Quick Scan

Quick scan mode provides a way to quickly scan your projects for critical- and high-priority issues. Fortify Static Code Analyzer performs the scan faster by reducing the depth of the analysis. It also applies the Quick View filter set. Quick scan settings are configurable. For more details about the configuration of quick scan mode, see fortify-sca-quickscan.properties.

Quick scans are a great way to get many applications through an assessment so that you can quickly find issues and begin remediation. The performance improvement you get depends on the complexity and size of the application. Although the scan is faster than a full scan, it does not provide as robust a result set. Fortify recommends that you run full scans whenever possible.

Limiters

The depth of the Fortify Static Code Analyzer analysis sometimes depends on the available resources. Fortify Static Code Analyzer uses a complexity metric to trade off these resources with the number of vulnerabilities that it can find. Sometimes, this means giving up on a particular function when it does not look like Fortify Static Code Analyzer has enough resources available.

Fortify Static Code Analyzer enables the user to control the “cutoff” point by using Fortify Static Code Analyzer limiter properties. The different analyzers have different limiters. You can run a predefined set of these limiters using a quick scan. See the fortify-sca-quickscan.properties for descriptions of the limiters.

To enable quick scan mode, use the -quick option with -scan option. With quick scan mode enabled, Fortify Static Code Analyzer applies the properties from the <sca_install_dir>/Core/config/fortify-sca-quickscan.properties file, in addition to the standard <sca_install_dir>/Core/config/fortify-sca.properties file. You can adjust the limiters that Fortify Static Code Analyzer uses by editing the fortify-sca-quickscan.properties file. If you modify fortify-sca.properties, it also affects quick scan behavior. Fortify recommends that you do performance tuning in quick scan mode, and leave the full scan in the default settings to produce a highly accurate scan. For description of the quick scan mode properties, see Fortify Static Code Analyzer Properties Files.

Using Quick Scan and Full Scan

• Run full scans periodically—A periodic full scan is important as it might find issues that quick scan mode does not detect. Run a full scan at least once per software iteration. If possible, run a full scan periodically when it will not interrupt the development workflow, such as on a weekend.
• Compare quick scan with a full scan—To evaluate the accuracy impact of a quick scan, perform a quick scan and a full scan on the same codebase. Open the quick scan results in Fortify Audit Workbench and merge it into the full scan. Group the issues by New Issue to produce a list of issues detected in the full scan but not in the quick scan.
• Quick scans and Fortify Software Security Center—To avoid overwriting the results of a full scan, by default Fortify Software Security Center ignores uploaded FPR files scanned in quick scan mode. However, you can configure a Fortify Software Security Center application version so that FPR files scanned in quick scan are processed. For more information, see analysis results processing rules in the OpenText™ Fortify Software Security Center User Guide.