How to change Java version in Fortify SCA


My Java-Maven project is implemented in Java 1.8. I have integrated my Maven build with Fortify SCA by installing Fortify and adding the dependencies in my project's pom.xml. However, during the scans, it gives me the below log

[INFO] --- sca-maven-plugin:4.30:scan (default-cli) @ projectname ---
[INFO]                    Packaging -> jar
[INFO]        Top-Level Artifact ID -> null
[INFO]                  Build Label -> projectname-0.1.SNAPSHOT
[INFO]                Build Version -> 0.1.SNAPSHOT
[INFO]           Build Project Name -> projectname
[INFO]                     Build ID -> projectname-0.1.SNAPSHOT
[INFO]                 Results File -> /Users/workspaceneon/projectname/target/projectname-0.1.SNAPSHOT.fpr
[INFO]   Location of SCA Executable -> sourceanalyzer
[INFO]                     Scan Log -> /Users/workspaceneon/projectname/target/sca-scan.log
[INFO]             FindBugs Results -> true
[INFO]                Fail on Error -> true
[INFO]                Upload to SSC -> false
[INFO] Issues will not be tracked and trended without uploading to SSC.
[INFO] *** !! Scanning individual sub-project - projectname !! ***
[INFO] Created output dir /Users/workspaceneon/projectname/target
[INFO] cmd: "/bin/sh -c sourceanalyzer -scan -Xmx800M @/Users/workspaceneon/projectname/target/sca-scan-args.txt"
Fortify Static Code Analyzer 6.30.0086
Fortify Static Code Analyzer 6.30.0086

Also, the Java version is reported to be

[INFO]               Source Version -> 1.6

You can see the version of my Fortify in the above console log.

I feel Fortify is scanning my project assuming it to be a Java 1.6 project. My question is, how can I tell Fortify to scan it as a 1.8 project, and report errors accordingly?


There are 2 answers

bvamos (BEST ANSWER)

Use the command line parameter

-Dfortify.sca.source.version=1.8

or with Maven:

  1. In your project's pom.xml:

    <properties>
        <!-- Java source level that sourceanalyzer translates against -->
        <fortify.sca.source.version>1.8</fortify.sca.source.version>
    </properties>
    
  2. And in the Maven integration:

    <profile>
        <id>sca-translate</id>
        <activation>
            <activeByDefault>false</activeByDefault>
        </activation>
        <build>
            <plugins>
                <plugin>
                    <groupId>com.fortify.ps.maven.plugin</groupId>
                    <artifactId>${maven-sca-plugin.name}</artifactId>
                    <version>${maven-sca-plugin.version}</version>
                    <inherited>true</inherited>
                    <configuration>
                        <!-- source is what the plugin reports as "Source Version" -->
                        <source>${fortify.sca.source.version}</source>
                        <maxHeap>${fortify.sca.Xmx}</maxHeap>
                        <jre64>${fortify.sca.64bit}</jre64>
                        <failOnSCAError>${fortify.failOnError}</failOnSCAError>
                    </configuration>
                    <executions>
                        <execution>
                            <inherited>true</inherited>
                            <id>default-clean</id>
                            <phase>clean</phase>
                            <goals>
                                <goal>clean</goal>
                            </goals>
                        </execution>
                        <execution>
                            <inherited>true</inherited>
                            <id>default-translate</id>
                            <phase>install</phase>
                            <goals>
                                <goal>translate</goal>
                            </goals>
                        </execution>
                    </executions>
                </plugin>
            </plugins>
        </build>
    </profile>
    

Talwinder Kaur

Issue: [sourceanalyzer] [warning]: Assuming Java source level to be 1.8 as it was not specified. Note that the default value may change in future versions.

To resolve this in Ant, do the following:

<taskdef name="sourceanalyzer" classname="com.fortify.dev.ant.SourceanalyzerTask">
    <classpath>
        <fileset dir="${FORTIFY_HOME}/Core/lib">
            <include name="sourceanalyzer.jar"/>
        </fileset>
    </classpath>
</taskdef>
<!-- source sets the Java level; without it sourceanalyzer assumes a default -->
<sourceanalyzer buildid="${FORTIFY_BUILD_ID}" source="1.8">
    <!-- keep the nested elements of your existing sourceanalyzer call here -->
</sourceanalyzer>

Adding source removes this warning.
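A check to run on the saved build output after applying either the Maven or the Ant answer above, added here as an example rather than code from the original answers: it extracts the level Fortify reports on its "Source Version" line and fails when that level was defaulted or differs from the one the project expects, so a scan run at the wrong language level does not pass silently. The log lines are constructed from the output quoted in the question.

```shell
#!/bin/sh
# Constructed sample logs, modelled on the Maven console output in the question:
# BAD_LOG is a scan whose source level was never set, GOOD_LOG one scanned as 1.8.
BAD_LOG='[INFO] --- sca-maven-plugin:4.30:scan (default-cli) @ projectname ---
[INFO]               Source Version -> 1.6
[sourceanalyzer] [warning]: Assuming Java source level to be 1.6 as it was not specified.'
GOOD_LOG='[INFO] --- sca-maven-plugin:4.30:scan (default-cli) @ projectname ---
[INFO]               Source Version -> 1.8'

# Read a log on stdin and print the level from the plugin's "Source Version" line.
sca_source_version() {
    sed -n 's/.*Source Version *-> *\([0-9.][0-9.]*\).*/\1/p' | head -n 1
}

# check_sca_source_version EXPECTED LOG
# Returns 1 when sourceanalyzer fell back to its default level or when the
# reported level differs from EXPECTED, so a CI job can fail the build.
check_sca_source_version() {
    expected="$1"
    log="$2"
    if printf '%s\n' "$log" | grep -q 'Assuming Java source level'; then
        echo "source level not set; pass -Dfortify.sca.source.version=$expected" >&2
        return 1
    fi
    actual=$(printf '%s\n' "$log" | sca_source_version)
    if [ "$actual" != "$expected" ]; then
        echo "Fortify scanned as Java '$actual', expected $expected" >&2
        return 1
    fi
    echo "Fortify source level OK: $actual"
}

# Usage: run against the captured Maven output of the scan.
check_sca_source_version 1.8 "$GOOD_LOG"
```

In a real pipeline, pass the contents of the captured Maven console output (or the sca-scan.log listed by the plugin) as the second argument instead of the constructed samples.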