Translation and Analysis Phase Properties

The properties for the fortify-sca.properties file in the following table are general properties that apply to the translation and/or analysis (scan) phase.

Property Name	Description
Translation and Scan
`com.fortify.sca. BuildID`	Specifies the build ID of the build. Value Type: String Default: (none) Command-Line Option: `-b`
`com.fortify.sca. CmdlineOptionsFileEncoding`	Specifies the encoding of the command-line options file provided with `@<filename>` (see Other Options). You can use this property, for example, to specify Unicode file paths in the options file. Valid encoding names are from the `java.nio.charset.Charset` Note: This property is only valid in the `fortify-sca.properties` file and does not work in the `fortify-sca-quickscan.properites` file or with the `-D` option. Value Type: String Default: JVM system default encoding Example: `com.fortify.sca.CmdlineOptionsFileEncoding=UTF-8`
`com.fortify.sca. DISabledLanguages`	Specifies a colon-separated list of languages to exclude from the translation phase. The valid language values are `abap`, `actionscript`, `apex`, `cfml`, `cobol`, `configuration`, `cpp`, `dart`, `dotnet`, `golang`, `java`, `javascript`, `jsp`, `kotlin`, `objc`, `php`, `plsql`, `python`, `ruby`, `scala`, `sql`, `swift`, `tsql`, `typescript`, and `vb`. Value Type: String Default: (none) Command-Line Option: `-disable-language`
`com.fortify.sca. EnabledLanguages`	Specifies a colon-separated list of languages to translate. The valid language values are `abap`, `actionscript`, `apex`, `cfml`, `cobol`, `configuration`, `cpp`, `dart`, `dotnet`, `golang`, `java`, `javascript`, `jsp`, `kotlin`, `objc`, `php`, `plsql`, `python`, `ruby`, `scala`, `sql`, `swift`, `tsql`, `typescript`, and `vb`. Value Type: String Default: All languages in the specified source are translated unless explicitly excluded with the `com.fortify.sca.DISabledLanguages` property. Command-Line Option: `-enable-language`
`com.fortify.sca. ProjectRoot`	Specifies the directory to store intermediate files generated in the translation and analysis phases. Fortify Static Code Analyzer makes extensive use of intermediate files located in this project root directory. In some cases, you achieve better performance for analysis by making sure this directory is on local storage rather than on a network drive. Value Type: String (path) Default (Windows): `${win32.LocalAppdata}\Fortify` Note: `${win32.LocalAppdata}` is a special variable that points to the windows Local Application Data shell folder. Default (Non-Windows): `$home/.fortify` Command-Line Option: `-project-root` Example: `com.fortify.sca.ProjectRoot= C:\Users\<username>\AppData\Local\`
Translation
`com.fortify.sca. fileextensions.java` `com.fortify.sca. fileextensions.cs` `com.fortify.sca. fileextensions.js` `com.fortify.sca. fileextensions.py` `com.fortify.sca. fileextensions.rb` `com.fortify.sca. fileextensions.aspx` `com.fortify.sca. fileextensions.php` Note: This is a partial list. For the complete list, see the properties file.	Specifies how to translate specific file extensions for languages that do not require build integration. The valid file extension types are `ABAP`, `ACTIONSCRIPT`, `APEX`, `APEX_OBJECT`, `APEX_TRIGGER`, `ARCHIVE`, `ASPNET`, `ASP`, `ASPX`, `BITCODE`, `BSP`, `BYTECODE`, `CFML`, `COBOL`, `CSHARP`, `DART`, `DOCKERFILE`, `FLIGHT`, `GENERIC`, `GO`, `HOCON`, `HTML`, `INI`, `JAVA`, `JAVA_PROPERTIES`, `JAVASCRIPT`, `JSP`, `JSPX`, `KOTLIN`, `MSIL`, `MXML`, `OBJECT`, `PHP`, `PLSQL`, `PYTHON`, `RUBY`, `RUBY_ERB`, `SCALA`, `SWIFT`, `SWC`, `SWF`, `TLD`, `SQL`, `TSQL`, `TYPESCRIPT`, `VB`, `VB6`, `VBSCRIPT`, `VISUAL_FORCE`, `VUE`, and `XML`. Value Type: String (valid language