Configuring Scan Speed with Speed Dial
You can configure the speed and depth of a scan by specifying a precision level for the analysis phase. Use these precision levels to fit the scan time to a particular context, for example a pipeline that must quickly report a set of vulnerabilities while the developer is still working on the code. Although scans with speed dial settings are faster than a full scan, they do not produce as robust a result set. Fortify recommends that you run full scans whenever possible.
The precision level controls the depth and precision of the scan by associating configuration properties with each level. The configuration properties files for each level are in the <sca_install_dir>/Core/config/scales directory. There is one file for each level (level-<precision_level>.properties). You can modify the settings in these files to create your own specific precision levels.
Notes:
- By default, Fortify Software Security Center blocks uploaded analysis results that were created with a precision level lower than four. However, you can configure your Fortify Software Security Center application version so that uploaded audit projects scanned with these precision levels are processed.
- If you merge a speed dial scan with a full scan, the merge might remove issues from previous scans that still exist in your application (and that a full scan would detect again).
To specify the speed dial setting for a scan, include the -scan-precision (or -p) option in the scan phase as shown in the following example:
sourceanalyzer -b MyProject -scan -scan-precision <level> -f MyResults.fpr
Note: You cannot use the speed dial setting and the -quick option in the same scan command.
The following table describes the four precision levels.
Precision Level | Description |
---|---|
1 | This is the quickest scan and is recommended if you are scanning a few files. By default, a scan with this precision level disables the Buffer Analyzer, Control Flow Analyzer, Dataflow Analyzer, and Null Pointer Analyzer. |
2 | By default, a scan with this precision level enables all analyzers. The scan runs quicker because it uses reduced limiters, which results in fewer issues detected. |
3 | This precision level improves intermediate development scan speeds by up to 50% (with a reduction in reported issues). Specifically, it improves scan time for typed languages such as Java and C/C++. |
4 | This is equivalent to a full scan. |
You can also specify the scan precision level with the com.fortify.sca.PrecisionLevel property in the fortify-sca.properties file. For example:
com.fortify.sca.PrecisionLevel=1
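The following wrapper script is an added example for this page; it is not part of Fortify's own tooling. It shows how a pipeline can choose a speed dial level per CI context (the pull request → level 2, main branch → level 4 policy is an assumption made for illustration), validate the level, refuse the -quick option that cannot be combined with -scan-precision, and write speed dial results to a separately named FPR so they are not merged into the full-scan baseline by accident. It assumes sourceanalyzer is on PATH and that the translation phase has already run for the given build ID; the function names precision_for_context, build_scan_cmd and run_scan are hypothetical.

```bash
#!/bin/sh
# Hypothetical CI wrapper around "sourceanalyzer -scan -scan-precision".
# Added example; not Fortify's own code. Assumes the build was already
# translated into the build ID passed as the first argument.

# Map a CI context to a speed dial level. The policy below is an assumption
# made for illustration:
#   pr / pull_request -> 2 (all analyzers enabled, reduced limiters)
#   main / release    -> 4 (full scan; the only level SSC accepts by default)
precision_for_context() {
  case "$1" in
    pr|pull_request) echo 2 ;;
    main|release)    echo 4 ;;
    *) echo "unknown CI context: '$1'" >&2; return 1 ;;
  esac
}

# Print the scan command for build ID $1, precision $2, output file $3 and
# optional extra options $4. Rejects levels outside 1-4 and the -quick option,
# which cannot be used together with -scan-precision.
build_scan_cmd() {
  build_id=$1; level=$2; out=$3; extra=$4
  case "$level" in
    1|2|3|4) ;;
    *) echo "precision level must be 1-4, got '$level'" >&2; return 1 ;;
  esac
  case " $extra " in
    *" -quick "*) echo "-quick cannot be combined with -scan-precision" >&2; return 1 ;;
  esac
  # Speed dial results get a level-tagged file name (e.g. MyResults-p2.fpr)
  # so a later merge with the full-scan FPR has to be a deliberate choice.
  if [ "$level" -lt 4 ]; then
    out="${out%.fpr}-p${level}.fpr"
  fi
  echo "sourceanalyzer -b $build_id -scan -scan-precision $level${extra:+ $extra} -f $out"
}

# Build and execute the scan. Arguments are split on whitespace, so paths
# containing spaces are not supported by this simple wrapper.
run_scan() {
  cmd=$(build_scan_cmd "$@") || return 1
  echo "+ $cmd" >&2
  # shellcheck disable=SC2086
  $cmd
}

# Usage from a pipeline step (CI_CONTEXT set by the pipeline):
#   . ./fortify-scan.sh
#   run_scan MyProject "$(precision_for_context "$CI_CONTEXT")" MyResults.fpr
```

Because level 4 is a full scan, the main-branch job produces MyResults.fpr, which is the file to upload to Fortify Software Security Center; the pull-request job produces MyResults-p2.fpr, which SSC rejects by default unless the application version has been configured to accept it.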