HP Fortify Static Code Analyzer: User Guide

HP Fortify Static Code Analyzer
Software Version: 4.40
User Guide
Document Release Date: November 2015

Software Release Date: November 2015
User Guide
Legal Notices
Warranty
The only warranties for HP products and services are set forth in the express warranty statements
accompanying such products and services. Nothing herein should be construed as constituting an
additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
The information contained herein is subject to change without notice.
Restricted Rights Legend

Confidential computer software. Valid license from HP required for possession, use or copying. Consistent
with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and
Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard
commercial license.
The software is restricted to use solely for the purpose of scanning software for security vulnerabilities that is
(i) owned by you; (ii) for which you have a valid license to use; or (iii) with the explicit consent of the owner of
the software to be scanned, and may not be used for any other purpose.
You shall not install or use the software on any third party or shared (hosted) server without explicit consent
from the third party.
Copyright Notice
© Copyright 2003 - 2015 Hewlett Packard Enterprise Development LP
Documentation Updates
The title page of this document contains the following identifying information:
l Software Version number
l Document Release Date, which changes each time the document is updated
l Software Release Date, which indicates the release date of this version of the software
To check for recent updates or to verify that you are using the most recent edition of a document, go to:
https://protect724.hp.com/welcome
You will receive updated or new editions if you subscribe to the appropriate product support service. Contact
your HP sales representative for details.
HP Fortify Static Code Analyzer (4.40) Page 2 of 136

User Guide
Contents
Preface 9
Contacting HP Fortify Support 9
For More Information 9
About the HP Fortify Software Security Center Documentation Set 9
Change Log 10
Chapter 1: Introduction 11
About the HP Fortify Software Security Center Components 11
About HP Fortify Static Code Analyzer 11
About Analyzers 12
About HP Fortify CloudScan 13
About the HP Fortify Scan Wizard 14
Related Documents 14
Chapter 2: Analysis Process Overview 15

About the Analysis Process 15
About the Translation Phase 16
About SCA Mobile Build Sessions 16
Creating a Mobile Build Session 17
Importing a Mobile Build Session 17
About the Analysis Phase 17
About Memory Considerations 18
About Parallel Analysis 18
About Verification of the Translation and Analysis Phase 18
Chapter 3: Translating Java Code 20

Java Command-Line Syntax 20
Java/J2EE Options 21
Java Command-Line Examples 22
Integrating with Ant using the SCA Compiler Adapter 22
Handling Resolution Warnings 23
Java Warnings 23

User Guide
Using FindBugs 23
Translating J2EE Applications 24
Prerequisite for Translating Code Using Legacy Versions of the J2EE SDK 25
Translating the Java Files 25
Translating JSP Projects, Configuration Files, and Deployment Descriptors 26
J2EE Warnings 26
Translating Java Bytecode 26
Chapter 4: Translating .NET Code 28

About Translating .NET Code 28
.NET Command-Line Syntax 28
.NET Command-Line Options 29
Translating Simple .NET Applications 29
Translating ASP.NET 1.1 (Visual Studio Version 2003) Projects 30
Handling Resolution Warnings 31
About .NET Warnings 31
About ASP.NET Warnings 32
Chapter 5: Translating C and C++ Code 33

C and C++ Command-Line Syntax 33
Build Integration 34
Modifying a Build Script to Invoke SCA 35
Touchless Build Integration 35
Scanning Pre-processed C and C++ Code 36
Chapter 6: Translating ABAP Code 37

About Translating ABAP Code 37
About Scanning ABAP Code 37
About INCLUDE Processing 38
Importing the HP Fortify ABAP Extractor Transport Request 38
Adding SCA to Your Favorites List 39
Running the HP Fortify ABAP Extractor 40
Chapter 7: Translating Ruby Code 43

Ruby Command-Line Syntax 43
Ruby Options 43
Adding Libraries 44
Adding Multiple Library Paths 44

User Guide
Adding Gem Paths 44
Chapter 8: Translating Flex and ActionScript 45

ActionScript Command-Line Syntax 45
Flex and ActionScript Command-Line Options 45
ActionScript Command-Line Examples 46
About Handling Resolution Warnings 47
About ActionScript Warnings 47
Chapter 9: Translating Code for Mobile Platforms 48

About Translating Objective-C++ Code 48
Prerequisites 48
Objective-C++ Command-Line Syntax 48
Xcode Compiler Errors 49
About Translating Google Android Code 49
Chapter 9: Translating COBOL Code 50

Preparing COBOL Source Files for Translation 50
COBOL Command-Line Syntax 51
About Auditing COBOL Scans 52
Chapter 10: Translating Other Languages 53

About Translating Python Code 53
Python Command-Line Options 54
About Translating ColdFusion Code 54
ColdFusion Command-Line Syntax 54
ColdFusion Options 55
About Translating SQL 55
PL/SQL Command-Line Example 55
T-SQL Command-Line Example 56
About Translating ASP/VBScript Virtual Roots 56
Classic ASP Command-Line Example 58
JavaScript Command-Line Example 58
VBScript Command-Line Example 58
PHP Command-Line Example 58
Chapter 11: Command-Line Utilities 59

About SCA Utilities 59

User Guide
Other Command-Line Utilities 60

Precompiling MS Visual Studio 2003 ASP.NET Pages 60
Checking the SCA Scan Status 61
SCAState Utility Options 61
About Working with FPR Files 63
Merging FPR Files 63
Displaying Analysis Results for an FPR File 64
Migrating Audit Data from Previous FPR Versions 66
Extracting a Source Archive from an FPR File 67
About Generating Reports 68
Generating a BIRT Report 68
Generating a Legacy Report 70
About Updating Security Content 71
Updating Security Content 71
Chapter 12: Troubleshooting and Support 73

Using the Log File to Debug Problems 73
About the Translation Failed Message 73
About JSP Translation Problems 74
About C/C++ Precompiled Header Files 74
Reporting Bugs and Requesting Enhancements 75
Appendix A: Command-Line Interface 76

Output Options 76
Translation Options 77
Analysis Options 78
Directives 79
Other Options 80
Specifying Files 81
Appendix B: Parallel Analysis Mode 82

About Parallel Analysis Mode 82
Hardware Requirements 82
Configuring Parallel Analysis Mode 82
Running in Parallel Analysis Mode 83
Appendix C: Using the Sourceanalyzer Ant Task 84

About the Sourceanalyzer Ant Task 84

User Guide
Using the Sourceanalyzer Ant Task 84

Ant Properties 86
Sourceanalyzer Task Options 86
Appendix D: Filtering the Analysis 90

About Filter Files 90
Filter File Example 90
Appendix E: MSBuild Integration 93

Setup for MSBuild Integration 93
Setting Windows Environment Variables for Touchless Integration of SCA 93
Adding Custom Tasks to your MSBuild Project 94
Adding Fortify.TranslateTask 96
Adding Fortify.ScanTask 96
Adding Fortify.CleanTask 97
Adding Fortify.SSCTask 97
Adding Fortify.CloudScanTask 98
Appendix F: Maven Integration 99

About the Maven Plugin 99
Installing the Maven Plugin 100
Testing the Maven Plugin 100
Updating the Maven Plugin 101
Using the Maven Plugin 101
Excluding Files from the Scan 103
Uninstalling the Maven Plugin 103
Additional Documentation 103
Appendix G: HP Fortify Scan Wizard 104

About HP Fortify Scan Wizard 104
Starting the HP Fortify Scan Wizard 105
Starting Scan Wizard on a System with SCA and Applications Installed 105
Starting HP Fortify Scan Wizard as a Stand-Alone Utility 106
Appendix H: Sample Files 107

About the Sample Files 107
Basic Samples 107
Advanced Samples 109

User Guide
Appendix I: Issue Tuning 111

Wrapper Detection 111
Interprocedural Constant Propagation 112
Selective Map Operation Tracking 112
Appendix J: Configuration Options 113

About HP Fortify Static Code Analyzer Properties Files 113
Properties File Format 113
Precedence of Setting Properties 114
fortify-sca.properties 115
fortify-sca-quickscan.properties 132
Send Documentation Feedback 136

User Guide
Preface
Preface
Contacting HP Fortify Support
If you have questions or comments about using this product, contact HP Fortify Technical Support
using one of the following options.
To Manage Your Support Cases, Acquire Licenses, and Manage Your Account
https://support.fortify.com
To Email Support
fortifytechsupport@hp.com
To Call Support
650.735.2215
For More Information

For more information on HP Enterprise Security Software products:
http://www.hpenterprisesecurity.com
About the HP Fortify Software Security Center

Documentation Set
The HP Fortify Software Security Center documentation set contains installation, user, and
deployment guides for all HP Fortify Software Security Center products and components. In addition,
you will find technical notes and release notes that describe new features, known issues, and last-
minute updates. You can access the latest versions of these documents from the following
HP ESP user community Protect724 website:
https://protect724.hp.com/welcome
You will need to register for an account.

User Guide
Change Log
Change Log
The following table lists changes made to this guide.
Software
Release-Version Change
4.40-01 Added:
l "Command-Line Utilities" on page 59 (was a separate user guide)
l "HP Fortify Scan Wizard" on page 104 (was a separate Technical Note)
l "Generating a BIRT Report " on page 68 command-line utility
Updated:
l "Maven Integration" on page 99
l "Translating Java Bytecode" on page 26
l "SCAState Utility Options" on page 61
l "Configuration Options" on page 113
Removed: "About Command Line Builds in Visual Studio 6.0" (no longer
supported)
4.30-01 Updated:
l "Configuration Options" on page 113
l Python information
l "Translating .NET Code" on page 28 with support for Visual Studio 2015
l iOS scanning information in "Translating Code for Mobile Platforms" on page
48
Added: Section on Java Bytecode in "Translating Java Code" on page 20
4.21-02 Removed: Build Monitor (deprecated)
4.21-01 Added: "Translating Ruby Code" on page 43

Updated: "Translating ABAP Code" on page 37

Chapter 1: Introduction
This guide provides instructions for using HP Fortify Static Code Analyzer to scan code on most major
programming platforms. This guide is intended for people responsible for security audits and secure
coding.
Topics covered in this section:
• About the HP Fortify Software Security Center Components 11

• About HP Fortify Static Code Analyzer 11
• About Analyzers 12
• About HP Fortify CloudScan 13
• About the HP Fortify Scan Wizard 14
• Related Documents 14
About the HP Fortify Software Security Center

Components
HP Fortify Static Code Analyzer (SCA) is a component of an HP Fortify Software Security Center
installation. The installation consists of one or more of the following analyzers:
l HP Fortify Static Code Analyzer: Analyzes your build code according to a set of rules specifically
tailored to provide the information necessary for the type of analysis performed.
l HP Fortify Runtime Application Protection: Monitors and protects deployed applications from
common attacks, unintended use, and targeted hacking. In addition, best security practices, such
as input verification and proper exception handling, can be consistently applied to deployed
applications.
l HP WebInspect Agent: Identifies vulnerabilities in pre-deployment applications during the QA
phase, preventing exposure to security flaws before they are exploited.
About HP Fortify Static Code Analyzer

SCA is a set of software security analyzers that search for violations of security-specific coding rules
and guidelines in a variety of languages. The SCA language technology provides rich data that enables
the analyzers to pinpoint and prioritize violations so that fixes are fast and accurate. SCA produces
analysis information that helps you deliver more secure software, as well as making security code
reviews more efficient, consistent, and complete. Its design allows you to quickly incorporate new
third-party and customer-specific security rules.

User Guide
At the highest level, using SCA involves:

1. Choosing to run SCA as a stand-alone process or integrating SCA as part of the build tool
2. Translating the source code into an intermediate translated format
3. Scanning the translated code and producing security vulnerability reports
4. Auditing the results of the scan, either by transferring the resulting FPR file to HP Fortify Audit
Workbench or HP Fortify Software Security Center for analysis, or directly with the results
displayed on screen
Note: For information on transferring results to HP Fortify Audit Workbench, see the HP Fortify
Audit Workbench User Guide.
About Analyzers
SCA comprises seven vulnerability analyzers: Buffer, Configuration, Content, Control Flow, Dataflow,
Semantic, and Structural. Each analyzer accepts a different type of rule specifically tailored to provide
the information necessary for the corresponding type of analysis performed. Rules are definitions that
identify elements in the source code that might result in security vulnerabilities or are otherwise unsafe.
The installation process downloads and updates the HP Fortify security content (secure coding
Rulepacks and external metadata) that SCA uses on your system. The HP Fortify Customer Portal
provides updated security content on a regular basis.
The following table lists and describes each SCA analyzer.
Analyzer Description
Buffer The Buffer Analyzer detects buffer overflow vulnerabilities that involve writing or
reading more data than a buffer can hold. The buffer can be either stack-allocated or
heap-allocated. The Buffer Analyzer uses limited interprocedural analysis to
determine whether or not there is a condition that causes the buffer to overflow. If
any execution path to a buffer leads to a buffer overflow, SCA reports it as a buffer
overflow vulnerability and points out the variables that could cause the overflow. If
the value of the variable causing the buffer overflow is tainted (user-controlled), then
SCA reports it as well and displays the dataflow trace to show how the variable is
tainted.
Configuration The Configuration Analyzer searches for mistakes, weaknesses, and policy
violations in an application's deployment configuration files. For example, the
Configuration Analyzer checks for reasonable timeouts in user sessions in a web
application.
Content The Content Analyzer searches for security issues and policy violations in HTML
content. In addition to static HTML pages, the Content Analyzer performs these
checks on files that contain dynamic HTML, such as PHP, JSP, and classic ASP
files.

User Guide
Analyzer Description
Control Flow The Control Flow Analyzer detects potentially dangerous sequences of operations.
By analyzing control flow paths in a program, the Control Flow Analyzer determines
whether a set of operations are executed in a certain order. For example, the Control
Flow Analyzer detects time of check/time of use issues and uninitialized variables,
and checks whether utilities, such as XML readers, are configured properly before
being used.
Dataflow The Dataflow Analyzer detects potential vulnerabilities that involve tainted data
(user-controlled input) put to potentially dangerous use. The Dataflow Analyzer uses
global, interprocedural taint propagation analysis to detect the flow of data between a
source (site of user input) and a sink (dangerous function call or operation). For
example, the Dataflow Analyzer detects whether a user-controlled input string of
unbounded length is being copied into a statically sized buffer, and detects whether a
user controlled string is used to construct SQL query text.
Semantic The Semantic Analyzer detects potentially dangerous uses of functions and APIs at
the intra-procedural level. Its specialized logic searches for buffer overflow, format
string, and execution path issues, but is not limited to these categories. For example,
the Semantic Analyzer detects deprecated functions in Java and unsafe functions in
C/C++, such as gets().
Structural The Structural Analyzer detects potentially dangerous flaws in the structure or
definition of the program. By understanding the way programs are structured, the
Structural Analyzer identifies violations of secure programming practices and
techniques that are often difficult to detect through inspection because they
encompass a wide scope involving both the declaration and use of variables and
functions. For example, the Structural Analyzer detects assignment to member
variables in Java servlets, identifies the use of loggers that are not declared static
final, and flags instances of dead code that is never executed because of a predicate
that is always false.
About HP Fortify CloudScan

With HP Fortify CloudScan (CloudScan), you can manage your resources by offloading the processor-
intensive scanning phase of the analysis from their build machines to a cloud of machines provisioned
for this purpose.
After the translation phase is completed on the build machine, CloudScan generates an mobile build
session and moves it to an available machine for scanning. In addition to freeing up the build machines,
this process makes it easy to grow the system by adding more resources to the cloud as needed,
without having to interrupt your build process. In addition, users of Software Security Center can direct
CloudScan to output the FPR file directly to the server.
For more information on HP Fortify CloudScan, see the HP Fortify CloudScan Installation,
Configuration, and Usage Guide.

User Guide
About the HP Fortify Scan Wizard

HP Fortify Scan Wizard is a utility that allows you to quickly and easily prepare and scan project code
using SCA. The Scan Wizard allows you to run your scans locally, or, if you are using HP Fortify
CloudScan, in a cloud of computers provisioned for taking care of the processor-intensive scanning
phase of the analysis.
For more information, see "About HP Fortify Scan Wizard" on page 104.
Related Documents
The following documents provide additional information about HP Fortify Static Code Analyzer:
l HP Fortify Static Code Analyzer Installation Guide
This document provides information on installing HP Fortify Static Code Analyzer and applications.
l HP Fortify Software Security Center System Requirements
This document contains information about the hardware and software requirements, supported
languages, compilers, and build tools for HP Fortify Static Code Analyzer.
l HP Fortify Static Code Analyzer Performance Guide
This document provides guidance on selecting the hardware required for scanning specific code
bases, optimizing memory usage, and improving performance.

Chapter 2: Analysis Process Overview
• About the Analysis Process 15

• About the Translation Phase 16
• About SCA Mobile Build Sessions 16
• About the Analysis Phase 17
• About Memory Considerations 18
• About Parallel Analysis 18
• About Verification of the Translation and Analysis Phase 18
About the Analysis Process

There are four distinct stages that make up the SCA source code analysis process:
1. Build Integration: Choosing whether to integrate SCA into the build compiler system. For
descriptions of build integration options, see "Integrating with Ant using the SCA Compiler
Adapter" on page 22, "Using the Sourceanalyzer Ant Task" on page 84, "Build Integration" on page
34 for C and C++, "Maven Integration" on page 99, and "MSBuild Integration" on page 93.
2. Translation: Gather source code using a series of commands and translate it into an intermediate
format associated with a build ID. The build ID is usually the name of the project being scanned.
For more information, see "About the Translation Phase" on the next page.
3. Analysis: Scan source files identified during the translation phase and generates an analysis
results file (typically in the HP Fortify project (FPR) format). FPR files have a .fpr file extension.
For more information, see "About the Analysis Phase" on page 17.
4. Verification of the translation and analysis: Verify that the source files were scanned using the
correct Rulepacks and that no errors were reported. For more information, see "About Verification
of the Translation and Analysis Phase" on page 18.
The following is an example of the sequence of commands you use to analyze code:
sourceanalyzer -b <build_id> -clean

sourceanalyzer -b <build_id> ...
sourceanalyzer -b <build_id> -scan -f results.fpr
To analyze more than one build at a time, add the additional builds as parameters:
sourceanalyzer -b <build_id1> -b <build_id2> -b <build_id3> -scan -f results.fpr

User Guide
About the Translation Phase

The basic command-line syntax for performing the first analysis step of the analysis process,
translating the files, is:
sourceanalyzer -b <build_id> ...<files>
or
sourceanalyzer -b <build_id> ... <compiler_command>
The translation phase consists of one or more invocations of SCA using the sourceanalyzer
command. A build ID (-b option) is used to tie the invocations together. Subsequent invocations of
sourceanalyzer add any newly specified source or configuration files to the file list associated with
the build ID.
After translation, you can use -show-build-warnings directive to list all warnings and errors that were
encountered during the translation phase:
sourceanalyzer -b <build_id> -show-build-warnings
To view all of the files associated with a particular build ID, use the -show-files directive:
sourceanalyzer -b <build_id> -show-files
The following chapters describe how to translate different types of source code:
l "Translating Java Code" on page 20
l "Translating .NET Code" on page 28
l "Translating C and C++ Code" on page 33
l "Translating ABAP Code" on page 37
l "Translating Ruby Code" on page 43
l "Translating Flex and ActionScript" on page 45
l "Translating Code for Mobile Platforms" on page 48
l "Translating Other Languages" on page 53
About SCA Mobile Build Sessions

With an SCA mobile build session, you can translate a project on one machine and analyze it on
another. When you create an SCA mobile build session, an MBS file which includes the files needed for
the analysis phase is created in the build session directory. You can then move the MBS file to a
different machine for analysis.

