Doubt about scanning

Hello guys,


I am using Fortify on Windows with the GUI.


I am looking to check .WAR files, so:


I rename it to .ZIP and extract the files to a directory.


Inside the directory, I have many files. Attached are my directory and files.


I start Audit Workbench, choose Advanced Scan, set the directory, then choose JDK 1.6 and continue.


The scan starts and finishes.


So, in this scan, is Fortify scanning all the files inside the directory that can be analyzed?

I would like to make sure that I am doing the analysis correctly and that no file is missing from the scan.


Therefore, is it possible to scan all files/extensions (that Fortify supports) with just one scan (in this case, the files in the attachment)?


  • The below cmd line syntax will scan recursively all files and directories within the 'whateverapp' folder, with verbosity set, with debug turned on, creating a log file, forcing a 64-bit scan, specifying 8G worth of heap for memory, specifying Java JDK 1.6 and dumping the output to the 'whateverapp.fpr' audit file.


    >sourceanalyzer.exe whateverapp/**/* -verbose -debug -logfile E:\Reports\whateverapp.log -64 -Xmx8G -jdk 1.6 -scan -f E:\Reports\whateverapp.fpr


    Hope that helps as I usually only scan from the cmd line.

  • Hi,


    Right! I will try using the CLI, but I have more questions!


    We need to run 3 commands on the CLI, right?


    1 - sourceanalyzer.exe -b Test -clean


    2 - sourceanalyzer.exe whateverapp/**/* -verbose -debug -logfile E:\Reports\whateverapp.log -64 -Xmx8G -jdk 1.6 -scan -f E:\Reports\whateverapp.fpr (your command)


    3 - What should it do? (This is the command that really starts the scan against the .fpr file, right?)


    I am confused by those 3 steps!





  • I did a scan with your command line.


    The scan ran, but I think that only the .jsp files were scanned.


    I have 158 .jar files and 22 .class files.


    C:\Code>sourceanalyzer.exe APP/**/* -verbose -debug -logfile C:\code\1650.log -64 -Xmx10G -jdk 1.6 -scan -f C:\Code\1650.fpr
    Fortify Static Code Analyzer 6.30.0086
    Processing logs.jsp
    Processing teste_relatorio.jsp
    Processing index.jsp
    Processing ta_arquivos.jsp
    Processing sessoes.jsp
    Processing index2.jsp
    Processing conexao.jsp
    Processing memory.jsp
    Processing ta_arquivo.jsp
    Processing datasources.jsp
    Processing infoSistema.jsp
    Processing C:/Users/my_user/AppData/Local/Fortify/sca6.3/build/_fortify_libraries_/lib.js
    Processing C:/Code/teste_relatorio.jsp
    Processing C:/Code/bibliotecas/js/jquery-1.9.1.min.js
    Processing C:/Code/wheb_arquivos.jsp
    Processing C:/Code/conexao.jsp
    Processing C:/Code/bibliotecas/js/testeRelatorio.js
    Processing C:/Code/wheb_arquivo.jsp
    Processing C:/Code/infoSistema.jsp
    Analyzing 34 source file(s)
    Configuration analysis complete
    Buffer analysis complete
    Semantic analysis complete
    Data Flow analysis complete
    Control Flow analysis complete
    Structural analysis complete
    Null pointer analysis complete
    Rendering 107 results
    Analysis completed in 04:15

  • Oh, so you are actually looking for the SCA to inspect the contents of all your .WAR files? You can try to scan those, but if you don't get positive results, just explode the WAR contents into another folder and then scan that.

  • 1 - sourceanalyzer.exe -b Test -clean


    Answer: This is initializing a scan specifying a build named Test, and using the -clean switch, which will delete all translated *.NST files from your AppData.


    It will basically start creating local copies within your C:\Users\<yourUser>\AppData\Local\Fortify\sca<version>\build\<application name>\*.nst


    2 - sourceanalyzer.exe whateverapp/**/* -verbose -debug -logfile E:\Reports\whateverapp.log -64 -Xmx8G -jdk 1.6 -scan -f E:\Reports\whateverapp.fpr 


    Answer: -verbose makes it so you can see what the SCA is doing in real time, on screen; -debug allows you to see more details on all the processing that is occurring within the scan, and it will be held within the log file shown. A 64-bit scan is an absolute must when dealing with Java applications, since it is exhausting for the JVM, along with specifying 8GB worth of heap size to help Java not crash. Of course, you'll need at least 16GB or more of physical memory, otherwise you might crash your own system. The -jdk switch tells the SCA what version of the Java Development Kit you are using. The -scan switch tells the sourceanalyzer to actually scan the code for vulnerabilities. The -f switch just tells the SCA where to put the results.


    3 - What should it do? 

    Answer: Exactly what you tell it to do. There are some misconceptions about scanning code. Sometimes you need to split up your scans depending on the size of the application. I've had instances where the SCA would crash because it ran out of memory.


    Final thought: 


    My recommendation is to install the full SCA and apps on Linux. You will notice it scans so much faster, especially if you have a really beefed-up Linux machine.



  • Phil,


    When you sent me the command line, I got it working without using those 3 steps.


    But I am not sure that all the other file extensions were analyzed. I only saw .jsp files.


    I am completely sure that I am using 5% of the tool :(
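The concern raised throughout this thread (did every file in the exploded WAR actually get translated, or only the .jsp files?) can be checked mechanically rather than by eyeballing the console. The script below is an added example, not code from the thread or from Fortify: it compares an inventory of the scan directory against the "Processing <file>" lines that sourceanalyzer prints with -verbose and lists every source-like file that never appeared. The extension sets, the sample inventory and the sample log lines are constructed for the example (modelled on the file names shown above); treating .jar and .class as compiled artifacts that belong on -cp rather than as translated source is an assumption about how the scan was configured, not a statement from the page.

```python
#!/usr/bin/env python3
"""Added example (not from the thread): check which files of an exploded WAR
actually appeared in sourceanalyzer's -verbose output.

Assumptions not stated on the page: SOURCE_EXTENSIONS is what we expect the
translator to consume as source; .jar/.class are compiled artifacts that are
passed on -cp for symbol resolution rather than translated, so they are
reported separately. Sample inventory and log lines are constructed from the
file names that appear in the thread.
"""
import os
import posixpath

SOURCE_EXTENSIONS = {".java", ".jsp", ".jspx", ".js", ".xml", ".properties"}
COMPILED_EXTENSIONS = {".jar", ".class"}

# Constructed inventory of an exploded WAR, relative to the scan root.
SAMPLE_FILES = [
    "index.jsp",
    "conexao.jsp",
    "bibliotecas/js/jquery-1.9.1.min.js",
    "bibliotecas/js/testeRelatorio.js",
    "WEB-INF/web.xml",
    "WEB-INF/classes/app/Dao.class",
    "WEB-INF/lib/commons-io.jar",
    "css/site.css",
]

# Constructed -verbose output, modelled on the lines shown in the thread.
SAMPLE_LOG = """Fortify Static Code Analyzer 6.30.0086
Processing index.jsp
Processing conexao.jsp
Processing C:/Users/my_user/AppData/Local/Fortify/sca6.3/build/_fortify_libraries_/lib.js
Processing C:/Code/bibliotecas/js/jquery-1.9.1.min.js
Processing C:/Code/bibliotecas/js/testeRelatorio.js
Analyzing 5 source file(s)
""".splitlines()


def walk_dir(root):
    """Yield every file under root as a forward-slash path relative to root."""
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            yield rel.replace(os.sep, "/")


def processed_files(log_lines):
    """Collect the paths named in 'Processing <path>' lines, normalised."""
    out = set()
    for line in log_lines:
        line = line.strip()
        if line.startswith("Processing "):
            out.add(line[len("Processing "):].strip().replace("\\", "/").lower())
    return out


def _was_processed(rel_path, processed):
    """A file counts as processed if a logged path equals or ends with its relative path.

    The translator prints some files by bare name and some by absolute path,
    so we match on the relative path as a suffix. Matching on the relative
    path rather than the bare basename keeps two different index.jsp files apart.
    """
    rel = rel_path.lower()
    return any(p == rel or p.endswith("/" + rel) for p in processed)


def coverage_report(files, log_lines):
    """Classify inventory files by whether the scan log shows them being translated."""
    processed = processed_files(log_lines)
    report = {"processed": [], "missing_source": [], "compiled": [], "ignored": []}
    for rel in sorted(files):
        ext = posixpath.splitext(rel)[1].lower()
        if ext in COMPILED_EXTENSIONS:
            report["compiled"].append(rel)
        elif ext in SOURCE_EXTENSIONS:
            key = "processed" if _was_processed(rel, processed) else "missing_source"
            report[key].append(rel)
        else:
            report["ignored"].append(rel)
    return report


if __name__ == "__main__":
    rep = coverage_report(SAMPLE_FILES, SAMPLE_LOG)
    for key, items in rep.items():
        print(f"{key} ({len(items)}):")
        for item in items:
            print("   ", item)
```

To use it on a real scan, replace SAMPLE_FILES with `list(walk_dir("C:/Code"))` and SAMPLE_LOG with the lines of the file you passed to -logfile (or captured console output). Anything in `missing_source` is a file you expected to be translated but that the log never mentions; anything in `compiled` is bytecode that a source-only translation will not look inside, which is the likely explanation when a WAR full of .jar and .class files produces a log listing only .jsp and .js.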