Cadet 2nd Class

Doubt about scanning

Hello guys,


I am using Fortify on Windows with the GUI.


I am looking for .WAR files to check, so:


I rename it to .ZIP and extract my files to a directory.


Inside the directory, I have many files. Attached are my directory and files.


I start Audit Workbench, choose Advanced Scan, set the directory, then choose JDK 1.6 and follow on.


The scan starts and finishes.


So, in this scan, is Fortify scanning all the files it is able to analyze inside the directory?

I would like to make sure that I am doing the analysis correctly and that no file is missing from the scan.


Therefore, is it possible to scan all files/extensions (that Fortify supports) with just one scan (in this case, the files in the attachment)?





6 Replies
Cadet 2nd Class


The command line below will recursively scan all files and directories within the 'whateverapp' folder, with verbosity set, with debug turned on, creating a log file, forcing a 64-bit scan, specifying 8G of heap memory, specifying Java JDK 1.6, and dumping the output to the 'whateverapp.fpr' audit file.


>sourceanalyzer.exe whateverapp/**/* -verbose -debug -logfile E:\Reports\whateverapp.log -64 -Xmx8G -jdk 1.6 -scan -f E:\Reports\whateverapp.fpr


Hope that helps as I usually only scan from the cmd line.

Cadet 2nd Class



Right! I will try using the CLI, but I have more doubts!


We need to run 3 commands over CLI, right?


1 - sourceanalyzer.exe -b Test -clean


2 - sourceanalyzer.exe whateverapp/**/* -verbose -debug -logfile E:\Reports\whateverapp.log -64 -Xmx8G -jdk 1.6 -scan -f E:\Reports\whateverapp.fpr (your command)


3 - What should it do? (Here is the command that really starts the scan against the .fpr file, right?)


I am confused about those 3 steps!





Cadet 2nd Class

I did a scan with your command line.


The scan ran, but I think only the .jsp files were scanned.


I have 158 .jar files and 22 .class files


C:\Code>sourceanalyzer.exe APP/**/* -verbose -debug -logfile C:\code\1650.log -64 -Xmx10G -jdk 1.6 -scan -f C:\Code\1650.fpr
Fortify Static Code Analyzer 6.30.0086
Processing logs.jsp
Processing teste_relatorio.jsp
Processing index.jsp
Processing ta_arquivos.jsp
Processing sessoes.jsp
Processing index2.jsp
Processing conexao.jsp
Processing memory.jsp
Processing ta_arquivo.jsp
Processing datasources.jsp
Processing infoSistema.jsp
Processing C:/Users/my_user/AppData/Local/Fortify/sca6.3/build/_fortify_libraries_/lib.js
Processing C:/Code/teste_relatorio.jsp
Processing C:/Code/bibliotecas/js/jquery-1.9.1.min.js
Processing C:/Code/wheb_arquivos.jsp
Processing C:/Code/conexao.jsp
Processing C:/Code/bibliotecas/js/testeRelatorio.js
Processing C:/Code/wheb_arquivo.jsp
Processing C:/Code/infoSistema.jsp
Analyzing 34 source file(s)
Configuration analysis complete
Buffer analysis complete
Semantic analysis complete
Data Flow analysis complete
Control Flow analysis complete
Structural analysis complete
Null pointer analysis complete
Rendering 107 results
Analysis completed in 04:15

Cadet 2nd Class

Oh, so you are actually looking for the SCA to inspect the contents of all your .WAR files? You can try and scan those, but if you don't get positive results, just explode the WAR contents into another folder and then scan that.

Cadet 2nd Class

1 - sourceanalyzer.exe -b Test -clean


Answer: This initializes a scan specifying a build named Test, and uses the -clean switch, which deletes all translated *.NST files from your AppData.


It will basically start creating local copies within your C:\Users\<yourUser>\AppData\Local\Fortify\sca<version>\build\<application name>\*.nst


2 - sourceanalyzer.exe whateverapp/**/* -verbose -debug -logfile E:\Reports\whateverapp.log -64 -Xmx8G -jdk 1.6 -scan -f E:\Reports\whateverapp.fpr 


Answer: -verbose lets you see what the SCA is doing in real time, on screen; -debug lets you see more details on all the processing that is occurring within the scan, and it will be kept in the log file shown. A 64-bit scan is an absolute must when dealing with Java applications, since it is exhausting for the JVM, along with specifying 8GB of heap size to help Java not crash. Of course, you'll need at least 16GB or more of physical memory, otherwise you might crash your own system. The -jdk switch tells the SCA what version of the Java Development Kit you are using. The -scan switch tells the sourceanalyzer to actually scan the code for vulnerabilities. The -f switch just tells the SCA where to put the results.


3 - What should it do? 

Answer: Exactly what you tell it to do. There are some misconceptions about scanning code. Sometimes you need to split up your scans depending on the size of the application. I've had instances where the SCA crashed because it ran out of memory.


Final thought: 


My recommendation is to install the full SCA and apps on Linux. You will notice it scans so much faster. Especially if you have a really beefed up linux machine.
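The following bash script is an added example and is not code from any post in this thread. Part 1 wraps the three sourceanalyzer steps explained in the reply above (clean, translate, scan); part 2 addresses the original question of whether every file was picked up, by reading the "Processing <file>" lines that the -verbose log prints (the format shown in the log excerpt earlier in the thread) and comparing them against what is actually on disk in the exploded WAR directory. The build ID "whateverapp", the directory names, and the sample log and files are assumptions constructed for the example; the only sourceanalyzer options it uses are -b, -clean, -64, -Xmx, -jdk, -verbose, -debug, -logfile, -cp, -show-files, -scan and -f. On Windows, run it from Git Bash and substitute sourceanalyzer.exe.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread. Part 1 wraps the three sourceanalyzer
# steps (clean -> translate -> scan); part 2 checks a -verbose log against the
# exploded WAR directory to see which files were never processed.
# Assumed names (not from the thread): build ID "whateverapp", source dir
# ./whateverapp, output dir ./reports. On Windows (Git Bash) use sourceanalyzer.exe.
set -eu
export LC_ALL=C   # stable, byte-order sorting so comm(1) sees matching order

# ---- Part 1: the three steps. Only runs when you call it explicitly. ----
fortify_three_step() {   # usage: fortify_three_step <build-id> <exploded-war-dir> <out-dir>
  local build="$1" src="$2" out="$3"
  mkdir -p "$out"
  # 1. clean: drop stale .nst files for this build ID
  sourceanalyzer -b "$build" -clean
  # 2. translate: everything under $src is handed to SCA; dependency jars go on -cp
  #    so types resolve against them instead of the jars being treated as input files
  sourceanalyzer -b "$build" -64 -Xmx8G -jdk 1.6 -verbose -debug \
      -logfile "$out/$build.translate.log" \
      -cp "$src/WEB-INF/lib/*.jar" "$src"
  # record what actually went into the build; compare this list with your directory
  sourceanalyzer -b "$build" -show-files > "$out/$build.translated-files.txt"
  # 3. scan the translated build and write the FPR
  sourceanalyzer -b "$build" -64 -Xmx8G -verbose -debug \
      -logfile "$out/$build.scan.log" -scan -f "$out/$build.fpr"
}

# ---- Part 2: offline check of a -verbose log ("Processing <file>" lines) ----
processed_files() {      # usage: processed_files <log>; unique basenames SCA reported
  sed -n 's/^Processing //p' "$1" | awk -F/ '{print $NF}' | sort -u
}
ext_counts() {           # stdin: one filename per line -> "<ext> <count>" lines
  awk -F. 'NF>1 {n[tolower($NF)]++} END {for (e in n) print e, n[e]}' | sort
}
not_processed() {        # usage: not_processed <log> <dir> <ext>...; on disk, never processed
  local log="$1" dir="$2"; shift 2
  local pat; pat="$(printf '%s|' "$@")"; pat="${pat%|}"
  local want have; want="$(mktemp)"; have="$(mktemp)"
  find "$dir" -type f | awk -F/ '{print $NF}' | grep -Ei '\.('"$pat"')$' | sort -u > "$want"
  processed_files "$log" > "$have"
  comm -23 "$want" "$have"          # lines only in the on-disk list
  rm -f "$want" "$have"
}

# Constructed sample input (modelled on the log excerpt in the thread; not a real run)
SAMPLE_DIR="$(mktemp -d)"
SAMPLE_LOG="$SAMPLE_DIR/scan.log"
SAMPLE_APP="$SAMPLE_DIR/app"
cat > "$SAMPLE_LOG" <<'EOF'
Fortify Static Code Analyzer 6.30.0086
Processing logs.jsp
Processing index.jsp
Processing C:/Code/logs.jsp
Processing C:/Code/bibliotecas/js/jquery-1.9.1.min.js
Analyzing 3 source file(s)
EOF
mkdir -p "$SAMPLE_APP/bibliotecas/js" "$SAMPLE_APP/WEB-INF/classes/com/acme" "$SAMPLE_APP/WEB-INF/lib"
touch "$SAMPLE_APP/logs.jsp" "$SAMPLE_APP/index.jsp" "$SAMPLE_APP/admin.jsp" \
      "$SAMPLE_APP/bibliotecas/js/jquery-1.9.1.min.js" \
      "$SAMPLE_APP/WEB-INF/classes/com/acme/Login.class" \
      "$SAMPLE_APP/WEB-INF/lib/commons-io.jar"

echo "processed, by extension:";     processed_files "$SAMPLE_LOG" | ext_counts
echo "on disk but never processed:"; not_processed "$SAMPLE_LOG" "$SAMPLE_APP" jsp js java class jar
```

Two things to read from the second list. Jars that you put on -cp are dependencies, so they will not show up as "Processing" lines, and that is expected. Anything else that appears there (in the constructed sample, admin.jsp and Login.class) is a file SCA never reported touching, which is exactly the gap the original question is about; cross-check it against the -show-files output before trusting the FPR as complete.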



Cadet 2nd Class



When you sent me the command line, I got it working without using those 3 steps.


But I am not sure that all the other file extensions were analyzed. I only saw .jsp files.


I am completely sure that I am using 5% of the tool 😞




