community.microfocus.com · Preface iii Preface Contacting HP Fortify Support If you have questions...

HP Fortify Static Code AnalyzerSoftware Version 4.30

User Guide

DocumentReleaseDate:April2015

SoftwareReleaseDate:April2015

Legal Notices

Warranty

TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatementsaccompanyingsuchproductsandservices.Nothinghereinshouldbeconstruedasconstitutinganadditionalwarranty.HPshallnotbeliablefortechnicaloreditorialerrorsoromissionscontainedherein.

Theinformationcontainedhereinissubjecttochangewithoutnotice.

Restricted Rights Legend

Confidentialcomputersoftware.ValidlicensefromHPrequiredforpossession,useorcopying.ConsistentwithFAR12.211and12.212,CommercialComputerSoftware,ComputerSoftwareDocumentation,andTechnicalDataforCommercialItemsarelicensedtotheU.S.Governmentundervendor'sstandardcommerciallicense.

Copyright Notice

©Copyright2003‐2015Hewlett‐PackardDevelopmentCompany,L.P.

DocumentationUpdates

Thetitlepageofthisdocumentcontainsthefollowingidentifyinginformation:

• SoftwareVersionnumber

• DocumentReleaseDate,whichchangeseachtimethedocumentisupdated

• SoftwareReleaseDate,whichindicatesthereleasedateofthisversionofthesoftware

Tocheckforrecentupdatesortoverifythatyouareusingthemostrecenteditionofadocument,goto:

https://protect724.hp.com

You will also receive updated or new editions if you subscribe to the appropriate product support service. Contact your HP sales representative for details.

PartNumber:1‐16b3‐2015‐04‐430‐02

Preface iii

Preface

Contacting HP Fortify SupportIfyouhavequestionsorcommentsaboutusingthisproduct,contactHPFortifyTechnicalSupportusingoneofthefollowingoptions.

ToManageYourSupportCases,AcquireLicenses,andManageYourAccount

https://support.fortify.com

ToEmailSupport

[email protected]

ToCallSupport

650.735.2215

For More InformationFormoreinformationonHPEnterpriseSecuritySoftwareproducts:http://www.hpenterprisesecurity.com

About the HP Fortify Software Security Center Documentation SetTheHPFortifySoftwareSecurityCenterdocumentationsetcontainsinstallation,user,anddeploymentguidesforallHPFortifySoftwareSecurityCenterproductsandcomponents.Inaddition,youwillfindtechnicalnotesandreleasenotesthatdescribenewfeatures,knownissues,andlast‐minuteupdates.YoucanaccessthelatestversionsofthesedocumentsfromtheHPESPusercommunityProtect724website(https://protect724.hp.com/welcome).Youwillneedtoregisterforanaccount.

https://support.fortify.com

mailto:[email protected]

http://www.hpenterprisesecurity.com

https://protect724.hp.com/welcome

https://protect724.hp.com/welcome

Change Log iv

Change LogThefollowingtabletrackschangesmadetothisguide.

Software Release‐version Date Change

4.30‐01 3/12/2014 Updated:AppendixI:ConfigurationProperties

Updated:Pythoninformation

Update:Translating.NETchapterwithsupportforVisualStudio2014

Updated:iOSscanninginformationinTranslatingCodeforMobilePlatformschapter

Added:SectiononJavaBytecodeintheTranslatingJavachapter

4.21‐02 10/8/2014 Removed:BuildMonitor(deprecated)

4.21‐01 11/20/2014 Added:TranslatingRubychapter

Updated:TranslatingABAP

4.10‐01 3/22/2014 Updated:iOSsection

Contents v

Contents

Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .iii

ContactingHPFortifySupport.........................................................................iii

ForMoreInformation .................................................................................iii

AbouttheHPFortifySoftwareSecurityCenterDocumentationSet....................................................................................iii

Change Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .iv

Chapter 1: Introduction............................................................................. 10

AbouttheIntendedAudience ......................................................................... 10

AbouttheHPFortifySoftwareSecurityCenterComponents ........................................... 10

RelatedDocuments ................................................................................... 11

Chapter 2: HPFortifyStaticCodeAnalyzer .......................................................... 12

AboutHPFortifyStaticCodeAnalyzer ................................................................ 12

AboutParallelAnalysis ........................................................................... 12AboutAnalyzers.................................................................................. 12AbouttheAnalysisProcess....................................................................... 13AboutAnalysisCommands ....................................................................... 14AboutMemoryConsiderations ................................................................... 14AbouttheTranslationPhase...................................................................... 14AbouttheAnalysisPhase ......................................................................... 15AboutVerificationoftheTranslationandAnalysisPhase.......................................... 15AbouttheHPFortifyScanWizard ................................................................ 16AboutHPFortifyCloudScan...................................................................... 16

Chapter 3: TranslatingJavaCode .................................................................... 17

AboutJavaCommandLineSyntax..................................................................... 17

AboutJavaCommandLineExamples.................................................................. 17

IntegratingwithAntusingtheHPFortifyAntCompilerAdapter ....................................... 18

HandlingResolutionWarnings........................................................................ 18

JavaWarnings.................................................................................... 19

UsingFindBugs....................................................................................... 19

TranslatingJ2EEApplications ........................................................................ 20

PrerequisiteforTranslatingCodeUsingLegacyVersionsoftheJ2EESDK ......................... 20TranslatingtheJavaFiles ......................................................................... 20TranslatingJSPProjects,ConfigurationFiles,andDeploymentDescriptors........................ 20TranslatingJavaByteCode........................................................................ 21J2EEWarnings................................................................................... 21

Chapter 4: Translating.NETSourceCode............................................................ 22

AbouttheVisualStudioCommandPrompt ............................................................ 22

AboutVisualStudio.NET............................................................................. 22

Contents vi

TranslatingSimple.NETApplications ................................................................. 23

TranslatingASP.NET1.1(VisualStudioVersion2003)Projects........................................ 24

HandlingResolutionWarnings........................................................................ 25

About.NETWarnings ............................................................................ 25AboutASP.NETWarnings ........................................................................ 25

Chapter 5: TranslatingC/C++Code .................................................................. 26

AboutCandC++CommandLineSyntax............................................................... 26

CandC++CommandLineExamples.............................................................. 26

AboutIntegratingwithMake ......................................................................... 26

UsingtheHPFortifyTouchlessBuildAdapter ..................................................... 26ModifyingaMakefiletoInvokeSCA............................................................... 27

AboutCommandLineBuildsinVisualStudio.NET.................................................... 27

AboutCommandLineBuildsinVisualStudio6.0 ...................................................... 27

ScanningPre‐processedC/C++Code .................................................................. 27

Chapter 6: TranslatingABAP/4...................................................................... 28

AboutTranslatingABAP/4Code ...................................................................... 28

AboutScanningABAPCode ........................................................................... 28

AboutINCLUDEProcessing....................................................................... 28

OverviewoftheProcess.............................................................................. 28

AbouttheTransportRequest......................................................................... 29

AddFortifySCAtoYourFavoritesList(Optional) ..................................................... 29

RunningtheHPFortifyABAPExtractor ............................................................... 31

Chapter 7: TranslatingRubyCode ................................................................... 33

AboutRubyCommandLineSyntax.................................................................... 33

AddingLibraries ................................................................................. 33AddingMultipleLibraryPaths ................................................................... 33AddingGemPaths ................................................................................ 33

Chapter 8: TranslatingFlex.......................................................................... 35

AbouttheCommand‐LineOptions.................................................................... 35

AboutActionScriptCommandLineSyntax ............................................................ 35

ActionScriptCommandLineExamples ................................................................ 36

AboutHandlingResolutionWarnings ................................................................. 36

AboutActionScriptWarnings ..................................................................... 36

Chapter 9: TranslatingCodeforMobilePlatforms ................................................... 37

AboutTranslatingObjective‐CCode................................................................... 37

Prerequisites..................................................................................... 37AboutObjective‐CCommandLineSyntax......................................................... 37Objective‐CCommandLineExample.............................................................. 37

Contents vii

XcodeCompilerErrors........................................................................... 37

AboutTranslatingGoogleAndroidCode .............................................................. 38

MigrationIssues ................................................................................. 38

Chapter 10: TranslatingOtherLanguages............................................................ 39

AboutCommandLineSyntaxforOtherLanguages .................................................... 39

ConfigurationConsiderations ......................................................................... 40

ConfiguringPython............................................................................... 40ConfiguringColdFusion .......................................................................... 40ConfiguringtheSQLExtension.................................................................... 41ConfiguringASP/VBScriptVirtualRoots.......................................................... 41OtherLanguageCommandLineExamples ........................................................ 42TranslatingPL/SQLExample..................................................................... 42TranslatingT‐SQLExample....................................................................... 42TranslatingPHPExample......................................................................... 43TranslatingClassicASPwrittenwithVBScriptExample........................................... 43TranslatingJavaScriptExample................................................................... 43TranslatingVBScriptFileExample ............................................................... 43

TranslatingCOBOLCode.............................................................................. 43

SupportedTechnologies .......................................................................... 43PreparingCOBOLSourceFilesforTranslation.................................................... 43AboutCOBOLCommandLineSyntax ............................................................. 44AboutAuditingCOBOLScans..................................................................... 44

Chapter 11: TroubleshootingandSupport........................................................... 45

UsingtheLogFiletoDebugProblems ................................................................. 45

AbouttheTranslationFailedMessage................................................................. 45

AboutJSPTranslationProblems...................................................................... 45

AboutASPXTranslationProblems.................................................................... 46

AboutC/C++PrecompiledHeaderFiles ............................................................... 46

AboutReportingBugsandRequestingEnhancements ................................................. 46

Appendix A: Command Line Interface. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

OutputOptions................................................................................... 48AnalysisOptions ................................................................................. 49PythonOption.................................................................................... 50ColdFusionOptions .............................................................................. 50Java/J2EEOptions................................................................................ 51.NETOptions ..................................................................................... 51BuildIntegrationOptions......................................................................... 52Directives ........................................................................................ 52RuntimeOptions................................................................................. 53OtherOptions .................................................................................... 54

SpecifyingFiles ....................................................................................... 54

Contents viii

Appendix B: Parallel Analysis Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

AboutParallelAnalysisMode ......................................................................... 55

HardwareRequirements ............................................................................. 55

ConfiguringParallelAnalysisMode................................................................... 55

RunninginParallelAnalysisMode.................................................................... 56

Appendix C: Using the sourceanalyzer Ant Task . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

AboutthesourceanalyzerAntTask................................................................... 57

UsingtheAntSourceanalyzerTask ................................................................... 57

Antproperties........................................................................................ 58

SourceanalyzerTaskOptions......................................................................... 59

Appendix D: Advanced Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

AboutFilterFiles ..................................................................................... 63

FilterFileCreationExample...................................................................... 63UsingPropertiestoControlRuntimeOptions..................................................... 65SpecifyingtheOrderofProperties ................................................................ 65

Appendix E: MSBuild Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72

AboutMSBuildIntegration ........................................................................... 72

Installation ........................................................................................... 72

SettingWindowsEnvironmentVariablesforTouchlessIntegrationofSCA............................. 72

AddingCustomTaskstoyourMSBuildProject........................................................ 73

AddingCustomTaskstoYourProject ................................................................. 74

AddingFortify.TranslateTask..................................................................... 74AddingFortify.ScanTask.......................................................................... 75AddingFortify.CleanTask......................................................................... 75AddingFortify.SSCTask........................................................................... 75AddingFortify.CloudScanTask .................................................................... 76

Appendix F: Maven Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

AbouttheMavenPlugin .............................................................................. 77

InstallingtheMavenPlugin ........................................................................... 77

UpdatingtheMavenPlugin........................................................................... 78

EditingthePluginSourceFiles.................................................................... 78TestingthePlugin ................................................................................ 79

UsingtheMavenPlugin ............................................................................... 79

ExcludingFilesfromtheScan ......................................................................... 80

UninstallingtheMavenPlugin........................................................................ 81

AdditionalDocumentation............................................................................ 81

Appendix G: Sample Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82

Contents ix

AbouttheSampleFiles ............................................................................... 82

BasicSamples .................................................................................... 82AdvancedSamples ............................................................................... 83

Appendix H: Issue Tuning. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85

AboutIssueTuning ................................................................................... 85

AboutWrapperDetection........................................................................ 85

AboutInterproceduralConstantPropagation ......................................................... 86

AboutSelectiveMapOperationTracking.......................................................... 87

Appendix I: Configuration Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88

fortify.properties ..................................................................................... 88

fortify‐sca.properties ................................................................................. 93

Chapter 1: Introduction 10

Chapter 1: IntroductionThisdocumentprovidesinstructionsforusingHPFortifyStaticCodeAnalyzer.

About the Intended AudienceThisguideisintendedforpeopleresponsibleforsecurityauditsandsecurecoding.HPFortifyStaticCodeAnalyzerprovidesasuiteofanalyzersandapplicationcomponents.Thisguideprovidesinstructionsonscanningcodeonmostofthemajorprogrammingplatforms.

About the HP Fortify Software Security Center ComponentsHPFortifyStaticCodeAnalyzeriscomponentofanHPFortifySoftwareSecurityCenterinstallation.Theinstallationconsistsofoneormoreofthefollowinganalyzers:

• HPFortifyStaticCodeAnalyzer:Analyzesyourbuildcodeaccordingtoasetofrulesspecificallytailoredtoprovidetheinformationnecessaryforthetypeofanalysisperformed.

• HPFortifyRuntimeApplicationProtection:Monitorsandprotectsdeployedapplicationsfromcommonattacks,unintendeduse,andtargetedhacking.Inaddition,bestsecuritypractices,suchasinputverificationandproperexceptionhandling,canbeconsistentlyappliedtodeployedapplications.

• HPFortifySecurityScope:Identifiesvulnerabilitiesinpre‐deploymentapplicationsduringtheQAphase,preventingexposuretosecurityflawsbeforetheyareexploited.

AnHPFortifySoftwareSecurityCenterinstallationmayalsoincludeoneormoreofthefollowingapplicationtools:

• HPFortifyAuditWorkbench:providesagraphicaluserinterfaceforHPFortifyStaticCodeAnalyzerthathelpsyouorganize,investigate,andprioritizeanalysisresultssothatsecurityflawscanbefixedquickly.

• HPFortifyPluginforEclipse:integrateswiththeEclipsedevelopmentenvironmentandaddstheabilitytoscanandanalyzetheentirecodebaseofaprojectandapplyhundredsofsoftwaresecurityrulesthatidentifythevulnerabilitiesinyourJavacode.TheresultsaredisplayedwithintheIDE,alongwithdescriptionsofeachofthesecurityissuesandsuggestionsfortheirelimination.

• HPFortifyEclipseRemediationPlug‐in:integrateswiththeEclipsedevelopmentenvironment.TheEclipseRemediationPlug‐inisalightweightplug‐inoptionfordeveloperswhoneedremediationfunctionalitybutdonotneedthescanningandauditingcapabilitiesofAuditWorkbenchorthefullEclipsePlugin.

• HPFortifyPackageforMicrosoftVisualStudio:integrateswithVisualStudioPremiumandVisualStudioProfessionaltolocatesecurityvulnerabilitiesinyoursolutionsandpackagesanddisplaysthescanresultsinVisualStudio.Theresultsincludealistofissuesuncovered,descriptionsofthetypeofvulnerabilityeachissuerepresents,andsuggestionsonhowtofixthem.

• HPFortifyRemediationPackageforVisualStudio:integrateswithMicrosoftVisualStudioPremiumandVisualStudioProfessionalintegrateddevelopmentenvironments(IDEs).TheHPFortifyRemediationPackageforVisualStudioisalightweightplug‐inoptionfordeveloperswhoneedremediationfunctionalitybutdonotneedthescanningandauditingcapabilitiesofAuditWorkbenchorthefullVisualStudiopackage.

• HPFortifyExtensionforJDeveloper:integrateswiththeJDeveloperintegrateddevelopmentenvironment(IDE)andaddstheabilitytoscanandanalyzetheentirecodebaseofaprojectandapplyhundredsofsoftwaresecurityrulesthatidentifythevulnerabilitiesinyourcode.

• HPFortifyRemediationPluginforIntelliJ:integrateswiththeIntelliJIntegratedDevelopmentEnvironment(IDE)andaddstheabilitytoscanandanalyzetheentirecodebaseofaprojectandapplyhundredsofsoftwaresecurityrulesthatidentifythevulnerabilitiesinyourcode.

Chapter 1: Introduction 11

Related DocumentsThefollowingdocumentsprovideadditionalinformationaboutHPFortifyStaticCodeAnalyzer:

• HPFortifyStaticCodeAnalyzerPerformanceGuide

TheHPFortifyStaticCodeAnalyzerPerformanceGuideprovidesguidanceonselectingthehardwarerequiredforscanningspecificcodebases,optimizingmemoryusage,andimprovingperformance.

• HPFortifyStaticCodeAnalyzerUserGuide

Thisdocumentprovidesinstructionsonusingtheanalyzerstoidentifyvulnerabilitiesinyourcode.

• HPFortifyStaticCodeAnalyzerUtilitiesUserGuide

Thisdocumentprovidesinformationonthecommand‐linetoolsthatprovideadditionalmanagementandaccesstothefunctionsprovidedbySCA.

• HPFortifyStaticCodeAnalyzerPerformanceGuide

Thisdocumentdescribestheissuesinvolvedwhentryingtoselecthardwaretoscancertaincodebases,providesguidelinesformakingthosedecisionsandofferstipsforoptimizingmemoryusageandperformance.

Chapter 2: HP Fortify Static Code Analyzer 12

Chapter 2: HP Fortify Static Code Analyzer Thischaptercoversthefollowingtopics:

• AboutHPFortifyStaticCodeAnalyzer

• AboutAnalyzers

• AbouttheAnalysisProcess

About HP Fortify Static Code AnalyzerHPFortifyStaticCodeAnalyzer(SCA)isasetofsoftwaresecurityanalyzersthatsearchforviolationsofsecurity‐specificcodingrulesandguidelinesinavarietyoflanguages.TherichdataprovidedbySCAlanguagetechnologyenablestheanalyzerstopinpointandprioritizeviolationssothatfixescanbefastandaccurate.TheanalysisinformationproducedbySCAhelpsyoudelivermoresecuresoftware,aswellasmakingsecuritycodereviewsmoreefficient,consistent,andcomplete.Thisisespeciallyadvantageouswhenlargecodebasesareinvolved.ThemodulararchitectureofSCAallowsyoutoquicklyuploadnewthird‐partyandcustomer‐specificsecurityrules.

Atthehighestlevel,usingSCAinvolves:

1. ChoosingtorunSCAasastand‐aloneprocessorintegratingSCAaspartofthebuildtool

2. Translatingthesourcecodeintoanintermediatetranslatedformat

3. Scanningthetranslatedcodeandproducingsecurityvulnerabilityreports

4. Auditingtheresultsofthescan,eitherbytransferringtheresultingFPRfiletoHPFortifyAuditWorkbenchorHPFortifySoftwareSecurityCenterforanalysis,ordirectlywiththeresultsdisplayedonscreen

Note:ForinformationontransferringresultstoHPFortifyAuditWorkbenchandcreatingcustomer‐specificsecurityrules,seetheHPFortifyAuditWorkbenchUser’sGuide.

About Parallel AnalysisBeginningwithversion4.00,SCAsupportsparallelprocessingforlargeprojects.Ifyourprojectscantakeslongerthananhourortwotocomplete,youcandramaticallydecreasethetimenecessarytocompletethescanbyenablingparallelprocessing.ParallelprocessingallowsyoutotakeadvantageofmultipleCPUsandcoreswithinasinglemachineandautomaticmemorytuning.

Forinformationonenablingparallelanalysisforyourprojects,seeAppendixB:ParallelAnalysisMode.

About AnalyzersSCAcomprisessixdistinctanalyzers:Dataflow,Controlflow,Semantic,Structural,Configuration,andBuffer.Eachanalyzeracceptsadifferenttypeofrulespecificallytailoredtoprovidetheinformationnecessaryforthecorrespondingtypeofanalysisperformed.Rulesaredefinitionsthatidentifyelementsinthesourcecodethatmayresultinsecurityvulnerabilitiesorareotherwiseunsafe.

Rulesareorganizedaccordingtotheanalyzerthatusesthem,resultinginrulesthatarespecifictotheDataflow,Controlflow,Semantic,Structural,andConfigurationanalyzers.Theserulecategoriesarefurtherdividedtoreflectthecategoryoftheissueortypeofinformationrepresentedbytherule.

TheinstallationprocessdownloadsandupdatesthesetofrulesusedbySCAonyoursystem.HPupdatesthespecificrulescontainedwithintheHPFortifySecureCodingRulepacksonaregularbasis.TheCustomerPortaloffersupdatedRulepacks.


ThefollowingtablelistsanddescribeseachSCAanalyzer.

Table 1: HP Fortify Static Code Analyzer

Analyzer Description

Dataflow TheDataflowAnalyzerdetectspotentialvulnerabilitiesthatinvolvetainteddata(user‐controlledinput)puttopotentiallydangeroususe.TheDataflowAnalyzerusesglobal,inter‐proceduraltaintpropagationanalysistodetecttheflowofdatabetweenasource(siteofuserinput)andasink(dangerousfunctioncalloroperation).Forexample,theDataflowAnalyzerdetectswhetherauser‐controlledinputstringofunboundedlengthisbeingcopiedintoastaticallysizedbuffer,anddetectswhetherausercontrolledstringisbeingusedtoconstructSQLquerytext.

Controlflow TheControlflowAnalyzerdetectspotentiallydangeroussequencesofoperations.Byanalyzingcontrolflowpathsinaprogram,theControlflowAnalyzerdetermineswhetherasetofoperationsareexecutedinacertainorder.Forexample,theControlflowAnalyzerdetectstimeofcheck/timeofuseissuesanduninitializedvariables,andcheckswhetherutilities,suchasXMLreaders,areconfiguredproperlybeforebeingused.

Semantic TheSemanticAnalyzerdetectspotentiallydangeroususesoffunctionsandAPIsattheintra‐procedurallevel.Itsspecializedlogicsearchesforbufferoverflow,formatstring,andexecutionpathissues,butisnotlimitedtothesecategories.AcalltoanypotentiallydangerousfunctioncanbeflaggedbytheSemanticAnalyzer.Forexample,theSemanticAnalyzerdetectsdeprecatedfunctionsinJavaandunsafefunctionsinC/C++,suchasgets().

Structural TheStructuralAnalyzerdetectspotentiallydangerousflawsinthestructureordefinitionoftheprogram.Byunderstandingthewayprogramsarestructured,theStructuralAnalyzeridentifiesviolationsofsecureprogrammingpracticesandtechniquesthatareoftendifficulttodetectthroughinspectionbecausetheyencompassawidescopeinvolvingboththedeclarationanduseofvariablesandfunctions.Forexample,theStructuralAnalyzerdetectsassignmenttomembervariablesinJavaservlets,identifiestheuseofloggersthatarenotdeclaredstaticfinal,andflagsinstancesofdeadcodethatwillneverbeexecutedbecauseofapredicatethatisalwaysfalse.

Configuration TheConfigurationAnalyzersearchesformistakes,weaknesses,andpolicyviolationsinanapplication'sdeploymentconfigurationfiles.Forexample,theConfigurationAnalyzerchecksforreasonabletimeoutsinusersessionsinawebapplication.

Buffer TheBufferAnalyzerdetectsbufferoverflowvulnerabilitiesthatinvolvewritingorreadingmoredatathanabuffercanhold.Thebuffercanbeeitherstack‐allocatedorheap‐allocated.TheBufferAnalyzeruseslimitedinter‐proceduralanalysistodeterminewhetherornotthereisaconditionthatcausesthebuffertooverflow.Ifallexecutionpathstoabufferleadtoabufferoverflow,SCAreportsitasbufferoverflowvulnerabilityandpointsoutthevariablesthatcouldcausetheoverflow.Ifsome,butnotall,executionpathstoabufferleadtoabufferoverflowandthevalueofthevariablecausingthebufferoverflowistainted(user‐controlled),thenSCAwillreportitaswellanddisplaythedataflowtracetoshowhowthevariableistainted.


About the Analysis ProcessTherearefourdistinctstagesthatmakeuptheSCAsourcecodeanalysisprocess:

• BuildIntegration:ThefirststageintheprocessinvolvesdecidingwhethertointegrateSCAintothebuildcompilersystem.

• Translation:Next,sourcecodeisgatheredusingaseriesofcommandsandthenitistranslatedintoanintermediateformatassociatedwithabuildID.ThebuildIDisusuallythenameoftheprojectbeingscanned.

• Analysis:Sourcefilesidentifiedduringthetranslationphasearescannedandananalysisresultsfile,typicallyintheHPFortifyproject(FPR)format,isgenerated.FPRfilesareindicatedbythe.fprfileextension.

• Verificationofthetranslationandanalysis:EnsurethatthesourcefileswerescannedusingthecorrectRulepacksandthatnosignificanterrorswerereported.

About Analysis CommandsThefollowingisanexampleofthesequenceofcommandsyouusetoanalyzecode:

sourceanalyzer -b <build_id> -cleansourceanalyzer -b <build_id> ...sourceanalyzer -b <build_id> -scan -f results.fpr

Toanalyzemorethanonebuildatatime,addtheadditionalbuildsasparameters:

sourceanalyzer -b <build_id1> -b <build_id2> -b <build_id3> -scan -f results.fpr

About Memory ConsiderationsWhenrunningSCA,theamountofphysicalRAMrequiredisdependentonanumberoffactors.Thesefactors,whichincludethesizeandcomplexityofthesourcefile,makeitimpossibletoquantifyandprovideguidance‐‐eachcustomersituationisunique.Ifyoudoencounteralowmemoryerror,increasingtheamountofmemoryavailabletoSCAmayresolvetheproblem.

