I'm trying to exclude some folders from the scan with an ANT build, but it doesn't work. The folders listed are still scanned.

I use a Jenkins pipeline with the following command:

sh "'${FORTIFY_HOME}/bin/sourceanalyzer' -b ${BUILD_ID} -Dfortify.sca.exclude=/src/myfolder/**/*:../foler2/* ant build-war"

  • Hi - I have also become interested in this topic - someone in SAP is building with Ant and I want to show them how to capture using sourceanalyzer - but of course we want to exclude some files.

    I tried the normal syntax and turned on verbose/debug logging. It shows the exclude is read - but then I get "no files matched the filter".

    The only other way I can sort of exclude is to remove the respective NSTs from the build dir - but that is nasty.

  • Look up the -exclude option in the SCA User's Guide. You will see it does not work with most build integrations, including Ant.

  • And hence the way to exclude in Ant is???

    I agree that mvn doesn't do this either - you are supposed to edit the pom.xml and add Fortify-plugin-specific code to exclude. So I hacked their plugin and allowed exclude to work from the CLI, and asked Micro Focus to consider modifying it. They declined and suggested you can exclude BEFORE you get to the mvn part.

    That is what I also tried with Ant - it doesn't work - what I would like to know is how one is supposed to exclude with Ant.

  • A few things I have seen done in this case: 1) delete the unwanted NST files, as you suggested; 2) create an Ant target that excludes the unwanted files and scan that; 3) perform a full scan and use filters after the fact to remove those findings.
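Option 2 above, as an added example that is not from any poster in this thread: a hypothetical build.xml fragment with a dedicated translation target. The names (myapp, src, lib, build/scan-classes, myfolder, generated) are assumptions for illustration, not paths from the original question. The point is that the excluded folders are never handed to javac, so the Ant integration in sourceanalyzer never translates them and no NST files are produced for them, which avoids both the unsupported -exclude option and the manual NST clean-up.

```xml
<!-- Added example: build.xml fragment with a scan-only compile target.
     Directory names are placeholders chosen for this illustration. -->
<project name="myapp" default="build-war" basedir=".">
  <property name="src.dir"          value="src"/>
  <property name="scan.classes.dir" value="build/scan-classes"/>

  <path id="compile.classpath">
    <fileset dir="lib" includes="**/*.jar"/>
  </path>

  <!-- The regular build-war target stays as it is and is not shown here. -->

  <!-- Target used only for Fortify translation. javac is a MatchingTask,
       so nested <exclude> patterns (relative to srcdir) keep the listed
       folders out of the compile and therefore out of the translation. -->
  <target name="scan-compile">
    <mkdir dir="${scan.classes.dir}"/>
    <javac srcdir="${src.dir}"
           destdir="${scan.classes.dir}"
           classpathref="compile.classpath"
           includeantruntime="false"
           debug="true">
      <!-- Placeholder folders to leave out of the scan (assumptions) -->
      <exclude name="myfolder/**"/>
      <exclude name="generated/**"/>
    </javac>
  </target>
</project>
```

With the target in place, the translation step points sourceanalyzer at it instead of at the full build, for example `sourceanalyzer -b "${BUILD_ID}" -clean`, then `sourceanalyzer -b "${BUILD_ID}" ant scan-compile`, then `sourceanalyzer -b "${BUILD_ID}" -scan -f results.fpr`. The -clean step matters: NSTs from an earlier full translation under the same build ID would otherwise still be picked up by -scan, so the exclusion only holds for a fresh build ID.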

  • Yeah, I think 2 makes the most sense, or 4) rather than a filter, audit the findings once in SSC; they should go away forever more.

    I will ask the team to look into 2).

    What I did notice - when I used Ant to capture the build (compared to their file scan and cp) it ran in 58 minutes compared with their 5 hours... Methinks they are already scanning unnecessary code!