Using esapi.bin with AWB and SSC

Fortify has made available esapi.bin to be used with AWB as an optional rulepack. We have attempted to upload this file to SSC and also tried to add it to AWB. With SSC is it rejected as not a valid file type. In AWB, it is accepted, but does not appear to be used when running a scan. 

We have a large number of legacy Java apps that use the ESAPI library for validation. We would like to include this rulepack in all of our instances of SCA/AWB and SSC. Other than adding it in the CLI with each scan, how can this rulepack be added to the static scanning tools and SSC?

Thanks!

Parents
  • As a follow up, when we do run a scan adding esapi.bin as an additional rulepack, we get the following error. 

    "[error]: Unable to load rules file /Applications/Fortify/customrules/esapi.bin: invalid encrypted stream"

    We also see these errors in AWB and SSC when trying to load esapi.bin. Is it possible the file is encrypted incorrectly? 

  • any update from fortify ? are u manage to resolve
  • I have not used this esapi rule pack before, but did you try putting it in this directory?

    Replace <version> with your version, ex. 19.2.0  or your installation path

    C:\Program Files\Fortify\Fortify_SCA_and_Apps_<version>\Core\config\customrules

    The README file in this directory states the following

    This directory can be used for custom rulepacks which should always be used when sourceanalyzer does a scan. Any rulepacks in this directory will always be used during analysis. The rulepack update utility will never add or remove rulepacks from this directory. To configure sourceanalyzer to look in another
    location for rulepacks, set the property com.fortify.sca.CustomRulesDir in the fortify-sca.properties file.

Reply
  • I have not used this esapi rule pack before, but did you try putting it in this directory?

    Replace <version> with your version, ex. 19.2.0  or your installation path

    C:\Program Files\Fortify\Fortify_SCA_and_Apps_<version>\Core\config\customrules

    The README file in this directory states the following

    This directory can be used for custom rulepacks which should always be used when sourceanalyzer does a scan. Any rulepacks in this directory will always be used during analysis. The rulepack update utility will never add or remove rulepacks from this directory. To configure sourceanalyzer to look in another
    location for rulepacks, set the property com.fortify.sca.CustomRulesDir in the fortify-sca.properties file.

Children