community.microfocus.com · Preface iii Preface Contacting HP Fortify Support If you have questions...
Transcript of community.microfocus.com · Preface iii Preface Contacting HP Fortify Support If you have questions...
HP Fortify Static Code AnalyzerSoftware Version 4.30
User Guide
DocumentReleaseDate:April2015
SoftwareReleaseDate:April2015
Legal Notices
Warranty
TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatementsaccompanyingsuchproductsandservices.Nothinghereinshouldbeconstruedasconstitutinganadditionalwarranty.HPshallnotbeliablefortechnicaloreditorialerrorsoromissionscontainedherein.
Theinformationcontainedhereinissubjecttochangewithoutnotice.
Restricted Rights Legend
Confidentialcomputersoftware.ValidlicensefromHPrequiredforpossession,useorcopying.ConsistentwithFAR12.211and12.212,CommercialComputerSoftware,ComputerSoftwareDocumentation,andTechnicalDataforCommercialItemsarelicensedtotheU.S.Governmentundervendor'sstandardcommerciallicense.
Copyright Notice
©Copyright2003‐2015Hewlett‐PackardDevelopmentCompany,L.P.
DocumentationUpdates
Thetitlepageofthisdocumentcontainsthefollowingidentifyinginformation:
• SoftwareVersionnumber
• DocumentReleaseDate,whichchangeseachtimethedocumentisupdated
• SoftwareReleaseDate,whichindicatesthereleasedateofthisversionofthesoftware
Tocheckforrecentupdatesortoverifythatyouareusingthemostrecenteditionofadocument,goto:
https://protect724.hp.com
You will also receive updated or new editions if you subscribe to the appropriate product support service. Contact your HP sales representative for details.
PartNumber:1‐16b3‐2015‐04‐430‐02
Preface iii
Preface
Contacting HP Fortify SupportIfyouhavequestionsorcommentsaboutusingthisproduct,contactHPFortifyTechnicalSupportusingoneofthefollowingoptions.
ToManageYourSupportCases,AcquireLicenses,andManageYourAccount
https://support.fortify.com
ToEmailSupport
ToCallSupport
650.735.2215
For More InformationFormoreinformationonHPEnterpriseSecuritySoftwareproducts:http://www.hpenterprisesecurity.com
About the HP Fortify Software Security Center Documentation SetTheHPFortifySoftwareSecurityCenterdocumentationsetcontainsinstallation,user,anddeploymentguidesforallHPFortifySoftwareSecurityCenterproductsandcomponents.Inaddition,youwillfindtechnicalnotesandreleasenotesthatdescribenewfeatures,knownissues,andlast‐minuteupdates.YoucanaccessthelatestversionsofthesedocumentsfromtheHPESPusercommunityProtect724website(https://protect724.hp.com/welcome).Youwillneedtoregisterforanaccount.
Change Log iv
Change LogThefollowingtabletrackschangesmadetothisguide.
Software Release‐version Date Change
4.30‐01 3/12/2014 Updated:AppendixI:ConfigurationProperties
Updated:Pythoninformation
Update:Translating.NETchapterwithsupportforVisualStudio2014
Updated:iOSscanninginformationinTranslatingCodeforMobilePlatformschapter
Added:SectiononJavaBytecodeintheTranslatingJavachapter
4.21‐02 10/8/2014 Removed:BuildMonitor(deprecated)
4.21‐01 11/20/2014 Added:TranslatingRubychapter
Updated:TranslatingABAP
4.10‐01 3/22/2014 Updated:iOSsection
Contents v
Contents
Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .iii
ContactingHPFortifySupport.........................................................................iii
ForMoreInformation .................................................................................iii
AbouttheHPFortifySoftwareSecurityCenterDocumentationSet....................................................................................iii
Change Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .iv
Chapter 1: Introduction............................................................................. 10
AbouttheIntendedAudience ......................................................................... 10
AbouttheHPFortifySoftwareSecurityCenterComponents ........................................... 10
RelatedDocuments ................................................................................... 11
Chapter 2: HPFortifyStaticCodeAnalyzer .......................................................... 12
AboutHPFortifyStaticCodeAnalyzer ................................................................ 12
AboutParallelAnalysis ........................................................................... 12AboutAnalyzers.................................................................................. 12AbouttheAnalysisProcess....................................................................... 13AboutAnalysisCommands ....................................................................... 14AboutMemoryConsiderations ................................................................... 14AbouttheTranslationPhase...................................................................... 14AbouttheAnalysisPhase ......................................................................... 15AboutVerificationoftheTranslationandAnalysisPhase.......................................... 15AbouttheHPFortifyScanWizard ................................................................ 16AboutHPFortifyCloudScan...................................................................... 16
Chapter 3: TranslatingJavaCode .................................................................... 17
AboutJavaCommandLineSyntax..................................................................... 17
AboutJavaCommandLineExamples.................................................................. 17
IntegratingwithAntusingtheHPFortifyAntCompilerAdapter ....................................... 18
HandlingResolutionWarnings........................................................................ 18
JavaWarnings.................................................................................... 19
UsingFindBugs....................................................................................... 19
TranslatingJ2EEApplications ........................................................................ 20
PrerequisiteforTranslatingCodeUsingLegacyVersionsoftheJ2EESDK ......................... 20TranslatingtheJavaFiles ......................................................................... 20TranslatingJSPProjects,ConfigurationFiles,andDeploymentDescriptors........................ 20TranslatingJavaByteCode........................................................................ 21J2EEWarnings................................................................................... 21
Chapter 4: Translating.NETSourceCode............................................................ 22
AbouttheVisualStudioCommandPrompt ............................................................ 22
AboutVisualStudio.NET............................................................................. 22
Contents vi
TranslatingSimple.NETApplications ................................................................. 23
TranslatingASP.NET1.1(VisualStudioVersion2003)Projects........................................ 24
HandlingResolutionWarnings........................................................................ 25
About.NETWarnings ............................................................................ 25AboutASP.NETWarnings ........................................................................ 25
Chapter 5: TranslatingC/C++Code .................................................................. 26
AboutCandC++CommandLineSyntax............................................................... 26
CandC++CommandLineExamples.............................................................. 26
AboutIntegratingwithMake ......................................................................... 26
UsingtheHPFortifyTouchlessBuildAdapter ..................................................... 26ModifyingaMakefiletoInvokeSCA............................................................... 27
AboutCommandLineBuildsinVisualStudio.NET.................................................... 27
AboutCommandLineBuildsinVisualStudio6.0 ...................................................... 27
ScanningPre‐processedC/C++Code .................................................................. 27
Chapter 6: TranslatingABAP/4...................................................................... 28
AboutTranslatingABAP/4Code ...................................................................... 28
AboutScanningABAPCode ........................................................................... 28
AboutINCLUDEProcessing....................................................................... 28
OverviewoftheProcess.............................................................................. 28
AbouttheTransportRequest......................................................................... 29
AddFortifySCAtoYourFavoritesList(Optional) ..................................................... 29
RunningtheHPFortifyABAPExtractor ............................................................... 31
Chapter 7: TranslatingRubyCode ................................................................... 33
AboutRubyCommandLineSyntax.................................................................... 33
AddingLibraries ................................................................................. 33AddingMultipleLibraryPaths ................................................................... 33AddingGemPaths ................................................................................ 33
Chapter 8: TranslatingFlex.......................................................................... 35
AbouttheCommand‐LineOptions.................................................................... 35
AboutActionScriptCommandLineSyntax ............................................................ 35
ActionScriptCommandLineExamples ................................................................ 36
AboutHandlingResolutionWarnings ................................................................. 36
AboutActionScriptWarnings ..................................................................... 36
Chapter 9: TranslatingCodeforMobilePlatforms ................................................... 37
AboutTranslatingObjective‐CCode................................................................... 37
Prerequisites..................................................................................... 37AboutObjective‐CCommandLineSyntax......................................................... 37Objective‐CCommandLineExample.............................................................. 37
Contents vii
XcodeCompilerErrors........................................................................... 37
AboutTranslatingGoogleAndroidCode .............................................................. 38
MigrationIssues ................................................................................. 38
Chapter 10: TranslatingOtherLanguages............................................................ 39
AboutCommandLineSyntaxforOtherLanguages .................................................... 39
ConfigurationConsiderations ......................................................................... 40
ConfiguringPython............................................................................... 40ConfiguringColdFusion .......................................................................... 40ConfiguringtheSQLExtension.................................................................... 41ConfiguringASP/VBScriptVirtualRoots.......................................................... 41OtherLanguageCommandLineExamples ........................................................ 42TranslatingPL/SQLExample..................................................................... 42TranslatingT‐SQLExample....................................................................... 42TranslatingPHPExample......................................................................... 43TranslatingClassicASPwrittenwithVBScriptExample........................................... 43TranslatingJavaScriptExample................................................................... 43TranslatingVBScriptFileExample ............................................................... 43
TranslatingCOBOLCode.............................................................................. 43
SupportedTechnologies .......................................................................... 43PreparingCOBOLSourceFilesforTranslation.................................................... 43AboutCOBOLCommandLineSyntax ............................................................. 44AboutAuditingCOBOLScans..................................................................... 44
Chapter 11: TroubleshootingandSupport........................................................... 45
UsingtheLogFiletoDebugProblems ................................................................. 45
AbouttheTranslationFailedMessage................................................................. 45
AboutJSPTranslationProblems...................................................................... 45
AboutASPXTranslationProblems.................................................................... 46
AboutC/C++PrecompiledHeaderFiles ............................................................... 46
AboutReportingBugsandRequestingEnhancements ................................................. 46
Appendix A: Command Line Interface. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
OutputOptions................................................................................... 48AnalysisOptions ................................................................................. 49PythonOption.................................................................................... 50ColdFusionOptions .............................................................................. 50Java/J2EEOptions................................................................................ 51.NETOptions ..................................................................................... 51BuildIntegrationOptions......................................................................... 52Directives ........................................................................................ 52RuntimeOptions................................................................................. 53OtherOptions .................................................................................... 54
SpecifyingFiles ....................................................................................... 54
Contents viii
Appendix B: Parallel Analysis Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
AboutParallelAnalysisMode ......................................................................... 55
HardwareRequirements ............................................................................. 55
ConfiguringParallelAnalysisMode................................................................... 55
RunninginParallelAnalysisMode.................................................................... 56
Appendix C: Using the sourceanalyzer Ant Task . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
AboutthesourceanalyzerAntTask................................................................... 57
UsingtheAntSourceanalyzerTask ................................................................... 57
Antproperties........................................................................................ 58
SourceanalyzerTaskOptions......................................................................... 59
Appendix D: Advanced Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
AboutFilterFiles ..................................................................................... 63
FilterFileCreationExample...................................................................... 63UsingPropertiestoControlRuntimeOptions..................................................... 65SpecifyingtheOrderofProperties ................................................................ 65
Appendix E: MSBuild Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
AboutMSBuildIntegration ........................................................................... 72
Installation ........................................................................................... 72
SettingWindowsEnvironmentVariablesforTouchlessIntegrationofSCA............................. 72
AddingCustomTaskstoyourMSBuildProject........................................................ 73
AddingCustomTaskstoYourProject ................................................................. 74
AddingFortify.TranslateTask..................................................................... 74AddingFortify.ScanTask.......................................................................... 75AddingFortify.CleanTask......................................................................... 75AddingFortify.SSCTask........................................................................... 75AddingFortify.CloudScanTask .................................................................... 76
Appendix F: Maven Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
AbouttheMavenPlugin .............................................................................. 77
InstallingtheMavenPlugin ........................................................................... 77
UpdatingtheMavenPlugin........................................................................... 78
EditingthePluginSourceFiles.................................................................... 78TestingthePlugin ................................................................................ 79
UsingtheMavenPlugin ............................................................................... 79
ExcludingFilesfromtheScan ......................................................................... 80
UninstallingtheMavenPlugin........................................................................ 81
AdditionalDocumentation............................................................................ 81
Appendix G: Sample Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Contents ix
AbouttheSampleFiles ............................................................................... 82
BasicSamples .................................................................................... 82AdvancedSamples ............................................................................... 83
Appendix H: Issue Tuning. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
AboutIssueTuning ................................................................................... 85
AboutWrapperDetection........................................................................ 85
AboutInterproceduralConstantPropagation ......................................................... 86
AboutSelectiveMapOperationTracking.......................................................... 87
Appendix I: Configuration Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
fortify.properties ..................................................................................... 88
fortify‐sca.properties ................................................................................. 93
Chapter 1: Introduction 10
Chapter 1: IntroductionThisdocumentprovidesinstructionsforusingHPFortifyStaticCodeAnalyzer.
About the Intended AudienceThisguideisintendedforpeopleresponsibleforsecurityauditsandsecurecoding.HPFortifyStaticCodeAnalyzerprovidesasuiteofanalyzersandapplicationcomponents.Thisguideprovidesinstructionsonscanningcodeonmostofthemajorprogrammingplatforms.
About the HP Fortify Software Security Center ComponentsHPFortifyStaticCodeAnalyzeriscomponentofanHPFortifySoftwareSecurityCenterinstallation.Theinstallationconsistsofoneormoreofthefollowinganalyzers:
• HPFortifyStaticCodeAnalyzer:Analyzesyourbuildcodeaccordingtoasetofrulesspecificallytailoredtoprovidetheinformationnecessaryforthetypeofanalysisperformed.
• HPFortifyRuntimeApplicationProtection:Monitorsandprotectsdeployedapplicationsfromcommonattacks,unintendeduse,andtargetedhacking.Inaddition,bestsecuritypractices,suchasinputverificationandproperexceptionhandling,canbeconsistentlyappliedtodeployedapplications.
• HPFortifySecurityScope:Identifiesvulnerabilitiesinpre‐deploymentapplicationsduringtheQAphase,preventingexposuretosecurityflawsbeforetheyareexploited.
AnHPFortifySoftwareSecurityCenterinstallationmayalsoincludeoneormoreofthefollowingapplicationtools:
• HPFortifyAuditWorkbench:providesagraphicaluserinterfaceforHPFortifyStaticCodeAnalyzerthathelpsyouorganize,investigate,andprioritizeanalysisresultssothatsecurityflawscanbefixedquickly.
• HPFortifyPluginforEclipse:integrateswiththeEclipsedevelopmentenvironmentandaddstheabilitytoscanandanalyzetheentirecodebaseofaprojectandapplyhundredsofsoftwaresecurityrulesthatidentifythevulnerabilitiesinyourJavacode.TheresultsaredisplayedwithintheIDE,alongwithdescriptionsofeachofthesecurityissuesandsuggestionsfortheirelimination.
• HPFortifyEclipseRemediationPlug‐in:integrateswiththeEclipsedevelopmentenvironment.TheEclipseRemediationPlug‐inisalightweightplug‐inoptionfordeveloperswhoneedremediationfunctionalitybutdonotneedthescanningandauditingcapabilitiesofAuditWorkbenchorthefullEclipsePlugin.
• HPFortifyPackageforMicrosoftVisualStudio:integrateswithVisualStudioPremiumandVisualStudioProfessionaltolocatesecurityvulnerabilitiesinyoursolutionsandpackagesanddisplaysthescanresultsinVisualStudio.Theresultsincludealistofissuesuncovered,descriptionsofthetypeofvulnerabilityeachissuerepresents,andsuggestionsonhowtofixthem.
• HPFortifyRemediationPackageforVisualStudio:integrateswithMicrosoftVisualStudioPremiumandVisualStudioProfessionalintegrateddevelopmentenvironments(IDEs).TheHPFortifyRemediationPackageforVisualStudioisalightweightplug‐inoptionfordeveloperswhoneedremediationfunctionalitybutdonotneedthescanningandauditingcapabilitiesofAuditWorkbenchorthefullVisualStudiopackage.
• HPFortifyExtensionforJDeveloper:integrateswiththeJDeveloperintegrateddevelopmentenvironment(IDE)andaddstheabilitytoscanandanalyzetheentirecodebaseofaprojectandapplyhundredsofsoftwaresecurityrulesthatidentifythevulnerabilitiesinyourcode.
• HPFortifyRemediationPluginforIntelliJ:integrateswiththeIntelliJIntegratedDevelopmentEnvironment(IDE)andaddstheabilitytoscanandanalyzetheentirecodebaseofaprojectandapplyhundredsofsoftwaresecurityrulesthatidentifythevulnerabilitiesinyourcode.
Chapter 1: Introduction 11
Related DocumentsThefollowingdocumentsprovideadditionalinformationaboutHPFortifyStaticCodeAnalyzer:
• HPFortifyStaticCodeAnalyzerPerformanceGuide
TheHPFortifyStaticCodeAnalyzerPerformanceGuideprovidesguidanceonselectingthehardwarerequiredforscanningspecificcodebases,optimizingmemoryusage,andimprovingperformance.
• HPFortifyStaticCodeAnalyzerUserGuide
Thisdocumentprovidesinstructionsonusingtheanalyzerstoidentifyvulnerabilitiesinyourcode.
• HPFortifyStaticCodeAnalyzerUtilitiesUserGuide
Thisdocumentprovidesinformationonthecommand‐linetoolsthatprovideadditionalmanagementandaccesstothefunctionsprovidedbySCA.
• HPFortifyStaticCodeAnalyzerPerformanceGuide
Thisdocumentdescribestheissuesinvolvedwhentryingtoselecthardwaretoscancertaincodebases,providesguidelinesformakingthosedecisionsandofferstipsforoptimizingmemoryusageandperformance.
Chapter 2: HP Fortify Static Code Analyzer 12
Chapter 2: HP Fortify Static Code Analyzer Thischaptercoversthefollowingtopics:
• AboutHPFortifyStaticCodeAnalyzer
• AboutAnalyzers
• AbouttheAnalysisProcess
About HP Fortify Static Code AnalyzerHPFortifyStaticCodeAnalyzer(SCA)isasetofsoftwaresecurityanalyzersthatsearchforviolationsofsecurity‐specificcodingrulesandguidelinesinavarietyoflanguages.TherichdataprovidedbySCAlanguagetechnologyenablestheanalyzerstopinpointandprioritizeviolationssothatfixescanbefastandaccurate.TheanalysisinformationproducedbySCAhelpsyoudelivermoresecuresoftware,aswellasmakingsecuritycodereviewsmoreefficient,consistent,andcomplete.Thisisespeciallyadvantageouswhenlargecodebasesareinvolved.ThemodulararchitectureofSCAallowsyoutoquicklyuploadnewthird‐partyandcustomer‐specificsecurityrules.
Atthehighestlevel,usingSCAinvolves:
1. ChoosingtorunSCAasastand‐aloneprocessorintegratingSCAaspartofthebuildtool
2. Translatingthesourcecodeintoanintermediatetranslatedformat
3. Scanningthetranslatedcodeandproducingsecurityvulnerabilityreports
4. Auditingtheresultsofthescan,eitherbytransferringtheresultingFPRfiletoHPFortifyAuditWorkbenchorHPFortifySoftwareSecurityCenterforanalysis,ordirectlywiththeresultsdisplayedonscreen
Note:ForinformationontransferringresultstoHPFortifyAuditWorkbenchandcreatingcustomer‐specificsecurityrules,seetheHPFortifyAuditWorkbenchUser’sGuide.
About Parallel AnalysisBeginningwithversion4.00,SCAsupportsparallelprocessingforlargeprojects.Ifyourprojectscantakeslongerthananhourortwotocomplete,youcandramaticallydecreasethetimenecessarytocompletethescanbyenablingparallelprocessing.ParallelprocessingallowsyoutotakeadvantageofmultipleCPUsandcoreswithinasinglemachineandautomaticmemorytuning.
Forinformationonenablingparallelanalysisforyourprojects,seeAppendixB:ParallelAnalysisMode.
About AnalyzersSCAcomprisessixdistinctanalyzers:Dataflow,Controlflow,Semantic,Structural,Configuration,andBuffer.Eachanalyzeracceptsadifferenttypeofrulespecificallytailoredtoprovidetheinformationnecessaryforthecorrespondingtypeofanalysisperformed.Rulesaredefinitionsthatidentifyelementsinthesourcecodethatmayresultinsecurityvulnerabilitiesorareotherwiseunsafe.
Rulesareorganizedaccordingtotheanalyzerthatusesthem,resultinginrulesthatarespecifictotheDataflow,Controlflow,Semantic,Structural,andConfigurationanalyzers.Theserulecategoriesarefurtherdividedtoreflectthecategoryoftheissueortypeofinformationrepresentedbytherule.
TheinstallationprocessdownloadsandupdatesthesetofrulesusedbySCAonyoursystem.HPupdatesthespecificrulescontainedwithintheHPFortifySecureCodingRulepacksonaregularbasis.TheCustomerPortaloffersupdatedRulepacks.
Chapter 2: HP Fortify Static Code Analyzer 13
ThefollowingtablelistsanddescribeseachSCAanalyzer.
Table 1: HP Fortify Static Code Analyzer
Analyzer Description
Dataflow TheDataflowAnalyzerdetectspotentialvulnerabilitiesthatinvolvetainteddata(user‐controlledinput)puttopotentiallydangeroususe.TheDataflowAnalyzerusesglobal,inter‐proceduraltaintpropagationanalysistodetecttheflowofdatabetweenasource(siteofuserinput)andasink(dangerousfunctioncalloroperation).Forexample,theDataflowAnalyzerdetectswhetherauser‐controlledinputstringofunboundedlengthisbeingcopiedintoastaticallysizedbuffer,anddetectswhetherausercontrolledstringisbeingusedtoconstructSQLquerytext.
Controlflow TheControlflowAnalyzerdetectspotentiallydangeroussequencesofoperations.Byanalyzingcontrolflowpathsinaprogram,theControlflowAnalyzerdetermineswhetherasetofoperationsareexecutedinacertainorder.Forexample,theControlflowAnalyzerdetectstimeofcheck/timeofuseissuesanduninitializedvariables,andcheckswhetherutilities,suchasXMLreaders,areconfiguredproperlybeforebeingused.
Semantic TheSemanticAnalyzerdetectspotentiallydangeroususesoffunctionsandAPIsattheintra‐procedurallevel.Itsspecializedlogicsearchesforbufferoverflow,formatstring,andexecutionpathissues,butisnotlimitedtothesecategories.AcalltoanypotentiallydangerousfunctioncanbeflaggedbytheSemanticAnalyzer.Forexample,theSemanticAnalyzerdetectsdeprecatedfunctionsinJavaandunsafefunctionsinC/C++,suchasgets().
Structural TheStructuralAnalyzerdetectspotentiallydangerousflawsinthestructureordefinitionoftheprogram.Byunderstandingthewayprogramsarestructured,theStructuralAnalyzeridentifiesviolationsofsecureprogrammingpracticesandtechniquesthatareoftendifficulttodetectthroughinspectionbecausetheyencompassawidescopeinvolvingboththedeclarationanduseofvariablesandfunctions.Forexample,theStructuralAnalyzerdetectsassignmenttomembervariablesinJavaservlets,identifiestheuseofloggersthatarenotdeclaredstaticfinal,andflagsinstancesofdeadcodethatwillneverbeexecutedbecauseofapredicatethatisalwaysfalse.
Configuration TheConfigurationAnalyzersearchesformistakes,weaknesses,andpolicyviolationsinanapplication'sdeploymentconfigurationfiles.Forexample,theConfigurationAnalyzerchecksforreasonabletimeoutsinusersessionsinawebapplication.
Buffer TheBufferAnalyzerdetectsbufferoverflowvulnerabilitiesthatinvolvewritingorreadingmoredatathanabuffercanhold.Thebuffercanbeeitherstack‐allocatedorheap‐allocated.TheBufferAnalyzeruseslimitedinter‐proceduralanalysistodeterminewhetherornotthereisaconditionthatcausesthebuffertooverflow.Ifallexecutionpathstoabufferleadtoabufferoverflow,SCAreportsitasbufferoverflowvulnerabilityandpointsoutthevariablesthatcouldcausetheoverflow.Ifsome,butnotall,executionpathstoabufferleadtoabufferoverflowandthevalueofthevariablecausingthebufferoverflowistainted(user‐controlled),thenSCAwillreportitaswellanddisplaythedataflowtracetoshowhowthevariableistainted.
Chapter 2: HP Fortify Static Code Analyzer 14
About the Analysis ProcessTherearefourdistinctstagesthatmakeuptheSCAsourcecodeanalysisprocess:
• BuildIntegration:ThefirststageintheprocessinvolvesdecidingwhethertointegrateSCAintothebuildcompilersystem.
• Translation:Next,sourcecodeisgatheredusingaseriesofcommandsandthenitistranslatedintoanintermediateformatassociatedwithabuildID.ThebuildIDisusuallythenameoftheprojectbeingscanned.
• Analysis:Sourcefilesidentifiedduringthetranslationphasearescannedandananalysisresultsfile,typicallyintheHPFortifyproject(FPR)format,isgenerated.FPRfilesareindicatedbythe.fprfileextension.
• Verificationofthetranslationandanalysis:EnsurethatthesourcefileswerescannedusingthecorrectRulepacksandthatnosignificanterrorswerereported.
About Analysis CommandsThefollowingisanexampleofthesequenceofcommandsyouusetoanalyzecode:
sourceanalyzer -b <build_id> -cleansourceanalyzer -b <build_id> ...sourceanalyzer -b <build_id> -scan -f results.fpr
Toanalyzemorethanonebuildatatime,addtheadditionalbuildsasparameters:
sourceanalyzer -b <build_id1> -b <build_id2> -b <build_id3> -scan -f results.fpr
About Memory ConsiderationsWhenrunningSCA,theamountofphysicalRAMrequiredisdependentonanumberoffactors.Thesefactors,whichincludethesizeandcomplexityofthesourcefile,makeitimpossibletoquantifyandprovideguidance‐‐eachcustomersituationisunique.Ifyoudoencounteralowmemoryerror,increasingtheamountofmemoryavailabletoSCAmayresolvetheproblem.
Bydefault,SCAusesupto600MBofmemory.Ifthisisnotsufficienttoanalyzeaparticularcodebase,youmighthavetoprovidemorememoryinthescanphase.Thiscanbedonebypassingthe-Xmx optiontothesourceanalyzercommand.
Forexample,tomake1000MBavailabletoSCA,includetheoption -Xmx1000M.
YoucanalsousetheSCA_VM_OPTS environmentvariabletosetthememoryallocation.
Note:DonotallocatemorememoryforSCAthanthemachinehasavailable,becausethiswilldegradeperformance.Asaguideline,assumingthatnoothermemory‐intensiveprocessesarerunning,donotallocatemorethan2/3oftheavailablephysicalmemory.
