Excluding Test Projects from Fortify Scan in Azure DevOps

Question

I am submitting a Fortify scan through an ADO Pipeline, using the Fortify Static Code Analyzer Assessment plugin. The pipeline is building the solution first, then scanning it. There are several unit test projects in my solution that I would like to exclude, but none of the solutions I've seen suggested seem to work. Is it because I cannot use a relative path? These are the options I've tried in the Additional Fortify SCA build options:

-exclude "**/UnitTests/**/*"
-exclude "**/UnitTests/*"
-exclude "*/UnitTests/*.*"
-exclude "**\UnitTests\*.*"

UnitTests is the name of the project in the .Net solution. And all files to exclude are directly under a folder by that name.

Answer 1

In the Additional Fortify SCA build options section, try this:

-exclude $(Build.SourcesDirectory)\UnitTests\ -exclude $(Build.SourcesDirectory)\**\UnitTests\

Use quotes if you have spaces in your sources directory. This should ignore the UnitTests folder in the root folder (if you have one), and any within sub-folders. I have found the last \ works better than \**.

Reference: SCA Guide 20.2 page 123 - Specifying Files and Directories

Answer 2

Try this:

-exclude "<dir>/**/UnitTests/**"

It matches all directories and files found in the named directory that have UnitTests in the path, including UnitTests as a file name. Also, on Windows, you can use the backslash character () as the directory separator instead of the forward slash (/).