Package command

Use the package command to create a ZIP archive (project package) of your project. You can either:

  • Upload this project package to the Controller with the OpenText ScanCentral SAST start command

  • Run an analysis with a locally installed OpenText SAST using the PackageScanner tool

  • Upload this project package to OpenText Core Application Security for analysis

To avoid a packaging failure for projects whose file paths contain an umlaut, you must first add the com.fortify.sca.CmdlineOptionsFileEncoding property to the <sast_install_dir>/Core/config/fortify-sca.properties file and set it to an encoding other than ASCII.

Package command option / Description

-bt,
--build-tool <name>

Specifies the name of the build tool used for the project. The valid values for <name> are dotnet, gradle, msbuild (Windows only), mvn, and none.

If not specified, OpenText ScanCentral SAST automatically detects the build tool based on the project files being scanned.

-bc,
--build-command <commands>

(For use with Maven, Gradle, dotnet, and MSBuild) Specifies custom build parameters for preparing and building the project. The following example build command starts a Gradle build before packaging:

-Prelease=true clean customTask build

If you use the -bc option, and the build fails, OpenText ScanCentral SAST stops working on the build.

(Gradle only) If you do not use -bc, the default command, default tasks, and target are invoked. If the build fails, OpenText ScanCentral SAST displays a warning, but continues to work and then displays a message to indicate that the build procedure failed and you might get incomplete results.

-bf,
--build-file <file>

Specifies the build file if you are not using a default name such as build.gradle or pom.xml.

-q,
--quiet

Prevents the printing of stdout from the build execution.

-skipBuild

Disables the project preparation build step if your projects use Gradle or Maven before packaging. If you use this option, any -bc option specified is ignored. If your project does not use a build tool, you can use this option to prevent OpenText ScanCentral SAST from automatically restoring dependencies using a package manager (for languages such as Go, JavaScript/TypeScript, PHP, and Python).

-t,
--include-test

Includes the test source set (Gradle), the test scope (Maven), or projects in your solution that reference NUnit, xunit, or MSTest (.NET).

-exclude <file_paths>

Specifies files or directories (with absolute or relative path, or Ant-style path pattern) to exclude from a project package (repeatable). Separate multiple file paths with semicolons (Windows) or colons (Linux).

For example, you might use this option to exclude a few test files from the project package.

-include <file_paths>

Specifies files or directories (with absolute or relative path, or Ant-style path pattern) to include in a project package (repeatable). Only file paths for files within the current working directory are included. Separate multiple file paths with semicolons (Windows) or colons (Linux).

For example, you might use this option if you have only a few files you want to include in the project package. You can combine this option with the -exclude option to exclude specific files from the included path. For example commands, see Generating an OpenText ScanCentral SAST package.

-hv,
--php-version <version>

Specifies the PHP version. If not specified, OpenText ScanCentral SAST automatically detects the installed PHP version.

-oss,
--open-source-scan

(For use with OpenText Core Application Security only) Specifies to generate and collect additional files for open source software composition analysis. For details, see the OpenText™ Core Application Security User Guide.

-sdu,
--skip-debricked-update

(For use with OpenText Core Application Security only) Specifies not to check for an updated version of the Debricked CLI. If this option is specified and no Debricked CLI is currently installed, then OpenText ScanCentral SAST generates and collects the additional files for open source software composition analysis without the Debricked CLI.

You must also specify the -oss option to use this feature.

-pyr,
--python-requirements <file>

Specifies the Python project requirements file to install and collect dependencies.

-pyv,
--python-virtual-env <dir>

Specifies the Python virtual environment location.

-yv,
--python-version <version>

Specifies the Python version to automatically find the installed Python. The valid values are 2 and 3. This option is ignored if the OpenText ScanCentral SAST client is started under a Python virtual environment or if -python-virtual-env is specified.

-targs,
--translation-args <option>

Specifies an OpenText SAST translation option (repeatable).

For multiple translation options, use multiple -targs options. If the translation option has a path parameter that includes a space, enclose the path in single quotes.

For a list of OpenText SAST options you can use with the -targs option, see Options accepted for -targs (--translation-args).

-o,
--output <file>

Specifies the output file name. The file extension must be *.zip. If not specified, OpenText ScanCentral SAST writes the project package to a ZIP archive with the name fortifypackage.zip.

-dnr,
--debricked-no-resolve

Disables the Debricked resolve command that is automatically executed when the OpenText ScanCentral SAST client package command is run with the -oss option. Use this option if you want to prepare the Debricked files manually using the Debricked CLI directly, and to ensure that the OpenText ScanCentral SAST client does not overwrite these prepared files.
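As an added example that is not part of the OpenText documentation, the following POSIX shell script assembles a package command for a Gradle project from the options above, applying the platform-specific -exclude path separator and the .zip requirement for -o; it prints the command rather than invoking the client. The scancentral executable name is the client's command-line entry point, and the paths and Gradle task names are constructed samples.

```shell
#!/bin/sh
# Added example, not from the OpenText documentation. Assembles a
# `scancentral package` command line for a Gradle project and prints it
# (it does not invoke the client). Paths and task names are constructed.

# -exclude/-include lists are separated by ';' on Windows and ':' on Linux.
path_sep() {
    case "$(uname -s 2>/dev/null)" in
        CYGWIN*|MINGW*|MSYS*) echo ';' ;;
        *) echo ':' ;;
    esac
}

# join_paths SEP PATH... : join the given paths with the given separator.
join_paths() {
    sep="$1"; shift
    out=""
    for p in "$@"; do
        if [ -z "$out" ]; then out="$p"; else out="$out$sep$p"; fi
    done
    printf '%s' "$out"
}

# build_package_cmd OUTPUT_ZIP : print the full command line, or fail if
# the output name does not end in .zip (the -o option requires that extension).
build_package_cmd() {
    out="$1"
    case "$out" in
        *.zip) ;;
        *) echo "output file must use the .zip extension: $out" >&2; return 1 ;;
    esac
    # Exclude test sources and build output (Ant-style patterns).
    excludes=$(join_paths "$(path_sep)" 'src/test/**' 'build/**')
    # -bc runs the Gradle build before packaging; if that build fails, packaging stops.
    printf "scancentral package -bt gradle -bc '-Prelease=true clean customTask build' -exclude '%s' -o '%s'\n" \
        "$excludes" "$out"
}

# Print the assembled command when the script is run directly.
build_package_cmd fortifypackage.zip
```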

See also

Generating a ScanCentral SAST Package

Using the PackageScanner tool