User Guide
The version of SCA on both the translate and analysis machines must be compatible when using
mobile build sessions. The SCA version number follows the pattern: major.minor+patch.buildnumber
(for example, 6.40.0089). The SCA versions must match the major and minor portions of the version
number (for example: 6.40 and 6.4x are compatible).
Creating a Mobile Build Session

On the machine where the translation was performed, issue the following command to generate an
SCA mobile build session:
sourceanalyzer -b <build_id> -export-build-session <file.mbs>
where <file.mbs> is the file name you assign for the SCA mobile build session.
Importing a Mobile Build Session

Once you move the MBS file to the machine where you want to run the analysis, type the following
command:
sourceanalyzer -import-build-session <file.mbs>
where <file.mbs> is the SCA mobile build session.

After you have imported your SCA mobile build session, you are ready to proceed to the analysis
phase.
About the Analysis Phase

The analysis phase scans the intermediate files created during translation and creates the vulnerability
results file. The analysis phase consists of one invocation of sourceanalyzer. You specify the build
ID and include the -scan directive and any required analysis or output options (see "Analysis Options"
on page 78 and "Output Options" on page 76).
The basic command-line syntax for the analysis phase is:
sourceanalyzer -b <build_id> -scan -f results.fpr
Note: By default, SCA includes the source code in the FPR file.
To combine multiple builds into a single scan, add the additional builds to the command line:
sourceanalyzer -b <build_id1> -b <build_id2> -b <build_id3> -scan -f results.fpr

User Guide
About Memory Considerations

When running SCA, the amount of physical RAM required is dependent on a number of factors. These
factors, which include the size and complexity of the source file, make it impossible to quantify and
provide guidance. Each customer situation is unique. If you encounter a low memory error, increasing
the amount of memory available to SCA might resolve the problem.
By default, SCA uses up to 1800 MB of memory. If this is not sufficient to analyze a particular code
base, you might have to provide more memory in the scan phase. Use the sourceanalyzer -Xmx
option to the specify the amount of memory for a scan.
For example, to make 32 GB available to SCA, include the option -Xmx32G.
You can also use the SCA_VM_OPTS environment variable to set the memory allocation.
Important: Do not allocate more memory for SCA than the machine has available, because this
degrades performance. As a guideline, assuming that no other memory-intensive processes are
running, do not allocate more than 2/3 of the available physical memory.
About Parallel Analysis

Beginning with Software Security Center version 4.00, SCA supports parallel processing for large
projects. If your project scan takes longer than an hour or two to complete, you can decrease the time
necessary to complete the scan by enabling parallel processing. Parallel processing allows you to take
advantage of multiple CPUs and cores within a single machine and automatic memory tuning.
For information on enabling parallel analysis for your projects, see "Parallel Analysis Mode" on page 82.
About Verification of the Translation and

Analysis Phase
The Result Certification feature of HP Fortify Audit Workbench verifies that the analysis is complete.
The project summary in Audit Workbench shows specific information about SCA scanned code
including:
l List of files scanned, with file sizes and timestamps
l Java classpath used for the translation
l List of Rulepacks used for the analysis
l List of SCA runtime settings and command-line options
l List of errors or warnings encountered during translation or analysis
l Machine and platform information

User Guide
To view result certification information, open the FPR file in Audit Workbench and select Tools >
Project Summary > Certification. For more information, see the HP Fortify Audit Workbench User
Guide.

Chapter 3: Translating Java Code
• Java Command-Line Syntax 20

• Integrating with Ant using the SCA Compiler Adapter 22
• Handling Resolution Warnings 23
• Using FindBugs 23
• Translating J2EE Applications 24
• Translating Java Bytecode 26
Java Command-Line Syntax

The basic command-line syntax for translating Java code is:
sourceanalyzer -b <build_id> -cp <classpath> <file_list>
With Java code, SCA can either emulate the compiler, which might be convenient for build integration,
or accept source files directly, which is more convenient for command-line scans.
To tell SCA to emulate the compiler, type:
sourceanalyzer -b <build_id> javac [<translation options>]
To pass files directly to SCA, type:
sourceanalyzer -b <build_id> -cp <classpath> [<translation options>]

<files>|<file specifiers>
where:
l <translation options> are options passed to the compiler.
l -cp <classpath> specifies the class path to use for the Java source code. A class path is the path
that the Java runtime environment searches for classes and other resource files. The format is the
same as expected by javac (colon- or semicolon-separated list of paths). You can use SCA file
specifiers as shown in the following example:
-cp "build/classes:lib/*.jar"
For more information, see "Java/J2EE Options" on the next page. For information about file specifiers,
see "Specifying Files" on page 81.

User Guide
Java/J2EE Options
The following table describes the Java/J2EE options.
Java/J2EE Options Description
-appserver Specifies the application server for processing JSP files.

weblogic | websphere
-appserver-home <path> Specifies the application server’s home.

l For Weblogic, this is the path to the directory containing the
server/lib directory.
l For WebSphere, this is the path to the directory containing
the JspBatchCompiler script.
-appserver-version <version> Specifies the version of the application server. See the HP
Fortify Software Security Center System Requirements
document for supported versions.
-cp <classpath> | Specifies the class path to use for analyzing Java source code.
-classpath <classpath> The format is same as javac: a colon- or semicolon-separated
list of paths. You can use SCA file specifiers.
-extdirs <dirs> Similar to the javac extdirs option, accepts a colon- or

semicolon-separated list of directories. Any jar files found in
these directories are included implicitly on the class path.
-java-build-dir <dirs> Specifies one or more directories to which Java sources have
been compiled. You must specify this for Findbugs results as
described in "Analysis Options" on page 78.
-source <version> | Indicates the JDK version for which the Java code is written.
-jdk <version> Valid values for <version> are 1.4, 1.5, 1.6, 1.7, and 1.8.
The default is 1.5.
-sourcepath <dir> Specifies the location of source files that are not included in the
scan but are used for name resolution. The source path is
similar to classpath, except it uses source files rather than
class files for resolution.

User Guide
Java Command-Line Examples

To translate a single file named MyServlet.java with j2ee.jar as the class path, type:
sourceanalyzer -b MyServlet -cp lib/j2ee.jar MyServlet.java
To translate all .java files in the src directory using all jar files in the lib directory as a class path,
type:
sourceanalyzer -b MyProject -cp "lib/*.jar" "src/**/*.java"
To translate and compile the MyCode.java file using the javac compiler, type:
sourceanalyzer -b MyProject javac -classpath libs.jar MyCode.java
Integrating with Ant using the SCA Compiler

Adapter
SCA provides an Ant Compiler Adapter that you can use to translate Java source files if your project
uses an Ant build file. This integration requires setting two Ant properties, and can be done on the
command line without modifying the Ant build.xml file. When the build runs, SCA intercepts all javac
task invocations and translates the Java source files as they are compiled.
Note: You must translate any JSP files, configuration files, or any other non-Java source files that
are part of the application in a separate step.
To use the Ant Compiler Adapter, do the following:

l Ensure that the sourceanalyzer executable is on the system PATH.
l Set the build.compiler property to com.fortify.dev.ant.SCACompiler.
l Set the sourceanalyzer.buildid property to the build ID.
The following example shows how to run an Ant build using the Ant Compiler Adapter without modifying
the build file:
ant -Dbuild.compiler=com.fortify.dev.ant.SCACompiler
-Dsourceanalyzer.buildid=MyBuild
-lib <Installation_Dir>/Core/lib/sourceanalyzer.jar
The -lib option is available in Ant version 1.6 or later.

Alternatively, you can use the following shorthand to run Ant with the Compiler Adapter:
sourceanalyzer -b <build_id> ant [<ant_options>]

User Guide
By default, 1800 MB of memory is allocated to SCA for translation. Increase the memory allocation
when using the SCA Compiler Adapter using the -Dsourceanalyzer.maxHeap option as follows:
ant -Dbuild.compiler=com.fortify.dev.ant.SCACompiler
-Dsourceanalyzer.buildid=MyBuild
-lib <Installation_Dir>/Core/lib/sourceanalyzer.jar
-Dsourceanalyzer.maxHeap=2000M
Handling Resolution Warnings

To see all warnings that were generated during your build, type the following command before you start
the scan phase:
Java Warnings
You might see the following warnings for Java:
Unable to resolve type...
Unable to resolve function...
Unable to resolve field...
Unable to locate import...
Unable to resolve symbol...
Multiple definitions found for function...
Multiple definitions found for class...
These warnings are typically caused by missing resources. For example, some of the .jar and class
files required to build the application might not have been specified. To resolve the warnings, make sure
that you include all of the required files that your application uses.
Using FindBugs
FindBugs (http://findbugs.sourceforge.net) is a static analysis tool that detects quality issues in Java
code. You can run FindBugs with SCA and the results are integrated into the analysis results file.
Unlike SCA, which runs on Java source files, FindBugs runs on Java bytecode. Therefore, before
running an analysis on your project, you should first compile the project and produce the class files.

User Guide
To see an example of how to run FindBugs automatically with SCA, compile the sample code
Warning.java as follows:
1. Go to the following directory:
<Installation_Dir>/Samples/advanced/findbugs
2. Enter the following commands to compile the sample:
mkdir build
javac -d build Warning.java
3. Scan the sample with FindBugs and SCA as follows:
sourceanalyzer -b findbugs_sample -java-build-dir build Warning.java
sourceanalyzer -b findbugs_sample -scan -findbugs -f findbugs_sample.fpr
4. Examine the analysis results in HP Fortify Audit Workbench:
auditworkbench findbugs_sample.fpr
The output contains the following issue categories:

l Bad casts of Object References (1)
l Dead local store (2)
l Equal objects must have equal hashcodes (1)
l Object model violation (1)
l Unwritten field (2)
l Useless self-assignment (2)
If you group by analyzer, you can see that the SCA Structural Analyzer produced one issue and
FindBugs produced eight. The Object model violation issue produced by SCA on line 25 is similar
to the Equal objects must have equal hash codes issue produced by FindBugs. In addition,
FindBugs produces two sets of issues (Useless self-assignment and Dead local store) about the
same vulnerabilities on lines 6 and 7. To avoid overlapping results, apply the filter.txt filter file by
using the -filter option during the scan. Note that the filtering is not complete because each tool
filters at a different level of granularity. To see how to avoid overlapping results, scan the sample code
using filter.txt as follows:
sourceanalyzer -b findbugs_sample -scan -findbugs -filter filter.txt

-f findbugs_sample.fpr
Translating J2EE Applications

Translating J2EE applications involves processing Java source files and J2EE components such as
JSP files, deployment descriptors, and configuration files. While you can process all the pertinent files
in a J2EE application using a single-step process, your project might require that you break the
procedure into its components for integration in a build process or to meet the needs of various

User Guide
stakeholders within your organization. The following sections provide information on each component,
followed by an all-in-one process.
Prerequisite for Translating Code Using Legacy

Versions of the J2EE SDK
To translate code developed using a version of the J2EE SDK earlier than 1.5, you must add the
following list of files JAR files to the class path:
commons-logging.jar
j2ee.jar
jasper2_jasper-runtime.jar
xercesImpl-2.0.2.jar
The following JSP tag libraries might also be required:
commons-validator.jar
jsp-api.jar
jstl.jar
log4j-1.2.9.jar
saxpath.jar
standard.jar
struts.jar
struts-el.jar
Optionally, you can put the JSP tag library files in a subdirectory named jsp_tag_lib.
Add the files using the class path option (-cp).
Note: In versions of SCA earlier than version 4.10, the JAR files listed above were included in the
<Installation_Dir>/Core/default_jars directory.
To identify a directory or directories where SCA should look for files each time you run a scan, you can
set the com.fortify.sca.DefaultJarsDirs property in the fortify-sca.properties file. For more
information, see "fortify-sca.properties" on page 115.
Translating the Java Files

When translating J2EE applications, use the same procedure for translating the Java files. For
examples, see "Java Command-Line Examples" on page 22.

User Guide
Translating JSP Projects, Configuration Files, and

Deployment Descriptors
In addition to translating the Java files in your J2EE application, you might also need to translate JSP
files, configuration files, and deployment descriptors.Your JSP files must be part of a Web Application
Archive (WAR). If your source directory is already organized in a WAR layout, you can translate the
JSP files directly from the source directory. If not, you might need to deploy your application and
translate the JSP files from the deployment directory.
For example:
sourceanalyzer -b <build_id> /**/*.jsp /**/*.xml
where /**/*.jsp refers to the location of your JSP project files and /**/*.xml refers to the location of
your configuration and deployment descriptor files.
J2EE Warnings
You might see the following warnings for J2EE applications:
Could not locate the root (WEB-INF) of the web application. Please build your web
application and try again. Failed to parse the following jsp files:
<list of .jsp file names>
This warning indicates that your web application is not deployed in the standard WAR directory format
or does not contain the full set of required libraries. To resolve the warning, ensure that your web
application is in an exploded WAR directory format with the correct WEB-INF/lib and
WEB-INF/classes directories containing all of the .jar and .class files required for your application.
Also verify that you have all of the TLD files for all of your tags and the corresponding JAR files with
their tag implementations.
Translating Java Bytecode

In addition to translating source code, you can translate the bytecode in your project. You must specify
two configuration properties and include the bytecode files for the SCA translation phase.
For best results, HP Fortify recommends that the bytecode is compiled with full debug information
(javac -g).
To include bytecode in the SCA translation:
1. Add the following properties to the fortify-sca.properties file (or include these properties on
the command line using the -D option):
com.fortify.sca.fileextensions.class=BYTECODE
com.fortify.sca.fileextensions.jar=ARCHIVE

User Guide
This specifies how SCA processes .class and .jar files.

2. In the translation phase of the SCA analysis process, include the Java bytecode files that you
want to translate. For best performance, specify only the .jar or .class files that require
scanning.
In the following example, the .class files are translated:
sourceanalyzer -b MyProject -cp "lib/*.jar" "src/**/*.class"
HP Fortify recommends that you do not translate Java bytecode and JSP/Java code in the same
call to sourceanalyzer. Use multiple invocations of sourceanalyzer with the same build ID
when translating a project that contains both bytecode and JSP/Java code that you want to scan.

