I am posting this question in order to gain understanding of how the Static Assembler utility picks candidate rules for generating the java classes. We heavily rely on this feature to complete Static Code Scanning using Fortify for every single app in our enterprise before each release and we often come across different set of security vulnerability arising from OOTB code even when we are on the same PegaRULES version. When we run Static Assembler on an Application, we have seen some rules but not ALL from Pega OOTB rulesets being included in the PRGenJava folder. When 2 different applications are used for generating PRGenJava, different combinations of OOTB rules are included in the generated PRGenJava even if both of the apps are built on the same PegaRULES app and leveraging similar OOTB features. What is the internal logic for the assembler to pick the OOTB rules ?