
How to use HP SCA to scan my iOS project and get a report


Windows:

I have HP SCA 4.21 installed on my Windows7 64 bit machine with license and rule-packs.

I have my iOS project downloaded on the same machine.

Then I did the following thing:

  1. I opened the AuditWorkbench; there are only two options under "Start New Project": "Scan Java Project" and "Advance Scan...". I chose the Advance scan.
  2. I selected the root of the iOS project, the .h and .m files are not shown at all, the only files shown are the html files.
  3. I continued to the end finding out that it scanned only those html files.

Mac:

Then I installed SCA 4.21 on my Mac mini (OSX-10.10, Xcode-6.2, iOS-8.2) and downloaded the iOS project.

I followed the same steps and got the same result; it didn't recognize the .h and .m files either.

Then I used the sourceanalyzer command in the terminal:

sourceanalyzer -b YYYY -clean
sourceanalyzer -b YYYY xcodebuild -project YYYY.xcodeproj -target YYYY -configuration Debug -sdk iphonesimulator8.2 ARCHS=i386 GCC_TREAT_WARNINGS_AS_ERRORS=NO OTHER_CFLAGS="-w"

then the xcodebuild compiled the project, but with a lot of generated errors, like:

In file included from /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneSimulator.platform/Developer/SDKs/iPhoneSimulator8.2.sdk/System/Library/Frameworks/UIKit.framework/Headers/UIKit.h:9:
In file included from /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneSimulator.platform/Developer/SDKs/iPhoneSimulator8.2.sdk/System/Library/Frameworks/UIKit.framework/Headers/UIAccelerometer.h:8:
In file included from /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneSimulator.platform/Developer/SDKs/iPhoneSimulator8.2.sdk/System/Library/Frameworks/Foundation.framework/Headers/Foundation.h:74:
/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneSimulator.platform/Developer/SDKs/iPhoneSimulator8.2.sdk/System/Library/Frameworks/Foundation.framework/Headers/NSURL.h:86:1: error: 'objc_returns_inner_pointer' attribute only applies to methods
@property (readonly) __strong const char *fileSystemRepresentation NS_RETURNS_INNER_POINTER NS_AVAILABLE(10_9, 7_0);
^   ~~~~~~~~~~~~~~~~~~~~~~~~
9 errors generated.

Or

Translation errors occurred during execution of /....../clang.fortify

No compiler errors occur without sourceanalyzer, as I tried with:

xcodebuild -project YYYY.xcodeproj -target YYYY -configuration Debug -sdk iphonesimulator8.2 ARCHS=i386 GCC_TREAT_WARNINGS_AS_ERRORS=NO OTHER_CFLAGS="-w"

Then I entered the command:

sourceanalyzer -b buildID -scan -f buildID.fpr

which gave me something like this:

[warning]: NST file: /Users/xxx/.fortify/sca6.2/build/yyy/Users/xxx/Documents/workspace/YYYY/AFNetworking/AFNetworkReachabilityManager.m.nst does not exist or removed.
[warning]: Some errors or warnings were suppressed.  Check the results file for a full listing of all warnings and errors.

I opened the buildID.fpr, and the workbench told me:

  • there were no issues found, not a single one.
  • scanned 55 files, 0 LOC (Executable)
  • 661 warnings occurred during the scan, like "NST file main.m.nst not exist or removed" and a lot of "NS_RETURNS_INNER_POINTER" problems

My instinct told me a probable truth that something went wrong, and very wrong.

I just don't know what the problem is here.

I have succeeded in running an Android project on my Windows machine.

It seems it doesn't support Objective-C, but I doubt that.

Do I need a special license that supports iOS Objective-C? I don't think so, but I am not sure.


So, here comes the famous question:

How to use HP SCA to scan my iOS project and get a report?

Anyone, any suggestions, any help?


Accepted Solutions

Hi Can Liu,

To scan iOS projects SCA hooks into the Xcode build process. As such it's not possible to perform an iOS scan on a Windows machine and you need to specify the xcodebuild command as part of your translation - you can't just point SCA to the source itself as with an Android scan.

On the Mac, your command to translate is correct. However SCA 4.21 does not support Xcode 6.2, as such we're not actually scanning any of the source. Support for Xcode 6.2 will be released as part of v4.30 which we anticipate to be able to make available next month. In the meantime there's an experimental hotfix available which should allow you to at least get some results with v4.21 - to obtain this please drop an email to our support team at fortifytechsupport@hp.com. They'll be able to assist you further.

Also, a couple of docs with further info on this:

Page 14 of

Pages 35/36 of

Just let me know if you have any queries.

Kind Regards,

Simon

8 Replies

Yes, it worked. Thanks a lot


We're experiencing the same issues, and as such, have submitted a request to Tech Support for the hotfix just a few minutes ago; however, what to do about the .nst warnings?


Hi Michaella,

Good to hear from you. The .nst warnings are directly related to the fact that out of the box v4.21 can't cope with Xcode 6 or above. Once you have the hotfix it should enable you to at least get scans running on v4.21. It is worth noting however that this was an experimental hotfix and so was, to use a technical term, "a little shaky".

Xcode support was completely rewritten in v4.30 and now supports up to Xcode 6.2. As such it's now much more stable and will be much easier for us to upgrade to support the latest Xcode releases going forward.

Having said that, I know you guys have only just upgraded so a further upgrade is probably a while off. The hotfix should hopefully solve your immediate problems but if there's any way to use the 4.3 engine for your iOS scans I highly recommend it - it's just so much more reliable.

If you have any trouble with the hotfix, I'm sure the team will be super helpful, but feel free to give me a shout directly if you need me.

Kind Regards,

Simon


Thanks Simon!  Good to hear from you as well!! 

We're still working on the v4.21 upgrade...hoping to get there eventually!  We've downloaded the hotfix, per your instruction and are testing it with a couple of developers.  Remaining optimistic that this will get us over the hump until we can take on another upgrade...hopefully this fall.


It is now producing an FPR...further than it had been but we're still seeing warnings about NST files that do not exist or that have been removed.  There are still no results in the report and we expected to see something.


Hi Michaella, can you please run the translation and scan with the -debug and -logfile <path to log> options and send me the resulting log and output from the command line to the Support Case you opened? I want to verify that the hotfix is being picked up correctly. As this was a rough hotfix, 9 times out of 10 (or more) it works straight off the bat, but there's also a few Xcode 6 specific options we occasionally need to tweak some settings for.
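As an added example, not part of this thread and not Fortify's own tooling: a POSIX shell check over a sourceanalyzer log (the kind Simon asks for above with -debug and -logfile) for the symptoms Can Liu lists in the question, missing .nst files and clang.fortify translation errors, so an FPR showing "0 LOC (Executable)" is caught before anyone reads it as a clean result. It runs on constructed sample lines; the file paths and everything beyond the quoted warning text are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or from Fortify): sanity-check a
# sourceanalyzer -debug -logfile output for an "empty translation" before
# trusting the FPR built from it.

# Constructed sample log, modelled on the warnings quoted in the question.
# Paths are placeholders, not real build output.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
[warning]: NST file: /tmp/build/app/AFNetworkReachabilityManager.m.nst does not exist or removed.
[warning]: NST file: /tmp/build/app/main.m.nst does not exist or removed.
/tmp/sdk/Foundation.framework/Headers/NSURL.h:86:1: error: 'objc_returns_inner_pointer' attribute only applies to methods
Translation errors occurred during execution of /tmp/sca/bin/clang.fortify
[warning]: Some errors or warnings were suppressed.
EOF

# Number of lines in file $2 matching pattern $1 (prints 0 when none match).
count_matches() {
    grep -c -- "$1" "$2" 2>/dev/null || true
}

# Source files whose translation output (.nst) never appeared, one per line.
missing_nst_sources() {
    sed -n 's|.*NST file: .*/\([^/]*\)\.nst does not exist.*|\1|p' "$1"
}

# Returns 0 if the log looks healthy, 1 if a scan of this build would
# under-report: some sources produced no NST, or clang.fortify failed.
check_translation_log() {
    log="$1"
    nst_missing=$(count_matches 'NST file: .* does not exist or removed' "$log")
    translate_errs=$(count_matches 'Translation errors occurred' "$log")
    echo "missing NST files: $nst_missing; clang.fortify translation failures: $translate_errs"
    if [ "$nst_missing" -gt 0 ] || [ "$translate_errs" -gt 0 ]; then
        echo "translation incomplete; do not trust an FPR built from this log:" >&2
        missing_nst_sources "$log" >&2
        return 1
    fi
    return 0
}

check_translation_log "$SAMPLE_LOG" || echo "check failed as expected for the sample log (status $?)"
```

With a real log, pass its path to check_translation_log; a non-zero exit is the signal that the xcodebuild hook did not translate the Objective-C sources, whatever the FPR's issue count says.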


Done

Thanks!

Michaella Hess

American Family Insurance

Information Security Department

608-249-2111 x30788
