Monitoring Long Running Scans in Fortify SCA


When you run Fortify Static Code Analyzer, large and complex scans can often take a long time to complete. During the scan it is not always clear what is happening.
While Fortify recommends that you provide your debug logs to the Customer Support team, there are a couple of ways to see what Fortify Static Code Analyzer is doing and how it is performing in real-time.

This section contains the following topics:

  • Using the SCAState Tool
  • Using JMX Tools

Using the SCAState Tool
The SCAState command-line tool enables you to see up-to-date state analysis information during the analysis phase. The SCAState tool is located in the <sca_install_dir>/bin directory. In addition to a live view of the analysis, it also provides a set of timers and counters that show where Fortify Static Code Analyzer spends its time during the analysis phase. For more information about how to use SCAState, see the Checking the Fortify Static Code Analyzer Scan Status.

Using JMX Tools
You can use tools to monitor Fortify Static Code Analyzer with JMX technology. These tools can provide a way to track Fortify Static Code Analyzer performance over time. For more information about these tools, see the full Oracle documentation available at:

Note: These are third-party tools and Fortify does not provide or support them.

This section contains the following topics:

  1. Using JConsole
  2. Using Java VisualVM

Using JConsole
JConsole is an interactive monitoring tool that complies with the JMX specification. The disadvantage of JConsole is that you cannot save the output.
To use JConsole, you must first set some additional JVM parameters. Set the following environment variable:

export SCA_VM_OPTS=""
After the JMX parameters are set, start a Fortify Static Code Analyzer scan. During the scan, start JConsole to monitor Fortify Static Code Analyzer locally or remotely with the following command:

jconsole <host_name>:9090

Using Java VisualVM
Java VisualVM offers the same capabilities as JConsole. It also provides more detailed information on the JVM and enables you to save the monitor information to an application snapshot file. You can store these files and open them later with Java VisualVM.

Similar to JConsole, before you can use Java VisualVM, you must set the same JVM parameters described in Using JConsole.

After the JVM parameters are set, start the scan. You can then start Java VisualVM to monitor the scan either locally or remotely with the following command:

jvisualvm <host_name>:9090


Support Tip
Comment List