Professional Documents
Culture Documents
ScanCentral Guide 20.2.0
ScanCentral Guide 20.2.0
ScanCentral Guide 20.2.0
Legal Notices
Micro Focus
The Lawn
22-30 Old Bath Road
Newbury, Berkshire RG14 1QN
UK
https://www.microfocus.com
Warranty
The only warranties for products and services of Micro Focus and its affiliates and licensors (“Micro Focus”) are set forth in the
express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an
additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained herein. The
information contained herein is subject to change without notice.
Copyright Notice
© Copyright 2011-2021 [[[Undefined variable _HPb_Branding_Variables. ]]]
Trademark Notices
All trademarks, service marks, product names, and logos included in this document are the property of their respective owners.
Documentation Updates
The title page of this document contains the following identifying information:
l Software Version number
l Document Release Date, which changes each time the document is updated
l Software Release Date, which indicates the release date of this version of the software
This document was produced on June 11, 2022. To check for recent updates or to verify that you are using the most recent
edition of a document, go to:
https://www.microfocus.com/support/documentation
Micro Focus or one of its affiliates Fortify ScanCentral SAST (20.2.0) Page 2 of 79
Installation, Configuration, and Usage Guide
Contents
Preface 7
Contacting Micro Focus or one of its affiliates Fortify Customer Support 7
For More Information 7
About the Documentation Set 7
Change Log 8
Chapter 1: Introduction 12
Intended Audience 12
Related Documents 12
All Products 13
Micro Focus or one of its affiliates Fortify Software Security Center 14
Micro Focus or one of its affiliates Fortify Static Code Analyzer 14
What's New in Micro Focus ScanCentral SAST 20.2.0 16
Product Name Change 16
Starting Clients Without Client Authentication 16
Version Compatibility Changes for Remote Translation 16
Changes to Version Compatibility Between the Controller and Clients 17
New Command Options 17
Changes to Auto-Update 18
Removed packagescanner Option 18
Renamed Properties in scancentral.properties 18
New -exclude-disabled-projects Option 18
Renamed ssc_cloudctrl_secret Option 19
Changed Default for client_auto_update 19
Fortify Static Code Analyzer Build Folder Automatically Cleared 19
Micro Focus or one of its affiliates Fortify ScanCentral SAST (20.2.0) Page 3 of 79
Installation, Configuration, and Usage Guide
Micro Focus or one of its affiliates Fortify ScanCentral SAST (20.2.0) Page 4 of 79
Installation, Configuration, and Usage Guide
Chapter 5: Working with ScanCentral SAST from Fortify Software Security Center 59
Configuring the Connection to Fortify Software Security Center 59
Submitting Scan Requests and Uploading Results to Fortify Software Security Center 60
Micro Focus or one of its affiliates Fortify ScanCentral SAST (20.2.0) Page 5 of 79
Installation, Configuration, and Usage Guide
Package Command 74
Arguments Command 76
Packagescanner Command 77
Progress Command 78
Accessing Help for Command-Line Options 78
Micro Focus or one of its affiliates Fortify ScanCentral SAST (20.2.0) Page 6 of 79
Installation, Configuration, and Usage Guide
Preface
Preface
l Download software
https://www.microfocus.com/support
Micro Focus or one of its affiliates Fortify ScanCentral SAST (20.2.0) Page 7 of 79
Installation, Configuration, and Usage Guide
Change Log
Change Log
The following table lists changes made to this document.
Software Release /
Document Version Changes
20.2.0 General
l The product name was changed from Fortify ScanCentral to
Fortify ScanCentral SAST to distinguish it from the newly
introduced Fortify ScanCentral DAST.
New topics
l "What's New in Micro Focus ScanCentral SAST 20.2.0" on
page 16
l "Changing Sensor Expiration Time" on page 40
l "Support for Multiple Fortify Static Code Analyzer Versions" on
page 40
l "Viewing Scan Request Status" on page 57
l "Viewing Client and Sensor Logs" on page 58
Modified topics
l A note that describes the difference between standalone and
embedded clients was added to "Fortify ScanCentral SAST
Components" on page 20.
l In "Configuring the ScanCentral SAST Controller" on page 23
ssc_cloudctrl_secret was replaced with ssc_
scancentral_ctrl_secret.
Micro Focus or one of its affiliates Fortify ScanCentral SAST (20.2.0) Page 8 of 79
Installation, Configuration, and Usage Guide
Change Log
Software Release /
Document Version Changes
l
In "Encrypting the Shared Secret" on page 25 ssc_
cloudctrl_secret was replaced with ssc_scancentral_
ctrl_secret.
l The procedure used to start the Controller was modified in
"Starting the ScanCentral SAST Components" on page 45.
l A note about the compatibility rules that apply to remote
translation was added to "Upgrading the ScanCentral SAST
Controller" on page 47.
l "Enabling and Disabling Auto-Updates of Clients and Sensors"
on page 50 was changed to reflect the change in the default
value for the client_auto_update property from true to
false.
l Command-line options used with the packagecanner tool were
changed in "Using the PackageScanner Tool" on page 56.
l Various changes were made to command-line options in
"Fortify ScanCentral SAST Command Options" on page 69.
Removed topics
What's New in Micro Focus Fortify ScanCentral 20.1.0
Micro Focus or one of its affiliates Fortify ScanCentral SAST (20.2.0) Page 9 of 79
Installation, Configuration, and Usage Guide
Change Log
Software Release /
Document Version Changes
Micro Focus or one of its affiliates Fortify ScanCentral SAST (20.2.0) Page 10 of 79
Installation, Configuration, and Usage Guide
Change Log
Software Release /
Document Version Changes
Micro Focus or one of its affiliates Fortify ScanCentral SAST (20.2.0) Page 11 of 79
Chapter 1: Introduction
With Fortify ScanCentral SAST (ScanCentral), Fortify Static Code Analyzer users can better
manage their resources by offloading code analysis tasks from their build machines to a cloud of
machines (sensors) provided for this purpose.
You can start a Fortify Static Code Analyzer analysis of your code from a ScanCentral client in
one of two ways:
l You can perform the translation phase on a local or build machine to generate a mobile build
session (MBS). The ScanCentral client then hands off the MBS to the ScanCentral Controller,
which distributes the MBS to the sensors. The sensors then perform the scanning phase of
the analysis.
l If your application version is written in a language supported for centralized translation, you
can also offload the translation phase of the analysis to your sensors. For information about
the languages supported for offloading translation, see "Creating ScanCentral SAST Clients"
on page 36. For information about the specific language versions supported, see the Micro
Focus Fortify Software System Requirements document.
If your code is written using a language other than one supported for offloading project
translation, the translation phase (less processor- and time-intensive than the scanning phase)
is completed on the build machine. After translation is completed, ScanCentral generates a
project package, which it then moves to a distributed cloud of machines (sensors) for scanning.
In addition to freeing up build machines, this process makes it easy to add more resources to the
cloud and grow the system as needed, without having to interrupt your build process. And,
Fortify Software Security Center can direct ScanCentral to output FPR files directly to the
server.
This content provides information on how to install, configure, and use ScanCentral to
streamline your static code analysis process.
Intended Audience
This content is written for anyone who intends to install, configure, or use ScanCentral to
offload the translation (for supported languages) and scanning phases of the Fortify Static Code
Analyzer process to ScanCentral sensors.
Related Documents
This topic describes documents that provide information about Micro Focus or one of its
affiliates Fortify software products.