Chapter 4: Translating .NET Code
• About Translating .NET Code 28

• .NET Command-Line Syntax 28
• Translating Simple .NET Applications 29
• Translating ASP.NET 1.1 (Visual Studio Version 2003) Projects 30
• Handling Resolution Warnings 31
About Translating .NET Code

This chapter describes how to use SCA to translate Microsoft Visual Studio .NET and
ASP.NET applications built with:
l .NET Versions 1.1 and later
l Visual Studio 2010
SCA works on the Common Intermediate Language (CIL), and therefore supports all of the .NET
languages that compile to CIL, including C# and VB .NET.
Note: The easiest way to analyze a .NET application is to use the HP Fortify Package for
Microsoft Visual Studio, which automates the process of gathering information about the project.
.NET Command-Line Syntax

HP Fortify recommends using the Visual Studio Command Prompt to run these commands. If you
perform command-line builds with Visual Studio .NET, you can integrate static analysis by wrapping
the build command line with an invocation of sourceanalyzer. For this to work, you must have the
HP Fortify Package for Microsoft Visual Studio for your version of Visual Studio installed.
The following example demonstrates the command-line syntax for Visual Studio .NET:
sourceanalyzer -b my_buildid devenv Sample1.sln /REBUILD debug
This performs the translation phase on all files built by Visual Studio. Be sure to do a clean or a rebuild
so that all files are included. You can then perform the analysis phase, as in the following example:
sourceanalyzer -b my_buildid -scan -f results.fpr

User Guide
.NET Command-Line Options

The following table describes the .NET command-line options.
.NET Options Description
-libdirs <dirs> Specifies a semicolon-separated list of directories where system or third-

party DLLs are located.
-dotnet-sources Specifies where to look for source files for additional information. This
<directory name> option is automatically passed from the HP Fortify Package for Microsoft
Visual Studio and Audit Workbench but when you are running SCA
manually, you must provide it.
This option causes SCA to attempt to find any .NET classes, enums, or
interfaces that are not explicitly declared in the compiled project.
-vsversion <version> Specifies the version number that corresponds to the Visual
Studio version you are using.
l Visual Studio 2010: 10.0
Translating Simple .NET Applications

You can also use SCA the command-line interface for processing .NET applications.
Prepare your application for analysis using one of the following methods:
l Perform a complete rebuild of your project with the “debug” configuration enabled. Compiling your
project with debug enabled provides information that SCA uses for presenting the results.
l Obtain all of the third-party DLL files, project output DLL files, and corresponding PDB files for your
projects. Note that SCA ignores any DLL file passed as an input argument if the corresponding PDB
file does not exist in the same folder. Therefore you must include all of the PDB files for all your
project DLL files.
Note: PDB files are required for third-party libraries.
Run SCA to analyze the .NET application from the command line as follows:
sourceanalyzer -vsversion <version> -b <build_id>

-libdirs <ProjOne/Lib;ProjTwo/Lib> <folder_1 folder_2>
where <folder_1 folder_2> are the output folders.
Note: Standard .NET DLL files used in your project are automatically picked up by SCA, so you do

User Guide
not need to include them in the command line.
If your project is large, you can perform the translation phase separately for each output project using
the same build ID, as follows:

-libdirs <paths> <project_1_source_files>
...
-libdirs <paths> <project_n_source_files>
where <project_1_source_files> and <project_n_source_files> are the output projects.
Note: SCA requires the appropriate version of Visual Studio unless you are using MSBuild. For
information about using SCA with MSBuild, see "MSBuild Integration" on page 93.
Translating ASP.NET 1.1 (Visual Studio Version

2003) Projects
As discussed previously, SCA works on CIL generated by the .NET compilers. For ASP.NET projects,
web components such as ASPX files need to be compiled before they are analyzed. However, there is
no standard compiler for ASPX files. The .NET 1.1 runtime automatically compiles them when they are
accessed from a browser.
To facilitate the ASPX compilation phase, HP Fortify Software provides a simple tool that compiles all
of the ASPX files in your project. The tool is located in: <Installation_Dir>\Tools\fortify_
aspnet_compiler\fortify_aspnet_compiler.exe.
To analyze ASP.NET 1.1 solutions:
1. Perform a complete rebuild of the solution.
2. For each of the web projects in the solution, delete the following folder:
%SYSTEMROOT%\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\<web_

application_name>
3. For each of the web projects in the solution, run the following command:
fortify_aspnet_compiler <url_to_the_website> <source_root_of_the_web_

project>
where:
l <url_to_the_website> is the URL for your website, such as http://localhost/WebApp
l <source_root_of_the_web_project> is the source location of your web project, such as
<VS_project_location>\WebApp

User Guide
4. Perform the translation phase for the DLL files built in Step 1. Type the following command using
the same build ID as in the following steps:
sourceanalyzer -b <build_id> "<VS_project_location>\**\*.dll"
5. Perform the translation phase for the web components. For each of the web projects in the
solution, type the following when you invoke sourceanalyzer:
sourceanalyzer -b <build_id>
%SYSTEMROOT%\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\<web_
application_name>
6. Include the configuration files and any Microsoft T-SQL source files that you have:
sourceanalyzer -b <build_id> "<solution_root>\**\*.config"

<"t-sql_src>\**\*.sql">
Note: These steps are all automated if you use the HP Fortify Package for Microsoft Visual
Studio.
Handling Resolution Warnings

the scan phase:
About .NET Warnings

You may see the following warnings for .NET:
Cannot locate class... in the given search path and the Microsoft .NET Framework
libraries.
These warnings are typically caused by missing resources. For example, some of the DLL files
required to build the application have not been specified. To resolve the warnings, make sure that you
have included all of the required files that your application uses. If you still see a warning and the
classes it lists are empty interfaces with no members, you can ignore the warning. If the interface is not
empty, contact HP Fortify Technical Support.

User Guide
About ASP.NET Warnings

You may see the following warnings for ASP.NET applications:
Failed to parse the following aspx files:

<list of .aspx file names>
This warning indicates that your web application is not deployed correctly, does not contain the full set
of required libraries, or it uses the Global Access Cache (GAC). If your web application uses the GAC,
you must add the DLL files to the project separately to ensure a successful scan. SCA does not load
DLL files from the GAC.

Chapter 5: Translating C and C++ Code
• C and C++ Command-Line Syntax 33

• Build Integration 34
• Modifying a Build Script to Invoke SCA 35
• Touchless Build Integration 35
• Scanning Pre-processed C and C++ Code 36
C and C++ Command-Line Syntax

Command-line options passed to the compiler affect preprocessor execution and can enable or disable
language features and extensions. To ensure that SCA interprets your source code in the same way as
the compiler, the translation step for C-language source code requires the complete compiler command
line. Prefix your original compiler command with sourceanalyzer command and options.
The basic command-line syntax for translating a single file is:
sourceanalyzer -b <build_id> [<SCA_options>] <compiler> [<compiler_options>]

<file.c>
where:
l <compiler> is the name of the C compiler you want to use, such as gcc, g++, or cl. See the HP
Fortify Software Security Center System Requirements document for a list of supported C
compilers.
l <SCA_options> are options passed to SCA.
l <compiler_options> are options passed to the C compiler.
l <file.c> must be in ASCII or UTF-8 encoding.
Note: All SCA options must precede the compiler options.
The compiler command must successfully complete when executed on its own. If the compiler
command fails, then the sourceanalyzer command prefixed to the compiler command also fails.
For example, if you compile a file with the command:
gcc -I. -o hello.o -c helloworld.c
then you can translate this file with the following command:
sourceanalyzer -b my_buildid gcc -I. -o hello.o -c helloworld.c

User Guide
SCA executes the original compiler command as part of the translation phase. In the previous example,
the command produces both the translated source suitable for scanning, and the object file hello.o
from the gcc execution. You can use the SCA -nc option to disable the compiler execution.
Build Integration
You can translate entire projects in a single operation. Prefix your original build operation with the
sourceanalyzer command and the SCA options.
The command-line syntax for translating a complete project is:
sourceanalyzer -b <build_id> [<SCA_options>] <build_tool> [<build_tool_options>]
where <build_tool> is the name of your build tool, such as make, gmake, devenv, or xcodebuild. See
the HP Fortify Software Security Center System Requirements document for a list of supported build
tools. SCA executes your build tool and intercepts all compiler operations to collect the specific
command line used for each input.
Note: SCA only sees the compiler commands that the build tool executes. If you do not clean your
project before executing the build, then SCA only sees those files that the build tool recompiles.
Successful build integration requires that the build tool:

l Executes a compiler supported by SCA
l Executes the compiler on the OS path search, not with a hardcoded path (This requirement does not
apply to xcodebuild integration)
l Executes the compiler, rather than executing a subprocess that then executes the compiler
If you cannot meet these requirements in your environment, see "Modifying a Build Script to Invoke
SCA" on the next page.
Example 1
If you build your project with the following build commands:
make clean
make
make install
then you can simultaneously translate and compile the entire project with the following commands:
make clean
sourceanalyzer -b <build_id> make
make install

User Guide
Example 2
If you build a Visual Studio .NET project with the following build command:
devenv MyProject.sln /REBUILD
then you can translate and compile the project with the command:
sourceanalyzer -b <build_id> devenv MyProject.sln /REBUILD
Note: Integration with Visual Studio .NET requires that you have installed the HP Fortify Package
for Microsoft Visual Studio for your specific version of Visual Studio.
Modifying a Build Script to Invoke SCA

As an alternative to build integration, you can modify your build script to prefix each compiler, linker,
and archiver operation with sourceanalyzer. For example, a makefile often defines variables for the
names of these tools:
CC=gcc
CXX=g++
LD=ld
AR=ar
You can prepend the tool references in the makefile with the sourceanalyzer command and the
appropriate SCA options.
CC=sourceanalyzer -b mybuild gcc

CXX=sourceanalyzer -b mybuild g++
LD=sourceanalyzer -b mybuild ld
AR=sourceanalyzer -b mybuild ar
When you use the same build ID for each operation, SCA automatically combines each of the
separately-translated files into a single translated project.
Touchless Build Integration

SCA includes a generic build tool called touchless that enables translation of projects using build
systems that SCA does not directly support. The command-line syntax for touchless build integration
is:
sourceanalyzer -b <build_id> touchless <build_command>

User Guide
For example, if you use a python script called build.py to compute dependencies and execute
appropriately-ordered C compiler operations. You might then execute your build by running:
python build.py
SCA does not have native support for such a build design. However, you can use the touchless build
tool to translate and build the entire project with the single command:
sourceanalyzer -b <build_id> touchless python build.py
The same requirements for successful build integration with supported build system described earlier in
this chapter apply to touchless integration with unsupported build systems.
Scanning Pre-processed C and C++ Code

If, prior to compilation, your C/C++ build executes a third-party C preprocessor that SCA does not
support, you must invoke the SCA translation on the intermediate file. SCA touchless build integration
automatically translates the intermediate file provided that your build executes the unsupported
preprocessor and supported compiler as two commands connected by a temporary file rather than a
pipe chain.

Chapter 6: Translating ABAP Code
• About Translating ABAP Code 37

• About Scanning ABAP Code 37
• Importing the HP Fortify ABAP Extractor Transport Request 38
• Adding SCA to Your Favorites List 39
• Running the HP Fortify ABAP Extractor 40
About Translating ABAP Code

Translating ABAP code is similar to translating other operating language code, however, it requires
additional steps to extract the code from the SAP database and prepare it for scanning. See "Importing
the HP Fortify ABAP Extractor Transport Request" on the next page for more information. This chapter
assumes you have SCA running and have a basic understanding of SCA, SAP, and ABAP.
About Scanning ABAP Code

To translate ABAP code, the HP Fortify ABAP Extractor program downloads source files to the
presentation server, and optionally, invokes SCA. You need to use an account with permissions to
download files to the local system and execute OS commands.
Because the extractor program is executed online, you may receive a max dialog work process
time reached exception if the volume of sources files selected for extraction exceeds the allowable
process run time. You can often work around this by downloading large projects as a series of smaller
Extractor tasks. For example, if your project consists of four different packages, download each
package separately into the same project directory.
If the exception occurs frequently, work with your SAP Basis administrator to increase the maximum
time limit (rdisp/max_wprun_time).
When a PACKAGE is extracted from ABAP, the HP Fortify ABAP Extractor extracts everything from
TDEVC with a parentcl field that matches the package name. It then recursively extracts everything
else from TDEVC with a parentcl field equal to those already extracted from TDEVC. The field extracted
from TDEVC is devclass.
The devclass values are treated as a set of program names and handled the same way as a program
name, which you may optionally provide.
Programs are extracted from TRDIR by matching the name field against either the program name given
by the user in the selection screen or by comparing with the list of values extracted from TDEVC if a
package was provided. The rows from TRDIR are those for which the name field has the given program
name and the expression LIKE programname is used to extract rows.

User Guide
This final list of names is used with READ REPORT to get code out of the SAP system. This method does
read classes and methods out as well as merely REPORTs, for the record.
Each READ REPORT call produces a file in the temporary folder on the local system. This set of files is
what sourceanalyzer translates and scans, producing an FPR file that you can open with HP Fortify
Audit Workbench.
About INCLUDE Processing

As source code is downloaded, the HP Fortify ABAP Extractor checks for INCLUDE statements in the
source. When found, it downloads the include targets to the local machine for analysis as well.
Importing the HP Fortify ABAP Extractor

Transport Request
ABAP scanning is available as a premium component of SCA. If you purchased a license that includes
this capability, you need to import the HP Fortify ABAP Extractor transport request on your SAP
Server.
The HP Fortify transport request is located in the SAP_Extractor.zip package. The package is
located in the Tools directory:
<Installation_Dir>/Tools/SAP_Extractor.zip
The HP Fortify ABAP Extractor package, SAP_Extractor.zip, contains the following files:
l K9000XX.NSP (where the “XX” is the release number)
l R9000XX.NSP (where the “XX” is the release number)
These files make up the SAP transport request and should be imported into your SAP system from
outside your local Transport Domain. Your SAP administrator or an individual authorized to install
transport requests on the system should import the transport request.
The NSP files contain a program, a transaction (YSCA), and the program user interface. Once imported
into your system and properly configured, you can extract your code from the SAP database and
prepare it for SCA scanning.
Installation Note
The HP Fortify ABAP Extractor transport request was created on a system running SAP release 7.02,
SP level 0006. If you are running a different SAP release, you might get a transport request import error:
Install release does not match the current version.
This causes the installation to fail. To resolve this issue:
1. Run the transport request import again.
The Import Transport Request dialog box opens.
2. Click the Options tab.
3. Select the Ignore Invalid Component Version check box.
4. Complete the import procedure.

User Guide
Adding SCA to Your Favorites List

Adding SCA to your Favorites list is optional, but doing so can make it quicker to access and launch
SCA scans. The following steps assume that you use the user menu in your day-to-day work. If your
work is done from a different menu, add the Favorites link to the menu that you use. Before you create
the SCA entry, the SAP server should be running and you should be in the SAP Easy Access area of
your web-based client.
1. From the SAP Easy Access menu, type S000 in the transaction box.
The SAP Menu opens.
2. Right-click the Favorites folder and select Insert transaction.
The Manual entry of a transaction dialog box opens.
3. Type YSCA in the Transaction Code box.

4. Click the green check mark button .
The Launch SCA item should appear in the Favorites list.

User Guide
5. Click the Extract ABAP code and launch SCA link to launch the HP Fortify ABAP Extractor.
Running the HP Fortify ABAP Extractor

To run the HP Fortify ABAP Extractor:
1. Launch the program from the Favorites link, the transaction code, or by manually launching the
YHP_FORTIFY_SCA object.

User Guide
2. Fill in the requested information.
Section Data
Objects Enter the name of the Software Component, Package, Program, or BSP
Application you want to scan.
Sourceanalyzer FPR File Path: Type the directory where you want to store your FPR file.
parameters Include the name you want assigned to the FPR file in the path name.
Working Directory: Type the directory where the extracted source code
should be copied.
Build-ID: Type the build ID for the scan.
Translation Parameters: List any optional sourceanalyzer translation
arguments.
Scan Parameters: List any optional sourceanalyzer scan arguments.
ZIP File Name: Type a ZIP file name if you would like your output provided in
a compressed package.
Maximum Call-chain Depth: A global SAP-function F is not downloaded
unless F was explicitly selected or unless F can be reached through a chain
of function calls which starts in explicitly-selected code and whose length is
this number or less.

User Guide
Section Data
Actions Download: Check this box to instruct SCA to download the source code
extracted from your SAP database.
Build: Check this box to instruct SCA to translate all downloaded ABAP
code and store it under the specified Build-ID.
Scan: Check this box to request a scan.
Launch AWB: Check this box to launch Audit Workbench and load the FPR.
Create ZIP: Check this box to request the output be compressed.
Process in Background: Check this box to request that processing occur in
the background.
3. Click Execute.

Chapter 7: Translating Ruby Code
• Ruby Command-Line Syntax 43

• Adding Libraries 44
• Adding Multiple Library Paths 44
• Adding Gem Paths 44
Ruby Command-Line Syntax

The basic command-line syntax for translating Ruby code is:
sourceanalyzer –b <build_id> <rb_file>
where <rb_file> is the name of the Ruby file to be scanned. To include multiple Ruby files, separate
them with a space, as shown in the following example:
sourceanalyzer –b <build_id> file1.rb file2.rb file3.rb
In addition to listing individual Ruby files, you can use the asterisk (*) wild card to select all Ruby files in
a specified directory. For example, to find all of the Ruby files in a directory called src, use the
following sourceanalyzer command:
sourceanalyzer –b <build_id> src/*.rb
Ruby Options
The following table describes the Ruby translation options.
Ruby Option Description
-ruby-path Specifies the path(s) to directories containing Ruby libraries (see "Adding Libraries
" on the next page)
-rubygem-path Specifies the path(s) to a RubyGems location (see "Adding Gem Paths" on the
next page)

User Guide
Chapter 7: Translating Ruby Code
Adding Libraries
If your Ruby source code requires a specific library, add the Ruby library to the sourceanalyzer
command. For example, if you have a utils.rb file that resides in the
/usr/share/ruby/myPersonalLibrary directory, then add the following to the sourceanalyzer
command:
-ruby-path=/usr/share/ruby/myPersonalLibrary
Adding Multiple Library Paths

To use multiple libraries, use a delimited list. On Windows, separate the paths with a semicolon; and on
all other platforms use a colon, as in the following non-Windows example:
-ruby-path=/path/one:/path/two:/path/three
Adding Gem Paths

To add all RubyGems and their dependency paths, import all RubyGems. To do this, first obtain the
Ruby gem paths by running the gem env command and under GEM PATHS look for a directory similar
to:
/home/myUser/gems/ruby-version
This directory should contain another directory called gems which contains directories for all the gem
files installed on the system, so for this example you would set:
-rubygem-path=/home/myUser/gems/ruby-version/gems
If you have multiple gems directories, add them using a delimited list such as:
-rubygem-path=/path/to/gems:/another/path/to/more/gems
Note: On Windows systems, separate the gems directories with a semicolon.

Chapter 8: Translating Flex and
ActionScript
• ActionScript Command-Line Syntax 45

• About Handling Resolution Warnings 47
ActionScript Command-Line Syntax

The basic command-line syntax for translating ActionScript is:
sourceanalyzer -b <build_id> -flex-libraries <listOfLibraries> <listOfFiles>
where:
<listOfLibraries> is a semicolon-separated list (Windows) or a colon-separated list (non-Windows
systems) of library names to which you want to "link" and <listOfFiles> are the files to translate.
Flex and ActionScript Command-Line Options

Use the following command-line options to translate Flex files. You can also specify this information in
the properties configuration file (fortify-sca.properties) as noted in each description.
Option Description
-flex-sdk-root The location of the root of a valid Flex SDK. This folder should contain a
frameworks folder that contains a flex-config.xml file. It should also
contain a bin folder that contains an MXMLC executable.
You can set also set the SDK root location using the
com.fortify.sca.FlexSdkRoot property.
-flex-libraries A colon- or semicolon-separated list (colon on most platforms, semicolon on

Windows) of library names that you want to “link” to. In most cases, this list
includes flex.swc, framework.swc, and playerglobal.swc (usually found
in frameworks/libs/ in your Flex SDK root).
You can set also set the Flex libraries using the
com.fortify.sca.FlexLibraries property.
Note: You can specify SWC or SWF files as Flex libraries (SWZ is not
currently supported).

