Fortify Static Code Analyzer – Incremental Analysis

With Micro Focus Fortify Static Code Analyzer incremental analysis, you can run a full analysis on a project, and then run subsequent incremental scans to analyze only the code that changed since the initial full scan. This reduces the scan time for subsequent incremental scans on the project.

Incremental analysis supports the Configuration and the Semantic analyzers. You can run incremental analysis on projects written in the following languages: Java, C/C++, C#, and Visual Basic.

When you use Fortify Static Code Analyzer incremental analysis, consider the following:

· You must use the same build ID that you used in the initial complete analysis in all subsequent incremental scans.

· When you specify the same FPR file name for the initial complete scan and the subsequent scans, all issues are automatically merged with the previous scan.

When Fortify Static Code Analyzer merges the issue results, issues fixed in prior incremental scans are shown as removed, existing issues are shown as updated, and any new issues are shown as new. If the results are not merged, all the issues found in the subsequent scan are shown as new and there is no record of previously fixed issues or existing issues.

To use incremental analysis, translate the code, and then run the initial full scan with the -incremental-base option. For example:

sourceanalyzer -b <build_id> ...
sourceanalyzer -b <build_id> -scan -incremental-base -f <results>.fpr

After you modify the project source code, translate the entire project, and then run any subsequent scans with the -incremental option. Specify the same <build_id> that you specified in the initial full scan. For example:

sourceanalyzer -b <build_id> ...
sourceanalyzer -b <build_id> -scan -incremental -f <results>.fpr
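
The following wrapper is an added example, not part of the Fortify documentation. It chooses between -incremental-base and -incremental for a CI job, and refuses an incremental scan whose build ID differs from the one used for the full scan. The state file and the fortify_* function names are assumptions; the translation arguments are passed through from the caller.

```sh
#!/bin/sh
# Added example, not from the Fortify documentation. STATE_FILE and the
# fortify_* function names are assumptions made for this sketch.
STATE_FILE="${STATE_FILE:-.fortify-incremental-baseline}"

# Print the scan option for this run: -incremental-base when no baseline has
# been recorded, -incremental otherwise.  $1 = build ID, $2 = FPR file.
fortify_scan_mode() {
    if [ ! -f "$STATE_FILE" ]; then
        echo "-incremental-base"
        return 0
    fi
    base_id=$(sed -n 1p "$STATE_FILE")    # line 1: baseline build ID
    base_fpr=$(sed -n 2p "$STATE_FILE")   # line 2: baseline FPR file name
    if [ "$1" != "$base_id" ]; then
        echo "error: build ID '$1' is not the baseline build ID '$base_id'" >&2
        return 1
    fi
    if [ "$2" != "$base_fpr" ]; then
        echo "warning: FPR '$2' differs from '$base_fpr'; issues will not be merged" >&2
    fi
    echo "-incremental"
}

# Remember which build ID and FPR file the full scan used.
fortify_record_baseline() {
    printf '%s\n%s\n' "$1" "$2" > "$STATE_FILE"
}

# Usage: fortify_run <build_id> <results.fpr> <translation arguments...>
fortify_run() {
    build_id=$1; fpr=$2; shift 2
    mode=$(fortify_scan_mode "$build_id" "$fpr") || return 1
    # Translate the entire project; the caller supplies the arguments.
    sourceanalyzer -b "$build_id" "$@" || return 1
    sourceanalyzer -b "$build_id" -scan "$mode" -f "$fpr" || return 1
    if [ "$mode" = "-incremental-base" ]; then
        fortify_record_baseline "$build_id" "$fpr"
    fi
}

if [ "$#" -ge 2 ]; then
    fortify_run "$@"
fi
```

Delete the state file to force a new full scan with -incremental-base.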