How can I do data sampling and consistency for a Fortify args file?

Hello, everyone.

I don't know what the "data sampling and consistency" process means.

I wonder what this means and what I need to do to get this to work.

Please help me.

  • Any more context on why you need to do this? I have used Fortify for 12 years and I have never heard of this before. What are you trying to achieve, please? I have seen this sort of thing when profiling an application with Sun Solaris tools, but for sure this isn't what you are doing.

  • This is my customer's order.

    They want to binary-analyze a specific args file and then check the data sampling and consistency result data.

    Here is the args file:

    "-exclude" "/sdb1/.jenkins/workspace/ocb-webview-frontend/**/*.py"
    "-exclude" "/sdb1/.jenkins/workspace/ocb-webview-frontend/**/*.rb"
    "-exclude" "/sdb1/.jenkins/workspace/ocb-webview-frontend/**/*.php"
    "-exclude" "/sdb1/.jenkins/workspace/ocb-webview-frontend/node_modules/**/*.js"
    "/sdb1/.jenkins/workspace/ocb-webview-frontend"

    And this is the Linux shell script:

    #!/bin/bash
    BUILD_ID=ocb-webview-frontend
    APPLICATION_ID=81
    SRC_DIR=/home/sa/jenkins/workspace/ocb-webview-frontend
    ARGS_FILE=/home/sa/fortify_work/scripts/ARGS/${BUILD_ID}.args
    ARGS_BYTE_FILE=/home/sa/fortify_work/scripts/ARGS/${BUILD_ID}.bytecode.args
    JAVAOPT="-Xmx12288M"

    ###########################################################
    #
    # Read the shared configuration (log/MBS/FPR paths, ScanCentral URL and token)
    #
    ###########################################################
    THIS_IS_CONFIG_FILE="/home/sa/fortify_work/scripts/__init__.conf"
    echo "###########################################################"
    echo "# Read the ${THIS_IS_CONFIG_FILE} file..."
    echo "###########################################################"
    if [ -f "${THIS_IS_CONFIG_FILE}" ]; then
        . "${THIS_IS_CONFIG_FILE}"
    else
        echo "${THIS_IS_CONFIG_FILE} can't be read."
        exit 1
    fi
    echo "** Log File: ${BUILD_LOG_FILE}"
    echo "** Build Directory: ${SCA_DATA_DIR}/build/${BUILD_ID}"
    echo "** MBS File: ${MBS_FILE}"
    echo "** FPR File: ${FPR_FILE}"

    ###########################################################
    #
    # Build (translate the sources listed in the args file)
    #
    ###########################################################
    cd "${SRC_DIR}" || exit 1
    echo "** sca clean"
    sourceanalyzer -b "${BUILD_ID}" -clean
    echo "** sca ARGS_FILE"
    sourceanalyzer -verbose -debug -b "${BUILD_ID}" ${JAVAOPT} -logfile "${BUILD_LOG_FILE}" @"${ARGS_FILE}"

    ###########################################################
    #
    # Export the translated build session (MBS) and clean the local build
    #
    ###########################################################
    sourceanalyzer -b "${BUILD_ID}" -export-build-session "${MBS_FILE}"
    sourceanalyzer -b "${BUILD_ID}" -clean

    ###########################################################
    #
    # Scan the MBS on ScanCentral and fetch the resulting FPR
    #
    ###########################################################
    if [ -f "${MBS_FILE}" ]
    then
        scancentral -url "${SC_CONTROLLER_URL}" start -upload -versionid "${APPLICATION_ID}" -uptoken "${SC_CTRL_TOKEN}" -block -o -f "${FPR_FILE}" -mbs "${MBS_FILE}" -scan ${JAVAOPT}
        rm -f "${MBS_FILE}"
    fi

    # Upload the FPR to the Dev SSC Server
    # (upload_to_devssc is not defined here; presumably it comes from the sourced config file)
    upload_to_devssc "${FPR_FILE}" "${APPLICATION_ID}"

  • I don't see any binary analysis here at all, well, not explicit at least.
    If I read the script properly, you clean out the container.

    Then you load in an MBS.

    Then you send it off to Scan Central (we need to trial this in my company; I added it to a VM and it seems to work well. You are modelling the case where the user provides you with a translate; if you knew how to build their code you could even do that).

    If successful, you upload the FPR.

    Now, any binary analysis of JAR files, say, will happen only if the SCA has found the classpaths and can understand the format of the JAR. From what I understood, the format changes sometimes as the JDK changes, so later SCAs are required to process more modern JDKs.
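One concrete consistency check a practitioner can run on an args file of the shape posted above, as an added example that is not from the thread: it splits the quoted tokens, pairs each "-exclude" with its pattern, treats the remaining bare tokens as source roots, and compares them with the script's SRC_DIR; in the posted files the args file points at /sdb1/.jenkins/workspace/... while SRC_DIR is /home/sa/jenkins/workspace/..., which is exactly the kind of mismatch such a check surfaces. The handling of options other than "-exclude" is an assumption of this example, not a full sourceanalyzer option table.

```python
import posixpath
import shlex

# Constructed copy of the args file posted above (embedded, not read from disk).
ARGS_TEXT = '''
"-exclude" "/sdb1/.jenkins/workspace/ocb-webview-frontend/**/*.py"
"-exclude" "/sdb1/.jenkins/workspace/ocb-webview-frontend/**/*.rb"
"-exclude" "/sdb1/.jenkins/workspace/ocb-webview-frontend/**/*.php"
"-exclude" "/sdb1/.jenkins/workspace/ocb-webview-frontend/node_modules/**/*.js"
"/sdb1/.jenkins/workspace/ocb-webview-frontend"
'''
SRC_DIR = "/home/sa/jenkins/workspace/ocb-webview-frontend"  # as set in the script above

def parse_args_file(text):
    """Split @args text (shell-style quoting) into (exclude_patterns, source_roots)."""
    # Only "-exclude" is paired with a value; other "-option" tokens are skipped
    # (an assumption of this example, not a full sourceanalyzer option table).
    tokens, excludes, roots, i = shlex.split(text), [], [], 0
    while i < len(tokens):
        if tokens[i] == "-exclude":
            if i + 1 == len(tokens):
                raise ValueError("-exclude at end of file has no pattern")
            excludes.append(tokens[i + 1])
            i += 1
        elif not tokens[i].startswith("-"):
            roots.append(tokens[i])
        i += 1
    return excludes, roots

def glob_dir_prefix(pattern):
    """Directory part of a glob before its first wildcard: /a/b/**/*.py -> /a/b."""
    cut = min([len(pattern)] + [k for k in map(pattern.find, "*?[") if k >= 0])
    return posixpath.dirname(pattern[:cut])

def is_under(path, root):
    path, root = posixpath.normpath(path), posixpath.normpath(root)
    return path == root or path.startswith(root + "/")

def check_consistency(args_text, src_dir):
    """Return findings as strings; an empty list means the args file and SRC_DIR agree."""
    excludes, roots = parse_args_file(args_text)
    findings = [] if roots else ["args file names no source root to translate"]
    for root in roots:  # every translated root should be SRC_DIR or a directory inside it
        if not is_under(root, src_dir):
            findings.append(f"source root {root} is not under SRC_DIR {src_dir}")
    for pat in excludes:  # an exclude outside every root matches nothing
        if not any(is_under(glob_dir_prefix(pat), r) for r in roots):
            findings.append(f"exclude {pat} lies outside every source root (no effect)")
    return findings
```

Running check_consistency(ARGS_TEXT, SRC_DIR) on the posted values reports one finding, the differing source root; with SRC_DIR set to the /sdb1 path the list is empty.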