.MaxTaintDefForVar
    Default value: 1000. Quick Scan value: 500.
    This property sets the complexity limit for data flow precision backoff. Data flow
    incrementally decreases precision of analysis for functions that exceed this complexity
    metric for a given precision level.

com.fortify.sca.limiters.MaxTaintDefForVarAbort
    Default value: 4000. Quick Scan value: 1000.
    This property sets a hard limit for function complexity. If complexity of a function exceeds
    this limit at the lowest precision level, the analyzer will not analyze that function.

com.fortify.sca.DisableGlobals
    Default value: false. Quick Scan value: false.
    This property prevents the tracking of tainted data through global variables to allow faster
    scanning.

com.fortify.sca.CtrlflowSkipJSPs
    Default value: false. Quick Scan value: false.
    This property skips control flow analysis of JSPs in your project.

com.fortify.sca.NullPtrMaxFunctionTime
    Default value: 300000. Quick Scan value: 30000.
    This property sets a time limit, in milliseconds, for Null Pointer analysis for a single
    function. The default is five minutes. Setting it to a shorter limit decreases overall
    scanning time.

com.fortify.sca.CtrlflowMaxFunctionTime
    Default value: 600000. Quick Scan value: 30000.
    This property sets a time limit, in milliseconds, for control flow analysis for a single
    function. The default is 10 minutes.

com.fortify.sca.TrackPaths
    By default, this property is not set. Quick Scan value: NoJSP.
    This property disables path tracking for control flow analysis. Path tracking provides more
    detailed reporting for issues, but requires more scanning time. You can disable this for JSP
    only by setting it to NoJSP, or for all functions by setting it to None.


Appendix E: Acknowledgements
Fortify Software acknowledges the following:

• Java RunTime Environment

Java RunTime Environment

The Fortify Source Code Analysis distribution CD-ROM media includes the Sun Java RunTime
Environment (JRE). The following statements are included to comply with the terms of JRE
distribution.

This product includes code licensed from RSA Security, Inc.

Some portions licensed from IBM are available at http://oss.software.ibm.com/icu4j/.
Index

Symbols
.NET command line options 42
@filename option 45

A
about
    results certification 6
analysis command line options 40
analyzing
    .NET 15
    .NET 1.1 15
    .NET 2.0 15
    ASP.NET 1.1 16
    ColdFusion 25
    J2EE 10
    JSP files 11
    Visual Studio .NET 2003 15
    Visual Studio 2005 15
Ant
    task parameters 47
ASP.NET 1.1
    analyzing 16

B
build
    scan options 21
build integration command line options 43
Build Monitor
    configuring 21
    example 22
    options 20
    overview 20
    results folder 21
    scan options 21
    starting 21
builds
    monitoring 21

C
C and C++
    command line examples 19
ColdFusion
    analyzing 25
    command line example 27
    command line options 41
    command line syntax 25
command line examples
    .Net 15
    C and C++ 19
    ColdFusion 27
command line options
    .NET 42
    analysis 40
    build integration 43
    ColdFusion 41
    debug 45
    encoding 45
    help 45
    Java/J2EE 41
    other 45
    output 39
    runtime 44
    version 45
command line syntax
    ColdFusion 25
    Java 9, 25
configuring
    Build Monitor 21
    results folder 21
creating
    filter files 53

D
debug option 45

E
encoding option 45
example
    Build Monitor 22

F
file specifiers 25, 46
filter files
    creating 53
FindBugs
    integrating with 12
Fortify SCA Properties 55

H
help option 45

I
integrating
    with FindBugs 12
    with Make 19

J
J2EE
    analyzing 10
    command line options 41
Java
    command line options 41
    command line syntax 9, 25
    file specifiers 25, 46
JSP files
    analyzing 11

M
Make
    integrating with 19
monitoring
    builds 20, 21

O
options
    Build Monitor 20
output command line options 39
overview
    Build Monitor 20

P
properties file 55

R
results certification
    viewing 6
runtime command line options 44
runtime properties 55

S
scan
    monitoring build 21
SQL notes 26
starting
    Build Monitor 21

T
task parameters 47
touchless build adapter 19
translating
    Classic ASP 25
    JavaScript 25
    other languages 25
    PHP 25
    PLSQL 25
    SQL 25
    TSQL 25
    VB 6 25
    VBScript 25

V
version option 45
viewing
    results certification 6
Visual Studio
    Fortify plug-in 15