Fortify 18.20 - Ignores Typescript (.ts) files

Supposedly, Fortify 18.20 supports Typescript.

But when I run the Scan Wizard, I don't see TypeScript listed as a supported language.
wizard.png

You can see there are typescript files in the same root folder as files that are recognized.

wizard2.png

But it's not just an issue with the Scan Wizard. Even if I simply run SCA from the command prompt, it still doesn't scan the .ts files.

As far as I know, I have nothing specified that excludes my TypeScript files. Nothing on the command line. Nothing I can find in the core properties files.

What do I have to do to get Fortify 18.20 SCA to include and scan .ts source files?

  • Hi Ed,

    There is indeed an issue with Scan Wizard not showing the .ts files and I have reported this to our development team. However, the .ts files should be scanned anyway, using Scan Wizard or not. Per the SCA guide, you should also have this property set for the scan:
    -Dcom.fortify.sca.Phase0HigherOrder.Languages=javascript,typescript 

    Note that Scan Wizard does not currently include this property in the script.

     

  • I have included that property, and still the sourceanalyzer does NOT scan any .ts files.

    These are the properties I have added so that typescript files are scanned, which according to the documentation are needed, but still no typescript files are scanned:

    # I have also tried just typescript without success
    com.fortify.sca.Phase0HigherOrder.Languages=javascript,typescript
    com.fortify.sca.hoa.Enable=true
    # docs say this is needed for AngularJS (using Angular--not sure I need it)
    com.fortify.sca.EnableDOMModeling=true

    Please tell me how I can scan a Typescript project.

  • Verified Answer

    I finally was able to scan a Typescript project (Angular). Looks like the only way right now is to explicitly tell the analyzer that you want to scan .ts files. This is how I did it:

    sourceanalyzer -b <build_id> clean 
    sourceanalyzer -b <build_id> <path_to_code_root>/**/*.ts
    sourceanalyzer -Xmx14745M -Xms400M -Xss24M -b <build_id> -quick -scan -f results.fpr

    Note that in the last step I used the "quick" option and specified some max memory. That's because I'm running this on my laptop. If you want to run the full scan without sacrificing accuracy (not a quick scan), don't use that flag, but make sure you have more than 16 GB of memory available, and you don't have to specify -X** flags.

  • You should be able to edit the fortify-sca.properties file which is in the

    C:\Program Files\Fortify\Fortify_SCA_and_Apps_18.20\Core\config

    directory on my computer.

    Add ",ts" to the value "com.fortify.sca.DefaultFileTypes".  Fortify should ignore any extensions which weren't in there - I have no idea why it wasn't added with 18.20, but it should have been.
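
Added example (not part of the thread and not Fortify's own code): a small Python check that reads the text of fortify-sca.properties and reports whether the two settings named above would cover TypeScript, so a scan does not silently skip .ts files. It assumes the file follows Java .properties syntax, where `#` starts a comment only at the beginning of a line; the function names and the sample content are made up for illustration.

```python
# Added example: audit fortify-sca.properties text for the TypeScript settings
# named in this thread. Assumption: the file uses Java .properties syntax.
REQUIRED = {
    # property key -> token that must appear in its comma-separated value
    "com.fortify.sca.DefaultFileTypes": "ts",
    "com.fortify.sca.Phase0HigherOrder.Languages": "typescript",
}

def parse_properties(text):
    """Minimal key=value parser: '#' or '!' is a comment only at line start."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def audit(text):
    """Return a list of findings; an empty list means both settings look right."""
    props = parse_properties(text)
    findings = []
    for key, token in REQUIRED.items():
        if key not in props:
            findings.append(f"{key}: not set")
            continue
        value = props[key]
        if "#" in value:
            # An inline comment is read as part of the value, not ignored.
            findings.append(f"{key}: trailing '#' text is part of the value")
        items = [v.strip().lower() for v in value.split(",")]
        if token not in items:
            findings.append(f"{key}: '{token}' missing from list")
    return findings

# Constructed sample, not a real Fortify configuration file.
SAMPLE = """\
# file extensions picked up by default
com.fortify.sca.DefaultFileTypes=java,js,jsp,xml
com.fortify.sca.Phase0HigherOrder.Languages=javascript,typescript  # tried both
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

To use it on a real installation, pass the contents of the properties file from the Core\config directory mentioned above to `audit()`.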