Bydefault,SCAusesupto600MBofmemory.Ifthisisnotsufficienttoanalyzeaparticularcodebase,youmighthavetoprovidemorememoryinthescanphase.Thiscanbedonebypassingthe-Xmx optiontothesourceanalyzercommand.

Forexample,tomake1000MBavailabletoSCA,includetheoption -Xmx1000M.

YoucanalsousetheSCA_VM_OPTS environmentvariabletosetthememoryallocation.

Note:DonotallocatemorememoryforSCAthanthemachinehasavailable,becausethiswilldegradeperformance.Asaguideline,assumingthatnoothermemory‐intensiveprocessesarerunning,donotallocatemorethan2/3oftheavailablephysicalmemory.

About the Translation PhaseThebasiccommandlinesyntaxforperformingthefirstanalysisphase,translatingthefiles,is:

sourceanalyzer -b <build_id> ...

ThetranslationphaseconsistsofoneormoreinvocationsofSCAusingthesourceanalyzercommand.AbuildID(-b <build_id>)isusedtotietogethertheinvocations.

SubsequentinvocationsofsourceanalyzeraddanynewlyspecifiedsourceorconfigurationfilestothefilelistassociatedwiththebuildID.

Attheendoftranslation,youcanuse-show-build-warningstolistallwarningsanderrorsthatwereencounteredduringthetranslationprocess:

sourceanalyzer -b <build_id> -show-build-warnings


ToviewallofthefilesassociatedwithaparticularbuildID,usethe-show-filesdirective:

sourceanalyzer -b <build_id> -show-files

Thefollowingchaptersdescribehowtotranslatedifferenttypesofsourcecode:

• TranslatingJavaCode

• Translating.NETSourceCode

• TranslatingC/C++Code

• TranslatingABAP/4

• TranslatingRuby

• TranslatingFlex

• TranslatingCodeforMobilePlatforms

• TranslatingOtherLanguages

About SCA Mobile Build Sessions

AnSCAmobilebuildsessionallowsaprojecttobetranslatedononemachineandanalyzedonanother.WhenyoucreateanSCAmobilebuildsession,a.mbsfilethatincludesthefilesneededfortheanalysisphaseiscreatedinthebuildsessiondirectory.The.mbsfileisthenmovedtoadifferentmachineforanalysis.

Creating a Mobile Build Session

Onthemachinewherethetranslationwasdone,issuethefollowingcommandtogenerateanSCAmobilebuildsession:

sourceanalyzer -b <build_id> -export-build-session <file.mbs>

where<file.mbs>isthefilenameyouassignfortheSCAmobilebuildsession.

Importing a Mobile Build Session

Onceyou’vemovedthe.mbsfiletothemachinewhereyouwanttoruntheanalysis,issuethefollowingcommand:

sourceanalyzer -import-build-session <file.mbs>

where<file.mbs>istheSCAmobilebuildsession.

OnceyouhaveimportedyourSCAmobilebuildsession,youarereadytomoveontotheanalysisphase.

About the Analysis PhaseThistopicdescribesthesyntaxfortheanalysisphase:scanningtheintermediatefilescreatedduringthetranslationandcreatingtheanalysisresultsfile.Thephaseconsistsofoneinvocationofsourceanalyzer.YouspecifythebuildIDandincludethe-scandirectiveandanyrequiredanalysisoroutputoptions.

Note:Bydefault,SCAincludesthesourcecodeintheFPR.

Thebasiccommandlinesyntaxfortheanalysisphaseis:

sourceanalyzer -b <build_id> -scan -f results.fpr

Torunananalysismorethanonebuildatatime,addtheadditionalbuildstothecommandline:

sourceanalyzer - b <build_id1> -b <build_id2> -b <build_id3> -scan -f results.fpr


Torunasilentanalysisonmorethanonebuildatatime,addtheadditionalbuildstothecommandline:

sourceanalyzer -b <build-id1> -b <build-id2> -b <build-id3> -auth-silent -scan -f results.fpr

About Verification of the Translation and Analysis PhaseTheResultCertificationfeatureofAuditWorkbenchverifiesthattheanalysisiscomplete.ResultcertificationshowsspecificinformationaboutthecodescannedbySCA,including:

• Listoffilesscanned,withfilesizesandtimestamps

• JavaCLASSPATHusedforthetranslation

• ListofRulepacksusedfortheanalysis

• ListofSCAruntimesettingsandcommandlinearguments

• Listoferrorsorwarningsencounteredduringtranslationoranalysis

• Machine/platforminformation

Toviewresultcertificationinformation,opentheFPRfileinAuditWorkbenchandselectTools‐ProjectSummary‐Certification.

About the HP Fortify Scan WizardHPFortifyScanWizardisautilitythatallowsyoutoquicklyandeasilyprepareandscanprojectcodeusingSCA.TheScanWizardallowsyoutorunyourscanslocally,or,ifyouareusingHPFortifyCloudScan,inacloudofcomputersprovisionedfortakingcareoftheprocessor‐intensivescanningphaseoftheanalysis.Formoreinformation,seeAppendixG:HPFortifyScanWizardonpage82.

About HP Fortify CloudScanWithHPFortifyCloudScan(CloudScan),usersofHPFortifyStaticCodeAnalyzercanbettermanagetheirresourcesbyoffloadingtheprocessor‐intensivescanningphaseoftheanalysisfromtheirbuildmachinestoacloudofmachinesprovisionedforthispurpose.

Afterthetranslationphaseiscompletedonthebuildmachine,anSCAmobilebuildsessionisgeneratedandCloudScanmovesittoanavailablemachineforscanning.Inadditiontofreeingupthebuildmachines,thisprocessmakesiteasytogrowthesystembyaddingmoreresourcestothecloudasneeded,withouthavingtointerruptyourbuildprocess.

Inaddition,usersofSoftwareSecurityCentercandirectCloudScantooutputtheFPRfiledirectlytotheserver.

FormoreinformationonHPFortifyCloudScan,seetheHPFortifyCloudScanInstallation,Configuration,andUsageGuide.

Chapter 3: Translating Java Code 17

Chapter 3: Translating Java CodeThischaptercoversthefollowingtopics:

• AboutJavaCommandLineSyntax

• AboutJavaCommandLineExamples

• IntegratingwithAntusingtheHPFortifyAntCompilerAdapter

• HandlingResolutionWarnings

• UsingFindBugs

• TranslatingJ2EEApplications

• TranslatingJavaByteCode

About Java Command Line SyntaxThebasiccommandlinesyntaxforJavais:

sourceanalyzer -b <build_id> -cp <classpath> <file_list>

WithJavacode,SCAcaneitheremulatethecompiler,whichmaybeconvenientforbuildintegration,oracceptsourcefilesdirectly,whichismoreconvenientforcommandlinescans.

Note:Foradescriptionofalltheoptionsyoucanusewiththesourceanalyzercommand,seeCommandLineInterfaceonpage48.

TotellSCAtoemulatethecompiler,enter:

sourceanalyzer -b <build_id> javac [<translation options>]

TopassfilesdirectlytoSCA,enter:

sourceanalyzer -b <build_id> -cp <classpath> [<translation options>] <files>|<file specifiers>

where:

<translation options>

areoptionspassedtothecompiler.

-cp <classpath>

specifiestheCLASSPATHtobeusedfortheJavasourcecode.ACLASSPATHisalistofbuilddirectoriesandjarfiles.Theformatisthesameasexpectedbyjavac(colonorsemicolon‐separatedlistofpaths).YoucanuseSCAfilespecifiers.

-cp "build/classes:lib/*.jar"

Note:Ifyoudonotspecifytheclasspathwiththisoption,theCLASSPATHenvironmentvariableisused.

Formoreinformation,seeJava/J2EEOptionsonpage51.Forinformationaboutfilespecifiers,seeSpecifyingFilesonpage54.

About Java Command Line ExamplesTotranslateasinglefilenamedMyServlet.javawithj2ee.jarontheCLASSPATH,enter:

sourceanalyzer -b MyServlet -cp lib/j2ee.jar MyServlet.java

Totranslateall.java filesinthesrcdirectoryusingalljarfilesinthelibdirectoryasaCLASSPATH:

sourceanalyzer -b MyProject -cp "lib/*.jar" "src/**/*.java"


TotranslateandcompiletheMyCode.javafilewhileusingthejavaccompiler:

sourceanalyzer -b mybuild javac -classpath libs.jar MyCode.java

Integrating with Ant using the HP Fortify Ant Compiler AdapterSCAprovidesanAntCompilerAdapterthatyoucanuseasaneasywaytotranslateJavasourcefilesifyourprojectusesanAntbuildfile.ThisintegrationrequiressettingonlytwoAntproperties,andcanbedoneonthecommandlinewithoutmodifyingtheAntbuild.xmlfile.Whenthebuildruns,SCAinterceptsalljavactaskinvocationsandtranslatestheJavasourcefilesastheyarecompiled.NotethatanyJSPfiles,configurationfiles,oranyothernon‐Javasourcefilesthatarepartoftheapplicationneedtobetranslatedinaseparatestep.

ThefollowingstepsmustbetakentousetheCompilerAdapter:

• ThesourceanalyzerexecutablemustbeonthesystemPATH.

• sourceanalyzer.jar(locatedinCore/lib)mustbeonAnt'sclasspath.

• Thebuild.compilerpropertymustbesettocom.fortify.dev.ant.SCACompiler.

• Thesourceanalyzer.buildidpropertymustbesettothebuildID.

ThefollowingexamplesshowhowtorunanAntbuildusingtheCompilerAdapterwithoutmodifyingthebuildfile:

ant -Dbuild.compiler=com.fortify.dev.ant.SCACompiler -Dsourceanalyzer.buildid=MyBuild -lib <install_dir>/Core/lib/sourceanalyzer.jar

The-liboptionisonlyavailableinAntversion1.6orhigher.InolderversionsyoumustsettheCLASSPATHenvironmentvariableorcopysourceanalyzer.jartoAnt'slibdirectory.

Alternatively,withAnt1.6ornewer,thefollowingshorthandcanbeusedtorunAntwiththecompileradapter:

sourceanalyzer -b <build-id> ant [ant-options]

Bydefault,600MBofmemoryisallocatedtoSCAfortranslation.IncreasethememoryallocationwhenusingtheAntCompilerAdapterusingthe -Dsourceanalyzer.maxHeapoptionasfollows:

ant -Dbuild.compiler=com.fortify.dev.ant.SCACompiler -Dsourceanalyzer.buildid=MyBuild -lib <install_directory>/Core/lib/sourceanalyzer.jar -Dsourceanalyzer.maxHeap=1000M

Handling Resolution WarningsToseeallwarningsthatweregeneratedduringyourbuild,enterthefollowingcommandbeforeyoustartthescanphase:



Java WarningsYoumayseethefollowingwarningsforJava:

Unable to resolve type...

Unable to resolve function...

Unable to resolve field...

Unable to locate import...

Unable to resolve symbol...

Multiple definitions found for function...

Multiple definitions found for class...

Thesewarningsaretypicallycausedbymissingresources.Forexample,someofthe.jarandclassfilesrequiredtobuildtheapplicationhavenotbeenspecified.Toresolvethewarnings,makesurethatyouhaveincludedalloftherequiredfilesthatyourapplicationuses.

Using FindBugsFindBugs(http://findbugs.sourceforge.net)isastaticanalysistoolthatdetectsqualityissuesinJavacode.YoucanrunFindBugswithSCAandtheresultswillbeintegratedintotheanalysisresultsfile.UnlikeSCA,whichrunsonJavasourcefiles,FindBugsrunsonJavabytecode.Therefore,beforerunningananalysisonyourproject,youshouldfirstcompiletheprojectandproducetheclassfiles.

TodemonstratehowtorunFindBugsautomaticallywithSCA,compilethesamplecode, Warning.java,asfollows:

1. Gotothefollowingdirectory:

<install_directory>/Samples/advanced/findbugs

2. Enterthefollowingcommandtocompilethesample:

mkdir build

javac -d build Warning.java

3. ScanthesamplewithFindBugsandSCAasfollows:

sourceanalyzer -b findbugs_sample -java-build-dir build Warning.java

sourceanalyzer -b findbugs_sample -scan -findbugs -f findbugs_sample.fpr

4. ExaminetheanalysisresultsinAuditWorkbench:

auditworkbench findbugs_sample.fpr

Theoutputcontainsthefollowingissuecategories:

• BadcastsofObjectReferences(1)

• Deadlocalstore(2)

• Equalobjectsmusthaveequalhashcodes(1)

• Objectmodelviolation(1)

• Unwrittenfield(2)

• Uselessself‐assignment(2)

IfyougroupbyAnalyzer,youcanseethattheSCAStructuralAnalyzerproducedoneissueandFindBugsproducedeight.TheObject model violationissueproducedbySCAonline25issimilartotheEqual objects must have equal hash codesissueproducedbyFindBugs.Inaddition,FindBugsproducestwosetsofissues(Useless self-assignmentandDead local store)aboutthesamevulnerabilitiesonlines6and7.Toavoidoverlappingresults,applythefilter.txtfilterfilebyusingthe-filter optionduringthe


scan.Notethatthefilteringisnotcompletebecauseeachtoolfiltersatadifferentlevelofgranularity.Todemonstratehowtoavoidoverlappingresults,scanthesamplecodeusingfilter.txtasfollows:

sourceanalyzer -b findbugs_sample -scan -findbugs -filter filter.txt -f findbugs_sample.fpr

Translating J2EE ApplicationsTranslatingJ2EEapplicationsinvolvesprocessingJavasourcefilesandJ2EEcomponentssuchasJSPfiles,deploymentdescriptors,andconfigurationfiles.WhileyoucanprocessallthepertinentfilesinaJ2EEapplicationusingasingle‐stepprocess,yourprojectmayrequirethatyoubreaktheprocedureintoitscomponentsforintegrationinabuildprocessortomeettheneedsofvariousstakeholderswithinyourorganization.Thefollowingsectionsprovideinformationoneachcomponent,followedbyanall‐in‐oneprocess.

Prerequisite for Translating Code Using Legacy Versions of the J2EE SDKIfyouaretranslatingcodedevelopedusingaversionoftheJ2EESDKearlierthan1.5,youwillneedtoaddthefollowinglistoffilestotheCLASSPATH:

commons-logging.jarj2ee.jarjasper2_jasper-runtime.jarxercesImpl-2.0.2.jar

andthefollowingJSPtaglibrariesmayalsoberequired:

commons-validator.jarjsp-api.jarjstl.jarlog4j-1.2.9.jarsaxpath.jarstandard.jarstruts.jarstruts-el.jar

Ifyouwant,youcanputtheJSPtaglibraryfilesinasubdirectorynamedjsp_tag_lib,butitisnotrequired.

AddthefilesusingtheCLASSPATHoption(-cp),orbyaddingthefilestothe<Fortify_Home>/Core/default_jarsdirectory.

Note:InpreviousversionsofSCAtheJARSlistedabovewereincludedinthe<SCA>/Core/default_jarsdirectory.Beginningwithversion4.10,thefilesarenolongerincluded.

ToidentifyadirectoryordirectorieswhereSCAshouldlookforfileseachtimeyourunascan,youcansetthecom.fortify.sca.DefaultJarsDirsparameterinthefortify-sca-quickscan.propertiesfile.Formoreinformation,seethe“fortify‐sca‐quickscan.propertiesConfigurationOptions”sectionintheHPFortifyStaticCodeAnalyzerInstallationandConfigurationguide.

Translating the Java FilesEarlierinthischapterweprovidedthecommandlineinstructionsfortranslatingJavafiles.WhentranslatingJ2EEapplications,usethesameprocedurefortranslatingtheJavafileswithintheapplication.

Forexamples,seeAboutJavaCommandLineExamplesonpage17.

Translating JSP Projects, Configuration Files, and Deployment DescriptorsInadditiontotranslatingtheJavafilesinyourJ2EEapplication,youmayalsoneedtotranslateJSPfiles,configurationfiles,anddeploymentdescriptors.YoucanscanJSPfilescreatedwithversion2.0andabove.


YourJSPfilesmustbepartofaWebApplicationArchive(WAR).IfyoursourcedirectoryisalreadyorganizedinaWARlayout,youcantranslatetheJSPfilesdirectlyfromthesourcedirectory.Ifthisisnotthecase,youmayneedtodeployyourapplicationandtranslatetheJSPfilesfromthedeploymentdirectory.

Forexample:

sourceanalyzer -b <build_id> \**\*.jsp \**\*.xml

where\**\*.jspreferstothelocationofyour*.jspprojectfilesand\**\*.xmlreferstothelocationofyourconfigurationanddeploymentdescriptorfiles.

Translating Java ByteCodeInadditiontotranslatingsourcecode,youcantranslatetheBytecodeinyourproject.InordertoincludeByteCode,addthefollowingpropertiestothefortify-sca.propertiesfile:

com.fortify.sca.fileextensions.class=BYTECODE

com.fortify.sca.fileextensions.jar=ARCHIVE

J2EE WarningsYoumayseethefollowingwarningsforJ2EEapplications:

Could not locate the root (WEB-INF) of the web application. Please build your web application and try again. Failed to parse the following jsp files:

<list of .jsp file names>

ThiswarningdisplaysbecauseyourWebapplicationisnotdeployedinthestandardWARdirectoryformatordoesnotcontainthefullsetofrequiredlibraries.Toresolvethewarning,ensurethatyourwebapplicationisinanexplodedWARdirectoryformatwiththecorrectWEB-INF/libandWEB-INF/classesdirectoriescontainingallofthe.jarand.classfilesrequiredforyourapplication.YoushouldalsoverifythatyouhavealloftheTLDfilesforallofthetagsthatyouhaveandthecorresponding.jarfileswiththeirtagimplementations.

Chapter 4: Translating .NET Source Code 22

Chapter 4: Translating .NET Source CodeThechaptercoversthefollowingtopics:

• AbouttheVisualStudioCommandPrompt

• AboutVisualStudio.NET

• TranslatingSimple.NETApplications

• TranslatingASP.NET1.1(VisualStudioVersion2003)Projects

• HandlingResolutionWarnings

ThischapterdescribeshowtouseSCAtotranslateMicrosoftVisualStudio.NETandASP.NETapplicationsbuiltwith:

• .NETVersions1.1and2.0

• VisualStudio.NETversion2003







SCAworksontheCommonIntermediateLanguage(CIL),andthereforesupportsallofthe.NETlanguagesthatcompiletoCIL,includingC#andVB.NET.

Note:Theeasiestwaytoanalyzea.NETapplicationistousetheHPFortifyPackageforMicrosoftVisualStudio,whichautomatestheprocessofgatheringinformationabouttheproject.

About the Visual Studio Command PromptVisualStudio2005andhigherincludetheVisualStudioCommandPrompt.TheVisualStudioCommandPromptislocatedintheVisualStudioToolsdirectoryofyourVisualStudioinstallation.Youshouldusethiscommandpromptintheinstructionsthatfollow.

About Visual Studio .NETIfyouperformcommandlinebuildswithVisualStudio.NET,youcaneasilyintegratestaticanalysisbywrappingthebuildcommandlinewithaninvocationofsourceanalyzer.Forthistowork,youmusthavetheSecureCodingPackageforyourversionofVisualStudioinstalled.

ThefollowingexampledemonstratesthecommandlinesyntaxforVisualStudio.NET:

sourceanalyzer -b my_buildid devenv Sample1.sln /REBUILD debug

ThisperformsthetranslationphaseonallfilesbuiltbyVisualStudio.Besuretodoacleanorarebuildsothatallfilesareincluded.Youcanthenperformtheanalysisphase,asinthefollowingexample:

sourceanalyzer -b my_buildid -scan -f results.fpr

Note:IfyourclassicASP/VBScriptapplicationusesvirtualincludes,forexample,

<!--include virtual=”/myweb/foo.inc”>

thenyoushouldspecifythephysicallocationofthemywebapplicationbypassingthefollowingpropertyvalue:

com.fortify.sca.ASPVirtualRoots=<semicoloon separated list of full paths to virtual roots used>

Forexample,iftheIISvirtualroot/mywebislocatedatC:\webapps\myweb-folder,thenyourpropertyvalueshouldbe:

-Dcom.fortify.sca.ASPVirtualRoots=c:\webapps\myweb-folder

Ifyouaddthislinetothefortify‐sca.propertiesfile,youmustescapethe\character,asinthefollowing:

com.fortify.sca.ASPVirtualRoots=c:\\webapps\\myweb-folder

Translating Simple .NET ApplicationsYoucanalsouseSCAcommandlineinterfaceforprocessing.NETapplications.

Prepareyourapplicationforanalysisusingoneofthefollowingmethods:

• Performacompleterebuildofyourprojectwiththe“debug”configurationenabled.CompilingyourprojectwithdebugenabledprovidesinformationthatSCAusesforpresentingtheresults.

• Obtainallofthethird‐partydllfiles,projectoutputdllfiles,andcorrespondingpdbfilesforyourprojects.NotethatSCAignoresanydllfilepassedasaninputargumentifthecorrespondingpdbfiledoesnotexistinthesamefolder.Itisthereforeimperativethatyouincludeallofthepdbfilesforallyourprojectdllfiles.

Note:pdbfilesarenotrequiredforthird‐partylibraries.

RunSCAtoanalyzethe.NETapplicationfromthecommandlineasfollows:

• ForVisualStudio.NETVersion2010,enter:

sourceanalyzer -vsversion 10.0 -b MyBuild -libdirs ProjOne/Lib;ProjTwo/Lib ProjOne/bin/Debug ProjTwo/bin/Debug

where:

• MyBuildisthebuildidentifier

• ProjOne/Lib;ProjTwo/Libisasemicolon‐separatedlistofpathstofoldersorDLLswiththird‐partyDLLs

• ProjOne/bin/Debug ProjTwo/bin/Debugaretheoutputfolders

• Usethefollowingversionnumberswiththe-vsversionparameter:

Table 2: Visual Studio .NET version numbers

Visual Studio .NET Release Version

VisualStudio.NET2003 7.1


Note:Standard.NETDLLsusedinyourprojectareautomaticallypickedupbySCA,soyoudonotneedtoincludetheminthecommandline.

Ifyourprojectislarge,youcanperformthetranslationphaseseparatelyforeachoutputfolderusingthesamebuildID,asfollows:

sourceanalyzer -vsversion <version_number> -b <build_id> -libdirs <paths> <folder_1> ...sourceanalyzer -vsversion <version_number> -b <build_id> -libdirs <paths> <folder_n>

where:

• <version_number>iseither7.1,8.0,9.0,10.0,11.0,12.0or14.0hoo

• <build_id> isthebuildID

• <paths>isasemicolon‐separatedlistofpathstofoldersorDLLswiththird‐partyDLLs

• <folder_1>and<folder_n>aretheoutputfolders

Note:SCArequirestheappropriateversionofVisualStudiounlessyouareusingMSBuild.ForinformationofusingSCAwithMSBuild,seeAppendixE:MSBuildIntegrationonpage72.

Translating ASP.NET 1.1 (Visual Studio Version 2003) ProjectsAsdiscussedpreviously,SCAworksonCILgeneratedbythe.NETcompilers.ForASP.NETprojects,webcomponentssuchasaspxfilesneedtobecompiledbeforetheycanbeanalyzed.However,thereisnostandardcompilerforaspxfiles.The.NET1.1runtimeautomaticallycompilesthemwhentheyareaccessedfromabrowser.

Tofacilitatetheaspxcompilationphase,HPFortifySoftwareprovidesasimpletoolthatcompilesalloftheaspxfilesinyourproject.ThetoolislocatedintheHPFortifyinstallationdirectoryat:

\Tools\fortify_aspnet_compiler\fortify_aspnet_compiler.exe

ToanalyzeASP.NET1.1solutions:

1. Performacompleterebuildofthesolution.

2. Foreachofthewebprojectsinthesolution,deletethefollowingfolder:

%SYSTEMROOT%\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\<web_application_name>

3. Foreachofthewebprojectsinthesolution,runthefollowingcommand:

fortify_aspnet_compiler <url_to_the_web_site> <source_root_of_the_web_project>

where:

<url_to_the_web_site> is the URL for your website, such as http://localhost/WebApp

<source_root_of_the_web_project>isthesourcelocationofyourwebproject,suchas<VS_project_location>\WebApp

4. PerformthetranslationphasefortheDLLsbuiltinStep1.EnterthefollowingcommandusingthesamebuildIDasinthefollowingsteps:

sourceanalyzer -b <build_id> "<VS_project_location>\**\*.dll"

5. Performthetranslationphaseforthewebcomponents.Foreachofthewebprojectsinthesolution,enterthefollowingwhenyouinvokesourceanalyzer:

sourceanalyzer -b <build_id> %SYSTEMROOT%\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\<web_application_name>


6. IncludetheconfigurationfilesandanyMicrosoftT‐SQLsourcefilesthatyouhave:

sourceanalyzer -b <build_id> "<solution_root>\**\*.config" <"t-sql_src>\**\*.sql">

Note:ThesestepsareallautomatedifyouusetheHPFortifyPackageforMicrosoftVisualStudio.

Handling Resolution WarningsToseeallwarningsthatweregeneratedduringyourbuild,enterthefollowingcommandbeforeyoustartthescanphase:


About .NET WarningsYoumayseethefollowingwarningsfor.NET:

Cannot locate class... in the given search path and the Microsoft .NET Framework libraries.

Thesewarningsaretypicallycausedbymissingresources.Forexample,someofthe.DLLfilesrequiredtobuildtheapplicationhavenotbeenspecified.Toresolvethewarnings,makesurethatyouhaveincludedalloftherequiredfilesthatyourapplicationuses.Ifyoustillseeawarningandtheclassesitlistsareemptyinterfaceswithnomembers,youcanignorethewarning.Iftheinterfaceisnotempty,contactTechnicalSupport.

