fortify-rules.properties

This topic describes the properties available for use in the fortify-rules.properties file.


Improving Results

Use these properties to modify the behavior of scan results: enable additional sets of rules, filter rules, or correlate results with OpenText DAST.

Property name Description

com.fortify.sca.rules.EnableRuleComments

If set to true, enables the ability to prevent issues from appearing in results by using // FortifyRemove() comments. For more information, see Filtering using FortifyRemove comments.

Value type: Boolean

Default: true
com.fortify.sca.rules.IsLibrary

If set to true, enables new entrypoint rules that add WEB, XSS, and PRIVATE taint to every public function variable (certain exclusions apply). Currently only Java and JVM languages are supported.

Value type: Boolean

Default: false

com.fortify.sca.rules.enablePQCRules

If set to true, enables rules that identify issues related to post-quantum cryptographic threats. See the security content updates and documentation for details, including which languages and libraries are supported.

Value type: Boolean

Default: false

DAST Correlation & Verification

Property name Description
com.fortify.sca.rules.enable_wi_correlation

If set to true and OpenText SAST scans an application that uses a supported framework, a results file is produced that can be imported into OpenText™ Dynamic Application Security Testing to improve its results.

Value type: Boolean

Default: false

Google Cloud Function Integration

When scanning Google Cloud Functions, either provide a JSON or YAML cloud build config file or set the properties in the table below to optimize results.

Property name Description
com.fortify.sca.rules.GCPFunctionName

Name of the serverless function called when no JSON/YAML cloud build config file exists.

Value type: String

Default: (none)

com.fortify.sca.rules.GCPHttpTrigger

Set to true to indicate that the scanned cloud function is an HTTP trigger.

Value type: Boolean

Default: false

Properties to Customize Regular Expressions

Although many techniques are used to identify vulnerabilities in code, some rules must rely on regular expressions to find identifiers in code, and these expressions can often be configured through properties. The following table lists the properties that modify the regular expressions used by the rules.

Set these properties in the fortify-rules.properties file rather than on the command line, to avoid clashes between regular expression and shell syntax.
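To try a default or custom value for one of these regex properties before it goes into the file, the following added example (not Fortify's own code) dry-runs the documented global password and key defaults, plus a hypothetical override, against constructed identifiers with Python's re module. It assumes the pattern is applied as an unanchored, case-insensitive search over identifier names; the page does not document Fortify's regex engine or matching mode, so that is an assumption of this example.

```python
import re

# Default values copied from the fortify-rules.properties documentation.
PASSWORD_REGEX_GLOBAL = (
    r"(?i)(s|_)?(user|usr|member|admin|guest|login|default|"
    r"new|current|old|client|server|proxy|sqlserver|"
    r"my|mysql|mongo|mongodb|db|database|ldap|smtp|"
    r"email|email(_)?smtp)?(_|\.)?(pass(wd|word|phrase)|secret)"
)
KEY_REGEX_GLOBAL = r"(?i)((enc|dec)(ryption|rypt)?|crypto|secret|private)(_)?key"

# Hypothetical override for com.fortify.sca.rules.password_regex.global that also
# covers the "passcode" and "pwd" naming used in this constructed code base. Under
# an unanchored search the optional prefix groups of the default only widen the
# matched span; which identifiers match is decided by the final alternation.
PASSWORD_REGEX_CUSTOM = r"(?i)(pass(wd|word|phrase|code)|pwd|secret)"

# Constructed sample identifiers; no real project is involved.
SAMPLE_IDENTIFIERS = [
    "dbPassword", "smtp_secret", "ldap.passwd",       # covered by the default
    "userPasscode", "adminPwd",                        # site convention, missed
    "ENCRYPTION_KEY", "privateKey", "keyboardLayout",  # key-regex cases
    "apiToken",                                        # not a password identifier
]

def flagged(regex, identifiers):
    """Identifiers the regex would flag (assumption: unanchored search)."""
    pattern = re.compile(regex)
    return [name for name in identifiers if pattern.search(name)]

def compare(old_regex, new_regex, identifiers):
    """What an override gains and loses relative to the regex it replaces,
    so false negatives are visible before the property is changed."""
    before = set(flagged(old_regex, identifiers))
    after = set(flagged(new_regex, identifiers))
    return {"added": sorted(after - before), "dropped": sorted(before - after)}

def config_variant(regex):
    """Strip a leading inline-modifier group such as (?i): the documentation for
    password_regex.config forbids modifiers and states the value is already
    case-insensitive, so a global pattern must be adapted before reuse there."""
    return re.sub(r"^\(\?[a-zA-Z]+\)", "", regex)

if __name__ == "__main__":
    print("default password regex flags:", flagged(PASSWORD_REGEX_GLOBAL, SAMPLE_IDENTIFIERS))
    print("default key regex flags:", flagged(KEY_REGEX_GLOBAL, SAMPLE_IDENTIFIERS))
    print("override delta:", compare(PASSWORD_REGEX_GLOBAL, PASSWORD_REGEX_CUSTOM, SAMPLE_IDENTIFIERS))
    print("config-safe form:", config_variant(PASSWORD_REGEX_GLOBAL))
```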

Property name Description

com.fortify.sca.rules.password_regex.global

The regular expression to match password identifiers across all languages unless a language-specific rules property is set.

Value type: String

Default: (?i)(s|_)?(user|usr|member|admin|guest|login|default|new|current|old|client|server|proxy|sqlserver|my|mysql|mongo|mongodb|db|database|ldap|smtp|email|email(_)?smtp)?(_|\.)?(pass(wd|word|phrase)|secret)

com.fortify.sca.rules.password_regex.abap

Regular expression to match password identifiers in ABAP code. Setting this property overrides the global regex password rules property.

Value type: String

Default: (value for com.fortify.sca.rules.password_regex.global)

com.fortify.sca.rules.password_regex.actionscript

Regular expression to match password identifiers in ActionScript code. Setting this property overrides the global regex password rules property.

Value type: String

Default: (value for com.fortify.sca.rules.password_regex.global)

com.fortify.sca.rules.password_regex.apex

Regular expression to match password identifiers in Salesforce Apex code. Setting this property overrides the global regex password rules property.

Value type: String

Default: (value for com.fortify.sca.rules.password_regex.global)

com.fortify.sca.rules.password_regex.cfml

Regular expression to match password identifiers in ColdFusion (CFML) code. Setting this property overrides the global regex password rules property.

Value type: String

Default: (none)

com.fortify.sca.rules.password_regex.cobol

Regular expression to match password identifiers in COBOL code. Setting this property overrides the global regex password rules property.

Value type: String

Default: (value for com.fortify.sca.rules.password_regex.global)

com.fortify.sca.rules.password_regex.config

Regular expression to match password identifiers in XML. Setting this property overrides the global regex password rules property. Do not use regular expression modifiers. The value is case-insensitive.

Value type: String

Default: (s|_)?(user|usr|member|admin|guest|login|default|new|current|old|client|server|proxy|sqlserver|my|mysql|mongo|mongodb|db|database|ldap|smtp|email|email(_)?smtp)?(_|\.)?pass(wd|word|phrase)

com.fortify.sca.rules.password_regex.cpp

Regular expression to match password identifiers in C and C++ code. Setting this property overrides the global regex password rules property.

Value type: String

Default: (value for com.fortify.sca.rules.password_regex.global)

com.fortify.sca.rules.password_regex.dart

Regular expression to match password identifiers in Dart code. Setting this property overrides the global regex password rules property.

Value type: String

Default: (value for com.fortify.sca.rules.password_regex.global)

com.fortify.sca.rules.password_regex.dotnet

Regular expression to match password identifiers in .NET code. Setting this property overrides the global regex password rules property.

Value type: String

Default: (value for com.fortify.sca.rules.password_regex.global)

com.fortify.sca.rules.password_regex.docker

Regular expression to match password identifiers in Dockerfiles. Setting this property overrides the global regex password rules property.

Value type: String

Default: .*pass(wd|word|phrase).*

com.fortify.sca.rules.password_regex.golang

Regular expression to match password identifiers in Go code. Setting this property overrides the global regex password rules property.

Value type: String

Default: (value for com.fortify.sca.rules.password_regex.global)

com.fortify.sca.rules.password_regex.java

Regular expression to match password identifiers in Java code. Setting this property overrides the global regex password rules property.

Value type: String

Default: (value for com.fortify.sca.rules.password_regex.global)

com.fortify.sca.rules.password_regex.javascript

Regular expression to match password identifiers in JavaScript and TypeScript code. Setting this property overrides the global regex password rules property.

Value type: String

Default: (value for com.fortify.sca.rules.password_regex.global)

com.fortify.sca.rules.password_regex.json

Regular expression to match password identifiers in JSON. Setting this property overrides the global regex password rules property.

Value type: String

Default: (?i).*pass(wd|word|phrase).*

com.fortify.sca.rules.password_regex.jsp

Regular expression to match password identifiers in JSP code. Setting this property overrides the global regex password rules property.

Value type: String

Default: (value for com.fortify.sca.rules.password_regex.global)

com.fortify.sca.rules.password_regex.objc

Regular expression to match password identifiers in Objective-C and Objective-C++ code. Setting this property overrides the global regex password rules property.

Value type: String

Default: (?i)(s|_)?(user|usr|member|admin|guest|login|default|new|current|old|client|server|proxy|sqlserver|my|mysql|mongo|mongodb|db|database|ldap|smtp|email|email(_)?smtp)?(_|\.)?(token|pin|pass(wd|word|phrase))

com.fortify.sca.rules.password_regex.php

Regular expression to match password identifiers in PHP code. Setting this property overrides the global regex password rules property.

Value type: String

Default: (value for com.fortify.sca.rules.password_regex.global)

com.fortify.sca.rules.password_regex.powershell

Regular expression to match password identifiers in PowerShell files. Setting this property overrides the global regex password rules property.

Value type: String

Default: (?i)([a-z_]*|\{.*)(pass(wd|word|phrase)|pwd)(.*\}|[a-z_]*)

com.fortify.sca.rules.password_regex.properties

Regular expression to match password identifiers in Properties files. Setting this property overrides the global regex password rules property.

Value type: String

Default: (value for com.fortify.sca.rules.password_regex.global)

com.fortify.sca.rules.password_regex.python

Regular expression to match password identifiers in Python code. Setting this property overrides the global regex password rules property.

Value type: String

Default: (value for com.fortify.sca.rules.password_regex.global)

com.fortify.sca.rules.password_regex.ruby

Regular expression to match password identifiers in Ruby code. Setting this property overrides the global regex password rules property.

Value type: String

Default: (value for com.fortify.sca.rules.password_regex.global)

com.fortify.sca.rules.password_regex.sql

Regular expression to match password identifiers in SQL code. Setting this property overrides the global regex password rules property.

Value type: String

Default: (value for com.fortify.sca.rules.password_regex.global)

com.fortify.sca.rules.password_regex.swift

Regular expression to match password identifiers in Swift code. Setting this property overrides the global regex password rules property.

Value type: String

Default: (?i)(s|_)?(user|usr|member|admin|guest|login|default|new|current|old|client|server|proxy|sqlserver|my|mysql|mongo|mongodb|db|database|ldap|smtp|email|email(_)?smtp)?(_|\.)?(token|pin|pass(wd|word|phrase))

com.fortify.sca.rules.password_regex.vb

Regular expression to match password identifiers in VB6 code. Setting this property overrides the global regex password rules property.

Value type: String

Default: (value for com.fortify.sca.rules.password_regex.global)

com.fortify.sca.rules.password_regex.yaml

Regular expression to match password identifiers in YAML. Setting this property overrides the global regex password rules property.

Value type: String

Default: (?i).*pass(wd|word|phrase).*

com.fortify.sca.rules.key_regex.global

The regular expression to match key identifiers across all languages unless a language-specific regex key rules property is set.

Value type: String

Default: (?i)((enc|dec)(ryption|rypt)?|crypto|secret|private)(_)?key

com.fortify.sca.rules.key_regex.abap

Regular expression to match key identifiers in ABAP code. Setting this property overrides the global regex key rules property.

Value type: String

Default: (value for com.fortify.sca.rules.key_regex.global)

com.fortify.sca.rules.key_regex.actionscript

Regular expression to match key identifiers in ActionScript code. Setting this property overrides the global regex key rules property.

Value type: String

Default: (value for com.fortify.sca.rules.key_regex.global)

com.fortify.sca.rules.key_regex.cfml

Regular expression to match key identifiers in CFML code. Setting this property overrides the global regex key rules property.

Value type: String

Default: (value for com.fortify.sca.rules.key_regex.global)

com.fortify.sca.rules.key_regex.cpp

Regular expression to match key identifiers in C and C++ code. Setting this property overrides the global regex key rules property.

Value type: String

Default: (value for com.fortify.sca.rules.key_regex.global)

com.fortify.sca.rules.key_regex.golang

Regular expression to match key identifiers in Go code. Setting this property overrides the global regex key rules property.

Value type: String

Default: (value for com.fortify.sca.rules.key_regex.global)

com.fortify.sca.rules.key_regex.java

Regular expression to match key identifiers in Java code. Setting this property overrides the global regex key rules property.

Value type: String

Default: (value for com.fortify.sca.rules.key_regex.global)

com.fortify.sca.rules.key_regex.javascript

Regular expression to match key identifiers in JavaScript and TypeScript code. Setting this property overrides the global regex key rules property.

Value type: String

Default: (value for com.fortify.sca.rules.key_regex.global)

com.fortify.sca.rules.key_regex.jsp

Regular expression to match key identifiers in JSP code. Setting this property overrides the global regex key rules property.

Value type: String

Default: (value for com.fortify.sca.rules.key_regex.global)

com.fortify.sca.rules.key_regex.objc

Regular expression to match key identifiers in Objective-C and Objective-C++ code. Setting this property overrides the global regex key rules property.

Value type: String

Default: (value for com.fortify.sca.rules.key_regex.global)

com.fortify.sca.rules.key_regex.php

Regular expression to match key identifiers in PHP code. Setting this property overrides the global regex key rules property.

Value type: String

Default: (value for com.fortify.sca.rules.key_regex.global)

com.fortify.sca.rules.key_regex.python

Regular expression to match key identifiers in Python code. Setting this property overrides the global regex key rules property.

Value type: String

Default: (value for com.fortify.sca.rules.key_regex.global)

com.fortify.sca.rules.key_regex.ruby

Regular expression to match key identifiers in Ruby code. Setting this property overrides the global regex key rules property.

Value type: String

Default: (value for com.fortify.sca.rules.key_regex.global)

com.fortify.sca.rules.key_regex.sql

Regular expression to match key identifiers in SQL code. Setting this property overrides the global regex key rules property.

Value type: String

Default: (value for com.fortify.sca.rules.key_regex.global)

com.fortify.sca.rules.key_regex.swift

Regular expression to match key identifiers in Swift code. Setting this property overrides the global regex key rules property.

Value type: String

Default: (value for com.fortify.sca.rules.key_regex.global)

com.fortify.sca.rules.key_regex.vb

Regular expression to match key identifiers in Visual Basic 6 code. Setting this property overrides the global regex key rules property.

Value type: String

Default: (value for com.fortify.sca.rules.key_regex.global)