
Quick and Easy Fortify Scans

Jul 19, 2017 12:27:00 PM | Phillip Seay

Over the years, I’ve occasionally run security scans on projects that were buildable using Maven or Ant. Those of you who do scans on strangers’ code know that encountering code that actually builds is uncommon. When asked to scan something, you’re usually provided with code that is missing dependencies, or is internally inconsistent, containing references that make no sense and seemingly couldn’t compile under any circumstances.

As it turns out, in those rare cases when you’re given code that actually does build, and builds using either of the two most common build utilities, you can piggyback a scan on top of that build process without ever having to muck around writing a custom ant or maven script.

Even though I’ve scanned with Fortify for years, I only learned about these shortcuts a year ago, and couldn’t find much on the web about it, even though it’s spelled out in Fortify’s documentation. Some practitioners may be unaware of this, so I thought I’d share.

If the application that you're reviewing builds successfully with ant, don’t bother writing an ant script to control your scan. Instead, translate the java files as follows:

ant -Dbuild.compiler=com.fortify.dev.ant.SCACompiler -Dsourceanalyzer.buildid=[your build id] -lib [Fortify Home]/Core/lib/sourceanalyzer.jar -Dsourceanalyzer.maxHeap=[some numeric value – I usually use at least 500]M

Once that's done, translate jsp, xml, properties, and js files, and anything else:

sourceanalyzer -b [your build id] -verbose -cp "**/*.jar;[path to your compiled classes, e.g., WebContent/WEB-INF/classes]" -source "[version of java source, e.g., 1.7]" "**/*.jsp" "**/*.xml" "**/*.js" "**/*.properties" "**/*.java"

Now scan the translated files and generate an fpr as output:

sourceanalyzer -b [your build id] -scan -f [your fpr name].fpr
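As an added example that is not part of the original post, here is a small shell wrapper around the three Ant-path commands above. It assumes FORTIFY_HOME points at the SCA install and that compiled classes live under WebContent/WEB-INF/classes (overridable via CLASSES_DIR); it also clears the build id with -clean before translating and picks the classpath separator for the platform, since the ";" in the command above is the Windows form.

```shell
#!/bin/sh
# Wrapper for the Ant-based flow above. Added example, not code from the
# original post. Assumes the project builds with plain `ant`, that
# FORTIFY_HOME is the SCA install directory, and that compiled classes are
# under WebContent/WEB-INF/classes unless CLASSES_DIR overrides it.
set -eu
# sourceanalyzer's -cp uses the platform path separator: ';' in Windows
# shells, ':' on macOS and Linux. The post's example shows the Windows form.
cp_separator() {
  case "$(uname -s)" in
    CYGWIN*|MINGW*|MSYS*) printf ';' ;;
    *)                    printf ':' ;;
  esac
}

# Each step is built as a command string so it can be logged or reviewed
# before anything runs.  Args: build_id fortify_home max_heap_mb
ant_translate_cmd() {
  printf 'ant -Dbuild.compiler=com.fortify.dev.ant.SCACompiler -Dsourceanalyzer.buildid=%s -lib "%s/Core/lib/sourceanalyzer.jar" -Dsourceanalyzer.maxHeap=%sM' \
    "$1" "$2" "$3"
}
# Args: build_id classes_dir source_version
sa_translate_cmd() {
  printf 'sourceanalyzer -b %s -verbose -cp "**/*.jar%s%s" -source "%s" "**/*.jsp" "**/*.xml" "**/*.js" "**/*.properties"' \
    "$1" "$(cp_separator)" "$2" "$3"
}
# Args: build_id fpr_name
sa_scan_cmd() {
  printf 'sourceanalyzer -b %s -scan -f "%s.fpr"' "$1" "$2"
}
# Full flow: check the SCA jar exists, drop any stale translation stored
# under this build id (-clean), translate via Ant, translate the non-Java
# files, then scan. set -e aborts the run at the first failing step.
run_fortify_scan() {
  build_id="$1"; fortify_home="$2"
  [ -f "$fortify_home/Core/lib/sourceanalyzer.jar" ] || {
    echo "sourceanalyzer.jar not found under $fortify_home" >&2; return 1; }
  sourceanalyzer -b "$build_id" -clean
  eval "$(ant_translate_cmd "$build_id" "$fortify_home" "${MAX_HEAP_MB:-500}")"
  eval "$(sa_translate_cmd "$build_id" "${CLASSES_DIR:-WebContent/WEB-INF/classes}" "${SOURCE_VERSION:-1.7}")"
  eval "$(sa_scan_cmd "$build_id" "$build_id")"
}

# Runs only when a build id is supplied, e.g.
#   FORTIFY_HOME=/Applications/HP_Fortify/HP_Fortify_SCA_and_Apps_4.30 \
#   FORTIFY_BUILD_ID=myapp-2017-07 sh fortify-ant-scan.sh
if [ -n "${FORTIFY_BUILD_ID:-}" ]; then
  run_fortify_scan "$FORTIFY_BUILD_ID" "${FORTIFY_HOME:?set FORTIFY_HOME to the SCA install directory}"
fi
```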

If your project builds successfully using Maven, you’ll do something similar, but note that in order for this to work, you first have to install the Fortify maven plugin. Note that this plugin installation needs to be done only once:

Install the Maven plugin:

To install the Fortify Maven plugin so that Fortify SCA can run as part of a Maven build, do the following:

  1. In a command prompt, cd into [Fortify Home]\Samples\advanced\maven-plugin. For a 64-bit Fortify 4.30 installation on Windows, Fortify Home will be C:\Program Files\HP_Fortify\HP_Fortify_SCA_and_Apps_4.30; on a Mac, /Applications/HP_Fortify/HP_Fortify_SCA_and_Apps_4.30.
  2. Execute mvn clean package install. This compiles the maven-plugin and installs it into your local Maven repository.

Once that's done, cd into your project folder (wherever the project’s pom.xml is located) and execute the following three commands, which clean any previous work, translate the files, and run your scan, respectively:

mvn clean

mvn install -Dmaven.test.skip=true -Dfortify.sca.source.version=[the java version of your project, e.g., 1.6, 1.7, etc.] -Dfortify.sca.buildId=[your build id] -Dfortify.sca.Logfile=[optional logfile] com.fortify.ps.maven.plugin:sca-maven-plugin:translate

sourceanalyzer -b [your build id] -scan -f [your fpr name].fpr

Successfully scanning a complicated software build can be difficult, and often adds time and expense to a project. Leveraging the build system already in use by the developers is often the most direct route to success. There is no need to reinvent the wheel. Your time is better spent analyzing the code!


