Andrew B
Visitor.

maven properties file location

Ok, so I'm trying to get exclusions to work with fortify scanning using maven. I've got everything working except for the exclusions. The documentation says to create a *.exclusions file and add com.fortify.sca.exclude="fileA;fileB;fileC" to the file. However, it does not say where to put the file. Do I put it in the maven directory? Or do I put it in the Fortify directory? Any help on this would be appreciated.

mlacasse Super Contributor.

Re: maven properties file location

Hi Andrew,

Here are a few examples of exclusions that should help. (It's a little picky.)

Exclude a single file

mvn com.hpe.security.fortify.maven.plugin:sca-maven-plugin:17.20:translate -Dfortify.sca.buildId=rabbit -Dfortify.sca.debug=true -Dfortify.sca.translateLogfile=sca.translate-fileexclude.log -Dfortify.sca.exclude="**/demo/rabbit/jca/ejb/RabbitDemoMDB.java"

Exclude all *.java files in a specific folder

mvn com.hpe.security.fortify.maven.plugin:sca-maven-plugin:17.20:translate -Dfortify.sca.buildId=rabbit -Dfortify.sca.debug=true -Dfortify.sca.translateLogfile=sca.translate-fileexclude.log -Dfortify.sca.exclude="**/demo/rabbit/jca/ejb/*.java"

Exclude a folder

mvn com.hpe.security.fortify.maven.plugin:sca-maven-plugin:17.20:translate -Dfortify.sca.buildId=rabbit -Dfortify.sca.debug=true -Dfortify.sca.translateLogfile=sca.translate-fileexclude.log -Dfortify.sca.exclude="**/demo/rabbit/jca/ejb/*.*"

If you are looking to add these directly to the properties (which would affect any code you are translating on this system), then it would be the <install directory>\core\config\fortify-sca.properties file.
-Mark
Fortify Support
Andrew B
Visitor.

Re: maven properties file location

Thank you for the prompt response. Since we are calling mvn directly and having it call source analyzer, using the properties file would be the best option. Below I reference the documentation in Appendix F of the user guide, is this what you are referring to as the properties file? Based on the documentation, the file shouldn't already exist, thus making it seem like the properties file would go somewhere else. Is this in fact not correct and the properties file you are referencing is the only way to have a properties file done?

 

Excluding Files from the Scan

If you don’t want to include all of the files in your project or solution, you can direct SCA to exclude selected files from your scan:

  1. Create an exclusion file in a text editor.

  2. Add the following line to the file you just created:

       com.fortify.sca.exclude="fileA;fileB;fileC"

    Note: File names must be separated with a semicolon. Wild cards are supported; a single asterisk (*) can be used to match part of a file name while two asterisks (**) can be used to recursively match directories. For more information on wild cards, see

  3. Add the following code to the translation step:

       -Dfortify.sca.properties.file=my.exclusions
Micro Focus Frequent Contributor

Re: maven properties file location

Hi Andrew,

I'm not sure what version of the guide you are using, but this is from the current 18.10 SCA user guide and perhaps it is more clear.

Excluding Files from the Scan

If you do not want to include all of the files in your project or solution, you can direct Fortify Static Code Analyzer to exclude selected files from your scan. To specify the files you want to exclude, add the -D option with the fortify.sca.exclude property to the translate step as shown in the following example:

-Dfortify.sca.exclude="fileA;fileB;fileC;"

Note: On Windows, separate the file names with a semicolon; and on all other platforms use a colon. Wild cards are supported; use a single asterisk (*) to match part of a file name and use two asterisks (**) to recursively match directories.

For example, for a Java 1.8 project, issue the following command to translate the source code and exclude three source files:

mvn com.fortify.sca.plugins.maven:sca-maven-plugin:<ver>:translate -Dfortify.sca.source.version=1.8 -Dfortify.sca.exclude="fileA;fileB;fileC;"
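
An exclusion pattern that is broader than intended silently removes code from the scan, so it helps to list what a fortify.sca.exclude value would match before using it. The following is an added example, not part of the thread and not Fortify code: it approximates the wildcard rules quoted above (* within one name, ** across directories) and may differ from SCA's own matcher in edge cases; the function names and the sample tree are constructed for illustration.

```python
import os
import re
import tempfile
from pathlib import Path

def pattern_to_regex(pattern):
    """Approximate the quoted rules: '*' stays within one name, '**' crosses directories."""
    tokens = re.findall(r"\*\*/|\*\*|\*|[^*]+", pattern.replace("\\", "/"))
    rules = {"**/": "(?:.*/)?", "**": ".*", "*": "[^/]*"}
    return re.compile("".join(rules.get(t, re.escape(t)) for t in tokens))

def preview_exclusions(root, exclude_value, sep=os.pathsep):
    """Return sorted relative paths under root that the exclude value would match.

    os.pathsep is ';' on Windows and ':' elsewhere, the same split the 18.10
    guide describes. A trailing separator ("fileA;fileB;") is tolerated.
    """
    patterns = [pattern_to_regex(p) for p in exclude_value.strip('"').split(sep) if p]
    hits = []
    for path in Path(root).rglob("*"):
        rel = path.relative_to(root).as_posix()
        if path.is_file() and any(rx.fullmatch(rel) for rx in patterns):
            hits.append(rel)
    return sorted(hits)

def build_sample_tree(root):
    """Constructed sample layout, loosely following the paths used in the thread."""
    for rel in ("src/main/java/demo/rabbit/jca/ejb/RabbitDemoMDB.java",
                "src/main/java/demo/rabbit/jca/ejb/Helper.java",
                "src/main/java/demo/rabbit/jca/ejb/ejb-jar.xml",
                "src/main/java/demo/rabbit/web/LoginServlet.java"):
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text("// constructed sample\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for value in ("**/demo/rabbit/jca/ejb/RabbitDemoMDB.java",
                      "**/demo/rabbit/jca/ejb/*.java",
                      "**/demo/rabbit/jca/ejb/*.*"):
            print(value, "->", preview_exclusions(tmp, value))
```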
