Fortify Static Code Analyzer – Configuration Options

The Fortify SCA and Applications installer places a set of properties files on your system. Properties files contain configurable settings for Micro Focus Fortify Static Code Analyzer runtime analysis, output, and performance.

Fortify Static Code Analyzer Properties Files

The properties files are located in the <sca_install_dir>/Core/config directory.

The installed properties files contain default values. Fortify recommends that you consult with your project leads before you make changes to the properties in the properties files. You can modify any of the properties in the configuration file with any text editor. You can also specify the property on the command line with the -D option.

The following table describes the primary properties files.

Properties File Name               Description
fortify-sca.properties             Defines the Fortify Static Code Analyzer configuration properties.
fortify-sca-quickscan.properties   Defines the configuration properties applicable for a Fortify Static Code Analyzer quick scan.

Properties File Format

In the properties file, each property consists of a pair of strings: the first string is the property name and the second string is the property value.

com.fortify.sca.fileextensions.htm=HTML

As shown above, the property sets the translation to use for .htm files. The property name is com.fortify.sca.fileextensions.htm and the value is set to HTML.

Note: When you specify a path for Windows systems as the property value, you must escape any backslash character (\) with a backslash (for example: com.fortify.sca.ASPVirtualRoots.Library=C:\\WebServer\\CustomerA\\inc).

Disabled properties are commented out of the properties file. To enable these properties, remove the comment symbol (#) and save the properties file. In the following example, the com.fortify.sca.LogFile property is disabled in the properties file and is not part of the configuration:

# default location for the log file

#com.fortify.sca.LogFile=${com.fortify.sca.ProjectRoot}/sca/log/sca.log

Precedence of Setting Properties

Fortify Static Code Analyzer uses properties settings in a specific order. You can override any previously set properties with the values that you specify. Keep this order in mind when making changes to the properties files.

The following table lists the order of precedence for Fortify Static Code Analyzer properties.

Order   Property Specification                                       Description
1       Command line with the -D option                              Properties specified on the command line have the highest priority and you can specify them in any scan.
2       Fortify Static Code Analyzer quick scan configuration file   Properties specified in the quick scan configuration file (fortify-sca-quickscan.properties) have the second priority, but only if you include the -quick option to enable quick scan mode. If quick scan is not invoked, this file is ignored.
3       Fortify Static Code Analyzer configuration file              Properties specified in the Fortify Static Code Analyzer configuration file (fortify-sca.properties) have the lowest priority. Edit this file to change the property values on a more permanent basis for all scans.

Fortify Static Code Analyzer also relies on some properties that have internally defined default values.
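To make the file format and the precedence order concrete, the following Python script is an added example; it is not Fortify's own property loader and is not part of this guide. It parses two constructed property texts in the .properties format shown above, applies fortify-sca-quickscan.properties only when -quick is present, lets -Dname=value arguments win over both files, skips commented-out lines, reduces doubled backslashes in Windows paths to single ones, and expands ${...} references. The property names in the samples are from this page; the sample file contents, values and function names are the example's own.

```python
"""Precedence resolver for Fortify SCA properties.

Added illustration for this page; it is not Fortify's own loader. It models the
order the page describes: -D values on the command line beat
fortify-sca-quickscan.properties (consulted only when -quick is given), which
beats fortify-sca.properties. The two property texts below are constructed
samples, not the files the installer ships.
"""
import re
from typing import Dict, Iterable, Tuple

# Constructed sample of fortify-sca.properties. Backslashes in the Windows
# path are doubled, as the page requires; the parser reduces them to one.
SCA_PROPERTIES = r"""
com.fortify.sca.ProjectRoot=C:\\Users\\scan\\AppData\\Local\\Fortify
com.fortify.sca.LogFile=${com.fortify.sca.ProjectRoot}/sca/log/sca.log
com.fortify.sca.DefaultAnalyzers=dataflow,controlflow,semantic,structural
# disabled property: commented out, so it is not part of the configuration
#com.fortify.sca.ThreadCount=2
"""

# Constructed sample of fortify-sca-quickscan.properties.
QUICKSCAN_PROPERTIES = r"""
com.fortify.sca.DefaultAnalyzers=semantic,structural
"""

_VAR = re.compile(r"\$\{([^}]+)\}")


def _unescape(value: str) -> str:
    # A doubled backslash in the file becomes one backslash; \n and \t become
    # the control characters; any other escaped character is kept literally.
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append({"n": "\n", "t": "\t"}.get(value[i + 1], value[i + 1]))
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_properties(text: str) -> Dict[str, str]:
    """Parse Java-style properties: '#'/'!' comment lines are skipped, the key
    ends at the first '=' and the value is unescaped."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = _unescape(value.strip())
    return props


def parse_command_line(argv: Iterable[str]) -> Tuple[Dict[str, str], bool]:
    """Collect -Dname=value overrides and detect -quick; other options are ignored."""
    overrides: Dict[str, str] = {}
    quick = False
    for arg in argv:
        if arg == "-quick":
            quick = True
        elif arg.startswith("-D") and "=" in arg:
            key, value = arg[2:].split("=", 1)
            overrides[key] = value
    return overrides, quick


def _expand(value: str, env: Dict[str, str], depth: int = 0) -> str:
    """Substitute ${name} from the merged properties. Names with no value
    (for example ${win32.LocalAppdata}, which Fortify supplies internally)
    are left untouched."""
    if depth > 8:  # guard against self-referencing definitions
        return value
    return _VAR.sub(
        lambda m: _expand(env[m.group(1)], env, depth + 1) if m.group(1) in env else m.group(0),
        value,
    )


def resolve(sca: Dict[str, str], quickscan: Dict[str, str],
            overrides: Dict[str, str], quick: bool) -> Dict[str, str]:
    """Merge in ascending priority so that the highest-priority source wins."""
    merged = dict(sca)            # priority 3: fortify-sca.properties
    if quick:
        merged.update(quickscan)  # priority 2: only in quick scan mode
    merged.update(overrides)      # priority 1: -D on the command line
    return {k: _expand(v, merged) for k, v in merged.items()}


def effective_properties(argv: Iterable[str]) -> Dict[str, str]:
    """Resolve the constructed sample files against a sourceanalyzer-style argv."""
    overrides, quick = parse_command_line(argv)
    return resolve(parse_properties(SCA_PROPERTIES),
                   parse_properties(QUICKSCAN_PROPERTIES), overrides, quick)


if __name__ == "__main__":
    # Argument shape follows the page's -b / -quick / -D options; only the
    # properties are resolved here, no scan is run.
    for k, v in sorted(effective_properties(
            ["-b", "app", "-quick", "-Dcom.fortify.sca.ThreadCount=4", "-scan"]).items()):
        print(f"{k}={v}")
```

Note that the commented-out ThreadCount line never reaches the result, so a scan without a -D override falls back to Fortify's internal default for that property, which is exactly the behaviour the page describes for disabled properties.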

fortify-sca.properties

The following table summarizes the properties available for use in the fortify-sca.properties file. See fortify-sca-quickscan.properties for additional properties that you can use in this properties file. The description for each property includes the value type, the default value, the equivalent command-line option (if applicable), and an example.

Property Name Description
com.fortify.sca.
BuildID
Specifies the build ID of the build.

Value Type: String

Default: (none)

Command-Line Option: -b

com.fortify.sca.
ProjectRoot
Specifies the folder to store intermediate files generated in the translation and scan phases. Fortify Static Code Analyzer makes extensive use of intermediate files located in this project root directory. In some cases, you achieve better performance for analysis by making sure this directory is on local storage rather than on a network drive.

Value Type: String (path)

Default (Windows): ${win32.LocalAppdata}\Fortify

Note: ${win32.LocalAppdata} is a special variable that points to the Windows Local Application Data shell folder.

Default (Non-Windows): $home/.fortify

Command-Line Option: -project-root

Example: com.fortify.sca.ProjectRoot=C:\\Users\\<user>\\AppData\\Local\\

com.fortify.sca.
DisableDeadCodeElimination
Dead code is code that can never be executed, such as code inside the body of an if statement that always evaluates to false. If this property is set to true, then Fortify Static Code Analyzer does not identify dead code, does not report dead code issues, and reports other vulnerabilities in the dead code, even though they are unreachable during execution.

Value Type: Boolean

Default: false

com.fortify.sca.
DeadCodeFilter
If set to true, Fortify Static Code Analyzer removes dead code issues, for example, issues reported in dead code that the compiler generated and that does not appear in the source code.

Value Type: Boolean

Default: true

com.fortify.sca.
fileextensions.java

com.fortify.sca.
fileextensions.cs

com.fortify.sca.
fileextensions.js

com.fortify.sca.
fileextensions.py

com.fortify.sca.
fileextensions.rb

com.fortify.sca.
fileextensions.aspx

com.fortify.sca.
fileextensions.php

Note: This is a partial list. For the complete list, see the properties file.

Specifies how to translate specific file extensions for languages that do not require build integration. The valid types are: ABAP, ACTIONSCRIPT, APEX, APEX_TRIGGER, ARCHIVE, ASPNET, ASP, ASPX, BITCODE, BYTECODE, CFML, COBOL, CSHARP, HTML, JAVA, JAVA_PROPERTIES, JAVASCRIPT, JSP, JSPX, MSIL, MXML, PHP, PLSQL, PYTHON, RUBY, RUBY_ERB, SCALA, SWIFT, TLD, SQL, TSQL, TYPESCRIPT, VB, VB6, VBSCRIPT, VISUAL_FORCE, and XML.

Value Type: String (valid language type)

Default: See the fortify-sca.properties file for the complete list.

Examples:

com.fortify.sca.fileextensions.java=JAVA
com.fortify.sca.fileextensions.cs=CSHARP
com.fortify.sca.fileextensions.js=TYPESCRIPT
com.fortify.sca.fileextensions.py=PYTHON
com.fortify.sca.fileextensions.rb=RUBY
com.fortify.sca.fileextensions.aspx=ASPNET
com.fortify.sca.fileextensions.php=PHP

You can also specify a value of oracle:<path_to_script> to programmatically supply a language type. Provide a script that accepts one command-line parameter of a file name that matches the specified file extension. The script must write the valid Fortify Static Code Analyzer file type (see previous list) to stdout and exit with a return value of zero. If the script returns a non-zero return code or the script does not exist, the file is not translated and Fortify Static Code Analyzer writes a warning to the log file.

Example:
com.fortify.sca.fileextensions.jsp=oracle:<path_to_script>
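A minimal oracle script for this mechanism, written in Python as an added example; it is not shipped with Fortify and is not the page's own code. It assumes a tree of legacy .inc include files that mix PHP and classic ASP, sniffs the first bytes of the file for an opening tag, prints PHP or ASP, and exits non-zero when it cannot decide, so that Fortify skips the file and logs a warning instead of translating it as the wrong language. The marker bytes, the script name and the property line in the usage note are this example's own assumptions.

```python
#!/usr/bin/env python3
"""Language oracle for com.fortify.sca.fileextensions.<ext>=oracle:<path_to_script>.

Added illustration for this page, not a script shipped with Fortify. Fortify
calls the oracle with one argument, a file name with the configured extension,
and expects one of its file types on stdout with exit status 0; a non-zero
status tells it to skip the file and log a warning. The assumed scenario is a
tree of legacy '.inc' include files, some PHP and some classic ASP; the
content sniffing below is this example's own heuristic.
"""
import sys
from typing import List, Optional

PHP_MARKERS = (b"<?php", b"<?=")   # PHP opening tags (assumed sufficient here)
ASP_MARKERS = (b"<%",)             # classic ASP server-script delimiter


def classify_bytes(head: bytes) -> Optional[str]:
    """Return a Fortify file type for the first bytes of a file, or None if unsure."""
    if head.startswith(b"\xef\xbb\xbf"):  # drop a UTF-8 BOM
        head = head[3:]
    if any(marker in head for marker in PHP_MARKERS):
        return "PHP"   # PHP tags are unambiguous, so test them first
    if any(marker in head for marker in ASP_MARKERS):
        return "ASP"
    return None        # unknown: caller exits non-zero and Fortify skips the file


def classify(path: str) -> Optional[str]:
    """Sniff only the first 4 KiB so large generated files stay cheap to examine."""
    try:
        with open(path, "rb") as fh:
            return classify_bytes(fh.read(4096))
    except OSError:
        return None


def main(argv: List[str]) -> int:
    if len(argv) != 2:
        print("usage: inc_oracle.py <file>", file=sys.stderr)
        return 2
    kind = classify(argv[1])
    if kind is None:
        # Non-zero exit: Fortify does not translate the file and logs a warning.
        print(f"inc_oracle: cannot classify {argv[1]}", file=sys.stderr)
        return 1
    print(kind)   # the file type goes to stdout, nothing else
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Register it with a line such as com.fortify.sca.fileextensions.inc=oracle:/opt/fortify/oracles/inc_oracle.py (hypothetical path). The script must be executable by the user running the scan; on Unix the shebang line is enough, and on Windows it is assumed that a .bat wrapper invoking the interpreter is needed because the property takes a single path. Exiting non-zero for anything unrecognised is deliberate: a wrong guess silently translates the file with the wrong parser, while a skipped file is visible in the log.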

com.fortify.sca.compilers.javac=com.fortify.sca.util.compilers.JavacCompiler

com.fortify.sca.compilers.c++=com.fortify.sca.util.compilers.GppCompiler

com.fortify.sca.compilers.make=com.fortify.sca.util.compilers.TouchlessCompiler

com.fortify.sca.compilers.mvn=com.fortify.sca.util.compilers.MavenAdapter

Note: This is a partial list. For the complete list, see the properties file.

Specifies custom-named compilers.

Value Type: String (compiler)

Default: See the Compilers section in the fortify-sca.properties file for the complete list.

Example:

To tell Fortify Static Code Analyzer that “my-gcc” is a gcc compiler:

com.fortify.sca.compilers.my-gcc=com.fortify.sca.util.compilers.GccCompiler

Notes:

· Compiler names can begin or end with an asterisk (*), which matches zero or more characters.

· Execution of Apple LLVM clang/clang++ is not supported with the gcc/g++ command names. You can specify the following: com.fortify.sca.compilers.g++=com.fortify.sca.util.compilers.GppCompiler

com.fortify.sca.
UseAntListener
If set to true, Fortify Static Code Analyzer includes com.fortify.dev.ant.SCAListener in the compiler options.

Value Type: Boolean

Default: false

com.fortify.sca.
exclude
Specifies a file or a list of files to exclude from translation. Separate the file list with semicolons (Windows) or colons (non-Windows systems).

Note: Fortify Static Code Analyzer only uses this property during translation without build integration. When you integrate with a compiler or build tool, Fortify Static Code Analyzer translates all source files that the compiler or build tool processes even if they are specified with this property.

Value Type: String (list of file names)

Default: Not enabled

Command-Line Option: -exclude

Example: com.fortify.sca.exclude=file1.x;file2.x

com.fortify.sca.
CmdlineOptionsFileEncoding
Specifies the encoding of the command-line options file provided with @<filename> (see Other Options). You can use this property, for example, to specify Unicode file paths in the options file. Valid encoding names are those accepted by java.nio.charset.Charset.

Note: This property is only valid in the fortify-sca.properties file and does not work in the fortify-sca-quickscan.properties file or with the -D option.

Value Type: String

Default: JVM system default encoding

Example: com.fortify.sca.CmdlineOptionsFileEncoding=UTF-8

com.fortify.sca.
InputFileEncoding
Specifies the source file encoding type. Fortify Static Code Analyzer allows you to scan a project that contains differently encoded source files. To work with a multi-encoded project, you must specify the ‑encoding option in the translation phase, when Fortify Static Code Analyzer first reads the source code file. Fortify Static Code Analyzer remembers this encoding in the build session and propagates it into the FVDL file.

Typically, if you do not specify the encoding type, Fortify Static Code Analyzer uses file.encoding from the java.io.InputStreamReader constructor with no encoding parameter. In a few cases (for example with the ActionScript parser), Fortify Static Code Analyzer defaults to UTF-8.

Value Type: String

Default: (none)

Command-Line Option: -encoding

Example:
com.fortify.sca.InputFileEncoding=UTF-16

com.fortify.sca.
xcode.TranslateAfterError
Specifies whether the xcodebuild touchless adapter continues translation if the xcodebuild subprocess exited with a non-zero exit code. If set to false, translation stops after encountering a non-zero xcodebuild exit code and the Fortify Static Code Analyzer touchless build halts with the same exit code. If set to true, the Fortify Static Code Analyzer touchless build executes translation of the build file identified prior to the xcodebuild exit, and Fortify Static Code Analyzer exits with an exit code of zero (unless some other error also occurs).

Regardless of this setting, if xcodebuild exits with a non-zero code, then the xcodebuild exit code, stdout, and stderr are written to the log file.

Value Type: Boolean

Default: false

com.fortify.sca.
Apex
If set to true, Fortify Static Code Analyzer uses Apex translation for files with the .cls extension and Visualforce translation for files with the .component extension.

Value Type: Boolean

Default: false

Command-Line Option: -apex

com.fortify.sca.
ApexObjectPath
Specifies the absolute path of the custom sObject JSON file sobjects.json.

Value Type: String

Default: (none)

Command-Line Option: -apex-sobject-path

com.fortify.sca.
AddImpliedMethods
If set to true, Fortify Static Code Analyzer generates implied methods when it encounters implementation by inheritance.

Value Type: Boolean

Default: true

com.fortify.sca.
DefaultAnalyzers
Specifies a comma- or colon-separated list of the types of analysis to perform. The valid values for this property are buffer, content, configuration, controlflow, dataflow, findbugs, nullptr, semantic, and structural.

Value Type: String

Default: This property is commented out and all analysis types are used in scans.

Command-Line Option: -analyzers

com.fortify.sca.
EnableAnalyzer
Specifies a comma- or colon-separated list of analyzers to use for a scan in addition to the default analyzers. The valid values for this property are buffer, content, configuration, controlflow, dataflow, findbugs, nullptr, semantic, and structural.

Value Type: String

Default: (none)

com.fortify.sca.
ExitCodeLevel
Extends the default exit code options. See Exit Codes for a description of the exit codes. The valid values are:

· nothing—Returns exit codes 0, 1, 2, or 3. This is the default setting.

· warnings—Returns exit codes 0, 1, 2, 3, 4, or 5.

· errors—Returns exit codes 0, 1, 2, 3, or 5.

· no_output_file—Returns exit codes 0, 1, 2, 3, or 6.

Command-Line Option:
-exit-code-level

com.fortify.sca.
IncrementalBaseScan
If set to true, requests a full scan of a project for which you can run subsequent incremental scans.

Value Type: Boolean

Default: false

com.fortify.sca.
IncrementalScan
If set to true, requests an incremental rescan of a previously scanned project.

Value Type: Boolean

Default: false

com.fortify.sca.
hoa.Enable
If set to true, higher-order analysis is enabled.

Value Type: Boolean

Default: true

com.fortify.sca.
Phase0HigherOrder.Languages
The languages for which to run higher-order analysis. Valid values are python, swift, ruby, javascript, and typescript.

Value Type: String (comma separated list of languages)

Default: python,ruby,swift,javascript,typescript

com.fortify.sca.
Phase0HigherOrder.Timeout.Hard
Specifies the total time (in seconds) for higher-order analysis. When the analyzer reaches the hard timeout limit, it exits immediately.

Fortify recommends this timeout limit in case some issue causes the analysis to run too long. Fortify recommends that you set the hard timeout to about 50% longer than the soft timeout, so that either the fixpoint pass limiter or the soft timeout occurs first.

Value Type: Number

Default: 2700

com.fortify.sca.
MaxPassthroughChainDepth
Specifies the length of a taint path between input and output parameters in a function call.

Value Type: Integer

Default: 4

com.fortify.sca.
TypeInferenceLanguages
Comma- or colon-separated list of languages that use type inference. This setting improves the precision of the analysis for dynamically-typed languages.

Value Type: String

Default: javascript,python,ruby,typescript

com.fortify.sca.
TypeInferencePhase0Timeout
The total amount of time (in seconds) that type inference can spend in phase 0 (the interprocedural analysis). Unlimited if set to zero or is not specified.

Value Type: Long

Default: 300

com.fortify.sca.
TypeInferenceFunctionTimeout
The amount of time (in seconds) that type inference can spend to analyze a single function. Unlimited if set to zero or is not specified.

Value Type: Long

Default: 60

com.fortify.sca.
DisableFunctionPointers
If set to true, disables function pointers during the scan.

Value Type: Boolean

Default: false

com.fortify.sca.
RulesFileExtensions
Specifies a list of file extensions for rules files. Any file in <sca_install_dir>/Core/config/rules (or a directory specified with the -rules option) whose extension is in this list is included. The .bin extension is always included, regardless of the value of this property. The delimiter for this property is the system path separator.

Value Type: String

Default: .xml

com.fortify.sca.
RulesFile
Specifies a custom Rulepack or directory. If you specify a directory, all of the files in the directory with the .bin and .xml extensions are included.

Value Type: String (path)

Default: (none)

Command-Line Option: -rules

com.fortify.sca.
NoDefaultRules
If set to true, rules from the default Rulepacks are not loaded. Fortify Static Code Analyzer processes the Rulepacks for description elements and language libraries, but no rules are processed.

Value Type: Boolean

Default: (none)

Command-Line Option: -no-default-rules

com.fortify.sca.
NoDefaultIssueRules
If set to true, disables rules in default Rulepacks that lead directly to issues. Still loads rules that characterize the behavior of functions. This can be helpful when creating custom issue rules.

Value Type: Boolean

Default: (none)

Command-Line Option: -no-default-issue-rules

com.fortify.sca.
NoDefaultSourceRules
If set to true, disables source rules in the default Rulepacks. This can be helpful when creating custom source rules.

Note: Characterization source rules are not disabled.

Value Type: Boolean

Default: (none)

Command-Line Option: -no-default-source-rules

com.fortify.sca.
NoDefaultSinkRules
If set to true, disables sink rules in the default Rulepacks. This can be helpful when creating custom sink rules.

Note: Characterization sink rules are not disabled.

Value Type: Boolean

Default: (none)

Command-Line Option: -no-default-sink-rules

com.fortify.sca.
CustomRulesDir
Sets the directory used to search for custom rules.

Value Type: String (path)

Default:
${com.fortify.Core}/config/customrules

com.fortify.sca.
EnableFindbugs
If set to true, FindBugs is enabled as part of the scan.

Value Type: Boolean

Default: true

Command-Line Option: -findbugs

com.fortify.sca.
findbugs.maxheap
Sets the maximum heap size for findbugs.

Value Type: String

Default: Maximum heap size for Fortify Static Code Analyzer

Example:
com.fortify.sca.findbugs.maxheap=500m

com.fortify.sca.
SuppressLowSeverity
If set to true, Fortify Static Code Analyzer ignores low severity issues found in a scan.

Value Type: Boolean

Default: true

com.fortify.sca.
LowSeverityCutoff
Specifies the cutoff level for severity suppression. Fortify Static Code Analyzer ignores any issues found with a lower severity value than the one specified for this property.

Value Type: Number

Default: 1.0

com.fortify.sca.
analyzer.controlflow.
EnableTimeOut
Specifies whether to enable Control Flow Analyzer timeouts.

Value Type: Boolean

Default: true

com.fortify.sca.
RegExecutable
On Windows platforms, specifies the path to the reg.exe system utility. Specify the paths in Windows syntax, not Cygwin syntax, even when you run Fortify Static Code Analyzer from within Cygwin. Escape backslashes with an additional backslash.

Value Type: String (path)

Default: reg

Example:
com.fortify.sca.RegExecutable=C:\\Windows\\System32\\reg.exe

com.fortify.sca.
FilterFile
Specifies the path to a filter file for the scan. See Filter Files for more information.

Value Type: String (path)

Default: (none)

Command-Line Option: -filter

com.fortify.sca.
FilteredInstanceIDs
Specifies a comma-separated list of IIDs to be filtered out using a filter file.

Value Type: String

Default: (none)

com.fortify.sca.
BinaryName
Specifies a subset of source files to scan. Only the source files that were linked in the named binary at build time are included in the scan.

Value Type: String (path)

Default: (none)

Command-Line Option: -bin or -binary-name

com.fortify.sca.
QuickScanMode
If set to true, Fortify Static Code Analyzer performs a quick scan. Fortify Static Code Analyzer applies the settings from fortify-sca-quickscan.properties on top of those in fortify-sca.properties (see Precedence of Setting Properties), so any property set in the quick scan file overrides the same property in the main configuration file.

Value Type: Boolean

Default: (not enabled)

Command-Line Option: -quick

com.fortify.sca.
ProjectTemplate
Specifies the issue template file to use for the scan. This only affects scans on the local machine. If you upload the FPR to Micro Focus Fortify Software Security Center server, it uses the issue template assigned to the application version.

Value Type: String

Default: (none)

Command-Line Option: -project-template

Example:
com.fortify.sca.ProjectTemplate=test_issuetemplate.xml

com.fortify.sca.
ScanScaModule
If set to true, Fortify Static Code Analyzer performs a modular scan of this project, which enables use of this library's build ID with the -include-modules option (or the com.fortify.sca.IncludeScaModules property) in subsequent scans.

This property is ignored if the -scan command-line option is specified.

Value Type: Boolean

Default: false

Command-Line Option: -scan-module

com.fortify.sca.
IncludeScaModules
Specifies a comma- or colon-separated list of build IDs for libraries pre-scanned as separate modules to use in the project scan. Each build ID must denote an existing scanned library.

Value Type: String (build IDs)

Default: (none)

Command-Line Option: -include-modules

Example:
com.fortify.sca.IncludeScaModules=LibA,LibB

com.fortify.sca.
alias.Enable
If set to true, enables alias analysis.

Value Type: Boolean

Default: true

com.fortify.sca.
UniversalBlacklist
Specifies a list of functions to blacklist from all analyzers.

Value Type: String (colon-separated list)

Default: .*yyparse.*

com.fortify.sca.
MultithreadedAnalysis
Specifies whether or not Fortify Static Code Analyzer runs in parallel analysis mode.

Value Type: Boolean

Default: true

com.fortify.sca.
ThreadCount
Specifies the number of threads for parallel analysis mode. Add this property only if you need to reduce the number of threads used because of a resource constraint. If you experience an increase in scan time or problems with your scan, a reduction in the number of threads used might solve the problem.

Value type: Integer

Default: (number of available processor cores)

com.fortify.sca.
DISabledLanguages
Add a colon-separated list of languages to exclude from the translation phase. The valid language values are abap, actionscript, apex, cfml, cobol, cpp, csharp, java, javascript, jsp, objc, php, plsql, python, ruby, scala, swift, tsql, typescript, vb.

Value Type: String

Default: (none)

Command-Line Option: -disable-language

com.fortify.sca.
EnabledLanguages
Specifies a colon-separated list of languages to translate. The valid language values are abap, actionscript, apex, cfml, cobol, cpp, csharp, java, javascript, jsp, objc, php, plsql, python, ruby, scala, swift, tsql, typescript, vb.

Value Type: String

Default: All languages in the specified source are translated unless explicitly excluded with the com.fortify.sca.DISabledLanguages property.

Command-Line Option: -enable-language

com.fortify.sca.
JdkVersion
Specifies the Java source code version to the Java translator.

Value Type: String

Default: 1.8

Command-Line Option: -jdk

com.fortify.sca.
JavaClasspath
Specifies the class path used to analyze Java source code. Specify the paths as a semicolon-separated list (Windows) or a colon-separated list (non-Windows systems).

Value Type: String (paths)

Default: (none)

Command-Line Option: -cp or -classpath

com.fortify.sca.
Appserver
Specifies the application server to process JSP files. The valid values are weblogic or websphere.

Value Type: String

Default: (none)

Command-Line Option: -appserver

com.fortify.sca.
AppserverHome
Specifies the application server’s home directory. For WebLogic, this is the path to the directory that contains server/lib. For WebSphere, this is the path to the directory that contains the JspBatchCompiler script.

Value Type: String (path)

Default: (none)

Command-Line Option: -appserver-home

com.fortify.sca.
AppserverVersion
Specifies the version of the application server.

Value Type: String

Default: (none)

Command-Line Option: -appserver-version

com.fortify.sca.
JavaExtdirs
Specifies directories to include implicitly on the class path for WebLogic and WebSphere application servers.

Value Type: String

Default: (none)

Command-Line Option: -extdirs

com.fortify.sca.
JavaSourcepath
Specifies a colon- or semicolon-separated list of source file directories that are not included in the scan but are used for name resolution. The source path is similar to classpath, except it uses source files rather than class files for resolution.

Value Type: String (paths)

Default: (none)

Command-Line Option: -sourcepath

com.fortify.sca.
JavaSourcepathSearch
If set to true, Fortify Static Code Analyzer only translates source files that are referenced by the target file list. Otherwise, Fortify Static Code Analyzer translates all files included in the source path.

Value Type: Boolean

Default: true

com.fortify.sca.
DefaultJarsDirs
Specifies a semicolon- or colon-separated list of directories of commonly used JAR files. The JAR files located in these directories are appended to the end of the class path option (-cp).

Value Type: String

Default: (none)

com.fortify.sca.
jsp.UseSecurityManager
If set to true, the JSP parser uses the JSP security manager.

Value Type: Boolean

Default: true

com.fortify.sca.
jsp.DefaultEncoding
Specifies the encoding for JSPs.

Value Type: String (encoding)

Default: ISO-8859-1

com.fortify.sca.
DotnetVersion
Specifies the .NET framework version. See the Micro Focus Fortify Software System Requirements for a list of supported versions.

Value Type: String

Default: (the latest supported version)

Command-Line Option: -dotnet-version

com.fortify.sca.
DotnetCoreVersion
Specifies the .NET Core version.

Value Type: String

Default: (none)

Command-Line Option: -dotnet-core-version

com.fortify.sca.
DotnetStdVersion
Specifies the .NET Standard version.

Value Type: String

Default: (none)

Command-Line Option: -dotnet-std-version

com.fortify.sca.
DotnetLibdirs
Specifies the semicolon-delimited list of directories where third-party DLL files are located. Used for default .NET library files.

Value Type: String (path)

Default: (none)

Command-Line Option: -libdirs

com.fortify.sca.
DotnetLibdirsOnly
If set to true, disables use of the runtime .NET libraries corresponding to the target .NET Framework version and only uses the libraries referenced by the com.fortify.sca.DotnetLibdirs property or the -libdirs command-line option.

Value Type: Boolean

Default: false

Command-Line Option: -libdirs-only

com.fortify.sca.
NugetCacheDir
Overrides the default path to the NuGet cache directory.

Value Type: String (path)

Default: The .nuget/packages folder in the current user’s home directory (Windows environment variable: USERPROFILE)

Command-Line Option: -nuget-cache-dir

com.fortify.sca.
DotnetSharedFiles
Specifies a semicolon-separated list of the source files for all Shared Projects included in the project you are translating.

Value Type: String (files)

Default: (none)

Command-Line Option: -dotnet-shared-files

com.fortify.sca.
DotnetOutputDir
Specifies the output directory where the binary (EXE or DLL) built from the project is placed.

Value Type: String (path)

Default: (none)

Command-Line Option: -dotnet-output-dir

com.fortify.sca.
DotnetWebRoot
Specifies the root (home) directory of an ASP.NET project.

Value Type: String (path)

Default: (none)

Command-Line Option: -dotnetwebroot

com.fortify.sca.
WebSiteProject
If set to true, the project is of type WebSite.

Value Type: Boolean

Default: false

Command-Line Option: -dotnet-website

com.fortify.sca.
DotnetWebAppLibs
Specifies a semicolon-separated list of additional reference DLLs needed to translate ASP.NET pages.

Value Type: String (path)

Default: (none)

Command-Line Option: -dotnet-applibs

com.fortify.sca.
DotnetCodeBehind
Specifies a semicolon-separated list of source files that are bound to ASP.NET pages (referred to as code-behind files).

Value Type: String (path)

Default: (none)

Command-Line Option: -dotnet-codebehind

com.fortify.sca.
AspNetCore
If set to true, indicates a web project (ASP.NET or ASP.NET Core) that targets the .NET Core or .NET Standard framework.

Value Type: Boolean

Default: false

Command-Line Option: -aspnetcore

com.fortify.sca.
DotnetAssemblyName
Specifies the name of the target .NET assembly as specified in Visual Studio project settings.

Value Type: String

Default: (none)

Command-Line Option: -dotnet-assembly-name

com.fortify.sca.
DotnetAlias
Specifies a list of external aliases for a specified DLL file in the following format: <alias1>,<alias2>,..=<path_to_dll>. You can include multiple aliases as a semicolon-separated list of pairs.

Value Type: String

Default: (none)

Command-Line Option: -cs-extern-alias

com.fortify.sca.
DotnetPreprocessorSymbols
Specifies a semicolon-separated list of preprocessor symbols used in the source code.

Value Type: String

Default: (none)

Command-Line Option: -dotnet-preproc-symbols

com.fortify.sca.
VBCompileOptions
Specifies any special compilation options required for the correct translation of the source code, such as OptionStrict, OptionInfer, and OptionExplicit.

Value Type: String

Default: (none)

Command-Line Option: -vb-compile-options

com.fortify.sca.
VBGlobalImports
Specifies a semicolon-separated list of namespaces imported for all source files in the project.

Value Type: String

Default: (none)

Command-Line Option: -vb-imports

com.fortify.sca.
VBMyType
Specifies the value for the _MYTYPE preprocessor symbol that is specified in the <MyType> tag in the project settings. This is required if the source code to be translated uses the My namespace.

Value Type: String

Default: (none)

Command-Line Option: -vb-mytype

com.fortify.sca.
VBRootNamespace
Specifies the root namespace for the project as specified in Visual Studio project settings.

Value Type: String

Default: (none)

Command-Line Option: -vb-root

com.fortify.sca.
XamarinAndroidVersion
Specifies the target Android SDK version for Xamarin Android projects.

Value Type: String

Default: (the latest installed version)

Command-Line Option: -xamarin-android-version

com.fortify.sca.
XamariniOSVersion
Specifies the target iOS SDK version for Xamarin iOS projects.

Value Type: String

Default: (the latest installed version)

Command-Line Option: -xamarin-ios-version

WinForms.
TransformDataBindings

WinForms.
TransformMessageLoops

WinForms.
TransformChangeNotificationPattern

WinForms.
CollectionMutationMonitor.Label

WinForms.
ExtractEventHandlers

Sets various .NET WinForms options.

Value Type: Boolean and String

Defaults and Examples:

WinForms.TransformDataBindings=true

WinForms.TransformMessageLoops=true

WinForms.TransformChangeNotificationPattern=true

WinForms.CollectionMutationMonitor.Label=WinFormsDataSource

WinForms.ExtractEventHandlers=true

com.fortify.sca.
EnableDOMModeling
If set to true, Fortify Static Code Analyzer generates JavaScript code to model the DOM tree that an HTML file generates during the translation phase and identifies DOM-related issues (such as cross-site scripting issues). Enable this property if the code you are translating includes HTML files that have embedded or referenced JavaScript code.

Note: Enabling this property can increase the translation time.

Value Type: Boolean

Default: false

com.fortify.sca.
DOMModeling.tags
If you set the com.fortify.sca.EnableDOMModeling property to true, you can specify additional HTML tags for Fortify Static Code Analyzer to include in the DOM modeling.

Value Type: String (comma-separated HTML tag names)

Default: body, button, div, form, iframe, input, head, html, and p.

Example:
com.fortify.sca.DOMModeling.tags=ul,li

com.fortify.sca.
JavaScript.src.domain.
whitelist
Specifies trusted domain names from which Fortify Static Code Analyzer can download referenced JavaScript files for the scan. Delimit the URLs with vertical bars. Because downloaded scripts are translated as part of the project, list only origins you control and prefer https:// entries; a script fetched over plain HTTP can be altered in transit before it reaches the translator.

Value Type: String

Default: (none)

Example: com.fortify.sca.JavaScript.src.domain.whitelist=http://www.xyz.com|http://www.123.org

com.fortify.sca.
DisableJavascriptExtraction
If set to true, JavaScript code embedded in JSP, JSPX, PHP, and HTML files is not extracted and not scanned.

Value Type: Boolean

Default: false

com.fortify.sca.
skip.libraries.ES6

com.fortify.sca.
skip.libraries.jQuery

com.fortify.sca.
skip.libraries.javascript

com.fortify.sca.
skip.libraries.typescript

Specifies a list of comma- or colon-separated JavaScript technology library files that are not translated. You can use regular expressions in the file names. Note that the regular expression '(-\d\.\d\.\d)?' is automatically inserted before .min.js or .js for each file name included in the com.fortify.sca.skip.libraries.jQuery property value.

Value Type: String

Defaults:

· ES6: es6-shim.min.js,system-polyfills.js,shims_for_IE.js

· jQuery: jquery.js,jquery.min.js,jquery-migrate.js,jquery-migrate.min.js,jquery-ui.js,jquery-ui.min.js,jquery.mobile.js,jquery.mobile.min.js,jquery.color.js,jquery.color.min.js,jquery.color.svg-names.js,jquery.color.svg-names.min.js,jquery.color.plus-names.js,jquery.color.plus-names.min.js,jquery.tools.min.js

· javascript: bootstrap.js,bootstrap.min.js,typescript.js,typescriptServices.js

· typescript: typescript.d.ts,typescriptServices.d.ts
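To make the skip-library rule concrete, here is an added Python example (not Fortify code and not part of this documentation) that builds the documented patterns, inserting '(-\d\.\d\.\d)?' before the .min.js or .js suffix for jQuery entries only, and checks which library file names would be excluded from translation. It assumes each entry is matched as a whole-file-name regular expression, which the page does not spell out, and the defaults embedded below are a constructed, abbreviated excerpt of those listed above.

```python
import re
from typing import List, Optional

# Constructed excerpt of the documented defaults; the jQuery group is abbreviated.
SKIP_DEFAULTS = {
    "ES6": "es6-shim.min.js,system-polyfills.js,shims_for_IE.js",
    "jQuery": "jquery.js,jquery.min.js,jquery-migrate.js,jquery-migrate.min.js,"
              "jquery-ui.js,jquery-ui.min.js",
}

# Fragment the documentation says is inserted before ".min.js" or ".js",
# for entries of the jQuery property only.
VERSION_FRAGMENT = r"(-\d\.\d\.\d)?"


def split_entries(value: str) -> List[str]:
    """Split a comma- or colon-separated skip.libraries value into its entries."""
    return [e.strip() for e in re.split(r"[,:]", value) if e.strip()]


def entry_to_regex(entry: str, group: str) -> str:
    """Return the pattern an entry expands to. Entries are already regular
    expressions (per the documentation); jQuery entries additionally get the
    version fragment inserted before their .min.js or .js suffix."""
    if group != "jQuery":
        return entry
    for suffix in (".min.js", ".js"):
        if entry.endswith(suffix):
            return entry[: -len(suffix)] + VERSION_FRAGMENT + suffix
    return entry


def is_skipped(filename: str, group: str, value: Optional[str] = None) -> bool:
    """True if a library file name would be excluded from translation under the
    given skip.libraries group (assumption: whole-name regex match). Uses the
    documented defaults unless an explicit property value is passed."""
    entries = split_entries(SKIP_DEFAULTS[group] if value is None else value)
    return any(re.fullmatch(entry_to_regex(e, group), filename) for e in entries)


if __name__ == "__main__":
    samples = [("jquery-3.6.0.min.js", "jQuery"),
               ("jquery-3.10.1.min.js", "jQuery"),
               ("es6-shim-1.2.3.min.js", "ES6")]
    for name, group in samples:
        print(name, "skipped" if is_skipped(name, group) else "translated")
```

Because the documented fragment only accepts single-digit version components, a file such as jquery-3.10.1.min.js does not match the defaults under this model and would still be translated; versioned ES6 files are likewise not skipped, since the fragment is only added for the jQuery property.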

com.fortify.sca.follow.imports
If set to true, files included with an import statement are included in the JavaScript translation.

Value Type: Boolean

Default: true

com.fortify.sca.exclude.unimported.node.modules
If set to true, only imported node_modules are included in the JavaScript translation.

Value Type: Boolean

Default: true

com.fortify.sca.PHPVersion
Specifies the PHP version. For a list of valid versions, see the Micro Focus Fortify Software System Requirements.

Value Type: String

Default: 7.0

Command-Line Option: -php-version

com.fortify.sca.PHPSourceRoot
Specifies the PHP source root.

Value Type: Boolean

Default: (none)

Command-Line Option: -php-source-root

com.fortify.sca.PythonPath
Specifies a colon- or semicolon-separated list of additional import directories. Fortify Static Code Analyzer does not respect the PYTHONPATH environment variable that the Python runtime uses to find import files; use this property to specify the additional import directories.

Value Type: String (path)

Default: (none)

Command-Line Option: -python-path

com.fortify.sca.PythonVersion
Specifies the Python source code version you want to scan. The valid values are 2 and 3.

Value Type: Number

Default: 2

Command-Line Option: -python-version

com.fortify.sca.DjangoTemplateDirs
Specifies the path(s) to the Django templates. Fortify Static Code Analyzer does not use the TEMPLATE_DIRS setting from the Django settings.py file.

Value Type: String (paths)

Default: (none)

Command-Line Option: -django-template-dirs

com.fortify.sca.DjangoDisableAutodiscover
Specifies that Fortify Static Code Analyzer does not automatically discover Django templates.

Value Type: Boolean

Default: (none)

Command-Line Option: -django-disable-autodiscover

com.fortify.sca.PythonLegacy
Specifies to translate Python 2 code with the legacy Python translator. Only use this property if translation without it fails and Micro Focus Fortify Customer Support has recommended that you use it.

Value Type: Boolean

Default: false

Command-Line Option: -python-legacy

com.fortify.sca.RubyLibraryPaths
Specifies one or more paths to directories that contain Ruby libraries.

Value Type: String (path)

Default: (none)

Command-Line Option: -ruby-path

com.fortify.sca.RubyGemPaths
Specifies the path(s) to a RubyGems location. Set this value if the project has associated gems to scan.

Value Type: String (path)

Default: (none)

Command-Line Option: -rubygem-path

com.fortify.sca.FlexLibraries
Specifies a semicolon-separated list (Windows) or a colon-separated list (non-Windows systems) of libraries to “link” to. This list must include flex.swc, framework.swc, and playerglobal.swc (which are usually located in the frameworks/libs directory in your Flex SDK root). Use this property primarily to resolve ActionScript.

Value Type: String (path)

Default: (none)

Command-Line Option: -flex-libraries

com.fortify.sca.FlexSdkRoot
Specifies the root location of a valid Flex SDK. The folder must contain a frameworks folder that contains a flex-config.xml file. It must also contain a bin folder that contains an mxmlc executable.

Value Type: String (path)

Default: (none)

Command-Line Option: -flex-sdk-root

com.fortify.sca.FlexSourceRoots
Specifies any additional source directories for a Flex project. Separate the list of directories with semicolons (Windows) or colons (non-Windows systems).

Value Type: String (path)

Default: (none)

Command-Line Option: -flex-source-root

com.fortify.sca.AbapDebug
If set to true, Fortify Static Code Analyzer adds ABAP statements to debug messages.

Value Type: String (statement)

Default: (none)

com.fortify.sca.AbapIncludes
When Fortify Static Code Analyzer encounters an ABAP ‘INCLUDE’ directive, it looks in the named directory.

Value Type: String (path)

Default: (none)

com.fortify.sca.CobolFixedFormat
If set to true, specifies fixed-format COBOL, which directs Fortify Static Code Analyzer to look for source code only between columns 8-72 in every line of code.

Value Type: Boolean

Default: false

Command-Line Option: -fixed-format

com.fortify.sca.SqlLanguage
Sets the SQL language variant. The valid values are PLSQL (for Oracle PL/SQL) and TSQL (for Microsoft T-SQL).

Value Type: String (SQL language type)

Default: TSQL

Command-Line Option: -sql-language

com.fortify.sca.CfmlUndefinedVariablesAreTainted
If set to true, Fortify Static Code Analyzer treats undefined variables in CFML pages as tainted. This serves as a hint to the Dataflow Analyzer to watch out for register-globals-style vulnerabilities. However, enabling this property interferes with dataflow findings where a variable in an included page is initialized to a tainted value in an earlier-occurring included page.

Value Type: Boolean

Default: false

com.fortify.sca.CaseInsensitiveFiles
If set to true, makes CFML file names case-insensitive, for applications developed on a case-insensitive file system and scanned on a case-sensitive file system.

Value Type: Boolean

Default: (not enabled)

com.fortify.sca.SourceBaseDir
Specifies the base directory for ColdFusion projects.

Value Type: String (path)

Default: (none)

Command-Line Option: -source-base-dir

com.fortify.sca.FVDLDisableDescriptions
If set to true, excludes Fortify security content descriptions from the analysis results file (FVDL).

Value Type: Boolean

Default: false

Command-Line Option: -fvdl-no-descriptions

com.fortify.sca.FVDLDisableProgramData
If set to true, excludes the ProgramData section from the analysis results file (FVDL).

Value Type: Boolean

Default: false

Command-Line Option: -fvdl-no-progdata

com.fortify.sca.FVDLDisableEngineData
If set to true, excludes the engine data from the analysis results file (FVDL).

Value Type: Boolean

Default: false

Command-Line Option: -fvdl-no-enginedata

com.fortify.sca.FVDLDisableSnippets
If set to true, excludes code snippets from the analysis results file (FVDL).

Value Type: Boolean

Default: false

Command-Line Option: -fvdl-no-snippets

com.fortify.sca.FVDLDisableLabelEvidence
If set to true, excludes the label evidence from the analysis results file (FVDL).

Value Type: Boolean

Default: false

com.fortify.sca.FVDLStylesheet
Specifies the location of the style sheet for the analysis results.

Value Type: String (path)

Default: ${com.fortify.Core}/resources/sca/fvdl2html.xsl

com.fortify.sca.ResultsFile
The file to which results are written.

Value Type: String

Default: (none)

Command-Line Option: -f

Example: com.fortify.sca.ResultsFile=results.fpr

com.fortify.sca.OutputAppend
If set to true, Fortify Static Code Analyzer appends results to an existing results file.

Value Type: Boolean

Default: false

Command-Line Option: -append

com.fortify.sca.Renderer
Controls the output format. The valid values are fpr, fvdl, text, and auto. The default of auto selects the output format based on the file extension of the file provided with the -f option.

Value Type: String

Default: auto

Command-Line Option: -format

com.fortify.sca.ResultsAsAvailable
If set to true, Fortify Static Code Analyzer prints results as they become available. This is helpful if you do not specify the -f option (to specify an output file) and print to stdout.

Value Type: Boolean

Default: false

com.fortify.sca.BuildProject
Specifies a name for the scanned project. Fortify Static Code Analyzer does not use this name but includes it in the results.

Value Type: String

Default: (none)

Command-Line Option: -build-project

com.fortify.sca.BuildLabel
Specifies a label for the scanned project. Fortify Static Code Analyzer does not use this label but includes it in the results.

Value Type: String

Default: (none)

Command-Line Option: -build-label

com.fortify.sca.BuildVersion
Specifies a version number for the scanned project. Fortify Static Code Analyzer does not use this version number but it is included in the results.

Value Type: String

Default: (none)

Command-Line Option: -build-version

com.fortify.sca.MachineOutputMode
If set to true, outputs information in a format that scripts or Fortify Static Code Analyzer tools can consume rather than printing output interactively. Instead of updating a single line to display scan progress, each progress update is printed on a new line below the previous one on the console.

Value Type: Boolean

Default: (not enabled)

com.fortify.sca.SnippetContextLines
Sets the number of lines of code to display surrounding an issue. The two lines of code on each side of the line where the error occurs are always included. By default, five lines are displayed.

Value Type: Number

Default: 2

com.fortify.sca.MobileBuildSession
If set to true, Fortify Static Code Analyzer copies source files into the build session.

Value Type: Boolean

Default: false

com.fortify.sca.ExtractMobileInfo
If set to true, Fortify Static Code Analyzer extracts the build ID and the Fortify Static Code Analyzer version number from the mobile build session.

Note: Fortify Static Code Analyzer does not extract the mobile build with this property.

Value Type: Boolean

Default: false

com.fortify.sca.ClobberLogFile
If set to true, Fortify Static Code Analyzer overwrites the log file for each run of sourceanalyzer.

Value Type: Boolean

Default: false

Command-Line Option: -clobber-log

com.fortify.sca.LogFile
Specifies the default log file name and location.

Value Type: String (path)

Default: ${com.fortify.sca.ProjectRoot}/log/sca.log and ${com.fortify.sca.ProjectRoot}/log/sca_FortifySupport.log

Command-Line Option: -logfile

com.fortify.sca.LogLevel
Specifies the minimum log level for both log files. The valid values are: DEBUG, INFO, WARN, ERROR, and FATAL. For more information, see Accessing Log Files and Configuring Log Files.

Value Type: String

Default: INFO

com.fortify.sca.PrintPerformanceDataAfterScan
If set to true, Fortify Static Code Analyzer writes performance-related data to the Fortify Support log file after the scan is complete. This value is automatically set to true when in debug mode.

Value Type: Boolean

Default: false

com.fortify.sca.Debug
Includes debug information in the Fortify Support log file, which is only useful for Micro Focus Fortify Customer Support to help troubleshoot.

Value Type: Boolean

Default: false

Command-Line Option: -debug

com.fortify.sca.DebugVerbose
This is the same as the com.fortify.sca.Debug property, but it includes more details, specifically for parse errors.

Value Type: Boolean

Default: (not enabled)

Command-Line Option: -debug-verbose

com.fortify.sca.Verbose
If set to true, includes verbose messages in the Fortify Support log file.

Value Type: Boolean

Default: (not enabled)

Command-Line Option: -verbose

com.fortify.sca.DebugTrackMem
If set to true, enables additional debugging for performance information to be written to the Fortify Support log.

Value Type: Boolean

Default: (not enabled)

Command-Line Option: -debug-mem

com.fortify.sca.CollectPerformanceData
If set to true, enables additional timers to track performance.

Value Type: Boolean

Default: (not enabled)

com.fortify.sca.Quiet
If set to true, disables the command-line progress information.

Value Type: Boolean

Default: false

Command-Line Option: -quiet

com.fortify.sca.MonitorSca
If set to true, Fortify Static Code Analyzer monitors its memory use and warns when JVM garbage collection becomes excessive.

Value Type: Boolean

Default: true

com.fortify.sca.cpfe.command
Sets the location of the CPFE binary to use in the translation phase.

Value Type: String (path)

Default: ${com.fortify.Core}/private-bin/sca/cpfe48

com.fortify.sca.cpfe.441
If set to true, Fortify Static Code Analyzer uses CPFE version 4.4.1.

Value Type: Boolean

Default: false

com.fortify.sca.cpfe.441.command
Sets the location of the CPFE binary (version 4.4.1) to use in the translation phase.

Value Type: String (path)

Default: ${com.fortify.Core}/private-bin/sca/cpfe441.rfct

com.fortify.sca.cpfe.options
Adds options to the CPFE command line to use when translating C/C++ code.

Value Type: String

Default: --remove_unneeded_entities --suppress_vtbl -tused

com.fortify.sca.cpfe.file.option
Sets the name of the CPFE option that specifies the output (for example, NST) file name.

Value Type: String

Default: --gen_c_file_name

Example:
com.fortify.sca.cpfe.file.option=--gen_c_file_name

com.fortify.sca.cpfe.multibyte
If set to true, CPFE handles multibyte characters in the source code. This enables Fortify Static Code Analyzer to handle code with multibyte encoding, such as SJIS (Japanese).

Value Type: Boolean

Default: false

com.fortify.sca.cpfe.CaptureWarnings
If set to true, any CPFE warnings are included in the Fortify Static Code Analyzer log.

Value Type: Boolean

Default: false

com.fortify.sca.cpfe.FailOnError
If set to true, CPFE fails if there is an error.

Value Type: Boolean

Default: false

com.fortify.sca.cpfe.IgnoreFileOpenFailures
If set to true, any failure to open a source file (including headers) is considered a warning instead of an error.

Value Type: Boolean

Default: false

com.fortify.sca.ASPVirtualRoots.<virtual_path>
Specifies a semicolon-delimited list of full paths to the virtual roots used.

Value Type: String

Default: (none)

Example:
com.fortify.sca.ASPVirtualRoots.Library=c:\\WebServer\\CustomerTwo\\Stuff
com.fortify.sca.ASPVirtualRoots.Include=c:\\WebServer\\CustomerOne\\inc

com.fortify.sca.DisableASPExternalEntries
If set to true, disables ASP external entries in the analysis.

Value Type: Boolean

Default: false

fortify-sca-quickscan.properties

Fortify Static Code Analyzer offers a less-intensive scan known as a quick scan. This option scans the project in quick scan mode, using the property values in the fortify-sca-quickscan.properties file. By default, a quick scan searches for high-confidence, high-severity issues only.

Note: Properties in this file are only used if you specify the -quick option on the command line for your scan.

The table provides two sets of default values: the default value for quick scans and the default value for normal scans. If only one default value is shown, the value is the same for both normal scans and quick scans.

Property Name Description
com.fortify.sca.CtrlflowMaxFunctionTime
Sets the time limit (in milliseconds) for Control Flow analysis on a single function.

Value Type: Integer

Quick Scan Default: 30000

Default: 600000

com.fortify.sca.DisableAnalyzers
Specifies a comma- or colon-separated list of analyzers to disable during a scan. The valid values for this property are: buffer, content, configuration, controlflow, dataflow, findbugs, nullptr, semantic, and structural.

Value Type: String

Quick Scan Default: controlflow:buffer

Default: (none)

com.fortify.sca.FilterSet
Specifies the filter set to use. You can use this property with an issue template to filter at scan-time instead of post-scan. See com.fortify.sca.ProjectTemplate described in fortify-sca.properties to specify an issue template that contains the filter set to use.

When set to Quick View, this property runs rules that have a potentially high impact and a high likelihood of occurring and rules that have a potentially high impact and a low likelihood of occurring. Filtered issues are not written to the FPR and therefore this can reduce the size of an FPR. For more information about filter sets, see the Micro Focus Fortify Audit Workbench User Guide.

Value Type: String

Quick Scan Default: Quick View

Default: (none)

com.fortify.sca.FPRDisableMetatable
Disables the creation of the metatable, which includes information for the Function view in Micro Focus Fortify Audit Workbench. This metatable enables right-click on a variable in the source window to show the declaration. If C/C++ scans take an extremely long time, setting this property to true can potentially reduce the scan time by hours.

Value Type: Boolean

Quick Scan Default: true

Default: false

Command-Line Option: -disable-metatable

com.fortify.sca.FPRDisableSourceBundling
Disables source code inclusion in the FPR file. Prevents Fortify Static Code Analyzer from generating marked-up source code files during a scan. If you plan to upload FPR files that are generated as a result of a quick scan to Fortify Software Security Center, you must set this property to false.

Value Type: Boolean

Quick Scan Default: true

Default: false

Command-Line Option: -disable-source-bundling
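As an added example (not Fortify's own code), the following Python reads a constructed quick-scan properties file in the format described at the top of this page, expands ${...} references the way the LogFile default uses them (a simplified assumption about how such references resolve), and reports what a reviewer should check before a quick-scan FPR goes to Software Security Center: that source bundling is not disabled, and which analyzers were turned off for the scan.

```python
import re
from typing import Dict, List

# Constructed sample of a fortify-sca-quickscan.properties file, not the shipped one.
# A leading '#' marks a disabled property, as described in the properties file format.
SAMPLE_QUICKSCAN = """\
# default location for the log file
#com.fortify.sca.LogFile=${com.fortify.sca.ProjectRoot}/sca/log/sca.log
com.fortify.sca.ProjectRoot=/var/fortify
com.fortify.sca.LogFile=${com.fortify.sca.ProjectRoot}/log/sca.log
com.fortify.sca.DisableAnalyzers=controlflow:buffer
com.fortify.sca.FPRDisableSourceBundling=true
com.fortify.sca.FPRDisableMetatable=true
com.fortify.sca.FilterSet=Quick View
"""

_PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")


def parse_properties(text: str) -> Dict[str, str]:
    """Read name=value pairs; blank lines and '#' (disabled) lines are ignored."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep:
            props[name.strip()] = value.strip()
    return props


def resolve(props: Dict[str, str], name: str, depth: int = 0) -> str:
    """Expand ${other.property} references such as ${com.fortify.sca.ProjectRoot}.
    Simplified assumption: unknown references expand to '' and nesting stops at depth 8."""
    value = props.get(name, "")
    if depth >= 8:
        return value
    return _PLACEHOLDER.sub(lambda m: resolve(props, m.group(1), depth + 1), value)


def quickscan_upload_findings(props: Dict[str, str]) -> List[str]:
    """Flag quick-scan settings to check before the FPR is uploaded to Software
    Security Center: the documentation requires FPRDisableSourceBundling=false for
    upload, and any disabled analyzers mean those issue classes were never searched for."""
    findings: List[str] = []
    if props.get("com.fortify.sca.FPRDisableSourceBundling", "").lower() == "true":
        findings.append("FPRDisableSourceBundling=true: FPR cannot be uploaded to "
                        "Software Security Center; set it to false for this scan")
    raw = props.get("com.fortify.sca.DisableAnalyzers", "")
    disabled = [a for a in re.split(r"[,:]", raw) if a]
    if disabled:
        findings.append("analyzers disabled for this scan: " + ", ".join(disabled))
    return findings


if __name__ == "__main__":
    cfg = parse_properties(SAMPLE_QUICKSCAN)
    print("log file:", resolve(cfg, "com.fortify.sca.LogFile"))
    for finding in quickscan_upload_findings(cfg):
        print("finding:", finding)
```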

com.fortify.sca.NullPtrMaxFunctionTime
Sets the time limit (in milliseconds) for Null Pointer analysis for a single function. The standard default is five minutes. If this value is set to a shorter limit, the overall scan time decreases.

Value Type: Integer

Quick Scan Default: 10000

Default: 300000

com.fortify.sca.TrackPaths
Disables path tracking for Control Flow analysis. Path tracking provides more detailed reporting for issues, but requires more scan time. To disable it for JSP only, set this property to NoJSP. Specify None to disable path tracking for all functions.

Value Type: String

Quick Scan Default: (none)

Default: NoJSP

com.fortify.sca.limiters.ConstraintPredicateSize
Specifies the size limit for complex calculations in the Buffer Analyzer. Skips calculations that are larger than the specified size value in the Buffer Analyzer to improve scan time.

Value Type: Integer

Quick Scan Default: 10000

Default: 500000

com.fortify.sca.limiters.MaxChainDepth
Controls the maximum call depth through which the Dataflow Analyzer tracks tainted data. Increase this value to increase the coverage of dataflow analysis, which results in longer scan times.

Note: Call depth refers to the maximum call depth on a dataflow path between a taint source and sink, rather than call depth from the program entry point, such as main().

Value Type: Integer

Quick Scan Default: 3

Default: 5

com.fortify.sca.limiters.MaxFunctionVisits
Sets the number of times the taint propagation analyzer visits functions.

Value Type: Integer

Quick Scan Default: 5

Default: 50

com.fortify.sca.limiters.MaxPaths
Controls the maximum number of paths to report for a single dataflow vulnerability. Changing this value does not change the results that are found, only the number of dataflow paths displayed for an individual result.

Note: Fortify does not recommend setting this property to a value larger than 5 because it might increase the scan time.

Value Type: Integer

Quick Scan Default: 1

Default: 5

com.fortify.sca.limiters.MaxTaintDefForVar
Sets a complexity limit for the Dataflow Analyzer. Dataflow incrementally decreases precision of analysis on functions that exceed this complexity metric for a given precision level.

Value Type: Integer

Quick Scan Default: 250

Default: 1000

com.fortify.sca.limiters.MaxTaintDefForVarAbort
Sets a hard limit for function complexity. If complexity of a function exceeds this limit at the lowest precision level, the analyzer skips analysis of the function.

Value Type: Integer

Quick Scan Default: 500

Default: 4000