About the Translation PhaseThebasiccommandlinesyntaxforperformingthefirstanalysisphase,translatingthefiles,is:
sourceanalyzer -b <build_id> ...
ThetranslationphaseconsistsofoneormoreinvocationsofSCAusingthesourceanalyzercommand.AbuildID(-b <build_id>)isusedtotietogethertheinvocations.
SubsequentinvocationsofsourceanalyzeraddanynewlyspecifiedsourceorconfigurationfilestothefilelistassociatedwiththebuildID.
Attheendoftranslation,youcanuse-show-build-warningstolistallwarningsanderrorsthatwereencounteredduringthetranslationprocess:
sourceanalyzer -b <build_id> -show-build-warnings
Chapter 2: HP Fortify Static Code Analyzer 15
ToviewallofthefilesassociatedwithaparticularbuildID,usethe-show-filesdirective:
sourceanalyzer -b <build_id> -show-files
Thefollowingchaptersdescribehowtotranslatedifferenttypesofsourcecode:
• TranslatingJavaCode
• Translating.NETSourceCode
• TranslatingC/C++Code
• TranslatingABAP/4
• TranslatingRuby
• TranslatingFlex
• TranslatingCodeforMobilePlatforms
• TranslatingOtherLanguages
About SCA Mobile Build Sessions
AnSCAmobilebuildsessionallowsaprojecttobetranslatedononemachineandanalyzedonanother.WhenyoucreateanSCAmobilebuildsession,a.mbsfilethatincludesthefilesneededfortheanalysisphaseiscreatedinthebuildsessiondirectory.The.mbsfileisthenmovedtoadifferentmachineforanalysis.
Creating a Mobile Build Session
Onthemachinewherethetranslationwasdone,issuethefollowingcommandtogenerateanSCAmobilebuildsession:
sourceanalyzer -b <build_id> -export-build-session <file.mbs>
where<file.mbs>isthefilenameyouassignfortheSCAmobilebuildsession.
Importing a Mobile Build Session
Onceyou’vemovedthe.mbsfiletothemachinewhereyouwanttoruntheanalysis,issuethefollowingcommand:
sourceanalyzer -import-build-session <file.mbs>
where<file.mbs>istheSCAmobilebuildsession.
OnceyouhaveimportedyourSCAmobilebuildsession,youarereadytomoveontotheanalysisphase.
About the Analysis PhaseThistopicdescribesthesyntaxfortheanalysisphase:scanningtheintermediatefilescreatedduringthetranslationandcreatingtheanalysisresultsfile.Thephaseconsistsofoneinvocationofsourceanalyzer.YouspecifythebuildIDandincludethe-scandirectiveandanyrequiredanalysisoroutputoptions.
Note:Bydefault,SCAincludesthesourcecodeintheFPR.
Thebasiccommandlinesyntaxfortheanalysisphaseis:
sourceanalyzer -b <build_id> -scan -f results.fpr
Torunananalysismorethanonebuildatatime,addtheadditionalbuildstothecommandline:
sourceanalyzer - b <build_id1> -b <build_id2> -b <build_id3> -scan -f results.fpr
Chapter 2: HP Fortify Static Code Analyzer 16
Torunasilentanalysisonmorethanonebuildatatime,addtheadditionalbuildstothecommandline:
sourceanalyzer -b <build-id1> -b <build-id2> -b <build-id3> -auth-silent -scan -f results.fpr
About Verification of the Translation and Analysis PhaseTheResultCertificationfeatureofAuditWorkbenchverifiesthattheanalysisiscomplete.ResultcertificationshowsspecificinformationaboutthecodescannedbySCA,including:
• Listoffilesscanned,withfilesizesandtimestamps
• JavaCLASSPATHusedforthetranslation
• ListofRulepacksusedfortheanalysis
• ListofSCAruntimesettingsandcommandlinearguments
• Listoferrorsorwarningsencounteredduringtranslationoranalysis
• Machine/platforminformation
Toviewresultcertificationinformation,opentheFPRfileinAuditWorkbenchandselectTools‐ProjectSummary‐Certification.
About the HP Fortify Scan WizardHPFortifyScanWizardisautilitythatallowsyoutoquicklyandeasilyprepareandscanprojectcodeusingSCA.TheScanWizardallowsyoutorunyourscanslocally,or,ifyouareusingHPFortifyCloudScan,inacloudofcomputersprovisionedfortakingcareoftheprocessor‐intensivescanningphaseoftheanalysis.Formoreinformation,seeAppendixG:HPFortifyScanWizardonpage82.
About HP Fortify CloudScanWithHPFortifyCloudScan(CloudScan),usersofHPFortifyStaticCodeAnalyzercanbettermanagetheirresourcesbyoffloadingtheprocessor‐intensivescanningphaseoftheanalysisfromtheirbuildmachinestoacloudofmachinesprovisionedforthispurpose.
Afterthetranslationphaseiscompletedonthebuildmachine,anSCAmobilebuildsessionisgeneratedandCloudScanmovesittoanavailablemachineforscanning.Inadditiontofreeingupthebuildmachines,thisprocessmakesiteasytogrowthesystembyaddingmoreresourcestothecloudasneeded,withouthavingtointerruptyourbuildprocess.
Inaddition,usersofSoftwareSecurityCentercandirectCloudScantooutputtheFPRfiledirectlytotheserver.
FormoreinformationonHPFortifyCloudScan,seetheHPFortifyCloudScanInstallation,Configuration,andUsageGuide.
Chapter 3: Translating Java Code 17
Chapter 3: Translating Java CodeThischaptercoversthefollowingtopics:
• AboutJavaCommandLineSyntax
• AboutJavaCommandLineExamples
• IntegratingwithAntusingtheHPFortifyAntCompilerAdapter
• HandlingResolutionWarnings
• UsingFindBugs
• TranslatingJ2EEApplications
• TranslatingJavaByteCode
About Java Command Line SyntaxThebasiccommandlinesyntaxforJavais:
sourceanalyzer -b <build_id> -cp <classpath> <file_list>
WithJavacode,SCAcaneitheremulatethecompiler,whichmaybeconvenientforbuildintegration,oracceptsourcefilesdirectly,whichismoreconvenientforcommandlinescans.
Note:Foradescriptionofalltheoptionsyoucanusewiththesourceanalyzercommand,seeCommandLineInterfaceonpage48.
TotellSCAtoemulatethecompiler,enter:
sourceanalyzer -b <build_id> javac [<translation options>]
TopassfilesdirectlytoSCA,enter:
sourceanalyzer -b <build_id> -cp <classpath> [<translation options>] <files>|<file specifiers>
where:
<translation options>
areoptionspassedtothecompiler.
-cp <classpath>
specifiestheCLASSPATHtobeusedfortheJavasourcecode.ACLASSPATHisalistofbuilddirectoriesandjarfiles.Theformatisthesameasexpectedbyjavac(colonorsemicolon‐separatedlistofpaths).YoucanuseSCAfilespecifiers.
-cp "build/classes:lib/*.jar"
Note:Ifyoudonotspecifytheclasspathwiththisoption,theCLASSPATHenvironmentvariableisused.
Formoreinformation,seeJava/J2EEOptionsonpage51.Forinformationaboutfilespecifiers,seeSpecifyingFilesonpage54.
About Java Command Line ExamplesTotranslateasinglefilenamedMyServlet.javawithj2ee.jarontheCLASSPATH,enter:
sourceanalyzer -b MyServlet -cp lib/j2ee.jar MyServlet.java
Totranslateall.java filesinthesrcdirectoryusingalljarfilesinthelibdirectoryasaCLASSPATH:
sourceanalyzer -b MyProject -cp "lib/*.jar" "src/**/*.java"
Chapter 3: Translating Java Code 18
TotranslateandcompiletheMyCode.javafilewhileusingthejavaccompiler:
sourceanalyzer -b mybuild javac -classpath libs.jar MyCode.java
Integrating with Ant using the HP Fortify Ant Compiler AdapterSCAprovidesanAntCompilerAdapterthatyoucanuseasaneasywaytotranslateJavasourcefilesifyourprojectusesanAntbuildfile.ThisintegrationrequiressettingonlytwoAntproperties,andcanbedoneonthecommandlinewithoutmodifyingtheAntbuild.xmlfile.Whenthebuildruns,SCAinterceptsalljavactaskinvocationsandtranslatestheJavasourcefilesastheyarecompiled.NotethatanyJSPfiles,configurationfiles,oranyothernon‐Javasourcefilesthatarepartoftheapplicationneedtobetranslatedinaseparatestep.
ThefollowingstepsmustbetakentousetheCompilerAdapter:
• ThesourceanalyzerexecutablemustbeonthesystemPATH.
• sourceanalyzer.jar(locatedinCore/lib)mustbeonAnt'sclasspath.
• Thebuild.compilerpropertymustbesettocom.fortify.dev.ant.SCACompiler.
• Thesourceanalyzer.buildidpropertymustbesettothebuildID.
ThefollowingexamplesshowhowtorunanAntbuildusingtheCompilerAdapterwithoutmodifyingthebuildfile:
ant -Dbuild.compiler=com.fortify.dev.ant.SCACompiler -Dsourceanalyzer.buildid=MyBuild -lib <install_dir>/Core/lib/sourceanalyzer.jar
The-liboptionisonlyavailableinAntversion1.6orhigher.InolderversionsyoumustsettheCLASSPATHenvironmentvariableorcopysourceanalyzer.jartoAnt'slibdirectory.
Alternatively,withAnt1.6ornewer,thefollowingshorthandcanbeusedtorunAntwiththecompileradapter:
sourceanalyzer -b <build-id> ant [ant-options]
Bydefault,600MBofmemoryisallocatedtoSCAfortranslation.IncreasethememoryallocationwhenusingtheAntCompilerAdapterusingthe -Dsourceanalyzer.maxHeapoptionasfollows:
ant -Dbuild.compiler=com.fortify.dev.ant.SCACompiler -Dsourceanalyzer.buildid=MyBuild -lib <install_directory>/Core/lib/sourceanalyzer.jar -Dsourceanalyzer.maxHeap=1000M
Handling Resolution WarningsToseeallwarningsthatweregeneratedduringyourbuild,enterthefollowingcommandbeforeyoustartthescanphase:
sourceanalyzer -b <build_id> -show-build-warnings
Chapter 3: Translating Java Code 19
Java WarningsYoumayseethefollowingwarningsforJava:
Unable to resolve type...
Unable to resolve function...
Unable to resolve field...
Unable to locate import...
Unable to resolve symbol...
Multiple definitions found for function...
Multiple definitions found for class...
Thesewarningsaretypicallycausedbymissingresources.Forexample,someofthe.jarandclassfilesrequiredtobuildtheapplicationhavenotbeenspecified.Toresolvethewarnings,makesurethatyouhaveincludedalloftherequiredfilesthatyourapplicationuses.
Using FindBugsFindBugs(http://findbugs.sourceforge.net)isastaticanalysistoolthatdetectsqualityissuesinJavacode.YoucanrunFindBugswithSCAandtheresultswillbeintegratedintotheanalysisresultsfile.UnlikeSCA,whichrunsonJavasourcefiles,FindBugsrunsonJavabytecode.Therefore,beforerunningananalysisonyourproject,youshouldfirstcompiletheprojectandproducetheclassfiles.
TodemonstratehowtorunFindBugsautomaticallywithSCA,compilethesamplecode, Warning.java,asfollows:
1. Gotothefollowingdirectory:
<install_directory>/Samples/advanced/findbugs
2. Enterthefollowingcommandtocompilethesample:
mkdir build
javac -d build Warning.java
3. ScanthesamplewithFindBugsandSCAasfollows:
sourceanalyzer -b findbugs_sample -java-build-dir build Warning.java
sourceanalyzer -b findbugs_sample -scan -findbugs -f findbugs_sample.fpr
4. ExaminetheanalysisresultsinAuditWorkbench:
auditworkbench findbugs_sample.fpr
Theoutputcontainsthefollowingissuecategories:
• BadcastsofObjectReferences(1)
• Deadlocalstore(2)
• Equalobjectsmusthaveequalhashcodes(1)
• Objectmodelviolation(1)
• Unwrittenfield(2)
• Uselessself‐assignment(2)
IfyougroupbyAnalyzer,youcanseethattheSCAStructuralAnalyzerproducedoneissueandFindBugsproducedeight.TheObject model violationissueproducedbySCAonline25issimilartotheEqual objects must have equal hash codesissueproducedbyFindBugs.Inaddition,FindBugsproducestwosetsofissues(Useless self-assignmentandDead local store)aboutthesamevulnerabilitiesonlines6and7.Toavoidoverlappingresults,applythefilter.txtfilterfilebyusingthe-filter optionduringthe
Chapter 3: Translating Java Code 20
scan.Notethatthefilteringisnotcompletebecauseeachtoolfiltersatadifferentlevelofgranularity.Todemonstratehowtoavoidoverlappingresults,scanthesamplecodeusingfilter.txtasfollows:
sourceanalyzer -b findbugs_sample -scan -findbugs -filter filter.txt -f findbugs_sample.fpr
Translating J2EE ApplicationsTranslatingJ2EEapplicationsinvolvesprocessingJavasourcefilesandJ2EEcomponentssuchasJSPfiles,deploymentdescriptors,andconfigurationfiles.WhileyoucanprocessallthepertinentfilesinaJ2EEapplicationusingasingle‐stepprocess,yourprojectmayrequirethatyoubreaktheprocedureintoitscomponentsforintegrationinabuildprocessortomeettheneedsofvariousstakeholderswithinyourorganization.Thefollowingsectionsprovideinformationoneachcomponent,followedbyanall‐in‐oneprocess.
Prerequisite for Translating Code Using Legacy Versions of the J2EE SDKIfyouaretranslatingcodedevelopedusingaversionoftheJ2EESDKearlierthan1.5,youwillneedtoaddthefollowinglistoffilestotheCLASSPATH:
commons-logging.jarj2ee.jarjasper2_jasper-runtime.jarxercesImpl-2.0.2.jar
andthefollowingJSPtaglibrariesmayalsoberequired:
commons-validator.jarjsp-api.jarjstl.jarlog4j-1.2.9.jarsaxpath.jarstandard.jarstruts.jarstruts-el.jar
Ifyouwant,youcanputtheJSPtaglibraryfilesinasubdirectorynamedjsp_tag_lib,butitisnotrequired.
AddthefilesusingtheCLASSPATHoption(-cp),orbyaddingthefilestothe<Fortify_Home>/Core/default_jarsdirectory.
Note:InpreviousversionsofSCAtheJARSlistedabovewereincludedinthe<SCA>/Core/default_jarsdirectory.Beginningwithversion4.10,thefilesarenolongerincluded.
ToidentifyadirectoryordirectorieswhereSCAshouldlookforfileseachtimeyourunascan,youcansetthecom.fortify.sca.DefaultJarsDirsparameterinthefortify-sca-quickscan.propertiesfile.Formoreinformation,seethe“fortify‐sca‐quickscan.propertiesConfigurationOptions”sectionintheHPFortifyStaticCodeAnalyzerInstallationandConfigurationguide.
Translating the Java FilesEarlierinthischapterweprovidedthecommandlineinstructionsfortranslatingJavafiles.WhentranslatingJ2EEapplications,usethesameprocedurefortranslatingtheJavafileswithintheapplication.
Forexamples,seeAboutJavaCommandLineExamplesonpage17.
Translating JSP Projects, Configuration Files, and Deployment DescriptorsInadditiontotranslatingtheJavafilesinyourJ2EEapplication,youmayalsoneedtotranslateJSPfiles,configurationfiles,anddeploymentdescriptors.YoucanscanJSPfilescreatedwithversion2.0andabove.
Chapter 3: Translating Java Code 21
YourJSPfilesmustbepartofaWebApplicationArchive(WAR).IfyoursourcedirectoryisalreadyorganizedinaWARlayout,youcantranslatetheJSPfilesdirectlyfromthesourcedirectory.Ifthisisnotthecase,youmayneedtodeployyourapplicationandtranslatetheJSPfilesfromthedeploymentdirectory.
Forexample:
sourceanalyzer -b <build_id> \**\*.jsp \**\*.xml
where\**\*.jspreferstothelocationofyour*.jspprojectfilesand\**\*.xmlreferstothelocationofyourconfigurationanddeploymentdescriptorfiles.
Translating Java ByteCodeInadditiontotranslatingsourcecode,youcantranslatetheBytecodeinyourproject.InordertoincludeByteCode,addthefollowingpropertiestothefortify-sca.propertiesfile:
com.fortify.sca.fileextensions.class=BYTECODE
com.fortify.sca.fileextensions.jar=ARCHIVE
J2EE WarningsYoumayseethefollowingwarningsforJ2EEapplications:
Could not locate the root (WEB-INF) of the web application. Please build your web application and try again. Failed to parse the following jsp files:
<list of .jsp file names>
ThiswarningdisplaysbecauseyourWebapplicationisnotdeployedinthestandardWARdirectoryformatordoesnotcontainthefullsetofrequiredlibraries.Toresolvethewarning,ensurethatyourwebapplicationisinanexplodedWARdirectoryformatwiththecorrectWEB-INF/libandWEB-INF/classesdirectoriescontainingallofthe.jarand.classfilesrequiredforyourapplication.YoushouldalsoverifythatyouhavealloftheTLDfilesforallofthetagsthatyouhaveandthecorresponding.jarfileswiththeirtagimplementations.
Chapter 4: Translating .NET Source Code 22
Chapter 4: Translating .NET Source CodeThechaptercoversthefollowingtopics:
• AbouttheVisualStudioCommandPrompt
• AboutVisualStudio.NET
• TranslatingSimple.NETApplications
• TranslatingASP.NET1.1(VisualStudioVersion2003)Projects
• HandlingResolutionWarnings
ThischapterdescribeshowtouseSCAtotranslateMicrosoftVisualStudio.NETandASP.NETapplicationsbuiltwith:
• .NETVersions1.1and2.0
• VisualStudio.NETversion2003
• VisualStudio.NETversion2005
• VisualStudio.NETversion2008
• VisualStudio.NETversion2010
• VisualStudio.NETversion2012
• VisualStudio.NETversion2013
• VisualStudio.NETversion2015
SCAworksontheCommonIntermediateLanguage(CIL),andthereforesupportsallofthe.NETlanguagesthatcompiletoCIL,includingC#andVB.NET.
Note:Theeasiestwaytoanalyzea.NETapplicationistousetheHPFortifyPackageforMicrosoftVisualStudio,whichautomatestheprocessofgatheringinformationabouttheproject.
About the Visual Studio Command PromptVisualStudio2005andhigherincludetheVisualStudioCommandPrompt.TheVisualStudioCommandPromptislocatedintheVisualStudioToolsdirectoryofyourVisualStudioinstallation.Youshouldusethiscommandpromptintheinstructionsthatfollow.
About Visual Studio .NETIfyouperformcommandlinebuildswithVisualStudio.NET,youcaneasilyintegratestaticanalysisbywrappingthebuildcommandlinewithaninvocationofsourceanalyzer.Forthistowork,youmusthavetheSecureCodingPackageforyourversionofVisualStudioinstalled.
ThefollowingexampledemonstratesthecommandlinesyntaxforVisualStudio.NET:
sourceanalyzer -b my_buildid devenv Sample1.sln /REBUILD debug
ThisperformsthetranslationphaseonallfilesbuiltbyVisualStudio.Besuretodoacleanorarebuildsothatallfilesareincluded.Youcanthenperformtheanalysisphase,asinthefollowingexample:
sourceanalyzer -b my_buildid -scan -f results.fpr
Chapter 4: Translating .NET Source Code 23
Note:IfyourclassicASP/VBScriptapplicationusesvirtualincludes,forexample,
<!--include virtual=”/myweb/foo.inc”>
thenyoushouldspecifythephysicallocationofthemywebapplicationbypassingthefollowingpropertyvalue:
com.fortify.sca.ASPVirtualRoots=<semicoloon separated list of full paths to virtual roots used>
Forexample,iftheIISvirtualroot/mywebislocatedatC:\webapps\myweb-folder,thenyourpropertyvalueshouldbe:
-Dcom.fortify.sca.ASPVirtualRoots=c:\webapps\myweb-folder
Ifyouaddthislinetothefortify‐sca.propertiesfile,youmustescapethe\character,asinthefollowing:
com.fortify.sca.ASPVirtualRoots=c:\\webapps\\myweb-folder
Translating Simple .NET ApplicationsYoucanalsouseSCAcommandlineinterfaceforprocessing.NETapplications.
Prepareyourapplicationforanalysisusingoneofthefollowingmethods:
• Performacompleterebuildofyourprojectwiththe“debug”configurationenabled.CompilingyourprojectwithdebugenabledprovidesinformationthatSCAusesforpresentingtheresults.
• Obtainallofthethird‐partydllfiles,projectoutputdllfiles,andcorrespondingpdbfilesforyourprojects.NotethatSCAignoresanydllfilepassedasaninputargumentifthecorrespondingpdbfiledoesnotexistinthesamefolder.Itisthereforeimperativethatyouincludeallofthepdbfilesforallyourprojectdllfiles.
Note:pdbfilesarenotrequiredforthird‐partylibraries.
RunSCAtoanalyzethe.NETapplicationfromthecommandlineasfollows:
• ForVisualStudio.NETVersion2010,enter:
sourceanalyzer -vsversion 10.0 -b MyBuild -libdirs ProjOne/Lib;ProjTwo/Lib ProjOne/bin/Debug ProjTwo/bin/Debug
where:
• MyBuildisthebuildidentifier
• ProjOne/Lib;ProjTwo/Libisasemicolon‐separatedlistofpathstofoldersorDLLswiththird‐partyDLLs
• ProjOne/bin/Debug ProjTwo/bin/Debugaretheoutputfolders
• Usethefollowingversionnumberswiththe-vsversionparameter:
Table 2: Visual Studio .NET version numbers
Visual Studio .NET Release Version
VisualStudio.NET2003 7.1
VisualStudio.NET2005 8.0
VisualStudio.NET2008 9.0
VisualStudio.NET2010 10.0
VisualStudio.NET2012 11.0
VisualStudio.NET2013 12.0
VisualStudio.NET2015 14.0
Chapter 4: Translating .NET Source Code 24
Note:Standard.NETDLLsusedinyourprojectareautomaticallypickedupbySCA,soyoudonotneedtoincludetheminthecommandline.
Ifyourprojectislarge,youcanperformthetranslationphaseseparatelyforeachoutputfolderusingthesamebuildID,asfollows:
sourceanalyzer -vsversion <version_number> -b <build_id> -libdirs <paths> <folder_1> ...sourceanalyzer -vsversion <version_number> -b <build_id> -libdirs <paths> <folder_n>
where:
• <version_number>iseither7.1,8.0,9.0,10.0,11.0,12.0or14.0hoo
• <build_id> isthebuildID
• <paths>isasemicolon‐separatedlistofpathstofoldersorDLLswiththird‐partyDLLs
• <folder_1>and<folder_n>aretheoutputfolders
Note:SCArequirestheappropriateversionofVisualStudiounlessyouareusingMSBuild.ForinformationofusingSCAwithMSBuild,seeAppendixE:MSBuildIntegrationonpage72.
Translating ASP.NET 1.1 (Visual Studio Version 2003) ProjectsAsdiscussedpreviously,SCAworksonCILgeneratedbythe.NETcompilers.ForASP.NETprojects,webcomponentssuchasaspxfilesneedtobecompiledbeforetheycanbeanalyzed.However,thereisnostandardcompilerforaspxfiles.The.NET1.1runtimeautomaticallycompilesthemwhentheyareaccessedfromabrowser.
Tofacilitatetheaspxcompilationphase,HPFortifySoftwareprovidesasimpletoolthatcompilesalloftheaspxfilesinyourproject.ThetoolislocatedintheHPFortifyinstallationdirectoryat:
\Tools\fortify_aspnet_compiler\fortify_aspnet_compiler.exe
ToanalyzeASP.NET1.1solutions:
1. Performacompleterebuildofthesolution.
2. Foreachofthewebprojectsinthesolution,deletethefollowingfolder:
%SYSTEMROOT%\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\<web_application_name>
3. Foreachofthewebprojectsinthesolution,runthefollowingcommand:
fortify_aspnet_compiler <url_to_the_web_site> <source_root_of_the_web_project>
where:
<url_to_the_web_site> is the URL for your website, such as http://localhost/WebApp
<source_root_of_the_web_project>isthesourcelocationofyourwebproject,suchas<VS_project_location>\WebApp
4. PerformthetranslationphasefortheDLLsbuiltinStep1.EnterthefollowingcommandusingthesamebuildIDasinthefollowingsteps:
sourceanalyzer -b <build_id> "<VS_project_location>\**\*.dll"
5. Performthetranslationphaseforthewebcomponents.Foreachofthewebprojectsinthesolution,enterthefollowingwhenyouinvokesourceanalyzer:
sourceanalyzer -b <build_id> %SYSTEMROOT%\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\<web_application_name>
Chapter 4: Translating .NET Source Code 25
6. IncludetheconfigurationfilesandanyMicrosoftT‐SQLsourcefilesthatyouhave:
sourceanalyzer -b <build_id> "<solution_root>\**\*.config" <"t-sql_src>\**\*.sql">
Note:ThesestepsareallautomatedifyouusetheHPFortifyPackageforMicrosoftVisualStudio.
Handling Resolution WarningsToseeallwarningsthatweregeneratedduringyourbuild,enterthefollowingcommandbeforeyoustartthescanphase:
sourceanalyzer -b <build_id> -show-build-warnings
About .NET WarningsYoumayseethefollowingwarningsfor.NET:
Cannot locate class... in the given search path and the Microsoft .NET Framework libraries.
Thesewarningsaretypicallycausedbymissingresources.Forexample,someofthe.DLLfilesrequiredtobuildtheapplicationhavenotbeenspecified.Toresolvethewarnings,makesurethatyouhaveincludedalloftherequiredfilesthatyourapplicationuses.Ifyoustillseeawarningandtheclassesitlistsareemptyinterfaceswithnomembers,youcanignorethewarning.Iftheinterfaceisnotempty,contactTechnicalSupport.
About ASP.NET WarningsYoumayseethefollowingwarningsforASP.NETapplications:
Failed to parse the following aspx files:
<list of .aspx file names>
Thiswarningdisplaysbecauseyourwebapplicationisnotdeployedcorrectlyordoesnotcontainthefullsetofrequiredlibraries,oritusestheGlobalAccessCache(GAC).Ifyourapplicationisa.NETversion1.1application,youmayalsohaveaccessissuesfromMicrosoftIIS.Verifythatyoucanaccesstheapplicationfromabrowserwithoutauthenticationoraccesserrors.IfyourwebapplicationusestheGAC,youmustaddtheDLLfilestotheprojectseparatelytoensureasuccessfulscan.SCAdoesnotloadDLLfilesfromtheGAC.
