Fortify Static Code Analyzer – Improving Performance – Limiting Analyzers and Languages

Occasionally, you might find that a significant amount of the scan time is spent either running one particular analyzer or analyzing a particular language. It is possible that this particular analyzer or language is not important to your security requirements. You can limit the specific analyzers that run and the specific languages that Fortify Static Code Analyzer translates.

Disabling Analyzers

To restrict which analyzers run, pass the -analyzers option to Fortify Static Code Analyzer at scan time with a colon- or comma-separated list of the analyzers you want to enable; any analyzer not in the list is skipped. The full list of analyzers is: buffer, content, configuration, controlflow, dataflow, findbugs, nullptr, semantic, and structural.

For example, to run a scan that only includes the Dataflow, Control Flow, and Buffer analyzers, use the following scan command:

sourceanalyzer -b <build_id> -analyzers dataflow:controlflow:buffer -scan -f myResults.fpr

You can also do the same thing by setting com.fortify.sca.DefaultAnalyzers in the Fortify Static Code Analyzer properties file <sca_install_dir>/Core/config/fortify-sca.properties. For example, to achieve the equivalent of the previous scan command, set the following in the properties file:

com.fortify.sca.DefaultAnalyzers=dataflow:controlflow:buffer

Disabling Languages

To disable specific languages, include the -disable-language option in the translation phase, which specifies a list of languages that you want to exclude. The full list of valid language parameters is:

abap, actionscript, apex, cfml, cpp, cobol, configuration, dotnet, java, javascript, jsp, objc, php, plsql, python, ruby, scala, sql, swift, tsql, typescript, vb

For example, to perform a translation that excludes SQL and PHP files, use the following command:

sourceanalyzer -b <build_id> <src_files> -disable-language sql:php

You can also disable languages by setting the com.fortify.sca.DISabledLanguages property in the Fortify Static Code Analyzer properties file <sca_install_dir>/Core/config/fortify-sca.properties. For example, to achieve the equivalent of the previous translation command, set the following in the properties file:

com.fortify.sca.DISabledLanguages=sql:php
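As an added example (not from the Fortify documentation), the following POSIX shell script covers both sections above: it checks an analyzer or language list against the names listed on this page before anything reaches sourceanalyzer, then writes the matching property into a fortify-sca.properties file without leaving a second, conflicting definition behind. The sample properties file is constructed here; the real file lives at the <sca_install_dir>/Core/config path given above.

```shell
#!/bin/sh
# Added example, not part of the Fortify documentation: validate analyzer and
# language lists against the names given above, then write the corresponding
# property into a fortify-sca.properties file without duplicating the key.
VALID_ANALYZERS="buffer content configuration controlflow dataflow findbugs nullptr semantic structural"
VALID_LANGUAGES="abap actionscript apex cfml cpp cobol configuration dotnet java javascript jsp objc php plsql python ruby scala sql swift tsql typescript vb"

# validate_names LIST VALID: return 0 when every entry of the colon- or
# comma-separated LIST appears in the space-separated VALID set, 1 otherwise.
# A misspelt analyzer name would otherwise go straight to sourceanalyzer.
validate_names() {
    _names=$(printf '%s' "$1" | tr ',:' '  ')
    [ -n "$_names" ] || return 1
    for _n in $_names; do
        case " $2 " in
            *" $_n "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# set_property FILE KEY VALUE: replace an existing KEY= line or append one,
# so repeated runs never leave two conflicting definitions in the file.
set_property() {
    _re=$(printf '%s' "$2" | sed 's/\./\\./g')
    [ -f "$1" ] || : > "$1"
    if grep -q "^$_re=" "$1"; then
        sed -i.bak "s|^$_re=.*|$2=$3|" "$1" && rm -f "$1.bak"
    else
        printf '%s=%s\n' "$2" "$3" >> "$1"
    fi
}

# Demo on a constructed properties file that already carries a broader
# analyzer setting; a real install uses the fortify-sca.properties path above.
PROPS=$(mktemp)
printf 'com.fortify.sca.DefaultAnalyzers=dataflow:controlflow:buffer:semantic\n' > "$PROPS"
if validate_names "dataflow:controlflow:buffer" "$VALID_ANALYZERS"; then
    set_property "$PROPS" com.fortify.sca.DefaultAnalyzers dataflow:controlflow:buffer
fi
if validate_names "sql:php" "$VALID_LANGUAGES"; then
    set_property "$PROPS" com.fortify.sca.DISabledLanguages sql:php
fi
cat "$PROPS"
rm -f "$PROPS"
```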
