jrakestraw83 (Regular Contributor)

Scanning files with non-standard file extensions

We are currently on SCA version 17.20 and looking to scan a few file types that are not standard extensions. We have gone into the fortify-sca.properties file and added a couple lines within the com.fortify.sca.fileextensions section (see below) and saved. When we go to run the scan wizard, it does not find these file types within the folder we are scanning. I have gone through the SCA Guide as well as other User Guides and am unable to find any other places that we would need to update to be able to find these file types. 


com.fortify.sca.fileextensions.grt = SQL
com.fortify.sca.fileextensions.syn = SQL

We are in the works in getting version 18.20, just looking for workarounds until that point. 

0 Likes
11 Replies
Micro Focus Expert

Re: Scanning files with non-standard file extensions

That syntax appears to be technically correct.  Allowed Types are:  JAVA, JSP, JSPX, BYTECODE, ARCHIVE, TLD, JAVASCRIPT, PHP, PYTHON, HTML, PLSQL, TSQL, SQL, XML, JAVA_PROPERTIES, CFML, RUBY, RUBY_ERB, MSIL, CSHARP, VB, ASP, ASPX, VB6, VBSCRIPT, ABAP, BSP, ACTIONSCRIPT, MXML, COBOL

Have you tried using the TSQL or PLSQL Types rather than SQL?

I am not familiar with those specific file types, but it is also important to note that if the file does not contain source code, SCA will not scan it for vulns.


-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify
0 Likes
jrakestraw83 (Regular Contributor)

Re: Scanning files with non-standard file extensions

Thanks. We're not getting an error when we go to scan them, we just are not seeing those files listed after opening scan wizard. We set the location of that code as well as others that are in the same location. The standard .sql/.pks/.pkb files all show up, just not the couple that we added into the properties file.

0 Likes
Micro Focus Expert

Re: Scanning files with non-standard file extensions

Maybe you could try renaming one or two of the .syn and .grt files to .sql and see if it gets picked up. That will help narrow it down to non-recognisable content or custom file extension not working.

0 Likes
jrakestraw83 (Regular Contributor)

Re: Scanning files with non-standard file extensions

@Jas1 We have changed over the file types to .sql and they get picked up. They are just sql files that have a different extension to help identify what is being created/updated (i.e. .tab is a sql file that creates/updates a table).

0 Likes
Micro Focus Expert

Re: Scanning files with non-standard file extensions

Based on your result, the root cause should be the com.fortify.sca.fileextensions configuration.

I did some digging and there was a customer having a similar issue.

It seems it's a 2-step process. You have done step 1 for grt and syn correctly. Maybe you missed step 2, which is to add grt and syn to com.fortify.sca.DefaultFileTypes.

Fingers crossed that all you are missing is step 2. 

1st step:
com.fortify.sca.fileextensions.csproj = XML  
2nd step: Make sure the extension is added here. For this specific instance where you were directly translating the csproj file it would not have mattered much but for a larger scope it should be here.
com.fortify.sca.DefaultFileTypes=java,rb,jsp,jspx,tag,tagx,tld,sql,cfm,php,csproj,phtml,ctp,pks,pkh,pkb,xml,config,Config,settings,properties,dll,exe,winmd,cs,vb,asax,ascx,ashx,asmx,aspx,master,Master,xaml,baml,cshtml,vbhtml,inc,asp,vbscript,js,ini,bas,cls,vbs,frm,ctl,html,htm,xsd,wsdd,xmi,py,cfml,cfc,abap,xhtml,cpx,xcfg,jsff,as,mxml,cbl,cscfg,csdef,wadcfg,wadcfgx,appxmanifest,wsdl,plist,bsp,ABAP,BSP,swift,page,trigger,scala

0 Likes
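The two-step check described in the reply above, as an added example (not part of the original thread and not Fortify's own tooling): it parses an excerpt of fortify-sca.properties and reports which extensions in a file listing lack either the fileextensions mapping or a DefaultFileTypes entry. The sample properties text, the file paths and all function names are constructed for illustration.

```python
import os
from collections import Counter

PREFIX = "com.fortify.sca.fileextensions."
DEFAULT_KEY = "com.fortify.sca.DefaultFileTypes"

# Constructed sample: grt has both steps done, syn has step 1 only.
SAMPLE_PROPS = """\
# fortify-sca.properties (excerpt, constructed)
com.fortify.sca.fileextensions.grt = SQL
com.fortify.sca.fileextensions.syn = SQL
com.fortify.sca.DefaultFileTypes=java,sql,pks,pkb,grt
"""
# Constructed file listing from a database source tree.
SAMPLE_PATHS = ["db/users.grt", "db/users.syn", "db/orders.syn",
                "db/orders.tab", "db/README"]

def parse_properties(text):
    """Parse plain key=value lines; comments and blank lines are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def default_types(props):
    return {e.strip() for e in props.get(DEFAULT_KEY, "").split(",") if e.strip()}

def check_extensions(props, wanted):
    """Per extension: mapped type (step 1) and DefaultFileTypes membership (step 2)."""
    defaults = default_types(props)
    return {ext: {"mapped_type": props.get(PREFIX + ext),
                  "in_default_types": ext in defaults} for ext in wanted}

def skipped_extensions(paths, props):
    """Count files whose extension is missing from step 1 or step 2."""
    # Assumption: exact-case match, since the page's list has 'config' and 'Config'.
    defaults = default_types(props)
    counts = Counter()
    for path in paths:
        ext = os.path.splitext(path)[1].lstrip(".")
        if ext and (PREFIX + ext not in props or ext not in defaults):
            counts[ext] += 1
    return dict(counts)

if __name__ == "__main__":
    print(skipped_extensions(SAMPLE_PATHS, parse_properties(SAMPLE_PROPS)))
```

A clean result only rules out a missing setting; later in this thread the same settings were picked up by Audit Workbench but not by the Scan Wizard.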
jrakestraw83 (Regular Contributor)

Re: Scanning files with non-standard file extensions

We had added them into that list as well and it still did not pull them. Based on everything we've seen online and through other forums, it appears we have everything set up correctly.

I had quickly spoken with Micro Focus Support yesterday and will be sending over screenshots of everything to them to see if they can assist as well.

0 Likes

Re: Scanning files with non-standard file extensions

hi... i am having a similar issue trying to scan bytecode files.  i have completed both steps in your previous replies.

here is the command...

sourceanalyzer -b <testclassscan> -cp "<src>\*.class" -Dcom.fortify.sca.fileextensions.class=BYTECODE

i probably didn't need the -D parameter, since i updated the config file.  i get the following message...

[error]: No valid input files were specified. (Use the -scan option to analyze previously-built sources.)
HPE Security Fortify Static Code Analyzer 17.10.0156

the class files i am trying to scan were compiled from gosu code.  we have been told that as long as we have the bytecode, it should scan with no problem.

thanks!

ska (Trusted Contributor)

Re: Scanning files with non-standard file extensions

Are your extensions capitalized?  

For example, instead of 

com.fortify.sca.fileextensions.grt = SQL

maybe try

com.fortify.sca.fileextensions.GRT = SQL

0 Likes
jrakestraw83 (Regular Contributor)

Re: Scanning files with non-standard file extensions

I was able to attempt capitalizing the code type and it still did not work. I currently have a service request opened, so I see what fix actions they may have for the issue. 

0 Likes
markberrier (Valued Contributor)

Re: Scanning files with non-standard file extensions

Have you had a reply back from support yet?
0 Likes
jrakestraw83 (Regular Contributor)

Re: Scanning files with non-standard file extensions

@markberrier 

Our team was messing around within the application and found that when we scanned using the Audit WorkBench instead of the Scan Wizard, that it was able to pick up on the file extensions that we added. I had a ticket in for picking the files up within the Scan Wizard, but had no real movement in the couple weeks that it was opened. 

Our fix/work around was to just use the Audit workbench to scan everything.
