
sourceanalyzer optimization in CI


Hello,

My team is trying to integrate Fortify in a CI; in this context our customer really cares about performance time.

For little projects there is no problem, but for large projects a scan requires 3 h or more... so I am trying to configure the source analyzer in order to optimize the response time. Could you give me some advice?

  • Remove some analyzers: the customer's source code is mainly Java, so I would try to remove the "buffer" analyzer, because I think that Buffer Overflow is not a problem in Java (it is a problem inside the JVM, or if JNI is used); is that correct? Are there other analyzers that I could remove?
  • Do CPU / RAM impact performance? How much can I improve performance if I use 32 GB instead of 16?
  • Use quickscan: how much does this impact result accuracy? Can I combine quickscan with a full scan outside CI (by merging into SSC)?

Thanks very much, 

Best Regards


Accepted Solutions

Hi there,

Are you running SCA scans on all projects whenever they are changed (triggered by new commits, for example)?
If so, I think that is probably too frequent, and it may make sense to instead run scans periodically, say once a day, once every couple of days, or once a week, and upload those to SSC to keep track of how the projects are progressing from a security standpoint.

The first thing I would try if you are interested in cutting down the scan time would be quick scan mode, but you should be careful, as this limits the depth of the scan and will almost definitely yield fewer vulnerabilities than a full scan, which ultimately means there could be vulnerabilities in the application that SCA is not alerting you to. Quick scan is designed to focus on high-confidence, high-severity issues, and by default it disables the controlflow and buffer analyzers, amongst other things. (More details are available in the SCA user guide.)
It has been carefully tuned by our R&D group to try to strike a balance between best results and best scan times, so I would strongly recommend trying it before manually tweaking options yourself.

It is worth considering whether you can do regular quick scans of the larger projects (perhaps even as regularly as with every new code change), which may help flag up any newly introduced vulnerabilities, and combine this with scheduled full scans, perhaps weekly during off hours or on the weekend.
Be aware that quick scan results uploaded to SSC are rejected by default, so as not to affect the trends and data about the project's status, so you will probably want to set up one project for quick scan results and one for the full results if taking this approach.

There's also our performance guide available here; it has some guidelines about what you can do to affect performance and what to expect in terms of scan times and resource usage for differing sizes of projects: https://community.softwaregrp.com/t5/Fortify-Software-17-20/Fortify-Static-Code-Analyzer-Performance-Guide/ta-p/1622371
(Though it is difficult to estimate based on project size alone, unfortunately.)

That said, it's very possible that increasing the amount of resources, in particular RAM and CPU cores (in recent versions, where SCA is multi-threaded: on by default in 17.20, enable-able in 17.10 with the -mt switch), will yield faster scans, so if you have machines with more resources available for the scans, I recommend trying them out for the scan to see how much of an effect it will have.

-Josh
Fortify L3 Support Engineer


3 Replies


Thanks very much for the answer!


Hi team,

We are using Fortify Static Code Analyzer version 17.2.0. Our project is too huge and a full scan takes 8 hours. We are trying to find some alternatives to scan the files incrementally (scan only the changed files instead of the whole project).

We wrote a plugin incorporating the sourceanalyzer command as below:

sourceanalyzer -b !BuildId! -source 1.6 -verbose -cp "!codeDirectory!/CODE/LIB/*.jar !codeDirectory!/CODE/ModuleLIB/*.jar"  !modifiedFileList!

where modifiedFileList is the list of files which we changed.

The problem is:

1) The scan is listing only a few issues like Password Hardcoded / Key Hardcoded

2) The scan is not finding all the issue categories (like XSS related issues)

Please help us on this. Can we use a local scan to find out all the issues on the incremental scan itself?

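The following CI wrapper is an added example, not code from the thread, Micro Focus or the posters. It puts the accepted answer's recommendation into a runnable script (quick scan per commit, full scan on a schedule, separate build IDs and separate SSC application versions so the quick-scan FPRs are not rejected), and it also shows the translation step that the last post's per-file approach skips: the whole source tree goes into the build ID, because analyzers such as dataflow follow data across files, so translating only the modified files leaves them with nothing to follow. The application name, directories, heap size, Java source level, SSC URL and token are placeholders; the sourceanalyzer flags (-b, -clean, -source, -cp, -scan, -quick, -f, -Xmx) are documented SCA options, and the fortifyclient option names are assumed from the 17.x CLI and should be checked against your installed version.

```shell
#!/bin/sh
# Added example (not from the thread): quick scan on every commit, full scan on
# a schedule, each in its own build ID and SSC application version.
# Assumed placeholders: FORTIFY_APP, SRC_DIR, LIB_DIR, SCA_HEAP, JAVA_SRC,
# SSC_URL, SSC_TOKEN. None of these values come from the original posts.
set -eu

APP="${FORTIFY_APP:-demo-app}"   # assumed application name
SRC_DIR="${SRC_DIR:-src}"        # assumed source root: the WHOLE tree, not a diff
LIB_DIR="${LIB_DIR:-lib}"        # assumed directory of dependency jars for -cp
SCA_HEAP="${SCA_HEAP:-8G}"       # assumed heap; raise it on a 32 GB scan box
JAVA_SRC="${JAVA_SRC:-1.8}"      # assumed -source level

# One build ID per mode, so a quick translation never overwrites the full one.
build_id() { printf '%s-%s' "$APP" "$1"; }

# Translation: -clean the build ID, then translate the entire tree into it.
# Translating only changed files (as in the last post) starves dataflow and
# controlflow, which is why cross-file findings such as XSS disappear.
translate_cmd() {
  b="$(build_id "$1")"
  printf 'sourceanalyzer -b %s -clean && sourceanalyzer -b %s -source %s -cp "%s/*.jar" %s' \
    "$b" "$b" "$JAVA_SRC" "$LIB_DIR" "$SRC_DIR"
}

# Scan: -quick is the only difference between the two modes. On 17.10 add -mt
# to use all cores; on 17.20 multithreading is on by default (per the answer).
scan_cmd() {
  b="$(build_id "$1")"
  case "$1" in
    quick) printf 'sourceanalyzer -Xmx%s -b %s -scan -quick -f %s.fpr' "$SCA_HEAP" "$b" "$b" ;;
    full)  printf 'sourceanalyzer -Xmx%s -b %s -scan -f %s.fpr' "$SCA_HEAP" "$b" "$b" ;;
    *)     echo "scan_cmd: mode must be quick or full" >&2; return 1 ;;
  esac
}

# Upload into a mode-specific SSC application version ("quick" or "full").
# SSC rejects quick-scan FPRs uploaded into a normal version by default, so
# keeping a separate version for them preserves the trend data of the full one.
# fortifyclient option names assumed from the 17.x CLI; verify for your version.
upload_cmd() {
  b="$(build_id "$1")"
  printf 'fortifyclient uploadFPR -url "%s" -authtoken "%s" -file %s.fpr -application %s -applicationVersion %s' \
    "${SSC_URL:-https://ssc.example.invalid}" "${SSC_TOKEN:-<token>}" "$b" "$APP" "$1"
}

# Execute each step if its tool is on PATH; otherwise print the plan so the
# script is safe to run on a machine without SCA installed.
run_pipeline() {
  mode="$1"
  for step in translate_cmd scan_cmd upload_cmd; do
    cmd="$("$step" "$mode")"
    tool="${cmd%% *}"
    if command -v "$tool" >/dev/null 2>&1; then
      sh -c "$cmd"
    else
      echo "$cmd"
    fi
  done
}

# CI usage: per-commit job runs "quick"; nightly or weekend job runs "full".
case "${1:-}" in
  quick|full) run_pipeline "$1" ;;
esac
```

Run it as `./fortify-ci.sh quick` from the commit-triggered job and `./fortify-ci.sh full` from the scheduled one; with the tools absent it only prints the three command lines, which is a convenient way to review the exact flags before wiring it into the pipeline.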