Micro Focus or one of its affiliates Fortify ScanCentral SAST (20.2.0) Page 12 of 79
Installation, Configuration, and Usage Guide
Related Documents
Note: You can find the Micro Focus or one of its affiliates Fortify Product Documentation at
https://www.microfocus.com/support/documentation. All guides are available in both PDF
and HTML formats. Product help is available within the Fortify WebInspect products.
All Products
The following documents provide general information for all products. Unless otherwise noted,
these documents are available on the Micro Focus Product Documentation website.
About Micro Focus or one of its This paper provides information about how to access
affiliates Fortify Product Software Micro Focus or one of its affiliates Fortify product
Documentation documentation.
About_Fortify_Docs_<version>.pdf Note: This document is included only with the
product download.
Micro Focus or one of its affiliates This document provides the details about the
Fortify Software System environments and products supported for this version
Requirements of Fortify Software.
Fortify_Sys_Reqs_<version>.pdf
Micro Focus or one of its affiliates This document provides an overview of the changes
Fortify Software Release Notes made to Fortify Software for this release and important
information not included elsewhere in the product
FortifySW_RN_<version>.pdf
documentation.
What’s New in Micro Focus or one This document describes the new features in Fortify
of its affiliates Fortify Software Software products.
<version>
Fortify_Whats_New_<version>.pdf
Micro Focus or one of its affiliates Fortify ScanCentral SAST (20.2.0) Page 13 of 79
Installation, Configuration, and Usage Guide
Related Documents
Micro Focus or one of its affiliates This document provides Fortify Software Security
Fortify Software Security Center Center users with detailed information about how to
User Guide deploy and use Software Security Center. It provides
all of the information you need to acquire, install,
SSC_Guide_<version>.pdf
configure, and use Software Security Center.
It is intended for use by system and instance
administrators, database administrators (DBAs),
enterprise security leads, development team
managers, and developers. Software Security Center
provides security team leads with a high-level
overview of the history and current status of a project.
Micro Focus or one of its affiliates This document describes how to install and use Fortify
Fortify Static Code Analyzer User Static Code Analyzer to scan code on many of the
Guide major programming platforms. It is intended for
people responsible for security audits and secure
SCA_Guide_<version>.pdf
coding.
Micro Focus or one of its affiliates Fortify ScanCentral SAST (20.2.0) Page 14 of 79
Installation, Configuration, and Usage Guide
Related Documents
Micro Focus or one of its affiliates This document provides the information that you need
Fortify Static Code Analyzer to create custom rules for Fortify Static Code Analyzer.
Custom Rules Guide This guide includes examples that apply rule-writing
concepts to real-world security issues.
SCA_Cust_Rules_Guide_
<version>.zip Note: This document is included only with the
product download.
Micro Focus or one of its affiliates This document describes how to use Fortify Audit
Fortify Audit Workbench User Workbench to scan software projects and audit
Guide analysis results. This guide also includes how to
integrate with bug trackers, produce reports, and
AWB_Guide_<version>.pdf
perform collaborative auditing.
Micro Focus or one of its affiliates This document provides information about how to
Fortify Plugins for Eclipse User install and use the Fortify Complete and the Fortify
Guide Remediation Plugins for Eclipse.
Eclipse_Plugins_Guide_
<version>.pdf
Micro Focus or one of its affiliates This document describes how to install and use both
Fortify Plugins for JetBrains IDEs the Fortify Analysis Plugin for IntelliJ IDEA and
and Android Studio User Guide Android Studio and the Fortify Remediation Plugin for
IntelliJ IDEA, Android Studio, and other JetBrains IDEs.
JetBrains_AndStud_Plugins_Guide_
<version>.pdf
Micro Focus or one of its affiliates This document describes how to install, configure, and
Fortify Jenkins Plugin User Guide use the plugin. This documentation is available at
https://www.microfocus.com/documentation/fortify-
Jenkins_Plugin_Guide_
jenkins-plugin.
<version>.pdf
Micro Focus or one of its affiliates This document describes how to install and use Fortify
Fortify Security Assistant Plugin for Security Assistant plugin for Eclipse to provide alerts
Eclipse User Guide to security issues as you write your Java code.
SecAssist_Eclipse_Guide_
<version>.pdf
Micro Focus or one of its affiliates Fortify ScanCentral SAST (20.2.0) Page 15 of 79
Installation, Configuration, and Usage Guide
What's New in Micro Focus ScanCentral SAST 20.2.0
Micro Focus or one of its affiliates This document provides information about how to
Fortify Extension for Visual Studio install and use the Fortify extension for Visual Studio
User Guide to analyze, audit, and remediate your code to resolve
security-related issues in solutions and projects.
VS_Ext_Guide_<version>.pdf
Micro Focus or one of its affiliates This document describes the properties used by
Fortify Static Code Analyzer Tools Fortify Static Code Analyzer tools.
Properties Reference Guide
SCA_Tools_Props_Ref_
<version>.pdf
Micro Focus or one of its affiliates Fortify ScanCentral SAST (20.2.0) Page 16 of 79
Installation, Configuration, and Usage Guide
What's New in Micro Focus ScanCentral SAST 20.2.0
l Jobs from version 20.2.x standalone clients are assigned to Fortify Static Code Analyzer only
20.2.x (the Fortify Static Code Analyzer version must match the client version).
l Jobs from an embedded client (on SCA and Apps)
Note: These changes apply to remote translation only. Remote scans are not affected.
l The 20.2.0 version Controller now assigns jobs submitted from ScanCentral version 19.2.x
and 20.1.x clients to Fortify Static Code Analyzer versions 20.1.x only.
l You can no longer use Fortify Static Code Analyzer 19.2.x with a version 20.2.0 Controller for
remote translations and scans.
l Jobs from a version 20.2.0 standalone client are assigned only to Fortify Static Code Analyzer
version 20.2.0. (The Fortify Static Code Analyzer version must match the client version).
New ScanCentral SAST Client OptionsThe following new build options are
supported for ScanCentral SAST clients:
l
The -bc (--build-command) option specifies custom build parameters for preparing and
building a project.
l
The -skipBuild option disables the project preparation build step before packaging.
Micro Focus or one of its affiliates Fortify ScanCentral SAST (20.2.0) Page 17 of 79
Installation, Configuration, and Usage Guide
What's New in Micro Focus ScanCentral SAST 20.2.0
l
Use the new ) -snm(--scan_node_modules option, which applies to both start and
package commands, to include node_modules dependencies in packages.
For more information, see "Fortify ScanCentral SAST Command Options" on page 69.
Changes to Auto-Update
With this release, if automatic updates of your clients and sensors is enabled, auto-update works
as follows:
l Embedded clients and sensors are updated automatically with patch installation.
l Standalone clients are automatically updated with major ScanCentral SAST upgrades and
with patch installations.
l Embedded clients and sensors follow the expected client failure logic in case of failed
upgrades.
l Standalone clients follow the expected client failure logic in case of failed upgrades,
depending on upgrade type.
l
Auto-updates work regardless of whether values are set for the client_auth_token and
worker_auth_token properties. If, on the Controller, no value is set for client_auth_
token and the client.properties file is missing, or if the file does not contain the
client_auth_token property, auto-update still works.
l Version 20.1.x clients and sensors cannot be auto-updated to version 20.2.0.
Micro Focus or one of its affiliates Fortify ScanCentral SAST (20.2.0) Page 18 of 79
Installation, Configuration, and Usage Guide
What's New in Micro Focus ScanCentral SAST 20.2.0
Micro Focus or one of its affiliates Fortify ScanCentral SAST (20.2.0) Page 19 of 79
Chapter 2: Fortify ScanCentral SAST
Components
A Fortify ScanCentral SAST installation includes the following three components:
l ScanCentral client: A build machine on which Fortify Static Code Analyzer translates your
code and generates Fortify Static Code Analyzer mobile build sessions (MBS). The translated
source code, along with optional and required data, such as custom rules and Fortify Static
Code Analyzer command-line arguments, are uploaded to the ScanCentral Controller.
