Copyright 2010 Fortify Software, Inc. (May 4, 2010). All Rights Reserved. Printed in the United States of America.

Fortify Software, Inc.
2215 Bridgepointe Pkwy.
Suite 400
San Mateo, CA 94404

Fortify Software, Inc. (Fortify) and its licensors retain all ownership rights to this document (the Document). Use of the Document is governed by applicable copyright law. Fortify may revise this Document from time to time without notice.

THIS DOCUMENT IS PROVIDED AS IS WITHOUT WARRANTY OF ANY KIND. IN NO EVENT SHALL FORTIFY BE LIABLE FOR INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY KIND ARISING FROM ANY ERROR IN THIS DOCUMENT, INCLUDING WITHOUT LIMITATION ANY LOSS OR INTERRUPTION OF BUSINESS, PROFITS, USE OR DATA. FORTIFY RESERVES THE RIGHT TO MODIFY OR REMOVE ANY OF THE FEATURES OR COMPONENTS DESCRIBED IN THIS DOCUMENT FROM THE FINAL PRODUCT, WITHOUT NOTICE.

Fortify is a registered trademark of Fortify Software, Inc. Brand and product names in this Document are trademarks of their respective owners.

Part Number: 111320100520261
Table of Contents

Preface  vii
  Contacting Fortify Software  vii
    Technical Support  vii
    Corporate Headquarters  vii
    Web Site  vii
  About the Fortify 360 Documentation Set  vii

Introduction  1
  Overview of Fortify SCA  1
  Overview of the Analyzers  1
  Overview of the Analysis Phases  3
    Example of Analysis Commands  3
    Memory Considerations  3
    Translation Phase  3
      Fortify SCA Per Use License Only, Verifying Available Lines  4
    Analysis Phase  4
    Verification of the Translation and Analysis Phase  5

Translating Java Code  6
  Java Command Line Syntax  6
  Java Command Line Examples  7
  Integrating with Ant using the Fortify Ant Compiler Adapter  7
  Translating J2EE Applications  8
    Working with JSP Projects  8
    XML Configuration Files  8
    Call Graph  9
  Handling Resolution Warnings  9
    Java Warnings  9
    J2EE Warnings  9
  Using FindBugs  10

Translating .NET Source Code  11
  Visual Studio .NET  11
  Translating Simple .NET Applications  11
  Translating ASP.NET 1.1 (Visual Studio Version 2003) Projects  12
  Handling Resolution Warnings  13
    .NET Warnings  13
    ASP.NET Warnings  14

Translating C/C++ Code  15
  C and C++ Command Line Syntax  15
Fortify SCA User Guide i
  C and C++ Command Line Examples  15
  Integrating with Make  15
    Using the Fortify Touchless Build Adapter  15
    Modifying a Makefile to Invoke Fortify SCA  16
  Using Fortify Build Monitor  17
    Fortify Build Monitor Overview  17
    Configuring Fortify Build Monitor  18
    Monitoring Builds  19
    Example of Monitoring a Project  19
  Visual Studio .NET  20
  Visual Studio 6.0  20

Translating Other Languages  21
  Command Line Syntax for Other Languages  21
  Configuration Considerations  22
    Configuring Python  22
    Configuring ColdFusion  22
    Configuring the SQL Extension  22
    Configuring ASP/VBScript Virtual Roots  22
    Other Language Command Line Examples  24
      Example of Translating PL/SQL  24
      Example of Translating TSQL  24
      Example of Translating PHP  24
      Example of Translating Classic ASP written with VBScript  25
      Example of Translating JavaScript  25
      Example of Translating VBScript File  25
  Translating COBOL Code  25
    Supported Technologies  25
    Preparing COBOL Source Files for Translation  25
    COBOL Command Line Syntax  26
    Auditing a COBOL Scan  26

Troubleshooting and Support  27
  Troubleshooting  27
    Using the Log File to Debug Problems  27
    Translation Failed Message  27
    JSP Translation Problems  27
    ASPX Translation Problems  28
    C/C++ Precompiled Header Files  29
  Reporting Bugs and Requesting Enhancements  29

Appendix: Managing Per Use Accounts  30
  About the Fortify SCA Per Use Edition  30
  Managing Your Portal User Account  31
  Command Line Options  34
    Output Options  34
    Analysis Options  36
    Python Option  37
    ColdFusion Options  37
    Java/J2EE Options  37
    .NET Options  38
    Build Integration Options  38
    Directives  39
    Runtime Options  40
    Line Transfer Options  40
    Other Options  41
  Specifying Files  41

Appendix: Using the sourceanalyzer Ant Task  43

  Creating a Filter File  49

  EightBall.java (4)  52

  Java Heap Exhaustion  59
    Error Message  59
    Resolution  59
  Java Permanent Generation Exhaustion  61
    Error Message  61
    Resolution  61
  Native Heap Exhaustion  62
    Error Message  62
    Resolution  62

Appendix: Acknowledgements  63
  Java Run Time Environment  63

Index  64
Preface

This guide describes how to use Fortify Source Code Analyzer.

Contacting Fortify Software

If you have questions or comments about any part of this guide, contact Fortify Software at:

Technical Support
650.358.5679
techsupport@fortify.com

Corporate Headquarters
2215 Bridgepointe Pkwy.
Suite 400
San Mateo, CA 94404
650.358.5600
contact@fortify.com

Web Site
http://www.fortify.com

About the Fortify 360 Documentation Set

The Fortify 360 documentation set contains installation, user, and deployment guides for various 360 components, including Fortify 360 Server and analyzers, as well as other documentation pertaining to the use of Fortify 360. Updated versions of the documentation and release notes that describe new features and known issues are also available on the Fortify Customer Portal.
Introduction

This chapter contains the following sections:
  Overview of Fortify SCA
  Overview of the Analyzers
  Overview of the Analysis Phases

Overview of Fortify SCA

Fortify Source Code Analyzer (SCA) is a set of software security analyzers that search for violations of security-specific coding rules and guidelines in a variety of languages. The rich data provided by Fortify SCA language technology enables the analyzers to pinpoint and prioritize violations so that fixes can be fast and accurate. The analysis information produced by SCA helps you deliver more secure software, as well as making security code reviews more efficient, consistent, and complete. This is especially advantageous when large code bases are involved. The modular architecture of SCA allows you to quickly upload new, third-party, and customer-specific security rules.

At the highest level, using Fortify SCA involves:

1. Choosing to run SCA as a stand-alone process or integrating Fortify SCA as part of the build tool
2. Translating the source code into an intermediate translated format, preparing the code base for scanning by the different analyzers
3. Scanning the translated code, producing security vulnerability reports
4. Auditing the results of the scan, either by transferring the resulting FPR file to Audit Workbench or Fortify 360 Server for analysis, or directly with the results displayed on screen

Note: For information on transferring results to Audit Workbench and creating customer-specific security rules, see the Audit Workbench User's Guide.
Overview of the Analyzers

Fortify SCA comprises five distinct analyzers: data flow, control flow, semantic, structural, and configuration. Each analyzer accepts a different type of rule specifically tailored to provide the information necessary for the corresponding type of analysis performed. Rules are definitions that identify elements in the source code that may result in security vulnerabilities or are otherwise unsafe.
Table 1: Fortify Source Code Analyzers

Data Flow
  The data flow analyzer detects potential vulnerabilities that involve tainted data (user-controlled input) put to potentially dangerous use. The data flow analyzer uses global, interprocedural taint propagation analysis to detect the flow of data between a source (site of user input) and a sink (dangerous function call or operation). For example, the data flow analyzer detects whether a user-controlled input string of unbounded length is being copied into a statically sized buffer, and detects whether a user-controlled string is being used to construct SQL query text.

Control Flow
  The control flow analyzer detects potentially dangerous sequences of operations. By analyzing control flow paths in a program, the control flow analyzer determines whether a set of operations are executed in a certain order. For example, the control flow analyzer detects time-of-check/time-of-use issues and uninitialized variables, and checks whether utilities, such as XML readers, are configured properly before being used.

Semantic
  The semantic analyzer detects potentially dangerous uses of functions and APIs at the intraprocedural level. Its specialized logic searches for buffer overflow, format string, and execution path issues, but is not limited to these categories. A call to any potentially dangerous function can be flagged by the semantic analyzer. For example, the semantic analyzer detects deprecated functions in Java and unsafe functions in C/C++, such as gets().

Structural
  The structural analyzer detects potentially dangerous flaws in the structure or definition of the program. By understanding the way programs are structured, the structural analyzer identifies violations of secure programming practices and techniques that are often difficult to detect through inspection because they encompass a wide scope involving both the declaration and use of variables and functions. For example, the structural analyzer detects assignment to member variables in Java servlets, identifies the use of loggers that are not declared static final, and flags instances of dead code that will never be executed because of a predicate that is always false.

Configuration
  The configuration analyzer searches for mistakes, weaknesses, and policy violations in an application's deployment configuration files. For example, the configuration analyzer checks for reasonable timeouts in user sessions in a web application.
Overview of the Analysis Phases

Fortify SCA performs source code analysis in the following phases:

Build Integration: The first phase of source code analysis involves making a decision whether to integrate SCA into the build compiler system.

Translation: Source code gathered using a series of commands is translated into an intermediate format which is associated with a build ID. The build ID is usually the name of the project being scanned.

Analysis: Source files identified during the translation phase are scanned and an analysis results file, typically in the Fortify project (FPR) format, is generated. FPR files are indicated by the .fpr file extension.

Verification of the translation and analysis: Ensure that the source files were scanned using the correct rulepacks and that no significant errors were reported.
Example of Analysis Commands

The following is an example of the sequence of commands you use to analyze code:

> sourceanalyzer -b <build_id> -clean
> sourceanalyzer -b <build_id> ...
> sourceanalyzer -b <build_id> -scan -f results.fpr
Additional Confirmation for Fortify SCA Per Use

The following shows the additional sequence of commands when using Fortify SCA with a per use license to analyze code:

Running this scan will deduct <number-of-lines> scan lines from your account.
Would you like to proceed? [y/n] y
<number-of-lines> scan lines deducted. <number-of-lines> remaining

Note: You can run the scan in silent mode, which suppresses the prompt and automatically deducts lines, by using the command line option -auth-silent, or by setting the com.fortify.sca.PPSSilent property to true.
Memory Considerations

By default, Fortify SCA uses up to 600 MB of memory. If this is not sufficient to analyze a particular code base, you might have to provide more memory in the scan phase. This can be done by passing the -Xmx option to the sourceanalyzer command. For example, to make 1000 MB available to Fortify SCA, include the option -Xmx1000M. You can also use the SCA_VM_OPTS environment variable to set the memory allocation.

Note: Do not allocate more memory for Fortify SCA than the machine has available, because this will degrade performance. As a guideline, assuming that no other memory-intensive processes are running, do not allocate more than 2/3 of the available physical memory.
Translation Phase

The basic command line syntax for performing the first analysis phase, translating the files, is:

sourceanalyzer -b <build_id> ...
At the end of translation, you can use -show-build-warnings to list all warnings and errors that were encountered during the translation process:

sourceanalyzer -b <build_id> -show-build-warnings

To view all of the files associated with a particular build ID, use the -show-files directive:

sourceanalyzer -b <build_id> -show-files

The following chapters describe how to translate different types of source code:
  Translating Java Code
  Translating .NET Source Code
  Translating C/C++ Code
  Translating Other Languages, such as ColdFusion, Classic ASP and JavaScript

Fortify SCA Per Use License Only, Verifying Available Lines

When using Fortify SCA with a per use license, the basic command line syntax to display the number of available lines is:

sourceanalyzer -auth-query
Analysis Phase

This topic describes the syntax for the analysis phase: scanning the intermediate files created during the translation and creating the analysis results file. The phase consists of one invocation of sourceanalyzer. You specify the build ID and include the -scan directive and any required analysis or output options.

Note: By default, Fortify SCA includes the source code in the FPR.

The basic command line syntax for the analysis phase is:

sourceanalyzer -b <build_id> -scan -f results.fpr

The command line syntax to silently analyze a project for Fortify SCA with a per use license is:

sourceanalyzer -b <build-id> -auth-silent -scan -f results.fpr

Additional Steps for Fortify SCA Per Use

If you are using Fortify SCA with a per use license, Fortify SCA displays the number of lines required to scan the project and prompts you before deducting the lines. Enter y (yes) to continue with the scan as follows:

Running this scan will deduct <number-of-lines> scan lines from your account.
Would you like to proceed? [y/n] y
<number-of-lines> scan lines deducted. <number-of-lines> remaining
Note: You can rescan a set of translated files. This allows you to scan the same project with different rules, updated rulepacks, and/or scan settings without using additional scan lines.

Verification of the Translation and Analysis Phase

The Result Certification feature of Audit Workbench verifies that the analysis is complete. Result certification shows specific information about the code scanned by Fortify SCA, including:
  List of files scanned, with file sizes and timestamps
  Java classpath used for the translation
  List of rulepacks used for the analysis
  List of Fortify SCA runtime settings and command line arguments
  List of errors or warnings encountered during translation or analysis
  Machine/platform information

To view result certification information, open the FPR file in Audit Workbench and select Tools > Project Summary > Certification.
Translating Java Code

This chapter describes how to translate Java source code for analysis with Fortify SCA. The following topics are included:
  Java Command Line Syntax
  Java Command Line Examples
  Integrating with Ant using the Fortify Ant Compiler Adapter
  Translating J2EE Applications
  Using FindBugs

Java Command Line Syntax

This topic describes the Fortify SCA command syntax for translating Java source code. The basic command line syntax for Java is:

sourceanalyzer -b <build_id> -cp <classpath> <file_list>

With Java code, Fortify SCA can either emulate the compiler, which may be convenient for build integration, or accept source files directly, which is more convenient for command line scans.

Note: For a description of all the options you can use with the sourceanalyzer command, see Command Line Interface on page 34.

To have Fortify SCA emulate the compiler, enter:

sourceanalyzer -b <build_id> javac [<translation options>]

To pass files directly to Fortify SCA, enter:

sourceanalyzer -b <build_id> -cp <classpath> [<translation options>] <files>|<file specifiers>

where:
  <translation options> are options passed to the compiler.
  -cp <classpath>
Java Command Line Examples

To translate a single file named MyServlet.java with j2ee.jar on the classpath, enter:

sourceanalyzer -b MyServlet -cp lib/j2ee.jar MyServlet.java

To translate all .java files in the src directory using all jar files in the lib directory as a classpath:

sourceanalyzer -b MyProject -cp "lib/*.jar" "src/**/*.java"

To translate and compile the MyCode.java file while using the javac compiler:

sourceanalyzer -b mybuild javac -classpath libs.jar MyCode.java

Integrating with Ant using the Fortify Ant Compiler Adapter

Fortify SCA provides an Ant Compiler Adapter that you can use as an easy way to translate Java source files if your project uses an Ant build file. This integration requires setting only two Ant properties, and can be done on the command line without modifying the Ant build.xml file. When the build runs, Fortify SCA intercepts all javac task invocations and translates the Java source files as they are compiled. Note that any JSP files, configuration files, or any other non-Java source files that are part of the application need to be translated in a separate step.

The following steps must be taken to use the Compiler Adapter:
  The sourceanalyzer executable must be on the system PATH.
  sourceanalyzer.jar (located in Core/lib) must be on Ant's classpath.
  The build.compiler property must be set to com.fortify.dev.ant.SCACompiler.
  The sourceanalyzer.buildid property must be set to the build ID.

The following example shows how to run an Ant build using the Compiler Adapter without modifying the build file:

ant -Dbuild.compiler=com.fortify.dev.ant.SCACompiler -Dsourceanalyzer.buildid=MyBuild -lib <install_dir>/Core/lib/sourceanalyzer.jar
Translating J2EE Applications

Translating J2EE applications involves processing Java source files, J2EE components such as JSP files, deployment descriptors such as web.xml, and configuration files such as struts-config.xml. The steps include:

1. Translating the Java files. Refer to the samples earlier in this chapter.
2. Translating the JSP files. Refer to the sample below.
3. Processing the configuration files. An example is:

sourceanalyzer -b my_buildid "mydirectory/myfile.xml"

Working with JSP Projects

To translate JSP files, Fortify SCA requires that the JSP files are in a standard Web Application Archive (WAR) layout. If your source directory is already organized in a WAR layout, you can translate JSP files directly from the source directory. If this is not the case, you may need to deploy your application and translate the JSP files from the deployment directory.

If your JSP files use any tag libraries, such as JSTL, ensure that the libraries' jar files are in the WEB-INF/lib directory. Otherwise, the JSP compiler will not resolve the tag libraries and could produce incorrect results.

By default, Fortify SCA uses a version of the Jasper JSP compiler to compile JSP files into Java files during the translation phase. However, if your web application is developed specifically for an application server, you must use the JSP compiler for that application server when performing the translation. To support this, Fortify SCA provides the following command line options:

-appserver
  Supported values: weblogic, websphere
-appserver-home
  For WebLogic, the path to the directory containing the server/lib directory.
  For WebSphere, the path to the directory containing the bin/JspBatchCompiler script.
-appserver-version
  Supported values:

XML Configuration Files

Fortify SCA uses the web.xml configuration file during the project scan for the following information:
  servlet tags
  servlet-mapping tags
  filter tags
  filter-mapping tags
  error-page tags
This data connects struts actions to follow how taint may propagate through an application.

Call Graph

Using data from the XML and struts configuration files, Fortify SCA builds a call graph to track potential taint from servlet to servlet and to struts actions. For information about what is extracted from the configuration files, see XML Configuration Files.

Handling Resolution Warnings

To see all warnings that were generated during your build, enter the following command before you start the scan phase:

sourceanalyzer -b <build_id> -show-build-warnings

Java Warnings

You may see the following warnings for Java:

Unable to resolve type...
Unable to resolve function...
Unable to resolve field...
Unable to locate import...
Unable to resolve symbol...
Multiple definitions found for function...
Multiple definitions found for class...

J2EE Warnings

You may see the following warnings for J2EE applications:

Could not locate the root (WEB-INF) of the web application. Please build your web application and try again.
Failed to parse the following jsp files: <list of .jsp file names>
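As an added example that is not from the Fortify guide, the following POSIX shell wrapper chains the three sourceanalyzer phases from the Introduction (clean, translate, scan), sets SCA_VM_OPTS from the two-thirds guideline in Memory Considerations, and refuses to start the scan phase while -show-build-warnings still reports any of the Java/J2EE resolution warnings listed above, because the analyzers cannot follow calls into types that were never resolved. The SCA variable, the function names and the build ID, classpath and file specifier arguments are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the Fortify SCA User Guide.
# Assumes: sourceanalyzer is on PATH (or named via $SCA); the caller passes
# the build ID, classpath and file specifier of a Java project.

SCA=${SCA:-sourceanalyzer}

# Heap to hand to SCA: two thirds of physical memory (the guideline in
# "Memory Considerations"), never below the 600 MB default.
# $1 = physical memory in MB; prints the -Xmx value in MB.
sca_heap_limit_mb() {
    total_mb=$1
    limit=$((total_mb * 2 / 3))
    if [ "$limit" -lt 600 ]; then
        limit=600
    fi
    echo "$limit"
}

# Physical memory in MB from /proc/meminfo (Linux). Falls back to 900 MB,
# which maps to the 600 MB default, when the file is not readable.
sca_physical_mb() {
    if [ -r /proc/meminfo ]; then
        awk '/^MemTotal:/ { printf "%d\n", $2 / 1024 }' /proc/meminfo
    else
        echo 900
    fi
}

# Keep only the Java/J2EE resolution warnings documented in this chapter
# from "sourceanalyzer -b <id> -show-build-warnings" output read on stdin.
# Prints the matching lines; exit status 0 when at least one matched.
sca_resolution_warnings() {
    grep -E 'Unable to (resolve|locate) |Multiple definitions found for |Failed to parse the following jsp files|Could not locate the root \(WEB-INF\)'
}

# Number of resolution warnings in the text on stdin (prints 0 when clean).
sca_count_resolution_warnings() {
    n=$(sca_resolution_warnings | wc -l)
    echo "$n" | tr -d ' '
}

# Run clean, translate and scan for one Java build. Stops before the scan
# phase when translation left unresolved references, so no FPR is produced
# from a translation the data flow analyzer could not fully follow.
# $1 = build ID, $2 = classpath, $3 = file specifier, $4 = output FPR.
sca_analyze_java() {
    build_id=$1
    classpath=$2
    files=$3
    out=$4

    heap=$(sca_heap_limit_mb "$(sca_physical_mb)")
    export SCA_VM_OPTS="-Xmx${heap}M"

    "$SCA" -b "$build_id" -clean
    "$SCA" -b "$build_id" -cp "$classpath" "$files"

    warnings=$("$SCA" -b "$build_id" -show-build-warnings)
    count=$(printf '%s\n' "$warnings" | sca_count_resolution_warnings)
    if [ "$count" -gt 0 ]; then
        printf '%s\n' "$warnings" | sca_resolution_warnings >&2
        echo "$count resolution warning(s) in build $build_id; fix the classpath before scanning" >&2
        return 1
    fi

    "$SCA" -b "$build_id" -scan -f "$out"
}

# Usage, mirroring the Java command line example in this chapter:
# sca_analyze_java MyProject "lib/*.jar" "src/**/*.java" results.fpr
```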
Using FindBugs

FindBugs (http://findbugs.sourceforge.net) is a static analysis tool that detects quality issues in Java code. You can run FindBugs with Fortify SCA and the results will be integrated into the analysis results file. Unlike Fortify SCA, which runs on Java source files, FindBugs runs on Java bytecode. Therefore, before running an analysis on your project, you should first compile the project and produce the class files.

To demonstrate how to run FindBugs automatically with Fortify SCA, compile the sample code, Warning.java, as follows:

1. Go to the following directory:

<install_directory>/Samples/advanced/findbugs

2. Enter the following commands to compile the sample:

mkdir build
javac -d build Warning.java

3. Scan the sample with FindBugs and Fortify SCA as follows:

sourceanalyzer -b findbugs_sample -java-build-dir build Warning.java
sourceanalyzer -b findbugs_sample -scan -findbugs -f findbugs_sample.fpr

4. Examine the analysis results in Audit Workbench:

auditworkbench findbugs_sample.fpr

If you group by Analyzer, you can see that the Fortify SCA Structural analyzer produced one warning and FindBugs produced eight. The Object model violation warning produced by Fortify SCA on line 25 is similar to the Equal objects must have equal hash codes warning produced by FindBugs. In addition, FindBugs produces two sets of warnings (Useless self-assignment and Dead local store) about the same issues on lines 6 and 7. To avoid overlapping results, apply the filter.txt filter file by using the -filter option during the scan. Note that the filtering is not complete because each tool filters at a different level of granularity. To demonstrate how to avoid overlapping results, scan the sample code using filter.txt as follows:

sourceanalyzer -b findbugs_sample -scan -findbugs -filter filter.txt -f findbugs_sample.fpr
Translating .NET Source Code

This chapter describes how to use Fortify SCA to translate Microsoft Visual Studio .NET and ASP.NET applications built with:
  .NET Versions 1.1 and 2.0
  Visual Studio .NET version 2003
  Visual Studio .NET version 2005

Note: The easiest way to analyze a .NET application is to use a Fortify Secure Coding Plugin for Visual Studio, which automates the process of gathering information about the project.

Visual Studio .NET

If you perform command line builds with Visual Studio .NET, you can easily integrate static analysis by wrapping the build command line with an invocation of sourceanalyzer. For this to work, you must have the Secure Coding Package for your version of Visual Studio installed. The following example demonstrates the command line syntax for Visual Studio .NET:

sourceanalyzer -b my_buildid devenv Sample1.sln /REBUILD debug

This performs the translation phase on all files built by Visual Studio. Be sure to do a clean or a rebuild so that all files are included. You can then perform the analysis phase, as in the following example:

sourceanalyzer -b my_buildid -scan -f results.fpr

Note: If your classic ASP/VBScript application uses virtual includes, for example,

<!--include virtual=/myweb/foo.inc>

then you should specify the physical location of the myweb application by passing the following property value:

com.fortify.sca.ASPVirtualRoots=<semicolon separated list of full paths to virtual roots used>

For example, if the IIS virtual root /myweb is located at C:\webapps\myweb-folder, then your property value should be:

-Dcom.fortify.sca.ASPVirtualRoots=c:\webapps\myweb-folder

If you add this line to the fortify-sca.properties file, you must escape the \ character, as in the following:

com.fortify.sca.ASPVirtualRoots=c:\\webapps\\myweb-folder

Translating Simple .NET Applications

You can also use the Fortify SCA command line interface for processing .NET applications. Prepare your application for analysis using one of the following methods:
Run Fortify SCA to analyze the .NET application from the command line as follows:

For Visual Studio .NET Version 2003, enter:

sourceanalyzer -vsversion 7.1 -b MyBuild -libdirs ProjOne/Lib;ProjTwo/Lib ProjOne/bin/Debug ProjTwo/bin/Debug

where:
  MyBuild is the build identifier
  ProjOne/Lib;ProjTwo/Lib is a semicolon-separated list of paths to folders or DLLs with third-party DLLs
  ProjOne/bin/Debug ProjTwo/bin/Debug are the output folders

For Visual Studio .NET Version 2005, enter:

sourceanalyzer -vsversion 8.0 -b MyBuild -libdirs ProjOne/Lib;ProjTwo/Lib ProjOne/bin/Debug ProjTwo/bin/Debug

where:
  MyBuild is the build identifier
  ProjOne/Lib;ProjTwo/Lib is a semicolon-separated list of paths to folders or DLLs with third-party DLLs
  ProjOne/bin/Debug ProjTwo/bin/Debug are the output folders

Note: Standard .NET DLLs used in your project are automatically picked up by Fortify SCA, so you do not need to include them in the command line.

If your project is large, you can perform the translation phase separately for each output folder using the same build ID, as follows:

sourceanalyzer -vsversion <version_number> -b <build_id> -libdirs <paths> <folder_1>
...
sourceanalyzer -vsversion <version_number> -b <build_id> -libdirs <paths> <folder_n>

where:
  <version_number> is either 7.1, 8.0, or 9.0
  <build_id> is the build ID
  <paths> is a semicolon-separated list of paths to folders or DLLs with third-party DLLs
  <folder_1> and <folder_n> are the output folders

Note: Fortify SCA requires the appropriate version of Visual Studio, even if you are using the command line interface.

Translating ASP.NET 1.1 (Visual Studio Version 2003) Projects

As discussed previously, Fortify SCA works on CIL generated by the .NET compilers. For ASP.NET projects, web components such as .aspx files need to be compiled before they can be analyzed. However, there is no standard
3. For each of the web projects in the solution, run the following command:
fortify_aspnet_compiler <url_to_the_web_site> <source_root_of_the_web_project>
where:
<url_to_the_web_site> is the URL for your web site, such as http://localhost/WebApp
<source_root_of_the_web_project> is the source location of your web project, such as <VS_project_location>\WebApp
4. Perform the translation phase for the DLLs built in Step 1. Enter the following command using the same build ID as in the following steps:
sourceanalyzer -b <build_id> "<VS_project_location>\**\*.dll"
5. Perform the translation phase for the web components. For each of the web projects in the solution, enter the following when you invoke sourceanalyzer (the path contains spaces, so it is quoted):
sourceanalyzer -b <build_id> "%SYSTEMROOT%\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\<web_application_name>"
6. Include the configuration files and any Microsoft TSQL source files that you have:
sourceanalyzer -b <build_id> "<solution_root>\**\*.config" "<t-sql_src>\**\*.sql"
Note: These steps are all automated if you use the Fortify 360 Package for Visual Studio.
Handling Resolution Warnings
To see all warnings that were generated during your build, enter the following command before you start the scan phase:
sourceanalyzer -b <build_id> -show-build-warnings
.NET Warnings
You may see the following warnings for .NET:
Cannot locate class... in the given search path and the Microsoft .NET Framework libraries.
ASP.NET Warnings
You may see the following warnings for ASP.NET applications:
Failed to parse the following aspx files: <list of .aspx file names>
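The following shell script is an added example and is not part of the Fortify SCA User Guide. It treats the two warnings quoted above as a gate: a class that could not be located or an .aspx file that could not be parsed is code the analyzer never modelled, so any dataflow through it is invisible to the scan. The script counts both kinds of warning in the output of -show-build-warnings and returns non-zero when either is present, so a build job can refuse to scan a thinner program model. The warning texts are the ones quoted in this section; the sample output, the function names, and the assumption that unparsed file names follow the warning one per line (or on the same line after the colon) are this script's own.

```shell
#!/usr/bin/env bash
# Added example; not part of the Fortify SCA User Guide. Gates a scan on the
# output of "sourceanalyzer -b <build_id> -show-build-warnings": an unresolved
# class or an unparsed .aspx file is code the analyzer never modelled, so a
# build job should fail loudly rather than scan a thinner program model.
# Assumption (this script's, not the guide's): file names listed after the
# "Failed to parse" warning appear on that line and/or one per line below it.

# count_unresolved_classes: number of "Cannot locate class" warnings on stdin.
count_unresolved_classes() {
    grep -c 'Cannot locate class' || true   # grep exits 1 on zero matches
}

# list_unparsed_aspx: file names reported after "Failed to parse the following
# aspx files:", whether on that line or on the lines below it, up to the next
# blank line. One name per output line.
list_unparsed_aspx() {
    awk '
        /Failed to parse the following aspx files/ {
            inlist = 1
            sub(/.*aspx files:[ \t]*/, "")
            n = split($0, names, "[ \t,]+")
            for (i = 1; i <= n; i++) if (names[i] != "") print names[i]
            next
        }
        inlist && NF == 0 { inlist = 0 }
        inlist { print $1 }
    '
}

# check_build_warnings: reads warning output on stdin, prints a one-line
# summary, and returns 0 only when no resolution warning was reported.
check_build_warnings() {
    local text classes aspx
    text=$(cat)
    classes=$(printf '%s\n' "$text" | count_unresolved_classes)
    aspx=$(printf '%s\n' "$text" | list_unparsed_aspx | wc -l | tr -d ' ')
    printf 'unresolved classes: %s, unparsed aspx files: %s\n' "$classes" "$aspx"
    [ "$classes" -eq 0 ] && [ "$aspx" -eq 0 ]
}

# Constructed sample output shaped like the warnings quoted in this section;
# the class and file names are invented.
SAMPLE_WARNINGS='Cannot locate class Acme.Billing.Ledger in the given search path and the Microsoft .NET Framework libraries.
Cannot locate class Acme.Billing.Invoice in the given search path and the Microsoft .NET Framework libraries.
Failed to parse the following aspx files: Checkout.aspx
Login.aspx

Translation complete.'

# Typical use in a build job:
#   sourceanalyzer -b "$BUILD_ID" -show-build-warnings | check_build_warnings || exit 1
# Set RUN_SAMPLE=1 to run the check against the constructed sample instead.
if [ "${RUN_SAMPLE:-0}" = 1 ]; then
    printf '%s\n' "$SAMPLE_WARNINGS" | check_build_warnings
fi
```

Piping the real -show-build-warnings output into check_build_warnings before the -scan step is the intended use; the two counting functions are separate so either warning kind can be made blocking on its own.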
Translating C/C++ Code
This chapter describes how to translate C and C++ source code for analysis with Fortify SCA.
C and C++ Command Line Syntax
The basic command line syntax for translating a single file is:
sourceanalyzer -b <build_id> <compiler> [<compiler options>]
where:
<compiler> is the name of the compiler you want to use during a project build scan, such as gcc or cl.
<compiler options> are options passed to the compiler that are typically used to compile the file.
C and C++ Command Line Examples
The following is a simple usage example. To translate a file named helloworld.c using the gcc compiler, enter:
sourceanalyzer -b my_buildid gcc helloworld.c
Note: This also compiles the file.
Integrating with Make
You can use either of the following methods to use Fortify SCA with Make:
Using the Fortify Touchless Build Adapter
Modifying a Makefile to Invoke Fortify SCA
Using the Fortify Touchless Build Adapter
The following section describes the different methods for using the touchless build adapter.
Using the sourceanalyzer Build Adapter Command
To use the Fortify touchless build adapter to integrate with makefiles, run the following command:
sourceanalyzer -b <build_id> touchless make
Using the fortify Build Adapter Command
Fortify 360 offers a convenient command that bundles together the translation and scan steps when you are using touchless integration to analyze a C/C++ project. The command is as follows:
fortify [-b my_build_id] [-noscan] [-f my_fpr_name.fpr] build_command
The command fortify build_command serves as an equivalent to running the following commands:
sourceanalyzer -b my_build_id -clean
sourceanalyzer -b my_build_id touchless build_command
sourceanalyzer -b my_build_id -scan -f cwd.fpr
For example, in a Bash shell, you would set the FORTIFY_BUILD_OPTS and FORTIFY_SCAN_OPTS environment variables to the following values in order to acquire the information needed by Fortify Technical Support when they are helping you with an SCA-related ticket:
export FORTIFY_BUILD_OPTS=-debug\ -logfile\ translation.log
export FORTIFY_SCAN_OPTS=-debug\ -logfile\ scan.log
This would cause two additional files to be created, translation.log and scan.log, after the following is run:
fortify make
Modifying a Makefile to Invoke Fortify SCA
To modify a makefile to invoke Fortify SCA, replace any calls to the compiler, archiver, or linker in the makefile with calls to Fortify SCA. These tools are typically specified in a special variable in the makefile, as in the following example:
CC=gcc
CXX=g++
AR=ar
The step can be as simple as prepending these tool references in the makefile with Fortify SCA and the appropriate options:
CC=sourceanalyzer -b mybuild gcc
CXX=sourceanalyzer -b mybuild g++
AR=sourceanalyzer -b mybuild ar
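The script below is an added example, not code from the Fortify SCA User Guide or from the fortify wrapper itself. It writes out the three sourceanalyzer invocations that the guide says "fortify make" is equivalent to (clean, touchless translate, scan) as a function that stops when the translation step fails, so a build job never scans a partial program model, and it shows the Makefile variable override from the previous section applied on the make command line instead of by editing the makefile. The sourceanalyzer options used (-clean, touchless, -scan, -f, -debug, -logfile) are the ones the guide shows; placing -debug/-logfile ahead of the build command, the SCA variable that lets the analyzer command be substituted, the return codes, and the SCA_RUN, BUILD_ID, OUT_FPR and LOG_DIR names are this script's own conventions.

```shell
#!/usr/bin/env bash
# Added example; not part of the Fortify SCA User Guide and not the fortify
# wrapper's code. Spells out the clean / touchless translate / scan sequence
# that the guide gives as the equivalent of "fortify make", with a hard stop
# after a failed translation. Option placement (-debug -logfile before the
# build command) is this script's assumption, modelled on FORTIFY_BUILD_OPTS.

# Analyzer command. Overridable so the sequence can be exercised against a
# stand-in (a shell function or wrapper script) where SCA is not installed.
SCA="${SCA:-sourceanalyzer}"

# sca_pipeline <build_id> <output.fpr> <log_dir> <build command...>
# Returns 0 on success, 10 if clean or translation fails (no scan is run),
# 20 if the scan fails. Logs go to <log_dir>/translation.log and scan.log,
# the two files the guide says to send to Technical Support.
sca_pipeline() {
    local build_id="$1" out_fpr="$2" log_dir="$3"
    shift 3
    mkdir -p "$log_dir"

    # 1. Discard any earlier translation stored under this build ID so stale
    #    files from a previous run cannot be swept into the scan.
    "$SCA" -b "$build_id" -clean || return 10

    # 2. Touchless translation: sourceanalyzer watches the real build command
    #    ("make", "devenv ...") and translates whatever it compiles.
    "$SCA" -b "$build_id" -debug -logfile "$log_dir/translation.log" touchless "$@" \
        || return 10

    # 3. Scan only a build that translated cleanly, writing the FPR.
    "$SCA" -b "$build_id" -debug -logfile "$log_dir/scan.log" -scan -f "$out_fpr" \
        || return 20
}

# translate_via_make_vars <build_id> [make args...]
# Alternative to touchless for makefiles that honour CC/CXX/AR: the same
# substitution the guide shows inside the makefile (CC=sourceanalyzer -b
# mybuild gcc), passed on the make command line so the makefile stays untouched.
translate_via_make_vars() {
    local build_id="$1"
    shift
    make CC="$SCA -b $build_id gcc" CXX="$SCA -b $build_id g++" AR="$SCA -b $build_id ar" "$@"
}

# Stand-alone use: SCA_RUN=1 BUILD_ID=mybuild OUT_FPR=result.fpr ./this_script.sh
if [ "${SCA_RUN:-0}" = 1 ]; then
    sca_pipeline "${BUILD_ID:-mybuild}" "${OUT_FPR:-result.fpr}" "${LOG_DIR:-sca-logs}" make
    echo "pipeline exit code: $?"
fi
```

The return codes distinguish "nothing was scanned" (10) from "scan produced no FPR" (20), which is what a CI job needs in order to fail the right stage; the fortify wrapper itself reports a single exit status.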
Using Fortify Build Monitor
This section describes how to use Fortify Build Monitor to scan C/C++ projects automatically during a build on Windows and view the results. It includes examples that use sample projects provided with Fortify SCA.
This section covers the following topics:
Fortify Build Monitor Overview
Configuring Fortify Build Monitor
Monitoring Builds
Example of Monitoring a Project
Fortify Build Monitor Overview
The following options are available from the Fortify Build Monitor menu:
Table 2: Fortify Build Monitor Options
Option: Description
Monitor: Enables the monitoring. Build Monitor intercepts and translates the next build on the machine.
Build Done: Stops the monitor after the build is complete.
Scan: Scans the code that was monitored during the build.
Scan Settings: Controls the rulepacks and memory settings.
Set Results Folder: Controls where Fortify SCA outputs the results.
Stay on Top: Keeps the Fortify Build Monitor window on top of other windows.
Minimize to Tray: Shows the Fortify Build Monitor as an icon in the taskbar.
Exit: Closes the Fortify Build Monitor.
Show Messages: Shows or hides the messages in the lower area of the window. Messages include Scan Messages, Errors, and Monitor Driver information. You can click Detailed Messages at the bottom of the window.
Help: Displays online help.
Reset: Resets the Fortify Build Monitor to its beginning state.
Configuring Fortify Build Monitor
This section covers the following topics:
Setting Up the Results Folder
Setting Fortify SCA Scan Options
Setting Up the Results Folder
Fortify Build Monitor outputs results in FPR format to a local folder. You can change the output folder. Fortify Build Monitor replaces the results each time a scan is performed. Results are not archived.
To change the results folder:
1. Select Action, then Set Results Folder. The Browse for Folder dialog displays.
2. Select a folder and click OK. Fortify Build Monitor will output the results to the selected folder.
Setting Fortify SCA Scan Options
Fortify Build Monitor scans the project using Fortify SCA. You can adjust the following scan settings:
Allocate memory: Increase or decrease the amount of memory allocated to Fortify SCA
Fortify Secure Coding Rulepacks and custom rulepacks: Change which rulepacks Fortify SCA uses to analyze the source code
User: Only monitor builds run by the current user
Monitoring Builds
For C/C++ projects and solutions on Windows, Fortify SCA includes the Fortify Build Monitor, which is a graphical user interface tool that automates analysis during builds.
To analyze C/C++ source code builds on Windows:
1. Select Start, Program Files, Fortify Software, Fortify SCA, Build Monitor.
2. Click Monitor. After the monitor initiates, a green light icon displays.
3. Create a complete build of your project in your build environment.
4. Check that the build has finished successfully.
5. Return to the Fortify Build Monitor window and click Build Done.
6. Fortify SCA outputs the results to a subfolder; specify a name for the folder for the output. If the folder already exists, Fortify SCA cleans the folder before starting the scan.
7. Click Scan. Fortify SCA displays the results and saves an FPR file in the folder you specified.
Note: To view the results, open the FPR file in Audit Workbench or using the Secure Coding Package for Microsoft Visual Studio.
Example of Monitoring a Project
This example for Windows users analyzes the sample C++ code project named qwik-smtpd. It uses Microsoft Visual Studio and the Fortify Build Monitor.
To analyze the qwik-smtpd project:
1. Using Microsoft Visual Studio, open and build the qwik-smtpd project located in the Tutorial/C/source directory.
2. Select Start, Program Files, Fortify Software, Fortify SCA, Build Monitor.
3. Click Monitor.
4. Minimize the window.
5. In Microsoft Visual Studio, rebuild the project.
Note: Since nothing in the project changed, you must use the rebuild option.
Visual Studio .NET
If you perform command line builds with Visual Studio .NET, you can easily integrate static analysis by simply wrapping the build command line with an invocation of sourceanalyzer. For this to work, you must have the Fortify Secure Coding Plugin for your version of Visual Studio installed.
Consider the following example:
sourceanalyzer -b my_buildid devenv MyProject.sln /REBUILD
This performs the translation phase on all files built by Visual Studio. Be sure to do a clean or a rebuild so that all files are included.
Visual Studio 6.0
If you perform command line builds with Visual Studio 6.0, you can integrate static analysis by wrapping the build command line with an invocation of sourceanalyzer.
Consider the following example:
sourceanalyzer -b my_buildid msdev MyProject.dsp /MAKE "MyProject DEBUG" /REBUILD
This performs the translation phase on all files built by Visual Studio. Be sure to do a clean or a rebuild so that all files are included, as described in your Visual Studio documentation.
Translating Other Languages
This chapter describes how to translate other programming languages for analysis with Fortify SCA.
This section includes the following topics:
Command Line Syntax for Other Languages
Configuration Considerations
Command Line Syntax for Other Languages
This topic describes the Fortify SCA command syntax for translating other languages. The basic command line syntax for other languages is:
sourceanalyzer -b <build_id> <file_list>
SQL Note: By default, files with the extension .sql are assumed to be TSQL rather than PL/SQL on Windows platforms. If you are using Windows and have PL/SQL files with the .sql extension, you should configure
where:
<build_id> specifies the build ID for the project
<dir> specifies the root directory of the web application
<files|file specifiers> specifies the CFML source code files
ColdFusion Note: Fortify SCA calculates the relative path to each CFML source file by using the -source-base-dir directory as the starting point, then uses these relative paths when generating instance
Note: Windows and many Unix shells automatically try to expand arguments containing the '*' character, so file specifier expressions should be quoted. Also, on Windows, enter the backslash (\) instead of the forward slash (/).
Configuration Considerations
This section covers the following topics:
Configuring Python
Configuring ColdFusion
Configuring the SQL Extension
Configuring ASP/VBScript Virtual Roots
Configuring Python
Fortify SCA translates Python applications, and treats files with the extension .py as Python source code. In order for SCA to translate Python applications and prepare the application for a scan, SCA searches any import files for the application. SCA does not respect the PYTHONPATH environment variable, which the Python runtime system uses to find imported files, so this information should be given directly to SCA using the python-path argument. In addition, some applications add additional import directories during runtime initialization.
To add paths for additional import directories, use the sourceanalyzer command line option:
-python-path pathname
Note: SCA translates Python applications using all import files located in the directory path defined by the -python-path pathname option. Consequently, translation may take a significant amount of time to complete.
Configuring ColdFusion
In order to treat undefined variables in a CFML page as tainted, uncomment the following line in sca_install_dir\Core\config\fortifysca.properties:
#com.fortify.sca.CfmlUndefinedVariablesAreTainted=true
Configuring the SQL Extension
By default, files with the extension .sql are assumed to be TSQL rather than PL/SQL on Windows platforms. If you are using Windows and have PL/SQL files with the .sql extension, you should configure Fortify SCA to treat them as PL/SQL. To change the default behavior, set the com.fortify.sca.fileextensions.sql property in fortify-sca.properties to "TSQL" or "PLSQL".
Note: Fortify 360 v2.5 updates the PL/SQL parser to improve translation of PL/SQL source code. However, the existence of two different parsers can make merging results from pre-v2.5 and post-v2.5 difficult.
To revert to the older version of the PL/SQL parser, add the following property to the fortifysca.properties file:
com.fortify.sca.UseOldPlsql=true
Configuring ASP/VBScript Virtual Roots
Fortify SCA allows you to handle ASP virtual roots. For web servers that use virtual directories as aliases that map to physical directories, SCA allows you to use the alias.
The above ASP code refers to the actual directory, as follows:
C:\Webserver\CustomerOne\inc\Task1\foo.inc
The real directory replaces the virtual directory name Include in that instance.
Accommodating Virtual Roots
In order to indicate to SCA what each virtual directory is an alias for, you must set a property of the form com.fortify.sca.ASPVirtualRoots.name_of_virtual_directory as part of your command line invocation of SCA in the following manner:
sourceanalyzer -Dcom.fortify.sca.ASPVirtualRoots.name_of_virtual_directory=<full path to corresponding physical directory>
Note: On Windows, if the physical path has spaces in it, you must include the property setting in double quotes:
sourceanalyzer "-Dcom.fortify.sca.ASPVirtualRoots.name_of_virtual_directory=<full path to corresponding *physical* directory>"
To expand upon the example in the previous section, the property values that you must pass along should be:
-Dcom.fortify.sca.ASPVirtualRoots.Include=C:\WebServer\CustomerOne\inc
-Dcom.fortify.sca.ASPVirtualRoots.Library="C:\WebServer\CustomerTwo\Stuff"
Doing so causes the mapping of Include to its directory and Library to its directory.
When SCA encounters the include directive:
<!-- #include virtual="Include/Task1/foo.inc" -->
SCA will first check to see if your project contains a physical directory named Include. If there is no such physical directory, SCA looks through its own runtime properties and sees that:
-Dcom.fortify.sca.ASPVirtualRoots.Include="C:\WebServer\CustomerOne\inc"
Note: The previous version of the ASPVirtualRoots property is still valid, which you may use on the SCA command line as follows:
-Dcom.fortify.sca.ASPVirtualRoots=C:\WebServer\CustomerTwo\Stuff;C:\WebServer\CustomerOne\inc
This prompts SCA to search through the listed directories in the order specified when it is resolving a virtual include directive.
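The resolver below is an added example and is not part of the Fortify SCA User Guide or of SCA itself. It applies the lookup order the section describes for the per-name ASPVirtualRoots property (a physical directory under the project root with the virtual name wins; otherwise the named virtual root is substituted for the first path component) to #include virtual directives, and emits the matching -D options with the whole-option quoting the guide requires on Windows. Checking a mapping this way before a translation shows which includes SCA will be unable to resolve, which matters because an unresolved include is a file whose code never enters the program model. The property name com.fortify.sca.ASPVirtualRoots.<name> is the guide's; the mapping text format, the forward-slash sample paths, the project-root argument, and the function names are this script's own assumptions.

```shell
#!/usr/bin/env bash
# Added example; not part of the Fortify SCA User Guide and not SCA's code.
# Resolves "#include virtual" directives using the lookup order the guide
# gives for com.fortify.sca.ASPVirtualRoots.<name>: physical directory under
# the project root first, then the named virtual root. Assumptions of this
# script: the mapping lives in VIRTUAL_ROOTS as "name=physical_dir" lines,
# and paths use forward slashes so the example runs on a POSIX shell.

# Constructed mapping mirroring the two -D settings shown in this section.
VIRTUAL_ROOTS='Include=/srv/WebServer/CustomerOne/inc
Library=/srv/WebServer/CustomerTwo/Stuff'

# extract_virtual_paths: print the virtual="..." value of every
# "#include virtual" directive read on stdin, one per line.
extract_virtual_paths() {
    sed -n 's/.*#include[[:space:]]*virtual="\([^"]*\)".*/\1/p'
}

# resolve_virtual_include <project_root> <virtual path>
# Prints the physical file path. Returns 1 when neither a physical directory
# nor a virtual root matches the first path component, i.e. the include SCA
# would be unable to resolve with this mapping.
resolve_virtual_include() {
    local root="$1" vpath="${2#/}"        # a leading "/" is the site root
    local first="${vpath%%/*}" rest="${vpath#*/}"
    [ "$rest" = "$vpath" ] && rest=""     # no "/" at all: nothing after the name

    # 1. A real directory with the virtual name inside the project wins.
    if [ -d "$root/$first" ]; then
        printf '%s\n' "$root/$vpath"
        return 0
    fi

    # 2. Otherwise consult the named virtual roots, in the order given.
    local line name phys
    while IFS= read -r line; do
        name="${line%%=*}"
        phys="${line#*=}"
        if [ "$name" = "$first" ]; then
            printf '%s\n' "${phys}${rest:+/$rest}"
            return 0
        fi
    done <<EOF
$VIRTUAL_ROOTS
EOF
    return 1
}

# roots_to_sca_args: turn the mapping into the -D options sourceanalyzer
# expects, quoting each whole option as the guide requires for paths that
# contain spaces.
roots_to_sca_args() {
    local line
    printf '%s\n' "$VIRTUAL_ROOTS" | while IFS= read -r line; do
        printf '"-Dcom.fortify.sca.ASPVirtualRoots.%s=%s"\n' "${line%%=*}" "${line#*=}"
    done
}

# Stand-alone use: CHECK_ROOT=/path/to/project ./this_script.sh < page.asp
# prints one resolved path (or "UNRESOLVED <path>") per include directive.
if [ -n "${CHECK_ROOT:-}" ]; then
    extract_virtual_paths | while IFS= read -r v; do
        resolve_virtual_include "$CHECK_ROOT" "$v" || echo "UNRESOLVED $v"
    done
fi
```

Running the stand-alone mode over the project's .asp sources before the translation lists every include that the current mapping cannot satisfy, which is the same set SCA would leave out of the program model.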
Example: Using Virtual Roots
You have a file as follows:
C:\files\foo\bar.asp
You can specify this file by using the following include:
<!-- #include virtual="/foo/bar.asp" -->
Then you should set the virtual root as:
-Dcom.fortify.sca.ASPVirtualRoots=C:\files\foo
Other Language Command Line Examples
This section includes the following examples:
Example of Translating PL/SQL
Example of Translating TSQL
Example of Translating PHP
Example of Translating Classic ASP written with VBScript
Example of Translating JavaScript
Example of Translating VBScript File
Example of Translating PL/SQL
The following example demonstrates syntax for translating two PL/SQL files:
sourceanalyzer -b MyProject x.pks y.pks
The following example demonstrates how to translate all PL/SQL files under the sources directory:
sourceanalyzer -b MyProject "sources/**/*.pks"
Example of Translating TSQL
The following example demonstrates syntax for translating two TSQL files:
sourceanalyzer -b MyProject x.sql y.sql
The following example demonstrates how to translate all TSQL files under the sources directory:
sourceanalyzer -b MyProject "sources\**\*.sql"
Note: This example assumes the com.fortify.sca.fileextensions.sql property in fortifysca.properties is set to "TSQL".
Example of Translating PHP
To translate a single file named MyPHP.php, enter:
sourceanalyzer -b mybuild "MyPHP.php"
Example of Translating Classic ASP written with VBScript
To translate a single file named MyASP.asp, enter:
sourceanalyzer -b mybuild "MyASP.asp"
Example of Translating JavaScript
To translate all JavaScript files under the scripts directory, enter:
sourceanalyzer -b mybuild "scripts/*.js"
Example of Translating VBScript File
To translate a VB file named myApp.vb, enter:
sourceanalyzer -b mybuild "myApp.vb"
Translating COBOL Code
This section contains the following topics:
Supported Technologies
Preparing COBOL Source Files for Translation
COBOL Command Line Syntax
Auditing a COBOL Scan
Supported Technologies
Fortify SCA supports IBM Enterprise COBOL for IBM z/OS and is compatible with the following systems:
CICS
IMS
DB/2 embedded SQL
IBM WebSphere MQ
Preparing COBOL Source Files for Translation
Fortify SCA runs only on the supported systems listed in the Fortify System Requirements datasheet, not on mainframe computers. This means that before you can scan a COBOL program, you must copy the following program components to the system running Fortify SCA:
The COBOL source code
All copybook files used by the COBOL source code
All SQL INCLUDE files referenced by the COBOL source code
Preparing COBOL Source Code Files
If you are retrieving COBOL source files from a mainframe without .COB or .CBL file extensions (which is usually the case for COBOL file names), then you must use the following command line option:
-noextension-type COBOL <directory-file-path>
Specify the directory and folder with all COBOL files as the argument to SCA, and SCA will process all the files in that directory and folder without any need for COBOL file extensions.
Preparing COBOL Copybook Files
Fortify SCA does not identify copybooks by extension. All copybook files should therefore retain the names used in the COBOL source code COPY statements.
COBOL Command Line Syntax
Free format COBOL is the default translation and scanning mode for Fortify SCA. The basic syntax for translating a single free format COBOL source code file is:
sourceanalyzer -b <build-id>
The basic syntax for scanning a translated free format COBOL program is:
sourceanalyzer -b <build-id> -scan -f <FPR file name>
Working with Fixed Format COBOL
Fortify SCA also supports fixed format COBOL. When translating and scanning fixed format COBOL, both the translation and scanning command lines must include the -fixed-format command line option. For example, the translation line syntax would look like:
sourceanalyzer -b <build-id> -fixed-format
And the scanning line syntax would look like:
sourceanalyzer -b <build-id> -scan -fixed-format -f <FPR file name>
Searching for COBOL Copybooks
Use the -copydirs command line option to direct Fortify SCA to search a list of paths for copybooks and SQL INCLUDE files. For example, the command line syntax would look like the following:
sourceanalyzer -b coboltest -copydirs c:\cobol\copybooks
Auditing a COBOL Scan
After using the command line to scan the application, you can upload the resulting FPR file to Audit Workbench or Fortify 360 Server and audit the application's issues.
Fortify SCA does not currently support custom rules for COBOL applications.
Troubleshooting and Support
This chapter contains the following topics:
Troubleshooting
Reporting Bugs and Requesting Enhancements
Troubleshooting
This section contains the following troubleshooting topics:
Using the Log File to Debug Problems
Translation Failed Message
JSP Translation Problems
ASPX Translation Problems
C/C++ Precompiled Header Files
Using the Log File to Debug Problems
If you encounter warnings and problems when you run Fortify SCA, rerun Fortify SCA using the -debug option. This generates a file named sca.log in the following directory:
On Windows: C:\Documents and Settings\<username>\Local Settings\Application Data\Fortify\sca5.0\log
On other platforms: $HOME/.fortify/sca5.0/log
Email the sca.log file as a zip file to techsupport@fortify.com for further investigation.
Translation Failed Message
If your C/C++ application builds successfully but you see one or more "translation failed" messages when building with Fortify SCA, edit the <install_directory>/Core/config/fortify-sca.properties file to change the following line:
com.fortify.sca.cpfe.options= --remove_unneeded_entities --suppress_vtbl
to
com.fortify.sca.cpfe.options=-w --remove_unneeded_entities --suppress_vtbl
JSP Translation Problems
Fortify SCA uses either the built-in or your specific application server's JSP compiler to translate JSP files into Java files for analysis.
If the JSP parser encounters problems when Fortify SCA is converting JSP files to Java files for analysis, you will see a message similar to the following:
Failed to translate the following jsps into analysis model. Please see the log file for any errors from the jsp parser and the user manual for hints on fixing those <List of JSP file names>
This typically happens due to one or more of the following reasons:
To obtain more information about the problem, perform the following steps:
1. Open the Fortify SCA log file in an editor.
2. Search for the strings Jsp parser stdout: and Jsp parser stderr:. These errors are generated by the JSP parser that was used. Resolve the errors and rerun Fortify SCA.
For more information about scanning J2EE applications, see Translating J2EE Applications on page 8.
ASPX Translation Problems
Fortify SCA compiles ASPX files to DLLs for analysis as follows:
If you are using .NET 2.0 or later and Visual Studio 2005, using the Microsoft aspnet_compile compiler
If you are using .NET 1.1 and Visual Studio 2003, trying to fetch ASPX files one at a time from the web site
The compilation step can fail if:
You have access or authentication problems with accessing the web application
You are missing some required DLLs
In either case, you will see a message similar to the following:
Failed to translate the following aspx files into analysis model. Please see the log file for any errors from the aspx precompiler and the user manual for hints on fixing those. <List of ASPX file names>
If you are using the plugin, enable plugin debugging and examine the plugin log file for any errors generated by the ASPX precompiler.
If you are using the command line tool, fortify_aspnet_compiler, you should see the error messages on the console.
If you still cannot determine the cause of the problem, try to access some of the failed ASPX files from your browser and see what kind of errors display. If you see messages such as "cannot locate assembly", ensure that you have the missing DLLs and rerun Fortify SCA.
If you can access the failed ASPX files from the browser, but Fortify SCA still fails to scan them, contact Fortify Technical Support for additional help.
For more information about scanning ASP.NET applications, see Translating ASP.NET 1.1 (Visual Studio Version 2003) Projects on page 12.
C/C++ Precompiled Header Files
Some C/C++ compilers support a feature termed precompiled header files, which can speed up compilation. Some compilers' implementations of this feature have subtle side effects. When the feature is enabled, the compiler may accept erroneous source code without warnings or errors. This can result in a discrepancy where Fortify SCA reports translation errors even when your compiler does not.
If you use the precompiled header feature of your compiler, make sure your source code compiles cleanly by disabling precompiled headers and doing a full build.
Reporting Bugs and Requesting Enhancements
Feedback is critical to the success of this product. To request enhancements or patches, or to report bugs, send an email to Technical Support at:
techsupport@fortify.com
Platform: (such as PC)
OS: (such as Windows 2000)
Appendix: Managing Per Use Accounts
This chapter covers the following topics:
About the Fortify SCA Per Use Edition
Managing Your Portal User Account
Transferring Lines
About the Fortify SCA Per Use Edition
The Fortify SCA Per Use edition analyzes source code by the number of source code lines in a project. Your company purchases lines of code (LOC) packs from Fortify Software. The lines are stored in an account on the Per Use Portal. When you want to use Fortify SCA to analyze source code, you transfer lines from the online account to your local instance. Once transferred, those lines are unlocked and appear as available lines. Transferred lines can only be used by the instance of Fortify SCA that requested them.
Fortify SCA deducts lines for each project you analyze. When you run out of lines, you must get additional lines before you can scan another project. Transferring lines and creating a request file for transfers requires the following:
Company account on the Per Use Portal with available LOCs
Username and password for the Per Use Portal
Internet access
A Fortify SCA Per Use edition installed on your build machine
Managing Your Portal User Account
To use the Fortify SCA Per Use edition you must have a user account on the Fortify Per Use Portal. This account allows you to request lines.
The Per Use Portal administrator configures the user accounts and provides the Fortify SCA Per Use edition license key. When the administrator sets up an account, the default password is automatically emailed to you.
Your user profile includes:
Your username (email address) and password
Contact information, such as your telephone number
Record of lines allocated to your user account
Changing your Password
When the administrator sets up your account, the Fortify Software portal sends you an email that contains a default password and a link to the Fortify Per Use Portal. This section explains how to log in to the site and update your password.
To change your password:
1. Open the link in the email or enter the following URL:
https://per-use.fortify.com
Purchasing Additional Lines
A Fortify Software technical support representative can add lines to an existing account. Under some circumstances the technical support representative can also transfer lines back into the main account.
A technical support representative can only add lines if:
You are a licensed user of Fortify SCA Per Use edition
Your company has an account on the Fortify Per Use Portal
You have a user account
You are authorized to add lines to the account
Transferring Lines
This section explains how to transfer lines from the Per Use Portal account to Fortify SCA. The following is required to transfer lines:
Fortify SCA Per Use edition is installed on a build machine
You have an account on the Per Use Portal, http://per-use.fortify.com.
Your company has scan lines available in the account
Note: To purchase lines, contact Fortify Software technical support.
Transfer lines using one of the following methods:
Transferring Lines to a Machine with Internet Access
Transferring Lines to a Machine without Internet Access
Transferring Lines to a Machine with Internet Access
Users with Fortify SCA Per Use edition clients that have internet access can send requests to transfer lines from the per use account to their local client. If the lines are available, the lines are deducted from the account and transferred directly to the client.
After the transfer, the per use account shows the lines allocated. The local client shows the lines as available.
To request lines:
1. Enter the sourceanalyzer command with the following option:
sourceanalyzer -auth-request
2. Enter the information, including the number of lines, per use account username, and password. If the lines you requested are available, they are automatically transferred to your client.
Transferring Lines to a Machine without Internet Access
Users of offline Fortify SCA instances must manually generate a request file, transfer the file to a computer with Internet access, log in to the portal, and upload the request file. They must then download and install the corresponding response file to transfer lines from the account to Fortify SCA.
After the response file is created, the account shows the lines as allocated. However, the lines are not available on Fortify SCA until after the response file is downloaded and installed.
To transfer lines manually:
1. Generating a Request for Lines
2. Uploading the Request for Lines
3. Installing the Line Certificate
Generating a Request for Lines
For users of Fortify SCA that do not have internet access, generate a request file that contains the number of lines that you want to allocate.
To generate a request file:
1. Enter the sourceanalyzer command with the following option:
sourceanalyzer -auth-gen-request <request-file-name>
2. Follow the prompts to enter the request information. A request file is created in the directory where you ran the command.
Uploading the Request for Lines
When you upload a request file and the account has the lines available, a certificate file is created. The requested number of lines are deducted from the account. To complete the transfer, the user downloads the certificate and installs it.
To generate a line response file:
1. Copy the request file to a computer with internet access.
2. Log in to the Per Use Portal, http://peruse.fortify.com.
Note: Your username is your email address.
3. Click Request Lines.
Installing the Line Certificate
For offline Fortify SCA instances, manually install the certificate to add lines.
To transfer lines using the certificate file:
1. Copy the certificate to the machine where Fortify SCA is installed.
2. Enter the sourceanalyzer command with the following option:
sourceanalyzer -auth-import-response <response-file-name>
When the process completes, a message displays the number of lines available.
Appendix: Command Line Interface
This appendix describes the command line options available for Fortify Source Code Analyzer (Fortify SCA).
Command Line Options
This section lists and describes Fortify SCA command line options:
Output Options
Analysis Options
Python Option
ColdFusion Options
Java/J2EE Options
.NET Options
Build Integration Options
Runtime Options
Line Transfer Options
Other Options
Output Options
The following table describes the output options.
Table 4: Output Options
Option: Description
-append: Appends results to the file specified with -f. If this option is not specified, Fortify SCA adds the new findings to the FPR file, and labels the older result as previous findings. To use this option, the output file format must be .fpr or .fvdl. For information on the -format output option, see the description in this table.
Note: When -append is passed to SCA and the output file specified with the -f option contains the results of an earlier scan, the resulting FPR contains the issues from the earlier scan as well as issues from the current scan. The build information and program data (lists of sources and sinks) sections are also merged.
The engine data section, which includes rulepack information, command line options, system properties, warnings and errors, and other information about the execution of sourceanalyzer (as opposed to information about the program being analyzed), is not merged, in part because there is no way to meaningfully merge this data from multiple scans.
Because engine data is not merged with -append, Fortify does not certify results generated with -append.
In general, -append should only be used when it is not possible to analyze an entire application at once.
Table 4: Output Options (continued)
Option: Description
-build-label <label>: The label of the project being scanned. The label is not used by Fortify SCA but is included in the analysis results.
-build-project <project>: The name of the project being scanned. The name is not used by Fortify SCA but is included in the analysis results.
-build-version <version>: The version of the project being scanned. The version is not used by Fortify SCA but is included in the analysis results.
-f <file>: The file to which results are written. If you do not specify an output file, the output is written to the terminal.
-format <format>: Controls the output format. Valid options are fpr, fvdl, text, and auto. The default is auto, which selects the output format based on the file extension. Note: If you are using result certification, you must specify the fpr format. See the Audit Workbench User's Guide for information on result certification.
-html-report: Creates an HTML summary of the results produced. The output format must be .fpr. The report file is given the same base name as the results output file. Note: The HTML summary and the summary through Audit Workbench display differing numbers of issues. This is in part due to differing methodology for categorizing HIGH and LOW issues between the two types of reports. For a more detailed summary report of issues, use the ReportGenerator utility in the SCA bin directory.
Analysis Options
The following table describes the analysis options.
Table 5: Analysis Options
Option: Description
-disable-default-ruletype <type>: Disables all rules of the specified type in the default rulepacks. Can be used multiple times to specify multiple rule types. The value of type is the XML tag minus the suffix Rule. For example, use DataflowSource for DataflowSourceRule elements. You can also specify specific sections of characterization rules, such as Characterization:Controlflow, Characterization:Issue, and Characterization:Generic. Type is case insensitive.
-encoding: Specifies the encoding. SCA allows scanning a project that contains differently encoded source files. To work with a multi-encoded project, you must specify the -encoding option at the translation step, when SCA first reads the source code file. This encoding is remembered in the build session, and is propagated into the FVDL file.
-filter <file>: Specifies a results filter file. For information about filter files, see Creating a Filter File on page 49.
-findbugs: Enables FindBugs analysis for Java code. The Java class directories must have been specified with the -java-build-dir option, described in Java/J2EE Options on page 37.
-no-default-issue-rules: Disables rules in default rulepacks that lead directly to issues. Still loads rules that characterize the behavior of functions. Note: This is equivalent to disabling the following rule types: DataflowSink, Semantic, Controlflow, Structural, Configuration, Content, Statistical, Internal, and Characterization:Issue.
-no-default-rules: Specifies not to load rules from the default rulepacks. Fortify SCA processes the rulepacks for description elements and language libraries, but no rules are processed.
-no-default-source-rules: Disables source rules in the default rulepacks. Note: Characterization source rules are not disabled.
-no-default-sink-rules: Disables sink rules in the default rulepacks. Note: Characterization sink rules are not disabled.
-disable-source-bundling: Source files are not included in the FPR file.
-quick: Scans the project in Quick Scan Mode, using the fortifysca-quickscan.properties file. By default, this scan searches for high confidence, high severity issues. For more information about Quick Scan Mode, see the Audit Workbench User's Guide.
-rules [<file>|<directory>]: Specifies a custom rulepack or directory. Can be used multiple times to specify multiple rulepack files. If you specify a directory, all of the files in the directory with the .bin and .xml extensions are included.
Python Option
The following table describes the Python option.
Table 6: Python Option
Option: Description
-python-path <path name>: Specifies the path for additional import directories. By default, SCA uses the default PYTHONPATH variable on your system when searching for Python import files. However, some applications add additional import directories during runtime initialization. Use this option to specify additional import directories.
ColdFusion Options
The following table describes the ColdFusion options.
Table 7: ColdFusion Options
Option: Description
-source-base-dir: The web application's root directory.
-source-archive: The application's source archive repository. You must include the -scan and -f options to use this option.
Java/J2EE Options
The following table describes the Java/J2EE options.
Table 8: Java/J2EE Options
Option: Description
-appserver: Specifies the application server for processing JSP files: weblogic or websphere.
-appserver-home: Specifies the application server's home. For WebLogic, this is the path to the directory containing the server/lib directory. For WebSphere, this is the path to the directory containing the JspBatchCompiler script.
-appserver-version: Specifies the version of the application server. For WebLogic, valid values are 7, 8, 9, and 10. For WebSphere, the valid value is 6.
FortifySCAUserGuide
37
Table8:Java/J2EEOptions Java/J2EEOptions -cp <classpath>, -classpath <classpath> Description SpecifiestheclasspathtouseforanalyzingJavasourcecode. Theformatissameasjavac:acolonorsemicolonseparatedlist ofpaths.YoucanuseFortifySCAfilespecifiers. Note:Ifyoudonotspecifytheclasspathwiththisoption,the CLASSPATHenvironmentvariableisused. Similartothejavacextdirsoption,acceptsacolonor semicolonseparatedlistofdirectories.Anyjarfilesfoundin thesedirectoriesareincludedimplicitlyontheclasspath. SpecifiesoneormoredirectoriestowhichJavasourceshave beencompiled.MustbespecifiedforFindBugsresults,as describedinAnalysis Options on page 36. IndicateswhichversionoftheJDKtheJavacodeiswrittenfor. Validvaluesforversionare1.3,1.4,1.5,and1.6.The defaultis1.4. Specifiesthelocationofsourcefileswhichwillnotbeincluded inthescanbutwillbeusedfornameresolution.The sourcepathislikeclasspath,exceptitusessourcefilesrather thanclassfilesforresolution.
-extdirs <dirs>
-java-build-dir
-source <version>
-sourcepath
.NET Options

The following table describes the .NET options.

Table 9: .NET Options

-libdirs <dirs>
    Accepts a colon- or semicolon-separated list of directories where system DLLs are located.

-dotnet-sources <directory name>
    Specifies where to look for source files for additional information. This option is passed automatically by the Fortify SCA plugins and Audit Workbench, but when you run SCA manually you must provide it yourself.

(option name missing from this copy of the guide)
    This option causes SCA to attempt to find any .NET classes, enums, or interfaces that are not explicitly declared in the compiled project.

-vsversion <version>
    Specifies the Visual Studio version. Valid values for version are 7.1 for Visual Studio .NET 2003 and 8.0 for Visual Studio 2005; the default value is 7.1.
Build Integration Options

The following table describes the build integration options.

Table 10: Build Integration Options

-b <build_id>
    Specifies the build ID. The build ID is used to track which files are compiled and combined to be part of a build, and later to scan those files.

-bin <binary>
    Used with -scan to specify a subset of source files to scan. Only the source files that were linked into the named binary at build time are included in the scan. Can be used multiple times to include multiple binaries in the scan.

-exclude <file_pattern>
    Removes files from the list of files to translate.
    For example: sourceanalyzer -cp "**/*.jar" "**/*" -exclude "**/Test.java"
    Note: The -exclude option works when input files are specified on the command line; it does not work with compiler integration.

-nc
    When specified before a compiler command line, Fortify SCA processes the source file but does not run the compiler.
Directives

The following directives can be used to list information about translation steps that have been taken. Only one directive can be used at a time, and a directive cannot be combined with normal translation or analysis steps.

Table 11: Directives

-clean
    Deletes all Fortify SCA intermediate files and build records. When a build ID is also specified, only files and build records relating to that build ID are deleted.

-show-binaries
    Displays all objects that were created but not used in the production of any other binaries. If fully integrated into the build, it lists all of the binaries produced.

-show-build-ids
    Displays a list of all known build IDs.
    Note: This option may erase build IDs generated by previous versions of Fortify SCA.

-show-build-tree
    Displays all files used to create a binary and all files used to create those files, in a tree layout. If the -bin <binary> option is not present, the tree is displayed for each binary.
    Note: This option can generate an extensive amount of information.

-show-files
    Lists the files in the specified build ID. When the -bin option is present, displays only the source files that went into the binary.

-show-build-warnings
    Use with -b <build_id> to show all errors and warnings from the translation phase on the console.
    Note: These errors and warnings also display in the results certification panel of Audit Workbench.
Runtime Options

The following table describes the runtime options.

Table 12: Runtime Options

-auth-silent
    Available on the Fortify SCA Per Use edition only. Suppresses the prompt that displays the number of lines the scan requires to analyze the source code. With this option, the lines are deducted automatically.
    Note: If the scan requires more lines than are available, the scan fails with an error indicating how many additional lines are required.

-64
    Runs Fortify SCA under the 64-bit JRE. If no 64-bit JRE is available, Fortify SCA fails.

-logfile <file>
    Specifies the log file that is produced by Fortify SCA.

-quiet
    Disables the command line progress bar.

-verbose
    Sends verbose status messages to the console.

-Xmx<size>
    Specifies the maximum amount of memory used by Fortify SCA. By default, it uses up to 600 MB of memory (-Xmx600M), which can be insufficient for large code bases. When specifying this option, ensure that you do not allocate more memory than is physically available, because this degrades performance. As a guideline, assuming no other memory-intensive processes are running, do not allocate more than 2/3 of the available memory.
Line Transfer Options

The Fortify SCA Per Use edition has the following line transfer options. Table 13 describes the options to show the number of available lines and to transfer lines from the Per Use Portal account to a local instance of Fortify SCA.

Table 13: Line Transfer Options

-auth-gen-request <request-file-name>
    Creates a file that contains a request for lines.
    Note: You must manually upload the request file to the Per Use Portal to receive a response file that allocates lines to the Fortify SCA instance.

-auth-query
    Shows the number of lines available.

-auth-request
    Sends a request to transfer lines from the Per Use Portal account to the Fortify SCA instance. This option requires internet access.
    Note: If the account has insufficient lines, the request fails.

-auth-import-response <response-file-name>
    Installs a response file that allocates lines to the Fortify SCA instance.
    Note: The file can only be installed on the instance that generated the request.
Other Options

The following table describes other options.

Table 14: Other Options

@<filename>
    Reads command line options from the specified file.

-encoding <encoding_name>
    Specifies the source file encoding type. This option is the same as the javac encoding option.

-h, -?, -help
    Prints this summary of command line options.

-version
    Displays the version number.

-debug
    Enables debug mode, which is useful during troubleshooting.

-build-migration-map <old_fpr_file>
    Runs the Instance ID mapper at the end of a scan.
Specifying Files

File specifiers are expressions that allow you to easily pass a long list of files to Fortify SCA using wildcard characters. Fortify SCA recognizes two types of wildcard characters: '*' matches part of a filename, and '**' recursively matches directories. You can specify one or more files, one or more file specifiers, or a combination of files and file specifiers.

<files> | <file specifiers>

File specifiers can take the following forms:

Table 15: File Specifiers

<dirname>
    All files found under the named directory or any subdirectories

<dirname>/**/Example.java
    Any file named Example.java found under the named directory or any subdirectories

<dirname>/*.java
    Any file with the extension .java found in the named directory

<dirname>/**/*.java
    Any file with the extension .java found under the named directory or any subdirectories

<dirname>/**/*
    All files found under the named directory or any subdirectories (same as <dirname>)
Note: Windows and many Unix shells automatically try to expand arguments containing the '*' character, so file specifier expressions should be quoted. Also, on Windows, the backslash character (\) may be used as the directory separator instead of the forward slash (/).

File specifiers do not apply to the C or C++ languages.
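The following Python is an added example, not code from the guide or from Fortify. It implements the matching rules of Table 15 ('*' within one path component, '**' across directory components, a bare directory name meaning everything beneath it) so that you can preview which files a specifier would hand to sourceanalyzer. The sample file tree is constructed for the example; how sourceanalyzer itself evaluates specifiers is not shown in the guide, so treat the translation as an approximation of the documented behaviour.

```python
import re

# Added example (not Fortify's own code): previews which files a Fortify-style
# file specifier selects. '*' matches within one path component, '**' matches
# zero or more directory components, and a bare <dirname> selects everything
# under that directory.


def _normalize(path):
    """Treat Windows backslashes as directory separators, as the guide allows."""
    return path.replace("\\", "/").strip("/")


def specifier_to_regex(spec):
    """Translate a file specifier into an anchored regular expression."""
    spec = _normalize(spec)
    if "*" not in spec:
        # Bare <dirname>: all files under that directory or any subdirectory.
        return "^" + re.escape(spec) + "/.+$"
    parts = spec.split("/")
    pieces = []
    for i, part in enumerate(parts):
        last = i == len(parts) - 1
        if part == "**":
            # zero or more whole directory components, each followed by '/'
            pieces.append(".+" if last else "(?:[^/]+/)*")
            continue
        seg = "".join("[^/]*" if ch == "*" else re.escape(ch) for ch in part)
        pieces.append(seg if last else seg + "/")
    return "^" + "".join(pieces) + "$"


def matches(spec, path):
    """True if the given path would be selected by the specifier."""
    return re.match(specifier_to_regex(spec), _normalize(path)) is not None


def select_files(specifiers, paths):
    """Return the paths selected by any of the specifiers, in their original order."""
    regexes = [re.compile(specifier_to_regex(s)) for s in specifiers]
    return [p for p in paths if any(r.match(_normalize(p)) for r in regexes)]


# Constructed sample tree for illustration; not taken from the guide.
SAMPLE_PATHS = [
    "src/Example.java",
    "src/util/Example.java",
    "src/util/Helper.java",
    "src/util/Helper.class",
    "src/web/WEB-INF/web.xml",
    "lib/commons.jar",
]

if __name__ == "__main__":
    for spec in ("src", "src/**/Example.java", "src/*.java",
                 "src/**/*.java", "src/**/*", "**/*.jar"):
        print(f"{spec:22} -> {select_files([spec], SAMPLE_PATHS)}")
```

Run it with a quoted specifier, exactly as you would quote it for sourceanalyzer, and compare the selection against what the shell would have expanded if the quotes were missing; an unquoted "**/*.jar" that the shell expands to a single directory is a common reason a scan silently misses most of a code base.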
Appendix: Using the sourceanalyzer Ant Task

The sourceanalyzer Ant task provides a convenient way to integrate Fortify SCA into your Ant build. As discussed in Translating Java Code, translation of Java source files that are part of an Ant build is most easily accomplished using the SCA Compiler Adapter, which automatically captures input to javac task invocations. The sourceanalyzer task provides a convenient and flexible way to accomplish other translation tasks and to run analysis.

This section describes how to use the sourceanalyzer Ant task and provides an example of a sample build file with a self-contained analysis target. It contains the following topics:

Using the Ant sourceanalyzer Task
Ant properties
sourceanalyzer Task Options

Using the Ant sourceanalyzer Task

As with the SCA Compiler Adapter, using the sourceanalyzer task requires sourceanalyzer.jar to be on Ant's classpath, and the sourceanalyzer executable to be on the PATH.

The first step to using the sourceanalyzer task is to include a typedef in the build.xml file as follows:

    <typedef name="sourceanalyzer" classname="com.fortify.dev.ant.SourceanalyzerTask"/>

Note: Only Ant 1.6 and higher supports a top-level typedef of the sourceanalyzer task. For Ant 1.5 and lower, include the typedef in the target where the sourceanalyzer task is used.
    <antcall target="compile">
      <!-- Log SCA in separate file -->
      <param name="com.fortify.sca.Debug" value="${fortify.debug}"/>
      <param name="com.fortify.sca.Verbose" value="${fortify.verbose}"/>
      <param name="com.fortify.sca.LogFile"
             value="${code.build}/log/${sourceanalyzer.buildid}-${DSTAMP}${TSTAMP}.log"/>
      <param name="build.compiler" value="com.fortify.dev.ant.SCACompiler"/>
    </antcall>

    <!-- capture all configuration files in WEB-INF directory -->
    <echo>sourceanalyzer ${web-inf}</echo>
    <sourceanalyzer buildid="${sourceanalyzer.buildid}">
      <fileset dir="${web-inf}">
        <include name="**/*.properties"/>
        <include name="**/*.xml"/>
      </fileset>
    </sourceanalyzer>

    <!-- translate all jsp files -->
    <echo>sourceanalyzer ${basedir} jsp</echo>
    <sourceanalyzer buildid="${sourceanalyzer.buildid}">
      <fileset dir="${basedir}">
        <include name="**/*.jsp"/>
      </fileset>
      <classpath refid="jsp.classpath"/>
    </sourceanalyzer>

    <!-- run analysis -->
    <echo>sourceanalyzer scan</echo>
    <sourceanalyzer buildid="${sourceanalyzer.buildid}" scan="true" resultsfile="issues.fpr"/>
  </target>
Ant properties

Any Ant property that begins with com.fortify is relayed to the sourceanalyzer task via -D. For example, setting the com.fortify.sca.ProjectRoot property results in -Dcom.fortify.sca.ProjectRoot=<value> being passed to the sourceanalyzer task. This is also used for the SCA Compiler adapter. These properties can be set either in the build file, using the <property> task for example, or on the Ant command line using the -D<property>=<value> syntax.

When using the SCA Compiler adapter via the build.compiler setting, the sourceanalyzer.buildid Ant property is equivalent to the buildID attribute of the sourceanalyzer task, and sourceanalyzer.maxHeap is equivalent to maxHeap. You can use either the command line or your build script to set these properties.
sourceanalyzer Task Options

The following table contains the command line options for the sourceanalyzer task. Path values use colon (:) or semicolon (;) delimited lists of filenames. Each entry gives the task attribute, the equivalent sourceanalyzer command line option, and a description.

Table 16: Sourceanalyzer Task Command Line Options

append / -append
    Appends results to the file specified with the -f option. If this option is not specified, Fortify SCA overwrites the file.
    Note: To use this option, the output file format must be .fpr or .fvdl. For information on the -format output option, see the format entry in this table.

appserver / -appserver
    Specifies the application server. Valid options are weblogic or websphere.

appserverHome / -appserver-home
    Specifies the application server's home directory.
    For WebLogic, this is the path to the directory containing the server/lib directory.
    For WebSphere, this is the path to the directory containing the bin/JspBatchCompiler script.

appserverVersion / -appserver-version <version_number>
    Specifies the version of the application server.
    For WebLogic: versions 7, 8, 9, and 10.
    For WebSphere: version 6.

bootclasspath / -bootclasspath <classpath>
    Specifies the JDK bootclasspath.

buildID / -b <build_ID>
    Specifies the build ID. The build ID is used to track which files are compiled and linked as part of a build, and later to scan those files.

buildLabel / -build-label <build_label>
    Specifies the label of the project being scanned. The label is not used by Fortify SCA but is included in the analysis results.

buildProject / -build-project <project_name>
    Specifies the name of the project being scanned. The name is not used by Fortify SCA but is included in the analysis results.

buildVersion / -build-version <version>
    The version of the project being scanned. The version is not used by Fortify SCA but is included in the analysis results.

classpath / -cp <classpath>
    Specifies the classpath to be used for Java source code. The format is the same as javac (a colon- or semicolon-separated list of paths).

clean / -clean
    Resets the build ID. The default value is false.

debug / -debug
    Enables debug mode, which is useful during troubleshooting.

disableAnalyzers / -disable-analyzer <list_of_analyzers>
    Takes a colon-delimited list of analyzers so that you can disable multiple analyzers at once if necessary.

enableAnalyzers / -enable-analyzer <list_of_analyzers>
    Takes a colon-delimited list of analyzers so that you can enable multiple analyzers at once if necessary.

encoding / -encoding <encoding_type>
    Specifies the source file encoding type. This option is the same as the javac encoding option.

extdirs / -extdirs <list_of_dirs>
    Similar to the javac extdirs option, accepts a colon- or semicolon-separated list of directories. Any jar files found in these directories are included implicitly on the classpath.

filter / -filter <file>
    Specifies the filter file.

findbugs / -findbugs
    Setting this to true enables FindBugs analysis. The default value is false.

format / -format <format>
    Controls the output format. Valid options are fpr, fvdl, text, and auto. The default is auto, which selects the output format based on the file extension.
    Note: If you are using results certification, you must specify the fpr format. See the Audit Workbench User's Guide for information on results certification.

htmlReport / -html-report
    Specifies the creation of an HTML summary of the results produced. The output format must be fpr or fvdl. The report file is given the same base name as the results output file. The default value is false.
    Note: The HTML summary and the summary through Audit Workbench display differing numbers of issues. This is in part due to differing methodology for categorizing HIGH and LOW issues between the two types of reports. For a more detailed summary report of issues, use the \AWB\FPRUtility tool.

javaBuildDir / -java-build-dir <directory>
    Specifies one or more directories to which Java sources have been compiled. Must be specified for the findbugs option, as described above.

jdk / -source <value>
    Indicates which version of the JDK the Java code is written for. Valid values for this option are 1.3, 1.4, 1.5, and 1.6. The default is 1.4.
    Note: The source and jdk options are the same. If both options are specified, the option that is specified last takes precedence.

(attribute name missing from this copy of the guide)
    Specifies the JDK bootclasspath.

logfile / -logfile <file>
    Specifies the log file that is produced by Fortify SCA.

maxHeap / -Xmx<size>
    Specifies the maximum amount of memory used by Fortify SCA. By default, it uses up to 600 MB of memory (600M), which can be insufficient for large code bases. When specifying this option, ensure that you do not allocate more memory than is physically available, because this degrades performance. As a guideline, assuming no other memory-intensive processes are running, do not allocate more than 2/3 of the available memory.

noDefaultRules / -no-default-rules
    Specifies that Fortify SCA should not apply default rules when scanning.

quick / -quick
    Launches an SCA quick scan instead of a regular scan. Set the value to true to launch a quick scan.

resultsfile / -f <file>
    The file to which the results are written.

rules / -rules <file>
    Takes a list of rules files, delimited by the path separator (a semicolon (;) on Windows and a colon (:) on other platforms). For each element in this list, SCA is passed the -rules <file> option.

scan / -scan
    Determines whether Fortify SCA should perform analysis on the provided build ID. The default value is false.

source / -source <value>
    Indicates which version of the JDK the Java code is written for. Valid values for this option are 1.3, 1.4, 1.5, and 1.6. The default is 1.4.
    Note: The source and jdk options are the same. If both options are specified, the option that is specified last takes precedence.

sourcepath / -sourcepath <directory>
    Specifies the location of source files which will not be included in the scan but will be used for resolution.

use64bit / -64
    Runs Fortify SCA under the 64-bit JRE. If no 64-bit JRE is available, Fortify SCA fails.

verbose / -verbose
    Sends verbose status messages to the console.
Appendix: Advanced Options

This chapter describes the following advanced options:

Creating a Filter File
Using Properties to Control Runtime Options

Creating a Filter File

You can create a text file for filtering out particular vulnerability instances, rules, and vulnerability categories when you run the sourceanalyzer command. The file is specified by the -filter analysis option.

Note: Fortify Software recommends that you only use this feature if you are an advanced user, and that you do not use this feature during standard audits, because auditors should be able to see and evaluate all issues found by Fortify SCA.

The following result set displays, showing 12 detected issues.
    [F7A138CDE5235351F6A4405BA4AD7C54 : low : Unchecked Return Value : semantic ]
        Fortify SCA 360 v2.1/Samples/basic/eightball/EightBall.java(12) : Reader.read()

    [F7A138CDE5235351F6A4405BA4AD7C53 : low : Unchecked Return Value : semantic ]
        Fortify SCA 5.2/Samples/basic/eightball/EightBall.java(12) : Reader.read()

    [EFE997D3683DC384056FA40F6C7BD0E9 : medium : Path Manipulation : dataflow ]
        Fortify SCA 5.2/Samples/basic/eightball/EightBall.java(12) : ->new FileReader(0)
        ->EightBall.main(0)
        Fortify SCA 5.2/Samples/basic/eightball/EightBall.java(6) : <=> (filename)
        Fortify SCA 5.2/Samples/basic/eightball/EightBall.java(4) :

    [EFE997D3683DC384056FA40F6C7BD0E8 : medium : Path Manipulation : dataflow ]
        Fortify SCA 360 v2.1/Samples/basic/eightball/EightBall.java(12) : ->new FileReader(0)

    [60AC727CCEEDE041DE984E7CE6836177 : medium : Unreleased Resource : Streams : controlflow ]
        Fortify SCA 360 v2.1/Samples/basic/eightball/EightBall.java(12) : start -> loaded : new FileReader(...)
        Fortify SCA 360 v2.1/Samples/basic/eightball/EightBall.java(12) : loaded -> loaded : <inline expression> refers to an allocated resource
        Fortify SCA 360 v2.1/Samples/basic/eightball/EightBall.java(12) : java.io.IOException thrown
        Fortify SCA 360 v2.1/Samples/basic/eightball/EightBall.java(12) : loaded -> loaded : throw
        Fortify SCA 360 v2.1/Samples/basic/eightball/EightBall.java(12) : loaded -> loaded : <inline expression> no longer refers to an allocated resource
        Fortify SCA 360 v2.1/Samples/basic/eightball/EightBall.java(12) : loaded -> end_of_scope : end scope : Resource leaked : java.io.IOException thrown
        Fortify SCA 360 v2.1/Samples/basic/eightball/EightBall.java(12) : start -> loaded : new FileReader(...)
        Fortify SCA 360 v2.1/Samples/basic/eightball/EightBall.java(12) : loaded -> loaded : <inline expression> refers to an allocated resource
        Fortify SCA 360 v2.1/Samples/basic/eightball/EightBall.java(14) : loaded -> loaded : <inline expression> no longer refers to an allocated resource
        Fortify SCA 360 v2.1/Samples/basic/eightball/EightBall.java(14) : loaded -> end_of_scope : end scope : Resource leaked

    [60AC727CCEEDE041DE984E7CE6836178 : medium : Unreleased Resource : Streams : controlflow ]
        Fortify SCA 5.2/Samples/basic/eightball/EightBall.java(12) : start -> loaded : new FileReader(...)
        Fortify SCA 5.2/Samples/basic/eightball/EightBall.java(12) : loaded -> loaded : <inline expression> refers to an allocated resource
        Fortify SCA 5.2/Samples/basic/eightball/EightBall.java(12) : java.io.IOException thrown
        Fortify SCA 5.2/Samples/basic/eightball/EightBall.java(12) : loaded -> loaded : throw
        Fortify SCA 5.2/Samples/basic/eightball/EightBall.java(12) : loaded -> loaded : <inline expression> no longer refers to an allocated resource
        Fortify SCA 5.2/Samples/basic/eightball/EightBall.java(12) : loaded -> end_of_scope : end scope : Resource leaked : java.io.IOException thrown
        Fortify SCA 5.2/Samples/basic/eightball/EightBall.java(12) : start -> loaded : new FileReader(...)
        Fortify SCA 5.2/Samples/basic/eightball/EightBall.java(12) : loaded -> loaded : <inline expression> refers to an allocated resource
        Fortify SCA 5.2/Samples/basic/eightball/EightBall.java(14) : loaded -> loaded : <inline expression> no longer refers to an allocated resource
        Fortify SCA 5.2/Samples/basic/eightball/EightBall.java(14) : loaded -> end_of_scope : end scope : Resource leaked

    [BB9F74FFA0FF75C9921D0093A0665BEB : low : J2EE Bad Practices : Leftover Debug Code : structural ]
        Fortify SCA 360 v2.1/Samples/basic/eightball/EightBall.java(4)

    [FF0D787110C7AD2F3ACFA5BEB6E951C3 : low : Poor Logging Practice : Use of a System Output Stream : structural ]
        Fortify SCA 360 v2.1/Samples/basic/eightball/EightBall.java(10)

    [FF0D787110C7AD2F3ACFA5BEB6E951C4 : low : Poor Logging Practice : Use of a System Output Stream : structural ]
        Fortify SCA 360 v2.1/Samples/basic/eightball/EightBall.java(13)

    [BB9F74FFA0FF75C9921D0093A0665BEC : low : J2EE Bad Practices : Leftover Debug Code : structural ]
        Fortify SCA 5.2/Samples/basic/eightball/EightBall.java(4)

    [FF0D787110C7AD2F3ACFA5BEB6E951C5 : low : Poor Logging Practice : Use of a System Output Stream : structural ]
        Fortify SCA 5.2/Samples/basic/eightball/EightBall.java(10)

    [FF0D787110C7AD2F3ACFA5BEB6E951C6 : low : Poor Logging Practice : Use of a System Output Stream : structural ]
        Fortify SCA 5.2/Samples/basic/eightball/EightBall.java(13)
The test_filter.txt file used in this example contains the following text:

    #This is a category that will be filtered from scan output
    Poor Logging Practice
    #This is an instance ID of a specific issue to be filtered from scan
    #output
    60AC727CCEEDE041DE984E7CE6836177
    #This is a specific Rule ID that leads to the reporting of a specific
    #issue in
    #the scan output: in this case the data flow sink for a Path Manipulation
    #issue.
    823FE039-A7FE-4AAD-B976-9EC53FFE4A59

You can create a file to test the filtered output by copying the above text into a file. The following command is executed using the -filter option to specify test_filter.txt:

    [C:\Program Files\Fortify Software\Fortify SCA 5.0\Samples\basic\eightball]>sourceanalyzer -b eightball -scan -filter test_filter.txt

The following result set displays:

    [F7A138CDE5235351F6A4405BA4AD7C53 : low : Unchecked Return Value : semantic ]
        EightBall.java(12) : Reader.read()
    [BB9F74FFA0FF75C9921D0093A0665BEB : low : J2EE Bad Practices : Leftover Debug Code : structural ]
        EightBall.java(4)
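The following Python is an added example, not code from the guide or from Fortify. It parses a filter file in the format shown above and applies the three kinds of entry (category, instance ID, rule ID) to the issue headers of a text result set, so a reviewer can see exactly which findings a filter suppresses before it is handed to -filter. Two things are assumptions rather than documented behaviour: the guide does not say how sourceanalyzer tells the line types apart, so the code classifies a 32-character hex string as an instance ID, a GUID as a rule ID, and anything else as a category; and text output carries no rule IDs, so the single issue-to-rule mapping used here is constructed for the example.

```python
import re

# Added example (not Fortify's own code): applies a -filter file to the
# issue headers of a sourceanalyzer text result set. Line classification
# (32 hex chars = instance ID, GUID = rule ID, otherwise a category) is an
# assumption that matches the commented example file in the guide.

INSTANCE_ID_RE = re.compile(r"^[0-9A-Fa-f]{32}$")
RULE_ID_RE = re.compile(r"^[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$")
# "[<instance id> : <severity> : <category[ : subcategory]> : <analyzer> ]"
HEADER_RE = re.compile(r"^\[([0-9A-Fa-f]{32}) : (\w+) : (.+?) : (\w+)\s*\]")


def parse_filter(text):
    """Split filter-file lines into (categories, instance_ids, rule_ids)."""
    categories, instance_ids, rule_ids = set(), set(), set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # '#' lines are comments
            continue
        if INSTANCE_ID_RE.match(line):
            instance_ids.add(line.upper())
        elif RULE_ID_RE.match(line):
            rule_ids.add(line.upper())
        else:
            categories.add(line)
    return categories, instance_ids, rule_ids


def parse_issue_headers(result_text):
    """Extract the bracketed issue headers from sourceanalyzer text output."""
    issues = []
    for line in result_text.splitlines():
        m = HEADER_RE.match(line.strip())
        if m:
            issues.append({"id": m.group(1).upper(), "severity": m.group(2),
                           "category": m.group(3), "analyzer": m.group(4)})
    return issues


def category_matches(filter_category, issue_category):
    """A top-level category in the filter also covers its subcategories."""
    return (issue_category == filter_category
            or issue_category.startswith(filter_category + " : "))


def apply_filter(issues, filter_text, rule_id_by_instance):
    """Return the issues that survive the filter, in their original order."""
    categories, instance_ids, rule_ids = parse_filter(filter_text)
    kept = []
    for issue in issues:
        if issue["id"] in instance_ids:
            continue
        if rule_id_by_instance.get(issue["id"], "").upper() in rule_ids:
            continue
        if any(category_matches(c, issue["category"]) for c in categories):
            continue
        kept.append(issue)
    return kept


# The filter file from the guide.
FILTER_TEXT = """\
#This is a category that will be filtered from scan output
Poor Logging Practice
#This is an instance ID of a specific issue to be filtered from scan
#output
60AC727CCEEDE041DE984E7CE6836177
#This is a specific Rule ID that leads to the reporting of a specific
#issue in
#the scan output: in this case the data flow sink for a Path Manipulation
#issue.
823FE039-A7FE-4AAD-B976-9EC53FFE4A59
"""

# Issue headers taken from the unfiltered result set above (one copy of each).
RESULT_TEXT = """\
[F7A138CDE5235351F6A4405BA4AD7C54 : low : Unchecked Return Value : semantic ]
[EFE997D3683DC384056FA40F6C7BD0E8 : medium : Path Manipulation : dataflow ]
[60AC727CCEEDE041DE984E7CE6836177 : medium : Unreleased Resource : Streams : controlflow ]
[BB9F74FFA0FF75C9921D0093A0665BEB : low : J2EE Bad Practices : Leftover Debug Code : structural ]
[FF0D787110C7AD2F3ACFA5BEB6E951C3 : low : Poor Logging Practice : Use of a System Output Stream : structural ]
[FF0D787110C7AD2F3ACFA5BEB6E951C4 : low : Poor Logging Practice : Use of a System Output Stream : structural ]
"""

# Text output carries no rule IDs, so this mapping is constructed for the
# example: only the Path Manipulation issue is tied to the sink rule in the filter.
RULE_ID_BY_INSTANCE = {
    "EFE997D3683DC384056FA40F6C7BD0E8": "823FE039-A7FE-4AAD-B976-9EC53FFE4A59",
}


def surviving_ids():
    """Instance IDs that remain after applying FILTER_TEXT to RESULT_TEXT."""
    issues = parse_issue_headers(RESULT_TEXT)
    return [i["id"] for i in apply_filter(issues, FILTER_TEXT, RULE_ID_BY_INSTANCE)]


if __name__ == "__main__":
    for issue_id in surviving_ids():
        print(issue_id)
```

Note that a bare top-level category such as Poor Logging Practice removes every subcategory beneath it, which is why both Use of a System Output Stream findings disappear; a filter intended for one subcategory should name it in full. Reviewing the surviving and suppressed IDs side by side is the check the note above asks for, since issues removed by a rule ID leave no trace in the filtered output.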
Using Properties to Control Runtime Options

You can use properties to define runtime options for Fortify SCA, including analysis, output, and performance tuning options. These properties can be set in four different places:

fortify-sca.properties contains the global set of default properties
fortify.properties (for Windows installations) or .fortify.properties (for non-Windows installations) contains your locally defined properties
On the command line, by specifying -D<property_name>=<property_value>
fortify-sca-quickscan.properties contains the set of properties that are used when SCA runs in Quick Scan mode

The fortify-sca.properties and fortify-sca-quickscan.properties files are located in the <install_directory>/Core/config directory. The fortify.properties file is located in either your Windows user directory or your Unix home directory. You can edit all properties files directly.

Specifying the Order of Properties

Fortify SCA processes properties in a specific order, using this order to override any previously set properties with the values that you specify. Keep this processing order in mind when making changes to the properties files. Property definitions are processed in the following order:

Properties specified on the command line have the highest precedence and can be specified during any scan.
Properties specified in the fortify-sca-quickscan.properties file are processed second, but only when the -quick option is used to operate in Quick Scan mode. If Quick Scan is not invoked, this file is ignored.
Properties specified in the local fortify.properties file are processed third. Change values in this file on a scan-by-scan basis to fine-tune your installation.
Properties specified in the global fortify-sca.properties file are processed last. Edit this file if you want to change the property values on a more permanent basis for all scans.
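The following Python is an added example, not code from the guide or from Fortify; it models the precedence order above so that you can predict the effective value of a property for a given command line. Each layer is read with a minimal Java .properties parser (comments, key=value or key:value, backslash continuation lines), which is an approximation of the real format rather than SCA's own loader. The file contents are constructed excerpts; the two limiter values are the defaults quoted in the properties table later in this appendix.

```python
# Added example (not Fortify's own code): resolves the effective value of a
# Fortify SCA property from the four layers the guide describes, lowest
# precedence first: global fortify-sca.properties < local fortify.properties
# < fortify-sca-quickscan.properties (only with -quick) < -D on the command line.


def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comments, key=value or
    key:value, and trailing-backslash continuation lines."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]          # logical line continues on the next line
            continue
        idx = min((line.find(c) for c in "=:" if c in line), default=-1)
        key, value = (line, "") if idx < 0 else (line[:idx], line[idx + 1:])
        props[key.strip()] = value.strip()
    return props


def parse_d_options(argv):
    """Collect -D<name>=<value> definitions from a sourceanalyzer command line."""
    props = {}
    for arg in argv:
        if arg.startswith("-D") and "=" in arg:
            name, value = arg[2:].split("=", 1)
            props[name] = value
    return props


def resolve_properties(argv, quickscan_text, local_text, global_text):
    """Apply the layers from lowest to highest precedence so later ones win."""
    resolved = dict(parse_properties(global_text))
    resolved.update(parse_properties(local_text))
    if "-quick" in argv:
        resolved.update(parse_properties(quickscan_text))
    resolved.update(parse_d_options(argv))
    return resolved


# Constructed excerpts standing in for the three files.
GLOBAL_TEXT = """\
# <install_directory>/Core/config/fortify-sca.properties (constructed excerpt)
com.fortify.sca.limiters.MaxChainDepth=5
com.fortify.sca.limiters.MaxFieldDepth=4
com.fortify.sca.Appserver.Version=9
"""

QUICKSCAN_TEXT = """\
# <install_directory>/Core/config/fortify-sca-quickscan.properties (constructed excerpt)
com.fortify.sca.limiters.MaxChainDepth=4
"""

LOCAL_TEXT = r"""
# ~/.fortify.properties (constructed)
com.fortify.sca.Appserver.Version = 10
com.fortify.sca.DisableDefaultRuleTypes=DataflowSource:\
    DataflowSink
"""


def effective(argv):
    """Effective property set for a sourceanalyzer argument list."""
    return resolve_properties(argv, QUICKSCAN_TEXT, LOCAL_TEXT, GLOBAL_TEXT)


def effective_chain_depth(argv):
    return effective(argv)["com.fortify.sca.limiters.MaxChainDepth"]


if __name__ == "__main__":
    for argv in (["-b", "app", "-scan"],
                 ["-b", "app", "-scan", "-quick"],
                 ["-b", "app", "-scan", "-quick",
                  "-Dcom.fortify.sca.limiters.MaxChainDepth=8"]):
        print(" ".join(argv), "->", effective_chain_depth(argv))
```

The practical point of the model is the quick-scan layer: a value tuned in the local file is silently overridden by fortify-sca-quickscan.properties whenever -quick is present, and only a -D on the command line outranks that file.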
Table 18: Fortify Properties

com.fortify.sca.Appserver.Home
    Default value: (none)
    Specifies the application server's home.
    For WebLogic, this is the path to the directory containing the server/lib directory.
    For WebSphere, this is the path to the directory containing the bin/JspBatchCompiler script.

com.fortify.sca.Appserver.Version
    Default value: (none)
    Specifies the version of the application server.
    For WebLogic, valid values are 7, 8, 9, and 10.
    For WebSphere, the valid value is 6.

com.fortify.sca.fileextensions.*
    Default value: (none)
    Controls how Fortify SCA handles files with given extensions. See fortify-sca.properties for examples.

com.fortify.sca.DisableDefaultRuleTypes
    Default value: (none)
    Disables the specified type of rule in the default rulepacks, where type is the XML tag minus the suffix Rule. For example, use DataflowSource for DataflowSourceRule elements. You can also specify specific sections of characterization rules, such as Characterization:Controlflow, Characterization:Issue, and Characterization:Generic. Type is case insensitive. Use a colon-delimited list to specify multiple types of rules.

com.fortify.sca.NoDefaultSinkRules
    Default value: (none)
    If true, disables sink rules in the default rulepacks.
    Note: Characterization sink rules are not disabled.

com.fortify.sca.limiters.MaxFieldDepth
    Default value: 4
    Controls the maximum granularity of taint tracking through data structure member fields. This value is the number of nested fields through which taint will be tracked before the entire structure is considered tainted. Increasing this value improves the accuracy of analysis by reducing false positives, and normally increases analysis time.

com.fortify.sca.limiters.MaxChainDepth
    Default value: 5. Quick Scan value: 4.
    Controls the maximum call depth through which the dataflow analyzer tracks tainted data. Increasing this value increases the coverage of dataflow analysis, and results in longer analysis times.
    Note: In this case, call depth refers to the maximum call depth on a dataflow path between a taint source and sink, rather than call depth from the program entry point, such as main().
Appendix: Fortify SCA Memory Tuning

Fortify Source Code Analyzer can report OutOfMemory errors during a Fortify SCA scan. These errors are the result of Java heap exhaustion, Java permanent generation exhaustion, or native heap exhaustion. Use the following sections to identify these errors and resolve them:

Java Heap Exhaustion
Java Permanent Generation Exhaustion
Native Heap Exhaustion

Java Heap Exhaustion

Java heap exhaustion is the most common type of memory problem that occurs during Fortify SCA scans. It happens when the Java virtual machine that Fortify SCA is using for a scan has been started with an insufficiently large value for the maximum heap size.

Error Message

You can identify Java heap exhaustion by the following error messages, which Fortify SCA displays in the log file and command line output:

Listing 1: Java Heap Exhaustion Messages

    There is not enough memory available to complete analysis. For details on making more memory available, please consult the user manual.
    java.lang.OutOfMemoryError: Java heap space
    java.lang.OutOfMemoryError: GC overhead limit exceeded

Resolution

You can resolve a Java heap exhaustion problem by allocating more heap space to the virtual machine that Fortify SCA is using when starting the scan. By default, Fortify SCA runs with a maximum heap value of 600 MB. Increase this value by using the -Xmx command line argument when running a Fortify SCA scan.

Before adjusting this parameter, determine the maximum allowable value for the Java heap space. This value depends on the following factors:

Available physical memory
Virtual address space limitations

The following example runs a Fortify SCA scan with 1 GB available for the Java heap:

Listing 3: Java Heap Exhaustion Example 2

    > sourceanalyzer -Xmx1G
Physical Memory

Do not allow Fortify SCA to use more memory than is physically available in the environment. Doing so leads to disk swapping and significantly degrades Fortify SCA performance.

To determine available physical memory, start by determining how much total physical memory (RAM) is installed on the system. Subtract from this value an allowance for the operating system (200 MB is a good guess, although it varies by OS). If the system will be dedicated to running SCA, you are done. If the system resources will be shared with other memory-intensive processes, an allowance should also be subtracted for those other processes. Note that other processes that are resident but not active while SCA is running can be swapped to disk by the operating system and do not need to be accounted for.

Virtual Address Space

By default, Fortify SCA runs as a 32-bit process. All 32-bit processes are subject to virtual address space limitations, the specifics of which depend on the underlying operating system.

You can run Fortify SCA in 64-bit mode on 64-bit capable hardware. In 64-bit mode, virtual address space limitations are not a factor and Java heap space is limited only by available physical memory. Although it is slightly more memory efficient to run Fortify SCA in 32-bit mode, you should activate 64-bit mode if a large heap is required for a scan.

Activate 64-bit mode by passing the -64 argument to Fortify SCA on the command line:

Listing 4: 64-bit Mode Argument

    > sourceanalyzer -64
Java Permanent Generation Exhaustion

Java maintains a memory region separate from the main heap, called the permanent generation. In rare cases, this memory region fills up during a scan, causing an OutOfMemory error.

Error Message

You can identify permanent generation exhaustion by the following error message, which Fortify SCA displays in the log file and command line output:

Listing 6: Java Permanent Generation Exhaustion Error Message

    java.lang.OutOfMemoryError: PermGen space

Resolution

Permanent generation exhaustion is resolved by increasing the maximum size of the permanent generation. You can tune the permanent generation size by passing the -XX:MaxPermSize argument to the Fortify SCA command line, as in the following example:

Listing 7: Java Permanent Generation Exhaustion Example

    > sourceanalyzer -XX:MaxPermSize=128M
Native Heap Exhaustion

Native heap exhaustion is a very rare scenario in which the Java virtual machine is able to allocate the Java memory regions on startup, but is left with so few resources (either virtual address space or physical memory) for its native operations (such as garbage collection) that it eventually encounters a fatal memory allocation failure that immediately terminates the process.

Error Message

You can identify native heap exhaustion by an abnormal termination of the Fortify SCA process, which Fortify SCA displays in the command line output:

Listing 8: Native Heap Exhaustion Error Messages

    # A fatal error has been detected by the Java Runtime Environment:
    #
    # java.lang.OutOfMemoryError: requested ... bytes for GrET ...

Because this is a fatal Java virtual machine error, it is usually accompanied by an error log created in the working directory, named as follows: hs_err_pidNNN.log.

Resolution

The resolution to this type of problem is slightly counterintuitive. Because the problem is a result of overcrowding within the process, the resolution is to reduce the amount of memory used for the Java memory regions (Java heap and Java permanent generation). Reducing either of these values should reduce the crowding problem and enable the scan to complete successfully.
Appendix: Acknowledgements

Fortify Software acknowledges the following:

Java Run Time Environment

Java Run Time Environment

The Fortify Source Code Analyzer distribution CD-ROM media includes the Sun Java Run Time Environment (JRE). The following statements are included to comply with the terms of JRE distribution.

This product includes code licensed from RSA Security, Inc.
Some portions licensed from IBM are available at http://oss.software.ibm.com/icu4j/.
Index

Symbols
    .NET command line options 38
    @filename option 41

A
    analysis command line options 36
    analyzing: .NET 11; .NET 1.1 11; .NET 2.0 11; ASP.NET 1.1 12; ColdFusion 21; J2EE 8; JSP files 8; Visual Studio .NET 2003 11; Visual Studio 2005 11
    Ant task parameters 43
    ASP.NET 1.1, analyzing 12

B
    build scan options 18
    build integration command line options 38
    Build Monitor: configuring 18; example 19; options 17; overview 17; results folder 18; scan options 18; starting 19
    builds, monitoring 19

C
    C and C++ command line examples 15
    ColdFusion: analyzing 21; command line options 37; command line syntax 21
    command line examples: .NET 11; C and C++ 15
    command line options: .NET 38; analysis 36; build integration 38; ColdFusion 37; debug 41; encoding 41; help 41; Java/J2EE 37; other 41; output 34; runtime 40; version 41
    command line syntax: ColdFusion 21; Java 6, 21
    configuring: Build Monitor 18; results folder 18
    creating filter files 49

D
    debug option 41

E
    encoding option 41
    example, Build Monitor 19

F
    file specifiers 21, 41
    filter files, creating 49
    FindBugs, integrating with 10
    Fortify SCA Properties 52

J
    J2EE: analyzing 8; command line options 37
    Java: command line options 37; command line syntax 6, 21; file specifiers 21, 41
    JSP files, analyzing 8

O
    options, Build Monitor 17
    output command line options 34
    overview, Build Monitor 17

P
    properties file 52

R
    runtime properties 52

T
    task parameters 43
    touchless build adapter 15
    translating: Classic ASP 21; JavaScript 21; other languages 21; PHP 21; PLSQL 21; SQL 21; TSQL 21; VB 6 21; VBScript 21