Commodore

Scanning a jar

Is it possible to scan a .jar file with SCA? I'm trying to do the following and it's not working.

sourceanalyzer -b iasveo -source 1.6 -show-build-warnings -Dcom.fortify.sca.fileextensions.jar=ARCHIVE "C:\Program Files (x86)\JAD\iasveo-2.1.jar"

Any ideas?

Thanks,

Mike

1 Reply
Cadet 2nd Class

TL;DR: No. You need the sources.

Mostly, JARs are used to bundle the binaries/byte code/compiled stuff. Since Fortify is a static code analysis tool, it needs the source code.

For the rare case that you have a JAR that contains only the source code, you first need to unzip it. Then run sourceanalyzer from the root folder with a file filter, e.g. in your case something like this:

sourceanalyzer -b iasveo -source 1.6 -show-build-warnings **/*.java

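The check the reply describes (does the JAR hold sources or only bytecode, and if sources, unpack them before scanning) can be scripted. The following is an added example, not part of the original thread and not Fortify tooling; the function names and the sample archive are constructed for illustration, and it refuses archive entries whose paths would escape the extraction folder.

```python
import io
import os
import tempfile
import zipfile


def extract_sources(jar, dest):
    """Extract only .java entries from a JAR; return (paths, class_count)."""
    dest_root = os.path.realpath(dest)
    extracted, class_count = [], 0
    with zipfile.ZipFile(jar) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            if name.endswith(".class"):
                class_count += 1  # compiled bytecode, nothing to scan as source
            if not name.endswith(".java"):
                continue
            # Refuse entries that would land outside dest (e.g. "../x.java").
            target = os.path.realpath(os.path.join(dest_root, name))
            if os.path.commonpath([dest_root, target]) != dest_root:
                raise ValueError(f"unsafe entry path in archive: {name!r}")
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as out:
                out.write(src.read())
            extracted.append(os.path.relpath(target, dest_root))
    return sorted(extracted), class_count


def make_sample_jar(entries):
    """Build a constructed in-memory JAR from {entry_name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Constructed sample: one source file next to its compiled class.
    jar = make_sample_jar({"com/example/A.java": b"class A {}",
                           "com/example/A.class": b"\xca\xfe\xba\xbe"})
    with tempfile.TemporaryDirectory() as d:
        sources, classes = extract_sources(jar, d)
        print("sources:", sources, "class files:", classes)
```

An empty source list with a non-zero class count is the case the reply answers with "No": the archive has nothing for the sourceanalyzer command above to pick up.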