Analyzing library code
Library code refers to reusable software components or modules that are designed to be integrated into other applications. Unlike application code, which contains the business logic and entry points of a specific program, library code is typically:
- Generic and reusable across multiple projects
- Lacking a main entry point (for example, a main() method)
- Consumed by other applications rather than run on its own (for example, utility classes, frameworks, SDKs)
Because library code is designed to be called by other application code, it rarely exposes interfaces through which user-controlled data enters on its own: its public methods are the interface, but nothing inside the library itself calls them. A SAST analysis of the library in isolation therefore sees few or no entry points and few or no sources of untrusted data, which limits the dataflow results it can report.
Library code and application code comparison

| Feature | Application code | Library code |
|---|---|---|
| Entry point | Typically, yes | No |
| Purpose | Implements business logic | Provides reusable functionality |
| Usage | Standalone or deployed | Embedded in other apps |
| Analysis focus | Full program behavior | API exposure and usage patterns |
Analyzing library code effectively
To scan library code effectively, configure OpenText SAST to treat the code as a library.
Translate the code as you normally would for its language; see the corresponding language section of this user guide for details.
Once ready to scan, set the following property during the scan step:
com.fortify.sca.rules.IsLibrary=true
When this property is enabled, the analysis engine simulates calls from an external application into the library's public API, so that data entering through that interface can be followed through the analysis. This produces a more thorough result set for a library than scanning it as though it were a standalone application. Enable it only for code you want analyzed as a library; ordinary application code with its own entry points does not need it, and the simulated calls can add incorrect flows (see Other use cases).
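The following Java class is added here as an illustration; it is not taken from the user guide or from any product. It is a self-contained library component with no main() method: nothing inside it calls readTemplate, so a scan that treats it as an application has no entry point to start from and no flow to report. The unchecked file-path construction from the caller-supplied name is a constructed weakness for this illustration, shown beside a hardened variant. With com.fortify.sca.rules.IsLibrary=true the analyzer simulates an external caller of the public API, which is what lets the flow from the name parameter to the File constructor be analyzed. The same shape applies to a handler method of a declarative endpoint framework the analyzer does not model: the method is public, its parameters arrive from outside, and nothing in the translated code calls it. The package, the TemplateStore class and its method names are assumptions for the example.

```java
package com.example.templatelib; // assumed package name for this example

import java.io.File;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;

/**
 * Minimal library component: no main() method, no web handler, and no
 * place where input enters from a user. Everything arrives through the
 * public API, which is exactly what an external application would call
 * and what library mode simulates.
 */
public final class TemplateStore {

    private final File baseDir;

    public TemplateStore(File baseDir) {
        this.baseDir = baseDir;
    }

    /**
     * Public API. The 'name' argument is chosen by the calling application and,
     * in a real deployment, may originate from a request. Scanned on its own,
     * the library contains no call to this method, so there is nothing to drive
     * the analysis. In library mode the parameter is analyzed as externally
     * supplied and its unchecked use in the File constructor can be reported.
     * The missing validation is deliberate for this illustration.
     */
    public String readTemplate(String name) throws IOException {
        File f = new File(baseDir, name); // "../../etc/passwd" is not rejected
        return new String(Files.readAllBytes(f.toPath()), StandardCharsets.UTF_8);
    }

    /**
     * Hardened variant of the same API: require a template-looking name and
     * confine the canonical path to baseDir before touching the file system.
     * This is the change a reviewer would expect once the library-mode scan
     * reports the flow in readTemplate.
     */
    public String readTemplateSafely(String name) throws IOException {
        if (name == null || !looksLikeTemplate(name)) {
            throw new IllegalArgumentException("not a template name: " + name);
        }
        File base = baseDir.getCanonicalFile();
        File f = new File(base, name).getCanonicalFile();
        // Path.startsWith compares whole path components, so "base-other/x"
        // does not pass as a child of "base".
        if (!f.toPath().startsWith(base.toPath())) {
            throw new IllegalArgumentException("template name escapes base directory: " + name);
        }
        return new String(Files.readAllBytes(f.toPath()), StandardCharsets.UTF_8);
    }

    /**
     * Private helper: not callable from outside the library, so even in
     * library mode it is reached only through the public methods above.
     */
    private static boolean looksLikeTemplate(String name) {
        return name.endsWith(".tmpl");
    }
}
```

Translate and scan a class like this exactly as you would an application; the only difference is the property on the scan step. If you use the sourceanalyzer command line, properties can be passed on the scan invocation as -D followed by the property name and value, or placed in fortify-sca.properties. Compare the result sets with and without the property to see which findings depend on the simulated external caller.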
Other use cases
In addition to libraries, many declarative endpoint frameworks (where handler methods are registered through annotations or configuration rather than invoked from a main() method) make application code look like library code to the analyzer: the handlers are public methods that nothing in the translated code calls.
If your web API uses a framework that we do not currently have coverage for (see [Supported technologies]), enabling this property may approximate that coverage by treating the handler methods as externally callable. Expect some additional incorrect flows, however, because the simulated calls are not limited to the real handlers; plan to triage the extra results.