type) Default: See the `fortify-sca.properties` file for the complete list. Examples: `com.fortify.sca.fileextensions.java=JAVA` `com.fortify.sca.fileextensions.cs=CSHARP` `com.fortify.sca.fileextensions.js=TYPESCRIPT` `com.fortify.sca.fileextensions.py=PYTHON` `com.fortify.sca.fileextensions.swift=SWIFT` `com.fortify.sca.fileextensions.razor=ASPNET` `com.fortify.sca.fileextensions.php=PHP` `com.fortify.sca.fileextensions.tf=HCL` You can also specify a value of `oracle:<path_to_script>` to programmatically supply a language type. Provide a script that accepts one command-line parameter of a file name that matches the specified file extension. The script must write the valid Fortify Static Code Analyzer file type (see previous list) to stdout and exit with a return value of zero. If the script returns a non-zero return code or the script does not exist, the file is not translated and Fortify Static Code Analyzer writes a warning to the log file. Example: `com.fortify.sca.fileextensions.jsp= oracle:<path_to_script>`
`com.fortify.sca. compilers.javac= com.fortify.sca. util.compilers.JavacCompiler` `com.fortify.sca. compilers.c++= com.fortify.sca. util.compilers.GppCompiler` `com.fortify.sca. compilers.make= com.fortify.sca. util.compilers.TouchlessCompiler` `com.fortify.sca. compilers.mvn= com.fortify.sca. util.compilers.MavenAdapter` Note: This is a partial list. For the complete list, see the properties file.	Specifies custom-named compilers. Value Type: String (compiler) Default: See the Compilers section in the `fortify-sca.properties` file for the complete list. Example: To tell Fortify Static Code Analyzer that “my-gcc” is a gcc compiler: `com.fortify.sca. compilers.my-gcc= com.fortify.sca.util.compilers. GccCompiler` Notes: Compiler names can begin or end with an asterisk (*), which matches zero or more characters. Execution of clang/clang++ is not supported with the gcc/g++ command names. You can specify the following: `com.fortify.sca.compilers.g++= com.fortify.sca.util.compilers.GppCompiler`
`com.fortify.sca. UseAntListener`	If set to true, Fortify Static Code Analyzer includes `com.fortify.dev.ant.SCAListener` in the compiler options. Value Type: Boolean Default: `false`
`com.fortify.sca. exclude`	Specifies one or more files to exclude from translation. Separate multiple files with semicolons (Windows) or colons (non-Windows). See Specifying Files and Directories for more information on how to use file specifiers. Note: Fortify Static Code Analyzer only uses this property during translation without build integration. When you integrate with most compilers or build tools, Fortify Static Code Analyzer translates all source files that the compiler or build tool processes even if they are specified with this property. However, the Fortify Static Code Analyzer xcodebuild and MSBuild integrations do support the `-exclude` option. Value Type: String Default: Not enabled Command-Line Option: `-exclude` Example: `com.fortify.sca.exclude=file1.x;file2.x`
`com.fortify.sca. InputFileEncoding`	Specifies the source file encoding type. Fortify Static Code Analyzer allows you to scan a project that contains differently encoded source files. To work with a multi-encoded project, you must specify the `-encoding` option in the translation phase, when Fortify Static Code Analyzer first reads the source code file. Fortify Static Code Analyzer remembers this encoding in the build session and propagates it into the FVDL file. Typically, if you do not specify the encoding type, Fortify Static Code Analyzer uses `file.encoding` from the `java.io.InputStreamReader` constructor with no encoding parameter. In a few cases (for example with the ActionScript parser), Fortify Static Code Analyzer defaults to `UTF-8`. Value Type: String Default: (none) Command-Line Option: `-encoding` Example: `com.fortify.sca.InputFileEncoding=UTF-16`