Chapter 5: Translating C/C++ Code 26
Chapter 5: Translating C/C++ CodeThischaptercoversthefollowingtopics:
• AboutCandC++CommandLineSyntax
• CandC++CommandLineExamples
• AboutIntegratingwithMake
• AboutCommandLineBuildsinVisualStudio.NET
• AboutCommandLineBuildsinVisualStudio.NET
• AboutCommandLineBuildsinVisualStudio6.0
About C and C++ Command Line SyntaxThebasiccommandlinesyntaxfortranslatingasinglefileis:
sourceanalyzer -b <build_id> <compiler> [<compiler options>]
where:
<compiler> isthenameofthecompileryouwanttouseduringaprojectbuildscan,suchasgccorcl.
<compiler options> areoptionspassedtothecompilerthataretypicallyusedtocompilethefile.
C and C++ Command Line ExamplesThefollowingisasimpleusageexample:
Totranslateafilenamedhelloworld.cusingthegcccompiler,enter:
sourceanalyzer -b my_buildid gcc helloworld.c
Note:Thisalsocompilesthefile.
About Integrating with MakeYoucanuseeitherofthefollowingmethodstointegrateSCAwithMake:
• HPFortifyTouchlessBuildAdapter
• ModifyaMakefiletoInvokeSCA
Using the HP Fortify Touchless Build AdapterThefollowingsectiondescribesthedifferentmethodsforusingthetouchlessbuildadapter.
Using the sourceanalyzer Build Adapter Command
Forexample,tousetheHPFortifytouchlessbuildadaptertointegratewithapythonbuildscript:
sourceanalyzer -b <build_id> touchless python build.py
SCArunstheentirecommandfollowingthe"touchless"keyword.WhenthecommandcreatesanewprocessthatSCAdeterminesisacompiler,thecommandisprocessedbySCA.
ForinformationaboutinformingSCAaboutspeciallynamedcompilers,seethecom.fortify.sca.compilers.*propertyin“UsingPropertiestoControlRuntimeOptions”onpage65.Anybuildcommandthatexecutesarecognizedcompilerprocesscanbeusedwiththissystem;justreplacethe'make'sectionoftheabovecommandwiththecommandusedtorunabuild.
Chapter 5: Translating C/C++ Code 27
Note:TheHPFortifytouchlessbuildadapterdoesnotfunctioncorrectlyif:
• Thebuildscriptinvokesthecompilerwithanabsolutepathoroverridestheexecutablesearchpath.
• Thebuildscriptdoesnotcreateanewprocesstorunthecompiler.ManyJavabuildtools,includingAnt,operatethisway.
Modifying a Makefile to Invoke SCATomodifyamakefiletoinvokeSCA,replaceanycallstothecompiler,archiver,orlinkerinthemakefilewithcallstoSCA.Thesetoolsaretypicallyspecifiedinaspecialvariableinthemakefile,asinthefollowingexample:
CC=gccCXX=g++AR=ar
ThestepcanbeassimpleasprependingthesetoolreferencesinthemakefilewithSCAandtheappropriateoptions:
CC=sourceanalyzer -b mybuild gcc
CXX=sourceanalyzer -b mybuild g++
AR=sourceanalyzer -b mybuild ar
About Command Line Builds in Visual Studio .NETIfyouperformcommandlinebuildswithVisualStudio.NET,youcaneasilyintegratestaticanalysisbysimplywrappingthebuildcommandlinewithaninvocationofsourceanalyzer.Forthistowork,youmusthavetheHPFortifyPackageforMicrosoftVisualStudioforyourversionofVisualStudioinstalled.
Considerthefollowingexample
sourceanalyzer -b my_buildid devenv MyProject.sln /REBUILD
ThisperformsthetranslationphaseonallfilesbuiltbyVisualStudio.Besuretodoacleanorarebuildsothatallfilesareincluded.
About Command Line Builds in Visual Studio 6.0IfyouperformcommandlinebuildswithVisualStudio6.0,youcanintegratestaticanalysisbywrappingthebuildcommandlinewithaninvocationofsourceanalyzer.
Considerthefollowingexample:
sourceanalyzer -b my_buildid msdev MyProject.dsp /MAKE "MyProject DEBUG" /REBUILD
ThisperformsthetranslationphaseonallfilesbuiltbytheVisualStudio.Besuretodoacleanorarebuildsothatallfilesareincluded,asdescribedinyourVisualStudiodocumentation.
Scanning Pre‐processed C/C++ CodeIf,priortocompilation,yourC/C++buildexecutesathird‐partyCpreprocessorthatisnotsupportedbySCA,youmustinvokeSCAtranslationontheintermediatefile.SCAtouchlessbuildintegrationwillautomaticallytranslatetheintermediatefileprovidedyourbuildexecutestheunsupportedpreprocessorandsupportedcompilerastwocommandsconnectedbyatemporaryfileratherthanapipechain.
Thissanuncommonscenariothatmostuserswillnotencounter.
Chapter 6: Translating ABAP/4 28
Chapter 6: Translating ABAP/4Thischaptercoversthefollowingtopics:
• AboutTranslatingABAP/4Code
• AboutScanningABAPCode
• OverviewoftheProcess
• AbouttheTransportRequest
• AddFortifySCAtoYourFavoritesList(Optional)
• RunningtheHPFortifyABAPExtractor
About Translating ABAP/4 CodeTranslatingABAP/4codeissimilartotranslatingotheroperatinglanguagecode,butrequiresadditionalstepsinordertoextractthecodefromtheSAPdatabaseandprepareitforscanning.ThischapterassumesyouhaveSCArunningandhaveabasicunderstandingofSCA,SAP,andABAP/4.
About Scanning ABAP CodeInordertotranslateABAPcode,theHPFortifyABAPExtractorprogramdownloadssourcefilestothepresentationserver,andoptionally,invokesSCA.YouneedtouseanaccountwithpermissionstodownloadfilestothelocalsystemandexecuteOScommands.
Becausetheextractorprogramisexecutedonline,youmayreceiveamax dialog work process time reachedexceptionifthevolumeofsourcesfilesselectedforextractionexceedstheallowableprocessruntime.YoucanoftenworkaroundthisbydownloadinglargeprojectsasaseriesofsmallerExtractortasks.Forexample,ifyourprojectconsistsoffourdifferentpackages,downloadeachpackageseparatelyintothesameprojectdirectory.
Iftheexceptionoccursfrequently,pleaseworkwithyourSAPBasisadministratortoincreasethemaximumtimelimit(rdisp/max_wprun_time).
WhenaPACKAGEisextractedfromABAP,theHPFortifyABAPExtractorextractseverythingfromTDEVCwithaparentclfieldthatmatchesthepackagename.ItthenrecursivelyextractseverythingelsefromTDEVCwithaparentclfieldequaltothosealreadyextractedfromTDEVC.ThefieldextractedfromTDEVCisdevclass.
Thedevclassvaluesaretreatedasasetofprogramnamesandhandledthesamewayasaprogramnamewhichyoumayoptionallyprovide.
ProgramsareextractedfromTRDIRbymatchingthenamefieldagainsteithertheprogramnamegivenbytheuserintheselectionscreenorbycomparingwiththelistofvaluesextractedfromTDEVCifapackagewasprovided.TherowsfromTRDIRarethoseforwhichthenamefieldhasthegivenprogramnameandtheexpressionLIKEprogramnameisusedtoextractrows.
ThisfinallistofnamesisusedwithREAD REPORTtofinallygetcodeoutoftheSAPsystem.ThismethoddoesreadclassesandmethodsoutaswellasmerelyREPORTs,fortherecord.
EachREAD REPORTcallproducesafileinthetemporaryfolderonthelocalsystem.Thissetoffilesiswhatsourceanalyzerwilltranslateandscan,producingan.fprfilewhichcanbeviewedwithHPFortifyAuditWorkbench.
About INCLUDE ProcessingAssourcecodeisdownloaded,theHPFortifyABAPExtractorchecksforINCLUDEstatementsinthesource.Whenfound,itdownloadstheincludetargetstothelocalmachineforanalysisaswell.
Chapter 6: Translating ABAP/4 29
Overview of the ProcessTherearetwomainstepsrequiredpriortotranslatingyourABAP/4code:
• InstallaTransportRequestonyourSAPserver.
• AddthetransactionobjecttoyourFavoriteslist(optional)
Note:ThefollowingprocedureisbasedontheuseoftheWindowsSAPclient‐basedinterface.ScreenshotsandinterfacelocationsmayvaryifyouareusingadifferentSAPclient.
About the Transport RequestABAPscanningisavailableasapremiumcomponentofSCA.Ifyoupurchasedalicensethatincludesthiscapability,youwillneedtoinstalltheHPFortifyTransportRequestonyourSAPServer..
ThetransportrequestislocatedintheSAP_Extractor.zippackage.ThepackageislocatedintheToolsdirectory:
<SCA_Install_Directory>\Tools\SAP_Extractor.zip
TheHPFortifySCAABAPExtractorpackage,SAP_Extractor.zip,containsthefollowingfiles:
• K9000XX.NSP (wherethe“XX”isthereleasenumber)
• R9000XX.NSP (wherethe“XX”isthereleasenumber)
ThesefilesincludemakeuptheSAPtransportrequestandshouldbeimportedintoyourSAPsystemfromoutsideyourlocalTransportDomain.ThisshouldbedonebyyourSAPadministratororanindividualauthorizedtoinstalltransportrequestsonthesystem.
TheNSPfilescontainaclass,aprogram,atransaction(YSCA),andtheprogramGUIscreens.Onceimportedintoyoursystemandproperlyconfigured,youwillbeabletoextractyourcodefromtheSAPdatabaseandprepareitforscanningbySCA.
InstallationNote:TheHPFortifySCAABAPExtractortransportrequestwascreatedonasystemrunningSAPrelease702,SPlevel0006.IfyouarerunningadifferentSAPrelease,youmaygetatransportrequestimporterror:
Install release does not match the current version
Thiswillcausetheinstallationtofail.Toresolvethisissue:
1. Runthetransportrequestimportagain.
TheImportTransportRequestscreenappears.
2. ClicktheOptionstab.
3. SelecttheIgnoreInvalidComponentVersioncheckbox.
4. Completetheimportprocedure.
Add Fortify SCA to Your Favorites List (Optional)AddingFortifySCAtoyourFavoriteslistisoptional,butdoingsomaymakeiteasiertoaccessandlaunchFortifySCAscans.ThefollowingstepsassumethatyouusetheUsermenuinyourday‐to‐daywork.Ifyourworkisdonefromadifferentmenu,addtheFavoriteslinktothemenuthatyouuse.BeforeyoucreatetheFortifySCAentry,theSAPservershouldberunningandyoushouldbeintheSAPEasyAccessareaofyourweb‐basedclient.
1. FromtheSAPEasyAccessmenu,typeS000inthetransactionbox.
TheSAPMenuappears.
2. Right‐clicktheFavoritesfolderandselectInserttransaction.
Chapter 6: Translating ABAP/4 30
TheManualentryofatransactionboxappears.
3. TypeYSCAintheTransactioncodebox.
4. Clickthegreencheckmarkbutton.
TheLaunchSCAitemshould appearintheFavoriteslist.
5. ClicktheExtractABAPcodeandlaunchSCAlinktolaunchtheHPFortifyABAPExtractor.
Chapter 6: Translating ABAP/4 31
Running the HP Fortify ABAP Extractor1. LaunchtheprogramfromtheFavoriteslink,thetransactioncode,orbymanuallylaunchingthe
Z_AMOL_SCAobject.
2. Fillintherequestedinformation:
Section Data
Objects EnterthenameoftheSoftwareComponent,Package,Program,orBSPApplicationyouwanttoscan.
Sourceanalyzerparameters FPRFilePath:TypethedirectorywhereyouwanttostoreyourFPRfile.IncludethenameyouwantassignedtotheFPRfileinthepathname.
WorkingDirectory:Typethedirectorywheretheextractedsourcecodeshouldbecopied.
Build‐ID:TypethebuildIDforthescan.
TranslationsParameters:Listanyoptionalsourceanalyzertranslationarguments.
ScanParameters:Listanyoptionalsourceanalyzerscanarguments.
ZIPFileName:TypeaZIPfilenameifyouwouldlikeyouroutputprovidedinacompressedpackage.
MaximumCall‐chainDepth:AglobalSAP‐functionFwillnotbedownloadedunlessFwasexplicitlyselectedorunlessFcanbereachedthroughachainoffunctioncallswhichstartsinexplicitly‐selectedcodeandwhoselengthisthisnumberorless.
Chapter 6: Translating ABAP/4 32
3. ClicktheExecutebutton.
Actions Download:CheckthisboxtoinstructSCAtodownloadthesourcecodeextractedfromyourSAPdatabase.
Build:CheckthisboxtoinstructSCAtotranslatealldownloadedABAPcodeandstoreitunderthespecifiedBuild‐ID.
Scan:Checkthisboxtorequestascan.
LaunchAWB:CheckthisboxtolaunchAuditWorkbenchandloadtheFPR.
CreateZIP:Checkthisboxtorequesttheoutputbecompressed.
ProcessinBackground:Checkthisboxtorequestthatprocessingoccurinthebackground.
Section Data
Chapter 7: Translating Ruby Code 33
Chapter 7: Translating Ruby CodeThischaptercoversthefollowingtopics:
• AboutRubyCommandLineSyntax
• AddingLibraries
• AddingMultipleLibraryPaths
• AddingGemPaths
About Ruby Command Line SyntaxThebasiccommandlinesyntaxforRubyis:
sourceanalyzer –b <build_id> <.rb_file>
whererb_fileisthenameoftheRubyfiletobescanned.ToincludemultipleRubyfiles,separatethemwithaspace,asinthefollowingexample:
sourceanalyzer –b <build_id> file1.rb file2.rb file3.rb
Note:InadditiontolistingindividualRubyfiles,youcanusetheasterisk(*)wildcardtoselectallRubyfilesinaspecifieddirectory.Forexample,tofindalloftheRubyfilesinadirectorycalledsrc,youcouldusethefollowingsourceanalyzercommand:
sourceanalyzer –b <build_id> src/*.rb
Adding Libraries IfyourRubysourcecoderequiresaspecificlibrary,addtheRubylibrarytothesourceanalyzercommand.Forexample,ifyouhaveautils.rbfilethatresidesinthe/usr/share/ruby/myPersonalLibrary/ directory,thenyoushouldaddthefollowingtothesourceanalyzercommand:
-ruby-path=/usr/share/ruby/myPersonalLibrary
Adding Multiple Library Paths Tousemultiplelibraries,useadelimitedlist.InWindowsthepathsshouldbeseparatebyasemicolon(‘;’);andonallotherplatformsuseacolon(‘:’),asinthefollowingnon‐Windowsexample:
-ruby-path=/path/one:/path/two:/path/three
Adding Gem PathsToaddallRubyGemsandtheirdependencypaths,importallRubyGems.Todothis,runthegem envcommandandunderGEMPATHSyouwillseeadirectorylike:
/home/myUser/gems/ruby-version
Thisdirectoryshouldcontainanotherdirectorycalledgemswhichcontainsdirectoriesforallthegemfilesinstalledonthesystem,soforthisexampleyouwouldset:
-rubygem-path=/home/user/myUser/gems/ruby-version/gems
Ifyouhavemultiplegemsdirectories,addthemusingadelimitedlistsuchas:
-rubygem-path=/path/to/gems:/another/path/to/more/gems
Chapter 7: Translating Ruby Code 34
Note:ForWindowssystems,separatethegemsdirectorieswithasemicolon.
Warnings
BecausethisisaTechnicalPreview,youmayencounterparseerrors.
[error]: Unexpected exception while parsing file p.rb: (SyntaxError) p.rb:2:syntax error, unexpected end-of-file.
Theseerrors,orwarnings,arelikelycausedbybugsintheRubyTechnicalPreviewcodeandshouldbereportedtoHPFortifysupport.
Ruby on Rails Support
RubyonRailssupportwillbeaddedinafuturereleaseofHPFortifyStaticCodeAnalyzer.
YourJSPfilesmustbepartofaWebApplicationArchive(WAR).IfyoursourcedirectoryisalreadyorganizedinaWARlayout,youcantranslatetheJSPfilesdirectlyfromthesourcedirectory.Ifthisisnotthecase,youmayneedtodeployyourapplicationandtranslatetheJSPfilesfromthedeploymentdirectory.
Forexample:
sourceanalyzer -b <build_id> \**\*.jsp \**\*.xml
where\**\*.jspreferstothelocationofyour*.jspprojectfilesand\**\*.xmlreferstothelocationofyourconfigurationanddeploymentdescriptorfiles.
Chapter 8: Translating Flex 35
Chapter 8: Translating FlexThischaptercoversthefollowingtopics:
• AbouttheCommand‐LineOptions
• AboutActionScriptCommandLineSyntax
• ActionScriptCommandLineExamples
• AboutHandlingResolutionWarnings
About the Command‐Line OptionsThefollowingcommand‐lineoptions(withcorrespondingpropertiesthatcanbeusedinstead,forconvenience)areusingwhentranslatingFlexfiles:
• -flex-sdk-root (com.fortify.sca.FlexSdkRoot)shouldpointtotherootofavalidFlexSDK.Thisfoldershouldcontainaframeworksfolderthatcontainsaflex-config.xmlfile.Itshouldalsocontainabinfolderthatcontainsanmxmlcexecutable.
Youcansetthispropertyinyourfortify-sca.propertiesfile.
• -flex-libraries (com.fortify.sca.FlexLibraries)containsa: or;separatedlist(: onmostplatforms,;onWindows)oflibrarynamesthatyouwantto“link”to.Inmostcases,thislistincludesflex.swc, framework.swc,andplayerglobal.swc(usuallyfoundinframeworks/libs/underyourFlexSDKroot).
Youcansetthispropertyinyourfortify-sca.propertiesfiletousethesamesetofSWCs.
Note:YoucanspecifySWCorSWFfilesasFlexlibraries,butwedonotcurrentlysupportSWZ.
• -flex-source-roots (com.fortify.sca.FlexSourceRoots)containsa:or; separatedlistofrootdirectoriesinwhichMXMLsourcescanbefound.Normally,thesewillcontainasubfoldernamedcom.Forinstance,ifaFlexsourcerootisgiventhatispointingatfoo/bar/src, then foo/bar/src/com/fortify/manager/util/Foo.mxmlwillgettransformedintoanobjectnamedcom.fortify.manager.util.Foo,(anobjectnamedFoointhepackagecom.fortify.manager.util).
• -flex-sdk-rootand–flex-source-rootsareprimarilyforMXMLtranslation,andareoptionalifyouarescanningpureActionScript.–flex-librariesisusedforresolvingallActionScript
Note:MXMLfilesaretranslatedintoActionScriptandthenrunthroughtheActionScriptparser.TheActionScriptthatisgeneratedisintendedtobesimpletoanalyze;notrigorouslycorrectliketheFlexrun‐timemodel.Asaconsequenceofthis,youmaygetparseerrorswithMXMLfiles.Forinstance,theXMLparsingcouldfail,thetranslationtoActionScriptcouldfail,andtheparsingoftheresultingActionScriptcouldalsofail.Ifyouseeanyerrorsthatdonothaveaclearconnectiontotheoriginalsourcecode,pleasenotifyHPFortifySupport.
Chapter 8: Translating Flex 36
About ActionScript Command Line SyntaxThebasiccommandlinesyntaxforActionScriptis:
sourceanalyzer -b <build_id> -flex-libraries <listOfLibraries>
TopassfilesdirectlytoFortifySCA,enter:
sourceanalyzer -b <build_id> -flex-libraries <listOfLibraries>
where:
<listOfLibraries>
isasemicolon‐separatedlist(Windows)oracolonseparated‐list(non‐Windowssystems)oflibrarynamesthatyouwantto“link”to.
ActionScript Command Line ExamplesThefollowingexamplesillustratecommand‐linestructurefortypicalscenariosyoumayencounter.
Example1
ThefollowingexampleisforasimpleapplicationthatcontainsonlyoneMXMLfileandasingleSWFlibrary(MyLib.swf).
sourceanalyzer -b MyFlexApp -flex-libraries lib/MyLib.swf -flex-sdk-root /home/myself/flex-sdk/ -flex-source-roots.my/app/FlexApp.mxml
Thisidentifiesthelocationofthelibrariestoinclude,andalsoidentifiestheFlexSDKandtheFlexsourcerootlocations.ThesingleMXMLfile,locatedin/my/app/FlexApp.mxml,resultsinyourMXMLapplication’sbeingtranslatedasasingleActionScriptclasscalledFlexAppandlocatedinthemy.apppackage.
Example2
Thefollowingexampleisforanapplicationinwhichthesourcefilesarerelativetothesrcdirectory.ItusesasingleSWFlibrary,MyLib.swf,andtheFlexandframeworklibrariesfromtheFlexSDK.
sourceanalyzer -b MyFlexProject -flex-sdk-root /home/myself/flex-sdk/ -flex-source-roots src/ -flex-libraries lib/MyLib.swf src/**/*.mxml src/**/*.as
Inthisexample,welocatetheFlexSDK.SCAfilespecifiersareusedtoincludethe.as andmxmlfilesunderthesrc folder.Itisnotnecessarytoexplicitlyspecifythe.SWCfilesfoundunderthe–flex-sdk-root,althoughthisexampledoessoforthepurposesofillustration.SCAwillautomaticallylocateall.SWCfilesunderthespecifiedFlexSDKroot,anditassumesthatthesearelibrariesintendedforusetranslatingActionScriptormxmlfiles.
Example3
Inthisexample,theFlexSDKrootandFlexlibrariesarespecifiedinapropertiesfilesincetypinginthedataistimeconsumingandittendstobeconstant.Theapplicationmaybedividedintotwosectionsandstoredinfolders:amainsectionfolderandamodulesfolder.Eachfoldercontainsansrcfolderwherethepathsshouldbebegun.Wildcardsareusedinfilespecifierstopickupallthe.mxmland.asfilesinbothofthesrcfolders.AnMXMLfileinmain/src/com/foo/util/Foo.mxmlwillbetranslatedasanActionScriptclassnamedFoointhepackagecom.foo.util,forexample,withthesourcerootsspecifiedhere:
sourceanalyzer -b MyFlexProject -flex-source-roots main/src:modules/src ./main/src/**/*.mxml ./main/src/**/*.as ./modules/src/**/*.mxml ./modules/src/**/*.as
Chapter 8: Translating Flex 37
About Handling Resolution WarningsToseeallwarningsthatweregeneratedduringyourbuild,enterthefollowingcommandbeforeyoustartthescanphase:
sourceanalyzer -b <build_id> -show-build-warnings
About ActionScript WarningsYoumayreceiveamessagesimilarto:
The ActionScript front end was unable to resolve the following imports: a.b at y.as:2. foo.bar at somewhere.as:5. a.b at foo.mxml:8.
ThiserroroccurswhenSCAcannotfindallofthelibrariesitneeds.YoumayneedtospecifyadditionalSWCorSWFFlexlibraries(‐flex‐librariesoption,orcom.fortify.sca.FlexLibrariesproperty)sothatSCAcancompletetheanalysis.
Chapter 9: Translating Code for Mobile Platforms 37
Chapter 9: Translating Code for Mobile PlatformsThischaptercoversthefollowingtopics:
• AboutTranslatingObjective‐CCode
• AboutTranslatingGoogleAndroidCode
About Translating Objective‐C CodeThissectiondescribeshowtotranslateObjective‐CsourcecodeforiOSapplications.
Prerequisites• Xcodecommand‐linetoolsmustbeinstalledinthepath.
• Projectsmustusethenon‐fragileObjective‐Cruntime(ABIversion2or3).
• UseApple’sxcode‐selectcommand‐lineutilitytosetyourXcodepath.SCAusesthesystems’sglobalXcodeconfigurationtofindtheXcodetoolchainandheaders.
About Objective‐C Command Line SyntaxThebasiccommandlinesyntaxfortranslatingasinglefileis:
sourceanalyzer -b <build_id> -clean
sourceanalyzer -b <build_id> xcodebuild [<compiler options>]
where:
<compiler options> areoptionspassedtoxcode.
Objective‐C Command Line ExampleThefollowingsimpleexamplesillustrateusagepatternsforthesupportedcompilers.Thefollowingcommandsamplesshouldberunfromthedirectorywheretheprojectfilesarelocated.
TotranslateanXcodeObjective‐Cproject,enter:
xcodebuild [options] clean(Optional.Cleanthepreviousbuildartifacts)
sourceanalyzer -b my_buildid -clean
sourceanalyzer -b my_buildid xcodebuild [options]
Toscantheapplicationartifactfiles:
sourceanalyzer -b my_buildid -scan -f result.fpr
Note:Thesourcecodewillbecompiledwhenrunningthesecommands.
Xcode Compiler ErrorsIfyoureceiveXcodecompilererrors,thismaybeduetotheinclusionofClangoptionsaddedafteryourversionofSCAwasreleased.Toeradicatetheerrors,typethefollowingafterxcodebuild:
ARCHS=i386GCC_TREAT_WARNINGS_AS_ERRORS=NO
whereARCHS=i386representsthearchitectures(ABIs,processormodels)towhichthebinaryistargeted.
Chapter 9: Translating Code for Mobile Platforms 38
About Translating Google Android CodeSSRprovidesrulessupportforprogramsthatrunontheGoogleAndroidplatform.Theserules
• identifyinsecuredatastorage
• categorizeapplicationsbytheirsecuritypermissionsanddetectoverprivilegeduses
• sendandreceiveintents,identifydatabase,filesystem,web,privateinformationandAndroidinter‐componentsources
TranslatingGoogleAndroidcodeissimilartotranslatingJavacode.ForinstructionsontranslatingJavacode,seeChapter2,TranslatingJavaCodeonpage17.
Migration IssuesIfyouhavemigratedfromapreviousversionofSCAandreceiveanerrorwhenrunningSCA,itmaybeduetoadeprecatedpropertykeyinyourfortify-sca.propertiesfile.Checkthe fortify-sca.prortiesfile(locatedintheinstall directory>/SCA/Core/config/directoryforanyofthefollowing,deprecatedpropertykeys:
com.fortify.sca.xcodebuild.CompilerPath
com.fortify.sca.xcodebuild.SupportedVersion
com.fortify.sca.xcodebuild43.CompilerPath
com.fortify.sca.clang.includes
com.fortify.sca.clang.CaptureWarnings
com.fortify.sca.llvmtonst.CaptureWarnings
com.fortify.sca.llvmtonst.FailOnError
com.fortify.sca.llvmtonst.command
com.fortify.sca.llvmtonst.options
com.fortify.sca.pretranslate.command
Iffound,removethekeyfromyourpropertiesfile.
