HP Fortify Static Code Analyzer Tools
Software Version 4.30

Properties Reference Guide

Document Release Date: April 2015
Software Release Date: April 2015



Legal Notices

Warranty
The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.

Restricted Rights Legend
Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.

Copyright Notice
© Copyright 2015 Hewlett-Packard Development Company, L.P.

Documentation Updates
The title page of this document contains the following identifying information:
• Software Version number
• Document Release Date, which changes each time the document is updated
• Software Release Date, which indicates the release date of this version of the software
To check for recent updates or to verify that you are using the most recent edition of a document, go to:
https://protect724.hp.com/welcome
You will receive updated or new editions if you subscribe to the appropriate product support service. Contact your HP sales representative for details.
Part Number: 1-16b3-2015-04-430-01


Contents

Preface
  Contacting HP Fortify Support
  For More Information
  About the HP Fortify Software Security Center Documentation Set
Chapter 1: Properties Used in SCA Tools for Java Applications
  HP Fortify Properties (fortify.properties File)
  Server Properties (server.properties File)
Chapter 2: Properties Used in SCA Tools for .NET Applications
  HP Fortify Properties (fortify.properties File)
  IDE Properties (fortify-ide.properties file)
  TFS Configuration Property


Preface

Contacting HP Fortify Support
If you have questions or comments about any part of this guide, contact HP Fortify using one of the following options.

To Manage Your Support Cases, Acquire Licenses, and Manage Your Account
https://support.fortify.com

To Email Support
[email protected]

To Call Support
650.735.2215

For More Information
For more information about HP Enterprise Security Products:
http://www.hpenterprisesecurity.com

About the HP Fortify Software Security Center Documentation Set
The HP Fortify Software Security Center documentation set contains installation, user, and deployment guides for all HP Fortify Software Security Center products and components. In addition, you will find technical notes and release notes that describe new features, known issues, and last-minute updates. You can access the latest versions of these documents from the following HP ESP user community Protect724 website:
https://protect724.hp.com/welcome
You will need to register for an account.


Chapter 1: Properties Used in SCA Tools for Java Applications

This chapter describes the properties used in the following Static Code Analyzer tools:
• HP Fortify Audit Workbench
• HP Fortify Process Designer
• Custom Rules Editor
• Plugins for Eclipse, JDeveloper, and IntelliJ

Properties are listed in alphabetical order in the following sections, based on the files in which they belong:
• HP Fortify Properties (fortify.properties File)
• Server Properties (server.properties File)


HP Fortify Properties (fortify.properties File)

Table 2 lists the properties that belong in the fortify.properties file. Some of these properties already exist in the file; you must add the others. The colored boxes in the Details column indicate which SCA tools use the property. Table 1 lists the SCA tool acronyms used in Table 2.

Table 1: Acronyms for SCA tools

Acronym  SCA Tool
AWB      Audit Workbench
ECP      Eclipse Plugin (complete)
ERP      Eclipse Remediation Plugin
CRE      Custom Rules Editor
PD       Process Designer
IRP      IntelliJ Remediation Plugin
IAP      IntelliJ/Android Studio Analysis Plugin
JRP      JDeveloper Remediation Extension

Table 2: HP Fortify Properties

com.fortify.SCAExecutablePath
Default: <Fortify Install Dir>/bin/sourceanalyzer.exe
Specifies the file path to sourceanalyzer.exe. Audit Workbench and the analysis IDE plugins (Eclipse, IntelliJ) use this property.

com.fortify.WorkingDirectory
Default: Windows: ${win32.LocalAppdata}/Fortify; Unix: ${user.home}/.fortify
Specifies the HP Fortify working directory that holds all user configuration and working files for all HP Fortify products. You must have write access to the directory.


com.fortify.audit.ui.DisableAddingFolders
Default: false
If set to true, disables the add-folder function in Audit Workbench and the HP Fortify Plugin for Eclipse.

com.fortify.audit.ui.DisableBugtrackers
Default: false
If set to true, disables bug tracker integration in Audit Workbench and the HP Fortify Plugin for Eclipse.

com.fortify.audit.ui.DisableEditingCustomTags
Default: false
If set to true, removes the ability to edit custom tags in Audit Workbench and the HP Fortify Plugin for Eclipse.

com.fortify.audit.ui.DisableSuppress
Default: false
If set to true, removes the ability to suppress issues in Audit Workbench and the HP Fortify Plugin for Eclipse.

com.fortify.AuthenticationKey
Default: ${com.fortify.WorkingDirectory}/config/tools
Specifies the directory that holds the Software Security Center client authentication token. Because the token authenticates the tools to Software Security Center, restrict access to this directory to the user who runs the tools.

com.fortify.awb.Debug
Default: false
If set to true, Audit Workbench runs in debug mode.


com.fortify.awb.javaExtensions
Default: none
Specifies the file extensions (comma-delimited) that Audit Workbench or the HP Fortify Plugin for Eclipse treat as Java files during scanning. If no value is specified, Audit Workbench and the Eclipse plugin recognize java, jsp, and jspx files as Java files. The property is used only to determine whether a project includes Java files and to add Java-specific controls to the Advanced Scan panel.

com.fortify.awb.LinuxFontAdjust
Default: 0
Specifies a font size adjustment for Linux platforms. Audit Workbench adds the specified value to the original font size.

com.fortify.awb.MacFontAdjust
Default: 2
Specifies a font size adjustment for Mac platforms. Audit Workbench adds the specified value to the original font size.

com.fortify.awb.WindowsFontAdjust
Default: 0
Specifies a font size adjustment for Windows platforms. Audit Workbench adds the specified value to the original font size.

com.fortify.Debug
Default: false
If set to true, runs all SCA tools in debug mode.


com.fortify.DisableDescriptionXMLEscaping
Default: false
If set to true, disables XML escape processing of issue descriptions (for example, &quot; in the FVDL is normally converted to a literal " character).

com.fortify.DisableExternalEntryCorrelation
Default: false
If set to true, disables correlation of external entries. Correlation uses the URL element of ExternalEntries/Entry in audit.fvdl; an entry has the following form:

  <ExternalEntries>
    <Entry name="HTML Form" type="URL">
      <URL>/auth/PerformChangePass.action</URL>
      <SourceLocation path="pages/content/ChangePass.jsp" line="16" lineEnd="16" colStart="0" colEnd="0" snippet="1572130B944CEC7A3D98775A499AE8FA#pages/content/ChangePass.jsp:16:16"/>
    </Entry>
  </ExternalEntries>


com.fortify.DisableMinVirtCallConfidenceComputation
Default: false
If set to true, disables computation of the minimum virtual call confidence.
Static Code Analyzer supports the com.fortify.sca.rendering.EnableMinVirtualConfidence property. If that property is set to true, Static Code Analyzer records the virtual call confidence on the nodes of issues produced by the dataflow analyzer, as follows:

  <Node id="9">
    <SourceLocation path="Main.java" line="37" lineEnd="37" colStart="0" colEnd="0" contextId="3" snippet="97294340A2A14F412A93D3F017BC2BB4#Main.java:37:37"/>
    <Action type="OutCall">nextElement(return)</Action>
    <Knowledge>
      <Fact primary="false" type="Confidence">Confidence: 0.58 (Virtual Call)</Fact>
      <Fact primary="false" type="Call">Virtual : ForInter.Pasta.Penne.nextElement</Fact>
    </Knowledge>
  </Node>

Audit Workbench and the Eclipse plugins use this fact to compute the minimum virtual call confidence of each issue and to enable issue filtering. For example, it can be used to filter out all issues that contain a virtual call with confidence lower than 0.46.
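The following script is an added example, not code from the guide or from the Fortify tools. It shows the computation described above: read the Confidence facts from <Node> elements, take the minimum per issue, and drop issues whose minimum virtual call confidence falls below a threshold such as 0.46. Node 9 is copied from the fragment above; the other nodes, the issue ids, and the <Issues>/<Issue> container that groups nodes per issue are constructed for this example and do not reflect the real audit.fvdl layout around <Node>.

```python
"""Filter issues by minimum virtual-call confidence from FVDL-style <Node> facts.

Added example, not from the guide or the Fortify tools. The <Node>, <Knowledge>
and <Fact type="Confidence"> elements follow the audit.fvdl fragment in the guide;
the enclosing <Issues>/<Issue id=...> container is a constructed simplification.
"""
import re
import xml.etree.ElementTree as ET

# Matches the text of a confidence fact, e.g. "Confidence: 0.58 (Virtual Call)".
_VIRTUAL_CONF_RE = re.compile(r"Confidence:\s*([0-9]*\.?[0-9]+)\s*\(Virtual Call\)")


def virtual_call_confidences(node):
    """Yield the virtual-call confidence values recorded on one <Node>."""
    for fact in node.iter("Fact"):
        if fact.get("type") == "Confidence" and fact.text:
            m = _VIRTUAL_CONF_RE.search(fact.text)
            if m:
                yield float(m.group(1))


def min_virtual_call_confidence(issue):
    """Minimum virtual-call confidence over all nodes of an issue, or None if it has none."""
    values = [c for node in issue.iter("Node") for c in virtual_call_confidences(node)]
    return min(values) if values else None


def min_confidences(xml_text):
    """Map each issue id to its minimum virtual-call confidence (None when it has none)."""
    root = ET.fromstring(xml_text)
    return {issue.get("id"): min_virtual_call_confidence(issue) for issue in root.iter("Issue")}


def filter_issues(xml_text, threshold):
    """Split issue ids into (kept, dropped) by the confidence threshold.

    An issue with no virtual call on its trace has nothing to compare and is kept;
    only issues that contain a virtual call below the threshold are dropped.
    """
    kept, dropped = [], []
    for issue_id, mvc in min_confidences(xml_text).items():
        if mvc is not None and mvc < threshold:
            dropped.append(issue_id)
        else:
            kept.append(issue_id)
    return kept, dropped


# Constructed sample: node 9 is the guide's fragment; everything else is made up.
SAMPLE_FVDL = """\
<Issues>
  <Issue id="A">
    <Node id="9">
      <SourceLocation path="Main.java" line="37" lineEnd="37" colStart="0" colEnd="0" contextId="3"
                      snippet="97294340A2A14F412A93D3F017BC2BB4#Main.java:37:37"/>
      <Action type="OutCall">nextElement(return)</Action>
      <Knowledge>
        <Fact primary="false" type="Confidence">Confidence: 0.58 (Virtual Call)</Fact>
        <Fact primary="false" type="Call">Virtual : ForInter.Pasta.Penne.nextElement</Fact>
      </Knowledge>
    </Node>
    <Node id="10">
      <Action type="OutCall">readLine(return)</Action>
      <Knowledge>
        <Fact primary="false" type="Confidence">Confidence: 0.40 (Virtual Call)</Fact>
      </Knowledge>
    </Node>
  </Issue>
  <Issue id="B">
    <Node id="3">
      <Knowledge>
        <Fact primary="false" type="Confidence">Confidence: 0.58 (Virtual Call)</Fact>
      </Knowledge>
    </Node>
  </Issue>
  <Issue id="C">
    <Node id="1">
      <Action type="Assign">x = y</Action>
    </Node>
  </Issue>
</Issues>
"""

if __name__ == "__main__":
    kept, dropped = filter_issues(SAMPLE_FVDL, 0.46)
    print("kept:", kept, "dropped:", dropped)
```

Issue A carries two virtual calls (0.58 and 0.40), so its minimum is 0.40 and it is filtered out at the 0.46 threshold; issue B (0.58) survives, and issue C, which has no virtual call at all, is kept rather than discarded for lack of a confidence value.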

com.fortify.DisableRemovedIssuePersistance
Default: false
If set to true, disables removed issue persistence (removed issues are cleared from the results file).

com.fortify.DisableReportCategoryRendering
Default: false
If set to true, disables rendering of issue descriptions into reports.


com.fortify.DisplayEventID
Default: false
If set to true, displays the event ID in the tooltip of each issue node in the Issues panel of Audit Workbench and the Plugin for Eclipse.

com.fortify.eclipse.Debug
Default: false
If set to true, runs the Eclipse plugin in debug mode.

com.fortify.InstallationUserName
Default: ${user.name}
Specifies the default user name for logging in to Software Security Center for the first time. Audit Workbench and all IDE plugins use this property.

com.fortify.remediation.PaginateIssues
Default: false
If set to true, or if no value is specified, the JDeveloper, IntelliJ, and Eclipse remediation plugins download issues in pages. If set to false, these plugins download all issues at once.

com.fortify.remediation.PaginationCount
Default: 1000
If com.fortify.remediation.PaginateIssues is set to true, specifies the page size used for issue download.


com.fortify.locale
Default: en (English)
Specifies the Fortify locale (for rules and metadata only). Other possible values are:
• es (Spanish)
• ja (Japanese)
• ko (Korean)
• zh_CN (Chinese, Simplified)
• zh_TW (Chinese, Traditional)

com.fortify.model.CheckSig
Default: true (normal load); false (minimal load)
If set to true, verifies the signature in the FPR file. Signature verification is forced off (com.fortify.model.CheckSig becomes false and FPR signatures are not verified) when any of the following is set: com.fortify.model.UseIssueParseFilters=true, com.fortify.model.MinimalLoad=true, or a non-null value for com.fortify.model.IssueCutoffStartIndex, com.fortify.model.IssueCutoffEndIndex, com.fortify.model.IssueCutoffByCategoryStartIndex, or com.fortify.model.IssueCutoffByCategoryEndIndex. With verification off, the tools cannot detect that an FPR was modified after the scan, so avoid these load-reducing settings for results you need to trust.

com.fortify.model.CustomDescriptionsHeader
Default: none
Specifies a custom prefix for the description header. The text is prepended to the Description/Recommendation header, so that you see "MY Recommendations" instead of "Custom Recommendations".
Note: To update description headers, HP Fortify recommends that you use <CustomDescriptionRule> with <Header> text instead.

com.fortify.model.DisableChopBuildID
Default: false
If set to true, does not shorten the build ID, even if it exceeds 250 characters.


com.fortify.model.DisableContextPool
Default: false
If set to true, disables loading of the ContextPool section of the audit.fvdl file. If null or false, loads the ContextPool section of the audit.fvdl file.
This property can be configured only if com.fortify.model.MinimalLoad is not true. If com.fortify.model.MinimalLoad is set to true, com.fortify.model.DisableContextPool is set to true automatically.

com.fortify.model.DisableDescription
Default: false
If set to true, disables loading of the Description section of audit.fvdl.
This property can be configured only if com.fortify.model.MinimalLoad is not true. If com.fortify.model.MinimalLoad is true, com.fortify.model.DisableDescription is set to true automatically.

com.fortify.model.DisableEngineData
Default: false
If set to true, disables loading of the EngineData section of audit.fvdl to save memory while opening large FPR files. This data is displayed on the Analysis Information tab of the Project Summary pane. The property can help if a scan produces too many analysis warnings; however, HP Fortify recommends that you instead set a limit with com.fortify.model.MaxEngineErrorCount to open FPR files that have a large number of SCA warnings.

com.fortify.model.DisableHotspotFilterSets
Default: false
Determines whether to hide the default Hotspot and Data Validation filter sets in Audit Workbench and the Eclipse plugin when the current project template does not contain these filter sets.


com.fortify.model.DisableProgramInfo
Default: false
If set to true, prevents loading of the metatable from the ProgramData section of FPR files. If set to false, loads the metatable from the FPR file.
This property can be configured only if com.fortify.model.MinimalLoad is not true. If com.fortify.model.MinimalLoad is true, this property is set to true automatically.

com.fortify.model.DisableProgramPoint
Default: false
If set to true, disables loading of the ProgramPoint section of the runtime.fvdl file.

com.fortify.model.DisableReplacementParsing
Default: false
If set to true, disables replacement of conditional descriptions.
This property can be configured only if com.fortify.model.MinimalLoad is not true. If com.fortify.model.MinimalLoad is true, this property is set to true automatically.

com.fortify.model.DisableSnippets
Default: false
If set to true, disables loading of the Snippets section of the audit.fvdl file. If unset or false, loads the Snippets section.
This property can be configured only if com.fortify.model.MinimalLoad is false. If com.fortify.model.MinimalLoad is set to true, com.fortify.model.DisableSnippets is set to true automatically.


com.fortify.model.DisableUnifiedInductions
Default: false
If set to true, disables loading of the UnifiedInductionPool section of the audit.fvdl file. If unset or false, loads the UnifiedInductionPool section.
This property can be configured only if com.fortify.model.MinimalLoad is not true. If com.fortify.model.MinimalLoad is set to true, com.fortify.model.DisableUnifiedInductions is set to true automatically.

com.fortify.model.DisableUnifiedPool
Default: false
If set to true, disables loading of the UnifiedNodePool section of the audit.fvdl file. If unset or false, loads the UnifiedNodePool section.
This property can be configured only if com.fortify.model.MinimalLoad is not true. If com.fortify.model.MinimalLoad is true, com.fortify.model.DisableUnifiedPool is set to true automatically.

com.fortify.model.DisableUnifiedTrace
Default: false
If set to true, disables loading of the UnifiedTracePool section of the audit.fvdl file. If unset or false, loads the UnifiedTracePool section.
This property can be configured only if com.fortify.model.MinimalLoad is not true. If com.fortify.model.MinimalLoad is true, com.fortify.model.DisableUnifiedTrace is set to true automatically.


com.fortify.model.EnablePathElementBaseIndexShift
Default: none
If set to true, enables backward compatibility with projects migrated from versions earlier than 2.5.

com.fortify.model.EnableSourceCorrelation
Default: false
If set to true, takes the dataflow source into account for issue correlation. The default is false because correlation with runtime results may be unreliable when this setting is on.

com.fortify.model.ExecMemorySetting
Default: 600 for iidmigrator and RuntimeBridge; 300 for fortifyupdate
Specifies the JVM heap memory size that Audit Workbench uses when it launches external utilities such as iidmigrator, event2fpr, and fortifyupdate.

com.fortify.model.ForceIIDMigration
Default: false
If set to true, forces instance ID migration to run during a merge.

com.fortify.model.FullReportFilenames
Default: false
If set to true, uses full file names in reports.

com.fortify.model.IIDmigratorOptions
Default: none
Specifies options (space-delimited) for iidmigrator when it is run by FPRUtility, Audit Workbench, or the Eclipse plugin. For more information, see the iidmigrator help.


com.fortify.model.IssueCutoffByCategoryStartIndex
Default: 0
Specifies the start index for issue cut-off by category.

com.fortify.model.IssueCutoffByCategoryEndIndex
Default: java.lang.Integer.MAX_VALUE
Specifies the end index for issue cut-off by category.

com.fortify.model.IssueCutoffStartIndex
Default: 0
Specifies the start index for issue cut-off: the first issue (by number) to load.

com.fortify.model.IssueCutoffEndIndex
Default: java.lang.Integer.MAX_VALUE
Specifies the end index for issue cut-off: the last issue (by number) to load.
Note: Setting any of the IssueCutoff properties turns off FPR signature verification (see com.fortify.model.CheckSig).

com.fortify.model.MaxEngineErrorCount
Default: 2500
Determines how many errors reported by the analysis engine are loaded by Audit Workbench, the Eclipse plugin, or FPRUtility. To allow an unlimited number, specify -1. Limiting the count drastically speeds up loading of some large FPR files. HP Fortify recommends that you keep the default value of 2500, which is the most that Audit Workbench can display. Also used by FPRUtility.bat.


com.fortify.model.MergeResolveStrategy
Default: DefaultToMasterValue
Specifies the merge resolve strategy:
• DefaultToMasterValue (use the primary project)
• DefaultToImportValue (use the secondary project)
• NoStrategy (prompt for the project to use)

com.fortify.model.MinimalLoad
Default: false
If set to true, minimizes the data loaded from an FPR file. Note that this also turns off FPR signature verification (see com.fortify.model.CheckSig).

com.fortify.model.NProcessingThreads
Default: number of available processors
Specifies the number of threads used to process FPR files. If com.fortify.model.PersistDataToDisk is set to true, the default is 1 thread. If the specified number exceeds the number of available processors (java.lang.Runtime.getRuntime().availableProcessors()), Fortify uses the number of available processors instead. Also used by FPRUtility.bat.

com.fortify.model.PersistDataToDisk
Default: false
If set to true, enables a persistence strategy that reduces the memory footprint by swapping FPR data out of memory to disk.


com.fortify.model.PersistenceBlockSize
Default: 250
When com.fortify.model.PersistenceStrategy is set to CUSTOM, specifies the number of attribute values that make up a single block of attributes. These blocks are cached to disk and read back as needed. A higher number decreases the total number of cache files but increases the file size and the amount of memory read in each time.

com.fortify.model.PersistenceQueueCapacity
Default: unbounded
When com.fortify.model.PersistenceStrategy is set to CUSTOM, specifies the maximum number of attribute value blocks that can exist in the producer/consumer queue.

com.fortify.model.PersistenceStrategy
Default: CUSTOM
If com.fortify.model.PersistDataToDisk is set to true, specifies the persistence algorithm used to push data from memory to disk.

com.fortify.model.PriorityImpactThreshold
Default: 2.5F
Specifies the priority impact threshold:
• High impact = values >= 2.5
• Low impact = values < 2.5
• Critical = High Impact && High Likelihood
• Hot = High Impact && Low Likelihood
• Medium = Low Impact && High Likelihood
• Low = Low Impact && Low Likelihood


com.fortify.model.PriorityLikelihoodThreshold
Default: 2.5F
Specifies the priority likelihood threshold:
• High likelihood = values >= 2.5
• Low likelihood = values < 2.5
• Critical = High Impact && High Likelihood
• Hot = High Impact && Low Likelihood
• Medium = Low Impact && High Likelihood
• Low = Low Impact && Low Likelihood

com.fortify.model.report.targetEnv
Default: xp on Windows; openOffice on Linux; mac on OS X
Specifies the target environment for generating RTF format reports, as com.fortify.model.report.targetEnv=<format>. Valid <format> values:
• xp: sets the options required for RTF documents to display correctly in Microsoft Word XP (2002) and later.
• word2000: sets the options required for RTF documents to display correctly in Microsoft Word 2000 and Microsoft Word 97.
• openOffice: sets the options required for RTF documents to display correctly in OpenOffice.org Writer.
• mac: sets the options required for RTF documents to display correctly in Microsoft Word for Mac.

com.fortify.model.report.useSystemLocale
Default: false
If set to true, uses the system locale for report output. If set to false, uses com.fortify.locale from the fortify.properties file. If no value is specified, uses java.util.Locale.getDefault().


com.fortify.model.ReportLineLimit
Default: 500
Specifies the character limit for each issue code snippet in reports.

com.fortify.model.UseIIDMigrationFile
Default: none
Specifies the full path of the IID migration file to use. Also used by FPRUtility.bat.

com.fortify.model.UseIssueParseFilters
Default: false
If set to true, applies the settings in IssueParseFilters.properties. Note that this also turns off FPR signature verification (see com.fortify.model.CheckSig).

com.fortify.model.UseOldIIDMigrationAttributes
Default: false
If set to true, uses the attributes of the old issue during IID migration when merging similar issues from old and new scans.

com.fortify.RemovedIssuePersistanceLimit
Default: 1000
Specifies how many removed issues to keep.

com.fortify.search.defaultSyntaxVer
Default: 2
Determines whether the AND and OR operators can be used in searches. They are enabled in the search syntax by default. To block the use of AND and OR, set the value to 1. To allow AND and OR without parentheses, set the value to 2.


com.fortify.StoreOriginalDescriptions
Default: false
If set to true, stores the original plain-text issue descriptions (before parsing) as well as the parsed ones in which tags have been replaced with specific values.

com.fortify.taintFlagBlacklist
Default: none
Specifies taint flags to exclude (comma-delimited values).

com.fortify.UseSourceProjectTemplate
Default: false
If set to true, forces the use of the filter sets and folders from the project template associated with the secondary project. By default, the filter sets and folders from the primary project are used. Also used by FPRUtility.bat.


Server Properties (server.properties File)

Table 3 lists the properties that belong in the server.properties file. This file is used by all HP Fortify SCA command-line tools, standalone applications, and plugins. Because some of the values are encrypted, you must use the scapostinstall tool to configure this file. For information about how to use the scapostinstall tool, see the HP Fortify Static Code Analyzer Installation and Configuration Guide.

Table 3: Server Properties

autoupgrade.server
Default: http://localhost:8180/ssc/update-site/installers
Specifies the SCA_and_Apps AutoUpdate server, which lets users check a web server for new versions of the SCA_and_Apps installer and run the installer if an update is available. Because the downloaded installer is executed, point this property only at a server you control and prefer an https URL.

install.auto.upgrade
Default: false
If set to true, enables the Audit Workbench AutoUpdate function.

rp.update.from.manager
Default: false
If set to true, updates security content from Software Security Center instead of from the Rulepack update server.

rulepack.auto.update
Default: false
If set to true, updates security content automatically.

rulepack.days
Default: 15
Specifies the interval (in days) between security content updates.


rulepackupdate.proxy.port
    Default: none
    Specifies the proxy server port used to access the Rulepack server (uploadclient.proxy.port is used instead if rp.update.from.manager is set to true).
    Tools Affected:

rulepackupdate.proxy.server
    Default: none
    Specifies the proxy server name used to access the Rulepack server (uploadclient.proxy.server is used instead if rp.update.from.manager is set to true).
    Tools Affected:

rulepackupdate.server
    Default: https://update.fortify.com
    Specifies the Rulepack server location.
    Tools Affected:

uploadclient.proxy.port
    Default: none
    Specifies the proxy server port used to access the Software Security Center server.
    Tools Affected:

uploadclient.proxy.server
    Default: none
    Specifies the proxy server name used to access the Software Security Center server.
    Tools Affected:

uploadclient.server
    Default: http://localhost:8180/ssc
    Specifies the URL of the Software Security Center server.
    Tools Affected:
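The settings in Table 3 decide where security content and installers are fetched from, and the proxy that applies changes depending on rp.update.from.manager. The following is an added example, written for this page and not part of the Fortify tools or of this guide, that reads a server.properties file with the Java .properties syntax these files use, resolves the effective update route, and flags every endpoint still reached over cleartext HTTP (note that two of the documented defaults, autoupgrade.server and uploadclient.server, are http:// URLs). The sample file content, host names and proxy are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of a server.properties file. The keys and defaults come
# from Table 3; the host names and the proxy are made up for this example.
SAMPLE_SERVER_PROPERTIES = """\
# server.properties (constructed sample, not a real deployment)
autoupgrade.server=http://localhost:8180/ssc/update-site/installers
install.auto.upgrade=true
rp.update.from.manager=true
rulepack.auto.update=true
rulepack.days=15
rulepackupdate.server=https://update.fortify.com
rulepackupdate.proxy.server=
rulepackupdate.proxy.port=
uploadclient.proxy.server=proxy.corp.example
uploadclient.proxy.port=3128
uploadclient.server=http://ssc.corp.example:8180/ssc
"""

_KV = re.compile(r"([^=:\s]+)\s*[=:]?\s*(.*)")


def parse_properties(text):
    """Minimal reader for the Java .properties syntax these files use:
    '#'/'!' comment lines, '=' or ':' (or whitespace) as the key/value
    separator, and a trailing backslash that continues the value on the
    next line (leading blanks of the continuation line are dropped)."""
    props = {}
    pending = ""
    for raw in text.splitlines():
        line = raw.lstrip()
        if pending:
            line = pending + line
            pending = ""
        elif not line or line[0] in "#!":
            continue
        if line.endswith("\\") and not line.endswith("\\\\"):
            pending = line[:-1]
            continue
        match = _KV.match(line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def effective_update_route(props):
    """Where security content is fetched from and through which proxy.
    Per Table 3: with rp.update.from.manager=true the Rulepacks come from
    Software Security Center and the uploadclient.proxy.* settings apply;
    otherwise the Rulepack server and rulepackupdate.proxy.* apply."""
    if props.get("rp.update.from.manager", "false").lower() == "true":
        server = props.get("uploadclient.server", "http://localhost:8180/ssc")
        proxy_prefix = "uploadclient.proxy"
    else:
        server = props.get("rulepackupdate.server", "https://update.fortify.com")
        proxy_prefix = "rulepackupdate.proxy"
    return {
        "server": server,
        "proxy": props.get(proxy_prefix + ".server") or None,
        "proxy_port": props.get(proxy_prefix + ".port") or None,
    }


def audit_transport(props):
    """Flag endpoints reached over cleartext HTTP. Rulepacks, FPR uploads
    and, with install.auto.upgrade=true, an installer that gets executed all
    travel over these URLs, so a plain http:// scheme lets an on-path
    attacker substitute content. Returns (key, message) pairs."""
    findings = []
    auto_upgrade = props.get("install.auto.upgrade", "false").lower() == "true"
    for key in ("autoupgrade.server", "rulepackupdate.server", "uploadclient.server"):
        if urlsplit(props.get(key, "")).scheme.lower() == "http":
            msg = "cleartext HTTP"
            if key == "autoupgrade.server" and auto_upgrade:
                msg += "; installer would be downloaded and run from this URL"
            findings.append((key, msg))
    return findings


if __name__ == "__main__":
    cfg = parse_properties(SAMPLE_SERVER_PROPERTIES)
    print("update route:", effective_update_route(cfg))
    for key, msg in audit_transport(cfg):
        print(f"{key}: {msg}")
```

Point the script at a real server.properties with open(...).read() in place of the sample; since the values written by scapostinstall may be encrypted, only the URL and proxy keys are inspected, never credentials.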


Chapter 2: Properties Used in SCA Tools for .NET Applications

The following sections describe the properties used by the following HP Fortify Static Code Analyzer tools:
• HP Fortify Package for Microsoft Visual Studio
• HP Fortify Scanning Package for Microsoft Visual Studio

Properties are listed in alphabetical order based on the files in which they belong:
• HP Fortify Properties (fortify.properties File) on page 25
• IDE Properties (fortify-ide.properties file) on page 28
• TFS Configuration Property on page 28

HP Fortify Properties (fortify.properties File)

Table 4 lists the properties that belong in the fortify.properties file. Some of these properties already exist in the file, while others must be added.

Table 4: HP Fortify Properties

Property Details

com.fortify.audit.ui.DisableBugtrackers
    Default: false
    If set to true, disables bug tracker integration.

com.fortify.audit.ui.DisableSuppress
    Default: false
    If set to true, disables issue suppression.

com.fortify.AuthenticationKey
    Default: com.fortify.AuthenticationKey
    Specifies the directory used to store the manager client authentication token.

com.fortify.Debug
    Default: false
    If set to true, runs all SCA tools in debug mode.

com.fortify.model.CustomDescriptionsHeader
    Default: none
    Specifies a custom description header.

com.fortify.model.ForceIIDMigration
    Default: false
    If set to true, forces Instance ID (IID) migration.


com.fortify.model.PriorityImpactThreshold
    Default: 2.5F
    Specifies the priority impact threshold. An issue's impact is High when its value is >= the threshold (2.5 by default) and Low when it is below. Together with the likelihood threshold, this determines the priority:
    • Critical = High Impact && High Likelihood
    • Hot = High Impact && Low Likelihood
    • Medium = Low Impact && High Likelihood
    • Low = Low Impact && Low Likelihood

com.fortify.model.PriorityLikelihoodThreshold
    Default: 2.5F
    Specifies the priority likelihood threshold. An issue's likelihood is High when its value is >= the threshold (2.5 by default) and Low when it is below. Together with the impact threshold, this determines the priority:
    • Critical = High Impact && High Likelihood
    • Hot = High Impact && Low Likelihood
    • Medium = Low Impact && High Likelihood
    • Low = Low Impact && Low Likelihood

com.fortify.model.UseIIDMigrationFile
    Default: none
    Specifies the full path of the IID migration file.

com.fortify.SCAExecutablePath
    Default: <Fortify Install Dir>/bin/sourceanalyzer.exe
    Specifies the file path to sourceanalyzer.exe.

com.fortify.search.defaultSyntaxVer
    Default: 2
    Determines whether the AND and OR operators can be used in searches. They are enabled in the search syntax by default. To block the use of the AND and OR operators, set the value to 1.

com.fortify.visualstudio.vm.args
    Default: -Xmx256m
    Specifies the JVM arguments.

com.fortify.VS.ASPNetCompilerExecutable
    Default: none
    Specifies the file path to the aspnet_compiler.exe file.

com.fortify.VS.ASPNetVirtualMap.<name_of_virtual_dir>
    Default: none
    Determines the mapping between the virtual root and the full path to the corresponding physical directory.

com.fortify.VS.ASPVirtualRoot
    Default: none
    Specifies the ASP virtual root.


com.fortify.VS.ASPVirtualRootProp
    Default: none
    Specifies the property key required to get the ASP virtual root from the ASP.NET project.

com.fortify.VS.Debug
    Default: false
    If set to true, runs the HP Fortify Package for Visual Studio in debug mode.

com.fortify.VS.DisableCIntegration
    Default: false
    If set to true, disables C/C++ build integration in Visual Studio.

com.fortify.VS.disableMigrationCheck
    Default: false
    If set to true, disables IID migration checking.

com.fortify.VS.DisablePassingIldasmPath
    Default: false
    If set to true, disables passing the ILDASM path to SCA with -Dcom.fortify.sca.IldasmPath.

com.fortify.VS.DisableReferenceLibDirsAndExcludes
    Default: false
    If set to true, disables the use of references added to a project.

com.fortify.VS.IlDasmPath
    Default: none
    Specifies the file path to ildasm.exe.

com.fortify.VS.ListProjectProperties
    Default: false
    If set to true, lists the Visual Studio project properties in a log file.

com.fortify.VS.NETFrameworkRoot
    Default: none
    Specifies the file path to the .NET Framework root.

com.fortify.VS.RequireASPPrecompilation
    Default: true
    If set to true, stops translation whenever ASP precompilation fails.

com.fortify.VS.skipASPPreCompilation
    Default: false
    If set to true, causes SCA to translate the default ASP output instead of running the aspnet_compiler.

com.fortify.VS.SkipASPPrecompilation
    Default: false
    If set to true, causes SCA to translate the default ASP output instead of running the aspnet_compiler.

com.fortify.WorkingDirectory
    Default: C:\Users\<login user>\AppData\Local\Fortify
    Specifies the HP Fortify working directory.
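The two threshold properties in Table 4 (com.fortify.model.PriorityImpactThreshold and com.fortify.model.PriorityLikelihoodThreshold) decide which priority bucket every issue falls into. The following is an added example, written for this page and not code from the Fortify tools or from this guide, that applies the rule exactly as the table states it: the comparison is inclusive (a value equal to the threshold is High), the property values are Java-style float literals such as 2.5F that must have their suffix stripped before parsing, and lowering or raising a threshold reshuffles the buckets. The bucket names are the ones this guide uses; the issue list and its impact/likelihood values are constructed for the example.

```python
# Reproduce the priority bucketing described for the two threshold properties.
# Added example; not part of the Fortify tools. Issue data below is constructed.

DEFAULT_THRESHOLDS = {
    "com.fortify.model.PriorityImpactThreshold": "2.5F",
    "com.fortify.model.PriorityLikelihoodThreshold": "2.5F",
}


def parse_java_float(literal):
    """The property values are written as Java float literals ('2.5F');
    float('2.5F') raises ValueError, so the type suffix is stripped first."""
    return float(literal.strip().rstrip("FfDd"))


def thresholds(props=None):
    """Return (impact_threshold, likelihood_threshold) from a properties
    dict, falling back to the documented defaults for any missing key."""
    merged = {**DEFAULT_THRESHOLDS, **(props or {})}
    return (
        parse_java_float(merged["com.fortify.model.PriorityImpactThreshold"]),
        parse_java_float(merged["com.fortify.model.PriorityLikelihoodThreshold"]),
    )


def priority(impact, likelihood, impact_threshold=2.5, likelihood_threshold=2.5):
    """Bucket names as Table 4 gives them. The comparison is >=, so a value
    exactly at the threshold counts as High."""
    high_impact = impact >= impact_threshold
    high_likelihood = likelihood >= likelihood_threshold
    if high_impact and high_likelihood:
        return "Critical"
    if high_impact:
        return "Hot"        # High Impact && Low Likelihood
    if high_likelihood:
        return "Medium"     # Low Impact && High Likelihood
    return "Low"


# Constructed issues: (category, impact, likelihood). The numbers are made up
# for the example and chosen to land on each side of the 2.5 default.
SAMPLE_ISSUES = [
    ("SQL Injection", 5.0, 4.0),
    ("Password Management: Hardcoded Password", 4.5, 2.4),
    ("Poor Error Handling: Empty Catch Block", 1.5, 3.0),
    ("Dead Code", 0.5, 1.0),
    ("Boundary case, both values exactly at the threshold", 2.5, 2.5),
]


def bucket_counts(issues, props=None):
    """Count issues per bucket using the thresholds from props (or defaults)."""
    impact_t, likelihood_t = thresholds(props)
    counts = {"Critical": 0, "Hot": 0, "Medium": 0, "Low": 0}
    for _category, impact, likelihood in issues:
        counts[priority(impact, likelihood, impact_t, likelihood_t)] += 1
    return counts


if __name__ == "__main__":
    print("defaults:", bucket_counts(SAMPLE_ISSUES))
    stricter = {"com.fortify.model.PriorityImpactThreshold": "4.0f"}
    print("impact threshold 4.0:", bucket_counts(SAMPLE_ISSUES, stricter))
```

Raising the impact threshold moves the boundary-case issue from Critical to Medium, which is the kind of silent reshuffle to watch for when a team tunes these values to reduce the number of Critical findings.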


IDE Properties (fortify-ide.properties file)

Table 5 lists the properties that belong in the fortify-ide.properties file.

Table 5: IDE Properties

Property Details

hide.secondary.source.files
    Default: false
    If set to true, hides from the IDE those source files that also have auto-generated source files. For example, when you create a form in C#, a separate .designer.cs file is created (Form.cs and Form.designer.cs). The files are hidden if they are tagged as the "secondary" file type in the FVDL file.

rulepack.auto.update
    Default: false
    If set to true, updates security content automatically.

rulepack.days
    Default: 15
    Specifies the frequency (in days) of security content updates.

TFS Configuration Property

The following property is in the TFSconfiguration.properties file:

server.url
    Default: none
    Specifies the TFS (Team Foundation Server) location.