
Doubt about scanning

Hello guys,

I am using Fortify on Windows with the GUI.

I am looking for .WAR files to check, so:

I rename it to .ZIP and extract my files to a directory.

Inside the directory, I have many files. Attached are my directory and files.

I start the Audit Workbench, choose Advanced Scan, set the directory, then choose JDK 1.6 and continue.

The scan starts and finishes.

So, in this scan, is Fortify scanning all possible files to be analyzed inside the directory?

I would like to make sure that I am doing the correct analysis and that no file is missing from the scan.

Therefore, is it possible to scan all files/extensions (that Fortify can handle) with just one scan (in this case, the files in the attachment)?

Thanks,

Diego


The command line below will recursively scan all files and directories within the 'whateverapp' folder, with verbosity set, debug turned on, a log file created, a 64-bit scan forced, 8 GB of heap specified for memory, JDK 1.6 specified, and the output written to the 'whateverapp.fpr' audit file.

>sourceanalyzer.exe whateverapp/**/* -verbose -debug -logfile E:\Reports\whateverapp.log -64 -Xmx8G -jdk 1.6 -scan -f E:\Reports\whateverapp.fpr

Hope that helps; I usually only scan from the cmd line.


Hi,

Right! I will try using the CLI, but I have more doubts!

We need to run 3 commands over the CLI, right?

1 - sourceanalyzer.exe -b Test -clean

2 - sourceanalyzer.exe whateverapp/**/* -verbose -debug -logfile E:\Reports\whateverapp.log -64 -Xmx8G -jdk 1.6 -scan -f E:\Reports\whateverapp.fpr (your command)

3 - What should it do? (Here is the command to really start the scan against the .fpr file, right?)

I am confused by those 3 steps!

Thanks,

Diego


I did a scan with your command line.

The scan ran, but I think that only .jsp files were scanned.

I have 158 .jar files and 22 .class files.

 

C:\Code>sourceanalyzer.exe APP/**/* -verbose -debug -logfile C:\code\1650.log -64 -Xmx10G -jdk 1.6 -scan -f C:\Code\1650.fpr
Fortify Static Code Analyzer 6.30.0086
Processing logs.jsp
Processing teste_relatorio.jsp
Processing index.jsp
Processing ta_arquivos.jsp
Processing sessoes.jsp
Processing index2.jsp
Processing conexao.jsp
Processing memory.jsp
Processing ta_arquivo.jsp
Processing datasources.jsp
Processing infoSistema.jsp
Processing C:/Users/my_user/AppData/Local/Fortify/sca6.3/build/_fortify_libraries_/lib.js
Processing C:/Code/teste_relatorio.jsp
Processing C:/Code/bibliotecas/js/jquery-1.9.1.min.js
Processing C:/Code/wheb_arquivos.jsp
Processing C:/Code/conexao.jsp
Processing C:/Code/bibliotecas/js/testeRelatorio.js
Processing C:/Code/wheb_arquivo.jsp
Processing C:/Code/infoSistema.jsp
Analyzing 34 source file(s)
Configuration analysis complete
Buffer analysis complete
Semantic analysis complete
Data Flow analysis complete
Control Flow analysis complete
Structural analysis complete
Null pointer analysis complete
Rendering 107 results
Analysis completed in 04:15


Oh, so you are actually looking for the SCA to inspect the contents of all your .WAR files? You can try scanning those, but if you don't get positive results, just explode the WAR contents into another folder and then scan that.


1 - sourceanalyzer.exe -b Test -clean

Answer: This initializes a scan specifying a build named Test and uses the -clean switch, which will delete all translated *.NST files from your AppData.

It will basically start creating local copies within C:\Users\<yourUser>\AppData\Local\Fortify\sca<version>\build\<application name>\*.nst

2 - sourceanalyzer.exe whateverapp/**/* -verbose -debug -logfile E:\Reports\whateverapp.log -64 -Xmx8G -jdk 1.6 -scan -f E:\Reports\whateverapp.fpr

Answer: -verbose lets you see what the SCA is doing in real time, on screen; -debug lets you see more details on all the processing that is occurring within the scan, and it will be held within the log file shown. A 64-bit scan is an absolute must when dealing with Java applications, since it is exhausting for the JVM, along with specifying 8 GB of heap size to help Java not crash. Of course, you'll need at least 16 GB or more of physical memory, otherwise you might crash your own system. The -jdk switch tells the SCA what version of the Java Development Kit you are using. The -scan switch tells sourceanalyzer to actually scan the code for vulnerabilities. The -f switch just tells the SCA where to put the results.

3 - What should it do?

Answer: Exactly what you tell it to do. There are some misconceptions about scanning code. Sometimes you need to split up your scans depending on the size of the application. I've had instances where the SCA would crash because it ran out of memory.

Final thought:

My recommendation is to install the full SCA and apps on Linux. You will notice it scans so much faster, especially if you have a really beefed-up Linux machine.

-Phil

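As an added example that is not part of this thread, here is a small POSIX shell script for the Linux setup Phil recommends. It inventories the exploded WAR by extension (so Diego can compare what is on disk against what SCA reports), then runs Phil's three phases as separate sourceanalyzer commands sharing one build ID, with the WEB-INF/lib jars passed via -cp so the JSP and Java translation can resolve them. The -cp and -show-files options are standard sourceanalyzer flags; the build ID, heap size, log and .fpr paths are assumptions.

```shell
#!/bin/sh
# Added example (not from this thread). Assumes an exploded WAR under the
# directory given as $1; build ID, heap size and output paths are assumptions.

# Count files per extension so the on-disk inventory can be compared with
# what the translate phase reports. Files with no extension are ignored.
inventory_extensions() {
    find "$1" -type f \
        | sed -n 's#.*/[^/]*\.\([A-Za-z0-9]*\)$#\1#p' \
        | tr 'A-Z' 'a-z' | sort | uniq -c | awk '{print $1, $2}'
}

# Every jar under WEB-INF/lib, joined with ':' for -cp (use ';' on Windows).
jar_classpath() {
    find "$1/WEB-INF/lib" -name '*.jar' 2>/dev/null | sort | paste -s -d ':' -
}

# Phil's three phases as separate commands sharing one build ID: clean,
# translate (with the dependency jars on the classpath), then scan.
# The quoted "**/*" glob is expanded by sourceanalyzer itself, not the shell.
run_sca_phases() {
    app_dir=$1; build_id=$2; fpr=$3
    cp=$(jar_classpath "$app_dir")
    sourceanalyzer -b "$build_id" -clean
    sourceanalyzer -b "$build_id" -jdk 1.6 ${cp:+-cp "$cp"} \
        -logfile "$build_id.log" "$app_dir/**/*"
    sourceanalyzer -b "$build_id" -show-files      # what was actually translated
    sourceanalyzer -b "$build_id" -64 -Xmx8G -scan -f "$fpr"
}

# Usage: ./scan_war.sh /path/to/exploded_war  (SCA phases run only if installed)
if [ -n "$1" ]; then
    echo "Files per extension in $1:"; inventory_extensions "$1"
    if command -v sourceanalyzer >/dev/null 2>&1; then
        run_sca_phases "$1" whateverapp whateverapp.fpr
    fi
fi
```

Compare the inventory's .jsp/.java/.js counts with the -show-files listing; .jar and .class entries are expected to appear only as classpath input, not as translated files.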

Phil,

When you sent me the command line, I got it working without using those 3 steps.

But I am not sure that all the other file extensions were analyzed. I just saw .jsp files.

I am completely sure that I am using 5% of the tool 😞

Thanks,

Diego
