fortify-sca-quickscan.properties

Fortify Static Code Analyzer offers a less in-depth scan known as a quick scan. This option scans the project in quick scan mode, using the property values in the fortify-sca-quickscan.properties file. By default, a quick scan reduces the depth of the analysis and applies the Quick View filter set. The Quick View filter set provides only critical and high priority issues.

Note: Properties in this file are only used if you specify the -quick option on the command line for your scan.

The following table provides two sets of default values: the default value for quick scans and the default value for normal scans. If only one default value is shown, the value is the same for both normal scans and quick scans.


com.fortify.sca.CtrlflowMaxFunctionTime

Sets the time limit (in milliseconds) for Control Flow analysis on a single function.

Value Type: Integer

Quick Scan Default: 30000

Default: 600000

com.fortify.sca.DisableAnalyzers

Specifies a comma- or colon-separated list of analyzers to disable during a scan. The valid analyzer names are buffer, content, configuration, controlflow, dataflow, nullptr, semantic, and structural.

Value Type: String

Quick Scan Default: controlflow:buffer

Default: (none)

com.fortify.sca.FilterSet

Specifies the filter set to use. You can use this property with an issue template to filter at scan-time instead of post-scan. See com.fortify.sca.ProjectTemplate described in Translation and Analysis Phase Properties to specify an issue template that contains the filter set to use.

When set to Quick View, this property runs rules that have a potentially high impact and a high likelihood of occurring, and rules that have a potentially high impact and a low likelihood of occurring. Filtered issues are not written to the FPR, so this setting can reduce the size of the FPR. For more information about filter sets, see the OpenText™ Fortify Audit Workbench User Guide.

Value Type: String

Quick Scan Default: Quick View

Default: (none)

com.fortify.sca.FPRDisableMetatable

Disables the creation of the metatable, which includes information for the Function view in Fortify Audit Workbench. The metatable is what lets you right-click a variable in the source window to show its declaration. If C/C++ scans take an extremely long time, setting this property to true can reduce the scan time by hours.

Value Type: Boolean

Quick Scan Default: true

Default: false

Command-Line Option: -disable-metatable

com.fortify.sca.FPRDisableSourceBundling

Disables source code inclusion in the FPR file, which prevents Fortify Static Code Analyzer from generating marked-up source code files during a scan. If you plan to upload FPR files generated by a quick scan to Fortify Software Security Center, you must set this property to false.

Value Type: Boolean

Quick Scan Default: true

Default: false

Command-Line Option: -disable-source-bundling

com.fortify.sca.NullPtrMaxFunctionTime

Sets the time limit (in milliseconds) for Null Pointer analysis on a single function. The standard default is five minutes. Setting a shorter limit decreases the overall scan time.

Value Type: Integer

Quick Scan Default: 10000

Default: 300000

com.fortify.sca.TrackPaths

Disables path tracking for Control Flow analysis. Path tracking provides more detailed reporting for issues, but requires more scan time. To disable path tracking for JSP only, set this property to NoJSP. Specify None to disable path tracking for all functions.

Value Type: String

Quick Scan Default: (none)

Default: NoJSP

com.fortify.sca.limiters.ConstraintPredicateSize

Specifies the size limit for complex calculations in the Buffer Analyzer. The Buffer Analyzer skips calculations larger than this value to improve scan time.

Value Type: Integer

Quick Scan Default: 10000

Default: 500000

com.fortify.sca.limiters.MaxChainDepth

Controls the maximum call depth through which the Dataflow Analyzer tracks tainted data. Increasing this value increases the coverage of dataflow analysis at the cost of longer scan times.

Note: Call depth refers to the maximum call depth on a dataflow path between a taint source and sink, rather than call depth from the program entry point, such as main().

Value Type: Integer

Quick Scan Default: 3

Default: 5

com.fortify.sca.limiters.MaxFunctionVisits

Sets the maximum number of times the taint propagation analyzer visits each function.

Value Type: Integer

Quick Scan Default: 5

Default: 50

com.fortify.sca.limiters.MaxPaths

Controls the maximum number of paths to report for a single dataflow vulnerability. Changing this value does not change which results are found, only the number of dataflow paths displayed for an individual result.

Note: Fortify does not recommend setting this property to a value larger than 5 because it might increase the scan time.

Value Type: Integer

Quick Scan Default: 1

Default: 5

com.fortify.sca.limiters.MaxTaintDefForVar

Sets a complexity limit for the Dataflow Analyzer. The Dataflow Analyzer incrementally decreases the precision of analysis on functions that exceed this complexity metric at a given precision level.

Value Type: Integer

Quick Scan Default: 250

Default: 1000

com.fortify.sca.limiters.MaxTaintDefForVarAbort

Sets a hard limit on function complexity. If the complexity of a function exceeds this limit at the lowest precision level, the analyzer skips analysis of that function.

Value Type: Integer

Quick Scan Default: 500

Default: 4000
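The following fortify-sca-quickscan.properties is an added example assembled from the quick-scan defaults in the table above; it is not the file shipped with Fortify Static Code Analyzer. It differs from the defaults in one place: FPRDisableSourceBundling is set to false so the resulting FPR can be uploaded to Fortify Software Security Center, as the FPRDisableSourceBundling entry requires. The issue-template path under com.fortify.sca.ProjectTemplate is a placeholder, not a real file.

```properties
# fortify-sca-quickscan.properties (added example, not the shipped file)
# Fortify Static Code Analyzer reads this file only when the scan is started
# with the -quick option. Values are the quick-scan defaults from the
# reference unless a comment says otherwise.

# Per-function time limits (milliseconds). Normal scan: 600000 and 300000.
com.fortify.sca.CtrlflowMaxFunctionTime=30000
com.fortify.sca.NullPtrMaxFunctionTime=10000

# Analyzers skipped entirely in quick mode: control flow and buffer.
# Findings that depend on these analyzers will not appear in the FPR.
com.fortify.sca.DisableAnalyzers=controlflow:buffer

# Filter at scan time so that only critical and high priority issues are
# written to the FPR. The filter set must exist in the issue template;
# the path below is a placeholder.
com.fortify.sca.FilterSet=Quick View
com.fortify.sca.ProjectTemplate=/path/to/issue-template.xml

# Drop the metatable to save time (no Function view in Audit Workbench).
com.fortify.sca.FPRDisableMetatable=true

# Quick-scan default is true. Set to false here because FPRs uploaded to
# Software Security Center must include the bundled source.
com.fortify.sca.FPRDisableSourceBundling=false

# Path tracking for Control Flow: quick-scan default is unset (none);
# a normal scan uses NoJSP. Uncomment to disable path tracking for JSP only.
#com.fortify.sca.TrackPaths=NoJSP

# Dataflow and Buffer Analyzer limiters (normal-scan defaults in comments).
com.fortify.sca.limiters.ConstraintPredicateSize=10000   # 500000
com.fortify.sca.limiters.MaxChainDepth=3                 # 5
com.fortify.sca.limiters.MaxFunctionVisits=5             # 50
com.fortify.sca.limiters.MaxPaths=1                      # 5
com.fortify.sca.limiters.MaxTaintDefForVar=250           # 1000
com.fortify.sca.limiters.MaxTaintDefForVarAbort=500      # 4000
```

Note that a Java properties parser does not treat a trailing `# ...` on a value line as a comment, so the inline normal-scan defaults above would become part of the value if the file were used verbatim; move them to their own lines (or delete them) in a real file. With the file in place, a quick scan is started with `sourceanalyzer -b <build-id> -scan -quick`. Because two analyzers are disabled, taint is followed only three calls deep, and the Quick View filter drops everything below high priority, a clean quick scan does not imply a clean full scan; treat it as a fast pre-commit check and keep the full scan in the pipeline.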