Section 5. Exploring the Basic SCA Engine Command Line Arguments


This exercise continues the introduction of the Source Code Analysis Engine. In this exercise, you will experiment with the basic command line arguments accepted by the SCA Engine.

  1. Consider the command line syntax:

    • For C and C++ source code, the syntax is:

      sourceanalyzer [options] compiler [compiler-flags] files

    • For Java source code, the syntax is:

      sourceanalyzer -cp classpath [options] files

    • For a .NET executable, the syntax is:

      sourceanalyzer [options] -libdirs dirs executable

  2. Experiment with the following basic command line arguments using the sample programs from the previous exercise.

    • Compiler:

      For C and C++ code, the sourceanalyzer command is included in the compile line as a prefix to the actual build command, such as gcc or cl. For complex builds, the sourceanalyzer command is also used to intercept archiving commands, such as ar, and linking commands, such as link and ld. The SCA Engine interprets the flags passed to the build command and adjusts its own operation accordingly, without affecting the actual build.

      For Java code, the compiler is implicitly javac.

    • Output Format: -format format

      This option specifies the output format. The default format is text. To select Fortify Vulnerability Description Language (FVDL), Fortify Software's XML-based format for describing vulnerabilities, specify -format fvdl. You can also specify fvdl-zip, which produces a zipped FVDL file. FVDL is more verbose than text and is used by the Fortify Audit Workbench and other tools.

    • Output Location: -f filename

      This option specifies a file location to which the output will be written. By default, if a file location is not specified, the output is written to the console.
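
As an added example (not from the book or from Fortify), a small POSIX sh wrapper that applies the prefixing described above to a Makefile-driven C/C++ build: it prepends sourceanalyzer, with the -format and -f options, to compiler (gcc, cl), archiver (ar) and linker (ld, link) invocations and runs every other command unchanged. The SCA_FORMAT, SCA_OUT and SCA_DRY_RUN variables are this wrapper's own convention, not SCA Engine options.

```shell
#!/bin/sh
# sca-wrap.sh: hypothetical drop-in build wrapper (not a Fortify tool).
# Typical use with an existing Makefile, without editing the Makefile:
#   make CC="sh sca-wrap.sh gcc" AR="sh sca-wrap.sh ar" LD="sh sca-wrap.sh ld"
# Environment (wrapper convention):
#   SCA_FORMAT  -> passed as "-format $SCA_FORMAT" (text, fvdl or fvdl-zip)
#   SCA_OUT     -> passed as "-f $SCA_OUT" (otherwise results go to the console)
#   SCA_DRY_RUN -> if 1, print the composed command instead of running it

# sca_is_build_tool NAME: succeed if NAME is a compile, archive or link step
# that sourceanalyzer should intercept.
sca_is_build_tool() {
    case "$(basename "$1")" in
        gcc|g++|cc|c++|cl|ar|ld|link) return 0 ;;
        *) return 1 ;;
    esac
}

# sca_wrap TOOL [args...]: run TOOL under sourceanalyzer when it is a build
# tool, otherwise run it exactly as given so the build keeps working.
sca_wrap() {
    if ! sca_is_build_tool "$1"; then
        "$@"
        return
    fi
    # Assemble: sourceanalyzer [-format F] [-f OUT] TOOL args...
    # Options are prepended in reverse so they end up in this order.
    if [ -n "$SCA_OUT" ]; then set -- -f "$SCA_OUT" "$@"; fi
    if [ -n "$SCA_FORMAT" ]; then set -- -format "$SCA_FORMAT" "$@"; fi
    set -- sourceanalyzer "$@"
    if [ "${SCA_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# When invoked as a script, wrap whatever build command follows.
if [ "$#" -gt 0 ]; then
    sca_wrap "$@"
fi
```

Run it with SCA_DRY_RUN=1 first to confirm the composed sourceanalyzer line matches the syntax from step 1 before letting it drive a real build.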

For a detailed description of the command line syntax and options supported by the SCA Engine, see the following topics in the Source Code Analysis Engine User's Guide:

  • "Using Source Code Analysis Engine from the Command Line"

  • "Using Source Code Analysis Engine Command Line Options"

The Source Code Analysis Engine User's Guide is located at:

Install_Directory/Documentation/SCA/index.htm


The next lesson, "Understanding Raw Analysis Results," explains how to interpret the results produced by the SCA Engine.

Exercises for the Reader

Beginner

  1. If a single source code base is used to build multiple executable programs, how can you use the SCA Engine to evaluate the programs independently?




Software Security: Building Security In
ISBN: 0321356705
Year: 2004
Pages: 154
Authors: Gary McGraw