About ASP.NET WarningsYoumayseethefollowingwarningsforASP.NETapplications:

Failed to parse the following aspx files:

<list of .aspx file names>

Thiswarningdisplaysbecauseyourwebapplicationisnotdeployedcorrectlyordoesnotcontainthefullsetofrequiredlibraries,oritusestheGlobalAccessCache(GAC).Ifyourapplicationisa.NETversion1.1application,youmayalsohaveaccessissuesfromMicrosoftIIS.Verifythatyoucanaccesstheapplicationfromabrowserwithoutauthenticationoraccesserrors.IfyourwebapplicationusestheGAC,youmustaddtheDLLfilestotheprojectseparatelytoensureasuccessfulscan.SCAdoesnotloadDLLfilesfromtheGAC.

Chapter 5: Translating C/C++ Code 26

Chapter 5: Translating C/C++ CodeThischaptercoversthefollowingtopics:

• AboutCandC++CommandLineSyntax

• CandC++CommandLineExamples

• AboutIntegratingwithMake

• AboutCommandLineBuildsinVisualStudio.NET

• AboutCommandLineBuildsinVisualStudio.NET

• AboutCommandLineBuildsinVisualStudio6.0

About C and C++ Command Line SyntaxThebasiccommandlinesyntaxfortranslatingasinglefileis:

sourceanalyzer -b <build_id> <compiler> [<compiler options>]

where:

<compiler> isthenameofthecompileryouwanttouseduringaprojectbuildscan,suchasgccorcl.

<compiler options> areoptionspassedtothecompilerthataretypicallyusedtocompilethefile.

C and C++ Command Line ExamplesThefollowingisasimpleusageexample:

Totranslateafilenamedhelloworld.cusingthegcccompiler,enter:

sourceanalyzer -b my_buildid gcc helloworld.c

Note:Thisalsocompilesthefile.

About Integrating with MakeYoucanuseeitherofthefollowingmethodstointegrateSCAwithMake:

• HPFortifyTouchlessBuildAdapter

• ModifyaMakefiletoInvokeSCA

Using the HP Fortify Touchless Build AdapterThefollowingsectiondescribesthedifferentmethodsforusingthetouchlessbuildadapter.

Using the sourceanalyzer Build Adapter Command

Forexample,tousetheHPFortifytouchlessbuildadaptertointegratewithapythonbuildscript:

sourceanalyzer -b <build_id> touchless python build.py

SCArunstheentirecommandfollowingthe"touchless"keyword.WhenthecommandcreatesanewprocessthatSCAdeterminesisacompiler,thecommandisprocessedbySCA.

ForinformationaboutinformingSCAaboutspeciallynamedcompilers,seethecom.fortify.sca.compilers.*propertyin“UsingPropertiestoControlRuntimeOptions”onpage65.Anybuildcommandthatexecutesarecognizedcompilerprocesscanbeusedwiththissystem;justreplacethe'make'sectionoftheabovecommandwiththecommandusedtorunabuild.

Chapter 5: Translating C/C++ Code 27

Note:TheHPFortifytouchlessbuildadapterdoesnotfunctioncorrectlyif:

• Thebuildscriptinvokesthecompilerwithanabsolutepathoroverridestheexecutablesearchpath.

• Thebuildscriptdoesnotcreateanewprocesstorunthecompiler.ManyJavabuildtools,includingAnt,operatethisway.

Modifying a Makefile to Invoke SCATomodifyamakefiletoinvokeSCA,replaceanycallstothecompiler,archiver,orlinkerinthemakefilewithcallstoSCA.Thesetoolsaretypicallyspecifiedinaspecialvariableinthemakefile,asinthefollowingexample:

CC=gccCXX=g++AR=ar

ThestepcanbeassimpleasprependingthesetoolreferencesinthemakefilewithSCAandtheappropriateoptions:

CC=sourceanalyzer -b mybuild gcc

CXX=sourceanalyzer -b mybuild g++

AR=sourceanalyzer -b mybuild ar

About Command Line Builds in Visual Studio .NETIfyouperformcommandlinebuildswithVisualStudio.NET,youcaneasilyintegratestaticanalysisbysimplywrappingthebuildcommandlinewithaninvocationofsourceanalyzer.Forthistowork,youmusthavetheHPFortifyPackageforMicrosoftVisualStudioforyourversionofVisualStudioinstalled.

Considerthefollowingexample

sourceanalyzer -b my_buildid devenv MyProject.sln /REBUILD

ThisperformsthetranslationphaseonallfilesbuiltbyVisualStudio.Besuretodoacleanorarebuildsothatallfilesareincluded.

About Command Line Builds in Visual Studio 6.0IfyouperformcommandlinebuildswithVisualStudio6.0,youcanintegratestaticanalysisbywrappingthebuildcommandlinewithaninvocationofsourceanalyzer.

Considerthefollowingexample:

sourceanalyzer -b my_buildid msdev MyProject.dsp /MAKE "MyProject DEBUG" /REBUILD

ThisperformsthetranslationphaseonallfilesbuiltbytheVisualStudio.Besuretodoacleanorarebuildsothatallfilesareincluded,asdescribedinyourVisualStudiodocumentation.

Scanning Pre‐processed C/C++ CodeIf,priortocompilation,yourC/C++buildexecutesathird‐partyCpreprocessorthatisnotsupportedbySCA,youmustinvokeSCAtranslationontheintermediatefile.SCAtouchlessbuildintegrationwillautomaticallytranslatetheintermediatefileprovidedyourbuildexecutestheunsupportedpreprocessorandsupportedcompilerastwocommandsconnectedbyatemporaryfileratherthanapipechain.

Thissanuncommonscenariothatmostuserswillnotencounter.

Chapter 6: Translating ABAP/4 28

Chapter 6: Translating ABAP/4Thischaptercoversthefollowingtopics:

• AboutTranslatingABAP/4Code

• AboutScanningABAPCode

• OverviewoftheProcess

• AbouttheTransportRequest

• AddFortifySCAtoYourFavoritesList(Optional)

• RunningtheHPFortifyABAPExtractor

About Translating ABAP/4 CodeTranslatingABAP/4codeissimilartotranslatingotheroperatinglanguagecode,butrequiresadditionalstepsinordertoextractthecodefromtheSAPdatabaseandprepareitforscanning.ThischapterassumesyouhaveSCArunningandhaveabasicunderstandingofSCA,SAP,andABAP/4.

About Scanning ABAP CodeInordertotranslateABAPcode,theHPFortifyABAPExtractorprogramdownloadssourcefilestothepresentationserver,andoptionally,invokesSCA.YouneedtouseanaccountwithpermissionstodownloadfilestothelocalsystemandexecuteOScommands.

Becausetheextractorprogramisexecutedonline,youmayreceiveamax dialog work process time reachedexceptionifthevolumeofsourcesfilesselectedforextractionexceedstheallowableprocessruntime.YoucanoftenworkaroundthisbydownloadinglargeprojectsasaseriesofsmallerExtractortasks.Forexample,ifyourprojectconsistsoffourdifferentpackages,downloadeachpackageseparatelyintothesameprojectdirectory.

Iftheexceptionoccursfrequently,pleaseworkwithyourSAPBasisadministratortoincreasethemaximumtimelimit(rdisp/max_wprun_time).

WhenaPACKAGEisextractedfromABAP,theHPFortifyABAPExtractorextractseverythingfromTDEVCwithaparentclfieldthatmatchesthepackagename.ItthenrecursivelyextractseverythingelsefromTDEVCwithaparentclfieldequaltothosealreadyextractedfromTDEVC.ThefieldextractedfromTDEVCisdevclass.

Thedevclassvaluesaretreatedasasetofprogramnamesandhandledthesamewayasaprogramnamewhichyoumayoptionallyprovide.

ProgramsareextractedfromTRDIRbymatchingthenamefieldagainsteithertheprogramnamegivenbytheuserintheselectionscreenorbycomparingwiththelistofvaluesextractedfromTDEVCifapackagewasprovided.TherowsfromTRDIRarethoseforwhichthenamefieldhasthegivenprogramnameandtheexpressionLIKEprogramnameisusedtoextractrows.

ThisfinallistofnamesisusedwithREAD REPORTtofinallygetcodeoutoftheSAPsystem.ThismethoddoesreadclassesandmethodsoutaswellasmerelyREPORTs,fortherecord.

EachREAD REPORTcallproducesafileinthetemporaryfolderonthelocalsystem.Thissetoffilesiswhatsourceanalyzerwilltranslateandscan,producingan.fprfilewhichcanbeviewedwithHPFortifyAuditWorkbench.

About INCLUDE ProcessingAssourcecodeisdownloaded,theHPFortifyABAPExtractorchecksforINCLUDEstatementsinthesource.Whenfound,itdownloadstheincludetargetstothelocalmachineforanalysisaswell.


Overview of the ProcessTherearetwomainstepsrequiredpriortotranslatingyourABAP/4code:

• InstallaTransportRequestonyourSAPserver.

• AddthetransactionobjecttoyourFavoriteslist(optional)

Note:ThefollowingprocedureisbasedontheuseoftheWindowsSAPclient‐basedinterface.ScreenshotsandinterfacelocationsmayvaryifyouareusingadifferentSAPclient.

About the Transport RequestABAPscanningisavailableasapremiumcomponentofSCA.Ifyoupurchasedalicensethatincludesthiscapability,youwillneedtoinstalltheHPFortifyTransportRequestonyourSAPServer..

ThetransportrequestislocatedintheSAP_Extractor.zippackage.ThepackageislocatedintheToolsdirectory:

<SCA_Install_Directory>\Tools\SAP_Extractor.zip

TheHPFortifySCAABAPExtractorpackage,SAP_Extractor.zip,containsthefollowingfiles:

• K9000XX.NSP (wherethe“XX”isthereleasenumber)

• R9000XX.NSP (wherethe“XX”isthereleasenumber)

ThesefilesincludemakeuptheSAPtransportrequestandshouldbeimportedintoyourSAPsystemfromoutsideyourlocalTransportDomain.ThisshouldbedonebyyourSAPadministratororanindividualauthorizedtoinstalltransportrequestsonthesystem.

TheNSPfilescontainaclass,aprogram,atransaction(YSCA),andtheprogramGUIscreens.Onceimportedintoyoursystemandproperlyconfigured,youwillbeabletoextractyourcodefromtheSAPdatabaseandprepareitforscanningbySCA.

InstallationNote:TheHPFortifySCAABAPExtractortransportrequestwascreatedonasystemrunningSAPrelease702,SPlevel0006.IfyouarerunningadifferentSAPrelease,youmaygetatransportrequestimporterror:

Install release does not match the current version

Thiswillcausetheinstallationtofail.Toresolvethisissue:

1. Runthetransportrequestimportagain.

TheImportTransportRequestscreenappears.

2. ClicktheOptionstab.

3. SelecttheIgnoreInvalidComponentVersioncheckbox.

4. Completetheimportprocedure.

Add Fortify SCA to Your Favorites List (Optional)AddingFortifySCAtoyourFavoriteslistisoptional,butdoingsomaymakeiteasiertoaccessandlaunchFortifySCAscans.ThefollowingstepsassumethatyouusetheUsermenuinyourday‐to‐daywork.Ifyourworkisdonefromadifferentmenu,addtheFavoriteslinktothemenuthatyouuse.BeforeyoucreatetheFortifySCAentry,theSAPservershouldberunningandyoushouldbeintheSAPEasyAccessareaofyourweb‐basedclient.

1. FromtheSAPEasyAccessmenu,typeS000inthetransactionbox.

TheSAPMenuappears.

2. Right‐clicktheFavoritesfolderandselectInserttransaction.


TheManualentryofatransactionboxappears.

3. TypeYSCAintheTransactioncodebox.

4. Clickthegreencheckmarkbutton.

TheLaunchSCAitemshould appearintheFavoriteslist.

5. ClicktheExtractABAPcodeandlaunchSCAlinktolaunchtheHPFortifyABAPExtractor.


Running the HP Fortify ABAP Extractor1. LaunchtheprogramfromtheFavoriteslink,thetransactioncode,orbymanuallylaunchingthe

Z_AMOL_SCAobject.

2. Fillintherequestedinformation:

Section Data

Objects EnterthenameoftheSoftwareComponent,Package,Program,orBSPApplicationyouwanttoscan.

Sourceanalyzerparameters FPRFilePath:TypethedirectorywhereyouwanttostoreyourFPRfile.IncludethenameyouwantassignedtotheFPRfileinthepathname.

WorkingDirectory:Typethedirectorywheretheextractedsourcecodeshouldbecopied.

Build‐ID:TypethebuildIDforthescan.

TranslationsParameters:Listanyoptionalsourceanalyzertranslationarguments.

ScanParameters:Listanyoptionalsourceanalyzerscanarguments.

ZIPFileName:TypeaZIPfilenameifyouwouldlikeyouroutputprovidedinacompressedpackage.

MaximumCall‐chainDepth:AglobalSAP‐functionFwillnotbedownloadedunlessFwasexplicitlyselectedorunlessFcanbereachedthroughachainoffunctioncallswhichstartsinexplicitly‐selectedcodeandwhoselengthisthisnumberorless.


3. ClicktheExecutebutton.

Actions Download:CheckthisboxtoinstructSCAtodownloadthesourcecodeextractedfromyourSAPdatabase.

Build:CheckthisboxtoinstructSCAtotranslatealldownloadedABAPcodeandstoreitunderthespecifiedBuild‐ID.

Scan:Checkthisboxtorequestascan.

LaunchAWB:CheckthisboxtolaunchAuditWorkbenchandloadtheFPR.

CreateZIP:Checkthisboxtorequesttheoutputbecompressed.

ProcessinBackground:Checkthisboxtorequestthatprocessingoccurinthebackground.

Section Data

Chapter 7: Translating Ruby Code 33

Chapter 7: Translating Ruby CodeThischaptercoversthefollowingtopics:

• AboutRubyCommandLineSyntax

• AddingLibraries

• AddingMultipleLibraryPaths

• AddingGemPaths

About Ruby Command Line SyntaxThebasiccommandlinesyntaxforRubyis:

sourceanalyzer –b <build_id> <.rb_file>

whererb_fileisthenameoftheRubyfiletobescanned.ToincludemultipleRubyfiles,separatethemwithaspace,asinthefollowingexample:

sourceanalyzer –b <build_id> file1.rb file2.rb file3.rb

Note:InadditiontolistingindividualRubyfiles,youcanusetheasterisk(*)wildcardtoselectallRubyfilesinaspecifieddirectory.Forexample,tofindalloftheRubyfilesinadirectorycalledsrc,youcouldusethefollowingsourceanalyzercommand:

sourceanalyzer –b <build_id> src/*.rb

Adding Libraries IfyourRubysourcecoderequiresaspecificlibrary,addtheRubylibrarytothesourceanalyzercommand.Forexample,ifyouhaveautils.rbfilethatresidesinthe/usr/share/ruby/myPersonalLibrary/ directory,thenyoushouldaddthefollowingtothesourceanalyzercommand:

-ruby-path=/usr/share/ruby/myPersonalLibrary

Adding Multiple Library Paths Tousemultiplelibraries,useadelimitedlist.InWindowsthepathsshouldbeseparatebyasemicolon(‘;’);andonallotherplatformsuseacolon(‘:’),asinthefollowingnon‐Windowsexample:

-ruby-path=/path/one:/path/two:/path/three

Adding Gem PathsToaddallRubyGemsandtheirdependencypaths,importallRubyGems.Todothis,runthegem envcommandandunderGEMPATHSyouwillseeadirectorylike:

/home/myUser/gems/ruby-version

Thisdirectoryshouldcontainanotherdirectorycalledgemswhichcontainsdirectoriesforallthegemfilesinstalledonthesystem,soforthisexampleyouwouldset:

-rubygem-path=/home/user/myUser/gems/ruby-version/gems

Ifyouhavemultiplegemsdirectories,addthemusingadelimitedlistsuchas:

-rubygem-path=/path/to/gems:/another/path/to/more/gems

Chapter 7: Translating Ruby Code 34

Note:ForWindowssystems,separatethegemsdirectorieswithasemicolon.

Warnings

BecausethisisaTechnicalPreview,youmayencounterparseerrors.

[error]: Unexpected exception while parsing file p.rb: (SyntaxError) p.rb:2:syntax error, unexpected end-of-file.

Theseerrors,orwarnings,arelikelycausedbybugsintheRubyTechnicalPreviewcodeandshouldbereportedtoHPFortifysupport.

Ruby on Rails Support

RubyonRailssupportwillbeaddedinafuturereleaseofHPFortifyStaticCodeAnalyzer.

YourJSPfilesmustbepartofaWebApplicationArchive(WAR).IfyoursourcedirectoryisalreadyorganizedinaWARlayout,youcantranslatetheJSPfilesdirectlyfromthesourcedirectory.Ifthisisnotthecase,youmayneedtodeployyourapplicationandtranslatetheJSPfilesfromthedeploymentdirectory.

Forexample:

sourceanalyzer -b <build_id> \**\*.jsp \**\*.xml

where\**\*.jspreferstothelocationofyour*.jspprojectfilesand\**\*.xmlreferstothelocationofyourconfigurationanddeploymentdescriptorfiles.

Chapter 8: Translating Flex 35

Chapter 8: Translating FlexThischaptercoversthefollowingtopics:

• AbouttheCommand‐LineOptions

• AboutActionScriptCommandLineSyntax

• ActionScriptCommandLineExamples

• AboutHandlingResolutionWarnings

About the Command‐Line OptionsThefollowingcommand‐lineoptions(withcorrespondingpropertiesthatcanbeusedinstead,forconvenience)areusingwhentranslatingFlexfiles:

• -flex-sdk-root (com.fortify.sca.FlexSdkRoot)shouldpointtotherootofavalidFlexSDK.Thisfoldershouldcontainaframeworksfolderthatcontainsaflex-config.xmlfile.Itshouldalsocontainabinfolderthatcontainsanmxmlcexecutable.

Youcansetthispropertyinyourfortify-sca.propertiesfile.

• -flex-libraries (com.fortify.sca.FlexLibraries)containsa: or;separatedlist(: onmostplatforms,;onWindows)oflibrarynamesthatyouwantto“link”to.Inmostcases,thislistincludesflex.swc, framework.swc,andplayerglobal.swc(usuallyfoundinframeworks/libs/underyourFlexSDKroot).

Youcansetthispropertyinyourfortify-sca.propertiesfiletousethesamesetofSWCs.

Note:YoucanspecifySWCorSWFfilesasFlexlibraries,butwedonotcurrentlysupportSWZ.

• -flex-source-roots (com.fortify.sca.FlexSourceRoots)containsa:or; separatedlistofrootdirectoriesinwhichMXMLsourcescanbefound.Normally,thesewillcontainasubfoldernamedcom.Forinstance,ifaFlexsourcerootisgiventhatispointingatfoo/bar/src, then foo/bar/src/com/fortify/manager/util/Foo.mxmlwillgettransformedintoanobjectnamedcom.fortify.manager.util.Foo,(anobjectnamedFoointhepackagecom.fortify.manager.util).

• -flex-sdk-rootand–flex-source-rootsareprimarilyforMXMLtranslation,andareoptionalifyouarescanningpureActionScript.–flex-librariesisusedforresolvingallActionScript

Note:MXMLfilesaretranslatedintoActionScriptandthenrunthroughtheActionScriptparser.TheActionScriptthatisgeneratedisintendedtobesimpletoanalyze;notrigorouslycorrectliketheFlexrun‐timemodel.Asaconsequenceofthis,youmaygetparseerrorswithMXMLfiles.Forinstance,theXMLparsingcouldfail,thetranslationtoActionScriptcouldfail,andtheparsingoftheresultingActionScriptcouldalsofail.Ifyouseeanyerrorsthatdonothaveaclearconnectiontotheoriginalsourcecode,pleasenotifyHPFortifySupport.


About ActionScript Command Line SyntaxThebasiccommandlinesyntaxforActionScriptis:

sourceanalyzer -b <build_id> -flex-libraries <listOfLibraries>

TopassfilesdirectlytoFortifySCA,enter:

sourceanalyzer -b <build_id> -flex-libraries <listOfLibraries>

where:

<listOfLibraries>

isasemicolon‐separatedlist(Windows)oracolonseparated‐list(non‐Windowssystems)oflibrarynamesthatyouwantto“link”to.

ActionScript Command Line ExamplesThefollowingexamplesillustratecommand‐linestructurefortypicalscenariosyoumayencounter.

Example1

ThefollowingexampleisforasimpleapplicationthatcontainsonlyoneMXMLfileandasingleSWFlibrary(MyLib.swf).

sourceanalyzer -b MyFlexApp -flex-libraries lib/MyLib.swf -flex-sdk-root /home/myself/flex-sdk/ -flex-source-roots.my/app/FlexApp.mxml

Thisidentifiesthelocationofthelibrariestoinclude,andalsoidentifiestheFlexSDKandtheFlexsourcerootlocations.ThesingleMXMLfile,locatedin/my/app/FlexApp.mxml,resultsinyourMXMLapplication’sbeingtranslatedasasingleActionScriptclasscalledFlexAppandlocatedinthemy.apppackage.

Example2

Thefollowingexampleisforanapplicationinwhichthesourcefilesarerelativetothesrcdirectory.ItusesasingleSWFlibrary,MyLib.swf,andtheFlexandframeworklibrariesfromtheFlexSDK.

sourceanalyzer -b MyFlexProject -flex-sdk-root /home/myself/flex-sdk/ -flex-source-roots src/ -flex-libraries lib/MyLib.swf src/**/*.mxml src/**/*.as

Inthisexample,welocatetheFlexSDK.SCAfilespecifiersareusedtoincludethe.as andmxmlfilesunderthesrc folder.Itisnotnecessarytoexplicitlyspecifythe.SWCfilesfoundunderthe–flex-sdk-root,althoughthisexampledoessoforthepurposesofillustration.SCAwillautomaticallylocateall.SWCfilesunderthespecifiedFlexSDKroot,anditassumesthatthesearelibrariesintendedforusetranslatingActionScriptormxmlfiles.

Example3

Inthisexample,theFlexSDKrootandFlexlibrariesarespecifiedinapropertiesfilesincetypinginthedataistimeconsumingandittendstobeconstant.Theapplicationmaybedividedintotwosectionsandstoredinfolders:amainsectionfolderandamodulesfolder.Eachfoldercontainsansrcfolderwherethepathsshouldbebegun.Wildcardsareusedinfilespecifierstopickupallthe.mxmland.asfilesinbothofthesrcfolders.AnMXMLfileinmain/src/com/foo/util/Foo.mxmlwillbetranslatedasanActionScriptclassnamedFoointhepackagecom.foo.util,forexample,withthesourcerootsspecifiedhere:

sourceanalyzer -b MyFlexProject -flex-source-roots main/src:modules/src ./main/src/**/*.mxml ./main/src/**/*.as ./modules/src/**/*.mxml ./modules/src/**/*.as


About Handling Resolution WarningsToseeallwarningsthatweregeneratedduringyourbuild,enterthefollowingcommandbeforeyoustartthescanphase:


About ActionScript WarningsYoumayreceiveamessagesimilarto:

The ActionScript front end was unable to resolve the following imports: a.b at y.as:2. foo.bar at somewhere.as:5. a.b at foo.mxml:8.

ThiserroroccurswhenSCAcannotfindallofthelibrariesitneeds.YoumayneedtospecifyadditionalSWCorSWFFlexlibraries(‐flex‐librariesoption,orcom.fortify.sca.FlexLibrariesproperty)sothatSCAcancompletetheanalysis.

Chapter 9: Translating Code for Mobile Platforms 37

Chapter 9: Translating Code for Mobile PlatformsThischaptercoversthefollowingtopics:

• AboutTranslatingObjective‐CCode

• AboutTranslatingGoogleAndroidCode

About Translating Objective‐C CodeThissectiondescribeshowtotranslateObjective‐CsourcecodeforiOSapplications.

Prerequisites• Xcodecommand‐linetoolsmustbeinstalledinthepath.

• Projectsmustusethenon‐fragileObjective‐Cruntime(ABIversion2or3).

• UseApple’sxcode‐selectcommand‐lineutilitytosetyourXcodepath.SCAusesthesystems’sglobalXcodeconfigurationtofindtheXcodetoolchainandheaders.

About Objective‐C Command Line SyntaxThebasiccommandlinesyntaxfortranslatingasinglefileis:

sourceanalyzer -b <build_id> -clean

sourceanalyzer -b <build_id> xcodebuild [<compiler options>]

where:

<compiler options> areoptionspassedtoxcode.

Objective‐C Command Line ExampleThefollowingsimpleexamplesillustrateusagepatternsforthesupportedcompilers.Thefollowingcommandsamplesshouldberunfromthedirectorywheretheprojectfilesarelocated.

TotranslateanXcodeObjective‐Cproject,enter:

xcodebuild [options] clean(Optional.Cleanthepreviousbuildartifacts)

sourceanalyzer -b my_buildid -clean

sourceanalyzer -b my_buildid xcodebuild [options]

Toscantheapplicationartifactfiles:

sourceanalyzer -b my_buildid -scan -f result.fpr

Note:Thesourcecodewillbecompiledwhenrunningthesecommands.

Xcode Compiler ErrorsIfyoureceiveXcodecompilererrors,thismaybeduetotheinclusionofClangoptionsaddedafteryourversionofSCAwasreleased.Toeradicatetheerrors,typethefollowingafterxcodebuild:

ARCHS=i386GCC_TREAT_WARNINGS_AS_ERRORS=NO

whereARCHS=i386representsthearchitectures(ABIs,processormodels)towhichthebinaryistargeted.

Chapter 9: Translating Code for Mobile Platforms 38

About Translating Google Android CodeSSRprovidesrulessupportforprogramsthatrunontheGoogleAndroidplatform.Theserules

• identifyinsecuredatastorage

• categorizeapplicationsbytheirsecuritypermissionsanddetectoverprivilegeduses

• sendandreceiveintents,identifydatabase,filesystem,web,privateinformationandAndroidinter‐componentsources

TranslatingGoogleAndroidcodeissimilartotranslatingJavacode.ForinstructionsontranslatingJavacode,seeChapter2,TranslatingJavaCodeonpage17.