Note: A client can be either an embedded client, which resides on the same machine as
Fortify Static Code Analyzer, or a standalone client, which is independent of Fortify Static
Code Analyzer.
Within an SCA and Apps installation, the files used for ScanCentral SAST sensors and
embedded clients are the same. The only difference is how you invoke their functionality
from the command line. To use ScanCentral SAST as a sensor, you run ScanCentral using
the worker command. To use ScanCentral SAST as a client to initiate a scan, you invoke
it using the start command. Sensor functionality depends on Fortify Static Code
Analyzer. So, you can have a standalone client, but not a standalone sensor.
The interface for issuing Fortify ScanCentral SAST commands is installed on your clients. You
can use this interface to create or identify a Fortify Static Code Analyzer mobile build session,
set the parameters for the scan, and communicate your intentions to the ScanCentral
Controller.
Note: A standalone client that does not require that Fortify Static Code Analyzer be
installed may pack the code with dependencies into a package to send to the Controller
for further translation and scanning.
l ScanCentral Controller: A standalone web application that receives the Fortify Static Code
Analyzer mobile build sessions and scan instructions from ScanCentral clients (or project
packages with translation and scan instructions), routes the information to sensors, and
(optionally) uploads scan results (FPR files) to Fortify Software Security Center.
l ScanCentral sensors: Distributed network of computers set up to receive Fortify Static Code
Analyzer mobile build sessions (MBSs) and scan code using Fortify Static Code Analyzer. If
your applications are written in a supported language, the sensors can also perform the
translation phase of the analysis. For information about the languages supported for
performing translation, see "Creating ScanCentral SAST Clients" on page 36.
Note: The minimum installation requires three physical or virtual machines: a Fortify
ScanCentral SAST client, a sensor, and a Controller. A Fortify Software Security Center
server is optional.
Micro Focus or one of its affiliates Fortify ScanCentral SAST (20.2.0) Page 20 of 79
Installation, Configuration, and Usage Guide
Installing and Configuring the Fortify ScanCentral SAST Components
Note: As you set up your ScanCentral environment, you can use subnets to segment your
build machines from the sensors. The build machines need only communicate with the
ScanCentral Controller, which in turn communicates with the sensors.
l ScanCentral sensors
For information about hardware and software requirements for these components, see the
Micro Focus Fortify Software System Requirements document.
This section contains the following topics:
Caution! Before you install the Controller, you must first download and configure a Java
Runtime Environment (JRE). For information about supported JRE versions, see the Micro
Focus Fortify Software System Requirements guide. For information about how to
download and configure JRE, see the documentation for the supported JRE version.
Jobs are deleted from the Controller after seven days, unless you change the job_expiry_
delay variable value of 168 hours in the config.properties file. (You can find the
config.properties file in the <sc_controller_dir>/tomcat/webapps/scancentral-
ctrl/WEB-INF/classes directory.)
Caution! The name of the directory into which you install the Controller must not include
spaces.
Micro Focus or one of its affiliates Fortify ScanCentral SAST (20.2.0) Page 21 of 79
Installation, Configuration, and Usage Guide
Installing and Configuring the Fortify ScanCentral SAST Components
l
Extract the contents of the Fortify_ScanCentral_Controller_<version>_x64.zip file
to a directory that does not include either the <sca_install_dir> or the <ssc_install_
dir>.
After you install the ScanCentral Controller, <sc_controller_dir> resembles the following:
bin/
tomcat/
readme.txt
See Next
"Configuring the ScanCentral SAST Controller" on the next page
For information about how to update your Controller, see "About Upgrading ScanCentral SAST
Components" on page 47 and "Upgrading the ScanCentral SAST Controller" on page 47.
See Also
"Installing and Uninstalling the ScanCentral SAST Controller as a Service" below
service.bat install
This creates a service with the name "Tomcat9."
To install the Controller as a service with a different name:
Micro Focus or one of its affiliates Fortify ScanCentral SAST (20.2.0) Page 22 of 79
Installation, Configuration, and Usage Guide
Installing and Configuring the Fortify ScanCentral SAST Components
1. Check to make sure that the JRE_HOME and JAVA_HOME environment variables are correctly
configured.
2. Check to make sure that the CATALINA_HOME environment variable is either empty or set
up to point to the ScanCentral SAST Tomcat directory.
3. Navigate to the <sc_controller_dir>/tomcat/bin directory, and then run the
following:
service.bat remove
To uninstall the controller as a service with a name other than Apache Tomcat 9.0:
1. Stop the service.
2. Navigate to the <sc_controller_dir>/tomcat/bin directory, and then run the
following:
service.bat remove <service_name>
See Also
"Configuring the ScanCentral SAST Controller" below
Caution! To avoid potential conflicts, Fortify recommends that you run the Controller on a
Tomcat Server instance other than the instance that Fortify Software Security Center uses.
Micro Focus or one of its affiliates Fortify ScanCentral SAST (20.2.0) Page 23 of 79
Installation, Configuration, and Usage Guide
Installing and Configuring the Fortify ScanCentral SAST Components
2. Open the config.properties file in a text editor, and then configure the properties listed
in the following table.
Option Description
client_auto_ If set to true, this enables the Controller to automatically update all
update outdated sensors and clients. For details, see "Enabling and
Disabling Auto-Updates of Clients and Sensors" on page 50.
ssc_url URL for the Fortify Software Security Center server; all uploads are
sent to this address.
Example: https://<ssc_host>:<port>/ssc
this_url URL for the Controller; used in emails to refer to this server for
manual job result downloads.
Example: https://<controller_
host>:8443/scancentral-ctrl
ssc_ Password that Fortify Software Security Center uses to request data
scancentral_ from the Controller. Specify a string that contains no spaces or
ctrl_secret backslashes.
(Optional) Use an encrypted shared secret. For instructions on how
to encrypt a shared secret, see "Encrypting the Shared Secret" on
Micro Focus or one of its affiliates Fortify ScanCentral SAST (20.2.0) Page 24 of 79
Installation, Configuration, and Usage Guide
Installing and Configuring the Fortify ScanCentral SAST Components
Option Description
If your remote IP address is different than the configured Fortify Software Security
Center URL, you can use one of the following properties to set up the remote IP address.
Micro Focus or one of its affiliates Fortify ScanCentral SAST (20.2.0) Page 25 of 79
Installation, Configuration, and Usage Guide
Installing and Configuring the Fortify ScanCentral SAST Components
l
worker_auth_token, smtp_auth_pass and ssc_scancentral_ctrl_secret properties
in the config.properties file on the Controller
l
worker_auth_token property in the worker.properties file on a sensor
l
client_auth_token property in the client.properties file on a client
The pwtool generates a new key stored in the file on the path specified in step 1, or reuses
an existing file on specified path.
3. Copy the new encrypted secret, and paste it as the value for one of the following properties
in the config.properties file:
l
worker_auth_token
l
smtp_auth_pass
l
ssc_scancentral_ctrl_secret
l client_auth_token
Tip: Fortify recommends that you assign separate, unique shared secrets for the
worker_auth_token, smtp_auth_pass, and ssc_scancentral_ctrl_secret
properties.
4. Create two additional encrypted shared secrets (steps 1 and 2) and, in the
config.properties file, paste these as values for the two properties to which you did not
already assign an encrypted secret in step 3.
