
Fortify SCA User Guide

Fortify 360, Version 2.6 May 2010

Copyright 2010 Fortify Software, Inc. All Rights Reserved. Printed in the United States of America.
Fortify Software, Inc.
2215 Bridgepointe Pkwy.
Suite 400
San Mateo, CA 94404

Fortify Software, Inc. (Fortify) and its licensors retain all ownership rights to this document (the Document). Use of the Document is governed by applicable copyright law. Fortify may revise this Document from time to time without notice.

THIS DOCUMENT IS PROVIDED AS IS WITHOUT WARRANTY OF ANY KIND. IN NO EVENT SHALL FORTIFY BE LIABLE FOR INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY KIND ARISING FROM ANY ERROR IN THIS DOCUMENT, INCLUDING WITHOUT LIMITATION ANY LOSS OR INTERRUPTION OF BUSINESS, PROFITS, USE OR DATA. FORTIFY RESERVES THE RIGHT TO MODIFY OR REMOVE ANY OF THE FEATURES OR COMPONENTS DESCRIBED IN THIS DOCUMENT FROM THE FINAL PRODUCT, WITHOUT NOTICE.

Fortify is a registered trademark of Fortify Software, Inc.
Brand and product names in this Document are trademarks of their respective owners.
Part Number: 111320100520261

Table of Contents

Preface ... vii
    Contacting Fortify Software ... vii
        Technical Support ... vii
        Corporate Headquarters ... vii
        Web Site ... vii
    About the Fortify 360 Documentation Set ... vii
Introduction ... 1
    Overview of Fortify SCA ... 1
    Overview of the Analyzers ... 1
    Overview of the Analysis Phases ... 3
        Example of Analysis Commands ... 3
        Memory Considerations ... 3
        Translation Phase ... 3
        Fortify SCA Per Use License Only, Verifying Available Lines ... 4
        Analysis Phase ... 4
        Verification of the Translation and Analysis Phase ... 5
Translating Java Code ... 6
    Java Command Line Syntax ... 6
    Java Command Line Examples ... 7
    Integrating with Ant using the Fortify Ant Compiler Adapter ... 7
    Translating J2EE Applications ... 8
        Working with JSP Projects ... 8
        XML Configuration Files ... 8
        Call Graph ... 9
    Handling Resolution Warnings ... 9
        Java Warnings ... 9
        J2EE Warnings ... 9
    Using FindBugs ... 10
Translating .NET Source Code ... 11
    Visual Studio .NET ... 11
    Translating Simple .NET Applications ... 11
    Translating ASP.NET 1.1 (Visual Studio Version 2003) Projects ... 12
    Handling Resolution Warnings ... 13
        .NET Warnings ... 13
        ASP.NET Warnings ... 14
Translating C/C++ Code ... 15
    C and C++ Command Line Syntax ... 15
FortifySCAUserGuide i

    C and C++ Command Line Examples ... 15
    Integrating with Make ... 15
        Using the Fortify Touchless Build Adapter ... 15
        Modifying a Makefile to Invoke Fortify SCA ... 16
    Using Fortify Build Monitor ... 17
        Fortify Build Monitor Overview ... 17
        Configuring Fortify Build Monitor ... 18
        Monitoring Builds ... 19
        Example of Monitoring a Project ... 19
    Visual Studio .NET ... 20
    Visual Studio 6.0 ... 20
Translating Other Languages ... 21
    Command Line Syntax for Other Languages ... 21
    Configuration Considerations ... 22
        Configuring Python ... 22
        Configuring ColdFusion ... 22
        Configuring the SQL Extension ... 22
        Configuring ASP/VBScript Virtual Roots ... 22
        Other Language Command Line Examples ... 24
            Example of Translating PL/SQL ... 24
            Example of Translating TSQL ... 24
            Example of Translating PHP ... 24
            Example of Translating Classic ASP written with VBScript ... 25
            Example of Translating JavaScript ... 25
            Example of Translating VBScript File ... 25
    Translating COBOL Code ... 25
        Supported Technologies ... 25
        Preparing COBOL Source Files for Translation ... 25
        COBOL Command Line Syntax ... 26
        Auditing a COBOL Scan ... 26
Troubleshooting and Support ... 27
    Troubleshooting ... 27
        Using the Log File to Debug Problems ... 27
        Translation Failed Message ... 27
        JSP Translation Problems ... 27
        ASPX Translation Problems ... 28
        C/C++ Precompiled Header Files ... 29
    Reporting Bugs and Requesting Enhancements ... 29
Appendix: Managing Per Use Accounts ... 30
    About the Fortify SCA Per Use Edition ... 30
    Managing Your Portal User Account ... 31


        Changing your Password ... 31
    Purchasing Additional Lines ... 31
    Transferring Lines ... 31
        Transferring Lines to a Machine with Internet Access ... 32
        Transferring Lines to a Machine without Internet Access ... 32
Appendix: Command Line Interface ... 34
    Command Line Options ... 34
        Output Options ... 34
        Analysis Options ... 36
        Python Option ... 37
        ColdFusion Options ... 37
        Java/J2EE Options ... 37
        .NET Options ... 38
        Build Integration Options ... 38
        Directives ... 39
        Runtime Options ... 40
        Line Transfer Options ... 40
        Other Options ... 41
    Specifying Files ... 41
Appendix: Using the sourceanalyzer Ant Task ... 43
    Using the Ant sourceanalyzer Task ... 43
    Ant properties ... 44
    sourceanalyzer Task Options ... 45
Appendix: Advanced Options ... 49
    Creating a Filter File ... 49
        EightBall.java(4) ... 52
    Using Properties to Control Runtime Options ... 52
        Specifying the Order of Properties ... 52
Appendix: Fortify SCA Memory Tuning ... 59
    Java Heap Exhaustion ... 59
        Error Message ... 59
        Resolution ... 59
    Java Permanent Generation Exhaustion ... 61
        Error Message ... 61
        Resolution ... 61
    Native Heap Exhaustion ... 62
        Error Message ... 62
        Resolution ... 62
Appendix: Acknowledgements ... 63


    Java Run Time Environment ... 63
Index ... 64


Preface
This guide describes how to use Fortify Source Code Analyzer.

Contacting Fortify Software
If you have questions or comments about any part of this guide, contact Fortify Software at:

Technical Support
650.358.5679
techsupport@fortify.com

Corporate Headquarters
2215 Bridgepointe Pkwy.
Suite 400
San Mateo, CA 94404
650.358.5600
contact@fortify.com

Web Site
http://www.fortify.com

About the Fortify 360 Documentation Set
The Fortify 360 documentation set contains installation, user, and deployment guides for various 360 components, including Fortify 360 Server and analyzers, as well as other documentation pertaining to the use of Fortify 360. Updated versions of the documentation and release notes that describe new features and known issues are also available on the Fortify Customer Portal.


Introduction
This chapter contains the following sections:
- Overview of Fortify SCA
- Overview of the Analyzers
- Overview of the Analysis Phases

Overview of Fortify SCA
Fortify Source Code Analyzer (SCA) is a set of software security analyzers that search for violations of security-specific coding rules and guidelines in a variety of languages. The rich data provided by Fortify SCA language technology enables the analyzers to pinpoint and prioritize violations so that fixes can be fast and accurate. The analysis information produced by SCA helps you deliver more secure software, as well as making security code reviews more efficient, consistent, and complete. This is especially advantageous when large code bases are involved. The modular architecture of SCA allows you to quickly upload new, third-party, and customer-specific security rules.

At the highest level, using Fortify SCA involves:
1. Choosing to run SCA as a stand-alone process or integrating Fortify SCA as part of the build tool
2. Translating the source code into an intermediate translated format, preparing the code base for scanning by the different analyzers
3. Scanning the translated code, producing security vulnerability reports
4. Auditing the results of the scan, either by transferring the resulting FPR file to Audit Workbench or Fortify 360 Server for analysis, or directly with the results displayed on screen

Note: For information on transferring results to Audit Workbench and creating customer-specific security rules, see the Audit Workbench User's Guide.

Overview of the Analyzers
Fortify SCA comprises five distinct analyzers: data flow, control flow, semantic, structural, and configuration. Each analyzer accepts a different type of rule specifically tailored to provide the information necessary for the corresponding type of analysis performed. Rules are definitions that identify elements in the source code that may result in security vulnerabilities or are otherwise unsafe.

Rules are organized according to the analyzer that uses them, resulting in rules that are specific to the data flow, control flow, semantic, structural, and configuration analyzers. These rule categories are further divided to reflect the category of the issue or type of information represented by the rule.

The installation process downloads and updates the set of rules used by SCA on your system. Fortify updates the specific rules contained within the Fortify Secure Code Rulepack on a regular basis. The Fortify Customer Portal offers updated rulepacks.

The following table lists and describes each Fortify source code analyzer.


Table 1: Fortify Source Code Analyzers

Analyzer: Data Flow
Description: The data flow analyzer detects potential vulnerabilities that involve tainted data (user-controlled input) put to potentially dangerous use. The data flow analyzer uses global, inter-procedural taint propagation analysis to detect the flow of data between a source (site of user input) and a sink (dangerous function call or operation). For example, the data flow analyzer detects whether a user-controlled input string of unbounded length is being copied into a statically sized buffer, and detects whether a user-controlled string is being used to construct SQL query text.

Analyzer: Control Flow
Description: The control flow analyzer detects potentially dangerous sequences of operations. By analyzing control flow paths in a program, the control flow analyzer determines whether a set of operations are executed in a certain order. For example, the control flow analyzer detects time-of-check/time-of-use issues and uninitialized variables, and checks whether utilities, such as XML readers, are configured properly before being used.

Analyzer: Semantic
Description: The semantic analyzer detects potentially dangerous uses of functions and APIs at the intra-procedural level. Its specialized logic searches for buffer overflow, format string, and execution path issues, but is not limited to these categories. A call to any potentially dangerous function can be flagged by the semantic analyzer. For example, the semantic analyzer detects deprecated functions in Java and unsafe functions in C/C++, such as gets().

Analyzer: Structural
Description: The structural analyzer detects potentially dangerous flaws in the structure or definition of the program. By understanding the way programs are structured, the structural analyzer identifies violations of secure programming practices and techniques that are often difficult to detect through inspection because they encompass a wide scope involving both the declaration and use of variables and functions. For example, the structural analyzer detects assignment to member variables in Java servlets, identifies the use of loggers that are not declared static final, and flags instances of dead code that will never be executed because of a predicate that is always false.

Analyzer: Configuration
Description: The configuration analyzer searches for mistakes, weaknesses, and policy violations in an application's deployment configuration files. For example, the configuration analyzer checks for reasonable timeouts in user sessions in a web application.


Overview of the Analysis Phases
Fortify SCA performs source code analysis in the following phases:
- Build Integration: The first phase of source code analysis involves making a decision whether to integrate SCA into the build compiler system.
- Translation: Source code gathered using a series of commands is translated into an intermediate format which is associated with a build ID. The build ID is usually the name of the project being scanned.
- Analysis: Source files identified during the translation phase are scanned and an analysis results file, typically in the Fortify project (FPR) format, is generated. FPR files are indicated by the .fpr file extension.
- Verification of the translation and analysis: Ensure that the source files were scanned using the correct rulepacks and that no significant errors were reported.

Example of Analysis Commands
The following is an example of the sequence of commands you use to analyze code:
> sourceanalyzer -b <build_id> -clean
> sourceanalyzer -b <build_id> ...
> sourceanalyzer -b <build_id> -scan -f results.fpr

Additional Confirmation for Fortify SCA Per Use
The following shows the additional sequence of commands when using Fortify SCA with a per use license to analyze code:
Running this scan will deduct <number-of-lines> scan lines from your account.
Would you like to proceed? [y/n] y
<number-of-lines> scan lines deducted. <number-of-lines> remaining

Note: You can run the scan in silent mode, which suppresses the prompt and automatically deducts lines, by using the command line option -auth-silent, or by setting the com.fortify.sca.PPSSilent property to true.

Memory Considerations
By default, Fortify SCA uses up to 600 MB of memory. If this is not sufficient to analyze a particular code base, you might have to provide more memory in the scan phase. This can be done by passing the -Xmx option to the sourceanalyzer command. For example, to make 1000 MB available to Fortify SCA, include the option -Xmx1000M. You can also use the SCA_VM_OPTS environment variable to set the memory allocation.

Note: Do not allocate more memory for Fortify SCA than the machine has available, because this will degrade performance. As a guideline, assuming that no other memory-intensive processes are running, do not allocate more than 2/3 of the available physical memory.
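The clean/translate/scan sequence above and the 2/3-of-physical-memory guideline, put together as an added Python wrapper; this is example code, not part of the guide or of Fortify's tooling. It assumes a conservative build-ID alphabet and only executes anything if a sourceanalyzer binary is on the PATH; otherwise it just builds the argument lists.

```python
"""Build the clean / translate / scan command sequence from the guide, sizing the
scan heap by the 2/3-of-physical-memory guideline.

Added example, not Fortify's code. Only run_pipeline() executes anything, and
only if a sourceanalyzer binary is on PATH; the other functions build argv lists."""
import re
import shutil
import subprocess

DEFAULT_HEAP_MB = 600   # the guide's default scan allocation
HEAP_FRACTION = 2 / 3   # guideline: at most 2/3 of available physical memory

# Conservative build-ID alphabet (assumption): keeps shell metacharacters and
# path separators out of the ID, which sourceanalyzer also uses in file names.
_BUILD_ID = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]*$")


def heap_mb(physical_mb, requested_mb=DEFAULT_HEAP_MB):
    """Return the -Xmx value in MB: the requested size, capped at 2/3 of physical RAM."""
    if physical_mb <= 0 or requested_mb <= 0:
        raise ValueError("memory sizes must be positive")
    cap = int(physical_mb * HEAP_FRACTION)
    return min(int(requested_mb), cap)


def analysis_commands(build_id, sources, classpath=None, heap=DEFAULT_HEAP_MB,
                      output="results.fpr"):
    """Return the three sourceanalyzer argv lists: -clean, translate, -scan.

    `sources` may hold Fortify file specifiers such as "src/**/*.java"; they are
    passed through unexpanded because sourceanalyzer expands them itself (so do
    not let a shell glob them first). The -Xmx option goes on the scan phase,
    which is where the guide says extra memory is needed."""
    if not _BUILD_ID.match(build_id):
        raise ValueError("unsafe build ID: %r" % build_id)
    if not sources:
        raise ValueError("no source files or specifiers given")
    base = ["sourceanalyzer", "-b", build_id]
    translate = list(base)
    if classpath:
        translate += ["-cp", classpath]
    translate += list(sources)
    scan = ["sourceanalyzer", "-Xmx%dM" % heap, "-b", build_id, "-scan", "-f", output]
    return [base + ["-clean"], translate, scan]


def verification_commands(build_id):
    """Commands to run after translation and before -scan: warnings, then file list."""
    return [["sourceanalyzer", "-b", build_id, "-show-build-warnings"],
            ["sourceanalyzer", "-b", build_id, "-show-files"]]


def run_pipeline(build_id, sources, physical_mb, requested_mb=DEFAULT_HEAP_MB, **kw):
    """Run clean, translate, the verification directives and the scan, aborting on
    the first non-zero exit. Returns the commands run, or [] if sourceanalyzer is
    not installed."""
    if shutil.which("sourceanalyzer") is None:
        return []
    heap = heap_mb(physical_mb, requested_mb)
    clean, translate, scan = analysis_commands(build_id, sources, heap=heap, **kw)
    ran = []
    for cmd in [clean, translate] + verification_commands(build_id) + [scan]:
        subprocess.run(cmd, check=True)   # argv passed as-is, no shell involved
        ran.append(cmd)
    return ran


if __name__ == "__main__":
    # Constructed sample mirroring the guide's Java example: 4 GB machine, 1000 MB asked.
    for cmd in analysis_commands("MyProject", ["src/**/*.java"], classpath="lib/*.jar",
                                 heap=heap_mb(4096, 1000)):
        print(" ".join(cmd))
```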

Translation Phase
The basic command line syntax for performing the first analysis phase, translating the files, is:
sourceanalyzer -b <build_id> ...

The translation phase consists of one or more invocations of Fortify SCA using the sourceanalyzer command. A build ID (-b <build_id>) is used to tie together the invocations. Subsequent invocations of sourceanalyzer add any newly specified source or configuration files to the file list associated with the build ID.


At the end of translation, you can use -show-build-warnings to list all warnings and errors that were encountered during the translation process:
sourceanalyzer -b <build_id> -show-build-warnings

To view all of the files associated with a particular build ID, use the -show-files directive:
sourceanalyzer -b <build_id> -show-files

The following chapters describe how to translate different types of source code:
- Translating Java Code
- Translating .NET Source Code
- Translating C/C++ Code
- Translating Other Languages, such as ColdFusion, Classic ASP and JavaScript

Fortify SCA Per Use License Only, Verifying Available Lines
When using Fortify SCA with a per use license, the basic command line syntax to display the number of available lines is:
sourceanalyzer -auth-query

For translated projects, display the total number of lines required to analyze the project using the -show-loc option. Fortify SCA counts lines of code (LOC) in a project that are executable, and excludes lines such as comments and blank lines. The command to display the number of lines is:
sourceanalyzer -b <build_id> -show-loc

If the number of available lines is less than the amount required to analyze the project, request lines from the Per Use Portal account before continuing with the analysis phase. See Managing Per Use Accounts on page 30 for details.

Analysis Phase
This topic describes the syntax for the analysis phase: scanning the intermediate files created during the translation and creating the analysis results file. The phase consists of one invocation of sourceanalyzer. You specify the build ID and include the -scan directive and any required analysis or output options.

Note: By default, Fortify SCA includes the source code in the FPR.

The basic command line syntax for the analysis phase is:
sourceanalyzer -b <build_id> -scan -f results.fpr

The command line syntax to silently analyze a project for Fortify SCA with a per use license is:
sourceanalyzer -b <build-id> -auth-silent -scan -f results.fpr

This runs the scan without the prompt to deduct the lines. For more information about the command line options, see Command Line Interface on page 34.

Additional Steps for Fortify SCA Per Use
If you are using Fortify SCA with a per use license, Fortify SCA displays the number of lines required to scan the project and prompts you before deducting the lines. Enter y (yes) to continue with the scan as follows:
Running this scan will deduct <number-of-lines> scan lines from your account.
Would you like to proceed? [y/n] y
<number-of-lines> scan lines deducted. <number-of-lines> remaining


Note: You can rescan a set of translated files. This allows you to scan the same project with different rules, updated rulepacks, and/or scan settings without using additional scan lines.

Verification of the Translation and Analysis Phase
The Result Certification feature of Audit Workbench verifies that the analysis is complete. Result certification shows specific information about the code scanned by Fortify SCA, including:
- List of files scanned, with file sizes and timestamps
- Java classpath used for the translation
- List of rulepacks used for the analysis
- List of Fortify SCA runtime settings and command line arguments
- List of errors or warnings encountered during translation or analysis
- Machine/platform information

To view result certification information, open the FPR file in Audit Workbench and select Tools > Project Summary > Certification.


Translating Java Code
This chapter describes how to translate Java source code for analysis with Fortify SCA. The following topics are included:
- Java Command Line Syntax
- Java Command Line Examples
- Integrating with Ant using the Fortify Ant Compiler Adapter
- Translating J2EE Applications
- Using FindBugs

Java Command Line Syntax
This topic describes the Fortify SCA command syntax for translating Java source code. The basic command line syntax for Java is:
sourceanalyzer -b <build_id> -cp <classpath> <file_list>

With Java code, Fortify SCA can either emulate the compiler, which may be convenient for build integration, or accept source files directly, which is more convenient for command line scans.

Note: For a description of all the options you can use with the sourceanalyzer command, see Command Line Interface on page 34.

To have Fortify SCA emulate the compiler, enter:
sourceanalyzer -b <build_id> javac [<translation options>]

To pass files directly to Fortify SCA, enter:
sourceanalyzer -b <build_id> -cp <classpath> [<translation options>] <files>|<file specifiers>

where:
<translation options>
    are options passed to the compiler.
-cp <classpath>
    specifies the classpath to be used for the Java source code. A classpath is a list of build directories and jar files. The format is the same as expected by javac (colon- or semicolon-separated list of paths). You can use Fortify SCA file specifiers. For example:
    -cp "build/classes:lib/*.jar"
    Note: If you do not specify the classpath with this option, the CLASSPATH environment variable is used.

For more information, see Java/J2EE Options on page 37. For information about file specifiers, see Specifying Files on page 41.


Java Command Line Examples
To translate a single file named MyServlet.java with j2ee.jar on the classpath, enter:
sourceanalyzer -b MyServlet -cp lib/j2ee.jar MyServlet.java

To translate all .java files in the src directory using all jar files in the lib directory as a classpath:
sourceanalyzer -b MyProject -cp "lib/*.jar" "src/**/*.java"

To translate and compile the MyCode.java file while using the javac compiler:
sourceanalyzer -b mybuild javac -classpath libs.jar MyCode.java

Integrating with Ant using the Fortify Ant Compiler Adapter
Fortify SCA provides an Ant Compiler Adapter that you can use as an easy way to translate Java source files if your project uses an Ant build file. This integration requires setting only two Ant properties, and can be done on the command line without modifying the Ant build.xml file. When the build runs, Fortify SCA intercepts all javac task invocations and translates the Java source files as they are compiled. Note that any JSP files, configuration files, or any other non-Java source files that are part of the application need to be translated in a separate step.

The following steps must be taken to use the Compiler Adapter:
- The sourceanalyzer executable must be on the system PATH.
- sourceanalyzer.jar (located in Core/lib) must be on Ant's classpath.
- The build.compiler property must be set to com.fortify.dev.ant.SCACompiler.
- The sourceanalyzer.buildid property must be set to the build ID.

The following examples show how to run an Ant build using the Compiler Adapter without modifying the build file:
ant -Dbuild.compiler=com.fortify.dev.ant.SCACompiler -Dsourceanalyzer.buildid=MyBuild -lib <install_dir>/Core/lib/sourceanalyzer.jar

The -lib option is only available in Ant version 1.6 or higher. In older versions you must set the CLASSPATH environment variable or copy sourceanalyzer.jar to Ant's lib directory. Alternatively, with Ant 1.6 or newer, the following shorthand can be used to run Ant with the compiler adapter:
sourceanalyzer -b <build-id> ant [ant-options]

By default, 600 MB of memory is allocated to Fortify SCA for translation. Increase the memory allocation when using the Ant Compiler Adapter using the -Dsourceanalyzer.maxHeap option as follows:
ant -Dbuild.compiler=com.fortify.dev.ant.SCACompiler -Dsourceanalyzer.buildid=MyBuild -lib <install_directory>/Core/lib/sourceanalyzer.jar -Dsourceanalyzer.maxHeap=1000M


Translating J2EE Applications
Translating J2EE applications involves processing Java source files, J2EE components such as JSP files, deployment descriptors such as web.xml, and configuration files such as struts-config.xml. The steps include:
1. Translating the Java files. Refer to the samples earlier in this chapter.
2. Translating the JSP files. Refer to the sample below.
3. Processing the configuration files. An example is:
sourceanalyzer -b my_buildid "mydirectory/myfile.xml"

Working with JSP Projects
To translate JSP files, Fortify SCA requires that the JSP files are in a standard Web Application Archive (WAR) layout. If your source directory is already organized in a WAR layout, you can translate JSP files directly from the source directory. If this is not the case, you may need to deploy your application and translate the JSP files from the deployment directory.

If your JSP files use any tag libraries, such as JSTL, ensure that the libraries' jar files are in the WEB-INF/lib directory. Otherwise, the JSP compiler will not resolve the tag libraries and could produce incorrect results.

By default, Fortify SCA uses a version of the Jasper JSP compiler to compile JSP files into Java files during the translation phase. However, if your web application is developed specifically for an application server, you must use the JSP compiler for that application server when performing the translation. To support this, Fortify SCA provides the following command line options:
-appserver
    supported values: weblogic/websphere
-appserver-home
    For Weblogic, the path to the directory containing the server/lib directory
    For WebSphere, the path to the directory containing the bin/JspBatchCompiler script
-appserver-version
    supported values: Weblogic versions 7, 8, 9, and 10; WebSphere version 6

If you are using an application server that is not listed, use the default internal Fortify JSP compiler. For example:
sourceanalyzer -b my_buildid -cp "WEB-INF/lib/*.jar" "WEB-INF/**/*.jsp"

XML Configuration Files
Fortify SCA uses the web.xml configuration file during the project scan for the following information:
- servlet tags
- servlet mapping tags
- filter tags
- filter mapping tags
- error page tags

These tags are used to determine how the servlets and filters defined in the .java and .jsp files are connected. If a struts servlet is detected, Fortify SCA extracts the configuration file to process the following top-level tags:
- form beans
- global forwards
- action mappings

This data connects struts actions to follow how taint may propagate through an application.

Call Graph
Using data from the XML and struts configuration files, Fortify SCA builds a call graph to track potential taint from servlet to servlet and to struts actions. For information about what is extracted from the configuration files, see XML Configuration Files.

Handling Resolution Warnings
To see all warnings that were generated during your build, enter the following command before you start the scan phase:
sourceanalyzer -b <build_id> -show-build-warnings

Java Warnings
You may see the following warnings for Java:
Unable to resolve type...
Unable to resolve function...
Unable to resolve field...
Unable to locate import...
Unable to resolve symbol...
Multiple definitions found for function...
Multiple definitions found for class...

These warnings are typically caused by missing resources. For example, some of the .jar and class files required to build the application have not been specified. To resolve the warnings, make sure that you have included all of the required files that your application uses.

J2EE Warnings
You may see the following warnings for J2EE applications:
Could not locate the root (WEB-INF) of the web application. Please build your web application and try again.
Failed to parse the following jsp files: <list of .jsp file names>

This warning displays because your Web application is not deployed in the standard WAR directory format or does not contain the full set of required libraries. To resolve the warning, ensure that your web application is in an exploded WAR directory format with the correct WEB-INF/lib and WEB-INF/classes directories containing all of the .jar and .class files required for your application. You should also verify that you have all of the TLD files for all of the tags that you have and the corresponding .jar files with their tag implementations.
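An added Python helper (example code, not part of the guide or Fortify's tooling) that triages the Java and J2EE warnings listed above from saved -show-build-warnings output and pre-checks the exploded WAR layout that the JSP section requires. The sample warning text and the assumption that each "Unable to resolve" line ends with the unresolved name are constructed, since the guide abbreviates the messages with "...".

```python
"""Triage `sourceanalyzer -b <build_id> -show-build-warnings` output and pre-check
the exploded WAR layout that JSP translation needs.

Added example, not Fortify's code. Warning prefixes are the ones quoted in the
guide; the sample output and the trailing-name format are constructed assumptions."""
import os
import tempfile
from collections import Counter

# Java resolution warnings (guide): usually a .jar or .class file was not given.
JAVA_WARNINGS = (
    "Unable to resolve type",
    "Unable to resolve function",
    "Unable to resolve field",
    "Unable to locate import",
    "Unable to resolve symbol",
    "Multiple definitions found for function",
    "Multiple definitions found for class",
)
# J2EE warnings (guide): web app not in exploded WAR layout or missing libraries.
J2EE_WARNINGS = (
    "Could not locate the root (WEB-INF) of the web application",
    "Failed to parse the following jsp files",
)

# Constructed sample of -show-build-warnings output (not real tool output).
SAMPLE_WARNINGS = """\
Unable to resolve type javax.servlet.http.HttpServletRequest
Unable to resolve function getParameter
Unable to resolve type org.apache.struts.action.ActionForm
Could not locate the root (WEB-INF) of the web application. Please build your web application and try again.
Failed to parse the following jsp files: login.jsp, account.jsp
"""


def classify_warnings(text):
    """Count warning lines per family ("java" / "j2ee") and per message prefix.
    Returns (counts, unmatched) so that unknown lines are not silently dropped."""
    counts, unmatched = Counter(), []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        matched = False
        for family, prefixes in (("java", JAVA_WARNINGS), ("j2ee", J2EE_WARNINGS)):
            hit = next((p for p in prefixes if line.startswith(p)), None)
            if hit is not None:
                counts[family] += 1
                counts[family + ":" + hit] += 1
                matched = True
                break
        if not matched:
            unmatched.append(line)
    return counts, unmatched


def unresolved_names(text):
    """Names from 'Unable to resolve/locate ...' lines, to find the jar each lives in.
    Assumes the name is the last whitespace-separated token (constructed format)."""
    names = set()
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("Unable to resolve ") or line.startswith("Unable to locate "):
            names.add(line.split()[-1])
    return sorted(names)


def war_layout_problems(root):
    """Problems with an exploded WAR directory that would trigger the J2EE warnings:
    no WEB-INF root, no web.xml, no WEB-INF/classes, or no .jar in WEB-INF/lib
    (tag libraries such as JSTL must be there or the JSP compiler cannot resolve them)."""
    web_inf = os.path.join(root, "WEB-INF")
    if not os.path.isdir(web_inf):
        return ["no WEB-INF directory: not an exploded WAR layout"]
    problems = []
    if not os.path.isfile(os.path.join(web_inf, "web.xml")):
        problems.append("missing WEB-INF/web.xml")
    if not os.path.isdir(os.path.join(web_inf, "classes")):
        problems.append("missing WEB-INF/classes")
    lib = os.path.join(web_inf, "lib")
    if not os.path.isdir(lib):
        problems.append("missing WEB-INF/lib")
    elif not any(name.endswith(".jar") for name in os.listdir(lib)):
        problems.append("WEB-INF/lib has no .jar files: tag libraries will not resolve")
    return problems


def demo_layout_check():
    """Build a constructed, half-finished WAR tree in a temp dir and check it."""
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "WEB-INF", "classes"))
        os.makedirs(os.path.join(tmp, "WEB-INF", "lib"))   # left empty: no tag-lib jars
        open(os.path.join(tmp, "WEB-INF", "web.xml"), "w").close()
        return war_layout_problems(tmp)


if __name__ == "__main__":
    counts, unmatched = classify_warnings(SAMPLE_WARNINGS)
    print(dict(counts), unmatched)
    print(unresolved_names(SAMPLE_WARNINGS))
    print(demo_layout_check())
```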


Using FindBugs
FindBugs (http://findbugs.sourceforge.net) is a static analysis tool that detects quality issues in Java code. You can run FindBugs with Fortify SCA and the results will be integrated into the analysis results file. Unlike Fortify SCA, which runs on Java source files, FindBugs runs on Java bytecode. Therefore, before running an analysis on your project, you should first compile the project and produce the class files.

To demonstrate how to run FindBugs automatically with Fortify SCA, compile the sample code, Warning.java, as follows:
1. Go to the following directory:
<install_directory>/Samples/advanced/findbugs

2. Enter the following command to compile the sample:
mkdir build
javac -d build Warning.java

3. Scan the sample with FindBugs and Fortify SCA as follows:
sourceanalyzer -b findbugs_sample -java-build-dir build Warning.java
sourceanalyzer -b findbugs_sample -scan -findbugs -f findbugs_sample.fpr

4. Examine the analysis results in Audit Workbench:
auditworkbench findbugs_sample.fpr

The output contains the following issue categories:
- Bad casts of Object References (1)
- Dead local store (2)
- Equal objects must have equal hashcodes (1)
- Object model violation (1)
- Unwritten field (2)
- Useless self assignment (2)

If you group by Analyzer, you can see that the Fortify SCA Structural analyzer produced one warning and FindBugs produced eight. The Object model violation warning produced by Fortify SCA on line 25 is similar to the Equal objects must have equal hash codes warning produced by FindBugs. In addition, FindBugs produces two sets of warnings (Useless self-assignment and Dead local store) about the same issues on lines 6 and 7. To avoid overlapping results, apply the filter.txt filter file by using the -filter option during the scan. Note that the filtering is not complete because each tool filters at a different level of granularity. To demonstrate how to avoid overlapping results, scan the sample code using filter.txt as follows:
sourceanalyzer -b findbugs_sample -scan -findbugs -filter filter.txt -f findbugs_sample.fpr

Translating .NET Source Code
This chapter describes how to use Fortify SCA to translate Microsoft Visual Studio .NET and ASP.NET applications built with:
.NET Versions 1.1 and 2.0
Visual Studio .NET version 2003
Visual Studio .NET version 2005

Fortify SCA works on the Common Intermediate Language (CIL), and therefore supports all of the .NET languages that compile to CIL, including C# and VB.NET.
The following topics are included:
Visual Studio .NET
Translating Simple .NET Applications
Translating ASP.NET 1.1 (Visual Studio Version 2003) Projects

Note: The easiest way to analyze a .NET application is to use a Fortify Secure Coding Plugin for Visual Studio, which automates the process of gathering information about the project.

Visual Studio .NET
If you perform command-line builds with Visual Studio .NET, you can easily integrate static analysis by wrapping the build command line with an invocation of sourceanalyzer. For this to work, you must have the Secure Coding Package for your version of Visual Studio installed.
The following example demonstrates the command-line syntax for Visual Studio .NET:
sourceanalyzer -b my_buildid devenv Sample1.sln /REBUILD debug

This performs the translation phase on all files built by Visual Studio. Be sure to do a clean or a rebuild so that all files are included. You can then perform the analysis phase, as in the following example:
sourceanalyzer -b my_buildid -scan -f results.fpr

Note: If your classic ASP/VBScript application uses virtual includes, for example,
<!-- #include virtual="/myweb/foo.inc" -->

then you should specify the physical location of the myweb application by passing the following property value:
com.fortify.sca.ASPVirtualRoots=<semicolon-separated list of full paths to virtual roots used>

For example, if the IIS virtual root /myweb is located at C:\webapps\myweb-folder, then your property value should be:
-Dcom.fortify.sca.ASPVirtualRoots=c:\webapps\myweb-folder

If you add this line to the fortify-sca.properties file, you must escape the \ character, as in the following:
com.fortify.sca.ASPVirtualRoots=c:\\webapps\\myweb-folder

Translating Simple .NET Applications
You can also use the Fortify SCA command-line interface for processing .NET applications.
Prepare your application for analysis as follows:

Perform a complete rebuild of your project with the "debug" configuration enabled. Compiling your project with debug enabled provides information that Fortify SCA uses for presenting the results.
Obtain all of the third-party .dll files, project output .dll files, and corresponding .pdb files for your projects. Note that Fortify SCA ignores any .dll file passed as an input argument if the corresponding .pdb file does not exist in the same folder. It is therefore imperative that you include all of the .pdb files for all your project .dll files.

Note: .pdb files are not required for third-party libraries.

Run Fortify SCA to analyze the .NET application from the command line as follows:
For Visual Studio .NET Version 2003, enter:
sourceanalyzer -vsversion 7.1 -b MyBuild -libdirs ProjOne/Lib;ProjTwo/Lib ProjOne/bin/Debug ProjTwo/bin/Debug

where:
MyBuild is the build identifier
ProjOne/Lib;ProjTwo/Lib is a semicolon-separated list of paths to folders or DLLs with third-party DLLs
ProjOne/bin/Debug ProjTwo/bin/Debug are the output folders

For Visual Studio .NET Version 2005, enter:
sourceanalyzer -vsversion 8.0 -b MyBuild -libdirs ProjOne/Lib;ProjTwo/Lib ProjOne/bin/Debug ProjTwo/bin/Debug

where the arguments have the same meaning as for the Version 2003 command; only the -vsversion value changes.

Note: Standard .NET DLLs used in your project are automatically picked up by Fortify SCA, so you do not need to include them in the command line.

If your project is large, you can perform the translation phase separately for each output folder using the same build ID, as follows:
sourceanalyzer -vsversion <version_number> -b <build_id> -libdirs <paths> <folder_1>
...
sourceanalyzer -vsversion <version_number> -b <build_id> -libdirs <paths> <folder_n>

where:
<version_number> is either 7.1, 8.0, or 9.0
<build_id> is the build ID
<paths> is a semicolon-separated list of paths to folders or DLLs with third-party DLLs
<folder_1> and <folder_n> are the output folders

Note: Fortify SCA requires the appropriate version of Visual Studio, even if you are using the command-line interface.

Translating ASP.NET 1.1 (Visual Studio Version 2003) Projects
As discussed previously, Fortify SCA works on CIL generated by the .NET compilers. For ASP.NET projects, web components such as .aspx files need to be compiled before they can be analyzed. However, there is no standard compiler for .aspx files. The .NET 1.1 runtime automatically compiles them when they are accessed from a browser.
To facilitate the .aspx compilation phase, Fortify Software provides a simple tool that compiles all of the .aspx files in your project. The tool is located in the Fortify installation directory at:
\Tools\fortify_aspnet_compiler\fortify_aspnet_compiler.exe

To analyze ASP.NET 1.1 solutions:
1. Perform a complete rebuild of the solution.
2. For each of the web projects in the solution, delete the following folder:
%SYSTEMROOT%\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\<web_application_name>

3. For each of the web projects in the solution, run the following command:
fortify_aspnet_compiler <url_to_the_web_site> <source_root_of_the_web_project>

where:
<url_to_the_web_site> is the URL for your web site, such as http://localhost/WebApp
<source_root_of_the_web_project> is the source location of your web project, such as <VS_project_location>\WebApp

4. Perform the translation phase for the DLLs built in Step 1. Enter the following command, using the same build ID as in the following steps:
sourceanalyzer -b <build_id> "<VS_project_location>\**\*.dll"

5. Perform the translation phase for the web components. For each of the web projects in the solution, enter the following when you invoke sourceanalyzer (the path contains spaces, so quote it):
sourceanalyzer -b <build_id> "%SYSTEMROOT%\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\<web_application_name>"

6. Include the configuration files and any Microsoft T-SQL source files that you have:
sourceanalyzer -b <build_id> "<solution_root>\**\*.config" "<t-sql_src>\**\*.sql"

Note: These steps are all automated if you use the Fortify 360 Package for Visual Studio.

Handling Resolution Warnings
To see all warnings that were generated during your build, enter the following command before you start the scan phase:
sourceanalyzer -b <build_id> -show-build-warnings

.NET Warnings
You may see the following warnings for .NET:
Cannot locate class... in the given search path and the Microsoft .NET Framework libraries.

These warnings are typically caused by missing resources. For example, some of the .DLL files required to build the application have not been specified. To resolve the warnings, make sure that you have included all of the required files that your application uses. If you still see a warning and the classes it lists are empty interfaces with no members, you can ignore the warning. If the interface is not empty, contact Technical Support.


ASP.NET Warnings
You may see the following warning for ASP.NET applications:
Failed to parse the following aspx files: <list of .aspx file names>

This warning displays because your Web application is not deployed correctly or does not contain the full set of required libraries, or it uses the Global Assembly Cache (GAC). If your application is a .NET version 1.1 application, you may also have access issues from Microsoft IIS. Verify that you can access the application from a browser without authentication or access errors. If your web application uses the GAC, you must add the .DLL files to the project separately to ensure a successful scan. Fortify SCA does not load .DLL files from the GAC.

Translating C/C++ Code
This chapter describes how to translate C and C++ source code for analysis with Fortify SCA.

C and C++ Command-Line Syntax
The basic command-line syntax for translating a single file is:
sourceanalyzer -b <build_id> <compiler> [<compiler options>]

where:
<compiler> is the name of the compiler you want to use during a project build scan, such as gcc or cl.
<compiler options> are options passed to the compiler that are typically used to compile the file.

C and C++ Command-Line Examples
The following is a simple usage example. To translate a file named helloworld.c using the gcc compiler, enter:
sourceanalyzer -b my_buildid gcc helloworld.c

Note: This also compiles the file.

Integrating with Make
You can use either of the following methods to use Fortify SCA with Make:
Using the Fortify Touchless Build Adapter
Modifying a Makefile to Invoke Fortify SCA

Using the Fortify Touchless Build Adapter
The following sections describe the different methods for using the touchless build adapter.

Using the sourceanalyzer Build Adapter Command
To use the Fortify touchless build adapter to integrate with makefiles, run the following command:
sourceanalyzer -b <build_id> touchless make

Fortify SCA runs the make command. When make invokes any command that Fortify SCA determines is a compiler, the command is processed by Fortify SCA. Note that the makefile is not modified.
For information about informing Fortify SCA about specially named compilers, see the com.fortify.sca.compilers.* property in Using Properties to Control Runtime Options on page 52.

This method of build integration is not limited to make. Any build command that executes a compiler process can be used with this system; just replace the 'make' section of the above command with the command used to run a build.

Note: The Fortify touchless build adapter does not function correctly if:
The build script invokes the compiler with an absolute path, or if the build script overrides the executable search path.
The build script does not create a new process to run the compiler. Many Java build tools, including Ant, operate this way.
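To make the mechanism behind this note concrete, here is an added Python example. It is not Fortify code and does not describe the adapter's internals: it models a touchless adapter as a shim placed ahead of the real tool on PATH. The compiler name mycc, the shim script, the stand-in compiler and the single build step are all constructed for the demonstration. Run by bare name, the invocation reaches the shim, which records it and hands off to the real tool so the build still succeeds; run by absolute path, the PATH lookup is skipped and the shim never sees the command. A POSIX shell and Python 3.9 or later are assumed.

```python
"""PATH-based compiler interposition, modelled on the behaviour the
touchless-adapter note describes. Added example, not Fortify SCA code.
The compiler (mycc), the shim and the build step are constructed here;
the real adapter's internals are not part of this demonstration. POSIX only."""
import os
import stat
import subprocess
import tempfile
from pathlib import Path

# Constructed shim: record how it was invoked, then exec the real tool so the
# build itself still succeeds. $SHIM_LOG and $REAL_CC are set by run_build().
SHIM_SCRIPT = """#!/bin/sh
printf '%s\\n' "$0 $*" >> "$SHIM_LOG"
exec "$REAL_CC" "$@"
"""

# Constructed stand-in for a compiler: accepts any arguments and exits 0.
REAL_CC_SCRIPT = """#!/bin/sh
exit 0
"""


def _write_executable(path: Path, body: str) -> None:
    path.write_text(body)
    path.chmod(path.stat().st_mode | stat.S_IXUSR)


def run_build(compiler_args: list[str], invoke_by_absolute_path: bool = False) -> list[str]:
    """Run one build step (a single mycc invocation) with the shim directory
    first on PATH. Returns the invocations the shim recorded: one entry when
    the shim intercepted the call, an empty list when it was bypassed."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        real_dir, shim_dir = root / "realbin", root / "shim"
        real_dir.mkdir()
        shim_dir.mkdir()
        real_cc = real_dir / "mycc"
        _write_executable(real_cc, REAL_CC_SCRIPT)
        _write_executable(shim_dir / "mycc", SHIM_SCRIPT)
        log = root / "shim.log"

        env = dict(os.environ)
        env["PATH"] = os.pathsep.join([str(shim_dir), str(real_dir), env.get("PATH", "")])
        env["SHIM_LOG"] = str(log)
        env["REAL_CC"] = str(real_cc)

        # A build script that hard-codes the compiler path skips the PATH lookup
        # entirely, so the shim never runs. This is the first case in the note.
        program = str(real_cc) if invoke_by_absolute_path else "mycc"
        subprocess.run([program, *compiler_args], env=env, check=True)
        return log.read_text().splitlines() if log.exists() else []


def intercepted(compiler_args: list[str], invoke_by_absolute_path: bool = False) -> bool:
    """True when the shim saw the compiler invocation."""
    return bool(run_build(compiler_args, invoke_by_absolute_path))


if __name__ == "__main__":
    print("by name:", intercepted(["-c", "main.c", "-o", "main.o"]))   # True
    print("by absolute path:", intercepted(["-c", "main.c"], True))     # False
```

The second case in the note (no new process) is the same effect seen from the other side: a build tool that compiles inside its own process never performs an exec, so there is no PATH lookup for a shim to intercept, and the compiler invocation is invisible to any adapter that works this way.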

Using the fortify Build Adapter Command
Fortify 360 offers a convenient command that bundles together the translation and scan steps when you are using touchless integration to analyze a C/C++ project. The command is as follows:
fortify [-b my_build_id] [-noscan] [-f my_fpr_name.fpr] build_command

The command fortify build_command is equivalent to running the following commands:
sourceanalyzer -b my_build_id -clean
sourceanalyzer -b my_build_id touchless build_command
sourceanalyzer -b my_build_id -scan -f cwd.fpr

If -f is not used, the name of the current working directory is used in naming the FPR, i.e. cwd.fpr.
If additional options are required for either the translation or analysis step (as described in Chapter 1), two environment variables are available:
FORTIFY_BUILD_OPTS
FORTIFY_SCAN_OPTS

For example, in a Bash shell, you would set these to the following values in order to acquire the information needed by Fortify Technical Support when they are helping you with an SCA-related ticket:
export FORTIFY_BUILD_OPTS=-debug\ -logfile\ translation.log
export FORTIFY_SCAN_OPTS=-debug\ -logfile\ scan.log

This would cause two additional files to be created, translation.log and scan.log, after the following is run:
fortify make

Modifying a Makefile to Invoke Fortify SCA
To modify a makefile to invoke Fortify SCA, replace any calls to the compiler, archiver, or linker in the makefile with calls to Fortify SCA. These tools are typically specified in a special variable in the makefile, as in the following example:
CC=gcc
CXX=g++
AR=ar

The step can be as simple as prepending these tool references in the makefile with Fortify SCA and the appropriate options:
CC=sourceanalyzer -b mybuild gcc
CXX=sourceanalyzer -b mybuild g++
AR=sourceanalyzer -b mybuild ar

Using Fortify Build Monitor
This section describes how to use Fortify Build Monitor to scan C/C++ projects automatically during a build on Windows and view the results. It includes examples that use sample projects provided with Fortify SCA.
This section covers the following topics:
Fortify Build Monitor Overview
Configuring Fortify Build Monitor
Monitoring Builds
Example of Monitoring a Project

Fortify Build Monitor Overview
The following options are available from the Fortify Build Monitor menu:
Table 2: Fortify Build Monitor Options
Option              Description
Monitor             Enables the monitoring. Build Monitor intercepts and translates the next build on the machine.
Build Done          Stops the monitor after the build is complete.
Scan                Scans the code that was monitored during the build.
Scan Settings       Controls the rulepacks and memory settings.
Set Results Folder  Controls where Fortify SCA outputs the results.
Stay on Top         Keeps the Fortify Build Monitor window on top of other windows.
Minimize to Tray    Shows the Fortify Build Monitor as an icon in the taskbar.
Exit                Closes the Fortify Build Monitor.
Show Messages       Shows or hides the messages in the lower area of the window. Messages include Scan Messages, Errors, and Monitor Driver information. You can click Detailed Messages at the bottom of the window.
Help                Displays online help.
Reset               Resets the Fortify Build Monitor to its beginning state.

Configuring Fortify Build Monitor
This section covers the following topics:
Setting Up the Results Folder
Setting Fortify SCA Scan Options

Setting Up the Results Folder
Fortify Build Monitor outputs results in FPR format to a local folder. You can change the output folder. Fortify Build Monitor replaces the results each time a scan is performed. Results are not archived.
To change the results folder:
1. Select Action > Set Results Folder.
The Browse for Folder dialog displays.
2. Select a folder and click OK.
Fortify Build Monitor will output the results to the selected folder.

Setting Fortify SCA Scan Options
Fortify Build Monitor scans the project using Fortify SCA. You can adjust the following scan settings:
Allocate memory: Increase or decrease the amount of memory allocated to Fortify SCA
Fortify Secure Coding Rulepacks and custom rulepacks: Change which rulepacks Fortify SCA uses to analyze the source code
User: Only monitor builds run by the current user

To change the scan options:
1. Select Action > Scan Settings.
The Fortify Build Monitor: Scan Settings dialog displays.
2. To change the memory allocation, select a value.
Note: Entering an invalid option sets the memory to unlimited.
3. To add or remove rulepacks, click Rulepacks.
4. To view the Fortify SCA command-line options, click Preview.
5. Click Done.
The Fortify SCA scan options are changed.

Monitoring Builds
For C/C++ projects and solutions on Windows, Fortify SCA includes the Fortify Build Monitor, which is a graphical user interface tool that automates analysis during builds.
To analyze C/C++ source code builds on Windows:
1. Select Start > Program Files > Fortify Software > Fortify SCA > Build Monitor.
2. Click Monitor. After the monitor initiates, a green light icon displays.
3. Create a complete build of your project in your build environment.
4. Check that the build has finished successfully.
5. Return to the Fortify Build Monitor window and click Build Done.
6. Fortify SCA outputs the results to a subfolder; specify a name for the output folder. If the folder already exists, Fortify SCA cleans the folder before starting the scan.
7. Click Scan. Fortify SCA displays the results and saves an FPR file in the folder you specified.
Note: To view the results, open the FPR file in Audit Workbench or using the Secure Coding Package for Microsoft Visual Studio.

Example of Monitoring a Project
This example for Windows users analyzes the sample C++ code project named qwik-smtpd. It uses Microsoft Visual Studio and the Fortify Build Monitor.
To analyze the qwik-smtpd project:
1. Using Microsoft Visual Studio, open and build the qwik-smtpd project located in the Tutorial/C/source directory.
2. Select Start > Program Files > Fortify Software > Fortify SCA > Build Monitor.
3. Click Monitor.
4. Minimize the window.
5. In Microsoft Visual Studio, rebuild the project.
Note: Since nothing in the project changed, you must use the rebuild option.
6. Check that the build has finished successfully.
7. Return to the Fortify Build Monitor window and click Build Done.
8. Specify the location of the build output.
9. Click Scan. Fortify SCA saves an FPR file in the folder you specified.

Note: To view the results, open the FPR file in Audit Workbench or using the Secure Coding Package for Microsoft Visual Studio.

Visual Studio .NET
If you perform command-line builds with Visual Studio .NET, you can easily integrate static analysis by simply wrapping the build command line with an invocation of sourceanalyzer. For this to work, you must have the Fortify Secure Coding Plugin for your version of Visual Studio installed.
Consider the following example:
sourceanalyzer -b my_buildid devenv MyProject.sln /REBUILD

This performs the translation phase on all files built by Visual Studio. Be sure to do a clean or a rebuild so that all files are included.

Visual Studio 6.0
If you perform command-line builds with Visual Studio 6.0, you can integrate static analysis by wrapping the build command line with an invocation of sourceanalyzer.
Consider the following example:
sourceanalyzer -b my_buildid msdev MyProject.dsp /MAKE "MyProject DEBUG" /REBUILD

This performs the translation phase on all files built by Visual Studio. Be sure to do a clean or a rebuild so that all files are included, as described in your Visual Studio documentation.

Translating Other Languages
This chapter describes how to translate other programming languages for analysis with Fortify SCA.
This section includes the following topics:
Command-Line Syntax for Other Languages
Configuration Considerations

Command-Line Syntax for Other Languages
This topic describes the Fortify SCA command syntax for translating other languages.
The basic command-line syntax for other languages is:
sourceanalyzer -b <build_id> <file_list>

SQL Note: By default, files with the extension .sql are assumed to be T-SQL rather than PL/SQL on Windows platforms. If you are using Windows and have PL/SQL files with the .sql extension, you should configure Fortify SCA to treat them as PL/SQL. To change the default behavior, set the com.fortify.sca.fileextensions.sql property in fortify-sca.properties to "TSQL" or "PLSQL".

Enter the following to perform translation on ColdFusion source code:
sourceanalyzer -b <build_id> -source-base-dir <dir> <files|file specifiers>

where:
<build_id> specifies the build ID for the project
<dir> specifies the root directory of the web application
<files|file specifiers> specifies the CFML source code files

ColdFusion Note: Fortify SCA calculates the relative path to each CFML source file by using the -source-base-dir directory as the starting point, then uses these relative paths when generating instance IDs. If the entire application source tree is moved to a different directory, the instance IDs generated by a security analysis should remain the same if you specify an appropriate value for -source-base-dir.
For a description of all the options you can use with the sourceanalyzer command, see Command Line Interface on page 34.
File specifiers are shown in the following table:

Table 3: File Specifiers
File Specifier             Description
<dirname>                  All files found under the named directory or any subdirectories
<dirname>/**/Example.js    Any file named Example.js found under the named directory or any subdirectories
<dirname>/*.js             Any file with the extension .js found in the named directory
<dirname>/**/*.js          Any file with the extension .js found under the named directory or any subdirectories
<dirname>/**/*             All files found under the named directory or any subdirectories (same as <dirname>)

Note: Windows and many Unix shells automatically try to expand arguments containing the '*' character, so file specifier expressions should be quoted. Also, on Windows, enter the backslash (\) instead of the forward slash (/).
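As an added example that is not part of Fortify SCA, the following Python matcher implements the semantics Table 3 describes, so that a specifier can be checked against a list of paths before it is quoted and handed to sourceanalyzer. The sample path list is constructed; treating a bare <dirname> as <dirname>/**/* follows the equivalence the table itself states, and backslash-separated specifiers are accepted as the note above requires on Windows.

```python
"""Matcher for the file specifiers in Table 3. Added example, not part of
Fortify SCA: it models the documented semantics (a lone <dirname> means every
file beneath it, * matches within one path component, ** matches zero or more
whole directory levels) and is exercised on constructed path names rather
than on a real directory tree."""
import re


def specifier_to_regex(spec: str) -> "re.Pattern[str]":
    """Translate a specifier such as src/**/*.js into an anchored regex.
    Backslashes are accepted so Windows-style specifiers work too."""
    spec = spec.replace("\\", "/").rstrip("/")
    if "*" not in spec:                      # bare <dirname>: same as <dirname>/**/*
        spec += "/**/*"
    parts = spec.split("/")
    pieces = []
    for i, part in enumerate(parts):
        if part == "**":
            pieces.append("(?:[^/]+/)*")     # zero or more directory levels
            continue
        # '*' never crosses a '/' boundary; everything else is literal.
        pieces.append(re.escape(part).replace(r"\*", "[^/]*"))
        if i < len(parts) - 1:
            pieces.append("/")
    return re.compile("^" + "".join(pieces) + "$")


def matches(spec: str, path: str) -> bool:
    return specifier_to_regex(spec).match(path.replace("\\", "/")) is not None


def select(spec: str, paths: list[str]) -> list[str]:
    """Return the paths (in their original order) that the specifier covers."""
    return [p for p in paths if matches(spec, p)]


# Constructed sample tree, as a flat list of relative paths.
SAMPLE_PATHS = [
    "src/app.js",
    "src/lib/util.js",
    "src/lib/vendor/Example.js",
    "src/Example.js",
    "src/lib/styles.css",
    "test/app_test.js",
]

if __name__ == "__main__":
    for spec in ("src", "src/**/Example.js", "src/*.js", "src/**/*.js", "src/**/*"):
        print(f"{spec:20} -> {select(spec, SAMPLE_PATHS)}")
```

Checking a specifier this way before a long translation run shows exactly which files it will and will not pick up; in particular it makes visible that <dirname>/*.js stops at the named directory while <dirname>/**/*.js descends into every subdirectory.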

Configuration Considerations
This section covers the following topics:
Configuring Python
Configuring ColdFusion
Configuring the SQL Extension
Configuring ASP/VBScript Virtual Roots

Configuring Python
Fortify SCA translates Python applications, and treats files with the extension .py as Python source code. In order for SCA to translate Python applications and prepare the application for a scan, SCA searches any import files for the application. SCA does not respect the PYTHONPATH environment variable, which the Python runtime system uses to find imported files, so this information should be given directly to SCA using the -python-path argument. In addition, some applications add additional import directories during runtime initialization.
To add paths for additional import directories, use the sourceanalyzer command-line option:
-python-path <pathname>

Note: SCA translates Python applications using all import files located in the directory path defined by the -python-path <pathname> option. Consequently, translation may take a significant amount of time to complete.

Configuring ColdFusion
In order to treat undefined variables in a CFML page as tainted, uncomment the following line in <sca_install_dir>\Core\config\fortify-sca.properties:
#com.fortify.sca.CfmlUndefinedVariablesAreTainted=true

Doing so serves as a hint to the dataflow analyzer to watch out for register-globals-style vulnerabilities. However, enabling this property interferes with dataflow findings in which a variable in an included page is initialized to a tainted value in an earlier-occurring included page.

Configuring the SQL Extension
By default, files with the extension .sql are assumed to be T-SQL rather than PL/SQL on Windows platforms. If you are using Windows and have PL/SQL files with the .sql extension, you should configure Fortify SCA to treat them as PL/SQL. To change the default behavior, set the com.fortify.sca.fileextensions.sql property in fortify-sca.properties to "TSQL" or "PLSQL".
Note: Fortify 360 v2.5 updates the PL/SQL parser to improve translation of PL/SQL source code. However, the existence of two different parsers can make merging results from pre-v2.5 and post-v2.5 scans difficult.

To revert to the older version of the PL/SQL parser, add the following property to the fortify-sca.properties file:
com.fortify.sca.UseOldPlsql=true

Configuring ASP/VBScript Virtual Roots
Fortify SCA allows you to handle ASP virtual roots. For web servers that use virtual directories as aliases that map to physical directories, SCA allows you to use the alias.
For instance, you may have virtual directories named Include and Library which refer to the physical directories C:\WebServer\CustomerOne\inc and C:\WebServer\CustomerTwo\Stuff respectively. As an example, the ASP/VBScript code for an application using virtual includes is as follows:
<!-- #include virtual="Include/Task1/foo.inc" -->

The above ASP code refers to the actual directory, as follows:
C:\WebServer\CustomerOne\inc\Task1\foo.inc

The real directory replaces the virtual directory name Include in that instance.

Accommodating Virtual Roots
In order to indicate to SCA what each virtual directory is an alias for, you must set a property of the form com.fortify.sca.ASPVirtualRoots.<name_of_virtual_directory> as part of your command-line invocation of SCA, in the following manner:
sourceanalyzer -Dcom.fortify.sca.ASPVirtualRoots.<name_of_virtual_directory>=<full path to corresponding physical directory>

Note: On Windows, if the physical path has spaces in it, you must include the property setting in double quotes:
sourceanalyzer "-Dcom.fortify.sca.ASPVirtualRoots.<name_of_virtual_directory>=<full path to corresponding physical directory>"

To expand upon the example in the previous section, the property values that you must pass along should be:
-Dcom.fortify.sca.ASPVirtualRoots.Include=C:\WebServer\CustomerOne\inc
-Dcom.fortify.sca.ASPVirtualRoots.Library=C:\WebServer\CustomerTwo\Stuff

Doing so causes the mapping of Include to its directory and Library to its directory.
When SCA encounters the include directive:
<!-- #include virtual="Include/Task1/foo.inc" -->

SCA will first check to see if your project contains a physical directory named Include. If there is no such physical directory, SCA looks through its own runtime properties and sees that:
-Dcom.fortify.sca.ASPVirtualRoots.Include="C:\WebServer\CustomerOne\inc"

This tells SCA that the virtual directory Include is actually the directory:
C:\WebServer\CustomerOne\inc

This will cause SCA to look for the file:
C:\WebServer\CustomerOne\inc\Task1\foo.inc

Alternately, if you choose to set this property in the fortify-sca.properties file, which is located in <sca_install_dir>\Core\config, you must escape the \ character, as well as any spaces that appear in the path of the physical directory:
com.fortify.sca.ASPVirtualRoots.Library=c:\\WebServer\\CustomerTwo\\Stuff
com.fortify.sca.ASPVirtualRoots.Include=c:\\WebServer\\CustomerOne\\inc

Note: The previous version of the ASPVirtualRoots property is still valid, which you may use on the SCA command line as follows:
-Dcom.fortify.sca.ASPVirtualRoots=C:\WebServer\CustomerTwo\Stuff;C:\WebServer\CustomerOne\inc

This prompts SCA to search through the listed directories in the order specified when it is resolving a virtual include directive.

Example: Using Virtual Roots
You have a file as follows:
C:\files\foo\bar.asp

You can specify this file by using the following include:
<!-- #include virtual="/foo/bar.asp" -->

Then you should set the virtual root as:
-Dcom.fortify.sca.ASPVirtualRoots=C:\files\foo

This strips the /foo from the front of the virtual include path and replaces it with the virtual root. If you do not include foo in the ASPVirtualRoots property (for example, if you specify only C:\files), SCA will look in C:\files\bar.asp, and will fail.
The sequence for resolving virtual roots is as follows:
1. Remove the first part of the path in the source.
2. Replace the first part of the path with the virtual root as specified on the command line.
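The resolution rules in this section (the named-alias form, the precedence of a physical project directory over an alias, the ordered-list form with its strip-and-replace sequence, and the escaping required in fortify-sca.properties) are implemented below as an added Python example. It is not Fortify SCA code; the alias names, directories and the set of files taken to exist on disk are constructed from the examples above, and ntpath is used so the Windows paths resolve identically on any platform.

```python
"""Resolver for classic-ASP virtual includes following the two ASPVirtualRoots
forms described in this section. Added example, not Fortify SCA code: the
alias names, physical directories and on-disk file set are constructed, and
existence checks are answered from that set so the script runs anywhere."""
import ntpath


def _segments(virtual: str) -> list[str]:
    """'/foo/bar.asp' -> ['foo', 'bar.asp']; 'Include/Task1/foo.inc' -> ['Include', 'Task1', 'foo.inc']."""
    return [s for s in virtual.replace("\\", "/").split("/") if s]


def resolve_named(virtual: str, aliases: dict[str, str], project_dirs: set[str]) -> str:
    """com.fortify.sca.ASPVirtualRoots.<name>=<dir> form. A physical project
    directory with the alias name takes precedence; otherwise the first
    segment is replaced by the directory the alias maps to."""
    first, *rest = _segments(virtual)
    if first in project_dirs:
        base = first
    elif first in aliases:
        base = aliases[first]
    else:
        raise FileNotFoundError(f"{virtual}: no physical directory or alias named {first!r}")
    return ntpath.join(base, *rest)


def legacy_candidates(virtual: str, roots_value: str) -> list[str]:
    """com.fortify.sca.ASPVirtualRoots=<root>;<root>... form: drop the first
    segment of the include path and prepend each listed root, in order."""
    _, *rest = _segments(virtual)
    roots = [r.strip() for r in roots_value.split(";") if r.strip()]
    return [ntpath.join(root, *rest) for root in roots]


def resolve_legacy(virtual: str, roots_value: str, existing_files: set[str]) -> str:
    """First candidate that exists wins. When the root does not already end in
    the stripped segment, the candidate is wrong and the lookup fails."""
    known = {f.lower() for f in existing_files}
    for candidate in legacy_candidates(virtual, roots_value):
        if candidate.lower() in known:
            return candidate
    raise FileNotFoundError(f"{virtual}: tried {legacy_candidates(virtual, roots_value)}")


def properties_value(path: str) -> str:
    """Escape a Windows path for fortify-sca.properties: every backslash is
    doubled and every space is backslash-escaped."""
    return path.replace("\\", "\\\\").replace(" ", "\\ ")


# Constructed data mirroring the examples in this section.
ALIASES = {"Include": r"C:\WebServer\CustomerOne\inc",
           "Library": r"C:\WebServer\CustomerTwo\Stuff"}
FILES = {r"C:\WebServer\CustomerOne\inc\Task1\foo.inc", r"C:\files\foo\bar.asp"}

if __name__ == "__main__":
    print(resolve_named("Include/Task1/foo.inc", ALIASES, set()))
    print(resolve_legacy("/foo/bar.asp", r"C:\files\foo", FILES))
    print(legacy_candidates("/foo/bar.asp", r"C:\files"))      # the failing lookup
    print(properties_value(ALIASES["Library"]))
```

Running legacy_candidates with a root that lacks the stripped segment reproduces the failure case above (C:\files\bar.asp) and is a quick way to check a semicolon-separated root list before starting a translation.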

Other Language Command-Line Examples
This section includes the following examples:
Example of Translating PL/SQL
Example of Translating T-SQL
Example of Translating PHP
Example of Translating Classic ASP Written with VBScript
Example of Translating JavaScript
Example of Translating a VBScript File

Example of Translating PL/SQL
The following example demonstrates syntax for translating two PL/SQL files:
sourceanalyzer -b MyProject x.pks y.pks

The following example demonstrates how to translate all PL/SQL files under the sources directory:
sourceanalyzer -b MyProject "sources/**/*.pks"

Example of Translating T-SQL
The following example demonstrates syntax for translating two T-SQL files:
sourceanalyzer -b MyProject x.sql y.sql

The following example demonstrates how to translate all T-SQL files under the sources directory:
sourceanalyzer -b MyProject "sources\**\*.sql"

Note: This example assumes the com.fortify.sca.fileextensions.sql property in fortify-sca.properties is set to "TSQL".

Example of Translating PHP
To translate a single file named MyPHP.php, enter:
sourceanalyzer -b mybuild "MyPHP.php"

Example of Translating Classic ASP Written with VBScript
To translate a single file named MyASP.asp, enter:
sourceanalyzer -b mybuild "MyASP.asp"

Example of Translating JavaScript
To translate all JavaScript files in the scripts directory (but not its subdirectories; see Table 3), enter:
sourceanalyzer -b mybuild "scripts/*.js"

Example of Translating a VBScript File
To translate a VB file named myApp.vb, enter:
sourceanalyzer -b mybuild "myApp.vb"

Translating COBOL Code
This section contains the following topics:
Supported Technologies
Preparing COBOL Source Files for Translation
COBOL Command-Line Syntax
Auditing a COBOL Scan

Note: In order to use SCA to scan COBOL, you must have a specialized Fortify license specific to COBOL scanning capabilities. Contact Fortify for more information about scanning COBOL and the necessary license.

Supported Technologies
Fortify SCA supports IBM Enterprise COBOL for IBM z/OS and is compatible with the following systems:
CICS
IMS
DB/2 embedded SQL
IBM WebSphere MQ

Preparing COBOL Source Files for Translation
Fortify SCA runs only on the supported systems listed in the Fortify System Requirements data sheet, not on mainframe computers. This means that before you can scan a COBOL program, you must copy the following program components to the system running Fortify SCA:
The COBOL source code
All copybook files used by the COBOL source code
All SQL INCLUDE files referenced by the COBOL source code

Preparing COBOL Source Code Files
If you are retrieving COBOL source files from a mainframe without .COB or .CBL file extensions (which is usually the case for COBOL file names), then you must use the following command-line option:
-noextension-type COBOL <directory-file-path>

Specify the directory and folder with all COBOL files as the argument to SCA, and SCA will process all the files in that directory and folder without any need for COBOL file extensions.

Preparing COBOL Copybook Files
Fortify SCA does not identify copybooks by extension. All copybook files should therefore retain the names used in the COBOL source code COPY statements.

COBOL Command-Line Syntax
Free-format COBOL is the default translation and scanning mode for Fortify SCA. The basic syntax for translating a single free-format COBOL source code file is:
sourceanalyzer -b <build_id> <file>

The basic syntax for scanning a translated free-format COBOL program is:
sourceanalyzer -b <build_id> -scan -f <FPR file name>

Working with Fixed-Format COBOL
Fortify SCA also supports fixed-format COBOL. When translating and scanning fixed-format COBOL, both the translation and scanning command lines must include the -fixed-format command-line option. For example, the translation line syntax would look like:
sourceanalyzer -b <build_id> -fixed-format <file>

And the scanning line syntax would look like:
sourceanalyzer -b <build_id> -scan -fixed-format -f <FPR file name>

If your COBOL code is IBM Enterprise COBOL, then it is most likely fixed format. If the COBOL translation command appears to hang indefinitely, terminate the translation by typing Ctrl-C several times, and repeat the translation command with the -fixed-format option.

Searching for COBOL Copybooks
Use the -copydirs command-line option to direct Fortify SCA to search a list of paths for copybooks and SQL INCLUDE files. For example, the command-line syntax would look like the following:
sourceanalyzer -b coboltest -copydirs c:\cobol\copybooks

Auditing a COBOL Scan
After using the command line to scan the application, you can upload the resulting FPR file to Audit Workbench or Fortify 360 Server and audit the application's issues.
Fortify SCA does not currently support custom rules for COBOL applications.

Troubleshooting and Support
This chapter contains the following topics:
Troubleshooting
Reporting Bugs and Requesting Enhancements

Troubleshooting
This section contains the following troubleshooting topics:
Using the Log File to Debug Problems
Translation Failed Message
JSP Translation Problems
ASPX Translation Problems
C/C++ Precompiled Header Files

Using the Log File to Debug Problems
If you encounter warnings and problems when you run Fortify SCA, rerun Fortify SCA using the -debug option. This generates a file named sca.log in the following directory:
On Windows: C:\Documents and Settings\<username>\Local Settings\Application Data\Fortify\sca5.0\log
On other platforms: $HOME/.fortify/sca5.0/log

Email the sca.log file as a zip file to techsupport@fortify.com for further investigation.

Translation Failed Message
If your C/C++ application builds successfully but you see one or more "translation failed" messages when building with Fortify SCA, edit the <install_directory>/Core/config/fortify-sca.properties file to change the following line:
com.fortify.sca.cpfe.options= --remove_unneeded_entities --suppress_vtbl

to
com.fortify.sca.cpfe.options=-w --remove_unneeded_entities --suppress_vtbl

Rerun the build to print the errors encountered by the translator. If the output indicates an incompatibility between your compiler and the Fortify translator, send your output to Fortify Technical Support for further investigation.

JSP Translation Problems
Fortify SCA uses either the built-in JSP compiler or your specific application server's JSP compiler to translate JSP files into Java files for analysis.
If the JSP parser encounters problems when Fortify SCA is converting JSP files to Java files for analysis, you will see a message similar to the following:
Failed to translate the following jsps into analysis model. Please see the log file for any errors from the jsp parser and the user manual for hints on fixing those
<List of JSP file names>

This typically happens due to one or more of the following reasons:

The web application is not laid out in a proper deployable WAR directory format
You are missing some JAR files or classes required for the application
Some tag libraries or their definitions (TLD) are missing from your application

To obtain more information about the problem, perform the following steps:
1. Open the Fortify SCA log file in an editor.
2. Search for the strings Jsp parser stdout: and Jsp parser stderr:.
These errors are generated by the JSP parser that was used. Resolve the errors and rerun Fortify SCA.
For more information about scanning J2EE applications, see Translating J2EE Applications on page 8.
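The following added Python example (not Fortify code) automates step 2: it extracts the Jsp parser stdout: and Jsp parser stderr: blocks from an sca.log and maps their content onto the three causes listed above. The marker strings are the ones named in this section; the sample log's timestamps and surrounding lines, and the keyword-to-cause mapping, are constructed for the example and are a triage heuristic rather than a description of how the JSP parser formats its output.

```python
"""Pulls the JSP parser output out of an sca.log so the cause can be matched
against the three reasons listed above. Added example, not Fortify SCA code:
the marker strings come from this section, but the line layout of the sample
log is constructed, and the keyword-to-cause mapping is a triage heuristic."""
import re

MARKERS = ("Jsp parser stdout:", "Jsp parser stderr:")

# Heuristic mapping from parser message text to the causes listed above.
CAUSES = [
    (re.compile(r"cannot be resolved|ClassNotFound|NoClassDefFound", re.I),
     "missing JAR files or classes"),
    (re.compile(r"\.tld\b|taglib|tag library", re.I),
     "missing tag libraries or TLD files"),
    (re.compile(r"WEB-INF|web\.xml", re.I),
     "web application not in deployable WAR layout"),
]


def jsp_parser_messages(log_text: str) -> list[tuple[str, str]]:
    """Return (marker, message) pairs. A message is the text after the marker
    on the same line plus any following lines up to a blank line or the next
    marker, so multi-line compiler output stays together."""
    lines = log_text.splitlines()
    found: list[tuple[str, str]] = []
    i = 0
    while i < len(lines):
        line = lines[i]
        marker = next((m for m in MARKERS if m in line), None)
        if marker is None:
            i += 1
            continue
        body = [line.split(marker, 1)[1].strip()]
        i += 1
        while i < len(lines) and lines[i].strip() and not any(m in lines[i] for m in MARKERS):
            body.append(lines[i].strip())
            i += 1
        text = "\n".join(part for part in body if part)
        if text:
            found.append((marker, text))
    return found


def likely_causes(log_text: str) -> list[str]:
    """Distinct causes, in the order listed above, suggested by the messages."""
    joined = "\n".join(msg for _, msg in jsp_parser_messages(log_text))
    return [cause for pattern, cause in CAUSES if pattern.search(joined)]


# Constructed sample: timestamps and the lines around the markers are made up.
SAMPLE_LOG = """\
[2010-05-04 10:01:12] INFO  Translating JSP pages under /work/webapp
[2010-05-04 10:01:13] Jsp parser stdout:
Compiling /work/webapp/login.jsp
[2010-05-04 10:01:14] Jsp parser stderr: login.jsp(12,3): The import org.acme.Session cannot be resolved
login.jsp(40,5): Unable to find taglib "acme" for URI http://acme.example/tags

[2010-05-04 10:01:15] WARN  Failed to translate the following jsps into analysis model: login.jsp
"""

if __name__ == "__main__":
    for marker, msg in jsp_parser_messages(SAMPLE_LOG):
        print(marker, msg, sep="\n  ")
    print("likely causes:", likely_causes(SAMPLE_LOG))
```

On a real log the keyword table will need tuning to the messages your JSP compiler emits, but separating the parser's own output from the rest of sca.log is what makes the three causes above quick to tell apart.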

ASPXTranslationProblems
FortifySCAcompilesASPXfilestoDLLsforanalysisasfollows: Ifyouareusing.NET2.0orlaterandVisualStudio2005,usingtheMicrosoftaspnet_compilecompiler Ifyouareusing.NET1.1andVisualStudio2003,tryingtofetchASPXfilesoneatatimefromthewebsite Youhaveaccessorauthenticationproblemswithaccessingthewebapplication YouaremissingsomerequiredDLLs

Thecompilationstepcanfailif:

Ineithercase,youwillseeamessagesimilartothefollowing:
Failed to translate the following aspx files into analysis model. Please see the log file for any errors from the aspx precompiler and the user manual for hints on fixing those. <List of ASPX file names>

If you are using the plugin, enable plugin debugging and examine the plugin log file for any errors generated by the ASPX precompiler.
If you are using the command line tool, fortify_aspnet_compiler, you should see the error messages on the console.
If you still cannot determine the cause of the problem, try to access some of the failed ASPX files from your browser and see what kind of errors display. If you see messages such as cannot locate assembly, ensure that you have the missing DLLs and rerun Fortify SCA.
If you can access the failed ASPX files from the browser, but Fortify SCA still fails to scan it, contact Fortify Technical Support for additional help.
For more information about scanning ASP.NET applications, see Translating ASP.NET 1.1 (Visual Studio Version 2003) Projects on page 12.


C/C++ Precompiled Header Files
Some C/C++ compilers support a feature termed precompiled header files, which can speed up compilation. Some compilers' implementations of this feature have subtle side effects. When the feature is enabled, the compiler may accept erroneous source code without warnings or errors. This can result in a discrepancy where Fortify SCA reports translation errors even when your compiler does not.
If you use the precompiled header feature of your compiler, make sure your source code compiles cleanly by disabling precompiled headers and doing a full build.

Reporting Bugs and Requesting Enhancements
Feedback is critical to the success of this product. To request enhancements or patches, or to report bugs, send an email to Technical Support at:
techsupport@fortify.com

Be sure to include the following information in the email body:
- Product: Fortify SCA
- Version Number: To determine the version number, run the following:


sourceanalyzer -version

- Platform: (such as PC)
- OS: (such as Windows 2000)

When requesting enhancements, include a description of the feature enhancement.
When reporting bugs, provide enough details for the issue to be duplicated. The more descriptive you are, the faster we can analyze and fix the issue. Also include the log files, or the relevant portions of them, from when the issue occurred.


Appendix: Managing Per Use Accounts
This chapter covers the following topics:
- About the Fortify SCA Per Use Edition
- Managing Your Portal User Account
- Transferring Lines

About the Fortify SCA Per Use Edition
The Fortify SCA Per Use edition analyzes source code by the number of source code lines in a project. Your company purchases lines of code (LOC) packs from Fortify Software. The lines are stored in an account on the Per Use Portal. When you want to use Fortify SCA to analyze source code, you transfer lines from the online account to your local instance. Once transferred, those lines are unlocked and appear as available lines. Transferred lines can only be used by the instance of Fortify SCA that requested them.
Fortify SCA deducts lines for each project you analyze. When you run out of lines, you must get additional lines before you can scan another project. Transferring lines and creating a request file for transfers requires the following:
- Company account on the Per Use Portal with available LOCs
- Username and password for the Per Use Portal
- Internet access
- A Fortify SCA Per Use edition installed on your build machine

Note: Transfer lines from the Per Use Portal to an instance of Fortify SCA only. Transferring unused lines back to the Per Use Portal or between Fortify SCA instances is not supported.

Figure 1: Per Use Portal


Managing Your Portal User Account
To use the Fortify SCA Per Use edition you must have a user account on the Fortify Per Use Portal. This account allows you to request lines.
The Per Use Portal administrator configures the user accounts and provides the Fortify SCA Per Use edition license key. When the administrator sets up an account, the default password is automatically emailed to you.
Your user profile includes:
- Your username (email address) and password
- Contact information, such as your telephone number
- Record of lines allocated to your user account

Changing your Password
When the administrator sets up your account, the Fortify Software portal sends you an email that contains a default password and a link to the Fortify Per Use Portal. This section explains how to log in to the site and update your password.
To change your password:
1. Open the link in the email or enter the following URL:
https://per-use.fortify.com

2. Enter your username, which is the email address where you received a default password, and the password.
3. Click Customer Detail.
4. Enter a new password.
5. Confirm the new password.
6. Click Save.

Purchasing Additional Lines
A Fortify Software technical support representative can add lines to an existing account. Under some circumstances the technical support representative can also transfer lines back into the main account.
A technical support representative can only add lines if:
- You are a licensed user of Fortify SCA Per Use edition
- Your company has an account on the Fortify Per Use Portal
- You have a user account
- You are authorized to add lines to the account

Transferring Lines
This section explains how to transfer lines from the Per Use Portal account to Fortify SCA. The following is required to transfer lines:
- Fortify SCA Per Use edition is installed on a build machine
- You have an account on the Per Use Portal, http://per-use.fortify.com.
- Your company has scan lines available in the account
Note: To purchase lines, contact Fortify Software technical support.

Transfer lines using one of the following methods:

- Transferring Lines to a Machine with Internet Access
- Transferring Lines to a Machine without Internet Access

Transferring Lines to a Machine with Internet Access
Users with Fortify SCA Per Use edition clients that have internet access can send requests to transfer lines from the per use account to their local client. If the lines are available, the lines are deducted from the account and transferred directly to the client.
After the transfer, the per use account shows the lines as allocated. The local client shows the lines as available.
To request lines:
1. Enter the sourceanalyzer command with the following option:
sourceanalyzer -auth-request

2. Enter the information, including the number of lines, per use account username, and password.
If the lines you requested are available, they are automatically transferred to your client.

Transferring Lines to a Machine without Internet Access
Users of offline Fortify SCA instances must manually generate a request file, transfer the file to a computer with Internet access, log in to the portal, and upload the request file. They must then download and install the corresponding response file to transfer lines from the account to Fortify SCA.
After the response file is created, the account shows the lines as allocated. However, the lines are not available on Fortify SCA until after the response file is downloaded and installed.
To transfer lines manually:
1. Generating a Request for Lines
2. Uploading the Request for Lines
3. Installing the Line Certificate

Generating a Request for Lines
For users of Fortify SCA that do not have internet access, generate a request file that contains the number of lines that you want to allocate.
To generate a request file:
1. Enter the sourceanalyzer command with the following option:
sourceanalyzer -auth-gen-request <request-file-name>

2. Follow the prompts to enter the request information.
A request file is created in the directory where you ran the command.

Uploading the Request for Lines
When you upload a request file and the account has the lines available, a certificate file is created. The requested number of lines are deducted from the account. To complete the transfer, the user downloads the certificate and installs it.
To generate a line response file:
1. Copy the request file to a computer with internet access.
2. Log in to the Per Use Portal, http://per-use.fortify.com.
Note: Your username is your email address.

3. Click Request Lines.

4. Click Browse and locate the request file.
5. Click Upload. After the request file is processed, a transaction ID (TxnID) displays.
6. Click the transaction ID to download the certificate file to your local host.

Installing the Line Certificate
For offline Fortify SCA instances, manually install the certificate to add lines.
To transfer lines using the certificate file:
1. Copy the certificate to the machine where Fortify SCA is installed.
2. Enter the sourceanalyzer command with the following option:
sourceanalyzer -auth-import-response <response-file-name>

When the process completes, a message displays the number of lines available.


Appendix: Command Line Interface
This appendix describes the command line options available for Fortify Source Code Analyzer (Fortify SCA).

Command Line Options
This section lists and describes Fortify SCA command line options:
- Output Options
- Analysis Options
- Python Option
- ColdFusion Options
- Java/J2EE Options
- .NET Options
- Build Integration Options
- Runtime Options
- Line Transfer Options
- Other Options

Output Options
The following table describes the output options.

Table 4: Output Options

-append
    Appends results to the file specified with -f. If this option is not specified, Fortify SCA adds the new findings to the FPR file, and labels the older result as previous findings. To use this option, the output file format must be .fpr or .fvdl. For information on the -format output option, see the description in this table.
    Note: When -append is passed to SCA and the output file specified with the -f option contains the results of an earlier scan, the resulting FPR contains the issues from the earlier scan as well as issues from the current scan. The build information and program data (lists of sources and sinks) sections are also merged. The engine data section, which includes rulepack information, command line options, system properties, warnings and errors, and other information about the execution of sourceanalyzer (as opposed to information about the program being analyzed), is not merged, in part because there is no way to meaningfully merge this data from multiple scans. Because engine data is not merged with -append, Fortify does not certify results generated with -append. In general, -append should only be used when it is not possible to analyze an entire application at once.


-build-label <label>
    The label of the project being scanned. The label is not used by Fortify SCA but is included in the analysis results.

-build-project <project>
    The name of the project being scanned. The name is not used by Fortify SCA but is included in the analysis results.

-build-version <version>
    The version of the project being scanned. The version is not used by Fortify SCA but is included in the analysis results.

-f <file>
    The file to which results are written. If you do not specify an output file, the output is written to the terminal.

-format <format>
    Controls the output format. Valid options are fpr, fvdl, text, and auto. The default is auto, which selects the output format based on the file extension.
    Note: If you are using result certification, you must specify the fpr format. See the Audit Workbench User's Guide for information on result certification.

-html-report
    Creates an HTML summary of the results produced. The output format must be .fpr. The report file is given the same base name as the results output file.
    Note: The HTML summary and the summary through Audit Workbench display differing numbers of issues. This is in part due to differing methodology for categorizing HIGH and LOW issues between the two types of reports. For a more detailed summary report of issues, use the ReportGenerator utility in the SCA bin directory.


Analysis Options
The following table describes the analysis options.

Table 5: Analysis Options

-disable-default-ruletype <type>
    Disables all rules of the specified type in the default rulepacks. Can be used multiple times to specify multiple rule types. The value of type is the XML tag minus the suffix Rule. For example, use DataflowSource for DataflowSourceRule elements. You can also specify specific sections of characterization rules, such as Characterization:Controlflow, Characterization:Issue, and Characterization:Generic. Type is case insensitive.

-encoding
    Specifies the encoding. SCA allows scanning a project that contains differently encoded source files. To work with a multi-encoded project, you must specify the -encoding option at the translation step, when SCA first reads the source code file. This encoding is remembered in the build session, and is propagated into the FVDL file.

-filter <file_name>
    Specifies a results filter file. For information about filter files, see Creating a Filter File on page 49.

-findbugs
    Enables FindBugs analysis for Java code. The Java class directories must have been specified with the -java-build-dir option, described in Java/J2EE Options on page 37.

-no-default-issue-rules
    Disables rules in default rulepacks that lead directly to issues. Still loads rules that characterize the behavior of functions.
    Note: This is equivalent to disabling the following rule types: DataflowSink, Semantic, Controlflow, Structural, Configuration, Content, Statistical, Internal, and Characterization:Issue.

-no-default-rules
    Specifies not to load rules from the default rulepacks. Fortify SCA processes the rulepacks for description elements and language libraries, but no rules are processed.

-no-default-source-rules
    Disables source rules in the default rulepacks.
    Note: Characterization source rules are not disabled.

-no-default-sink-rules
    Disables sink rules in the default rulepacks.
    Note: Characterization sink rules are not disabled.

-disable-source-rendering
    Source files are not included in the FPR file.

-quick
    Scans the project in Quick Scan Mode, using the fortify-sca-quickscan.properties file. By default, this scan searches for high confidence, high severity issues. For more information about Quick Scan Mode, see the Audit Workbench User's Guide.

-rules [<file>|<directory>]
    Specifies a custom rulepack or directory. Can be used multiple times to specify multiple rulepack files. If you specify a directory, all of the files in the directory with the .bin and .xml extensions are included.


-scan
    Causes Fortify SCA to perform analysis for the specified build ID.

Python Option
The following table describes the Python option.

Table 6: Python Option

-python-path <path name>
    Specifies the path for additional import directories. By default, SCA uses the default PYTHONPATH variable on your system when searching for Python import files. However, some applications add additional import directories during runtime initialization. Use this option to specify additional import directories.

ColdFusion Options
The following table describes the ColdFusion options.

Table 7: ColdFusion Options

-source-base-dir
    The web application's root directory.

-source-archive
    The application's source archive repository. You must include the -scan and -f options to use this option.

Java/J2EE Options
The following table describes the Java/J2EE options.

Table 8: Java/J2EE Options

-appserver
    Specifies the application server for processing JSP files: weblogic or websphere.

-appserver-home
    Specifies the application server's home. For Weblogic, this is the path to the directory containing the server/lib directory. For WebSphere, this is the path to the directory containing the JspBatchCompiler script.

-appserver-version
    Specifies the version of the application server. For Weblogic, valid values are 7, 8, 9, and 10. For WebSphere, the valid value is 6.


-cp <classpath>, -classpath <classpath>
    Specifies the classpath to use for analyzing Java source code. The format is the same as javac: a colon or semicolon separated list of paths. You can use Fortify SCA file specifiers.
    Note: If you do not specify the classpath with this option, the CLASSPATH environment variable is used.

-extdirs <dirs>
    Similar to the javac -extdirs option, accepts a colon or semicolon separated list of directories. Any jar files found in these directories are included implicitly on the classpath.

-java-build-dir
    Specifies one or more directories to which Java sources have been compiled. Must be specified for FindBugs results, as described in Analysis Options on page 36.

-source <version>
    Indicates which version of the JDK the Java code is written for. Valid values for version are 1.3, 1.4, 1.5, and 1.6. The default is 1.4.

-sourcepath
    Specifies the location of source files which will not be included in the scan but will be used for name resolution. The sourcepath is like classpath, except it uses source files rather than class files for resolution.

.NET Options
The following table describes the .NET options.

Table 9: .NET Options

-libdirs <dirs>
    Accepts a colon or semicolon separated list of directories where system DLLs are located.

-dotnet-sources <directory name>
    Specifies where to look for source files for additional information. This option is automatically passed from the Fortify SCA plugins and Audit Workbench, but when you are running SCA manually, you must provide it yourself. This option causes SCA to attempt to find any .NET classes, enums, or interfaces that are not explicitly declared in the compiled project.

-vsversion <version>
    Specifies the Visual Studio version. Valid values for version are 7.1 for Visual Studio Version 2003 and 8.0 for Visual Studio Version 2005, and the default value is 7.1.

Build Integration Options
The following table describes the build integration options.


Table 10: Build Integration Options

-b <build_id>
    Specifies the build ID. The build ID is used to track which files are compiled and combined to be part of a build and later to scan those files.

-bin <binary>
    Used with -scan to specify a subset of source files to scan. Only the source files that were linked in the named binary at build time are included in the scan. Can be used multiple times to specify the inclusion of multiple binaries in the scan.

-exclude <file_pattern>
    Removes files from the list of files to translate. For example:
    sourceanalyzer -cp "**/*.jar" "**/*" -exclude "**/Test.java"
    Note: The -exclude option works when input files are specified on the command line; it does not work with compiler integration.

-nc
    When specified before a compiler command line, Fortify SCA processes the source file but does not run the compiler.

Directives
The following directives can be used to list information about translation steps that have been taken. Only one directive can be used at a time, and it cannot be used in conjunction with normal translation or analysis steps.

Table 11: Directives

-clean
    Deletes all Fortify SCA intermediate files and build records. When a build ID is also specified, only files and build records relating to that build ID are deleted.

-show-binaries
    Displays all objects that were created but not used in the production of any other binaries. If fully integrated into the build, it lists all of the binaries produced.

-show-build-ids
    Displays a list of all known build IDs.
    Note: This option may erase build IDs generated by previous versions of Fortify SCA.

-show-build-tree
    Displays all files used to create a binary and all files used to create those files in a tree layout. If the -bin <binary> option is not present, the tree is displayed for each binary.
    Note: This option can generate an extensive amount of information.

-show-files
    Lists the files in the specified build ID. When the -bin option is present, displays only the source files that went into the binary.

-show-build-warnings
    Use with -b <build_id> to show all errors and warnings from the translation phase on the console.
    Note: These errors and warnings display in the results certification panel of Audit Workbench.


Runtime Options
The following table describes the runtime options.

Table 12: Runtime Options

-auth-silent
    Available on Fortify SCA Per Use edition only. Suppresses the prompt that displays the number of lines the scan requires to analyze the source code. With this option, the lines are automatically deducted.
    Note: If the scan requires more lines than are available, the scan fails with an error indicating how many additional lines are required.

-64
    Runs Fortify SCA under the 64-bit JRE. If no 64-bit JRE is available, Fortify SCA fails.

-logfile <file_name>
    Specifies the log file that is produced by Fortify SCA.

-quiet
    Disables the command line progress bar.

-verbose
    Sends verbose status messages to the console.

-Xmx <size>
    Specifies the maximum amount of memory used by Fortify SCA. By default, it uses up to 600 MB of memory (-Xmx600M), which can be insufficient for large code bases. When specifying this option, ensure that you do not allocate more memory than is physically available, because this degrades performance. As a guideline, assuming no other memory intensive processes are running, do not allocate more than 2/3 of the available memory.

Line Transfer Options
The Fortify SCA Per Use edition has the following line transfer options. Table 13 describes the options to show the number of available lines and to transfer lines from the Per Use Portal account to a local instance of Fortify SCA.

Table 13: Line Transfer Options

-auth-gen-request <request-file-name>
    Creates a file that contains a request for lines.
    Note: You must manually upload the request file to the Per Use Portal to receive a response file that allocates lines to the Fortify SCA instance.

-auth-query
    Shows the number of lines available.

-auth-request
    Sends a request to transfer lines from the Per Use Portal account to the Fortify SCA instance. This option requires internet access.
    Note: If the account has insufficient lines, the request fails.

-auth-import-response <response-file-name>
    Installs a response file that allocates lines to the Fortify SCA instance.
    Note: The file can only be installed on the instance that generated the request.


-show-loc
    Use with -b <build_id> to determine how many lines of code were translated. This option returns the total number of lines required to analyze the project.

Other Options
The following table describes other options.

Table 14: Other Options

@<filename>
    Reads command line options from the specified file.

-encoding <encoding_name>
    Specifies the source file encoding type. This option is the same as the javac -encoding option.

-h, -?, -help
    Prints this summary of command line options.

-version
    Displays the version number.

-debug
    Enables debug mode, which is useful during troubleshooting.

-build-migration-map <old_fpr_file>
    Runs the Instance ID mapper at the end of a scan.

Specifying Files
File specifiers are expressions that allow you to easily pass a long list of files to Fortify SCA using wildcard characters. Fortify SCA recognizes two types of wildcard characters: '*' matches part of a file name, and '**' recursively matches directories. You can specify one or more files, one or more file specifiers, or a combination of files and file specifiers.
<files> | <file specifiers>

File specifiers can take the following forms:

Table 15: File Specifiers

<dirname>
    All files found under the named directory or any subdirectories

<dirname>/**/Example.java
    Any file named Example.java found under the named directory or any subdirectories

<dirname>/*.java
    Any file with the extension .java found in the named directory

<dirname>/**/*.java
    Any file with the extension .java found under the named directory or any subdirectories

<dirname>/**/*
    All files found under the named directory or any subdirectories (same as <dirname>)


Note: Windows and many Unix shells automatically try to expand arguments containing the '*' character, so file specifier expressions should be quoted. Also, on Windows, the backslash character (\) may be used as the directory separator instead of the forward slash (/).

File specifiers do not apply to C or C++ languages.
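To make the matching rules of Table 15 concrete, the following is an added Python example (not code from this guide or from the Fortify SCA product) that implements the '*' and '**' wildcard forms over a constructed list of paths; select_files also applies -exclude specifiers in the way Table 10 describes for the sourceanalyzer command line. The sample tree, the function names and the treatment of a trailing '**' as '**/*' are assumptions made for this example.

```python
import re
from typing import Iterable, List


def _normalise(path: str) -> str:
    """Accept backslash separators (allowed on Windows) and drop a trailing slash."""
    return path.replace("\\", "/").rstrip("/")


def specifier_to_regex(spec: str) -> "re.Pattern[str]":
    """Translate one file specifier into an anchored regular expression.

    Semantics follow Table 15:
      '*'  matches part of a single file or directory name (never a '/')
      '**' matches zero or more whole directory levels
      a specifier with no wildcard names a file, or a directory whose
      entire subtree is selected (so 'src' selects the same as 'src/**/*')
    """
    parts = _normalise(spec).split("/")
    pieces: List[str] = []
    for i, part in enumerate(parts):
        last = i == len(parts) - 1
        if part == "**":
            # zero or more directory components, each followed by '/';
            # a trailing '**' is treated like '**/*' (assumption) so it names files
            pieces.append("(?:[^/]+/)*" + ("[^/]+" if last else ""))
            continue
        # escape the literal text, then let a single '*' match within one name
        pieces.append(re.escape(part).replace(r"\*", "[^/]*"))
        if not last:
            pieces.append("/")
    pattern = "".join(pieces)
    if "*" not in spec:
        # plain name: the exact file, or everything beneath the directory
        pattern += "(?:/.*)?"
    return re.compile("^" + pattern + "$")


def select_files(paths: Iterable[str], include: Iterable[str],
                 exclude: Iterable[str] = ()) -> List[str]:
    """Return paths matched by any include specifier and by no exclude specifier.

    This mirrors a command line such as
        sourceanalyzer -cp "**/*.jar" "**/*" -exclude "**/Test.java"
    where the positional specifiers select inputs and -exclude removes some of
    them. Per the Table 10 note, -exclude only applies to files named on the
    command line, which is exactly the list this function receives.
    """
    inc = [specifier_to_regex(s) for s in include]
    exc = [specifier_to_regex(s) for s in exclude]
    selected: List[str] = []
    for raw in paths:
        path = _normalise(raw)
        if any(r.match(path) for r in inc) and not any(r.match(path) for r in exc):
            selected.append(path)
    return selected


# Constructed sample tree (relative paths); not taken from any real project.
SAMPLE_TREE = [
    "src/Main.java",
    "src/Example.java",
    "src/util/Helper.java",
    "src/util/Example.java",
    "src/test/Test.java",
    "lib/a.jar",
    "lib/sub/b.jar",
    "web/WEB-INF/web.xml",
    "README.txt",
]

if __name__ == "__main__":
    # The five forms from Table 15, applied to the sample tree
    for spec in ["src", "src/**/Example.java", "src/*.java", "src/**/*.java", "src/**/*"]:
        print(f"{spec:22} -> {select_files(SAMPLE_TREE, [spec])}")
    # The Table 10 example: all inputs minus any Test.java, and every jar for -cp
    print("inputs     ->", select_files(SAMPLE_TREE, ["**/*"], ["**/Test.java"]))
    print("classpath  ->", select_files(SAMPLE_TREE, ["**/*.jar"]))
```

Because a shell would expand the '*' before sourceanalyzer sees it, the specifiers are passed as quoted Python strings here just as they should be quoted on the real command line.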


Appendix: Using the sourceanalyzer Ant Task
The sourceanalyzer Ant task provides a convenient way to integrate Fortify SCA into your Ant build. As discussed in Translating Java Code, translation of Java source files that are part of an Ant build is most easily accomplished using the SCA Compiler Adapter, which automatically captures input to javac task invocations. The sourceanalyzer task provides a convenient and flexible way to accomplish other translation tasks and to run analysis.
This section describes how to use the sourceanalyzer Ant task and provides an example of a sample build file with a self-contained analysis target. It contains the following topics:
- Using the Ant sourceanalyzer Task
- Ant properties
- sourceanalyzer Task Options

Using the Ant sourceanalyzer Task
As with the SCA Compiler Adapter, using the sourceanalyzer task requires sourceanalyzer.jar to be on Ant's classpath, and the sourceanalyzer executable to be on the PATH.
The first step to using the sourceanalyzer task is to include a typedef in the build.xml file as follows:
<typedef name="sourceanalyzer" classname="com.fortify.dev.ant.SourceanalyzerTask"/>

Note: Only Ant 1.6 and higher supports a top-level typedef of the sourceanalyzer task. For Ant 1.5 and lower, include the typedef in the target where the sourceanalyzer task is used.

Once this typedef is included, targets can be defined that invoke the sourceanalyzer task to perform translation and analysis operations exactly as if running sourceanalyzer from the command line. The sourceanalyzer task syntax is similar to that of the command line interface, but Ant fileset and path primitives can be leveraged.
The following is an example of a snippet from an Ant build.xml file which provides a target users can call to generate Fortify SCA results for the project. This snippet assumes that the targets clean and compile and the path jsp.classpath are defined elsewhere in the file. It also uses verbose and log to create a separate Fortify SCA log file for the build.


<available classname="com.fortify.dev.ant.SourceanalyzerTask" property="fortify.present"/>
<property name="sourceanalyzer.buildid" value="mybuild"/>
<!-- For debugging in a separate Fortify SCA log file -->
<property name="fortify.debug" value="false" />
<property name="fortify.verbose" value="false" />

<mkdir dir="${code.build}/log" />
<mkdir dir="${code.build}/audit" />

<tstamp/>
<target name="fortify" if="fortify.present">
  <typedef name="sourceanalyzer" classname="com.fortify.dev.ant.SourceanalyzerTask"/>
  <!-- call clean to ensure that all source files are recompiled -->
  <antcall target="clean"/>
  <!-- call the compile target using the SCA Compiler Adapter to -->
  <!-- translate all source files -->


  <antcall target="compile">
    <!-- Log SCA in separate file -->
    <param name="com.fortify.sca.Debug" value="${fortify.debug}" />
    <param name="com.fortify.sca.Verbose" value="${fortify.verbose}" />
    <param name="com.fortify.sca.LogFile"
           value="${code.build}/log/${sourceanalyzer.buildid}-${DSTAMP}${TSTAMP}.log" />
    <param name="build.compiler" value="com.fortify.dev.ant.SCACompiler" />
  </antcall>
  <!-- capture all configuration files in WEB-INF directory -->
  <echo>sourceanalyzer ${web-inf}</echo>
  <sourceanalyzer buildid="${sourceanalyzer.buildid}">
    <fileset dir="${web-inf}">
      <include name="**/*.properties"/>
      <include name="**/*.xml"/>
    </fileset>
  </sourceanalyzer>
  <!-- translate all jsp files -->
  <echo>sourceanalyzer ${basedir} jsp</echo>
  <sourceanalyzer buildid="${sourceanalyzer.buildid}">
    <fileset dir="${basedir}">
      <include name="**/*.jsp"/>
    </fileset>
    <classpath refid="jsp.classpath"/>
  </sourceanalyzer>
  <!-- run analysis -->
  <echo>sourceanalyzer scan</echo>
  <sourceanalyzer buildid="${sourceanalyzer.buildid}" scan="true" resultsfile="issues.fpr"/>
</target>

Ant properties
Any Ant property that begins with com.fortify is relayed to the sourceanalyzer task via -D. For example, setting the com.fortify.sca.ProjectRoot property results in -Dcom.fortify.sca.ProjectRoot=<value> being passed to the sourceanalyzer task. This is also used for the SCA Compiler adapter. These properties can be set either in the build file, using the <property> task for example, or on the Ant command line using the -D<property>=<value> syntax.
When using the SCA Compiler adapter via the build.compiler setting, the sourceanalyzer.build Ant property is equivalent to the buildID attribute of the sourceanalyzer task, and sourceanalyzer.maxHeap is equivalent to maxHeap. You can use either the command line or your build script to set these properties.


sourceanalyzer Task Options
The following table contains the command line options for the sourceanalyzer task. Path values use colon (:) or semicolon (;) delimited lists of file names. Each entry gives the task attribute, followed in parentheses by the equivalent command line option.

Table 16: Sourceanalyzer Task Command Line Options

append (-append)
    Appends results to the file specified with the -f option. If this option is not specified, Fortify SCA overwrites the file.
    Note: To use this option, the output file format must be .fpr or .fvdl. For information on the -format output option, see the description in this table.

appserver (-appserver <appserver>)
    Specifies the application server. Valid options are weblogic or websphere.

appserverHome (-appserver-home <directory>)
    Specifies the application server's home directory. For Weblogic, this is the path to the directory containing the server/lib directory. For WebSphere, this is the path to the directory containing the bin/JspBatchCompiler script.

appserverVersion (-appserver-version <version_number>)
    Specifies the version of the application server. For Weblogic: versions 7, 8, 9, and 10. For WebSphere: version 6.

bootclasspath (-bootclasspath <classpath>)
    Specifies the JDK bootclasspath.

buildID (-b <build_ID>)
    Specifies the build ID. The build ID is used to track which files are compiled and linked as part of a build and later to scan those files.

buildLabel (-build-label <build_label>)
    Specifies the label of the project being scanned. The label is not used by Fortify SCA but is included in the analysis results.

buildProject (-build-project <project_name>)
    Specifies the name of the project being scanned. The name is not used by Fortify SCA but is included in the analysis results.

buildVersion (-build-version <version>)
    The version of the project being scanned. The version is not used by Fortify SCA but is included in the analysis results.

classpath (-cp <classpath>)
    Specifies the classpath to be used for Java source code. The format is the same as javac (colon or semicolon separated list of paths).

clean (-clean)
    This option resets the build ID. The default value is false.

debug (-debug)
    This option enables the debug mode, which is useful during troubleshooting.

disableAnalyzers (-disable-analyzer <list_of_analyzers>)
    This option takes a colon delimited list of analyzers so that you can disable multiple analyzers at once if necessary.

enableAnalyzers (-enable-analyzer <list_of_analyzers>)
    This option takes a colon delimited list of analyzers so that you can enable multiple analyzers at once if necessary.

encoding (-encoding <encoding_type>)
    Specifies the source file encoding type. This option is the same as the javac -encoding option.

extdirs (-extdirs <list_of_dirs>)
    Similar to the javac -extdirs option, accepts a colon or semicolon separated list of directories. Any jar files found in these directories are included implicitly on the classpath.

filter (-filter <file_name>)
    Specifies the filter file.

findbugs (-findbugs)
    Setting this to true enables FindBugs analysis. The default value is false.

format (-format <format_type>)
    Controls the output format. Valid options are fpr, fvdl, text, and auto. The default is auto, which selects the output format based on the file extension.
    Note: If you are using results certification, you must specify the fpr format. See the Audit Workbench User's Guide for information on results certification.

htmlReport (-html-report)
    Specifies the creation of an HTML summary of the results produced. The output format must be fpr or fvdl. The report file will be given the same base name as the results output file. The default value is false.
    Note: The HTML summary and the summary through Audit Workbench display differing numbers of issues. This is in part due to differing methodology for categorizing HIGH and LOW issues between the two types of reports. For a more detailed summary report of issues, use the \AWB\FPRUtility tool.

javaBuildDir (-java-build-dir <directory>)
    Specifies one or more directories to which Java sources have been compiled. Must be specified for the findbugs option, as described above.


jdk (-source <value>)
    Indicates which version of the JDK the Java code is written for. Valid values for this option are 1.3, 1.4, 1.5, and 1.6. The default is 1.4.
    Note: The source and jdk options are the same. If both options are specified, the option that is specified last will take precedence.

jdkBootclasspath (-jdk-bootclasspath <classpath>)
    Specifies the JDK bootclasspath.

logfile (-logfile <file_name>)
    Specifies the log file that is produced by Fortify SCA.

maxHeap (-Xmx <size>)
    Specifies the maximum amount of memory used by Fortify SCA. By default, it uses up to 600 MB of memory (600M), which can be insufficient for large code bases.
    When specifying this option, ensure that you do not allocate more memory than is physically available, because this will degrade performance. As a guideline, assuming no other memory intensive processes are running, do not allocate more than 2/3 of the available memory.

noDefaultRules (-no-default-rules)
    Setting this option specifies that Fortify SCA should not apply default rules when scanning.

quick (-quick-scan)
    Launches an SCA quick scan instead of a regular scan. Set the value to true to launch a quick scan.

resultsfile (-f <absolute_path_file_name>)
    The file to which the results are written.

rules (-rules <delimited_rules_list>)
    The rules option takes a list of rules files, delimited by the path separator (this is a semicolon (;) on Windows, and a colon (:) on other platforms). For each element in this list, SCA is passed the -rules <file> command.

scan (-scan)
    Setting this option determines whether Fortify SCA should perform analysis on the provided build ID. The default value is false.

source (-source <value>)
    Indicates which version of the JDK the Java code is written for. Valid values for this option are 1.3, 1.4, 1.5, and 1.6. The default is 1.4.
    Note: The source and jdk options are the same. If both options are specified, the option that is specified last will take precedence.


sourcepath (-sourcepath <directory>)
    Specifies the location of source files which will not be included in the scan but will be used for resolution.

use64bit (-64)
    Runs Fortify SCA under the 64-bit JRE. If no 64-bit JRE is available, Fortify SCA fails.

verbose (-verbose)
    Setting this option sends verbose status messages to the console.

The bootclasspath, classpath, extdirs, and sourcepath options may also be specified as nested elements, as with the Ant javac task. Source files can be specified via nested <fileset> elements.
The following table includes the sourceanalyzer elements.


Table 17: Sourceanalyzer Task Nested Elements

Element: fileset
Ant type: Fileset
Description: Specifies the files to pass to Fortify SCA.

Element: classpath
Ant type: Path
Description: Specifies the classpath to be used for Java source code.

Element: bootclasspath
Ant type: Path
Description: Specifies the JDK bootclasspath.

Element: extdirs
Ant type: Path
Description: Similar to the javac extdirs option. Any jar files found in these directories are included implicitly on the classpath.

Element: sourcepath
Ant type: Path
Description: Specifies the location of source files which will not be included in the scan but will be used for resolution.

Appendix: Advanced Options

This chapter describes the following advanced options:
- Creating a Filter File
- Using Properties to Control Runtime Options

Creating a Filter File

You can create a text file for filtering out particular vulnerability instances, rules, and vulnerability categories when you run the sourceanalyzer command. The file is specified by the -filter analysis option.

Note: Fortify Software recommends that you only use this feature if you are an advanced user, and that you do not use this feature during standard audits, because auditors should be able to see and evaluate all issues found by Fortify SCA.

A filter file is a flat text file that can be created with any text editor. The file functions as a blacklist, such that only the filter items you do not want are specified, one per line. The following filter types can be entered on a line:
- Category
- Instance ID
- Rule ID

The filters are applied at different times in the analysis process, according to the type of filter. Category and rule ID filters are applied during the initialization phase, before any scans have taken place, whereas an instance ID filter is applied after the analysis phase.

As an example, the following output resulted from a scan of EightBall.java, located in the /Samples/basic/eightball directory in your Fortify installation directory. The following commands are executed to produce the analysis results:

    >sourceanalyzer -b eightball Eightball.java
    >sourceanalyzer -b eightball -scan

The following result set displays, showing 12 detected issues.

    [F7A138CDE5235351F6A4405BA4AD7C54 : low : Unchecked Return Value : semantic ]
        Fortify SCA 360 v2.1/Samples/basic/eightball/EightBall.java(12) : Reader.read()

    [F7A138CDE5235351F6A4405BA4AD7C53 : low : Unchecked Return Value : semantic ]
        Fortify SCA 5.2/Samples/basic/eightball/EightBall.java(12) : Reader.read()

    [EFE997D3683DC384056FA40F6C7BD0E9 : medium : Path Manipulation : dataflow ]
        Fortify SCA 5.2/Samples/basic/eightball/EightBall.java(12) : ->new FileReader(0)
        Fortify SCA 5.2/Samples/basic/eightball/EightBall.java(6) : <=> (filename)
        Fortify SCA 5.2/Samples/basic/eightball/EightBall.java(4) : ->EightBall.main(0)

    [EFE997D3683DC384056FA40F6C7BD0E8 : medium : Path Manipulation : dataflow ]
        Fortify SCA 360 v2.1/Samples/basic/eightball/EightBall.java(12) : ->new FileReader(0)
        Fortify SCA 360 v2.1/Samples/basic/eightball/EightBall.java(6) : <=> (filename)
        Fortify SCA 360 v2.1/Samples/basic/eightball/EightBall.java(4) : ->EightBall.main(0)

    [60AC727CCEEDE041DE984E7CE6836177 : medium : Unreleased Resource : Streams : controlflow ]
        Fortify SCA 360 v2.1/Samples/basic/eightball/EightBall.java(12) : start -> loaded : new FileReader(...)
        Fortify SCA 360 v2.1/Samples/basic/eightball/EightBall.java(12) : loaded -> loaded : <inline expression> refers to an allocated resource
        Fortify SCA 360 v2.1/Samples/basic/eightball/EightBall.java(12) : java.io.IOException thrown
        Fortify SCA 360 v2.1/Samples/basic/eightball/EightBall.java(12) : loaded -> loaded : throw
        Fortify SCA 360 v2.1/Samples/basic/eightball/EightBall.java(12) : loaded -> loaded : <inline expression> no longer refers to an allocated resource
        Fortify SCA 360 v2.1/Samples/basic/eightball/EightBall.java(12) : loaded -> end_of_scope : end scope : Resource leaked : java.io.IOException thrown
        Fortify SCA 360 v2.1/Samples/basic/eightball/EightBall.java(12) : start -> loaded : new FileReader(...)
        Fortify SCA 360 v2.1/Samples/basic/eightball/EightBall.java(12) : loaded -> loaded : <inline expression> refers to an allocated resource
        Fortify SCA 360 v2.1/Samples/basic/eightball/EightBall.java(14) : loaded -> loaded : <inline expression> no longer refers to an allocated resource
        Fortify SCA 360 v2.1/Samples/basic/eightball/EightBall.java(14) : loaded -> end_of_scope : end scope : Resource leaked

    [60AC727CCEEDE041DE984E7CE6836178 : medium : Unreleased Resource : Streams : controlflow ]
        Fortify SCA 5.2/Samples/basic/eightball/EightBall.java(12) : start -> loaded : new FileReader(...)
        Fortify SCA 5.2/Samples/basic/eightball/EightBall.java(12) : loaded -> loaded : <inline expression> refers to an allocated resource
        Fortify SCA 5.2/Samples/basic/eightball/EightBall.java(12) : java.io.IOException thrown
        Fortify SCA 5.2/Samples/basic/eightball/EightBall.java(12) : loaded -> loaded : throw
        Fortify SCA 5.2/Samples/basic/eightball/EightBall.java(12) : loaded -> loaded : <inline expression> no longer refers to an allocated resource
        Fortify SCA 5.2/Samples/basic/eightball/EightBall.java(12) : loaded -> end_of_scope : end scope : Resource leaked : java.io.IOException thrown
        Fortify SCA 5.2/Samples/basic/eightball/EightBall.java(12) : start -> loaded : new FileReader(...)
        Fortify SCA 5.2/Samples/basic/eightball/EightBall.java(12) : loaded -> loaded : <inline expression> refers to an allocated resource
        Fortify SCA 5.2/Samples/basic/eightball/EightBall.java(14) : loaded -> loaded : <inline expression> no longer refers to an allocated resource
        Fortify SCA 5.2/Samples/basic/eightball/EightBall.java(14) : loaded -> end_of_scope : end scope : Resource leaked

    [BB9F74FFA0FF75C9921D0093A0665BEB : low : J2EE Bad Practices : Leftover Debug Code : structural ]
        Fortify SCA 360 v2.1/Samples/basic/eightball/EightBall.java(4)

    [FF0D787110C7AD2F3ACFA5BEB6E951C3 : low : Poor Logging Practice : Use of a System Output Stream : structural ]
        Fortify SCA 360 v2.1/Samples/basic/eightball/EightBall.java(10)

    [FF0D787110C7AD2F3ACFA5BEB6E951C4 : low : Poor Logging Practice : Use of a System Output Stream : structural ]
        Fortify SCA 360 v2.1/Samples/basic/eightball/EightBall.java(13)

    [BB9F74FFA0FF75C9921D0093A0665BEC : low : J2EE Bad Practices : Leftover Debug Code : structural ]
        Fortify SCA 5.2/Samples/basic/eightball/EightBall.java(4)

    [FF0D787110C7AD2F3ACFA5BEB6E951C5 : low : Poor Logging Practice : Use of a System Output Stream : structural ]
        Fortify SCA 5.2/Samples/basic/eightball/EightBall.java(10)

    [FF0D787110C7AD2F3ACFA5BEB6E951C6 : low : Poor Logging Practice : Use of a System Output Stream : structural ]
        Fortify SCA 5.2/Samples/basic/eightball/EightBall.java(13)

The sample filter file, test_filter.txt, does the following:
- Removes all results related to the Poor Logging Practice category
- Removes the Unreleased Resource issue based on its instance ID
- Removes any dataflow issues that were generated from a specific rule ID

The test_filter.txt file used in this example contains the following text:

    #This is a category that will be filtered from scan output
    Poor Logging Practice
    #This is an instance ID of a specific issue to be filtered from scan
    #output
    60AC727CCEEDE041DE984E7CE6836177
    #This is a specific Rule ID that leads to the reporting of a specific
    #issue in
    #the scan output: in this case the data flow sink for a Path Manipulation
    #issue.
    823FE039-A7FE-4AAD-B976-9EC53FFE4A59

You can create a file to test the filtered output by copying the above text into a file. The following command is executed using the -filter option to specify test_filter.txt:

    [C:\Program Files\Fortify Software\Fortify SCA 5.0\Samples\basic\eightball]>sourceanalyzer -b eightball -scan -filter test_filter.txt

The following result set displays:

    [F7A138CDE5235351F6A4405BA4AD7C53 : low : Unchecked Return Value : semantic] EightBall.java(12) : Reader.read()
    [BB9F74FFA0FF75C9921D0093A0665BEB : low : J2EE Bad Practices : Leftover Debug Code : structural] EightBall.java(4)
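The following Python script is an added example, not code from the guide or from Fortify SCA: it models how a filter file is read (comment lines start with #, and each remaining line is classified by its shape as an instance ID, a rule ID, or a category) and applied to the text output of a scan. Two assumptions are labelled in the code: a category entry is taken to match the whole category path or any leading part of it (which is how "Poor Logging Practice" also removes the "Use of a System Output Stream" issues above), and because the text output carries no rule IDs, the rule ID from test_filter.txt is attached to the Path Manipulation issue through a constructed side table. The sample output is constructed from the issues shown above.

```python
import re
from dataclasses import dataclass, field

# Line shapes in a filter file: a 32-hex-digit instance ID, a GUID-style
# rule ID, or (anything else) a category name. '#' starts a comment.
INSTANCE_ID_RE = re.compile(r"^[0-9A-Fa-f]{32}$")
RULE_ID_RE = re.compile(r"^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$")
# Header line of one issue in sourceanalyzer text output:
# [instance ID : severity : category path : analyzer ] location
ISSUE_RE = re.compile(r"^\[([0-9A-F]{32}) : (\w+) : (.+) : (\w+)\s*\]\s*(.*)$")


@dataclass
class Issue:
    instance_id: str
    severity: str
    category: str          # full path, e.g. "Unreleased Resource : Streams"
    analyzer: str
    location: str
    rule_id: str = None    # absent from text output; attached from a side table


@dataclass
class FilterFile:
    categories: set = field(default_factory=set)
    instance_ids: set = field(default_factory=set)
    rule_ids: set = field(default_factory=set)


def parse_filter_file(text: str) -> FilterFile:
    """Sort each non-comment, non-blank line into one of the three filter kinds."""
    ff = FilterFile()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if INSTANCE_ID_RE.match(line):
            ff.instance_ids.add(line.upper())
        elif RULE_ID_RE.match(line):
            ff.rule_ids.add(line.upper())
        else:
            ff.categories.add(line)
    return ff


def parse_issues(text: str, rule_ids_by_instance: dict = None) -> list:
    """Parse issue header lines; trace lines under a header are skipped."""
    rule_ids_by_instance = rule_ids_by_instance or {}
    issues = []
    for line in text.splitlines():
        m = ISSUE_RE.match(line)
        if m:
            iid, sev, cat, analyzer, loc = m.groups()
            issues.append(Issue(iid, sev, cat, analyzer, loc, rule_ids_by_instance.get(iid)))
    return issues


def category_matches(filter_cat: str, issue_cat: str) -> bool:
    """Assumed rule: a filter entry matches the whole category path or any
    leading part of it, so "Poor Logging Practice" also removes sub-categories."""
    parts = issue_cat.split(" : ")
    return any(" : ".join(parts[:i]) == filter_cat for i in range(1, len(parts) + 1))


def apply_filter(issues: list, ff: FilterFile) -> list:
    """Drop issues hit by a category, rule ID or instance ID entry."""
    kept = []
    for issue in issues:
        if any(category_matches(c, issue.category) for c in ff.categories):
            continue
        if issue.rule_id and issue.rule_id.upper() in ff.rule_ids:
            continue
        if issue.instance_id.upper() in ff.instance_ids:
            continue
        kept.append(issue)
    return kept


# Constructed sample output modelled on the EightBall.java scan shown above.
SAMPLE_OUTPUT = """\
[F7A138CDE5235351F6A4405BA4AD7C53 : low : Unchecked Return Value : semantic ] EightBall.java(12) : Reader.read()
[EFE997D3683DC384056FA40F6C7BD0E9 : medium : Path Manipulation : dataflow ] EightBall.java(12) : ->new FileReader(0)
[60AC727CCEEDE041DE984E7CE6836177 : medium : Unreleased Resource : Streams : controlflow ] EightBall.java(12) : start -> loaded : new FileReader(...)
[BB9F74FFA0FF75C9921D0093A0665BEB : low : J2EE Bad Practices : Leftover Debug Code : structural ] EightBall.java(4)
[FF0D787110C7AD2F3ACFA5BEB6E951C3 : low : Poor Logging Practice : Use of a System Output Stream : structural ] EightBall.java(10)
"""
# Constructed side table: the text output carries no rule IDs, so the Path
# Manipulation issue is assumed to come from the rule named in test_filter.txt.
RULE_IDS = {"EFE997D3683DC384056FA40F6C7BD0E9": "823FE039-A7FE-4AAD-B976-9EC53FFE4A59"}

FILTER_TEXT = """\
#category
Poor Logging Practice
#instance ID
60AC727CCEEDE041DE984E7CE6836177
#rule ID
823FE039-A7FE-4AAD-B976-9EC53FFE4A59
"""


def surviving_instance_ids() -> list:
    """Instance IDs left after applying FILTER_TEXT to SAMPLE_OUTPUT."""
    ff = parse_filter_file(FILTER_TEXT)
    return [i.instance_id for i in apply_filter(parse_issues(SAMPLE_OUTPUT, RULE_IDS), ff)]
```

Running surviving_instance_ids() leaves only the Unchecked Return Value and Leftover Debug Code issues, matching the filtered result set above. In a real scan the category and rule ID entries are applied by Fortify SCA before analysis and the instance ID entry afterwards, so this script only reproduces the net effect, not the timing.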

Using Properties to Control Runtime Options

You can use properties to define runtime options for Fortify SCA, including analysis, output, and performance tuning options. These properties can be set in four different places:
- fortify-sca.properties contains the global set of default properties
- fortify-sca.properties (for Windows installations) or .fortify-sca.properties (for non-Windows installations) contains your locally defined properties
- On the command line, by specifying -D<property_name>=<property_value>
- fortify-sca-quickscan.properties contains the set of properties that are used when SCA runs in Quick Scan mode

The fortify-sca.properties and fortify-sca-quickscan.properties files are located in the <install_directory>/Core/config directory. The fortify.properties file is located in either your Windows user directory or your Unix home directory. You can edit all properties files directly.

Specifying the Order of Properties

Fortify SCA processes properties in a specific order, using this order to override any previously set properties with the values that you specify. You should keep this processing order in mind when making changes to the properties files. Property definitions are processed in the following order:
1. Properties specified on the command line have the highest precedence and can be specified during any scan.
2. Properties specified in the fortify-sca-quickscan.properties file are processed second, but only when the -quick option is used to operate in Quick Scan mode. If Quick Scan is not invoked, this file is ignored.
3. Properties specified in the local fortify.properties file are processed third. Change values in this file on a scan-by-scan basis to fine-tune your installation.
4. Properties specified in the global fortify-sca.properties file are processed last. You should edit this file if you want to change the property values on a more permanent basis for all scans.
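As an added example (not code from the guide or from Fortify SCA), the following Python script resolves an effective property value in the precedence order just described: the global file is read first, then the local file, then fortify-sca-quickscan.properties only when -quick is on the command line, and finally any -D definitions, with each layer overriding the one before. The three property files are constructed samples, but the property names and values in them are those documented in the tables that follow; the minimal .properties reader handles key=value and key:value lines with # or ! comments.

```python
# Added example: resolve Fortify SCA properties in the documented precedence
# order. File contents are constructed samples using documented property names.


def parse_properties(text: str) -> dict:
    """Minimal .properties reader: key=value or key:value, '#' or '!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        sep = next((i for i, ch in enumerate(line) if ch in "=:"), None)
        if sep is None:
            props[line] = ""
        else:
            props[line[:sep].strip()] = line[sep + 1:].strip()
    return props


def parse_cmdline_defines(argv: list) -> dict:
    """Collect -D<property_name>=<property_value> arguments from a command line."""
    defines = {}
    for arg in argv:
        if arg.startswith("-D") and "=" in arg:
            name, value = arg[2:].split("=", 1)
            defines[name] = value
    return defines


def resolve_properties(argv: list, global_text: str, local_text: str, quickscan_text: str) -> dict:
    """Merge the sources lowest-precedence first so that later layers win.

    Lowest to highest: global fortify-sca.properties, local properties file,
    fortify-sca-quickscan.properties (only with -quick), -D command line definitions.
    """
    layers = [parse_properties(global_text), parse_properties(local_text)]
    if "-quick" in argv:
        layers.append(parse_properties(quickscan_text))
    layers.append(parse_cmdline_defines(argv))
    merged = {}
    for layer in layers:
        merged.update(layer)
    return merged


# Constructed sample files; values are the defaults documented in the guide.
GLOBAL_PROPS = """\
# fortify-sca.properties: global defaults
com.fortify.sca.limiters.MaxChainDepth=5
com.fortify.sca.limiters.MaxPaths=5
com.fortify.sca.FPRDisableSrcHtml=false
com.fortify.sca.JdkVersion=1.4
"""
LOCAL_PROPS = """\
! local per-user overrides (constructed)
com.fortify.sca.limiters.MaxPaths=10
"""
QUICKSCAN_PROPS = """\
# fortify-sca-quickscan.properties: applied only with -quick
com.fortify.sca.limiters.MaxChainDepth=4
com.fortify.sca.FPRDisableSrcHtml=true
com.fortify.sca.FilterSet=Targeted
"""


def effective(argv: list) -> dict:
    """Effective property set for the given sourceanalyzer command line."""
    return resolve_properties(argv, GLOBAL_PROPS, LOCAL_PROPS, QUICKSCAN_PROPS)


if __name__ == "__main__":
    regular = effective(["sourceanalyzer", "-b", "eightball", "-scan"])
    quick = effective(["sourceanalyzer", "-b", "eightball", "-scan", "-quick",
                       "-Dcom.fortify.sca.limiters.MaxChainDepth=6"])
    print(regular["com.fortify.sca.limiters.MaxChainDepth"])  # global value 5
    print(quick["com.fortify.sca.limiters.MaxChainDepth"])    # -D wins over quickscan's 4
    print(quick["com.fortify.sca.FPRDisableSrcHtml"])         # quickscan file sets true
```

The point to notice is the MaxChainDepth case: a regular scan sees the global value, a -quick scan sees the quickscan file's value, and a -D definition on the command line overrides both.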

Fortify SCA also relies on some properties that have internally defined default values. The following table lists properties that can be defined. The default values are listed. If you want to use Quick Scan Mode, or want to tune your application, you can make the changes as described in Table 18: Tuning Performance Properties.

Table 18: Fortify Properties

Property name: com.fortify.sca.AbortedScanOverwritesOutput
Default value: false
Description: By default, if a scan is interrupted, the partial results are written to a different output file: <output>.partial.fpr instead of <output>.fpr. If this property is set to true, the interrupted results are written to the normal output file (<output>.fpr), which overwrites any full scan results that may be present in that file.

Property name: com.fortify.sca.Appserver
Default value: (none)
Description: Specifies the application server for processing JSP files: weblogic or websphere.

Property name: com.fortify.sca.Appserver.Home
Default value: (none)
Description: Specifies the application server's home. For WebLogic, this is the path to the directory containing the server/lib directory. For WebSphere, this is the path to the directory containing the bin/JspBatchCompiler script.

Property name: com.fortify.sca.Appserver.Version
Default value: (none)
Description: Specifies the version of the application server. For WebLogic, valid values are 7, 8, 9, and 10. For WebSphere, the valid value is 6.

Property name: com.fortify.sca.fileextensions.*
Default value: (none)
Description: Controls how Fortify SCA handles files with given extensions. See fortify-sca.properties for examples.

Property name: com.fortify.sca.FPRDisableSrcHtml
Default value: (none)
Description: If true, disables source code rendering into the FPR file.

Property name: com.fortify.sca.NoDefaultRules
Default value: (none)
Description: If true, rules from the default rulepacks are not loaded. Fortify SCA processes the rulepacks for description elements and language libraries, but no rules are processed.

Property name: com.fortify.sca.NoDefaultIssueRules
Default value: (none)
Description: If true, disables rules in default rulepacks that lead directly to issues. Still loads rules that characterize the behavior of functions.
Note: This is equivalent to disabling the following rule types: DataflowSink, Semantic, Controlflow, Structural, Configuration, Content, Statistical, Internal, and Characterization:Issue.

Property name: com.fortify.sca.DisableDefaultRuleTypes
Default value: (none)
Description: Disables the specified type of rule in the default rulepacks, where type is the XML tag minus the suffix Rule. For example, use DataflowSource for DataflowSourceRule elements. You can also specify specific sections of characterization rules, such as Characterization:Controlflow, Characterization:Issue, and Characterization:Generic. Type is case-insensitive. Use a colon-delimited list to specify multiple types of rules.

Property name: com.fortify.sca.NoDefaultSinkRules
Default value: (none)
Description: If true, disables sink rules in the default rulepacks.
Note: Characterization sink rules are not disabled.

Property name: com.fortify.sca.NoDefaultSourceRules
Default value: (none)
Description: If true, disables source rules in the default rulepacks.
Note: Characterization source rules are not disabled.

Property name: com.fortify.sca.ProjectRoot
Default value: (platform dependent)
Description: Directory used by Fortify SCA to store intermediate files generated during scans.

Property name: com.fortify.sca.ASPVirtualRoots.<virtual path>=<physical path>
Default value: false
Description: If true, enables support for virtual roots. This property associates virtual path names with physical path names.

Property name: com.fortify.sca.DefaultFileTypes
Default value: java,jsp,sql,pks,pkh,pkb,xml,properties,config,dll,exe
Description: Comma-separated list of file extensions that are picked up by default by Fortify SCA.

Property name: com.fortify.sca.compilers.*
Default value: (none)
Description: Can be used to inform Fortify SCA about specially named compilers. See fortify-sca.properties for examples.

Property name: com.fortify.sca.CfmlUndefinedVariablesAreTainted
Default value: false
Description: If true, treats undefined variables in a CFML page as tainted. Doing so serves as a hint to the dataflow analyzer to watch out for register-globals-style vulnerabilities. However, enabling this property interferes with dataflow findings in which a variable in an included page is initialized to a tainted value in an earlier-occurring included page.

Property name: com.fortify.sca.FVDLDisableProgramData
Default value: false
Description: If true, causes the ProgramData section to be excluded from the analysis results (FVDL output).

Property name: com.fortify.sca.FVDLDisableSnippets
Default value: false
Description: If true, code snippets are not included in the analysis results (FVDL output).

Property name: com.fortify.sca.LogFile
Default value: ${com.fortify.sca.ProjectRoot}/log/sca.log
Description: The default location for the Fortify SCA log file.

Property name: com.fortify.sca.LogMaxSize
Default value: (none)
Description: When this property is set, it enables log rotation for the Fortify SCA log. The value is the number of bytes that can be written to the log file before it is rotated. Must be used with com.fortify.sca.LogMaxFiles.

Property name: com.fortify.sca.LogMaxFiles
Default value: (none)
Description: The number of log files to include in the log file rotation set. When all files are filled, the first file in the rotation is overwritten. The value must be at least 1. Must be used with com.fortify.sca.LogMaxSize.

Property name: com.fortify.sca.Debug
Default value: false
Description: Produces a debug log file. This log file is for Technical Support purposes.

Property name: com.fortify.sca.PPSSilent
Default value: false
Description: Prompts the user with the number of lines the scan requires to analyze the source code. Set to true to suppress the prompt and automatically deduct the lines.
Note: If the scan requires more lines than are available, the scan fails with an error indicating how many additional lines are required.

Property name: com.fortify.sca.UnicodeInputFile
Default value: (none)
Description: When set to true, this property indicates that the input file is UTF-8 based and begins with a byte order mark (BOM). Typically, you should only set this property if you see a lexical error at Line 1, Column 1, indicating that the BOM is present.

Property name: com.fortify.rules.SkipRulePacks
Default value: (none)
Description: Semicolon-delimited list of rulepacks to exclude from the default set. This property controls which rulepacks are used by Fortify SCA by default. All rulepacks installed in <install_directory>/Core/config/rules are used by default unless they are on this list.

Property name: com.fortify.sca.limiters.MaxChainDepth
Default value: 5
Description: Controls the maximum call depth through which the dataflow analyzer tracks tainted data. Increasing this value increases the coverage of dataflow analysis, and results in longer analysis times. This property can be changed if you are using Quick Scan Mode; see the following table for the suggested value to use.
Note: In this case, call depth refers to the maximum call depth on a dataflow path between a taint source and sink, rather than call depth from the program entry point, such as main().

Property name: com.fortify.sca.limiters.MaxFieldDepth
Default value: 4
Description: Controls the maximum granularity of taint tracking through data structure member fields. This value is the number of nested fields through which taint will be tracked before the entire structure is considered tainted. Increasing this value improves the accuracy of analysis by reducing false positives, and normally increases analysis time.

Property name: com.fortify.sca.limiters.MaxPaths
Default value: 5
Description: Controls the maximum number of paths to report for a single dataflow vulnerability. Changing this value does not change the results that are found, only the number of dataflow paths displayed for an individual result.

Property name: com.fortify.sca.limiters.MaxIndirectResolutionsForCall
Default value: 128
Description: Controls the maximum number of virtual functions that are followed at a given call site.

Property name: com.fortify.sca.jspparserusesclasspath
Default value: false
Description: Allows the user to specify the classpath to the WebLogic parser. This is for WebLogic 9 and 10 only.

The following table describes the properties that can be used to tune default scanning performance. They have different defaults for Quick Scan mode, which can be adjusted by editing the fortify-sca-quickscan.properties file. If you want to use the recommended tuning parameters, you do not need to edit this file; however, you may find that you want to experiment with other settings to fine-tune your specific application. Remember that properties in this file are processed only if you specify the -quick option on the command line when invoking your scan.


Table 19: Performance Tuning Properties

Property name: com.fortify.sca.FilterSet
Values: Default value is not set. Quick Scan value: Targeted.
Description: When set to Targeted, this property runs rules only for the targeted filter set. Running only a subset of the defined rules allows the Fortify SCA scan to complete more quickly. This causes SCA to run only those rules that can cause issues identified in the named filter set, as defined by the default project template for your application. For more information about project templates, see the Audit Workbench User's Guide.

Property name: com.fortify.sca.FPRDisableSrcHtml
Values: Default value: false. Quick Scan value: true.
Description: When set to true, this property prevents the generation of marked-up source files. If you plan to upload FPRs that are generated as a result of a quick scan, you must set this property to false.

Property name: com.fortify.sca.limiters.ConstraintPredicateSize
Values: Default value: 50000. Quick Scan value: 10000.
Description: Skips calculations defined as very complex in the buffer analyzer to improve scanning time.

Property name: com.fortify.sca.limiters.BufferConfidenceInconclusiveOnTimeout
Values: Default value: true. Quick Scan value: false.
Description: Skips calculations defined as very complex in the buffer analyzer to improve scanning time.

Property name: com.fortify.sca.limiters.MaxChainDepth
Values: Default value: 5. Quick Scan value: 4.
Description: Controls the maximum call depth through which the dataflow analyzer tracks tainted data. Increasing this value increases the coverage of dataflow analysis, and results in longer analysis times.
Note: In this case, call depth refers to the maximum call depth on a dataflow path between a taint source and sink, rather than call depth from the program entry point, such as main().

Property name: com.fortify.sca.limiters.MaxTaintDefForVar
Values: Default value: 1000. Quick Scan value: 500.
Description: This property sets the complexity limit for dataflow precision backoff. Dataflow incrementally decreases precision of analysis for functions that exceed this complexity metric for a given precision level.

Property name: com.fortify.sca.limiters.MaxTaintDefForVarAbort
Values: Default value: 4000. Quick Scan value: 1000.
Description: This property sets a hard limit for function complexity. If the complexity of a function exceeds this limit at the lowest precision level, the analyzer will not analyze that function.

Property name: com.fortify.sca.DisableGlobals
Values: Default value: false. Quick Scan value: false.
Description: This property prevents the tracking of tainted data through global variables to allow faster scanning.

Property name: com.fortify.sca.CtrlflowSkipJSPs
Values: Default value: false. Quick Scan value: false.
Description: This property skips control flow analysis of JSPs in your project.

Property name: com.fortify.sca.NullPtrMaxFunctionTime
Values: Default value: 300000. Quick Scan value: 30000.
Description: This property sets a time limit, in milliseconds, for Null Pointer analysis for a single function. The default is five minutes. Setting it to a shorter limit decreases overall scanning time.

Property name: com.fortify.sca.CtrlflowMaxFunctionTime
Values: Default value: 600000. Quick Scan value: 30000.
Description: This property sets a time limit, in milliseconds, for control flow analysis for a single function. The default is 10 minutes.

Property name: com.fortify.sca.TrackPaths
Values: By default, this property is not set. Quick Scan value: NoJSP.
Description: This property disables path tracking for control flow analysis. Path tracking provides more detailed reporting for issues, but requires more scanning time. You can disable this for JSP only by setting it to NoJSP, or for all functions by setting it to None.

Property name: com.fortify.sca.JdkVersion
Values: Default value: 1.4.
Description: This property specifies the JDK version.

Appendix: Fortify SCA Memory Tuning

Fortify Source Code Analyzer can report OutOfMemory errors during a Fortify SCA scan. These errors are the result of Java heap exhaustion, Java permanent generation exhaustion, or native heap exhaustion. Use the following sections to identify these errors and resolve them:
- Java Heap Exhaustion
- Java Permanent Generation Exhaustion
- Native Heap Exhaustion

Java Heap Exhaustion

Java heap exhaustion is the most common type of memory problem that occurs during Fortify SCA scans. It happens when the Java virtual machine that Fortify SCA is using for a scan has been started with an insufficiently large value for the maximum heap size.

Error Message

You can identify a Java heap exhaustion by the following error messages, which Fortify SCA displays in the log file and command line output:

Listing 1: Java Heap Exhaustion Messages
    There is not enough memory available to complete analysis. For details on making more memory available, please consult the user manual.
    java.lang.OutOfMemoryError: Java heap space
    java.lang.OutOfMemoryError: GC overhead limit exceeded

Resolution

You can resolve a Java heap exhaustion problem by allocating more heap space to the virtual machine that Fortify SCA is using while starting the scan. By default, Fortify SCA runs with a maximum heap value of 600 MB. Increase this value by using the -Xmx command line argument when running a Fortify SCA scan. Before adjusting this parameter, determine the maximum allowable value for the Java heap space. This value depends on the following factors:
- Available physical memory
- Virtual address space limitations

Each of these can limit the amount of space that you can allocate to the Java heap for Fortify SCA. Use the lower of the two limiting values as the upper bound for the -Xmx argument. The following example will run a Fortify SCA scan with 1300 MB available for the Java heap:

Listing 2: Java Heap Exhaustion Example 1
    > sourceanalyzer -Xmx1300M

The following example will run a Fortify SCA scan with 1 GB available for the Java heap:

Listing 3: Java Heap Exhaustion Example 2
    > sourceanalyzer -Xmx1G

Physical Memory

Do not allow Fortify SCA to use more memory than is physically available in the environment. Doing so will lead to disk swapping and significantly degrade Fortify SCA performance.

To determine available physical memory, start by determining how much total physical memory (RAM) is installed on the system. Subtract from this value an allowance for the operating system (200M is a good guess, although it varies by OS). If the system will be dedicated to running SCA, you are done. If the system resources will be shared with other memory-intensive processes, an allowance should also be subtracted for those other processes. Note that other processes that are resident but not active while SCA is running can be swapped to disk by the operating system and do not need to be accounted for.

Virtual Address Space

By default, Fortify SCA runs as a 32-bit process. All 32-bit processes are subject to virtual address space limitations, the specifics of which depend on the underlying operating system.

You can run Fortify SCA in 64-bit mode on 64-bit capable hardware. In 64-bit mode, virtual address space limitations are not a factor and Java heap space is limited only by available physical memory. Although it is slightly more memory-efficient to run Fortify SCA in 32-bit mode, you should activate 64-bit mode if a large heap is required for a scan. Activate 64-bit mode by passing the -64 argument to Fortify SCA on the command line:

Listing 4: 64-bit Mode Argument
    > sourceanalyzer -64

In 32-bit mode the size of the Java heap is constrained by the amount of contiguous virtual address space that can be reserved. On modern Linux systems, this limit is usually near 3 GB. On Windows systems, address space fragmentation due to the way DLLs are loaded means the limit is typically between 1200 MB and 1600 MB. This value will vary among systems due to different DLLs being loaded into the Java process (virus scanning software is one example). If Fortify SCA does not start when given a large value for -Xmx, it might be because virtual address space limits have been exceeded. In this case, Fortify SCA will display an error on the command line similar to the following:

Listing 5: Java Heap Exhaustion Example
    Error occurred during initialization of VM
    Could not reserve enough space for object heap

Java Permanent Generation Exhaustion

Java maintains a separate memory region from the main heap which is called the permanent generation. In rare cases, this memory region gets filled up during a scan, causing an OutOfMemory error.

Error Message

You can identify permanent generation exhaustion by the following error message, which Fortify SCA displays in the log file and command line output:

Listing 6: Java Permanent Exhaustion Error Message
    java.lang.OutOfMemoryError: PermGen space

Resolution

Permanent generation exhaustion is resolved by increasing the maximum size of the permanent generation. You can tune the permanent generation size by passing the -XX:MaxPermSize argument to the Fortify SCA command line, as in the following example:

Listing 7: Java Permanent Exhaustion Error Message
    > sourceanalyzer -XX:MaxPermSize=128M

The default maximum value for the permanent generation is 64 MB. Note that the permanent generation is allocated as a separate memory region from the Java heap, so increasing the permanent generation will increase the overall memory requirements for the process. See the discussion of virtual address space and physical memory limitations in the previous section for determining overall limits.

Native Heap Exhaustion

Native heap exhaustion is a very rare scenario in which the Java virtual machine is able to allocate the Java memory regions on startup, but is left with so few resources (either virtual address space or physical memory) for its native operations (such as garbage collection) that it eventually encounters a fatal memory allocation failure that immediately terminates the process.

Error Message

You can identify native heap exhaustion by an abnormal termination of the Fortify SCA process, which Fortify SCA displays in the command line output:

Listing 8: Native Heap Exhaustion Error Messages
    # A fatal error has been detected by the Java Runtime Environment:
    #
    # java.lang.OutOfMemoryError: requested ... bytes for GrET ...

Because this is a fatal Java virtual machine error, it will usually be accompanied by an error log created in the working directory, named as follows: hs_err_pidNNN.log.

Resolution

The resolution to this type of problem is slightly counterintuitive. Because the problem is a result of overcrowding within the process, the resolution is to reduce the amount of memory used for the Java memory regions (Java heap and Java permanent generation). Reducing either of these values should reduce the crowding problem and enable the scan to be completed successfully.
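The following Python script is an added example (not code from the guide or from Fortify SCA) that ties this appendix together: it classifies the error signatures quoted in Listings 1, 5, 6 and 8 into the three exhaustion kinds (plus the address-space failure from Listing 5), maps each to the resolution the appendix gives, and derives an upper bound for -Xmx from the physical-memory and virtual-address-space rules in the Java Heap Exhaustion section. The log lines are constructed samples; the 200M operating-system allowance, the 3 GB Linux limit and the 1200 MB Windows figure are the guide's numbers, and using the conservative end of the Windows range is this example's choice.

```python
# Added example: classify Fortify SCA OutOfMemory signatures and size -Xmx
# from the guide's physical-memory and address-space guidance.
import re

# (kind, pattern), checked in order; the native-heap line also contains
# "OutOfMemoryError", so it is tested before the heap patterns.
SIGNATURES = [
    ("native", re.compile(r"OutOfMemoryError: requested .* bytes for")),
    ("permgen", re.compile(r"OutOfMemoryError: PermGen space")),
    ("heap", re.compile(r"OutOfMemoryError: (Java heap space|GC overhead limit exceeded)")),
    ("heap", re.compile(r"not enough memory available to complete analysis")),
    ("address_space", re.compile(r"Could not reserve enough space for object heap")),
]

# Resolution per kind, as the appendix describes it.
ADVICE = {
    "heap": "raise -Xmx, staying under the physical-memory and address-space limits",
    "permgen": "raise -XX:MaxPermSize (the default maximum is 64 MB)",
    "native": "lower -Xmx and/or -XX:MaxPermSize to leave room for native allocations",
    "address_space": "lower -Xmx, or run with -64 on 64-bit capable hardware",
}


def classify_log(log_text: str) -> list:
    """Return the exhaustion kind for each matching line, in log order."""
    kinds = []
    for line in log_text.splitlines():
        for kind, pattern in SIGNATURES:
            if pattern.search(line):
                kinds.append(kind)
                break
    return kinds


def max_heap_mb(ram_mb: int, bits: int = 32, os_name: str = "linux",
                other_procs_mb: int = 0, os_allowance_mb: int = 200) -> int:
    """Upper bound for -Xmx in MB: the lower of the physical and address-space limits.

    Physical limit: RAM minus the OS allowance (200M per the guide) minus other
    memory-intensive processes that stay active during the scan.
    Address-space limit (32-bit only): about 3 GB on modern Linux; 1200 MB is
    used for Windows as the conservative end of the guide's 1200-1600 MB range.
    """
    physical = ram_mb - os_allowance_mb - other_procs_mb
    if bits == 64:
        address = physical          # address space is not a factor in 64-bit mode
    elif os_name == "windows":
        address = 1200
    else:
        address = 3 * 1024
    return max(0, min(physical, address))


def jvm_args(heap_mb: int, permgen_mb: int = None, use_64bit: bool = False) -> list:
    """Build the sourceanalyzer memory arguments the appendix describes."""
    args = ["-Xmx%dM" % heap_mb]
    if permgen_mb:
        args.append("-XX:MaxPermSize=%dM" % permgen_mb)
    if use_64bit:
        args.append("-64")
    return args


# Constructed sample log modelled on the listings in this appendix.
SAMPLE_LOG = """\
There is not enough memory available to complete analysis.
java.lang.OutOfMemoryError: Java heap space
java.lang.OutOfMemoryError: PermGen space
# java.lang.OutOfMemoryError: requested 1048576 bytes for GrET in /constructed/path.cpp
Error occurred during initialization of VM
Could not reserve enough space for object heap
"""

if __name__ == "__main__":
    for kind in classify_log(SAMPLE_LOG):
        print(kind, "->", ADVICE[kind])
    # 32-bit Windows box with 4 GB RAM: the address-space limit, not RAM, decides.
    print(jvm_args(max_heap_mb(4096, bits=32, os_name="windows")))
```

On a 4 GB 32-bit Windows machine the physical limit (3896 MB) is irrelevant because the address-space limit caps -Xmx at 1200M; the same machine in 64-bit mode (-64) is bounded by physical memory only, which is the trade-off the Virtual Address Space section describes.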

Appendix: Acknowledgements

Fortify Software acknowledges the following:
- Java Run Time Environment

Java Run Time Environment

The Fortify Source Code Analyzer distribution CD-ROM media includes the Sun Java Run Time Environment (JRE). The following statements are included to comply with the terms of JRE distribution.

This product includes code licensed from RSA Security, Inc.

Some portions licensed from IBM are available at http://oss.software.ibm.com/icu4j/.

Index

Symbols
.NET command line options 38
@filename option 41

A
analysis command line options 36
analyzing
    .NET 11
    .NET 1.1 11
    .NET 2.0 11
    ASP.NET 1.1 12
    ColdFusion 21
    J2EE 8
    JSP files 8
    Visual Studio .NET 2003 11
    Visual Studio 2005 11
Ant task parameters 43
ASP.NET 1.1, analyzing 12

B
build scan options 18
build integration command line options 38
Build Monitor
    configuring 18
    example 19
    options 17
    overview 17
    results folder 18
    scan options 18
    starting 19
builds, monitoring 19

C
C and C++ command line examples 15
ColdFusion
    analyzing 21
    command line options 37
    command line syntax 21
command line examples
    .Net 11
    C and C++ 15
command line options
    .NET 38
    analysis 36
    build integration 38
    ColdFusion 37
    debug 41
    encoding 41
    help 41
    Java/J2EE 37
    other 41
    output 34
    runtime 40
    version 41
command line syntax
    ColdFusion 21
    Java 6, 21
configuring
    Build Monitor 18
    results folder 18
creating filter files 49

D
debug option 41

E
encoding option 41
example, Build Monitor 19

F
file specifiers 21, 41
filter files, creating 49
FindBugs, integrating with 10
Fortify SCA Properties 52

H
help option 41

I
integrating
    with FindBugs 10
    with Make 15

J
J2EE
    analyzing 8
    command line options 37
Java
    command line options 37
    command line syntax 6, 21
    file specifiers 21, 41
JSP files, analyzing 8

M
Make, integrating with 15
monitoring builds 17, 19

O
options, Build Monitor 17
output command line options 34
overview, Build Monitor 17

P
properties file 52

R
runtime command line options 40
runtime properties 52

S
scan, monitoring build 18
SQL notes 21, 22
starting Build Monitor 19

T
task parameters 43
touchless build adapter 15
translating
    Classic ASP 21
    JavaScript 21
    other languages 21
    PHP 21
    PLSQL 21
    SQL 21
    TSQL 21
    VB 6 21
    VBScript 21

V
version option 41
Visual Studio Fortify plug-in 11
