Using the PackageScanner tool

If you have OpenText SAST locally installed, you can run an analysis of a project package without sending it to the Controller. The PackageScanner tool takes a project package created by the OpenText ScanCentral SAST client package command, generates OpenText SAST commands, and then translates and scans it using a locally installed OpenText SAST.

You can also use the PackageScanner tool to perform only a translation on the project package and then submit the project package to the Controller for analysis.

You can find the PackageScanner tool in the <sast_install_dir>/bin/ directory. To configure the location of the PackageScanner log, use the SCANNER_LOG environment variable. For example, export SCANNER_LOG=/mylogs/packagescanner.

The default log location for PackageScanner is:

  • Windows: <user_app_data>\Local\Fortify\packagescanner-<version>\log
  • Linux: <user_home>/.fortify/packagescanner-<version>/log

You can set Java system properties for the PackageScanner tool to use by adding them to the SCANCENTRAL_VM_OPTS environment variable. For example, to specify a temp directory that has a short path in Windows, type:

set SCANCENTRAL_VM_OPTS=-Djava.io.tmpdir=C:\mytemp

The following table describes the PackageScanner tool command-line options.

PackageScanner option / Description

-f,
--fpr <file>.fpr

(Optional) Specifies the FPR file to which scan results are written. This option is required unless you include the --no-scan option to perform only the translation of the project package.

-p,
--package <package_name>.zip

(Required) Specifies the path to the project package file generated by the OpenText ScanCentral SAST client with the package command.

-b,
--build-id <id>

(Optional) Specifies the build ID. OpenText SAST uses the build ID to track which files are compiled and combined as part of a build, and later, to scan those files. If you do not specify a build ID, PackageScanner automatically generates one.

This option is required if you are including the --no-scan option so that you can perform the scan later with OpenText SAST after the translation phase is complete.

-noscan,
--no-scan

(Required to skip the scan phase) Specifies that PackageScanner only translates the project package; no scan phase is performed. Include the build ID (--build-id option) with this option. Use this option if you plan to perform the scan phase as a separate step.

-sca,
--sca-path <path>

(Optional if started from OpenText SAST) Specifies the path to the OpenText SAST executable. If the OpenText ScanCentral SAST client is part of the OpenText SAST installation (embedded), the path is determined automatically.

-targs,
--translation-arguments <translation_options>

(Optional) Specifies OpenText SAST translation options. Enclose multiple space-separated options in quotes, or repeat this option for each OpenText SAST option and parameter.

-sargs,
--scan-arguments <scan_options>

(Optional) Specifies OpenText SAST scan options. Enclose multiple space-separated options in quotes, or repeat this option for each OpenText SAST option and parameter.

-tlog,
--sca-translation-log <log_file_path>

(Optional) Specifies a log file for translation commands. By default, PackageScanner creates the log file in a temporary directory, which is removed after the program finishes.

-slog,
--sca-scan-log <path>

(Optional) Specifies a log file for scan commands. By default, PackageScanner creates the log file in a temporary directory, which is removed after the program finishes.

-workdir,
--working-dir <dir>

(Optional) Specifies a directory where the project package is unpacked and where PackageScanner creates the OpenText SAST project root directory. By default, PackageScanner creates this directory in a temporary location and removes it after the program finishes (unless the -debug option is specified).

-debug

(Optional) Enables debug logging for OpenText ScanCentral SAST clients and sensors.

-v,
--version

(Optional) Displays the PackageScanner tool version.

The following are example PackageScanner commands:

packagescanner --package package.zip --fpr results.fpr
packagescanner --package package.zip --fpr results.fpr --translation-arguments "-debug -verbose" --scan-arguments "-debug -verbose"
packagescanner --package JavaApackage.zip --fpr results.fpr --translation-arguments "-build-label myJavaBuildA"
packagescanner --package package.zip --fpr results.fpr --sca-translation-log trans.log --sca-scan-log scan.log
packagescanner --package package.zip --fpr results.fpr --sca-path C:\appsecurity\bin\sourceanalyzer.exe
packagescanner --package package.zip --fpr results.fpr --working-dir C:\packageScannerTemp

The following example performs a local translation and a remote scan by creating a project package with the package command, performing the local translation with the PackageScanner tool, and then submitting the scan to the Controller:

scancentral package -o MyProjPackage.zip
packagescanner --package MyProjPackage.zip -b xyz --no-scan
scancentral -sscurl <ssc_url> -ssctoken <token> start -b xyz -scan

See also

Generating a ScanCentral SAST Package