Scanning large and complex projects

Exceptionally large codebases might require some configuration to ensure a complete scan, including using OpenText SAST to scan the code in smaller sections. While Fortify Audit Workbench enables you to edit OpenText SAST command options, you can handle large, complex scans more successfully directly through the command console. In addition, if a system has memory constraints, OpenText SAST must compete with Fortify Audit Workbench for resources, which might result in slow or failed scans.

Use the Advanced Static Analysis wizard for projects that have source code in multiple directories, special translation or build requirements, or that have files that you want to exclude from the project.

Fortify Audit Workbench filters out unsupported files within the selected source code directories.

To scan a new project:

  1. Start Fortify Audit Workbench.
  2. Under Start New Project, click Advanced Scan.

  3. Select the root directory of the project, and then click Select Folder.

    The Advanced Static Analysis wizard opens.

    The following image shows the wizard options when you select a Java project. The options are different for other programming languages.

    Advanced Static Analysis wizard

    The wizard automatically includes all supported files in the scan.

  4. (Optional) To add files from another directory:

    1. Click Add Directory.

    2. Select the folder that contains the files you want to add to the scan, and then click Select Folder.

      The navigation pane displays the directory and Fortify Audit Workbench adds all supported files to the scan. (To remove the directory, right-click the folder, and then select Remove Root.)

  5. (Optional) To exclude files or directories that contain, for example, test source code, right-click the file or directory, and then click Exclude.
  6. For Java projects, set the following:

    1. Select the build directories and JAR files, and then click Classpath Directory.

      The folder turns blue, and the files are added to the class path.

      If you do not select the classpath directory, OpenText SAST uses the CLASSPATH environment variable value.

    2. From the Java Version list, select the Java version of the project.
  7. In the Build ID box, type a build ID.

    The root directory is the default build ID.

  8. To specify a different output file path than the default, in the Output file box, type the path and file name for the FPR file that OpenText SAST will generate.
  9. To perform a quick scan, select the Enable Quick Scan Mode check box.

    For information about quick scans, see Quick Scan Mode.

  10. Click Next.

    The analysis process includes the following phases:

    • During the clean phase, OpenText SAST removes files left over from a previous translation of the project.
    • During the translation phase, OpenText SAST translates the source code identified on the previous page into an intermediate format that is associated with a build ID. The build ID typically identifies the project.
    • During the scan phase, OpenText SAST scans the source files identified during the translation phase and generates analysis results in the Fortify Project Results (FPR) format.
  11. (Optional) To skip an analysis phase, clear the Enable clean, Enable translation, or Enable scan check box.

    For example, if the security content has changed but the project has not changed, you might want to skip both the clean and the translation phases so that OpenText SAST scans the project without translating it again.

  12. Modify the command-line options for each OpenText SAST analysis phase to suit your requirements.
  13. (Optional) To specify the amount of memory OpenText SAST uses for analysis:

    1. Click Configure Memory.

    2. Adjust the slider to the amount of memory required.

      Fortify Audit Workbench displays the amount of memory you set for OpenText SAST followed by the amount of memory on your system.

    3. Click OK.
  14. (Optional) To analyze the source code using an installed custom Rulepack, or to turn off a Rulepack, do the following:

    1. Click Configure Rulepacks.

      The Additional Options dialog box opens.

    2. In the Installed Fortify Security Content list, clear the check boxes that correspond to any Rulepacks you want to make unavailable during the scan.

      For instructions on how to add custom security content, see Importing Custom Security Content.

    3. Click OK.
  15. From the Advanced Static Analysis wizard, click Next.

    Advanced Static Analysis Scan Settings page
  16. Select your scan settings, and then click Scan.

OpenText SAST starts the scan and displays progress information throughout the process. If OpenText SAST encounters any problems scanning the source code, it displays a warning.

After the scan is complete, Fortify Audit Workbench loads the audit project and displays the analysis results.
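For large projects that the introduction recommends running from the command console, the following POSIX sh wrapper is an added example (not an OpenText script) that drives the same clean, translation and scan phases as the wizard, with variables standing in for each wizard setting. It assumes sourceanalyzer is on PATH and that -b, -clean, -Xmx, -cp, -jdk, -exclude, -scan, -f, -quick and -rules are the documented sourceanalyzer options; the build ID, paths and file names are constructed samples.

```sh
#!/bin/sh
# Added example wrapper around the sourceanalyzer command console.
# Assumes the sourceanalyzer options named in the lead-in; all values
# below are constructed samples, not values from a real project.

DO_CLEAN=${DO_CLEAN:-1}          # mirrors the Enable clean check box
DO_TRANSLATE=${DO_TRANSLATE:-1}  # mirrors the Enable translation check box
DO_SCAN=${DO_SCAN:-1}            # mirrors the Enable scan check box
DRY_RUN=${DRY_RUN:-0}            # 1 = print each command instead of running it

BUILD_ID=${BUILD_ID:-sample-webapp}                           # step 7
SRC_DIR=${SRC_DIR:-src}                                       # step 3
CLASSPATH_DIRS=${CLASSPATH_DIRS:-"build/classes:lib/*.jar"}  # step 6.1
JAVA_VERSION=${JAVA_VERSION:-11}                              # step 6.2
EXCLUDE=${EXCLUDE:-"src/test/**/*"}                           # step 5
MEMORY=${MEMORY:-4G}                                          # step 13
OUTPUT=${OUTPUT:-"$BUILD_ID.fpr"}                             # step 8
QUICK=${QUICK:-0}                                             # step 9
CUSTOM_RULES=${CUSTOM_RULES:-}                                # step 14

run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Clean phase: drop intermediate files left by a previous translation.
fortify_clean() { run sourceanalyzer -b "$BUILD_ID" -clean; }

# Translation phase: build the intermediate model tied to the build ID.
fortify_translate() {
  run sourceanalyzer -b "$BUILD_ID" "-Xmx$MEMORY" -cp "$CLASSPATH_DIRS" \
      -jdk "$JAVA_VERSION" -exclude "$EXCLUDE" "$SRC_DIR"
}

# Scan phase: analyze the translated model and write the FPR file.
fortify_scan() {
  set -- sourceanalyzer -b "$BUILD_ID" "-Xmx$MEMORY" -scan -f "$OUTPUT"
  if [ "$QUICK" = 1 ]; then set -- "$@" -quick; fi
  if [ -n "$CUSTOM_RULES" ]; then set -- "$@" -rules "$CUSTOM_RULES"; fi
  run "$@"
}

# With DO_CLEAN=0 DO_TRANSLATE=0 only the scan reruns, e.g. after a
# security-content update when the source has not changed (step 11).
fortify_pipeline() {
  if [ "$DO_CLEAN" = 1 ]; then fortify_clean; fi
  if [ "$DO_TRANSLATE" = 1 ]; then fortify_translate; fi
  if [ "$DO_SCAN" = 1 ]; then fortify_scan; fi
}

if [ "${1:-}" = run ]; then fortify_pipeline; fi
```

Invoke the script with `run` as its first argument to execute the phases, or set DRY_RUN=1 first to review the exact sourceanalyzer command lines before committing a multi-hour scan.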