Java Translation Command-Line Syntax

To translate Java code, all types defined in a library that are referenced in the code must have a corresponding definition in the source code, a class file, or a JAR file. Include all source files on the Fortify Static Code Analyzer command line.

If your project contains Java code that refers to Kotlin code, make sure that the Java and Kotlin code are translated in the same Fortify Static Code Analyzer instance so that the Java references to Kotlin elements are resolved correctly. Kotlin to Java interoperability does not support Kotlin files provided by the –sourcepath option. For more information about the –sourcepath option, see Java Command-Line Options

The basic command-line syntax to translate Java code is shown in the following example:

sourceanalyzer -b <build_id> -cp <classpath> <files>

With Java code, Fortify Static Code Analyzer can either:

• Emulate the compiler, which might be convenient for build integration
• Accept source files directly, which is convenient for command-line scans

For information about integrating Fortify Static Code Analyzer with Ant, see Integrating with Ant.

To have Fortify Static Code Analyzer emulate the compiler, type:

sourceanalyzer -b <build_id> javac [<translation_options>]

To pass files directly to Fortify Static Code Analyzer, type:

sourceanalyzer -b <build_id> -cp <classpath> [<translation_options>] 
<files> | <file_specifiers>   

where:

• <translation_options> are options passed to the compiler.

• -cp <classpath> specifies the class path to use for the Java source code.

  Include all JAR dependencies normally used to build the project. Separate multiple paths with semicolons (Windows) or colons (non-Windows).

  Similar to javac, Fortify Static Code Analyzer loads classes in the order they appear in the class path. If there are multiple classes with the same name in the list, Fortify Static Code Analyzer uses the first loaded class. In the following example, if both A.jar and B.jar include a class called MyData.class, Fortify Static Code Analyzer uses the MyData.class from A.jar.

  sourceanalyzer -cp A.jar:B.jar myfile.java

  Fortify strongly recommends that you avoid using duplicate classes with the -cp option.

  Fortify Static Code Analyzer loads JAR files in the following order:

  1. From the -cp option
  2. From jre/lib
  3. From <sca_install_dir>/Core/default_jars

  This enables you to override a library class by including the similarly-named class in a JAR specified with the -cp option.

For descriptions of all the available Java-specific command-line options, see Java Command-Line Options.