`com.fortify.sca. RegExecutable`	On Windows platforms, specifies the path to the `reg.exe` system utility. Specify the paths in Windows syntax, not Cygwin syntax, even when you run Fortify Static Code Analyzer from within Cygwin. Escape backslashes with an additional backslash. Value Type: String (path) Default: `reg` Example: `com.fortify.sca.RegExecutable= C:\\Windows\\System32\\reg.exe`
`com.fortify.sca. xcode.TranslateAfterError`	Specifies whether the xcodebuild touchless adapter continues translation if the xcodebuild subprocess exited with a non-zero exit code. If set to false, translation stops after encountering a non-zero xcodebuild exit code and the Fortify Static Code Analyzer touchless build halts with the same exit code. If set to true, the Fortify Static Code Analyzer touchless build executes translation of the build file identified prior to the xcodebuild exit, and Fortify Static Code Analyzer exits with an exit code of zero (unless some other error also occurs). Regardless of this setting, if xcodebuild exits with a non-zero code, then the xcodebuild exit code, stdout, and stderr are written to the log file. Value Type: Boolean Default: `false`
Scan
`com.fortify.sca. AddImpliedMethods`	If set to true, Fortify Static Code Analyzer generates implied methods when it encounters implementation by inheritance. Value Type: Boolean Default: `true`
`com.fortify.sca. alias.Enable`	If set to true, enables alias analysis. Value Type: Boolean Default: `true`
`com.fortify.sca. analyzer.controlflow.EnableTimeOut`	Specifies whether to enable Control Flow Analyzer timeouts. Value Type: Boolean Default: `true`
`com.fortify.sca. BinaryName`	Specifies a subset of source files to scan. Only the source files that were linked in the named binary at build time are included in the scan. Value Type: String (path) Default: (none) Command-Line Option: `-bin` or `-binary-name`
`com.fortify.sca. DeadCodeFilter`	If set to true, Fortify Static Code Analyzer removes dead code issues, for example because the compiler generated dead code and it does not appear in the source code. Value Type: Boolean Default: `true`
`com.fortify.sca. DefaultAnalyzers`	Specifies a comma- or colon-separated list of the types of analysis to perform. The valid values for this property are `buffer`, `content`, `configuration`, `controlflow`, `dataflow`, , `nullptr`, `semantic`, and `structural`. Value Type: String Default: This property is commented out and all analysis types are used in scans. Command-Line Option: `-analyzers`
`com.fortify.sca. DisableDeadCodeElimination`	Dead code is code that can never be executed, such as code inside the body of an `if` statement that always evaluates to false. If this property is set to true, then Fortify Static Code Analyzer does not identify dead code, does not report dead code issues, and reports other vulnerabilities in the dead code, even though they are unreachable during execution. Value Type: Boolean Default: `false`
`com.fortify.sca. DisableFunctionPointers`	If set to true, disables function pointers during the scan. Value Type: Boolean Default: `false`
`com.fortify.sca. EnableAnalyzer`	Specifies a comma- or colon-separated list of analyzers to use for a scan in addition to the default analyzers. The valid values for this property are `buffer`, `content`, `configuration`, `controlflow`, `dataflow`, `nullptr`, `semantic`, and `structural`. Value Type: String Default: (none)
`com.fortify.sca. ExitCodeLevel`	Extends the default exit code options. See Exit Codes for a description of the exit codes and the valid values for this property.
