Scanning projects locally
This topic describes how to use the Fortify Analysis Plugin to analyze your Java source code using the locally installed OpenText SAST to uncover security vulnerabilities.
OpenText strongly recommends that you periodically update the security content, which contains Rulepacks and external metadata. For information about how to update security content, see Updating Fortify Security Content.
If your project is an Android Gradle project, build the release target for the project so that the final project artifacts are generated before the scan. Doing this provides more accurate analysis results. You can either build the release target manually, before you start the scan, or later, as described in the following procedure.
To scan a project on the local system:
1. Do one of the following:
   - Select Tools > Fortify > Analyze Project.
   - Right-click a module, and then select Analyze Module.
2. If your project is an Android Gradle project, the plugin prompts you to build the release target for the project so that the final project artifacts are generated. In the Rebuild the release target dialog box, click Yes.
3. If prompted, specify the path to the OpenText SAST executable, and then click OK.

   The OpenText SAST scan starts. The progress bar at the bottom of the window displays the progress of events during the scan. After the scan is completed, the Fortify Analysis Plugin saves the resulting Fortify Project Results (FPR) file. By default, the analysis results are saved in the source project folder. You can specify a different output location before you start a scan (see Configuring Advanced Local Analysis Options).
4. If the Fortify Analysis Plugin is configured to synchronize with Fortify Software Security Center:
   - If prompted to log in to Fortify Software Security Center:
     - If you have not already configured the URL for Fortify Software Security Center, type the server URL in the SSC URL box.
     - From the Login method menu, select the login method set up for you on Fortify Software Security Center.
     - Depending on the selected login method, follow the procedure described in the following table.

       | Login Method | Procedure |
       | --- | --- |
       | Username/Password | Type your Fortify Software Security Center user name and password. |
       | Authentication Token | Specify the decoded value of a Fortify Software Security Center authentication token of type ToolsConnectToken. For instructions about how to create an authentication token from Fortify Software Security Center, see the OpenText™ Fortify Software Security Center User Guide. |

   - Select the application version that corresponds to your IntelliJ or Android Studio project, and then click OK.

   If you have turned off synchronize project with Fortify Software Security Center, you can configure the connection later, and then upload the analysis results (see Uploading Analysis Results to Fortify Software Security Center).