5. Uncomment the following line (property) in the config.properties file:
Pwtools_keys_file=d:\SecretKeys\SecretKey.txt
6. Save the config.properties file.
Micro Focus or one of its affiliates Fortify ScanCentral SAST (20.2.0) Page 26 of 79
Installation, Configuration, and Usage Guide
Installing and Configuring the Fortify ScanCentral SAST Components
o
For a client used as part of Fortify Static Code Analyzer and applications, run <sca_
install_dir>\bin\pwtool.bat <pwtool_key_filepath>
o
For a standalone client, run <client_install_dir>\bin\pwtool.bat <pwtool_
key_filepath>
l On a Linux system:
o
For a client used as part of Fortify Static Code Analyzer and applications, run <sca_
install_dir>/bin/pwtool <path_to_pwtool.keys>
o
For a standalone client, run <client_install_dir>/bin/pwtool <path_to_
pwtool.keys>
2. When prompted, type the password to encode, and then press Enter.
The pwtool generates a new key in the file on the specified path, or reuses an existing file
and prints the encrypted password.
3. Copy the new encrypted secret, and paste it as the value for the client_auth_token
property in the client.properties file.
4. Add the following to the client.properties file:
pwtool_keys_file=<pwtool_key_filename>
See Also
"Configuring the ScanCentral SAST Controller" on page 23
"Creating ScanCentral SAST Sensors" on page 39
Micro Focus or one of its affiliates Fortify ScanCentral SAST (20.2.0) Page 27 of 79
Installation, Configuration, and Usage Guide
Installing and Configuring the Fortify ScanCentral SAST Components
Note: By default, in enabled and enforced modes, all application versions are assigned to
the Default pool.
Micro Focus or one of its affiliates Fortify ScanCentral SAST (20.2.0) Page 28 of 79
Installation, Configuration, and Usage Guide
Installing and Configuring the Fortify ScanCentral SAST Components
(only) specified
See Also
"Configuring the ScanCentral SAST Controller" on page 23
Note: The following sections show examples of how to create a connection. For the most
current information, see your Apache Tomcat documentation.
Micro Focus or one of its affiliates Fortify ScanCentral SAST (20.2.0) Page 29 of 79
Installation, Configuration, and Usage Guide
Installing and Configuring the Fortify ScanCentral SAST Components
l On a Windows system:
%JAVA_HOME%\bin\keytool -genkey -alias <alias_name> -keyalg RSA -keystore
<mykeystore>
l On a Linux system:
$JAVA_HOME/bin/keytool -genkey -alias <alias_name> -keyalg RSA -keystore
<mykeystore>
Prompt Value
What is your first and Type your hostname. You can use your fully-qualified domain
last name? name here.
Note: If you plan to provide an IP address as the
hostname, then you must also provide the -ext
san=ip:<ip_ address> parameter to keytool. Without
the -ext san=ip:<ip_address> parameter, the SSL
handshake fails.
What is the name of Name to identify the group that is to use the cert.
your organizational
unit?
What is the two-letter If your server is located in the United States, type US.
country code for this
unit?
Micro Focus or one of its affiliates Fortify ScanCentral SAST (20.2.0) Page 30 of 79
Installation, Configuration, and Usage Guide
Installing and Configuring the Fortify ScanCentral SAST Components
Prompt Value
Enter key password for Password for your Tomcat server key. Press Return / Enter
<tomcat><Return if to use the same password you established for your keystore.
same as keystore (Fortify recommends that you create a new key password.)
password>:
3. To export the certificate from the Tomcat keystore, open a command prompt and type one
of the following:
l On a Windows system:
4. Add the following connector to the server.xml file in the tomcat\conf directory:
<Connector port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="<mykeystore>" "keystorePass="<mypassword>"
clientAuth="false" sslProtocol="TLS"/>
Note: The default server.xml file installed with Tomcat includes an example
<connector> element for an SSL connector.
5. Navigate to one of the following directories, and then open the config.properties file in
a text editor:
l
(Windows) <sc_controller_dir>\tomcat\webapps\scancentral-ctrl\WEB-
INF\classes
l
(Linux) <sc_controller_dir>/tomcat/webapps/scancentral-ctrl/WEB-
INF/classes
6. Update the this_url property, with your https address and port.
Example: this_url=https://<controller_host>:8443/scancentral-ctrl
7. Restart your Tomcat server.
8. Set up your clients and sensors. For information about how to set up the ScanCentral SAST
clients and sensors, see "Creating ScanCentral SAST Clients" on page 36 and, "Creating
ScanCentral SAST Sensors" on page 39, respectively.
Micro Focus or one of its affiliates Fortify ScanCentral SAST (20.2.0) Page 31 of 79
Installation, Configuration, and Usage Guide
Installing and Configuring the Fortify ScanCentral SAST Components
9. Add your self-signed certificate to the java keystore on all entities that communicate with
the Controller (includes all clients, sensors, and Fortify Software Security Center
installations) as follows:
a. For ScanCentral SASTclients and sensors, open a command prompt and type the
following:
cd <sca_install_dir>\jre\bin
Where <sca_install_dir> is the directory where the sensor or client is installed.
For a installation or for standalone ScanCentral SAST clients, open a command prompt
and type one of the following:
o On Windows:
cd %JAVA_HOME%\jre\bin
o On Linux:
cd $JAVA_HOME/jre/bin
Where YourCertFile.cer is the same certificate file that you exported in step 1.
Micro Focus or one of its affiliates Fortify ScanCentral SAST (20.2.0) Page 32 of 79
Installation, Configuration, and Usage Guide
Installing and Configuring the Fortify ScanCentral SAST Components
2. The keytool prompts you for the information described in the following table.
Prompt Data
What is your first and last Type your hostname. You can use your fully qualified
name? domain name here.
What is the name of your Type the name of the group that is to use the certificate.
organizational unit? (This can be anything you want.)
What is the name of your Type the name of your organization (This can be
organization? anything you want.)
What is the name of your City Type the city or locality. (This can be anything you
or Locality? want.)
What is the name of your Type the state or province. (This can be anything you
State or Province? want.)
What is the two-letter If your server is located in the United States, type US.
country code for this unit?
Enter key password for Type a password for your Tomcat server key, or press
<tomcat><Return if Return to use the same password you established for
same as keystore your keystore. Fortify recommends that you create a
password>: new password.
Micro Focus or one of its affiliates Fortify ScanCentral SAST (20.2.0) Page 33 of 79
Installation, Configuration, and Usage Guide
Installing and Configuring the Fortify ScanCentral SAST Components
l On a Linux system:
4. Send the CSR file to the certificate signing authority you have chosen.
5. Once you receive your certificate from the certificate signing authority, import it into the
keystore that you created, as follows:
l On a Windows system:
l On a Linux system:
The root CA already exists in the cacerts file of your JDK, so you are just installing the
intermediate CA for your certificate signing authority.
Note: If you purchased your certificate from VeriSign, you must first import the chain
certificate. You can find the specific chain certificate on the VeriSign website or click
the link for the chain certificate in the email you received from VeriSign with your
certificate.
l On a Windows system:
%JAVA_HOME%\bin\keytool -import -alias IntermediateCA -trustcacerts-
file "chainCert.crt" -keystore "<mykeystore>"
l On a Linux system:
6. Add the following connector to the server.xml file in the tomcat\config directory:
Micro Focus or one of its affiliates Fortify ScanCentral SAST (20.2.0) Page 34 of 79
Installation, Configuration, and Usage Guide
Installing and Configuring the Fortify ScanCentral SAST Components
keystoreFile="<mykeystore>" keystorePass="<mypassword>"
clientAuth="false" sslProtocol="TLS"/>
<sc_controller_dir>\tomcat\webapps\scancentral-ctrl\WEB-
INF\classes\config.properties
On a Linux system:
<sc_controller_dir>/tomcat/webapps/scancentral-ctrl/WEB-
INF/classes/config.properties
b. Update the this_url property with your https address and port.
