How to scan C/C++ files in fortify sca?

Hi all,

Hope everyone is doing good.

Can someone suggest how to scan C/C++ files through Fortify Scan Wizard or Fortify Audit Workbench, with and without a build?

  • I simply would not bother without building. Why? As a professional C/C++ dev for 30 years, I know the language makes heavy use of pre-processors.

    Unless you intercept the build then you have NO chance to determine what code is really presented to the compiler by the preprocessor.

    This is why I NEVER use Checkmarx for such languages (Objective C etc.) but instead build.

    The manual is very clear on how to do this. But in essence you clean a container, translate the files touched by the build, then scan them (provided there are not a ton of warnings).

    Work with your devs who know how to build their project - hopefully they can build it from the command line. But GUI integration with MS Code/VSCode/Eclipse is available.

    Let's say they use make (substitute their build command for what they use):

    sourceanalyzer -b pants -clean

    make clean

    sourceanalyzer -b pants -debug -verbose -logfile tran.log make all

    Check the tran.log - does it look clean?

    sourceanalyzer -b pants -debug -verbose -logfile scan.log -scan -f result.fpr

    CAVEATS

    I found Fortify to be good compared to the initial tool we had to use for C/C++. BUT after a while (and this was 12 years ago so maybe it has improved) we realized it was creating too many false positives and also IMHO just didn't understand the language. It also depends on how "clean" your C is. Ours went back to 1985, some of which was K&R rather than ANSI. And no - you DON'T rewrite code like that ... not in the commercial world.

    So eventually we moved to Synopsys Coverity which reported far less issues but each one was worth fixing.

    Your experience may vary. Be prepared to write models to highlight risk in your code - without it you are unlikely to get much more than a generic look at your code.

    The Audit Workbench _might_ make it easier to write C++ rules - again I haven't tried in a while. We tend to use Fortify for Java where it was baked in from the start,
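The clean / translate / check-the-log / scan sequence from the answer above, wrapped in shell functions so the "does tran.log look clean?" step is an actual gate rather than an eyeball check. This is an added example, not the poster's code and not anything shipped by Fortify: it keeps the build ID `pants` and the log file names from the post, skips the `sourceanalyzer` calls when the tool is not on PATH so the log check can be exercised without a Fortify installation, and treats any line containing "warning" or "error" (case-insensitive) as a problem. That heuristic is an assumption about log content, not a documented Fortify log format, and the sample log written by `demo_log_check` is constructed for illustration.

```shell
#!/bin/sh
# Added example: build-integrated Fortify SCA translate -> check -> scan.
# Build ID "pants" and log names follow the forum answer; the log check is
# an assumed heuristic (grep for warning/error), not a documented format.

# Count lines in a translation log that look like warnings or errors.
# Prints the count on stdout; returns 0 when the log is clean, 1 otherwise.
# "|| true" keeps grep's exit status 1 (no matches) from aborting under set -e.
count_log_problems() {
    logfile="$1"
    n=$(grep -Eic 'warning|error' "$logfile" || true)
    echo "$n"
    [ "$n" -eq 0 ]
}

# Full sequence from the answer: clean the build container, clean the project,
# translate by intercepting the real build, gate on the translation log, scan.
# Returns 2 if sourceanalyzer is not installed, 1 if the log is not clean.
fortify_build_and_scan() {
    build_id="${1:-pants}"
    if ! command -v sourceanalyzer >/dev/null 2>&1; then
        echo "sourceanalyzer not found on PATH; nothing to do" >&2
        return 2
    fi
    sourceanalyzer -b "$build_id" -clean
    make clean
    sourceanalyzer -b "$build_id" -debug -verbose -logfile tran.log make all
    problems=$(count_log_problems tran.log) || {
        echo "tran.log has $problems warning/error lines; fix translation before scanning" >&2
        return 1
    }
    sourceanalyzer -b "$build_id" -debug -verbose -logfile scan.log -scan -f result.fpr
}

# Writes a constructed (not real Fortify) translation log and runs the check,
# so the gating logic can be seen without a build. Prints the problem count.
demo_log_check() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
translating src/main.c
translating src/parser.c
WARNING: could not resolve include path for legacy/kr_io.h
error: unrecognized compiler flag -fsomething-old
translating src/util.c
EOF
    count=$(count_log_problems "$tmp" || true)
    rm -f "$tmp"
    echo "$count"
}

# Run directly: show the demo, then attempt the real sequence if Fortify exists.
if [ "${0##*/}" = "fortify_scan_example.sh" ]; then
    echo "constructed log problem count: $(demo_log_check)"
    fortify_build_and_scan pants || echo "scan not run (exit $?)"
fi
```

The point of gating on the log is the one the answer makes: if translation did not see the same preprocessed code the compiler saw (missing include paths, unknown flags), the scan is of something other than what ships, so stop there rather than audit an FPR built on a partial translation.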