Translating Java bytecode

OpenText recommends that you do not translate Java bytecode and JSP/Java code in the same call to sourceanalyzer. Use multiple invocations of sourceanalyzer with the same build ID to translate a project that contains both bytecode and JSP/Java code.

To translate bytecode:

  1. Add the following properties to the fortify-sca.properties file (or include these properties on the command line using the -D option):

    com.fortify.sca.fileextensions.class=BYTECODE
    com.fortify.sca.fileextensions.jar=ARCHIVE

    This specifies how OpenText SAST processes .class and .jar files.

  2. Do one of the following:

    • Request that OpenText SAST decompile the bytecode classes to regular Java files for inclusion in the translation.

      Add the following property to the fortify-sca.properties file:

      com.fortify.sca.DecompileBytecode=true

      or include this property on the command line for the translation phase with the -D option:

      sourceanalyzer -b MyProject -Dcom.fortify.sca.DecompileBytecode=true -cp "lib/*.jar" "src/**/*.class"

    • Request that OpenText SAST translate bytecode without decompilation.

      For best results, OpenText recommends that the bytecode be compiled with full debug information (javac -g).

      Include bytecode in the translation phase by specifying the Java bytecode files that you want to translate. For best performance, specify only the .jar or .class files that require scanning. In the following example, the .class files are translated:

      sourceanalyzer -b MyProject -cp "lib/*.jar" "src/**/*.class"
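
The recommendation at the top of this page, as an added example (not taken from the OpenText documentation): Java source and bytecode are translated in separate sourceanalyzer calls under one build ID, followed by a single scan. The directory layout (src/, classes/, lib/), the .fpr file name and the SCA_RUN and DECOMPILE switches are assumptions of this example; by default it only prints the commands it would run.

```shell
#!/bin/sh
# Added example. Assumed layout: Java sources under src/, precompiled
# classes under classes/, dependency jars in lib/.
# Dry run by default; set SCA_RUN=1 to execute the commands.
BUILD_ID="${BUILD_ID:-MyProject}"
SCA="${SCA:-sourceanalyzer}"

# Print the command (dry run) or execute it (SCA_RUN=1).
run() {
  if [ "${SCA_RUN:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Invocation 1: Java source only, no .class or .jar inputs on this call.
translate_source() {
  run "$SCA" -b "$BUILD_ID" -cp "lib/*.jar" "src/**/*.java"
}

# Invocation 2: bytecode only, same build ID. The two fileextensions
# properties are step 1 of the procedure; DECOMPILE=1 picks the first
# option of step 2, otherwise bytecode is translated without decompilation.
translate_bytecode() {
  set -- -Dcom.fortify.sca.fileextensions.class=BYTECODE \
         -Dcom.fortify.sca.fileextensions.jar=ARCHIVE
  if [ "${DECOMPILE:-0}" = "1" ]; then
    set -- "$@" -Dcom.fortify.sca.DecompileBytecode=true
  fi
  run "$SCA" -b "$BUILD_ID" "$@" -cp "lib/*.jar" "classes/**/*.class"
}

# Clean the build ID, run both translations, then scan once so the
# results file covers source and bytecode together.
translate_and_scan() {
  run "$SCA" -b "$BUILD_ID" -clean &&
  translate_source &&
  translate_bytecode &&
  run "$SCA" -b "$BUILD_ID" -scan -f "$BUILD_ID.fpr"
}

translate_and_scan
```

The wildcard patterns are passed quoted so that sourceanalyzer, not the shell, expands them.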