Example: this_url=https://<controller_host>:8443/scancentral-ctrl
See Also
"Securing the Controller for Authorized Client Use Only" below
Micro Focus or one of its affiliates Fortify ScanCentral SAST (20.2.0) Page 35 of 79
Installation, Configuration, and Usage Guide
Installing and Configuring the Fortify ScanCentral SAST Components
Allowing CloudScan Clients that do not Support Client Authentication to Connect to the
Controller
If you have CloudScan version 19.2.0 or earlier clients that do not support client authentication,
you can enable them to connect to the Controller.
To enable CloudScan version 19.2.0 or earlier clients to connect to the Controller:
1. Navigate to the ControllerTomcat/webapps/cloud-ctrl/WEB-INF/classes
directory and open the config.properties file in a text editor.
2. Set the allow_insecured_clients_with_empty_token property to true.
If you set the allow_insecured_clients_with_empty_token property to false, only
clients that support the client_auth_token can connect to Controller.
Note: If a client (CloudScan 19.2.1 or ScanCentral 20.1.0 and later client) supports the
client_auth_token property and that property value is left unspecified, the client cannot
connect to the Controller even if the allow_insecured_clients_with_empty_token is
set to true, unless the client_auth_token value on the Controller is also left unspecified.
Micro Focus or one of its affiliates Fortify ScanCentral SAST (20.2.0) Page 36 of 79
Installation, Configuration, and Usage Guide
Installing and Configuring the Fortify ScanCentral SAST Components
l PHP
l Java
l ABAP (Advanced Business Application Programming)
l Apex (Salesforce)
l Classic ASP (ASP Classic)
l Adobe ColdFusion
l PL/SQL / T-SQL
l Microsoft TypeScript
l Visual Basic 6.0
l .NET applications (C#, VB.NET, .NET Core, ASP.NET, and .NET Standard)
Caution! As you specify an installation path, make sure that the path name contains no
spaces.
Updating a Client
Important! If your Controller version is later than your Fortify Static Code Analyzer
installation version, Fortify recommends that you update the ScanCentral SAST client to the
Micro Focus or one of its affiliates Fortify ScanCentral SAST (20.2.0) Page 37 of 79
Installation, Configuration, and Usage Guide
Installing and Configuring the Fortify ScanCentral SAST Components
same version as the ScanCentral Controller. This ensures you are running the most recent
code.
Tip: After you configure a client, you can copy the configuration files and use them to
create other clients.
See Also
"(Windows only) Configuring Sensors to Offload Translation For .NET Languages" on page 42
"Configuring Sensors to Use the Progress Command when Starting on Java" on page 41
Micro Focus or one of its affiliates Fortify ScanCentral SAST (20.2.0) Page 38 of 79
Installation, Configuration, and Usage Guide
Installing and Configuring the Fortify ScanCentral SAST Components
Note: If you use Windows, you can install the sensor as a Windows service. For instructions,
see "Creating a ScanCentral SAST Sensor as a Service" below.
To create a sensor:
1. Log in to the build machine using an account that is not an administrator or root.
2. Install Fortify Static Code Analyzer 20.2.0. (For instructions, see the Micro Focus or one of
its affiliates Fortify Static Code Analyzer User Guide.)
3. Create a file named worker.properties in the <sca_install_dir>\Core\config
directory.
4. Add the following property to the worker.properties file:
worker_auth_token=<value_set_in_controller_configuration>
5. Specify either a clear text password, or an encrypted shared secret (password the
Controller uses to communicate with the sensor) as the worker.properties value. For
information about how to generate an encrypted shared secret, see "Encrypting the Shared
Secret on a Sensor" on page 27.
6. Save and close your worker.properties file.
Micro Focus or one of its affiliates Fortify ScanCentral SAST (20.2.0) Page 39 of 79
Installation, Configuration, and Usage Guide
Installing and Configuring the Fortify ScanCentral SAST Components
Micro Focus or one of its affiliates Fortify ScanCentral SAST (20.2.0) Page 40 of 79
Installation, Configuration, and Usage Guide
Installing and Configuring the Fortify ScanCentral SAST Components
Important! If you clone VMs, you must remove the worker_persist.properties file
from sensor work directory (current directory when starting sensor) after cloning.
Note: Use sensor machines dedicated to ScanCentral SAST and run sensors under a
dedicated username. Run only one sensor instance per machine, and do not run any other
Java processes under the same username after you start the ScanCentral Controller.
If the Controller and Fortify Software Security Center run on different machines, you must check
to make sure that scancentral-ctrl\WEB-INF\classes\config.properties (ssc_url,
this_url) and the ScanCentral Controller URL set on Fortify Software Security Center (select
Administration > Configuration > ScanCentral SAST) resolve to the correct IP addresses.
Check to make sure that the following channels of communication are not blocked by a firewall
or other tool:
l Controller to Fortify Software Security Center port (for scan uploads)
l Fortify Software Security Center to the ScanCentral Controller port (for Fortify ScanCentral
SAST administration console functionality)
l Clients to the ScanCentral Controller port
l Sensors to the ScanCentral Controller port
l Clients to the Fortify Software Security Center port (required only if Fortify Software Security
Center is in lock down mode, or if the -sscurl option is used)
Micro Focus or one of its affiliates Fortify ScanCentral SAST (20.2.0) Page 41 of 79
Installation, Configuration, and Usage Guide
Installing and Configuring the Fortify ScanCentral SAST Components
sca_jxm_access_file=<path_to_access_file>
sca_jmx_password_file=<path_to_password_file>
sca_jmx_password=<password>
sca_jxm_user=<user_role>
sca_jmx_auth=true
5. Save and close the worker.properties file.
After you complete this configuration, ScanCentral SAST clients start on the specified port
using JMX password authentication. Make sure that the port is not already bound.
Important! If you use sca_jmx_auth, you can start only one sensor. Any attempt to
open a new Fortify Static Code Analyzer instance results in a bind port error. To have
multiple sensors on a machine, you must have several ScanCentral SAST instances,
each with its own worker.properties file.
l NuGet (optional)
Beginning with (CloudScan) version 19.2.0, remote translation and scanning for .NET and
ASP.NET projects were supported. ScanCentral SAST supports the same MSBuild versions as
Fortify Static Code Analyzer. (.NET packaging and scanning works only on Windows systems.)
The requirements for using this feature are as follows:
l Configure at least one sensor with the software required to support .NET capability.
l Clients must have the software required to build and pack .NET projects installed.
Micro Focus or one of its affiliates Fortify ScanCentral SAST (20.2.0) Page 42 of 79
Installation, Configuration, and Usage Guide
Installing and Configuring the Fortify ScanCentral SAST Components
Micro Focus or one of its affiliates Fortify ScanCentral SAST (20.2.0) Page 43 of 79
Installation, Configuration, and Usage Guide
Installing and Configuring the Fortify ScanCentral SAST Components
ProjectRoot
+- MySolution.sln
+- SubprojectA
+- SubprojectA.csproj
+- ...
+- SubprojectB
+- SubprojectB.csproj
+- ...
