Displaying Analysis Results Information from an FPR File

The FPRUtility -information option displays information about the analysis results. You can obtain information to:

  • Validate signatures
  • Examine any errors associated with the FPR
  • Obtain the number of issues for each analyzer, vulnerability category, or custom grouping
  • Obtain a list of issues (with some basic information). You can filter this list.
  • Obtain a list of issues (with additional metadata). You can filter this list.
  • Obtain the list of analyzed files and the number of lines of code (LOC) for each file. You can also compare the LOC with another FPR.

To display signature information for the analysis:

FPRUtility -information -signature -project <project>.fpr -f <output>.txt

To display a full analysis error report for the FPR:

FPRUtility -information -errors -project <project>.fpr -f <output>.txt

To display the number of issues per vulnerability category or analyzer:

FPRUtility -information -categoryIssueCounts -project <project>.fpr
FPRUtility -information -analyzerIssueCounts -project <project>.fpr

To display the number of issues for a custom grouping based on a search:

FPRUtility -information -search -query <search_expression> \
[-categoryIssueCounts] [-analyzerIssueCounts] \
[-includeSuppressed] [-includeRemoved] \
-project <project>.fpr -f <output>.txt

By default, the result does not include suppressed and removed issues. To include suppressed or removed issues, use the -includeSuppressed or -includeRemoved options.

To display information for issues in CSV format:

FPRUtility -information -listIssues \
-search [-queryAll | -query <search_expression>] \
[-categoryIssueCounts] [-analyzerIssueCounts] \
[-includeSuppressed] [-includeRemoved] \
-project <project>.fpr -f <output>.csv -outputFormat CSV

To display information for all issues from the most recent scan (excluding suppressed and removed issues) using the Quick View filter set:

FPRUtility -information -listIssues \
-search -queryAllExistingUnsuppressed \
-filterSet "Quick View" \
[-categoryIssueCounts] [-analyzerIssueCounts] \
-project <project>.fpr -f <output>.txt

To display a comparison of the number of lines of code for analyzed files in two FPRs:

FPRUtility -information -loc -project <project>.fpr \
-compareTo <oldproject>.fpr -f <output>.txt

FPRUtility Information Options

The following table lists the FPRUtility options that apply to project information. Specify one of the following options to indicate what information to display with the -information command:

FPRUtility Option    Description

-information

Required. Displays information for the project. 

-signature

Displays the signature for analysis results and rules.

-mappings

Displays the migration mappings report.

-errors

Displays a full error report for the FPR.

-versions

Displays the OpenText SAST and OpenText Secure Coding Rulepacks versions used in the static scan.

-functionsMeta

Displays all functions that the static analyzer encountered, in CSV format. To filter which functions are displayed, include -excludeCoveredByRules and/or -excludeFunctionsWithSource.

-categoryIssueCounts

Displays the number of issues for each vulnerability category.

-analyzerIssueCounts

Displays the number of issues for each analyzer.

-search <query_option>
  • Use -search -query <search_expression> to display the number of issues in the result of your specified search expression. To display the number of issues per vulnerability category or analyzer, add the optional -categoryIssueCounts and -analyzerIssueCounts options to the search option. Use the -includeSuppressed and -includeRemoved options to include suppressed or removed issues.

  • Use -search -queryAll to search all the issues in the FPR including suppressed and removed issues.

  • Use -search -queryAllExistingUnsuppressed to search all the issues in the FPR excluding suppressed and removed issues.

-loc

Displays the list of analyzed files, each with its number of lines of code (LOC), in the following format:

<filename>: <total_loc> (<executable_loc>)

where <total_loc> is the approximate number of lines that contain code constructs (comments are excluded).

Ignore the <executable_loc> metric. It is no longer used.

For FPR files created using OpenText SAST version 24.2 and later, the <executable_loc> value always matches the <total_loc> value. Also, <total_loc> includes all lines of code (including comments and blank lines).

Use -compareTo <project>.fpr with this option to compare the number of lines of code with another FPR. The comparison output includes the following information:

  • + indicates new analyzed files

  • - indicates removed analyzed files

  • * indicates files with a different number of lines of code. The difference in the number of lines of code is shown next to the LOC numbers as +N or -N. For example:

    * ProjectA/main.jsp: 115 +15 (85 +15)

    In the previous example, the comparison shows that the number of lines of code in main.jsp is different between the two FPR files. There are 15 additional total LOC.

-project <project>.fpr

Specifies the FPR from which to extract the results information.

-listIssues

Displays the location for each issue in one of the following formats:

<sink_filename>:<line_num> or

<sink_filename>:<line_num> (<category><analyzer>)

You can also use the -listIssues option with -search and with both issueCounts grouping options. If you group by -categoryIssueCounts, then the output includes (<analyzer>), and if you group by -analyzerIssueCounts, then the output includes (<category>).

If you specify the -outputFormat CSV option, then each issue is displayed on one line in the format:

"<instanceid>", "<category>", "<sink_filename>:<line_num>", "<analyzer>"

-listIssuesWithMetadata

Displays the location for each issue with the following additional metadata:

<audience>, <confidence>, <friority>, <likelihood>, <impact>, <probability>, <accuracy>

Use one of the following formats:

<sink_filename>:<line_num> or

<sink_filename>:<line_num> (<category><analyzer>|<audience>|<friority>)

You can also use the -listIssuesWithMetadata option with -search and with both issueCounts grouping options. If you group by -categoryIssueCounts, then the output includes (<analyzer>), and if you group by -analyzerIssueCounts, then the output includes (<category>).

If you specify the -outputFormat CSV option, then each issue is displayed on one line in the format:

"<instanceid>", "<category>", "<audience>", "<confidence>", "<friority>", "<likelihood>", "<impact>", "<probability>", "<accuracy>", "<sink_filename>:<line_num>", "<analyzer>"
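The CSV layouts above (for -listIssues and for -listIssuesWithMetadata) are what a pipeline usually consumes after the scan, for example to fail a build when a particular vulnerability category is present. The following script is an added example, not part of the FPRUtility documentation or the tool itself: it post-processes a CSV written with -outputFormat CSV, counting issues per category and per analyzer and gating on one category. The CSV rows, instance IDs, file names and metadata values are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the FPRUtility documentation): post-process the CSV
# produced by "-listIssues ... -outputFormat CSV" or
# "-listIssuesWithMetadata ... -outputFormat CSV" without re-running the scan.

# Constructed sample output: two rows in the -listIssues layout
#   "<instanceid>", "<category>", "<sink_filename>:<line_num>", "<analyzer>"
# and one row in the -listIssuesWithMetadata layout
#   "<instanceid>", "<category>", "<audience>", "<confidence>", "<friority>",
#   "<likelihood>", "<impact>", "<probability>", "<accuracy>",
#   "<sink_filename>:<line_num>", "<analyzer>"
SAMPLE_CSV='"A1B2C3D4", "SQL Injection", "src/db/Query.java:42", "dataflow"
"E5F6A7B8", "Cross-Site Scripting: Reflected", "src/web/Echo.java:17", "dataflow"
"C9D0E1F2", "SQL Injection", "dev", "4.0", "Critical", "2.8", "4.5", "3.0", "4.0", "src/db/Report.java:88", "semantic"'

# Every field is double-quoted, so splitting on the quote character puts the
# category in field 4 and the analyzer in the last quoted field for both
# layouts. Rows with fewer than four quoted fields are ignored.

# Issue count per vulnerability category (CSV on stdin), highest first.
count_by_category() {
    awk -F'"' 'NF >= 8 { n[$4]++ } END { for (c in n) printf "%d %s\n", n[c], c }' | sort -rn
}

# Issue count per analyzer (CSV on stdin), highest first.
count_by_analyzer() {
    awk -F'"' 'NF >= 8 { n[$(NF-1)]++ } END { for (a in n) printf "%d %s\n", n[a], a }' | sort -rn
}

# Number of rows whose category exactly equals $1 (CSV on stdin).
count_category() {
    awk -F'"' -v want="$1" 'NF >= 8 && $4 == want { c++ } END { print c + 0 }'
}

# Gate: return 1 when the CSV file ($1) contains any issue of category $2.
fail_on_category() {
    csv_file="$1"
    category="$2"
    hits=$(count_category "$category" < "$csv_file")
    if [ "$hits" -gt 0 ]; then
        echo "FAIL: $hits '$category' issue(s) in $csv_file"
        return 1
    fi
    echo "OK: no '$category' issues in $csv_file"
}

# Stand-alone demo over the constructed sample.
printf '%s\n' "$SAMPLE_CSV" | count_by_category
printf '%s\n' "$SAMPLE_CSV" | count_by_analyzer
```

In a real pipeline, replace the constructed sample with the file written by -f <output>.csv and call fail_on_category on it; because the analyzer is taken from the last quoted field, the same functions work whether the CSV came from -listIssues or from -listIssuesWithMetadata.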

-filterSet <filterset_name>

Displays only the issues and counts that pass the filters specified in the filter set. Filter sets are ignored without this option.

You must use -search with this option.

-f <output>

Specifies the output file. The default is System.out.

-outputFormat TEXT | CSV

Specifies the output format. The default value is TEXT.

-debug

Displays debug information that can be helpful to troubleshoot issues with FPRUtility.

FPRUtility Signature Exit Codes

Upon completion of the -information -signature command, FPRUtility provides one of the exit codes described in the following table.

Exit Code   Description
0           The project is signed, and all the signatures are valid.
1           The project is signed, and some, but not all, of the signatures passed the validity test.
2           The project is signed, but none of the signatures are valid.
3           The project had no signatures to validate.
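The -information -signature command (shown near the top of this page) and the exit codes in this table are what a pipeline relies on to decide whether an FPR can be trusted before its results are consumed. The following script is an added example, not part of the FPRUtility documentation or the tool itself: it runs the signature check, translates the exit code into the documented meaning, and only treats exit code 0 as a trustworthy result. It assumes FPRUtility is on PATH; the FPR path and report file name are placeholders supplied on the command line.

```shell
#!/bin/sh
# Added example (not from the FPRUtility documentation): gate a pipeline on
# the exit codes of "FPRUtility -information -signature".
# Assumes FPRUtility is on PATH; "$1" is the FPR to check and "$2" an
# optional report file (both placeholders chosen by the caller).

# Map a -signature exit code to the meaning documented for it.
signature_verdict() {
    case "$1" in
        0) echo "signed: all signatures valid" ;;
        1) echo "signed: some, but not all, signatures valid" ;;
        2) echo "signed: no signature is valid" ;;
        3) echo "unsigned: no signatures to validate" ;;
        *) echo "unexpected exit code $1" ;;
    esac
}

# Only exit code 0 means every signature validated; a partially valid (1),
# invalid (2) or unsigned (3) FPR is treated as failing the integrity check,
# because all three leave the results' origin unverified.
signature_is_trusted() {
    [ "$1" -eq 0 ]
}

# Run the signature check, print the verdict and return the tool's exit code.
check_fpr_signature() {
    fpr="$1"
    report="$2"
    FPRUtility -information -signature -project "$fpr" -f "$report"
    rc=$?
    echo "$fpr: $(signature_verdict "$rc") (details in $report)"
    return "$rc"
}

# Usage: sh check_signature.sh <project>.fpr [signature-report.txt]
# The check runs only when an FPR path is given and FPRUtility is installed.
if [ -n "$1" ] && command -v FPRUtility >/dev/null 2>&1; then
    check_fpr_signature "$1" "${2:-signature-report.txt}"
    rc=$?
    if signature_is_trusted "$rc"; then
        echo "OK: analysis results can be consumed"
    else
        echo "REJECT: do not consume these analysis results"
        exit "$rc"
    fi
fi
```

Because the script exits with the tool's own code on anything other than 0, the pipeline log keeps the distinction between a partially signed, an invalidly signed and an unsigned FPR, which matters when deciding whether the file was tampered with or simply never signed.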