Translation and analysis phase properties

The properties for the fortify-sca.properties file in the following table are general properties that apply to the translation and/or analysis (scan) phase.

Property name Description
Translation and scan

com.fortify.sca.BuildID

Specifies the build ID of the build.

Value type: String

Default: (none)

Command-line option: -b

com.fortify.sca.CmdlineOptionsFileEncoding

Specifies the encoding of the command-line options file provided with @<filename> (see Other options). You can use this property, for example, to specify Unicode file paths in the options file. Valid encoding names are from the java.nio.charset.Charset

Note: This property is only valid in the fortify-sca.properties file and does not work in the fortify-sca-quickscan.properties file or with the -D option.

Value type: String

Default: JVM system default encoding

Example: com.fortify.sca.CmdlineOptionsFileEncoding=UTF-8

com.fortify.sca.DISabledLanguages

Specifies a colon-separated list of languages to exclude from the translation phase. The valid language values are abap, actionscript, apex, cfml, cobol, configuration, cpp, dart, dotnet, golang, objc, php, python, ruby, swift, and vb.

Value type: String

Default: (none)

Command-line option: -disable-language

com.fortify.sca.EnabledLanguages

Specifies a colon-separated list of languages to translate. The valid language values are abap, actionscript, apex, cfml, cobol, configuration, cpp, dart, dotnet, golang, objc, php, python, ruby, swift, and vb.

Value type: String

Default: All languages in the specified source are translated unless explicitly excluded with the com.fortify.sca.DISabledLanguages property.

Command-line option: -enable-language

com.fortify.sca.DisableCompilerName

If set to true, OpenText SAST includes build script files that have the same name as a build tool (such as gradlew) during translation as source files.

Value type: Boolean

Default: false

Command-line option: -disable-compiler-resolution

com.fortify.sca.ProjectRoot

Specifies the directory to store intermediate files generated in the translation and analysis phases. OpenText SAST makes extensive use of intermediate files located in this project root directory. In some cases, you achieve better performance for analysis by making sure this directory is on local storage rather than on a network drive.

Value type: String (path)

Default (Windows): ${win32.LocalAppdata}/Fortify

Note: ${win32.LocalAppdata} is a variable that points to the Windows Local Application Data shell folder.

Default (non-Windows): $home/.fortify

Command-line option: -project-root

Example: com.fortify.sca.ProjectRoot=C:\Users\<username>\AppData\Local\

Translation

com.fortify.sca.fileextensions.java

com.fortify.sca.fileextensions.cs

com.fortify.sca.fileextensions.js

com.fortify.sca.fileextensions.py

com.fortify.sca.fileextensions.rb

com.fortify.sca.fileextensions.aspx

com.fortify.sca.fileextensions.php

Note: This is a partial list. For the complete list, see the properties file.

Specifies how to translate specific file name extensions of languages that do not require build integration. The valid extension types are ABAP, ACTIONSCRIPT, APEX, APEX_OBJECT, APEX_TRIGGER, ARCHIVE, ASPNET, ASP, ASPX, BITCODE, BSP, BYTECODE, CFML, COBOL, CSHARP, DART, DOCKERFILE, FLIGHT, GENERIC, GO, HCL, HOCON, HTML, INI, JAVA, JAVA_PROPERTIES, JAVASCRIPT, JINJA, JSON, JSP, JSPX, JUPYTER, KOTLIN, MSIL, MXML, OBJECT, PHP, PLSQL, PYTHON, RUBY, RUBY_ERB, SCALA, SWIFT, SWC, SWF, TLD, SQL, TSQL, TYPESCRIPT, VB, VB6, VBSCRIPT, VISUAL_FORCE, VUE, XML, and YAML.

Value type: String (valid language type)

Default: See the fortify-sca.properties file for the complete list.

Examples:

com.fortify.sca.fileextensions.java=JAVA
com.fortify.sca.fileextensions.cs=CSHARP
com.fortify.sca.fileextensions.js=TYPESCRIPT
com.fortify.sca.fileextensions.py=PYTHON
com.fortify.sca.fileextensions.swift=SWIFT
com.fortify.sca.fileextensions.razor=ASPNET
com.fortify.sca.fileextensions.php=PHP
com.fortify.sca.fileextensions.tf=HCL

You can also specify a value of oracle:<path_to_script> to programmatically supply a language type. Provide a script that accepts one command-line parameter of a file name that matches the specified extension. The script must write the valid OpenText SAST file type (see previous list) to stdout and exit with a return value of zero. If the script returns a non-zero return code or the script does not exist, the file is not translated and OpenText SAST writes a warning to the log file.

Example:
com.fortify.sca.fileextensions.jsp=oracle:<path_to_script>
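The following is an added example of such an oracle script; it is not part of the OpenText documentation or product. It assumes a hypothetical scenario in which the extension .inc is shared by PHP includes and classic ASP includes, so no single static mapping is correct, and a hypothetical install path /opt/sca-hooks/inc-type.sh. The script follows the contract stated above: it receives one file name, prints a valid OpenText SAST file type on stdout and exits with zero, or exits non-zero so that the translator skips the file and logs a warning.

```shell
#!/bin/sh
# Added example (not OpenText code): a file-type oracle for
#   com.fortify.sca.fileextensions.inc=oracle:/opt/sca-hooks/inc-type.sh
# (the extension and the path are hypothetical).
#
# Contract: called with one argument (the file name); writes a valid
# OpenText SAST file type to stdout and exits 0, or exits non-zero so the
# translator skips the file and writes a warning to the log.

# Print the file type for "$1". Returns 1 when the file is missing or its
# dialect cannot be recognised from the first 40 lines.
sca_file_type() {
    f=$1
    [ -f "$f" ] || return 1
    # Inspect only the head of the file so large includes stay cheap to classify.
    if head -n 40 "$f" | grep -q '<?php'; then
        echo PHP
    elif head -n 40 "$f" | grep -q '<%'; then
        echo ASP
    else
        return 1    # unknown dialect: skipping is safer than guessing a type
    fi
}

# When the translator invokes the script (exactly one argument), act as the oracle
# and propagate the classification result as the process exit code.
if [ "$#" -gt 0 ]; then
    sca_file_type "$1"
    exit $?
fi
```

Keep the script fast and deterministic: the translator runs it once per matching file, and any non-zero exit silently removes that file from the scan, so a classifier that fails on valid input shrinks coverage rather than producing findings.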


com.fortify.sca.compilers.javac=com.fortify.sca.util.compilers.JavacCompiler

com.fortify.sca.compilers.c++=com.fortify.sca.util.compilers.GppCompiler

com.fortify.sca.compilers.make=com.fortify.sca.util.compilers.TouchlessCompiler

com.fortify.sca.compilers.mvn=com.fortify.sca.util.compilers.MavenAdapter

Note: This is a partial list. For the complete list, see the properties file.

Specifies custom-named compilers.

Value type: String (compiler)

Default: See the Compilers section in the fortify-sca.properties file for the complete list.

Example:

To tell OpenText SAST that “my-gcc” is a gcc compiler:

com.fortify.sca.compilers.my-gcc=com.fortify.sca.util.compilers.GccCompiler

Notes:

  • Compiler names can begin or end with an asterisk (*), which matches zero or more characters.
  • Execution of clang/clang++ is not supported with the gcc/g++ command names. You can specify the following: com.fortify.sca.compilers.g++=com.fortify.sca.util.compilers.GppCompiler

com.fortify.sca.UseAntListener

If set to true, OpenText SAST includes com.fortify.dev.ant.SCAListener in the compiler options.

Value type: Boolean

Default: false

com.fortify.sca.exclude

Specifies one or more files to exclude from translation. Separate multiple files with semicolons (Windows) or colons (non-Windows). See Specifying files and directories for more information on how to use file specifiers.

Value type: String

Default: Not enabled

Command-line option: -exclude

Example: com.fortify.sca.exclude=file1.x;file2.x

com.fortify.sca.InputFileEncoding

Specifies the source file encoding type. OpenText SAST allows you to scan a project that contains differently encoded source files. To work with a multi-encoded project, you must specify the -encoding option in the translation phase, when OpenText SAST first reads the source code file. OpenText SAST remembers this encoding in the build session and propagates it into the FVDL file.

Typically, if you do not specify the encoding type, OpenText SAST uses file.encoding from the java.io.InputStreamReader constructor with no encoding parameter. In a few cases (for example with the ActionScript parser), OpenText SAST defaults to UTF-8.

Value type: String

Default: (none)

Command-line option: -encoding

Example:
com.fortify.sca.InputFileEncoding=UTF-16

com.fortify.sca.RegExecutable

On Windows platforms, specifies the path to the reg.exe system utility. Specify the paths in Windows syntax, not Cygwin syntax, even when you run OpenText SAST from within Cygwin. Escape backslashes with an additional backslash.

Value type: String (path)

Default: reg

Example:
com.fortify.sca.RegExecutable=C:\\Windows\\System32\\reg.exe

com.fortify.sca.xcode.TranslateAfterError

Specifies whether the xcodebuild touchless adapter continues translation if the xcodebuild subprocess exited with a non-zero exit code. If set to false, translation stops after encountering a non-zero xcodebuild exit code and the OpenText SAST touchless build halts with the same exit code. If set to true, the OpenText SAST touchless build executes translation of the build file identified prior to the xcodebuild exit, and OpenText SAST exits with an exit code of zero (unless some other error also occurs).

Regardless of this setting, if xcodebuild exits with a non-zero code, then the xcodebuild exit code, stdout, and stderr are written to the log file.

Value type: Boolean

Default: false

Scan

com.fortify.sca.AddImpliedMethods

If set to true, OpenText SAST generates implied methods when it encounters implementation by inheritance.

Value type: Boolean

Default: true

com.fortify.sca.alias.Enable

If set to true, enables alias analysis.

Value type: Boolean

Default: true

com.fortify.sca.analyzer.controlflow.EnableTimeOut

Specifies whether to enable Control Flow Analyzer timeouts.

Value type: Boolean

Default: true

com.fortify.sca.BinaryName

Specifies a subset of source files to scan. Only the source files that were linked in the named binary at build time are included in the scan.

Value type: String (path)

Default: (none)

Command-line option: -bin or -binary-name

com.fortify.sca.DefaultAnalyzers

Specifies a comma- or colon-separated list of the types of analysis to perform. The valid values for this property are buffer, content, configuration, controlflow, dataflow, nullptr, semantic, and structural.

Value type: String

Default: This property is commented out and all analysis types are used in scans.

Command-line option: -analyzers

com.fortify.sca.DisableFunctionPointers

If set to true, disables function pointers during the scan.

Value type: Boolean

Default: false

com.fortify.sca.EnableAnalyzer

Specifies a comma- or colon-separated list of analyzers to use for a scan in addition to the default analyzers. The valid values for this property are buffer, content, configuration, controlflow, dataflow, nullptr, semantic, and structural.

Value type: String

Default: (none)

com.fortify.sca.ExitCodeLevel

Extends the default exit code options. See Exit codes for a description of the exit codes and the valid values for this property.

com.fortify.sca.FilterFile

Specifies the path to a filter file for the scan. See Excluding issues with filter files for more information.

Value type: String (path)

Default: (none)

Command-line option: -filter

com.fortify.sca.FilteredInstanceIDs

Specifies a comma-separated list of IIDs to be filtered out using a filter file.

Value type: String

Default: (none)

Example:
com.fortify.sca.FilteredInstanceIDs=CA4E1623A2424919B98EC19FCA279FFA,4418B3DC072647158B3758E6183C14CD

com.fortify.sca.FilteredRuleLanguages

Specifies a comma- or colon-separated list of languages for which to remove rules. The valid language values are abap, actionscript, apex, cfml, cobol, configuration, cpp, dart, dotnet, golang, objc, php, python, ruby, swift, and vb.

Value type: String

Default: (none)

Example: com.fortify.sca.FilteredRuleLanguages=apex:php

com.fortify.sca.MaxPassthroughChainDepth

Specifies the length of a taint path between input and output parameters in a function call.

Value type: Integer

Default: 4

com.fortify.sca.MultithreadedAnalysis

Specifies whether OpenText SAST runs in parallel analysis mode.

Value type: Boolean

Default: true

com.fortify.sca.Phase0HigherOrder.Languages

Specifies a comma-separated list of languages for which to run higher-order analysis. Higher-order analysis improves the ability to track dataflow through higher-order code, which is commonly used in modern dynamic languages. Valid values are python, swift, ruby, javascript, and typescript.

Value type: String

Default: python,ruby,swift,javascript,typescript

com.fortify.sca.Phase0HigherOrder.Timeout.Hard

Specifies the total time (in seconds) for higher-order analysis. When the analyzer reaches the hard timeout limit, it exits immediately.

OpenText recommends this timeout limit in case some issue causes the analysis to run too long. OpenText recommends that you set the hard timeout to about 50% longer than the soft timeout, so that either the fixpoint pass limiter or the soft timeout occurs first.

Value type: Number

Default: 2700

com.fortify.sca.PrecisionLevel

Specifies the scan precision. Scans with a lower precision level are performed faster. The valid values are 1, 2, 3, and 4.

Value type: Number

Default: (none)

Command-line option: -scan-precision | -p

com.fortify.sca.ProjectTemplate

Specifies the issue template file to use for the scan. This only affects scans on the local machine. If you upload the FPR to Fortify Software Security Center, it uses the issue template assigned to the application version.

Value type: String

Default: (none)

Command-line option: -project-template

Example:
com.fortify.sca.ProjectTemplate=test_issuetemplate.xml

com.fortify.sca.QuickScanMode

If set to true, OpenText SAST performs a quick scan. OpenText SAST uses the settings from fortify-sca-quickscan.properties, instead of the fortify-sca.properties configuration file.

Value type: Boolean

Default: (not enabled)

Command-line option: -quick

com.fortify.sca.ScanPolicy

Specifies the scan policy for prioritizing reported vulnerabilities (see Applying a scan policy to the analysis). The valid scan policy values are classic, security, and devops.

Value type: String

Default: security

Command-line option: -sc or -scan-policy

com.fortify.sca.ThreadCount

Specifies the number of threads for parallel analysis mode. Add this property only if you need to reduce the number of threads used because of a resource constraint. If you experience an increase in scan time or problems with your scan, a reduction in the number of threads used might solve the problem.

Value type: Integer

Default: (number of available processor cores)

com.fortify.sca.TypeInferenceFunctionTimeout

The amount of time (in seconds) that type inference can spend to analyze a single function. Unlimited if set to zero or not specified.

Value type: Long

Default: 60

com.fortify.sca.TypeInferenceLanguages

Comma- or colon-separated list of languages that use type inference. This setting improves the precision of the analysis for dynamically-typed languages.

Value type: String

Default: javascript,python,ruby,typescript

com.fortify.sca.TypeInferencePhase0Timeout

Specifies the total amount of time (in seconds) that type inference can spend in phase 0 (the interprocedural analysis). Unlimited if set to zero or not specified.

Value type: Long

Default: 300

com.fortify.sca.UniversalBlacklist

Specifies a colon-separated list of functions to hide from all analyzers.

Value type: String

Default: .*yyparse.*