`com.fortify.sca. FilterFile`	Specifies the path to a filter file for the scan. See Excluding Issues with Filter Files for more information. Value Type: String (path) Default: (none) Command-Line Option: `-filter`
`com.fortify.sca. FilteredInstanceIDs`	Specifies a comma-separated list of IIDs to be filtered out using a filter file. Value Type: String Default: (none) Example: `com.fortify.sca.FilteredInstanceIDs=CA4E1623A2424919B98EC19FCA279FFA,4418B3DC072647158B3758E6183C14CD`
`com.fortify.sca. hoa.Enable`	If set to true, higher-order analysis is enabled. Value Type: Boolean Default: `true`
`com.fortify.sca. IncludeScaModules`	Specifies a comma- or colon-separated list of build IDs for libraries pre-scanned as separate modules to use in the project scan. Each build ID must denote an existing scanned library. Value Type: String (build IDs) Default: (none) Command-Line Option: `-include-modules` Example: `com.fortify.sca.IncludeScaModules=LibA,LibB`
`com.fortify.sca. LowSeverityCutoff`	Specifies the cutoff level for severity suppression. Fortify Static Code Analyzer ignores any issues found with a lower severity value than the one specified for this property. Value Type: Number Default: `1.0`
`com.fortify.sca. MaxPassthroughChainDepth`	Specifies the length of a taint path between input and output parameters in a function call. Value Type: Integer Default: `4`
`com.fortify.sca. MultithreadedAnalysis`	Specifies whether Fortify Static Code Analyzer runs in parallel analysis mode. Value Type: Boolean Default: `true`
`com.fortify.sca. Phase0HigherOrder.Languages`	Specifies a comma-separated list of languages for which to run higher-order analysis. Valid values are `python`, `swift`, `ruby`, `javascript`, and `typescript`. Value Type: String Default: `python,ruby,swift,javascript,typescript`
`com.fortify.sca. Phase0HigherOrder.Timeout.Hard`	Specifies the total time (in seconds) for higher-order analysis. When the analyzer reaches the hard timeout limit, it exits immediately. Fortify recommends this timeout limit in case some issue causes the analysis to run too long. Fortify recommends that you set the hard timeout to about 50% longer than the soft timeout, so that either the fixpoint pass limiter or the soft timeout occurs first. Value Type: Number Default: `2700`
`com.fortify.sca. PrecisionLevel`	Specifies the scan precision. Scans with a lower precision level are performed faster. The valid values are `1`, `2`, `3`, and `4`. Value Type: Number Default: (none) Command-Line Option: `-scan-precision` \| `-p`
`com.fortify.sca. ProjectTemplate`	Specifies the issue template file to use for the scan. This only affects scans on the local machine. If you upload the FPR to Fortify Software Security Center, it uses the issue template assigned to the application version. Value Type: String Default: (none) Command-Line Option: `-project-template` Example: `com.fortify.sca.ProjectTemplate= test_issuetemplate.xml`
`com.fortify.sca. QuickScanMode`	If set to true, Fortify Static Code Analyzer performs a quick scan. Fortify Static Code Analyzer uses the settings from `fortify-sca-quickscan.properties`, instead of the `fortify-sca.properties` configuration file. Value Type: Boolean Default: (not enabled) Command-Line Option: `-quick`
`com.fortify.sca. ScanPolicy`	Specifies the scan policy used to prioritize reported vulnerabilities. The valid scan policy values are `classic`, `security`, and `devops`. Value Type: String Default: `classic` Command-Line Option: `-sc` or `-scan-policy`
`com.fortify.sca. ScanScaModule`	If set to true, Fortify Static Code Analyzer performs modular scan of this project, which enables use of this library's build ID with the `include-modules` option (or the `com.fortify.sca.IncludeScaModules` property) in subsequent scans. For more information, see Configuring Scan Speed with Speed Dial. This property is ignored if the `-scan` command-line option is specified. Value Type: Boolean Default: false Command-Line Option: `-scan-module`
`com.fortify.sca. SuppressLowSeverity`	If set to true, Fortify Static Code Analyzer ignores low severity issues found in a scan. Value Type: Boolean Default: `true`
`com.fortify.sca. ThreadCount`	Specifies the number of threads for parallel analysis mode. Add this property only if you need to reduce the number of threads used because of a resource constraint. If you experience an increase in scan time or problems with your scan, a reduction in the number of threads used might solve the problem. Value type: Integer Default: (number of available processor cores)
`com.fortify.sca. TypeInferenceFunctionTimeout`	The amount of time (in seconds) that type inference can spend to analyze a single function. Unlimited if set to zero or is not specified. Value Type: Long Default: `60`
`com.fortify.sca. TypeInferenceLanguages`	Comma- or colon-separated list of languages that use type inference. This setting improves the precision of the analysis for dynamically-typed languages. Value Type: String Default: `javascript,python,ruby,typescript`
`com.fortify.sca. TypeInferencePhase0Timeout`	Specifies the total amount of time (in seconds) that type inference can spend in phase 0 (the interprocedural analysis). Unlimited if set to zero or is not specified. Value Type: Long Default: `300`
`com.fortify.sca. UniversalBlacklist`	Specifies a colon-separated list of functions to hide from all analyzers. Value Type: String Default: `.yyparse.`