You can run the test configuration from the command line (e.g., as part of the automated CI process) or directly from within the IDE where the Parasoft tool is installed.
See Integration with Your Build Tool for command line execution.Refer Refer to the following documentation for details on running within the IDE:
Executing the test configuration on your complete project using the default settings may take a significant amount of time. One of the purposes of this step is to determine a baseline so that you can make decisions on how to balance resources to meet your compliance policy. You may determine that splitting checkers across several test configurations tuned for different milestones or development phases will be necessary.
By default, test configurations limit the code analysis results to 1000 violations per checker. If a rule is violating more than 1000 times, it means one of three things:
Refer to the DTP documentation for details on how to change this setting.
Reducing False Positives
Locally executing the test configuration on a representative sample of your code will help you determine the appropriate contexts for minimizing false positives. View the results after the initial execution and update the configuration based on the following factors:
- Parameterization: Many checkers can be parameterized and may need to be tuned to your codebase. You should disable these checkers if they do not provide value based on your project. See Updating Your Configuration for additional information.
- Age and criticality: Many projects include older code that should not be touched because knowledge about the code is no longer available or because it is extremely sensitive. Proper controls should be put in place to suppress violations related to this kind of code. Do not run SAST on any cod that you either have no intention of fixing or where your policy prevents fixing without specific circumstances. See Updating Your Configuration for additional information.
Parasoft DTP has a powerful AI component that your team can train to surface the most important results, while avoiding issues you’re likely to suppress. If you have already been using a Parasoft code analysis tool, then you can train the AI based on your history. If you are new to the Parasoft security solution, then you can manually train the AI to select some violations for you to process.
An AI is only as good as your ability to teach it, so take care to be thoughtful and accurate when classifying violations. Refer to the DTP documentation for details.
There are several ways to view code analysis results. By default, Parasoft tools output results to the <TOOL_INSTALL>/reports directory, but you can customize the directory, as well as format (HTML, PDF, XML) when you deploy your tool. You can open the report or load the results into the desktop instances of your Parasoft tools.