Fortify SCA

Use the Fortify SCA bundled plugin to analyze the source code of an application for security issues.

Static Code Analyzer (SCA) identifies the root causes of software security vulnerabilities and delivers accurate, risk-ranked results with line-of-code remediation guidance.


The Fortify SCA plugin requires Fortify SCA (and the tools that it uses, such as Microsoft Visual Studio) to be installed and configured correctly for the named user account that Tomcat will run as.

Note: Fortify SCA may not work if Common Tomcat runs as a Windows service under the LocalSystem account.

Back to top

Create server configuration file

The Fortify SCA plugin's server configuration file is required and is located in:


Property Description

Specifies one of the following:

  • The full path to Fortify SCA sourcecodeanalyzer executable.
  • A wrapper script that sets extra parameters such as memory size.

For example:

C:\\Program Files\\HP_Fortify\\HP_Fortify_SCA_and_Apps_<version>\\bin\\sourceanalyzer.exe


Specifies the full path to the Fortify SCA report generator, for example:

C:\\Program Files\\HP_Fortify\\HP_Fortify_SCA_and_Apps_<version>\\bin\\ReportGenerator.bat


Specifies the full path to Microsoft Visual Studio, for example:

C:\\Program Files (x86)\\Microsoft Visual Studio <version>\\Common7\\IDE\\devenv.exe

Example server configuration file:

Copy code
sourceAnalyzerPath=C:\\Program Files\\HP_Fortify\\HP_Fortify_SCA_and_Apps_4.30\\bin\\sourceanalyzer.exe
visualStudioExecutablePath=C:\\Program Files (x86)\\Microsoft Visual Studio 10.0\\Common7\\IDE\\devenv.exe

Back to top

Configure plugin settings

When you add the Fortify SCA plugin to a chain, specify the plugin's configuration details.

To configure the plugin step:

  1. Enter a name for this step in the chain.

  2. Select a custom translation option:

    Yes Use a custom translation string. Enter a string in Custom translation options but only include phase options and exclude '-b'.
    No Select translation options (see the table below).
  3. (Optional) For Analysis phase, enter additional rulepack files or directories, one per line. You can specify an absolute path or one that is relative to the root of the stream. Use the sourceanalyzer Ant task rules attribute.

  4. To create a PDF of the report, select Generate PDF report and enter the path of a report template. You can specify an absolute path or one that is relative to the root of the stream. If you do not specify a report template the default is used. Use the ReportGenerator utility's template option.

    Translator type Option Description
    Java sources Sources include pattern

    Enter patterns for Java sources, for example:

    src/**/ *.java

    Default pattern: **/*.java


    Enter a Java class path. The format is the same as javac (colon or semi-colon separated list of paths). Use the sourceanalyzer Ant task classpath attribute.
    Resolution source path Enter a path to a Java resolution sources directory. Sources are used for resolution not analysis. Use the sourceanalyzer Ant task sourcepath attribute.

    Java version

    Specify the JDK version the Java code is written for. Use the sourceanalyzer Ant task source attribute.
    .NET sources Solution file path Enter the relative path to a solution file.
    Other sources

    Include pattern

    Enter an include pattern for other sources, for example:

    **/ *.sql

Back to top

See also: