Including Imported Modules and Packages

To translate Python applications and prepare for a scan, Fortify Static Code Analyzer searches for any imported modules and packages used by the application. Fortify Static Code Analyzer does not respect the PYTHONPATH environment variable, which the Python runtime system uses to find imported modules and packages.

Fortify Static Code Analyzer searches for imported modules and packages using the list of directories in the following order:

  1. The common root directory for all project source files, which Fortify Static Code Analyzer calculates automatically. For example, if there are two project directories PrimaryDir/project1/* and PrimaryDir/project2/*, the common root directory is PrimaryDir.

    To remove the common root directory as a search target for imported modules and packages, include the -python-no-auto-root-calculation option in the translation command.

  2. The directories specified with the -python-path option.

    Fortify Static Code Analyzer includes a subset of modules from the standard Python library (module "builtins", all modules originally written in C, and others) in the translation. Fortify Static Code Analyzer first searches for a standard Python library module in the set included with Fortify Static Code Analyzer and then in the paths specified with the -python-path option. If your Python code imports any module that Fortify Static Code Analyzer cannot find, it produces a warning. To make sure that all modules of the standard Python library are found, add the path to your standard Python library in the -python-path list.

  3. The directory that contains the file Fortify Static Code Analyzer is currently translating. For example, when Fortify Static Code Analyzer translates PrimaryDir/project1/a.py, the directory PrimaryDir/project1 is added as the last directory to search for imported modules and packages.
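The three-step search order above decides which file an `import` statement binds to during translation, and that matters when the same module name exists in more than one place: a module at the common root shadows a same-named module next to the importing file unless the automatic root calculation is switched off. The following Python script is an added example that models the documented order; it is not Fortify's own code. It constructs a small layout in a temporary directory (`PrimaryDir/project1`, `PrimaryDir/project2`, and an external `libs` directory standing in for a `-python-path` entry, all constructed here), resolves a few imports with and without the automatic common root (the `-python-no-auto-root-calculation` case), and reports imports it cannot find the way the text says the analyzer warns. The resolver only handles plain modules and packages with an `__init__.py`; it is a model of the search order, not of the analyzer's full import logic.

```python
"""Model of the documented import search order (added example, not Fortify's code).

Search order per the documentation:
  1. the common root of all project source files (unless disabled),
  2. the directories given with -python-path, in order,
  3. the directory of the file being translated.
"""
import os
import tempfile
from typing import Dict, List, Optional, Tuple


def common_root(source_files: List[str]) -> str:
    """Step 1: the deepest directory containing every project source file."""
    dirs = [os.path.dirname(os.path.abspath(f)) for f in source_files]
    return os.path.commonpath(dirs)


def search_dirs(source_files: List[str], translating_file: str,
                python_path: List[str], auto_root: bool = True) -> List[str]:
    """Build the ordered list of directories searched for one translated file."""
    dirs: List[str] = []
    if auto_root:                      # omitted with -python-no-auto-root-calculation
        dirs.append(common_root(source_files))
    dirs.extend(os.path.abspath(p) for p in python_path)   # -python-path entries
    dirs.append(os.path.dirname(os.path.abspath(translating_file)))
    return dirs


def resolve_module(name: str, dirs: List[str]) -> Optional[str]:
    """Return the file 'import name' binds to under the given order, or None."""
    rel = name.replace(".", os.sep)
    for d in dirs:
        for candidate in (os.path.join(d, rel + ".py"),
                          os.path.join(d, rel, "__init__.py")):
            if os.path.isfile(candidate):
                return candidate
    return None


def resolve_all(source_files: List[str], translating_file: str, imports: List[str],
                python_path: List[str], auto_root: bool = True
                ) -> Tuple[Dict[str, Optional[str]], List[str]]:
    """Resolve every import of one file; unresolved names produce a warning line."""
    dirs = search_dirs(source_files, translating_file, python_path, auto_root)
    resolved: Dict[str, Optional[str]] = {}
    warnings: List[str] = []
    for name in imports:
        path = resolve_module(name, dirs)
        if path is None:
            warnings.append(f"warning: module '{name}' imported by "
                            f"{translating_file} was not found")
        resolved[name] = path
    return resolved, warnings


def build_demo_project(base: str) -> Dict[str, str]:
    """Constructed layout (assumption for this example): note the two util.py files."""
    files = {
        "PrimaryDir/project1/a.py": "import util\nimport helper\nimport missing_mod\n",
        "PrimaryDir/project1/util.py": "",      # util next to the importing file
        "PrimaryDir/project2/b.py": "import util\n",
        "PrimaryDir/util.py": "",               # util at the common root
        "libs/helper.py": "",                   # reachable only via -python-path
    }
    for rel, body in files.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return {rel: os.path.join(base, rel) for rel in files}


def demo() -> Dict[str, object]:
    """Resolve a.py's imports with and without the automatic common root."""
    with tempfile.TemporaryDirectory() as base:
        paths = build_demo_project(base)
        sources = [p for rel, p in paths.items() if rel.startswith("PrimaryDir/")]
        python_path = [os.path.join(base, "libs")]
        a_py = paths["PrimaryDir/project1/a.py"]
        imports = ["util", "helper", "missing_mod"]

        with_root, warnings = resolve_all(sources, a_py, imports, python_path, True)
        no_root, _ = resolve_all(sources, a_py, imports, python_path, False)

        def rel(p: Optional[str]) -> Optional[str]:
            return None if p is None else os.path.relpath(p, base).replace(os.sep, "/")

        return {
            "common_root": rel(common_root(sources)),
            "util_with_auto_root": rel(with_root["util"]),
            "util_without_auto_root": rel(no_root["util"]),
            "helper": rel(with_root["helper"]),
            "warnings": warnings,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script shows `util` binding to `PrimaryDir/util.py` under the automatic root and to `PrimaryDir/project1/util.py` once the root is disabled, `helper` found only through the `-python-path` directory, and one warning for `missing_mod`. When a scan reports unexpected findings in a module you did not intend to include, checking which copy was resolved under this order is a quick first step.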