User Guide
Chapter 8: Translating Flex and ActionScript
Option Description
-flex-source-roots A colon- or semicolon-separated list of root directories in which MXML

sources are located. Normally, these contain a subfolder named com. For
instance, if a Flex source root is given that is pointing to foo/bar/src, then
foo/bar/src/com/fortify/manager/util/Foo.mxml is transformed into
an object named com.fortify.manager.util.Foo (an object named Foo in
the package com.fortify.manager.util).
You can set also set the MXML source locations using the
com.fortify.sca.FlexSourceRoots property.
Note: -flex-sdk-root and –flex-source-roots are primarily for MXML translation, and are
optional if you are scanning pure ActionScript. Use –flex-libraries for resolving all
ActionScript.
SCA translates MXML files into ActionScript and then runs them through an ActionScript parser. The
generated ActionScript is intended to be simple to analyze; not rigorously correct like the Flex run-time
model. As a consequence of this, you might get parse errors with MXML files. For instance, the XML
parsing could fail, the translation to ActionScript could fail, and the parsing of the resulting ActionScript
could also fail. If you see any errors that do not have a clear connection to the original source code,
notify HP Fortify Technical Support.
ActionScript Command-Line Examples

The following examples illustrate command-line syntax for typical scenarios for translating
ActionScript.
Example 1
The following example is for a simple application that contains only one MXML file and a single SWF
library (MyLib.swf):
sourceanalyzer -b MyFlexApp -flex-libraries lib/MyLib.swf -flex-sdk-root

/home/myself/flex-sdk/ -flex-source-roots . my/app/FlexApp.mxml
This identifies the location of the libraries to include, and also identifies the Flex SDK and the Flex
source root locations. The single MXML file, located in /my/app/FlexApp.mxml, results in translating
the MXML application as a single ActionScript class called FlexApp and located in the my.app
package.

User Guide
Chapter 8: Translating Flex and ActionScript
Example 2
The following example is for an application in which the source files are relative to the src directory. It
uses a single SWF library, MyLib.swf, and the Flex and framework libraries from the Flex SDK:
sourceanalyzer -b MyFlexProject -flex-sdk-root /home/myself/flex-sdk/

-flex-source-roots src/ -flex-libraries lib/MyLib.swf src/**/*.mxml src/**/*.as
In this example, we locate the Flex SDK. We use SCA file specifiers to include the .as and .mxml files
in the src folder. It is not necessary to explicitly specify the .SWC files located in the –flex-sdk-root,
although this example does so for the purposes of illustration. SCA automatically locates all .SWC files
in the specified Flex SDK root, and it assumes that these are libraries intended for use in translating
ActionScript or MXML files.
Example 3
In this example, the Flex SDK root and Flex libraries are specified in a properties file since typing in the
data is time consuming and it tends to be constant. We divide the application into two sections and
store them in folders: a main section folder and a modules folder. Each folder contains a src folder
where the paths should start. Wild cards are used in file specifiers to pick up all the .mxml and .as files
in both of the src folders. An MXML file in main/src/com/foo/util/Foo.mxml is translated as an
ActionScript class named Foo in the package com.foo.util, for example, with the source roots
specified here:
sourceanalyzer -b MyFlexProject -flex-source-roots main/src:modules/src

./main/src/**/*.mxml ./main/src/**/*.as ./modules/src/**/*.mxml
./modules/src/**/*.as
About Handling Resolution Warnings

the scan phase:
About ActionScript Warnings

You might receive a message similar to:
The ActionScript front end was unable to resolve the following imports: a.b at
y.as:2. foo.bar at somewhere.as:5. a.b at foo.mxml:8.
This error occurs when SCA cannot find all of the required libraries. You might need to specify
additional SWC or SWF Flex libraries (-flex-libraries option, or
com.fortify.sca.FlexLibraries property) so that SCA can complete the analysis.

Chapter 9: Translating Code for Mobile
Platforms
• About Translating Objective-C++ Code 48

• About Translating Google Android Code 49
About Translating Objective-C++ Code

This section describes how to translate Objective-C++ source code for iOS applications.
Prerequisites
l Xcode command-line tools must be installed in the path.
l Projects must use the non-fragile Objective-C++ runtime (ABI version 2 or 3).
l Use Apple’s xcode-select command-line utility to set your Xcode path. SCA uses the system's
global Xcode configuration to find the Xcode toolchain and headers.
Objective-C++ Command-Line Syntax

The command-line syntax for translating a single Objective-C++ project is:
sourceanalyzer -b <build_id> xcodebuild [<compiler options>]
where:
<compiler options> are options passed to Xcode.
The following examples illustrate usage patterns for the supported compilers. Run the following
command samples from the directory where the project files are located.
To translate an Xcode Objective-C++ project, type:
xcodebuild [<options>] clean (Optional. Clean the previous build artifacts.)

sourceanalyzer -b my_buildid -clean
sourceanalyzer -b my_buildid xcodebuild [<options>]

User Guide
Chapter 9: Translating Code for Mobile Platforms
To scan the application artifact files:
sourceanalyzer -b my_buildid -scan -f result.fpr
Note: The source code is compiled when you run these commands.
Xcode Compiler Errors

If you receive Xcode compiler errors, this might be due to the inclusion of Clang options added after
your version of SCA was released. To remove the errors, type the following after xcodebuild:
ARCHS=i386
GCC_TREAT_WARNINGS_AS_ERRORS=NO
where ARCHS=i386 represents the architectures (ABIs, processor models) to which the binary is
targeted.
About Translating Google Android Code

Translating Google Android code is similar to translating Java code. See "Translating Java Code" on
page 20 for more information.

Chapter 9: Translating COBOL Code
• Preparing COBOL Source Files for Translation 50

• COBOL Command-Line Syntax 51
• About Auditing COBOL Scans 52
For a list of supported technologies for translating COBOL code, see the HP Fortify Software Security
Center System Requirements document.
Note: To scan COBOL with SCA, you must have a specialized HP Fortify license specific for
COBOL scanning capabilities. Contact HP Fortify Software for more information about scanning
COBOL and the necessary license required.
Preparing COBOL Source Files for Translation

SCA runs only on the supported systems listed in the HP Fortify Software Security Center System
Requirements document, not on mainframe computers. Before you can scan a COBOL program, you
must copy the following program components to the system running SCA:
l The COBOL source code
l All copybook files used by the COBOL source code
l All SQL INCLUDE files referenced by the COBOL source code
SCA processes only top-level COBOL sources. Do not include copybook or SQL INCLUDE files in the
directory or the subdirectory where the COBOL sources reside. HP Fortify suggests that you place
your COBOL source code in a folder called sources/ and your copybooks in a folder called
copybooks/. These folders should be at the same level. Your translate command should emulate the
following structure:
sourceanalyzer -b <build_id> -noextension-type COBOL -copydirs copybooks/

sources/
If your COBOL source code contains:
COPY FOO
where FOO is a copybook file or an SQL INCLUDE file, then the corresponding file in the copybooks
folder or the SQL INCLUDE folder, as specified with the -copydirs option, should be FOO. The COPY
command can also take a directory-file-path structure rather than a just a file name. The same translate
command structure should be followed, using a directory-file-path structure rather than just the file
name.

User Guide
Preparing COBOL Source Code Files

If you are retrieving COBOL source files from a mainframe without COB or CBL file extensions (which
is typical for COBOL file names), then you must include the following in the translation command line:
-noextension-type COBOL <directory-file-path>
Specify the directory and folder with all COBOL files as the argument to SCA, and SCA processes all
the files in that directory and folder without any need for COBOL file extensions.
Preparing COBOL Copybook Files

SCA does not identify copybooks by extension. All copybook files should therefore retain the names
used in the COBOL source code COPY statements. Copybook files should not be placed in the same
folder as the main COBOL source files, but instead, in a directory named copybooks/ at the same level
as the folder containing your COBOL source files.
If the copybooks have file extensions, use the -copy-extensions option to specify the copybook file
extensions. You can specify one or more file extensions (separate multiple extensions with colons).
For example:
-copy-extensions <ext1>:<ext2>
COBOL Command-Line Syntax

Free-format COBOL is the default translation and scanning mode for SCA. The basic syntax for
translating a single free-format COBOL source code file is:
sourceanalyzer -b <build_id>
The basic syntax for scanning a translated free-format COBOL program is:
sourceanalyzer -b <build_id> -scan -f <result.fpr>
Working with Fixed-Format COBOL

SCA also supports fixed-format COBOL. When translating and scanning fixed-format COBOL, both the
translation and scanning command lines must include the -fixed-format command-line option. For
example:
sourceanalyzer -b <build_id> -fixed-format
An example of the scan command-line syntax is:
sourceanalyzer -b <build_id> -scan -fixed-format -f <result.fpr>

User Guide
If your COBOL code is IBM Enterprise COBOL, then it is most likely fixed format. If the COBOL
translation command appears to hang indefinitely, terminate the translation by pressing Ctrl+C several
times, and then repeat the translation command with the -fixed-format option.
Searching for COBOL Copybooks

Use the copydirs command-line option to direct SCA to search a list of paths for copybooks and SQL
INCLUDE files. For example:
sourceanalyzer -b <build_id> -copydirs c:\cobol\copybooks
About Auditing COBOL Scans

After using the command line to scan the application, you can upload the resulting FPR file to HP
Fortify Audit Workbench or HP Fortify Software Security Center and audit the application’s issues.
SCA does not currently support custom rules for COBOL applications.

Chapter 10: Translating Other Languages
• About Translating Python Code 53

• About Translating ColdFusion Code 54
• About Translating SQL 55
• About Translating ASP/VBScript Virtual Roots 56
• Classic ASP Command-Line Example 58
• JavaScript Command-Line Example 58
• VBScript Command-Line Example 58
• PHP Command-Line Example 58
About Translating Python Code

SCA translates Python applications, and treats files with the .py extension as Python source code. To
translate Python applications and prepare the application for a scan, SCA searches any import files for
the application. SCA does not respect the PYTHONPATH environment variable which the Python runtime
system uses to find imported files, so this information should be provided directly to SCA using the
-python-path option. In addition, some applications add additional import directories during runtime
initialization.
To add paths for additional import directories, use the following sourceanalyzer command-line option:
-python-path <pathname>
Note: SCA translates Python applications using all import files located in the directory path
defined by the -python-path <pathname> option. Subsequently, translation might take long time
to complete.
Using the Django Framework with Python

To scan code created using the Django framework, set the following properties in the
fortify-sca.properties configuration file:
com.fortify.sca.limiters.MaxPassThroughChainDepth=8
com.fortify.sca.limiters.MaxChainDepth=8
During the translation phase, use the following option:
-django-template-dirs <path/to/template/dirs>

User Guide
Python Command-Line Options

The following table describes the Python options.
Python Option Description
-python-path <path> Specifies the path for additional import directories. SCA does
not respect the PYTHONPATH environment variable that the
Python runtime system uses to find imported files. Use the
-python-path option to specify additional import directories.
-django-template-dirs <path> Specifies to scan code created using the Django framework
where <path> is the location of the Django template directories.
About Translating ColdFusion Code

To treat undefined variables in a CFML page as tainted, uncomment the following line in
<Installation_Dir>/Core/config/fortify-sca.properties:
#com.fortify.sca.CfmlUndefinedVariablesAreTainted=true
Doing so serves as a hint to the Dataflow Analyzer to watch out for register-globals-style
vulnerabilities. However, enabling this property interferes with Dataflow findings in which a variable in
an included page is initialized to a tainted value in an earlier-occurring included page.
ColdFusion Command-Line Syntax

Type the following to translate ColdFusion source code:
sourceanalyzer -b <build_id> -source-base-dir <dir> <files> | <file specifiers>
where:
l <build_id> specifies the build ID for the project
l <dir> specifies the root directory of the web application
l <files> | <file specifiers> specifies the CFML source code files
Note: SCA calculates the relative path to each CFML source file by using the
-source-base-dir directory as the starting point, then uses these relative paths when generating
instance IDs. If the entire application source tree is moved to a different directory, the instance IDs
generated by a security analysis should remain the same if you specify an appropriate parameter
for -source-base-dir.
For a description of how to use <file specifiers>, see "Specifying Files" on page 81.

User Guide
ColdFusion Options
The following table describes the ColdFusion options.
ColdFusion Option Description
-source-base-dir The web application's root directory.

<web_app_root_dir> <files> | <file specifiers>
-source-archive <zip_file> The application’s source archive

repository. You must include the -scan
and -f options to use this option.
About Translating SQL

By default, files with the .sql extension are assumed to be T-SQL rather than PL/SQL on Windows
platforms. If you are using Windows and have PL/SQL files with the .sql extension, you should
configure SCA to treat them as PL/SQL. To change the default behavior, set the
com.fortify.sca.fileextensions.sql property in fortify-sca.properties to TSQL or PLSQL.
Type one of the following to specify the SQL type being translated on Windows platforms:
sourceanalyzer -b <build_id> -sql-language TSQL <files>
or
sourceanalyzer -b <build_id> -sql-language PL/SQL <files>
PL/SQL Command-Line Example

The following example shows the syntax for translating two PL/SQL files:
sourceanalyzer -b MyProject x.pks y.pks
The following example shows how to translate all PL/SQL files in the sources directory:
sourceanalyzer -b MyProject "sources/**/*.pks"

User Guide
T-SQL Command-Line Example

The following example shows the syntax for translating two T-SQL files:
sourceanalyzer -b MyProject x.sql y.sql
The following example shows how to translate all T-SQL files in the sources directory:
sourceanalyzer -b MyProject "sources\**\*.sql"
Note: This example assumes the com.fortify.sca.fileextensions.sql property in fortify-

sca.properties is set to TSQL.
About Translating ASP/VBScript Virtual Roots

SCA allows you to handle ASP virtual roots. For web servers that use virtual directories as aliases that
map to physical directories, SCA allows you to use an alias.
For instance, you can have virtual directories named Include and Library, which refer to the physical
directories C:\WebServer\CustomerOne\inc and C:\WebServer\CustomerTwo\Stuff, respectively.
For example, the ASP/VBScript code for an application using virtual includes, is as follows:

The above ASP code refers to the actual physical directory, as follows:
C:\Webserver\CustomerOne\inc\Task1\foo.inc
The real directory replaces the virtual directory name Include in that instance.
Accommodating Virtual Roots

To indicate to SCA the mapping of each virtual directory, you must set the
com.fortify.sca.ASPVirtualRoots.name_of_virtual_directory property as part of your
command-line invocation of souceanalyzer as follows:
sourceanalyzer -Dcom.fortify.sca.ASPVirtualRoots.<name_of_virtual_
directory>=<full path to corresponding physical directory>
Note: On Windows, if the physical path has spaces in it, you must enclose the property setting in
double-quotes:
sourceanalyzer "-Dcom.fortify.sca.ASPVirtualRoots.<name_of_virtual_
directory>=<full path to corresponding physical directory>"

User Guide
To expand on the example in the previous section, the property value that you must pass along should
be:
-Dcom.fortify.sca.ASPVirtualRoots.Include=”C:\WebServer\CustomerOne\inc”
-Dcom.fortify.sca.ASPVirtualRoots.Library="C:\WebServer\CustomerTwo\Stuff”
Doing so causes the mapping of Include to its directory and Library to its directory.
When SCA encounters the include directive:

SCA first checks to see if your project contains a physical directory named Include. If there is no such
physical directory, SCA looks through its own run-time properties and sees that:
-Dcom.fortify.sca.ASPVirtualRoots.Include="C:\WebServer\CustomerOne\inc"
This tells SCA that virtual directory Include is actually the directory:
C:\WebServer\CustomerOne\inc. This causes SCA to look for this file:
C:\WebServer\CustomerOne\inc\Task1\foo.inc.
Alternately, if you choose to set this property in the fortify-sca.properties file, which is located in
<Installation_Dir>\Core\config, you must escape the backslash character (\) in the path of the
physical directory:
com.fortify.sca.ASPVirtualRoots.Library=C:\\WebServer\\CustomerTwo\\Stuff
com.fortify.sca.ASPVirtualRoots.Include=C:\\WebServer\\CustomerOne\\inc
Note: The previous version of the ASPVirtualRoot property is still valid. You can use it on the SCA
command line as follows:
-Dcom.fortify.sca.ASPVirtualRoots=C:\WebServer\CustomerTwo\Stuff;
C:\WebServer\CustomerOne\inc
This prompts SCA to search through the listed directories in the order specified when it is resolving a
virtual include directive.
Using Virtual Roots Example

You have a file as follows:
C:\files\foo\bar.asp
You can specify this file by using the following include:

<property name="fortify.debug" value="false" />
<property name="fortify.verbose" value="false" />
<mkdir dir="${code.build}/log" />
<mkdir dir="${code.build}/audit" />
<tstamp/>
<property=”com.fortify.sca.PPSSilent” value=”true” />
<target name="fortify" if="fortify.present">
<typedef name="sourceanalyzer"
classname="com.fortify.dev.ant.SourceanalyzerTask"/>

<antcall target="clean"/>


<antcall target="compile">

<param name="com.fortify.sca.Debug" value="${fortify.debug}" />
<param name="com.fortify.sca.Verbose"
value="${fortify.verbose}" />
<param name="com.fortify.sca.LogFile"
value="${code.build}/log/${sourceanalyzer.buildid}-${DSTAMP}-${TSTAMP}.log"
/>
<param name="build.compiler"
value="com.fortify.dev.ant.SCACompiler" />
</antcall>


<echo>sourceanalyzer ${web-inf}</echo>
<sourceanalyzer buildid="${sourceanalyzer.buildid}">
<fileset dir="${web-inf}">
<include name="**/*.properties"/>
<include name="**/*.xml"/>
</fileset>
</sourceanalyzer>


<echo>sourceanalyzer ${basedir} jsp</echo>
<sourceanalyzer buildid="${sourceanalyzer.buildid}">
<fileset dir="${basedir}">
<include name="**/*.jsp"/>
</fileset>
<classpath refid="jsp.classpath"/>
</sourceanalyzer>

User Guide


<echo>sourceanalyzer scan</echo>
<sourceanalyzer buildid="${sourceanalyzer.buildid}"
scan="true" resultsfile="issues.fpr" />
</target>
Ant Properties
Any Ant property that begins with com.fortify is relayed to the sourceanalyzer task using the -D
option. For example, setting the com.fortify.sca.ProjectRoot property results in
-Dcom.fortify.sca.ProjectRoot=<value> being passed to the sourceanalyzer task. This is also
used for the SCA Compiler adapter. You can set these properties either in the build file, using the
<property> task for example, or on the Ant command line using the -D<property=<value> syntax.
When using the SCA Compiler adapter via the build.compiler setting, the sourceanalyzer.build
Ant property is equivalent to the buildID attribute of the sourceanalyzer task, and the
sourceanalyzer.maxHeap is equivalent to maxHeap. You can use either the command line or your build
script to set these properties.
Sourceanalyzer Task Options

The following table contains the command-line options for the sourceanalyzer task. Path values use
colon- or semicolon-delimited lists of file names.
Attribute Command-Line Option Description
append -append Appends results to the file specified with the -f

option. If this option is not specified, SCA
overwrites the file.
Note: To use this option, the output file format

must be .fpr or .fvdl. For information on the
-format output option, see the description in
this table.
appserver -appserver weblogic | Specifies the application server: Valid options are
websphere weblogic and websphere.
appserverHome -appserver-home Specifies the application server's home directory.

