HP Fortify Static Code Analyzer
Software Version 4.30
User Guide
Document Release Date: April 2015
Software Release Date: April 2015
Legal Notices
Warranty
The only warranties for HP products and services are set forth in the express warranty statements
accompanying such products and services. Nothing herein should be construed as constituting an additional
warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
The information contained herein is subject to change without notice.
Restricted Rights Legend
Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with
FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical
Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.
Copyright Notice
© Copyright 2003-2015 Hewlett-Packard Development Company, L.P.
Documentation Updates
The title page of this document contains the following identifying information:
• Software Version number
• Document Release Date, which changes each time the document is updated
• Software Release Date, which indicates the release date of this version of the software
To check for recent updates or to verify that you are using the most recent edition of a document, go to:
https://protect724.hp.com
You will also receive updated or new editions if you subscribe to the appropriate product support service. Contact
your HP sales representative for details.
Part Number: 1-16b3-2015-04-430-02
Preface
Contacting HP Fortify Support
If you have questions or comments about using this product, contact HP Fortify Technical Support using one of
the following options.
To Manage Your Support Cases, Acquire Licenses, and Manage Your Account
https://support.fortify.com
To Email Support
FortifyTechSupport@hp.com
To Call Support
650.735.2215
For More Information
For more information on HP Enterprise Security Software products: http://www.hpenterprisesecurity.com
About the HP Fortify Software Security Center Documentation Set
The HP Fortify Software Security Center documentation set contains installation, user, and deployment guides
for all HP Fortify Software Security Center products and components. In addition, you will find technical notes
and release notes that describe new features, known issues, and last-minute updates. You can access the latest
versions of these documents from the HP ESP user community Protect724 website
(https://protect724.hp.com/welcome). You will need to register for an account.
Change Log
The following table tracks changes made to this guide.

Software Release-version   Date         Change
4.30-01                    3/12/2014    Updated: Appendix I: Configuration Properties
                                        Updated: Python information
                                        Updated: Translating .NET chapter with support for Visual Studio 2014
                                        Updated: iOS scanning information in Translating Code for Mobile Platforms chapter
                                        Added: Section on Java Bytecode in the Translating Java chapter
4.21-02                    10/8/2014    Removed: Build Monitor (deprecated)
4.21-01                    11/20/2014   Added: Translating Ruby chapter
                                        Updated: Translating ABAP
4.10-01                    3/22/2014    Updated: iOS section
Contents
Preface  iii
  Contacting HP Fortify Support  iii
  For More Information  iii
  About the HP Fortify Software Security Center Documentation Set  iii
Change Log  iv
Chapter 1: Introduction  10
  About the Intended Audience  10
  About the HP Fortify Software Security Center Components  10
  Related Documents  11
Chapter 2: HP Fortify Static Code Analyzer  12
  About HP Fortify Static Code Analyzer  12
    About Parallel Analysis  12
    About Analyzers  12
    About the Analysis Process  13
    About Analysis Commands  14
    About Memory Considerations  14
    About the Translation Phase  14
    About the Analysis Phase  15
    About Verification of the Translation and Analysis Phase  15
    About the HP Fortify Scan Wizard  16
    About HP Fortify CloudScan  16
Chapter 3: Translating Java Code  17
  About Java Command Line Syntax  17
  About Java Command Line Examples  17
  Integrating with Ant using the HP Fortify Ant Compiler Adapter  18
  Handling Resolution Warnings  18
    Java Warnings  19
  Using FindBugs  19
  Translating J2EE Applications  20
    Prerequisite for Translating Code Using Legacy Versions of the J2EE SDK  20
    Translating the Java Files  20
    Translating JSP Projects, Configuration Files, and Deployment Descriptors  20
    Translating Java Byte Code  21
    J2EE Warnings  21
Chapter 4: Translating .NET Source Code  22
  About the Visual Studio Command Prompt  22
  About Visual Studio .NET  22
  Translating Simple .NET Applications  23
  Translating ASP.NET 1.1 (Visual Studio Version 2003) Projects  24
  Handling Resolution Warnings  25
    About .NET Warnings  25
    About ASP.NET Warnings  25
Chapter 5: Translating C/C++ Code  26
  About C and C++ Command Line Syntax  26
    C and C++ Command Line Examples  26
  About Integrating with Make  26
    Using the HP Fortify Touchless Build Adapter  26
    Modifying a Makefile to Invoke SCA  27
  About Command Line Builds in Visual Studio .NET  27
  About Command Line Builds in Visual Studio 6.0  27
  Scanning Pre-processed C/C++ Code  27
Chapter 6: Translating ABAP/4  28
  About Translating ABAP/4 Code  28
  About Scanning ABAP Code  28
    About INCLUDE Processing  28
  Overview of the Process  28
  About the Transport Request  29
  Add Fortify SCA to Your Favorites List (Optional)  29
  Running the HP Fortify ABAP Extractor  31
Chapter 7: Translating Ruby Code  33
  About Ruby Command Line Syntax  33
    Adding Libraries  33
    Adding Multiple Library Paths  33
    Adding Gem Paths  33
Chapter 8: Translating Flex  35
  About the Command-Line Options  35
  About ActionScript Command Line Syntax  35
  ActionScript Command Line Examples  36
  About Handling Resolution Warnings  36
    About ActionScript Warnings  36
Chapter 9: Translating Code for Mobile Platforms  37
  About Translating Objective-C Code  37
    Prerequisites  37
    About Objective-C Command Line Syntax  37
    Objective-C Command Line Example  37
    Xcode Compiler Errors  37
  About Translating Google Android Code  38
    Migration Issues  38
Chapter 10: Translating Other Languages  39
  About Command Line Syntax for Other Languages  39
  Configuration Considerations  40
    Configuring Python  40
    Configuring ColdFusion  40
    Configuring the SQL Extension  41
    Configuring ASP/VBScript Virtual Roots  41
    Other Language Command Line Examples  42
    Translating PL/SQL Example  42
    Translating T-SQL Example  42
    Translating PHP Example  43
    Translating Classic ASP written with VBScript Example  43
    Translating JavaScript Example  43
    Translating VBScript File Example  43
  Translating COBOL Code  43
    Supported Technologies  43
    Preparing COBOL Source Files for Translation  43
    About COBOL Command Line Syntax  44
    About Auditing COBOL Scans  44
Chapter 11: Troubleshooting and Support  45
  Using the Log File to Debug Problems  45
  About the Translation Failed Message  45
  About JSP Translation Problems  45
  About ASPX Translation Problems  46
  About C/C++ Precompiled Header Files  46
  About Reporting Bugs and Requesting Enhancements  46
Appendix A: Command Line Interface  48
    Output Options  48
    Analysis Options  49
    Python Option  50
    ColdFusion Options  50
    Java/J2EE Options  51
    .NET Options  51
    Build Integration Options  52
    Directives  52
    Runtime Options  53
    Other Options  54
  Specifying Files  54
Appendix B: Parallel Analysis Mode  55
  About Parallel Analysis Mode  55
  Hardware Requirements  55
  Configuring Parallel Analysis Mode  55
  Running in Parallel Analysis Mode  56
Appendix C: Using the sourceanalyzer Ant Task  57
  About the sourceanalyzer Ant Task  57
  Using the Ant Sourceanalyzer Task  57
  Ant properties  58
  Sourceanalyzer Task Options  59
Appendix D: Advanced Options  63
  About Filter Files  63
    Filter File Creation Example  63
    Using Properties to Control Runtime Options  65
    Specifying the Order of Properties  65
Appendix E: MSBuild Integration  72
  About MSBuild Integration  72
  Installation  72
  Setting Windows Environment Variables for Touchless Integration of SCA  72
  Adding Custom Tasks to your MSBuild Project  73
  Adding Custom Tasks to Your Project  74
    Adding Fortify.Translate Task  74
    Adding Fortify.Scan Task  75
    Adding Fortify.Clean Task  75
    Adding Fortify.SSC Task  75
    Adding Fortify.CloudScan Task  76
Appendix F: Maven Integration  77
  About the Maven Plugin  77
  Installing the Maven Plugin  77
  Updating the Maven Plugin  78
    Editing the Plugin Source Files  78
    Testing the Plugin  79
  Using the Maven Plugin  79
  Excluding Files from the Scan  80
  Uninstalling the Maven Plugin  81
  Additional Documentation  81
Appendix G: Sample Files  82
  About the Sample Files  82
    Basic Samples  82
    Advanced Samples  83
Appendix H: Issue Tuning  85
  About Issue Tuning  85
    About Wrapper Detection  85
  About Interprocedural Constant Propagation  86
    About Selective Map Operation Tracking  87
Appendix I: Configuration Properties  88
  fortify.properties  88
  fortify-sca.properties  93
Chapter 1: Introduction
This document provides instructions for using HP Fortify Static Code Analyzer.
About the Intended Audience
This guide is intended for people responsible for security audits and secure coding. HP Fortify Static Code
Analyzer provides a suite of analyzers and application components. This guide provides instructions on
scanning code on most of the major programming platforms.
About the HP Fortify Software Security Center Components
HP Fortify Static Code Analyzer is a component of an HP Fortify Software Security Center installation. The
installation consists of one or more of the following analyzers:
• HP Fortify Static Code Analyzer: Analyzes your build code according to a set of rules specifically tailored to
  provide the information necessary for the type of analysis performed.
• HP Fortify Runtime Application Protection: Monitors and protects deployed applications from common
  attacks, unintended use, and targeted hacking. In addition, best security practices, such as input verification
  and proper exception handling, can be consistently applied to deployed applications.
• HP Fortify SecurityScope: Identifies vulnerabilities in pre-deployment applications during the QA phase,
  preventing exposure to security flaws before they are exploited.
An HP Fortify Software Security Center installation may also include one or more of the following application
tools:
• HP Fortify Audit Workbench: Provides a graphical user interface for HP Fortify Static Code Analyzer that
  helps you organize, investigate, and prioritize analysis results so that security flaws can be fixed quickly.
• HP Fortify Plugin for Eclipse: Integrates with the Eclipse development environment and adds the ability to
  scan and analyze the entire code base of a project and apply hundreds of software security rules that identify
  the vulnerabilities in your Java code. The results are displayed within the IDE, along with descriptions of
  each of the security issues and suggestions for their elimination.
• HP Fortify Eclipse Remediation Plug-in: Integrates with the Eclipse development environment. The Eclipse
  Remediation Plug-in is a lightweight plug-in option for developers who need remediation functionality but
  do not need the scanning and auditing capabilities of Audit Workbench or the full Eclipse Plugin.
• HP Fortify Package for Microsoft Visual Studio: Integrates with Visual Studio Premium and Visual Studio
  Professional to locate security vulnerabilities in your solutions and packages and displays the scan results in
  Visual Studio. The results include a list of issues uncovered, descriptions of the type of vulnerability each
  issue represents, and suggestions on how to fix them.
• HP Fortify Remediation Package for Visual Studio: Integrates with the Microsoft Visual Studio Premium and
  Visual Studio Professional integrated development environments (IDEs). The HP Fortify Remediation
  Package for Visual Studio is a lightweight plug-in option for developers who need remediation functionality
  but do not need the scanning and auditing capabilities of Audit Workbench or the full Visual Studio package.
• HP Fortify Extension for JDeveloper: Integrates with the JDeveloper integrated development environment
  (IDE) and adds the ability to scan and analyze the entire code base of a project and apply hundreds of
  software security rules that identify the vulnerabilities in your code.
• HP Fortify Remediation Plugin for IntelliJ: Integrates with the IntelliJ integrated development environment
  (IDE) and adds the ability to scan and analyze the entire code base of a project and apply hundreds of
  software security rules that identify the vulnerabilities in your code.
Related Documents
The following documents provide additional information about HP Fortify Static Code Analyzer:
• HP Fortify Static Code Analyzer Performance Guide
  This document describes the issues involved in selecting hardware to scan particular code bases, provides
  guidelines for making those decisions, and offers tips for optimizing memory usage and performance.
• HP Fortify Static Code Analyzer User Guide
  This document provides instructions on using the analyzers to identify vulnerabilities in your code.
• HP Fortify Static Code Analyzer Utilities User Guide
  This document provides information on the command-line tools that provide additional management of, and
  access to, the functions provided by SCA.
Chapter 2: HP Fortify Static Code Analyzer
This chapter covers the following topics:
• About HP Fortify Static Code Analyzer
• About Analyzers
• About the Analysis Process
About HP Fortify Static Code Analyzer
HP Fortify Static Code Analyzer (SCA) is a set of software security analyzers that search for violations of
security-specific coding rules and guidelines in a variety of languages. The rich data provided by SCA language
technology enables the analyzers to pinpoint and prioritize violations so that fixes can be fast and accurate. The
analysis information produced by SCA helps you deliver more secure software, as well as making security code
reviews more efficient, consistent, and complete. This is especially advantageous when large code bases are
involved. The modular architecture of SCA allows you to quickly add new third-party and customer-specific
security rules.
At the highest level, using SCA involves:
1. Choosing to run SCA as a stand-alone process or integrating SCA as part of the build tool
2. Translating the source code into an intermediate translated format
3. Scanning the translated code and producing security vulnerability reports
4. Auditing the results of the scan, either by transferring the resulting FPR file to HP Fortify Audit Workbench
   or HP Fortify Software Security Center for analysis, or directly with the results displayed on screen
Note: For information on transferring results to HP Fortify Audit Workbench and creating customer-specific
security rules, see the HP Fortify Audit Workbench User's Guide.
About Parallel Analysis
Beginning with version 4.00, SCA supports parallel processing for large projects. If your project scan takes
longer than an hour or two to complete, you can dramatically decrease the time necessary to complete the scan
by enabling parallel processing. Parallel processing allows you to take advantage of multiple CPUs and cores
within a single machine, together with automatic memory tuning.
For information on enabling parallel analysis for your projects, see Appendix B: Parallel Analysis Mode.
About Analyzers
SCA comprises six distinct analyzers: Dataflow, Controlflow, Semantic, Structural, Configuration, and Buffer.
Each analyzer accepts a different type of rule specifically tailored to provide the information necessary for the
corresponding type of analysis performed. Rules are definitions that identify elements in the source code that
may result in security vulnerabilities or are otherwise unsafe.
Rules are organized according to the analyzer that uses them, resulting in rules that are specific to the Dataflow,
Controlflow, Semantic, Structural, and Configuration analyzers. These rule categories are further divided to
reflect the category of the issue or type of information represented by the rule.
The installation process downloads and updates the set of rules used by SCA on your system. HP updates the
specific rules contained within the HP Fortify Secure Coding Rulepacks on a regular basis. The Customer Portal
offers updated Rulepacks.
The following table lists and describes each SCA analyzer.
Table 1: HP Fortify Static Code Analyzer analyzers

Analyzer        Description
Dataflow        The Dataflow Analyzer detects potential vulnerabilities that involve tainted data
                (user-controlled input) put to potentially dangerous use. The Dataflow Analyzer uses
                global, inter-procedural taint propagation analysis to detect the flow of data between a
                source (site of user input) and a sink (dangerous function call or operation). For
                example, the Dataflow Analyzer detects whether a user-controlled input string of
                unbounded length is being copied into a statically sized buffer, and detects whether a
                user-controlled string is being used to construct SQL query text.
Controlflow     The Controlflow Analyzer detects potentially dangerous sequences of operations. By
                analyzing control flow paths in a program, the Controlflow Analyzer determines whether
                a set of operations are executed in a certain order. For example, the Controlflow
                Analyzer detects time-of-check/time-of-use issues and uninitialized variables, and
                checks whether utilities, such as XML readers, are configured properly before being
                used.
Semantic        The Semantic Analyzer detects potentially dangerous uses of functions and APIs at the
                intra-procedural level. Its specialized logic searches for buffer overflow, format string,
                and execution path issues, but is not limited to these categories. A call to any
                potentially dangerous function can be flagged by the Semantic Analyzer. For example,
                the Semantic Analyzer detects deprecated functions in Java and unsafe functions in
                C/C++, such as gets().
Structural      The Structural Analyzer detects potentially dangerous flaws in the structure or
                definition of the program. By understanding the way programs are structured, the
                Structural Analyzer identifies violations of secure programming practices and techniques
                that are often difficult to detect through inspection because they encompass a wide
                scope involving both the declaration and use of variables and functions. For example,
                the Structural Analyzer detects assignment to member variables in Java servlets,
                identifies the use of loggers that are not declared static final, and flags instances of
                dead code that will never be executed because of a predicate that is always false.
Configuration   The Configuration Analyzer searches for mistakes, weaknesses, and policy violations in
                an application's deployment configuration files. For example, the Configuration Analyzer
                checks for reasonable timeouts in user sessions in a web application.
Buffer          The Buffer Analyzer detects buffer overflow vulnerabilities that involve writing or
                reading more data than a buffer can hold. The buffer can be either stack-allocated or
                heap-allocated. The Buffer Analyzer uses limited inter-procedural analysis to determine
                whether or not there is a condition that causes the buffer to overflow. If all execution
                paths to a buffer lead to a buffer overflow, SCA reports it as a buffer overflow
                vulnerability and points out the variables that could cause the overflow. If some, but
                not all, execution paths to a buffer lead to a buffer overflow and the value of the
                variable causing the buffer overflow is tainted (user-controlled), then SCA will report
                it as well and display the dataflow trace to show how the variable is tainted.
About the Analysis Process
There are four distinct stages that make up the SCA source code analysis process:
• Build Integration: The first stage in the process involves deciding whether to integrate SCA into the build
  compiler system.
• Translation: Next, source code is gathered using a series of commands and then it is translated into an
  intermediate format associated with a build ID. The build ID is usually the name of the project being
  scanned.
• Analysis: Source files identified during the translation phase are scanned and an analysis results file, typically
  in the HP Fortify project (FPR) format, is generated. FPR files are indicated by the .fpr file extension.
• Verification of the translation and analysis: Ensure that the source files were scanned using the correct
  Rulepacks and that no significant errors were reported.
About Analysis Commands
The following is an example of the sequence of commands you use to analyze code:
  sourceanalyzer -b <build_id> -clean
  sourceanalyzer -b <build_id> ...
  sourceanalyzer -b <build_id> -scan -f results.fpr
To analyze more than one build at a time, add the additional builds as parameters:
  sourceanalyzer -b <build_id1> -b <build_id2> -b <build_id3> -scan -f results.fpr
About Memory Considerations
When running SCA, the amount of physical RAM required depends on a number of factors. These factors,
which include the size and complexity of the source files, make it impossible to quantify and provide general
guidance; each customer situation is unique. If you do encounter a low memory error, increasing the amount of
memory available to SCA may resolve the problem.
By default, SCA uses up to 600 MB of memory. If this is not sufficient to analyze a particular code base, you
might have to provide more memory in the scan phase. This can be done by passing the -Xmx option to the
sourceanalyzer command.
For example, to make 1000 MB available to SCA, include the option -Xmx1000M.
You can also use the SCA_VM_OPTS environment variable to set the memory allocation.
Note: Do not allocate more memory for SCA than the machine has available, because this will degrade
performance. As a guideline, assuming that no other memory-intensive processes are running, do not allocate
more than 2/3 of the available physical memory.
About the Translation Phase
The basic command line syntax for performing the first analysis phase, translating the files, is:
  sourceanalyzer -b <build_id> ...
The translation phase consists of one or more invocations of SCA using the sourceanalyzer command. A build
ID (-b <build_id>) is used to tie together the invocations.
Subsequent invocations of sourceanalyzer add any newly specified source or configuration files to the file list
associated with the build ID.
At the end of translation, you can use -show-build-warnings to list all warnings and errors that were
encountered during the translation process:
  sourceanalyzer -b <build_id> -show-build-warnings
Chapter 2: HP Fortify Static Code Analyzer
14
To view all of the files associated with a particular build ID, use the -show-files directive:
sourceanalyzer -b <build_id> -show-files
The following chapters describe how to translate different types of source code:
• Translating Java Code
• Translating .NET Source Code
• Translating C/C++ Code
• Translating ABAP/4
• Translating Ruby
• Translating Flex
• Translating Code for Mobile Platforms
• Translating Other Languages
About SCA Mobile Build Sessions
An SCA mobile build session allows a project to be translated on one machine and analyzed on another. When you create an SCA mobile build session, a .mbs file that includes the files needed for the analysis phase is created in the build session directory. The .mbs file is then moved to a different machine for analysis. Because the .mbs file contains everything the analysis phase needs, handle it with the same care as the source tree it was built from.
Creating a Mobile Build Session
On the machine where the translation was done, issue the following command to generate an SCA mobile build session:
sourceanalyzer -b <build_id> -export-build-session <file.mbs>
where <file.mbs> is the file name you assign for the SCA mobile build session.
Importing a Mobile Build Session
Once you have moved the .mbs file to the machine where you want to run the analysis, issue the following command:
sourceanalyzer -import-build-session <file.mbs>
where <file.mbs> is the SCA mobile build session.
Once you have imported your SCA mobile build session, you are ready to move on to the analysis phase.
About the Analysis Phase
This topic describes the syntax for the analysis phase: scanning the intermediate files created during the translation and creating the analysis results file. The phase consists of one invocation of sourceanalyzer. You specify the build ID and include the -scan directive and any required analysis or output options.
Note: By default, SCA includes the source code in the FPR. Apply the same access controls to the FPR as to the source code itself.
The basic command line syntax for the analysis phase is:
sourceanalyzer -b <build_id> -scan -f results.fpr
To run an analysis on more than one build at a time, add the additional builds to the command line:
sourceanalyzer -b <build_id1> -b <build_id2> -b <build_id3> -scan -f results.fpr
To run a silent analysis on more than one build at a time, add the additional builds to the command line:
sourceanalyzer -b <build_id1> -b <build_id2> -b <build_id3> -auth-silent -scan -f results.fpr
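The sequence described under About Analysis Commands, About the Translation Phase and this section fits in one script. The following is an added example, not code from the HP Fortify guide: it runs clean, translate, -show-build-warnings and -scan under one build ID, and when SCA_DRY_RUN is set (a variable invented for this example) it prints the commands instead of executing them, so the sequence can be reviewed on a machine without sourceanalyzer installed. The function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the HP Fortify guide): the clean / translate /
# check-warnings / scan sequence as one function. With SCA_DRY_RUN set the
# commands are printed instead of executed.

# Execute a command, or print it when SCA_DRY_RUN is non-empty.
run() {
    if [ -n "${SCA_DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# One complete analysis for a single build ID.
# $1 = build ID, $2 = output FPR, remaining args = translation inputs
# (file specifiers such as "src/**/*.java" or a compiler command line).
sca_pipeline() {
    build_id=$1; fpr=$2; shift 2
    # 1. Start from an empty build session so files translated under this
    #    build ID by an earlier run cannot leak into this scan.
    run sourceanalyzer -b "$build_id" -clean
    # 2. Translate. The build ID ties this invocation to the scan below.
    run sourceanalyzer -b "$build_id" "$@"
    # 3. Show resolution warnings before scanning: every unresolved type or
    #    function is a call site whose data flow the scan will not follow.
    run sourceanalyzer -b "$build_id" -show-build-warnings
    # 4. Scan the translated files into an FPR.
    run sourceanalyzer -b "$build_id" -scan -f "$fpr"
}

# Number of sourceanalyzer invocations a dry run of the pipeline issues.
pipeline_step_count() {
    ( SCA_DRY_RUN=1; sca_pipeline "$@" ) | grep -c '^sourceanalyzer '
}

# Usage (dry run): review the commands for a Java project.
( SCA_DRY_RUN=1; sca_pipeline MyProject results.fpr -cp "lib/*.jar" "src/**/*.java" )
```

Drop the subshell around the usage line to run the real pipeline. The file specifiers are quoted so that the shell hands them to SCA unexpanded.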
About Verification of the Translation and Analysis Phase
The Result Certification feature of Audit Workbench verifies that the analysis is complete. Result certification shows specific information about the code scanned by SCA, including:
• List of files scanned, with file sizes and timestamps
• Java CLASSPATH used for the translation
• List of Rulepacks used for the analysis
• List of SCA runtime settings and command line arguments
• List of errors or warnings encountered during translation or analysis
• Machine/platform information
To view result certification information, open the FPR file in Audit Workbench and select Tools > Project Summary > Certification.
About the HP Fortify Scan Wizard
HP Fortify Scan Wizard is a utility that allows you to quickly and easily prepare and scan project code using SCA. The Scan Wizard allows you to run your scans locally or, if you are using HP Fortify CloudScan, in a cloud of computers provisioned for taking care of the processor-intensive scanning phase of the analysis. For more information, see Appendix G: HP Fortify Scan Wizard on page 82.
About HP Fortify CloudScan
With HP Fortify CloudScan (CloudScan), users of HP Fortify Static Code Analyzer can better manage their resources by offloading the processor-intensive scanning phase of the analysis from their build machines to a cloud of machines provisioned for this purpose.
After the translation phase is completed on the build machine, an SCA mobile build session is generated and CloudScan moves it to an available machine for scanning. In addition to freeing up the build machines, this process makes it easy to grow the system by adding more resources to the cloud as needed, without having to interrupt your build process.
In addition, users of Software Security Center can direct CloudScan to output the FPR file directly to the server.
For more information on HP Fortify CloudScan, see the HP Fortify CloudScan Installation, Configuration, and Usage Guide.
Chapter 3: Translating Java Code
This chapter covers the following topics:
• About Java Command Line Syntax
• About Java Command Line Examples
• Integrating with Ant using the HP Fortify Ant Compiler Adapter
• Handling Resolution Warnings
• Using FindBugs
• Translating J2EE Applications
• Translating Java ByteCode
About Java Command Line Syntax
The basic command line syntax for Java is:
sourceanalyzer -b <build_id> -cp <classpath> <file_list>
With Java code, SCA can either emulate the compiler, which may be convenient for build integration, or accept source files directly, which is more convenient for command line scans.
Note: For a description of all the options you can use with the sourceanalyzer command, see Command Line Interface on page 48.
To tell SCA to emulate the compiler, enter:
sourceanalyzer -b <build_id> javac [<translation options>]
To pass files directly to SCA, enter:
sourceanalyzer -b <build_id> -cp <classpath> [<translation options>] <files>|<file specifiers>
where:
<translation options> are options passed to the compiler.
-cp <classpath> specifies the CLASSPATH to be used for the Java source code. A CLASSPATH is a list of build directories and jar files. The format is the same as expected by javac (colon- or semicolon-separated list of paths). You can use SCA file specifiers, for example:
-cp "build/classes:lib/*.jar"
Quote specifiers that contain * so that the shell passes them to SCA unexpanded.
Note: If you do not specify the classpath with this option, the CLASSPATH environment variable is used.
For more information, see Java/J2EE Options on page 51. For information about file specifiers, see Specifying Files on page 54.
About Java Command Line Examples
To translate a single file named MyServlet.java with j2ee.jar on the CLASSPATH, enter:
sourceanalyzer -b MyServlet -cp lib/j2ee.jar MyServlet.java
To translate all .java files in the src directory using all jar files in the lib directory as a CLASSPATH:
sourceanalyzer -b MyProject -cp "lib/*.jar" "src/**/*.java"
To translate and compile the MyCode.java file while using the javac compiler:
sourceanalyzer -b mybuild javac -classpath libs.jar MyCode.java
Integrating with Ant using the HP Fortify Ant Compiler Adapter
SCA provides an Ant Compiler Adapter that you can use as an easy way to translate Java source files if your project uses an Ant build file. This integration requires setting only two Ant properties, and can be done on the command line without modifying the Ant build.xml file. When the build runs, SCA intercepts all javac task invocations and translates the Java source files as they are compiled. Note that any JSP files, configuration files, or any other non-Java source files that are part of the application need to be translated in a separate step.
The following steps must be taken to use the Compiler Adapter:
• The sourceanalyzer executable must be on the system PATH.
• sourceanalyzer.jar (located in Core/lib) must be on Ant's classpath.
• The build.compiler property must be set to com.fortify.dev.ant.SCACompiler.
• The sourceanalyzer.buildid property must be set to the build ID.
The following example shows how to run an Ant build using the Compiler Adapter without modifying the build file:
ant -Dbuild.compiler=com.fortify.dev.ant.SCACompiler \
    -Dsourceanalyzer.buildid=MyBuild \
    -lib <install_dir>/Core/lib/sourceanalyzer.jar
The -lib option is only available in Ant version 1.6 or higher. In older versions you must set the CLASSPATH environment variable or copy sourceanalyzer.jar to Ant's lib directory.
Alternatively, with Ant 1.6 or newer, the following shorthand can be used to run Ant with the compiler adapter:
sourceanalyzer -b <build_id> ant [ant-options]
By default, 600 MB of memory is allocated to SCA for translation. Increase the memory allocation when using the Ant Compiler Adapter with the -Dsourceanalyzer.maxHeap option, as follows:
ant -Dbuild.compiler=com.fortify.dev.ant.SCACompiler \
    -Dsourceanalyzer.buildid=MyBuild \
    -lib <install_directory>/Core/lib/sourceanalyzer.jar \
    -Dsourceanalyzer.maxHeap=1000M
Handling Resolution Warnings
To see all warnings that were generated during your build, enter the following command before you start the scan phase:
sourceanalyzer -b <build_id> -show-build-warnings
Java Warnings
You may see the following warnings for Java:
Unable to resolve type...
Unable to resolve function...
Unable to resolve field...
Unable to locate import...
Unable to resolve symbol...
Multiple definitions found for function...
Multiple definitions found for class...
These warnings are typically caused by missing resources. For example, some of the .jar and class files required to build the application have not been specified. To resolve the warnings, make sure that you have included all of the required files that your application uses. These warnings matter for the quality of the results: SCA cannot follow data flow through a method it could not resolve, so calls into missing libraries leave gaps in the analysis.
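A build job should refuse to scan when the warning list shows the translation was incomplete. The script below is an added example, not part of the HP Fortify guide: it counts the resolution and duplicate-definition warnings listed above in saved -show-build-warnings output and applies a threshold. The sample warning text is constructed for the example (its bracketed prefix is illustrative, not captured from the tool); the patterns are the warning texts the guide lists, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the HP Fortify guide): classify the output of
# "sourceanalyzer -b <build_id> -show-build-warnings" and decide whether the
# build session is complete enough to scan.

# Count resolution warnings (unresolved types, functions, fields, imports,
# symbols) in the warning text read from stdin.
count_resolution_warnings() {
    grep -c -E 'Unable to (resolve|locate) (type|function|field|import|symbol)' || true
}

# Count duplicate-definition warnings, which usually mean the same class was
# fed to SCA twice (for example a source tree plus a jar built from it).
count_duplicate_definitions() {
    grep -c -E 'Multiple definitions found for (function|class)' || true
}

# Gate for a CI job: succeed when the warnings in file $1 contain no more
# than $2 resolution warnings and no duplicate definitions.
warnings_allow_scan() {
    unresolved=$(count_resolution_warnings < "$1")
    dups=$(count_duplicate_definitions < "$1")
    [ "$unresolved" -le "$2" ] && [ "$dups" -eq 0 ]
}

# Constructed sample of warning output (format illustrative, not captured
# from the tool).
SAMPLE_WARNINGS='[warning]: Unable to resolve type javax.servlet.http.HttpServletRequest
[warning]: Unable to resolve function getParameter
[warning]: Unable to locate import org.apache.commons.lang.StringEscapeUtils
[warning]: Multiple definitions found for class com.example.Util'

# Usage: write the sample to a file and apply the gate.
sample_file=$(mktemp)
printf '%s\n' "$SAMPLE_WARNINGS" > "$sample_file"
if warnings_allow_scan "$sample_file" 5; then
    echo "scan may proceed"
else
    echo "fix the build session before scanning"
fi
```

In a real job, capture the output of sourceanalyzer -b <build_id> -show-build-warnings into the file instead of the sample, and set the threshold to zero for code whose web and servlet APIs must all resolve.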
Using FindBugs
FindBugs (http://findbugs.sourceforge.net) is a static analysis tool that detects quality issues in Java code. You can run FindBugs with SCA and the results will be integrated into the analysis results file. Unlike SCA, which runs on Java source files, FindBugs runs on Java bytecode. Therefore, before running an analysis on your project, you should first compile the project and produce the class files.
To demonstrate how to run FindBugs automatically with SCA, compile the sample code, Warning.java, as follows:
1. Go to the following directory:
<install_directory>/Samples/advanced/findbugs
2. Enter the following commands to compile the sample:
mkdir build
javac -d build Warning.java
3. Scan the sample with FindBugs and SCA as follows:
sourceanalyzer -b findbugs_sample -java-build-dir build Warning.java
sourceanalyzer -b findbugs_sample -scan -findbugs -f findbugs_sample.fpr
4. Examine the analysis results in Audit Workbench:
auditworkbench findbugs_sample.fpr
The output contains the following issue categories:
• Bad casts of Object References (1)
• Dead local store (2)
• Equal objects must have equal hashcodes (1)
• Object model violation (1)
• Unwritten field (2)
• Useless self-assignment (2)
If you group by Analyzer, you can see that the SCA Structural Analyzer produced one issue and FindBugs produced eight. The Object model violation issue produced by SCA on line 25 is similar to the Equal objects must have equal hash codes issue produced by FindBugs. In addition, FindBugs produces two sets of issues (Useless self-assignment and Dead local store) about the same problems on lines 6 and 7. To avoid overlapping results, apply the filter.txt filter file by using the -filter option during the scan. Note that the filtering is not complete because each tool filters at a different level of granularity. To demonstrate how to avoid overlapping results, scan the sample code using filter.txt as follows:
sourceanalyzer -b findbugs_sample -scan -findbugs -filter filter.txt \
    -f findbugs_sample.fpr
Translating J2EE Applications
Translating J2EE applications involves processing Java source files and J2EE components such as JSP files, deployment descriptors, and configuration files. While you can process all the pertinent files in a J2EE application using a single-step process, your project may require that you break the procedure into its components for integration in a build process or to meet the needs of various stakeholders within your organization. The following sections provide information on each component, followed by an all-in-one process.
Prerequisite for Translating Code Using Legacy Versions of the J2EE SDK
If you are translating code developed using a version of the J2EE SDK earlier than 1.5, you will need to add the following list of files to the CLASSPATH:
commons-logging.jar
j2ee.jar
jasper2_jasper-runtime.jar
xercesImpl-2.0.2.jar
and the following JSP tag libraries may also be required:
commons-validator.jar
jsp-api.jar
jstl.jar
log4j-1.2.9.jar
saxpath.jar
standard.jar
struts.jar
struts-el.jar
If you want, you can put the JSP tag library files in a subdirectory named jsp_tag_lib, but it is not required.
Add the files using the CLASSPATH option (-cp), or by adding the files to the <Fortify_Home>/Core/default_jars directory. Anything placed in default_jars is added to every scan on that installation, so prefer -cp for project-specific libraries.
Note: In previous versions of SCA the JARs listed above were included in the <SCA>/Core/default_jars directory. Beginning with version 4.10, the files are no longer included.
To identify a directory or directories where SCA should look for files each time you run a scan, you can set the com.fortify.sca.DefaultJarsDirs parameter in the fortify-sca-quickscan.properties file. For more information, see the "fortify-sca-quickscan.properties Configuration Options" section in the HP Fortify Static Code Analyzer Installation and Configuration Guide.
Translating the Java Files
Earlier in this chapter we provided the command line instructions for translating Java files. When translating J2EE applications, use the same procedure for translating the Java files within the application.
For examples, see About Java Command Line Examples on page 17.
Translating JSP Projects, Configuration Files, and Deployment Descriptors
In addition to translating the Java files in your J2EE application, you may also need to translate JSP files, configuration files, and deployment descriptors. You can scan JSP files created with version 2.0 and above.
Your JSP files must be part of a Web Application Archive (WAR). If your source directory is already organized in a WAR layout, you can translate the JSP files directly from the source directory. If this is not the case, you may need to deploy your application and translate the JSP files from the deployment directory.
For example:
sourceanalyzer -b <build_id> "**/*.jsp" "**/*.xml"
where **/*.jsp refers to the location of your *.jsp project files and **/*.xml refers to the location of your configuration and deployment descriptor files. Quote the specifiers so that the shell does not expand the wildcards before SCA sees them.
Translating Java ByteCode
In addition to translating source code, you can translate the bytecode in your project. In order to include bytecode, add the following properties to the fortify-sca.properties file:
com.fortify.sca.fileextensions.class=BYTECODE
com.fortify.sca.fileextensions.jar=ARCHIVE
J2EE Warnings
You may see the following warning for J2EE applications:
Could not locate the root (WEB-INF) of the web application. Please build your web
application and try again. Failed to parse the following jsp files:
<list of .jsp file names>
This warning displays because your web application is not deployed in the standard WAR directory format or does not contain the full set of required libraries. To resolve the warning, ensure that your web application is in an exploded WAR directory format with the correct WEB-INF/lib and WEB-INF/classes directories containing all of the .jar and .class files required for your application. You should also verify that you have all of the TLD files for all of the tags that you use and the corresponding .jar files with their tag implementations.
Chapter 4: Translating .NET Source Code
This chapter covers the following topics:
• About the Visual Studio Command Prompt
• About Visual Studio .NET
• Translating Simple .NET Applications
• Translating ASP.NET 1.1 (Visual Studio Version 2003) Projects
• Handling Resolution Warnings
This chapter describes how to use SCA to translate Microsoft Visual Studio .NET and ASP.NET applications built with:
• .NET Versions 1.1 and 2.0
• Visual Studio .NET version 2003
• Visual Studio .NET version 2005
• Visual Studio .NET version 2008
• Visual Studio .NET version 2010
• Visual Studio .NET version 2012
• Visual Studio .NET version 2013
• Visual Studio .NET version 2015
SCA works on the Common Intermediate Language (CIL), and therefore supports all of the .NET languages that compile to CIL, including C# and VB.NET.
Note: The easiest way to analyze a .NET application is to use the HP Fortify Package for Microsoft Visual Studio, which automates the process of gathering information about the project.
About the Visual Studio Command Prompt
Visual Studio 2005 and higher include the Visual Studio Command Prompt. The Visual Studio Command Prompt is located in the Visual Studio Tools directory of your Visual Studio installation. You should use this command prompt in the instructions that follow.
About Visual Studio .NET
If you perform command line builds with Visual Studio .NET, you can easily integrate static analysis by wrapping the build command line with an invocation of sourceanalyzer. For this to work, you must have the Secure Coding Package for your version of Visual Studio installed.
The following example demonstrates the command line syntax for Visual Studio .NET:
sourceanalyzer -b my_buildid devenv Sample1.sln /REBUILD debug
This performs the translation phase on all files built by Visual Studio. Be sure to do a clean or a rebuild so that all files are included. You can then perform the analysis phase, as in the following example:
sourceanalyzer -b my_buildid -scan -f results.fpr
Note: If your classic ASP/VBScript application uses virtual includes, for example,
<!--#include virtual="/myweb/foo.inc"-->
then you should specify the physical location of the myweb application by passing the following property value:
com.fortify.sca.ASPVirtualRoots=<semicolon-separated list of full paths to the virtual roots used>
For example, if the IIS virtual root /myweb is located at C:\webapps\myweb-folder, then your property value should be:
-Dcom.fortify.sca.ASPVirtualRoots=c:\webapps\myweb-folder
If you add this line to the fortify-sca.properties file, you must escape the \ character, as in the following:
com.fortify.sca.ASPVirtualRoots=c:\\webapps\\myweb-folder
Translating Simple .NET Applications
You can also use the SCA command line interface for processing .NET applications.
Prepare your application for analysis using one of the following methods:
• Perform a complete rebuild of your project with the "debug" configuration enabled. Compiling your project with debug enabled provides information that SCA uses for presenting the results.
• Obtain all of the third-party dll files, project output dll files, and corresponding pdb files for your projects. Note that SCA ignores any dll file passed as an input argument if the corresponding pdb file does not exist in the same folder. It is therefore imperative that you include all of the pdb files for all your project dll files. After translation, check the -show-files output to confirm that every expected assembly was included.
Note: pdb files are not required for third-party libraries.
Run SCA to analyze the .NET application from the command line as follows:
• For Visual Studio .NET Version 2010, enter:
sourceanalyzer -vsversion 10.0 -b MyBuild -libdirs ProjOne/Lib;ProjTwo/Lib ProjOne/bin/Debug ProjTwo/bin/Debug
where:
• MyBuild is the build identifier
• ProjOne/Lib;ProjTwo/Lib is a semicolon-separated list of paths to folders or DLLs with third-party DLLs
• ProjOne/bin/Debug ProjTwo/bin/Debug are the output folders
Use the following version numbers with the -vsversion parameter:
Table 2: Visual Studio .NET version numbers
Visual Studio .NET Release    Version
Visual Studio .NET 2003       7.1
Visual Studio .NET 2005       8.0
Visual Studio .NET 2008       9.0
Visual Studio .NET 2010       10.0
Visual Studio .NET 2012       11.0
Visual Studio .NET 2013       12.0
Visual Studio .NET 2015       14.0
Note: Standard .NET DLLs used in your project are automatically picked up by SCA, so you do not need to include them in the command line.
If your project is large, you can perform the translation phase separately for each output folder using the same build ID, as follows:
sourceanalyzer -vsversion <version_number> -b <build_id> -libdirs <paths> <folder_1>
...
sourceanalyzer -vsversion <version_number> -b <build_id> -libdirs <paths> <folder_n>
where:
• <version_number> is either 7.1, 8.0, 9.0, 10.0, 11.0, 12.0 or 14.0
• <build_id> is the build ID
• <paths> is a semicolon-separated list of paths to folders or DLLs with third-party DLLs
• <folder_1> and <folder_n> are the output folders
Note: SCA requires the appropriate version of Visual Studio unless you are using MSBuild. For information on using SCA with MSBuild, see Appendix E: MSBuild Integration on page 72.
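Because SCA drops a DLL without a sibling .pdb silently, the per-folder translation above is worth guarding. The script below is an added example and not part of the HP Fortify guide: it lists project DLLs that lack a .pdb in the same folder and translates each output folder under one build ID, skipping any folder that fails the check. The sourceanalyzer command line and the -vsversion value follow the guide; the folder layout is constructed, and the SCA_CMD variable (which lets the command be previewed with echo) and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the HP Fortify guide): before translating .NET
# output folders, find project DLLs whose .pdb is missing from the same
# folder, since SCA drops such DLLs silently and the scan then covers fewer
# assemblies than it appears to.

# Print every *.dll under folder $1 that has no sibling *.pdb, one per line.
dlls_without_pdb() {
    find "$1" -name '*.dll' | sort | while IFS= read -r dll; do
        [ -f "${dll%.dll}.pdb" ] || echo "$dll"
    done
}

# Translate each output folder separately under one build ID, skipping and
# reporting any folder that contains DLLs without debug symbols.
# $1 = build ID, $2 = -vsversion value (e.g. 10.0), $3 = -libdirs list,
# remaining args = output folders such as ProjOne/bin/Debug.
# SCA_CMD can be set to "echo" to preview the command lines.
translate_net_outputs() {
    build_id=$1; vsversion=$2; libdirs=$3; shift 3
    rc=0
    for folder in "$@"; do
        bad=$(dlls_without_pdb "$folder")
        if [ -n "$bad" ]; then
            echo "skipping $folder: DLLs without a .pdb:" >&2
            echo "$bad" >&2
            rc=1
            continue
        fi
        ${SCA_CMD:-sourceanalyzer} -vsversion "$vsversion" -b "$build_id" \
            -libdirs "$libdirs" "$folder"
    done
    return "$rc"
}

# Usage with a constructed layout: ProjOne has its .pdb, ProjTwo does not.
demo=$(mktemp -d)
mkdir -p "$demo/ProjOne/bin/Debug" "$demo/ProjTwo/bin/Debug" "$demo/ProjOne/Lib"
: > "$demo/ProjOne/bin/Debug/ProjOne.dll"
: > "$demo/ProjOne/bin/Debug/ProjOne.pdb"
: > "$demo/ProjTwo/bin/Debug/ProjTwo.dll"
( SCA_CMD=echo; translate_net_outputs MyBuild 10.0 "$demo/ProjOne/Lib" \
    "$demo/ProjOne/bin/Debug" "$demo/ProjTwo/bin/Debug" ) || echo "some folders were skipped"
```

Remove the SCA_CMD=echo preview to run the real translation; the non-zero return value is what a build job should key on, since a skipped folder means an assembly absent from the FPR.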
Translating ASP.NET 1.1 (Visual Studio Version 2003) Projects
As discussed previously, SCA works on CIL generated by the .NET compilers. For ASP.NET projects, web components such as aspx files need to be compiled before they can be analyzed. However, there is no standard compiler for aspx files. The .NET 1.1 runtime automatically compiles them when they are accessed from a browser.
To facilitate the aspx compilation phase, HP Fortify Software provides a simple tool that compiles all of the aspx files in your project. The tool is located in the HP Fortify installation directory at:
\Tools\fortify_aspnet_compiler\fortify_aspnet_compiler.exe
To analyze ASP.NET 1.1 solutions:
1. Perform a complete rebuild of the solution.
2. For each of the web projects in the solution, delete the following folder:
%SYSTEMROOT%\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\<web_application_name>
3. For each of the web projects in the solution, run the following command:
fortify_aspnet_compiler <url_to_the_web_site> <source_root_of_the_web_project>
where:
<url_to_the_web_site> is the URL for your website, such as http://localhost/WebApp
<source_root_of_the_web_project> is the source location of your web project, such as <VS_project_location>\WebApp
4. Perform the translation phase for the DLLs built in Step 1. Enter the following command using the same build ID as in the following steps:
sourceanalyzer -b <build_id> "<VS_project_location>\**\*.dll"
5. Perform the translation phase for the web components. For each of the web projects in the solution, enter the following when you invoke sourceanalyzer (the path contains spaces, so keep the quotes):
sourceanalyzer -b <build_id> "%SYSTEMROOT%\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\<web_application_name>"
6. Include the configuration files and any Microsoft T-SQL source files that you have:
sourceanalyzer -b <build_id> "<solution_root>\**\*.config" "<t-sql_src>\**\*.sql"
Note: These steps are all automated if you use the HP Fortify Package for Microsoft Visual Studio.
Handling Resolution Warnings
To see all warnings that were generated during your build, enter the following command before you start the scan phase:
sourceanalyzer -b <build_id> -show-build-warnings
About .NET Warnings
You may see the following warning for .NET:
Cannot locate class... in the given search path and the Microsoft .NET Framework libraries.
These warnings are typically caused by missing resources. For example, some of the .DLL files required to build the application have not been specified. To resolve the warnings, make sure that you have included all of the required files that your application uses. If you still see a warning and the classes it lists are empty interfaces with no members, you can ignore the warning. If the interface is not empty, contact Technical Support.
About ASP.NET Warnings
You may see the following warning for ASP.NET applications:
Failed to parse the following aspx files:
<list of .aspx file names>
This warning displays because your web application is not deployed correctly, does not contain the full set of required libraries, or uses the Global Assembly Cache (GAC). If your application is a .NET version 1.1 application, you may also have access issues from Microsoft IIS. Verify that you can access the application from a browser without authentication or access errors. If your web application uses the GAC, you must add the DLL files to the project separately to ensure a successful scan. SCA does not load DLL files from the GAC.
Chapter 5: Translating C/C++ Code
This chapter covers the following topics:
• About C and C++ Command Line Syntax
• C and C++ Command Line Examples
• About Integrating with Make
• About Command Line Builds in Visual Studio .NET
• About Command Line Builds in Visual Studio 6.0
• Scanning Pre-processed C/C++ Code
About C and C++ Command Line Syntax
The basic command line syntax for translating a single file is:
sourceanalyzer -b <build_id> <compiler> [<compiler options>]
where:
<compiler> is the name of the compiler you want to use during a project build scan, such as gcc or cl.
<compiler options> are options passed to the compiler that are typically used to compile the file. Pass the same -D and -I options that the real build uses: SCA translates the code as the preprocessor sees it, so code excluded by a missing define is not analyzed.
C and C++ Command Line Examples
The following is a simple usage example.
To translate a file named helloworld.c using the gcc compiler, enter:
sourceanalyzer -b my_buildid gcc helloworld.c
Note: This also compiles the file.
About Integrating with Make
You can use either of the following methods to integrate SCA with Make:
• HP Fortify Touchless Build Adapter
• Modify a Makefile to Invoke SCA
Using the HP Fortify Touchless Build Adapter
The following section describes the different methods for using the touchless build adapter.
Using the sourceanalyzer Build Adapter Command
For example, to use the HP Fortify touchless build adapter to integrate with a Python build script:
sourceanalyzer -b <build_id> touchless python build.py
SCA runs the entire command following the "touchless" keyword. When the command creates a new process that SCA determines is a compiler, the command is processed by SCA.
For information about informing SCA about specially named compilers, see the com.fortify.sca.compilers.* property in "Using Properties to Control Runtime Options" on page 65. Any build command that executes a recognized compiler process can be used with this system; just replace the python build.py portion of the above command with the command used to run a build, for example make.
Note: The HP Fortify touchless build adapter does not function correctly if:
• The build script invokes the compiler with an absolute path or overrides the executable search path.
• The build script does not create a new process to run the compiler. Many Java build tools, including Ant, operate this way.
Modifying a Makefile to Invoke SCA
To modify a makefile to invoke SCA, replace any calls to the compiler, archiver, or linker in the makefile with calls to SCA. These tools are typically specified in a special variable in the makefile, as in the following example:
CC=gcc
CXX=g++
AR=ar
The step can be as simple as prepending these tool references in the makefile with SCA and the appropriate options:
CC=sourceanalyzer -b mybuild gcc
CXX=sourceanalyzer -b mybuild g++
AR=sourceanalyzer -b mybuild ar
Use the same build ID in every variable so that all of the translated objects land in one build session.
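Choosing between the touchless adapter and the makefile edit can be automated: if the makefile assigns the compiler by absolute path, the touchless adapter cannot intercept it, and the same effect as editing the file is obtained by overriding CC, CXX and AR on the make command line. The script below is an added example, not code from the HP Fortify guide: it inspects a makefile for absolute compiler paths, keeps the makefile's own compiler when wrapping it in sourceanalyzer, and prints the resulting command. The two makefiles in the usage section are constructed, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the HP Fortify guide): choose between the touchless
# adapter and command-line overrides of CC/CXX/AR for a given makefile, and
# print the make invocation wrapped for SCA.

# Print the CC/CXX/AR assignments in makefile $1 whose value is an absolute
# path. Empty output means the touchless adapter will see the compiler.
absolute_compiler_assignments() {
    grep -E '^[[:space:]]*(CC|CXX|AR)[[:space:]]*[?:]?=[[:space:]]*/' "$1" || true
}

# "touchless" when no absolute compiler paths are assigned, else "override".
make_integration_mode() {
    if [ -n "$(absolute_compiler_assignments "$1")" ]; then
        echo override
    else
        echo touchless
    fi
}

# Value assigned to variable $2 in makefile $1, or $3 if it is not assigned.
makefile_var() {
    val=$(sed -n -E "s/^[[:space:]]*$2[[:space:]]*[?:]?=[[:space:]]*//p" "$1" | tail -n 1)
    echo "${val:-$3}"
}

# Print the make invocation wrapped for SCA.
# $1 = build ID, $2 = makefile, remaining args = make targets
sca_make_command() {
    build_id=$1; makefile=$2; shift 2
    if [ "$(make_integration_mode "$makefile")" = touchless ]; then
        echo "sourceanalyzer -b $build_id touchless make -f $makefile $*"
    else
        # Wrap the makefile's own tools so the override does not change
        # which compiler the project is built with.
        cc=$(makefile_var "$makefile" CC gcc)
        cxx=$(makefile_var "$makefile" CXX g++)
        ar=$(makefile_var "$makefile" AR ar)
        echo "make -f $makefile CC=\"sourceanalyzer -b $build_id $cc\"" \
             "CXX=\"sourceanalyzer -b $build_id $cxx\"" \
             "AR=\"sourceanalyzer -b $build_id $ar\" $*"
    fi
}

# Usage with two constructed makefiles: one uses gcc from PATH, the other
# names the compiler by absolute path.
demo=$(mktemp -d)
printf 'CC=gcc\nCXX=g++\nAR=ar\nall:\n\t$(CC) -o hello hello.c\n' > "$demo/Makefile.rel"
printf 'CC=/opt/toolchain/bin/gcc\nCXX=/opt/toolchain/bin/g++\nall:\n\t$(CC) -o hello hello.c\n' > "$demo/Makefile.abs"
sca_make_command mybuild "$demo/Makefile.rel" all
sca_make_command mybuild "$demo/Makefile.abs" all
```

The override form only works for tools the makefile reaches through CC, CXX and AR; a recipe that spells out /usr/bin/gcc directly still needs the makefile edit described above.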
About Command Line Builds in Visual Studio .NET
If you perform command line builds with Visual Studio .NET, you can easily integrate static analysis by simply wrapping the build command line with an invocation of sourceanalyzer. For this to work, you must have the HP Fortify Package for Microsoft Visual Studio for your version of Visual Studio installed.
Consider the following example:
sourceanalyzer -b my_buildid devenv MyProject.sln /REBUILD
This performs the translation phase on all files built by Visual Studio. Be sure to do a clean or a rebuild so that all files are included.
About Command Line Builds in Visual Studio 6.0
If you perform command line builds with Visual Studio 6.0, you can integrate static analysis by wrapping the build command line with an invocation of sourceanalyzer.
Consider the following example:
sourceanalyzer -b my_buildid msdev MyProject.dsp /MAKE "MyProject DEBUG" /REBUILD
This performs the translation phase on all files built by Visual Studio. Be sure to do a clean or a rebuild so that all files are included, as described in your Visual Studio documentation.
Scanning Pre-processed C/C++ Code
If, prior to compilation, your C/C++ build executes a third-party C preprocessor that is not supported by SCA, you must invoke SCA translation on the intermediate file. SCA touchless build integration will automatically translate the intermediate file provided your build executes the unsupported preprocessor and supported compiler as two commands connected by a temporary file rather than a pipe chain.
This is an uncommon scenario that most users will not encounter.
Chapter 6: Translating ABAP/4
This chapter covers the following topics:
• About Translating ABAP/4 Code
• About Scanning ABAP Code
• Overview of the Process
• About the Transport Request
• Add Fortify SCA to Your Favorites List (Optional)
• Running the HP Fortify ABAP Extractor
About Translating ABAP/4 Code
Translating ABAP/4 code is similar to translating code in other languages, but requires additional steps in order to extract the code from the SAP database and prepare it for scanning. This chapter assumes you have SCA running and have a basic understanding of SCA, SAP, and ABAP/4.
About Scanning ABAP Code
In order to translate ABAP code, the HP Fortify ABAP Extractor program downloads source files to the presentation server and, optionally, invokes SCA. You need to use an account with permissions to download files to the local system and execute OS commands. Because that account can run OS commands, use a dedicated account for extraction rather than a shared administrative one.
Because the extractor program is executed online, you may receive a max dialog work process time reached exception if the volume of source files selected for extraction exceeds the allowable process run time. You can often work around this by downloading large projects as a series of smaller Extractor tasks. For example, if your project consists of four different packages, download each package separately into the same project directory.
If the exception occurs frequently, work with your SAP Basis administrator to increase the maximum time limit (rdisp/max_wprun_time).
When a PACKAGE is extracted from ABAP, the HP Fortify ABAP Extractor extracts everything from TDEVC with a parentcl field that matches the package name. It then recursively extracts everything else from TDEVC with a parentcl field equal to those already extracted from TDEVC. The field extracted from TDEVC is devclass.
The devclass values are treated as a set of program names and handled the same way as a program name which you may optionally provide.
Programs are extracted from TRDIR by matching the name field against either the program name given by the user in the selection screen or the list of values extracted from TDEVC if a package was provided. The rows taken from TRDIR are those whose name field matches the given program name; the match is made with a LIKE expression on the program name.
This final list of names is used with READ REPORT to get the code out of the SAP system. This method reads classes and methods out as well as plain REPORTs.
Each READ REPORT call produces a file in the temporary folder on the local system. This set of files is what sourceanalyzer will translate and scan, producing an .fpr file which can be viewed with HP Fortify Audit Workbench.
About INCLUDE Processing
As source code is downloaded, the HP Fortify ABAP Extractor checks for INCLUDE statements in the source. When found, it downloads the include targets to the local machine for analysis as well.
Overview of the Process
There are two main steps required prior to translating your ABAP/4 code:
• Install a Transport Request on your SAP server.
• Add the transaction object to your Favorites list (optional).
Note: The following procedure is based on the use of the Windows SAP client-based interface. Screenshots and interface locations may vary if you are using a different SAP client.
About the Transport Request
ABAP scanning is available as a premium component of SCA. If you purchased a license that includes this capability, you will need to install the HP Fortify Transport Request on your SAP Server.
The transport request is located in the SAP_Extractor.zip package. The package is located in the Tools directory:
<SCA_Install_Directory>\Tools\SAP_Extractor.zip
The HP Fortify SCA ABAP Extractor package, SAP_Extractor.zip, contains the following files:
• K9000XX.NSP (where "XX" is the release number)
• R9000XX.NSP (where "XX" is the release number)
These files make up the SAP transport request and should be imported into your SAP system from outside your local Transport Domain. This should be done by your SAP administrator or an individual authorized to install transport requests on the system.
The NSP files contain a class, a program, a transaction (YSCA), and the program GUI screens. Once imported into your system and properly configured, you will be able to extract your code from the SAP database and prepare it for scanning by SCA.
Installation Note: The HP Fortify SCA ABAP Extractor transport request was created on a system running SAP release 702, SP level 0006. If you are running a different SAP release, you may get a transport request import error:
Install release does not match the current version
This will cause the installation to fail. To resolve this issue:
1. Run the transport request import again.
The Import Transport Request screen appears.
2. Click the Options tab.
3. Select the Ignore Invalid Component Version checkbox.
4. Complete the import procedure.
Add Fortify SCA to Your Favorites List (Optional)
Adding Fortify SCA to your Favorites list is optional, but doing so may make it easier to access and launch Fortify SCA scans. The following steps assume that you use the User menu in your day-to-day work. If your work is done from a different menu, add the Favorites link to the menu that you use. Before you create the Fortify SCA entry, the SAP server should be running and you should be in the SAP Easy Access area of your SAP client.
1. From the SAP Easy Access menu, type S000 in the transaction box.
The SAP Menu appears.
2. Right-click the Favorites folder and select Insert transaction.
The Manual entry of a transaction box appears.
3. Type YSCA in the Transaction code box.
4. Click the green checkmark button.
The Launch SCA item should appear in the Favorites list.
5. Click the Extract ABAP code and launch SCA link to launch the HP Fortify ABAP Extractor.
Running the HP Fortify ABAP Extractor
1. LaunchtheprogramfromtheFavoriteslink,thetransactioncode,orbymanuallylaunchingthe
Z_AMOL_SCAobject.
2. Fillintherequestedinformation:
Section
Data
Objects
EnterthenameoftheSoftwareComponent,Package,
Program,orBSPApplicationyouwanttoscan.
Sourceanalyzerparameters
FPRFilePath:Typethedirectorywhereyouwantto
storeyourFPRfile.Includethenameyouwantassigned
totheFPRfileinthepathname.
WorkingDirectory:Typethedirectorywherethe
extractedsourcecodeshouldbecopied.
Build‐ID:TypethebuildIDforthescan.
TranslationsParameters:Listanyoptional
sourceanalyzertranslationarguments.
ScanParameters:Listanyoptionalsourceanalyzerscan
arguments.
ZIPFileName:TypeaZIPfilenameifyouwouldlike
youroutputprovidedinacompressedpackage.
MaximumCall‐chainDepth:AglobalSAP‐functionF
willnotbedownloadedunlessFwasexplicitlyselected
orunlessFcanbereachedthroughachainoffunction
callswhichstartsinexplicitly‐selectedcodeandwhose
lengthisthisnumberorless.
Chapter 6: Translating ABAP/4
31
Section: Actions
    Download: Check this box to instruct SCA to download the source code extracted from your SAP database.
    Build: Check this box to instruct SCA to translate all downloaded ABAP code and store it under the specified Build-ID.
    Scan: Check this box to request a scan.
    Launch AWB: Check this box to launch Audit Workbench and load the FPR.
    Create ZIP: Check this box to request that the output be compressed.
    Process in Background: Check this box to request that processing occur in the background.
3. Click the Execute button.
Chapter 7: Translating Ruby Code
This chapter covers the following topics:
• About Ruby Command Line Syntax
• Adding Libraries
• Adding Multiple Library Paths
• Adding Gem Paths
About Ruby Command Line Syntax
The basic command line syntax for Ruby is:
sourceanalyzer -b <build_id> <rb_file>
where <rb_file> is the name of the Ruby file to be scanned. To include multiple Ruby files, separate them with a space, as in the following example:
sourceanalyzer -b <build_id> file1.rb file2.rb file3.rb
Note: In addition to listing individual Ruby files, you can use the asterisk (*) wildcard to select all Ruby files in a specified directory. For example, to find all of the Ruby files in a directory called src, you could use the following sourceanalyzer command:
sourceanalyzer -b <build_id> src/*.rb
Adding Libraries
If your Ruby source code requires a specific library, add the Ruby library to the sourceanalyzer command. For example, if you have a utils.rb file that resides in the /usr/share/ruby/myPersonalLibrary/ directory, then you should add the following to the sourceanalyzer command:
-ruby-path=/usr/share/ruby/myPersonalLibrary
Adding Multiple Library Paths
To use multiple libraries, use a delimited list. On Windows the paths should be separated by a semicolon (';'); on all other platforms use a colon (':'), as in the following non-Windows example:
-ruby-path=/path/one:/path/two:/path/three
Adding Gem Paths
To add all RubyGems and their dependency paths, import all RubyGems. To do this, run the gem env command and under GEM PATHS you will see a directory like:
/home/myUser/gems/ruby-version
This directory should contain another directory called gems which contains directories for all the gem files installed on the system, so for this example you would set:
-rubygem-path=/home/myUser/gems/ruby-version/gems
If you have multiple gems directories, add them using a delimited list such as:
-rubygem-path=/path/to/gems:/another/path/to/more/gems
Note: For Windows systems, separate the gems directories with a semicolon.
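As an added example (not from the guide, and not part of SCA), the following POSIX shell script builds the -rubygem-path argument described above from the GEM PATHS section of gem env output, appending the gems subdirectory to each path and joining them with the platform delimiter from the note. The gem env text is a constructed sample; on a real system substitute the actual output of gem env.

```shell
#!/bin/sh
# Added example: derive -rubygem-path from `gem env` output as the
# "Adding Gem Paths" section describes. Not code from the HP Fortify guide.

# Constructed sample of `gem env` output (replace with: gem env).
SAMPLE_GEM_ENV='RubyGems Environment:
  - RUBYGEMS VERSION: 2.4.5
  - RUBY VERSION: 2.1.5 (2014-11-13 patchlevel 273) [x86_64-linux]
  - INSTALLATION DIRECTORY: /home/myUser/gems/ruby-2.1.0
  - GEM PATHS:
     - /home/myUser/gems/ruby-2.1.0
     - /usr/lib/ruby/gems/2.1.0
  - GEM CONFIGURATION:
     - :update_sources => true
'

# Print the directories listed under "GEM PATHS:", one per line.
gem_paths() {
  printf '%s\n' "$1" | awk '
    /^  - GEM PATHS:/        { in_paths = 1; next }
    in_paths && /^     - /   { sub(/^     - /, ""); print; next }
    in_paths && /^  - /      { exit }   # next top-level section ends the list
  '
}

# Join stdin lines with a delimiter: ";" on Windows, ":" elsewhere (per the note).
join_with() {
  awk -v d="$1" 'NR > 1 { printf "%s", d } { printf "%s", $0 } END { print "" }'
}

# Build the -rubygem-path argument: each GEM PATH plus its "gems" subdirectory.
#   $1  gem env output text
#   $2  delimiter (defaults to ":"; pass ";" for Windows)
rubygem_path_arg() {
  delim=${2:-":"}
  dirs=$(gem_paths "$1" | sed 's|$|/gems|')
  if [ -z "$dirs" ]; then
    echo "no GEM PATHS section found in gem env output" >&2
    return 1
  fi
  printf '%s%s\n' '-rubygem-path=' "$(printf '%s\n' "$dirs" | join_with "$delim")"
}

# Stand-alone usage:
rubygem_path_arg "$SAMPLE_GEM_ENV"
# -> -rubygem-path=/home/myUser/gems/ruby-2.1.0/gems:/usr/lib/ruby/gems/2.1.0/gems
rubygem_path_arg "$SAMPLE_GEM_ENV" ';'
# -> -rubygem-path=/home/myUser/gems/ruby-2.1.0/gems;/usr/lib/ruby/gems/2.1.0/gems
```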
Warnings
Because this is a Technical Preview, you may encounter parse errors.
[error]: Unexpected exception while parsing file p.rb: (SyntaxError) p.rb:2:syntax
error, unexpected end-of-file.
These errors, or warnings, are likely caused by bugs in the Ruby Technical Preview code and should be reported to HP Fortify support.
Ruby on Rails Support
Ruby on Rails support will be added in a future release of HP Fortify Static Code Analyzer.
Your JSP files must be part of a Web Application Archive (WAR). If your source directory is already organized in a WAR layout, you can translate the JSP files directly from the source directory. If this is not the case, you may need to deploy your application and translate the JSP files from the deployment directory.
For example:
sourceanalyzer -b <build_id> \**\*.jsp \**\*.xml
where \**\*.jsp refers to the location of your *.jsp project files and \**\*.xml refers to the location of your configuration and deployment descriptor files.
Chapter 8: Translating Flex
This chapter covers the following topics:
• About the Command-Line Options
• About ActionScript Command Line Syntax
• ActionScript Command Line Examples
• About Handling Resolution Warnings
About the Command-Line Options
The following command-line options (with corresponding properties that can be used instead, for convenience) are used when translating Flex files:
• -flex-sdk-root (com.fortify.sca.FlexSdkRoot) should point to the root of a valid Flex SDK. This folder should contain a frameworks folder that contains a flex-config.xml file. It should also contain a bin folder that contains an mxmlc executable.
You can set this property in your fortify-sca.properties file.
• -flex-libraries (com.fortify.sca.FlexLibraries) contains a : or ; separated list (: on most platforms, ; on Windows) of library names that you want to "link" to. In most cases, this list includes flex.swc, framework.swc, and playerglobal.swc (usually found in frameworks/libs/ under your Flex SDK root).
You can set this property in your fortify-sca.properties file to use the same set of SWCs.
Note: You can specify SWC or SWF files as Flex libraries, but we do not currently support SWZ.
• -flex-source-roots (com.fortify.sca.FlexSourceRoots) contains a : or ; separated list of root directories in which MXML sources can be found. Normally, these will contain a subfolder named com. For instance, if a Flex source root is given that is pointing at foo/bar/src, then foo/bar/src/com/fortify/manager/util/Foo.mxml will get transformed into an object named com.fortify.manager.util.Foo (an object named Foo in the package com.fortify.manager.util).
• -flex-sdk-root and -flex-source-roots are primarily for MXML translation, and are optional if you are scanning pure ActionScript. -flex-libraries is used for resolving all ActionScript
Note: MXML files are translated into ActionScript and then run through the ActionScript parser. The ActionScript that is generated is intended to be simple to analyze, not rigorously correct like the Flex run-time model. As a consequence of this, you may get parse errors with MXML files. For instance, the XML parsing could fail, the translation to ActionScript could fail, and the parsing of the resulting ActionScript could also fail. If you see any errors that do not have a clear connection to the original source code, please notify HP Fortify Support.
About ActionScript Command Line Syntax
The basic command line syntax for ActionScript is:
sourceanalyzer -b <build_id> -flex-libraries <listOfLibraries>
To pass files directly to Fortify SCA, enter:
sourceanalyzer -b <build_id> -flex-libraries <listOfLibraries>
where:
<listOfLibraries> is a semicolon-separated list (Windows) or a colon-separated list (non-Windows systems) of library names that you want to "link" to.
ActionScript Command Line Examples
The following examples illustrate command-line structure for typical scenarios you may encounter.
Example 1
The following example is for a simple application that contains only one MXML file and a single SWF library (MyLib.swf).
sourceanalyzer -b MyFlexApp -flex-libraries lib/MyLib.swf -flex-sdk-root /home/myself/flex-sdk/ -flex-source-roots . my/app/FlexApp.mxml
This identifies the location of the libraries to include, and also identifies the Flex SDK and the Flex source root locations. The single MXML file, located in /my/app/FlexApp.mxml, results in your MXML application being translated as a single ActionScript class called FlexApp and located in the my.app package.
Example 2
The following example is for an application in which the source files are relative to the src directory. It uses a single SWF library, MyLib.swf, and the Flex and framework libraries from the Flex SDK.
sourceanalyzer -b MyFlexProject -flex-sdk-root /home/myself/flex-sdk/ -flex-source-roots src/ -flex-libraries lib/MyLib.swf src/**/*.mxml src/**/*.as
In this example, we locate the Flex SDK. SCA file specifiers are used to include the .as and .mxml files under the src folder. It is not necessary to explicitly specify the .SWC files found under the -flex-sdk-root, although this example does so for the purposes of illustration. SCA will automatically locate all .SWC files under the specified Flex SDK root, and it assumes that these are libraries intended for use translating ActionScript or MXML files.
Example 3
In this example, the Flex SDK root and Flex libraries are specified in a properties file since typing in the data is time consuming and it tends to be constant. The application may be divided into two sections and stored in folders: a main section folder and a modules folder. Each folder contains a src folder where the paths should begin. Wildcards are used in file specifiers to pick up all the .mxml and .as files in both of the src folders. An MXML file in main/src/com/foo/util/Foo.mxml will be translated as an ActionScript class named Foo in the package com.foo.util, for example, with the source roots specified here:
sourceanalyzer -b MyFlexProject -flex-source-roots main/src:modules/src ./main/src/**/*.mxml ./main/src/**/*.as ./modules/src/**/*.mxml ./modules/src/**/*.as
About Handling Resolution Warnings
To see all warnings that were generated during your build, enter the following command before you start the scan phase:
sourceanalyzer -b <build_id> -show-build-warnings
About ActionScript Warnings
You may receive a message similar to:
The ActionScript front end was unable to resolve the following imports: a.b at y.as:2.
foo.bar at somewhere.as:5. a.b at foo.mxml:8.
This error occurs when SCA cannot find all of the libraries it needs. You may need to specify additional SWC or SWF Flex libraries (-flex-libraries option, or com.fortify.sca.FlexLibraries property) so that SCA can complete the analysis.
Chapter 9: Translating Code for Mobile Platforms
This chapter covers the following topics:
• About Translating Objective-C Code
• About Translating Google Android Code
About Translating Objective-C Code
This section describes how to translate Objective-C source code for iOS applications.
Prerequisites
• Xcode command-line tools must be installed in the path.
• Projects must use the non-fragile Objective-C runtime (ABI version 2 or 3).
• Use Apple's xcode-select command-line utility to set your Xcode path. SCA uses the system's global Xcode configuration to find the Xcode toolchain and headers.
About Objective-C Command Line Syntax
The basic command line syntax for translating a single file is:
sourceanalyzer -b <build_id> -clean
sourceanalyzer -b <build_id> xcodebuild [<compiler options>]
where:
<compiler options> are options passed to xcodebuild.
Objective-C Command Line Example
The following simple examples illustrate usage patterns for the supported compilers. The following command samples should be run from the directory where the project files are located.
To translate an Xcode Objective-C project, enter:
xcodebuild [options] clean        (Optional. Cleans the previous build artifacts.)
sourceanalyzer -b my_buildid -clean
sourceanalyzer -b my_buildid xcodebuild [options]
To scan the application artifact files:
sourceanalyzer -b my_buildid -scan -f result.fpr
Note: The source code will be compiled when running these commands.
Xcode Compiler Errors
If you receive Xcode compiler errors, this may be due to the inclusion of Clang options added after your version of SCA was released. To eradicate the errors, type the following after xcodebuild:
ARCHS=i386
GCC_TREAT_WARNINGS_AS_ERRORS=NO
where ARCHS=i386 represents the architectures (ABIs, processor models) to which the binary is targeted.
About Translating Google Android Code
SSR provides rules support for programs that run on the Google Android platform. These rules:
• identify insecure data storage
• categorize applications by their security permissions and detect overprivileged uses
• send and receive intents, identify database, file system, web, private information and Android inter-component sources
Translating Google Android code is similar to translating Java code. For instructions on translating Java code, see Chapter 2, Translating Java Code on page 17.
Migration Issues
If you have migrated from a previous version of SCA and receive an error when running SCA, it may be due to a deprecated property key in your fortify-sca.properties file. Check the fortify-sca.properties file (located in the <install directory>/SCA/Core/config/ directory) for any of the following deprecated property keys:
com.fortify.sca.xcodebuild.CompilerPath
com.fortify.sca.xcodebuild.SupportedVersion
com.fortify.sca.xcodebuild43.CompilerPath
com.fortify.sca.clang.includes
com.fortify.sca.clang.CaptureWarnings
com.fortify.sca.llvmtonst.CaptureWarnings
com.fortify.sca.llvmtonst.FailOnError
com.fortify.sca.llvmtonst.command
com.fortify.sca.llvmtonst.options
com.fortify.sca.pretranslate.command
If found, remove the key from your properties file.
Chapter 10: Translating Other Languages
This chapter covers the following topics:
• About Command Line Syntax for Other Languages
• Configuration Considerations
• Translating COBOL Code
About Command Line Syntax for Other Languages
This topic describes the SCA command syntax for translating other languages.
The basic command line syntax for other languages is:
sourceanalyzer -b <build_id> <file_list>
Enter the following to select the SQL type being translated on Windows platforms:
sourceanalyzer -b <example_build> -sql-language TSQL <files>
or
sourceanalyzer -b <example_build> -sql-language PL/SQL <files>
SQL Note: By default, files with the extension sql are assumed to be T-SQL rather than PL/SQL on Windows platforms. If you are using Windows and have PL/SQL files with the sql extension, you can configure SCA to treat them as PL/SQL rather than explicitly specify it each time you run sourceanalyzer. To change the default behavior, set the com.fortify.sca.fileextensions.sql property in fortify-sca.properties to "TSQL" or "PLSQL".
Enter the following to perform translation on ColdFusion source code:
sourceanalyzer -b <build_id> -source-base-dir <dir> <files|file specifiers>
where:
• <build_id> specifies the build ID for the project
• <dir> specifies the root directory of the web application
• <files|file specifiers> specifies the CFML source code files
ColdFusion Note: SCA calculates the relative path to each CFML source file by using the -source-base-dir directory as the starting point, then uses these relative paths when generating instance IDs. If the entire application source tree is moved to a different directory, the instance IDs generated by a security analysis should remain the same if you specify an appropriate value for -source-base-dir.
For a description of all the options you can use with the sourceanalyzer command, see Command Line Interface on page 48.
File specifiers are shown in the following table:
Table 4: File Specifiers
<dirname>
    All files found under the named directory or any subdirectories
<dirname>/**/Example.js
    Any file named Example.js found under the named directory or any subdirectories
<dirname>/*.js
    Any file with the extension .js found in the named directory
<dirname>/**/*.js
    Any file with the extension .js found under the named directory or any subdirectories
<dirname>/**/*
    All files found under the named directory or any subdirectories (same as <dirname>)
Note: Windows and many Unix shells automatically try to expand arguments containing the '*' character, so file-specifier expressions should be quoted. Also, on Windows, enter the backslash (\) instead of the forward slash (/).
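The following POSIX shell script is an added demonstration of the quoting note above (it is not from the guide or from SCA): against a constructed sample tree it shows what sourceanalyzer would actually receive for an unquoted src/**/*.js, for the quoted form, and what Table 4 says the specifier means. The sample file names are constructed.

```shell
#!/bin/sh
# Added example, not from the HP Fortify guide: why Table 4 file specifiers must
# be quoted. Unquoted, sh (and bash without globstar) expands "**" as a plain
# "*", matching exactly one directory level, so files nested deeper never reach
# sourceanalyzer. Quoted, the specifier arrives intact and SCA does the matching.

# Constructed sample project: three .js files at three depths under src/.
make_sample_tree() {
  mkdir -p "$1/src/a/b"
  : > "$1/src/top.js"
  : > "$1/src/a/mid.js"
  : > "$1/src/a/b/deep.js"
}

# What the shell hands to the program for an UNQUOTED src/**/*.js
# (printf stands in for sourceanalyzer and just lists its arguments).
unquoted_args() {
  ( cd "$1" && printf '%s\n' src/**/*.js )
}

# What the program receives for a QUOTED "src/**/*.js": the literal specifier.
quoted_args() {
  ( cd "$1" && printf '%s\n' "src/**/*.js" )
}

# What Table 4 says <dirname>/**/*.js means: every .js under src at any depth.
sca_meaning() {
  ( cd "$1" && find src -name '*.js' | sort )
}

# Stand-alone usage:
tmp=$(mktemp -d)
make_sample_tree "$tmp"
echo "unquoted:";  unquoted_args "$tmp"   # src/a/mid.js  (top.js and deep.js are lost)
echo "quoted:";    quoted_args "$tmp"     # src/**/*.js
echo "SCA match:"; sca_meaning "$tmp"     # src/a/b/deep.js src/a/mid.js src/top.js
rm -r "$tmp"
```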
Configuration Considerations
This section provides information on configuring Python, configuring ColdFusion, configuring the SQL extension, and configuring ASP/VBScript virtual roots.
Configuring Python
SCA translates Python applications, and treats files with the extension py as Python source code. In order for SCA to translate Python applications and prepare the application for a scan, SCA searches any import files for the application. SCA does not respect the PYTHONPATH environment variable which the Python runtime system uses to find imported files, so this information should be given directly to SCA using the -python-path argument. In addition, some applications add additional import directories during runtime initialization.
To add paths for additional import directories, use the sourceanalyzer command line option:
-python-path pathname
Note: SCA translates Python applications using all import files located in the directory path defined by the -python-path pathname option. Consequently, translation may take a significant amount of time to complete.
Using the Django Framework with Python
In order to scan code created using the Django framework, set the following properties in the fortify-sca.properties configuration file:
-Dcom.fortify.sca.limiters.MaxPassThroughChainDepth=8
-Dcom.fortify.sca.limiters.MaxChainDepth=8
During the translation phase, set the following switch:
-django-template-dirs path/to/template/dirs
Configuring ColdFusion
In order to treat undefined variables in a CFML page as tainted, uncomment the following line in sca_install_dir\Core\config\fortify-sca.properties:
#com.fortify.sca.CfmlUndefinedVariablesAreTainted=true
Doing so serves as a hint to the dataflow analyzer to watch out for register-globals-style vulnerabilities. However, enabling this property interferes with Dataflow findings in which a variable in an included page is initialized to a tainted value in an earlier-occurring included page.
Configuring the SQL Extension
By default, files with the extension sql are assumed to be T-SQL rather than PL/SQL on Windows platforms. If you are using Windows and have PL/SQL files with the sql extension, you should configure SCA to treat them as PL/SQL. To change the default behavior, set the com.fortify.sca.fileextensions.sql property in fortify-sca.properties to "TSQL" or "PLSQL".
Note: Fortify 360 v2.5 updated the PL/SQL parser to improve translation of PL/SQL source code. However, the existence of two different parsers can make merging results from pre-v2.5 and post-v2.5 difficult.
To revert to the older version of the PL/SQL parser, add the following property to the fortify-sca.properties file:
com.fortify.sca.UseOldPlsql=true
Configuring ASP/VBScript Virtual Roots
SCA allows you to handle ASP virtual roots. For web servers that use virtual directories as aliases that map to physical directories, SCA allows you to use aliases.
For instance, you may have virtual directories named Include and Library which refer to the physical directories C:\WebServer\CustomerOne\inc and C:\WebServer\CustomerTwo\Stuff, respectively.
As an example, the ASP/VBScript code for an application using virtual includes looks as follows:
<!--#include virtual="Include/Task1/foo.inc"-->
The above ASP code refers to the actual directory, as follows:
C:\Webserver\CustomerOne\inc\Task1\foo.inc
The real directory replaces the virtual directory name Include in that instance.
Accommodating Virtual Roots
In order to indicate to SCA what each virtual directory is an alias for, you must set a property of the form com.fortify.sca.ASPVirtualRoots.name_of_virtual_directory as part of your command line invocation of SCA in the following manner:
sourceanalyzer -Dcom.fortify.sca.ASPVirtualRoots.name_of_virtual_directory=<full path to corresponding physical directory>
Note: On Windows, if the physical path has spaces in it, you must include the property setting in double quotes:
sourceanalyzer "-Dcom.fortify.sca.ASPVirtualRoots.name_of_virtual_directory=<full path to corresponding *physical* directory>"
To expand upon the example in the previous section, the property values that you must pass along should be:
-Dcom.fortify.sca.ASPVirtualRoots.Include="C:\WebServer\CustomerOne\inc"
-Dcom.fortify.sca.ASPVirtualRoots.Library="C:\WebServer\CustomerTwo\Stuff"
Doing so causes the mapping of Include to its directory and Library to its directory.
When SCA encounters the include directive:
<!-- #include virtual="Include/Task1/foo.inc" -->
SCA will first check to see if your project contains a physical directory named Include. If there is no such physical directory, SCA looks through its own run-time properties and sees that:
-Dcom.fortify.sca.ASPVirtualRoots.Include="C:\WebServer\CustomerOne\inc"
This tells SCA that the virtual directory Include is actually the directory:
C:\WebServer\CustomerOne\inc
This will cause SCA to look for the file:
C:\WebServer\CustomerOne\inc\Task1\foo.inc
Alternately, if you choose to set this property in the fortify-sca.properties file, which is located in <sca_install_dir>\Core\config, you must escape the \ character, as well as any spaces that appear in the path of the physical directory:
com.fortify.sca.ASPVirtualRoots.Library=c:\\WebServer\\CustomerTwo\\Stuff
com.fortify.sca.ASPVirtualRoots.Include=c:\\WebServer\\CustomerOne\\inc
Note: The previous version of the ASPVirtualRoots property is still valid, which you may use on the SCA command line as follows:
-Dcom.fortify.sca.ASPVirtualRoots=C:\WebServer\CustomerTwo\Stuff;C:\WebServer\CustomerOne\inc
This prompts SCA to search through the listed directories in the order specified when it is resolving a virtual include directive.
Example: Using Virtual Roots
You have a file as follows:
C:\files\foo\bar.asp
You can specify this file by using the following include:
<!-- #include virtual="/foo/bar.asp" -->
Then you should set the virtual root as:
-Dcom.fortify.sca.ASPVirtualRoots=C:\files\foo
This will strip the /foo from the front of the virtual root. If you do not specify foo in the ASPVirtualRoots property, SCA will look in C:\files\bar.asp, and will fail.
The sequence for specifying virtual roots is as follows:
1. Remove the first part of the path in the source.
2. Replace the first part of the path with the virtual root as specified on the command line.
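The following POSIX shell script is an added illustration, not code from the guide or from SCA, of the lookup order described in this section: a physical directory in the project first, then the per-name ASPVirtualRoots.<name> property, then the older ordered list with the first path component stripped. It also shows the backslash and space escaping needed when the property goes into fortify-sca.properties. The project directory, root settings and file names are constructed, and Unix-style paths are used so that it runs anywhere.

```shell
#!/bin/sh
# Added illustration of the virtual-root lookup order described in the guide;
# not code from the guide or from SCA. Unix-style paths are used so the script
# runs anywhere; the guide's own examples use C:\ paths.

# Escape a physical path for fortify-sca.properties: the guide says the "\"
# character and any spaces in the path must be escaped when the property is
# set in the file instead of on the command line.
properties_value() {
  printf '%s\n' "$1" | sed 's/\\/\\\\/g; s/ /\\ /g'
}

# Resolve the path in <!-- #include virtual="..." -->.
#   $1  virtual path, e.g. Include/Task1/foo.inc
#   $2  project directory, checked first for a physical directory of that name
#   $3  per-name roots, one NAME=PATH line each (stands in for
#       -Dcom.fortify.sca.ASPVirtualRoots.NAME=PATH on the command line)
#   $4  optional older-style root list, ":"-separated (stands in for
#       -Dcom.fortify.sca.ASPVirtualRoots=dir1:dir2), searched in order
resolve_virtual_include() {
  vpath="${1#/}"               # a leading "/" is not part of the first component
  first="${vpath%%/*}"         # the virtual directory name
  rest="${vpath#"$first"}"     # the remainder, starting with "/" (or empty)

  # 1. A physical directory of that name inside the project wins.
  if [ -d "$2/$first" ]; then
    printf '%s\n' "$2/$vpath"
    return 0
  fi
  # 2. Otherwise map the name through ASPVirtualRoots.<name>.
  root=$(printf '%s\n' "$3" |
         awk -F= -v n="$first" '$1 == n { print substr($0, length(n) + 2); exit }')
  if [ -n "$root" ]; then
    printf '%s\n' "$root$rest"
    return 0
  fi
  # 3. Older list form: drop the first component and try each root in order,
  #    taking the first one under which the file actually exists.
  old_ifs=$IFS
  IFS=:
  for legacy_root in $4; do
    if [ -e "$legacy_root$rest" ]; then
      IFS=$old_ifs
      printf '%s\n' "$legacy_root$rest"
      return 0
    fi
  done
  IFS=$old_ifs
  printf 'cannot resolve virtual include "%s"\n' "$1" >&2
  return 1
}

# Constructed settings mirroring the guide's Include/Library example.
NAMED_ROOTS='Include=/srv/WebServer/CustomerOne/inc
Library=/srv/WebServer/CustomerTwo/Stuff'

# Stand-alone usage:
resolve_virtual_include 'Include/Task1/foo.inc' /no/such/project "$NAMED_ROOTS"
# -> /srv/WebServer/CustomerOne/inc/Task1/foo.inc
properties_value 'C:\WebServer\Customer One\inc'
# -> C:\\WebServer\\Customer\ One\\inc
```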
Other Language Command Line Examples
This section includes examples of translating PL/SQL, T-SQL, PHP, Classic ASP written with VBScript, JavaScript, and VBScript files.
Translating PL/SQL Example
The following example demonstrates syntax for translating two PL/SQL files:
sourceanalyzer -b MyProject x.pks y.pks
The following example demonstrates how to translate all PL/SQL files under the sources directory:
sourceanalyzer -b MyProject "sources/**/*.pks"
Translating T-SQL Example
The following example demonstrates syntax for translating two T-SQL files:
sourceanalyzer -b MyProject x.sql y.sql
The following example demonstrates how to translate all T-SQL files under the sources directory:
sourceanalyzer -b MyProject "sources\**\*.sql"
Note: This example assumes the com.fortify.sca.fileextensions.sql property in fortify-sca.properties is set to "TSQL".
Translating PHP Example
To translate a single file named MyPHP.php, enter:
sourceanalyzer -b mybuild "MyPHP.php"
To translate a file where the source or the php.ini file entry includes a relative path name (starts with ./ or ../), you will need to set the PHP source root:
sourceanalyzer -php-source-root <path> -b mybuild "MyPHP.php"
where <path> should be the absolute or relative path to the project root directory. The relative path name will expand from the PHP project root directory.
Translating Classic ASP written with VBScript Example
To translate a single file named MyASP.asp, enter:
sourceanalyzer -b mybuild "MyASP.asp"
Translating JavaScript Example
To translate all JavaScript files under the scripts directory, enter:
sourceanalyzer -b mybuild "scripts/*.js"
Translating VB Script File Example
To translate a VB file named myApp.vb, enter:
sourceanalyzer -b mybuild "myApp.vb"
Translating COBOL Code
This section provides information on supported technologies, preparing COBOL source files for translation, COBOL command line syntax, and auditing a COBOL scan.
Note: In order to use SCA to scan COBOL, you must have a specialized HP Fortify license specific for COBOL scanning capabilities. Contact HP Fortify for more information about scanning COBOL and the necessary license required.
Supported Technologies
SCA supports IBM Enterprise COBOL for IBM z/OS and is compatible with the following systems:
• CICS
• IMS
• DB/2 embedded SQL
• IBM WebSphere MQ
Preparing COBOL Source Files for Translation
SCA runs only on the supported systems listed in the HP Fortify System Requirements document, not on mainframe computers. This means that before you can scan a COBOL program, you must copy the following program components to the system running SCA:
• The COBOL source code
• All copybook files used by the COBOL source code
• All SQL INCLUDE files referenced by the COBOL source code
Preparing COBOL Source Code Files
If you are retrieving COBOL source files from a mainframe without COB or CBL file extensions (which is usually the case for COBOL file names), then you must use the following command line option:
-noextension-type COBOL <directory-file-path>
Specify the directory and folder with all COBOL files as the argument to SCA, and SCA will process all the files in that directory and folder without any need for COBOL file extensions.
Preparing COBOL Copybook Files
SCA does not identify copybooks by extension. All copybook files should therefore retain the names used in the COBOL source code COPY statements.
About COBOL Command Line Syntax
Free-format COBOL is the default translation and scanning mode for SCA. The basic syntax for translating a single free-format COBOL source code file is:
sourceanalyzer -b <build-id>
The basic syntax for scanning a translated free-format COBOL program is:
sourceanalyzer -b <build-id> -scan -f <FPR file name>
Working with Fixed-Format COBOL
SCA also supports fixed-format COBOL. When translating and scanning fixed-format COBOL, both the translation and scanning command lines must include the -fixed-format command line option. For example, the translation line syntax would look like:
sourceanalyzer -b <build-id> -fixed-format
And the scanning line syntax would look like:
sourceanalyzer -b <build-id> -scan -fixed-format -f <FPR file name>
If your COBOL code is IBM Enterprise COBOL, then it is most likely fixed format. If the COBOL translation command appears to hang indefinitely, terminate the translation by typing Ctrl-C several times, and repeat the translation command with the "-fixed-format" parameter.
Searching for COBOL Copybooks
Use the -copydirs command line option to direct SCA to search a list of paths for copybooks and SQL INCLUDE files. For example, the command line syntax would look like the following:
sourceanalyzer -b coboltest -copydirs c:\cobol\copybooks
About Auditing COBOL Scans
After using the command line to scan the application, you can upload the resulting FPR file to HP Fortify Audit Workbench or HP Fortify Software Security Center and audit the application's issues.
SCA does not currently support custom rules for COBOL applications.
Chapter 11: Troubleshooting and Support
This chapter covers the following topics:
• Using the Log File to Debug Problems
• About the Translation Failed Message
• About JSP Translation Problems
• About ASPX Translation Problems
• About C/C++ Precompiled Header Files
• About Reporting Bugs and Requesting Enhancements
Using the Log File to Debug Problems
If you encounter warnings and problems when you run SCA, re-run SCA using the -debug option. This generates a file named sca.log in the following directory:
• On Windows: C:\Documents and Settings\<username>\Local Settings\Application Data\Fortify\scax.xx\log
• On other platforms: $HOME/.fortify/scax.xx/log
where x.xx is the version of SCA you are using.
Email the sca.log file as a zip file to techsupport@fortify.com for further investigation.
About the Translation Failed Message
If your C/C++ application builds successfully but you see one or more "translation failed" messages when building with SCA, edit the <install_directory>/Core/config/fortify-sca.properties file to change the following line:
com.fortify.sca.cpfe.options= --remove_unneeded_entities --suppress_vtbl
to
com.fortify.sca.cpfe.options=-w --remove_unneeded_entities --suppress_vtbl
Re-run the build to print the errors encountered by the translator. If the output indicates an incompatibility between your compiler and the HP Fortify translator, send your output to Fortify Technical Support for further investigation.
About JSP Translation Problems
SCA uses either the built-in or your specific application server's JSP compiler to translate JSP files into Java files for analysis.
If the JSP parser encounters problems when SCA is converting JSP files to Java files for analysis, you will see a message similar to the following:
Failed to translate the following jsps into analysis model. Please see the log file for
any errors from the jsp parser and the user manual for hints on fixing those
<List of JSP file names>
This typically happens due to one or more of the following reasons:
• The web application is not laid out in a proper deployable WAR directory format
• You are missing some JAR files or classes required for the application
• Some tag libraries or their definitions (TLD) are missing from your application
To obtain more information about the problem, perform the following steps:
1. Open the SCA log file in an editor.
2. Search for the strings Jsp parser stdout: and Jsp parser stderr:.
These errors are generated by the JSP parser that was used. Resolve the errors and rerun SCA.
For more information about scanning J2EE applications, see Translating J2EE Applications on page 20.
About ASPX Translation Problems
SCA compiles ASPX files to DLLs for analysis as follows:
• If you are using .NET 2.0 or later and Visual Studio 2005, using the Microsoft aspnet_compile compiler
• If you are using .NET 1.1 and Visual Studio 2003, trying to fetch ASPX files one at a time from the web site
The compilation step can fail if:
• You have access or authentication problems with accessing the web application
• You are missing some required DLLs
In either case, you will see a message similar to the following:
Failed to translate the following aspx files into analysis model. Please see the log
file for any errors from the aspx precompiler and the user manual for hints on fixing
those.
<List of ASPX file names>
If you are using the plug-in, enable plug-in debugging and examine the plug-in log file for any errors generated by the ASPX precompiler.
If you are using the command line tool, fortify_aspnet_compiler, you should see the error messages on the console.
If you still cannot determine the cause of the problem, try to access some of the failed ASPX files from your browser and see what kind of errors display. If you see messages such as cannot locate assembly, ensure that you have the missing DLLs and rerun SCA.
If you can access the failed ASPX files from the browser, but SCA still fails to scan them, contact HP Fortify Technical Support for additional help.
For more information about scanning ASP.NET applications, see Translating ASP.NET 1.1 (Visual Studio Version 2003) Projects on page 24.
About C/C++ Precompiled Header Files
Some C/C++ compilers support a feature termed "precompiled header files," which can speed up compilation. Some compilers' implementations of this feature have subtle side effects. When the feature is enabled, the compiler may accept erroneous source code without warnings or errors. This can result in a discrepancy where SCA reports translation errors even when your compiler does not.
If you use the precompiled header feature of your compiler, make sure your source code compiles cleanly by disabling precompiled headers and doing a full build.
About Reporting Bugs and Requesting Enhancements
Feedback is critical to the success of this product. To request enhancements or patches, or to report bugs, send an email to Technical Support at:
techsupport@fortify.com
Be sure to include the following information in the email body:
• Product: SCA
• Version Number: To determine the version number, run the following:
sourceanalyzer -version
• Platform: (such as PC)
• OS: (such as Windows 2000)
When requesting enhancements, include a description of the feature enhancement.
When reporting bugs, provide enough details for the issue to be duplicated. The more descriptive you are, the faster we can analyze and fix the issue. Also include the log files, or the relevant portions of them, from when the issue occurred.
Appendix A: Command Line Interface
This appendix covers the command line options:
• Output Options
• Analysis Options
• Python Option
• ColdFusion Options
• Java/J2EE Options
• .NET Options
• Build Integration Options
• Runtime Options
• Other Options
Output Options
The following table describes the output options.
Table 5: Output Options
-append
    Appends results to the file specified with -f. If this option is not specified, SCA adds the new findings to the FPR file, and labels the older results as previous findings. To use this option, the output file format must be .fpr or .fvdl. For information on the -format output option, see the description in this table.
    Note: When -append is passed to SCA and the output file specified with the -f option contains the results of an earlier scan, the resulting FPR contains the issues from the earlier scan as well as issues from the current scan. The build information and program data (lists of sources and sinks) sections are also merged.
    The engine data section, which includes rulepack information, command line options, system properties, warnings and errors, and other information about the execution of sourceanalyzer (as opposed to information about the program being analyzed), is not merged, in part because there is no way to meaningfully merge this data from multiple scans. Because engine data is not merged with -append, HP Fortify does not certify results generated with -append.
    In general, -append should only be used when it is not possible to analyze an entire application at once.
-build-label <label>
    The label of the project being scanned. The label is not used by SCA but is included in the analysis results.
-build-project <project>
    The name of the project being scanned. The name is not used by SCA but is included in the analysis results.
-build-version <version>
    The version of the project being scanned. The version is not used by SCA but is included in the analysis results.
-f <file>
    The file to which results are written. If you do not specify an output file, the output is written to the terminal.
-format <format>
    Controls the output format. Valid options are fpr, fvdl, text, and auto. The default is auto, which selects the output format based on the file extension.
    Note: If you are using result certification, you must specify the fpr format. See the Audit Workbench User's Guide for information on result certification.
Analysis Options
The following table describes the analysis options.
Table 6: Analysis Options
-disable-default-ruletype <type>
    Disables all rules of the specified type in the default Rulepacks. Can be used multiple times to specify multiple rule types.
    The value of type is the XML tag minus the suffix "Rule." For example, use DataflowSource for DataflowSourceRule elements. You can also specify specific sections of characterization rules, such as Characterization:Controlflow, Characterization:Issue, and Characterization:Generic.
    Type is case-insensitive.
-encoding
    Specifies the encoding. SCA allows scanning a project that contains differently encoded source files. To work with a multi-encoded project, you must specify the -encoding option at the translation step, when SCA first reads the source code file. This encoding is remembered in the build session, and is propagated into the FVDL file.
-filter <file_name>
    Specifies a results filter file.
-findbugs
    Enables FindBugs analysis for Java code. The Java class directories must have been specified with the -java-build-dir option, described in "Java/J2EE Options" on page 51.
-no-default-issue-rules
    Disables rules in default Rulepacks that lead directly to issues. Still loads rules that characterize the behavior of functions.
    Note: This is equivalent to disabling the following rule types: DataflowSink, Semantic, Controlflow, Structural, Configuration, Content, Statistical, Internal, and Characterization:Issue.
-no-default-rules
    Specifies not to load rules from the default Rulepacks. SCA processes the Rulepacks for description elements and language libraries, but no rules are processed.
-no-default-source-rules
    Disables source rules in the default Rulepacks.
    Note: Characterization source rules are not disabled.
-no-default-sink-rules
    Disables sink rules in the default Rulepacks.
    Note: Characterization sink rules are not disabled.
-disable-source-rendering
    Source files are not included in the FPR file.
-quick
    Scans the project in Quick Scan Mode, using the fortify-sca-quickscan.properties file. By default, this scan searches for high-confidence, high-severity issues. For more information about Quick Scan Mode, see the Audit Workbench User's Guide.
-rules [<file>|<directory>]
    Specifies a custom Rulepack or directory. Can be used multiple times to specify multiple Rulepack files. If you specify a directory, all of the files in the directory with the .bin and .xml extensions are included.
-scan
    Causes SCA to perform analysis for the specified build ID.
Python Option
The following table describes the Python option.
Table 7: Python Options
-python-path <path name>
    Specifies the path for additional import directories. SCA does not respect the PYTHONPATH environment variable that the Python runtime system uses to find imported files. Use the -python-path argument to specify additional import directories.
ColdFusion Options
The following table describes the ColdFusion options.
Table 8: ColdFusion Options
-source-base-dir
    The web application's root directory.
-source-archive
    The application's source archive repository. You must include the -scan and -f options to use this option.
Java/J2EE Options
The following table describes the Java/J2EE options.
Table 9: Java/J2EE Options
-appserver
    Specifies the application server for processing JSP files: weblogic or websphere.
-appserver-home
    Specifies the application server's home.
    For Weblogic, this is the path to the directory containing the server/lib directory.
    For WebSphere, this is the path to the directory containing the JspBatchCompiler script.
-appserver-version
    Specifies the version of the application server.
    For Weblogic, valid values are 7, 8, 9, and 10.
    For WebSphere, the valid value is 6.
-cp <classpath>, -classpath <classpath>
    Specifies the classpath to use for analyzing Java source code. The format is the same as javac: a colon- or semicolon-separated list of paths. You can use SCA file specifiers.
    Note: If you do not specify the classpath with this option, the CLASSPATH environment variable is used.
-extdirs <dirs>
    Similar to the javac extdirs option, accepts a colon- or semicolon-separated list of directories. Any jar files found in these directories are included implicitly on the classpath.
-java-build-dir
    Specifies one or more directories to which Java sources have been compiled. Must be specified for FindBugs results, as described in "Analysis Options" on page 49.
-source <version>
    Indicates which version of the JDK the Java code is written for. Valid values for version are 1.3, 1.4, 1.5, 1.6 and 1.7. The default is 1.4.
-sourcepath
    Specifies the location of source files which will not be included in the scan but will be used for name resolution. The sourcepath is like classpath, except it uses source files rather than class files for resolution.
.NET Options
The following table describes the .NET options.
Table 10: .NET Options
-libdirs <dirs>
    Accepts a colon- or semicolon-separated list of directories where system DLLs are located.
-dotnet-sources <directory name>
    Specifies where to look for source files for additional information. This option is automatically passed from the SCA plug-ins and Audit Workbench, but when you are running SCA manually, you must provide it yourself.
    This option causes SCA to attempt to find any .NET classes, enums, or interfaces that are not explicitly declared in the compiled project.
-vsversion <version>
    Specifies the Visual Studio version. Valid values for version are 7.1 for Visual Studio Version 2003, 8.0 for Visual Studio Version 2005, 9.0 for Visual Studio 2008, 10.0 for Visual Studio 2010 and 11.0 for Visual Studio 2012. The default value is 7.1.
Build Integration Options
The following table describes the build integration options.
Table 11: Build Integration Options
-b <build_id>
    Specifies the build ID. The build ID is used to track which files are compiled and combined to be part of a build and later to scan those files.
-bin <binary>
    Used with -scan to specify a subset of source files to scan. Only the source files that were linked in the named binary at build time are included in the scan. Can be used multiple times to specify the inclusion of multiple binaries in the scan.
-exclude <file_pattern>
    Removes files from the list of files to translate.
    For example: sourceanalyzer -cp "**/*.jar" "**/*" -exclude "**/Test.java"
    Note: The -exclude option works when input files are specified on the command line; it does not work with compiler integration.
-nc
    When specified before a compiler command line, SCA processes the source file but does not run the compiler.
Directives
The following directives can be used to list information about translation steps that have been taken. Only one directive can be used at a time, and a directive cannot be used in conjunction with normal translation or analysis steps.
Table 12: Directives
-clean
    Deletes all SCA intermediate files and build records. When a build ID is also specified, only files and build records relating to that build ID are deleted.
-show-binaries
    Displays all objects that were created but not used in the production of any other binaries. If fully integrated into the build, it lists all of the binaries produced.
-show-build-ids
    Displays a list of all known build IDs.
    Note: This option may erase build IDs generated by previous versions of SCA.
-show-build-tree
    Displays all files used to create a binary and all files used to create those files in a tree layout. If the -bin binary option is not present, the tree is displayed for each binary.
    Note: This option can generate an extensive amount of information.
-show-files
    Lists the files in the specified build ID. When the -bin option is present, displays only the source files that went into the binary.
-show-build-warnings
    Use with -b <build_id> to show all errors and warnings from the translation phase on the console.
    Note: These errors and warnings display in the results certification panel of Audit Workbench.
-show-loc
    Displays the number of lines in the code being translated.
Runtime Options
The following table describes the runtime options.
Table 13: Runtime Options
-logfile <file_name>
    Specifies the log file that is produced by SCA.
-quiet
    Disables the command line progress bar.
-verbose
    Sends verbose status messages to the console.
-Xmx <size>
    Specifies the maximum amount of memory used by SCA. By default, it uses up to 600 MB of memory (-Xmx600M), which can be insufficient for large code bases. When specifying this option, ensure that you do not allocate more memory than is physically available, because this degrades performance. As a guideline, assuming no other memory-intensive processes are running, do not allocate more than 2/3 of the available memory.
Other Options
The following table describes other options.
Table 14: Other Options
@<filename>
    Reads command line options from the specified file.
-encoding <encoding_name>
    Specifies the source file encoding type. This option is the same as the javac encoding option.
-h, -?, -help
    Prints this summary of command line options.
-version
    Displays the version number.
-debug
    Enables debug mode, which is useful during troubleshooting.
-build-migration-map <old_fpr_file>
    Runs the Instance ID mapper at the end of a scan.
Specifying Files
File specifiers are expressions that allow you to easily pass a long list of files to SCA using wildcard characters. SCA recognizes two types of wildcard characters: '*' matches part of a file name, and '**' recursively matches directories. You can specify one or more files, one or more file specifiers, or a combination of files and file specifiers.
<files> | <file specifiers>
File specifiers can take the following forms:
Table 15: File Specifiers
<dirname>
    All files found under the named directory or any subdirectories
<dirname>/**/Example.java
    Any file named Example.java found under the named directory or any subdirectories
<dirname>/*.java
    Any file with the extension .java found in the named directory
<dirname>/**/*.java
    Any file with the extension .java found under the named directory or any subdirectories
<dirname>/**/*
    All files found under the named directory or any subdirectories (same as dirname)
Note: Windows and many Unix shells automatically try to expand arguments containing the '*' character, so file-specifier expressions should be quoted. Also, on Windows, the backslash character (\) may be used as the directory separator instead of the forward slash (/).
File specifiers do not apply to C or C++ languages.
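As an added example that is not part of the HP Fortify guide, the following Python code models the two wildcards of Table 15 (including the Windows backslash separator) together with the -exclude pattern shown under Build Integration Options. It matches against a constructed list of path strings rather than the file system, which is an assumption about how SCA itself expands specifiers.

```python
import re

# Constructed sample project tree (relative paths, as a scan would see them).
SAMPLE_TREE = [
    "src/main/java/com/example/Example.java",
    "src/main/java/com/example/Util.java",
    "src/test/java/com/example/Test.java",
    "src/Example.java",
    "src/README.txt",
    "lib/j2ee.jar",
    "lib/ext/log.jar",
    "web/WEB-INF/web.xml",
]


def specifier_to_regex(spec: str):
    """Translate one SCA-style file specifier into an anchored regex.

    '*'  matches within a single path segment (never crosses '/').
    '**' matches zero or more whole directory segments.
    A specifier without wildcards names a file, or a directory and
    everything beneath it (the <dirname> form of Table 15).
    Backslashes are accepted as separators and normalised to '/'.
    """
    spec = spec.replace("\\", "/").rstrip("/")
    if "*" not in spec:
        return re.compile(re.escape(spec) + r"(?:/.*)?")
    parts = spec.split("/")
    pieces = []
    for i, part in enumerate(parts):
        last = i == len(parts) - 1
        if part == "**":
            # any number of directories; if '**' ends the specifier, also a file name
            pieces.append(r"(?:[^/]+/)*" + (r"[^/]+" if last else ""))
        else:
            seg = "".join(r"[^/]*" if ch == "*" else re.escape(ch) for ch in part)
            pieces.append(seg + ("" if last else "/"))
    return re.compile("".join(pieces))


def select_files(paths, specifiers, excludes=()):
    """Return the sorted subset of `paths` selected by `specifiers`
    minus anything matched by an -exclude pattern in `excludes`."""
    include = [specifier_to_regex(s) for s in specifiers]
    exclude = [specifier_to_regex(s) for s in excludes]
    chosen = []
    for path in paths:
        norm = path.replace("\\", "/")
        if any(r.fullmatch(norm) for r in include) and not any(
            r.fullmatch(norm) for r in exclude
        ):
            chosen.append(norm)
    return sorted(chosen)


if __name__ == "__main__":
    # The -exclude example from Table 11: everything except the test class.
    for f in select_files(SAMPLE_TREE, ["**/*"], excludes=["**/Test.java"]):
        print(f)
```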
Appendix B: Parallel Analysis Mode
This appendix covers the following topics:
• About Parallel Analysis Mode
• Hardware Requirements
• Configuring Parallel Analysis Mode
• Running in Parallel Analysis Mode
About Parallel Analysis Mode
Parallel processing allows you to reduce scan times by harnessing the multiple cores, memory, and processing power in your machine. Depending on the nature of your project and your hardware, parallel processing can reduce scan time as much as 90 percent.
While parallel processing can be enabled for all scans, scans that complete in less than 2 hours may not warrant the higher processing power requirements. For this reason, parallel processing is not the default mode of operation. You must enable parallel processing on your system and initiate it on the command line.
Hardware Requirements
Please refer to the HP Fortify Software Security Center System Requirements document for the latest hardware and software requirements for running SCA in parallel.
Configuring Parallel Analysis Mode
After installing SCA and completing the post-installation steps, you will need to add a couple of properties to your SCA configuration file to enable parallel processing.
Add the following properties to your fortify-sca.properties file, located in the <SCA_Installation_Directory>\core\config directory.
Table 16: Parallel Analysis Mode Properties
com.fortify.sca.RmiWorkerMaxHeap (default: heap size of master JVM)
    Sets the heap size for the workers.
    The amount of memory required varies from project to project, but you don't have to allocate as much memory for the workers as you do for the master JVM.
    You may need to experiment with this property if you experience low memory warnings, crashes, or don't achieve a significant speed increase.
    The RmiWorkerMaxHeap property accepts values in kilobytes (K), megabytes (M), or gigabytes (G). For example, to set the property to 500 kilobytes:
    -Dcom.fortify.sca.RmiWorkerMaxHeap=500K
com.fortify.sca.ThreadCount (default: if unchanged, SCA will use all available threads)
    You will only need to add this parameter if you need to lower the number of threads used because of a resource constraint. If you experience slow-downs or problems with your scan, reducing the number of threads used may solve the problem.
Running in Parallel Analysis Mode
To run sourceanalyzer in parallel analysis mode, add the following parameter to your command string:
-j <# worker processes>
The ideal number of worker processes is n-2, where n represents the number of processors in your machine. For example, if your machine has 8 processors, the ideal number of worker processes would be 6. There is a single master process that coordinates tasks and the distribution of data to the data workers.
Each Java process uses the same amount of memory (unless you overrode it using the com.fortify.sca.RmiWorkerMaxHeapMB in the fortify-sca.properties file). You may need to balance the -Xmx and -j options to ensure you don't allocate more memory than is physically available.
To figure out the maximum number of workers for your installation:
    Total Physical Memory
    --------------------------------------------------------
    Physical Memory Per Java Process x Number of processes
Example of translating a single file named MyServlet.java:
sourceanalyzer -b MyServlet -cp lib/j2ee.jar MyServlet.java -j 6
The minimum value for -j is 2, but 3 or higher is recommended. A value of 3 is usually faster than when not running in parallel, but 4 or more should provide you with the best overall speed increases.
Appendix C: Using the sourceanalyzer Ant Task
This appendix covers the following topics:
• Using the Ant Sourceanalyzer Task
• Ant properties
• Sourceanalyzer Task Options
About the sourceanalyzer Ant Task
The sourceanalyzer Ant task provides a convenient way to integrate SCA into your Ant build. As discussed in Translating Java Code, translation of Java source files that are part of an Ant build is most easily accomplished using the SCA Compiler Adapter, which automatically captures input to javac task invocations. The sourceanalyzer task provides a convenient and flexible way to accomplish other translation tasks and to run analysis.
This section describes how to use the sourceanalyzer Ant task and provides an example of a sample build file with a self-contained analysis target.
Using the Ant Sourceanalyzer Task
As with the SCA Compiler Adapter, using the sourceanalyzer task requires sourceanalyzer.jar to be on Ant's classpath, and the sourceanalyzer executable to be on the PATH.
The first step to using the sourceanalyzer task is to include a typedef in the build.xml file as follows:
<typedef name="sourceanalyzer" classname="com.fortify.dev.ant.SourceanalyzerTask"/>
Note: Only Ant 1.6 and higher supports a top-level typedef of the sourceanalyzer task. For Ant 1.5 and lower, include the typedef in the target where the sourceanalyzer task is used.
Once this typedef is included, targets can be defined that invoke the sourceanalyzer task to perform translation and analysis operations exactly as if running sourceanalyzer from the command line. The sourceanalyzer task syntax is similar to that of the command line interface, but Ant fileset and path primitives can be leveraged.
The following is an example of a snippet from an Ant build.xml file which provides a target users can call to generate SCA results for the project. This snippet assumes that the targets clean and compile and the path jsp.classpath are defined elsewhere in the file. It also uses verbose and log to create a separate SCA log file for the build.
<available classname="com.fortify.dev.ant.SourceanalyzerTask"
           property="fortify.present"/>
<property name="sourceanalyzer.buildid" value="mybuild"/>
<!-- For debugging in a separate HP Fortify SCA log file -->
<property name="fortify.debug" value="false" />
<property name="fortify.verbose" value="false" />
<mkdir dir="${code.build}/log" />
<mkdir dir="${code.build}/audit" />
<tstamp/>
<!-- suppress the line-count prompt so the build does not block -->
<property name="com.fortify.sca.PPSSilent" value="true" />
<target name="fortify" if="fortify.present">
  <typedef name="sourceanalyzer"
           classname="com.fortify.dev.ant.SourceanalyzerTask"/>
  <!-- call clean to ensure that all source files are recompiled -->
  <antcall target="clean"/>
  <!-- call the compile target using the SCA Compiler Adapter to -->
  <!-- translate all source files -->
  <antcall target="compile">
    <!-- Log SCA in separate file -->
    <param name="com.fortify.sca.Debug" value="${fortify.debug}" />
    <param name="com.fortify.sca.Verbose" value="${fortify.verbose}" />
    <param name="com.fortify.sca.LogFile"
           value="${code.build}/log/${sourceanalyzer.buildid}-${DSTAMP}${TSTAMP}.log" />
    <param name="build.compiler"
           value="com.fortify.dev.ant.SCACompiler" />
  </antcall>
  <!-- capture all configuration files in WEB-INF directory -->
  <echo>sourceanalyzer ${web-inf}</echo>
  <sourceanalyzer buildid="${sourceanalyzer.buildid}">
    <fileset dir="${web-inf}">
      <include name="**/*.properties"/>
      <include name="**/*.xml"/>
    </fileset>
  </sourceanalyzer>
  <!-- translate all jsp files -->
  <echo>sourceanalyzer ${basedir} jsp</echo>
  <sourceanalyzer buildid="${sourceanalyzer.buildid}">
    <fileset dir="${basedir}">
      <include name="**/*.jsp"/>
    </fileset>
    <classpath refid="jsp.classpath"/>
  </sourceanalyzer>
  <!-- run analysis -->
  <echo>sourceanalyzer scan</echo>
  <sourceanalyzer buildid="${sourceanalyzer.buildid}"
                  scan="true"
                  resultsfile="issues.fpr"
                  />
</target>
Ant properties
Any Ant property that begins with com.fortify is relayed to the sourceanalyzer task via -D. For example, setting the com.fortify.sca.ProjectRoot property results in -Dcom.fortify.sca.ProjectRoot=<value> being passed to the sourceanalyzer task. This is also used for the SCA Compiler adapter. These properties can be set either in the build file, using the <property> task for example, or on the Ant command line using the -D<property>=<value> syntax.
When using the SCA Compiler adapter via the build.compiler setting, the sourceanalyzer.build Ant property is equivalent to the buildID attribute of the sourceanalyzer task, and sourceanalyzer.maxHeap is equivalent to maxHeap. You can use either the command line or your build script to set these properties.
Sourceanalyzer Task Options
The following table contains the command line options for the sourceanalyzer task. Path values use colon (:) or semi-colon (;) delimited lists of file names.
Table 17: Sourceanalyzer Task Command Line Options
Attribute (Command Line Option)
    Description
append (-append)
    Appends results to the file specified with the -f option. If this option is not specified, SCA overwrites the file.
    Note: To use this option, the output file format must be .fpr or .fvdl. For information on the -format output option, see the description in this table.
appserver (-appserver <appserver>)
    Specifies the application server. Valid options are weblogic or websphere.
appserverHome (-appserver-home <directory>)
    Specifies the application server's home directory.
    For Weblogic, this is the path to the directory containing the server/lib directory.
    For WebSphere, this is the path to the directory containing the bin/JspBatchCompiler script.
appserverVersion (-appserver-version <version_number>)
    Specifies the version of the application server.
    For Weblogic: versions 7, 8, 9, and 10
    For WebSphere: version 6
bootclasspath (-bootclasspath <classpath>)
    Specifies the JDK boot classpath.
buildID (-b <build_ID>)
    Specifies the build ID. The build ID is used to track which files are compiled and linked as part of a build and later to scan those files.
buildLabel (-build-label <build_label>)
    Specifies the label of the project being scanned. The label is not used by SCA but is included in the analysis results.
buildProject (-build-project <project_name>)
    Specifies the name of the project being scanned. The name is not used by SCA but is included in the analysis results.
buildVersion (-build-version <version>)
    The version of the project being scanned. The version is not used by SCA but is included in the analysis results.
classpath (-cp <classpath>)
    Specifies the classpath to be used for Java source code. The format is the same as javac (colon- or semicolon-separated list of paths).
clean (-clean)
    This option resets the build ID. The default value is false.
debug (-debug)
    This option enables the debug mode, which is useful during troubleshooting.
disableAnalyzers (-disable-analyzer <list_of_analyzers>)
    This option takes a colon-delimited list of analyzers so that you can disable multiple analyzers at once if necessary.
enableAnalyzers (-enable-analyzer <list_of_analyzers>)
    This option takes a colon-delimited list of analyzers so that you can enable multiple analyzers at once if necessary.
encoding (-encoding <encoding_type>)
    Specifies the source file encoding type. This option is the same as the javac encoding option.
extdirs (-extdirs <list_of_dirs>)
    Similar to the javac extdirs option, accepts a colon- or semicolon-separated list of directories. Any jar files found in these directories are included implicitly on the classpath.
filter (-filter <file_name>)
    Specifies the filter file.
findbugs (-findbugs)
    Setting this to true enables FindBugs analysis. The default value is false.
format (-format <format_type>)
    Controls the output format. Valid options are fpr, fvdl, text, and auto. The default is auto, which selects the output format based on the file extension.
    Note: If you are using results certification, you must specify the fpr format. See the Audit Workbench User's Guide for information on results certification.
javaBuildDir (-java-build-dir <directory>)
    Specifies one or more directories to which Java sources have been compiled. Must be specified for the findbugs option, as described above.
jdk (-source <value>)
    Indicates which version of the JDK the Java code is written for. Valid values for this option are 1.3, 1.4, 1.5, 1.6 and 1.7. The default is 1.4.
    Note: The source and jdk options are the same. If both options are specified, the option that is specified last will take precedence.
jdkBootclasspath (-jdk-bootclasspath <classpath>)
    Specifies the JDK boot classpath.
logfile (-logfile <file_name>)
    Specifies the log file that is produced by SCA.
maxHeap (-Xmx <size>)
    Specifies the maximum amount of memory used by SCA. By default, it uses up to 600 MB of memory (600M), which can be insufficient for large code bases.
    When specifying this option, ensure that you do not allocate more memory than is physically available, because this will degrade performance. As a guideline, assuming no other memory-intensive processes are running, do not allocate more than 2/3 of the available memory.
noDefaultRules (-no-default-rules)
    Setting this option specifies that SCA should not apply default rules when scanning.
quick (-quick-scan)
    Launches an SCA quick scan instead of a regular scan. Set the value to true to launch a quick scan.
resultsfile (-f <absolute_path_file_name>)
    The file to which the results are written.
rules (-rules <delimited_rules_list>)
    The rules option takes a list of rules files, delimited by the path separator. This is a semi-colon (;) on Windows, and a colon (:) on other platforms. For each element in this list, SCA is passed the -rules <file> command.
scan (-scan)
    Setting this option determines whether SCA should perform analysis on the provided build ID. The default value is false.
source (-source <value>)
    Indicates which version of the JDK the Java code is written for. Valid values for this option are 1.3, 1.4, 1.5, and 1.6. The default is 1.4.
    Note: The source and jdk options are the same. If both options are specified, the option that is specified last will take precedence.
sourcepath (-sourcepath <directory>)
    Specifies the location of source files which will not be included in the scan but will be used for resolution.
verbose (-verbose)
    Setting this option sends verbose status messages to the console.
The bootclasspath, classpath, extdirs, and sourcepath options may also be specified as nested elements, as with the Ant javac task. Source files can be specified via nested <fileset> elements.
The following table includes the sourceanalyzer nested elements.
Table 18: Sourceanalyzer Task Nested Elements
fileset (Ant type: Fileset)
    Specifies the files to pass to SCA.
classpath (Ant type: Path)
    Specifies the classpath to be used for Java source code.
bootclasspath (Ant type: Path)
    Specifies the JDK boot classpath.
extdirs (Ant type: Path)
    Similar to the javac extdirs option. Any jar files found in these directories are included implicitly on the classpath.
sourcepath (Ant type: Path)
    Specifies the location of source files which will not be included in the scan but will be used for resolution.
Appendix D: Advanced Options
This chapter describes the following advanced options:
• About Filter Files
• Using Properties to Control Runtime Options
About Filter Files
You can create a text file for filtering out particular vulnerability instances, rules, and vulnerability categories when you run the sourceanalyzer command. The file is specified by the -filter analysis option.
Note: HP Fortify Software recommends that you only use this feature if you are an advanced user, and that you do not use this feature during standard audits, because auditors should be able to see and evaluate all issues found by SCA.
A filter file is a flat text file that can be created with any text editor. The file functions as a blacklist, such that only the filter items you do not want are specified, one per line. The following filter types can be entered on a line:
• Category
• Instance ID
• Rule ID
The filters are applied at different times in the analysis process, according to the type of filter. Category and rule ID filters are applied during the initialization phase before any scans have taken place, whereas an instance ID filter is applied after the analysis phase.
Filter File Creation Example
As an example, the following output resulted from a scan of EightBall.java, located in the /Samples/basic/eightball directory in your HP Fortify installation directory.
The following commands are executed to produce the analysis results:
>sourceanalyzer -b eightball Eightball.java
>sourceanalyzer -b eightball -scan
The following result set displays, showing six detected issues.
[F7A138CDE5235351F6A4405BA4AD7C53 : low : Unchecked Return Value : semantic ]
    EightBall.java(12) : Reader.read()
[EFE997D3683DC384056FA40F6C7BD0E8 : medium : Path Manipulation : dataflow ]
    EightBall.java(12) :
    ->new FileReader(0)
        EightBall.java(6) : <=> (filename)
        EightBall.java(4) :
    ->EightBall.main(0)
[60AC727CCEEDE041DE984E7CE6836177 : medium : Unreleased Resource : Streams : controlflow ]
    EightBall.java(12) : start -> loaded : new FileReader(...)
    EightBall.java(12) : loaded -> loaded : <inline expression> refers to an allocated resource
    EightBall.java(12) : java.io.IOException thrown
    EightBall.java(12) : loaded -> loaded : throw
    EightBall.java(12) : loaded -> loaded : <inline expression> no longer refers to an allocated resource
    EightBall.java(12) : loaded -> end_of_scope : end scope : Resource leaked : java.io.IOException thrown
    EightBall.java(12) : start -> loaded : new FileReader(...)
    EightBall.java(12) : loaded -> loaded : <inline expression> refers to an allocated resource
    EightBall.java(14) : loaded -> loaded : <inline expression> no longer refers to an allocated resource
    EightBall.java(14) : loaded -> end_of_scope : end scope : Resource leaked
[BB9F74FFA0FF75C9921D0093A0665BEB : low : J2EE Bad Practices : Leftover Debug Code : structural ]
    EightBall.java(4)
[FF0D787110C7AD2F3ACFA5BEB6E951C3 : low : Poor Logging Practice : Use of a System Output Stream : structural ]
    EightBall.java(10)
[FF0D787110C7AD2F3ACFA5BEB6E951C4 : low : Poor Logging Practice : Use of a System Output Stream : structural ]
    EightBall.java(13)
The sample filter file, test_filter.txt, does the following:
• Removes all results related to the Poor Logging Practice category
• Removes the Unreleased Resource based on its instance ID
• Removes any dataflow issues that were generated from a specific rule ID
The test_filter.txt file used in this example contains the following text:
#This is a category that will be filtered from scan output
Poor Logging Practice
#This is an instance ID of a specific issue to be filtered from scan
#output
60AC727CCEEDE041DE984E7CE6836177
#This is a specific Rule ID that leads to the reporting of a specific
#issue in the scan output: in this case the data flow sink for a Path
#Manipulation issue.
823FE039-A7FE-4AAD-B976-9EC53FFE4A59
You can create a file to test the filtered output by copying the above text into a file.
The following command is executed using the -filter option to specify test_filter.txt:
[C:\Program Files\Fortify Software\HP Fortify vX.XX\Fortify SCA X.XX\Samples\basic\eightball]>sourceanalyzer -b eightball -scan -filter test_filter.txt
The following result set displays:
[F7A138CDE5235351F6A4405BA4AD7C53 : low : Unchecked Return Value : semantic]
    EightBall.java(12) : Reader.read()
[BB9F74FFA0FF75C9921D0093A0665BEB : low : J2EE Bad Practices : Leftover Debug Code : structural]
    EightBall.java(4)
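As an added example that is not from the guide, the following Python code reads the test_filter.txt entries and applies the category and instance-ID filters to the text-format result set shown above (the result text is constructed from that output with the traces abbreviated). Rule IDs do not appear in text output, so that filter type is only reported back, which is consistent with the guide's statement that rule-ID filters take effect at initialization rather than on finished results; the three-part header format is an assumption taken from the lines above.

```python
import re

# Constructed from the EightBall.java result set above (traces shortened).
RESULT_SET = """\
[F7A138CDE5235351F6A4405BA4AD7C53 : low : Unchecked Return Value : semantic ]
EightBall.java(12) : Reader.read()
[EFE997D3683DC384056FA40F6C7BD0E8 : medium : Path Manipulation : dataflow ]
EightBall.java(12) :
->new FileReader(0)
[60AC727CCEEDE041DE984E7CE6836177 : medium : Unreleased Resource : Streams : controlflow ]
EightBall.java(12) : start -> loaded : new FileReader(...)
[BB9F74FFA0FF75C9921D0093A0665BEB : low : J2EE Bad Practices : Leftover Debug Code : structural ]
EightBall.java(4)
[FF0D787110C7AD2F3ACFA5BEB6E951C3 : low : Poor Logging Practice : Use of a System Output Stream : structural ]
EightBall.java(10)
[FF0D787110C7AD2F3ACFA5BEB6E951C4 : low : Poor Logging Practice : Use of a System Output Stream : structural ]
EightBall.java(13)
"""

# The test_filter.txt from the guide, one filter item per non-comment line.
FILTER_FILE = """\
#This is a category that will be filtered from scan output
Poor Logging Practice
#This is an instance ID of a specific issue to be filtered from scan
#output
60AC727CCEEDE041DE984E7CE6836177
#This is a specific Rule ID that leads to the reporting of a specific
#issue in the scan output
823FE039-A7FE-4AAD-B976-9EC53FFE4A59
"""

# "[<instance id> : <severity> : <category>[ : <subcategory>] : <analyzer> ]"
HEADER_RE = re.compile(r"^\[([0-9A-Fa-f]{32}) : (\w+) : (.+?) : (\w+) ?\]$")
INSTANCE_ID_RE = re.compile(r"^[0-9A-Fa-f]{32}$")
RULE_ID_RE = re.compile(r"^[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$")


def parse_filter_file(text):
    """Classify each non-comment line as instance ID, rule ID, or category."""
    categories, instance_ids, rule_ids = set(), set(), set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if INSTANCE_ID_RE.match(line):
            instance_ids.add(line.upper())
        elif RULE_ID_RE.match(line):
            rule_ids.add(line.upper())
        else:
            categories.add(line)
    return categories, instance_ids, rule_ids


def parse_result_set(text):
    """Parse text-format output into issue dicts, each with its trace lines."""
    issues = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            iid, severity, cats, analyzer = m.groups()
            parts = [p.strip() for p in cats.split(" : ")]
            issues.append({"id": iid.upper(), "severity": severity,
                           "category": parts[0],
                           "subcategory": " : ".join(parts[1:]),
                           "analyzer": analyzer, "trace": []})
        elif issues and line.strip():
            issues[-1]["trace"].append(line.strip())
    return issues


def apply_filter_file(result_text, filter_text):
    """Drop issues matched by category or instance ID.

    Rule-ID entries cannot be applied to text output (it carries no rule
    IDs), so they are returned separately for the caller to report."""
    categories, instance_ids, rule_ids = parse_filter_file(filter_text)
    kept = [i for i in parse_result_set(result_text)
            if i["id"] not in instance_ids and i["category"] not in categories]
    return kept, sorted(rule_ids)


if __name__ == "__main__":
    remaining, unapplied = apply_filter_file(RESULT_SET, FILTER_FILE)
    for issue in remaining:
        print(issue["id"], issue["severity"], issue["category"])
    print("rule-ID filters not applicable to text output:", unapplied)
```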
Using Properties to Control Runtime Options
You can edit properties to define runtime options for SCA, including analysis, output, and performance tuning options. These properties can be set in four different places:
• Global configuration file (fortify-sca.properties): used to define global settings.
• User configuration file (fortify-sca.properties on Windows or .fortify-sca.properties on non-Windows): used to define user-specified settings.
• Quick Scan configuration file (fortify-sca-quickscan.properties): used to define settings used when SCA is run in Quick Scan mode.
• Command line: you can define property settings on the command line with -D<property_name>=<property_value>
The fortify-sca.properties global settings file and the fortify-sca-quickscan.properties file are located in the <install_directory>/Core/config directory. The user-specific properties files (fortify-sca.properties on Windows installations and .fortify-sca.properties on non-Windows installations) are located in either your Windows user directory or your Unix home directory.
You can edit all properties files directly.
Specifying the Order of Properties
SCA processes properties in a specific order, using this order to override any previously set properties with the values that you specify. You should keep this processing order in mind when making changes to the properties files.
Property definitions are processed in the following order:
• Properties specified on the command line have the highest precedence and can be specified during any scan.
• Properties specified in the Quick Scan configuration file (fortify-sca-quickscan.properties) are processed second, but only when the -quick option is used to operate in Quick Scan mode. If Quick Scan is not invoked, this file is ignored.
• Properties specified in the Global configuration file (fortify-sca.properties) are processed last. You should edit this file if you want to change the property values on a more permanent basis for all scans.
SCA also relies on some properties that have internally defined default values.
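The precedence above, as an added Python example that is not part of the guide: a minimal .properties reader and a resolver that layers internal defaults, fortify-sca.properties, fortify-sca-quickscan.properties (only when -quick is on the command line) and -D definitions. The file contents and command lines are constructed; the user configuration file is left out because the guide does not place it in this order.

```python
import re

# Constructed contents of the two configuration files (Core/config).
GLOBAL_PROPERTIES = """\
# fortify-sca.properties (constructed sample)
com.fortify.sca.ThreadCount=8
com.fortify.sca.RmiWorkerMaxHeap=2G
com.fortify.sca.PPSSilent=false
com.fortify.sca.LogFile = ${com.fortify.sca.ProjectRoot}/log/sca.log
"""

QUICKSCAN_PROPERTIES = """\
# fortify-sca-quickscan.properties (constructed sample)
com.fortify.sca.ThreadCount=4
"""

# Internally defined defaults, taken from Table 19 (constructed subset).
INTERNAL_DEFAULTS = {
    "com.fortify.sca.Debug": "false",
    "com.fortify.sca.AbortedScanOverwritesOutput": "false",
}

PROPERTY_RE = re.compile(r"^([^=:\s]+)\s*[=:]?\s*(.*)$")


def parse_properties(text):
    """Minimal Java .properties reader: key=value or key:value lines,
    '#' / '!' comments, surrounding whitespace trimmed. No line continuations."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = PROPERTY_RE.match(line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def parse_command_line(argv):
    """Collect -Dname=value definitions and detect -quick on an SCA command line."""
    defines, quick = {}, False
    for tok in argv:
        if tok == "-quick":
            quick = True
        elif tok.startswith("-D") and "=" in tok:
            key, value = tok[2:].split("=", 1)
            defines[key] = value
    return defines, quick


def effective_properties(global_text, quickscan_text, argv, defaults=INTERNAL_DEFAULTS):
    """Resolve the value SCA would see for each property.

    Lowest to highest precedence: internal defaults, fortify-sca.properties,
    fortify-sca-quickscan.properties (ignored unless -quick), then -D on
    the command line. Later layers overwrite earlier ones."""
    defines, quick = parse_command_line(argv)
    effective = dict(defaults)
    effective.update(parse_properties(global_text))
    if quick:
        effective.update(parse_properties(quickscan_text))
    effective.update(defines)
    return effective


if __name__ == "__main__":
    argv = ["-b", "eightball", "-scan", "-quick",
            "-Dcom.fortify.sca.ThreadCount=2", "-Dcom.fortify.sca.PPSSilent=true"]
    for key, value in sorted(effective_properties(
            GLOBAL_PROPERTIES, QUICKSCAN_PROPERTIES, argv).items()):
        print(f"{key}={value}")
```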
Table 19: HP Fortify Properties lists properties that can be defined. The default values are listed. If you want to use Quick Scan Mode, or you want to tune your application, you can make the changes as described in Table 20: on page 69.
Table 19: HP Fortify Properties
Property Name (Default Value)
    Description
com.fortify.sca.AbortedScanOverwritesOutput (default: false)
    By default, if a scan is interrupted, the partial results are written to a different output file: <output>.partial.fpr instead of <output>.fpr. If this property is set to true, the interrupted results are written to the normal output file (<output>.fpr), which overwrites any full-scan results that may be present in that file.
com.fortify.sca.Appserver (default: none)
    Specifies the application server for processing JSP files: weblogic or websphere.
com.fortify.sca.Appserver.Home (default: none)
    Specifies the application server's home.
    For Weblogic, this is the path to the directory containing the server/lib directory.
    For WebSphere, this is the path to the directory containing the bin/JspBatchCompiler script.
com.fortify.sca.Appserver.Version (default: none)
    Specifies the version of the application server.
    For Weblogic, valid values are 7, 8, 9, and 10.
    For WebSphere, the valid value is 6.
com.fortify.sca.fileextensions.* (default: none)
    Controls how SCA handles files with given extensions. See fortify-sca.properties for examples.
com.fortify.sca.FPRDisableSrcHtml (default: none)
    If true, disables source code rendering into the FPR file.
com.fortify.sca.NoDefaultRules (default: none)
    If true, rules from the default Rulepacks are not loaded. SCA processes the Rulepacks for description elements and language libraries, but no rules are processed.
com.fortify.sca.NoDefaultIssueRules (default: none)
    If true, disables rules in default Rulepacks that lead directly to issues. Still loads rules that characterize the behavior of functions.
    Note: This is equivalent to disabling the following rule types: DataflowSink, Semantic, Controlflow, Structural, Configuration, Content, Statistical, Internal, and Characterization:Issue.
com.fortify.sca.DisableDefaultRuleTypes (default: none)
    Disables the specified type of rule in the default Rulepacks, where type is the XML tag minus the suffix "Rule." For example, use DataflowSource for DataflowSourceRule elements. You can also specify specific sections of characterization rules, such as Characterization:Controlflow, Characterization:Issue, and Characterization:Generic. Type is case-insensitive.
    Use a colon-delimited list to specify multiple types of rules.
com.fortify.sca.NoDefaultSinkRules (default: none)
    If true, disables sink rules in the default Rulepacks.
    Note: Characterization sink rules are not disabled.
com.fortify.sca.NoDefaultSourceRules (default: none)
    If true, disables source rules in the default Rulepacks.
    Note: Characterization source rules are not disabled.
com.fortify.sca.ProjectRoot (default: platform dependent)
    Directory used by SCA to store intermediate files generated during scans.
com.fortify.sca.ASPVirtualRoots.<virtual path>=<physical path> (default: false)
    If true, enables support for virtual roots. This property associates virtual path names with physical path names.
com.fortify.sca.DefaultFileTypes (default: java,jsp,sql,pks,pkh,pkb,xml,properties,config,dll,exe)
    Comma-separated list of file extensions that are picked up by default by SCA.
com.fortify.sca.compilers.* (default: none)
    Can be used to inform SCA about specially named compilers. See fortify-sca.properties for examples.
com.fortify.sca.CfmlUndefinedVariablesAreTainted (default: false)
    If true, treats undefined variables in a CFML page as tainted. Doing so serves as a hint to the dataflow analyzer to watch out for register-globals-style vulnerabilities. However, enabling this property interferes with dataflow findings in which a variable in an included page is initialized to a tainted value in an earlier-occurring included page.
com.fortify.sca.FVDLDisableProgramData (default: false)
    If true, causes the ProgramData section to be excluded from the analysis results (FVDL output).
com.fortify.sca.FVDLDisableSnippets (default: false)
    If true, code snippets are not included in the analysis results (FVDL output).
com.fortify.sca.LogFile
Appendix D: Advanced Options
67
Table 19: HP Fortify Properties (Continued)
Property Name
Default Value
Description
${com.fortify.sca.Pro
jectRoot}/log/sca.log
ThedefaultlocationfortheSCAlogfile.
com.fortify.sca.LogMaxSize
(none)
Whenthispropertyisset,itenableslogrotationfortheSCAlog.The
valueisthenumberbytesthatcanbewrittentothelogfilebeforeit
isrotated.Mustbeusedwithcom.fortify.sca.LogMaxFiles.
com.fortify.sca.LogMaxFiles
(none)
Thenumberoflogfilestoincludeinthelogfilerotationset.Whenall
filesarefilled,thefirstfileintherotationisoverwritten.Thevalue
mustbeatleast1.Mustbeusedwith
com.fortify.sca.LogMaxSize.
com.fortify.sca.Debug
false
Producesadebuglogfile.ThislogfileisforTechnicalSupport
purposes.
com.fortify.sca.PPSSilent
false
Promptstheuserwiththenumberoflinesthescanrequiresto
analyzethesourcecode.Settotruetosuppressthepromptand
automaticallydeductthelines.
Note:Ifthescanrequiresmorelinesthanareavailable,thescanfails
withanerrorindicatinghowmanyadditionallinesarerequired.
com.fortify.sca.UnicodeInputFile
(none)
Whensettotrue,thispropertyindicatesthattheinputfileisUTF‐8
basedandbeginswithabyte‐ordermark(BOM).Typically,you
shouldonlysetthispropertyifyouseealexicalerroratLine1,
Column1,indicatingthattheBOMispresent.
com.fortify.rules.SkipRulePacks
(none)
Semicolon‐delimitedlistofRulepackstoexcludefromthedefaultset.
ThispropertycontrolswhichRulepacksareusedbySCAbydefault.
AllRulepacksinstalledin<install_directory>/Core/
config/rulesareusedbydefaultunlesstheyareonthislist.
com.fortify.sca.limiters.MaxChainDepth
5
Controlsthemaximumcalldepththroughwhichthedataflow
analyzertrackstainteddata.Increasingthisvalueincreasesthe
coverageofdataflowanalysis,andresultsinlongeranalysistimes.
ThispropertycanbechangedifyouareusingQuickScanMode:see
thefollowingtableforthesuggestedvaluetouse.Note:Inthiscase,
calldepthreferstothemaximumcalldepthonadataflowpath
betweenataintsourceandsink,ratherthancalldepthfromthe
programentrypoint,suchasmain().
com.fortify.sca.limiters.MaxFieldDepth
Appendix D: Advanced Options
68
Table 19: HP Fortify Properties (Continued)
Property Name
Default Value
Description
4
Controlsthemaximumgranularityoftainttrackingthroughdata
structurememberfields.Thisvalueisthenumberofnestedfields
throughwhichtaintwillbetrackedbeforetheentirestructureis
consideredtainted.Increasingthisvalueimprovestheaccuracyof
analysisbyreducingfalsepositives,andnormallyincreasesanalysis
time.
com.fortify.sca.limiters.MaxPaths
5
Controlsthemaximumnumberofpathstoreportforasingledata
flowvulnerability.Changingthisvaluedoesnotchangetheresults
thatarefound,onlythenumberofdataflowpathsdisplayedforan
individualresult.
com.fortify.sca.limiters.MaxIndirectResolutionsForCall
128
Controlsthemaximumnumberofvirtualfunctionsthatarefollowed
atagivencallsite.
com.fortify.sca.jspparserusesclasspath
false
AllowstheusertospecifytheclasspathtotheWeblogicparser.This
isforWeblogic9and10only.
The following table describes the properties that can be used to tune default scanning performance. They have different defaults for Quick Scan mode, which can be adjusted by editing the fortify-sca-quickscan.properties file. If you want to use the recommended tuning parameters, you do not need to edit this file; however, you may find that you want to experiment with other settings to fine-tune your specific application.
Remember that properties in this file are processed only if you specify the -quick option on the command line when invoking your scan.
Table 20: Performance Tuning Properties

com.fortify.sca.FilterSet
  Values: Default value is not set. Quick Scan value: Critical Exposure.
  When set to targeted, this property runs rules only for the targeted filter set. Running only a subset of the defined rules allows the SCA scan to complete more quickly. This causes SCA to run only those rules that can cause issues identified in the named filter set, as defined by the default project template for your application. For more information about project templates, see the Audit Workbench User's Guide.

com.fortify.sca.FPRDisableSrcHtml
  Values: Default value: False. Quick Scan value: True.
  When set to true, this property prevents the generation of marked-up source files. If you plan to upload FPRs that are generated as a result of a quick scan, you must set this property to false.

com.fortify.sca.limiters.ConstraintPredicateSize
  Values: Default value: 50000. Quick Scan value: 10000.
  Skips calculations defined as very complex in the buffer analyzer to improve scanning time.

com.fortify.sca.limiters.BufferConfidenceInconclusiveOnTimeout
  Values: Default value: true. Quick Scan value: false.
  Skips calculations defined as very complex in the buffer analyzer to improve scanning time.

com.fortify.sca.limiters.MaxChainDepth
  Values: Default value: 5. Quick Scan value: 4.
  Controls the maximum call depth through which the dataflow analyzer tracks tainted data. Increasing this value increases the coverage of dataflow analysis, and results in longer analysis times.
  Note: In this case, call depth refers to the maximum call depth on a dataflow path between a taint source and sink, rather than call depth from the program entry point, such as main().

com.fortify.sca.limiters.MaxTaintDefForVar
  Values: Default value: 1000. Quick Scan value: 500.
  This property sets the complexity limit for dataflow precision backoff. Dataflow incrementally decreases precision of analysis for functions that exceed this complexity metric for a given precision level.

com.fortify.sca.limiters.MaxTaintDefForVarAbort
  Values: Default value: 4000. Quick Scan value: 1000.
  This property sets a hard limit for function complexity. If complexity of a function exceeds this limit at the lowest precision level, the analyzer will not analyze that function.

com.fortify.sca.DisableGlobals
  Values: Default value: false. Quick Scan value: false.
  This property prevents the tracking of tainted data through global variables to allow faster scanning.

com.fortify.sca.CtrlflowSkipJSPs
  Values: Default value: false. Quick Scan value: false.
  This property skips control flow analysis of JSPs in your project.

com.fortify.sca.NullPtrMaxFunctionTime
  Values: Default value: 300000. Quick Scan value: 30000.
  This property sets a time limit, in milliseconds, for Null Pointer analysis for a single function. The default is five minutes. Setting it to a shorter limit decreases overall scanning time.

com.fortify.sca.CtrlflowMaxFunctionTime
  Values: Default value: 600000. Quick Scan value: 30000.
  This property sets a time limit, in milliseconds, for control flow analysis for a single function. The default is 10 minutes.

com.fortify.sca.TrackPaths
  Values: By default, this property is not set. Quick Scan value: NoJSP.
  This property disables path tracking for control flow analysis. Path tracking provides more detailed reporting for issues, but requires more scanning time. You can disable this for JSP only by setting it to NoJSP, or for all functions by setting it to None.

com.fortify.sca.JdkVersion
  Values: Default value: 1.4
  This property specifies the JDK version.
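The two dataflow limiters that appear in both tables, MaxChainDepth (Tables 19 and 20) and MaxFieldDepth (Table 19), are easier to reason about on a concrete flow. The following Python model is an added illustration and is not SCA code: it walks a constructed interprocedural call graph from a taint source to a sink and stops at a chain depth, and it applies a field-depth cutoff to a constructed access path. The function names, the graph and the exact cutoff rules are assumptions made for this example; SCA's real analysis is far richer.

```python
"""Toy model of two SCA dataflow limiters (added example, not Fortify code).

MaxChainDepth: how many calls a tainted value may traverse between a source
and a sink before the analyzer stops following it.
MaxFieldDepth: how many nested structure fields are tracked precisely before
the whole structure at the cutoff is treated as tainted.
"""

# Constructed interprocedural taint edges: caller -> callees that receive the
# tainted value as an argument. All names are invented for the example.
CALL_EDGES = {
    "readRequest": ["handle"],          # source: returns attacker-controlled data
    "handle": ["validate", "store"],
    "validate": [],
    "store": ["buildQuery"],
    "buildQuery": ["execQuery"],
    "execQuery": ["jdbcExecute"],       # sink
}
SOURCE, SINK = "readRequest", "jdbcExecute"


def taint_paths(edges, source, sink, max_chain_depth):
    """Return every source->sink chain of at most max_chain_depth calls.

    Depth is counted along the dataflow path itself, not from main(), which
    matches the note under MaxChainDepth in the tables above.
    """
    found = []
    stack = [(source, [source])]
    while stack:
        node, path = stack.pop()
        depth = len(path) - 1               # number of calls taken so far
        if node == sink:
            found.append(path)
            continue
        if depth >= max_chain_depth:        # limiter reached: stop following taint
            continue
        for callee in edges.get(node, []):
            if callee not in path:          # ignore recursion in the toy model
                stack.append((callee, path + [callee]))
    return found


def is_reported_tainted(tainted, access, max_field_depth):
    """Decide whether `access` is tainted given that `tainted` was tainted.

    Both are access paths as lists: [root_variable, field1, field2, ...].
    Within the limit, taint is tracked per field; beyond it, the structure at
    the cutoff is tainted as a whole, so sibling fields become false positives.
    """
    limit = max_field_depth + 1             # root plus max_field_depth nested fields
    if len(tainted) <= limit:
        # precise tracking: only this path (and fields nested below it) is tainted
        return access[:len(tainted)] == tainted
    # beyond the limit: everything under the truncated prefix is tainted
    return access[:limit] == tainted[:limit]


def demo():
    """Default depth 5 finds the chain; the Quick Scan value 4 silently loses it."""
    return {
        "default": len(taint_paths(CALL_EDGES, SOURCE, SINK, 5)),
        "quick": len(taint_paths(CALL_EDGES, SOURCE, SINK, 4)),
    }


if __name__ == "__main__":
    print(demo())
    print(is_reported_tainted(["req", "a", "b", "c", "d", "e"],
                              ["req", "a", "b", "c", "d", "z"], 4))
```

The constructed chain needs exactly five calls, so the Quick Scan value of 4 produces no finding at all rather than a weaker one; that is the coverage trade-off the table describes. The field-depth function shows the opposite trade-off: once an access path is deeper than the limit, an unrelated sibling field is reported as tainted.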
Appendix E: MSBuild Integration

This appendix covers:
• Installation
• Setting Windows Environment Variables for Touchless Integration of SCA
• Adding Custom Tasks to your MSBuild Project
• Adding Custom Tasks to Your Project

About MSBuild Integration

SCA provides the ability to translate your .NET source code as part of your MSBuild build process. With SCA's MSBuild integration, you can translate files on machines where the Visual Studio IDE has not been installed.
MSBuild integration is compatible with versions 2.0, 3.5, and 4.X of the MSBuild executable, allowing for the translation of the following project/source code types:
• C/C++ Console Applications (Visual Studio 2010 and above only)
• C/C++ Libraries (Visual Studio 2010 and above only)
• Visual C# and Visual Basic Websites
• Visual C# and Visual Basic Libraries
• Visual C# and Visual Basic Web Applications
• Visual C# and Visual Basic Console Applications
This section describes how to launch an SCA analysis as part of your MSBuild project.

Installation

There are no installation steps required unless the machine you run MSBuild on does not include a copy of Microsoft Visual Studio. If your build machine doesn't include a copy of Microsoft Visual Studio, you will need to add com.fortify.sca.IldasmPath=<Path_to_ildasm.exe> to your <SCA_Installation_Directory>\core\config\fortify-sca.properties file.

Setting Windows Environment Variables for Touchless Integration of SCA

When integrating SCA into your MSBuild process, there are a number of Windows environment variables that you can set. If you don't set these variables, SCA will assume a default set of variables and use those. Once you've set the appropriate Windows environment variables, successive builds will use the same set until you make a change to the environment variables. The environment variables that can be set are listed in Table 21.
Table 21: Windows Environment Variables

FORTIFY_MSBUILD_BUILDID
  Definition: Used to set the SCA build ID.
  Default: The build ID passed on the command line.

FORTIFY_MSBUILD_DEBUG
  Definition: Used to put the logger and HP Fortify Static Code Analyzer in debug mode.
  Default: False

FORTIFY_MSBUILD_MEM
  Definition: Used to set the memory used to invoke HP Fortify Static Code Analyzer (i.e., -Xmx1200M).
  Default: 600MB

FORTIFY_MSBUILD_LOG
  Definition: Used to set the location for the log.
  Default: ${win32.LocalAppdata}/Fortify/MSBuildPlugin

FORTIFY_MSBUILD_SCALOG
  Definition: Used to set the location for the SCA log. Use an absolute path when changing.

FORTIFY_MSBUILD_LOGALL
  Definition: Use to set the plugin so that it will log every message passed to it. This will create a very large amount of information.
  Default: False

Touchless integration requires the FortifyMSBuildTouchless.dll located in the \Core\lib directory. It must be run from a Visual Studio command prompt.
The following is an example of the command used to run the build and launch an SCA analysis using the default environment variables, or those you have previously set:

sourceanalyzer -b buildid msbuild <solution_file> <msbuild_options>

Alternatively, you can call MSBuild to launch a build and SCA analysis:

Msbuild <solution_file> /logger:"C:\Program Files\Fortify Software\HP Fortify vX.XX\Core\lib\FortifyMSBuildTouchless.dll" <msbuild_options>
Adding Custom Tasks to your MSBuild Project

Rather than using the Touchless Integration method, you can add a number of custom tasks to your MSBuild project in order to invoke SCA. These tasks must be added to an MSBuild project, not a solution. A solution file is not a valid MSBuild script. Solutions are parsed by MSBuild and a corresponding project file is created.
Table 22 lists the custom tasks you can add to your MSBuild project:

Table 22: Custom Tasks

Fortify.TranslateTask
  Required parameters:
    BuildID - the build ID for the translation
    BinariesFolder - the directory where the files to be translated reside
    VSVersion - the version of the .NET dlls being used
  Optional parameters:
    References - list of dlls to be passed via the libdirs command
    JVMSettings - memory settings to pass to SCA
    LogFile - location for the SCA log file
    Debug - sets task and SCA to debug mode

Fortify.ScanTask
  Required parameters:
    BuildID - the build ID for the scan
    Output - the name of the FPR file to be generated
  Optional parameters:
    JVMSettings - memory settings to pass to SCA
    LogFile - location for the SCA log file
    Debug - sets task and SCA to debug mode

Fortify.CleanTask
  Required parameters:
    BuildID - the build ID for the scan
  Optional parameters:
    Debug - sets task and SCA to debug mode

Fortify.SSCTask
  Required parameters:
    AuthToken - should be defined, or use username and password
    Project - project name
    ProjectVersion - project version. If undefined, a ProjectID and ProjectVersionID must be defined
    FPRFile - name of the file to upload to Software Security Center
    SSCURL - the URL for the SSC
  Optional parameters:
    Debug - specifies task and SCA should be invoked with debug
    Username - necessary if AuthToken isn't defined
    Password - necessary if AuthToken isn't defined
    ProjectID - used with ProjectVersionID if Project and ProjectVersion aren't used
    ProjectVersionID - used with ProjectID if Project and ProjectVersion aren't used
    Proxy - necessary if a proxy is required

Fortify.CloudScanTask
  Required parameters:
    BuildID - the build ID for the translation
  Optional parameters:
    Debug - set this boolean to true for debug mode
    SSCUpload - set this boolean to true to upload your output to SSC.
    The following parameters are only used when SSCUpload is set to true:
      CloudURL - the Cloud URL
      SSCToken - the SSC token
      or
      Project - the project to upload to
      SSCUrl - the SSC URL
      VersionName - the version you want to upload to
    The following parameters are only used when SSCUpload is set to false:
      FPRName - the name for the FPR file
Adding Custom Tasks to Your Project

You can add any of the following tasks to your project script:
• Fortify.TranslateTask
• Fortify.ScanTask
• Fortify.CleanTask
• Fortify.SSCTask
• Fortify.CloudScanTask

Adding Fortify.TranslateTask

To add Fortify.TranslateTask to your project script:
1. Create a task to identify and locate FortifyMSBuildTasks.dll.

<UsingTask TaskName="Fortify.TranslateTask" AssemblyFile="<Install Directory>\Core\lib\FortifyMSBuildTasks.dll"/>

2. Create a new target or add the following custom target to an existing target to invoke the custom task:

<Target Name="FortifyBuild" AfterTargets="AfterBuild" Outputs="dummy.out">
  <TranslateTask BinariesFolder="$(OutDir)"
                 VSVersion="<Visual Studio Version>"
                 BuildID="TempTask"
                 JVMSettings="-Xmx1000M"
                 LogFile="trans_task.log"
                 Debug="true"/>
</Target>

The FortifyBuild target will be invoked after the AfterBuild target is run. The AfterBuild target is one of several default targets defined in the MSBuild target file. If one of the required parameters isn't defined, MSBuild will fail.
Note: If adding a new target when running MSBuild 2.0 or 3.5, you will need to remove the string AfterTargets="AfterBuild" and replace FortifyBuild with AfterBuild.
Adding Fortify.ScanTask

The following code adds Fortify.ScanTask to the MSBuild project. The new content is the second UsingTask declaration and the ScanTask element.

<UsingTask TaskName="Fortify.TranslateTask" AssemblyFile="<Install Directory>\Core\lib\FortifyMSBuildTasks.dll" />
<UsingTask TaskName="Fortify.ScanTask" AssemblyFile="<Install Directory>\Core\lib\FortifyMSBuildTasks.dll"/>
<Target Name="FortifyBuild" AfterTargets="AfterBuild" Outputs="dummy.out">
  <TranslateTask BinariesFolder="$(OutDir)"
                 VSVersion="<Visual Studio Version>"
                 BuildID="TempTask"
                 JVMSettings="-Xmx1000M"
                 LogFile="trans_task.log"
                 Debug="true" />
  <ScanTask BuildID="TempTask"
            JVMSettings="-Xmx1000M"
            LogFile="scan_task.log"
            Debug="true"
            Output="Scan.fpr" />
</Target>

Adding Fortify.CleanTask

The following example adds the Fortify.CleanTask to the MSBuild project.

<UsingTask TaskName="Fortify.CleanTask" AssemblyFile="<Install Directory>\Core\lib\FortifyMSBuildTasks.dll" />
<Target Name="FortifyBuild" AfterTargets="AfterBuild" Outputs="dummy.out">
  <CleanTask BuildID="TempTask" />
</Target>

Adding Fortify.SSCTask

The following example adds the Fortify.SSCTask to the MSBuild project. The new content is the third UsingTask declaration and the SSCTask element:

<UsingTask TaskName="Fortify.TranslateTask" AssemblyFile="<Install Directory>\Core\lib\FortifyMSBuildTasks.dll" />
<UsingTask TaskName="Fortify.ScanTask" AssemblyFile="<Install Directory>\Core\lib\FortifyMSBuildTasks.dll" />
<UsingTask TaskName="Fortify.SSCTask" AssemblyFile="<Install Directory>\Core\lib\FortifyMSBuildTasks.dll" />
<Target Name="FortifyBuild" AfterTargets="AfterBuild" Outputs="dummy.out">
  <TranslateTask BinariesFolder="$(OutDir)"
                 VSVersion="<Visual Studio Version>"
                 BuildID="TempTask"
                 JVMSettings="-Xmx1000M"
                 LogFile="trans_task.log"
                 Debug="true" />
  <ScanTask BuildID="TempTask"
            JVMSettings="-Xmx1000M"
            LogFile="scan_task.log"
            Debug="true"
            Output="Scan.fpr" />
  <SSCTask Username="admin"
           Password="admin"
           Project="Test Project"
           ProjectVersion="Test Version 1"
           FPRFile="SSC.fpr"
           SSCURL="http://localhost:8180/SSC7"/>
</Target>

Adding Fortify.CloudScanTask

If you are using CloudScan to process your scans, you can send the translated output to your cloud-based resource. The following example adds the Fortify.CloudScanTask to the MSBuild project:

<UsingTask TaskName="Fortify.CloudScanTask" AssemblyFile="<Install Directory>\Core\lib\FortifyMSBuildTasks.dll"/>
<Target Name="FortifyBuild" AfterTargets="AfterBuild" Outputs="dummy.out">
  <CloudScanTask BuildID="TempTask"
                 SSCUpload="false"
                 FPRName="Scan.fpr"
                 CloudURL="http://localhost:8080/cloud-ctrl" />
</Target>
Appendix F: Maven Integration

This appendix covers the following topics:
• About the Maven Plugin
• Installing the Maven Plugin
• Updating the Maven Plugin
• Using the Maven Plugin
• Excluding Files from the Scan
• Uninstalling the Maven Plugin
• Additional Documentation

About the Maven Plugin

SCA includes a Maven plugin which provides a means for you to add SCA clean, translation, scan, and .fpr upload capabilities to your Maven project builds. You can use the plugin directly or integrate its functionality into your build process.
The Maven plugin is located at:
<HP_Fortify_Install_Directory>\Samples\advanced\maven-plugin
Inside the directory, you will find the files listed in Table 23.

Table 23: Contents of maven-plugin directory

pom.xml
  Project object model file.
README.TXT
  The README text provides installation and usage instructions.
samples (directory)
  Includes two sample project directories: EightBall and MyEnterpriseApp.
settings.xml
  XML file that establishes the namespace to be used as it relates to Maven settings.
src (directory)
  Location of source code, assemblies, etc.

The plugin is compatible with Maven 2.0.9 to 3.0.5, inclusive. Maven 3.X.X is recommended.

Installing the Maven Plugin

When installing the Maven plugin, we assume that the path to the SCA bin folder is in your PATH environment variable.
Note: If you are using SCA version 3.60, 3.70, or 3.80, you will need to edit the EOL format of the plugin source files before installing the plugin. See Editing the Plugin Source Files before installing the plugin. If you have a previous version of the Maven Plugin installed, see
To install the Maven plugin:
1. Open a terminal or command prompt window and navigate to the maven-plugin directory.
   <HP_Fortify_Install_Directory>\Samples\advanced\maven-plugin
2. At the prompt, type:
   mvn clean package install
Updating the Maven Plugin

If you have a previous version of the Maven Plugin installed, you can upgrade to the latest version.
To update the Maven Plugin on your system:
1. Open a terminal or command prompt window and navigate to the maven-plugin directory.
   <HP_Fortify_Install_Directory>\Samples\advanced\maven-plugin
2. At the prompt, type:
   mvn install

Editing the Plugin Source Files

If you are using SCA version 3.60, 3.70, or 3.80, you will need to edit the end-of-line (EOL) format of the plugin source files before installing the plugin. If you are using a version of SCA post 3.80, you do not need to edit the source files. The following instructions are based on the OS you are using.
To edit the files on a Windows system:
1. Open a Command Prompt window and navigate to:
   Samples\advanced\maven-plugin\src\main\java\com\fortify\ps\maven\plugin\sca
2. Open the following files in a text editor:
   • CleanMojo.java
   • DeleteGeneratedSourcesMojo.java
   • StringHelper.java
   • Util.java
3. Change the EOL format for each of these files to CR+LF (DOS/Windows).
For example, if using Notepad++ as your text editor, click Edit --> EOL Conversion --> Windows Format. If you make these changes after installing the plugin, you will need to uninstall it and then reinstall it after the changes have been made.
To edit the files on a Linux or Unix system:
1. Open a terminal window and navigate to the following directory:
   <HP_Fortify_Install_Directory>/Samples/advanced/maven-plugin/src/main/java/com/fortify/ps/maven/plugin/sca
2. Run the following commands:
   sudo dos2unix -o *.java
   sudo mac2unix -o *.java
Note: If you make these changes after installing the plugin, you will need to uninstall it and then reinstall it after the changes have been made.
To edit the files on a Macintosh system:
1. Navigate to:
   <HP_Fortify_Install_Directory>/Samples/advanced/maven-plugin/src/main/java/com/fortify/ps/maven/plugin/sca
2. In a text editor of your choice, change the line endings of all Java source files to LF (OS X/Unix format). If Xcode is available on your system, you can open the source files in Xcode and change the line endings to LF.
Note: If you make these changes after installing the plugin, you will need to uninstall it and then reinstall it after the changes have been made.
Testing the Plugin

After installing the Maven plugin, use one of the included sample files to ensure your installation is working properly.
To test the Maven plugin using the EightBall sample file:
1. Add the directory containing the sourceanalyzer executable to the PATH environment variable.
   For example:
   export PATH=$PATH:/path/to/f360/bin
   or
   set PATH=%PATH%;path\to\f360\bin
2. Type sourceanalyzer -h to test the PATH setting.
   It should return sourceanalyzer help.
3. Navigate to the EightBall directory:
   <HP_Fortify_Install_Directory>\Samples\advanced\maven-plugin\samples\EightBall
4. Open the pom.xml file in a text editor and locate the <version> tag. This is the version of the Maven plugin.
   Do not mistake the <modelVersion> tag for the <version> tag.

Using the Maven Plugin

You can run the package locally or integrate it as part of your build process. During the translation phase, the SCA Maven Plugin will search your jar file from the local repository and try to resolve classes in your application.
Note: In the following steps, you are provided with three versions of the SCA commands. The Short Goal Name version of each command can only be used if you are using the latest version of the Maven plugin and you have placed a copy of the settings.xml file in the local repository.
To manually scan your code using the Maven Plugin:
1. Install the target application in the local repository:
   mvn install
2. Clean out the previous build using one of the following commands:
   Complete:
   mvn com.fortify.ps.maven.plugin:sca-maven-plugin:<ver>:clean
   Without Version ID:
   mvn com.fortify.ps.maven.plugin:sca-maven-plugin:clean
   Short Goal Name:
   mvn sca:clean
3. Translate the code:
   Complete:
   mvn com.fortify.ps.maven.plugin:sca-maven-plugin:<ver>:translate
   Without Version ID:
   mvn com.fortify.ps.maven.plugin:sca-maven-plugin:translate
   Short Goal Name:
   mvn sca:translate
4. Scan the code:
   Complete:
   mvn com.fortify.ps.maven.plugin:sca-maven-plugin:<ver>:scan
   Without Version ID:
   mvn com.fortify.ps.maven.plugin:sca-maven-plugin:scan
   Short Goal Name:
   mvn sca:scan
where <ver> is the version of the Maven Plugin you're using.
Note: If you don't specify the version, Maven will call the latest version of the sca-maven-plugin in the local repository.
To scan your files as part of your build system:
1. Install the target application in the local repository:
   mvn install
2. Clean out the previous build:
   mvn com.fortify.ps.maven.plugin:sca-maven-plugin:<version>:clean
3. Translate the code using one of the following options:
   Translation Code Options
   sourceanalyzer -b <build id> [sca build options] mvn
   sourceanalyzer -b <build id> [sca build options] mvn com.fortify.ps.maven.plugin:sca-maven-plugin:<ver>:translate
   sourceanalyzer -b <build id> [sca build options] mvn com.fortify.ps.maven.plugin:sca-maven-plugin:translate
   sourceanalyzer -b <build id> [sca build options] mvn sca:translate
   Note: To use this version of the command, you must have placed a copy of the settings.xml file in the local repository.
4. Run the scan:
   sourceanalyzer -b <build id> [sca scan options] -scan -f result.fpr

Excluding Files from the Scan

If you don't want to include all of the files in your project or solution, you can direct SCA to exclude selected files from your scan:
1. Create an exclusion file in a text editor.
2. Add the following line to the file you just created:
   com.fortify.sca.exclude="fileA;fileB;fileC"
   Note: File names must be separated with a semicolon. Wildcards are supported; a single asterisk (*) can be used to match part of a file name while two asterisks (**) can be used to recursively match directories. For more information on wildcards, see
3. Add the following code to the translation step:
   -Dfortify.sca.properties.file=my.exclusions
For example, for the sample EightBall project, you would issue the following command to translate the source code:
mvn com.fortify.ps.maven.plugin:sca-maven-plugin:4.00:translate -Dfortify.sca.source.version=1.6 -Dfortify.sca.properties.file=my.properties
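The exclusion syntax in the steps above (semicolon-separated names, a single * for part of a file name, ** for directories recursively) is worth checking against the project's file list before a long translate run, because a pattern that is too broad silently removes code from the scan. The following Python script is an added example and is not part of the SCA Maven plugin: it parses a constructed com.fortify.sca.exclude line and applies the patterns to a constructed file list. How it strips the surrounding quotes and the rule that "**/" also matches zero directories are assumptions of this model, not documented SCA behavior.

```python
"""Model of the com.fortify.sca.exclude pattern syntax (added example, not SCA code)."""
import re

# Constructed exclusion line in the form the page shows for the exclusion file.
EXCLUDE_LINE = 'com.fortify.sca.exclude="**/test/**;**/*Test.java;lib/vendor/**"'

# Constructed project file list, deliberately mixing both path separator styles.
FILES = [
    "src/main/java/com/example/App.java",
    "src/main/java/com/example/AppTest.java",
    "src\\test\\java\\com\\example\\AppIT.java",
    "lib/vendor/generated/Stub.java",
    "src/main/resources/config.properties",
]


def parse_exclude_property(line):
    """Split a com.fortify.sca.exclude line into its semicolon-separated patterns.

    The surrounding double quotes are stripped here; the page shows them but does
    not say whether SCA treats them as part of the value (assumption).
    """
    key, sep, value = line.partition("=")
    if not sep or key.strip() != "com.fortify.sca.exclude":
        raise ValueError("not a com.fortify.sca.exclude line: %r" % line)
    value = value.strip().strip('"')
    return [p.strip() for p in value.split(";") if p.strip()]


def pattern_to_regex(pattern):
    """Translate one exclusion pattern into an anchored regular expression.

    '**/' matches any number of directory levels (including none, an assumption),
    '**' elsewhere matches anything, and a single '*' matches part of one file
    or directory name but never crosses a separator.
    """
    pattern = pattern.replace("\\", "/")
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            parts.append("(?:.*/)?")
            i += 3
        elif pattern.startswith("**", i):
            parts.append(".*")
            i += 2
        elif pattern[i] == "*":
            parts.append("[^/]*")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def select_files(files, exclude_line):
    """Return (kept, excluded) for the given file list and exclusion line."""
    regexes = [pattern_to_regex(p) for p in parse_exclude_property(exclude_line)]
    kept, excluded = [], []
    for path in files:
        normalized = path.replace("\\", "/")   # compare with one separator style
        if any(r.match(normalized) for r in regexes):
            excluded.append(path)
        else:
            kept.append(path)
    return kept, excluded


if __name__ == "__main__":
    kept, excluded = select_files(FILES, EXCLUDE_LINE)
    print("translated:", kept)
    print("excluded:  ", excluded)
```

Reviewing the "excluded" list this way is the cheap safeguard: in the constructed input the test tree, the unit tests and the vendored code drop out as intended, while the application source and its configuration remain in the translation.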
Uninstalling the Maven Plugin

To uninstall the Maven Plugin, manually delete sca-maven-plugin from the local repository.

Additional Documentation

After the plugin has been properly installed, a new directory will be included in the following location:
Samples\advanced\maven-plugin\target\site
Open the file index.html to start reading the documentation. There are sections on the available options, basic usage guide, uploading scans to SSC Server, and FAQs.
Appendix G: Sample Files

This appendix covers the following topics:
• About the Sample Files
• Basic Samples
• Advanced Samples

About the Sample Files

Your HP Fortify software installation includes a number of sample files that you can use when testing or learning to use SCA. The sample files are located in the following directory:
<HP_Fortify_Install_Directory>/Samples
Inside the Samples directory are two sub-directories: basic and advanced. Each code sample includes a README.txt file that provides instructions on scanning the code in SCA and viewing the output in Audit Workbench.
The basic sub-directory includes an assortment of simple language-specific samples. The advanced subdirectory includes more advanced samples and code samples that enable you to integrate SCA with your bug tracking system.

Basic Samples

Table 24 provides a list of the sample files in the basic sub-directory (<HP_Fortify_Install_Directory>\Samples\basic), a brief description of the sample file, and a list of the vulnerabilities identified. Each sample includes a README.txt file that provides further details and instructions on its use.
Table 24: Basic Samples

cpp
  Contents: Includes a C++ sample file and instructions for testing a simple dataflow vulnerability. It requires a gcc or cl compiler.
  Vulnerabilities: Command Injection; Memory Leak

database
  Contents: Includes a database.pks sample file. This SQL sample includes issues that can be found in SQL code.
  Vulnerabilities: Access Control: Database

eightball
  Contents: Includes EightBall.java, a Java application that exhibits bad error handling. It requires an integer as an argument. If you supply a file name instead of an integer, it will display the contents of the file.
  Vulnerabilities: Path Manipulation; Unreleased Resource: Streams; J2EE Bad Practices: Leftover Debug Code

formatstring
  Contents: Includes formatstring.c file. It requires a gcc or cl compiler.
  Vulnerabilities: Format String

javascript
  Contents: Includes sample.js, a JavaScript file.
  Vulnerabilities: Cross Site Scripting (XSS); Open Redirect

nullpointer
  Contents: Includes NullPointerSample.java file.
  Vulnerabilities: Null Dereference

php
  Contents: Includes both sink.php and source.php files. Analyzing source.php surfaces simple Dataflow vulnerabilities and a dangerous function.
  Vulnerabilities: Cross Site Scripting; SQL Injection

sampleOutput
  Contents: Includes a sample output file (WebGoat5.0.fpr) from the WebGoat project located in the Samples/advanced/webgoat directory.
  Vulnerabilities: Example input for Audit Workbench.

stackbuffer
  Contents: Includes stackbuffer.c. A gcc or cl compiler is required.
  Vulnerabilities: Buffer Overflow

toctou
  Contents: Includes toctou.c file.
  Vulnerabilities: Time-of-Check/Time-of-Use (Race Condition)

vb6
  Contents: Includes command-injection.bas file.
  Vulnerabilities: Command Injection; SQL Injection

vbscript
  Contents: Includes source.asp and sink.asp files.
  Vulnerabilities: SQL Injection
Advanced Samples

Table 25 provides a list of the sample files in the advanced subdirectory (<HP_Fortify_Install_Directory>\Samples\advanced). Each sample includes a README.txt file that provides further details and instructions on its use.

Table 25: Advanced Samples

Bugzilla
  Includes a Build.xml file built using the Audit Workbench bug tracker plugin framework. The plugin includes the same functionality as the built-in Bugzilla plugin so that it can be used as a guide to creating your own plugin.

c++
  Includes a sample Visual Studio 2005 solution: Sample.sln, Sample1.cpp, Sample.vcproj, stdafx.cpp, stdafx.h.
  You need to have Microsoft Visual Studio Visual C/C++ 2005 (or newer) installed. You should also have the Fortify Analyzers installed, with the plugin for the Visual Studio version you are using.
  The code includes a Command Injection issue and an Unchecked Return Value issue.

configuration
  This is a sample J2EE application that has vulnerabilities in its web module deployment descriptor, web.xml.

crosstier
  This is a sample that has vulnerabilities spanning multiple application technologies (Java, PL/SQL, JSP, struts). The output should contain several issues of different types, including two Access Control vulnerabilities. One of these is a cross-tier result. It has a dataflow trace from user input in Java code that can affect a SELECT statement in PL/SQL.

csharp
  This is a simple C# program that has SQL injection vulnerabilities. Versions are included for VS2003, VS2005, VS2010 and VS2012. Upon successful completion of the scan, you should see the SQL Injection vulnerabilities and one Unreleased Resource vulnerability. Other categories may also be present, depending on the rulepacks used in the scan.

customrules
  Several simple source code samples and Rulepack files that illustrate rules interpreted by four different analyzers: Semantic, Dataflow, Controlflow, and Configuration. This directory also includes several miscellaneous real-world rules samples that may be used for scanning real applications.

ejb
  A sample J2EE cross-tier application with Servlets and EJBs.

filters
  A sample that uses sourceanalyzer's -filter option.

findbugs
  A sample that demonstrates how to run the FindBugs static analysis tool together with the Fortify Source Code Analysis Engine (Fortify SCA Engine) and filters out results that overlap.

HPQC
  A sample that demonstrates the Audit Workbench bug tracker plugin framework by implementing a plugin to HP Quality Center. This plugin communicates with an HPQC server instance through the HPQC client-side addin. The bug tracker talks to the addin through a COM interface, and the addin handles the communication to the server.

java1.5
  Includes ResourceInjection.java. The result file should have a Path Manipulation result and a J2EE Bad Practices result.

javaAnnotations
  Includes a sample application that illustrates problems that may arise from its use and how to fix the problems using the Fortify Java Annotations. The goal of this example is to illustrate how the use of Fortify Annotations can result in increased accuracy in the reported vulnerabilities. The accompanying README file illustrates the potential problems and solutions associated with vulnerability results.

JavaDoc
  JavaDoc directory for the bug trackers, public-api, and WSClient.

maven-plugin
  Tests can be run on any projects that use Maven (for instance those included in the samples directory, or WebGoat 5.3: http://code.google.com/p/webgoat/)

webgoat
  WebGoat test J2EE web application provided by the Open Web Application Security Project (http://www.owasp.org). This directory contains the WebGoat 5.0 sources. WebGoat Java sources can be used directly for Java vulnerability scanning via Fortify Source Code Analysis Engine.
Appendix H: Issue Tuning

This appendix covers the following topics:
• About Issue Tuning
• About Interprocedural Constant Propagation

About Issue Tuning

This appendix lists properties that impact the number of issues that SCA reports. The default settings have been designed to provide optimal results and should not be altered unless you are experiencing a reporting issue or have been instructed to do so by support.
Issue tuning allows you to fine-tune the number and quality of results you receive from an SCA scan. This is an advanced topic and should not be necessary for the majority of users.
If you feel that SCA is reporting too many or too few issues of a particular type, you may need to adjust a property to exclude or include additional issues. Before making any changes, you may want to contact support and discuss the issue you are experiencing.
The following areas can be tuned:
• Wrapper detection
• Interprocedural constant propagation
• Selective map tracking
If you need to turn one or more of these analysis features off, edit the fortify-sca.properties file, located in the <install_directory>/Core/config directory.

About Wrapper Detection

Wrapper detection identifies methods that wrap map operations. In SCA, map operations insert <key, value> pairs to, or retrieve <key, value> pairs from, an associative map. When a tainted value is inserted or retrieved, its taint may get propagated through the map.
The HP Fortify Software Security Research team (SSR) provides rules describing how various APIs implement map insertion and retrieval. Taint propagation occurs when methods matching those specified in the rules are invoked. If SCA cannot compute the map keys used at those methods, then it promotes taint from a single value to all values in the map. This introduces false positives.
A function is treated as a wrapper method when it:
• Contains a call site to a method identified by an SSR rule as a map operation or already identified by SCA as a wrapper.
• Directly passes its parameters to the map operation.
• Directly passes the map operation's return value to its own return.
The effects of successful wrapper identification include:
• Reduction of false issue reports from the Dataflow analyzer by reducing the number of issues reported with mismatched map insertions and retrievals.
• Improved readability of Dataflow issue reports by replacing unknown map keys, shown as '?', with explicit key values.
The properties listed in Table 26 control the behavior of wrapper detection:
Table 26: Wrapper Detection Analysis Keys

Analysis Property: None
Description: Executes wrapper detection, including detection of nested wrappers.

Analysis Property: com.fortify.sca.EnableNestedWrappers
Description: A value of false disables all nested wrapper detection.

Analysis Property: com.fortify.sca.EnableWrapperDetection
Description: A value of false disables all wrapper detection.

Analysis Property: com.fortify.sca.WrapperHeuristic
Description: By default, the heuristic used is "moderate". You can also set this value to "strict", which will not identify any methods containing multiple call sites as wrappers.
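To make the three wrapper criteria concrete, here is an added Java illustration (not code from the HP Fortify guide) of method shapes that do and do not match them. SessionStore, ProfileService and the key names are invented for the example, and java.util.Map's put/get stand in for the map operations that SSR rules identify.

```java
import java.util.HashMap;
import java.util.Map;

// Hypothetical session store, constructed for this illustration.
public class SessionStore {
    private final Map<String, String> attributes = new HashMap<>();

    // Wrapper: one call site to a rule-identified map operation (put) and the
    // parameters passed straight through, so the caller's literal key is
    // visible at the insertion instead of showing as '?'.
    public void setAttribute(String key, String value) {
        attributes.put(key, value);
    }

    // Wrapper: parameters passed through and the map operation's return
    // value returned directly (all three criteria).
    public String getAttribute(String key) {
        return attributes.get(key);
    }

    // Not a wrapper: the parameter is transformed before it reaches get(),
    // so it is not passed directly and the key at this get() is computed.
    public String getNormalized(String key) {
        return attributes.get(key.trim().toLowerCase());
    }

    // Two map call sites. With com.fortify.sca.WrapperHeuristic=strict this
    // method is never identified as a wrapper; the default "moderate"
    // heuristic has no such rule.
    public String getOrFallback(String key, String fallbackKey) {
        String v = attributes.get(key);
        return v != null ? v : attributes.get(fallbackKey);
    }
}

// Nested wrapper: the call site targets a method SCA has already identified
// as a wrapper (getAttribute) rather than a rule-identified map operation.
// Recognised only while nested wrapper detection is on, i.e. while
// com.fortify.sca.EnableNestedWrappers is not set to false.
class ProfileService {
    private final SessionStore store;

    ProfileService(SessionStore store) { this.store = store; }

    public String lookup(String key) {
        return store.getAttribute(key);
    }

    // With the wrappers above recognised, SCA sees the tainted value go in
    // under "password" and the retrieval read "displayName": a mismatched
    // insertion/retrieval pair, so no dataflow issue is reported here.
    // Without wrapper detection both keys are '?', taint is promoted to every
    // value in the map, and this retrieval becomes a false positive.
    public String greeting(String untrustedInput) {
        store.setAttribute("password", untrustedInput);
        return "Hello " + lookup("displayName");
    }
}
```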
About Interprocedural Constant Propagation
Programming languages provide keywords indicating that a variable is a constant, unchanging value throughout an entire program. However, some software fails to consistently apply these keywords to constant variables. Interprocedural Constant Propagation identifies explicit constants and variables that are not defined as constants but have unchanging values, and it then propagates those constant values throughout all functions in the program.
The properties listed in Table 27 control Interprocedural Constant Propagation.
Table 27: Interprocedural Constant Propagation Keys

Analysis Property: com.fortify.sca.EnableInterproceduralConstantResolution
Description: Enables or disables propagation of constant values across function boundaries.

Analysis Property: com.fortify.sca.DisableInferredConstants
Description: If set to "true", disables identification of constant variables without explicit const or final keywords.

Analysis Property: com.fortify.sca.DisableInferredConstants.NonStatic
Description: If set to "true", disables identification of non-static constants.
About Selective Map Operation Tracking
Selective Map Operation Tracking analysis greatly reduces the prevalence of unresolved map keys. This analysis allows SCA to find true positives in global classes without introducing an increase in the number of false positives. This algorithm is configurable via a property key that accepts any of four values. The default value, classrule, is appropriate in most situations. If you find that too many issues are being suppressed, you can change the value and compare the results received.
The values listed in Table 28 control Selective Map Operation Tracking.
Table 28: Selective Map Operator Tracking Values

Analysis Property: com.fortify.sca.RequireMapKeys

Value: classrule
Description: This is the default value of the property and does not need to be set. SCA will analyze dataflow operations on maps that are global by class rule only when it can determine keys.

Value: never
Description: Set this property equal to "never" to disable Selective Map Operation Tracking analysis. All map operations will be analyzed.

Value: globals
Description: Set this property equal to "globals" to increase the aggressiveness of the analysis. SCA will analyze dataflow operations on all global maps only when it can determine keys.

Value: always
Description: Set this property equal to "always" for maximum aggressiveness. SCA will process dataflow operations on all maps only when it can determine keys.
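An added Java illustration (not from the HP Fortify guide) of the key-resolution cases that Table 27 (inferred constants) and Table 28 (selective map operation tracking) govern. AppConfig, RequestHandler, the SETTINGS map and the key names are invented for the example.

```java
import java.util.HashMap;
import java.util.Map;

// Hypothetical configuration holder, constructed for this illustration.
public class AppConfig {
    // Explicit constant: always usable as a resolved map key.
    public static final String KEY_DB_URL = "db.url";

    // Not declared final, but assigned once and never reassigned anywhere in
    // the program. Interprocedural constant propagation infers it as a
    // constant unless com.fortify.sca.DisableInferredConstants=true.
    public static String keyUser = "db.user";

    // Non-static field with an unchanging value: inferred as well, unless
    // com.fortify.sca.DisableInferredConstants.NonStatic=true.
    public String keyPassword = "db.password";

    // A global (static) map. Table 28's classrule/globals/always settings
    // make SCA analyze dataflow through it only when the key is determined.
    public static final Map<String, String> SETTINGS = new HashMap<>();
}

class RequestHandler {
    static void store(AppConfig cfg, String fromRequest) {
        // All four keys are resolvable: a literal, an explicit constant, an
        // inferred static constant and an inferred non-static constant.
        AppConfig.SETTINGS.put("db.host", "localhost");
        AppConfig.SETTINGS.put(AppConfig.KEY_DB_URL, fromRequest); // tainted, known key
        AppConfig.SETTINGS.put(AppConfig.keyUser, "app");
        AppConfig.SETTINGS.put(cfg.keyPassword, fromRequest);       // tainted, known key
    }

    static String read(String name) {
        // Key built at run time from a parameter: SCA cannot determine it.
        // Under classrule (default), globals or always this retrieval is not
        // tracked; under never every map operation is analyzed and, the key
        // being unknown ('?'), the taint stored above is promoted to every
        // value read from SETTINGS, including this one.
        return AppConfig.SETTINGS.get("db." + name);
    }

    static String readUrl() {
        // Resolvable key matching a tainted insertion: reported precisely,
        // with the explicit key value in the issue rather than '?'.
        return AppConfig.SETTINGS.get(AppConfig.KEY_DB_URL);
    }
}
```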
Appendix I: Configuration Properties
This appendix lists the properties found in the fortify.properties and the fortify-sca.properties files. These configuration files are located in the following directory:
<Installation_Directory>\HP_Fortify\HP_Fortify_SCA_and_Apps_X.XX\Core\config
fortify.properties
Table 29 lists configuration options that can be altered or set in the fortify.properties file or defined on the command line using the -D option.
Table 29: fortify.properties (columns: Objective, Property, Value)
Objective: Set SCA tools, such as HP Fortify Audit Workbench, to debug mode.
Property: com.fortify.Debug
Value type: Boolean
Default: false
Example: com.fortify.Debug=true

Objective: Set HP Fortify Audit Workbench to debug mode.
Property: com.fortify.awb.Debug
Value type: Boolean
Default: false
Example: com.fortify.awb.Debug=true

Objective: Set Eclipse to debug mode.
Property: com.fortify.eclipse.Debug
Value type: Boolean
Default: false
Example: com.fortify.eclipse.Debug=true

Objective: Set Visual Studio to debug mode.
Property: com.fortify.VS.Debug
Value type: Boolean
Default: false
Example: com.fortify.VS.Debug=true

Objective: Locate the SCA executable file. Note: This property is set on installation and should not require alteration unless you manually move the executable files.
Property: com.fortify.SCAExecutablePath
Value type: String (path)
Default: Set when SCA was installed
Example: com.fortify.SCAExecutablePath=C:\\Program Files\\Fortify Software\\HP Fortify v3.60\\bin\\sourceanalyzer.exe

Objective: Set the path to the working directory of the SCA tools.
Property: com.fortify.WorkingDirectory
Value type: String (path)
Default: com.fortify.WorkingDirectory=${win32.LocalAppdata}/Fortify
Example: com.fortify.WorkingDirectory=${win32.LocalAppdata}/Fortify
where ${win32.LocalAppdata} is a variable that points to the Windows Local Application Data shell folder. This is typically C:\Documents and Settings\<user>\Local Settings\Application Data
Objective: Set or change the user name for this installation.
Property: com.fortify.InstallationUserName
Value type: String (variable pointer)
Default: com.fortify.InstallationUserName=${user.name}
The user name for this installation, ${FM.user.name}, can be used to reference the stored Fortify Manager user name.
Example: com.fortify.InstallationUserName=${user.name}

Objective: Set the locale for the installation.
Property: com.fortify.locale
Value type: String (country code abbrev.)
Default: Location of the machine the software was installed on.
Example: com.fortify.locale=en

Objective: Set the scan to continue even if ASP precompilation fails.
Property: com.fortify.VS.RequireASPPrecompilation
If this property is set to false, when performing a scan of a website from Visual Studio in headless mode the scan will continue even if the ASP precompilation fails.
Value type: Boolean
Default: false
Example: com.fortify.VS.RequireASPPrecompilation=false

Objective: Set this value to true if you want SCA to translate the default ASP output (instead of running the aspnet_compiler) when scanning a website from Visual Studio.
Property: com.fortify.VS.SkipASPPrecompilation
Value type: Boolean
Default: false
Example: com.fortify.VS.SkipASPPrecompilation=true
You should manually clean this cache before use of this setting.

Objective: Disable use of the Code Navigation feature in AWB and improve runtime memory usage.
Property: com.fortify.DisableProgramInfo
Value type: Boolean
Example: com.fortify.DisableProgramInfo=true

Objective: Disable integration with C/CPP builds (Visual Studio).
Property: com.fortify.VS.DisableCIntegration
Value type: Boolean
Default: false
Example: com.fortify.VS.DisableCIntegration=true

Objective: Set the path used to store the manager client authentication token.
Property: com.fortify.AuthenticationKey
Value type: String (path)
Default: ${com.fortify.WorkingDirectory}/config/tools
Example: com.fortify.AuthenticationKey=${com.fortify.WorkingDirectory}/config/tools
Objective: Disable FVDL validation in the UI.
Property: com.fortify.model.CheckSig
Value type: Boolean
Default: false
Example: com.fortify.model.CheckSig=true

Objective: Reduce the amount of data loaded from an FPR. When set to true, only basic issue information will be loaded from the FPR.
Property: com.fortify.model.MinimalLoad
Value type: Boolean
Default: false
Example: com.fortify.model.MinimalLoad=true

Objective: Set this value to true to use IssueParseFilters.properties. settings.OptimizeMemory must also be enabled.
Property: com.fortify.model.UseIssueParseFilters
Value type: Boolean
Default: false
Example: com.fortify.model.UseIssueParseFilters=true

Objective: Set backwards compatibility with pre-2.5 migrated projects.
Property: com.fortify.model.EnablePathElementBaseIndexShift
Value type: Boolean
Default: true
Example: com.fortify.model.EnablePathElementBaseIndexShift=true

Objective: Set default VM arguments for use when the Visual Studio plugin runs Java commands.
Property: com.fortify.visualstudio.vm.args
Value type: String (VM argument)
Default: -Xmx256m
Example: com.fortify.visualstudio.vm.args=-Xmx256m

Objective: Set this property to enable manual removal of the thread-local transaction resource when a job completes.
Property: enable.clean.transaction.resource
Value type: Boolean
Default: true
Setting this property to true prevents a Quartz/Spring bug in which, when a cron trigger fires, a thread-local resource is not released, resulting in a "Pre-bound JDBC Connection found!" error. Set this property to true when this problem occurs.
Example: enable.clean.transaction.resource=true

Objective: Set this property to migrate IIDs created with different versions of SCA. This is generally handled by SCA. If you need to override the mapping scheme, please consult HP Fortify customer support.
Property: com.fortify.tools.iidmigrator.scheme
Contact HP Fortify customer support for assistance.
Objective: Set the maximum number of characters for your file path.
Property: max.file.path.length
Value type: String (number)
Default: 255
If the path exceeds this value, the last X characters will be kept in the file path for the issue and the entry will be removed from the source file map.
Example: max.file.path.length=255

Objective: Define which .FPR project (default or imported) should be used as the base when resolving merge conflicts.
Property: com.fortify.model.MergeResolveStrategy
Value type: String
Default: DefaultToMasterValue
Possible values are: 'DefaultToMasterValue', 'DefaultToImportValue', or 'NoStrategy'.
Example: com.fortify.model.MergeResolveStrategy=DefaultToMasterValue

Objective: Set the Removed Issue Persistence Limit.
Property: com.fortify.RemovedIssuePersistenceLimit
Value type: String (number)
Default: 1000
Example: com.fortify.RemovedIssuePersistenceLimit=5000

Objective: Define the amount of memory allocated for processes required by HP Fortify Audit Workbench (i.e., iidmigrator, events2fpr, etc.).
Property: com.fortify.model.ExecMemorySetting
Value type: String
Default: 1200M
Example: -Dcom.fortify.model.ExecMemorySetting=1200M

Objective: Limit the number of issues loaded.
Properties: com.fortify.model.IssueCutoffStartIndex, com.fortify.model.IssueCutoffEndIndex
Value type: String (number)
Use the com.fortify.model.IssueCutoffStartIndex property to select the first issue (by number) to be loaded. Use the com.fortify.model.IssueCutoffEndIndex property to select the last issue (by number) to be loaded.
Example:
com.fortify.model.IssueCutoffStartIndex=10
com.fortify.model.IssueCutoffEndIndex=20
Note: You can use both parameters together, as in the example above, to select a range. This example loads issues 10 through 19, for a total of 20 issues.
Objective: Limit the categories loaded based on number of issues.
Properties: com.fortify.model.IssueCutoffByCategoryStartIndex, com.fortify.model.IssueCutoffByCategoryEndIndex
Value type: String (number)
Use the com.fortify.model.IssueCutoffByCategoryEndIndex property to load categories that have fewer than the selected number of issues. Use both properties in conjunction to select a range.
Example:
com.fortify.model.IssueCutoffByCategoryStartIndex=10
com.fortify.model.IssueCutoffByCategoryEndIndex=20
The example above loads categories which have between 10 and 19 issues in them.
fortify-sca.properties
Table 30 lists configuration options that can be altered or set in the fortify-sca.properties file or defined on the command line using the -D option.
Table 30: fortify-sca.properties (columns: Objective, Property, Values)
Objective: Set the HP Fortify application data directory.
Property: com.fortify.sca.ProjectRoot
Value type: String (path)
Default: com.fortify.sca.ProjectRoot=${win32.LocalAppdata}/Fortify
${win32.LocalAppdata} is a special variable that points to the Windows Local Application Data shell folder.
Example 1: com.fortify.sca.ProjectRoot=${win32.LocalAppdata}/Fortify
Example 2: com.fortify.sca.ProjectRoot=C:\Documents and Settings\<user>\Local Settings\Application Data

Objective: Select the analyzers to be used.
Property: com.fortify.sca.DefaultAnalyzers
Value type: Boolean
Default: All analyzers are turned on by default. Edit the list to change which analyzers are enabled by default.
Example: com.fortify.sca.DefaultAnalyzers=dataflow:semantic:controlflow:configuration:structural:content:buffer
Objective: Set default file types.
Property: com.fortify.sca.DefaultFileTypes
Value type: String
Default: com.fortify.sca.DefaultFileTypes=java,rb,jsp,jspx,tag,tagx,tld,sql,cfm,php,phtml,ctp,pks,pkh,pkb,xml,config,settings,properties,dll,exe,inc,asp,vbscript,js,ini,bas,cls,vbs,frm,ctl,html,htm,xsd,wsdd,xmi,py,cfml,cfc,abap,xhtml,cpx,xcfg,jsff,as,mxml,cbl,c,scfg,csdef,wadcfg,appxmanifest,wsdl,plist
Example: com.fortify.sca.DefaultFileTypes=<comma separated list of file types>

Objective: Set the directory used to search for custom rules. If this is set, the default directory is not searched.
Property: com.fortify.sca.CustomRulesDir
Value type: String (path)
Default: com.fortify.sca.CustomRulesDir=${com.fortify.Core}/config/customrules
Example: com.fortify.sca.CustomRulesDir=<Directory where custom rules are stored>

Objective: Tell SCA how to process specific file types. Allowed types are: JAVA, JSP, JSPX, PLSQL, TSQL, SQL, XML, JAVA_Properties, MSIL, CFML, and CSHARP. Note: Objective-C does not require an entry.
Properties:
com.fortify.sca.fileextensions.java = JAVA
com.fortify.sca.fileextensions.jsp = JSP
com.fortify.sca.fileextensions.tag = JSP
com.fortify.sca.fileextensions.tagx = JSP
com.fortify.sca.fileextensions.jspx = JSPX
com.fortify.sca.fileextensions.xhtml = JSPX
com.fortify.sca.fileextensions.faces = JSPX
com.fortify.sca.fileextensions.jsff = JSPX
com.fortify.sca.fileextensions.js = JAVASCRIPT
Value type: String (language)
Default: See the fortify-sca.properties file for the complete list.
Note: This is a partial list. For the complete list, see the fortify-sca.properties file.

Objective: Set SCA to use the native parser.
Property: com.fortify.sca.jsp.UseNativeParser
Value type: Boolean
Default: true
Example: com.fortify.sca.jsp.UseNativeParser=false
Objective: Set the SQL language variant.
Property: com.fortify.sca.SqlLanguage
Value type: String (SQL language type)
Default: TSQL
Example: com.fortify.sca.SqlLanguage=TSQL

Objective: Enable custom-named compilers.
Properties:
com.fortify.sca.compilers.fortify=com.fortify.sca.util.compilers.FortifyCompiler
com.fortify.sca.compilers.touchless=com.fortify.sca.util.compilers.FortifyCompiler
com.fortify.sca.compilers.make=com.fortify.sca.util.compilers.TouchlessCompiler
com.fortify.sca.compilers.gmake=com.fortify.sca.util.compilers.TouchlessCompiler
com.fortify.sca.compilers.jam=com.fortify.sca.util.compilers.TouchlessCompiler
com.fortify.sca.compilers.clearmake=com.fortify.sca.util.compilers.TouchlessCompiler
com.fortify.sca.compilers.nmake=com.fortify.sca.util.compilers.TouchlessCompiler
Value type: String (compiler)
Default: See the Compilers section in the fortify-sca.properties file for the complete list.
Example: To tell SCA that "my-gcc" is a gcc compiler:
com.fortify.sca.compilers.my-gcc=com.fortify.sca.util.compilers.GccCompiler
Note: Compiler names may begin or end with an *, which matches 0 or more characters.
Note: This is a partial list. For the complete list, see the fortify-sca.properties file.
Objective: Tell SCA which compilers cause a translation daemon to be spawned.
Property: com.fortify.sca.DaemonCompilers
Value type: String (compiler)
Default: com.fortify.sca.DaemonCompilers = com.fortify.sca.util.compilers.GppCompiler,com.fortify.sca.util.compilers.GccCompiler,com.fortify.sca.util.compilers.AppleGppCompiler,com.fortify.sca.util.compilers.AppleGccCompiler,com.fortify.sca.util.compilers.MicrosoftCompiler,com.fortify.sca.util.compilers.MicrosoftLinker,com.fortify.sca.util.compilers.LdCompiler,com.fortify.sca.util.compilers.ArUtil,com.fortify.sca.util.compilers.SunCCompiler,com.fortify.sca.util.compilers.SunCppCompiler,com.fortify.sca.util.compilers.IntelCompiler,com.fortify.sca.util.compilers.ExternalCppAdapter,com.fortify.sca.util.compilers.ClangCompiler
Example: com.fortify.sca.DaemonCompilers = com.fortify.sca.util.compilers.GppCompiler,com.fortify.sca.util.compilers.GccCompiler,com.fortify.sca.util.compilers.AppleGppCompiler,com.fortify.sca.util.compilers.AppleGccCompiler,com.fortify.sca.util.compilers.MicrosoftCompiler,com.fortify.sca.util.compilers.MicrosoftLinker,com.fortify.sca.util.compilers.LdCompiler,com.fortify.sca.util.compilers.ArUtil,com.fortify.sca.util.compilers.SunCCompiler,com.fortify.sca.util.compilers.SunCppCompiler,com.fortify.sca.util.compilers.IntelCompiler,com.fortify.sca.util.compilers.ExternalCppAdapter,com.fortify.sca.util.compilers.ClangCompiler

Objective: Set call graph builder values.
Properties:
com.fortify.sca.analyzer.callgraph.VirtualCGBuilder: Virtual method mappings
com.fortify.sca.analyzer.callgraph.J2EEIndirectCGBuilder: EJB Bean methods
com.fortify.sca.analyzer.callgraph.JNICGBuilder: JNI calls
com.fortify.sca.analyzer.callgraph.IDLIndirectCGBuilder: CORBA calls (disabled by default)
com.fortify.sca.analyzer.callgraph.StoredProcedureResolver: JDBC stored procedure calls
Value type: String (call graph builders)
Default: Off by default
Example: com.fortify.sca.analyzer.callgraph.VirtualCGBuilder: Virtual method mappings
Note: This is a sample list. For the complete list, see the fortify-sca.properties file.
Objective: Set Dataflow analysis values.
Properties:
com.fortify.sca.DisableFunctionPointers
com.fortify.sca.DisableGlobals
com.fortify.sca.EnableStructuralMatchCache
com.fortify.sca.EnableInterproceduralConstantResolution
com.fortify.sca.EnableWrapperDetection
com.fortify.sca.EnableNestedWrappers
com.fortify.sca.WrapperHeuristic
com.fortify.sca.RequireMapKey
com.fortify.sca.DisableInferredConstants
Value type: Boolean
Examples (default values):
com.fortify.sca.DisableFunctionPointers=false
com.fortify.sca.DisableGlobals=false
com.fortify.sca.EnableStructuralMatchCache=true
com.fortify.sca.EnableInterproceduralConstantResolution=false
com.fortify.sca.EnableWrapperDetection=false
com.fortify.sca.EnableNestedWrappers=false
com.fortify.sca.WrapperHeuristic = moderate
com.fortify.sca.RequireMapKey = classrule
com.fortify.sca.DisableInferredConstants = false

Objective: Set additional analysis values.
Properties:
com.fortify.sca.NoNestedOutTagOutput
com.fortify.sca.DisableDeadCodeElimination
com.fortify.sca.DeadCodeIgnoreTrivialPredicates
com.fortify.sca.DeadCodeFilter
com.fortify.sca.SolverTimeout
Value type: Boolean
Examples (default values):
com.fortify.sca.NoNestedOutTagOutput=org.apache.taglibs.standard.tag.rt.core.RemoveTag,org.apache.taglibs.standard.tag.rt.core.SetTag
com.fortify.sca.DisableDeadCodeElimination=false
com.fortify.sca.DeadCodeIgnoreTrivialPredicates=true
com.fortify.sca.DeadCodeFilter=true
com.fortify.sca.SolverTimeout=15

Objective: Set FVDL options.
Properties:
com.fortify.sca.FVDLDisableProgramData
com.fortify.sca.FVDLDisableSnippets
com.fortify.sca.FVDLDisableDescriptions
com.fortify.sca.FVDLStylesheet
Value type: Boolean
Examples (default values):
com.fortify.sca.FVDLDisableProgramData=false
com.fortify.sca.FVDLDisableSnippets=false
com.fortify.sca.FVDLDisableDescriptions=false
com.fortify.sca.FVDLStylesheet=${com.fortify.Core}/resources/sca/fvdl2html.xsl

Objective: Set default log file location.
Property: com.fortify.sca.LogFile
Value type: String (path)
Default: N/A
Setting this parameter will cause the log file to be overwritten each time SCA is run.
Example: com.fortify.sca.LogFile=${com.fortify.sca.ProjectRoot}/sca/log/sca.log
Objective: Set the post-scan logging option to true and SCA will write performance-related data to the log file after scan completion.
Property: com.fortify.sca.PrintPerformanceDataAfterScan
Value type: Boolean
Default: false
The value will automatically be set to true when in debug mode.
Example: com.fortify.sca.PrintPerformanceDataAfterScan=true

Objective: Set translator options.
Properties:
com.fortify.sca.cpfe.command
com.fortify.sca.cpfe.441.command
com.fortify.sca.cpfe.options
com.fortify.sca.cpfe.file.option
com.fortify.sca.cpfe.dont.fix.cctor.option
Value types: String and Boolean
Examples (default values):
com.fortify.sca.cpfe.command=${com.fortify.Core}/private-bin/sca/cpfe
com.fortify.sca.cpfe.441.command=${com.fortify.Core}/private-bin/sca/cpfe441
com.fortify.sca.cpfe.options=-remove_unneeded_entities -suppress_vtbl -tused
com.fortify.sca.cpfe.file.option=-gen_c_file_name
com.fortify.sca.cpfe.dont.fix.cctor.option=true

Objective: Display progress bar.
Property: com.fortify.sca.DisplayProgress
Value type: Boolean
Default: true
Example: com.fortify.sca.DisplayProgress=true

Objective: Set FindBugs maximum heap size.
Property: com.fortify.sca.findbugs.maxheap
Value type: Boolean
Default: SCA's max heap size.
Example: com.fortify.sca.findbugs.maxheap=500m

Objective: Set CFML pages behavior.
Property: com.fortify.sca.CfmlUndefinedVariablesAreTainted
Value type: Boolean
Default: Feature is disabled.
A value of true treats undefined variables in CFML pages as tainted.
Example: com.fortify.sca.CfmlUndefinedVariablesAreTainted=true

Objective: Generate implied methods when implementation by inheritance is encountered.
Property: com.fortify.sca.AddImpliedMethods
Value type: Boolean
Default: true
Example: com.fortify.sca.AddImpliedMethods=true
Objective: Set Controlflow Analyzer options.
Properties:
com.fortify.sca.analyzer.controlflow.liveness.skip.rules
com.fortify.sca.analyzer.controlflow.EnableRefRuleOptimization
com.fortify.sca.analyzer.controlflow.EnableLivenessOptimization
com.fortify.sca.analyzer.controlflow.EnableMachineFiltering
com.fortify.sca.analyzer.controlflow.EnableTimeOut
Value type: Boolean and String
Examples (default settings):
com.fortify.sca.analyzer.controlflow.liveness.skip.rules=B530C5D6-3C7148C5-9512-72A7F4911822
com.fortify.sca.analyzer.controlflow.EnableRefRuleOptimization=false
com.fortify.sca.analyzer.controlflow.EnableLivenessOptimization=false
com.fortify.sca.analyzer.controlflow.EnableMachineFiltering=false
com.fortify.sca.analyzer.controlflow.EnableTimeOut=true

Objective: Set the path to reg on your system.
Property: com.fortify.sca.RegExecutable
Value type: String (path)
Default: Not set

Objective: Set various .NET options.
Properties:
WinForms.TransformDataBindings
WinForms.TransformMessageLoops
WinForms.TransformChangeNotificationPattern
WinForms.CollectionMutationMonitor.Label
WinForms.ExtractEventHandlers
WinForms.TouchUpDataSources
CAB.EnableStateMap1
com.fortify.sca.dotnet.cab.injection
com.fortify.sca.dotnet.cab.events
Value type: Boolean
Examples (default settings):
WinForms.TransformDataBindings=true
WinForms.TransformMessageLoops=true
WinForms.TransformChangeNotificationPattern=true
WinForms.CollectionMutationMonitor.Label=WinFormsDataSource
WinForms.ExtractEventHandlers=true
WinForms.TouchUpDataSources=true
CAB.EnableStateMap1=true
com.fortify.sca.dotnet.cab.injection=true
com.fortify.sca.dotnet.cab.events=true

Objective: Set the number of lines of code to display surrounding an issue.
Property: com.fortify.sca.SnippetContextLines
Value type: String
Default: 3
The default value is 3. When set, the number represents the 2 lines of code on each side of the line where the error occurs, so by default a total of 5 lines is displayed. This value can be overridden.

Objective: Set CPFE to handle multibyte characters in your source code. This allows SCA to handle code with multibyte encoding, such as SJIS (Japanese).
Property: com.fortify.sca.cpfe.multibyte
Value type: Boolean
Default: Not enabled
This feature is turned off by default. Set this property to true if you have multibyte characters in your source code.
Example: com.fortify.sca.cpfe.multibyte=true
Objective: Set the version of CPFE to 441.
Property: com.fortify.sca.cpfe.gnu.version
Value type: Boolean
Default: false
Example: com.fortify.sca.cpfe.gnu.version=true

Objective: Configure SCA to overwrite the log file.
Property: com.fortify.sca.ClobberLogFile
Value type: Boolean
Default: false
The log file will be overwritten each time SCA runs.
Example: com.fortify.sca.ClobberLogFile=true

Objective: Add a prefix to the log file.
Property: com.fortify.sca.SuppressLogPrefix
Value type: String
Default: Not enabled
No prefix is added to the log file name by default. Use this property to add a prefix to the log name.
Example: com.fortify.sca.SuppressLogPrefix=???

Objective: Specify a file or series of files to exclude from a scan. Note: This only works on the command line. You can issue it multiple times to accommodate multiple files.
Property: com.fortify.sca.exclude
Value type: String
Default: Not enabled
Example: com.fortify.sca.exclude=file1.x,file2.x

Objective: This is the same as -debug, but more verbose, specifically when it comes to parse errors.
Property: com.fortify.sca.DebugVerbose
Value type: Boolean
Default: Not enabled
Example: com.fortify.sca.DebugVerbose=true