Translating Java Bytecode

Fortify recommends that you do not translate Java bytecode and JSP/Java source code in the same sourceanalyzer invocation. To translate a project that contains both, run sourceanalyzer more than once with the same build ID: one invocation for the bytecode and a separate invocation for the JSP/Java source code.

To translate bytecode:

  1. Add the following properties to the fortify-sca.properties file (or include these properties on the command line using the -D option):

    com.fortify.sca.fileextensions.class=BYTECODE
    com.fortify.sca.fileextensions.jar=ARCHIVE

    This specifies how Fortify Static Code Analyzer processes .class and .jar files.

  2. Do one of the following:

    • Request that Fortify Static Code Analyzer decompile the bytecode classes to regular Java files for inclusion in the translation.

      Add the following property to the fortify-sca.properties file:

      com.fortify.sca.DecompileBytecode=true

      or include this property on the command line for the translation phase with the -D option:

      sourceanalyzer -b MyProject -Dcom.fortify.sca.DecompileBytecode=true -cp "lib/*.jar" "src/**/*.class"

    • Request that Fortify Static Code Analyzer translate bytecode without decompilation.

      For best results, Fortify recommends that the bytecode be compiled with full debug information (javac -g).

      Include bytecode in the Fortify Static Code Analyzer translation phase by specifying the Java bytecode files that you want to translate. For best performance, specify only the .jar or .class files that require scanning. In the following example, the .class files are translated:

      sourceanalyzer -b MyProject -cp "lib/*.jar" "src/**/*.class"
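The following wrapper is an added example and is not part of the Fortify documentation. It runs the bytecode pass and the source pass as separate sourceanalyzer invocations under one build ID, as the procedure above requires, then scans. The directory layout (prebuilt classes under build/, third-party jars under lib/, Java sources under src/), the build ID MyProject, the output file results.fpr, the DRY_RUN and DECOMPILE switches, and the LocalVariableTable check are all assumptions of this example; the -D properties and the -b/-cp file-specifier syntax are the ones shown on the page, and -scan/-f are standard sourceanalyzer options.

```shell
#!/bin/sh
# Added example, not part of the Fortify documentation: run the separate bytecode
# and source translation passes under one build ID, then scan.
# Assumed layout: classes under build/, jars under lib/, Java sources under src/.
set -eu

SCA="${SCA:-sourceanalyzer}"        # sourceanalyzer binary, assumed on PATH
BUILD_ID="${BUILD_ID:-MyProject}"   # one build ID shared by every pass
DRY_RUN="${DRY_RUN:-0}"             # 1 = print each command instead of running it

# Run a command, or print it when DRY_RUN=1 so the exact invocations can be reviewed.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Heuristic check for "javac -g": full debug info adds a LocalVariableTable attribute
# to each method, and the attribute name is stored as a UTF8 constant-pool entry, so
# it is visible in the raw class file. javac's default (-g:source,lines) writes only
# SourceFile and LineNumberTable. A class with no local variables at all (a marker
# interface, say) has no such attribute even with -g, so treat a miss as a hint.
has_debug_info() {
  grep -q 'LocalVariableTable' "$1"
}

# Print how many .class files under a directory lack full debug info, warning on each.
count_without_debug_info() {
  find "$1" -name '*.class' | while IFS= read -r f; do
    if ! has_debug_info "$f"; then
      echo "warning: $f has no LocalVariableTable (rebuild with javac -g)" >&2
      echo "$f"
    fi
  done | wc -l | tr -d ' '
}

# Pass 1: bytecode only. The two fileextensions properties tell SCA to treat .class
# files as bytecode and .jar files as archives. DECOMPILE=1 selects the variant that
# decompiles the classes to Java before translation; otherwise the bytecode is
# translated directly.
translate_bytecode() {
  classes="$1"; libs="$2"
  decompile=""
  if [ "${DECOMPILE:-0}" = "1" ]; then
    decompile="-Dcom.fortify.sca.DecompileBytecode=true"
  fi
  # $decompile is deliberately unquoted so that an empty value adds no argument.
  # shellcheck disable=SC2086
  run "$SCA" -b "$BUILD_ID" \
    -Dcom.fortify.sca.fileextensions.class=BYTECODE \
    -Dcom.fortify.sca.fileextensions.jar=ARCHIVE \
    $decompile \
    -cp "$libs" "$classes"
}

# Pass 2: JSP/Java source files, same build ID, separate invocation as recommended.
# The "**" glob is expanded by sourceanalyzer itself, hence the quoting.
translate_source() {
  sources="$1"; libs="$2"
  run "$SCA" -b "$BUILD_ID" -cp "$libs" "$sources"
}

# Pass 3: analyze everything translated under the build ID and write an FPR file.
scan() {
  run "$SCA" -b "$BUILD_ID" -scan -f "$1"
}

main() {
  n=$(count_without_debug_info build)
  [ "$n" = "0" ] || echo "note: $n class file(s) without full debug info" >&2
  translate_bytecode 'build/**/*.class' 'lib/*.jar'
  translate_source   'src/**/*.java'    'lib/*.jar'
  scan results.fpr
}

# Run the pipeline only when invoked as "sh translate.sh run"; with DRY_RUN=1 the
# three sourceanalyzer commands are printed instead of executed.
if [ "${1:-}" = "run" ]; then
  main
fi
```

Run it with DRY_RUN=1 first to confirm the three invocations carry the same -b value and that the bytecode pass, and only the bytecode pass, carries the fileextensions properties. The LocalVariableTable check is a quick way to catch classes that were built without javac -g before spending scan time on them.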