<path>
l For Weblogic, this is the path to the directory
containing server/lib directory.
l For WebSphere, this is the path to the directory
containing the bin/JspBatchCompiler script.

User Guide
appserverVersion -appserver-version See the HP Fortify Software Security Center

version> System Requirements document for supported
versions.
bootclasspath -bootclasspath Specifies the JDK bootclasspath.

<classpath>
buildID -b <build_ID> Specifies the build ID. The build ID is used to track
which files are compiled and linked as part of a
build and later to scan those files.
buildLabel -build-label <label> Specifies the label of the project being scanned.
SCA does not use the label but is included in the
analysis results.
buildProject -build-project Specifies the name of the project being scanned.

<project> SCA does not use the name but is included in the
analysis results.
buildVersion -build-version Specifies the version of the project being scanned.

<version> SCA does not use the version but it is included in
the analysis results.
classpath -cp <classpath> Specifies the classpath to be used for Java source
code. Format is same as javac (colon- or
semicolon-separated list of paths).
clean -clean Resets the build ID. The default value is false.
debug -debug Enables the debug mode, which is useful during

troubleshooting.
disableAnalyzers -disable-analyzer Disables multiple analyzers at once if necessary.

<list_of_analyzers> The <list_of_analyzers> is a colon-delimited list of
analyzers.
enableAnalyzers -enable-analyzer Enables multiple analyzers at once if necessary.

<list_of_analyzers> The <list_of_analyzers> is a colon-delimited list of
analyzers.
encoding -encoding Specifies the source file encoding type. This option
<encoding_type> is the same as the javac encoding option.
extdirs -extdirs Similar to the javac extdirs option, accepts a

<list_of_dirs> colon- or semicolon-separated list of directories.
Any JAR files found in these directories are
included implicitly on the classpath.
filter -filter <file> Specifies the filter file.

User Guide
findbugs -findbugs Enables FindBugs analysis when set to true. The

default value is false.
format -format Controls the output format. Valid options are fpr,
<format_type> fvdl, text, and auto. The default is auto, which
selects the output format based on the file
extension.
Note: If you are using results certification, you

must specify the fpr format. See the HP
Fortify Audit Workbench User Guide for
information on results certification.
javaBuildDir -java-build-dir Specifies one or more directories to which Java

<dir> sources have been compiled. Must be specified for
the findbugs attribute.
jdk -source <version> Indicates the JDK version that the Java code is
written for. Valid values for <version> are 1.4,
1.5, 1.6, 1.7, and 1.8. The default is 1.5.
Note: The source and JDK options are the

same. If both options are specified, the option
that is specified last takes precedence.
jdkBootclasspath -jdk-bootclasspath Specifies the JDK bootclasspath.

<classpath>
logfile -logfile <file_name> Specifies the log file that SCA produces.
maxHeap -Xmx <size> Specifies the maximum amount of memory SCA

uses . By default, it uses up to 1800 MB of memory
(1800M), which can be insufficient for large code
bases.
When specifying this option, ensure that you do not

allocate more memory than is physically available,
because this degrades performance. As a
guideline, assuming no other memory intensive
processes are running, do not allocate more than
2/3 of the available memory.
noDefaultRules -no-default-rules Specifies that SCA should not apply default rules
when scanning.
quick -quick Launches an SCA quick scan instead of a regular

scan. Set value to true to launch a quick scan.
The default value is false.

User Guide
resultsfile -f <absolute_path_ Specifies the file to which the results are written.
file_name>
rules -rules <list_of_ Specifies a custom Rulepack or directory. The

rules> rules option takes a list of rules files, delimited by
the path separator. This is a semicolon on
Windows, and a colon on other platforms. For each
element in this list, SCA is passed the -rules
<file> command.
scan -scan Setting this option determines whether SCA should

perform analysis on the provided build ID. The
default value is false.
source -source <version> Indicates the JDK version that the Java code is
written for. Valid values for <version> are 1.4,
1.5, 1.6, 1.7, and 1.8. The default is 1.5.
Note: The source and JDK options are the

same. If both options are specified, the option
that is specified last takes precedence.
sourcepath -sourcepath <dir> Specifies the location of source files that are not
included in the scan but are used for name
resolution. The source path is similar to classpath,
except that it uses source files rather than class
files for resolution.
verbose -verbose Sends verbose status messages to the console.
You can also specify the bootclasspath, classpath, extdirs options as nested elements, as with
the Ant javac task. You can specify source files with nested <fileset> elements.
The following table describes sourceanalyzer elements.
Element Ant Type Description
fileset Fileset Specifies the files to pass to SCA.
classpath Path Specifies the classpath to be used for Java source code.
bootclasspath Path Specifies the JDK bootclasspath.
extdirs Path Similar to the javac extdirs option. Any jar files in these directories
are included implicitly on the classpath.
sourcepath Path Specifies the location of source files that are not included in the scan
but are used for resolution.

Appendix D: Filtering the Analysis
• About Filter Files 90

• Filter File Example 90
About Filter Files

You can create a file to filter out particular vulnerability instances, rules, and vulnerability categories
when you run the sourceanalyzer command. You specify the file using the -filter analysis option.
Note: HP Fortify recommends that you only use this feature if you are an advanced user, and that
you do not use this feature during standard audits, because auditors should be able to see and
evaluate all issues SCA finds.
A filter file is a text file that you can create with any text editor. The file functions as a blacklist, where
only the filter items you do not want are specified. Each filter item is an a separate line in the filter file.
You can enter the following filter types:
l Category
l Instance ID
l Rule ID
The filters are applied at different times in the analysis process, according to the type of filter. Category
and rule ID filters are applied during the initialization phase before any scans have taken place,
whereas an instance ID filter is applied after the analysis phase.
Filter File Example

As an example, the following output resulted from a scan of the EightBall.java, located in the
<Installation_Dir>/Samples/basic/eightball directory.
The following commands are executed to produce the analysis results:
sourceanalyzer -b eightball Eightball.java

sourceanalyzer -b eightball -scan
The following results show seven detected issues:
[F7A138CDE5235351F6A4405BA4AD7C53 : low : Unchecked Return Value : semantic ]

EightBall.java(12) : Reader.read()

User Guide
[63C4F599F304C400E4BB77AB3EF062F6 : high : Path Manipulation : dataflow ]

EightBall.java(12) : ->new FileReader(0)
EightBall.java(8) : <=> (filename)
EightBall.java(8) : <->Integer.parseInt(0->return)
EightBall.java(4) : ->EightBall.main(0)
[EFE997D3683DC384056FA40F6C7BD0E8 : critical : Path Manipulation : dataflow ]

[60AC727CCEEDE041DE984E7CE6836177 : high : Unreleased Resource : Streams :

controlflow ]
EightBall.java(12) : start -> loaded : new FileReader(...)
EightBall.java(12) : loaded -> loaded : <inline expression> refers to an
allocated resource
EightBall.java(12) : java.io.IOException thrown
EightBall.java(12) : loaded -> loaded : throw
EightBall.java(12) : loaded -> loaded : <inline expression> no longer refers
to an allocated resource
EightBall.java(12) : loaded -> end_of_scope : end scope : Resource leaked :
java.io.IOException thrown
EightBall.java(12) : start -> loaded : new FileReader(...)
EightBall.java(12) : loaded -> loaded : <inline expression> refers to an
allocated resource
EightBall.java(14) : loaded -> loaded : <inline expression> no longer refers
to an allocated resource
EightBall.java(14) : loaded -> end_of_scope : end scope : Resource leaked
[BB9F74FFA0FF75C9921D0093A0665BEB : low : J2EE Bad Practices : Leftover Debug

Code : structural ]
EightBall.java(4)
[FF0D787110C7AD2F3ACFA5BEB6E951C3 : low : Poor Logging Practice : Use of a

System Output Stream : structural ]
EightBall.java(10)
[FF0D787110C7AD2F3ACFA5BEB6E951C4 : low : Poor Logging Practice : Use of a

System Output Stream : structural ]
EightBall.java(13)
The following sample filter file does the following:

l Removes all results related to the Poor Logging Practice category
l Removes the Unreleased Resource based on its instance ID
l Removes any data flow issues that were generated from a specific rule ID
The sample filter file contains the following text:
#This is a category that will be filtered from scan output

Poor Logging Practice

User Guide
#This is an instance ID of a specific issue to be filtered from scan output

60AC727CCEEDE041DE984E7CE6836177
#This is a specific Rule ID that leads to the reporting of a specific issue in

#the scan output: in this case the data flow sink for a Path Manipulation issue.
823FE039-A7FE-4AAD-B976-9EC53FFE4A59
You can test the filtered output by copying the above text and pasting it into a file with the name test_
filter.txt.
Execute the following command to use the -filter option and the test_filter.txt file:
sourceanalyzer -b eightball -scan -filter test_filter.txt
The following results are from filtering the analysis:
[F7A138CDE5235351F6A4405BA4AD7C53 : low : Unchecked Return Value : semantic]

EightBall.java(12) : Reader.read()
[63C4F599F304C400E4BB77AB3EF062F6 : high : Path Manipulation : dataflow ]

EightBall.java(8) : <->Integer.parseInt(0->return)
[BB9F74FFA0FF75C9921D0093A0665BEB : low : J2EE Bad Practices : Leftover Debug

Code : structural]
EightBall.java(4)

Appendix E: MSBuild Integration
SCA provides the ability to translate your .NET source code as part of your MSBuild build process.
With the SCA MSBuild integration, you can translate files on machines where Microsoft Visual Studio
has not been installed. See the HP Fortify Software Security Center System Requirements document
for the supported MSBuild versions. The MSBuild executable allows for the translation of the following
project/source code types:
l C/C++ Console Applications (Visual Studio 2010 and above only)
l C/C++ Libraries (Visual Studio 2010 and above only)
l Visual C# and Visual Basic Websites
l Visual C# and Visual Basic Libraries
l Visual C# and Visual Basic web Applications
l Visual C# and Visual Basic Console Applications
This section describes how to launch an SCA analysis as part of your MSBuild project.
• Setup for MSBuild Integration 93

• Setting Windows Environment Variables for Touchless Integration of SCA 93
• Adding Custom Tasks to your MSBuild Project 94
Setup for MSBuild Integration

The following is only required if the machine where you run MSBuild does not include a copy of
Microsoft Visual Studio:
l Add com.fortify.sca.IldasmPath=<Path_to_Ildasm.exe> to the <Installation_
Dir>\Core\config\fortify-sca.properties file.
Setting Windows Environment Variables for

Touchless Integration of SCA
When integrating SCA into your MSBuild process, there are a number of Windows environment
variables that you can set. If you do not set these variables, SCA assumes a default set of variables
and uses those. After you set the appropriate Windows environment variables, successive builds use
the same set until you change the environment variables. The following table lists the environment
variables that you can set.

User Guide
Environment Variable Definition Default
FORTIFY_MSBUILD_BUILDID Specifies the SCA build ID Build ID specified on the

command line
FORTIFY_MSBUILD_DEBUG Puts the logger and SCA into False

debug mode
FORTIFY_MSBUILD_MEM Specifies the memory used to 1800 MB

invoke SCA (for example,
-Xmx2000M)
FORTIFY_MSBUILD_LOG Specifies the location for the log ${win32.LocalAppdata}

file /Fortify/MSBuildPlugin
FORTIFY_MSBUILD_SCALOG Specifies the location (absolute Location specified by the

path) for the SCA log com.fortify.sca.LogFile
property in the fortify-
sca.properties file
FORTIFY_MSBUILD_LOGALL Specifies whether the plugin logs False

every message passed to it (this
creates a large amount of
information)
Touchless integration requires the FortifyMSBuildTouchless.dll located in the <Installation_

Dir>/Core/lib directory. It must be run from a Visual Studio command prompt.
The following is an example of the command used to run the build and launch an SCA analysis using
the default environment variables, or those you have previously set:
sourceanalyzer -b buildid msbuild <solution_file> <msbuild_options>
Alternatively, you can call MSBuild to launch a build and SCA analysis:
Msbuild <solution_file> /logger:"C:\Program Files\HP Fortify\

HP_Fortify_SCA_and_Apps_<version>\Core\lib\FortifyMSBuildTouchless.dll"
<msbuild_options>
Adding Custom Tasks to your MSBuild Project

Instead of using the touchless integration method, you can add custom tasks to your MSBuild project
to invoke SCA. You must add these tasks to an MSBuild project, not a solution.
The following table lists the custom tasks you can add to your MSBuild project.
Custom Task Required Parameters Optional Parameters
Fortify.TranslateTask l BuildID - build ID for the l References - list of DLLs to

translation be passed via the libdirs
command

User Guide
l BinariesFolder - directory where l JVMSettings - memory

the files to be translated reside settings to pass to SCA
l VSVersion - version of the .NET l LogFile - location of the SCA
DLLs used log file
l Debug - whether to enable
debug mode for task and SCA
Fortify.ScanTask l BuildID - build ID for the scan l JVMSettings - memory

l Output - name of the FPR file to settings to pass to SCA
be generated l LogFile - location of the SCA
log file
l Debug - whether to enable
Fortify.CleanTask l BuildID - build ID for the scan l Debug - whether to enable

Fortify.SSCTask l AuthToken - should be defined or l Debug - whether to enable

use username and password debug mode for task and SCA
l Project - project name l Username - necessary if
l ProjectVersion - project version (if AuthToken is not specified
undefined, a ProjectID and l Password - necessary if
ProjectVersionID must be AuthToken is not specified
defined) l ProjectID - used with
l FPRFile - name of the file to ProjectVersionID if Project
upload to SSC and ProjectVersion are not
l SSCURL - URL for the SSC specified
l ProjectVersionID - used with
ProjectID if Project and
ProjectVersion are not
specified
l Proxy - necessary if a proxy
is required
Fortify.CloudScanTask l BuildID - build ID for the l Debug - whether to enable

translation debug mode for task and SCA
l SSCUpload - whether to upload The following parameters are
output to SSC only used when SSCUpload is
l CloudURL - Cloud URL set to true:
or l SSCToken - SSC token
l SSCURL - URL for the SSC l Project - project to upload to

in SSC
l VersionName - project
version you want to upload to

User Guide
on SSC
The following parameter is only
used when SSCUpload is set to
false:
l FPRName - name for the
FPR file
Adding Fortify.TranslateTask
To add the Fortify.TranslateTask custom task to your MSBuild project:
1. Create a task to identify and locate FortifyMSBuildTasks.dll:
<UsingTask TaskName="Fortify.TranslateTask" AssemblyFile="<Installation_

Dir>\Core\lib\FortifyMSBuildTasks.dll" />
2. Create a new target or add the following custom target to an existing target to invoke the custom
task:
<Target Name="FortifyBuild" AfterTargets="AfterBuild" Outputs="dummy.out">

<TranslateTask
BinariesFolder="$(OutDir)"
BuildID="TempTask"
VSVersion="<Visual Studio Version>"
JVMSettings="-Xmx1000M"
LogFile="trans_task.log"
Debug="true" />
</Target>
The FortifyBuild target is invoked after the AfterBuild target is run. The AfterBuild target is one
of several default targets defined in the MSBuild target file. All required parameters must be specified.
Note: If adding a new target when running MSBuild 2.0 or 3.5, you must remove the string
AfterTargets="AfterBuild" and replace FortifyBuild with AfterBuild.
Adding Fortify.ScanTask
The following code adds the Fortify.ScanTask custom task to your MSBuild project:
<UsingTask TaskName="Fortify.TranslateTask"
AssemblyFile="<Installation_Dir>\Core\lib\FortifyMSBuildTasks.dll" />
<UsingTask TaskName="Fortify.ScanTask" AssemblyFile="<Installation_Dir>\Core

\lib\FortifyMSBuildTasks.dll" />

User Guide

<TranslateTask
BuildID="TempTask"
Debug="true" />
<ScanTask
BuildID="TempTask"
LogFile="scan_task.log"
Debug="true"
Output="Scan.fpr" />
</Target>
Adding Fortify.CleanTask
The following example adds the Fortify.CleanTask custom task to your MSBuild project:
<UsingTask TaskName="Fortify.CleanTask"
<CleanTask BuildID="TempTask" />

</Target>
Adding Fortify.SSCTask
The following example adds the Fortify.SSCTask custom task to your MSBuild project:
<UsingTask TaskName="Fortify.TranslateTask"
<UsingTask TaskName="Fortify.ScanTask"
<UsingTask TaskName="Fortify.SSCTask"
AssemblyFile=<Installation_Dir>\Core\lib\FortifyMSBuildTasks.dll" />

<TranslateTask

User Guide

BuildID="TempTask"
Debug="true" />
<ScanTask BuildID="TempTask"
LogFile="scan_task.log"
Debug="true"
Output="Scan.fpr" />
<SSCTask
Username="admin"
Password="admin"
Project="Test Project"
ProjectVersion="Test Version 1"
FPRFile="SSC.fpr"
SSCURL="http://localhost:8180/ssc" />
</Target>
Adding Fortify.CloudScanTask
If you are using CloudScan to process your scans, you can send the translated output to your cloud-
based resource. The following example adds the Fortify.CloudScanTask custom task to your
MSBuild project:
<UsingTask TaskName=”Fortify.CloudScanTask”
AssemblyFile=”<Installation_Dir>\Core\lib\FortifyMSBuildTasks.dll”/>

<CloudScanTask
BuildID="TempTask"
SSCUpload="false"
FPRName="Scan.fpr"
CloudURL="http://localhost:8080/cloud-ctrl" />
</Target>

Appendix F: Maven Integration
• About the Maven Plugin 99

• Installing the Maven Plugin 100
• Using the Maven Plugin 101
• Excluding Files from the Scan 103
• Uninstalling the Maven Plugin 103
• Additional Documentation 103
About the Maven Plugin

SCA includes a Maven plugin which provides a means for you to add SCA clean, translation, scan, and
FPR upload capabilities to your Maven project builds. You can use the plugin directly or integrate its
functionality into your build process.
The Maven plugin is located in <Installation_Dir>/Samples/advanced/maven-plugin.
The following table describes the contents of the maven-plugin directory.
File/Directory Description
pom.xml Project object model file
README.TXT README text file that provides installation and usage instructions
samples Directory that contains two sample project directories: EightBall and
MyEnterpriseApp
settings.xml XML file that establishes the namespace to be used as it relates to Maven
settings
sca-maven-plugin Directory that contains source code, assemblies, and other source files
xcodebuild Directory that contains source code files to support an Xcode Maven project
For information about supported versions of Maven, see the HP Fortify Software Security Center
System Requirements document.