Chapter 10: Translating Other Languages 39
Chapter 10: Translating Other LanguagesThischaptercoversthefollowingtopics:
• AboutCommandLineSyntaxforOtherLanguages
• ConfigurationConsiderations
• TranslatingCOBOLCode
About Command Line Syntax for Other LanguagesThistopicdescribestheSCAcommandsyntaxfortranslatingotherlanguages.
Thebasiccommandlinesyntaxforotherlanguagesis:
sourceanalyzer -b <build_id> <file_list>
EnterthefollowingtoselectthesqltypebeingtranslatedonWindowsplatforms:
sourceanalyzer -b <example_build> -sql-language TSQL <files>
or
sourceanalyzer -b <example_build> -sql-language PL/SQL <files>
SQLNote:Bydefault,fileswiththeextensionsqlareassumedtobeT‐SQLratherthanPL/SQLonWindowsplatforms.IfyouareusingWindowsandhavePL/SQLfileswiththesqlextension,youcanconfigureSCAtotreatthemasPL/SQLratherthanexplicitlyspecifyiteachtimeyourrunsourceanalyzer
Tochangethedefaultbehavior,setthecom.fortify.sca.fileextensions.sql propertyinfortify-sca.properties to “TSQL” or “PLSQL.”
EnterthefollowingtoperformtranslationonColdFusionsourcecode:
sourceanalyzer -b <build -id> -source-base-dir <dir> <files|file specifiers>
where:
• <build_id>specifiesthebuildIDfortheproject
• <dir>specifiestherootdirectoryofthewebapplication
• <files|file specifiers>specifiestheCFMLsourcecodefiles
ColdFusionNote:SCAcalculatestherelativepathtoeachCFMLsourcefilebyusingthe-source-base-dirdirectoryasthestartingpoint,thenusestheserelativepathswhengeneratinginstanceIDs.Iftheentireapplicationsourcetreeismovedtoadifferentdirectory,theinstanceIDsgeneratedbyasecurityanalysisshouldremainthesameifyouspecifyanappropriatevaluefor-source-base-dir.
Foradescriptionofalltheoptionsyoucanusewiththesourceanalyzercommand,seeCommandLineInterfaceonpage48.
Filespecifiersareshowninthefollowingtable:
Table 4: File Specifiers
File Specifier Description
<dirname> Allfilesfoundunderthenameddirectoryoranysubdirectories
<dirname>/**/Example.js AnyfilenamedExample.jsfoundunderthenameddirectoryoranysubdirectories
Chapter 10: Translating Other Languages 40
Note:WindowsandmanyUnixshellsautomaticallytrytoexpandargumentscontainingthe'*'character,sofile‐specifierexpressionsshouldbequoted.Also,onWindows,enterthebackslash(\)insteadoftheforwardslash(/).
Configuration ConsiderationsThissectionprovidesinformationonconfiguringPython,configuringColdFusion,configuringtheSQLextension,andconfiguringASP/VSScriptvirtualroot.
Configuring PythonSCAtranslatesPythonapplications,andtreatsfileswiththeextensionpyasPythonsourcecode.InorderforSCAtotranslatePythonapplicationsandpreparetheapplicationforascan,SCAsearchesanyimportfilesfortheapplication.SCAdoesnotrespectthePYTHONPATHenvironmentvariablewhichthePythonruntimesystemusestofindimportedfiles,sothisinformationshouldbegivendirectlytoSCAusingthe -python-pathargument.Inaddition,someapplicationsaddadditionalimportdirectoriesduringruntimeinitialization.
Toaddpathsforadditionalimportdirectories,usethesourceanalyzercommandlineoption:
-python-path pathname
Note:SCAtranslatesPythonapplicationsusingallimportfileslocatedinthedirectorypathdefinedbythe-python-path pathnameoption.Subsequently,translationmaytakeasignificantamountoftimetocomplete.
Using the Django Framework with Python
InordertoscancodecreatedusingtheDJangoframework,setthefollowingpropertiesinthefortify-sca.propertiesconfigurationfile:
-Dcom.fortify.sca.limiters.MaxPassThroughChainDepth=8
-Dcom.fortify.sca.limiters.MaxChainDepth-8
Duringthetranslationphase,setthefollowingswitch:
-django-template-dirs path/to/template/dirs
Configuring ColdFusionInordertotreatundefinedvariablesinaCFMLpageastainted,uncommentthefollowinglineinsca_install_dir\Core\config\fortify-sca.properties:#com.fortify.sca.CfmlUndefinedVariablesAreTainted=true
Doingsoservesasahinttothedataflowanalyzertowatchoutforregister‐globals‐stylevulnerabilities.However,enablingthispropertyinterfereswithDataflowfindingsinwhichavariableinanincludedpageisinitializedtoataintedvalueinanearlier‐occurringincludedpage.
<dirname>/*.js Anyfilewiththeextension.jsfoundinthenameddirectory
<dirname>/**/*.js Anyfilewiththeextension.jsfoundunderthenameddirectoryoranysubdirectories
<dirname>/**/* Allfilesfoundunderthenameddirectoryoranysubdirectories(sameas<dirname>)
Table 4: File Specifiers (Continued)
File Specifier Description
Chapter 10: Translating Other Languages 41
Configuring the SQL ExtensionBydefault,fileswiththeextensionsqlareassumedtobeT‐SQLratherthanPL/SQLonWindowsplatforms.IfyouareusingWindowsandhavePL/SQLfileswiththesqlextension,youshouldconfigureSCAtotreatthemasPL/SQL.Tochangethedefaultbehavior,setthecom.fortify.sca.fileextensions.sql propertyinfortify-sca.propertiesto“TSQL”or“PLSQL.”
Note:Fortify360v2.5updatedthePL/SQLparsertoimprovetranslationofPL/SQLsourcecode.However,theexistenceoftwodifferentparserscanmakemergingresultsfrompre‐v2.5andpost‐v2.5difficult.
ToreverttotheolderversionofthePL/SQLparser,addthefollowingpropertytothefortify-sca.propertiesfile:
com.fortify.sca.UseOldPlsql=true
Configuring ASP/VBScript Virtual RootsSCAallowsyoutohandleASPvirtualroots.Forwebserversthatusevirtualdirectoriesasaliasesthatmaptophysicaldirectories,SCAallowsyoutousealias.
Forinstance,youmayhavevirtualdirectoriesnamedIncludeandLibrarywhichrefertothephysicaldirectoriesC:\WebServer\CustomerOne\incandC:\WebServer\CustomerTwo\Stuff,respectively.
Asanexample,theASP/VBScriptcodeforanapplicationusingvirtualincludes,asfollows:
<!--#include virtual=”Include/Task1/foo.inc”-->
TheaboveASPcodereferstotheactualdirectory,asfollows:
C:\Webserver\CustomerOne\inc\Task1\foo.inc
TherealdirectoryreplacesthevirtualdirectorynameIncludeinthatinstance.
Accommodating Virtual Roots
InordertoindicatetoSCAwhateachvirtualdirectoryisanaliasfor,youmustsetapropertyoftheformcom.fortify.sca.ASPVirtualRoots.name_of_virtual_directoryaspartofyourcommandlineinvocationofSCAinthefollowingmanner:
sourceanalyzer -Dcom.fortify.sca.ASPVirtualRoots.name_of_virtual_directory=<full path to corresponding physical directory>
Note:OnWindows,ifthephysicalpathhasspacesinit,youmustincludethepropertysettingindouble‐quotes:
sourceanalyzer "-Dcom.fortify.sca.ASPVirtualRoots.name_of_virtual_directory=<full path to corresponding *physical* directory>"
Toexpandupontheexampleintheprevioussection,thepropertyvaluethatyoumustpassalongshouldbe:
-Dcom.fortify.sca.ASPVirtualRoots.Include=”C:\WebServer\CustomerOne\inc”
-Dcom.fortify.sca.ASPVirtualRoots.Library="C:\WebServer\CustomerTwo\Stuff”
DoingsocausesthemappingofIncludetoitsdirectoryandLibrarytoitsdirectory.
WhenSCAencounterstheincludedirective:
<!-- #include virtual="Include/Task1/foo.inc" -->
SCAwillfirstchecktoseeifyourprojectcontainsaphysicaldirectorynamedInclude.Ifthereisnosuchphysicaldirectory,SCAlooksthroughitsownrun‐timepropertiesandseesthat:
-Dcom.fortify.sca.ASPVirtualRoots.Include="C:\WebServer\CustomerOne\inc"
Chapter 10: Translating Other Languages 42
ThistellsSCAthatvirtualdirectoryIncludeisactuallythedirectory:
C:\WebServer\CustomerOne\inc
ThiswillcauseSCAtolookforthefile:
C:\WebServer\CustomerOne\inc\Task1\foo.inc
Alternately,ifyouchoosetosetthispropertyinthefortify-sca.propertiesfile,whichislocatedin<sca_install_dir>\Core\config,youmustescapethe\character,aswellasanyspacesthatappearinthepathofthephysicaldirectory:
com.fortify.sca.ASPVirtualRoots.Library=c:\\WebServer\\CustomerTwo\\Stuff
com.fortify.sca.ASPVirtualRoots.Include=c:\\WebServer\\CustomerOne\\inc
Note:ThepreviousversionoftheASPVirtualRootpropertyisstillvalid,whichyoumayuseontheSCAcommandlineasfollows:
-Dcom.fortify.sca.ASPVirtualRoots=C:\WebServer\CustomerTwo\Stuff;C:\WebServer\CustomerOne\inc
ThispromptsSCAtosearchthroughthelisteddirectoriesintheorderspecifiedwhenitisresolvingavirtualincludedirective.
Example: Using Virtual Roots
Youhaveafileasfollows:
C:\files\foo\bar.asp
Youcanspecifythisfilebyusingthefollowinginclude:
<!-- #include virtual="/foo/bar.asp">
Thenyoushouldsetthevirtualrootas:
-Dcom.fortify.sca.ASPVirtualRoots=C:\files\foo
Thiswillstripthe/foofromthefrontofthevirtualroot.IfyoudonotspecifyfoointheASPVirtualRootsproperty,SCAwilllookinC:\files\bar.asp,andwillfail.
Thesequenceforspecifyingvirtualrootsareasfollows:
1. Removethefirstpartofthepathinthesource
2. Replacethefirstpartofthepathwiththevirtualrootasspecifiedonthecommandline.
Other Language Command Line ExamplesThissectionincludesexamplesoftranslatingPL/SQL,T‐SQL,PHP,ClassicASPwrittenwithVBScript,JavaScript,VBScriptFiles.
Translating PL/SQL ExampleThefollowingexampledemonstratessyntaxfortranslatingtwoPL/SQLfiles:
sourceanalyzer -b MyProject x.pks y.pks
ThefollowingexampledemonstrateshowtotranslateallPL/SQLfilesunderthesourcesdirectory:
sourceanalyzer -b MyProject "sources/**/*.pks"
Chapter 10: Translating Other Languages 43
Translating T‐SQL ExampleThefollowingexampledemonstratessyntaxfortranslatingtwoT‐SQLfiles:
sourceanalyzer -b MyProject x.sql y.sql
ThefollowingexampledemonstrateshowtotranslateallT‐SQLfilesunderthesourcesdirectory:
sourceanalyzer -b MyProject "sources\**\*.sql"
Note:Thisexampleassumesthecom.fortify.sca.fileextensions.sql propertyinfortify-sca.propertiesissetto“TSQL.”
Translating PHP ExampleTotranslateasinglefilenamedMyPHP.php,enter:
sourceanalyzer -b mybuild "MyPHP.php"
Totranslateafilewherethesourceorthephp.inifileentryincludesarelativepathname(startswith./ or../),youwillneedtosetthePHPsourceroot:
sourceanalyzer -php-source-root <path> -b mybuild "MyPHP.php"
where<path>shouldbetheabsoluteorrelativepathtotheprojectrootdirectory.Therelativepathnamewillexpandfromthephpprojectrootdirectory.
Translating Classic ASP written with VBScript ExampleTotranslateasinglefilenamedMyASP.asp,enter:
sourceanalyzer -b mybuild "MyASP.asp"
Translating JavaScript ExampleTotranslateallJavaScriptfilesunderthescriptsdirectory,enter:
sourceanalyzer -b mybuild "scripts/*.js"
Translating VB Script File ExampleTotranslateaVBfilenamedmyApp.vb,enter:
sourceanalyzer -b mybuild "myApp.vb"
Translating COBOL CodeThissectionprovidesinformationonsupportedtechnologies,preparingCOBOLsourcefilesfortranslation,COBOLcommandlinesyntax,andauditingaCOBOLscan.
Note:InordertouseSCAtoscanCOBOL,youmusthaveaspecializedHPFortifylicensespecificforCOBOLscanningcapabilities.ContactHPFortifyformoreinformationaboutscanningCOBOLandthenecessarylicenserequired.
Chapter 10: Translating Other Languages 44
Supported TechnologiesSCAsupportsIBMEnterpriseCOBOLforIBMz/OSandiscompatiblewiththefollowingsystems:
• CICS
• IMS
• DB/2embeddedSQL
• IBMWebSphereMQ
Preparing COBOL Source Files for TranslationSCArunsonlyonthesupportedsystemslistedintheHPFortifySystemRequirementsdocument,notonmainframecomputers.ThismeansthatbeforeyoucanscanaCOBOLprogram,youmustcopythefollowingprogramcomponentstothesystemrunningSCA:
• TheCOBOLsourcecode
• AllcopybookfilesusedbytheCOBOLsourcecode
• AllSQLINCLUDEfilesreferencedbytheCOBOLsourcecode
Preparing COBOL Source Code Files
IfyouareretrievingCOBOLsourcefilesfromamainframewithoutCOBorCBLfileextensions(whichisusuallythecaseforCOBOLfilenames),thenyoumustusethefollowingcommandline:
-noextension-type COBOL <directory-file-path>
SpecifythedirectoryandfolderwithallCOBOLfilesastheargumenttoSCA,andSCAwillprocessallthefilesinthatdirectoryandfolderwithoutanyneedforCOBOLfileextensions.
Preparing COBOL Copybook Files
SCAdoesnotidentifycopybooksbyextension.AllcopybookfilesshouldthereforeretainthenamesusedintheCOBOLsourcecodeCOPYstatements.
About COBOL Command Line SyntaxFree‐formatCOBOListhedefaulttranslationandscanningmodeforSCA.Thebasicsyntaxfortranslatingasinglefree‐formatCOBOLsourcecodefileis:
sourceanalyzer -b <build-id>
Thebasicsyntaxforscanningatranslatedfree‐formatCOBOLprogramis:
sourceanalyzer -b <build-id> -scan -f <FPR file name>
Working with Fixed‐Format COBOL
SCAalsosupportsfixed‐formatCOBOL.Whentranslatingandscanningfixed‐formatCOBOL,boththetranslationandscanningcommandlinesmustincludethe-fixed-formatcommandlineoption.Forexample,thetranslationlinesyntaxwouldlooklike:
sourceanalyzer -b <build-id> -fixed-format
Andthescanninglinesyntaxwouldlooklike:
sourceanalyzer -b <build-id> -scan -fixed-format -f <FPR file name>
IfyourCOBOLcodeisIBMEnterpriseCOBOL,thenitismostlikelyfixedformat.IftheCOBOLtranslationcommandappearstohangindefinitely,terminatethetranslationbytypingCtrl‐Cseveraltimes,andrepeatthetranslationcommandwiththe“‐fixed‐format”parameter.
Chapter 10: Translating Other Languages 45
Searching for COBOL Copybooks
UsethecopydirscommandlineoptiontodirectSCAtosearchalistofpathsforcopybooksandSQL INCLUDEfiles.Forexample,thecommandlinesyntaxwouldlooklikethefollowing:
sourceanalyzer -b coboltest -copydirs c:\cobol\copybooks
About Auditing COBOL ScansAfterusingthecommandlinetoscantheapplication,youcanuploadtheresultingFPRfiletoHPFortifyAuditWorkbenchorHPFortifySoftwareSecurityCenterandaudittheapplication’sissues.
SCAdoesnotcurrentlysupportcustomrulesforCOBOLapplications.
Chapter 11: Troubleshooting and Support 45
Chapter 11: Troubleshooting and SupportThischaptercoversthefollowingtopics:
• UsingtheLogFiletoDebugProblems
• AbouttheTranslationFailedMessage
• AboutJSPTranslationProblems
• AboutASPXTranslationProblems
• AboutC/C++PrecompiledHeaderFiles
• AboutReportingBugsandRequestingEnhancements
Using the Log File to Debug ProblemsIfyouencounterwarningsandproblemswhenyourunSCA,re‐runSCAusingthe-debugoption.Thisgeneratesafilenamedsca.loginthefollowingdirectory:
• OnWindows:C:\Documents and Settings\<username>\Local Settings\Application Data\Fortify\scax.xx\log
• Onotherplatforms:$HOME/.fortify/scax.xx/log
wherex.xxistheversionofSCAyouareusing.
Emailthesca.logfileasazipfiletotechsupport@fortify.comforfurtherinvestigation.
About the Translation Failed MessageIfyourC/C++applicationbuildssuccessfullybutyouseeoneormore“translationfailed”messageswhenbuildingwithSCA,editthe<install_directory>/Core/config/fortify-sca.propertiesfiletochangethefollowingline:
com.fortify.sca.cpfe.options= --remove_unneeded_entities --suppress_vtbl
to
com.fortify.sca.cpfe.options=-w --remove_unneeded_entities --suppress_vtbl
Re‐runthebuildtoprinttheerrorsencounteredbythetranslator.IftheoutputindicatesanincompatibilitybetweenyourcompilerandtheHPFortifytranslator,sendyouroutputtoFortifyTechnicalSupportforfurtherinvestigation.
About JSP Translation ProblemsSCAuseseitherthebuilt‐inoryourspecificapplicationserver'sJSPcompilertotranslateJSPfilesintoJavafilesforanalysis.
IftheJSPparserencountersproblemswhenSCAisconvertingJSPfilestoJavafilesforanalysis,youwillseeamessagesimilartothefollowing:
Failed to translate the following jsps into analysis model. Please see the log file for any errors from the jsp parser and the user manual for hints on fixing those<List of JSP file names>
Thistypicallyhappensduetooneormoreofthefollowingreasons:
• ThewebapplicationisnotlaidoutinaproperdeployableWARdirectoryformat
• YouaremissingsomeJARfilesorclassesrequiredfortheapplication
• Sometaglibrariesortheirdefinitions(TLD)aremissingfromyourapplication
Chapter 11: Troubleshooting and Support 46
Toobtainmoreinformationabouttheproblem,performthefollowingsteps:
1. OpentheSCAlogfileinaneditor.
2. SearchforthestringsJsp parser stdout:andJsp parser stderr:.
TheseerrorsaregeneratedbytheJSPparserthatwasused.ResolvetheerrorsandrerunSCA.
FormoreinformationaboutscanningJ2EEapplications,seeTranslatingJ2EEApplicationsonpage20.
About ASPX Translation ProblemsSCAcompilesASPXfilestoDLLsforanalysisasfollows:
• Ifyouareusing.NET2.0orlaterandVisualStudio2005,usingtheMicrosoftaspnet_compilecompiler
• Ifyouareusing.NET1.1andVisualStudio2003,tryingtofetchASPXfilesoneatatimefromthewebsite
Thecompilationstepcanfailif:
• Youhaveaccessorauthenticationproblemswithaccessingthewebapplication
• YouaremissingsomerequiredDLLs
Ineithercase,youwillseeamessagesimilartothefollowing:
Failed to translate the following aspx files into analysis model. Please see the log file for any errors from the aspx precompiler and the user manual for hints on fixing those.<List of ASPX file names>
Ifyouareusingtheplug‐in,enableplug‐indebuggingandexaminetheplug‐inlogfileforanyerrorsgeneratedbytheASPXprecompiler.
Ifyouareusingthecommandlinetool,fortify_aspnet_compiler,youshouldseetheerrormessagesontheconsole.
Ifyoustillcannotdeterminethecauseoftheproblem,trytoaccesssomeofthefailedASPXfilesfromyourbrowserandseewhatkindoferrorsdisplay.Ifyouseemessagessuchascannot locate assembly,ensurethatyouhavethemissingDLLsandrerunSCA.
IfyoucanaccessthefailedASPXfilesfromthebrowser,butSCAstillfailstoscanit,contactHPFortifyTechnicalSupportforadditionalhelp.
FormoreinformationaboutscanningASP.NETapplications,seeTranslatingASP.NET1.1(VisualStudioVersion2003)Projectsonpage24.
About C/C++ Precompiled Header FilesSomeC/C++compilerssupportafeaturetermed“precompiledheaderfiles,”whichcanspeedupcompilation.Somecompilers'implementationsofthisfeaturehavesubtleside‐effects.Whenthefeatureisenabled,thecompilermayaccepterroneoussourcecodewithoutwarningsorerrors.ThiscanresultinadiscrepancywhereSCAreportstranslationerrorsevenwhenyourcompilerdoesnot.
Ifyouusetheprecompiledheaderfeatureofyourcompiler,makesureyoursourcecodecompilescleanlybydisablingprecompiledheadersanddoingafullbuild.
Chapter 11: Troubleshooting and Support 47
About Reporting Bugs and Requesting EnhancementsFeedbackiscriticaltothesuccessofthisproduct.Torequestenhancementsorpatches,ortoreportbugs,sendanemailtoTechnicalSupportat:
Besuretoincludethefollowinginformationintheemailbody:
• Product:SCA
• VersionNumber:Todeterminetheversionnumber,runthefollowing:
sourceanalyzer -version
• Platform:(suchasPC)
• OS:(suchasWindows2000)
Whenrequestingenhancements,includeadescriptionofthefeatureenhancement.
Whenreportingbugs,provideenoughdetailsfortheissuetobeduplicated.Themoredescriptiveyouare,thefasterwecananalyzeandfixtheissue.Alsoincludethelogfiles,ortherelevantportionsofthem,fromwhentheissueoccurred.
Appendix A: Command Line Interface 48
Appendix A: Command Line InterfaceThisappendixcoversthecommandlineoptions:
• OutputOptions
• AnalysisOptions
• PythonOption
• ColdFusionOptions
• Java/J2EEOptions
• .NETOptions
• BuildIntegrationOptions
• RuntimeOptions
• OtherOptions
Output OptionsThefollowingtabledescribestheoutputoptions.
Table 5: Output Options
Output Option Description
-append Appendsresultstothefilespecifiedwith-f.Ifthisoptionisnotspecified,SCAaddsthenewfindingstotheFPRfile,andlabelstheolderresultaspreviousfindings.Tousethisoption,theoutputfileformatmustbe.fpror.fvdl.Forinformationonthe-formatoutputoption,seethedescriptioninthistable.
Note:When-appendispassedtoSCAandtheoutputfilespecifiedwiththe-foptioncontainstheresultsofanearlierscan,theresultingFPRcontainstheissuesfromtheearlierscanaswellasissuesfromthecurrentscan.Thebuildinformationandprogramdata(listsofsourcesandsinks)sectionsarealsomerged.
Theenginedatasection,whichincludesrulepackinformation,commandlineoptions,systemproperties,warningsanderrors,andotherinformationabouttheexecutionofsourceanalyzer(asopposedtoinformationabouttheprogrambeinganalyzed),isnotmerged,inpartbecausethereisnowaytomeaningfullymergethisdatafrommultiplescans.Becauseenginedataisnotmergedwith-append,HPFortifydoesnotcertifyresultsgeneratedwith-append.
Ingeneral,-appendshouldonlybeusedwhenitisnotpossibletoanalyzeanentireapplicationatonce.
-build-label<label> Thelabeloftheprojectbeingscanned.ThelabelisnotusedbySCAbutisincludedintheanalysisresults.
-build-project <project> Thenameoftheprojectbeingscanned.ThenameisnotusedbySCAbutisincludedintheanalysisresults.
-build-version <version> Theversionoftheprojectbeingscanned.TheversionisnotusedbySCAbutisincludedintheanalysisresults.
-f <file> Thefiletowhichresultsarewritten.Ifyoudonotspecifyanoutputfile,theoutputiswrittentotheterminal.
Appendix A: Command Line Interface 49
Analysis OptionsThefollowingtabledescribestheanalysisoptions.
-format <format> Controlstheoutputformat.Validoptionsarefpr,fvdl,text,andauto.Thedefaultisauto,whichselectstheoutputformatbasedonthefileextension.
Note:Ifyouareusingresultcertification,youmustspecifythefprformat.SeetheAuditWorkbenchUser’sGuideforinformationonresultcertification.
Table 6: Analysis Options
Analysis Option Description
-disable-default-rule-type <type>
DisablesallrulesofthespecifiedtypeinthedefaultRulepacks.Canbeusedmultipletimestospecifymultipleruletypes.WherethevalueoftypeistheXMLtagminusthesuffix“Rule.”Forexample,useDataflowSourceforDataflowSourceRuleelements.Youcanalsospecifyspecificsectionsofcharacterizationrules,suchasCharacterization:Controlflow,Characterization:Issue,andCharacterization:Generic.
Typeiscase‐insensitive.
-encoding Specifiestheencoding.SCAallowsscanningaprojectthatcontainsdifferentencodedsourcefiles.Toworkwithamulti‐encodedproject,youmustspecifythe-encodingoptionatthetranslationstep,whenSCAfirstreadsthesourcecodefile.Thisencodingisrememberedinthebuildsession,andispropagatedintotheFVDLfile.
-filter <file_name> Specifiesaresultsfilterfile.
-findbugs EnablesFindBugsanalysisforJavacode.TheJavaclassdirectoriesmusthavebeenspecifiedwiththe-java-build-diroption,describedin“Java/J2EEOptions”onpage51.
-no-default-issue-rules DisablesrulesindefaultRulepacksthatleaddirectlytoissues.Stillloadsrulesthatcharacterizethebehavioroffunctions.Note:Thisequivalenttodisablingthefollowingruletypes:DataflowSink,Semantic,Controlflow,Structural,Configuration,Content,Statistical,Internal,andCharacterization:Issue.
-no-default-rules SpecifiesnottoloadrulesfromthedefaultRulepacks.SCAprocessestheRulepacksfordescriptionelementsandlanguagelibraries,butnorulesareprocessed.
