Quick scan mode provides a way to quickly scan your projects for major issues. By default, quick scan mode searches for high‐confidence, high‐severity issues. Although the scan is faster than a full scan, it does not provide as robust a result set.
The depth of the Fortify Static Code Analyzer analysis sometimes depends on the available resources. Fortify Static Code Analyzer uses a complexity metric to trade off these resources against the number of vulnerabilities that it can find. Sometimes this means abandoning the analysis of a particular function when it appears that Fortify Static Code Analyzer does not have enough resources available.
Fortify Static Code Analyzer enables the user to control this “cutoff” point by using Fortify Static Code Analyzer limiter properties. The different analyzers have different limiters. You can run a predefined set of these limiters using a quick scan. See the fortify-sca-quickscan.properties file for descriptions of the limiters.
To enable quick scan mode, use the -quick option with the -scan option. With quick scan mode enabled, Fortify Static Code Analyzer applies the properties from the <sca_install_dir>/Core/config/fortify-sca-quickscan.properties file, in addition to the standard <sca_install_dir>/Core/config/fortify-sca.properties file. You can adjust the limiters that Fortify Static Code Analyzer uses by editing the fortify-sca-quickscan.properties file. If you modify fortify-sca.properties, it also affects quick scan behavior. Fortify recommends that you do performance tuning in quick scan mode, and leave the full scan in the default settings to produce a highly accurate scan. For a description of the quick scan mode properties, see Fortify Static Code Analyzer Properties Files.
· Run full scans periodically—A periodic full scan is important as it might find issues that quick scan mode does not detect. Run a full scan at least once per software iteration. If possible, run a full scan periodically when it will not interrupt the development workflow, such as on a weekend.
· Compare quick scan with a full scan—To evaluate the accuracy impact of a quick scan, perform a quick scan and a full scan on the same codebase. Open the quick scan results in Micro Focus Fortify Audit Workbench and merge them into the full scan results. Group the issues by New Issue to produce a list of issues detected in the full scan but not in the quick scan.
· Quick scans and Micro Focus Fortify Software Security Center server—To avoid overwriting the results of a full scan, by default Fortify Software Security Center ignores uploaded FPR files scanned in quick scan mode.
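To automate the quick-scan-versus-full-scan comparison described above, an added Python example that is not from the Fortify documentation: it opens two FPR archives (an FPR is a ZIP that carries the scan results in audit.fvdl), collects the InstanceID of every reported vulnerability, and lists the issues present only in the full scan. The FVDL element names used here and the two sample archives are assumptions constructed for the example, not real scan output.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Assumed FVDL namespace and element layout (ClassInfo/Type, InstanceInfo/InstanceID);
# the sample documents below are constructed for this example, not real scan output.
FVDL_NS = "xmlns://www.fortifysoftware.com/schema/fvdl"


def _fvdl(instances):
    """Build a minimal audit.fvdl document from (InstanceID, Type, Severity) tuples."""
    vulns = "".join(
        f"<Vulnerability><ClassInfo><Type>{t}</Type><DefaultSeverity>{s}</DefaultSeverity>"
        f"</ClassInfo><InstanceInfo><InstanceID>{i}</InstanceID></InstanceInfo></Vulnerability>"
        for i, t, s in instances
    )
    return f'<FVDL xmlns="{FVDL_NS}"><Vulnerabilities>{vulns}</Vulnerabilities></FVDL>'


def _fpr_bytes(fvdl_xml):
    """Wrap an FVDL document in an in-memory FPR (a ZIP archive containing audit.fvdl)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("audit.fvdl", fvdl_xml)
    return buf.getvalue()


def load_instances(fpr_bytes):
    """Return {InstanceID: (Type, DefaultSeverity)} for every vulnerability in an FPR."""
    with zipfile.ZipFile(io.BytesIO(fpr_bytes)) as z:
        root = ET.fromstring(z.read("audit.fvdl"))
    ns = {"f": FVDL_NS}
    found = {}
    for v in root.findall("f:Vulnerabilities/f:Vulnerability", ns):
        iid = v.findtext("f:InstanceInfo/f:InstanceID", namespaces=ns)
        vtype = v.findtext("f:ClassInfo/f:Type", namespaces=ns)
        sev = float(v.findtext("f:ClassInfo/f:DefaultSeverity", default="0", namespaces=ns))
        found[iid] = (vtype, sev)
    return found


def missed_by_quick_scan(full_fpr, quick_fpr):
    """Issues in the full scan but absent from the quick scan (the 'New Issue' group)."""
    full, quick = load_instances(full_fpr), load_instances(quick_fpr)
    return {iid: full[iid] for iid in full.keys() - quick.keys()}


# Constructed sample archives: the quick scan keeps only the high-severity finding A1.
FULL_FPR = _fpr_bytes(_fvdl([("A1", "SQL Injection", 4.0), ("B2", "Path Manipulation", 4.0),
                             ("C3", "Dead Code", 1.0)]))
QUICK_FPR = _fpr_bytes(_fvdl([("A1", "SQL Injection", 4.0)]))

if __name__ == "__main__":
    for iid, (vtype, sev) in sorted(missed_by_quick_scan(FULL_FPR, QUICK_FPR).items()):
        print(f"{iid}: {vtype} (severity {sev}) found only in the full scan")
```

Run it against a real pair of FPR files by replacing the constructed archives with the bytes of the two scan outputs; anything it lists is a candidate for loosening a limiter in fortify-sca-quickscan.properties.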
Site notice: content sourced from https://www.softwaretesttips.com/fortify-static-code-analyzer-improving-performance-quick-scan/ (ST)