User Guide
Installing the Maven Plugin

The following Maven plugin installation instructions assume that the path to the SCA bin folder is in
your PATH environment variable.
To install the Maven plugin:
1. Open a terminal or command window and navigate to the maven-plugin directory:
<Installation_Dir>/Samples/advanced/maven-plugin
2. At the prompt, type:
mvn clean install
Testing the Maven Plugin

After installing the Maven plugin, use one of the included sample files to ensure your installation is
working properly.
To test the Maven plugin using the EightBall sample file:
1. Add the directory containing the sourceanalyzer executable to the path environment variable.
For example:
export set PATH=$PATH:/path_to_HP_Fortify_SCA_and_Apps/bin
or
set PATH=%PATH%;path_to_HP_Fortify_SCA_and_Apps\bin
2. Type sourceanalyzer -h to test the path setting.

It should display the sourceanalyzer help.
3. Navigate to the Eightball directory: <Installation_Dir>/Samples/advanced/maven-
plugin/samples/EightBall.
4. Type:
mvn com.fortify.ps.maven.plugin:sca-maven-plugin:<ver>:clean
where <ver> is the version of the Maven plugin you are using. If the version is not specified,
Maven uses the latest version of Maven plugin that is installed in the local repository.
Note: To determine the version of the Maven plugin, open the pom.xml file located in
<Installation_Dir>/Samples/advanced/maven-plugin in a text editor. The Maven plugin
version is specified in the <version> element.

User Guide
5. If the command in Step 4 completed successfully, then the Maven plugin is installed correctly.
Maven is not installed correctly, if you get the following error message:
[ERROR] Error resolving version for plugin 'com.fortify.ps.maven.plugin:sca-

maven-plugin' from the repositories
Check the Maven local repository and try to install the Maven plugin again.
Updating the Maven Plugin

If you have a previous version of the Maven plugin installed, you can upgrade to the latest version.
To update the Maven plugin on your system:
1. Open a terminal or command window and navigate to the maven-plugin directory.
<Installation_Dir>/Samples/advanced/maven-plugin
2. At the prompt, type:
mvn install
Using the Maven Plugin

You can run the package locally or integrate it as part of your build process. During the translation
phase, the SCA Maven plugin searches your JAR file from the local repository and tries to resolve
classes in your application.
Note: In the following steps, three versions of SCA commands are provided. You can only use the
Short Goal Name version of each command if you have placed a copy of the settings.xml file in
the local repository.
To manually scan your code using the Maven plugin:

1. Install the target application in the local repository:
mvn install
2. Clean out the previous build using one of the following commands:
Complete mvn com.fortify.ps.maven.plugin:sca-maven-plugin:<ver>:clean
Without Version mvn com.fortify.ps.maven.plugin:sca-maven-plugin:clean

ID
Short Goal Name mvn sca:clean

User Guide
3. Translate the code using one of the following commands:
Complete mvn com.fortify.ps.maven.plugin:sca-maven-plugin:<ver>:translate
Without mvn com.fortify.ps.maven.plugin:sca-maven-plugin:translate

Version ID
Short Goal mvn sca:translate

Name
4. Scan the code using one of the following commands:
Complete mvn com.fortify.ps.maven.plugin:sca-maven-plugin:<ver>:scan
Without Version mvn com.fortify.ps.maven.plugin:sca-maven-plugin:scan

ID
Short Goal Name mvn sca:scan
where <ver> is the version of the Maven plugin you are using.
Note: If you do not specify the version, Maven calls the latest version of the sca-maven-plugin in
the local repository.
To scan your files as part of your build system:

1. Install the target application in the local repository:
mvn install
2. Clean out the previous build:
3. Translate the code using one of the following options:
Translation Command Options
sourceanalyzer -b <build_id> [<SCA build options>] mvn

com.fortify.ps.maven.plugin:sca-maven-plugin:<ver>:translate

com.fortify.ps.maven.plugin:sca-maven-plugin:translate
sourceanalyzer -b <build_id> [<SCA build options>] mvn sca:translate
Note: To use this version of the command, you must have placed a copy of the
settings.xml file in the local repository.
4. Run the scan:
sourceanalyzer -b <build_id> [<SCA scan options>] -scan -f result.fpr

User Guide
Excluding Files from the Scan

If you do not want to include all of the files in your project or solution, you can direct SCA to exclude
selected files from your scan.
Add the -D option with the following property to the translate step to specify the files you want to
exclude:
-Dfortify.sca.exclude="fileA;fileB;fileC;"
Note: On Windows, separate the file names with a semicolon; and on all other platforms use a
colon. Wild cards are supported; use a single asterisk (*) to match part of a file name and use two
asterisks (**) to recursively match directories.
For example, for the sample EightBall project, you would issue the following command to translate the
source code:
mvn com.fortify.ps.maven.plugin:sca-maven-plugin:<ver>:translate
-Dfortify.sca.source.version=1.6 -Dfortify.sca.exclude="fileA;fileB;fileC;
Uninstalling the Maven Plugin

To uninstall the Maven plugin, manually delete all files from the <Maven_Local_
Repository>/repository/com/fortify/ps/maven/plugin directory.
Additional Documentation
After the Maven plugin is properly installed, a new directory is included in the following location:
<Installation_Dir>/Samples/advanced/maven-plugin/target/site
To access the documentation, open the index.html file. There are sections on the available options,
basic usage guide, uploading scans to Software Security Center, and FAQs.

Appendix G: HP Fortify Scan Wizard
• About HP Fortify Scan Wizard 104

• Starting the HP Fortify Scan Wizard 105
About HP Fortify Scan Wizard

HP Fortify Scan Wizard uses the information you provide to create a script that translates and scans
project code using HP Fortify Static Code Analyzer (SCA) and optionally, uploads the results directly to
Software Security Center. You can use HP Fortify Scan Wizard to run your scans locally, or, if you are
using HP Fortify CloudScan, in the cloud.
Note: If you generate a script on a Windows system, you cannot run that script on a non-Windows
system. Likewise, if you generate a script on a non-Windows system, you cannot run it on a
Windows system.

User Guide
To use HP Fortify Scan Wizard, you need the following:

l Location of the build directory or directories of the project to be scanned
l Access to the build directory or directories of the project to be scanned
l If you are scanning Java code, the version of the Java JDK used to develop the code
l If you plan to use HP Fortify CloudScan to scan your code, the URL of the cloud server
l (Optional) Location of custom rule files
If you plan to upload your scan results to HP Fortify Software Security Center, you also need:
l Your Software Security Center logon credentials
l The Software Security Center server URL
l An upload authentication token
Note: If you do not have an upload token, you can use the HP Fortify Scan Wizard to generate
one. To do this, you must have Software Security Center logon credentials.
If you do not have HP Fortify Software Security Center logon credentials, you must have the following:
l Project name
l Project version name
Note: Scan Wizard uses a default scan memory setting of 90% of the total available memory if it is
greater than 4 GB, otherwise the default memory setting is 2/3 the total available memory. Adjust
the scan memory as necessary in the Translation and Scan step of the wizard.
Starting the HP Fortify Scan Wizard

How you start the HP Fortify Scan Wizard depends on whether you installed SCA analyzers and
applications locally or if you are using the HP Fortify Scan Wizard as a stand-alone utility on your
system.
Starting Scan Wizard on a System with SCA and

Applications Installed
To start the HP Fortify Scan Wizard with SCA analyzers and applications installed locally, do one of
the following, based on your operating system:
l On a Windows system, click Start > All Programs > HP Fortify SCA and Applications
<version> > Scan Wizard.
l On a Linux system, navigate to the HP_Fortify/HP_Fortify_SCA_and_Apps_
<version>/bin directory, and then run the ScanWizard file from the command line.
l On a Macintosh system, navigate to the HP_Fortify/HP_Fortify_SCA_and_Apps_
<version>/bin directory, and then double-click ScanWizard.

User Guide
Starting HP Fortify Scan Wizard as a Stand-Alone

Utility
To start the wizard as a stand-alone utility:
1. Download and uncompress the HP Fortify Scan Wizard package for your operating system.
2. Navigate to the HP-Fortify-<version>-Scan-Wizard/bin directory.
3. Do one of the following:
l On a Windows system, double-click the ScanWizard.cmd file.
l On a Linux system, run the ScanWizard file.
l On a Macintosh system, double-click the ScanWizard file.

Appendix H: Sample Files
• About the Sample Files 107

• Basic Samples 107
• Advanced Samples 109
About the Sample Files

Your HP Fortify software installation includes a number of sample files that you can use when testing
or learning to use SCA. The sample files are located in the following directory:
<Installation_Dir>/Samples
Inside the Samples directory are two sub-directories: basic and advanced. Each code sample includes
a README.txt file that provides instructions on scanning the code in SCA and viewing the output in
Audit Workbench.
The basic sub-directory includes an assortment of simple language-specific samples. The advanced
subdirectory includes more advanced samples and code samples that enable you to integrate SCA
with your bug tracking system.
Basic Samples
The following table provides a list of the sample files in the basic sub-directory (<Installation_
Dir>/Samples/basic), a brief description of the sample file, and a list of the vulnerabilities identified.
Folder Name Description Vulnerabilities
cpp Includes a C++ sample file and instructions for testing a simple Command
data flow vulnerability (requires a gcc or cl compiler). Injection
Memory Leak
database Includes a database.pks sample file. This SQL sample includes Access
issues that can be found in SQL code. Control:
Database

User Guide
Folder Name Description Vulnerabilities
eightball Includes EightBall.java, a Java application that exhibits bad Path

error handling. It requires an integer as an argument. If you supply Manipulation
a file name instead of an integer, it displays the contents of the
Unreleased
file.
Resource:
Streams
J2EE Bad
Practices:
Leftover Debug
Code
formatstring Includes formatstring.c file (requires a gcc or cl compiler) . Format String
javascript Includes sample.js, a JavaScript file. Cross Site

Scripting (XSS)
Open Redirect
nullpointer Includes NullPointerSample.java file. Null

Dereference
php Includes both sink.php and source.php files. Analyzing Cross Site
source.php surfaces simple dataflow vulnerabilities and a Scripting
dangerous function.
SQL Injection
sampleOutput Includes a sample output file (WebGoat5.0.fpr) from the Example input
WebGoat project located in the Samples/advanced/webgoat for Audit
directory. Workbench.
stackbuffer Includes stackbuffer.c. A gcc or cl compiler is required. Buffer Overflow
toctou Includes toctou.c file. Time-of-

Check/Time-of-
Use (Race
Condition)
vb6 Includes command-injection.bas file. Command

Injection
SQL Injection
vbscript Includes source.asp and sink.asp files. SQL Injection

User Guide
Advanced Samples
The following table provides a list of the sample files in the advanced subdirectory (<Installation_
Dir>/Samples/advanced).
Folder Name Description
BugTrackerPluginAlm Includes the same functionality as the built-in ALM plugin so that you
can use it as a guide to creating your own plugin.
BugTrackerPluginBugzilla Includes the Bugzilla plugin that uses the public API. This is used in
Software Security Center.
BugTrackerPluginJira Includes the same functionality as the built-in JIRA plugin.
c++ Includes sample solutions for different supported versions of Microsoft

Visual Studio.
You should have SCA and the HP Fortify Package for Microsoft Visual
Studio plugin installed for the Visual Studio version you are using.
The code includes a Command Injection issue and an Unchecked
Return Value issue.
configuration Includes a sample J2EE application that has vulnerabilities in its web
module deployment descriptor web.xml.
crosstier Includes a sample that has vulnerabilities spanning multiple application

technologies (Java, PL/SQL, JSP, struts). The output should contain
several issues of different types, including two Access Control
vulnerabilities. One of these is a cross-tier result. It has a data flow trace
from user input in Java code that can affect a SELECT statement in
PL/SQL.
csharp Includes a simple C# program that has SQL injection vulnerabilities.

Versions are included for different supported versions of Visual Studio.
After successful completion of the scan, you should see the SQL
Injection vulnerabilities and one Unreleased Resource vulnerability.
Other categories might also be present, depending on the Rulepacks
used in the scan.
customrules Includes several simple source code samples and Rulepack files that
illustrate rules interpreted by four different analyzers: Semantic,
Dataflow, Control Flow, and Configuration. This directory also includes
several miscellaneous real-world rules samples that you can use for
scanning real applications.
ejb Includes a sample J2EE cross-tier application with Servlets and EJBs.

User Guide
Folder Name Description
filters Includes a sample that uses the sourceanalyzer -filter option. See
"About Filter Files" on page 90.
findbugs Includes a sample that demonstrates how to run FindBugs static

analysis tool (http://findbugs.sourceforge.net/) together with SCA and
filter out results that overlap.
java1.5 Includes ResourceInjection.java. The result file should have a Path

Manipulation result and a J2EE Bad Practices result.
javaAnnotations Includes a sample application that illustrates problems that might arise
from its use and how to fix the problems using the Fortify Java
Annotations. The goal of this example is to illustrate how the use of
Fortify Annotations can result in increased accuracy in the reported
vulnerabilities. The accompanying Java Annotations Sample.txt file
describes the potential problems and solutions associated with
vulnerability results.
JavaDoc JavaDoc directory for the public-api and WSClient.
maven-plugin Includes tests that you can run on any project that uses Maven (for
instance those included in the samples directory or WebGoat:
http://code.google.com/p/webgoat).
webgoat Includes the WebGoat test J2EE web application provided by the Open
Web Application Security Project (www.owasp.org). This directory
contains the WebGoat 5.0 sources. You can use WebGoat Java
sources directly for Java vulnerability scanning with SCA.

Appendix I: Issue Tuning
This appendix lists properties that impact the number of issues that SCA reports. The default settings
have been designed to provide optimal results and you should not alter them unless you are
experiencing an issue or HP Fortify Technical Support has instructed you to do so.
Issue tuning allows you to fine tune the number and quality of result you receive from an SCA scan.
This is an advanced topic and should not be necessary for the majority of users.
If you feel that SCA is reporting too many or too few issues of a particular type, you might need to
adjust a property to exclude or include additional issues. Before making any changes, you might want
to contact support and discuss the issue you are experiencing.
The following areas can be tuned:
• Wrapper Detection 111

• Interprocedural Constant Propagation 112
• Selective Map Operation Tracking 112
If you need to turn one or more of these analysis features off, edit the fortify-sca.properties file,
located in the <Installation_Dir>/Core/config directory.
Wrapper Detection
Wrapper detection identifies methods that wrap map operations. In SCA, map operations insert <key,
value> pairs to, or retrieve <key, value> pairs from, an associative map. When a tainted value is
inserted or retrieved, its taint may get propagated through the map.
The HP Fortify Software Security Research team (SSR) provides rules describing how various APIs
implement map insertion and retrieval. Taint propagation occurs when methods matching those
specified in the rules are invoked. If SCA cannot compute the map keys used at those methods, then it
promotes taint from a single value to all values in the map. This introduces false positives.
A function is treated as a wrapper method when it:
l Contains a callsite to a method identified by an SSR rule as a map operation or already identified by
SCA as a wrapper
l Directly passes its parameters to the map operation
l Directly passes the map operation's return value to its own return
The effects of successful wrapper identification include:
l Reduction of false issue reports from the Dataflow Analyzer by reducing the number of issues
reported with mismatched map insertions and retrievals
l Improved readability of dataflow issue reports by replacing unknown map keys, shown as '?', with
explicit key values

User Guide
Appendix I: Issue Tuning
The following property controls the behavior of wrapper detection:

com.fortify.sca.EnableWrapperDetection. Setting this property to true, enables wrapper
detection.
Interprocedural Constant Propagation

Programming languages provide keywords to indicate that a variable is a constant, unchanging value
throughout an entire program. However, some software fails to consistently apply these keywords to
constant variables. Interprocedural Constant Propagation identifies explicit constants and variables
that are not defined as constants but have unchanging values, and it then propagates those constant
values throughout all functions in the program.
The properties listed in the following table control Interprocedural Constant Propagation.
Property Name Description
com.fortify.sca. Enables or disables propagation of constant

EnableInterproceduralConstantResolution values across function boundaries.
com.fortify.sca. If set to true, disables identification of constant

DisableInferredConstants variables without explicit const or final
keywords.
Selective Map Operation Tracking

Selective Map Operation Tracking analysis greatly reduces the prevalence of unresolved map keys.
This analysis allows SCA to find true positives in global classes without introducing an increase in the
number of false positives. You configure this algorithm with a property key that accepts four values.
The default value, classrule, is appropriate in most situations. If you find that too many issues are
suppressed, you can change the value and compare the results received.
The values listed in the following table control Selective Map Operation Tracking.
Analysis Property Value Description
com.fortify.sca. classrule This is the default value of the property. SCA analyzes dataflow
RequireMapKeys operations on maps global by classrule only when it can
determine keys.
never Set this property to never to disable Selective Map Operation

Tracking analysis. All map operations are analyzed.
globals Set this property to globals to increase the aggressiveness of

the analysis. SCA analyzes data flow operations on all global
maps only when it can determine keys.
always Set this property to always for maximum aggressiveness. SCA

processes data flow operations on all maps only when it can
determine keys.

