Managing third-party Java and .NET exclusions
By default, third-party Java and .NET code is not scanned during IRX file generation. You can manage the third-party code that is excluded by following the instructions in this topic.
About this task
When you generate an IRX file for your code, third-party code is excluded so that your assessment does not include information and findings about code that you are not interested in analyzing. To modify what is excluded, follow the steps in this topic.
Procedure
- Locate the config directory of the extracted SAClientUtil_<version>_<os>.zip file (where <version> is the current version of the Command Line Utility).
- In this directory, locate the dot_net.exclusions (.NET) or java.exclusions (Java) file.
Note: Other .exclusions files in this directory are experimental and modifying them will not affect third-party exclusions.
- Open the file in a text editor, where you will see that it is XML in this format:
  <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
  <Exclusions>
    <packages>
      <package name="package_name"/>
    </packages>
    ...
  </Exclusions>
- Edit the file to add packages to exclude.
  Note:
  - Package names that are specified will match all packages with the same prefix (they will be treated as though they are followed by a wildcard). For example, if you add <package name="com.mycompany.common"/> as an exclusion, <package name="com.mycompany.common.action1"/> and <package name="com.mycompany.common.action2"/> will be excluded.
  - Only entries that are added to the <packages> container affect third-party exclusions. Adding classes and methods will not affect exclusions.
- Save the file and then generate an IRX file for your source code.
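An added example (not part of the product or its documentation): a Python check that reads an exclusions file in the format shown above and lists packages you expect to be scanned that an exclusion prefix would drop from the IRX file. It assumes the wildcard behaves as a plain string-prefix match; the sample XML, the package names and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the format shown above (not a shipped exclusions file).
SAMPLE_EXCLUSIONS = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Exclusions>
  <packages>
    <package name="org.apache"/>
    <package name="com.mycompany.common"/>
  </packages>
  <!-- Misplaced on purpose: outside <packages>, so it is not an exclusion. -->
  <package name="com.mycompany.web"/>
</Exclusions>
"""

# Constructed list of first-party packages that must appear in the scan.
MUST_SCAN = [
    "com.mycompany.common.action1",
    "com.mycompany.commonauth",   # shares the string prefix, different package
    "com.mycompany.web",
]


def load_prefixes(xml_text):
    """Return package names listed inside the <packages> container only."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    return [p.get("name") for p in root.findall("./packages/package") if p.get("name")]


def audit(prefixes, must_scan):
    """Map each must-scan package to the exclusion prefixes that would drop it."""
    hidden = {}
    for pkg in must_scan:
        # Assumption: trailing-wildcard semantics, i.e. a plain string-prefix match.
        hits = [p for p in prefixes if pkg.startswith(p)]
        if hits:
            hidden[pkg] = hits
    return hidden


if __name__ == "__main__":
    for pkg, hits in audit(load_prefixes(SAMPLE_EXCLUSIONS), MUST_SCAN).items():
        print(f"{pkg} is excluded by: {', '.join(hits)}")
```

To check a real file, pass the contents of the edited java.exclusions or dot_net.exclusions to load_prefixes and replace MUST_SCAN with your own package list before generating the IRX file.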
What to do next
- Keep a backup of modified exclusion files. In particular, remember that if you upgrade to a new version of the Static Analyzer Command Line Utility, you will be downloading versions of the exclusion files without your updates. When updating the Static Analyzer Command Line Utility, keep a copy of your modified exclusion files and then copy them over to the new Static Analyzer Command Line Utility.
- Keep modifications in a single block of XML entries so that you can easily copy and paste them if you need to.