Translation Options

The following table describes the translation options.

Translation Option Description

-b <build_id>

Specifies a build ID. Fortify Static Code Analyzer uses a build ID to track the files that are compiled and combined as part of a build, and then later, to scan those files.

Equivalent Property Name:
com.fortify.sca.BuildID

-disable-language <languages>

Specifies a colon-separated list of languages to exclude from the translation phase. The valid language values are abap, actionscript, apex, cfml, cobol, configuration, cpp, dart, dotnet, golang, java, javascript, jsp, kotlin, objc, php, plsql, python, ruby, scala, sql, swift, tsql, typescript, and vb.

Equivalent Property Name:
com.fortify.sca.DisabledLanguages

-enable-language <languages>

Specifies a colon-separated list of languages to translate. The valid language values are abap, actionscript, apex, cfml, cobol, configuration, cpp, dart, dotnet, golang, java, javascript, jsp, kotlin, objc, php, plsql, python, ruby, scala, sql, swift, tsql, typescript, and vb.

Equivalent Property Name:
com.fortify.sca.EnabledLanguages

-exclude <file_specifiers>

Specifies the files to exclude from the translation. Files excluded from translation are also not scanned. Separate multiple file paths with semicolons (Windows) or colons (non-Windows). For example:

sourceanalyzer -cp "**/*.jar" "**/*" -exclude "**/Test/*.java"

This example excludes all Java files in any Test subdirectory. See Specifying Files and Directories for more information on how to use file specifiers.

Note: When you integrate the translation with most compilers or build tools, Fortify Static Code Analyzer translates all source files that the compiler or build tool processes, even if this option says to exclude them. However, the Fortify Static Code Analyzer xcodebuild and MSBuild integrations do support the -exclude option.

Equivalent Property Name:
com.fortify.sca.exclude

-encoding <encoding_name>

Specifies the source file encoding type. Fortify Static Code Analyzer enables you to scan a project that contains differently encoded source files. To work with a multi-encoded project, you must specify the -encoding option in the translation phase, when Fortify Static Code Analyzer first reads the source code file. Fortify Static Code Analyzer remembers this encoding in the build session and propagates it into the FVDL file.

Valid encoding names are those defined by java.nio.charset.Charset.

Typically, if you do not specify the encoding type, Fortify Static Code Analyzer uses file.encoding from the java.io.InputStreamReader constructor with no encoding parameter. In a few cases (for example with the ActionScript parser), Fortify Static Code Analyzer defaults to UTF-8 encoding.

Equivalent Property Name:
com.fortify.sca.InputFileEncoding

-nc

When specified before a compiler command line, Fortify Static Code Analyzer translates the source file but does not run the compiler.

-noextension-type <file_type>

Specifies the file type for source files that have no file extension. The valid file type values are ABAP, ACTIONSCRIPT, APEX, APEX_OBJECT, APEX_TRIGGER, ARCHIVE, ASPNET, ASP, ASPX, BITCODE, BSP, BYTECODE, CFML, COBOL, CSHARP, DART, DOCKERFILE, FLIGHT, GENERIC, GO, HOCON, HTML, INI, JAVA, JAVA_PROPERTIES, JAVASCRIPT, JSP, JSPX, KOTLIN, MSIL, MXML, OBJECT, PHP, PLSQL, PYTHON, RUBY, RUBY_ERB, SCALA, SWIFT, SWC, SWF, TLD, SQL, TSQL, TYPESCRIPT, VB, VB6, VBSCRIPT, VISUAL_FORCE, VUE, and XML.

-project-root

Specifies the directory to store intermediate files generated in the translation and analysis phases. Fortify Static Code Analyzer makes extensive use of intermediate files located in this project root directory. In some cases, you can achieve better performance for analysis by making sure this directory is on local storage rather than on a network drive.

Equivalent Property Name:
com.fortify.sca.ProjectRoot
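
The following added example (not part of the Fortify documentation) assembles a translation command from the -b, -enable-language, -encoding and -exclude options described above. It picks the -exclude separator by platform and rejects language values outside the documented list. The function names, the build ID app-1 and the file patterns are hypothetical, and the script only prints the command rather than running it.

```shell
#!/bin/sh
# Added example: helper names and sample values are hypothetical.
# Language values the table lists for -enable-language / -disable-language.
SCA_LANGS="abap actionscript apex cfml cobol configuration cpp dart dotnet golang java javascript jsp kotlin objc php plsql python ruby scala sql swift tsql typescript vb"

# check_languages "java:kotlin": succeeds only if every colon-separated value is listed.
check_languages() {
    [ -n "$1" ] || { echo "empty language list" >&2; return 1; }
    old_ifs=$IFS; IFS=:; set -f          # split on ':' without glob expansion
    for lang in $1; do
        case " $SCA_LANGS " in
            *" $lang "*) ;;
            *) IFS=$old_ifs; set +f
               echo "invalid language: '$lang'" >&2; return 1 ;;
        esac
    done
    IFS=$old_ifs; set +f
}

# exclude_separator [os]: ';' on Windows, ':' elsewhere (os defaults to `uname -s`).
exclude_separator() {
    case "${1:-$(uname -s)}" in
        MINGW*|MSYS*|CYGWIN*|Windows_NT) printf ';' ;;
        *) printf ':' ;;
    esac
}

# join_excludes SEP PATTERN...: build the single -exclude argument.
join_excludes() {
    sep=$1; shift; joined=
    for p in "$@"; do joined="${joined:+$joined$sep}$p"; done
    printf '%s' "$joined"
}

# translate_cmd BUILD_ID LANGUAGES ENCODING EXCLUDES: print the command line.
translate_cmd() {
    [ -n "$1" ] || { echo "build ID required" >&2; return 1; }
    check_languages "$2" || return 1
    printf 'sourceanalyzer -b "%s" -enable-language %s -encoding %s "**/*" -exclude "%s"\n' \
        "$1" "$2" "$3" "$4"
}

# Constructed sample values. Excluded files are not scanned, so print the
# command into the build log where the exclusions can be reviewed.
excludes=$(join_excludes "$(exclude_separator)" '**/Test/*.java' '**/generated/*')
translate_cmd "app-1" "java:kotlin" "UTF-8" "$excludes"
```

Keeping the printed command in the build log gives reviewers a record of which paths were left out of the scan.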