JordanB

Reputation: 53

Fortify SCA Exclude Multiple Files

With the sourceanalyzer, how can I provide multiple file/path exclusions during translation?

Following the example from: Fortify SCA exclude test folder\files

/src/main/xyz/pqr/Abc.java
/src/main/xyz/test/abc.xsd
/src/test/xyz/Xyz.java

I have tried adding multiple -exclude flags, as well as different delimiters, with no luck.

Upvotes: 4

Views: 20845

Answers (3)

Jay05

Reputation: 331

I was working from an Azure DevOps Pipeline using the Fortify Translate BatchScript task. In this environment it worked to add multiple -exclude flags:

steps:
- task: BatchScript@1
  displayName: 'Fortify Translate JavaScript'
  inputs:
    filename: '$(FORTIFYSCA)\sourceanalyzer.exe'
    arguments: '-debug -verbose -b $(Build.ApplicationName) $(Build.SourcesDirectory)\**\*.js -exclude node_modules\**\* -exclude coverage\**\*'

Upvotes: 3

subho

Reputation: 59

I am using the VS 2015 add-in for Fortify scan. I sorted out the files I want to skip. I created a new filter and saved the results in a separate folder apart from Critical, High, etc. This way the selected files were kept out of the final result.

Upvotes: 0

James Nix

Reputation: 925

If you use the Scan Wizard and review the resultant .bat file, you can see how they are invoking sourceanalyzer. For your particular question, you can create an argument file like so:

-exclude "/src/main/xyz/pqr/Abc.java"
-exclude "/src/main/xyz/test/abc.xsd"
-exclude "/src/test/xyz/Xyz.java"

Name it something like Exclude.args and then invoke sourceanalyzer like so:

sourceanalyzer.exe -b MyBuild @Exclude.args

Upvotes: 5
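An added example, not part of the original answer or of Fortify's tooling: a POSIX shell helper that builds the argument file described above from an exclusion list kept under version control, so every path removed from scan coverage is reviewable. The function name `write_exclude_args`, the list file name `fortify-excludes.txt` and the rule that entries containing a double quote are rejected are assumptions.

```shell
#!/bin/sh
# Added example: build a sourceanalyzer argument file from a reviewed list.
# Input: one path or pattern per line; blank lines and '#' comments are skipped.
write_exclude_args() {
    list=$1
    out=$2
    : > "$out" || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        # Drop CR from Windows-edited lists and trim surrounding whitespace.
        line=$(printf '%s' "$line" | tr -d '\r' |
               sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case $line in
            '' | '#'*) continue ;;
            *'"'*)
                # Assumption: a quote inside an entry would break the quoting
                # used in the argument file, so fail instead of guessing.
                echo "refusing entry with embedded quote: $line" >&2
                return 1 ;;
        esac
        printf '%s "%s"\n' '-exclude' "$line" >> "$out"
    done < "$list"
}

# Constructed sample input (the three paths from the question).
demo_dir=$(mktemp -d)
cat > "$demo_dir/fortify-excludes.txt" <<'EOF'
# constructed sample exclusion list
/src/main/xyz/pqr/Abc.java
/src/main/xyz/test/abc.xsd
/src/test/xyz/Xyz.java
EOF
write_exclude_args "$demo_dir/fortify-excludes.txt" "$demo_dir/Exclude.args"
cat "$demo_dir/Exclude.args"
# Then, as in the answer above: sourceanalyzer -b MyBuild @Exclude.args
```

After translation, `sourceanalyzer -b MyBuild -show-files` lists the files that were actually translated, which confirms the exclusions took effect and that nothing else dropped out of the scan.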