Migration IssuesIfyouhavemigratedfromapreviousversionofSCAandreceiveanerrorwhenrunningSCA,itmaybeduetoadeprecatedpropertykeyinyourfortify-sca.propertiesfile.Checkthe fortify-sca.prortiesfile(locatedintheinstall directory>/SCA/Core/config/directoryforanyofthefollowing,deprecatedpropertykeys:

com.fortify.sca.xcodebuild.CompilerPath

com.fortify.sca.xcodebuild.SupportedVersion

com.fortify.sca.xcodebuild43.CompilerPath

com.fortify.sca.clang.includes

com.fortify.sca.clang.CaptureWarnings

com.fortify.sca.llvmtonst.CaptureWarnings

com.fortify.sca.llvmtonst.FailOnError

com.fortify.sca.llvmtonst.command

com.fortify.sca.llvmtonst.options

com.fortify.sca.pretranslate.command

Iffound,removethekeyfromyourpropertiesfile.

Chapter 10: Translating Other Languages 39

Chapter 10: Translating Other LanguagesThischaptercoversthefollowingtopics:

• AboutCommandLineSyntaxforOtherLanguages

• ConfigurationConsiderations

• TranslatingCOBOLCode

About Command Line Syntax for Other LanguagesThistopicdescribestheSCAcommandsyntaxfortranslatingotherlanguages.

Thebasiccommandlinesyntaxforotherlanguagesis:

sourceanalyzer -b <build_id> <file_list>

EnterthefollowingtoselectthesqltypebeingtranslatedonWindowsplatforms:

sourceanalyzer -b <example_build> -sql-language TSQL <files>

or

sourceanalyzer -b <example_build> -sql-language PL/SQL <files>

SQLNote:Bydefault,fileswiththeextensionsqlareassumedtobeT‐SQLratherthanPL/SQLonWindowsplatforms.IfyouareusingWindowsandhavePL/SQLfileswiththesqlextension,youcanconfigureSCAtotreatthemasPL/SQLratherthanexplicitlyspecifyiteachtimeyourrunsourceanalyzer

Tochangethedefaultbehavior,setthecom.fortify.sca.fileextensions.sql propertyinfortify-sca.properties to “TSQL” or “PLSQL.”

EnterthefollowingtoperformtranslationonColdFusionsourcecode:

sourceanalyzer -b <build -id> -source-base-dir <dir> <files|file specifiers>

where:

• <build_id>specifiesthebuildIDfortheproject

• <dir>specifiestherootdirectoryofthewebapplication

• <files|file specifiers>specifiestheCFMLsourcecodefiles

ColdFusionNote:SCAcalculatestherelativepathtoeachCFMLsourcefilebyusingthe-source-base-dirdirectoryasthestartingpoint,thenusestheserelativepathswhengeneratinginstanceIDs.Iftheentireapplicationsourcetreeismovedtoadifferentdirectory,theinstanceIDsgeneratedbyasecurityanalysisshouldremainthesameifyouspecifyanappropriatevaluefor-source-base-dir.

Foradescriptionofalltheoptionsyoucanusewiththesourceanalyzercommand,seeCommandLineInterfaceonpage48.

Filespecifiersareshowninthefollowingtable:

Table 4: File Specifiers

File Specifier Description

<dirname> Allfilesfoundunderthenameddirectoryoranysubdirectories

<dirname>/**/Example.js AnyfilenamedExample.jsfoundunderthenameddirectoryoranysubdirectories


Note:WindowsandmanyUnixshellsautomaticallytrytoexpandargumentscontainingthe'*'character,sofile‐specifierexpressionsshouldbequoted.Also,onWindows,enterthebackslash(\)insteadoftheforwardslash(/).

Configuration ConsiderationsThissectionprovidesinformationonconfiguringPython,configuringColdFusion,configuringtheSQLextension,andconfiguringASP/VSScriptvirtualroot.

Configuring PythonSCAtranslatesPythonapplications,andtreatsfileswiththeextensionpyasPythonsourcecode.InorderforSCAtotranslatePythonapplicationsandpreparetheapplicationforascan,SCAsearchesanyimportfilesfortheapplication.SCAdoesnotrespectthePYTHONPATHenvironmentvariablewhichthePythonruntimesystemusestofindimportedfiles,sothisinformationshouldbegivendirectlytoSCAusingthe -python-pathargument.Inaddition,someapplicationsaddadditionalimportdirectoriesduringruntimeinitialization.

Toaddpathsforadditionalimportdirectories,usethesourceanalyzercommandlineoption:

-python-path pathname

Note:SCAtranslatesPythonapplicationsusingallimportfileslocatedinthedirectorypathdefinedbythe-python-path pathnameoption.Subsequently,translationmaytakeasignificantamountoftimetocomplete.

Using the Django Framework with Python

InordertoscancodecreatedusingtheDJangoframework,setthefollowingpropertiesinthefortify-sca.propertiesconfigurationfile:

-Dcom.fortify.sca.limiters.MaxPassThroughChainDepth=8

-Dcom.fortify.sca.limiters.MaxChainDepth-8

Duringthetranslationphase,setthefollowingswitch:

-django-template-dirs path/to/template/dirs

Configuring ColdFusionInordertotreatundefinedvariablesinaCFMLpageastainted,uncommentthefollowinglineinsca_install_dir\Core\config\fortify-sca.properties:#com.fortify.sca.CfmlUndefinedVariablesAreTainted=true

Doingsoservesasahinttothedataflowanalyzertowatchoutforregister‐globals‐stylevulnerabilities.However,enablingthispropertyinterfereswithDataflowfindingsinwhichavariableinanincludedpageisinitializedtoataintedvalueinanearlier‐occurringincludedpage.

<dirname>/*.js Anyfilewiththeextension.jsfoundinthenameddirectory

<dirname>/**/*.js Anyfilewiththeextension.jsfoundunderthenameddirectoryoranysubdirectories

<dirname>/**/* Allfilesfoundunderthenameddirectoryoranysubdirectories(sameas<dirname>)

Table 4: File Specifiers (Continued)


Configuring the SQL ExtensionBydefault,fileswiththeextensionsqlareassumedtobeT‐SQLratherthanPL/SQLonWindowsplatforms.IfyouareusingWindowsandhavePL/SQLfileswiththesqlextension,youshouldconfigureSCAtotreatthemasPL/SQL.Tochangethedefaultbehavior,setthecom.fortify.sca.fileextensions.sql propertyinfortify-sca.propertiesto“TSQL”or“PLSQL.”

Note:Fortify360v2.5updatedthePL/SQLparsertoimprovetranslationofPL/SQLsourcecode.However,theexistenceoftwodifferentparserscanmakemergingresultsfrompre‐v2.5andpost‐v2.5difficult.

ToreverttotheolderversionofthePL/SQLparser,addthefollowingpropertytothefortify-sca.propertiesfile:

com.fortify.sca.UseOldPlsql=true

Configuring ASP/VBScript Virtual RootsSCAallowsyoutohandleASPvirtualroots.Forwebserversthatusevirtualdirectoriesasaliasesthatmaptophysicaldirectories,SCAallowsyoutousealias.

Forinstance,youmayhavevirtualdirectoriesnamedIncludeandLibrarywhichrefertothephysicaldirectoriesC:\WebServer\CustomerOne\incandC:\WebServer\CustomerTwo\Stuff,respectively.

Asanexample,theASP/VBScriptcodeforanapplicationusingvirtualincludes,asfollows:



TheaboveASPcodereferstotheactualdirectory,asfollows:

C:\Webserver\CustomerOne\inc\Task1\foo.inc

TherealdirectoryreplacesthevirtualdirectorynameIncludeinthatinstance.

Accommodating Virtual Roots

InordertoindicatetoSCAwhateachvirtualdirectoryisanaliasfor,youmustsetapropertyoftheformcom.fortify.sca.ASPVirtualRoots.name_of_virtual_directoryaspartofyourcommandlineinvocationofSCAinthefollowingmanner:

sourceanalyzer -Dcom.fortify.sca.ASPVirtualRoots.name_of_virtual_directory=<full path to corresponding physical directory>

Note:OnWindows,ifthephysicalpathhasspacesinit,youmustincludethepropertysettingindouble‐quotes:

sourceanalyzer "-Dcom.fortify.sca.ASPVirtualRoots.name_of_virtual_directory=<full path to corresponding *physical* directory>"

Toexpandupontheexampleintheprevioussection,thepropertyvaluethatyoumustpassalongshouldbe:

-Dcom.fortify.sca.ASPVirtualRoots.Include=”C:\WebServer\CustomerOne\inc”

-Dcom.fortify.sca.ASPVirtualRoots.Library="C:\WebServer\CustomerTwo\Stuff”

DoingsocausesthemappingofIncludetoitsdirectoryandLibrarytoitsdirectory.

WhenSCAencounterstheincludedirective:



SCAwillfirstchecktoseeifyourprojectcontainsaphysicaldirectorynamedInclude.Ifthereisnosuchphysicaldirectory,SCAlooksthroughitsownrun‐timepropertiesandseesthat:

-Dcom.fortify.sca.ASPVirtualRoots.Include="C:\WebServer\CustomerOne\inc"

ThistellsSCAthatvirtualdirectoryIncludeisactuallythedirectory:

C:\WebServer\CustomerOne\inc

ThiswillcauseSCAtolookforthefile:

C:\WebServer\CustomerOne\inc\Task1\foo.inc

Alternately,ifyouchoosetosetthispropertyinthefortify-sca.propertiesfile,whichislocatedin<sca_install_dir>\Core\config,youmustescapethe\character,aswellasanyspacesthatappearinthepathofthephysicaldirectory:

com.fortify.sca.ASPVirtualRoots.Library=c:\\WebServer\\CustomerTwo\\Stuff

com.fortify.sca.ASPVirtualRoots.Include=c:\\WebServer\\CustomerOne\\inc

Note:ThepreviousversionoftheASPVirtualRootpropertyisstillvalid,whichyoumayuseontheSCAcommandlineasfollows:

-Dcom.fortify.sca.ASPVirtualRoots=C:\WebServer\CustomerTwo\Stuff;C:\WebServer\CustomerOne\inc

ThispromptsSCAtosearchthroughthelisteddirectoriesintheorderspecifiedwhenitisresolvingavirtualincludedirective.

Example: Using Virtual Roots

Youhaveafileasfollows:

C:\files\foo\bar.asp

Youcanspecifythisfilebyusingthefollowinginclude:

<!-- #include virtual="/foo/bar.asp">

Thenyoushouldsetthevirtualrootas:

-Dcom.fortify.sca.ASPVirtualRoots=C:\files\foo

Thiswillstripthe/foofromthefrontofthevirtualroot.IfyoudonotspecifyfoointheASPVirtualRootsproperty,SCAwilllookinC:\files\bar.asp,andwillfail.

Thesequenceforspecifyingvirtualrootsareasfollows:

1. Removethefirstpartofthepathinthesource

2. Replacethefirstpartofthepathwiththevirtualrootasspecifiedonthecommandline.

Other Language Command Line ExamplesThissectionincludesexamplesoftranslatingPL/SQL,T‐SQL,PHP,ClassicASPwrittenwithVBScript,JavaScript,VBScriptFiles.

Translating PL/SQL ExampleThefollowingexampledemonstratessyntaxfortranslatingtwoPL/SQLfiles:

sourceanalyzer -b MyProject x.pks y.pks

ThefollowingexampledemonstrateshowtotranslateallPL/SQLfilesunderthesourcesdirectory:

sourceanalyzer -b MyProject "sources/**/*.pks"


Translating T‐SQL ExampleThefollowingexampledemonstratessyntaxfortranslatingtwoT‐SQLfiles:

sourceanalyzer -b MyProject x.sql y.sql

ThefollowingexampledemonstrateshowtotranslateallT‐SQLfilesunderthesourcesdirectory:

sourceanalyzer -b MyProject "sources\**\*.sql"

Note:Thisexampleassumesthecom.fortify.sca.fileextensions.sql propertyinfortify-sca.propertiesissetto“TSQL.”

Translating PHP ExampleTotranslateasinglefilenamedMyPHP.php,enter:

sourceanalyzer -b mybuild "MyPHP.php"

Totranslateafilewherethesourceorthephp.inifileentryincludesarelativepathname(startswith./ or../),youwillneedtosetthePHPsourceroot:

sourceanalyzer -php-source-root <path> -b mybuild "MyPHP.php"

where<path>shouldbetheabsoluteorrelativepathtotheprojectrootdirectory.Therelativepathnamewillexpandfromthephpprojectrootdirectory.

Translating Classic ASP written with VBScript ExampleTotranslateasinglefilenamedMyASP.asp,enter:

sourceanalyzer -b mybuild "MyASP.asp"

Translating JavaScript ExampleTotranslateallJavaScriptfilesunderthescriptsdirectory,enter:

sourceanalyzer -b mybuild "scripts/*.js"

Translating VB Script File ExampleTotranslateaVBfilenamedmyApp.vb,enter:

sourceanalyzer -b mybuild "myApp.vb"

Translating COBOL CodeThissectionprovidesinformationonsupportedtechnologies,preparingCOBOLsourcefilesfortranslation,COBOLcommandlinesyntax,andauditingaCOBOLscan.

Note:InordertouseSCAtoscanCOBOL,youmusthaveaspecializedHPFortifylicensespecificforCOBOLscanningcapabilities.ContactHPFortifyformoreinformationaboutscanningCOBOLandthenecessarylicenserequired.


Supported TechnologiesSCAsupportsIBMEnterpriseCOBOLforIBMz/OSandiscompatiblewiththefollowingsystems:

• CICS

• IMS

• DB/2embeddedSQL

• IBMWebSphereMQ

Preparing COBOL Source Files for TranslationSCArunsonlyonthesupportedsystemslistedintheHPFortifySystemRequirementsdocument,notonmainframecomputers.ThismeansthatbeforeyoucanscanaCOBOLprogram,youmustcopythefollowingprogramcomponentstothesystemrunningSCA:

• TheCOBOLsourcecode

• AllcopybookfilesusedbytheCOBOLsourcecode

• AllSQLINCLUDEfilesreferencedbytheCOBOLsourcecode

Preparing COBOL Source Code Files

IfyouareretrievingCOBOLsourcefilesfromamainframewithoutCOBorCBLfileextensions(whichisusuallythecaseforCOBOLfilenames),thenyoumustusethefollowingcommandline:

-noextension-type COBOL <directory-file-path>

SpecifythedirectoryandfolderwithallCOBOLfilesastheargumenttoSCA,andSCAwillprocessallthefilesinthatdirectoryandfolderwithoutanyneedforCOBOLfileextensions.

Preparing COBOL Copybook Files

SCAdoesnotidentifycopybooksbyextension.AllcopybookfilesshouldthereforeretainthenamesusedintheCOBOLsourcecodeCOPYstatements.

About COBOL Command Line SyntaxFree‐formatCOBOListhedefaulttranslationandscanningmodeforSCA.Thebasicsyntaxfortranslatingasinglefree‐formatCOBOLsourcecodefileis:

sourceanalyzer -b <build-id>

Thebasicsyntaxforscanningatranslatedfree‐formatCOBOLprogramis:

sourceanalyzer -b <build-id> -scan -f <FPR file name>

Working with Fixed‐Format COBOL

SCAalsosupportsfixed‐formatCOBOL.Whentranslatingandscanningfixed‐formatCOBOL,boththetranslationandscanningcommandlinesmustincludethe-fixed-formatcommandlineoption.Forexample,thetranslationlinesyntaxwouldlooklike:

sourceanalyzer -b <build-id> -fixed-format

Andthescanninglinesyntaxwouldlooklike:

sourceanalyzer -b <build-id> -scan -fixed-format -f <FPR file name>

IfyourCOBOLcodeisIBMEnterpriseCOBOL,thenitismostlikelyfixedformat.IftheCOBOLtranslationcommandappearstohangindefinitely,terminatethetranslationbytypingCtrl‐Cseveraltimes,andrepeatthetranslationcommandwiththe“‐fixed‐format”parameter.


Searching for COBOL Copybooks

UsethecopydirscommandlineoptiontodirectSCAtosearchalistofpathsforcopybooksandSQL INCLUDEfiles.Forexample,thecommandlinesyntaxwouldlooklikethefollowing:

sourceanalyzer -b coboltest -copydirs c:\cobol\copybooks

About Auditing COBOL ScansAfterusingthecommandlinetoscantheapplication,youcanuploadtheresultingFPRfiletoHPFortifyAuditWorkbenchorHPFortifySoftwareSecurityCenterandaudittheapplication’sissues.

SCAdoesnotcurrentlysupportcustomrulesforCOBOLapplications.

Chapter 11: Troubleshooting and Support 45

Chapter 11: Troubleshooting and SupportThischaptercoversthefollowingtopics:

• UsingtheLogFiletoDebugProblems

• AbouttheTranslationFailedMessage

• AboutJSPTranslationProblems

• AboutASPXTranslationProblems

• AboutC/C++PrecompiledHeaderFiles

• AboutReportingBugsandRequestingEnhancements

Using the Log File to Debug ProblemsIfyouencounterwarningsandproblemswhenyourunSCA,re‐runSCAusingthe-debugoption.Thisgeneratesafilenamedsca.loginthefollowingdirectory:

• OnWindows:C:\Documents and Settings\<username>\Local Settings\Application Data\Fortify\scax.xx\log

• Onotherplatforms:$HOME/.fortify/scax.xx/log

wherex.xxistheversionofSCAyouareusing.

Emailthesca.logfileasazipfiletotechsupport@fortify.comforfurtherinvestigation.

About the Translation Failed MessageIfyourC/C++applicationbuildssuccessfullybutyouseeoneormore“translationfailed”messageswhenbuildingwithSCA,editthe<install_directory>/Core/config/fortify-sca.propertiesfiletochangethefollowingline:

com.fortify.sca.cpfe.options= --remove_unneeded_entities --suppress_vtbl

to

com.fortify.sca.cpfe.options=-w --remove_unneeded_entities --suppress_vtbl

Re‐runthebuildtoprinttheerrorsencounteredbythetranslator.IftheoutputindicatesanincompatibilitybetweenyourcompilerandtheHPFortifytranslator,sendyouroutputtoFortifyTechnicalSupportforfurtherinvestigation.

About JSP Translation ProblemsSCAuseseitherthebuilt‐inoryourspecificapplicationserver'sJSPcompilertotranslateJSPfilesintoJavafilesforanalysis.

IftheJSPparserencountersproblemswhenSCAisconvertingJSPfilestoJavafilesforanalysis,youwillseeamessagesimilartothefollowing:

Failed to translate the following jsps into analysis model. Please see the log file for any errors from the jsp parser and the user manual for hints on fixing those<List of JSP file names>

Thistypicallyhappensduetooneormoreofthefollowingreasons:

• ThewebapplicationisnotlaidoutinaproperdeployableWARdirectoryformat

• YouaremissingsomeJARfilesorclassesrequiredfortheapplication

• Sometaglibrariesortheirdefinitions(TLD)aremissingfromyourapplication


Toobtainmoreinformationabouttheproblem,performthefollowingsteps:

1. OpentheSCAlogfileinaneditor.

2. SearchforthestringsJsp parser stdout:andJsp parser stderr:.

TheseerrorsaregeneratedbytheJSPparserthatwasused.ResolvetheerrorsandrerunSCA.

FormoreinformationaboutscanningJ2EEapplications,seeTranslatingJ2EEApplicationsonpage20.

About ASPX Translation ProblemsSCAcompilesASPXfilestoDLLsforanalysisasfollows:

• Ifyouareusing.NET2.0orlaterandVisualStudio2005,usingtheMicrosoftaspnet_compilecompiler

• Ifyouareusing.NET1.1andVisualStudio2003,tryingtofetchASPXfilesoneatatimefromthewebsite

Thecompilationstepcanfailif:

• Youhaveaccessorauthenticationproblemswithaccessingthewebapplication

• YouaremissingsomerequiredDLLs

Ineithercase,youwillseeamessagesimilartothefollowing:

Failed to translate the following aspx files into analysis model. Please see the log file for any errors from the aspx precompiler and the user manual for hints on fixing those.<List of ASPX file names>

Ifyouareusingtheplug‐in,enableplug‐indebuggingandexaminetheplug‐inlogfileforanyerrorsgeneratedbytheASPXprecompiler.

Ifyouareusingthecommandlinetool,fortify_aspnet_compiler,youshouldseetheerrormessagesontheconsole.

Ifyoustillcannotdeterminethecauseoftheproblem,trytoaccesssomeofthefailedASPXfilesfromyourbrowserandseewhatkindoferrorsdisplay.Ifyouseemessagessuchascannot locate assembly,ensurethatyouhavethemissingDLLsandrerunSCA.

IfyoucanaccessthefailedASPXfilesfromthebrowser,butSCAstillfailstoscanit,contactHPFortifyTechnicalSupportforadditionalhelp.

FormoreinformationaboutscanningASP.NETapplications,seeTranslatingASP.NET1.1(VisualStudioVersion2003)Projectsonpage24.

About C/C++ Precompiled Header FilesSomeC/C++compilerssupportafeaturetermed“precompiledheaderfiles,”whichcanspeedupcompilation.Somecompilers'implementationsofthisfeaturehavesubtleside‐effects.Whenthefeatureisenabled,thecompilermayaccepterroneoussourcecodewithoutwarningsorerrors.ThiscanresultinadiscrepancywhereSCAreportstranslationerrorsevenwhenyourcompilerdoesnot.

Ifyouusetheprecompiledheaderfeatureofyourcompiler,makesureyoursourcecodecompilescleanlybydisablingprecompiledheadersanddoingafullbuild.


About Reporting Bugs and Requesting EnhancementsFeedbackiscriticaltothesuccessofthisproduct.Torequestenhancementsorpatches,ortoreportbugs,sendanemailtoTechnicalSupportat:

[email protected]

Besuretoincludethefollowinginformationintheemailbody:

• Product:SCA

• VersionNumber:Todeterminetheversionnumber,runthefollowing:

sourceanalyzer -version

• Platform:(suchasPC)

• OS:(suchasWindows2000)

Whenrequestingenhancements,includeadescriptionofthefeatureenhancement.

Whenreportingbugs,provideenoughdetailsfortheissuetobeduplicated.Themoredescriptiveyouare,thefasterwecananalyzeandfixtheissue.Alsoincludethelogfiles,ortherelevantportionsofthem,fromwhentheissueoccurred.

Appendix A: Command Line Interface 48

Appendix A: Command Line InterfaceThisappendixcoversthecommandlineoptions:

• OutputOptions

• AnalysisOptions

• PythonOption

• ColdFusionOptions

• Java/J2EEOptions

• .NETOptions

• BuildIntegrationOptions

• RuntimeOptions

• OtherOptions

Output OptionsThefollowingtabledescribestheoutputoptions.

Table 5: Output Options

Output Option Description

-append Appendsresultstothefilespecifiedwith-f.Ifthisoptionisnotspecified,SCAaddsthenewfindingstotheFPRfile,andlabelstheolderresultaspreviousfindings.Tousethisoption,theoutputfileformatmustbe.fpror.fvdl.Forinformationonthe-formatoutputoption,seethedescriptioninthistable.

Note:When-appendispassedtoSCAandtheoutputfilespecifiedwiththe-foptioncontainstheresultsofanearlierscan,theresultingFPRcontainstheissuesfromtheearlierscanaswellasissuesfromthecurrentscan.Thebuildinformationandprogramdata(listsofsourcesandsinks)sectionsarealsomerged.

Theenginedatasection,whichincludesrulepackinformation,commandlineoptions,systemproperties,warningsanderrors,andotherinformationabouttheexecutionofsourceanalyzer(asopposedtoinformationabouttheprogrambeinganalyzed),isnotmerged,inpartbecausethereisnowaytomeaningfullymergethisdatafrommultiplescans.Becauseenginedataisnotmergedwith-append,HPFortifydoesnotcertifyresultsgeneratedwith-append.

Ingeneral,-appendshouldonlybeusedwhenitisnotpossibletoanalyzeanentireapplicationatonce.

-build-label<label> Thelabeloftheprojectbeingscanned.ThelabelisnotusedbySCAbutisincludedintheanalysisresults.

-build-project <project> Thenameoftheprojectbeingscanned.ThenameisnotusedbySCAbutisincludedintheanalysisresults.

-build-version <version> Theversionoftheprojectbeingscanned.TheversionisnotusedbySCAbutisincludedintheanalysisresults.

-f <file> Thefiletowhichresultsarewritten.Ifyoudonotspecifyanoutputfile,theoutputiswrittentotheterminal.


Analysis OptionsThefollowingtabledescribestheanalysisoptions.

-format <format> Controlstheoutputformat.Validoptionsarefpr,fvdl,text,andauto.Thedefaultisauto,whichselectstheoutputformatbasedonthefileextension.

Note:Ifyouareusingresultcertification,youmustspecifythefprformat.SeetheAuditWorkbenchUser’sGuideforinformationonresultcertification.

Table 6: Analysis Options

Analysis Option Description

-disable-default-rule-type <type>

DisablesallrulesofthespecifiedtypeinthedefaultRulepacks.Canbeusedmultipletimestospecifymultipleruletypes.WherethevalueoftypeistheXMLtagminusthesuffix“Rule.”Forexample,useDataflowSourceforDataflowSourceRuleelements.Youcanalsospecifyspecificsectionsofcharacterizationrules,suchasCharacterization:Controlflow,Characterization:Issue,andCharacterization:Generic.

Typeiscase‐insensitive.

-encoding Specifiestheencoding.SCAallowsscanningaprojectthatcontainsdifferentencodedsourcefiles.Toworkwithamulti‐encodedproject,youmustspecifythe-encodingoptionatthetranslationstep,whenSCAfirstreadsthesourcecodefile.Thisencodingisrememberedinthebuildsession,andispropagatedintotheFVDLfile.

