how to exclude source files from scan?
The scan is picking up source files in maven target directory....so how would I exclude the directory from being scanned?
For our continuous builds, we are using the maven sca fortify plugin, which supports a <filter> option, which in theory, will use a filter file to use when performing a scan, but can't find any details on what would be in the filter file? But would filters even do what I want, e.g. exclude source files from being scanned?
There's also a comman line argument -exclude, but I can't get that to work either. Documentation suggests that writing -exclude "**.Test.java" would work, but doesn't (at least not when using Audit Workbench), nor is there any documentation on what patterns it really expects.
extra note on this, after playing with exclude in Audit Workbench. Letting workbench build the command line, the options look like -exclude "c:\dev\my_project\my_module\src\test", which will ignore all files under that path. But writing it as -exclude "**\src\test", or -exclude "**\test", does not. So despite what the Fortify documentation says, wildcard patterns don't work? Please tell me that's not true, there's got to be some way to wildcard a path.....
I just coded a quick example with Fortify SCA 3.8 and it works without any issues. did you solved your issue?
If not may be the result below help you to test the scenario.
I added simple some sources from the orginal examples which you will find in the installation directory of the Fortify SCA into a new directory structure:
Afterwards I executed the follwoing commands (batch file "scan.cmd" located on the "example" directory).
sourceanalyzer -b trial -clean
sourceanalyzer -b trial -cp "." -exclude "**\nullpointer\**\*" "**\*.java"
sourceanalyzer -b trial -show-files
sourceanalyzer -b trial -scan -f trial.fpr
The example shows how the "nullpointer" files get excluded. You can test this by listing the files after the transformation step.
In case your sceanrio is more sophisticated you may also have a look at the "ant" or "maven" integration. Please refer for this ti the SCA manual.