fortify-sca-quickscan.properties
Fortify Static Code Analyzer offers a less in-depth scan known as a quick scan. This option scans the project in quick scan mode, using the property values in the fortify-sca-quickscan.properties
file. By default, a quick scan reduces the depth of the analysis and applies the Quick View filter set. The Quick View filter set provides only critical and high priority issues.
Note: Properties in this file are only used if you specify the -quick option on the command line for your scan.
The following table provides two sets of default values: the default value for quick scans and the default value for normal scans. If only one default value is shown, the value is the same for both normal scans and quick scans.
Property Name | Description
---|---
 | Sets the time limit (in milliseconds) for Control Flow analysis on a single function. Value Type: Integer. Quick Scan Default: Default:
 | Specifies a comma- or colon-separated list of analyzers to disable during a scan. The valid analyzer names are Value Type: String. Quick Scan Default: Default: (none)
 | Specifies the filter set to use. You can use this property with an issue template to filter at scan time instead of post-scan. See When set to Value Type: String. Quick Scan Default: Default: (none)
com.fortify.sca. | Disables the creation of the metatable, which includes information for the Function view in Fortify Audit Workbench. This metatable enables right-clicking a variable in the source window to show its declaration. If C/C++ scans take an extremely long time, setting this property to true can potentially reduce the scan time by hours. Value Type: Boolean. Quick Scan Default: Default: Command-Line Option:
 | Disables source code inclusion in the FPR file. Prevents Fortify Static Code Analyzer from generating marked-up source code files during a scan. If you plan to upload FPR files that are generated as a result of a quick scan to Fortify Software Security Center, you must set this property to Value Type: Boolean. Quick Scan Default: Default: Command-Line Option:
 | Sets the time limit (in milliseconds) for Null Pointer analysis for a single function. The standard default is five minutes. If this value is set to a shorter limit, the overall scan time decreases. Value Type: Integer. Quick Scan Default: Default:
 | Disables path tracking for Control Flow analysis. Path tracking provides more detailed reporting for issues, but requires more scan time. To disable this for JSP only, set it to Value Type: String. Quick Scan Default: (none) Default:
 | Specifies the size limit for complex calculations in the Buffer Analyzer. Skips calculations that are larger than the specified size value in the Buffer Analyzer to improve scan time. Value Type: Integer. Quick Scan Default: Default:
 | Controls the maximum call depth through which the Dataflow Analyzer tracks tainted data. Increase this value to increase the coverage of dataflow analysis, which results in longer scan times. Note: Call depth refers to the maximum call depth on a dataflow path between a taint source and sink, rather than call depth from the program entry point, such as Value Type: Integer. Quick Scan Default: Default:
 | Sets the number of times the taint propagation analyzer visits functions. Value Type: Integer. Quick Scan Default: Default:
com.fortify.sca. | Controls the maximum number of paths to report for a single dataflow vulnerability. Changing this value does not change the results that are found, only the number of dataflow paths displayed for an individual result. Note: Fortify does not recommend setting this property to a value larger than 5 because it might increase the scan time. Value Type: Integer. Quick Scan Default: Default:
 | Sets a complexity limit for the Dataflow Analyzer. Dataflow incrementally decreases the precision of analysis on functions that exceed this complexity metric for a given precision level. Value Type: Integer. Quick Scan Default: Default:
 | Sets a hard limit for function complexity. If the complexity of a function exceeds this limit at the lowest precision level, the analyzer skips analysis of the function. Value Type: Integer. Quick Scan Default: Default:
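As an added example (not from the Fortify documentation or product), the following Python checker parses a quick-scan properties file and flags settings that silently reduce coverage or, as the source-inclusion row above warns, leave the FPR unsuitable for Software Security Center upload. Property names are taken from the Fortify SCA user guide (verify them against your installed version); the sample file contents and the MaxChainDepth threshold of 3 are constructed assumptions.

```python
import re

# Constructed sample of a fortify-sca-quickscan.properties file (not a real project's file).
SAMPLE = """\
# Quick scan overrides
com.fortify.sca.FPRDisableSrcHtml=true
com.fortify.sca.FPRDisableMetatable = true
com.fortify.sca.DisableAnalyzers=semantic:\\
    dataflow
com.fortify.sca.limiters.MaxChainDepth:1
com.fortify.sca.FilterSet=Quick View
"""

# key, then '=', ':' or whitespace as separator, then the value
_SEP = re.compile(r"^\s*([^=:\s]+)\s*[=:\s]\s*(.*)$")

def parse_properties(text):
    """Parse Java .properties text: '#'/'!' comments, '=', ':' or whitespace
    separators, and backslash line continuations (leading whitespace of the
    continued line is dropped, as the JDK loader does)."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.lstrip() if pending else raw
        pending = ""
        if not line.strip() or line.lstrip()[0] in "#!":
            continue
        # an odd number of trailing backslashes means the value continues on the next line
        if (len(line) - len(line.rstrip("\\"))) % 2 == 1:
            pending = line[:-1]
            continue
        m = _SEP.match(line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def check_quickscan(props, upload_to_ssc=True):
    """Return findings for quick-scan settings worth a second look."""
    findings = []
    if upload_to_ssc and props.get("com.fortify.sca.FPRDisableSrcHtml", "").lower() == "true":
        findings.append("FPRDisableSrcHtml=true: FPR carries no source and cannot be uploaded to SSC")
    disabled = re.split(r"[,:]", props.get("com.fortify.sca.DisableAnalyzers", ""))
    if "dataflow" in (d.strip().lower() for d in disabled):
        findings.append("DisableAnalyzers includes dataflow: taint-based issues will not be reported")
    depth = props.get("com.fortify.sca.limiters.MaxChainDepth")
    if depth is not None and depth.isdigit() and int(depth) < 3:  # assumed threshold
        findings.append(f"MaxChainDepth={depth}: dataflow stops {depth} call(s) from a taint source")
    return findings

if __name__ == "__main__":
    for finding in check_quickscan(parse_properties(SAMPLE)):
        print("WARN", finding)
```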