Build secure software fast. Find security issues early and fix at the speed of DevOps.
Patterns to include in execution and reports.
Patterns to exclude from execution and reports.
Amount of CPU. The default machine has 0.75 CPU with 2880 MiB RAM.
Below is the list of options that are supported:
Options

-encoding <encoding-name>
    Specifies the source file encoding. Default value is the platform default.
-exclude <file-specifier>
    Excludes any files matched by <file-specifier> from the set of files to translate.

Java-specific Build Options

These options should be used in conjunction with file specification options.

-classpath <classpath>, -cp <classpath>
    Uses the specified classpath value for Java builds.
-extdirs
    Accepts a colon or semicolon separated list of directories. Any jar files found in these directories are included on the classpath. Equivalent to the -extdirs option to javac.
-sourcepath
    Specifies the location of source files which will not be included in the scan but will be used for name resolution. Equivalent to the -sourcepath option to javac. The sourcepath is like classpath, except it uses source files rather than class files for resolution.
-source <value>, -jdk <value>
    Indicates which version of the Java language the Java code adheres to. Valid values are 1.5, 1.6, 1.7, 1.8, 1.9, 5, 6, 7, 8, and 9. Default is "1.8".
-java-build-dir <dir>
    Used to specify one or more directories to which Java sources are being compiled. May also be specified at scan time.

Scan Options

-bin <binary>
    All source files compiled and linked into the specified binary are scanned. Multiple binaries may be specified.
-disable-default-rule-type
    See the Fortify SCA User's Guide.
-no-default-issue-rules
    See the Fortify SCA User's Guide.
-no-default-sink-rules
    See the Fortify SCA User's Guide.
-no-default-source-rules
    See the Fortify SCA User's Guide.
-no-default-rules
    Indicates that Fortify SCA should not use its default rules. Must be used in conjunction with "-rules".
-rules <specifier>
    Specifies a custom rules file or directory. If a directory is specified, all files ending in ".bin" or ".xml" are included. This option may be used multiple times.
-quick
    Runs a quick scan. Quick scans complete faster at the cost of reduced accuracy.

Additional Options

--build-cmds
    Sequence of build commands to analyze. Please read the section below for the notes about specifying build commands.
--work-dir
    Working directory of the above build commands. (default: repository root)
No tool-specific severity levels are available.
Note: Incremental analysis is not supported for Fortify.
No tool-specific experimental options are available.
The build must be run through sourceanalyzer with the -b build_id option; only code translated under that build ID can be analyzed/scanned.
Please contact the Rocro team (firstname.lastname@example.org) if you have trouble specifying the build commands.
Example build commands for building gzip v1.8 (git://git.savannah.gnu.org/gzip.git):
inspecode:
  tools:
    fortify:
      options:
        --build-cmds:
          - ./bootstrap
          - env CC="sourceanalyzer -b build_id $@ gcc" CXX="sourceanalyzer -b build_id $@ g++" ./configure
          - make
With default options:
inspecode:
  tools:
    fortify: default
With custom machine:
inspecode:
  tools:
    fortify:
      machine:
        cpu: 1.5 # 1.5 CPU, 5760 MiB RAM
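A Java project configured the same way, combining the Java-specific build options and scan options listed above, as an added example that is not from the Rocro documentation. It assumes that Fortify's own options (-rules, -exclude) are given as keys of the same options map that --build-cmds uses, and that the subdirectory, jar directory, class output directory and custom rules file sit at the constructed paths shown.

```yaml
inspecode:
  tools:
    fortify:
      options:
        # Run the build commands from the service/ subdirectory instead of the repository root (assumed path).
        --work-dir: service
        # Every compile step is wrapped by sourceanalyzer with the same build_id;
        # a javac call that is not wrapped is never translated, so its files are missing from the scan.
        --build-cmds:
          - mkdir -p build/classes
          - sourceanalyzer -b build_id -cp "lib/*" -source 1.8 -java-build-dir build/classes javac -cp "lib/*" -d build/classes $(find src/main -name '*.java')
        # Custom rules are added to the default rule set (assumed file path).
        -rules: fortify/custom-rules.xml
        # Keep test sources out of the translated set (assumed layout).
        -exclude: "src/test/**/*.java"
      machine:
        cpu: 1.5 # translation of a large Java tree benefits from the bigger machine
```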