Cadet 1st Class
Cadet 1st Class

SCA integration with Visual Studio 2015 broke


I am using a standalone installation of Static Code Analyzer integrated with Visual Studio 2015. I run Fortify against my C# code from within the Visual Studio IDE using Fortify button appears in the menu. All was going well till recently, when my company decided to move my workstation from one domain to another. After the move , Fortify menu is gone from all my Visual Studio projects, after some poking i observed that as Fortify keeps its working directory in the user profile, and domain move created a new profile hence the old integration with Visual Studio is broken now. Please, remember that i still have a copy of my old user profile and can see the working folder \AppData\Local\Fortify...

My biggest worry is that i don't have to redo the audits on my entire codebase (thousands of lines of code), as there are hundreds of suppressed findings with appropriate justifications. what are my options here?

- can i point Fortify working folder to my old profile in properties here \Core\config\ ? that magically, makes everything to start working as before...

- if i have to reinstall the plugin, can i take the old audit file that has suppressed/not an issue findings with justifications and apply to the new installation? if yes, where does that file resides?

-Also, what is the best way to handle such situations ? Please be aware that its a standalone installation, no SCC option available.

Will really appreciate your help!!

Best regards,

Amjad Akhtar


5 Replies
Cadet 1st Class
Cadet 1st Class

Any suggestions folks?

Vice Admiral Vice Admiral
Vice Admiral

Hi Amjad,

Regarding you question about the previous scans and losing all the good the work you did to suppressed findings, justifications, etc.

That analysis information should not be lost, it should be stored in the Fortify scan results on your machine. These are stored in a file with an extension of .fpr. When scanning like you do via Visual Studio, that FPR file is typically stored in the same location as the Visual Studio solution file. For instance

C:\Users\me\source\repos\MyVSProject\MyProject.sln    << VS solution file

The directory above would also contain the FPR scan file, scan-myproject.sln.fpr

Inside this file are all the findings, plus all the analysis information, such as which items you suppressed, comments and justifications you added, etc.

If you cannot locate these files, try searching your machine for files with an .fpr extension.


Regarding the loss of the Fortify option in Visual Studio itself, I suspect that when you installed this it was not installed for "All Users" and there fore when the domain change happened, this extension was lost. 

You should be able to just re-install the VS extension.



Cadet 1st Class
Cadet 1st Class

Mr Helsens, thanks so much for the response!

I found .fpr files at two locations...

1- In local workspace( mapped to Team Foundation Server workspace), I do checkin/checkout to my version control from this folder. I do see .sln and .fpr files in the root of each solution folders.

2- C:\Users\username\AppData\Local\Fortify\VS-14.0-16.20\xxxVS Studio solution names\scan.fpr

The size and timestamps are almost the same for both .frp, so its fair to assume that Fortify keeps .fpr at both locations?

I do agree with you that Fortify was not installed for all users and installing the Fortify extensions again should resolve it.

However, I am wondering if my local workspace folder is changed, will I have to apply/merge .fpr in visual studio to include my previous audit work?

Once again, thanks so much for your the valuable input.





Vice Admiral Vice Admiral
Vice Admiral

Glad I was able to help, looks like the MicroFocus support team is also replying with more specifics. best of luck!

Micro Focus Frequent Contributor
Micro Focus Frequent Contributor

Hello Amjad,

Your work is not lost as all audit information is stored in the FPR which would be located under the old user directory,

eg c:\users\olduser\AppData\Local\Fortify\VS14.0-<sca_ver>\<solution-or-project-filename>\Scan_filename.[sln|csproj].fpr

Depending on what Fortify analyze option was used, "Analyze Solution" or "Analyze Project", will determine the FPR filename.


"Analyze Solution" will have a file eg Scan_filename.sln.fpr

"Analyze Project" will have a file eg Scan_filename.csproj.fpr

Here are the steps that was tested on our side to get this to work for a different domain user on the same host machine.

1. install VS Plugin for the new user by locating and running VS plugin installer
eg C:\Users\olduser\AppData\Local\fortify-installer\VS2015\FortifyPackage.vsix

2. start VS 2015 and from the menu go to Fortify which will request to specify the SCA installation directory. Point it to the SCA directory eg c:\Program Files\Fortify\Fortify_SCA_and_Apps_<ver>.

3. close VS 2015

4. rename C:\Users\newuser\AppData\Local\fortify

5. copy C:\Users\olduser\AppData\Local\fortify to C:\Users\newuser\AppData\Local

6. start VS 2015 and open the VS project or solution

7. open the FPR by going to the menu Fortify -> Open Audit Project



You should now be able to see the audit comments and analysis tag information that was previously saved for the VS project or solution.

If you have any follow-up questions, please open a new Fortify SCA case and reference this thread for further assistance.

Thank you,
Richard Pinaroc
Fortify Technical Support
Fortify SCA & SSC Certified Professional
Micro Focus

The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.