aquillius.t@net

Fortify SCA and WebInspect Sample Reports


Hi,

I'm quite new to Fortify. Can someone share some sample reports from SCA and WebInspect? I just want to see what the reports look like and how detailed they are.

Thanks in advance!


Aqui


Accepted Solution
Micro Focus Expert

Re: Fortify SCA and WebInspect Sample Reports


There are sample code and scans for both products, but you will need to do a little legwork to get reports out of them.

For WebInspect, the Sample Scans are under C:\Program Files\Fortify\Fortify WebInspect\Samples\ScanData\.  You will need to Import the scan first, either from the File menu or from the Manage Scans section of the Start Page Tab.  Once you have a scan, you click on the Reports menu and select the scan or scans to include, then the templates of choice.  WebInspect offers 6 output formats, with the *.RAW or "Native" format being only useful for opening the scan up later inside of WebInspect (and you can then use Save As to generate additional copies, without re-running the report).

For SCA, there is sample code under C:\Program Files\Fortify\Fortify_SCA_and_Apps_##.##\Samples\ (..\advanced\ or ..\basic\). First, I generally make a copy of the desired code base and put it under C:\workspace\, and then I run scans of that copy of the code. If you are terribly new at scanning with SCA, you can use the included Audit Workbench tool ("AWB"), or the included Scan Wizard (which generates a scan script to be run later). With a little reverse-engineering and searches for "sourceanalyzer", the scan scripts produced by the Scan Wizard can be helpful if you are seeking to learn how to set up your CLI scripts later. Most users seem to operate from the CLI. Once you have a scan (*.FPR file, "Fortify Project Results" file), you can generate the Reports from the AWB tool, or even inside the SSC Server if you have implemented that and uploaded your FPR there.


-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify
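To get a feel for what sits behind an SCA report, here is an added example (not from this thread and not Fortify's own tooling) that opens an FPR and summarises the findings it contains. It assumes only that an FPR is a zip archive holding an audit.fvdl XML document; the element layout and the three findings below are a constructed, stripped-down subset of a real file.

```python
# Added example: read a Fortify SCA result file (*.FPR) and summarise its findings.
# Assumption: an FPR is a zip archive whose audit.fvdl (XML) holds the results; the
# FVDL layout used here is a constructed subset, real files carry far more per entry.
import io
import zipfile
import xml.etree.ElementTree as ET
from collections import Counter

FVDL_NS = {"f": "xmlns://www.fortifysoftware.com/schema/fvdl"}

# Constructed sample with three findings (two SQL injections, one XSS).
SAMPLE_FVDL = """<?xml version="1.0" encoding="UTF-8"?>
<FVDL xmlns="xmlns://www.fortifysoftware.com/schema/fvdl" version="1.12"><Vulnerabilities>
<Vulnerability><ClassInfo><Type>SQL Injection</Type></ClassInfo>
<InstanceInfo><InstanceID>A1</InstanceID><InstanceSeverity>4.0</InstanceSeverity></InstanceInfo>
<AnalysisInfo><Unified><Trace><Primary><Entry><Node isDefault="true"><SourceLocation
 path="src/Login.java" line="42"/></Node></Entry></Primary></Trace></Unified></AnalysisInfo></Vulnerability>
<Vulnerability><ClassInfo><Type>SQL Injection</Type></ClassInfo>
<InstanceInfo><InstanceID>A2</InstanceID><InstanceSeverity>4.0</InstanceSeverity></InstanceInfo>
<AnalysisInfo><Unified><Trace><Primary><Entry><Node isDefault="true"><SourceLocation
 path="src/Search.java" line="17"/></Node></Entry></Primary></Trace></Unified></AnalysisInfo></Vulnerability>
<Vulnerability><ClassInfo><Type>Cross-Site Scripting</Type></ClassInfo>
<InstanceInfo><InstanceID>B1</InstanceID><InstanceSeverity>3.0</InstanceSeverity></InstanceInfo>
<AnalysisInfo><Unified><Trace><Primary><Entry><Node isDefault="true"><SourceLocation
 path="src/Profile.jsp" line="9"/></Node></Entry></Primary></Trace></Unified></AnalysisInfo></Vulnerability>
</Vulnerabilities></FVDL>"""


def make_fpr_bytes(fvdl_xml: str) -> bytes:
    """Pack an FVDL document into an in-memory FPR (zip containing audit.fvdl)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("audit.fvdl", fvdl_xml)
    return buf.getvalue()


def summarise_fpr(fpr_bytes: bytes) -> dict:
    """Group findings by category and record each one's primary source location."""
    with zipfile.ZipFile(io.BytesIO(fpr_bytes)) as zf:
        root = ET.fromstring(zf.read("audit.fvdl"))
    findings = []
    for vuln in root.findall("f:Vulnerabilities/f:Vulnerability", FVDL_NS):
        # The node flagged isDefault="true" is where AWB shows the finding.
        loc = vuln.find(".//f:Node[@isDefault='true']/f:SourceLocation", FVDL_NS)
        findings.append({
            "id": vuln.findtext("f:InstanceInfo/f:InstanceID", namespaces=FVDL_NS),
            "type": vuln.findtext("f:ClassInfo/f:Type", namespaces=FVDL_NS),
            "severity": float(vuln.findtext("f:InstanceInfo/f:InstanceSeverity", namespaces=FVDL_NS)),
            "location": f"{loc.get('path')}:{loc.get('line')}",
        })
    by_type = Counter(f["type"] for f in findings)
    return {"total": len(findings), "by_type": dict(by_type), "findings": findings}
```

Point `summarise_fpr` at the bytes of a real FPR produced by sourceanalyzer to get the same per-category counts the AWB report tables are built from.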
Raphael Hagi

Re: Fortify SCA and WebInspect Sample Reports


Hello,

The best way to get some sample reports, for me, is to grab some vulnerable code samples from the internet, load them into a test environment and then analyze them. Look for OWASP WebGoat on Google; you will find it in different languages.

So, after that, you can run SCA and WebInspect to compile a bunch of reports to see what you can get from these two powerful tools.



Data, or do not.
Raphael Hagi

Re: Fortify SCA and WebInspect Sample Reports


Thanks, Hans, I completely forgot the samples folders.



Data, or do not.