Quick scan
Quick scan mode provides a way to quickly scan your projects for critical- and high-priority issues. OpenText SAST performs the scan faster by reducing the depth of the analysis. It also applies the Quick View filter set. Quick scan settings are configurable. For more details about the configuration of quick scan mode, see fortify-sca-quickscan.properties.
Quick scans are a great way to get many applications through an assessment so that you can quickly find issues and begin remediation. The performance improvement you get depends on the complexity and size of the application. Although the scan is faster than a full scan, it does not provide as robust a result set. OpenText recommends that you run full scans whenever possible.
Limiters
The depth of the OpenText SAST analysis sometimes depends on the available resources. OpenText SAST uses a complexity metric to trade off these resources against the number of vulnerabilities that it can find. Sometimes this means that OpenText SAST gives up on analyzing a particular function when it appears not to have enough resources to finish it.
OpenText SAST lets you control this “cutoff” point through its limiter properties. Each analyzer has its own limiters. A quick scan applies a predefined set of these limiters. See the fortify-sca-quickscan.properties file for descriptions of the limiters.
To enable quick scan mode, use the -quick option together with the -scan option. With quick scan mode enabled, OpenText SAST applies the properties from the <sast_install_dir>/Core/config/fortify-sca-quickscan.properties file in addition to the standard <sast_install_dir>/Core/config/fortify-sca.properties file. You can adjust the limiters that OpenText SAST uses by editing the fortify-sca-quickscan.properties file. If you modify fortify-sca.properties, it also affects quick scan behavior, because both files are applied in quick scan mode. OpenText recommends that you do performance tuning in quick scan mode and leave the full scan at the default settings to produce a highly accurate scan. For a description of the quick scan mode properties, see Properties files.
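Because quick scan mode layers fortify-sca-quickscan.properties on top of fortify-sca.properties, it is useful to see exactly which settings a quick scan changes before tuning limiters. The following helper is an added example, not part of the OpenText documentation or product: it parses both files (Java .properties syntax) and reports the keys whose effective value differs between a full scan and a quick scan. The file contents, property names and values below are constructed for illustration and are not the shipped defaults; read the real files from your <sast_install_dir>/Core/config directory.

```python
"""Report what a quick scan changes relative to a full scan.

Quick scan = fortify-sca.properties with fortify-sca-quickscan.properties
applied on top, so a key present in the quick-scan file overrides the
standard file. Added example; sample contents are constructed.
"""
import re


def parse_properties(text: str) -> dict:
    """Parse Java-style .properties text into {key: value}.

    Handles '#' / '!' comment lines, '=' ':' or whitespace separators and
    backslash line continuations. Unicode escapes are not expanded.
    """
    props, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue                          # blank line or comment
        if line.endswith("\\") and not line.endswith("\\\\"):
            pending += line[:-1]              # value continues on next line
            continue
        line, pending = pending + line, ""
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def effective_settings(standard: dict, quick: dict) -> dict:
    """Settings a quick scan runs with: quick-scan keys override standard."""
    merged = dict(standard)
    merged.update(quick)
    return merged


def quick_scan_changes(standard: dict, quick: dict) -> dict:
    """Keys whose value differs between full scan and quick scan.

    Returns {key: (full_scan_value, quick_scan_value)}; full_scan_value is
    None when the key is set only in the quick-scan file.
    """
    return {k: (standard.get(k), v) for k, v in quick.items()
            if standard.get(k) != v}


# Constructed excerpts for this example; not the files shipped with the product.
STANDARD = """# fortify-sca.properties (constructed excerpt)
com.fortify.sca.limiters.MaxChainDepth=8
com.fortify.sca.limiters.MaxFunctionTime=60000
"""
QUICK = """# fortify-sca-quickscan.properties (constructed excerpt)
com.fortify.sca.limiters.MaxChainDepth = 4
com.fortify.sca.limiters.MaxFunctionTime: 60000
com.fortify.sca.limiters.MaxTaintDefForVar=\\
    1000
com.fortify.sca.FilterSet = Quick View
"""

if __name__ == "__main__":
    std, qk = parse_properties(STANDARD), parse_properties(QUICK)
    for key, (full, quick) in sorted(quick_scan_changes(std, qk).items()):
        print(f"{key}: full={full!r} quick={quick!r}")
```

Point the script at your real fortify-sca.properties and fortify-sca-quickscan.properties to list every limiter the quick scan tightens, which is the set to revisit when a full scan finds issues that the quick scan missed.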
Using quick scan and full scan
- Run full scans periodically—A periodic full scan is important as it might find issues that quick scan mode does not detect. Run a full scan at least once per software iteration. If possible, run a full scan periodically when it will not interrupt the development workflow, such as on a weekend.
- Compare quick scan with a full scan—To evaluate the accuracy impact of a quick scan, perform a quick scan and a full scan on the same codebase. Open the quick scan results in Fortify Audit Workbench and merge them into the full scan results. Group the issues by New Issue to produce a list of issues detected in the full scan but not in the quick scan.
- Quick scans and Fortify Software Security Center—To avoid overwriting the results of a full scan, Fortify Software Security Center by default ignores uploaded FPR files scanned in quick scan mode. However, you can configure a Fortify Software Security Center application version so that FPR files scanned in quick scan mode are processed. For more information, see analysis results processing rules in the OpenText™ Application Security User Guide.