There are three different methods that can be used to prevent the source code and/or source snippets from being included in the results file (FPR):
Using either of the first two methods listed below, both the source code and the source snippets can be prevented from being included in the results file. The third option modifies the FPR after the scan, so it can only remove the source code from the FPR; the source snippets cannot be removed once the FPR has been generated.
1. Through the command line:
Pass the arguments -disable-source-rendering -Dcom.fortify.sca.FVDLDisableSnippets=true during the scan phase, as shown in the examples below:
Clean Phase:
sourceanalyzer -b eightball -clean
Translation Phase:
sourceanalyzer -b eightball EightBall.java
Scan Phase (This will include both source snippets and the source code):
sourceanalyzer -b eightball -scan -f eightball.fpr
Scan Phase (This will prevent the source code from being included, but will still generate source snippets):
sourceanalyzer -b eightball -scan -f disable-sourcecode.fpr -disable-source-rendering -Dcom.fortify.sca.FVDLDisableSnippets=false
Scan Phase (This will prevent the source snippets from being created, but will still include the source code):
sourceanalyzer -b eightball -scan -f disable-snippets.fpr -Dcom.fortify.sca.FVDLDisableSnippets=true
Scan Phase (This will disable both source snippets and the source code):
sourceanalyzer -b eightball -scan -f disable-snippets-and-sourcecode.fpr -disable-source-rendering -Dcom.fortify.sca.FVDLDisableSnippets=true
In the above examples eightball is the build id.
2. By changing the fortify-sca.properties file:
To prevent the source code from being included the following option should be added or changed in the fortify-sca.properties file:
com.fortify.sca.FPRDisableSourceBundling = True
To prevent the source snippets from being included the following option should be added or changed in the <SCA install>/Core/config/fortify-sca.properties file:
com.fortify.sca.FVDLDisableSnippets = True
3. By using the FPR utility:
The FPR utility (fprutility) can be used to remove the source code from an existing FPR and store it in a separate archive. To remove the source code using the FPR utility, pass the following command line arguments:
-sourceArchive -extract -project <fprfilename>.fpr -f <outputArchive>.fsa
The -extract option instructs fprutility to remove the source code from the specified project.
The -project option specifies the FPR file from which the source code will be removed.
The -f option is used to specify where the fprutility should store the extracted source code.
Below is an example of how to use the fprutility:
fprutility -sourceArchive -extract -project eightBall.fpr -f outputArchive.fsa
Note: The source snippets remain in the audit.fvdl inside the FPR after the source archive has been extracted; only the bundled source code is removed.
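Whichever of the three methods above is used, it is worth verifying the resulting FPR before it is handed to anyone who should not see the code. The following check is an added example, not part of the Fortify documentation or of the fprutility tool. It treats the FPR as the ZIP archive it is and reports bundled source files and snippet elements. It assumes that bundled source is stored under a src-archive/ directory inside the FPR and that snippets appear as <Snippet> elements in audit.fvdl (both assumptions; confirm them against one of your own FPRs). The build_sample_fpr helper fabricates minimal FPRs in memory so the script runs without a scan.

```python
"""Check whether a Fortify FPR still carries source code or source snippets.

Added example, not part of the Fortify documentation or the fprutility tool.
Assumptions (verify against your own FPRs):
  - an FPR is a ZIP archive,
  - bundled source files live under a 'src-archive/' directory inside it,
  - source snippets are <Snippet ...> elements inside audit.fvdl.
"""
import io
import re
import zipfile

SOURCE_DIR = "src-archive/"              # assumed location of bundled source
FVDL_NAME = "audit.fvdl"
SNIPPET_RE = re.compile(rb"<Snippet\b")  # assumed element name; does not match <Snippets>


def inspect_fpr(fpr_bytes: bytes) -> dict:
    """Return what sensitive material the FPR contains.

    Keys: 'source_files' (bundled source paths found under src-archive/)
    and 'snippet_count' (number of <Snippet> elements in audit.fvdl).
    """
    with zipfile.ZipFile(io.BytesIO(fpr_bytes)) as zf:
        names = zf.namelist()
        source_files = [n for n in names
                        if n.startswith(SOURCE_DIR) and not n.endswith("/")]
        snippet_count = 0
        if FVDL_NAME in names:
            snippet_count = len(SNIPPET_RE.findall(zf.read(FVDL_NAME)))
    return {"source_files": source_files, "snippet_count": snippet_count}


def is_sanitized(fpr_bytes: bytes) -> bool:
    """True only when neither bundled source nor snippets are present."""
    info = inspect_fpr(fpr_bytes)
    return not info["source_files"] and info["snippet_count"] == 0


def build_sample_fpr(with_source: bool, with_snippets: bool) -> bytes:
    """Construct a minimal fake FPR in memory (constructed sample, not a real scan result)."""
    snippet_xml = (
        b'<Snippet id="EightBall.java#5:8"><File>EightBall.java</File>'
        b"<Text>int x = Integer.parseInt(args[0]);</Text></Snippet>"
        if with_snippets else b""
    )
    fvdl = (b'<?xml version="1.0"?><FVDL><Build><BuildID>eightball</BuildID></Build>'
            b"<Snippets>" + snippet_xml + b"</Snippets></FVDL>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(FVDL_NAME, fvdl)
        if with_source:
            zf.writestr(SOURCE_DIR + "EightBall.java",
                        b"public class EightBall { /* constructed sample */ }\n")
    return buf.getvalue()


if __name__ == "__main__":
    # Mirrors the three scan variants above: both included, snippets only, neither.
    for src, snip in ((True, True), (False, True), (False, False)):
        fpr = build_sample_fpr(src, snip)
        print(f"source={src} snippets={snip} -> {inspect_fpr(fpr)} "
              f"sanitized={is_sanitized(fpr)}")
```

To check a real file, replace the constructed sample with open("disable-snippets-and-sourcecode.fpr", "rb").read(); an FPR produced with only -disable-source-rendering, or cleaned only with fprutility -sourceArchive -extract, should report no source files but a non-zero snippet count, which is exactly the limitation noted above.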