HPE Security Fortify Static Code Analyzer User Guide SCA 17.10
HPE_SCA_Guide_17.10
Page Count: 138
HPE Security Fortify Static Code Analyzer
Software Version: 17.10
User Guide
Document Release Date: April 2017
Software Release Date: April 2017

Legal Notices

Warranty
The only warranties for Hewlett Packard Enterprise Development products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HPE shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.

Restricted Rights Legend
Confidential computer software. Valid license from HPE required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.

The software is restricted to use solely for the purpose of scanning software for security vulnerabilities that is (i) owned by you; (ii) for which you have a valid license to use; or (iii) with the explicit consent of the owner of the software to be scanned, and may not be used for any other purpose. You shall not install or use the software on any third party or shared (hosted) server without explicit consent from the third party.

Copyright Notice
© Copyright 2003 - 2017 Hewlett Packard Enterprise Development LP

Trademark Notices
Adobe™ is a trademark of Adobe Systems Incorporated.
Microsoft® and Windows® are U.S. registered trademarks of Microsoft Corporation.
UNIX® is a registered trademark of The Open Group.
Documentation Updates
The title page of this document contains the following identifying information:
- Software Version number
- Document Release Date, which changes each time the document is updated
- Software Release Date, which indicates the release date of this version of the software
To check for recent updates or to verify that you are using the most recent edition of a document, go to: https://www.protect724.hpe.com/community/fortify/fortify-product-documentation
You will receive updated or new editions if you subscribe to the appropriate product support service. Contact your HPE sales representative for details.
HPE Security Fortify Static Code Analyzer (17.10) Page 2 of 138

Contents

Preface  8
    Contacting HPE Security Fortify Support  8
    For More Information  8
    About the Documentation Set  8
Change Log  9
Chapter 1: Introduction  11
    HPE Security Fortify Static Code Analyzer  11
    HPE Security Fortify CloudScan  11
    HPE Security Fortify Scan Wizard  12
    About the Analyzers  12
    Related Documents  13
        All Products  14
        HPE Security Fortify Software Security Center  14
        HPE Security Fortify Static Code Analyzer  16
        Technology Previews  17
Chapter 2: Analysis Process Overview  18
    Analysis Process  18
    Translation Phase  19
    Mobile Build Sessions  20
        Mobile Build Session Version Compatibility  20
        Creating a Mobile Build Session  20
        Importing a Mobile Build Session  20
    Analysis Phase  21
    Incremental Analysis  21
    Parallel Processing  22
    Translation and Analysis Phase Verification  22
Chapter 3: Translating Java Code  23
    Java Command-Line Syntax  23
    Java Command-Line Options  24
    Java Command-Line Examples  26
    Handling Resolution Warnings  26
        Java Warnings  26
    Using FindBugs  27
    Translating Java EE Applications  28
        Translating the Java Files  28
        Translating JSP Projects, Configuration Files, and Deployment Descriptors  28
        Java EE Translation Warnings  28
    Translating Java Bytecode  29
Chapter 4: Translating .NET Code  30
    .NET Command-Line Syntax  30
    .NET Command-Line Options  31
    Translating Simple .NET Applications  32
    Handling Translation Errors  33
        .NET Translation Errors  33
        ASP.NET Errors  33
Chapter 5: Translating C and C++ Code  34
    Prerequisites  34
    C and C++ Command-Line Syntax  34
    Scanning Pre-processed C and C++ Code  35
Chapter 6: Translating JavaScript Code  36
    Translating Pure JavaScript Projects  36
    Skipping Translation of JavaScript Library Files  36
    Translating JavaScript Projects with HTML Files  37
    Including External JavaScript or HTML in Translation  37
    Scanning JavaScript Code  38
Chapter 7: Translating Ruby Code  39
    Ruby Command-Line Syntax  39
    Ruby Command-Line Options  39
    Adding Libraries  40
    Adding Gem Paths  40
Chapter 8: Translating ABAP Code  41
    About Scanning ABAP Code  41
    INCLUDE Processing  42
    Importing the Transport Request  42
    Adding Fortify Static Code Analyzer to Your Favorites List  43
    Running the HPE Security Fortify ABAP Extractor  44
Chapter 9: Translating Code for Mobile Platforms  47
    Translating Apple iOS Projects  47
        Prerequisites  47
        Xcodebuild Integration Command-Line Syntax  47
    Translating Android Projects  48
Chapter 9: Translating Apex and Visualforce Code  49
    Prerequisites  49
    Apex and Visualforce Command-Line Syntax  49
    Apex and Visualforce Command-Line Options  49
Chapter 10: Translating Flex and ActionScript  51
    ActionScript Command-Line Syntax  51
    Flex and ActionScript Command-Line Options  51
    ActionScript Command-Line Examples  52
    Handling Resolution Warnings  53
        ActionScript Warnings  53
Chapter 11: Translating COBOL Code  54
    Preparing COBOL Source Files for Translation  54
    COBOL Command-Line Syntax  55
    COBOL Command-Line Options  55
Chapter 12: Translating Other Languages  57
    Translating Python Code
        Python Command-Line Options
    Translating ColdFusion Code
        ColdFusion Command-Line Syntax
        ColdFusion Command-Line Options
    Translating SQL
        PL/SQL Command-Line Example
        T-SQL Command-Line Example
    Translating ASP/VBScript
        Virtual Roots
        Classic ASP Command-Line Example
        VBScript Command-Line Example
    PHP Command-Line Example
Chapter 13: Integrating into a Build  63
    Build Integration  63
        Make Example  64
        Devenv Example  64
    Modifying a Build Script to Invoke Fortify Static Code Analyzer  64
    Touchless Build Integration  65
    Ant Integration  65
    Gradle Integration  66
    Maven Integration  66
        Installing and Updating the Maven Plugin  66
        Testing the Maven Plugin Installation  67
        Using the Maven Plugin  68
        Excluding Files from the Scan  69
    MSBuild Integration  69
        Setting Windows Environment Variables for Touchless MSBuild Integration  70
        Using the Touchless MSBuild Integration  70
Chapter 14: Command-Line Interface  72
    Output Options  72
    Translation Options  74
    Analysis Options  75
    Other Options  77
    Directives  79
    Specifying Files  79
Chapter 15: Command-Line Utilities  81
    Fortify Static Code Analyzer Utilities  81
    Other Command-Line Utilities  82
    Checking the Fortify Static Code Analyzer Scan Status  82
        SCAState Utility Command-Line Options  83
    Working with FPR Files from the Command Line  84
        Merging FPR Files  85
        Displaying Analysis Results for an FPR File  86
        Migrating Audit Data from Previous FPR Versions  88
        Extracting a Source Archive from an FPR File  89
    Generating Reports from the Command Line  90
        Generating a BIRT Report  90
        Generating a Legacy Report  92
    About Updating Security Content  92
        Updating Security Content  93
Chapter 16: Troubleshooting  95
    Exit Codes  95
    Using the Log File to Debug Problems  96
    Translation Failed Message  96
    JSP Translation Problems  97
    C/C++ Precompiled Header Files  97
    Reporting Issues and Requesting Enhancements  98
Appendix A: Parallel Analysis Mode  99
    Enabling Parallel Analysis Mode  99
Appendix B: Filtering the Analysis  100
    Filter Files  100
    Filter File Example  100
Appendix C: Scan Wizard  103
    Preparing to use the Scan Wizard  103
    Starting the Scan Wizard  104
        Starting Scan Wizard on a System with Fortify SCA and Applications Installed  104
        Starting Scan Wizard as a Stand-Alone Utility  105
Appendix D: Sample Files  106
    Basic Samples  106
    Advanced Samples  107
Appendix E: Configuration Options  110
    Fortify Static Code Analyzer Properties Files  110
        Properties File Format  110
        Precedence of Setting Properties  111
        fortify-sca.properties  111
        fortify-sca-quickscan.properties  134
Send Documentation Feedback  138

Preface

Contacting HPE Security Fortify Support
If you have questions or comments about using this product, contact HPE Security Fortify Technical Support using one of the following options.
To Manage Your Support Cases, Acquire Licenses, and Manage Your Account: https://support.fortify.com
To Email Support: fortifytechsupport@hpe.com
To Call Support: 1.844.260.7219

For More Information
For more information about HPE Security software products: http://www.hpe.com/software/fortify

About the Documentation Set
The HPE Security Fortify Software documentation set contains installation, user, and deployment guides for all HPE Security Fortify Software products and components. In addition, you will find technical notes and release notes that describe new features, known issues, and last-minute updates. You can access the latest versions of these documents from the following HPE Security user community website:
https://www.protect724.hpe.com/community/fortify/fortify-product-documentation
You will need to register for an account.

Change Log
The following table lists changes made to this document. Revisions to this document are published between software releases only if the changes made affect product functionality.
Software Release / Document Version: 17.10
Added:
- "Skipping Translation of JavaScript Library Files" on page 36 - New property file settings to skip translation of library files
- "Translating Apex and Visualforce Code" on page 49 - New supported language
- "COBOL Command-Line Options" on page 55 - New section to describe the COBOL specific command-line options
- "Parallel Analysis Mode" on page 99 - New implementation of parallel analysis mode
Updated:
- "Java Command-Line Options" on page 24 - Describes a change to the -sourcepath option
- "Using the Touchless MSBuild Integration" on page 70 - Added a note about running MSBuild projects in parallel mode
Removed:
- The Appendix "Issue Tuning" - Issues addressed in this appendix are no longer valid

Software Release / Document Version: 16.20
Added:
- "Incremental Analysis" on page 21 - New feature
- "Gradle Integration" on page 66 - New feature
- "Exit Codes" on page 95
Updated:
- "Translating .NET Code" on page 30 - New implementation for .NET translation
- "Integrating into a Build" on page 63 - Combined all the build integration information into one chapter
- "Including External JavaScript or HTML in Translation" on page 37 - Added how to specify proxy server information
- "Translation Options" on page 74 - Added more information about the -encoding option
- "fortify-sca.properties" on page 111 - Removed the com.fortify.sca.jsp.UseNativeParser property because the Jasper-based non-native JSP parser was removed; added equivalent command-line options for relevant properties
- Command-line option descriptions now include equivalent property names where applicable
Removed:
- "Prerequisite for Translating Code Using Legacy Versions of the J2EE SDK" (no longer supported)
- "Using the Sourceanalyzer Ant Task" (no longer supported)
- "Precompiling MS Visual Studio 2003 ASP.NET Pages" (no longer supported)
- "Translating ASP.NET 1.1 (Visual Studio Version 2003) Projects" (no longer supported)
- The com.fortify.sca.IldasmPath property (no longer used with .NET translation)

Software Release / Document Version: 16.10
Added:
- "Translating JavaScript Code" on page 36
Updated:
- "Translating Code for Mobile Platforms" on page 47 - Added Swift language as supported
- "Updating Security Content" on page 93 - Added two new fortifyupdate utility options
- "Generating a BIRT Report" on page 90 - Additional output format (XLS)
- "Maven Integration" on page 66
- "Advanced Samples" on page 107 - Added two Riches samples (Java and .NET)

Chapter 1: Introduction
This guide provides instructions for using HPE Security Fortify Static Code Analyzer (Fortify Static Code Analyzer) to scan code on most major programming platforms. This guide is intended for people responsible for security audits and secure coding.
This section contains the following topics:
    HPE Security Fortify Static Code Analyzer  11
    About the Analyzers  12
    Related Documents  13

HPE Security Fortify Static Code Analyzer
Fortify Static Code Analyzer is a set of software security analyzers that search for violations of security-specific coding rules and guidelines in a variety of languages. The Fortify Static Code Analyzer language technology provides rich data that enables the analyzers to pinpoint and prioritize violations so that fixes are fast and accurate. Fortify Static Code Analyzer produces analysis information to help you deliver more secure software, as well as make security code reviews more efficient, consistent, and complete. Its design enables you to quickly incorporate new third-party and customer-specific security rules.
At the highest level, using Fortify Static Code Analyzer involves:
1. Running Fortify Static Code Analyzer as a stand-alone process or integrating Fortify Static Code Analyzer in a build tool
2. Translating the source code into an intermediate translated format
3.
Scanning the translated code and producing security vulnerability reports
4. Auditing the results of the scan, either by opening the results (FPR file) in HPE Security Fortify Audit Workbench or uploading them to HPE Security Fortify Software Security Center for analysis, or directly with the results displayed on screen
Note: For information about how to transfer results to Audit Workbench, see the HPE Security Fortify Audit Workbench User Guide.

HPE Security Fortify CloudScan
You can use HPE Security Fortify CloudScan (Fortify CloudScan) to manage your resources by offloading the processor-intensive scanning phase of the Fortify Static Code Analyzer analysis from build machines to a cloud of machines provisioned for this purpose. After the translation phase is completed on the build machine, Fortify CloudScan generates a mobile build session and moves it to an available machine for scanning. In addition to freeing up the build machines, this process makes it easy to expand the system by adding more resources to the cloud as needed, without having to interrupt the build process. In addition, users of Fortify Software Security Center can direct Fortify CloudScan to output the FPR file directly to the server.
For more information about Fortify CloudScan, see the HPE Security Fortify CloudScan Installation, Configuration, and Usage Guide.

HPE Security Fortify Scan Wizard
HPE Security Fortify Scan Wizard (Scan Wizard) is a utility that enables you to quickly and easily prepare and scan project code using Fortify Static Code Analyzer. With the Scan Wizard, you can run your scans locally, or, if you are using HPE Security Fortify CloudScan, in a cloud of computers provisioned to manage the processor-intensive scan phase of the analysis.
For more information, see "Scan Wizard" on page 103.

About the Analyzers
Fortify Static Code Analyzer comprises seven vulnerability analyzers: Buffer, Configuration, Content, Control Flow, Dataflow, Semantic, and Structural. Each analyzer accepts a different type of rule specifically tailored to provide the information necessary for the corresponding type of analysis performed. Rules are definitions that identify elements in the source code that might result in security vulnerabilities or are otherwise unsafe.
The installation process downloads and updates the HPE Security Fortify security content (secure coding Rulepacks and external metadata) that Fortify Static Code Analyzer uses on your system. The Fortify Customer Portal provides updated security content on a regular basis.
The following table lists and describes each analyzer.

Buffer
    The Buffer Analyzer detects buffer overflow vulnerabilities that involve writing or reading more data than a buffer can hold. The buffer can be either stack-allocated or heap-allocated. The Buffer Analyzer uses limited interprocedural analysis to determine whether or not there is a condition that causes the buffer to overflow. If any execution path to a buffer leads to a buffer overflow, Fortify Static Code Analyzer reports it as a buffer overflow vulnerability and points out the variables that could cause the overflow. If the value of the variable causing the buffer overflow is tainted (user-controlled), then Fortify Static Code Analyzer reports it as well and displays the dataflow trace to show how the variable is tainted.
Configuration
    The Configuration Analyzer searches for mistakes, weaknesses, and policy violations in application deployment configuration files. For example, the Configuration Analyzer checks for reasonable timeouts in user sessions in a web application.
Content
    The Content Analyzer searches for security issues and policy violations in HTML content. In addition to static HTML pages, the Content Analyzer performs these checks on files that contain dynamic HTML, such as PHP, JSP, and classic ASP files.
Control Flow
    The Control Flow Analyzer detects potentially dangerous sequences of operations. By analyzing control flow paths in a program, the Control Flow Analyzer determines whether a set of operations are executed in a certain order. For example, the Control Flow Analyzer detects time of check/time of use issues and uninitialized variables, and checks whether utilities, such as XML readers, are configured properly before being used.
Dataflow
    The Dataflow Analyzer detects potential vulnerabilities that involve tainted data (user-controlled input) put to potentially dangerous use. The Dataflow Analyzer uses global, interprocedural taint propagation analysis to detect the flow of data between a source (site of user input) and a sink (dangerous function call or operation). For example, the Dataflow Analyzer detects whether a user-controlled input string of unbounded length is copied into a statically sized buffer, and detects whether a user-controlled string is used to construct SQL query text.
Semantic
    The Semantic Analyzer detects potentially dangerous uses of functions and APIs at the intra-procedural level. Its specialized logic searches for buffer overflow, format string, and execution path issues, but is not limited to these categories. For example, the Semantic Analyzer detects deprecated functions in Java and unsafe functions in C/C++, such as gets().
Structural
    The Structural Analyzer detects potentially dangerous flaws in the structure or definition of the program. By understanding the way programs are structured, the Structural Analyzer identifies violations of secure programming practices and techniques that are often difficult to detect through inspection because they encompass a wide scope involving both the declaration and use of variables and functions. For example, the Structural Analyzer detects assignment to member variables in Java servlets, identifies the use of loggers that are not declared static final, and flags instances of dead code that is never executed because of a predicate that is always false.

Related Documents
This topic describes documents that provide information about HPE Security Fortify Static Code Analyzer.
Note: The Protect724 site location is https://www.protect724.hpe.com/community/fortify/fortify-product-documentation.

All Products
The following documents provide general information for all products.

HPE Security Fortify Software System Requirements (HPE_Sys_Reqs_<version>.pdf)
    Description: This document provides details about the environments and products supported for this version of HPE Security Fortify Software.
    Location: Included with product download and on the Protect724 site
HPE Security Fortify Software Release Notes (HPE_FortifySW_RN_<version>.txt)
    Description: This document provides an overview of the changes made to HPE Security Fortify Software for this release and important information not included elsewhere in the product documentation.
    Location: Included on the Protect724 site
What's New in HPE Security Fortify Software (HPE_Whats_New_<version>.pdf)
    Description: This document describes the new features in HPE Security Fortify Software products.
    Location: Included on the Protect724 site
HPE Security Fortify Open Source and Third-Party License Agreements (HPE_OpenSrc_<version>.pdf)
    Description: This document provides open source and third-party software license agreements for software components used in HPE Security Fortify Software.
    Location: Included with product download and on the Protect724 site
HPE Security Fortify Glossary (HPE_Glossary.pdf)
    Description: This document provides definitions for HPE Security Fortify Software terms.
    Location: Included with product download and on the Protect724 site

HPE Security Fortify Software Security Center
The following documents provide information about HPE Security Fortify Software Security Center.

HPE Security Fortify Software Security Center User Guide (HPE_SSC_Guide_<version>.pdf, HPE_SSC_Help_<version>)
    Description: This document provides Fortify Software Security Center users with detailed information about how to deploy and use Fortify Software Security Center. It provides all of the information you need to acquire, install, configure, and use Fortify Software Security Center. It is intended for use by system and instance administrators, database administrators (DBAs), enterprise security leads, development team managers, and developers. Fortify Software Security Center provides security team leads with a high-level overview of the history and current status of a project.
    Location: Included with product download and on the Protect724 site
HP Fortify Software Security Center User Guide: Legacy User Interface (HP_Fortify_SSC_User_Guide_Legacy.pdf; PDF only, no help file)
    Description: This document is the user guide for HP Software Security Center version 4.30. The legacy (4.30) user interface is available from the Fortify Software Security Center version 17.10 user interface. Specific areas of functionality are available only in the 4.30 interface.
    Location: Included with product download and on the Protect724 site
HPE Security Fortify Software Security Center Process Designer Guide: Legacy User Interface (HPE_SSC_Proc_Design_Guide_Legacy_<version>.pdf, HPE_SSC_Proc_Design_Help_<version>)
    Description: This document provides information about how to start the Process Designer, configure its connection to your Fortify Software Security Center instance, and then use it to work with Fortify Software Security Center process templates, which are used only in the Fortify Software Security Center legacy (version 4.30) user interface.
    Location: Included with product download and on the Protect724 site
HP Fortify Software Security Center Installation and Configuration Guide: Legacy User Interface (HP_Fortify_SSC_Install_and_Config_Guide_Legacy.pdf; PDF only, no help file)
    Description: This document provides system and database administrators with complete instructions on how to configure Fortify Software Security Center server software using the legacy (v4.30) user interface.
    Location: Included with product download and on the Protect724 site

HPE Security Fortify Static Code Analyzer
The following documents provide information about Static Code Analyzer.

HPE Security Fortify Static Code Analyzer User Guide (HPE_SCA_Guide_<version>.pdf, HPE_SCA_Help_<version>)
    Description: This document describes how to use Fortify Static Code Analyzer to scan code on many of the major programming platforms. It is intended for people responsible for security audits and secure coding.
    Location: Included with product download and on the Protect724 site
HPE Security Fortify Static Code Analyzer Installation Guide (HPE_SCA_Install_<version>.pdf, HPE_SCA_Install_Help_<version>)
    Description: This document contains installation instructions for Fortify Static Code Analyzer and Applications.
    Location: Included with product download and on the Protect724 site
HPE Security Fortify Static Code Analyzer Performance Guide (HPE_SCA_Perf_Guide_<version>.pdf; PDF only, no help file)
    Description: This document provides guidelines for selecting hardware to scan different types of codebases and offers tips for optimizing memory usage and performance.
    Location: Included with product download and on the Protect724 site
HPE Security Fortify Static Code Analyzer Custom Rules Guide (HPE_SCA_Cust_Rules_Guide_<version>.zip; PDF only, no help file)
    Description: This document provides the information that you need to create custom rules for Fortify Static Code Analyzer. This guide includes examples that apply rule-writing concepts to real-world security issues.
    Location: Included with product download

Technology Previews

HPE Security Fortify Static Code Analyzer Higher Order Analysis Technology Preview (HPE_SCA_HighOrderAnalysis_TP_<version>.pdf; PDF only, no help file)
    Description: This document describes the Fortify Static Code Analyzer Higher Order Analyzer.
    Location: Included with product download and on the Protect724 site

Chapter 2: Analysis Process Overview
This section contains the following topics:
    Analysis Process  18
    Translation Phase  19
    Mobile Build Sessions  20
    Analysis Phase  21
    Incremental Analysis  21
    Parallel Processing  22
    Translation and Analysis Phase Verification  22

Analysis Process
There are four distinct phases that make up the analysis process:
1. Build Integration—Choose whether to integrate Fortify Static Code Analyzer into your build tool.
For descriptions of build integration options, see "Integrating into a Build" on page 63. 2. Translation—Gathers source code using a series of commands and translates it into an intermediate format associated with a build ID. The build ID is usually the name of the project you are translating. For more information, see "Translation Phase" on the next page. 3. Analysis—Scans source files identified in the translation phase and generates an analysis results file (typically in the Fortify Project Results (FPR) format). FPR files have the .fpr file extension. For more information, see "Analysis Phase" on page 21. 4. Verification of translation and analysis—Verifies that the source files were scanned using the correct Rulepacks and that no errors were reported. For more information, see "Translation and Analysis Phase Verification" on page 22. The following is an example of the sequence of commands you use to translate and analyze code: sourceanalyzer -b -clean sourceanalyzer -b ... sourceanalyzer -b -scan -f results.fpr The three commands in the previous example illustrates the following steps in the analysis process: 1. Remove all existing Fortify Static Code Analyzer temporary files for the specified build ID. Always begin an analysis with this step to analyze a project with a previously used build ID. 2. Translate the project code. This step can consist of multiple calls to sourceanalyzer with the same build ID. 3. Analyze the project code and produce the results file (FPR). HPE Security Fortify Static Code Analyzer (17.10) Page 18 of 138 User Guide Chapter 2: Analysis Process Overview Translation Phase To successfully translate a project that is normally compiled, make sure that you have any dependencies required to build the project available. The chapters for each type of source code describe any specific requirements. The basic command-line syntax to perform the first step of the analysis process, file translation, is: sourceanalyzer -b ... 
or sourceanalyzer -b ... The translation phase consists of one or more invocations of Fortify Static Code Analyzer using the sourceanalyzer command. Fortify Static Code Analyzer uses a build ID (-b option) to tie the invocations together. Subsequent invocations of sourceanalyzer add any newly specified source or configuration files to the file list associated with the build ID. After translation, you can use the -show-build-warnings directive to list all warnings and errors that were encountered during the translation phase: sourceanalyzer -b -show-build-warnings To view all of the files associated with a particular build ID, use the -show-files directive: sourceanalyzer -b -show-files The following chapters describe how to translate different types of source code: l l l l l l l l l l "Translating Java Code" on page 23 "Translating .NET Code" on page 30 "Translating C and C++ Code" on page 34 "Translating JavaScript Code" on page 36 "Translating Ruby Code" on page 39 "Translating ABAP Code" on page 41 "Translating Code for Mobile Platforms" on page 47 "Translating Flex and ActionScript" on page 51 "Translating COBOL Code" on page 54 "Translating Other Languages" on page 57 HPE Security Fortify Static Code Analyzer (17.10) Page 19 of 138 User Guide Chapter 2: Analysis Process Overview Mobile Build Sessions With a Fortify Static Code Analyzer mobile build session, you can translate a project on one machine and analyze it on another. A mobile build session (MBS file) includes all the files needed for the analysis phase. You can then move the MBS file to a different machine for analysis. Mobile Build Session Version Compatibility The Fortify Static Code Analyzer version on the translate machine must be compatible with the Fortify Static Code Analyzer version on the analysis machine. The version number format is: major.minor+patch.buildnumber (for example, 17.10.0140). 
The major and minor portions of the Fortify Static Code Analyzer version numbers on both the translation and the analysis machines must match. For example, 17.10 and 17.1x are compatible. Note: Before version 16.10, the major portion of the Fortify Static Code Analyzer version number was not the same as the Fortify Software Security Center version number. To determine the Fortify Static Code Analyzer version number, type sourceanalyzer -version on the command line. Creating a Mobile Build Session On the machine where you performed the translation, issue the following command to generate a mobile build session: sourceanalyzer -b -export-build-session where is the file name you provide for the Fortify Static Code Analyzer mobile build session. Importing a Mobile Build Session After you move the MBS file to the machine where you want to run the analysis, you need to import the mobile build session. If necessary, you can obtain the build ID and Fortify Static Code Analyzer version from an MBS file using the following command: sourceanalyzer -import-build-session -Dcom.fortify.sca.ExtractMobileInfo=true where is the Fortify Static Code Analyzer mobile build session. To import the mobile build session, type the following command: sourceanalyzer -import-build-session HPE Security Fortify Static Code Analyzer (17.10) Page 20 of 138 User Guide Chapter 2: Analysis Process Overview After you import your Fortify Static Code Analyzer mobile build session, you can proceed to the analysis phase. Analysis Phase The analysis phase scans the intermediate files created during translation and creates the vulnerability results file (FPR). The analysis phase consists of one invocation of sourceanalyzer. You specify the build ID and include the -scan directive and any required analysis or output options (see "Analysis Options" on page 75 and "Output Options" on page 72). 
The basic command-line syntax for the analysis phase is:

    sourceanalyzer -b <build_id> -scan -f results.fpr

Note: By default, Fortify Static Code Analyzer includes the source code in the FPR file.

To combine multiple builds into a single scan command, add the additional builds to the command line:

    sourceanalyzer -b <build_id1> -b <build_id2> -b <build_id3> -scan -f results.fpr

Incremental Analysis

With incremental analysis, you can run a full analysis on a project, and then run subsequent incremental scans to analyze only the code that changed since the initial full scan. This reduces the scan time for subsequent incremental scans on the project. Incremental analysis supports the Configuration and the Semantic analyzers. You can run incremental analysis on projects written in the following languages: Java, C/C++, C#, and Visual Basic.

When you use incremental analysis, consider the following:

- You must use the same build ID that you used in the initial complete analysis in all subsequent incremental scans.
- When you specify the same FPR file name for the initial complete scan and the subsequent scans, all issues are automatically merged with the previous scan. When Fortify Static Code Analyzer merges the issue results, issues fixed in prior incremental scans are shown as removed, existing issues are shown as updated, and any new issues are shown as new. Otherwise all the issues found in the subsequent scan are shown as new and there is no record of previously fixed issues or existing issues. For more information about viewing results by these groupings in Audit Workbench, see the HPE Security Fortify Audit Workbench User Guide.

To use incremental analysis, translate the code, and then run the initial full scan with the -incremental-base option. For example:

    sourceanalyzer -b <build_id> ...
    sourceanalyzer -b <build_id> -scan -incremental-base -f results.fpr

After you modify the project source code, translate the entire project, and then run any subsequent scans with the -incremental option. Specify the same <build_id> that you specified in the initial full scan. For example:

    sourceanalyzer -b <build_id> ...
    sourceanalyzer -b <build_id> -scan -incremental -f results.fpr

Parallel Processing

Fortify Static Code Analyzer supports parallel processing in the analysis phase (parallel analysis mode) to reduce the scan time of large projects. This takes advantage of all CPU cores available on your system. When running Fortify Static Code Analyzer in parallel analysis mode, avoid running other substantial processes during the Fortify Static Code Analyzer execution because it expects to have the full resources of your hardware available for the scan. For information about enabling parallel processing for your projects, see "Parallel Analysis Mode" on page 99.

Translation and Analysis Phase Verification

Audit Workbench result certification indicates whether the code analysis during a scan is complete and valid. The project summary in Audit Workbench shows the following specific information about Fortify Static Code Analyzer scanned code:

- List of files scanned, with file sizes and timestamps
- Java class path used for the translation (if applicable)
- Rulepacks used for the analysis
- Fortify Static Code Analyzer runtime settings and command-line options
- Any errors or warnings encountered during translation or analysis
- Machine and platform information

To view result certification information, open the FPR file in Audit Workbench and select Tools > Project Summary > Certification. For more information, see the HPE Security Fortify Audit Workbench User Guide.
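The following script is an added example of wiring the steps above into a build job; it is not part of Fortify or this guide. It assumes sourceanalyzer is on PATH and that the caller has already translated the project under the given build ID; the marker file, the state directory and the MAX_RESOLUTION_WARNINGS variable are conventions of this script, not Fortify options.

```shell
#!/bin/sh
# Added example (not part of Fortify): CI wrapper for the analysis phase.
# Assumes sourceanalyzer is on PATH and the project is already translated
# under the build ID passed as the first argument.
set -eu

# Count unresolved-type/import warnings recorded for a build ID. Each one
# means a class was missing from -cp or -sourcepath, so the analyzer could
# not follow data through it and findings there may be silently missed.
count_resolution_warnings() {
    sourceanalyzer -b "$1" -show-build-warnings 2>&1 \
        | grep -c -E 'Unable to (resolve|locate)' || true
}

# Pick the scan flag: -incremental-base for the first scan of a build ID,
# -incremental afterwards. A marker file records that the base scan exists;
# this guide requires the same build ID (and, for merged results, the same
# FPR name) on every incremental scan.
scan_flag_for() {
    if [ -f "$1/incremental-base.done" ]; then
        printf '%s\n' -incremental
    else
        printf '%s\n' -incremental-base
    fi
}

# Refuse to scan while resolution warnings exceed MAX_RESOLUTION_WARNINGS
# (default 0), otherwise run the scan with the right incremental flag and
# write the marker so that the next run is incremental.
run_scan() {
    bid=$1
    fpr=$2
    state_dir=${3:-.fortify-state}
    max_warn=${MAX_RESOLUTION_WARNINGS:-0}
    n=$(count_resolution_warnings "$bid")
    if [ "$n" -gt "$max_warn" ]; then
        echo "refusing to scan build '$bid': $n resolution warnings" >&2
        echo "inspect them with: sourceanalyzer -b $bid -show-build-warnings" >&2
        return 2
    fi
    mkdir -p "$state_dir"
    flag=$(scan_flag_for "$state_dir")
    sourceanalyzer -b "$bid" -scan "$flag" -f "$fpr"
    touch "$state_dir/incremental-base.done"
}

# Usage: fortify_scan.sh <build_id> <results.fpr> [<state_dir>]
if [ "$#" -ge 2 ]; then
    run_scan "$@"
fi
```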
Chapter 3: Translating Java Code

This section contains the following topics:

    Java Command-Line Syntax             23
    Handling Resolution Warnings         26
    Using FindBugs                       27
    Translating Java EE Applications     28
    Translating Java Bytecode            29

Java Command-Line Syntax

To translate Java code, all types defined in a library that are referenced in the code must have a corresponding definition in the source code, a class file, or a JAR file. Include all source files on the Fortify Static Code Analyzer command line.

The basic command-line syntax to translate Java code is:

    sourceanalyzer -b <build_id> -cp <classpath> <files>

With Java code, Fortify Static Code Analyzer can either emulate the compiler, which might be convenient for build integration, or accept source files directly, which is more convenient for command-line scans. For information about integrating Fortify Static Code Analyzer with Ant, see "Ant Integration" on page 65.

To have Fortify Static Code Analyzer emulate the compiler, type:

    sourceanalyzer -b <build_id> javac [<options>] <files>

To pass files directly to Fortify Static Code Analyzer, type:

    sourceanalyzer -b <build_id> -cp <classpath> [<options>] <files> | <directories>

where:

- <options> are options passed to the compiler.
- -cp <classpath> specifies the class path to use for the Java source code. A class path is the path that the Java runtime environment searches for classes and other resource files. Include all JAR dependencies normally used to build the project. The format is the same as what javac expects (colon- or semicolon-separated list of paths).

Similar to javac, Fortify Static Code Analyzer loads classes in the order they appear in the class path. If there are multiple classes with the same name in the list, Fortify Static Code Analyzer uses the first loaded class. In the following example, if both A.jar and B.jar include a class called MyData.class, Fortify Static Code Analyzer uses the MyData.class from A.jar:
    sourceanalyzer -cp A.jar:B.jar myfile.java

HPE strongly recommends that you avoid using duplicate classes with the -cp option.

Fortify Static Code Analyzer loads JAR files in the following order:

a. From the -cp option
b. From jre/lib
c. From <sca_install_dir>/Core/default_jars

This enables you to override a library class by including the similarly-named class in a JAR specified with the -cp option. For more information, see "Java Command-Line Options" below.

Java Command-Line Options

The following table describes the Java command-line options (for Java SE and Java EE).

-appserver weblogic | websphere
    Specifies the application server to process JSP files.
    Equivalent property name: com.fortify.sca.AppServer

-appserver-home <directory>
    Specifies the application server's home.
    - For WebLogic, this is the path to the directory that contains the server/lib directory.
    - For WebSphere, this is the path to the directory that contains the JspBatchCompiler script.
    Equivalent property name: com.fortify.sca.AppServerHome

-appserver-version <version>
    Specifies the version of the application server. See the HPE Security Fortify Software System Requirements document for supported versions.
    Equivalent property name: com.fortify.sca.AppServerVersion

-cp <classpath> | -classpath <classpath>
    Specifies the class path to use for analyzing Java source code. The format is the same as for javac: a colon- or semicolon-separated list of paths. You can use Fortify Static Code Analyzer file specifiers as shown in the following example:
        -cp "build/classes:lib/*.jar"
    For information about file specifiers, see "Specifying Files" on page 79.
    Equivalent property name: com.fortify.sca.JavaClasspath

-extdirs <directories>
    Similar to the javac extdirs option, accepts a colon- or semicolon-separated list of directories. Any JAR files found in these directories are included implicitly on the class path.
    Equivalent property name: com.fortify.sca.JavaExtdirs

-java-build-dir <directories>
    Specifies one or more directories to which Java sources have been compiled. You must specify this for FindBugs results as described in "Analysis Options" on page 75.

-source <version> | -jdk <version>
    Indicates the JDK version for which the Java code is written. Valid values for <version> are 1.5, 1.6, 1.7, and 1.8. The default is 1.8.
    Equivalent property name: com.fortify.sca.JdkVersion

-sourcepath <directories>
    Specifies a colon- or semicolon-separated list of directories that contain source code that is not included in the scan but is used for name resolution. The source path is similar to the class path, except that it uses source files instead of class files for resolution. Only source files that are referenced by the target file list are translated. To translate all files included in the source path, add -Dcom.fortify.sca.JavaSourcepathSearch=false to the command line.
    Equivalent property name: com.fortify.sca.JavaSourcePath

Java Command-Line Examples

To translate a single file named MyServlet.java with javaee.jar as the class path, type:

    sourceanalyzer -b MyServlet -cp lib/javaee.jar MyServlet.java

To translate all .java files in the src directory using all JAR files in the lib directory as a class path, type:

    sourceanalyzer -b MyProject -cp "lib/*.jar" "src/**/*.java"

To translate and compile the MyCode.java file with the javac compiler, type:

    sourceanalyzer -b MyProject javac -classpath libs.jar MyCode.java

Handling Resolution Warnings

To see all warnings that were generated during translation, type the following command before you start the scan phase:

    sourceanalyzer -b <build_id> -show-build-warnings

Java Warnings

You might see the following warnings for Java:

    Unable to resolve type...
    Unable to resolve function...
    Unable to resolve field...
    Unable to locate import...
    Unable to resolve symbol...
    Multiple definitions found for function...
    Multiple definitions found for class...

These warnings are typically caused by missing resources. For example, some of the .jar and .class files required to build the application might not have been specified. To resolve the warnings, make sure that you include all of the required files that your application uses.

Using FindBugs

FindBugs (http://findbugs.sourceforge.net) is a static analysis tool that detects quality issues in Java code. You can run FindBugs with Fortify Static Code Analyzer and the results are integrated into the analysis results file. Unlike Fortify Static Code Analyzer, which runs on Java source files, FindBugs runs on Java bytecode. Therefore, before you run an analysis on your project, first compile the project and produce the class files.

To see an example of how to run FindBugs automatically with Fortify Static Code Analyzer, compile the sample code Warning.java as follows:

1. Go to the following directory:

       <sca_install_dir>/Samples/advanced/findbugs

2. Type the following commands to compile the sample:

       mkdir build
       javac -d build Warning.java

3. Scan the sample with FindBugs and Fortify Static Code Analyzer as follows:

       sourceanalyzer -b findbugs_sample -java-build-dir build Warning.java
       sourceanalyzer -b findbugs_sample -scan -findbugs -f findbugs_sample.fpr

4. Examine the analysis results in Audit Workbench:

       auditworkbench findbugs_sample.fpr

The output contains the following issue categories:

- Bad casts of Object References (1)
- Dead local store (2)
- Equal objects must have equal hashcodes (1)
- Object model violation (1)
- Unwritten field (2)
- Useless self-assignment (2)

If you group by analyzer, you can see that the Fortify Static Code Analyzer Structural Analyzer produced one issue and FindBugs produced eight.
The Object model violation issue that Fortify Static Code Analyzer detected on line 25 is similar to the Equal objects must have equal hash codes issue that FindBugs detected. In addition, FindBugs produces two sets of issues (Useless self-assignment and Dead local store) about the same vulnerabilities on lines 6 and 7. To avoid overlapping results, use the -filter option during the scan to apply the filter.txt filter file. Note that the filtering is not complete because each tool filters at a different level of granularity.

To see how to avoid overlapping results, scan the sample code using filter.txt as follows:

    sourceanalyzer -b findbugs_sample -scan -findbugs -filter filter.txt -f findbugs_sample.fpr

Translating Java EE Applications

To translate Java EE applications, Fortify Static Code Analyzer processes Java source files and Java EE components such as JSP files, deployment descriptors, and configuration files. While you can process all the pertinent files in a Java EE application in one step, your project might require that you break the procedure into its components for integration in a build process or to meet the needs of various stakeholders in your organization.

Translating the Java Files

To translate Java EE applications, use the same procedure used to translate Java files. For examples, see "Java Command-Line Examples" on page 26.

Translating JSP Projects, Configuration Files, and Deployment Descriptors

In addition to translating the Java files in your Java EE application, you might also need to translate JSP files, configuration files, and deployment descriptors. Your JSP files must be part of a Web Application Archive (WAR). If your source directory is already organized in a WAR layout, you can translate the JSP files directly from the source directory.
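The class-path rule from "Java Command-Line Syntax" (the first JAR that defines a class wins) and the "Multiple definitions found for class..." warning both stem from duplicate classes on the -cp value, whether the Java files belong to a plain project or to a Java EE application. The following script is an added example, not part of Fortify, that lists classes occurring in more than one class-path entry so that the duplicate can be removed before translation; it assumes Info-ZIP unzip for reading JARs and handles the colon-separated class-path form only.

```shell
#!/bin/sh
# Added example (not part of Fortify): report classes that are present in
# more than one entry of a -cp value. The first entry wins, so an older or
# differently patched copy of a library earlier on the class path is the
# one the analysis models. Assumes Info-ZIP unzip is installed.
set -eu

# Expand a colon-separated class path (entries may be shell globs such as
# lib/*.jar, as in the -cp "build/classes:lib/*.jar" example) to one
# existing path per line, in class-path order. The Fortify-only "**"
# specifier is not expanded by a POSIX shell and is not handled here.
expand_classpath() {
    saved_ifs=$IFS
    IFS=:
    for entry in $1; do
        if [ -e "$entry" ]; then
            printf '%s\n' "$entry"
        fi
    done
    IFS=$saved_ifs
}

# Print "source<TAB>class" for every .class entry of a JAR (a JAR is a ZIP
# archive, so unzip -Z1 lists its entry names) or of a class directory.
list_classes() {
    case "$1" in
        *.jar) unzip -Z1 "$1" ;;
        *)     ( cd "$1" && find . -name '*.class' | sed 's|^\./||' ) ;;
    esac | awk -v src="$1" '/\.class$/ { print src "\t" $0 }'
}

# Read "source<TAB>class" lines on stdin and print every class seen in more
# than one source, listing the sources in class-path order: the first one
# listed is the copy Fortify Static Code Analyzer actually uses.
report_duplicate_classes() {
    awk -F '\t' '
        { seen[$2]++; where[$2] = (seen[$2] == 1) ? $1 : where[$2] " " $1 }
        END { for (c in seen) if (seen[c] > 1) print c ": " where[c] }
    ' | sort
}

# Usage: check_classpath "build/classes:lib/*.jar"
# Prints duplicates and returns 1 if any were found, so a CI job can stop
# before translation; returns 0 with no output when the class path is clean.
check_classpath() {
    dups=$(expand_classpath "$1" \
        | while read -r src; do list_classes "$src"; done \
        | report_duplicate_classes)
    if [ -n "$dups" ]; then
        printf '%s\n' "$dups"
        return 1
    fi
}
```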
If not, you might need to deploy your application and translate the JSP files from the deployment directory. For example:

    sourceanalyzer -b <build_id> <jsp_dir>/**/*.jsp <config_dir>/**/*.xml

where <jsp_dir>/**/*.jsp refers to the location of your JSP project files and <config_dir>/**/*.xml refers to the location of your configuration and deployment descriptor files.

Java EE Translation Warnings

You might see the following warning in the translation of Java EE applications:

    Could not locate the root (WEB-INF) of the web application. Please build your web application and try again. Failed to parse the following jsp files: <list_of_jsp_files>

This warning indicates that your web application is not deployed in the standard WAR directory format or does not contain the full set of required libraries. To resolve the warning, make sure that your web application is in an exploded WAR directory format with the correct WEB-INF/lib and WEB-INF/classes directories containing all of the .jar and .class files required for your application. Also verify that you have all of the TLD files for all of your tags and the corresponding JAR files with their tag implementations.

Translating Java Bytecode

In addition to translating source code, you can translate the bytecode in your project. You must specify two configuration properties and include the bytecode files in the Fortify Static Code Analyzer translation phase. For best results, HPE recommends that the bytecode be compiled with full debug information (javac -g).

To include bytecode in the Fortify Static Code Analyzer translation:

1. Add the following properties to the fortify-sca.properties file (or include these properties on the command line using the -D option):

       com.fortify.sca.fileextensions.class=BYTECODE
       com.fortify.sca.fileextensions.jar=ARCHIVE

   This specifies how Fortify Static Code Analyzer processes .class and .jar files.

2. In the Fortify Static Code Analyzer translation phase, specify the Java bytecode files that you want to translate. For best performance, specify only the .jar or .class files that require scanning. In the following example, the .class files are translated:

       sourceanalyzer -b MyProject -cp "lib/*.jar" "src/**/*.class"

HPE recommends that you do not translate Java bytecode and JSP/Java code in the same call to sourceanalyzer. Use multiple invocations of sourceanalyzer with the same build ID to translate a project that contains both bytecode and JSP/Java code.

Chapter 4: Translating .NET Code

This chapter describes how to use Fortify Static Code Analyzer to translate Visual Studio .NET and ASP.NET applications built with Visual Studio. See the HPE Security Fortify Software System Requirements document for supported versions of Visual Studio. Fortify Static Code Analyzer analyzes code written in C#, VB.NET, and ASP.NET (including .cshtml, .vbhtml, and .xaml files).

Note: The easiest way to analyze a .NET application is to use the HPE Security Fortify Package for Visual Studio, which automatically gathers all the required project information.

This section contains the following topics:

    .NET Command-Line Syntax               30
    Translating Simple .NET Applications   32
    Handling Translation Errors            33

.NET Command-Line Syntax

HPE recommends that you use the Visual Studio Command Prompt to run these commands.

If you perform command-line builds with Visual Studio .NET, you can wrap the build command line with an invocation of Fortify Static Code Analyzer to integrate static analysis. You must have the HPE Security Fortify Package for Visual Studio for your version of Visual Studio installed. The following example demonstrates the command-line syntax for Visual Studio .NET:

    sourceanalyzer -b my_buildid devenv Sample1.sln /REBUILD debug

This performs the translation phase on all files built with Visual Studio.
Make sure that you clean or rebuild the project to have all files included.

Note: When you translate .NET code this way, you do not need to specify any of the .NET command-line options described in ".NET Command-Line Options" on the next page. HPE Security Fortify Package for Visual Studio automatically gathers all information needed for translation and provides it to Fortify Static Code Analyzer.

You can then perform the analysis phase, as shown in the following example:

    sourceanalyzer -b my_buildid -scan -f results.fpr

.NET Command-Line Options

The following table describes the .NET command-line options.

Note: These options are not required if you translate the code with the Visual Studio Command Prompt and you have HPE Security Fortify Package for Visual Studio installed.

-dotnet-version <version>
    Specifies the .NET framework version. See the HPE Security Fortify Software System Requirements for a list of supported versions. This adds the location of the .NET framework libraries (DLLs) for the specified .NET framework version to the list of directories/paths specified by the -libdirs option, unless the -libdirs-only option is specified.

-libdirs <directories> | <paths>
    Specifies a semicolon-separated list of directories where referenced system or third-party DLLs are located. You can also specify paths to specific DLLs with this option.

-libdirs-only
    Sets the list of directories or paths to only those specified by the -libdirs option. Otherwise, Fortify Static Code Analyzer includes the location of the .NET framework libraries (DLLs) that correspond to the .NET framework version specified with the -dotnet-version option.

-dotnet-preproc-symbols <symbols>
    Specifies a semicolon-separated list of preprocessor symbols used in the source code. For example:
        -dotnet-preproc-symbols "DEBUG;TRACE"

-dotnet-assembly-name <name>
    Specifies the name of the target .NET assembly as specified in the Visual Studio project settings.

-dotnet-web-root <directory>
    .NET Web projects only. Specifies the home directory of an ASP.NET project.

-cs-extern-alias <aliases>
    C# projects only. Specifies a list of external aliases for a specified DLL file in the following format: alias1,alias2,...=<dll_file>. If multiple DLLs are assigned external aliases, specify multiple -cs-extern-alias options on the command line.

-vb-root <namespace>
    VB.NET projects only. Specifies the root namespace for the project as specified in the Visual Studio project settings.

-vb-imports <namespaces>
    VB.NET projects only. Specifies a semicolon-separated list of namespaces imported for all source files in the project.

-vb-mytype <value>
    VB.NET projects only. Specifies the value for the _MYTYPE preprocessor symbol that is specified in the <MyType> tag in the project settings. This is required if the source code to be translated uses the My namespace.

-vb-webproject
    VB.NET projects only. Indicates that the project is a pure Web project (no code-behind source files).

-vb-compile-options <options>
    VB.NET projects only. Specifies any special compilation options required for the correct translation of the source code, such as OptionStrict, OptionInfer, and OptionExplicit. The format for <options> is a comma-separated list of: