Modular analysis
This release includes a technology preview of modular analysis. With modular analysis, you can pre-scan libraries (and sublibraries) separately from your core project and then include the pre-scanned libraries when you scan the core project. Because the libraries are not rescanned every time you scan the core project, core project analysis performance might improve. Modular analysis also lets you scan a project that references a library without the library's source code, its OpenText SAST translated files, or the custom rules used to scan the library. As a result, you only need to audit issues in your core application: the analysis results are limited to code that you directly control, so issues in code that you do not own are not reported against your project.
Modular analysis is currently available for libraries and applications developed in Java and Jakarta EE (Java EE).
In this release, you might not see any performance improvements from modular analysis. OpenText is working to optimize the performance of modular analysis in future releases.
You must rescan your libraries whenever you:
- Update to a new version of OpenText SAST
- Update your Fortify security content
- Change the libraries
Modular command-line examples
To translate and scan a library separately, type:
sourceanalyzer -b LibA MyLibs/A/*.java
sourceanalyzer -b LibA -scan-module
To translate and scan the core project and include multiple pre-scanned libraries:
sourceanalyzer -b MyProj MyProj/*.java
sourceanalyzer -b MyProj -scan -include-modules LibA,LibB
For a description of the options shown in the previous examples, see Analysis Options.
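The following wrapper script is an added example, not part of this documentation or of OpenText SAST itself. It ties the two command-line sequences above to the rescan rules listed earlier: a library module is re-translated and re-scanned with -scan-module only when a fingerprint of its sources, the OpenText SAST version, and the security content version changes; the core project is then scanned with -include-modules. The fingerprint scheme, the .sca-modules stamp directory, the SOURCEANALYZER variable, and the way the SAST and rules versions are passed in are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not OpenText's own tooling): keep pre-scanned library modules
# current and scan the core project against them.
# Assumptions: the path to sourceanalyzer comes from $SOURCEANALYZER, stamp
# files live under $STAMP_DIR, and the caller supplies the SAST version and
# the security content version as plain strings.
SOURCEANALYZER="${SOURCEANALYZER:-sourceanalyzer}"
STAMP_DIR="${STAMP_DIR:-.sca-modules}"

# Fingerprint of a library: checksum of every .java file under $1 plus the
# SAST version ($2) and the security content version ($3). Any change in
# these three inputs is a reason to rescan the library.
module_fingerprint() {
    {
        find "$1" -type f -name '*.java' | LC_ALL=C sort | while read -r f; do
            cksum "$f"
        done
        printf 'sast=%s\nrules=%s\n' "$2" "$3"
    } | cksum | awk '{print $1}'
}

# Translate and scan library $2 under build ID $1 only when its fingerprint
# differs from the recorded one. Prints "cached" or "rescanned".
ensure_module() {
    build_id="$1"; src_dir="$2"; sast_ver="$3"; rules_ver="$4"
    mkdir -p "$STAMP_DIR"
    stamp="$STAMP_DIR/$build_id.fingerprint"
    fp=$(module_fingerprint "$src_dir" "$sast_ver" "$rules_ver")
    if [ -f "$stamp" ] && [ "$(cat "$stamp")" = "$fp" ]; then
        echo cached
        return 0
    fi
    # Drop stale intermediate files, translate, then scan as a module.
    "$SOURCEANALYZER" -b "$build_id" -clean
    "$SOURCEANALYZER" -b "$build_id" "$src_dir"/*.java
    "$SOURCEANALYZER" -b "$build_id" -scan-module
    printf '%s\n' "$fp" > "$stamp"
    echo rescanned
}

# Translate and scan the core project $2 under build ID $1, including the
# comma-separated pre-scanned modules in $3; results go to <build ID>.fpr.
scan_core() {
    build_id="$1"; src_dir="$2"; modules="$3"
    "$SOURCEANALYZER" -b "$build_id" -clean
    "$SOURCEANALYZER" -b "$build_id" "$src_dir"/*.java
    "$SOURCEANALYZER" -b "$build_id" -scan -include-modules "$modules" -f "$build_id.fpr"
}

# Typical use (paths and versions are placeholders):
#   ensure_module LibA MyLibs/A 24.2 2024.1
#   ensure_module LibB MyLibs/B 24.2 2024.1
#   scan_core MyProj MyProj LibA,LibB
```

Bump the SAST or security content version argument after an upgrade and every module is rescanned on the next run; touching a library source file has the same effect, while an unchanged library is skipped and only the core project is scanned.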