Micro Focus Fortify Static Code Analyzer User Guide

Micro Focus Fortify Static Code Analyzer
Software Version: 19.2.0
User Guide
Document Release Date: November 2019
Software Release Date: November 2019

Legal Notices

Micro Focus
The Lawn
22-30 Old Bath Road
Newbury, Berkshire RG14 1QN
UK
https://www.microfocus.com

Warranty

The only warranties for products and services of Micro Focus and its affiliates and licensors (“Micro Focus”) are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.

Restricted Rights Legend

Confidential computer software. Except as specifically indicated otherwise, a valid license from Micro Focus is required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.

Copyright Notice

© Copyright 2003 - 2019 Micro Focus or one of its affiliates

Trademark Notices

Adobe™ is a trademark of Adobe Systems Incorporated.
Microsoft® and Windows® are U.S. registered trademarks of Microsoft Corporation.
UNIX® is a registered trademark of The Open Group.

Documentation Updates

The title page of this document contains the following identifying information:

  • Software Version number
  • Document Release Date, which changes each time the document is updated
  • Software Release Date, which indicates the release date of this version of the software

This document was produced on November 06, 2019.

To check for recent updates or to verify that you are using the most recent edition of a document, go to: https://www.microfocus.com/support-and-services/documentation

Micro Focus Fortify Static Code Analyzer (19.2.0) Page 2 of 202

Contents

Preface
  • Contacting Micro Focus Fortify Customer Support
  • For More Information
  • About the Documentation Set
  • Change Log

Chapter 1: Introduction
  • Fortify Static Code Analyzer
  • Fortify CloudScan
  • Fortify Scan Wizard
  • Fortify Software Security Content
  • About the Analyzers
  • Related Documents
  • All Products
  • Micro Focus Fortify CloudScan
  • Micro Focus Fortify Software Security Center
  • Micro Focus Fortify Static Code Analyzer

Chapter 2: Installing Fortify Static Code Analyzer
  • Fortify Static Code Analyzer Component Applications
  • About Downloading the Software
  • About Installing Fortify Static Code Analyzer and Applications
  • Installing Fortify Static Code Analyzer and Applications
  • Installing Fortify Static Code Analyzer and Applications Silently (Unattended)
  • Installing Fortify Static Code Analyzer and Applications in Text-Based Mode on Non-Windows Platforms
  • Manually Installing Fortify Security Content
  • About Upgrading Fortify Static Code Analyzer and Applications
  • Notes About Upgrading the Fortify Extension for Visual Studio
  • About Uninstalling Fortify Static Code Analyzer and Applications
  • Uninstalling Fortify Static Code Analyzer and Applications
  • Uninstalling Fortify Static Code Analyzer and Applications Silently
  • Uninstalling Fortify Static Code Analyzer and Applications in Text-Based Mode on Non-Windows Platforms
  • Post-Installation Tasks
  • Running the Post-Install Tool
  • Migrating Properties Files
  • Specifying a Locale
  • Configuring for Security Content Updates
  • Configuring the Connection to Fortify Software Security Center
  • Removing Proxy Server Settings
  • Registering ASP.NET Applications

Chapter 3: Analysis Process Overview
  • Analysis Process
  • Parallel Processing
  • Translation Phase
  • Mobile Build Sessions
  • Mobile Build Session Version Compatibility
  • Creating a Mobile Build Session
  • Importing a Mobile Build Session
  • Analysis Phase
  • Higher-Order Analysis
  • Modular Analysis
  • Modular Command-Line Examples
  • Translation and Analysis Phase Verification

Chapter 4: Translating Java Code
  • Java Command-Line Syntax
  • Java Command-Line Options
  • Java Command-Line Examples
  • Handling Resolution Warnings
  • Java Warnings
  • Using FindBugs
  • Translating Java EE Applications
  • Translating the Java Files
  • Translating JSP Projects, Configuration Files, and Deployment Descriptors
  • Java EE Translation Warnings
  • Translating Java Bytecode
  • Troubleshooting JSP Translation Issues

Chapter 5: Translating .NET Code
  • About Translating .NET Code
  • .NET Command-Line Syntax
  • Handling Translation Errors
  • .NET Translation Errors
  • ASP.NET Errors

Chapter 6: Translating C and C++ Code
  • C and C++ Code Translation Prerequisites
  • C and C++ Command-Line Syntax
  • Options for Code in Visual Studio Solution or MSBuild Project
  • Scanning Pre-processed C and C++ Code

