
Not understanding how to scan from AWB after modifying source code

My project is a fairly small C project. Running sourceanalyzer from a command line finishes in about 3 minutes for both translation and scan.

The documentation says if the .fpr was generated from the command line and I need to re-scan from AWB, the Update Project Translation button is greyed out (which it is). But if I modify the source code, the documentation says I must first update the translation before I can re-scan the code, which means I have to run sourceanalyzer from the command line again (since the option is greyed out in AWB). However, using sourceanalyzer re-writes the .fpr, which means I lose all my audits and custom filters that I created in AWB.

Question 1: Can I run sourceanalyzer from the command line for both translation and scan without losing the audit work and custom filters I created in AWB?

The next logical step seemed to be to create the .fpr from AWB. But if I try to use AWB to start a new project using Advanced Scan..., it takes over an hour to complete the "Generating intermediate files - JtsWrapper.java" step. When it's done, the results show 0 issues.

Question 2: How do I use AWB to start a new project on a C project that doesn't use Java? When I select Start New Project -> Advanced Scan, it asks for the Java version. Does that mean it thinks my project is a Java project?

This is how I use sourceanalyzer:

sourceanalyzer -clean

sourceanalyzer -64 -b myproj \
               -build-label myproj \
               -build-project myproj \
               -build-version 1.0.0 \
               touchless make -j6 -k

sourceanalyzer -64 -b myproj \
               -build-label myproj \
               -build-project myproj \
               -build-version 1.0.0 \
               -scan \
               -f myproj.fpr

Question 1)

There are two options for keeping your previous/existing comments, audits, and filters when creating a new scan.

a) If you scan a second time and have the -f pointing to your existing .fpr file that has the modifications, sourceanalyzer will automatically merge the new results into that .fpr.

b) There is a command-line utility to merge two files together:

fprutility -merge -project <old.fpr> -source <new.fpr> -f <merged.fpr>

When you said, "The next logical step seemed to be create the .fpr from AWB." I disagree. Being able to produce a scan at the command line makes the process repeatable and automatable. AWB and the IDE plug-ins are all a front end for sourceanalyzer.exe.

Question 2)

I am not sure what version of Fortify SCA you are using, but when I point the advanced scan at the C++ sample project (<HPE Fortify Install Dir>/Samples/Basic/cpp), I do not get asked about Java versions (I am using version 16.10).

A couple of things about your command-line arguments:

  • -64 is automatic for several versions now (not sure when the switch was made)
  • -build-label myproj is optional
  • -build-project myproj is optional
  • -build-version 1.0.0 is optional
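The two ways of keeping AWB audit work that the answer describes, written up as a repeatable rescan script. This is an added example, not code from the question, the answer or Fortify; it assumes sourceanalyzer and FPRUtility are on PATH, that the project builds with make, a build id of myproj and an audited results file myproj.fpr. Option a) scans straight into the existing .fpr so sourceanalyzer merges the new findings into it; option b) scans into a fresh file and then merges the old, audited project with it using FPRUtility. The optional -build-* flags and -64 are dropped, as the answer notes, and the same build id is used for -clean, the touchless build and the scan so only this project's intermediate files are touched.

```shell
#!/bin/sh
# Added example (not from the original post): a repeatable Fortify SCA rescan
# script. Assumptions: sourceanalyzer and FPRUtility are on PATH, the project
# builds with "make", build id "myproj", audited results live in myproj.fpr.
set -eu

BUILD_ID="${BUILD_ID:-myproj}"
FPR="${FPR:-myproj.fpr}"

# Run a command, or only print it when DRY_RUN=1 or the tool is not installed.
# Arguments are passed through as-is (no eval), so paths with spaces are safe.
run() {
    if [ "${DRY_RUN:-0}" = 1 ] || ! command -v "$1" >/dev/null 2>&1; then
        printf 'dry-run:'; printf ' %s' "$@"; printf '\n'
        return 0
    fi
    "$@"
}

# Keep a timestamped copy of the audited .fpr before the scan rewrites it.
backup_fpr() {
    if [ -f "$FPR" ]; then
        cp "$FPR" "$FPR.$(date +%Y%m%d%H%M%S).bak"
    fi
}

# Translation: the same build id is used for -clean, the touchless build and
# the scan, so only this project's intermediate files are cleaned and scanned.
# -64, -build-label, -build-project and -build-version are left out: the
# answer notes they are optional or now the default.
translate() {
    run sourceanalyzer -b "$BUILD_ID" -clean
    run sourceanalyzer -b "$BUILD_ID" touchless make -j6 -k
}

# Option a) from the answer: point -f at the EXISTING .fpr so sourceanalyzer
# merges the new findings into it and the AWB audits and filters survive.
rescan() {
    backup_fpr
    translate
    run sourceanalyzer -b "$BUILD_ID" -scan -f "$FPR"
}

# Option b) from the answer: scan into a fresh file, then merge the audited
# (old) project with the new findings into a third file.
rescan_and_merge() {
    new="${1:-$BUILD_ID.new.fpr}"
    out="${2:-$BUILD_ID.merged.fpr}"
    translate
    run sourceanalyzer -b "$BUILD_ID" -scan -f "$new"
    run FPRUtility -merge -project "$FPR" -source "$new" -f "$out"
}

# Entry point: MODE=rescan (default) updates myproj.fpr in place;
# MODE=merge leaves the audited file untouched and writes a merged copy.
case "${MODE:-rescan}" in
    rescan) rescan ;;
    merge)  rescan_and_merge ;;
    *) echo "unknown MODE: $MODE" >&2; exit 2 ;;
esac
```

Run it as `./rescan.sh` after editing the source; `DRY_RUN=1 ./rescan.sh` prints the exact command lines without running anything, which is a quick way to check the build id and -f target before the .fpr is rewritten. The backup step is there because the in-place merge of option a) overwrites the only copy of the audit work.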

