Fortify Static Code Analyzer – Troubleshooting Scanning Complex Functions

During a Fortify Static Code Analyzer scan, the Dataflow Analyzer might encounter a function for which it cannot complete the analysis and reports the following message:

Function <name> is too complex for <analyzer> analysis and will be skipped (<identifier>)

where:

· <name> is the name of the source code function

· <analyzer> is the name of the analyzer

· <identifier> is the type of complexity, which is one of the following:

o l: Too many distinct locations

o m: Out of memory

· s: Stack size too small

· t: Analysis taking too much time

· v: Function visits exceed the limit

The depth of analysis Fortify Static Code Analyzer performs sometimes depends on the available resources. Fortify Static Code Analyzer uses a complexity metric to tradeoff these resources against the number of vulnerabilities that it can find. Sometimes, this means giving up on a particular function when Fortify Static Code Analyzer does not have enough resources available. This is normally when you see the “Function too complex” messages.

When you see this message, it does not necessarily mean that Fortify Static Code Analyzer completely ignored the function in the program. For example, the Dataflow Analyzer typically visits a function many times before completing the analysis, and might not have run into this complexity limit in the previous visits. In this case, the results include anything learned from the previous visits.

You can control the “give up” point using Fortify Static Code Analyzer properties called limiters. Different analyzers have different limiters.

Dataflow Analyzer Limiters

There are three types of complexity identifiers for the Dataflow Analyzer:

· l: Too many distinct locations

· m: Out of memory

· s: Stack size too small

· v: Function visits exceed the limit

To resolve the issue identified by s, increase the stack size for by setting ‑Xss to a value greater than 16 MB.

To resolve the complexity identifier of m, increase the physical memory for Fortify Static Code Analyzer.

To resolve the complexity identifier of l, you can adjust the following limiters in the Fortify Static Code Analyzer property file <sca_install_dir>/Core/config/fortify-sca.properties or on the command line.

Property Name Default Value
com.fortify.sca.
limiters.MaxTaintDefForVar
1000
com.fortify.sca.
limiters.MaxTaintDefForVarAbort
4000
com.fortify.sca.
limiters.MaxFieldDepth
4

The MaxTaintDefForVar limiter is a dimensionless value expressing the complexity of a function, while MaxTaintDefForVarAbort is the upper bound for it. Use the MaxFieldDepth limiter to measure the precision when the Dataflow Analyzer analyzes any given object. Fortify Static Code Analyzer always tries to analyze objects at the highest precision possible.

If a given function exceeds the MaxTaintDefForVar limit at a given level of precision, the Dataflow Analyzer analyzes that function with a lower level of precision (by reducing the MaxFieldDepth limiter). When you reduce the precision, it reduces the complexity of the analysis. When the precision cannot be reduced any further, Fortify Static Code Analyzer then proceeds with analysis at the lowest precision level until either it finishes, or the complexity exceeds the MaxTaintDefForVarAbort limiter. In other words, Fortify Static Code Analyzer tries harder at the lowest precision level than at higher precision levels, to get at least some results from the function. If Fortify Static Code Analyzer reaches the MaxTaintDefForVarAbort limiter, it gives up on the function entirely and you get the “Function too complex” warning.

To resolve the complexity identifier of v, you can adjust the property com.fortify.sca.limiters.MaxFunctionVisits. This property sets the maximum number of times the taint propagation analyzer visits functions. The default is 50.

Control Flow and Null Pointer Analyzer Limiters

There are two types of complexity identifiers for both Control Flow and Null Pointer analyzers:

· m: Out of memory

· t: Analysis taking too much time

Due to the way that the Dataflow Analyzer handles function complexity, it does not take an indefinite amount of time. Control Flow and Null Pointer analyzers, however, can take a very long time when analyzing very complex functions. Therefore, Fortify Static Code Analyzer provides a way to abort the analysis when this happens, and then you get the “Function too complex” message with a complexity identifier of t.

To change the maximum amount of time these analyzers spend analyzing functions, you can adjust the following property values in the Fortify Static Code Analyzer property file <sca_install_dir>/Core/config/fortify-sca.properties or on the command line.

Property Name Description Default Value
com.fortify.sca.
CtrlflowMaxFunctionTime
Sets the time limit (in milliseconds) for Control Flow analysis on a single function. 600000 (10 minutes)
com.fortify.sca.
NullPtrMaxFunctionTime
Sets the time limit (in milliseconds) for Null Pointer analysis on a single function. 300000 (5 minutes)

To resolve the complexity identifier of m, increase the physical memory for Fortify Static Code Analyzer.

Note: If you increase these limiters or time settings, it makes the analysis of complex functions take longer. It is difficult to characterize the exact performance implications of a particular value for the limiters/time, because it depends on the specific function in question. If you never want to see the “Function too complex” warning, you can set the limiters/time to an extremely high value, however it can cause unacceptable scan time.

Leave a Comment