Translating JavaScript projects with HTML files
If the project contains HTML files in addition to JavaScript files, set the com.fortify.sca.EnableDOMModeling property to true in the fortify-sca.properties file or on the command line as shown in the following example:
sourceanalyzer -b MyProject <js_file_or_dir> -Dcom.fortify.sca.EnableDOMModeling=true
Setting the com.fortify.sca.EnableDOMModeling property to true can reduce false negatives for DOM-related attacks, such as DOM-related cross-site scripting issues.
If you enable this option, OpenText SAST generates JavaScript code to model the DOM tree structure in the HTML files. The duration of the analysis phase might increase (because there is more translated code to analyze).
If you set the com.fortify.sca.EnableDOMModeling property to true, you can also specify additional HTML tags for OpenText SAST to include in the DOM modeling with the com.fortify.sca.DOMModeling.tags property. By default, OpenText SAST includes the following HTML tags: body, button, div, form, iframe, input, head, html, and p.
For example, to additionally include the HTML tags ul and li in the DOM model, use the following command:
sourceanalyzer -b MyProject <js_file_or_dir> -Dcom.fortify.sca.DOMModeling.tags=ul,li
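To choose a value for com.fortify.sca.DOMModeling.tags, it helps to know which tags the project's HTML uses beyond the default set. The following shell script is an added example, not part of the OpenText documentation: it scans .html/.htm files with a simple regular expression and prints the matching command line. The function names, the sample markup, and passing the scanned directory as <js_file_or_dir> are assumptions.

```shell
#!/bin/sh
# Added example (not from the OpenText documentation).
# Default DOM-modeling tags, copied from the list on this page.
DEFAULT_TAGS="body button div form iframe input head html p"

# extra_tags DIR: print a sorted, comma-separated list of tag names that
# occur in DIR's .html/.htm files but are not in DEFAULT_TAGS.
# This is a regex scan, not an HTML parser: tags inside comments or
# inline scripts are counted too, so review the list before using it.
extra_tags() {
    find "$1" -type f \( -name '*.html' -o -name '*.htm' \) -exec cat {} + |
        grep -oiE '<[a-z][a-z0-9]*' |
        tr -d '<' | tr '[:upper:]' '[:lower:]' | sort -u |
        while read -r tag; do
            case " $DEFAULT_TAGS " in
                *" $tag "*) ;;                    # modeled by default
                *) printf '%s\n' "$tag" ;;
            esac
        done | paste -sd, -
}

# scan_command DIR [BUILD_ID]: print the translation command for DIR,
# adding the tags property only when non-default tags were found.
# BUILD_ID defaults to MyProject, the build ID used on this page.
scan_command() {
    tags=$(extra_tags "$1")
    cmd="sourceanalyzer -b ${2:-MyProject} $1 -Dcom.fortify.sca.EnableDOMModeling=true"
    [ -n "$tags" ] && cmd="$cmd -Dcom.fortify.sca.DOMModeling.tags=$tags"
    printf '%s\n' "$cmd"
}

# Constructed sample project (hypothetical file name and markup).
demo=$(mktemp -d)
cat > "$demo/index.html" <<'EOF'
<html><head></head><body>
  <FORM><input id="q"><button>Go</button></FORM>
  <ul id="results"><li>placeholder</li></ul>
  <div id="status"><p>ready</p></div>
</body></html>
EOF
scan_command "$demo"
rm -rf "$demo"
```

The list is a starting point: keep only the tags whose elements the project's JavaScript actually reads from or writes to, since every additional modeled tag adds translated code to analyze.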