[Research] OpenText sourceanalyzer.exe 25.3: flexibly excluding certain issues with the filter parameter
2025-09-05
sourceanalyzer.exe lives in C:\Program Files\Fortify\OpenText_SAST_Fortify_25.3.0\bin and is the main executable of the OpenText Fortify SAST (SCA) static source-code security scanner.
Running it with no parameters prints the version:
C:\>sourceanalyzer
OpenText SAST (Fortify) CE 25.3.0.0014
Copyright (c) 2003-2025 Open Text
For command-line help, type 'sourceanalyzer.exe -h'
C:\>
If it was previously run with the -encoding UTF-8 parameter, the output shows this instead:
C:\>sourceanalyzer
Picked up JAVA_TOOL_OPTIONS: -Dfile.encoding=UTF-8
OpenText SAST (Fortify) CE 25.3.0.0014
Copyright (c) 2003-2025 Open Text
For command-line help, type 'sourceanalyzer.exe -h'
C:\>
All parameters (sourceanalyzer -h):
C:\>sourceanalyzer -h
OpenText SAST (Fortify) CE 25.3.0.0014
Copyright (c) 2003-2025 Open Text
Usage:
Clean:
sourceanalyzer.exe -b <build-id> -clean
Build:
sourceanalyzer.exe -b <build-id> <sca-build-opts>
Scan:
sourceanalyzer.exe -b <build-id> -scan <sca-scan-opts>
Detailed invocation:
Build:
sourceanalyzer.exe -b <build-id>
[ <sca-build-options> ]
<file-specifier>
sourceanalyzer.exe -b <build-id>
[ <sca-build-options> ]
<compiler> <compiler-options>
sourceanalyzer.exe -b <build-id>
[ <sca-build-options> ]
touchless <build-tool> [ <build-tool-options> ]
sourceanalyzer.exe -b <build-id>
[ <sca-build-options> ]
devenv <solution-file> /REBUILD
sourceanalyzer.exe -b <build-id>
[ <sca-build-options> ]
msbuild /t:rebuild <solution-or-project-file>
sourceanalyzer.exe -b <build-id>
[ <sca-build-options> ]
xcodebuild -project <xcodeproj-file>
sourceanalyzer.exe -b mybuild
-source-base-dir <webapp-root> <cfm-file-specifier>
Scan:
sourceanalyzer.exe -b <build-id> -scan
[ -f <output-file> ]
[ -scan-precision <level> ]
[ -rules <rules.xml> [ -no-default-rules ] ]
[ -filter <filter-file> ]
Clean:
sourceanalyzer.exe -b <build-id> -clean
Query:
sourceanalyzer.exe -b <build-id> { -show-build-warnings | -show-files }
sourceanalyzer.exe { -version | -show-build-ids }
sourceanalyzer.exe { -h | -? | -help }
Options
General Options
These options are applicable to all sourceanalyzer.exe invocations.
@<file> Reads command line options from the specified
file. Note that there is no space before the
file argument.
-debug Causes the build step to write additional
troubleshooting information to the log file.
Use if instructed by Fortify Customer Support.
Also see "-logfile".
-logfile <file> Specifies a destination for the log file.
-verbose Outputs verbose messages to the console.
-Xmx<num>M Specifies the maximum Java heap size.
Default is -Xmx1800M.
-autoheap Instructs SCA to set the maximum Java heap size
based on available physical memory. Use instead
of -Xmx. Enabled by default.
-fcontainer When run in a Docker container, instructs SCA
to detect and use only the memory allocated to
the container.
-version Shows the sourceanalyzer.exe version.
Command Options
Note: Only one "command" option is allowed per invocation.
-h Displays this help text.
-help
-?
-clean Deletes all intermediate files and build records.
When a build ID is also specified with -b, only
files and build records related to that build ID
are deleted.
-show-binaries See the user guide.
-show-build-tree See the user guide.
-show-build-ids Lists all the Fortify build IDs (analysis models).
-show-build-warnings Displays all the actionable warnings that
occurred during the translation phase of the build
ID specified by "-b".
-show-files Displays all the source files built into the model
specified by "-b".
-show-loc Displays lines of code processed for files built
into the model specified by "-b".
-scan Causes sourceanalyzer.exe to run an analysis.
(none) If no command option is present, a build step
is assumed.
Build Options
"Build" options translate source code into a Fortify analysis model.
-b <build-id> Specifies a unique name that identifies the
Fortify analysis model to be built. Also see
"-scan".
-build-label <label> Specifies an optional, arbitrary string value to
the Fortify analysis model. Will be included in
the output file.
-build-project <project> Specifies an optional, arbitrary string value to
the Fortify analysis model. Will be included in
the output file.
-build-version <version> Specifies an optional, arbitrary string value to
the Fortify analysis model. Will be included in
the output file.
-encoding <encoding-name> Specifies the source file encoding.
Default value is the platform default.
Compiler Integration Build Options
These options are used when integrating OpenText SAST (Fortify) with a compiler.
<compiler> <compiler-opts> Specifies the compiler command line. The file
being compiled will be added to the analysis
model, and the compiler will be invoked.
touchless <build-tool> Specifies a build tool command. The build tool
[ <build-tool-options> ] will be invoked, and any file being compiled
will be added to the analysis model.
-nc When specified, the compiler is not invoked.
File Specification Build Options
These options are used to pass source files directly to OpenText SAST (Fortify).
<file-specifier> Expression denoting a file or a group of files,
optionally matching a pattern:
file1.java - a file
file*.java - files matching expression
"path/**/*.java" - recursive expression matches.
Note: Always escape ** expressions in quotes.
-exclude <file-specifier> Excludes any files matched by <file-specifier>
from the set of files to translate
Java-specific Build Options
These options should be used in conjunction with file specification options.
-classpath <classpath> Uses the specified classpath value for Java
-cp <classpath> builds.
-extdirs Accepts a colon or semicolon separated list
of directories. Any jar files found in
these directories are included on the
classpath. Equivalent to the -extdirs option
to javac.
-sourcepath Specifies the location of source files which will
not be included in the scan but will be used for
name resolution. Equivalent to the -sourcepath
option to javac.
The sourcepath is like classpath, except it uses
source files rather than class files for
resolution.
-source <value> Indicates which version of the Java language the Java
-jdk <value> code adheres to. Valid values are 1.8, 8, 11, 17, 21.
Default is "11".
-java-build-dir <dir> Used to specify one or more directories to which
Java sources are being compiled. May also be
specified at scan time.
Other Language-Specific Build Options
-source-base-dir <root> The base directory for a ColdFusion application.
-python-path Add an import directory for a Python application.
-apex Set ".cls" file extension to Apex language.
(detected based on file content by default). Equivalent to
-Dcom.fortify.sca.fileextensions.cls=APEX
-apex-sobject-path Add file to load SObject types in Apex application.
Scan Options
-b <build-id> Specifies the build ID. The build ID is used
to track which files are compiled and linked
as part of a build, to later scan those files.
This option may be specified more than once to
include multiple build IDs in the same scan.
-bin <binary> All source files compiled and linked into the
specified binary are scanned. Multiple binaries
may be specified.
-disable-default-rule-type See the user guide.
-f <file> The file to which analysis results are written.
Default is stdout.
-filter <file> Specifies a filter file. For more information,
see the user guide.
-scan-policy <policy> Specifies a scan policy for vulnerability prioritization.
Valid values are classic, security, devops. Default is security.
For more information, see the user guide.
-java-build-dir <dir> Used to specify one or more directories to which
Java sources have been compiled. May also be
specified at build time.
-no-default-issue-rules See the user guide.
-no-default-sink-rules See the user guide.
-no-default-source-rules See the user guide.
-no-default-rules Indicates that OpenText SAST (Fortify) should not use its
default rules. Must be used in conjunction with
"-rules"
-rules <specifier> Specifies custom rules file or directory. If a
directory is specified, all files ending in ".bin"
or ".xml" are included.
This option may be used multiple times.
-quick Runs a quick scan. Quick scans complete faster at
the cost of reduced accuracy.
-scan-precision <level> Configures the depth, precision and speed of the scan
-p <level> with configuration properties specific for the level.
The valid values are 1, 2, 3, and 4.
-quiet Disables the command line progress bar.
-scan Causes OpenText SAST (Fortify) to perform analysis against a
model. The model must be specified with "-b".
Build Sessions
-export-build-session <file.mbs>
Store the translated model specified by -b to the
specified file.
-import-build-session <file.mbs>
Load the specified file into a build model. If
the build ID of the model already exists in the
model registry, the import fails with the message
that a build already exists with that ID.
License Directives
-store-license-pool-credentials "<lim_url>|<lim_pool_name>|<lim_pool_pwd>|<proxy_url>|<proxy_user>|<proxy_pwd>"
Stores your LIM license pool credentials to
allow OpenText SAST (Fortify) to use the
LIM for licensing. Proxy information is optional.
-clear-license-pool-credentials
Removes the LIM license pool credentials from
the fortify-sca.properties file.
-request-detached-lease <duration>
Requests a detached lease from the LIM license
pool for exclusive use on this system for the
specified duration (in minutes).
-release-detached-lease
Releases a detached lease back to the license
pool.
EXAMPLES
Build examples:
Generic (Java, configuration, PHP, JavaScript, ASP/VBScript, VB6):
sourceanalyzer.exe -b mybuild .
sourceanalyzer.exe -b mybuild file1.java file2.java
sourceanalyzer.exe -b mybuild *.bas *.cls *.frm
sourceanalyzer.exe -b mybuild "site/**/*.php"
ColdFusion translation:
sourceanalyzer.exe -b mybuild -source-base-dir /www/app "/www/app/**/*.cfm"
SQL translation:
sourceanalyzer.exe -b mybuild -Dcom.fortify.sca.fileextensions.sql=PLSQL *.sql
sourceanalyzer.exe -b mybuild -Dcom.fortify.sca.fileextensions.sql=TSQL *.sql
C/C++ builds:
sourceanalyzer.exe -b mybuild gcc -c test.c
sourceanalyzer.exe -b mybuild CL.EXE /o HelloWorld HelloWorld.c
sourceanalyzer.exe -b mybuild make
sourceanalyzer.exe -b mybuild devenv myproject.msproj /REBUILD
Objective-C/C++ builds:
sourceanalyzer.exe -b mybuild clang -ObjC HelloWorld.m
sourceanalyzer.exe -b mybuild xcodebuild -project myproject.xcodeproj
.NET builds:
sourceanalyzer.exe -b mybuild devenv myproj.sln /REBUILD
sourceanalyzer.exe -b mybuild msbuild /t:rebuild myproj.csproj
Java specific builds:
sourceanalyzer.exe -b mybuild -cp lib/dependency.jar "src/**/*.java"
sourceanalyzer.exe -b mybuild -cp mytaglibs.jar webapp/*.jsp
sourceanalyzer.exe -b mybuild touchless ant
J2EE specific builds:
sourceanalyzer.exe -b mybuild -cp "app/WEB-INF/lib/*.jar" app/*.jsp
Scan step:
sourceanalyzer.exe -b mybuild -scan -f results.fpr
See OpenText(TM) Static Application Security Testing (Fortify) User Guide for a complete explanation of each option.
You can open a support case for Fortify products online using
our customer support system. This streamlined procedure is designed to
provide easier access and improved customer satisfaction.
Access your account at https://softwaresupport.softwaregrp.com/.
C:\>
Example: run.bat
REM Clean any previous analysis model with this build ID
set FORTIFY_TEMPLATE=D:\FortifyTemplate\MyTemplate.xml
set WORKSPACE=D:\WORKSPACE
set SubFolder=Solution1
set JOB_NAME=JOB_Solution1
sourceanalyzer.exe -b %JOB_NAME% -clean
REM Translate the Visual Studio solution into the analysis model
sourceanalyzer.exe -b %JOB_NAME% devenv .\Solution1\Solution1.sln /Rebuild
REM Scan the model and write the FPR result file
sourceanalyzer.exe -b %JOB_NAME% -scan -64 -verbose -Xmx14G -format "fpr" -f "%WORKSPACE%\%SubFolder%\Solution1.fpr"
REM Generate a PDF report from the FPR using the report template
ReportGenerator.bat -template %FORTIFY_TEMPLATE% -format "pdf" -f "%WORKSPACE%\%SubFolder%\Solution1.pdf" -source "%WORKSPACE%\%SubFolder%\Solution1.fpr"
It has no built-in parameter for excluding Critical, High, Medium, Low or Info issues; a filter file must be used. None is supplied by default, so you have to create one yourself.
ChatGPT said it is an .xml file; in my test that did not work. For the correct approach, refer to the official documentation.
Excluding issues with filter files
https://www.microfocus.com/documentation/fortify-static-code-analyzer-and-tools/2530/sast-ugd-html-25.3.0/doc/2263_25.3/a697d25fe15a_usingfilterfiles.html
Filter file example
https://www.microfocus.com/documentation/fortify-static-code-analyzer-and-tools/2530/sast-ugd-html-25.3.0/doc/2263_25.3/a697d25fe15a_filterfileexample.html
Example: filter.txt
priority <= low
The priority values in ascending order are low, medium, high, and critical.
sourceanalyzer -b mybuild -scan -f results.fpr -filter filter.txt
In my test, Low issues were indeed excluded from the .fpr report, so the .pdf generated from that .fpr naturally does not contain them either.
Figure below: before exclusion
Figure below: after exclusion
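Because the filter file removes matching issues from results.fpr rather than merely hiding them in the viewer, it is worth previewing what a filter line will drop before it is applied to a scan. The following is an added example, not Fortify's own code: it models only the priority comparison the user guide describes (ascending order low, medium, high, critical) and applies it to a constructed list of findings. The comment syntax, the operator set and OR-ing of multiple lines are this script's assumptions, and the sample findings are invented.

```python
"""Added example (not Fortify's own code): preview what a priority line in a
sourceanalyzer filter file would drop before it is baked into the .fpr.

Assumptions: only 'priority <op> <level>' lines are modelled, using the
ascending order the user guide states (low < medium < high < critical);
'#' comment lines, the operator set and OR-ing of several lines are this
script's assumptions; the findings list is constructed sample data.
"""
import re

PRIORITY_ORDER = ["low", "medium", "high", "critical"]  # ascending, per user guide

OPS = {
    "<=": lambda a, b: a <= b,
    "<": lambda a, b: a < b,
    ">=": lambda a, b: a >= b,
    ">": lambda a, b: a > b,
    "==": lambda a, b: a == b,
}

PRIORITY_LINE = re.compile(
    r"^priority\s*(<=|>=|==|<|>)\s*(low|medium|high|critical)$", re.IGNORECASE
)


def parse_priority_filter(text):
    """Return a list of (operator, rank) pairs, one per priority line.

    Blank lines and '#' comments are skipped (assumed syntax). Any other
    line raises, so a mistyped line is noticed instead of filtering nothing.
    """
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = PRIORITY_LINE.match(line)
        if not match:
            raise ValueError(f"line {lineno}: unsupported filter line {raw!r}")
        op, level = match.group(1), match.group(2).lower()
        rules.append((op, PRIORITY_ORDER.index(level)))
    return rules


def is_excluded(priority, rules):
    """True if any rule matches the finding's priority (rules OR-ed, assumed)."""
    rank = PRIORITY_ORDER.index(priority.lower())
    return any(OPS[op](rank, threshold) for op, threshold in rules)


def apply_filter(findings, filter_text):
    """Split findings into (kept, dropped) under the given filter file text."""
    rules = parse_priority_filter(filter_text)
    kept, dropped = [], []
    for finding in findings:
        (dropped if is_excluded(finding["priority"], rules) else kept).append(finding)
    return kept, dropped


# Constructed sample findings: Fortify priority names, invented instances.
SAMPLE_FINDINGS = [
    {"id": "F1", "category": "SQL Injection", "priority": "Critical"},
    {"id": "F2", "category": "Cross-Site Scripting: Reflected", "priority": "High"},
    {"id": "F3", "category": "Path Manipulation", "priority": "Medium"},
    {"id": "F4", "category": "Poor Error Handling: Empty Catch Block", "priority": "Low"},
    {"id": "F5", "category": "Dead Code: Unused Field", "priority": "Low"},
]

# Same content as the filter.txt shown above.
FILTER_TXT = "priority <= low\n"

if __name__ == "__main__":
    kept, dropped = apply_filter(SAMPLE_FINDINGS, FILTER_TXT)
    print(f"kept {len(kept)}: {[f['id'] for f in kept]}")
    print(f"dropped {len(dropped)}: {[f['id'] for f in dropped]}")
```

Running it with the filter.txt above keeps F1 through F3 and drops the two Low findings; swapping in a line such as `priority < high` shows how quickly the threshold also swallows Medium issues, which is the kind of check to make before the filter is wired into run.bat for every scan.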
********************************************************************************
Issues can also be excluded with a specific filter set:
Using filter sets to exclude issues
Example:
sourceanalyzer -b MyProject -scan -project-template IssueTemplate.xml -Dcom.fortify.sca.FilterSet=OWASP_Filter -f MyFilteredResults.fpr