Using esapi.bin with AWB and SSC

Fortify has made available esapi.bin to be used with AWB as an optional rulepack. We have attempted to upload this file to SSC and also tried to add it to AWB. With SSC is it rejected as not a valid file type. In AWB, it is accepted, but does not appear to be used when running a scan. 

We have a large number of legacy Java apps that use the ESAPI library for validation. We would like to include this rulepack in all of our instances of SCA/AWB and SSC. Other than adding it in the CLI with each scan, how can this rulepack be added to the static scanning tools and SSC?

Thanks!

Parents
  • As a follow up, when we do run a scan adding esapi.bin as an additional rulepack, we get the following error. 

    "[error]: Unable to load rules file /Applications/Fortify/customrules/esapi.bin: invalid encrypted stream"

    We also see these errors in AWB and SSC when trying to load esapi.bin. Is it possible the file is encrypted incorrectly? 

Reply
  • As a follow up, when we do run a scan adding esapi.bin as an additional rulepack, we get the following error. 

    "[error]: Unable to load rules file /Applications/Fortify/customrules/esapi.bin: invalid encrypted stream"

    We also see these errors in AWB and SSC when trying to load esapi.bin. Is it possible the file is encrypted incorrectly? 

Children