Managing third-party Java and .NET exclusions

By default, third-party Java and .NET code is not scanned during IRX file generation. You can manage the third-party code that is excluded by following the instructions in this topic.

About this task

When you generate an IRX file for your code, third-party code is excluded so that your assessment does not include information and findings about code that you are not interested in analyzing. To modify what is excluded, follow the steps in this topic. If, instead, you want to include third-party code when scanning, see these topics:


  1. Locate the config directory of the extracted SAClientUtil_<version>_<os>.zip file (where <version> is the current version of the Command Line Utility).
  2. In this directory, locate the dot_net.exclusions (.NET) or java.exclusions (Java) file.
    Note: Other .exclusions files in this directory are experimental and modifying them will not affect third-party exclusions.
  3. Open the file in a text editor, where you will see that it is XML in this format:
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
        <package name="package_name"/>
  4. Edit the file to add packages to exclude.
    • Package names that are specified will match all packages with the same prefix (they will be treated as though they are followed by a wildcard). For example, if you add <package name="com.mycompany.common"/> as an exclusion, <package name="com.mycompany.common.action1"/> and <package name="com.mycompany.common.action2"/> will be excluded.
    • Only entries that are added to the <packages> container affect third-party exclusions. Adding classes and methods will not affect exclusions.
  5. Save the file and then generate an IRX file for your source code.

What to do next

If you modify exclusion files, you should follow these best practices:
  • Keep a back-up of modified exclusion files. In particular, remember that, if you upgrade to a new version of the Static Analyzer Command Line Utility, you will be downloading versions of the exclusion files without your updates. When updating the Command Line Utility, keep a copy of your modified exclusion files and then copy them over to the new Command Line Utility.
  • Keep modifications in a single block of XML entries so that you can easily copy and paste them if you need to.