Reputation: 107
I "translate" my sources with msbuild using the following command:
sourceanalyzer -b sample -exclude "**/*.xml" "**/Test/**" msbuild sample.sln /maxcpucount:1
After this is done I analyze the source with:
sourceanalyzer -b sample -scan -f result.fpr
The sample.sln solution contains a lot of test projects too. Those projects produce a lot of findings I’m not interested in. How can I exclude those projects? They are all in "Test" sub folders. I’ve tried the -exclude switch with no luck. I guess it is ignored when building with msbuild.
The analyzer also produces findings for XML files which come with 3rd party libraries. This is interesting but I do not want to have them in my report. The exclude also does not work here.
Upvotes: 2
Views: 12848
Reputation: 5729
I don't use MSBuild, but the documentation mentions that MSBuild integrations do support the -exclude option.
sourceanalyzer -b v1.x -source 1.8 /project/src \
-exclude /project/node_modules:/project/src/vendors \
-verbose -Xmx3500M
From the documentation of Micro Focus Fortify Static Code Analyzer (23.1.0), User Guide, Chapter 18: Command-Line Interface:
-exclude <file_specifiers>
Specifies the files to exclude from the translation. Files excluded from translation are also not scanned. Separate multiple file paths with semicolons (Windows) or colons (non-Windows). For example:
sourceanalyzer -cp "**/*.jar" "**/*" -exclude "**/Test/*.java"
This example excludes all Java files in any Test subdirectory. See "Specifying Files and Directories" on page 134 for more information on how to use file specifiers.
Note: When you integrate the translation with most compilers or build tools, Fortify Static Code Analyzer translates all source files that the compiler or build tool processes even if this option specifies to exclude them. However, the Fortify Static Code Analyzer xcodebuild and MSBuild integrations do support the -exclude option.
Upvotes: 0
Reputation: 78
File specifiers are expressions that allow you to pass a long list of files to Fortify Static Code Analyzer using wild card characters. Fortify Static Code Analyzer recognizes two types of wild card characters: a single asterisk character (*) matches part of a file name, and double asterisk characters (**) recursively matches directories. You can specify one or more files, one or more file specifiers, or a combination of files and file specifiers.
<files> | <file specifiers>
The following table describes the different file specifiers forms:
Note: Windows and many Unix shells automatically expand parameters that contain the asterisk character (*), so you must enclose file-specifier expressions in quotes. Also, on Windows, you can use the backslash character (\) as the directory separator instead of the forward slash (/).
According to the above documentation, you would have to pass all "Test" subfolders paths:
-exclude path1/**/*|path2/**/*|etc..
but the last documentation line is saying that it will not be supported in C/C++/ObjectiveC++.
Upvotes: 3
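The documentation quoted in the answers says multiple -exclude specifiers are separated with semicolons on Windows, while the command in the question passes "**/Test/**" as a second, separate argument. The following added example (not from the original posts and not Fortify's own matcher) approximates the quoted wildcard rules to preview which files an -exclude value would drop. The function names and sample paths are constructed, and treating `**/` as "zero or more directory levels" is an assumption.

```python
import re

# Constructed sample tree, not taken from the original posts.
PATHS = [
    "src/App/Program.cs",
    "src/App/Test/ProgramTests.cs",
    "src/Lib/Test/Helpers/Fake.cs",
    "packages/ThirdParty/lib/ThirdParty.xml",
    "src/App/App.config",
]

def specifier_to_regex(spec):
    """Approximate one file specifier: '*' matches part of a file name,
    '**' recursively matches directories (per the quoted documentation)."""
    spec = spec.replace("\\", "/")        # Windows allows '\' as separator
    out, i = [], 0
    while i < len(spec):
        if spec.startswith("**/", i):
            out.append("(?:.*/)?")        # assumption: zero or more directory levels
            i += 3
        elif spec.startswith("**", i):
            out.append(".*")              # everything below this point
            i += 2
        elif spec[i] == "*":
            out.append("[^/]*")           # stays inside one path component
            i += 1
        else:
            out.append(re.escape(spec[i]))
            i += 1
    return re.compile("".join(out))

def excluded(path, exclude_value, sep=";"):
    """True if path matches any specifier in a single -exclude value.
    sep is ';' on Windows and ':' elsewhere, per the quoted documentation."""
    p = path.replace("\\", "/")
    specs = [s for s in exclude_value.split(sep) if s]
    return any(specifier_to_regex(s).fullmatch(p) for s in specs)

def surviving(paths, exclude_value, sep=";"):
    """Paths that would still be translated under this -exclude value."""
    return [p for p in paths if not excluded(p, exclude_value, sep)]

if __name__ == "__main__":
    # As typed in the question: only "**/*.xml" is the value of -exclude.
    print(surviving(PATHS, "**/*.xml"))
    # Both specifiers in one value, semicolon-separated (Windows).
    print(surviving(PATHS, "**/*.xml;**/Test/**"))
```

To check what a real translation kept, `sourceanalyzer -b sample -show-files` lists the files recorded in the build.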