-no-default-source-rules DisablessourcerulesinthedefaultRulepacks.Note:Characterizationsourcerulesarenotdisabled.
-no-default-sink-rules DisablessinkrulesinthedefaultRulepacks.Note:Characterizationsinkrulesarenotdisabled.
-disable-source-rendering
SourcefilesarenotincludedintheFPRfile.
Table 5: Output Options (Continued)
Output Option Description
Appendix A: Command Line Interface 50
Python OptionThefollowingtabledescribestheColdFusionoption.
Table 7: Python Options
Python Option Description
-python-path <path name> Specifiesthepathforadditionalimportdirectories.SCAdoesnotrespectthePYTHONPATHenvironmentvariablethatthePythonruntimesystemusestofindimportedfiles.Usethe-python-pathargumenttospecifyadditionalimportdirectories.
ColdFusion OptionsThefollowingtabledescribestheColdFusionoption.
Table 8: ColdFusion Options
ColdFusion Option Description
-source-base-dir Thewebapplication’srootdirectory.
-source-archive Theapplication’ssourcearchiverepository.Youmustincludethe‐scanand‐foptionstousethisoption.
-quick ScanstheprojectinQuickScanMode,usingthefortify-sca-quickscan.propertiesfile.Bydefault,thisscansearchesforhigh‐confidence,high‐severityissues.FormoreinformationaboutQuickScanMode,seetheAuditWorkbenchUser’sGuide.
-rules [<file>|<directory>]
SpecifiesacustomRulepackordirectory.CanbeusedmultipletimestospecifymultipleRulepackfiles.Ifyouspecifyadirectory,allofthefilesinthedirectorywiththe.binand.xmlextensionsareincluded.
-scan CausesSCAtoperformanalysisforthespecifiedbuildID.
Table 6: Analysis Options (Continued)
Analysis Option Description
Appendix A: Command Line Interface 51
Java/J2EE OptionsThefollowingtabledescribestheJava/J2EEoptions.
Table 9: Java/J2EE Options
Java/J2EE Options Description
-appserver SpecifiestheapplicationserverforprocessingJSPfiles:weblogicorwebsphere.
-appserver-home Specifiestheapplicationserver’shome.
ForWeblogic,thisisthepathtothedirectorycontainingtheserver/lib directory.
ForWebSphere,thisisthepathtothedirectorycontainingtheJspBatchCompiler script.
-appserver-version Specifiestheversionoftheapplicationserver.
ForWeblogic,validvaluesare7,8,9,and10.
ForWebSphere,thevalidvalueis6.
-cp <classpath>,-classpath <classpath>
SpecifiestheclasspathtouseforanalyzingJavasourcecode.Theformatissameasjavac:acolonorsemicolon‐separatedlistofpaths.YoucanuseSCAfilespecifiers.Note:Ifyoudonotspecifytheclasspathwiththisoption,theCLASSPATHenvironmentvariableisused.
-extdirs <dirs> Similartothejavacextdirsoption,acceptsacolonorsemicolon‐separatedlistofdirectories.Anyjarfilesfoundinthesedirectoriesareincludedimplicitlyontheclasspath.
-java-build-dir SpecifiesoneormoredirectoriestowhichJavasourceshavebeencompiled.MustbespecifiedforFindBugsresults,asdescribedin“AnalysisOptions”onpage49.
-source <version> IndicateswhichversionoftheJDKtheJavacodeiswrittenfor.Validvaluesforversionare1.3,1.4,1.5,1.6 and 1.7.Thedefaultis1.4.
-sourcepath Specifiesthelocationofsourcefileswhichwillnotbeincludedinthescanbutwillbeusedfornameresolution.Thesourcepathislikeclasspath,exceptitusessourcefilesratherthanclassfilesforresolution.
Appendix A: Command Line Interface 52
.NET OptionsThefollowingtabledescribesthe.NEToptions.
Table 10: .NET Options
.NET Options Description
-libdirs <dirs> Acceptsacolonorsemicolon‐separatedlistofdirectorieswheresystemDLLsarelocated.
-dotnet-sources <directory name>
Specifieswheretolookforsourcefilesforadditionalinformation.ThisoptionisautomaticallypassedfromtheSCAplug‐insandAuditWorkbenchbutwhenyouarerunningSCAmanually,youmustprovideityourself.ThisoptioncausesSCAtoattempttofindany.NETclasses,enums,orinterfacesthatarenotexplicitlydeclaredinthecompiledproject.
-vsversion <version> SpecifiesVisualStudioversion.Validvaluesforversionare7.1forVisualStudioVersion2003,8.0forVisualStudioVersion2005,9.0forVisualStudio2008,10.0forVisualStudio2010and11.0forVisualStudio2012.Thedefaultvalueis7.1.
Build Integration OptionsThefollowingtabledescribesthebuildintegrationoptions.
Table 11: Build Integration Options
Build Integration Options Description
-b <build_id> SpecifiesthebuildID.ThebuildIDisusedtotrackwhichfilesarecompiledandcombinedtobepartofabuildandlatertoscanthosefiles.
-bin <binary> Usedwith-scantospecifyasubsetofsourcefilestoscan.Onlythesourcefilesthatwerelinkedinthenamedbinaryatbuildtimeareincludedinthescan.Canbeusedmultipletimestospecifytheinclusionofmultiplebinariesinthescan.
-exclude <file_pattern> Removesfilesfromthelistoffilestotranslate.Forexample:sourceanalyzer –cp "**/*.jar" "**/*" -exclude "**/Test.java"Note:The-excludeoptionworkswheninputfilesarespecifiedonthecommandline;itdoesnotworkwithcompilerintegration.
-nc Whenspecifiedbeforeacompilercommandline,SCAprocessesthesourcefilebutdoesnotrunthecompiler.
Appendix A: Command Line Interface 53
DirectivesThefollowingdirectivescanbeusedtolistinformationabouttranslationstepsthathavebeentaken.Onlyonedirectivecanbeusedatatimeandcannotbeusedinconjunctionwithnormaltranslationoranalysissteps.
Table 12: Directives
Directives Description
-clean DeletesallSCAintermediatefilesandbuildrecords.WhenabuildIDisalsospecified,onlyfilesandbuildrecordsrelatingtothatbuildIDaredeleted.
-show-binaries Displaysallobjectsthatwerecreatedbutnotusedintheproductionofanyotherbinaries.Iffullyintegratedintothebuild,itlistsallofthebinariesproduced.
-show-build-ids DisplaysalistofallknownbuildIDs.Note:ThisoptionmayerasebuildIDsgeneratedbypreviousversionsofSCA.
-show-build-tree Displaysallfilesusedtocreatebinaryandallfilesusedtocreatethosefilesinatreelayout.Ifthe-binbinaryoptionisnotpresent,thetreeisdisplayedforeachbinary.Note:Thisoptioncangenerateanextensiveamountofinformation.
-show-files ListsthefilesinthespecifiedbuildID.Whenthe-binoptionispresent,displaysonlythesourcefilesthatwentintothebinary.
-show-build-warnings Usewith-b <build_id>toshowallerrorsandwarningsfromthetranslationphaseontheconsole.Note:TheseerrorsandwarningsdisplayintheresultscertificationpanelofAuditWorkbench.
-show-loc Displaysthenumberoflinesinthecodebeingtranslated.
Runtime OptionsThefollowingtabledescribestheruntimeoptions.
Table 13: Runtime Options
Runtime Options Description
-logfile <file_name> SpecifiesthelogfilethatisproducedbySCA.
-quiet Disablesthecommandlineprogressbar.
-verbose Sendsverbosestatusmessagestotheconsole.
-Xmx <size> SpecifiesthemaximumamountofmemoryusedbySCA.Bydefault,itusesupto600MBofmemory(-Xmx600M),whichcanbeinsufficientforlargecodebases.Whenspecifyingthisoption,ensurethatyoudonotallocatemorememorythanisphysicallyavailable,becausethisdegradesperformance.Asaguideline,assumingnoothermemoryintensiveprocessesarerunning,donotallocatemorethan2/3oftheavailablememory.
Appendix A: Command Line Interface 54
Other OptionsThefollowingtabledescribesotheroptions.
Table 14: Other Options
Other Options Description
@<filename> Readscommandlineoptionsfromthespecifiedfile.
-encoding <encoding_name>
Specifiesthesourcefileencodingtype.Thisoptionisthesameasthejavacencodingoption.
-h, -?, -help Printsthissummaryofcommandlineoptions.
-version Displaystheversionnumber.
-debug Enablesdebugmodewhichisusefulduringtroubleshooting.
-build-migration-map <old_fpr_file>
RunstheInstanceIDmapperattheendofascan.
Specifying FilesFilespecifiersareexpressionsthatallowyoutoeasilypassalonglistoffilestoSCAusingwildcardcharacters.SCArecognizestwotypesofwildcardcharacters:'*'matchespartofafilename,and'**'recursivelymatchesdirectories.Youcanspecifyoneormorefiles,oneormorefilespecifiers,oracombinationoffilesandfilespecifiers.
<files> | <file specifiers>
Filespecifierscantakethefollowingforms:
Table 15: File Specifiers
File Specifier Description
<dirname> Allfilesfoundunderthenameddirectoryoranysubdirectories
<dirname>/**/Example.java
AnyfilenamedExample.javafoundunderthenameddirectoryoranysubdirectories
<dirname>/*.java Anyfilewiththeextension.javafoundinthenameddirectory
<dirname>/**/*.java Anyfilewiththeextension.javafoundunderthenameddirectoryoranysubdirectories
<dirname>/**/* Allfilesfoundunderthenameddirectoryoranysubdirectories(sameasdirname)
Note:WindowsandmanyUnixshellsautomaticallytrytoexpandargumentscontainingthe'*'character,sofile‐specifierexpressionsshouldbequoted.Also,onWindows,thebackslashcharacter(\)maybeusedasthedirectoryseparatorinsteadoftheforwardslash(/).
FilespecifiersdonotapplytoCorC++languages.
Appendix A: Command Line Interface 55
Appendix B: Parallel Analysis Mode 55
Appendix B: Parallel Analysis ModeThisappendixcoversthefollowingtopics:
• AboutParallelAnalysisMode
• HardwareRequirements
• ConfiguringParallelAnalysisMode
• RunninginParallelAnalysisMode
About Parallel Analysis ModeParallelprocessingallowsyoutoreducescantimesbyharnessingthemultiplecores,memory,andprocessingpowerinyourmachine.Dependingonthenatureofyourprojectandyourhardware,parallelprocessingcanreducescantimeasmuchas90percent.
Whileparallelprocessingcanbeenabledforallscans,scansthatcompleteinlessthan2hoursmaynotwarrantthehigherprocessingpowerrequirements.Forthisreason,parallelprocessingisnotthedefaultmodeofoperation.Youmustenableparallelprocessingonyoursystemandinitiateitonthecommandline.
Hardware RequirementsPleaserefertotheHPFortifySoftwareSecurityCenterSystemRequirementsdocumentforthelatesthardwareandsoftwarerequirementsforrunningSCAinparallel.
Configuring Parallel Analysis ModeAfterinstallingSCAandcompletingthepost‐installationsteps,youwillneedtoaddacouplepropertiestoyourSCAconfigurationfiletoenableparallelprocessing.
Addthefollowingpropertiestoyourfortify-sca.propertiesfile,locatedinthe<SCA_Installation_Directory>\core\configdirectory.
Table 16: Parallel Analysis Mode Properties
Property Description
com.fortify.sca.RmiWorkerMaxHeap
(default:heapsizeofmasterJVM)
Setstheheapsizefortheworkers.
Theamountofmemoryrequiredvariesfromprojecttoproject,butyoudon’thavetoallocateasmuchmemoryfortheworkersasyoudoforthemasterJVM.
Youmayneedtoexperimentwiththispropertyifyouexperiencelowmemorywarnings,crashes,ordon’tachieveasignificantspeedincrease.
TheRmiWorkerMaxHeappropertyacceptsvaluesinkilobytes(K),megabytes(M),orGigabytes(G).Forexample,tosetthepropertyto500kilobytes:-Dcom.fortify.sca.RmiWorkerMaxHeap = 500K
com.fortify.sca.ThreadCount(default:Ifunchanged,SCAwilluseallavailablethreads.)
Youwillonlyneedtoaddthisparameterifyouneedtolowerthenumberofthreadsusedbecauseofaresourceconstraint.Ifyouexperienceslow‐downsorproblemswithyourscan,reducingthenumberofthreadsusedmaysolvetheproblem.
Appendix B: Parallel Analysis Mode 56
Running in Parallel Analysis ModeTorunsourceanalyzerinparallelanalysismode,addthefollowingparametertoyourcommandstring:‐j <# worker processes>
Theidealnumberofworkerprocessesisn‐2,wherenrepresentsthenumberofprocessorsinyourmachine.Forexample,ifyourmachinehas8processors,theidealnumberofworkerprocesseswouldbe6.Thereisasinglemasterprocessthatcoordinatestasksandthedistributionofdatatothedataworkers.EachJavaprocessusesthesameamountofmemory(unlessyouoverrodeitusingthecom.fortify.sca.RmiWorkerMaxHeapMBinthefortify-sca.propertiesfile).Youmayneedtobalancethe-Xmxand-joptionstoinsureyoudon’tallocatemorememorythanisphysicallyavailable.
Tofigureoutthemaximumnumberofworkersforyourinstallation:
ExampleoftranslatingasinglefilenamedMyServlet.java:
sourceanalyzer -b MyServlet -cp lib/j2ee.jar MyServlet.java -j 6
Theminimumvaluefor-jis2,but3orhigherisrecommended.Avalueof3isusuallyfasterthanwhennotrunninginparallel,but4ormoreshouldprovideyouwiththebestoverallspeedincreases.
TotalPhysicalMemory
PhysicalMemoryPerJavaProcessxNumberofprocesses
Appendix C: Using the sourceanalyzer Ant Task 57
Appendix C: Using the sourceanalyzer Ant TaskThisappendixcoversthefollowingtopics:
• UsingtheAntSourceanalyzerTask
• Antproperties
• SourceanalyzerTaskOptions
About the sourceanalyzer Ant TaskThesourceanalyzerAnttaskprovidesaconvenientwaytointegrateSCAintoyourAntbuild.AsdiscussedinTranslatingJavaCode,translationofJavasourcefilesthatarepartofanAntbuildismosteasilyaccomplishedusingtheSCACompilerAdapter,whichautomaticallycapturesinputtojavactaskinvocations.Thesourceanalyzertaskprovidesaconvenientandflexiblewaytoaccomplishothertranslationtasksandtorunanalysis.
ThissectiondescribeshowtousethesourceanalyzerAnttaskandprovidesanexampleofasamplebuildfilewithaself‐containedanalysis target.rs.
Using the Ant Sourceanalyzer TaskAswiththeSCACompilerAdapter,usingthesourceanalyzertaskrequiressourceanalyzer.jar tobeonAnt'sclasspath,andthesourceanalyzerexecutabletobeonthePATH.
Thefirststeptousingthesourceanalyzertaskistoincludeatypedefinthebuild.xmlfileasfollows:
<typedef name="sourceanalyzer" classname="com.fortify.dev.ant.SourceanalyzerTask"/>
Note:OnlyAnt1.6andhighersupportstop‐leveltypedefofthesourceanalyzertask.ForAnt1.5andlower,includethetypedefinthetargetwherethesourceanalyzertaskisused.
Oncethistypedefisincluded,targetscanbedefinedthatinvokethesourceanalyzertasktoperformtranslationandanalysisoperationsexactlyasifrunningsourceanalyzerfromthecommandline.Thesourceanalyzertasksyntaxissimilartothatofthecommandlineinterface,butAntfilesetandpathprimitivescanbeleveraged.
ThefollowingisanexampleofasnippetfromanAntbuild.xmlfilewhichprovidesatargetuserscancalltogenerateSCAresultsfortheproject.Thissnippetassumesthatthetargetscleanandcompileandthepathjsp.classpatharedefinedelsewhereinthefile.ItalsousesverboseandlogtocreateaseparateSCAlogfileforthebuild.
<available classname="com.fortify.dev.ant.SourceanalyzerTask"
property="fortify.present"/>
<property name="sourceanalyzer.buildid" value="mybuild"/>
<!-- For debugging in a separate HP Fortify SCA log file -->
<property name="fortify.debug" value="false" />
<property name="fortify.verbose" value="false" />
<mkdir dir="${code.build}/log" />
<mkdir dir="${code.build}/audit" />
<tstamp/>
<property=”com.fortify.sca.PPSSilent” value=”true” />
<target name="fortify" if="fortify.present">
<typedef name="sourceanalyzer"classname="com.fortify.dev.ant.SourceanalyzerTask"/><!-- call clean to ensure that all source files are recompiled -->
Appendix C: Using the sourceanalyzer Ant Task 58
<antcall target="clean"/><!-- call the compile target using the SCA Compiler Adapter to --><!-- translate all source files--><antcall target="compile"><!-- Log SCA in separate file --><param name="com.fortify.sca.Debug" value="${fortify.debug}" /><param name="com.fortify.sca.Verbose" value="${fortify.verbose}" /><param name="com.fortify.sca.LogFile"value="${code.build}/log/${sourceanalyzer.buildid}-${DSTAMP}-${TSTAMP}.log" /><param name="build.compiler"value="com.fortify.dev.ant.SCACompiler" />
</antcall><!-- capture all configuration files in WEB-INF directory --><echo>sourceanalyzer ${web-inf}</echo><sourceanalyzer buildid="${sourceanalyzer.buildid}"><fileset dir="${web-inf}">
<include name="**/*.properties"/><include name="**/*.xml"/>
</fileset></sourceanalyzer><!-- translate all jsp files--><echo>sourceanalyzer ${basedir} jsp</echo><sourceanalyzer buildid="${sourceanalyzer.buildid}"><fileset dir="${basedir}">
<include name="**/*.jsp"/></fileset><classpath refid="jsp.classpath"/></sourceanalyzer><!-- run analysis --><echo>sourceanalyzer scan</echo><sourceanalyzer buildid="${sourceanalyzer.buildid}"scan="true"resultsfile="issues.fpr"/ >
</target>
Ant propertiesAnyAntpropertythatbeginswithcom.fortifyisrelayedtothesourceanalyzertaskvia-D.Forexample,settingthecom.fortify.sca.ProjectRootpropertyresultsin -Dcom.fortify.sca.ProjectRoot=<value>beingpassedtothesourceanalyzertask.ThisisalsousedfortheSCACompileradapter.Thesepropertiescanbeseteitherinthebuildfile,usingthe<property>taskforexample,orontheAntcommandlineusingthe -D<property=<value>syntax.
WhenusingtheSCACompileradapterviathebuild.compilersetting,thesourceanalyzer.buildAntpropertyisequivalenttothebuildID attributeofthesourceanalyzertask,andthesourceanalyzer.maxHeapisequivalenttomaxHeap.Youcanuseeitherthecommandlineoryourbuildscripttosettheseproperties.
Appendix C: Using the sourceanalyzer Ant Task 59
Sourceanalyzer Task OptionsThefollowingtablecontainsthecommandlineoptionsforthesourceanalyzertask.Pathvaluesusecolon(:)orsemi‐colon(;)delimitedlistsoffilenames.
Table 17: Sourceanalyzer Task Command Line Options
Attribute Command Line Option Description
append -append Appendsresultstothefilespecifiedwiththe-foption.Ifthisoptionisnotspecified,SCAoverwritesthefile.Note:Tousethisoption,theoutputfileformatmustbe.fpror.fvdl.Forinformationonthe-formatoutputoption,seethedescriptioninthistable.
appserver -appserver <appserver>
Specifiestheapplicationserver:Validoptionsareweblogicorwebsphere
appserverHome -apperserver-home <directory>
Specifiestheapplicationserver'shomedirectory.
ForWeblogic,thisisthepathtothedirectorycontainingserver/libdirectory.
ForWebSphere,thisisthepathtothedirectorycontainingthebin/JspBatchCompilerscript.
appserverVersion -apperserver-version <version_number>
Specifiestheversionoftheapplicationserver.
ForWeblogic:versions7,8,9,and10ForWebSphere:version6
bootclasspath -bootclasspath <classpath>
SpecifiestheJDKbootclasspath.
buildID ‐b <build_ID> SpecifiesthebuildID.ThebuildIDisusedtotrackwhichfilesarecompiledandlinkedaspartofabuildandlatertoscanthosefiles.
buildLabel -build-label <build_label>
Specifiesthelabeloftheprojectbeingscanned.ThelabelisnotusedbySCAbutisincludedintheanalysisresults.
buildProject -build-project <project_name>
Specifiesthenameoftheprojectbeingscanned.ThenameisnotusedbySCAbutisincludedintheanalysisresults.
buildVersion -build-version <version>
Theversionoftheprojectbeingscanned.TheversionisnotusedbySCAbutisincludedintheanalysisresults.
classpath -cp <classpath> SpecifiestheclasspathtobeusedforJavasourcecode.Formatissameasjavac(colonorsemicolon‐separatedlistofpaths).
clean -clean ThisoptionresetsthebuildID.Thedefaultvalueisfalse.
Appendix C: Using the sourceanalyzer Ant Task 60
debug -debug Thisoptionenablesthedebugmode,whichisusefulduringtroubleshooting.
disableAnalyzers -disable-analyzer <list_of_analyzers>
Thisoptiontakesacolon‐delimitedlistofanalyzerssothatyoucandisablemultipleanalyzersatonceifnecessary.
enableAnalyzers -enable-analyzer <list_of_analyzers>
Thisoptiontakesacolon‐delimitedlistofanalyzerssothatyoucanenablemultipleanalyzersatonceifnecessary.
encoding -encoding <encoding_type>
Specifiesthesourcefileencodingtype.Thisoptionisthesameasthejavacencodingoption.
extdirs -extdirs <list_of_dirs>
Similartothejavacextdirsoption,acceptsacolonorsemicolonseparatedlistofdirectories.Anyjarfilesfoundinthesedirectoriesareincludedimplicitlyontheclasspath.
filter -filter <file_name> Specifiesthefilterfile.
findbugs -findbugs SettingthistotrueenablesFindBugsanalysis.Thedefaultvalueisfalse.
format -format <format_type>
Controlstheoutputformat.Validoptionsarefpr,fvdl,text,andauto.Thedefaultisauto,whichselectstheoutputformatbasedonthefileextension.Note:Ifyouareusingresultscertification,youmustspecifythefprformat.SeetheAuditWorkbenchUser’sGuideforinformationonresultscertification.
javaBuildDir -java-build-dir <directory>
SpecifiesoneormoredirectorstowhichJavasourceshavebeencompiled.Mustbespecifiedforthefindbugsoption,asdescribedabove.
jdk -source <value> IndicateswhichversionoftheJDKtheJavacodeiswrittenfor.Validvaluesforthisoptionare1.3,1.4,1.5,1.6 and1.7.Thedefaultis1.4.Note:ThesourceandJDKoptionsarethesame.Ifbothoptionsarespecified,theoptionthatisspecifiedlastwilltakeprecedence.
jdkBootclasspath -jdk-bootclasspath <classpath>
SpecifiestheJDKbootclasspath.
logfile -logfile <file_name> SpecifiesthelogfilethatisproducedbySCA.
Table 17: Sourceanalyzer Task Command Line Options (Continued)
Attribute Command Line Option Description
Appendix C: Using the sourceanalyzer Ant Task 61
Thebootclasspath, classpath, extdirs,andoptionsmayalsobespecifiedasnestedelements,aswiththeAntjavactask.Sourcefilescanbespecifiedvianested<fileset>elements.
maxHeap -Xmx <size> SpecifiesthemaximumamountofmemoryusedbySCA.Bydefault,itusesupto600MBofmemory(600M),whichcanbeinsufficientforlargecodebases.Whenspecifyingthisoption,ensurethatyoudonotallocatemorememorythanisphysicallyavailable,becausethiswilldegradeperformance.Asaguideline,assumingnoothermemoryintensiveprocessesarerunning,donotallocatemorethan2/3oftheavailablememory.
noDefaultRules -no-default-rules SettingthisoptionspecifiesthatSCAshouldnotapplydefaultruleswhenscanning.
quick -quick-scan LaunchesanSCAquickscaninsteadofaregularscan.Setvaluetotruetolaunchaquickscan.
resultsfile -f <absolute_path_file name>
Thefiletowhichtheresultsarewritten.
rules -rules <delimited_rules_list>
Therulesoptiontakesalistofrulesfiles,delimitedbythepathseparator.Thisisasemi‐colon(;)onWindows,andacolon(:)onotherplatforms.Foreachelementinthislist,SCAispassedthe-rules <file>command.
scan -scan SettingthisoptiondetermineswhetherSCAshouldperformanalysisontheprovidedbuildID.Thedefaultvalueisfalse.
source -source <value> IndicateswhichversionoftheJDKtheJavacodeiswrittenfor.Validvaluesforthisoptionare1.3,1.4,1.5,and1.6.Thedefaultis1.4.Note:ThesourceandJDKoptionsarethesame.Ifbothoptionsarespecified,theoptionthatisspecifiedlastwilltakeprecedence.
sourcepath -sourcepath <directory>
Specifiesthelocationofsourcefileswhichwillnotbeincludedinthescanbutwillbeusedforresolution.
verbose -verbose Settingthisoptionsendsverbosestatusmessagestotheconsole.
Table 17: Sourceanalyzer Task Command Line Options (Continued)
Attribute Command Line Option Description
Appendix C: Using the sourceanalyzer Ant Task 62
Thefollowingtableincludessourceanalyzerelements.
Table 18: Sourceanalyzer Task Nested Elements
Element Ant Type Description
fileset Fileset SpecifiesthefilestopasstoSCA.
classpath Path SpecifiestheclasspathtobeusedforJavasourcecode.
bootclasspath Path SpecifiestheJDKbootclasspath.
extdirs Path Similartothejavacextdirsoption.Anyjarfilesfoundinthesedirectoriesareincludedimplicitlyontheclasspath.
sourcepath Path Specifiesthelocationofsourcefileswhichwillnotbeincludedinthescanbutwillbeusedforresolution.
Appendix D: Advanced Options 63
Appendix D: Advanced OptionsThischapterdescribesthefollowingadvancedoptions:
• AboutFilterFiles
• UsingPropertiestoControlRuntimeOptions
About Filter FilesYoucancreateatextfileforfilteringoutparticularvulnerabilityinstances,rules,andvulnerabilitycategorieswhenyourunthesourceanalyzercommand.Thefileisspecifiedbythe-filteranalysisoption.