The following command (invoked from project root folder) creates a fortify-sca.settings
file under ProjectRoot:
scancentral arguments -targs -exclude Src/SubprojectB
The following command (invoked from project root folder) starts the remote translation of the
project, with SubprojectB excluded:
scancentral -url <sc_controller_url> start -bt msbuild -bf
<MySolution.sln>
Micro Focus or one of its affiliates Fortify ScanCentral SAST (20.2.0) Page 44 of 79
Installation, Configuration, and Usage Guide
Installing and Configuring the Fortify ScanCentral SAST Components
cd <sc_controller_dir>\tomcat\bin
On a Linux system:
cd <sc_controller_dir>/tomcat/bin
3. Run one of the following commands:
l
On a Windows system, run startup.bat.
Note: If Tomcat is running as a service, rather than running start.bat, you can
just start the service.
l
On a Linux system, run ./startup.sh.
Micro Focus or one of its affiliates Fortify ScanCentral SAST (20.2.0) Page 45 of 79
Installation, Configuration, and Usage Guide
Installing and Configuring the Fortify ScanCentral SAST Components
On a Linux system:
Note: Make sure that you run a given sensor consistently from the same directory.
Otherwise, its UUID changes and, if ScanCentral SAST is connected to Fortify Software
Security Center, Fortify Software Security Center identifies it as different sensor.
Start Fortify Software Security Center. If ScanCentral SAST is integrated with Fortify Software
Security Center, after you log in to Fortify Software Security Center, notice that the Fortify
header now includes the SCANS link. If you do not see the SCANS link in the header, log out,
open a new browser window, and then log in again. If the SCANS link is still missing from the
header, check to make sure that the connection between Fortify Software Security Center and
ScanCentral SAST is set up. (See "Configuring the Connection to Fortify Software Security
Center" on page 59.)
cd <sc_controller_dir>\tomcat\bin
On a Linux system:
cd <sc_controller_dir>/tomcat/bin
2. Type one of the following commands:
On a Windows system:
shutdown.bat
On a Linux system:
./shutdown.sh
Micro Focus or one of its affiliates Fortify ScanCentral SAST (20.2.0) Page 46 of 79
Chapter 3: About Upgrading ScanCentral
SAST Components
ScanCentral SAST-related functionality in Fortify Software Security Center requires an updated
ScanCentral SAST Controller and sensors. If you do not need sensor metrics, you can use sensor
versions earlier than version 16.10. You can use existing ScanCentral SAST clients without
limiting functionality (unless you want to specify that a scan request from a client target a
specific sensor pool). If you need remote translation and scan functionality, use client, sensor,
and Controller 19.1.0 or later version.
Important! You must upgrade the Controller before you upgrade the ScanCentral SAST
sensors and clients, and before you upgrade the Fortify Software Security Center server.
Caution! A version 20.2.0 sensor does not support packages generated by version 20.1.0
clients. If you want to offload translation for scan projects uploaded by CloudScan client
19.2.0, do not upgrade your sensors to ScanCentral SAST version 20.2.0.
Caution! Before you upgrade the Controller, you must first download and configure a Java
Runtime Environment (JRE). For information about supported JRE versions, see the Micro
Focus Fortify Software System Requirements guide. For information about how to
download and configure JRE, see the Oracle documentation for the supported JRE version.
Micro Focus or one of its affiliates Fortify ScanCentral SAST (20.2.0) Page 47 of 79
Installation, Configuration, and Usage Guide
Upgrading ScanCentral SAST Sensors
Note: If you do not allow all jobs to finish before you shut down the Controller,
some jobs fail after the upgrade, and the failure may not be evident for some time.
(See the worker_inactive_delay configuration parameter in the <new_sc_
controller_dir>/tomcat/webapps/scancentral-ctrl/WEB-
INF/classes/config.properties file.)
Micro Focus or one of its affiliates Fortify ScanCentral SAST (20.2.0) Page 48 of 79
Installation, Configuration, and Usage Guide
Upgrading ScanCentral SAST Sensors
4. Install or upgrade Fortify Static Code Analyzer based on the instructions provided in the
Micro Focus Fortify Static Code Analyzer User Guide.
5. Check the <sca_install_dir>\Core\config directory to make sure that the
worker.property file resides there.
6. Add the following property to the worker.properties file:
worker_auth_token=<value_set_in_controller_configuration>
7. Specify either a clear text password, or an encrypted shared secret (password the
Controller uses to communicate with the sensor) as the worker.properties value. For
information about how to generate an encrypted shared secret, see "Encrypting the Shared
Secret on a Sensor" on page 27.
8. Save the worker.properties file.
9. Start the sensors.
See Also
"About Upgrading ScanCentral SAST Components" on page 47
"Enabling and Disabling Auto-Updates of Clients and Sensors" on the next page
"Upgrading the ScanCentral SAST Controller" on page 47
"Creating ScanCentral SAST Clients" on page 36
"Creating ScanCentral SAST Sensors" on page 39
Micro Focus or one of its affiliates Fortify ScanCentral SAST (20.2.0) Page 49 of 79
Installation, Configuration, and Usage Guide
Enabling and Disabling Auto-Updates of Clients and Sensors
Important! ScanCentral SAST clients and sensors check for updates only if you use the -
url, -sscurl, or -ssctoken options. The package command will not start the update
process.
Important! If Fortify Static Code Analyzer and applications are installed in a location that
requires that a user have administrator privileges to modify them (for example, program
files), in order to update the sensor, you must start it with administrator privileges.
Otherwise, the sensor cannot write files to disk. If auto-update is enabled, the update
process on sensors and clients must finish successfully before the sensor can start.
See Also
"About Upgrading ScanCentral SAST Components" on page 47
"Upgrading the ScanCentral SAST Controller" on page 47
Micro Focus or one of its affiliates Fortify ScanCentral SAST (20.2.0) Page 50 of 79
Chapter 4: Submitting Scan Requests
Depending on the language used to develop your source code, you can request a scan that
offloads only the scanning phase of code analysis, or a scan that offloads both project
translation and scanning to your ScanCentral SAST sensors.
You can pass any relevant Fortify Static Code Analyzer scan tuning option (for example, –Xmx to
specify the amount of memory for a scan) on the command line after the –scan keyword. If you
use options such as –build-label, -build-application, or –build-version, make sure
that you escape any quotes around the parameter. For example:
If the submission succeeds, you receive a token ID. The Fortify ScanCentral SAST sensor pulls
the scan request from the Controller, processes it, and publishes the results to the Controller.
For information about the options to use for larger scans, see the Micro Focus or one of its
affiliates Fortify Static Code Analyzer User Guide.
Note: Jobs submitted (and FPRs) can be no larger than 1GB. Before you start large scans,
review "Optimizing Scan Performance" on page 68.
Micro Focus or one of its affiliates Fortify ScanCentral SAST (20.2.0) Page 51 of 79
Installation, Configuration, and Usage Guide
Offloading Both Translation and Scanning
Note: The -bt option is required for all technologies. For projects without a build tool, -bt
is set to none.
In the examples shown in the following table, ScanCentral SAST is integrated with Fortify
Software Security Center, email is configured for ScanCentral SAST, and Fortify Software
Security Center, the Controller, and sensors are up and running.
Objective Command
Micro Focus or one of its affiliates Fortify ScanCentral SAST (20.2.0) Page 52 of 79
Installation, Configuration, and Usage Guide
Translating Python Projects
You can use ScanCentral SAST to work with Python in any of three ways. You can start
ScanCentral SAST in a prepared virtual environment (see "Starting ScanCentral SAST in a
Virtual Environment" below). You can use an existing virtual environment, without activating
that virtual environment (see "Starting ScanCentral SAST in an Unactivated Virtual
Environment" on the next page). In this case, ScanCentral SAST activates the virtual
environment itself. Finally, you can start the job outside of a virtual environment (see "Starting
ScanCentral SAST Outside of a Virtual Environment" on the next page).
