Hi all, I’ve been silent for the past several meetings because I don’t have much to add to the discussion. Furthermore, I believe Fortify does not really collect a lot of metrics. I just checked, and here is the list of what we collect: The time of the build, in milliseconds (int) The number of source files scanned (int) Total number of lines of code scanned (int) Lines of code scanned not including comments (int) Classpath provided for java code (string) Libdirs provided for .Net code (string) Set of all source files scanned, including the following metrics per file: Size (string) Timestamp (string) Total number of lines of code (int) Lines of code scanned not including comments (int) Type, e.g. java/python/etc (string) Encoding, e.g. windows-1252 (string) The time taken to run the scan in seconds (int) Engine version (string) System properties (string) Command line (string) List of errors generated (string) Machine hostname (string) Machine username (string) Machine platform (string) List of inactive results and filters used during the scan List of licensed, unlicensed, and expired rulepacks used during the scan Not even sure whether all of the above qualifies as metrics, but here it is. Thanks! k