
How to exclude source files from a scan?
The scan is picking up source files in the maven target directory, so how would I exclude that directory from being scanned?
For our continuous builds, we are using the maven sca fortify plugin, which supports a <filter> option, which in theory will use a filter file when performing a scan, but I can't find any details on what would be in the filter file. But would filters even do what I want, e.g. exclude source files from being scanned?
There's also a command line argument -exclude, but I can't get that to work either. The documentation suggests that writing -exclude "**.Test.java" would work, but it doesn't (at least not when using Audit Workbench), nor is there any documentation on what patterns it really expects.

Extra note on this, after playing with -exclude in Audit Workbench. Letting Workbench build the command line, the options look like -exclude "c:\dev\my_project\my_module\src\test", which will ignore all files under that path. But writing it as -exclude "**\src\test", or -exclude "**\test", does not. So despite what the Fortify documentation says, wildcard patterns don't work? Please tell me that's not true; there's got to be some way to wildcard a path...


Hi Cmews,
I just coded a quick example with Fortify SCA 3.8 and it works without any issues. Did you solve your issue?
If not, maybe the result below helps you to test the scenario.
I added some simple sources from the original examples, which you will find in the installation directory of Fortify SCA, into a new directory structure:
P:\Documents\Projects\Fortify\example\eightball
P:\Documents\Projects\Fortify\example\nullpointer
P:\Documents\Projects\Fortify\example\scan.cmd
P:\Documents\Projects\Fortify\example\trial.fpr
P:\Documents\Projects\Fortify\example\eightball\0
P:\Documents\Projects\Fortify\example\eightball\1
P:\Documents\Projects\Fortify\example\eightball\2
P:\Documents\Projects\Fortify\example\eightball\EightBall.java
P:\Documents\Projects\Fortify\example\eightball\README.txt
P:\Documents\Projects\Fortify\example\nullpointer\source
P:\Documents\Projects\Fortify\example\nullpointer\source\NullPointerSample.java
Afterwards I executed the following commands (batch file "scan.cmd" located in the "example" directory).
@echo off
rem Remove any previous translation results stored under build ID "trial"
sourceanalyzer -b trial -clean
rem Translate every *.java below the current directory, except files under any "nullpointer" directory
sourceanalyzer -b trial -cp "." -exclude "**\nullpointer\**\*" "**\*.java"
pause
rem List the files that were actually translated, so the exclude can be verified before scanning
sourceanalyzer -b trial -show-files
pause
rem Analyze the translated files and write the results to trial.fpr
sourceanalyzer -b trial -scan -f trial.fpr
pause
The example shows how the "nullpointer" files get excluded. You can test this by listing the files after the transformation step.
In case your scenario is more sophisticated, you may also have a look at the "ant" or "maven" integration. Please refer to the SCA manual for this.
Regards,
Mark
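To check a set of patterns before spending a translation run on them, here is an added example (not from either poster, and not Fortify's own matcher): a small Python matcher that applies Ant-style glob rules (** = any number of directory levels, * = any characters within one path segment, ? = one character) to a constructed file list mirroring the layout in Mark's post plus the src\test layout from the question. It assumes that sourceanalyzer's -exclude follows Ant's rules, which is an assumption; the authoritative check remains sourceanalyzer -b <id> -show-files after translation. The FILES list is constructed for illustration, not output from sourceanalyzer.

```python
import re

# Constructed sample of absolute Windows paths; mirrors the directory listing in
# Mark's post and the src\test path from the question. Not produced by Fortify.
FILES = [
    r"P:\Documents\Projects\Fortify\example\eightball\EightBall.java",
    r"P:\Documents\Projects\Fortify\example\eightball\README.txt",
    r"P:\Documents\Projects\Fortify\example\nullpointer\source\NullPointerSample.java",
    r"P:\Documents\Projects\Fortify\example\scan.cmd",
    r"c:\dev\my_project\my_module\src\main\Foo.java",
    r"c:\dev\my_project\my_module\src\test\FooTest.java",
]


def glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an Ant-style pattern into a regex over '/'-separated paths.

    Rules assumed here (Ant semantics, assumed to match Fortify's -exclude):
      **/  -> zero or more whole directory segments
      **   -> anything, including path separators (e.g. a trailing \\**)
      *    -> any run of characters that does not cross a separator
      ?    -> exactly one character that is not a separator
    Matching is case-insensitive because the paths are Windows paths.
    """
    p = pattern.replace("\\", "/")
    out = []
    i = 0
    while i < len(p):
        if p.startswith("**/", i):
            out.append("(?:.*/)?")
            i += 3
        elif p.startswith("**", i):
            out.append(".*")
            i += 2
        elif p[i] == "*":
            out.append("[^/]*")
            i += 1
        elif p[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(p[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE)


def select(files, includes=("**",), excludes=()):
    """Return the files that match at least one include pattern and no exclude
    pattern, i.e. what a translation step given these specs would pick up."""
    inc = [glob_to_regex(p) for p in includes]
    exc = [glob_to_regex(p) for p in excludes]
    chosen = []
    for f in files:
        norm = f.replace("\\", "/")
        if any(r.match(norm) for r in inc) and not any(r.match(norm) for r in exc):
            chosen.append(f)
    return chosen


if __name__ == "__main__":
    # Mark's command line: include **\*.java, exclude **\nullpointer\**\*
    for f in select(FILES, [r"**\*.java"], [r"**\nullpointer\**\*"]):
        print(f)
    print("--- pattern naming the directory only, no trailing \\**:")
    for f in select(FILES, [r"**\*.java"], [r"**\src\test"]):
        print(f)
    print("--- same pattern with trailing \\**:")
    for f in select(FILES, [r"**\*.java"], [r"**\src\test\**"]):
        print(f)
```

Under these rules a pattern such as "**\src\test" names the directory entry itself and matches none of the files beneath it, while "**\src\test\**" (or "**\src\test\**\*", the form Mark used) matches everything below that directory. That difference is one plausible reason a bare directory wildcard appears to do nothing; whether Fortify's own matcher behaves exactly this way should be confirmed with -show-files.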