Hi all,
I’ve been silent for the past several meetings because I don’t have much to add to the discussion. Furthermore, I believe Fortify does not really collect a lot of metrics. I just checked, and here is the list of what we collect:
- The time of the build, in milliseconds (int)
- The number of source files scanned (int)
- Total number of lines of code scanned (int)
- Lines of code scanned not including comments (int)
- Classpath provided for Java code (string)
- Libdirs provided for .NET code (string)
- Set of all source files scanned, including the following metrics per file:
  - Size (string)
  - Timestamp (string)
  - Total number of lines of code (int)
  - Lines of code scanned not including comments (int)
  - Type, e.g. java/python/etc (string)
  - Encoding, e.g. windows-1252 (string)
- The time taken to run the scan in seconds (int)
- Engine version (string)
- System properties (string)
- Command line (string)
- List of errors generated (string)
- Machine hostname (string)
- Machine username (string)
- Machine platform (string)
- List of inactive results and filters used during the scan
- List of licensed, unlicensed, and expired rulepacks used during the scan
Not even sure whether all of the above qualifies as metrics, but here it is.
Thanks!
k