Micro Focus or one of its affiliates Fortify ScanCentral SAST (20.2.0) Page 53 of 79
Installation, Configuration, and Usage Guide
Translating Python Projects
Micro Focus or one of its affiliates Fortify ScanCentral SAST (20.2.0) Page 54 of 79
Installation, Configuration, and Usage Guide
Translating Apex Projects
Note: For information on using the -sargs and -targs options, see the "Arguments
Command" section in "Submitting Scan Requests" on page 51.
Note: For information on using the -sargs and -targs options, see the "Arguments
Command" section in "Submitting Scan Requests" on page 51.
Micro Focus or one of its affiliates Fortify ScanCentral SAST (20.2.0) Page 55 of 79
Installation, Configuration, and Usage Guide
Using the PackageScanner Tool
Option Description
Micro Focus or one of its affiliates Fortify ScanCentral SAST (20.2.0) Page 56 of 79
Installation, Configuration, and Usage Guide
Retrieving Scan Results from the Controller
Option Description
You can also view scan request status from the Fortify Software Security Center user interface.
For instructions, see the Micro Focus Fortify Software Security Center User Guide.
Micro Focus or one of its affiliates Fortify ScanCentral SAST (20.2.0) Page 57 of 79
Installation, Configuration, and Usage Guide
Viewing Client and Sensor Logs
Micro Focus or one of its affiliates Fortify ScanCentral SAST (20.2.0) Page 58 of 79
Chapter 5: Working with ScanCentral SAST
from Fortify Software Security Center
While you can deploy the Controller in standalone mode, communication with Fortify Software
Security Center provides additional benefits. If Fortify Software Security Center is integrated
with ScanCentral SAST, then the Fortify Software Security Center Scans view includes the
ScanCentral SAST pages, which are described in the following table.
Scan Requests View and export ScanCentral SAST scan request details
Cancel prepared scan requests
Sensor Pools Create and manage groups of sensors to which you can target
scan requests.
For detailed information, see the Micro Focus Fortify Software Security Center User Guide.
See Also
"Configuring the Connection to Fortify Software Security Center" below
Micro Focus or one of its affiliates Fortify ScanCentral SAST (20.2.0) Page 59 of 79
Installation, Configuration, and Usage Guide
Submitting Scan Requests and Uploading Results to Fortify Software Security Center
7. Click SAVE.
8. Restart the Fortify Software Security Center server.
Important! You must use the same or a later version of ScanCentral SAST as the
Fortify Static Code Analyzer version installed on your clients.
See Also
"Working with ScanCentral SAST from Fortify Software Security Center" on the previous page
"Starting the ScanCentral SAST Components" on page 45
Note: The Fortify Software Security Center user account must have permission to upload
scan results for the application version, and must have access to the application version on
Fortify Software Security Center. A user who submits a ScanCentral SAST job for upload to
a Fortify Software Security Center application version must use a token that was obtained
Micro Focus or one of its affiliates Fortify ScanCentral SAST (20.2.0) Page 60 of 79
Installation, Configuration, and Usage Guide
Submitting Scan Requests and Uploading Results to Fortify Software Security Center
using an account that has permission to upload scan results. If a Fortify Software Security
Center user is assigned to a target application version with a view-only role, and that user
requests a token and uses it to submit the job, the upload fails.
Sample Output
ID Name Version
3 Logistics 2.5
2 Logistics 1.3
8 RWI 2.0
5 RWI 1.0
3. To submit your job and upload your scan results to a Fortify Software Security
Center application version, run one of the following commands:
Typically, the steps above are combined into a scripted flow from a build server.
Micro Focus or one of its affiliates Fortify ScanCentral SAST (20.2.0) Page 61 of 79
Appendix A: Configuring Sensor Auto-
Start
The following procedures are designed to provide general guidance to enable sensor auto-start
and may not be appropriate in all environments. Fortify strongly recommends that you review
the instructions with your system administrator and make any changes required for your
environment.
This section contains the following topics:
Enabling Sensor Auto-Start on Windows as a Service 62
Enabling ScanCentral Sensor Auto-Start on Windows as a Scheduled Task 63
Enabling ScanCentral Sensor Auto-Start on a Linux System 66
Micro Focus or one of its affiliates Fortify ScanCentral SAST (20.2.0) Page 62 of 79
Installation, Configuration, and Usage Guide
Enabling ScanCentral Sensor Auto-Start on Windows as a Scheduled Task
Troubleshooting
Review the following logs to troubleshoot issues encountered during the configuration of sensor
auto-start as a Windows service:
l Main ScanCentral SAST sensor log:
On Windows
C:\Windows\System32\config\systemprofile\AppData\Local\Fortify\
scanCentral\scancentral.log
On Linux
.fortify/scancentral/log/scancentral.log
l Sensor temporary folders that contain MBS files, Fortify Static Code Analyzer log files, and
generated FPR files: c:\ScanCentralWorkdir\<job_token>
l
Sensor stdOut and stdErr logs: c:\ScanCentralWorkdir\workerout.log and
c:\ScanCentralWorkdir\workererr.log
Note: Before you start a sensor, check to make sure that the log files are not open in an
application. Open log files prevent procrun from writing to the file.
l
Commons-daemon log: c:\ScanCentralWorkdir\<year_month_day>.log
Micro Focus or one of its affiliates Fortify ScanCentral SAST (20.2.0) Page 63 of 79
Installation, Configuration, and Usage Guide
Enabling ScanCentral Sensor Auto-Start on Windows as a Scheduled Task
Micro Focus or one of its affiliates Fortify ScanCentral SAST (20.2.0) Page 64 of 79
Installation, Configuration, and Usage Guide
Enabling ScanCentral Sensor Auto-Start on Windows as a Scheduled Task
7. Check to make sure that the At startup trigger is enabled, and then click OK.
8. Select the Settings tab.
Micro Focus or one of its affiliates Fortify ScanCentral SAST (20.2.0) Page 65 of 79
Installation, Configuration, and Usage Guide
Enabling ScanCentral Sensor Auto-Start on a Linux System
9. Make sure the Stop the task if it runs longer than check box is cleared, and then click OK.
10. Click Save.
11. Restart the machine.
The script output in the taskout.txt file indicates whether the sensor started successfully.
You can also start and stop the scheduled task manually from the Task Scheduler interface
when logged into the machine.
Defaults !requiretty
Micro Focus or one of its affiliates Fortify ScanCentral SAST (20.2.0) Page 66 of 79
Installation, Configuration, and Usage Guide
Enabling ScanCentral Sensor Auto-Start on a Linux System
vi /etc/rc.d/rc.local
4. Check the setup:
a. Reboot and log in to the machine as “root.”
b. To verify the processes under root, type:
ps -x | grep java
c. Verify that the output shows that the sensor is not started under root.
d. To verify the processes under the user, type:
tail -f/opt/<sca_install_dir>/bin/workerout.txt
Example: tail -f/Fortify/Fortify_SCA_and_Apps_
<version>/bin/workerout.txt
Micro Focus or one of its affiliates Fortify ScanCentral SAST (20.2.0) Page 67 of 79
Appendix B: Optimizing Scan Performance
If you plan to regularly scan large applications, Fortify recommends that you run a manual test
scan on hardware that is equivalent to the hardware on which your sensor is installed.
To optimize your scan:
1. To set the Fortify Static Code Analyzer scan parameters for optimal performance, adjust
the memory settings to align with your hardware.
For information about how to tune Fortify Static Code Analyzer, see the Micro Focus or one
of its affiliates Fortify Static Code Analyzer User Guide.