Appendix J: Configuration Options
The HP Fortify SCA and Applications installer places a set of properties files on your system during
installation. Properties files contain configurable settings for runtime analysis, output, and performance
of HP Fortify Static Code Analyzer.
• About HP Fortify Static Code Analyzer Properties Files 113

• Precedence of Setting Properties 114
• fortify-sca.properties 115
• fortify-sca-quickscan.properties 132
About HP Fortify Static Code Analyzer

Properties Files
The properties files are located in the <Installation_Dir>/Core/config directory.
The installed properties files contain default values. HP Fortify recommends consulting with your
project leads before making changes to the properties in the properties files. You can modify any of the
properties in the configuration file using a text editor or define the property on the command line using
the -D option.
The following table describes the primary properties files. Additional properties files are described in
HP Fortify Static Code Analyzer Tools Properties Reference Guide.
Properties File Name Description
fortify-sca.properties Defines the SCA configuration properties.
fortify-sca-quickscan.properties Defines the configuration properties applicable for an SCA

quick scan.
Properties File Format

In the properties file, each property consists of a pair of strings: the first string is the property name and
the second string is the property value.
com.fortify.sca.SqlLanguage = TSQL
As shown above, the property sets the SQL language variant. The property name is
com.fortify.sca.SqlLanguage and the value is set to TSQL.

User Guide
Note: When specifying a path for Windows systems as the property value, you must escape any
backslash character (\) with a backslash. For example:
com.fortify.sca.ASPVirtualRoots.Library=C:\\WebServer\\CustomerA\\inc.
Disabled properties are commented out of the properties file. To enable these properties, remove the
comment symbol (#) and save the properties file. In the following example, the
com.fortify.sca.LogFile property is disabled in the properties file and is not part of the
configuration:
# default location for the log file

#com.fortify.sca.LogFile=${com.fortify.sca.ProjectRoot}/sca/log/sca.log
Precedence of Setting Properties

SCA uses properties settings in a specific order. Using this order, you can override any previously set
properties with the values that you specify. Keep this order in mind when making changes to the
properties files.
The order of precedence with SCA properties is:
Order Property Specification Description
1 Command line with the Properties specified on the command line have the highest
-D option priority and can be specified during any scan.
2 SCA Quick Scan Properties specified in the Quick Scan configuration file

configuration file (fortify-sca-quickscan.properties) have the second
priority, but only if you include the -quick option to enable Quick
Scan mode. If Quick Scan is not invoked, this file is ignored.
3 SCA configuration file Properties specified in the SCA configuration file (fortify-

sca.properties) have the lowest priority. Edit this file if you
want to change the property values on a more permanent basis
for all scans.
SCA also relies on some properties that have internally defined default values.

User Guide
fortify-sca.properties
The following table summarizes the properties available for use in the fortify-sca.properties file.
See "fortify-sca-quickscan.properties" on page 132 for additional properties that you can use in this
properties file.
com.fortify.sca. By default, if a scan is interrupted, the partial results are written

AbortedScanOverwrites to a different output file: <output>.partial.fpr instead of
Output <output>.fpr. If this property is set to true, the interrupted
result are written to the normal output file (<output>.fpr),
which overwrites any full‐scan results that might exist in that
file.
Value type: Boolean
Default: false
com.fortify.sca. Specifies the application server for processing JSP files. The

Appserver valid values are weblogic or websphere.
Value type: String
Default: (none)
com.fortify.sca. Specifies the application server's home directory. For

AppserverHome WebLogic, this is the path to the directory containing
server/lib. For WebSphere, this is the path to the directory
containing the JspBatchCompiler script.
Value type: String (path)
Default: (none)
com.fortify.sca. Specifies the version of the application server.

AppserverVersion
Value type: String
Default: (none)
com.fortify.sca. Specifies a semicolon delimited list of full paths to virtual roots

ASPVirtualRoots. used.
<virtual_path>
Value type: String
Default: (none)
Example:
com.fortify.sca.ASPVirtualRoots.Library=
c:\\WebServer\\CustomerTwo\\Stuff
com.fortify.sca.ASPVirtualRoots.Include=
c:\\WebServer\\CustomerOne\\inc

User Guide
com.fortify.sca. If set to true, rules from the default Rulepacks are not loaded.
NoDefaultRules SCA processes the Rulepacks for description elements and
language libraries, but no rules are processed.
Value type: Boolean
Default: (none)
com.fortify.sca. If set to true, disables rules in default Rulepacks that lead

NoDefaultIssueRules directly to issues. Still loads rules that characterize the behavior
of functions. This can be helpful when creating custom issue
rules.
Value type: Boolean
Default: (none)
com.fortity.sca. If set to true, disables sink rules in the default Rulepacks. This
NoDefaultSinkRules can be helpful when creating custom sink rules.
Note: Characterization sink rules are not disabled.
Value type: Boolean
Default: (none)
com.fortify.sca. If set to true, disables source rules in the default Rulepacks.

NoDefaultSourceRules This can be helpful when creating custom source rules.
Note: Characterization source rules are not disabled.
Value type: Boolean
Default: (none)
com.fortify.sca. Specifies the folder for storing intermediate files generated

ProjectRoot during translation and scanning.
Default (Windows): ${win32.LocalAppdata}\Fortify
Note: ${win32.LocalAppdata} is a special variable that

points to the windows Local Application Data shell folder.
Default (Non-Windows): $home/.fortify

Example:com.fortify.sca.ProjectRoot=
C:\Users\<user>\AppData\Local\
com.fortify.sca. Specifies a comma- or colon-separated list of the types of

DefaultAnalyzers analysis to perform. The valid values for this property are:
buffer, content, configuration, controlflow, dataflow,
findbugs, nullptr, semantic, and structural.

User Guide
Value type: String

Default: This property is commented out and all analysis types
are utilized during scans.
com.fortify.sca. Specifies a comma- or colon-separated list of analyzers you

EnableAnalyzer want to use for a scan in addition to the default analyzers. The
valid values for this property are: buffer, content,
configuration, controlflow, dataflow, findbugs, nullptr,
semantic, and structural.
Value type: String
Default: (none)
com.fortify.sca. Sets the directory used to search for custom rules.

CustomRulesDir
Default:
${com.fortify.Core}/config/customrules
com.fortify.sca. Specifies how to translate specific file extensions for languages

fileextensions.cfm that do not require build integration. The valid types are: ABAP,
ACTIONSCRIPT, ARCHIVE, ASP, ASPX, BITCODE,
com.fortify.sca.
BYTECODE, CFML, COBOL, CSHARP, HTML, JAVA,
fileextensions.cs
JAVA_PROPERTIES, JAVASCRIPT, JSP, JSPX, MSIL,
com.fortify.sca. MXML, PHP, PLSQL, PYTHON, RUBY, RUBY_ERB, TLD,
fileextensions.java SQL, TSQL, VB, VB6, VBSCRIPT, and XML.
com.fortify.sca. Value type: String (language)
fileextensions.js
Default: See the fortify-sca.properties file for the
com.fortify.sca. complete list.
fileextensions.py
Examples:
com.fortify.sca.
com.fortify.sca.fileextensions.cfm=CFML
fileextensions.rb
com.fortify.sca.fileextensions.cs=CSHARP
com.fortify.sca. com.fortify.sca.fileextensions.java=JAVA
fileextensions.aspx com.fortify.sca.fileextensions.js=
JAVASCRIPT
Note: This is a partial list. For com.fortify.sca.fileextensions.py=PYTHON
the complete list, see the com.fortify.sca.fileextensions.rb=RUBY
properties file.
com.fortify.sca. If set to true, SCA uses the native JSP parser of an application
jsp.UseNativeParser server to parse JSP files. Otherwise, SCA uses the Jasper
parser.
Value type: Boolean
Default: true

User Guide
Example:
com.fortify.sca.jsp.UseNativeParser=
false
com.fortify.sca If set to true, the JSP parser uses JSP security manager.
jsp.UseSecurityManager
Value type: Boolean
Default: true
com.fortify.sca. Specifies the encoding for JSPs.

jsp.DefaultEncoding
Value type: String (encoding)
Default: ISO-8859-1
com.fortify.sca. Sets the SQL language variant. The valid values are PLSQL (for
SqlLanguage Oracle PL/SQL) and TSQL (for Microsoft T-SQL).
Value type: String (SQL language type)
Default: TSQL
com.fortify.sca. Specifies custom-named compilers.

compilers.javac=
Value type: String (compiler)
com.fortify.sca.
util.compilers. Default: See the Compilers section in the fortify-
JavacCompiler sca.properties file for the complete list.
com.fortify.sca. Example:
compilers.c++=
To tell SCA that “my-gcc” is a gcc compiler:
com.fortify.sca.
util.compilers. com.fortify.sca.
GppCompiler compilers.my-gcc=
com.fortify.sca.util.compilers.
com.fortify.sca.
GccCompiler
compilers.make=
com.fortify.sca. Note: Compiler names can begin or end with an asterisk (*)
util.compilers. which matches zero or more characters.
TouchlessCompiler
com.fortify.sca.
compilers.mvn=
com.fortify.sca.
util.compilers.
MavenAdapter
Note: This is a partial list. For

the complete list,
see the properties file.

User Guide
com.fortify.sca. If set to true, SCA generates JavaScript code to model the

EnableDOMModeling DOM tree generated by an HTML file during the translation
phase and identify DOM-related issues (such as cross-site
scripting issues). Enable this property if the code you are
scanning includes JQuery or any HTML files that include
JavaScript. Note that enabling this property can increase the
translation and scan time.
Value type: Boolean
Default: false
com.fortify.sca. Specifies trusted domain names where SCA can download

JavaScript.src.domain. referenced JavaScript files for the scan. Delimit the URLs with
whitelist vertical bars.
Value type: String
Default: (none)
Example: com.fortify.sca.JavaScript.
src.domain.whitelist=
http://www.xyz.com|http://www.123.org
com.fortify.sca. If set to true, JavaScript code embedded in PHP, JSP, JSPX,

DisableJavascript PHP, and HTML files is not extracted and not scanned.
Extraction
Value type: Boolean
Default: false
com.fortify.sca. If set to true, higher-order analysis is enabled.

hoa.Enable
Value type: Boolean
Default: true
com.fortify.sca. The languages on which to run phase 0 higher order analysis.

Phase0HigherOrder.
Value type: String (comma separated list of languages)
Languages
Default: python,ruby
com.fortify.sca. Comma- or colon-separated list of languages using type

TypeInferenceLanguages inference.
Value type: String
Default: javascript,python,ruby
com.fortify.sca. The total amount of time (in seconds) that type inference is

TypeInferencePhase0 allowed to spend in phase 0 (the interprocedural analysis).
Timeout Unlimited if set to 0 or is not specified.
Value type: Long
Default: 300

User Guide
com.fortify.sca. The amount of time (in seconds) that type inference is allowed
TypeInferenceFunctionTimeout to spend analyzing a single function. Unlimited if set to 0 or not
specified.
Value type: Long
Default: 60
com.fortify.sca. If set to true, disables function pointers during the scan.

DisableFunctionPointers
Value type: Boolean
Default: false
com.fortify.sca. If set to true, enables propagation of constant values across

EnableInterprocedural function boundaries.
ConstantResolution
Value type: Boolean
Default: true
com.fortify.sca. If set to false, disables all wrapper detection

EnableWrapperDetection
Value type: Boolean
Default: true
com.fortify.sca. This property allows SCA to compromise a small number of true

RequireMapKeys positives in exchange for a tremendous reduction of false
positives. See "Selective Map Operation Tracking" on page 112
for more information. The valid values are classrule, never,
globals, and always.
Value type: String
Default: classrule
com.fortify.sca. Dead code is code that can never be executed, such as code
DisableDeadCodeElimination inside the body of an if statement that always evaluates to
false. If this property is set to true, then SCA does not identify
dead code, does not report dead code issues, and reports other
vulnerabilities in the dead code, even though they cannot be
reached during execution.
Value type: Boolean
Default: false
com.fortify.sca. If set to true, removes dead code issues, for example because
DeadCodeFilter the dead code was generated by a compiler and does not
appear in the source code.
Value type: Boolean
Default: true

User Guide
com.fortify.sca. If set to true, excludes descriptions from the analysis results file
FVDLDisableDescriptions (FVDL).
Value type: Boolean
Default: false
com.fortify.sca. If set to true, excludes the ProgramData section from the

FVDLDisableProgramData analysis results file (FVDL).
Value type: Boolean
Default: false
com.fortify.sca. If set to true, excludes the engine data from the analysis results
FVDLDisableEngineData file (FVDL).
Value type: Boolean
Default: false
com.fortify.sca. If set to true, excludes code snippets from the analysis results
FVDLDisableSnippets file (FVDL).
Value type: Boolean
Default: false
com.fortify.sca. If set to true, excludes the label evidence from the analysis
FVDLDisableLabelEvidence results file (FVDL).
Value type: Boolean
Default: false
com.fortify.sca. Specifies location of the style sheet for the analysis results.
FVDLStylesheet
Default:
${com.fortify.Core}/resources/sca/fvdl2html.xsl
com.fortify.sca. Specifies the default log file location.

LogFile
Default: ${com.fortify.sca.ProjectRoot}/log/sca.log
com.fortify.sca. When this property is set, it enables log rotation for the SCA
LogMaxSize log. The value is the number bytes that SCA can write to the log
file before it is rotated. Must be used with
com.fortify.sca.LogMaxFiles.
Value type: Number
Default: (none)

User Guide
com.fortify.sca. The number of log files to include in the log file rotation set.
LogMaxFiles When all files are filled, the first file in the rotation is overwritten.
The value must be at least 1. This property must be used with
com.fortify.sca.LogMaxSize.
Value type: Number
Default: (none)
com.fortify.sca. If set to true, SCA overwrites the log file for each new scan.
ClobberLogFile
Value type: Boolean
Default: false
com.fortify.sca. If set to true, no prefix is added to the log file name by default.
SuppressLogPrefix
Value type: Boolean
Default: true
com.fortify.sca. If set to true, SCA writes performance-related data to the log file
PrintPerformanceDataAfterSca after the scan is complete. This value is automatically set to
n true when in debug mode.
Value type: Boolean
Default: false
com.fortify.sca. If set to true, SCA monitors its memory use and warns when
MonitorSca JVM garbage collection becomes excessive.
Value type: Boolean
Default: true
com.fortify.sca. Sets the location of the CPFE binary to use in the translation

cpfe.command phase.
Default:
${com.fortify.Core}/private-bin/sca/cpfe48
com.fortify.sca. If set to true, SCA uses CPFE version 4.4.1.

cpfe.441
Value type: Boolean
Default:
com.fortify.sca. Sets the location of the CPFE binary (version 4.4.1) to use in
cpfe.441.command the translation phase.
Default:
${com.fortify.Core}/private-bin/sca/cpfe441.rfct

User Guide
com.fortify.sca. Adds options to the CPFE command line to use when

cpfe.options translating C/C++ code.
Value type: String
Default:
--remove_unneeded_entities --suppress_vtbl -tused
com.fortify.sca. Sets the name of CPFE option that specifies the output (for
cpfe.file.option example NST) file name.
Value type: String
Default: --gen_c_file_name
Example: com.fortify.sca.cpfe.file.option=
--gen_c_file_name
com.fortify.sca. If set to true, CPFE handles multibyte characters in the source

cpfe.multibyte code. This allows SCA to handle code with multibyte encoding,
such as SJIS (Japanese).
Value type: Boolean
Default: false
com.fortify.sca. If set to true, any CPFE warnings are included in the SCA log.
cpfe.CaptureWarnings
Value type: Boolean
Default: false
com.fortify.sca. If set to true, CPFE fails if there is an error.

cpfe.FailOnError
Value type: Boolean
Default: false
com.fortify. If set to true, any failure to open a source file (including headers)
cpfe.IgnoreFileOpen is considered a warning instead of an error.
Failures
Value type: Boolean
Default: false
com.fortify.sca. If set to true, findbugs is enabled as part of the scan.

EnableFindbugs
Value type: Boolean
Default: true
com.fortify.sca. Sets the maximum heap size for findbugs.

findbugs.maxheap
Value type: String
Default: Maximum heap size for SCA
Example: com.fortify.sca.findbugs.maxheap=500m

User Guide
com.fortify.sca. If set to true, SCA treats undefined variables in CFML pages as

CfmlUndefinedVariablesAreTai tainted. Doing so serves as a hint to the Dataflow Analyzer to
nted watch out for register-globals-style vulnerabilities. However,
enabling this property interferes with dataflow findings in which
a variable in an included page is initialized to a tainted value in
an earlier-occurring included page.
Value type: Boolean
Default: false
com.fortify.sca. If set to true, SCA generates implied methods when

AddImpliedMethods implementation by inheritance is encountered.
Value type: Boolean
Default: true
com.fortify.sca. Specifies the Java source code version to the Java translator.
JdkVersion
Value type: String
Default: 1.5
com.fortify.sca. If set to true, SCA ignores low severity issues found during a
SuppressLowSeverity scan.
Value type: Boolean
Default: true
com.fortify.sca. Specifies the cutoff level for severity suppression. SCA ignores
LowSeverityCutoff any issues found with a lower severity value than the one
specified for this property.
Value type: Number
Default: 1.0
com.fortify.sca. Specifies the location of commonly used JAR files. The JAR
DefaultJarsDirs files located in these directories are appended to the end of the
class path option (-cp). You can supply a semicolon- or colon-
separated list of directories.
For a list of the JAR files necessary for translating J2EE code
created with an old version of the J2EE SDK, see "Prerequisite
for Translating Code Using Legacy Versions of the J2EE SDK"
on page 25.
Value type: String
Default: (none)
com.fortify.sca. Specifies a (colon-separated) list of rule IDs for the Control

analyzer.controlflow. Flow Analyzer to skip.
liveness.skip.rules

User Guide
Value type: String
Default: (none)
Example:
com.fortify.sca.analyzer.
controlflow.liveness.skip.rules=
B530C5D6-3C71-48C5-9512-72A7F4911822
com.fortify.sca. If set to true, optimizes returning machine data in the Control

analyzer.controlflow. Flow Analyzer.
EnableRefRuleOptimization
Value type: Boolean
Default: false
com.fortify.sca. If set to true, enables liveness optimization in Control Flow

analyzer.controlflow. Analyzer.
EnableLivenessOptimization
Value type: Boolean
Default:false
com.fortify.sca. Specifies whether to enable Control Flow Analyzer timeouts.

analyzer.controlflow.
Value type: Boolean
EnableTimeOut
Default: true
com.fortify.sca. On Windows platforms, specifies the path to the reg.exe

RegExecutable system utility. Paths should be in Windows syntax, not Cygwin
syntax, even when SCA is run from within Cygwin.
Backslashes must be escaped with an additional backslash.
Default: reg
Example: com.fortify.sca.RegExecutable=
C:\\Windows\\System32\\reg.exe
WinForms. Set various .NET options.

