Fortify Java annotations

OpenText provides two versions of the Fortify Java annotations library.

  • Annotations with the retention policy set to CLASS (FortifyAnnotations-CLASS.jar).

    With this version of the library, Fortify Java annotations are propagated to the bytecode during compilation.

  • Annotations with the retention policy set to SOURCE (FortifyAnnotations-SOURCE.jar).

    With this version of the library, Fortify Java annotations are not propagated to the bytecode after the code that uses them is compiled.

If you use OpenText Application Security Software products to analyze bytecode of your applications (for example, with OpenText™ Core Application Security assessments), then use the version with the annotation retention policy set to CLASS. If you use OpenText Application Security Software products to analyze the source code of your applications, you can use either version of the library. However, OpenText strongly recommends that you use the library with a retention policy set to SOURCE.

It is a security risk to leave Fortify Java annotations in production code because they can leak information about potential security problems in the code. OpenText recommends that you use annotations with the retention policy set to CLASS only for internal analysis, and never use them in your application production builds.
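The following program is an added illustration of the CLASS versus SOURCE retention difference described above; it is not part of this documentation or of the Fortify annotations library. It declares two hypothetical marker annotations of its own (`ClassRetained` and `SourceRetained`, not Fortify's annotation names), applies both to a method, and then inspects its own compiled `.class` file. The CLASS-retained marker is absent to reflection but still present in the class file, where `javap -v` or a decompiler can read it; the SOURCE-retained marker leaves no trace in the artifact. It assumes Java 11 or later and the default package.

```java
import java.io.InputStream;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;
import java.nio.charset.StandardCharsets;

public class RetentionDemo {

    // Hypothetical marker annotations (not Fortify's own) that mirror the two
    // retention policies of the FortifyAnnotations-CLASS and -SOURCE jars.
    @Retention(RetentionPolicy.CLASS)
    @Target(ElementType.METHOD)
    @interface ClassRetained {}

    @Retention(RetentionPolicy.SOURCE)
    @Target(ElementType.METHOD)
    @interface SourceRetained {}

    // A method carrying both markers: the kind of "this handles sensitive data"
    // hint an analyzer wants to see, and that you would not want to ship.
    @ClassRetained
    @SourceRetained
    static String handleSecret(String value) {
        return value;
    }

    /**
     * Returns true if the descriptor of the given annotation type (for example
     * "LRetentionDemo$ClassRetained;") occurs in this class's compiled bytes.
     * CLASS-retained annotations are stored in a RuntimeInvisibleAnnotations
     * attribute whose type descriptor lands in the constant pool as a UTF8 entry.
     */
    static boolean retainedInBytecode(Class<?> annotationType) throws Exception {
        // Build the descriptor at runtime so the search string itself is not a
        // literal in the constant pool (which would make the check trivially true).
        String descriptor = "L" + annotationType.getName().replace('.', '/') + ";";
        byte[] raw;
        try (InputStream in = RetentionDemo.class.getResourceAsStream("RetentionDemo.class")) {
            raw = in.readAllBytes();
        }
        // ISO-8859-1 decoding maps each byte to one char, so ASCII descriptors
        // survive byte-for-byte and a plain substring search is sufficient.
        return new String(raw, StandardCharsets.ISO_8859_1).contains(descriptor);
    }

    /** Returns true if reflection can see the annotation at runtime (neither policy here is RUNTIME). */
    static boolean visibleToReflection(Class<? extends java.lang.annotation.Annotation> annotationType)
            throws Exception {
        Method m = RetentionDemo.class.getDeclaredMethod("handleSecret", String.class);
        return m.getAnnotation(annotationType) != null;
    }

    public static void main(String[] args) throws Exception {
        // Neither marker is RUNTIME-retained, so reflection reports nothing for either...
        System.out.println("reflection sees @ClassRetained:  " + visibleToReflection(ClassRetained.class));   // false
        System.out.println("reflection sees @SourceRetained: " + visibleToReflection(SourceRetained.class));  // false

        // ...but only the CLASS-retained marker survives in the shipped artifact.
        System.out.println("bytecode contains @ClassRetained:  " + retainedInBytecode(ClassRetained.class));   // true
        System.out.println("bytecode contains @SourceRetained: " + retainedInBytecode(SourceRetained.class));  // false
    }
}
```

Compile with `javac RetentionDemo.java` and run with `java RetentionDemo`. The `retainedInBytecode` check is the same kind of inspection an attacker with a copy of the jar could perform, which is why the SOURCE-retained library is the right choice for production builds when source code is what the analyzer consumes; as a release gate, scanning built jars for the Fortify annotation package's descriptors catches a CLASS-retained library that slipped into a production build.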

This section outlines the annotations available. A sample application is included in the OpenText_SAST_Fortify_Samples_<version>.zip archive in the advanced/javaAnnotations directory. A README.txt file included in the directory describes the sample application, problems that might arise from it, and how to fix these problems using Fortify Java annotations.

There are two limitations with Fortify Java annotations:

  • Each annotation can specify only one input and/or one output.
  • You can apply only one annotation of each type to the same target.

OpenText provides three main types of annotations:

You also can write rules to support your own custom annotations. Contact Customer Support for more information.