-filter <file_name> Specifiesaresultsfilterfile.

-findbugs EnablesFindBugsanalysisforJavacode.TheJavaclassdirectoriesmusthavebeenspecifiedwiththe-java-build-diroption,describedin“Java/J2EEOptions”onpage51.

-no-default-issue-rules DisablesrulesindefaultRulepacksthatleaddirectlytoissues.Stillloadsrulesthatcharacterizethebehavioroffunctions.Note:Thisequivalenttodisablingthefollowingruletypes:DataflowSink,Semantic,Controlflow,Structural,Configuration,Content,Statistical,Internal,andCharacterization:Issue.

-no-default-rules SpecifiesnottoloadrulesfromthedefaultRulepacks.SCAprocessestheRulepacksfordescriptionelementsandlanguagelibraries,butnorulesareprocessed.

-no-default-source-rules DisablessourcerulesinthedefaultRulepacks.Note:Characterizationsourcerulesarenotdisabled.

-no-default-sink-rules DisablessinkrulesinthedefaultRulepacks.Note:Characterizationsinkrulesarenotdisabled.

-disable-source-rendering

SourcefilesarenotincludedintheFPRfile.

Table 5: Output Options (Continued)

Output Option Description


Python OptionThefollowingtabledescribestheColdFusionoption.

Table 7: Python Options

Python Option Description

-python-path <path name> Specifiesthepathforadditionalimportdirectories.SCAdoesnotrespectthePYTHONPATHenvironmentvariablethatthePythonruntimesystemusestofindimportedfiles.Usethe-python-pathargumenttospecifyadditionalimportdirectories.

ColdFusion OptionsThefollowingtabledescribestheColdFusionoption.

Table 8: ColdFusion Options

ColdFusion Option Description

-source-base-dir Thewebapplication’srootdirectory.

-source-archive Theapplication’ssourcearchiverepository.Youmustincludethe‐scanand‐foptionstousethisoption.

-quick ScanstheprojectinQuickScanMode,usingthefortify-sca-quickscan.propertiesfile.Bydefault,thisscansearchesforhigh‐confidence,high‐severityissues.FormoreinformationaboutQuickScanMode,seetheAuditWorkbenchUser’sGuide.

-rules [<file>|<directory>]

SpecifiesacustomRulepackordirectory.CanbeusedmultipletimestospecifymultipleRulepackfiles.Ifyouspecifyadirectory,allofthefilesinthedirectorywiththe.binand.xmlextensionsareincluded.

-scan CausesSCAtoperformanalysisforthespecifiedbuildID.

Table 6: Analysis Options (Continued)

Analysis Option Description


Java/J2EE OptionsThefollowingtabledescribestheJava/J2EEoptions.

Table 9: Java/J2EE Options

Java/J2EE Options Description

-appserver SpecifiestheapplicationserverforprocessingJSPfiles:weblogicorwebsphere.

-appserver-home Specifiestheapplicationserver’shome.

ForWeblogic,thisisthepathtothedirectorycontainingtheserver/lib directory.

ForWebSphere,thisisthepathtothedirectorycontainingtheJspBatchCompiler script.

-appserver-version Specifiestheversionoftheapplicationserver.

ForWeblogic,validvaluesare7,8,9,and10.

ForWebSphere,thevalidvalueis6.

-cp <classpath>,-classpath <classpath>

SpecifiestheclasspathtouseforanalyzingJavasourcecode.Theformatissameasjavac:acolonorsemicolon‐separatedlistofpaths.YoucanuseSCAfilespecifiers.Note:Ifyoudonotspecifytheclasspathwiththisoption,theCLASSPATHenvironmentvariableisused.

-extdirs <dirs> Similartothejavacextdirsoption,acceptsacolonorsemicolon‐separatedlistofdirectories.Anyjarfilesfoundinthesedirectoriesareincludedimplicitlyontheclasspath.

-java-build-dir SpecifiesoneormoredirectoriestowhichJavasourceshavebeencompiled.MustbespecifiedforFindBugsresults,asdescribedin“AnalysisOptions”onpage49.

-source <version> IndicateswhichversionoftheJDKtheJavacodeiswrittenfor.Validvaluesforversionare1.3,1.4,1.5,1.6 and 1.7.Thedefaultis1.4.

-sourcepath Specifiesthelocationofsourcefileswhichwillnotbeincludedinthescanbutwillbeusedfornameresolution.Thesourcepathislikeclasspath,exceptitusessourcefilesratherthanclassfilesforresolution.


.NET OptionsThefollowingtabledescribesthe.NEToptions.

Table 10: .NET Options

.NET Options Description

-libdirs <dirs> Acceptsacolonorsemicolon‐separatedlistofdirectorieswheresystemDLLsarelocated.

-dotnet-sources <directory name>

Specifieswheretolookforsourcefilesforadditionalinformation.ThisoptionisautomaticallypassedfromtheSCAplug‐insandAuditWorkbenchbutwhenyouarerunningSCAmanually,youmustprovideityourself.ThisoptioncausesSCAtoattempttofindany.NETclasses,enums,orinterfacesthatarenotexplicitlydeclaredinthecompiledproject.

-vsversion <version> SpecifiesVisualStudioversion.Validvaluesforversionare7.1forVisualStudioVersion2003,8.0forVisualStudioVersion2005,9.0forVisualStudio2008,10.0forVisualStudio2010and11.0forVisualStudio2012.Thedefaultvalueis7.1.

Build Integration OptionsThefollowingtabledescribesthebuildintegrationoptions.

Table 11: Build Integration Options

Build Integration Options Description

-b <build_id> SpecifiesthebuildID.ThebuildIDisusedtotrackwhichfilesarecompiledandcombinedtobepartofabuildandlatertoscanthosefiles.

-bin <binary> Usedwith-scantospecifyasubsetofsourcefilestoscan.Onlythesourcefilesthatwerelinkedinthenamedbinaryatbuildtimeareincludedinthescan.Canbeusedmultipletimestospecifytheinclusionofmultiplebinariesinthescan.

-exclude <file_pattern> Removesfilesfromthelistoffilestotranslate.Forexample:sourceanalyzer –cp "**/*.jar" "**/*" -exclude "**/Test.java"Note:The-excludeoptionworkswheninputfilesarespecifiedonthecommandline;itdoesnotworkwithcompilerintegration.

-nc Whenspecifiedbeforeacompilercommandline,SCAprocessesthesourcefilebutdoesnotrunthecompiler.


DirectivesThefollowingdirectivescanbeusedtolistinformationabouttranslationstepsthathavebeentaken.Onlyonedirectivecanbeusedatatimeandcannotbeusedinconjunctionwithnormaltranslationoranalysissteps.

Table 12: Directives

Directives Description

-clean DeletesallSCAintermediatefilesandbuildrecords.WhenabuildIDisalsospecified,onlyfilesandbuildrecordsrelatingtothatbuildIDaredeleted.

-show-binaries Displaysallobjectsthatwerecreatedbutnotusedintheproductionofanyotherbinaries.Iffullyintegratedintothebuild,itlistsallofthebinariesproduced.

-show-build-ids DisplaysalistofallknownbuildIDs.Note:ThisoptionmayerasebuildIDsgeneratedbypreviousversionsofSCA.

-show-build-tree Displaysallfilesusedtocreatebinaryandallfilesusedtocreatethosefilesinatreelayout.Ifthe-binbinaryoptionisnotpresent,thetreeisdisplayedforeachbinary.Note:Thisoptioncangenerateanextensiveamountofinformation.

-show-files ListsthefilesinthespecifiedbuildID.Whenthe-binoptionispresent,displaysonlythesourcefilesthatwentintothebinary.

-show-build-warnings Usewith-b <build_id>toshowallerrorsandwarningsfromthetranslationphaseontheconsole.Note:TheseerrorsandwarningsdisplayintheresultscertificationpanelofAuditWorkbench.

-show-loc Displaysthenumberoflinesinthecodebeingtranslated.

Runtime OptionsThefollowingtabledescribestheruntimeoptions.

Table 13: Runtime Options

Runtime Options Description

-logfile <file_name> SpecifiesthelogfilethatisproducedbySCA.

-quiet Disablesthecommandlineprogressbar.

-verbose Sendsverbosestatusmessagestotheconsole.

-Xmx <size> SpecifiesthemaximumamountofmemoryusedbySCA.Bydefault,itusesupto600MBofmemory(-Xmx600M),whichcanbeinsufficientforlargecodebases.Whenspecifyingthisoption,ensurethatyoudonotallocatemorememorythanisphysicallyavailable,becausethisdegradesperformance.Asaguideline,assumingnoothermemoryintensiveprocessesarerunning,donotallocatemorethan2/3oftheavailablememory.


Other OptionsThefollowingtabledescribesotheroptions.

Table 14: Other Options

Other Options Description

@<filename> Readscommandlineoptionsfromthespecifiedfile.

-encoding <encoding_name>

Specifiesthesourcefileencodingtype.Thisoptionisthesameasthejavacencodingoption.

-h, -?, -help Printsthissummaryofcommandlineoptions.

-version Displaystheversionnumber.

-debug Enablesdebugmodewhichisusefulduringtroubleshooting.

-build-migration-map <old_fpr_file>

RunstheInstanceIDmapperattheendofascan.

Specifying FilesFilespecifiersareexpressionsthatallowyoutoeasilypassalonglistoffilestoSCAusingwildcardcharacters.SCArecognizestwotypesofwildcardcharacters:'*'matchespartofafilename,and'**'recursivelymatchesdirectories.Youcanspecifyoneormorefiles,oneormorefilespecifiers,oracombinationoffilesandfilespecifiers.

<files> | <file specifiers>

Filespecifierscantakethefollowingforms:

Table 15: File Specifiers


<dirname> Allfilesfoundunderthenameddirectoryoranysubdirectories

<dirname>/**/Example.java

AnyfilenamedExample.javafoundunderthenameddirectoryoranysubdirectories

<dirname>/*.java Anyfilewiththeextension.javafoundinthenameddirectory

<dirname>/**/*.java Anyfilewiththeextension.javafoundunderthenameddirectoryoranysubdirectories

<dirname>/**/* Allfilesfoundunderthenameddirectoryoranysubdirectories(sameasdirname)

Note:WindowsandmanyUnixshellsautomaticallytrytoexpandargumentscontainingthe'*'character,sofile‐specifierexpressionsshouldbequoted.Also,onWindows,thebackslashcharacter(\)maybeusedasthedirectoryseparatorinsteadoftheforwardslash(/).

FilespecifiersdonotapplytoCorC++languages.

Appendix B: Parallel Analysis Mode 55

Appendix B: Parallel Analysis ModeThisappendixcoversthefollowingtopics:

• AboutParallelAnalysisMode

• HardwareRequirements

• ConfiguringParallelAnalysisMode

• RunninginParallelAnalysisMode

About Parallel Analysis ModeParallelprocessingallowsyoutoreducescantimesbyharnessingthemultiplecores,memory,andprocessingpowerinyourmachine.Dependingonthenatureofyourprojectandyourhardware,parallelprocessingcanreducescantimeasmuchas90percent.

Whileparallelprocessingcanbeenabledforallscans,scansthatcompleteinlessthan2hoursmaynotwarrantthehigherprocessingpowerrequirements.Forthisreason,parallelprocessingisnotthedefaultmodeofoperation.Youmustenableparallelprocessingonyoursystemandinitiateitonthecommandline.

Hardware RequirementsPleaserefertotheHPFortifySoftwareSecurityCenterSystemRequirementsdocumentforthelatesthardwareandsoftwarerequirementsforrunningSCAinparallel.

Configuring Parallel Analysis ModeAfterinstallingSCAandcompletingthepost‐installationsteps,youwillneedtoaddacouplepropertiestoyourSCAconfigurationfiletoenableparallelprocessing.

Addthefollowingpropertiestoyourfortify-sca.propertiesfile,locatedinthe<SCA_Installation_Directory>\core\configdirectory.

Table 16: Parallel Analysis Mode Properties

Property Description

com.fortify.sca.RmiWorkerMaxHeap

(default:heapsizeofmasterJVM)

Setstheheapsizefortheworkers.

Theamountofmemoryrequiredvariesfromprojecttoproject,butyoudon’thavetoallocateasmuchmemoryfortheworkersasyoudoforthemasterJVM.

Youmayneedtoexperimentwiththispropertyifyouexperiencelowmemorywarnings,crashes,ordon’tachieveasignificantspeedincrease.

TheRmiWorkerMaxHeappropertyacceptsvaluesinkilobytes(K),megabytes(M),orGigabytes(G).Forexample,tosetthepropertyto500kilobytes:-Dcom.fortify.sca.RmiWorkerMaxHeap = 500K

com.fortify.sca.ThreadCount(default:Ifunchanged,SCAwilluseallavailablethreads.)

Youwillonlyneedtoaddthisparameterifyouneedtolowerthenumberofthreadsusedbecauseofaresourceconstraint.Ifyouexperienceslow‐downsorproblemswithyourscan,reducingthenumberofthreadsusedmaysolvetheproblem.

Appendix B: Parallel Analysis Mode 56

Running in Parallel Analysis ModeTorunsourceanalyzerinparallelanalysismode,addthefollowingparametertoyourcommandstring:‐j <# worker processes>

Theidealnumberofworkerprocessesisn‐2,wherenrepresentsthenumberofprocessorsinyourmachine.Forexample,ifyourmachinehas8processors,theidealnumberofworkerprocesseswouldbe6.Thereisasinglemasterprocessthatcoordinatestasksandthedistributionofdatatothedataworkers.EachJavaprocessusesthesameamountofmemory(unlessyouoverrodeitusingthecom.fortify.sca.RmiWorkerMaxHeapMBinthefortify-sca.propertiesfile).Youmayneedtobalancethe-Xmxand-joptionstoinsureyoudon’tallocatemorememorythanisphysicallyavailable.

Tofigureoutthemaximumnumberofworkersforyourinstallation:

ExampleoftranslatingasinglefilenamedMyServlet.java:

sourceanalyzer -b MyServlet -cp lib/j2ee.jar MyServlet.java -j 6

Theminimumvaluefor-jis2,but3orhigherisrecommended.Avalueof3isusuallyfasterthanwhennotrunninginparallel,but4ormoreshouldprovideyouwiththebestoverallspeedincreases.

TotalPhysicalMemory

PhysicalMemoryPerJavaProcessxNumberofprocesses

Appendix C: Using the sourceanalyzer Ant Task 57

Appendix C: Using the sourceanalyzer Ant TaskThisappendixcoversthefollowingtopics:

• UsingtheAntSourceanalyzerTask

• Antproperties

• SourceanalyzerTaskOptions

About the sourceanalyzer Ant TaskThesourceanalyzerAnttaskprovidesaconvenientwaytointegrateSCAintoyourAntbuild.AsdiscussedinTranslatingJavaCode,translationofJavasourcefilesthatarepartofanAntbuildismosteasilyaccomplishedusingtheSCACompilerAdapter,whichautomaticallycapturesinputtojavactaskinvocations.Thesourceanalyzertaskprovidesaconvenientandflexiblewaytoaccomplishothertranslationtasksandtorunanalysis.

ThissectiondescribeshowtousethesourceanalyzerAnttaskandprovidesanexampleofasamplebuildfilewithaself‐containedanalysis target.rs.

Using the Ant Sourceanalyzer TaskAswiththeSCACompilerAdapter,usingthesourceanalyzertaskrequiressourceanalyzer.jar tobeonAnt'sclasspath,andthesourceanalyzerexecutabletobeonthePATH.

Thefirststeptousingthesourceanalyzertaskistoincludeatypedefinthebuild.xmlfileasfollows:

<typedef name="sourceanalyzer" classname="com.fortify.dev.ant.SourceanalyzerTask"/>

Note:OnlyAnt1.6andhighersupportstop‐leveltypedefofthesourceanalyzertask.ForAnt1.5andlower,includethetypedefinthetargetwherethesourceanalyzertaskisused.

Oncethistypedefisincluded,targetscanbedefinedthatinvokethesourceanalyzertasktoperformtranslationandanalysisoperationsexactlyasifrunningsourceanalyzerfromthecommandline.Thesourceanalyzertasksyntaxissimilartothatofthecommandlineinterface,butAntfilesetandpathprimitivescanbeleveraged.

ThefollowingisanexampleofasnippetfromanAntbuild.xmlfilewhichprovidesatargetuserscancalltogenerateSCAresultsfortheproject.Thissnippetassumesthatthetargetscleanandcompileandthepathjsp.classpatharedefinedelsewhereinthefile.ItalsousesverboseandlogtocreateaseparateSCAlogfileforthebuild.

<available classname="com.fortify.dev.ant.SourceanalyzerTask"

property="fortify.present"/>

<property name="sourceanalyzer.buildid" value="mybuild"/>



<property name="fortify.debug" value="false" />

<property name="fortify.verbose" value="false" />

<mkdir dir="${code.build}/log" />

<mkdir dir="${code.build}/audit" />

<tstamp/>

<property=”com.fortify.sca.PPSSilent” value=”true” />

<target name="fortify" if="fortify.present">

<typedef name="sourceanalyzer"classname="com.fortify.dev.ant.SourceanalyzerTask"/>

<antcall target="clean"/><antcall target="compile"><param name="com.fortify.sca.Debug" value="${fortify.debug}" /><param name="com.fortify.sca.Verbose" value="${fortify.verbose}" /><param name="com.fortify.sca.LogFile"value="${code.build}/log/${sourceanalyzer.buildid}-${DSTAMP}-${TSTAMP}.log" /><param name="build.compiler"value="com.fortify.dev.ant.SCACompiler" />

</antcall><echo>sourceanalyzer ${web-inf}</echo><sourceanalyzer buildid="${sourceanalyzer.buildid}"><fileset dir="${web-inf}">

<include name="**/*.properties"/><include name="**/*.xml"/>

</fileset></sourceanalyzer><echo>sourceanalyzer ${basedir} jsp</echo><sourceanalyzer buildid="${sourceanalyzer.buildid}"><fileset dir="${basedir}">

<include name="**/*.jsp"/></fileset><classpath refid="jsp.classpath"/></sourceanalyzer><echo>sourceanalyzer scan</echo><sourceanalyzer buildid="${sourceanalyzer.buildid}"scan="true"resultsfile="issues.fpr"/ >

</target>

Ant propertiesAnyAntpropertythatbeginswithcom.fortifyisrelayedtothesourceanalyzertaskvia-D.Forexample,settingthecom.fortify.sca.ProjectRootpropertyresultsin -Dcom.fortify.sca.ProjectRoot=<value>beingpassedtothesourceanalyzertask.ThisisalsousedfortheSCACompileradapter.Thesepropertiescanbeseteitherinthebuildfile,usingthe<property>taskforexample,orontheAntcommandlineusingthe -D<property=<value>syntax.

WhenusingtheSCACompileradapterviathebuild.compilersetting,thesourceanalyzer.buildAntpropertyisequivalenttothebuildID attributeofthesourceanalyzertask,andthesourceanalyzer.maxHeapisequivalenttomaxHeap.Youcanuseeitherthecommandlineoryourbuildscripttosettheseproperties.


Sourceanalyzer Task OptionsThefollowingtablecontainsthecommandlineoptionsforthesourceanalyzertask.Pathvaluesusecolon(:)orsemi‐colon(;)delimitedlistsoffilenames.

Table 17: Sourceanalyzer Task Command Line Options

Attribute Command Line Option Description

append -append Appendsresultstothefilespecifiedwiththe-foption.Ifthisoptionisnotspecified,SCAoverwritesthefile.Note:Tousethisoption,theoutputfileformatmustbe.fpror.fvdl.Forinformationonthe-formatoutputoption,seethedescriptioninthistable.

appserver -appserver <appserver>

Specifiestheapplicationserver:Validoptionsareweblogicorwebsphere

appserverHome -apperserver-home <directory>

Specifiestheapplicationserver'shomedirectory.

ForWeblogic,thisisthepathtothedirectorycontainingserver/libdirectory.

ForWebSphere,thisisthepathtothedirectorycontainingthebin/JspBatchCompilerscript.

appserverVersion -apperserver-version <version_number>

Specifiestheversionoftheapplicationserver.

ForWeblogic:versions7,8,9,and10ForWebSphere:version6

bootclasspath -bootclasspath <classpath>

SpecifiestheJDKbootclasspath.

buildID ‐b <build_ID> SpecifiesthebuildID.ThebuildIDisusedtotrackwhichfilesarecompiledandlinkedaspartofabuildandlatertoscanthosefiles.

buildLabel -build-label <build_label>

Specifiesthelabeloftheprojectbeingscanned.ThelabelisnotusedbySCAbutisincludedintheanalysisresults.

buildProject -build-project <project_name>

Specifiesthenameoftheprojectbeingscanned.ThenameisnotusedbySCAbutisincludedintheanalysisresults.

buildVersion -build-version <version>

Theversionoftheprojectbeingscanned.TheversionisnotusedbySCAbutisincludedintheanalysisresults.

classpath -cp <classpath> SpecifiestheclasspathtobeusedforJavasourcecode.Formatissameasjavac(colonorsemicolon‐separatedlistofpaths).

clean -clean ThisoptionresetsthebuildID.Thedefaultvalueisfalse.


debug -debug Thisoptionenablesthedebugmode,whichisusefulduringtroubleshooting.

disableAnalyzers -disable-analyzer <list_of_analyzers>

Thisoptiontakesacolon‐delimitedlistofanalyzerssothatyoucandisablemultipleanalyzersatonceifnecessary.

enableAnalyzers -enable-analyzer <list_of_analyzers>

Thisoptiontakesacolon‐delimitedlistofanalyzerssothatyoucanenablemultipleanalyzersatonceifnecessary.

encoding -encoding <encoding_type>

Specifiesthesourcefileencodingtype.Thisoptionisthesameasthejavacencodingoption.

extdirs -extdirs <list_of_dirs>

Similartothejavacextdirsoption,acceptsacolonorsemicolonseparatedlistofdirectories.Anyjarfilesfoundinthesedirectoriesareincludedimplicitlyontheclasspath.

filter -filter <file_name> Specifiesthefilterfile.

findbugs -findbugs SettingthistotrueenablesFindBugsanalysis.Thedefaultvalueisfalse.

format -format <format_type>

Controlstheoutputformat.Validoptionsarefpr,fvdl,text,andauto.Thedefaultisauto,whichselectstheoutputformatbasedonthefileextension.Note:Ifyouareusingresultscertification,youmustspecifythefprformat.SeetheAuditWorkbenchUser’sGuideforinformationonresultscertification.

javaBuildDir -java-build-dir <directory>

SpecifiesoneormoredirectorstowhichJavasourceshavebeencompiled.Mustbespecifiedforthefindbugsoption,asdescribedabove.

jdk -source <value> IndicateswhichversionoftheJDKtheJavacodeiswrittenfor.Validvaluesforthisoptionare1.3,1.4,1.5,1.6 and1.7.Thedefaultis1.4.Note:ThesourceandJDKoptionsarethesame.Ifbothoptionsarespecified,theoptionthatisspecifiedlastwilltakeprecedence.

jdkBootclasspath -jdk-bootclasspath <classpath>

SpecifiestheJDKbootclasspath.

logfile -logfile <file_name> SpecifiesthelogfilethatisproducedbySCA.

Table 17: Sourceanalyzer Task Command Line Options (Continued)



Thebootclasspath, classpath, extdirs,andoptionsmayalsobespecifiedasnestedelements,aswiththeAntjavactask.Sourcefilescanbespecifiedvianested<fileset>elements.

maxHeap -Xmx <size> SpecifiesthemaximumamountofmemoryusedbySCA.Bydefault,itusesupto600MBofmemory(600M),whichcanbeinsufficientforlargecodebases.Whenspecifyingthisoption,ensurethatyoudonotallocatemorememorythanisphysicallyavailable,becausethiswilldegradeperformance.Asaguideline,assumingnoothermemoryintensiveprocessesarerunning,donotallocatemorethan2/3oftheavailablememory.

noDefaultRules -no-default-rules SettingthisoptionspecifiesthatSCAshouldnotapplydefaultruleswhenscanning.

quick -quick-scan LaunchesanSCAquickscaninsteadofaregularscan.Setvaluetotruetolaunchaquickscan.

resultsfile -f <absolute_path_file name>

Thefiletowhichtheresultsarewritten.

rules -rules <delimited_rules_list>

Therulesoptiontakesalistofrulesfiles,delimitedbythepathseparator.Thisisasemi‐colon(;)onWindows,andacolon(:)onotherplatforms.Foreachelementinthislist,SCAispassedthe-rules <file>command.

scan -scan SettingthisoptiondetermineswhetherSCAshouldperformanalysisontheprovidedbuildID.Thedefaultvalueisfalse.

source -source <value> IndicateswhichversionoftheJDKtheJavacodeiswrittenfor.Validvaluesforthisoptionare1.3,1.4,1.5,and1.6.Thedefaultis1.4.Note:ThesourceandJDKoptionsarethesame.Ifbothoptionsarespecified,theoptionthatisspecifiedlastwilltakeprecedence.

sourcepath -sourcepath <directory>

Specifiesthelocationofsourcefileswhichwillnotbeincludedinthescanbutwillbeusedforresolution.

verbose -verbose Settingthisoptionsendsverbosestatusmessagestotheconsole.

Table 17: Sourceanalyzer Task Command Line Options (Continued)



Thefollowingtableincludessourceanalyzerelements.

Table 18: Sourceanalyzer Task Nested Elements

Element Ant Type Description

fileset Fileset SpecifiesthefilestopasstoSCA.

classpath Path SpecifiestheclasspathtobeusedforJavasourcecode.

bootclasspath Path SpecifiestheJDKbootclasspath.

extdirs Path Similartothejavacextdirsoption.Anyjarfilesfoundinthesedirectoriesareincludedimplicitlyontheclasspath.

sourcepath Path Specifiesthelocationofsourcefileswhichwillnotbeincludedinthescanbutwillbeusedforresolution.