TransformDataBindings
Value type: Boolean and String
WinForms.
Defaults and Examples:
TransformMessageLoops
WinForms.TransformDataBindings=true
WinForms.
TransformChange WinForms.TransformMessageLoops=true
NotificationPattern
WinForms.TransformChangeNotificationPattern=true
WinForms.
WinForms.CollectionMutationMonitor.Label=WinFormsDa
CollectionMutationMonitor.
taSource
Label
WinForms.ExtractEventHandlers=true

User Guide
WinForms.
ExtractEventHandlers
com.fortify.sca. Sets the number of lines of code to display surrounding an

SnippetContextLines issue. The two lines of code on each side of the line where the
error occurs are always included. By default, there are a total of
five lines displayed.
Value type: Number
Default: 2
com.fortify.sca. Specifies a file or a list of files to exclude from translation. The

exclude file list should be semicolon-separated (Windows) or a colon-
separated list (non-Windows systems).
Note: SCA only uses this property when translating

without build integration. When using integration with a
compiler or build tool, SCA translates all source files
processed by the build tool even if they are specified in with
this property.
Value type: String (list of file names)

Default: Not enabled
Example: com.fortify.sca.exclude=file1.x;file2.x
com.fortify.sca. Specifies the path to a filter file for the scan. See "About Filter
FilterFile Files" on page 90 for more information.
Default: (none)
com.fortify.sca. If set to true, SCA includes debug information in the log file.
Debug
Value type: Boolean
Default: false
com.fortify.sca. This is the same as -debug option, but includes more details,
DebugVerbose specifically with parse errors.
Value type: Boolean
Default: (not enabled)
com.fortify.sca. If set to true, enables additional debugging for performance

DebugTrackMem times.
Value type: Boolean

User Guide
com.fortify.sca. If set to true, enables additional timers for tracking performance.

CollectPerformanceData
Value type: Boolean
com.fortify.sca. If set to true, includes verbose messages in the log file.

Verbose
Value type: Boolean
com.fortify.sca. If set to true, disables the command-line progress information.

Quiet
Value type: Boolean
Default: false
com.fortify.sca. This property is deprecated. Use the com.fortify.sca.quiet

DisplayProgress property instead.
Value type: Boolean
Default:true
com.fortify.sca. Output information in a format usable by scripts or SCA tools

MachineOutputMode rather than printing output in an interactive fashion. Instead of a
single line displaying scan progress, a new line is printed below
the previous one on the console to display updated progress.
Value type: Boolean
com.fortify.sca. The file to which results are written.

ResultsFile
Value type: String
Default: (none)
Example: com.fortify.sca.ResultsFile=results.fpr
com.fortify.sca. If set to true, make CFML files case-insensitive so that

CaseInsensitiveFiles applications can be developed using a case-insensitive file
system and scanned on case-sensitive file systems.
Value type: Boolean
com.fortify.sca. Specifies a list of file extensions for rules files. Any files in
RulesFileExtensions <Installation_Dir>/Core/config/rules (or a directory
specified with the -rules option) whose extension is in this list
is included. The .bin extension is always included, regardless
of the value of this property. The delimiter for this property is the
system path separator.
Value type: String

User Guide
Default: .xml
com.fortify.sca. Specifies a custom Rulepack or directory. If you specify a

RulesFile directory, all of the files in the directory with the .bin and .xml
extensions are included.
Default: (none)
com.fortify.sca. Specifies the class path to use for analyzing Java source code.
JavaClasspath On Windows systems it is semicolon-delimited, for other
operating systems it is colon-delimited.
Value type: String (paths)
Default: (none)
com.fortify.sca. Specifies a semicolon-separated list (Windows) or a colon-

FlexLibraries separated list (non-Windows systems) of libraries to "link" to.
This list should include flex.swc, framework.swc, and
playerglobal.swc (which are usually located in the
frameworks/libsdirectory in your Flex SDK root). This
property is used primarily for resolving ActionScript.
Default:(none)
com.fortify.sca. Specifies the root location of a valid Flex SDK. The folder
FlexSdkRoot should contain a frameworks folder that contains a flex-
config.xml file. It should also contain a bin folder that
contains an mxmlc executable.
Default:(none)
com.fortify.sca. Specifies any additional source directories for a Flex project.

FlexSourceRoots The list of directories should be semicolon-separated
(Windows) or a colon-separated list (non-Windows systems).
Default: (none)
com.fortify.sca. Specifies the semicolon-delimited list of directories where third-

DotnetLibdirs party DLL files are located. Used for default .NET library files.
Default: (none)
com.fortify.sca. If set to true, SCA adds ABAP statements to debug messages.

AbapDebug
Value type: String (statement)

User Guide
Default: (none)
com.fortify.sca. When SCA encounters an ABAP 'INCLUDE' directive, it looks

AbapIncludes in the named directory.
Default: (none)
com.fortify.sca. Specifies the build ID of the build.

BuildID
Value type: String
Default: (none)
com.fortify.sca. Specifies a name for the project being scanned. SCA does not
BuildProject use this name but is included within the results.
Value type: String
Default: (none)
com.fortify.sca. Specifies a label for the project being scanned. SCA does not
BuildLabel use this label but is included within the results.
Value type: String
Default: (none)
com.fortify.sca. Specifies a version number for the project being scanned. This
BuildVersion version number is not used by SCA but is included within the
results.
Value type: String
Default: (none)
com.fortify.sca. If set to true, SCA copies source files into the build session.
MobileBuildSession
Value type: Boolean
Default: false
com.fortify.sca. Specifies a subset of source files to scan. Only the source files
BinaryName that were linked in the named binary at build time are included in
the scan.
Default: (none)
com.fortify.sca. Specifies the path(s) to directories containing Ruby libraries.

RubyLibraryPaths
Default: (none)
com.fortify.sca. Specifies the path(s) to a RubyGems location. This value must

User Guide
RubyGemPaths be set if the project has associated gems which should be

scanned.
Default: (none)
com.fortify.sca. If set to true, SCA appends results to an existing results file.

OutputAppend
Value type: Boolean
Default: false
com.fortify.sca. Controls the output format. The valid values are fpr, fvdl,
Renderer text, and auto. The default of auto selects the output format
based on the file extension of the file provided with the -f
option.
Value type: String
Default: auto
com.fortify.sca. If set to true, SCA performs a quick scan. SCA uses the
QuickScanMode settings from fortify-sca-quickscan.properties, instead
of the fortify-sca.properties configuration file.
Value type: Boolean
com.fortify.sca. If set to true, SCA prints results as they become available. This
ResultsAsAvailable is helpful if you are not using -f option (to specify an output file)
and are printing to stdout.
Value type: Boolean
Default: false
com.fortify.sca. Specifies the application template file you want to use for this
ProjectTemplate scan. This only affects scans on the local machine. If uploaded
to Software Security Center server, it uses the application
template used for that application version. You can also specify
a default application template.
Value type: String
Default: (none)
Example:
com.fortify.sca.ProjectTemplate=
test_filter.txt
com.fortify.sca. Specifies the source file encoding type during translation. SCA
InputFileEncoding allows scanning a project that contains different encoded
source files. To work with a multi-encoded project, you must
specify the -encoding option at the translation step, when SCA

User Guide
first reads the source code file. This encoding is remembered in

the build session and is propagated into the FVDL file.
Value type: String
Default: (none)
com.fortify.sca. If set to true, enables alias analysis.

alias.Enable
Value type: Boolean
Default: true
com.fortify.sca. Specifies the base directory for ColdFusion projects.

SourceBaseDir
Default: (none)
com.fortify.sca. Path to the Ildasm.exe tool used to disassemble .NET

IldasmPath Intermediate Language (IL). Frequently required for .NET static
analysis.
Default: (none)
com.fortify.sca. Sets the Visual Studio version for .NET projects. See
VsVersion "Translating Simple .NET Applications" on page 29 for a list of
valid version numbers.
Value type: String
Default: (none)
Example: com.fortify.sca.VsVersion=14.0
com.fortify.sca. Specifies a list of functions to blacklist from all analyzers.

UniversalBlacklist
Value type: String (colon-separated list)
Default: .*yyparse.*
com.fortify.sca. Specifies paths for additional import directories. SCA does not
PythonPath respect PYTHONPATH environment variable that the Python
runtime system uses to find import files. Use this to specify the
additional import directories.
Default: (none)
com.fortify.sca. Specifies path to django templates. SCA does not use the
DjangoTemplateDirs TEMPLATE_DIRS setting from the Django settings.py file.
Value type: String (paths)
Default: (none)

User Guide
com.fortify.sca. Sets the heap size for the workers. The amount of memory
RmiWorkerMaxHeap required varies from project to project, but you do not have to
allocate as much memory for the workers as you do for the
master JVM. This property accepts values in kilobytes (K),
megabytes (M), or Gigabytes (G).
You might need to experiment with this property if you
experience low memory warnings, crashes, or do not achieve a
speed increase.
Value type: String
Default: (heap size of master JVM)
Example: com.fortify.sca.RmiWorkerMaxHeap=500M
com.fortify.sca. Specifies the number of threads for multithreaded mode. Only

ThreadCount add this property if you need to reduce the number of threads
used because of a resource constraint. If you experience an
increase in the scan time or problems with your scan, reducing
the number of threads used might solve the problem.
Value type: Integer
Default: (number of available processor cores)
com.fortify.sca. If set to true, SCA includes

UseAntListener com.fortify.dev.ant.SCAListener in the compiler
arguments.
Value type: Boolean
Default: false
com.fortify.sca. If set to true, disables ASP external entries in analysis.

DisableASPExternalEntries
Value type: Boolean
Default: false
fortify-sca-quickscan.properties
SCA offers a less-intensive scan known as a quick scan. This option scans the project in Quick Scan
mode, using the property values in the fortify-sca-quickscan.properties file. By default, a Quick
Scan searches for high-confidence, high-severity issues only. For more information about Quick Scan
mode, see the HP Fortify Audit Workbench User Guide.
Note: Properties in this file are processed only if you specify the -quick option on the command
line when invoking your scan.

User Guide
The table provides two sets of default values: the default value for quick scans and the default value for
normal scans. If only one default value is shown, the value is the same for both normal scans and quick
scans.
com.fortify.sca. Sets the time limit (in milliseconds) for controlflow analysis
CtrlflowMaxFunctionTime on a single function.
Value type: Integer
Quick scan default: 30000
Default: 600000
com.fortify.sca. Specifies a comma- or colon-separated list of analyzers to

DisableAnalyzers disable during a scan. The valid values for this property
are: buffer, content, configuration, controlflow,
dataflow, findbugs, nullptr, semantic, structural,
and tracerintegration.
Value type: String
Quick scan default: controlflow:buffer
Default: (none)
com.fortify.sca. Specifies the filter set to use. You can use this property
FilterSet with an application template to filter at scan time instead of
post-scan.
When set to Quick View, this property runs rules that have
a potentially high impact and a high likelihood of occurring
and rules that have a potentially high impact and a low
likelihood of occurring. Running only a subset of the
defined rules allows the SCA scan to complete more
quickly. This causes SCA to run only those rules that can
cause issues identified in the named filter set, as defined
by the default project template for your application. For
more information about filter sets, see the HP Fortify Audit
Workbench User Guide.
Value type: String
Quick scan default: Quick View
Default: (none)
com.fortify.sca. Disables the creation of the metatable, which includes

FPRDisableMetatable creation of the information for the Function view in Audit
Workbench and allows right-click on a variable in the
source window to show the declaration. If C/C++ scans
are taking an extremely long time, setting this property can
reduce the scan time by hours.
Value type: Boolean

User Guide
Quick scan default: true

Default: false
com.fortify.sca. Disables source code inclusion in the FPR file. Prevents

FPRDisableSourceBundling SCA from generating marked-up source code files during a
scan. If you plan to upload FPR files that are generated as
a result of a quick scan to Software Security Center, you
must set this property to false.
Value type: Boolean
Quick scan default: true
Default: false
com.fortify.sca. Sets the time limit (in milliseconds) for Null Pointer
NullPtrMaxFunctionTime analysis for a single function. The standard default is five
minutes. Setting it to a shorter limit decreases overall
scanning time.
Value type: Integer
Default: 300000
com.fortify.sca. Disables path tracking for controlflow analysis. Path

TrackPaths tracking provides more detailed reporting for issues, but
requires more scanning time. You can disable this for JSP
only by setting it to NoJSP. Specify None to disable all
functions.
Value type: String
Quick scan default: (none)
Default: NoJSP
com.fortify.sca. Specifies the size limit for complex calculations in the

limiters.ConstraintPredicateSize Buffer Analyzer. Skips calculations that are larger than the
specified size value in the Buffer Analyzer to improve
scanning time.
Value type: Integer
Default: 500000
com.fortify.sca. Controls the maximum call depth through which the

limiters.MaxChainDepth Dataflow Analyzer tracks tainted data. Increasing this
value increases the coverage of data flow analysis, and
results in longer analysis times.

User Guide
Note: Call depth refers to the maximum call depth on

a data flow path between a taint source and sink,
rather than call depth from the program entry point,
such as main().
Value type: Integer

Default: 5
com.fortify.sca. Sets the number of times taint propagation analyzer visits

limiters.MaxFunctionVisits functions.
Value type: Integer
Default: 50
com.fortify.sca. Controls the maximum number of paths to report for a

limiters.MaxPaths single data flow vulnerability. Changing this value does not
change the results that are found, only the number of data
flow paths displayed for an individual result.
Value type: Integer
Default: 5
com.fortify.sca. Sets a complexity limit for DataFlow analysis. DataFlow

limiters.MaxTaintDefForVar incrementally decreases precision of analysis on functions
that exceed this complexity metric for a given precision
level.
Value type: Integer
Default: 1000
com.fortify.sca. Sets a hard limit for function complexity. If complexity of a

limiters.MaxTaintDefForVarAbort function exceeds this limit at the lowest precision level, the
analyzer skips analysis of the function.
Value type: Integer
Default: 4000

Send Documentation Feedback
If you have comments about this document, you can contact the documentation team by email. If an
email client is configured on this system, click the link above and an email window opens with the
following information in the subject line:
Feedback on User Guide (Fortify Static Code Analyzer 4.40)
Just add your feedback to the email and click send.
If no email client is available, copy the information above to a new message in a web mail client, and
send your feedback to HPFortifyTechPubs@hp.com.
We appreciate your feedback!

HP Fortify Static Code Analyzer: User Guide

Загружено:

Сведения о документе

Оригинальное название

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

HP Fortify Static Code Analyzer: User Guide

Загружено:

Авторское право:

Доступные форматы

HP Fortify Static Code Analyzer

Software Version: 4.40

Document Release Date: November 2015

Restricted Rights Legend

HP Fortify Static Code Analyzer (4.40) Page 2 of 136

Chapter 2: Analysis Process Overview 15

Chapter 3: Translating Java Code 20

HP Fortify Static Code Analyzer (4.40) Page 3 of 136

Chapter 4: Translating .NET Code 28

Chapter 5: Translating C and C++ Code 33

Chapter 6: Translating ABAP Code 37

Chapter 7: Translating Ruby Code 43

HP Fortify Static Code Analyzer (4.40) Page 4 of 136

Adding Gem Paths 44

Chapter 8: Translating Flex and ActionScript 45

Chapter 9: Translating Code for Mobile Platforms 48

Chapter 9: Translating COBOL Code 50

Chapter 10: Translating Other Languages 53

Chapter 11: Command-Line Utilities 59

HP Fortify Static Code Analyzer (4.40) Page 5 of 136

Other Command-Line Utilities 60

Chapter 12: Troubleshooting and Support 73

Appendix A: Command-Line Interface 76

Appendix B: Parallel Analysis Mode 82

Appendix C: Using the Sourceanalyzer Ant Task 84

HP Fortify Static Code Analyzer (4.40) Page 6 of 136

Using the Sourceanalyzer Ant Task 84

Appendix D: Filtering the Analysis 90

Appendix E: MSBuild Integration 93

Appendix F: Maven Integration 99

Appendix G: HP Fortify Scan Wizard 104

Appendix H: Sample Files 107

HP Fortify Static Code Analyzer (4.40) Page 7 of 136

Appendix I: Issue Tuning 111

Appendix J: Configuration Options 113

Send Documentation Feedback 136

HP Fortify Static Code Analyzer (4.40) Page 8 of 136

For More Information

About the HP Fortify Software Security Center

HP Fortify Static Code Analyzer (4.40) Page 9 of 136

4.21-02 Removed: Build Monitor (deprecated)

4.21-01 Added: "Translating Ruby Code" on page 43

HP Fortify Static Code Analyzer (4.40) Page 10 of 136

• About the HP Fortify Software Security Center Components 11

About the HP Fortify Software Security Center

About HP Fortify Static Code Analyzer

HP Fortify Static Code Analyzer (4.40) Page 11 of 136

At the highest level, using SCA involves:

HP Fortify Static Code Analyzer (4.40) Page 12 of 136

About HP Fortify CloudScan

HP Fortify Static Code Analyzer (4.40) Page 13 of 136

About the HP Fortify Scan Wizard

HP Fortify Static Code Analyzer (4.40) Page 14 of 136

• About the Analysis Process 15

About the Analysis Process

sourceanalyzer -b <build_id> -clean

sourceanalyzer -b <build_id1> -b <build_id2> -b <build_id3> -scan -f results.fpr

HP Fortify Static Code Analyzer (4.40) Page 15 of 136

About the Translation Phase

sourceanalyzer -b <build_id> ...<files>

sourceanalyzer -b <build_id> ... <compiler_command>

sourceanalyzer -b <build_id> -show-build-warnings

sourceanalyzer -b <build_id> -show-files