Mobile Build Sessions

With a Fortify Static Code Analyzer mobile build session (MBS), you can translate a project on one machine and scan it on another. A mobile build session (MBS file) includes all the files needed for the analysis phase. To improve scan time, you can perform the translation on the build computer, and then move the build session (MBS file) to a better equipped computer for the scan. The developers can run translations on their own computers and use only one powerful computer to run large scans.

To include regular expression analysis (see Regular Expression Analysis) for your project, Fortify recommends that you include -Dcom.fortify.sca.MobileBuildSessions=true in the command to create the MBS file so that the source code is included in the MBS. This enables regular expression analysis to work for the scan on a different computer.

You must have the same version of Fortify Security Content (Rulepacks) installed on both the system where you are performing the translation and the system where you are performing the analysis.

Mobile Build Session Version Compatibility

The Fortify Static Code Analyzer version on the translate machine must be compatible with the Fortify Static Code Analyzer version on the analysis machine. The version number format is <major>.<minor>.<patch>.<build_number> (for example, 23.2.0.0140). The <major> and <minor> portions of the Fortify Static Code Analyzer version numbers on both the translation and the analysis machines must match. For example, 23.2.0 and 23.2.x are compatible. To determine the Fortify Static Code Analyzer version number, type sourceanalyzer -v on the command line.

You can obtain the build ID and the Fortify Static Code Analyzer version from an MBS file with the following command:

sourceanalyzer -import-build-session <file>.mbs -Dcom.fortify.sca.ExtractMobileInfo=true
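
The following shell functions are an added example, not part of the Fortify documentation. They apply the <major>.<minor> matching rule described above before an MBS file is imported on the analysis machine. The function names are hypothetical. The two version strings are supplied by the caller, because the output format of sourceanalyzer -v and of the ExtractMobileInfo command is not shown on this page.

```shell
#!/bin/sh
# Added example: check the MBS version rule (<major>.<minor> must match)
# before importing a mobile build session on the analysis machine.
# Version strings are passed in by the caller, for example:
#   mbs_versions_compatible 23.2.0.0140 23.2.1.0007   (second value constructed)

# Print "<major>.<minor>" for a version such as 23.2.0.0140, 23.2.0 or 23.2.x.
# Returns 2 if the string is not a dotted version with numeric major and minor.
sca_major_minor() {
    case "$1" in
        # Reject empty input, stray characters, and empty components.
        ""|*[!0-9A-Za-z.]*|.*|*..*|*.) return 2 ;;
    esac
    major=${1%%.*}
    rest=${1#*.}
    [ "$rest" != "$1" ] || return 2      # no dot: no minor component
    minor=${rest%%.*}
    case "$major" in ""|*[!0-9]*) return 2 ;; esac
    case "$minor" in ""|*[!0-9]*) return 2 ;; esac
    printf '%s.%s\n' "$major" "$minor"
}

# Exit status: 0 = compatible, 1 = major/minor differ, 2 = malformed input.
# $1 = version on the translate machine, $2 = version on the analysis machine.
mbs_versions_compatible() {
    translate_mm=$(sca_major_minor "$1") || return 2
    analysis_mm=$(sca_major_minor "$2") || return 2
    [ "$translate_mm" = "$analysis_mm" ]
}
```

A status of 2 is kept separate from 1 so that a pipeline can distinguish a genuine version mismatch from a version string that was copied or parsed incorrectly.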

Creating a Mobile Build Session

On the machine where you performed the translation, issue the following command to generate a mobile build session:

sourceanalyzer -b <build_id> -export-build-session <file>.mbs

where <file>.mbs is the file name you provide for the Fortify Static Code Analyzer mobile build session.

To include source code in the MBS file, run the following command:

sourceanalyzer -b <build_id> -Dcom.fortify.sca.MobileBuildSessions=true -export-build-session <file>.mbs

Importing a Mobile Build Session

After you move the <file>.mbs file to the machine where you want to perform the scan, import the mobile build session into the Fortify Static Code Analyzer project root directory.

To import the mobile build session, type the following command:

sourceanalyzer -import-build-session <file>.mbs

After you import your Fortify Static Code Analyzer mobile build session, you can proceed to the analysis phase. Perform a scan with the same build ID that was used in the translation.

You cannot merge multiple mobile build sessions into a single MBS file. Each exported build session must have a unique build ID. However, after all the build IDs are imported on the same Fortify Static Code Analyzer installation, you can scan multiple build IDs in one scan with the -b option (see Analysis Phase).