Appendix D: Advanced Options 63

Appendix D: Advanced OptionsThischapterdescribesthefollowingadvancedoptions:

• AboutFilterFiles

• UsingPropertiestoControlRuntimeOptions

About Filter FilesYoucancreateatextfileforfilteringoutparticularvulnerabilityinstances,rules,andvulnerabilitycategorieswhenyourunthesourceanalyzercommand.Thefileisspecifiedbythe-filteranalysisoption.

Note:HPFortifySoftwarerecommendsthatyouonlyusethisfeatureifyouareanadvanceduser,andthatyoudonotusethisfeatureduringstandardaudits,becauseauditorsshouldbeabletoseeandevaluateallissuesfoundbySCA.

Afilterfileisaflattextfilethatcanbecreatedwithanytexteditor.Thefilefunctionsasablacklist,suchthatonlythefilteritemsyoudonotwantarespecifiedoneperline.Thefollowingfiltertypescanbeenteredonaline:

• Category

• InstanceID

• RuleID

Thefiltersareappliedatdifferenttimesintheanalysisprocess,accordingtothetypeoffilter.CategoryandruleIDfiltersareappliedduringtheinitializationphasebeforeanyscanshavetakenplace,whereasaninstanceIDfilterisappliedaftertheanalysisphase.

Filter File Creation ExampleAsanexample,thefollowingoutputresultedfromascanoftheEightBall.java,locatedinthe/Samples/basic/eightballdirectoryinyourHPFortifyinstallationdirectory.

Thefollowingcommandisexecutedtoproducetheanalysisresults:

>sourceanalyzer -b eightball Eightball.java

>sourceanalyzer -b eightball -scan

Thefollowingresultsetdisplays,showingsixdetectedissues.

[F7A138CDE5235351F6A4405BA4AD7C53 : low : Unchecked Return Value : semantic ]

EightBall.java(12) : Reader.read()

[EFE997D3683DC384056FA40F6C7BD0E8 : medium : Path Manipulation : dataflow ]

EightBall.java(12) : ->new FileReader(0)

EightBall.java(6) : <=> (filename)

EightBall.java(4) : ->EightBall.main(0)

[60AC727CCEEDE041DE984E7CE6836177 : medium : Unreleased Resource : Streams : con

trolflow ]

EightBall.java(12) : start -> loaded : new FileReader(...)


EightBall.java(12) : loaded -> loaded : <inline expression> refers to an allocated resource

EightBall.java(12) : java.io.IOException thrown

EightBall.java(12) : loaded -> loaded : throw

EightBall.java(12) : loaded -> loaded : <inline expression> no longer refers

to an allocated resource

EightBall.java(12) : loaded -> end_of_scope : end scope : Resource leaked :

java.io.IOException thrown

EightBall.java(12) : start -> loaded : new FileReader(...)

EightBall.java(12) : loaded -> loaded : <inline expression> refers to an allocated resource

EightBall.java(14) : loaded -> loaded : <inline expression> no longer refers

to an allocated resource

EightBall.java(14) : loaded -> end_of_scope : end scope : Resource leaked

[BB9F74FFA0FF75C9921D0093A0665BEB : low : J2EE Bad Practices : Leftover Debug Code : structural ]

EightBall.java(4)

[FF0D787110C7AD2F3ACFA5BEB6E951C3 : low : Poor Logging Practice : Use of a System Output Stream : structural ]

EightBall.java(10)

[FF0D787110C7AD2F3ACFA5BEB6E951C4 : low : Poor Logging Practice : Use of a Syste

m Output Stream : structural ]

EightBall.java(13)

Thesamplefilterfile,test_filter.txtdoesthefollowing:

• RemovesallresultsrelatedtothePoorLoggingPracticecategory

• RemovestheUnreleasedResourcebasedonitsinstanceID

• RemovesanydataflowissuesthatweregeneratedfromaspecificruleID

Thetest_filter.txt fileusedinthisexamplecontainsthefollowingtext:

#This is a category that will be filtered from scan outputPoor Logging Practice

#This is an instance ID of a specific issue to be filtered from scan #output60AC727CCEEDE041DE984E7CE6836177

#This is a specific Rule ID that leads to the reporting of a specific #issue in #the scan output: in this case the data flow sink for a Path Manipulation #issue.823FE039-A7FE-4AAD-B976-9EC53FFE4A59

Youcancreateafiletotestthefilteredoutputbycopyingtheabovetextintoafile.


Thefollowingcommandisexecutedusingthe-filteroptiontospecifythetest_filter.txt:

[C:\Program Files\Fortify Software\HP Fortify vX.XX\Fortify SCA X.XX\Samples\basic\eightball]>sourceanalyzer -b eightball -scan -filter test_filter.txt

Thefollowingresultsetdisplays:

[F7A138CDE5235351F6A4405BA4AD7C53 : low : Unchecked Return Value : semantic]EightBall.java(12) : Reader.read()

[BB9F74FFA0FF75C9921D0093A0665BEB : low : J2EE Bad Practices : Leftover Debug Code : structural]

EightBall.java(4)

Using Properties to Control Runtime OptionsYoucaneditpropertiestodefineruntimeoptionsforSCA,includinganalysis,output,andperformancetuningoptions.Thesepropertiescanbesetinfourdifferentplaces:

• Globalconfigurationfile(fortify-sca.properties):usedtodefineglobalsettings.

• Userconfigurationfile‐‐ (fortify-sca.properties(Windows)or.fortify-sca.properties(non‐Windows):usedtodefineuser‐specifiedsettings.

• QuickScanconfigurationfile (fortify-sca-quickscan.properties):usedtodefinesettingsusedwhenSCAisruninQuickScanmode.

• Commandline:youcandefinepropertysettingsonthecommandline

-D<property_name>=<property_value>

Thefortify-sca.propertiesglobalsettingsfileandthefortify-sca-quickscan.propertiesfilearelocatedinthe<install_directory>/Core/configdirectory.Theuser‐specificpropertiesfiles‐‐fortify-sca.propertiesonWindowsinstallationsand.fortify-sca.propertiesonnon‐Windowsinstallations‐‐arelocatedineitheryourWindowsuserdirectoryoryourUnixhomedirectory.

Youcaneditallpropertiesfilesdirectly.

Specifying the Order of PropertiesSCAprocessespropertiesinaspecificorder,usingthisordertooverrideanypreviouslysetpropertieswiththevaluesthatyouspecify.Youshouldkeepthisprocessingorderinmindwhenmakingchangestothepropertiesfiles.

Propertydefinitionsareprocessedinthefollowingorder:

• Propertiesspecifiedonthecommandlinehavethehighestprecedenceandcanbespecifiedduringanyscan.

• PropertiesspecifiedintheQuickScanconfigurationfile(fortify-sca-quickscan.properties)areprocessedsecond,butonlywhenthe-quickoptionisusedtooperateinQuickScanmode.IfQuickScanisnotinvoked,thisfileisignored.

• PropertiesspecifiedintheGlobalconfigurationfile(fortify-sca.properties)areprocessedlast.Youshouldeditthisfileifyouwanttochangethepropertyvaluesonamorepermanentbasisforallscans.

SCAalsoreliesonsomepropertiesthathaveinternallydefineddefaultvalues.


Table19:HPFortifyPropertieslistspropertiesthatcanbedefined.Thedefaultvaluesarelisted.IfyouwanttouseQuickScanMode,oryouwanttotuneyourapplication,youcanmakethechangesasdescribedinTable20:onpage69.

Table 19: HP Fortify Properties

Property Name

Default Value Description

com.fortify.sca.AbortedScanOverwritesOutput

false Bydefault,ifascanisinterrupted,thepartialresultsarewrittentoadifferentoutputfile:<output>.partial.fprinsteadof<output>.fpr.Ifthispropertyissettotrue,theinterruptedresultarewrittentothenormaloutfile(<output>.fpr),whichoverwritesanyfull‐scanresultsthatmaybepresentinthatfile.

com.fortify.sca.Appserver

(none) SpecifiestheapplicationserverforprocessingJSPfiles:weblogicorwebsphere

com.fortify.sca.Appserver.Home

(none) Specifiestheapplicationserver’shome.

ForWeblogic,thisisthepathtothedirectorycontainingserver/libdirectory.

ForWebSphere,thisisthepathtothedirectorycontainingthebin/JspBatchCompilerscript.

com.fortify.sca.Appserver.Version

(none) Specifiestheversionoftheapplicationserver.

ForWeblogic,validvaluesare7,8,9,and10.

ForWebSphere,thevalidvalueis6.

com.fortify.sca.fileextensions.*

(none) ControlshowSCAhandlesfileswithgivenextensions.Seefortify-sca.propertiesforexamples.

com.fortify.sca.FPRDisableSrcHtml

(none) Iftrue,disablessourcecoderenderingintotheFPRfile.

com.fortify.sca.NoDefaultRules

(none) Iftrue,rulesfromthedefaultRulepacksarenotloaded.SCAprocessestheRulepacksfordescriptionelementsandlanguagelibraries,butnorulesareprocessed.

com.fortify.sca.NoDefaultIssueRules

(none) Iftrue,disablesrulesindefaultRulepacksthatleaddirectlytoissues.Stillloadsrulesthatcharacterizethebehavioroffunctions.Note:Thisequivalenttodisablingthefollowingruletypes:DataflowSink,Semantic,Controlflow,Structural,Configuration,Content,Statistical,Internal,andCharacterization:Issue.

com.fortify.sca.DisableDefaultRuleTypes


(none) DisablesthespecifiedtypeofruleinthedefaultRulepacks;wheretypeistheXMLtagminusthesuffix“Rule.”Forexample,useDataflowSourceforDataflowSourceRuleelements.Youcanalsospecifyspecificsectionsofcharacterizationrules,suchasCharacterization:Controlflow,Characterization:Issue,andCharacterization:Generic.Typeiscase‐insensitive.

Useacolondelimitedlisttospecifymultipletypesofrules.

com.fortify.sca.NoDefaultSinkRules

(none) Iftrue,disablessinkrulesinthedefaultRulepacks.Note:Characterizationsinkrulesarenotdisabled.

com.fortify.sca.NoDefaultSourceRules

(none) Iftrue,disablessourcerulesinthedefaultRulepacks.Note:Characterizationsourcerulesarenotdisabled.

com.fortify.sca.ProjectRoot

(platformdependent) DirectoryusedbySCAtostoreintermediatefilesgeneratedduringscans.

com.fortify.sca.ASPVirtualRoots.<virtual path>=<physical path>

false Iftrue,enablessupportforvirtualroots.Thispropertyassociatesvirtualpathnameswithphysicalpathnames.

com.fortify.sca.DefaultFileTypes

java,jsp,sql,pks,pkh,pkb,xml,properties,config,dll,exe

Comma‐separatedlistoffileextensionsthatarepickedupbydefaultbySCA.

com.fortify.sca.compilers.*

(none) CanbeusedtoinformSCAaboutspeciallynamedcompilers.Seefortify-sca.propertiesforexamples.

com.fortify.sca.CfmlUndefinedVariablesAreTainted

false Iftrue,treatsundefinedvariablesinaCFMLpageastainted.Doingsoservesasahinttothedataflowanalyzertowatchoutforregister‐globals‐stylevulnerabilities.However,enablingthispropertyinterfereswithdataflowfindingsinwhichavariableinanincludedpageisinitializedtoataintedvalueinanearlier‐occurringincludedpage.

com.fortify.sca.FVDLDisableProgramData

false Iftrue,causestheProgramDatasectiontobeexcludedfromtheanalysisresults(FVDLoutput).

com.fortify.sca.FVDLDisableSnippets

false Iftrue,codesnippetsarenotincludedintheanalysisresults(FVDLoutput).

com.fortify.sca.LogFile

Table 19: HP Fortify Properties (Continued)

Property Name



${com.fortify.sca.ProjectRoot}/log/sca.log

ThedefaultlocationfortheSCAlogfile.

com.fortify.sca.LogMaxSize

(none) Whenthispropertyisset,itenableslogrotationfortheSCAlog.Thevalueisthenumberbytesthatcanbewrittentothelogfilebeforeitisrotated.Mustbeusedwithcom.fortify.sca.LogMaxFiles.

com.fortify.sca.LogMaxFiles

(none) Thenumberoflogfilestoincludeinthelogfilerotationset.Whenallfilesarefilled,thefirstfileintherotationisoverwritten.Thevaluemustbeatleast1.Mustbeusedwithcom.fortify.sca.LogMaxSize.

com.fortify.sca.Debug

false Producesadebuglogfile.ThislogfileisforTechnicalSupportpurposes.

com.fortify.sca.PPSSilent

false Promptstheuserwiththenumberoflinesthescanrequirestoanalyzethesourcecode.Settotruetosuppressthepromptandautomaticallydeductthelines.Note:Ifthescanrequiresmorelinesthanareavailable,thescanfailswithanerrorindicatinghowmanyadditionallinesarerequired.

com.fortify.sca.UnicodeInputFile

(none) Whensettotrue,thispropertyindicatesthattheinputfileisUTF‐8basedandbeginswithabyte‐ordermark(BOM).Typically,youshouldonlysetthispropertyifyouseealexicalerroratLine1,Column1,indicatingthattheBOMispresent.

com.fortify.rules.SkipRulePacks

(none) Semicolon‐delimitedlistofRulepackstoexcludefromthedefaultset.ThispropertycontrolswhichRulepacksareusedbySCAbydefault.AllRulepacksinstalledin<install_directory>/Core/config/rulesareusedbydefaultunlesstheyareonthislist.

com.fortify.sca.limiters.MaxChainDepth

5 Controlsthemaximumcalldepththroughwhichthedataflowanalyzertrackstainteddata.Increasingthisvalueincreasesthecoverageofdataflowanalysis,andresultsinlongeranalysistimes.ThispropertycanbechangedifyouareusingQuickScanMode:seethefollowingtableforthesuggestedvaluetouse.Note:Inthiscase,calldepthreferstothemaximumcalldepthonadataflowpathbetweenataintsourceandsink,ratherthancalldepthfromtheprogramentrypoint,suchasmain().

com.fortify.sca.limiters.MaxFieldDepth


Property Name



Thefollowingtabledescribesthepropertiesthatcanbeusedtotunedefaultscanningperformance.TheyhavedifferentdefaultsforQuickScanmode,whichcanbeadjustedbyeditingthefortify-sca-quickscan.propertiesfile.Ifyouwanttousetherecommendedtuningparameters,youdonotneedtoeditthisfile;however,youmayfindthatyouwanttoexperimentwithothersettingstofine‐tuneyourspecificapplication.

Rememberthatpropertiesinthisfileareprocessedonlyifyouspecifythe-quickoptiononthecommandlinewheninvokingyourscan.

4 Controlsthemaximumgranularityoftainttrackingthroughdatastructurememberfields.Thisvalueisthenumberofnestedfieldsthroughwhichtaintwillbetrackedbeforetheentirestructureisconsideredtainted.Increasingthisvalueimprovestheaccuracyofanalysisbyreducingfalsepositives,andnormallyincreasesanalysistime.

com.fortify.sca.limiters.MaxPaths

5 Controlsthemaximumnumberofpathstoreportforasingledataflowvulnerability.Changingthisvaluedoesnotchangetheresultsthatarefound,onlythenumberofdataflowpathsdisplayedforanindividualresult.

com.fortify.sca.limiters.MaxIndirectResolutionsForCall

128 Controlsthemaximumnumberofvirtualfunctionsthatarefollowedatagivencallsite.

com.fortify.sca.jspparserusesclasspath

false AllowstheusertospecifytheclasspathtotheWeblogicparser.ThisisforWeblogic9and10only.

Table 20: Performance Tuning Properties

Property Name

Values Description

com.fortify.sca.FilterSet

Defaultvalueisnotset.QuickScanvalue:Critical Exposure.

Whensettotargeted,thispropertyrunsrulesonlyforthetargetedfilterset.RunningonlyasubsetofthedefinedrulesallowstheSCAscantocompletemorequickly.ThiscausesSCAtorunonlythoserulesthatcancauseissuesidentifiedinthenamedfilterset,asdefinedbythedefaultprojecttemplateforyourapplication.Formoreinformationaboutprojecttemplates,seetheAuditWorkbenchUser’sGuide.

com.fortify.sca.FPRDisableSrcHtml

Defaultvalue:False.QuickScanvalue:True.

Whensettotrue,thispropertypreventsthegenerationofmarked‐upsourcefiles.IfyouplantouploadFPRsthataregeneratedasaresultofaquickscan,youmustsetthispropertytofalse.

com.fortify.sca.limiters.ConstraintPredicateSize


Property Name



Defaultvalue:50000.QuickScanvalue:10000.

Skipscalculationsdefinedasverycomplexinthebufferanalyzertoimprovescanningtime.

com.fortify.sca.limiters.BufferConfidenceInconclusiveOnTimeout

Defaultvalue:true.QuickScanvalue:false.

Skipscalculationsdefinedasverycomplexinthebufferanalyzertoimprovescanningtime.

com.fortify.sca.limiters.MaxChainDepth

Defaultvalue:5. QuickScanvalue:4.

Controlsthemaximumcalldepththroughwhichthedataflowanalyzertrackstainteddata.Increasingthisvalueincreasesthecoverageofdataflowanalysis,andresultsinlongeranalysistimes.

Note:Inthiscase,calldepthreferstothemaximumcalldepthonadataflowpathbetweenataintsourceandsink,ratherthancalldepthfromtheprogramentrypoint,suchasmain().

com.fortify.sca.limiters.MaxTaintDefForVar


Thispropertysetsthecomplexitylimitfordataflowprecisionbackoff.Dataflowincrementallydecreasesprecisionofanalysisforfunctionsthatexceedthiscomplexitymetricforagivenpreci‐sionlevel.

com.fortify.sca.limiters.MaxTaintDefForVarAbort


Thispropertysetsahardlimitforfunctioncomplexity.Ifcom‐plexityofafunctionexceedsthislimitatthelowestprecisionlevel,theanalyzerwillnotanalyzethatfunction.

com.fortify.sca.DisableGlobals

Defaultvalue:false.QuickScanvalue:false.

Thispropertypreventsthetrackingoftainteddatathroughglobalvariablestoallowfasterscanning.

com.fortify.sca.CtrlflowSkipJSPs

Defaultvalue:false.QuickScanvalue:false.

ThispropertyskipscontrolflowanalysisofJSPsinyourproject.

com.fortify.sca.NullPtrMaxFunctionTime


Thispropertysetsatimelimit,inmilliseconds,forNullPointeranalysisforasinglefunction.Thedefaultisfiveminutes.Settingittoashorterlimitdecreasesoverallscanningtime.

com.fortify.sca.CtrlflowMaxFunctionTime


Thispropertysetsatimelimit,inmilliseconds,forcontrolflowanalysisforasinglefunction.Thedefaultis10minutes.

com.fortify.sca.TrackPaths

Table 20: Performance Tuning Properties (Continued)

Property Name

Values Description


Bydefault,thispropertyisnotset.QuickScanvalue:NoJSP.

Thispropertydisablespathtrackingforcontrolflowanalysis.Pathtrackingprovidesmoredetailedreportingforissues,butrequiresmorescanningtime.YoucandisablethisforJSPonlybysettingittoNoJSP,orforallfunctionsbysettingittoNone.

com.fortify.sca.JdkVersion

Defaultvalue:1.4 ThispropertyspecifiestheJDKversion.

Table 20: Performance Tuning Properties (Continued)

Property Name

Values Description

Appendix E: MSBuild Integration 72

Appendix E: MSBuild IntegrationThisappendixcovers:

• Installation

• SettingWindowsEnvironmentVariablesforTouchlessIntegrationofSCA

• AddingCustomTaskstoyourMSBuildProject

• AddingCustomTaskstoYourProject

About MSBuild IntegrationSCAprovidestheabilitytotranslateyour.NETsourcecodeaspartofyourMSBuildbuildprocess.WithSCA’sMSBuildintegration,youcantranslatefilesonmachineswheretheVisualStudioIDEhasnotbeeninstalled.MSBuildintegrationiscompatiblewithversion2.0,3.5,and4.XoftheMSBuildexecutable,allowingforthetranslationofthefollowingproject/sourcecodetypes:

• C/C++ConsoleApplications(VisualStudio2010andaboveonly)

• C/C++Libraries(VisualStudio2010andaboveonly)

• VisualC#andVisualBasicWebsites

• VisualC#andVisualBasicLibraries

• VisualC#andVisualBasicWebApplications

• VisualC#andVisualBasicConsoleApplications

ThissectiondescribeshowtolaunchanSCAanalysisaspartofyourMSBuildproject.

InstallationTherearenoinstallationstepsrequiredunlessthemachineyourunMSBuildondoesnotincludeacopyofMicrosoftVisualStudio.Ifyourbuildmachinedoesn’tincludeacopyofMicrosoftVisualStudio,youwillneedtoaddcom.fortify.sca.IldasmPath=<Path_to_ildasm.exe>toyour <SCA_Installation_Directory>\core\config\fortify-sca.properties file.

Setting Windows Environment Variables for Touchless Integration of SCAWhenintegratingSCAintoyourMSBuildprocess,thereareanumberofWindowsenvironmentvariablesthatyoucanset.Ifyoudon’tsetthesevariables,SCAwillassumeadefaultsetofvariablesandusethose.Onceyou’vesettheappropriateWindowsenvironmentvariables,successivebuildswillusethesamesetuntilyoumakeachangetotheenvironmentvariables.TheenvironmentvariablesthatcanbesetarelistedinTable21.

Table 21: Windows Environment Variables

Environment Variable Definition Default

FORTIFY_MSBUILD_BUILDID UsedtosettheSCAbuildID. ThebuildIDpassedonthecommandline.

FORTIFY_MSBUILD_DEBUG UsedtoputtheloggerandHPFortifyStaticCodeAnalyzerindebugmode.

False

FORTIFY_MSBUILD_MEM UsedtosetthememoryusedtoinvokeHPFortifyStaticCodeAnalyzer(i.e.,-Xmx1200M)

600MB


TouchlessintegrationrequirestheFortifyMSBuildTouchless.dlllocatedinthe\Core\libdirectory.ItmustberunfromaVisualStudiocommandprompt.

ThefollowingisanexampleofthecommandusedtorunthebuildandlaunchanSCAanalysisusingthedefaultenvironmentvariables,orthoseyouhavepreviouslyset:

sourceanalyzer -b buildid msbuild <solution_file> <msbuild_options>

Alternatively,youcancallMSBuildtolaunchabuildandSCAanalysis:

Msbuild <solution_file> /logger:"C:\Program Files\Fortify Software\HP Fortify vX.XX\Core\lib\FortifyMSBuildTouchless.dll" <msbuild_options>

Adding Custom Tasks to your MSBuild ProjectRatherthanusingtheTouchlessIntegrationmethod,youcanaddanumberofcustomtaskstoyourMSBuildprojectinordertoinvokeSCA.ThesetasksmustbeaddedtoanMSBuildproject,notasolution.AsolutionfileisnotavalidMSBuildscript.SolutionsareparsedbyMSBuildandacorrespondingprojectfileiscreated.

Table22liststhecustomtasksyoucanaddtoyourMSBuildproject:

FORTIFY_MSBUILD_LOG Usedtosetthelocationforthelog. ${win32.LocalAppdata}/Fortify/MSBuildPlugin

FORTIFY_MSBUILD_SCALOG UsedtosetthelocationfortheSCAlog.Useanabsolutepathwhenchanging.

FORTIFY_MSBUILD_LOGALL Usetosetthepluginsothatitwilllogeverymessagepassedtoit.Thiswillcreateaverylargeamountofinformation.

False

Table 22: Custom Tasks

Custom Task Required Parameters Optional Parameters

Fortify.TranslateTask BuildID‐thebuildIDforthetranslation

BinariesFolder‐thedirectorywherethefilestobetranslatedreside

VSVersion‐theversionofthe.NETdllsbeingused.

References‐listofdllstobepassedviathelibdirscommand

JVMSettings‐memorysettingstopasstoSCA

LogFile‐locationfortheSCAlogfile

Debug‐setstaskandSCAtodebugmode

Fortify.ScanTask BuildID‐thebuildIDforthescan

Output‐thenameoftheFPRfiletobegenerated

JVMSettings‐memorysettingstopasstoSCA

LogFile‐locationfortheSCAlogfile

Debug‐setstaskandSCAtodebugmode

Fortify.CleanTask BuildID‐thebuildIDforthescan Debug‐setstaskandSCAtodebugmode

Table 21: Windows Environment Variables (Continued)

Environment Variable Definition Default


Adding Custom Tasks to Your ProjectYoucanaddanyofthefollowingtaskstoyourprojectscript:

• Fortify.TranslateTask

• Fortify.ScanTask

• Fortify.CleanTask

• Fortify.SSCTask

• Fortify.CloudScanTask

Adding Fortify.TranslateTaskToaddFortify.TranslateTasktoyourprojectscript:

1.CreateatasktoidentifyandlocateFortifyMSBuildTasks.dll.

<UsingTask TaskName=”Fortify.TranslateTask” AssemblyFile=”<Install Directory>\Core\lib\FortifyMSBuildTasks.dll”/>

2.Createanewtargetoraddthefollowingcustomtargettoanexistingtargettoinvokethecustomtask:

<Target Name=”FortifyBuild” AfterTargets=”AfterBuild” Outputs=”dummy.out”>

<TranslateTask BinariesFolder=”$(OutDir)”

VSVersion=”<Visual Studio Version>”

BuildID=”TempTask”

JVMSettings=”-Xmx1000M”

Fortify.SSCTask AuthToken‐shouldbedefinedoruseusernameandpassword

Project‐projectname

ProjectVersion‐projectversion.Ifundefined,aProjectIDandProjectVersionIDmustbedefined

FPRFile‐nameofthefiletouploadtoSoftwareSecurityCenter

SSCURL‐theURLfortheSSC

Debug‐specifiestaskandSCAshouldbeinvokedwithdebug

Username‐necessaryifAuthTokenisn’tdefined

Password‐necessaryifAuthTokenisn’tdefined

ProjectID‐usedwithProjectVersionIDifProjectandProjectVersionaren’tused

ProjectVersionID‐usedwithProjectIDifProjectandProjectVersionaren’tused

Proxy‐necessaryifaproxyisrequired

Fortify.CloudScanTask BuildID‐thebuildIDforthetranslation

SSCUpload‐setthisbooleantotruetouploadyouroutputtoSSC.

