How to scan files without file name extensions

Question

I have code files without file name extensions. Can I scan them with Fortify?

Answer

Fortify uses file name extensions to determine the language contained in each file, and from that how to parse the file and which rulepacks to apply to it. However, there are instances, such as customizations exported from some COTS tools, where code files are generated without extensions. Fortify can scan these files, but each file must be explicitly associated with a language.

This association is made with the -noextension-type flag of the sourceanalyzer command-line tool. Specify the -noextension-type flag followed by the language of the files to be scanned (a full listing of the languages that may be specified is available in the SCA Users’ Guide), and then the files to be scanned. If the files without extensions are in more than one language, each language must be translated separately.

For example, if file1, file2, and file3 are in HTML, file4, file5, and file6 are in JavaScript, and file7 is a Dockerfile, we could scan them as follows:

sourceanalyzer -b buildid -noextension-type HTML file1 file2 file3 ...
sourceanalyzer -b buildid -noextension-type JAVASCRIPT file4 file5 file6 ...
sourceanalyzer -b buildid -noextension-type DOCKERFILE file7 ...
sourceanalyzer -b buildid -scan -f results.fpr
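
The following helper is an added example, not part of the original article or of Fortify. It prints one translation command per language from a hand-written manifest and reports extensionless files that have no language assigned. The manifest format ("LANGUAGE path" per line), the function names, and the restriction to paths without spaces are assumptions of this example; only the flags shown above are used.

```shell
#!/usr/bin/env bash
# Added example: plan per-language translation of extensionless files.
# Assumed manifest format (not a Fortify format): "<LANGUAGE> <path>" per line,
# with paths that contain no whitespace.

# List regular files under $1 whose base name contains no dot (no extension).
list_extensionless() {
    find "$1" -type f ! -name '*.*' | sort
}

# Print one sourceanalyzer translation command per language in the manifest,
# followed by the scan command. Commands are printed, not executed.
plan_translation() {
    build_id=$1
    manifest=$2
    for lang in $(awk 'NF >= 2 {print $1}' "$manifest" | sort -u); do
        files=$(awk -v l="$lang" '$1 == l {print $2}' "$manifest" | tr '\n' ' ')
        printf 'sourceanalyzer -b %s -noextension-type %s %s\n' \
            "$build_id" "$lang" "${files% }"
    done
    printf 'sourceanalyzer -b %s -scan -f results.fpr\n' "$build_id"
}

# Print extensionless files under $1 that the manifest $2 does not list.
# These files have no language association and need one before translation.
unmapped_files() {
    src=$1
    manifest=$2
    list_extensionless "$src" | while IFS= read -r f; do
        awk -v p="$f" '$2 == p {found = 1} END {exit !found}' "$manifest" \
            || printf '%s\n' "$f"
    done
}

# When run as a script: plan.sh <build-id> <manifest> <source-dir>
if [ "$#" -eq 3 ]; then
    plan_translation "$1" "$2"
    echo "# extensionless files with no language in the manifest:" >&2
    unmapped_files "$3" "$2" >&2
fi
```

Review the printed commands and the list of unmapped files before running the translation, so that no extensionless file is left out of the build.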
