Cybersecurity
DevOps Cloud
IT Operations Cloud
During a Fortify Static Code Analyzer scan, the Dataflow Analyzer might encounter a function for which it cannot complete the analysis and reports the following message:
Function <name> is too complex for <analyzer> analysis and will be skipped (<identifier>)
where:
The depth of analysis Fortify Static Code Analyzer performs sometimes depends on the available resources. Fortify Static Code Analyzer uses a complexity metric to trade off these resources against the number of vulnerabilities that it can find. Sometimes, this means giving up on a particular function when Fortify Static Code Analyzer does not have enough resources available. This is normally when you see the "Function too complex" messages
When you see this message, it does not necessarily mean that Fortify Static Code Analyzer completely ignored the function in the program. For example, the Dataflow Analyzer typically visits a function many times before completing the analysis, and might not have run into this complexity limit in the previous visits. In this case, the results include everything learned from the previous visits.
You can control the "give up" point using Fortify Static Code Analyzer properties called limiters. Different analyzers have different limiters.
This section contains the following topics:
Dataflow Analyzer Limiters
There are three types of complexity identifiers for the Dataflow Analyzer:
To resolve the issue identified by s, increase the stack size for by setting -Xss to a value greater than 16 MB.
To resolve the complexity identifier of m, increase the physical memory for Fortify Static Code Analyzer.
To resolve the complexity identifier of l, you can adjust the following limiters in the Fortify Static Code Analyzer property file <sca_install_dir>/Core/config/fortify-sca.properties or on the command line.
Property Name | Default Value |
---|---|
|
1000 |
|
4000 |
|
4 |
The MaxTaintDefForVar limiter is a dimensionless value expressing the complexity of a function, while MaxTaintDefForVarAbort is the upper bound for it. Use the MaxFieldDepth limiter to measure the precision when the Dataflow Analyzer analyzes any given object. Fortify Static Code Analyzer always tries to analyze objects at the highest precision possible.
If a given function exceeds the MaxTaintDefForVar limit at a given precision, the Dataflow Analyzer analyzes that function with lower precision (by reducing the MaxFieldDepth limiter). When you reduce the precision, it reduces the complexity of the analysis. When the precision cannot be reduced any further, Fortify Static Code Analyzer then proceeds with analysis at the lowest precision until either it finishes, or the complexity exceeds the MaxTaintDefForVarAbort limiter. In other words, Fortify Static Code Analyzer tries harder at the lowest precision to get at least some results from the function. If Fortify Static Code Analyzer reaches the MaxTaintDefForVarAbort limiter, it gives up on the function entirely and you get the "Function too complex" warning.
To resolve the complexity identifier of v, you can adjust the property com.fortify.sca.limiters.MaxFunctionVisits. This property sets the maximum number of times the taint propagation analyzer visits functions. The default is 50.
Control Flow and Null Pointer Analyzer Limiters
There are two types of complexity identifiers for both Control Flow and Null Pointer analyzers:
Due to the way that the Dataflow Analyzer handles function complexity, it does not take an indefinite amount of time. Control Flow and Null Pointer analyzers, however, can take an exceptionally long time when analyzing complex functions. Therefore, Fortify Static Code Analyzer provides a way to abort the analysis when this happens, and then you get the "Function too complex" message with a complexity identifier of t.
To change the maximum amount of time these analyzers spend to analyze functions, you can adjust the following property values in the Fortify Static Code Analyzer property file <sca_install_dir>/Core/config/fortify-sca.properties or on the command line.
Property Name |
Description |
Default Value |
---|---|---|
|
Sets the time limit (in milliseconds) for Control Flow analysis on a single function. | 600000 (10 minutes) |
|
Sets the time limit (in milliseconds) for Null Pointer analysis on a single function. | 300000 (5 minutes) |
To resolve the complexity identifier of m, increase the physical memory for Fortify Static Code Analyzer.
Note: If you increase these limiters or time settings, it makes the analysis of complex functions take longer. It is difficult to characterize the exact performance implications of a particular value for the limiters/time, because it depends on the specific function in question. If you never want to see the "Function too complex" warning, you can set the limiters/time to an extremely high value, however it can cause unacceptable scan time.