CloudURL‐theCloudURL

or

SSCUrl‐theSSCURL

Debug‐setthisbooleantotruefordebugmode

ThefollowingparametersareonlyusedwhenSSCUploadissettotrue:

SSCToken‐theSSCtoken

Project‐theprojecttouploadto

VersionName‐theversionyouwanttouploadto

ThefollowingparameterareonlyusedwhenSSCUploadissettofalse:

FPRName‐thenamefortheFPRfile

Table 22: Custom Tasks (Continued)

Custom Task Required Parameters Optional Parameters


LogFile=”trans_task.log”

Debug=”true”/>

</Target>

TheFortifyBuildtargetwillbeinvokedaftertheAfterBuildtargetisrun.TheAfterBuildtargetisoneofseveraldefaulttargetsdefinedintheMSBuildtargetfile.Ifoneoftherequiredparametersisn’tdefined,theMSBuildwillfail.

Note:IfaddinganewtargetwhenrunningMSBuild2.0or3.5,youwillneedtoremovethestringAfterTargets=”AfterBuild”andreplaceFortifyBuildwithAfterBuild.

Adding Fortify.ScanTaskThefollowingcodeaddsFortify.ScanTasktotheMSBuildproject.Newcontentisinboldtext.

<UsingTask TaskName="Fortify.TranslateTask" AssemblyFile="<Install Directory>\Core\lib\FortifyMSBuildTasks.dll" />

<UsingTask TaskName="Fortify.ScanTask" AssemblyFile="<Install Directory>\Core\lib\FortifyMSBuildTasks.dll"/>

<Target Name="FortifyBuild" AfterTargets="AfterBuild" Outputs="dummy.out">

<TranslateTask BinariesFolder="$(OutDir)"

VSVersion="<Visual Studio Version>"

BuildID="TempTask"

JVMSettings="-Xmx1000M"

LogFile="trans_task.log"

Debug="true" />

<ScanTask BuildID="TempTask"


LogFile="scan_task.log"

Debug="true"

Output="Scan.fpr" />

</Target>

Adding Fortify.CleanTaskThefollowingexampleaddstheFortify.CleanTasktotheMSBuildproject.

<UsingTask TaskName="Fortify.CleanTask" AssemblyFile="<Install Directory>\Core\lib\FortifyMSBuildTasks.dll" /><Target Name="FortifyBuild" AfterTargets="AfterBuild" Outputs="dummy.out">

<CleanTask BuildID="TempTask" />

</Target>

Adding Fortify.SSCTaskThefollowingexampleaddstheFortify.SSCTasktotheMSBuildproject.Newcontentisinbold:

<UsingTask TaskName="Fortify.TranslateTask" AssemblyFile="<Install Directory>\Core\lib\FortifyMSBuildTasks.dll" /> <UsingTask TaskName="Fortify.ScanTask" AssemblyFile="<Install Directory>\Core\lib\FortifyMSBuildTasks.dll" />


<UsingTask TaskName="Fortify.SSCTask" AssemblyFile=<Install Directory>\Core\lib\FortifyMSBuildTasks.dll" />


<TranslateTask BinariesFolder="$(OutDir)"

VSVersion="<Visual Studio Version>"

BuildID="TempTask"


LogFile="trans_task.log"

Debug="true" />

<ScanTask BuildID="TempTask"


LogFile="scan_task.log"

Debug="true"

Output="Scan.fpr" />

<SSCTask Username="admin"

Password="admin"Project="Test Project"ProjectVersion="Test Version 1"FPRFile="SSC.fpr"SSCURL="http://localhost:8180/SSC7"/>

</Target>

Adding Fortify.CloudScanTaskIfyouareusingCloudScantoprocessyourscans,youcansendthetranslatedoutputtoyourcloud‐basedresource.ThefollowingexampleaddstheFortify.CloudScanTasktotheMSBuildproject:

<UsingTask TaskName=”Fortify.CloudScanTask” AssemblyFile=”<Install Directory>\Core\lib\FortifyMSBuildTasks.dll”/>


<CloudScanTask BuildID="TempTask"

SSCUpload="false"

FPRName="Scan.fpr"

CloudURL="http://localhost:8080/cloud-ctrl" />

</Target>

Appendix F: Maven Integration 77

Appendix F: Maven IntegrationThisappendixcoversthefollowingtopics:

• AbouttheMavenPlugin

• InstallingtheMavenPlugin

• UpdatingtheMavenPlugin

• UsingtheMavenPlugin

• ExcludingFilesfromtheScan

• UninstallingtheMavenPlugin

• AdditionalDocumentation

About the Maven PluginSCAincludesaMavenpluginwhichprovidesameansforyoutoaddSCAclean,translation,scan,and.fpruploadcapabilitiestoyourMavenprojectbuilds.Youcanusetheplugindirectlyorintegrateitsfunctionalityintoyourbuildprocess.

TheMavenpluginislocated:

<HP_Fortify_Install_Directory>\Samples\advanced\maven-plugin

Insidethedirectory,youwillfindthefileslistedinTable23

Table 23: Contents of maven‐plugin directory

File Description

pom.xml Projectobjectmodelfile.

README.TXT TheREADMEtextprovidesinstallationandusageinstructions.

samples(directory) Includestwosampleprojectdirectories:EightBallandMyEnterpriseApp.

settings.xml XMLfilethatestablishesthenamespacetobeusedasitrelatestoMavensettings.

src(directory) Locationofsourcecode,assemblies,etc.

.

ThepluginiscompatiblewithMaven2.0.9to3.0.5,inclusive.Maven3.X.Xisrecommended.

Installing the Maven PluginWheninstallingtheMavenplugin,weassumethatthepathtotheSCAbinfolderisinyourPATHenvironmentvariable.

Note:IfyouareusingSCAversion3.60,3,70,or3.80,youwillneedtoedittheEOLformatofthepluginsourcefilesbeforeinstallingtheplugin.SeeEditingthePluginSourceFilesbeforeinstallingtheplugin.IfyouhaveapreviousversionoftheMavenPlugininstalled,see

ToinstalltheMavenplugin:

1. Openaterminalorcommandpromptwindowandnavigatetothemaven‐plugindirectory.


2. Attheprompt,type:

mvn clean package install


Updating the Maven PluginIfyouhaveapreviousversionoftheMavenPlugininstalled,youcanupgradetothelatestversion.

ToupdatetheMavenPluginonyoursystem:

1. Openaterminalorcommandpromptwindowandnavigatetothemaven‐plugindirectory.


2. Attheprompt,type:

mvn install

Editing the Plugin Source Files IfyouareusingSCAversion3.60,3.70,or3.80,youwillneedtoedittheend‐of‐line(EOL)formatofthepluginsourcefilesbeforeinstallingtheplugin.IfyouareusingaversionofSCApost3.80,youdonotneedtoeditthesourcefiles.ThefollowinginstructionsarebasedontheOSyouareusing.

ToeditthefilesonaWindowssystem:

1. OpenaCommandPromptwindowandNavigateto:

Samples\advanced\maven-plugin\src\main\java\com\fortify\ps\maven\plugin\sca

2. Openthefollowingfilesinatexteditor:

• CleanMojo.java

• DeleteGeneratedSourcesMojo.java

• StringHelper.java

• Util.java

3. ChangetheEOLformatforeachofthesefilestoCR+LF(DOS/Windows).

Forexample,ifusingNotepad++asyourtexteditor,clickEdit‐‐>EOLConversion‐‐>WindowsFormat.Ifyoumakethesechangesafterinstallingtheplugin,youwillneedtouninstallitandthenreinstallitafterthechangeshavebeenmade.

ToeditthefilesonaLinuxorUnixsystem:

1. Openaterminalwindowandnavigatetothefollowingdirectory:<HP_Fortify_Install_Directory>/Samples/advanced/maven-plugin/src/main/java/com/fortify/ps/maven/plugin/sca

2. Runthefollowingcommands:

sudo dos2unix -o *.java

sudo mac2unix -o *.java

Note:Ifyoumakethesechangesafterinstallingtheplugin,youwillneedtouninstallitandthenreinstallitafterthechangeshavebeenmade.

ToeditthefilesonaMacintoshsystem:

1. Navigateto:

<HP_Fortify_Install_Directory>/Samples/advanced/maven-plugin/src/main/java/com/fortify/ps/maven/plugin/sca

2. Inatexteditorofyourchoice,changethelineendingsofallJavasourcefilestoLF(OSX/Unixformat).IfXcodeisavailableonyoursystem,youcanopenthesourcefilesinXcodeandchangethelineendingstoLF.

Note:Ifyoumakethesechangesafterinstallingtheplugin,youwillneedtouninstallitandthenreinstallitafterthechangeshavebeenmade.


Testing the PluginAfterinstallingthemavenplugin,useoneoftheincludedsamplefilestoensureyourinstallationisworkingproperly.

TotesttheMavenpluginusingtheEightBallsamplefile:

1. Addthedirectorycontainingthesourceanalyzerexecutabletothepathenvironmentvariable.

Forexample:

export set PATH=$PATH:/path/to/f360/bin

or

set PATH=%PATH%;path\to\f360\bin

2. Typesourceanalyzer -htotestthePATHsetting.

Itshouldreturnsourceanalyzerhelp.

3. NavigatetotheEightballdirectory:

<HP_Fortify_Install_Directory>\Samples\advanced\maven-plugin\samples\EightBall

4. Openthe pom.xml fileinatexteditorandlocatethe<version>tag.ThisistheversionoftheMavenplugin.

Donotmistakethe<modelVersion>tagforthe<version>tag.

Using the Maven PluginYoucanrunthepackagelocallyorintegrateitaspartofyourbuildprocess.Duringthetranslationphase,theSCAMavenPluginwillsearchyourjarfilefromthelocalrepositoryandtrytoresolveclassesinyourapplication.

Note:Inthefollowingsteps,youareprovidethreeversionsoftheSCAcommands.TheShortGoalNameversionofeachcommandcanonlybeusedifyouareusingthelatestversionoftheMavenpluginandyouhaveplacedacopyofthesetting.xmlfileinthelocalrepository.

TomanuallyscanyourcodeusingtheMavenPlugin:

1. Installthetargetapplicationinthelocalrepository:

mvn install

2. Cleanoutthepreviousbuildusingoneofthefollowingcommands:

3. Translatethecode:

Complete mvn com.fortify.ps.maven.plugin:sca-maven-plugin:<ver>:clean

WithoutVersionID mvn com.fortify.ps.maven.plugin:sca-maven-plugin:clean

ShortGoalName mvn sca:clean

Complete mvn com.fortify.ps.maven.plugin:sca-maven-plugin:<ver>:translate

WithoutVersionID mvn com.fortify.ps.maven.plugin:sca-maven-plugin:translate

ShortGoalName mvn sca:translate


4. Scanthecode:

where <ver>istheversionoftheMavenPluginyou’reusing.

Note:Ifyoudon’tspecifytheversion,Mavenwillcallthelatestversionofthesca‐maven‐plugininthelocalrepository.

Toscanyourfilesaspartofyourbuildsystem

1. Installthetargetapplicationinthelocalrepository:

mvn install

2. Cleanoutthepreviousbuild:

mvn com.fortify.ps.maven.plugin:sca-maven-plugin:<version>:clean

3. Translatethecodeusingoneofthefollowingoptions:

4. Runthescan:

sourceanalyzer -b <build id> [sca scan options] -scan -f result.fpr

Excluding Files from the ScanIfyoudon’twanttoincludeallofthefilesinyourprojectorsolution,youcandirectSCAtoexcludeselectedfilesfromyourscan:

1. Createanexclusionfileinatexteditor.

2. Addthefollowinglinetothefileyoujustcreated:

com.fortify.sca.exclude="fileA;fileB;fileC"

Note:Filenamesmustbeseparatedwithasemicolon.Wildcardsaresupported;asingleasterisk(*)canbeusedtomatchpartofafilenamewhiletwoasterisks(**)canbeusedtorecursivelymatchdirectories.Formoreinformationonwildcards,see

3. Addthefollowingcodetothetranslationstep:

-Dfortify.sca.properties.file=my.exclusions

Complete mvn com.fortify.ps.maven.plugin:sca-maven-plugin:<ver>:scan

WithoutVersionID mvn com.fortify.ps.maven.plugin:sca-maven-plugin:scan

ShortGoalName mvn sca:scan

Translation Code Options

sourceanalyzer -b <build id> [sca build options] mvn

sourceanalyzer -b <build id> [sca build options] mvn com.fortify.ps.maven.plugin:sca-maven-plugin:<ver>:translate

sourceanalyzer -b <build id> [sca build options] mvn com.fortify.ps.maven.plugin:sca-maven-plugin:translate

sourceanalyzer -b <build id> [sca build options] mvn sca:translate

Note:Tousethisversionofthecommand,youmusthaveplacedacopyofthesetting.xmlfileinthelocalrepository.


Forexample,forthesampleEightBallproject,youwouldissuethefollowingcommandtotranslatethesourcecode:

mvn com.fortify.ps.maven.plugin:sca-maven-plugin:4.00:translate -Dfortify.sca.source.version=1.6 -Dfortify.sca.properties.file=my.properties

Uninstalling the Maven PluginTouninstalltheMavenPlugin,manuallydeletesca-maven-pluginfromthelocalrepository.

Additional DocumentationAfterthepluginhasbeenproperlyinstalled,anewdirectorywillbeincludedinthefollowinglocation:

Samples\advanced\maven-plugin\target\site

Openthefileindex.htmltostartreadingthedocumentation.Therearesectionsontheavailableoptions,basicusageguide,uploadingscanstoSSCServer,andFAQs.

Appendix G: Sample Files 82

Appendix G: Sample FilesThisappendixcoversthefollowingtopics:

• AbouttheSampleFiles

• BasicSamples

• AdvancedSamples

About the Sample FilesYourHPFortifysoftwareinstallationincludesanumberofsamplefilesthatyoucanusewhentestingorlearningtouseSCA.Thesamplefilesarelocatedinthefollowingdirectory:

<HP_Fortify_Install_Directory>/Samples

InsidetheSamplesdirectoryaretwosub‐directories:basicandadvanced.EachcodesampleincludesaREADME.txtfilethatprovidesinstructionsonscanningthecodeinSCAandviewingtheoutputinAuditWorkbench.

Thebasicsub‐directoryincludesanassortmentofsimplelanguage‐specificsamples.TheadvancedsubdirectoryincludesmoreadvancedsamplesandcodesamplesthatenableyoutointegrateSCAwithyourbugtrackingsystem.

Basic SamplesTable24providesalistofthesamplefilesinthebasicsub‐directory(<HP_Fortify_Install_Directory>\Samples\basic),abriefdescriptionofthesamplefile,andalistofthevulnerabilitiesidentified.EachsampleincludesaREADME.txtfilethatprovidesfurtherdetailsandinstructionsonitsuse.

Table 24: Basic Samples

SampleFileFolder Contents Vulnerabilities

cpp IncludesaC++samplefileandinstructionsfortestingasimpledataflowvulnerability.Itrequiresagccorclcompiler.

CommandInjectionMemoryLeak

database Includesadatabase.pkssamplefile.ThisSQLsampleincludesissuesthatcanbefoundinSQLcode.

AccessControl:Database

eightball IncludesEightBall.java,aJavaapplicationthatexhibitsbaderrorhandling.Itrequiresanintegerasanargument.Ifyousupplyafilenameinsteadofaninteger,itwilldisplaythecontentsofthefile.

PathManipulationUnreleasedResource:StreamsJ2EEBadPractices:LeftoverDebugCode

formatstring Includesformatstring.cfile.Itrequiresagccorclcompiler.

FormatString

javascript Includessample.js,aJavaScriptfile. CrossSiteScripting(XSS)OpenRedirect

nullpointer IncludesNullPointerSample.javafile. NullDereference


Advanced SamplesTable25providesalistofthesamplefilesintheadvancedsubdirectory(<HP_Fortify_Install_Directory>\Samples\advanced).EachsampleincludesaREADME.txtfilethatprovidesfurtherdetailsandinstructionsonitsuse.

php Includesbothsink.phpandsource.phpfiles.Analyzingsource.phpsurfacessimpleDataflowvulnerabilitiesandadangerousfunction.

CrossSiteScriptingSQLInjection

sampleOutput Includesasampleoutputfile(WebGoat5.0.fpr)fromtheWebGoatprojectlocatedintheSamples/advanced/webgoatdirectory.

ExampleinputforAuditWorkbench.

stackbuffer Includesstackbuffer.c.Agccorclcompilerisrequired.

BufferOverflow

toctou Includes toctou.c file. Time‐of‐Check/Time‐of‐Use(RaceCondition)

vb6 Includescommand-injection.basfile. CommandInjectionSQLInjection

vbscript Includessource.aspandsink.aspfiles.

SQLInjection

Table 25: Advanced Samples

Sample File Folder Description

Bugzilla IncludesaBuild.xmlfilebuiltusingtheAuditWorkbenchbugtrackerpluginframework.Thepluginincludesthesamefunctionalityasthebuilt‐inBugzillapluginsothatitcanbeusedasaguidetocreatingyourownplugin.

c++ IncludesasampleVisualStudio2005solution:Sample.sln,Sample1.cpp,Sample.vcproj,stafx.cpp,stdafx.h.

YouneedtohaveMicrosoftVisualStudioVisualC/C++2005(ornewer)installed.YoushouldalsohavetheFortifyAnalyzersinstalled,withthepluginfortheVisualStudioversionyouareusing.

ThecodeincludesaCommandInjectionissueandanUncheckedReturnValueissue.

configuration ThisisasampleJ2EEapplicationthathasvulnerabilitiesinitswebmoduledeploymentdescriptor‐web.xml.

Table 24: Basic Samples (Continued)

SampleFileFolder Contents Vulnerabilities


crosstier Thisisasamplethathasvulnerabilitiesspanningmultipleapplicationtechnologies(Java,PL/SQL,JSP,struts).Theoutputshouldcontainseveralissuesofdifferenttypes,includingtwoAccessControlvulnerabilities.Oneoftheseisacross‐tierresult.IthasadataflowtracefromuserinputinJavacodethatcanaffectaSELECTstatementinPL/SQL.

csharp ThisisasimpleC#programthathasSQLinjectionvulnerabilities.VersionsareincludedforVS2003,VS2005,VS2010andVS2012.Uponsuccessfulcompletionofthescan,youshouldseetheSQLInjectionvulnerabilitiesandoneUnreleasedResourcevulnerability.Othercategoriesmayalsobepresent,dependingontherulepacksusedinthescan.

customrules SeveralsimplesourcecodesamplesandRulepackfilesthatillustraterulesinterpretedbyfourdifferentanalyzers:Semantic,Dataflow,controlflow,andConfiguration.Thisdirectoryalsoincludesseveralmiscellaneousreal‐worldrulessamplesthatmaybeusedforscanningrealapplications.

ejb AsampleJ2EEcross‐tierapplicationwithServletsandEJBs.

filters Asamplethatusessourceanalyzer’s–filteroption.

findbugs AsamplethatdemonstrateshowtorunFindBugsstaticanalysistooltogetherwiththeFortifySourceCodeAnalysisEngine(FortifySCAEngine)andfiltersoutresultsthatoverlap.

HPQC AsamplethatdemonstratestheAuditWorkbenchbugtrackerpluginframeworkbyimplementingaplugintoHPQualityCenter.ThisplugincommunicateswithanHPQCserverinstancethroughtheHPQCclient‐sideaddin.ThebugtrackertalkstotheaddinthroughaCOMinterface,andtheaddinhandlesthecommunicationtotheserver.

java1.5 IncludesResourceInjection.java.TheresultfileshouldhaveaPathManipulationresultandaJ2EEBadPracticesresult.

javaAnnotations IncludesasampleapplicationthatillustratesproblemsthatmayarisefromitsuseandhowtofixtheproblemsusingtheFortifyJavaAnnotations.ThegoalofthisexampleistoillustratehowtheuseofFortifyAnnotationscanresultinincreasedaccuracyinthereportedvulnerabilities.TheaccompanyingREADMEfileillustratethepotentialproblemsandsolutionsassociatedwithvulnerabilityresults.

JavaDoc JavaDocdirectoryforthebugtrackers,public‐api,andWSClient.

maven‐plugin TestscanberunonanyprojectsthatuseMaven(forinstancethoseincludedinthesamplesdirectory,orWebGoat5.3:http://code.google.com/p/webgoat/)

webgoat WebGoattestJ2EEwebapplicationprovidedbytheOpenWebApplicationSecurityProject(http://www.owasp.org).ThisdirectorycontainstheWebGoat5.0sources.WebGoatjavasourcescanbeuseddirectlyforjavavulnerabilityscanningviaFortifySourceCodeAnalysisEngine.

Table 25: Advanced Samples (Continued)

Sample File Folder Description

Appendix H: Issue Tuning 85

Appendix H: Issue TuningThisappendixcoversthefollowingtopics:

• AboutIssueTuning

• AboutInterproceduralConstantPropagation

About Issue TuningThisappendixlistspropertiesthatimpactthenumberofissuesthatSCAreports.Thedefaultsettingshavebeendesignedtoprovideoptimalresultsandshouldnotbealteredunlessyouareexperiencingareportingissueorhavebeeninstructedtodosobysupport.

IssuetuningallowsyoutofinetunethenumberandqualityofresultyoureceivefromanSCAscan.Thisisanadvancedtopicandshouldnotbenecessaryforthemajorityofusers.

IfyoufeelthatSCAisreportingtoomanyortoofewissuesofaparticulartype,youmayneedtoadjustapropertytoexcludeorincludeadditionalissues.Beforemakinganychanges,youmaywanttocontactsupportanddiscusstheissueyouareexperiencing.

Thefollowingareascanbetuned:

• Wrapperdetection

• Interproceduralconstantpropagation

• Selectivemaptracking

Ifyouneedtoturnoneormoreoftheseanalysisfeaturesoff,editthefortify-sca.propertiesfile,locatedinthe<install_directory>/Core/config directory.

About Wrapper DetectionWrapperdetectionidentifiesmethodsthatwrapmapoperations.InSCA,mapoperationsinsert<key,value>pairsto,orretrieve<key,value>pairsfrom,anassociativemap.Whenataintedvalueisinsertedorretrieved,itstaintmaygetpropagatedthroughthemap.

TheHPFortifySoftwareSecurityResearchteam(SSR)providesrulesdescribinghowvariousAPIsimplementmapinsertionandretrieval.Taintpropagationoccurswhenmethodsmatchingthosespecifiedintherulesareinvoked.IfSCAcannotcomputethemapkeysusedatthosemethods,thenitpromotestaintfromasinglevaluetoallvaluesinthemap.Thisintroducesfalsepositives.

Afunctionistreatedasawrappermethodwhenit:

• ContainsacallsitetoamethodidentifiedbyanSSRruleasamapoperationoralreadyidentifiedbySCAasawrapper.

• Directlypassesitsparameterstothemapoperation.

• Directlypassesthemapoperation'sreturnvaluetoitsownreturn.

Theeffectsofsuccessfulwrapperidentificationinclude:

• ReductionoffalseissuereportsfromtheDataflowanalyzerbyreducingthenumberofissuesreportedwithmismatchedmapinsertionsandretrievals.

• Improvedreadabilityof

• Dataflowissuereportsbyreplacingunknownmapkeys,shownas'?',withexplicitkeyvalues.


ThepropertieslistedinTable26controlthebehaviorofwrapperdetection:

Table 26: Wrapper Detection Analysis Keys

Analysis Property Description

None Executeswrapperdetection,includingdetectionofnestedwrappers

com.fortify.sca.EnableNestedWrappers Avalueoffalsedisablesallnestedwrapperdetection.

com.fortify.sca.EnableWrapperDetection Avalueoffalsedisablesallwrapperdetection

com.fortify.sca.WrapperHeuristic Bydefault,theheuristicusedis“moderate”.Youcanalsosetthisvalueto“strict”,whichwillnotidentifyanymethodscontainingmultiplecallsitesaswrappers.

About Interprocedural Constant PropagationProgramminglanguagesprovidekeywordsindicatingthatavariableisaconstant,unchangingvaluethroughoutanentireprogram.However,somesoftwarefailstoconsistentlyapplythesekeywordstoconstantvariables.InterproceduralConstantPropagationidentifiesexplicitconstantsandvariablesthatarenotdefinedasconstantsbuthaveunchangingvalues,anditthenpropagatesthoseconstantvaluesthroughoutallfunctionsintheprogram.

ThepropertieslistedinTable27controlInterproceduralConstantPropagation.

Table 27: Interprocedural Constant Propagation Keys

Analysis Property Description

com.fortify.sca.EnableInterproceduralConstantResolution

Enablesordisablespropagationofconstantvaluesacrossfunctionboundaries.

com.fortify.sca.DisableInferredConstants

Ifsetto“true”,disablesidentificationofconstantvariableswithoutexplicitconstorfinalkeywords.

com.fortify.sca.DisableInferredConstants.NonStatic

Ifsetto“true”,disablesidentificationofnon‐staticconstants.


About Selective Map Operation TrackingSelectiveMapOperationTrackinganalysisgreatlyreducestheprevalenceofunresolvedmapkeys.ThisanalysisallowsSCAtofindtruepositivesinglobalclasseswithoutintroducinganincreaseinthenumberoffalsepositives.Thisalgorithmisconfigurableviaapropertykeythatacceptsanyoffourvalues.Thedefaultvalue,classrule,isappropriateinmostsituations.Ifyoufindthattoomanyissuesarebeingsuppressed,youcanchangethevalueandcomparetheresultsreceived.