Note:HPFortifySoftwarerecommendsthatyouonlyusethisfeatureifyouareanadvanceduser,andthatyoudonotusethisfeatureduringstandardaudits,becauseauditorsshouldbeabletoseeandevaluateallissuesfoundbySCA.
Afilterfileisaflattextfilethatcanbecreatedwithanytexteditor.Thefilefunctionsasablacklist,suchthatonlythefilteritemsyoudonotwantarespecifiedoneperline.Thefollowingfiltertypescanbeenteredonaline:
• Category
• InstanceID
• RuleID
Thefiltersareappliedatdifferenttimesintheanalysisprocess,accordingtothetypeoffilter.CategoryandruleIDfiltersareappliedduringtheinitializationphasebeforeanyscanshavetakenplace,whereasaninstanceIDfilterisappliedaftertheanalysisphase.
Filter File Creation ExampleAsanexample,thefollowingoutputresultedfromascanoftheEightBall.java,locatedinthe/Samples/basic/eightballdirectoryinyourHPFortifyinstallationdirectory.
Thefollowingcommandisexecutedtoproducetheanalysisresults:
>sourceanalyzer -b eightball Eightball.java
>sourceanalyzer -b eightball -scan
Thefollowingresultsetdisplays,showingsixdetectedissues.
[F7A138CDE5235351F6A4405BA4AD7C53 : low : Unchecked Return Value : semantic ]
EightBall.java(12) : Reader.read()
[EFE997D3683DC384056FA40F6C7BD0E8 : medium : Path Manipulation : dataflow ]
EightBall.java(12) : ->new FileReader(0)
EightBall.java(6) : <=> (filename)
EightBall.java(4) : ->EightBall.main(0)
[60AC727CCEEDE041DE984E7CE6836177 : medium : Unreleased Resource : Streams : con
trolflow ]
EightBall.java(12) : start -> loaded : new FileReader(...)
Appendix D: Advanced Options 64
EightBall.java(12) : loaded -> loaded : <inline expression> refers to an allocated resource
EightBall.java(12) : java.io.IOException thrown
EightBall.java(12) : loaded -> loaded : throw
EightBall.java(12) : loaded -> loaded : <inline expression> no longer refers
to an allocated resource
EightBall.java(12) : loaded -> end_of_scope : end scope : Resource leaked :
java.io.IOException thrown
EightBall.java(12) : start -> loaded : new FileReader(...)
EightBall.java(12) : loaded -> loaded : <inline expression> refers to an allocated resource
EightBall.java(14) : loaded -> loaded : <inline expression> no longer refers
to an allocated resource
EightBall.java(14) : loaded -> end_of_scope : end scope : Resource leaked
[BB9F74FFA0FF75C9921D0093A0665BEB : low : J2EE Bad Practices : Leftover Debug Code : structural ]
EightBall.java(4)
[FF0D787110C7AD2F3ACFA5BEB6E951C3 : low : Poor Logging Practice : Use of a System Output Stream : structural ]
EightBall.java(10)
[FF0D787110C7AD2F3ACFA5BEB6E951C4 : low : Poor Logging Practice : Use of a Syste
m Output Stream : structural ]
EightBall.java(13)
Thesamplefilterfile,test_filter.txtdoesthefollowing:
• RemovesallresultsrelatedtothePoorLoggingPracticecategory
• RemovestheUnreleasedResourcebasedonitsinstanceID
• RemovesanydataflowissuesthatweregeneratedfromaspecificruleID
Thetest_filter.txt fileusedinthisexamplecontainsthefollowingtext:
#This is a category that will be filtered from scan outputPoor Logging Practice
#This is an instance ID of a specific issue to be filtered from scan #output60AC727CCEEDE041DE984E7CE6836177
#This is a specific Rule ID that leads to the reporting of a specific #issue in #the scan output: in this case the data flow sink for a Path Manipulation #issue.823FE039-A7FE-4AAD-B976-9EC53FFE4A59
Youcancreateafiletotestthefilteredoutputbycopyingtheabovetextintoafile.
Appendix D: Advanced Options 65
Thefollowingcommandisexecutedusingthe-filteroptiontospecifythetest_filter.txt:
[C:\Program Files\Fortify Software\HP Fortify vX.XX\Fortify SCA X.XX\Samples\basic\eightball]>sourceanalyzer -b eightball -scan -filter test_filter.txt
Thefollowingresultsetdisplays:
[F7A138CDE5235351F6A4405BA4AD7C53 : low : Unchecked Return Value : semantic]EightBall.java(12) : Reader.read()
[BB9F74FFA0FF75C9921D0093A0665BEB : low : J2EE Bad Practices : Leftover Debug Code : structural]
EightBall.java(4)
Using Properties to Control Runtime OptionsYoucaneditpropertiestodefineruntimeoptionsforSCA,includinganalysis,output,andperformancetuningoptions.Thesepropertiescanbesetinfourdifferentplaces:
• Globalconfigurationfile(fortify-sca.properties):usedtodefineglobalsettings.
• Userconfigurationfile‐‐ (fortify-sca.properties(Windows)or.fortify-sca.properties(non‐Windows):usedtodefineuser‐specifiedsettings.
• QuickScanconfigurationfile (fortify-sca-quickscan.properties):usedtodefinesettingsusedwhenSCAisruninQuickScanmode.
• Commandline:youcandefinepropertysettingsonthecommandline
-D<property_name>=<property_value>
Thefortify-sca.propertiesglobalsettingsfileandthefortify-sca-quickscan.propertiesfilearelocatedinthe<install_directory>/Core/configdirectory.Theuser‐specificpropertiesfiles‐‐fortify-sca.propertiesonWindowsinstallationsand.fortify-sca.propertiesonnon‐Windowsinstallations‐‐arelocatedineitheryourWindowsuserdirectoryoryourUnixhomedirectory.
Youcaneditallpropertiesfilesdirectly.
Specifying the Order of PropertiesSCAprocessespropertiesinaspecificorder,usingthisordertooverrideanypreviouslysetpropertieswiththevaluesthatyouspecify.Youshouldkeepthisprocessingorderinmindwhenmakingchangestothepropertiesfiles.
Propertydefinitionsareprocessedinthefollowingorder:
• Propertiesspecifiedonthecommandlinehavethehighestprecedenceandcanbespecifiedduringanyscan.
• PropertiesspecifiedintheQuickScanconfigurationfile(fortify-sca-quickscan.properties)areprocessedsecond,butonlywhenthe-quickoptionisusedtooperateinQuickScanmode.IfQuickScanisnotinvoked,thisfileisignored.
• PropertiesspecifiedintheGlobalconfigurationfile(fortify-sca.properties)areprocessedlast.Youshouldeditthisfileifyouwanttochangethepropertyvaluesonamorepermanentbasisforallscans.
SCAalsoreliesonsomepropertiesthathaveinternallydefineddefaultvalues.
Appendix D: Advanced Options 66
Table19:HPFortifyPropertieslistspropertiesthatcanbedefined.Thedefaultvaluesarelisted.IfyouwanttouseQuickScanMode,oryouwanttotuneyourapplication,youcanmakethechangesasdescribedinTable20:onpage69.
Table 19: HP Fortify Properties
Property Name
Default Value Description
com.fortify.sca.AbortedScanOverwritesOutput
false Bydefault,ifascanisinterrupted,thepartialresultsarewrittentoadifferentoutputfile:<output>.partial.fprinsteadof<output>.fpr.Ifthispropertyissettotrue,theinterruptedresultarewrittentothenormaloutfile(<output>.fpr),whichoverwritesanyfull‐scanresultsthatmaybepresentinthatfile.
com.fortify.sca.Appserver
(none) SpecifiestheapplicationserverforprocessingJSPfiles:weblogicorwebsphere
com.fortify.sca.Appserver.Home
(none) Specifiestheapplicationserver’shome.
ForWeblogic,thisisthepathtothedirectorycontainingserver/libdirectory.
ForWebSphere,thisisthepathtothedirectorycontainingthebin/JspBatchCompilerscript.
com.fortify.sca.Appserver.Version
(none) Specifiestheversionoftheapplicationserver.
ForWeblogic,validvaluesare7,8,9,and10.
ForWebSphere,thevalidvalueis6.
com.fortify.sca.fileextensions.*
(none) ControlshowSCAhandlesfileswithgivenextensions.Seefortify-sca.propertiesforexamples.
com.fortify.sca.FPRDisableSrcHtml
(none) Iftrue,disablessourcecoderenderingintotheFPRfile.
com.fortify.sca.NoDefaultRules
(none) Iftrue,rulesfromthedefaultRulepacksarenotloaded.SCAprocessestheRulepacksfordescriptionelementsandlanguagelibraries,butnorulesareprocessed.
com.fortify.sca.NoDefaultIssueRules
(none) Iftrue,disablesrulesindefaultRulepacksthatleaddirectlytoissues.Stillloadsrulesthatcharacterizethebehavioroffunctions.Note:Thisequivalenttodisablingthefollowingruletypes:DataflowSink,Semantic,Controlflow,Structural,Configuration,Content,Statistical,Internal,andCharacterization:Issue.
com.fortify.sca.DisableDefaultRuleTypes
Appendix D: Advanced Options 67
(none) DisablesthespecifiedtypeofruleinthedefaultRulepacks;wheretypeistheXMLtagminusthesuffix“Rule.”Forexample,useDataflowSourceforDataflowSourceRuleelements.Youcanalsospecifyspecificsectionsofcharacterizationrules,suchasCharacterization:Controlflow,Characterization:Issue,andCharacterization:Generic.Typeiscase‐insensitive.
Useacolondelimitedlisttospecifymultipletypesofrules.
com.fortify.sca.NoDefaultSinkRules
(none) Iftrue,disablessinkrulesinthedefaultRulepacks.Note:Characterizationsinkrulesarenotdisabled.
com.fortify.sca.NoDefaultSourceRules
(none) Iftrue,disablessourcerulesinthedefaultRulepacks.Note:Characterizationsourcerulesarenotdisabled.
com.fortify.sca.ProjectRoot
(platformdependent) DirectoryusedbySCAtostoreintermediatefilesgeneratedduringscans.
com.fortify.sca.ASPVirtualRoots.<virtual path>=<physical path>
false Iftrue,enablessupportforvirtualroots.Thispropertyassociatesvirtualpathnameswithphysicalpathnames.
com.fortify.sca.DefaultFileTypes
java,jsp,sql,pks,pkh,pkb,xml,properties,config,dll,exe
Comma‐separatedlistoffileextensionsthatarepickedupbydefaultbySCA.
com.fortify.sca.compilers.*
(none) CanbeusedtoinformSCAaboutspeciallynamedcompilers.Seefortify-sca.propertiesforexamples.
com.fortify.sca.CfmlUndefinedVariablesAreTainted
false Iftrue,treatsundefinedvariablesinaCFMLpageastainted.Doingsoservesasahinttothedataflowanalyzertowatchoutforregister‐globals‐stylevulnerabilities.However,enablingthispropertyinterfereswithdataflowfindingsinwhichavariableinanincludedpageisinitializedtoataintedvalueinanearlier‐occurringincludedpage.
com.fortify.sca.FVDLDisableProgramData
false Iftrue,causestheProgramDatasectiontobeexcludedfromtheanalysisresults(FVDLoutput).
com.fortify.sca.FVDLDisableSnippets
false Iftrue,codesnippetsarenotincludedintheanalysisresults(FVDLoutput).
com.fortify.sca.LogFile
Table 19: HP Fortify Properties (Continued)
Property Name
Default Value Description
Appendix D: Advanced Options 68
${com.fortify.sca.ProjectRoot}/log/sca.log
ThedefaultlocationfortheSCAlogfile.
com.fortify.sca.LogMaxSize
(none) Whenthispropertyisset,itenableslogrotationfortheSCAlog.Thevalueisthenumberbytesthatcanbewrittentothelogfilebeforeitisrotated.Mustbeusedwithcom.fortify.sca.LogMaxFiles.
com.fortify.sca.LogMaxFiles
(none) Thenumberoflogfilestoincludeinthelogfilerotationset.Whenallfilesarefilled,thefirstfileintherotationisoverwritten.Thevaluemustbeatleast1.Mustbeusedwithcom.fortify.sca.LogMaxSize.
com.fortify.sca.Debug
false Producesadebuglogfile.ThislogfileisforTechnicalSupportpurposes.
com.fortify.sca.PPSSilent
false Promptstheuserwiththenumberoflinesthescanrequirestoanalyzethesourcecode.Settotruetosuppressthepromptandautomaticallydeductthelines.Note:Ifthescanrequiresmorelinesthanareavailable,thescanfailswithanerrorindicatinghowmanyadditionallinesarerequired.
com.fortify.sca.UnicodeInputFile
(none) Whensettotrue,thispropertyindicatesthattheinputfileisUTF‐8basedandbeginswithabyte‐ordermark(BOM).Typically,youshouldonlysetthispropertyifyouseealexicalerroratLine1,Column1,indicatingthattheBOMispresent.
com.fortify.rules.SkipRulePacks
(none) Semicolon‐delimitedlistofRulepackstoexcludefromthedefaultset.ThispropertycontrolswhichRulepacksareusedbySCAbydefault.AllRulepacksinstalledin<install_directory>/Core/config/rulesareusedbydefaultunlesstheyareonthislist.
com.fortify.sca.limiters.MaxChainDepth
5 Controlsthemaximumcalldepththroughwhichthedataflowanalyzertrackstainteddata.Increasingthisvalueincreasesthecoverageofdataflowanalysis,andresultsinlongeranalysistimes.ThispropertycanbechangedifyouareusingQuickScanMode:seethefollowingtableforthesuggestedvaluetouse.Note:Inthiscase,calldepthreferstothemaximumcalldepthonadataflowpathbetweenataintsourceandsink,ratherthancalldepthfromtheprogramentrypoint,suchasmain().
com.fortify.sca.limiters.MaxFieldDepth
Table 19: HP Fortify Properties (Continued)
Property Name
Default Value Description
Appendix D: Advanced Options 69
Thefollowingtabledescribesthepropertiesthatcanbeusedtotunedefaultscanningperformance.TheyhavedifferentdefaultsforQuickScanmode,whichcanbeadjustedbyeditingthefortify-sca-quickscan.propertiesfile.Ifyouwanttousetherecommendedtuningparameters,youdonotneedtoeditthisfile;however,youmayfindthatyouwanttoexperimentwithothersettingstofine‐tuneyourspecificapplication.
Rememberthatpropertiesinthisfileareprocessedonlyifyouspecifythe-quickoptiononthecommandlinewheninvokingyourscan.
4 Controlsthemaximumgranularityoftainttrackingthroughdatastructurememberfields.Thisvalueisthenumberofnestedfieldsthroughwhichtaintwillbetrackedbeforetheentirestructureisconsideredtainted.Increasingthisvalueimprovestheaccuracyofanalysisbyreducingfalsepositives,andnormallyincreasesanalysistime.
com.fortify.sca.limiters.MaxPaths
5 Controlsthemaximumnumberofpathstoreportforasingledataflowvulnerability.Changingthisvaluedoesnotchangetheresultsthatarefound,onlythenumberofdataflowpathsdisplayedforanindividualresult.
com.fortify.sca.limiters.MaxIndirectResolutionsForCall
128 Controlsthemaximumnumberofvirtualfunctionsthatarefollowedatagivencallsite.
com.fortify.sca.jspparserusesclasspath
false AllowstheusertospecifytheclasspathtotheWeblogicparser.ThisisforWeblogic9and10only.
Table 20: Performance Tuning Properties
Property Name
Values Description
com.fortify.sca.FilterSet
Defaultvalueisnotset.QuickScanvalue:Critical Exposure.
Whensettotargeted,thispropertyrunsrulesonlyforthetargetedfilterset.RunningonlyasubsetofthedefinedrulesallowstheSCAscantocompletemorequickly.ThiscausesSCAtorunonlythoserulesthatcancauseissuesidentifiedinthenamedfilterset,asdefinedbythedefaultprojecttemplateforyourapplication.Formoreinformationaboutprojecttemplates,seetheAuditWorkbenchUser’sGuide.
com.fortify.sca.FPRDisableSrcHtml
Defaultvalue:False.QuickScanvalue:True.
Whensettotrue,thispropertypreventsthegenerationofmarked‐upsourcefiles.IfyouplantouploadFPRsthataregeneratedasaresultofaquickscan,youmustsetthispropertytofalse.
com.fortify.sca.limiters.ConstraintPredicateSize
Table 19: HP Fortify Properties (Continued)
Property Name
Default Value Description
Appendix D: Advanced Options 70
Defaultvalue:50000.QuickScanvalue:10000.
Skipscalculationsdefinedasverycomplexinthebufferanalyzertoimprovescanningtime.
com.fortify.sca.limiters.BufferConfidenceInconclusiveOnTimeout
Defaultvalue:true.QuickScanvalue:false.
Skipscalculationsdefinedasverycomplexinthebufferanalyzertoimprovescanningtime.
com.fortify.sca.limiters.MaxChainDepth
Defaultvalue:5. QuickScanvalue:4.
Controlsthemaximumcalldepththroughwhichthedataflowanalyzertrackstainteddata.Increasingthisvalueincreasesthecoverageofdataflowanalysis,andresultsinlongeranalysistimes.
Note:Inthiscase,calldepthreferstothemaximumcalldepthonadataflowpathbetweenataintsourceandsink,ratherthancalldepthfromtheprogramentrypoint,suchasmain().
com.fortify.sca.limiters.MaxTaintDefForVar
Defaultvalue:1000.QuickScanvalue:500.
Thispropertysetsthecomplexitylimitfordataflowprecisionbackoff.Dataflowincrementallydecreasesprecisionofanalysisforfunctionsthatexceedthiscomplexitymetricforagivenpreci‐sionlevel.
com.fortify.sca.limiters.MaxTaintDefForVarAbort
Defaultvalue:4000.QuickScanvalue:1000.
Thispropertysetsahardlimitforfunctioncomplexity.Ifcom‐plexityofafunctionexceedsthislimitatthelowestprecisionlevel,theanalyzerwillnotanalyzethatfunction.
com.fortify.sca.DisableGlobals
Defaultvalue:false.QuickScanvalue:false.
Thispropertypreventsthetrackingoftainteddatathroughglobalvariablestoallowfasterscanning.
com.fortify.sca.CtrlflowSkipJSPs
Defaultvalue:false.QuickScanvalue:false.
ThispropertyskipscontrolflowanalysisofJSPsinyourproject.
com.fortify.sca.NullPtrMaxFunctionTime
Defaultvalue:300000.QuickScanvalue:30000.
Thispropertysetsatimelimit,inmilliseconds,forNullPointeranalysisforasinglefunction.Thedefaultisfiveminutes.Settingittoashorterlimitdecreasesoverallscanningtime.
com.fortify.sca.CtrlflowMaxFunctionTime
Defaultvalue:600000.QuickScanvalue:30000.
Thispropertysetsatimelimit,inmilliseconds,forcontrolflowanalysisforasinglefunction.Thedefaultis10minutes.
com.fortify.sca.TrackPaths
Table 20: Performance Tuning Properties (Continued)
Property Name
Values Description
Appendix D: Advanced Options 71
Bydefault,thispropertyisnotset.QuickScanvalue:NoJSP.
Thispropertydisablespathtrackingforcontrolflowanalysis.Pathtrackingprovidesmoredetailedreportingforissues,butrequiresmorescanningtime.YoucandisablethisforJSPonlybysettingittoNoJSP,orforallfunctionsbysettingittoNone.
com.fortify.sca.JdkVersion
Defaultvalue:1.4 ThispropertyspecifiestheJDKversion.
Table 20: Performance Tuning Properties (Continued)
Property Name
Values Description
Appendix E: MSBuild Integration 72
Appendix E: MSBuild IntegrationThisappendixcovers:
• Installation
• SettingWindowsEnvironmentVariablesforTouchlessIntegrationofSCA
• AddingCustomTaskstoyourMSBuildProject
• AddingCustomTaskstoYourProject
About MSBuild IntegrationSCAprovidestheabilitytotranslateyour.NETsourcecodeaspartofyourMSBuildbuildprocess.WithSCA’sMSBuildintegration,youcantranslatefilesonmachineswheretheVisualStudioIDEhasnotbeeninstalled.MSBuildintegrationiscompatiblewithversion2.0,3.5,and4.XoftheMSBuildexecutable,allowingforthetranslationofthefollowingproject/sourcecodetypes:
• C/C++ConsoleApplications(VisualStudio2010andaboveonly)
• C/C++Libraries(VisualStudio2010andaboveonly)
• VisualC#andVisualBasicWebsites
• VisualC#andVisualBasicLibraries
• VisualC#andVisualBasicWebApplications
• VisualC#andVisualBasicConsoleApplications
ThissectiondescribeshowtolaunchanSCAanalysisaspartofyourMSBuildproject.
InstallationTherearenoinstallationstepsrequiredunlessthemachineyourunMSBuildondoesnotincludeacopyofMicrosoftVisualStudio.Ifyourbuildmachinedoesn’tincludeacopyofMicrosoftVisualStudio,youwillneedtoaddcom.fortify.sca.IldasmPath=<Path_to_ildasm.exe>toyour <SCA_Installation_Directory>\core\config\fortify-sca.properties file.
Setting Windows Environment Variables for Touchless Integration of SCAWhenintegratingSCAintoyourMSBuildprocess,thereareanumberofWindowsenvironmentvariablesthatyoucanset.Ifyoudon’tsetthesevariables,SCAwillassumeadefaultsetofvariablesandusethose.Onceyou’vesettheappropriateWindowsenvironmentvariables,successivebuildswillusethesamesetuntilyoumakeachangetotheenvironmentvariables.TheenvironmentvariablesthatcanbesetarelistedinTable21.
Table 21: Windows Environment Variables
Environment Variable Definition Default
FORTIFY_MSBUILD_BUILDID UsedtosettheSCAbuildID. ThebuildIDpassedonthecommandline.
FORTIFY_MSBUILD_DEBUG UsedtoputtheloggerandHPFortifyStaticCodeAnalyzerindebugmode.
False
FORTIFY_MSBUILD_MEM UsedtosetthememoryusedtoinvokeHPFortifyStaticCodeAnalyzer(i.e.,-Xmx1200M)
600MB
Appendix E: MSBuild Integration 73
TouchlessintegrationrequirestheFortifyMSBuildTouchless.dlllocatedinthe\Core\libdirectory.ItmustberunfromaVisualStudiocommandprompt.
ThefollowingisanexampleofthecommandusedtorunthebuildandlaunchanSCAanalysisusingthedefaultenvironmentvariables,orthoseyouhavepreviouslyset:
sourceanalyzer -b buildid msbuild <solution_file> <msbuild_options>
Alternatively,youcancallMSBuildtolaunchabuildandSCAanalysis:
Msbuild <solution_file> /logger:"C:\Program Files\Fortify Software\HP Fortify vX.XX\Core\lib\FortifyMSBuildTouchless.dll" <msbuild_options>
Adding Custom Tasks to your MSBuild ProjectRatherthanusingtheTouchlessIntegrationmethod,youcanaddanumberofcustomtaskstoyourMSBuildprojectinordertoinvokeSCA.ThesetasksmustbeaddedtoanMSBuildproject,notasolution.AsolutionfileisnotavalidMSBuildscript.SolutionsareparsedbyMSBuildandacorrespondingprojectfileiscreated.
Table22liststhecustomtasksyoucanaddtoyourMSBuildproject:
FORTIFY_MSBUILD_LOG Usedtosetthelocationforthelog. ${win32.LocalAppdata}/Fortify/MSBuildPlugin
FORTIFY_MSBUILD_SCALOG UsedtosetthelocationfortheSCAlog.Useanabsolutepathwhenchanging.
FORTIFY_MSBUILD_LOGALL Usetosetthepluginsothatitwilllogeverymessagepassedtoit.Thiswillcreateaverylargeamountofinformation.
False
Table 22: Custom Tasks
Custom Task Required Parameters Optional Parameters
Fortify.TranslateTask BuildID‐thebuildIDforthetranslation
BinariesFolder‐thedirectorywherethefilestobetranslatedreside
VSVersion‐theversionofthe.NETdllsbeingused.
References‐listofdllstobepassedviathelibdirscommand
JVMSettings‐memorysettingstopasstoSCA
LogFile‐locationfortheSCAlogfile
Debug‐setstaskandSCAtodebugmode
Fortify.ScanTask BuildID‐thebuildIDforthescan
Output‐thenameoftheFPRfiletobegenerated
JVMSettings‐memorysettingstopasstoSCA
LogFile‐locationfortheSCAlogfile
Debug‐setstaskandSCAtodebugmode
Fortify.CleanTask BuildID‐thebuildIDforthescan Debug‐setstaskandSCAtodebugmode
Table 21: Windows Environment Variables (Continued)
Environment Variable Definition Default
Appendix E: MSBuild Integration 74
Adding Custom Tasks to Your ProjectYoucanaddanyofthefollowingtaskstoyourprojectscript:
• Fortify.TranslateTask
• Fortify.ScanTask
• Fortify.CleanTask
• Fortify.SSCTask
• Fortify.CloudScanTask
Adding Fortify.TranslateTaskToaddFortify.TranslateTasktoyourprojectscript:
1.CreateatasktoidentifyandlocateFortifyMSBuildTasks.dll.
<UsingTask TaskName=”Fortify.TranslateTask” AssemblyFile=”<Install Directory>\Core\lib\FortifyMSBuildTasks.dll”/>
2.Createanewtargetoraddthefollowingcustomtargettoanexistingtargettoinvokethecustomtask:
<Target Name=”FortifyBuild” AfterTargets=”AfterBuild” Outputs=”dummy.out”>
<TranslateTask BinariesFolder=”$(OutDir)”
VSVersion=”<Visual Studio Version>”
BuildID=”TempTask”
JVMSettings=”-Xmx1000M”
Fortify.SSCTask AuthToken‐shouldbedefinedoruseusernameandpassword
Project‐projectname
ProjectVersion‐projectversion.Ifundefined,aProjectIDandProjectVersionIDmustbedefined
FPRFile‐nameofthefiletouploadtoSoftwareSecurityCenter
SSCURL‐theURLfortheSSC
Debug‐specifiestaskandSCAshouldbeinvokedwithdebug
Username‐necessaryifAuthTokenisn’tdefined
Password‐necessaryifAuthTokenisn’tdefined
ProjectID‐usedwithProjectVersionIDifProjectandProjectVersionaren’tused
ProjectVersionID‐usedwithProjectIDifProjectandProjectVersionaren’tused
Proxy‐necessaryifaproxyisrequired
Fortify.CloudScanTask BuildID‐thebuildIDforthetranslation
SSCUpload‐setthisbooleantotruetouploadyouroutputtoSSC.