2. Run the scan.
3. Note the size of the resulting FPR file and scan log. To ensure that the ScanCentral
Controller and Fortify Software Security Center can accept FPR or log files larger than 1 GB,
increase the following file size threshold:
l
Navigate to the <scancentral_install_dir>\tomcat\webapps\scancentral-
ctrl directory on Windows (<scancentral_install_
dir>/tomcat/webapps/scancentral-ctrl on Linux) , open the
config.properties file, and then set the Controller threshold as follows:
max_upload_size=<max_fpr_or_logfile_size_in_MB>
Micro Focus or one of its affiliates Fortify ScanCentral SAST (20.2.0) Page 68 of 79
Appendix C: Fortify ScanCentral SAST
Command Options
This appendix provides information about the command-line options that you can use with
Fortify ScanCentral SAST.
Global Options
This section provides information about the command-line options that you can use with Fortify
ScanCentral SAST.
-h <command> Get help for the selected command. To see all command help,
type
or
-h all.
--help <command>
-ssctoken <token> Specify the Fortify Software Security Center cloud authorization
token.
-sscurl <url> Specify the Fortify Software Security Center server URL.
Status Command
Use the status command to check the status of the Controller or a job.
Option Description
Micro Focus or one of its affiliates Fortify ScanCentral SAST (20.2.0) Page 69 of 79
Installation, Configuration, and Usage Guide
Start Command
Start Command
Use the start command to start a remote scan.
Option Description
-bc, --build-command For use with Maven, Gradle and MSBuild. Specifies custom
<commands> build parameters for preparing and building a project. For
example, to invoke a Gradle build before packaging:
-Prelease=true clean customTask build
If you use the -bc option, and the build fails, ScanCentral
stops working on the build.
-bf, --build-file <file> Specifies the build file, unless it has a default name such
as build.gradle or pom.xml. You cannot use this
option with the -scan option.
-block Waits for the job to complete, and then downloads the
result.
-bt, --build-tool <name> Specifies the build tool name used for the project. You
cannot use this option with the -scan option.
Micro Focus or one of its affiliates Fortify ScanCentral SAST (20.2.0) Page 70 of 79
Installation, Configuration, and Usage Guide
Start Command
Option Description
-email <address> Specifies the email address for job status notifications.
-f, --output-file <file> Specifies the name for the local FPR file output.
-filter <file> Specifies the filter file to use during a scan (repeatable).
-log, --log-file <file> Specifies the name for the local log file output.
-o, --overwrite Overwrites the existing FPR or log with new data.
-pool, --submit-to-pool <uuid> Specifies the sensor pool to which to submit the job.
-projroot, --project-root <dir> Specifies the project directory for the mobile build session
export.
-q, --quiet Prevents the printing of stdout from the build execution.
-rules <file/dir> Specifies custom rules file or directory to use during the
Micro Focus or one of its affiliates Fortify ScanCentral SAST (20.2.0) Page 71 of 79
Installation, Configuration, and Usage Guide
Start Command
Option Description
scan (repeatable).
-scan Sets the point beyond which all arguments are for
sourceanalyzer. You cannot use this option with the
--build-tool or --package option.
-sp, --save-package <file> Specifies the package file to save after uploading. The file
extension must be *.zip.
-t, --include-test Includes test source set (Gradle) or test scope (Maven) to
scan (for Java projects only).
-upload, --upload-to-ssc Uploads the FPR to Fortify Software Security Center upon
completion.
-uptoken, --ssc-upload-token Specifies the Fortify Software Security Center file upload
<token> token.
-yv, --python-version <version> Specifies the Python version to automatically find the
installed Python. Allowed values: 2 or 3. This flag is
Micro Focus or one of its affiliates Fortify ScanCentral SAST (20.2.0) Page 72 of 79
Installation, Configuration, and Usage Guide
Retrieve Command
Option Description
Retrieve Command
Use the retrieve command to download the result of a remote scan job.
Option Description
-f, --output-file <file> Specify the file name for local FPR output.
-log, --log-file <file> Specify the file name for local log output.
Cancel Command
Use the cancel command to cancel a remote scan job.
Option Description
Worker Command
Use the worker command to start or test a sensor.
Option Description
Micro Focus or one of its affiliates Fortify ScanCentral SAST (20.2.0) Page 73 of 79
Installation, Configuration, and Usage Guide
Package Command
Package Command
Use the package command to create a zip package of the specified project.
Option Description
-bf, --build-file <file> Specify the build file if you are not using a
default name such as build.gradle or
pom.xml. You cannot use this option with the
-scan option.
-bt, --build-tool <name> Specify the build tool name used for the
project. You cannot use this option with the -
scan option.
-o, --output <file> Specify the output file name. The file
extension must be *.zip.
Micro Focus or one of its affiliates Fortify ScanCentral SAST (20.2.0) Page 74 of 79
Installation, Configuration, and Usage Guide
Package Command
Option Description
Micro Focus or one of its affiliates Fortify ScanCentral SAST (20.2.0) Page 75 of 79
Installation, Configuration, and Usage Guide
Arguments Command
Arguments Command
Use the arguments command to generate a settings file for additional Fortify Static Code
Analyzer command-line options.
Option Description
-p, --project-dir <directory> Specify the project directory in which to create the
Fortify Static Code Analyzer translation and scan
additional arguments file.
Important! The -targs and -sargs options take a single string argument. To specify
multiple translation or scan arguments, use multiple -targs and (or) -sargs options. If the
translation or scan option has a path parameter that includes a space, enclose the path in
single quotes.
Micro Focus or one of its affiliates Fortify ScanCentral SAST (20.2.0) Page 76 of 79
Installation, Configuration, and Usage Guide
Packagescanner Command
{
"translationArgs": [
"-Xmx4G",
"-cp",
"myProject Dir/path to/lib/*.jar",
"-exclude",
"myProject Dir/path to/src/*.jar"
],
"scanArgs": [
"-Xms256M",
"-analyzers",
"controlflow,dataflow"
]
Packagescanner Command
Use the help command (-h or --help) to get the information listed in the following table.
Option Description
-b, --build-id <id> Specifies the build ID. Fortify Static Code Analyzer uses
the build ID to track which files are compiled and
combined as part of a build, and later, to scan those
files.
Micro Focus or one of its affiliates Fortify ScanCentral SAST (20.2.0) Page 77 of 79
Installation, Configuration, and Usage Guide
Progress Command
Option Description
Progress Command
Use the progress command to get the progress of a Fortify Static Code Analyzer scan.
Important! If your projects are based on Java 11, and you want to use the progress
command to check the progress of your scans, some minor sensor configuration is required.
For instructions, see "Configuring Sensors to Use the Progress Command when Starting on
Java" on page 41.
Micro Focus or one of its affiliates Fortify ScanCentral SAST (20.2.0) Page 78 of 79
Send Documentation Feedback
If you have comments about this document, you can contact the documentation team by email.
Note: If you are experiencing a technical issue with our product, do not email the documentation
team. Instead, contact Micro Focus Fortify Customer Support at
https://www.microfocus.com/support so they can assist you.
If an email client is configured on this computer, click the link above to contact the documentation
team and an email window opens with the following information in the subject line:
Feedback on Installation, Configuration, and Usage Guide (Fortify ScanCentral SAST 20.2.0)
Just add your feedback to the email and click send.
If no email client is available, copy the information above to a new message in a web mail client, and
send your feedback to FortifyDocTeam@microfocus.com.
We appreciate your feedback!
Micro Focus or one of its affiliates Fortify ScanCentral SAST (20.2.0) Page 79 of 79