ThevalueslistedinTable28controlSelectiveMapOperationTracking.

Table 28: Selective Map Operator Tracking Values

Analysis Property Value Description

com.fortify.sca.RequireMapKeys classrule Thisisthedefaultvalueofthepropertyanddoesnotneedtobeset.SCAwillanalyzedataflowoperationsonmapsglobalbyclassruleonlywhenitcandeterminekeys.

never Setthispropertyequalto“never”todisableSelectiveMapOperationTrackinganalysis.Allmapoperationswillbeanalyzed.

globals Setthispropertyequalto“globals”toincreasetheaggressivenessoftheanalysis.SCAwillanalyzedataflowoperationsonallglobalmapsonlywhenitcandeterminekeys.

always Setthispropertyequalto“always”formaximumaggressiveness.SCAwillprocessdataflowoperationsonallmapsonlywhenitcandeterminekeys.

Appendix I: Configuration Properties 85

Appendix I: Configuration PropertiesThisappendixliststhepropertiesfoundinthefortify.propertiesandthefortify.sca.properties files.Theseconfigurationfilesarelocatedinthefollowingdirectory:

<Installation_Directory>\HP_Fortify\HP_Fortify_SCA_and_Apps_X.XX\Core\config

fortify.propertiesTable29listsconfigurationoptionsthatcanbealteredorsetinthefortify.propertiesfileordefinedonthecommandlineusingthe-Doption.s

Table 29: fortify.properties

Objective Property Value

SetSCAtools,suchasHPFortifyAuditWorkbench,todebugmode.

com.fortify.Debug Valuetype:Boolean

Default:false

Example:

com.fortify.Debug=true

SetHPFortifyAuditWorkbenchtodebugmode.

com.fortify.awb.Debug Valuetype:Boolean

Default:false

Example:

com.fortify.awb.Debug=true

SetEclipsetodebugmode. com.fortify.eclipse.Debug Valuetype:Boolean

Default:false

Example:

com.fortify.eclipse.Debug=true

SetVisualStudiotodebugmode.

com.fortify.VS.Debug Valuetype:Boolean

Default:false

Example:

com.fortify.VS.Debug=true

LocatetheSCAexecutablefile.

Note:Thispropertyissetoninstallationandshouldnotrequirealterationunlessyoumanuallymovetheexecutablefiles.

com.fortify.SCAExecutablePath

Valuetype:String(path)

Default:SetwhenSCAwasinstalled

Example:

com.fortify.SCAExecutablePath=C:\\Program Files\\Fortify Software\\HP Fortifyv3.60\\bin\\sourceanalyzer.exe

SetthepathtotheworkingdirectoryoftheSCAtools.

com.fortify.WorkingDirectory Valuetype:String(path)

Default:com.fortify.WorkingDirectory=${win32.LocalAppdata}/Fortify

Example:

com.fortify.WorkingDirectory=${win32.LocalAppdata}/Fortify

where${win32.LocalAppdata} isavariablethatpointstotheWindowsLocalApplicationDatashellfolder.ThisistypicallyC:\Documents and Settings\<user>\Local Settings\Application Data


Setorchangetheusernameforthisinstallation.

com.fortify.InstallationUserName

Valuetype:String(variablepointer)

Default:

com.fortify.InstallationUserName=${user.name}

Theusernameforthisinstallation,${FM.user.name},canbeusedtoreferencethestoredFortifyManagerusername.

Example:

com.fortify.InstallationUserName=${user.name}

Setthelocalefortheinstallation.

com.fortify.locale Valuetype:String(countrycodeabbrev.)

Default:Locationofmachinesoftwarewasinstalledon.

Example:

com.fortify.locale=en

SetthescantocontinueevenifASPPrecompilationfails.

Ifthispropertyissettofalse,whenperformingascanofawebsitefromVisualStudioinheadlessmodethescanwillcontinueeveniftheASPPre‐compilationfails.

com.fortify.VS.RequireASPPrecompilation

Valuetype:Boolean

Default:false

Example:

com.fortify.VS.RequireASPPrecompilation=false

SetthisvaluetotrueifyouwantSCAtotranslatethedefaultASPoutput(insteadofrunningtheaspnet_compiler)whenscanningawebsitefromVisualStudio.

Youshouldmanuallycleanthiscachebeforeuseofthissetting.

com.fortify.VS.SkipASPPrecompilation

Valuetype:Boolean

Default:false

Example:

com.fortify.VS.SkipASPPrecompilation=true

DisableuseofCodeNavigationfeatureinAWBandimproveruntimememoryusage.

com.fortify.DisableProgramInfo

Valuetype:Boolean

Example:

com.fortify.DisableProgramInfo=true

DisableintegrationwithC/CPPbuilds(VisualStudio).

com.fortify.VS.DisableCIntegration

Valuetype:Boolean

Default:false

Example:

com.fortify.VS.DisableCIntegration=true

Setthepathusedtostorethemanagerclientauthenticationtoken.

com.fortify.AuthenticationKey


Default:

${com.fortify.WorkingDirectory}/config/tools

Example:

com.fortify.AuthenticationKey=${com.fortify.WorkingDirectory}/config/tools

Table 29: fortify.properties (Continued)



DisablefvdlvalidationintheUI.

com.fortify.model.CheckSig Valuetype:Boolean

Default:false

Example:

com.fortify.model.CheckSig=true

ReducetheamountofdataloadedfromanFPR.Whensettotrue,onlybasicissueinformationwillbeloadedfromtheFPR.

com.fortify.model.MinimalLoad

Valuetype:Boolean

Default:false

Example:

com.fortify.model.MinimalLoad=true

SetthisvaluetotruetouseIssueParseFilters.properties.

settings.OptimizeMemorymustalsobeenabled.

com.fortify.model.UseIssueParseFilters

Valuetype:Boolean

Default:false

Example:

com.fortify.model.UseIssueParseFilters=true

Setbackwardscompatibilitywithpre‐2.5migratedprojects.

com.fortify.model.EnablePathElementBaseIndexShift

Valuetype:Boolean

Default:true

Example:

com.fortify.model.EnablePathElementBaseIndexShift=true

SetdefaultVMargumentsforusewhentheVisualStudiopluginrunsJavacommands.

com.fortify.visualstudio.vm.args

Valuetype:String(VMargument)

Default:

-Xmx256m

Example:

com.fortify.visualstudio.vm.args=-Xmx256m

Setthispropertytoenablemanualremovalofthreadlocaltransactionresourcewhenajobcompletes.

enable.clean.transaction.resource

Valuetype:Boolean

Default:true

Settingthispropertytotruepreventsaquartz/springbugwhencrontriggerishappened,somethreadlocalresourceisnotreleased,resultingina"Pre-bound JDBC Connection found!"error.Setthispropertytotruewhenthisproblemoccurs.

Example:

enable.clean.transaction.resource=true

SetthispropertytomigrateIIDscreatedwithdifferentversionsofSCA.ThisisgenerallyhandledbySCA.Ifyouneedtooverridethemappingscheme,pleaseconsultHPFortifycustomersupport.

com.fortify.tools.iidmigrator.scheme

ContactHPFortifycustomersupportforassistance.




Setthemaximumnumberofcharactersforyourfilepath.

max.file.path.length Valuetype:String(number)

Default:255

Ifthepathexceedsthisvalue,thelastXnumberofcharacterswillbekeptinthefilepathfortheissueandtheentrywillberemovedfromsourcefilemap.

Example:

max.file.path.length=255

Definewhich.FPRproject(defaultorimported)shouldbeusedasthebasewhenresolvingmergeconflicts.

com.fortify.model.MergeResolveStrategy

Valuetype:String

Default:DefaultToMasterValue

Possiblevaluesare:'DefaultToMasterValue','DefaultToImportValue',or'NoStrategy'.

Example:

com.fortify.model.MergeResolveStrategy=DefaultToMasterValue

SettheRemovedIssuePersistenceLimit.

com.fortify.RemovedIssuePersistenceLimit

Valuetype:String(number)

Default:1000

Example:

com.fortify.RemovedIssuePersistenceLimit=5000

DefinetheamountofmemoryallocatedforprocessesrequiredbyHPFortifyAuditWorkbench(i.e.,iidmigrator,events2fpr,etc.)

com.fortify.model.ExecMemorySetting

Valuetype:String

Default:1200M

Example:

-Dcom.fortify.model.ExecMemorySetting=12OOM

Limitthenumberofissuesloaded.

com.fortify.model.IssueCutoffStartIndex

com.fortify.model.IssueCutoffEndIndex


Usethecom.fortify.model.IssueCutoffStartIndex propertytoselectthefirstissue(bynumber)tobeloaded.

Userthecom.fortify.model.IssueCutoffEndIndex propertytoselectthelastissue(bynumber)tobeloaded.

Example:

com.fortify.model.IssueCutoffStartIndex=10 com.fortify.model.IssueCutoffEndIndex=20

Note:Youcanusebothparameterstogether,asintheexampleabove,toselectarange.Thisexampleloadsissue10‐19,foratotalof20issues.




fortify‐sca.propertiesTable30listsconfigurationoptionsthatcanbealteredorsetinthefortify‐sca.propertiesfileordefinedonthecommandlineusingthe-Doption.

Limitthecategoriesloadedbasedonnumberofissues.

com.fortify.model.IssueCutoffByCategoryStartIndex

com.fortify.model.IssueCutoffByCategoryEndIndex


Usethecom.fortify.model.IssueCutoffByCategoryEndIndex propertytoloadcategoriesthathavelessthantheselectednumberofissues.Usebothpropertiesinconjunctiontoselectarange.

Example:

com.fortify.model.IssueCutoffByCategoryStartIndex=10com.fortify.model.IssueCutoffByCategoryEndIndex=20

Theexampleaboveloadscategorieswhichhavebetween10through19issuesinthem.

Table 30: fortify‐sca.properties

Objective Property Values

SettheHPFortifyapplicationdatadirectory.

com.fortify.sca.ProjectRoot Valuetype:String(path)

Default:com.fortify.sca.ProjectRoot=${win32.LocalAppdata}/Fortify

${win32.LocalAppdata} isaspecialvariablethatpointstothewindowsLocalApplicationDatashellfolder.

Example1:

com.fortify.sca.ProjectRoot=${win32.LocalAppdata}/Fortify

Example2:

com.fortify.sca.ProjectRoot=C:\Documents and Settings\<user>\Local Settings\Application Data

Selecttheanalyzerstobeused.

com.fortify.sca.DefaultAnalyzers

Valuetype:Boolean

Default:Allanalyzersareturnedonbydefault.

Editthelisttochangewhichanalyzersareenabledbydefault.

Example:

com.fortify.sca.DefaultAnalyzers=dataflow:semantic:controlflow:configuration:structural:content:buffer




Setdefaultfiletypes. com.fortify.sca.DefaultFileTypes

Valuetype:String

Default:com.fortify.sca.DefaultFileTypes=java,rb,jsp,jspx,tag,tagx,tld,sql,cfm,php,phtml,ctp,pks,pkh,pkb,xml,config,settings,properties,dll,exe,inc,asp,vbscript,js,ini,bas,cls,vbs,frm,ctl,html,htm,xsd,wsdd,xmi,py,cfml,cfc,abap,xhtml,cpx,xcfg,jsff,as,mxml,cbl,c,scfg,csdef,wadcfg,appxmanifest,wsdl,plist

Example:

com.fortify.sca.DefaultFileTypes=<comma separated list of file types>

Setthedirectoryusedtosearchforcustomrules.Ifthisisset,thedefaultdirectoryisnotsearched.

com.fortify.sca.CustomRulesDir


Default:com.fortify.sca.CustomRulesDir=${com.fortify.Core}/config/customrules

Example:

com.fortify.sca.CustomRulesDir=<Directory where custom rules are stored>

TellSCAhowtoprocessspecificfiletypes.Allowedtypesare:JAVA,JSP,JSPX,PLSQL,TSQL,SQL,XML,JAVA_Properties,MSIL,CFML,andCSHARP.

Note:Objective‐Cdoesnotrequireanentry.

com.fortify.sca.fileextensions.java = JAVAcom.fortify.sca.fileextensions.jsp = JSPcom.fortify.sca.fileextensions.tag = JSPcom.fortify.sca.fileextensions.tagx = JSPcom.fortify.sca.fileextensions.jspx = JSPXcom.fortify.sca.fileextensions.xhtml = JSPXcom.fortify.sca.fileextensions.faces = JSPXcom.fortify.sca.fileextensions.jsff = JSPXcom.fortify.sca.fileextensions.js = JAVASCRIPT

Note:Thisisapartiallist.Forthecompletelist,seethefortify‐sca.propertiesfile.

Valuetype:String(language)

Default:Seethefortify-sca.propertiesfileforthecompletelist.

SetSCAtousethenativeparser.

com.fortify.sca.jsp.UseNativeParser

Valuetype:Boolean

Default:true

Example:

com.fortify.sca.jsp.UseNativeParser=false

Table 30: fortify‐sca.properties (Continued)



SettheSQLlanguagevariant. com.fortify.sca.SqlLanguage Valuetype:String(SQLlanguagetype)

Default:TSQL

Example:

com.fortify.sca.SqlLanguage=TSQL

Enablecustom‐namedcompilers. com.fortify.sca.compilers.fortify=com.fortify.sca.util.compilers.FortifyCompilercom.fortify.sca.compilers.touchless=com.fortify.sca.util.compilers.FortifyCompilercom.fortify.sca.compilers.make=com.fortify.sca.util.compilers.TouchlessCompilercom.fortify.sca.compilers.gmake=com.fortify.sca.util.compilers.TouchlessCompilercom.fortify.sca.compilers.jam=com.fortify.sca.util.compilers.TouchlessCompilercom.fortify.sca.compilers.clearmake=com.fortify.sca.util.compilers.TouchlessCompilercom.fortify.sca.compilers.nmake=com.fortify.sca.util.compilers.TouchlessCompiler

Note:Thisisapartiallist.Forthecompletelist,seethefortify-sca.propertiesfile.

Valuetype:String(compiler)

Default:SeetheCompilerssectioninthefortify-sca.propertiesfileforthecompletelist.

Example:

TotellSCAthat“my‐gcc”isagcccompiler:

com.fortify.sca.compilers.my-gcc= com.fortify.sca.util.compilers.GccCompiler

Note:Compilernamesmaybeginorendwithan*,whichmatches0ormorecharacters.




TellSCAwhichcompilerscauseatranslationdaemontobespawned.

com.fortify.sca.DaemonCompilers

Valuetype:String(compiler)

Default:com.fortify.sca.DaemonCompilers = com.fortify.sca.util.compilers.GppCompiler,com.fortify.sca.util.compilers.GccCompiler,com.fortify.sca.util.compilers.AppleGppCompiler,com.fortify.sca.util.compilers.AppleGccCompiler,com.fortify.sca.util.compilers.MicrosoftCompiler,com.fortify.sca.util.compilers.MicrosoftLinker,com.fortify.sca.util.compilers.LdCompiler,com.fortify.sca.util.compilers.ArUtil,com.fortify.sca.util.compilers.SunCCompiler,com.fortify.sca.util.compilers.SunCppCompiler,com.fortify.sca.util.compilers.IntelCompiler,com.fortify.sca.util.compilers.ExternalCppAdapter,com.fortify.sca.util.compilers.ClangCompiler

Example:

com.fortify.sca.DaemonCompilers = com.fortify.sca.util.compilers.GppCompiler,com.fortify.sca.util.compilers.GccCompiler,com.fortify.sca.util.compilers.AppleGppCompiler,com.fortify.sca.util.compilers.AppleGccCompiler,com.fortify.sca.util.compilers.MicrosoftCompiler,com.fortify.sca.util.compilers.MicrosoftLinker,com.fortify.sca.util.compilers.LdCompiler,com.fortify.sca.util.compilers.ArUtil,com.fortify.sca.util.compilers.SunCCompiler,com.fortify.sca.util.compilers.SunCppCompiler,com.fortify.sca.util.compilers.IntelCompiler,com.fortify.sca.util.compilers.ExternalCppAdapter,com.fortify.sca.util.compilers.ClangCompiler

Setcallgraphbuildersvalues. com.fortify.sca.analyzer.callgraph.VirtualCGBuilder: Virtual method mappingscom.fortify.sca.analyzer.callgraph.J2EEIndirectCGBuilder: EJB Bean methodscom.fortify.sca.analyzer.callgraph.JNICGBuilder: JNI Callscom.fortify.sca.analyzer.callgraph.IDLIndirectCGBuilder: CORBA calls (disabled by default)com.fortify.sca.analyzer.callgraph.StoredProcedureResolver: JDBC stored procedure calls

Note:Thisisasamplelist.Forthecompletelist,seethefortify-sca.propertiesfile.

Valuetype:String(callgraphbuilders)

Default:Offbydefault

Example:

com.fortify.sca.analyzer.callgraph.VirtualCGBuilder: Virtual method mappings




SetDataflowanalysisvalues. com.fortify.sca.DisableFunctionPointerscom.fortify.sca.DisableGlobals com.fortify.sca.EnableStructuralMatchCache com.fortify.sca.EnableInterproceduralConstantResolutioncom.fortify.sca.EnableWrapperDetectioncom.fortify.sca.EnableNestedWrapperscom.fortify.sca.WrapperHeuristiccom.fortify.sca.RequireMapKeycome.fortify.sca.DisableInferredConstants

Valuetype:Boolean

Examples(defaultvalues):

com.fortify.sca.DisableFunctionPointers=falsecom.fortify.sca.DisableGlobals=falsecom.fortify.sca.EnableStructuralMatchCache=true com.fortify.sca.EnableInterproceduralConstantResolution=falsecom.fortify.sca.EnableWrapperDetection=falsecom.fortify.sca.EnableNestedWrappers=falsecom.fortify.sca.WrapperHeuristic = moderatecom.fortify.sca.RequireMapKey = classrulecome.fortify.sca.DisableInferredConstants = false

Setadditionalanalysisvalues. com.fortify.sca.NoNestedOutTagOutputcom.fortify.sca.DisableDeadCodeEliminationcom.fortify.sca.DeadCodeIgnoreTrivialPredicatescom.fortify.sca.DeadCodeFilter com.fortify.sca.SolverTimeout

Valuetype:Boolean

Examples(defaultvalues):

com.fortify.sca.NoNestedOutTagOutput=org.apache.taglibs.standard.tag.rt.core.RemoveTag,org.apache.taglibs.standard.tag.rt.core.SetTagcom.fortify.sca.DisableDeadCodeElimination=falsecom.fortify.sca.DeadCodeIgnoreTrivialPredicates=truecom.fortify.sca.DeadCodeFilter=truecom.fortify.sca.SolverTimeout=15

SetFVDLoptions. com.fortify.sca.FVDLDisableProgramDatacom.fortify.sca.FVDLDisableSnippetscom.fortify.sca.FVDLDisableDescriptionscom.fortify.sca.FVDLStylesheet

Valuetype:Boolean

Example(defaultvalues):

com.fortify.sca.FVDLDisableProgramData=falsecom.fortify.sca.FVDLDisableSnippets=falsecom.fortify.sca.FVDLDisableDescriptions=falsecom.fortify.sca.FVDLStylesheet=${com.fortify.Core}/resources/sca/fvdl2html.xsl

Setdefaultlogfilelocation. com.fortify.sca.LogFile Valuetype:String(path)

Default:N/A

SettingthisparameterwillcausethelogfiletobeoverwritteneachtimeSCAisrun.

Example:

com.fortify.sca.LogFile=${com.fortify.sca.ProjectRoot}/sca/log/sca.log




Setpost‐scanloggingoptiontotrueandSCAwillwriteperformance‐relateddatatothelogfileafterscancompletion.

com.fortify.sca.PrintPerformanceDataAfterScan

Valuetype:Boolean

Default:false

Valuewillautomaticallybesettotruewhenindebugmode.

Example:

com.fortify.sca.PrintPerformanceDataAfterScan=true

Settranslatoroptions com.fortify.sca.cpfe.commandcom.fortify.sca.cpfe.441.commandcom.fortify.sca.cpfe.optionscom.fortify.sca.cpfe.file.optioncom.fortify.sca.cpfe.dont.fix.cctor.option

Valuetypes:StringandBoolean

Examples(Defaultvalues):

com.fortify.sca.cpfe.command=${com.fortify.Core}/private-bin/sca/cpfecom.fortify.sca.cpfe.441.command=${com.fortify.Core}/private-bin/sca/cpfe441com.fortify.sca.cpfe.options=--remove_unneeded_entities --suppress_vtbl -tusedcom.fortify.sca.cpfe.file.option=--gen_c_file_namecom.fortify.sca.cpfe.dont.fix.cctor.option=true

Displayprogressbar. com.fortify.sca.DisplayProgress

Valuetype:Boolean

Default:true

Example:

com.fortify.sca.DisplayProgress=true

SetFindbugsmaximumheapsize.

com.fortify.sca.findbugs.maxheap

Valuetype:Boolean

Default:SCA’smaxheapsize.

Example:

com.fortify.sca.findbugs.maxheap=500m

SetCFMLpagesbehavior com.fortify.sca.CfmlUndefinedVariablesAreTainted

Valuetype:Boolean

Default:Featureisdisabled.

AvalueoftruetreatsundefinedvariablesinCFMLpagesastainted.

Example:

com.fortify.sca.CfmlUndefinedVariablesAreTainted=true

Generateimpliedmethodswhenimplementationbyinheritanceisencountered

com.fortify.sca.AddImpliedMethods

Valuetype:Boolean

Default:true

Example:

com.fortify.sca.AddImpliedMethods=true




SetControlflowAnalyzeroptions.

com.fortify.sca.analyzer.controlflow.liveness.skip.rulescom.fortify.sca.analyzer.controlflow.EnableRefRuleOptimizationcom.fortify.sca.analyzer.controlflow.EnableLivenessOptimizationcom.fortify.sca.analyzer.controlflow.EnableMachineFilteringcom.fortify.sca.analyzer.controlflow.EnableTimeOut

Valuetype:BooleanandString

Examples(defaultsettings):

com.fortify.sca.analyzer.controlflow.liveness.skip.rules=B530C5D6-3C71-48C5-9512-72A7F4911822com.fortify.sca.analyzer.controlflow.EnableRefRuleOptimization=falsecom.fortify.sca.analyzer.controlflow.EnableLivenessOptimization=falsecom.fortify.sca.analyzer.controlflow.EnableMachineFiltering=falsecom.fortify.sca.analyzer.controlflow.EnableTimeOut=true

Setpathtoregonyoursystem.

com.fortify.sca.RegExecutable


Default:Notset

Example:

Setvarious.NEToptions. WinForms.TransformDataBindingsWinForms.TransformMessageLoopsWinForms.TransformChangeNotificationPatternWinForms.CollectionMutationMonitor.LabelWinForms.ExtractEventHandlersWinForms.TouchUpDataSourcesCAB.EnableStateMap1com.fortify.sca.dotnet.cab.injectioncom.fortify.sca.dotnet.cab.events

Valuetype:Boolean

Examples(Defaultsettings):

WinForms.TransformDataBindings=trueWinForms.TransformMessageLoops=trueWinForms.TransformChangeNotificationPattern=trueWinForms.CollectionMutationMonitor.Label=WinFormsDataSourceWinForms.ExtractEventHandlers=trueWinForms.TouchUpDataSources=trueCAB.EnableStateMap1=truecom.fortify.sca.dotnet.cab.injection=truecom.fortify.sca.dotnet.cab.events=true

Setnumberoflinesofcodetodisplaysurroundingissue.

com.fortify.sca.SnippetContextLines

Valuetype:String

Default:3

Thedefaultvalueis3.Whenset,thenumberrepresentthe2linesofcodeoneachsideofthelinewheretheerroroccurs.Sobydefault,thereareatotalof5linesdisplayed.Thisvaluecanbeoverwritten.

SetCPFEtohandlemultibytecharactersinyoursourcecode.ThisallowsSCAtohandlecodewithmultibyteencoding,suchasSJIS(Japanese).

com.fortify.sca.cpfe.multibyte

Valuetype:Boolean

Default:Notenabled

Thisfeatureisturnedoffbydefault.SetthispropertytoTrueifyouhavemultibytecharactersinyoursourcecode.

Example:

com.fortify.sca.cpfe.multibyte=true




SettheversionofCPFEto441.

com.fortify.sca.cpfe.gnu.version

Valuetype:Boolean

Default:false

Example:

com.fortify.sca.cpfe.gnu.version=true

ConfigureSCAtooverwritethelogfile.

com.fortify.sca.ClobberLogFile

Valuetype:Boolean

Default:false

NewlogfilewillbeoverwritteneachtimeSCAruns.

Example:

com.fortify.sca.ClobberLogFile=true

Addaprefixtologfile. com.fortify.sca.SuppressLogPrefix

Valuetype:String

Default:Notenabled

Noprefixisaddedtothelogfilenamebydefault.Usethispropertytoaddaprefixtothelogname.

Example:

com.fortify.sca.SuppressLogPrefix=???

Specifyafileorseriesoffilestoexcludefromascan.

Note:Thisonlyworksonthecommandline.Youcanissueitmultipletimestoaccommodatemultiplefiles.

com.fortify.sca.exclude Valuetype:String

Default:Notenabled

Example:

com.fortify.sca.exclude=file1.x,file2.x

Thisisthesameas-debug,butmoreverbose,specificallywhenitcomestoparseerrors.

com.fortify.sca.DebugVerbose Valuetype:Boolean

Default:Notenabled

Example:com.fortify.sca.DebugVerbose= true



community.microfocus.com · Preface iii Preface Contacting HP Fortify Support If you have questions...

Documents

Transcript of community.microfocus.com · Preface iii Preface Contacting HP Fortify Support If you have questions...