Chapter 7: Translating JavaScript and TypeScript
  • Translating Pure JavaScript Projects
  • Excluding Dependencies
  • Excluding NPM Dependencies
  • Translating JavaScript Projects with HTML Files
  • Including External JavaScript or HTML in the Translation

Chapter 8: Translating Python Code
  • Python Translation Command-Line Syntax
  • Including Import Files
  • Including Namespace Packages
  • Using the Django Framework with Python
  • Python Command-Line Options
  • Python Command-Line Examples

Chapter 9: Translating Code for Mobile Platforms
  • Translating Apple iOS Projects
  • iOS Project Translation Prerequisites
  • iOS Code Analysis Command-Line Syntax
  • Translating Android Projects
  • Android Project Translation Prerequisites
  • Android Code Analysis Command-Line Syntax
  • Filtering Issues Detected in Android Layout Files

Chapter 10: Translating Ruby Code
  • Ruby Command-Line Syntax
  • Ruby Command-Line Options
  • Adding Libraries
  • Adding Gem Paths

Chapter 11: Translating Go Code
  • Go Command-Line Options

Chapter 12: Translating Apex and Visualforce Code
  • Apex Translation Prerequisites
  • Apex and Visualforce Command-Line Syntax
  • Apex and Visualforce Command-Line Options
  • Downloading Customized Salesforce Database Structure Information

Chapter 13: Translating COBOL Code
  • Preparing COBOL Source Files for Translation
  • COBOL Command-Line Syntax
  • COBOL Command-Line Options

Chapter 14: Translating Other Languages
  • Translating PHP Code
  • PHP Command-Line Options

Chapter 14: Translating Go Code
  • Go Command-Line Options
  • Translating ABAP Code
  • INCLUDE Processing
  • Importing the Transport Request
  • Adding Fortify Static Code Analyzer to Your Favorites List
  • Running the Fortify ABAP Extractor
  • Uninstalling the Fortify ABAP Extractor
  • Translating Flex and ActionScript
  • Flex and ActionScript Command-Line Options
  • ActionScript Command-Line Examples
  • Handling Resolution Warnings
  • ActionScript Warnings
  • Translating ColdFusion Code
  • ColdFusion Command-Line Syntax
  • ColdFusion Command-Line Options
  • Translating SQL
  • PL/SQL Command-Line Example
  • T-SQL Command-Line Example
  • Translating Scala Code
  • Translating ASP/VBScript Virtual Roots
  • Classic ASP Command-Line Example
  • VBScript Command-Line Example

Chapter 15: Integrating into a Build
  • Build Integration
  • Make Example
  • Devenv Example
  • Modifying a Build Script to Invoke Fortify Static Code Analyzer
  • Touchless Build Integration
  • Ant Integration
  • Gradle Integration
  • Maven Integration
  • Installing and Updating the Fortify Maven Plugin
  • Testing the Fortify Maven Plugin Installation
  • Using the Fortify Maven Plugin
  • MSBuild Integration
  • Using MSBuild Integration
  • Using the Touchless MSBuild Integration

Chapter 16: Command-Line Interface
  • Translation Options
  • Analysis Options
  • Output Options
  • Other Options
  • Directives
  • Specifying Files

Chapter 17: Command-Line Utilities
  • Fortify Static Code Analyzer Utilities
  • About Updating Security Content
  • Updating Security Content
  • fortifyupdate Command-Line Options
  • Working with FPR Files from the Command Line
  • Merging FPR Files
  • Displaying Analysis Results Information from an FPR File
  • Extracting a Source Archive from an FPR File
  • Allocating More Memory for FPRUtility
  • Generating Reports from the Command Line
  • Generating a BIRT Report
  • Generating a Legacy Report
  • Checking the Fortify Static Code Analyzer Scan Status
  • SCAState Utility Command-Line Options

Chapter 18: Improving Performance
  • Hardware Considerations
  • Sample Scans
  • Tuning Options
  • Breaking Down Codebases
  • Quick Scan
  • Limiters
  • Using Quick Scan and Full Scan
  • Limiting Analyzers and Languages
  • Disabling Analyzers
  • Disabling Languages
  • Optimizing FPR Files
  • Filter Files
  • Excluding Issues from the FPR with Filter Sets
  • Excluding Source Code from the FPR
  • Reducing the FPR File Size
  • Opening Large FPR Files
  • Monitoring Long Running Scans
  • Using the SCAState Utility
  • Using JMX Tools
  • Using JConsole
  • Using Java VisualVM

Chapter 19: Troubleshooting
  • Exit Codes
  • Translation Failed Message
  • Memory