CloudURL‐theCloudURL
or
SSCUrl‐theSSCURL
Debug‐setthisbooleantotruefordebugmode
ThefollowingparametersareonlyusedwhenSSCUploadissettotrue:
SSCToken‐theSSCtoken
Project‐theprojecttouploadto
VersionName‐theversionyouwanttouploadto
ThefollowingparameterareonlyusedwhenSSCUploadissettofalse:
FPRName‐thenamefortheFPRfile
Table 22: Custom Tasks (Continued)
Custom Task Required Parameters Optional Parameters
Appendix E: MSBuild Integration 75
LogFile=”trans_task.log”
Debug=”true”/>
</Target>
TheFortifyBuildtargetwillbeinvokedaftertheAfterBuildtargetisrun.TheAfterBuildtargetisoneofseveraldefaulttargetsdefinedintheMSBuildtargetfile.Ifoneoftherequiredparametersisn’tdefined,theMSBuildwillfail.
Note:IfaddinganewtargetwhenrunningMSBuild2.0or3.5,youwillneedtoremovethestringAfterTargets=”AfterBuild”andreplaceFortifyBuildwithAfterBuild.
Adding Fortify.ScanTaskThefollowingcodeaddsFortify.ScanTasktotheMSBuildproject.Newcontentisinboldtext.
<UsingTask TaskName="Fortify.TranslateTask" AssemblyFile="<Install Directory>\Core\lib\FortifyMSBuildTasks.dll" />
<UsingTask TaskName="Fortify.ScanTask" AssemblyFile="<Install Directory>\Core\lib\FortifyMSBuildTasks.dll"/>
<Target Name="FortifyBuild" AfterTargets="AfterBuild" Outputs="dummy.out">
<TranslateTask BinariesFolder="$(OutDir)"
VSVersion="<Visual Studio Version>"
BuildID="TempTask"
JVMSettings="-Xmx1000M"
LogFile="trans_task.log"
Debug="true" />
<ScanTask BuildID="TempTask"
JVMSettings="-Xmx1000M"
LogFile="scan_task.log"
Debug="true"
Output="Scan.fpr" />
</Target>
Adding Fortify.CleanTaskThefollowingexampleaddstheFortify.CleanTasktotheMSBuildproject.
<UsingTask TaskName="Fortify.CleanTask" AssemblyFile="<Install Directory>\Core\lib\FortifyMSBuildTasks.dll" /><Target Name="FortifyBuild" AfterTargets="AfterBuild" Outputs="dummy.out">
<CleanTask BuildID="TempTask" />
</Target>
Adding Fortify.SSCTaskThefollowingexampleaddstheFortify.SSCTasktotheMSBuildproject.Newcontentisinbold:
<UsingTask TaskName="Fortify.TranslateTask" AssemblyFile="<Install Directory>\Core\lib\FortifyMSBuildTasks.dll" /> <UsingTask TaskName="Fortify.ScanTask" AssemblyFile="<Install Directory>\Core\lib\FortifyMSBuildTasks.dll" />
Appendix E: MSBuild Integration 76
<UsingTask TaskName="Fortify.SSCTask" AssemblyFile=<Install Directory>\Core\lib\FortifyMSBuildTasks.dll" />
<Target Name="FortifyBuild" AfterTargets="AfterBuild" Outputs="dummy.out">
<TranslateTask BinariesFolder="$(OutDir)"
VSVersion="<Visual Studio Version>"
BuildID="TempTask"
JVMSettings="-Xmx1000M"
LogFile="trans_task.log"
Debug="true" />
<ScanTask BuildID="TempTask"
JVMSettings="-Xmx1000M"
LogFile="scan_task.log"
Debug="true"
Output="Scan.fpr" />
<SSCTask Username="admin"
Password="admin"Project="Test Project"ProjectVersion="Test Version 1"FPRFile="SSC.fpr"SSCURL="http://localhost:8180/SSC7"/>
</Target>
Adding Fortify.CloudScanTaskIfyouareusingCloudScantoprocessyourscans,youcansendthetranslatedoutputtoyourcloud‐basedresource.ThefollowingexampleaddstheFortify.CloudScanTasktotheMSBuildproject:
<UsingTask TaskName=”Fortify.CloudScanTask” AssemblyFile=”<Install Directory>\Core\lib\FortifyMSBuildTasks.dll”/>
<Target Name="FortifyBuild" AfterTargets="AfterBuild" Outputs="dummy.out">
<CloudScanTask BuildID="TempTask"
SSCUpload="false"
FPRName="Scan.fpr"
CloudURL="http://localhost:8080/cloud-ctrl" />
</Target>
Appendix F: Maven Integration 77
Appendix F: Maven IntegrationThisappendixcoversthefollowingtopics:
• AbouttheMavenPlugin
• InstallingtheMavenPlugin
• UpdatingtheMavenPlugin
• UsingtheMavenPlugin
• ExcludingFilesfromtheScan
• UninstallingtheMavenPlugin
• AdditionalDocumentation
About the Maven PluginSCAincludesaMavenpluginwhichprovidesameansforyoutoaddSCAclean,translation,scan,and.fpruploadcapabilitiestoyourMavenprojectbuilds.Youcanusetheplugindirectlyorintegrateitsfunctionalityintoyourbuildprocess.
TheMavenpluginislocated:
<HP_Fortify_Install_Directory>\Samples\advanced\maven-plugin
Insidethedirectory,youwillfindthefileslistedinTable23
Table 23: Contents of maven‐plugin directory
File Description
pom.xml Projectobjectmodelfile.
README.TXT TheREADMEtextprovidesinstallationandusageinstructions.
samples(directory) Includestwosampleprojectdirectories:EightBallandMyEnterpriseApp.
settings.xml XMLfilethatestablishesthenamespacetobeusedasitrelatestoMavensettings.
src(directory) Locationofsourcecode,assemblies,etc.
.
ThepluginiscompatiblewithMaven2.0.9to3.0.5,inclusive.Maven3.X.Xisrecommended.
Installing the Maven PluginWheninstallingtheMavenplugin,weassumethatthepathtotheSCAbinfolderisinyourPATHenvironmentvariable.
Note:IfyouareusingSCAversion3.60,3,70,or3.80,youwillneedtoedittheEOLformatofthepluginsourcefilesbeforeinstallingtheplugin.SeeEditingthePluginSourceFilesbeforeinstallingtheplugin.IfyouhaveapreviousversionoftheMavenPlugininstalled,see
ToinstalltheMavenplugin:
1. Openaterminalorcommandpromptwindowandnavigatetothemaven‐plugindirectory.
<HP_Fortify_Install_Directory>\Samples\advanced\maven-plugin
2. Attheprompt,type:
mvn clean package install
Appendix F: Maven Integration 78
Updating the Maven PluginIfyouhaveapreviousversionoftheMavenPlugininstalled,youcanupgradetothelatestversion.
ToupdatetheMavenPluginonyoursystem:
1. Openaterminalorcommandpromptwindowandnavigatetothemaven‐plugindirectory.
<HP_Fortify_Install_Directory>\Samples\advanced\maven-plugin
2. Attheprompt,type:
mvn install
Editing the Plugin Source Files IfyouareusingSCAversion3.60,3.70,or3.80,youwillneedtoedittheend‐of‐line(EOL)formatofthepluginsourcefilesbeforeinstallingtheplugin.IfyouareusingaversionofSCApost3.80,youdonotneedtoeditthesourcefiles.ThefollowinginstructionsarebasedontheOSyouareusing.
ToeditthefilesonaWindowssystem:
1. OpenaCommandPromptwindowandNavigateto:
Samples\advanced\maven-plugin\src\main\java\com\fortify\ps\maven\plugin\sca
2. Openthefollowingfilesinatexteditor:
• CleanMojo.java
• DeleteGeneratedSourcesMojo.java
• StringHelper.java
• Util.java
3. ChangetheEOLformatforeachofthesefilestoCR+LF(DOS/Windows).
Forexample,ifusingNotepad++asyourtexteditor,clickEdit‐‐>EOLConversion‐‐>WindowsFormat.Ifyoumakethesechangesafterinstallingtheplugin,youwillneedtouninstallitandthenreinstallitafterthechangeshavebeenmade.
ToeditthefilesonaLinuxorUnixsystem:
1. Openaterminalwindowandnavigatetothefollowingdirectory:<HP_Fortify_Install_Directory>/Samples/advanced/maven-plugin/src/main/java/com/fortify/ps/maven/plugin/sca
2. Runthefollowingcommands:
sudo dos2unix -o *.java
sudo mac2unix -o *.java
Note:Ifyoumakethesechangesafterinstallingtheplugin,youwillneedtouninstallitandthenreinstallitafterthechangeshavebeenmade.
ToeditthefilesonaMacintoshsystem:
1. Navigateto:
<HP_Fortify_Install_Directory>/Samples/advanced/maven-plugin/src/main/java/com/fortify/ps/maven/plugin/sca
2. Inatexteditorofyourchoice,changethelineendingsofallJavasourcefilestoLF(OSX/Unixformat).IfXcodeisavailableonyoursystem,youcanopenthesourcefilesinXcodeandchangethelineendingstoLF.
Note:Ifyoumakethesechangesafterinstallingtheplugin,youwillneedtouninstallitandthenreinstallitafterthechangeshavebeenmade.
Appendix F: Maven Integration 79
Testing the PluginAfterinstallingthemavenplugin,useoneoftheincludedsamplefilestoensureyourinstallationisworkingproperly.
TotesttheMavenpluginusingtheEightBallsamplefile:
1. Addthedirectorycontainingthesourceanalyzerexecutabletothepathenvironmentvariable.
Forexample:
export set PATH=$PATH:/path/to/f360/bin
or
set PATH=%PATH%;path\to\f360\bin
2. Typesourceanalyzer -htotestthePATHsetting.
Itshouldreturnsourceanalyzerhelp.
3. NavigatetotheEightballdirectory:
<HP_Fortify_Install_Directory>\Samples\advanced\maven-plugin\samples\EightBall
4. Openthe pom.xml fileinatexteditorandlocatethe<version>tag.ThisistheversionoftheMavenplugin.
Donotmistakethe<modelVersion>tagforthe<version>tag.
Using the Maven PluginYoucanrunthepackagelocallyorintegrateitaspartofyourbuildprocess.Duringthetranslationphase,theSCAMavenPluginwillsearchyourjarfilefromthelocalrepositoryandtrytoresolveclassesinyourapplication.
Note:Inthefollowingsteps,youareprovidethreeversionsoftheSCAcommands.TheShortGoalNameversionofeachcommandcanonlybeusedifyouareusingthelatestversionoftheMavenpluginandyouhaveplacedacopyofthesetting.xmlfileinthelocalrepository.
TomanuallyscanyourcodeusingtheMavenPlugin:
1. Installthetargetapplicationinthelocalrepository:
mvn install
2. Cleanoutthepreviousbuildusingoneofthefollowingcommands:
3. Translatethecode:
Complete mvn com.fortify.ps.maven.plugin:sca-maven-plugin:<ver>:clean
WithoutVersionID mvn com.fortify.ps.maven.plugin:sca-maven-plugin:clean
ShortGoalName mvn sca:clean
Complete mvn com.fortify.ps.maven.plugin:sca-maven-plugin:<ver>:translate
WithoutVersionID mvn com.fortify.ps.maven.plugin:sca-maven-plugin:translate
ShortGoalName mvn sca:translate
Appendix F: Maven Integration 80
4. Scanthecode:
where <ver>istheversionoftheMavenPluginyou’reusing.
Note:Ifyoudon’tspecifytheversion,Mavenwillcallthelatestversionofthesca‐maven‐plugininthelocalrepository.
Toscanyourfilesaspartofyourbuildsystem
1. Installthetargetapplicationinthelocalrepository:
mvn install
2. Cleanoutthepreviousbuild:
mvn com.fortify.ps.maven.plugin:sca-maven-plugin:<version>:clean
3. Translatethecodeusingoneofthefollowingoptions:
4. Runthescan:
sourceanalyzer -b <build id> [sca scan options] -scan -f result.fpr
Excluding Files from the ScanIfyoudon’twanttoincludeallofthefilesinyourprojectorsolution,youcandirectSCAtoexcludeselectedfilesfromyourscan:
1. Createanexclusionfileinatexteditor.
2. Addthefollowinglinetothefileyoujustcreated:
com.fortify.sca.exclude="fileA;fileB;fileC"
Note:Filenamesmustbeseparatedwithasemicolon.Wildcardsaresupported;asingleasterisk(*)canbeusedtomatchpartofafilenamewhiletwoasterisks(**)canbeusedtorecursivelymatchdirectories.Formoreinformationonwildcards,see
3. Addthefollowingcodetothetranslationstep:
-Dfortify.sca.properties.file=my.exclusions
Complete mvn com.fortify.ps.maven.plugin:sca-maven-plugin:<ver>:scan
WithoutVersionID mvn com.fortify.ps.maven.plugin:sca-maven-plugin:scan
ShortGoalName mvn sca:scan
Translation Code Options
sourceanalyzer -b <build id> [sca build options] mvn
sourceanalyzer -b <build id> [sca build options] mvn com.fortify.ps.maven.plugin:sca-maven-plugin:<ver>:translate
sourceanalyzer -b <build id> [sca build options] mvn com.fortify.ps.maven.plugin:sca-maven-plugin:translate
sourceanalyzer -b <build id> [sca build options] mvn sca:translate
Note:Tousethisversionofthecommand,youmusthaveplacedacopyofthesetting.xmlfileinthelocalrepository.
Appendix F: Maven Integration 81
Forexample,forthesampleEightBallproject,youwouldissuethefollowingcommandtotranslatethesourcecode:
mvn com.fortify.ps.maven.plugin:sca-maven-plugin:4.00:translate -Dfortify.sca.source.version=1.6 -Dfortify.sca.properties.file=my.properties
Uninstalling the Maven PluginTouninstalltheMavenPlugin,manuallydeletesca-maven-pluginfromthelocalrepository.
Additional DocumentationAfterthepluginhasbeenproperlyinstalled,anewdirectorywillbeincludedinthefollowinglocation:
Samples\advanced\maven-plugin\target\site
Openthefileindex.htmltostartreadingthedocumentation.Therearesectionsontheavailableoptions,basicusageguide,uploadingscanstoSSCServer,andFAQs.
Appendix G: Sample Files 82
Appendix G: Sample FilesThisappendixcoversthefollowingtopics:
• AbouttheSampleFiles
• BasicSamples
• AdvancedSamples
About the Sample FilesYourHPFortifysoftwareinstallationincludesanumberofsamplefilesthatyoucanusewhentestingorlearningtouseSCA.Thesamplefilesarelocatedinthefollowingdirectory:
<HP_Fortify_Install_Directory>/Samples
InsidetheSamplesdirectoryaretwosub‐directories:basicandadvanced.EachcodesampleincludesaREADME.txtfilethatprovidesinstructionsonscanningthecodeinSCAandviewingtheoutputinAuditWorkbench.
Thebasicsub‐directoryincludesanassortmentofsimplelanguage‐specificsamples.TheadvancedsubdirectoryincludesmoreadvancedsamplesandcodesamplesthatenableyoutointegrateSCAwithyourbugtrackingsystem.
Basic SamplesTable24providesalistofthesamplefilesinthebasicsub‐directory(<HP_Fortify_Install_Directory>\Samples\basic),abriefdescriptionofthesamplefile,andalistofthevulnerabilitiesidentified.EachsampleincludesaREADME.txtfilethatprovidesfurtherdetailsandinstructionsonitsuse.
Table 24: Basic Samples
SampleFileFolder Contents Vulnerabilities
cpp IncludesaC++samplefileandinstructionsfortestingasimpledataflowvulnerability.Itrequiresagccorclcompiler.
CommandInjectionMemoryLeak
database Includesadatabase.pkssamplefile.ThisSQLsampleincludesissuesthatcanbefoundinSQLcode.
AccessControl:Database
eightball IncludesEightBall.java,aJavaapplicationthatexhibitsbaderrorhandling.Itrequiresanintegerasanargument.Ifyousupplyafilenameinsteadofaninteger,itwilldisplaythecontentsofthefile.
PathManipulationUnreleasedResource:StreamsJ2EEBadPractices:LeftoverDebugCode
formatstring Includesformatstring.cfile.Itrequiresagccorclcompiler.
FormatString
javascript Includessample.js,aJavaScriptfile. CrossSiteScripting(XSS)OpenRedirect
nullpointer IncludesNullPointerSample.javafile. NullDereference
Appendix G: Sample Files 83
Advanced SamplesTable25providesalistofthesamplefilesintheadvancedsubdirectory(<HP_Fortify_Install_Directory>\Samples\advanced).EachsampleincludesaREADME.txtfilethatprovidesfurtherdetailsandinstructionsonitsuse.
php Includesbothsink.phpandsource.phpfiles.Analyzingsource.phpsurfacessimpleDataflowvulnerabilitiesandadangerousfunction.
CrossSiteScriptingSQLInjection
sampleOutput Includesasampleoutputfile(WebGoat5.0.fpr)fromtheWebGoatprojectlocatedintheSamples/advanced/webgoatdirectory.
ExampleinputforAuditWorkbench.
stackbuffer Includesstackbuffer.c.Agccorclcompilerisrequired.
BufferOverflow
toctou Includes toctou.c file. Time‐of‐Check/Time‐of‐Use(RaceCondition)
vb6 Includescommand-injection.basfile. CommandInjectionSQLInjection
vbscript Includessource.aspandsink.aspfiles.
SQLInjection
Table 25: Advanced Samples
Sample File Folder Description
Bugzilla IncludesaBuild.xmlfilebuiltusingtheAuditWorkbenchbugtrackerpluginframework.Thepluginincludesthesamefunctionalityasthebuilt‐inBugzillapluginsothatitcanbeusedasaguidetocreatingyourownplugin.
c++ IncludesasampleVisualStudio2005solution:Sample.sln,Sample1.cpp,Sample.vcproj,stafx.cpp,stdafx.h.
YouneedtohaveMicrosoftVisualStudioVisualC/C++2005(ornewer)installed.YoushouldalsohavetheFortifyAnalyzersinstalled,withthepluginfortheVisualStudioversionyouareusing.
ThecodeincludesaCommandInjectionissueandanUncheckedReturnValueissue.
configuration ThisisasampleJ2EEapplicationthathasvulnerabilitiesinitswebmoduledeploymentdescriptor‐web.xml.
Table 24: Basic Samples (Continued)
SampleFileFolder Contents Vulnerabilities
Appendix G: Sample Files 84
crosstier Thisisasamplethathasvulnerabilitiesspanningmultipleapplicationtechnologies(Java,PL/SQL,JSP,struts).Theoutputshouldcontainseveralissuesofdifferenttypes,includingtwoAccessControlvulnerabilities.Oneoftheseisacross‐tierresult.IthasadataflowtracefromuserinputinJavacodethatcanaffectaSELECTstatementinPL/SQL.
csharp ThisisasimpleC#programthathasSQLinjectionvulnerabilities.VersionsareincludedforVS2003,VS2005,VS2010andVS2012.Uponsuccessfulcompletionofthescan,youshouldseetheSQLInjectionvulnerabilitiesandoneUnreleasedResourcevulnerability.Othercategoriesmayalsobepresent,dependingontherulepacksusedinthescan.
customrules SeveralsimplesourcecodesamplesandRulepackfilesthatillustraterulesinterpretedbyfourdifferentanalyzers:Semantic,Dataflow,controlflow,andConfiguration.Thisdirectoryalsoincludesseveralmiscellaneousreal‐worldrulessamplesthatmaybeusedforscanningrealapplications.
ejb AsampleJ2EEcross‐tierapplicationwithServletsandEJBs.
filters Asamplethatusessourceanalyzer’s–filteroption.
findbugs AsamplethatdemonstrateshowtorunFindBugsstaticanalysistooltogetherwiththeFortifySourceCodeAnalysisEngine(FortifySCAEngine)andfiltersoutresultsthatoverlap.
HPQC AsamplethatdemonstratestheAuditWorkbenchbugtrackerpluginframeworkbyimplementingaplugintoHPQualityCenter.ThisplugincommunicateswithanHPQCserverinstancethroughtheHPQCclient‐sideaddin.ThebugtrackertalkstotheaddinthroughaCOMinterface,andtheaddinhandlesthecommunicationtotheserver.
java1.5 IncludesResourceInjection.java.TheresultfileshouldhaveaPathManipulationresultandaJ2EEBadPracticesresult.
javaAnnotations IncludesasampleapplicationthatillustratesproblemsthatmayarisefromitsuseandhowtofixtheproblemsusingtheFortifyJavaAnnotations.ThegoalofthisexampleistoillustratehowtheuseofFortifyAnnotationscanresultinincreasedaccuracyinthereportedvulnerabilities.TheaccompanyingREADMEfileillustratethepotentialproblemsandsolutionsassociatedwithvulnerabilityresults.
JavaDoc JavaDocdirectoryforthebugtrackers,public‐api,andWSClient.
maven‐plugin TestscanberunonanyprojectsthatuseMaven(forinstancethoseincludedinthesamplesdirectory,orWebGoat5.3:http://code.google.com/p/webgoat/)
webgoat WebGoattestJ2EEwebapplicationprovidedbytheOpenWebApplicationSecurityProject(http://www.owasp.org).ThisdirectorycontainstheWebGoat5.0sources.WebGoatjavasourcescanbeuseddirectlyforjavavulnerabilityscanningviaFortifySourceCodeAnalysisEngine.
Table 25: Advanced Samples (Continued)
Sample File Folder Description
Appendix H: Issue Tuning 85
Appendix H: Issue TuningThisappendixcoversthefollowingtopics:
• AboutIssueTuning
• AboutInterproceduralConstantPropagation
About Issue TuningThisappendixlistspropertiesthatimpactthenumberofissuesthatSCAreports.Thedefaultsettingshavebeendesignedtoprovideoptimalresultsandshouldnotbealteredunlessyouareexperiencingareportingissueorhavebeeninstructedtodosobysupport.
IssuetuningallowsyoutofinetunethenumberandqualityofresultyoureceivefromanSCAscan.Thisisanadvancedtopicandshouldnotbenecessaryforthemajorityofusers.
IfyoufeelthatSCAisreportingtoomanyortoofewissuesofaparticulartype,youmayneedtoadjustapropertytoexcludeorincludeadditionalissues.Beforemakinganychanges,youmaywanttocontactsupportanddiscusstheissueyouareexperiencing.
Thefollowingareascanbetuned:
• Wrapperdetection
• Interproceduralconstantpropagation
• Selectivemaptracking
Ifyouneedtoturnoneormoreoftheseanalysisfeaturesoff,editthefortify-sca.propertiesfile,locatedinthe<install_directory>/Core/config directory.
About Wrapper DetectionWrapperdetectionidentifiesmethodsthatwrapmapoperations.InSCA,mapoperationsinsert<key,value>pairsto,orretrieve<key,value>pairsfrom,anassociativemap.Whenataintedvalueisinsertedorretrieved,itstaintmaygetpropagatedthroughthemap.
TheHPFortifySoftwareSecurityResearchteam(SSR)providesrulesdescribinghowvariousAPIsimplementmapinsertionandretrieval.Taintpropagationoccurswhenmethodsmatchingthosespecifiedintherulesareinvoked.IfSCAcannotcomputethemapkeysusedatthosemethods,thenitpromotestaintfromasinglevaluetoallvaluesinthemap.Thisintroducesfalsepositives.
Afunctionistreatedasawrappermethodwhenit:
• ContainsacallsitetoamethodidentifiedbyanSSRruleasamapoperationoralreadyidentifiedbySCAasawrapper.
• Directlypassesitsparameterstothemapoperation.
• Directlypassesthemapoperation'sreturnvaluetoitsownreturn.
Theeffectsofsuccessfulwrapperidentificationinclude:
• ReductionoffalseissuereportsfromtheDataflowanalyzerbyreducingthenumberofissuesreportedwithmismatchedmapinsertionsandretrievals.
• Improvedreadabilityof
• Dataflowissuereportsbyreplacingunknownmapkeys,shownas'?',withexplicitkeyvalues.
Appendix H: Issue Tuning 86
ThepropertieslistedinTable26controlthebehaviorofwrapperdetection:
Table 26: Wrapper Detection Analysis Keys
Analysis Property Description
None Executeswrapperdetection,includingdetectionofnestedwrappers
com.fortify.sca.EnableNestedWrappers Avalueoffalsedisablesallnestedwrapperdetection.
com.fortify.sca.EnableWrapperDetection Avalueoffalsedisablesallwrapperdetection
com.fortify.sca.WrapperHeuristic Bydefault,theheuristicusedis“moderate”.Youcanalsosetthisvalueto“strict”,whichwillnotidentifyanymethodscontainingmultiplecallsitesaswrappers.
About Interprocedural Constant PropagationProgramminglanguagesprovidekeywordsindicatingthatavariableisaconstant,unchangingvaluethroughoutanentireprogram.However,somesoftwarefailstoconsistentlyapplythesekeywordstoconstantvariables.InterproceduralConstantPropagationidentifiesexplicitconstantsandvariablesthatarenotdefinedasconstantsbuthaveunchangingvalues,anditthenpropagatesthoseconstantvaluesthroughoutallfunctionsintheprogram.
ThepropertieslistedinTable27controlInterproceduralConstantPropagation.
Table 27: Interprocedural Constant Propagation Keys
Analysis Property Description
com.fortify.sca.EnableInterproceduralConstantResolution
Enablesordisablespropagationofconstantvaluesacrossfunctionboundaries.
com.fortify.sca.DisableInferredConstants
Ifsetto“true”,disablesidentificationofconstantvariableswithoutexplicitconstorfinalkeywords.
com.fortify.sca.DisableInferredConstants.NonStatic
Ifsetto“true”,disablesidentificationofnon‐staticconstants.
Appendix H: Issue Tuning 87
About Selective Map Operation TrackingSelectiveMapOperationTrackinganalysisgreatlyreducestheprevalenceofunresolvedmapkeys.ThisanalysisallowsSCAtofindtruepositivesinglobalclasseswithoutintroducinganincreaseinthenumberoffalsepositives.Thisalgorithmisconfigurableviaapropertykeythatacceptsanyoffourvalues.Thedefaultvalue,classrule,isappropriateinmostsituations.Ifyoufindthattoomanyissuesarebeingsuppressed,youcanchangethevalueandcomparetheresultsreceived.
ThevalueslistedinTable28controlSelectiveMapOperationTracking.
