It seems that no matter how much support you get from the vendors of these complicated test tools, there may still be unanswered questions regarding overcoming certain errors. One of these is the notorious out-of-memory error produced by applications such as Fortify that run in a Java Virtual Machine (JVM).
We have found that, with Fortify, these memory errors can happen during any one of several operations. I will focus on the three places where I have seen memory issues: “translate”, when Fortify converts the targeted source code into a normalized syntax for recognition by the analysis engines; “scan”, the analysis of that normalized syntax; and “review”, opening and examining the results of the scan using Fortify’s Audit Workbench or one of the Integrated Development Environment (IDE) specific plugins.
The following are some tips which might help you to correct the errors. Keep in mind that these errors can be fatal to the outcome of the scan, or can even stop the results file from opening, making it impossible to review the results of your scan.
These four tips are listed in the order of minimal impact:
- Improve the ability to “review” larger result sets by removing the source code from the results file. Typically the source inside the results file is not needed, since you probably already have the source code at your disposal. This is a good practice in general: if you transmit or share the results, you are less likely to expose the source code.
FPRUtility -sourceArchive -extract -project -f
Or you can simply open the results file as a compressed file by renaming it to .zip and deleting the “src-archive” directory. This reduces the overall size of the file and in some instances may allow the file to load.
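The rename-to-.zip approach above can be scripted, which is handy when you have many results files to sanitize before sharing them. The following is an added example written for this post, not part of Fortify or FPRUtility: it treats the FPR as the ZIP container it is, copies every entry except those under “src-archive/” into a new file, and reports what was dropped. The sample FPR it builds is constructed for the demonstration (a placeholder results entry plus two fake source files), not a real scan result.

```python
"""Strip the embedded source archive from a Fortify FPR results file.

An FPR is a ZIP container; the scanned source lives under the
"src-archive/" directory inside it.  Everything else is copied through
unchanged, so the stripped file still opens for review but no longer
carries the source.  Added example, not Fortify's own tooling.
"""
import io
import zipfile

# Directory inside the FPR that holds the scanned source (named in the post).
SOURCE_DIR_PREFIX = "src-archive/"


def strip_source_archive(fpr_bytes):
    """Return (stripped FPR bytes, list of removed entry names)."""
    removed = []
    out_buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(fpr_bytes)) as src, \
            zipfile.ZipFile(out_buf, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename.startswith(SOURCE_DIR_PREFIX):
                removed.append(info.filename)
                continue
            # Re-use the original ZipInfo so timestamps and attributes survive.
            dst.writestr(info, src.read(info.filename))
    return out_buf.getvalue(), removed


def strip_source_archive_file(in_path, out_path):
    """File-based wrapper: read in_path, write the stripped FPR to out_path."""
    with open(in_path, "rb") as f:
        data = f.read()
    stripped, removed = strip_source_archive(data)
    with open(out_path, "wb") as f:
        f.write(stripped)
    return removed


def list_entries(fpr_bytes):
    """Entry names inside an FPR/ZIP, in archive order."""
    with zipfile.ZipFile(io.BytesIO(fpr_bytes)) as z:
        return z.namelist()


def build_sample_fpr():
    """Constructed stand-in for an FPR: one results entry plus two source files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("audit.fvdl", "<FVDL><!-- constructed placeholder --></FVDL>")
        z.writestr("src-archive/src/main/java/App.java", "class App {}")
        z.writestr("src-archive/src/main/java/Util.java", "class Util {}")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_fpr()
    stripped, removed = strip_source_archive(sample)
    print("removed:", removed)
    print("remaining entries:", list_entries(stripped))
    print("size before/after:", len(sample), len(stripped))
```

Run it against a real file with strip_source_archive_file("scan.fpr", "scan-nosrc.fpr"); keep the original somewhere access-controlled, since the stripped copy is the one safe to hand around.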
- Increase the default memory setting by adding the following line in the “core/config/fortify.properties” file.
Or launch Audit Workbench using “auditworkbench.cmd -Xmx10G”.
Adding the -Xmx switch to the command line also works if you are experiencing out-of-memory errors when performing translation or scanning using the source analyzer. Just remember to add the -64 switch as well for memory access beyond the 3.5GB limit of 32-bit memory addressing.
- Force Fortify to swap results data in and out of disk swap space. This may slow things down, but if you are using a Solid State Drive you may not notice. Do this by adding the following line to the “core/config/fortify.properties” file.
- Prevent the loading of analysis information. You may want to save this as a last resort, since it makes it more difficult to trace real issues without the analysis information provided by the data flow engine, but it really helps with memory problems. Do this by adding the following line to the “core/config/fortify.properties” file.
That is about it for this installment of tool tips. Stay tuned for more beneficial tools and tips.