Hi,
Is there a way to print the total Lines of code for a fortify application ?
In Fortify SSC , we could see Executable LOC but I want the total lines of code for an application in fortify
Please suggest..
Cybersecurity
DevOps Cloud
IT Operations Cloud
Hi,
Is there a way to print the total Lines of code for a fortify application ?
In Fortify SSC , we could see Executable LOC but I want the total lines of code for an application in fortify
Please suggest..
Before we talk about How, let's mention what is the LOC entry. Please note that Fortify's method for calculating LOC is changing with our next release, 24.2. Historically, we counted LOC, but also eLOC, with content and attempted to strip out whitespace, yet our counts always seemed slightly low to users. We could narrow it down to only live statements, but that becomes challenging, or argumentative, for different languages. At this time, we will be standardizing on counting everything that holds a Newline, including whitespace and comments, et al. Please be aware of this change if your metrics have been utilizing the prior LOC/eLOC entries from Fortify, that you may see a bump in those metrics with this release.
While not truly printable, a common method to check LOC is to open the FPR/scan in Audit Workbench ("AWB") and find that information in the Project Summary screens.
To get the LOC printable, you could use FPRutility, a command line tool that comes with Fortify SCA. It has a number of {-information} options and can also be used to Merge separate scans into a single scan. If your pipeline auto-uploads the finished scan file to the SSC Server, you might need to use the foritfyclient, another CLI tool, to download the completed/post-processing FPR file from that SSC project in order to then read the summary details (locally) on the combined results
e.g.
+++++++++++++++++++++++++++++++++++++++++++++++++++
fprutility -h
fprutility -information -loc -project "FSCA results NOV2023.fpr" -f output.txt
notepad output.txt
Listing all analyzed files with the line of code counts (LOC), in the following format <file>: <detected_loc> (<analyzed_loc>)
tools/source/ansible-for-devops-master/ansible-for-devops-master/.github/FUNDING.yml: 4 (4)
tools/source/ansible-for-devops-master/ansible-for-devops-master/.github/workflows/ci.yml: 143 (143)
....
Users/Administrator/AppData/Local/Fortify/sca23.1/build/ansible/_fortify_libraries_/express/node_modules/@types/serve-static/index.d.ts: 26 (12)
Summary of file types:
dockerfile: 4 files; 0 LOC; (0 analyzed LOC)
generic: 7 files; 0 LOC; (0 analyzed LOC)
hocon: 1 files; 0 LOC; (0 analyzed LOC)
html: 4 files; 0 LOC; (0 analyzed LOC)
java_properties: 3 files; 0 LOC; (0 analyzed LOC)
json: 2 files; 20 LOC; (20 analyzed LOC)
php: 1 files; 29 LOC; (18 analyzed LOC)
python: 5 files; 643 LOC; (519 analyzed LOC)
typescript: 12 files; 470 LOC; (271 analyzed LOC)
yaml: 122 files; 3,386 LOC; (3,386 analyzed LOC)
+++++++++++++++++++++++++++++++++++++++++++++++++++
Hey, thankyou so much for your answer. But I' getting the below error when I use the command -
FPRUtility -information -loc -project "filename.fpr" -f outputloc.txt
[Warning]: The property com.fortify.model.CheckSig is not a valid property.
[Error]: Unrecognized argument: -loc
We are using Fortify 18.2. Please suggest ..
Any particular reason you are still using version 18.20 and haven't upgraded?