Analysis process

There are four distinct phases that make up the analysis process:

  1. Build Integration—Choose whether to integrate OpenText SAST into your build tool. For descriptions of build integration options, see Integrating into a Build.
  2. Translation—Gathers source code using a series of commands and translates it into an intermediate format associated with a build ID. The build ID is usually the name of the project you are translating. For more information, see About the Translation Phase.
  3. Analysis—Scans source files identified in the translation phase and generates an analysis result file (typically in the Fortify Project Results (FPR) format). FPR files have the .fpr extension. For more information, see About the Analysis Phase.
  4. Verification of translation and analysis—Verifies that the source files were scanned using the correct Rulepacks and that no errors were reported. For more information, see About Verification of the Translation and Analysis Phase.

OpenText recommends that you run the translation and analysis commands from a user account with least-privilege access. Do not run OpenText SAST as root, and do not translate a project whose build requires root access: when you integrate with a build tool, the translation step executes the project's build, so any build script would run with root privileges, and OpenText SAST itself might not work properly as root.

The following is the fundamental sequence of commands to translate and analyze code:

  1. Remove all existing OpenText SAST temporary files for the specified build ID.

    sourceanalyzer -b MyProject -clean

    Always run this step before reusing a build ID from an earlier run; otherwise the translated files left over from that run are combined with the new translation and the analysis no longer reflects the current sources.

  2. Translate the project code.

    sourceanalyzer -b MyProject <files_to_analyze>

    For most languages, this step can consist of multiple calls to sourceanalyzer with the same build ID. For more details, see About the Translation Phase.

  3. Analyze the project code and save the results in a Fortify Project Results (FPR) file.

    sourceanalyzer -b MyProject -scan -f MyResults.fpr

    For more information, see About the Analysis Phase.
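The three commands above, plus the verification step from the phase list, as one POSIX shell script. This is an added example, not a script shipped with OpenText SAST: it stops at the first failing step, refuses to run as root, writes a log per step, and checks that the FPR was written and that the logs carry no error lines. The SOURCEANALYZER variable, the per-step log names and the "[error]" pattern grepped from the log are assumptions of this example, not documented behaviour; the -logfile option is a real sourceanalyzer option.

```shell
#!/bin/sh
# Added example (not OpenText's own tooling): runs the clean / translate / scan
# sequence as one script and adds the checks a practitioner wants.
# Assumptions, not documented behaviour: the SOURCEANALYZER variable, the
# per-step log names, and the '[error]' pattern grepped from the logs.
set -eu

# Path to the analyzer binary; override with SOURCEANALYZER=/path/to/sourceanalyzer.
SOURCEANALYZER="${SOURCEANALYZER:-sourceanalyzer}"

# Translation drives the project's build, so refuse to hand it root privileges.
refuse_root() {
    if [ "$(id -u)" -eq 0 ]; then
        echo "refusing to run OpenText SAST as root" >&2
        return 1
    fi
}

# Returns 0 only if every step succeeded, the FPR exists and the logs are clean.
# Arguments: build ID, output FPR path, log prefix, then the files to translate.
fortify_scan() {
    build_id=$1
    out_fpr=$2
    logprefix=$3
    shift 3

    # 1. Remove intermediate files left by an earlier run with this build ID;
    #    without this, stale translations would be mixed into the new analysis.
    "$SOURCEANALYZER" -b "$build_id" -clean || return 1

    # 2. Translate the sources into the intermediate format for this build ID.
    #    For most languages this call can be repeated with the same build ID.
    "$SOURCEANALYZER" -b "$build_id" -logfile "$logprefix.translate.log" "$@" || return 1

    # 3. Analyze the translated code and write the results as an FPR file.
    "$SOURCEANALYZER" -b "$build_id" -scan -logfile "$logprefix.scan.log" \
        -f "$out_fpr" || return 1

    # 4. Verification: the result file must exist and be non-empty ...
    if [ ! -s "$out_fpr" ]; then
        echo "no FPR written to $out_fpr" >&2
        return 1
    fi
    # ... and neither log may contain an error line (pattern is an assumption;
    # adjust it to the log format of your OpenText SAST version).
    for log in "$logprefix.translate.log" "$logprefix.scan.log"; do
        if [ -f "$log" ] && grep -qi '\[error\]' "$log"; then
            echo "errors reported in $log" >&2
            return 1
        fi
    done
    return 0
}
```

Source the script and call `refuse_root && fortify_scan MyProject MyResults.fpr sa src/*.java`; the function leaves sa.translate.log and sa.scan.log beside the FPR for the Rulepack check that the verification phase asks for.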