My project is a fairly small C project. Running sourceanalyzer from a command line finishes in about 3 minutes for both translation and scan.
The documentation says that if the .fpr was generated from the command line and I need to re-scan from AWB, the Update Project Translation button is greyed out (which it is). But if I modify the source code, the documentation says I must first update the translation before I can re-scan the code, which means I have to run sourceanalyzer from the command line again (since the option is greyed out in AWB). However, using sourceanalyzer re-writes the .fpr, which means I lose all my audits and custom filters that I created in AWB.
Question 1: Can I run sourceanalyzer from the command line for both translation and scan without losing the audit work and custom filters I created in AWB?
The next logical step seemed to be to create the .fpr from AWB. But if I try to use AWB to start a new project using Advanced Scan..., it takes over an hour to complete the "Generating intermediate files - JtsWrapper.java" step. When it's done, the results show 0 issues.
Question 2: How do I use AWB to start a new project on a C project that doesn't use Java? When I select Start New Project -> Advanced Scan, it asks for the Java version. Does that mean it thinks my project is a Java project?
This is how I use sourceanalyzer:
# remove intermediate files from earlier translations
sourceanalyzer -clean
# translation: the touchless build wraps make and records every compile
sourceanalyzer -64 -b myproj \
    -build-label myproj \
    -build-project myproj \
    -build-version 1.0.0 \
    touchless make -j6 -k
# analysis: scan the translated build id and write the results file
sourceanalyzer -64 -b myproj \
    -build-label myproj \
    -build-project myproj \
    -build-version 1.0.0 \
    -scan \
    -f myproj.fpr
Question 1)
There are two options for keeping your previous/existing comments, audits, and filters when creating a new scan.
a) If you scan a second time and have the -f pointing to your existing .fpr file that has the modifications, sourceanalyzer will automatically merge the new results into that .fpr.
b) There is a command-line utility to merge two files together:
fprutility -merge -project <old.fpr> -source <new.fpr> -f <merged.fpr>
When you said, "The next logical step seemed to be to create the .fpr from AWB," I disagree. Being able to produce a scan at the command line makes the process repeatable and automatable. AWB and the IDE plug-ins are all a front end for sourceanalyzer.exe.
Question 2)
I am not sure what version of Fortify SCA you are using, but when I point the advanced scan at the C++ sample project (<HPE Fortify Install Dir>/Samples/Basic/cpp) I do not get asked about Java versions (I am using version 16.10).
A couple of things about your command-line arguments:
-64 is automatic for several versions now (not sure when the switch was made)
-build-label myproj is optional
-build-project myproj is optional
-build-version 1.0.0 is optional
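As an added example (not the poster's script and not Fortify's own code), here is option b) above turned into a small POSIX shell wrapper: it backs up the audited .fpr, re-translates with the touchless build, scans into a fresh file so the audited one is never overwritten, and then merges the audits and filters onto the new results. It assumes sourceanalyzer and FPRUtility are on PATH (FPRUtility is the installed name of the merge tool; adjust if your install differs), that the build is driven by make, and the build id and file names are placeholders. Set DRY_RUN=1 to print the commands instead of running them.

```shell
#!/bin/sh
# Added example: command-line rescan that keeps AWB audits/filters by merging.
# Assumptions: sourceanalyzer and FPRUtility on PATH; build driven by "make";
# the build id and .fpr names below are placeholders, not the poster's values.

BUILD_ID="${BUILD_ID:-myproj}"
OLD_FPR="${OLD_FPR:-myproj.fpr}"              # the .fpr that holds the AWB audit work
NEW_FPR="${NEW_FPR:-myproj-new.fpr}"          # fresh, unaudited results of this scan
MERGED_FPR="${MERGED_FPR:-myproj-merged.fpr}" # new findings + old audits/filters
DRY_RUN="${DRY_RUN:-0}"                       # 1 = print the commands, do not run them

# Execute a command, or print it when DRY_RUN=1 (also lets the steps be tested offline).
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 0: keep a copy of the audited file so a mis-targeted scan or a failed
# merge cannot cost the audit work. Skipped if there is no previous .fpr yet.
backup_fpr() {
    [ -f "$OLD_FPR" ] || return 0
    run cp -p "$OLD_FPR" "$OLD_FPR.bak"
}

# Step 1: clean only this build id, not every build id on the machine
clean_build() {
    run sourceanalyzer -b "$BUILD_ID" -clean
}

# Step 2: re-translate through the touchless build (this is the command-line
# replacement for the greyed-out "Update Project Translation" button in AWB)
translate() {
    run sourceanalyzer -b "$BUILD_ID" touchless make -j6 -k
}

# Step 3: scan into a separate file; OLD_FPR is never the -f target
scan() {
    run sourceanalyzer -b "$BUILD_ID" -scan -f "$NEW_FPR"
}

# Step 4: -project is the audited file, -source the new results;
# the output carries the new findings with the old audits/filters attached
merge() {
    run FPRUtility -merge -project "$OLD_FPR" -source "$NEW_FPR" -f "$MERGED_FPR"
}

# Whole procedure; stops at the first failing step so a bad scan is not merged.
rescan() {
    backup_fpr && clean_build && translate && scan && merge
}

# Usage: sh rescan.sh run        (or DRY_RUN=1 sh rescan.sh run to preview)
if [ "${1:-}" = "run" ]; then
    rescan
fi
```

After the merge, open the merged file in AWB and confirm the audited issues still carry their comments before replacing the old .fpr with it; the .bak copy is there for exactly that check.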