Table 28: Selective Map Operator Tracking Values
Analysis Property Value Description
com.fortify.sca.RequireMapKeys classrule Thisisthedefaultvalueofthepropertyanddoesnotneedtobeset.SCAwillanalyzedataflowoperationsonmapsglobalbyclassruleonlywhenitcandeterminekeys.
never Setthispropertyequalto“never”todisableSelectiveMapOperationTrackinganalysis.Allmapoperationswillbeanalyzed.
globals Setthispropertyequalto“globals”toincreasetheaggressivenessoftheanalysis.SCAwillanalyzedataflowoperationsonallglobalmapsonlywhenitcandeterminekeys.
always Setthispropertyequalto“always”formaximumaggressiveness.SCAwillprocessdataflowoperationsonallmapsonlywhenitcandeterminekeys.
Appendix I: Configuration Properties 85
Appendix I: Configuration PropertiesThisappendixliststhepropertiesfoundinthefortify.propertiesandthefortify.sca.properties files.Theseconfigurationfilesarelocatedinthefollowingdirectory:
<Installation_Directory>\HP_Fortify\HP_Fortify_SCA_and_Apps_X.XX\Core\config
fortify.propertiesTable29listsconfigurationoptionsthatcanbealteredorsetinthefortify.propertiesfileordefinedonthecommandlineusingthe-Doption.s
Table 29: fortify.properties
Objective Property Value
SetSCAtools,suchasHPFortifyAuditWorkbench,todebugmode.
com.fortify.Debug Valuetype:Boolean
Default:false
Example:
com.fortify.Debug=true
SetHPFortifyAuditWorkbenchtodebugmode.
com.fortify.awb.Debug Valuetype:Boolean
Default:false
Example:
com.fortify.awb.Debug=true
SetEclipsetodebugmode. com.fortify.eclipse.Debug Valuetype:Boolean
Default:false
Example:
com.fortify.eclipse.Debug=true
SetVisualStudiotodebugmode.
com.fortify.VS.Debug Valuetype:Boolean
Default:false
Example:
com.fortify.VS.Debug=true
LocatetheSCAexecutablefile.
Note:Thispropertyissetoninstallationandshouldnotrequirealterationunlessyoumanuallymovetheexecutablefiles.
com.fortify.SCAExecutablePath
Valuetype:String(path)
Default:SetwhenSCAwasinstalled
Example:
com.fortify.SCAExecutablePath=C:\\Program Files\\Fortify Software\\HP Fortifyv3.60\\bin\\sourceanalyzer.exe
SetthepathtotheworkingdirectoryoftheSCAtools.
com.fortify.WorkingDirectory Valuetype:String(path)
Default:com.fortify.WorkingDirectory=${win32.LocalAppdata}/Fortify
Example:
com.fortify.WorkingDirectory=${win32.LocalAppdata}/Fortify
where${win32.LocalAppdata} isavariablethatpointstotheWindowsLocalApplicationDatashellfolder.ThisistypicallyC:\Documents and Settings\<user>\Local Settings\Application Data
Appendix I: Configuration Properties 86
Setorchangetheusernameforthisinstallation.
com.fortify.InstallationUserName
Valuetype:String(variablepointer)
Default:
com.fortify.InstallationUserName=${user.name}
Theusernameforthisinstallation,${FM.user.name},canbeusedtoreferencethestoredFortifyManagerusername.
Example:
com.fortify.InstallationUserName=${user.name}
Setthelocalefortheinstallation.
com.fortify.locale Valuetype:String(countrycodeabbrev.)
Default:Locationofmachinesoftwarewasinstalledon.
Example:
com.fortify.locale=en
SetthescantocontinueevenifASPPrecompilationfails.
Ifthispropertyissettofalse,whenperformingascanofawebsitefromVisualStudioinheadlessmodethescanwillcontinueeveniftheASPPre‐compilationfails.
com.fortify.VS.RequireASPPrecompilation
Valuetype:Boolean
Default:false
Example:
com.fortify.VS.RequireASPPrecompilation=false
SetthisvaluetotrueifyouwantSCAtotranslatethedefaultASPoutput(insteadofrunningtheaspnet_compiler)whenscanningawebsitefromVisualStudio.
Youshouldmanuallycleanthiscachebeforeuseofthissetting.
com.fortify.VS.SkipASPPrecompilation
Valuetype:Boolean
Default:false
Example:
com.fortify.VS.SkipASPPrecompilation=true
DisableuseofCodeNavigationfeatureinAWBandimproveruntimememoryusage.
com.fortify.DisableProgramInfo
Valuetype:Boolean
Example:
com.fortify.DisableProgramInfo=true
DisableintegrationwithC/CPPbuilds(VisualStudio).
com.fortify.VS.DisableCIntegration
Valuetype:Boolean
Default:false
Example:
com.fortify.VS.DisableCIntegration=true
Setthepathusedtostorethemanagerclientauthenticationtoken.
com.fortify.AuthenticationKey
Valuetype:String(path)
Default:
${com.fortify.WorkingDirectory}/config/tools
Example:
com.fortify.AuthenticationKey=${com.fortify.WorkingDirectory}/config/tools
Table 29: fortify.properties (Continued)
Objective Property Value
Appendix I: Configuration Properties 87
DisablefvdlvalidationintheUI.
com.fortify.model.CheckSig Valuetype:Boolean
Default:false
Example:
com.fortify.model.CheckSig=true
ReducetheamountofdataloadedfromanFPR.Whensettotrue,onlybasicissueinformationwillbeloadedfromtheFPR.
com.fortify.model.MinimalLoad
Valuetype:Boolean
Default:false
Example:
com.fortify.model.MinimalLoad=true
SetthisvaluetotruetouseIssueParseFilters.properties.
settings.OptimizeMemorymustalsobeenabled.
com.fortify.model.UseIssueParseFilters
Valuetype:Boolean
Default:false
Example:
com.fortify.model.UseIssueParseFilters=true
Setbackwardscompatibilitywithpre‐2.5migratedprojects.
com.fortify.model.EnablePathElementBaseIndexShift
Valuetype:Boolean
Default:true
Example:
com.fortify.model.EnablePathElementBaseIndexShift=true
SetdefaultVMargumentsforusewhentheVisualStudiopluginrunsJavacommands.
com.fortify.visualstudio.vm.args
Valuetype:String(VMargument)
Default:
-Xmx256m
Example:
com.fortify.visualstudio.vm.args=-Xmx256m
Setthispropertytoenablemanualremovalofthreadlocaltransactionresourcewhenajobcompletes.
enable.clean.transaction.resource
Valuetype:Boolean
Default:true
Settingthispropertytotruepreventsaquartz/springbugwhencrontriggerishappened,somethreadlocalresourceisnotreleased,resultingina"Pre-bound JDBC Connection found!"error.Setthispropertytotruewhenthisproblemoccurs.
Example:
enable.clean.transaction.resource=true
SetthispropertytomigrateIIDscreatedwithdifferentversionsofSCA.ThisisgenerallyhandledbySCA.Ifyouneedtooverridethemappingscheme,pleaseconsultHPFortifycustomersupport.
com.fortify.tools.iidmigrator.scheme
ContactHPFortifycustomersupportforassistance.
Table 29: fortify.properties (Continued)
Objective Property Value
Appendix I: Configuration Properties 88
Setthemaximumnumberofcharactersforyourfilepath.
max.file.path.length Valuetype:String(number)
Default:255
Ifthepathexceedsthisvalue,thelastXnumberofcharacterswillbekeptinthefilepathfortheissueandtheentrywillberemovedfromsourcefilemap.
Example:
max.file.path.length=255
Definewhich.FPRproject(defaultorimported)shouldbeusedasthebasewhenresolvingmergeconflicts.
com.fortify.model.MergeResolveStrategy
Valuetype:String
Default:DefaultToMasterValue
Possiblevaluesare:'DefaultToMasterValue','DefaultToImportValue',or'NoStrategy'.
Example:
com.fortify.model.MergeResolveStrategy=DefaultToMasterValue
SettheRemovedIssuePersistenceLimit.
com.fortify.RemovedIssuePersistenceLimit
Valuetype:String(number)
Default:1000
Example:
com.fortify.RemovedIssuePersistenceLimit=5000
DefinetheamountofmemoryallocatedforprocessesrequiredbyHPFortifyAuditWorkbench(i.e.,iidmigrator,events2fpr,etc.)
com.fortify.model.ExecMemorySetting
Valuetype:String
Default:1200M
Example:
-Dcom.fortify.model.ExecMemorySetting=12OOM
Limitthenumberofissuesloaded.
com.fortify.model.IssueCutoffStartIndex
com.fortify.model.IssueCutoffEndIndex
Valuetype:String(number)
Usethecom.fortify.model.IssueCutoffStartIndex propertytoselectthefirstissue(bynumber)tobeloaded.
Userthecom.fortify.model.IssueCutoffEndIndex propertytoselectthelastissue(bynumber)tobeloaded.
Example:
com.fortify.model.IssueCutoffStartIndex=10 com.fortify.model.IssueCutoffEndIndex=20
Note:Youcanusebothparameterstogether,asintheexampleabove,toselectarange.Thisexampleloadsissue10‐19,foratotalof20issues.
Table 29: fortify.properties (Continued)
Objective Property Value
Appendix I: Configuration Properties 89
fortify‐sca.propertiesTable30listsconfigurationoptionsthatcanbealteredorsetinthefortify‐sca.propertiesfileordefinedonthecommandlineusingthe-Doption.
Limitthecategoriesloadedbasedonnumberofissues.
com.fortify.model.IssueCutoffByCategoryStartIndex
com.fortify.model.IssueCutoffByCategoryEndIndex
Valuetype:String(number)
Usethecom.fortify.model.IssueCutoffByCategoryEndIndex propertytoloadcategoriesthathavelessthantheselectednumberofissues.Usebothpropertiesinconjunctiontoselectarange.
Example:
com.fortify.model.IssueCutoffByCategoryStartIndex=10com.fortify.model.IssueCutoffByCategoryEndIndex=20
Theexampleaboveloadscategorieswhichhavebetween10through19issuesinthem.
Table 30: fortify‐sca.properties
Objective Property Values
SettheHPFortifyapplicationdatadirectory.
com.fortify.sca.ProjectRoot Valuetype:String(path)
Default:com.fortify.sca.ProjectRoot=${win32.LocalAppdata}/Fortify
${win32.LocalAppdata} isaspecialvariablethatpointstothewindowsLocalApplicationDatashellfolder.
Example1:
com.fortify.sca.ProjectRoot=${win32.LocalAppdata}/Fortify
Example2:
com.fortify.sca.ProjectRoot=C:\Documents and Settings\<user>\Local Settings\Application Data
Selecttheanalyzerstobeused.
com.fortify.sca.DefaultAnalyzers
Valuetype:Boolean
Default:Allanalyzersareturnedonbydefault.
Editthelisttochangewhichanalyzersareenabledbydefault.
Example:
com.fortify.sca.DefaultAnalyzers=dataflow:semantic:controlflow:configuration:structural:content:buffer
Table 29: fortify.properties (Continued)
Objective Property Value
Appendix I: Configuration Properties 90
Setdefaultfiletypes. com.fortify.sca.DefaultFileTypes
Valuetype:String
Default:com.fortify.sca.DefaultFileTypes=java,rb,jsp,jspx,tag,tagx,tld,sql,cfm,php,phtml,ctp,pks,pkh,pkb,xml,config,settings,properties,dll,exe,inc,asp,vbscript,js,ini,bas,cls,vbs,frm,ctl,html,htm,xsd,wsdd,xmi,py,cfml,cfc,abap,xhtml,cpx,xcfg,jsff,as,mxml,cbl,c,scfg,csdef,wadcfg,appxmanifest,wsdl,plist
Example:
com.fortify.sca.DefaultFileTypes=<comma separated list of file types>
Setthedirectoryusedtosearchforcustomrules.Ifthisisset,thedefaultdirectoryisnotsearched.
com.fortify.sca.CustomRulesDir
Valuetype:String(path)
Default:com.fortify.sca.CustomRulesDir=${com.fortify.Core}/config/customrules
Example:
com.fortify.sca.CustomRulesDir=<Directory where custom rules are stored>
TellSCAhowtoprocessspecificfiletypes.Allowedtypesare:JAVA,JSP,JSPX,PLSQL,TSQL,SQL,XML,JAVA_Properties,MSIL,CFML,andCSHARP.
Note:Objective‐Cdoesnotrequireanentry.
com.fortify.sca.fileextensions.java = JAVAcom.fortify.sca.fileextensions.jsp = JSPcom.fortify.sca.fileextensions.tag = JSPcom.fortify.sca.fileextensions.tagx = JSPcom.fortify.sca.fileextensions.jspx = JSPXcom.fortify.sca.fileextensions.xhtml = JSPXcom.fortify.sca.fileextensions.faces = JSPXcom.fortify.sca.fileextensions.jsff = JSPXcom.fortify.sca.fileextensions.js = JAVASCRIPT
Note:Thisisapartiallist.Forthecompletelist,seethefortify‐sca.propertiesfile.
Valuetype:String(language)
Default:Seethefortify-sca.propertiesfileforthecompletelist.
SetSCAtousethenativeparser.
com.fortify.sca.jsp.UseNativeParser
Valuetype:Boolean
Default:true
Example:
com.fortify.sca.jsp.UseNativeParser=false
Table 30: fortify‐sca.properties (Continued)
Objective Property Values
Appendix I: Configuration Properties 91
SettheSQLlanguagevariant. com.fortify.sca.SqlLanguage Valuetype:String(SQLlanguagetype)
Default:TSQL
Example:
com.fortify.sca.SqlLanguage=TSQL
Enablecustom‐namedcompilers. com.fortify.sca.compilers.fortify=com.fortify.sca.util.compilers.FortifyCompilercom.fortify.sca.compilers.touchless=com.fortify.sca.util.compilers.FortifyCompilercom.fortify.sca.compilers.make=com.fortify.sca.util.compilers.TouchlessCompilercom.fortify.sca.compilers.gmake=com.fortify.sca.util.compilers.TouchlessCompilercom.fortify.sca.compilers.jam=com.fortify.sca.util.compilers.TouchlessCompilercom.fortify.sca.compilers.clearmake=com.fortify.sca.util.compilers.TouchlessCompilercom.fortify.sca.compilers.nmake=com.fortify.sca.util.compilers.TouchlessCompiler
Note:Thisisapartiallist.Forthecompletelist,seethefortify-sca.propertiesfile.
Valuetype:String(compiler)
Default:SeetheCompilerssectioninthefortify-sca.propertiesfileforthecompletelist.
Example:
TotellSCAthat“my‐gcc”isagcccompiler:
com.fortify.sca.compilers.my-gcc= com.fortify.sca.util.compilers.GccCompiler
Note:Compilernamesmaybeginorendwithan*,whichmatches0ormorecharacters.
Table 30: fortify‐sca.properties (Continued)
Objective Property Values
Appendix I: Configuration Properties 92
TellSCAwhichcompilerscauseatranslationdaemontobespawned.
com.fortify.sca.DaemonCompilers
Valuetype:String(compiler)
Default:com.fortify.sca.DaemonCompilers = com.fortify.sca.util.compilers.GppCompiler,com.fortify.sca.util.compilers.GccCompiler,com.fortify.sca.util.compilers.AppleGppCompiler,com.fortify.sca.util.compilers.AppleGccCompiler,com.fortify.sca.util.compilers.MicrosoftCompiler,com.fortify.sca.util.compilers.MicrosoftLinker,com.fortify.sca.util.compilers.LdCompiler,com.fortify.sca.util.compilers.ArUtil,com.fortify.sca.util.compilers.SunCCompiler,com.fortify.sca.util.compilers.SunCppCompiler,com.fortify.sca.util.compilers.IntelCompiler,com.fortify.sca.util.compilers.ExternalCppAdapter,com.fortify.sca.util.compilers.ClangCompiler
Example:
com.fortify.sca.DaemonCompilers = com.fortify.sca.util.compilers.GppCompiler,com.fortify.sca.util.compilers.GccCompiler,com.fortify.sca.util.compilers.AppleGppCompiler,com.fortify.sca.util.compilers.AppleGccCompiler,com.fortify.sca.util.compilers.MicrosoftCompiler,com.fortify.sca.util.compilers.MicrosoftLinker,com.fortify.sca.util.compilers.LdCompiler,com.fortify.sca.util.compilers.ArUtil,com.fortify.sca.util.compilers.SunCCompiler,com.fortify.sca.util.compilers.SunCppCompiler,com.fortify.sca.util.compilers.IntelCompiler,com.fortify.sca.util.compilers.ExternalCppAdapter,com.fortify.sca.util.compilers.ClangCompiler
Setcallgraphbuildersvalues. com.fortify.sca.analyzer.callgraph.VirtualCGBuilder: Virtual method mappingscom.fortify.sca.analyzer.callgraph.J2EEIndirectCGBuilder: EJB Bean methodscom.fortify.sca.analyzer.callgraph.JNICGBuilder: JNI Callscom.fortify.sca.analyzer.callgraph.IDLIndirectCGBuilder: CORBA calls (disabled by default)com.fortify.sca.analyzer.callgraph.StoredProcedureResolver: JDBC stored procedure calls
Note:Thisisasamplelist.Forthecompletelist,seethefortify-sca.propertiesfile.
Valuetype:String(callgraphbuilders)
Default:Offbydefault
Example:
com.fortify.sca.analyzer.callgraph.VirtualCGBuilder: Virtual method mappings
Table 30: fortify‐sca.properties (Continued)
Objective Property Values
Appendix I: Configuration Properties 93
SetDataflowanalysisvalues. com.fortify.sca.DisableFunctionPointerscom.fortify.sca.DisableGlobals com.fortify.sca.EnableStructuralMatchCache com.fortify.sca.EnableInterproceduralConstantResolutioncom.fortify.sca.EnableWrapperDetectioncom.fortify.sca.EnableNestedWrapperscom.fortify.sca.WrapperHeuristiccom.fortify.sca.RequireMapKeycome.fortify.sca.DisableInferredConstants
Valuetype:Boolean
Examples(defaultvalues):
com.fortify.sca.DisableFunctionPointers=falsecom.fortify.sca.DisableGlobals=falsecom.fortify.sca.EnableStructuralMatchCache=true com.fortify.sca.EnableInterproceduralConstantResolution=falsecom.fortify.sca.EnableWrapperDetection=falsecom.fortify.sca.EnableNestedWrappers=falsecom.fortify.sca.WrapperHeuristic = moderatecom.fortify.sca.RequireMapKey = classrulecome.fortify.sca.DisableInferredConstants = false
Setadditionalanalysisvalues. com.fortify.sca.NoNestedOutTagOutputcom.fortify.sca.DisableDeadCodeEliminationcom.fortify.sca.DeadCodeIgnoreTrivialPredicatescom.fortify.sca.DeadCodeFilter com.fortify.sca.SolverTimeout
Valuetype:Boolean
Examples(defaultvalues):
com.fortify.sca.NoNestedOutTagOutput=org.apache.taglibs.standard.tag.rt.core.RemoveTag,org.apache.taglibs.standard.tag.rt.core.SetTagcom.fortify.sca.DisableDeadCodeElimination=falsecom.fortify.sca.DeadCodeIgnoreTrivialPredicates=truecom.fortify.sca.DeadCodeFilter=truecom.fortify.sca.SolverTimeout=15
SetFVDLoptions. com.fortify.sca.FVDLDisableProgramDatacom.fortify.sca.FVDLDisableSnippetscom.fortify.sca.FVDLDisableDescriptionscom.fortify.sca.FVDLStylesheet
Valuetype:Boolean
Example(defaultvalues):
com.fortify.sca.FVDLDisableProgramData=falsecom.fortify.sca.FVDLDisableSnippets=falsecom.fortify.sca.FVDLDisableDescriptions=falsecom.fortify.sca.FVDLStylesheet=${com.fortify.Core}/resources/sca/fvdl2html.xsl
Setdefaultlogfilelocation. com.fortify.sca.LogFile Valuetype:String(path)
Default:N/A
SettingthisparameterwillcausethelogfiletobeoverwritteneachtimeSCAisrun.
Example:
com.fortify.sca.LogFile=${com.fortify.sca.ProjectRoot}/sca/log/sca.log
Table 30: fortify‐sca.properties (Continued)
Objective Property Values
Appendix I: Configuration Properties 94
Setpost‐scanloggingoptiontotrueandSCAwillwriteperformance‐relateddatatothelogfileafterscancompletion.
com.fortify.sca.PrintPerformanceDataAfterScan
Valuetype:Boolean
Default:false
Valuewillautomaticallybesettotruewhenindebugmode.
Example:
com.fortify.sca.PrintPerformanceDataAfterScan=true
Settranslatoroptions com.fortify.sca.cpfe.commandcom.fortify.sca.cpfe.441.commandcom.fortify.sca.cpfe.optionscom.fortify.sca.cpfe.file.optioncom.fortify.sca.cpfe.dont.fix.cctor.option
Valuetypes:StringandBoolean
Examples(Defaultvalues):
com.fortify.sca.cpfe.command=${com.fortify.Core}/private-bin/sca/cpfecom.fortify.sca.cpfe.441.command=${com.fortify.Core}/private-bin/sca/cpfe441com.fortify.sca.cpfe.options=--remove_unneeded_entities --suppress_vtbl -tusedcom.fortify.sca.cpfe.file.option=--gen_c_file_namecom.fortify.sca.cpfe.dont.fix.cctor.option=true
Displayprogressbar. com.fortify.sca.DisplayProgress
Valuetype:Boolean
Default:true
Example:
com.fortify.sca.DisplayProgress=true
SetFindbugsmaximumheapsize.
com.fortify.sca.findbugs.maxheap
Valuetype:Boolean
Default:SCA’smaxheapsize.
Example:
com.fortify.sca.findbugs.maxheap=500m
SetCFMLpagesbehavior com.fortify.sca.CfmlUndefinedVariablesAreTainted
Valuetype:Boolean
Default:Featureisdisabled.
AvalueoftruetreatsundefinedvariablesinCFMLpagesastainted.
Example:
com.fortify.sca.CfmlUndefinedVariablesAreTainted=true
Generateimpliedmethodswhenimplementationbyinheritanceisencountered
com.fortify.sca.AddImpliedMethods
Valuetype:Boolean
Default:true
Example:
com.fortify.sca.AddImpliedMethods=true
Table 30: fortify‐sca.properties (Continued)
Objective Property Values
Appendix I: Configuration Properties 95
SetControlflowAnalyzeroptions.
com.fortify.sca.analyzer.controlflow.liveness.skip.rulescom.fortify.sca.analyzer.controlflow.EnableRefRuleOptimizationcom.fortify.sca.analyzer.controlflow.EnableLivenessOptimizationcom.fortify.sca.analyzer.controlflow.EnableMachineFilteringcom.fortify.sca.analyzer.controlflow.EnableTimeOut
Valuetype:BooleanandString
Examples(defaultsettings):
com.fortify.sca.analyzer.controlflow.liveness.skip.rules=B530C5D6-3C71-48C5-9512-72A7F4911822com.fortify.sca.analyzer.controlflow.EnableRefRuleOptimization=falsecom.fortify.sca.analyzer.controlflow.EnableLivenessOptimization=falsecom.fortify.sca.analyzer.controlflow.EnableMachineFiltering=falsecom.fortify.sca.analyzer.controlflow.EnableTimeOut=true
Setpathtoregonyoursystem.
com.fortify.sca.RegExecutable
Valuetype:String(path)
Default:Notset
Example:
Setvarious.NEToptions. WinForms.TransformDataBindingsWinForms.TransformMessageLoopsWinForms.TransformChangeNotificationPatternWinForms.CollectionMutationMonitor.LabelWinForms.ExtractEventHandlersWinForms.TouchUpDataSourcesCAB.EnableStateMap1com.fortify.sca.dotnet.cab.injectioncom.fortify.sca.dotnet.cab.events
Valuetype:Boolean
Examples(Defaultsettings):
WinForms.TransformDataBindings=trueWinForms.TransformMessageLoops=trueWinForms.TransformChangeNotificationPattern=trueWinForms.CollectionMutationMonitor.Label=WinFormsDataSourceWinForms.ExtractEventHandlers=trueWinForms.TouchUpDataSources=trueCAB.EnableStateMap1=truecom.fortify.sca.dotnet.cab.injection=truecom.fortify.sca.dotnet.cab.events=true
Setnumberoflinesofcodetodisplaysurroundingissue.
com.fortify.sca.SnippetContextLines
Valuetype:String
Default:3
Thedefaultvalueis3.Whenset,thenumberrepresentthe2linesofcodeoneachsideofthelinewheretheerroroccurs.Sobydefault,thereareatotalof5linesdisplayed.Thisvaluecanbeoverwritten.
SetCPFEtohandlemultibytecharactersinyoursourcecode.ThisallowsSCAtohandlecodewithmultibyteencoding,suchasSJIS(Japanese).
com.fortify.sca.cpfe.multibyte
Valuetype:Boolean
Default:Notenabled
Thisfeatureisturnedoffbydefault.SetthispropertytoTrueifyouhavemultibytecharactersinyoursourcecode.
Example:
com.fortify.sca.cpfe.multibyte=true
Table 30: fortify‐sca.properties (Continued)
Objective Property Values
Appendix I: Configuration Properties 96
SettheversionofCPFEto441.
com.fortify.sca.cpfe.gnu.version
Valuetype:Boolean
Default:false
Example:
com.fortify.sca.cpfe.gnu.version=true
ConfigureSCAtooverwritethelogfile.
com.fortify.sca.ClobberLogFile
Valuetype:Boolean
Default:false
NewlogfilewillbeoverwritteneachtimeSCAruns.
Example:
com.fortify.sca.ClobberLogFile=true
Addaprefixtologfile. com.fortify.sca.SuppressLogPrefix
Valuetype:String
Default:Notenabled
Noprefixisaddedtothelogfilenamebydefault.Usethispropertytoaddaprefixtothelogname.
Example:
com.fortify.sca.SuppressLogPrefix=???
Specifyafileorseriesoffilestoexcludefromascan.
Note:Thisonlyworksonthecommandline.Youcanissueitmultipletimestoaccommodatemultiplefiles.
com.fortify.sca.exclude Valuetype:String
Default:Notenabled
Example:
com.fortify.sca.exclude=file1.x,file2.x
Thisisthesameas-debug,butmoreverbose,specificallywhenitcomestoparseerrors.
com.fortify.sca.DebugVerbose Valuetype:Boolean
Default:Notenabled
Example:com.fortify.sca.DebugVerbose= true
Table 30: fortify‐sca.properties (Continued)
Objective Property Values