Highlighted
Yarix
New Member.
9829 views

Using Fortify Java Annotations

Recently I've start using Fortify Java Annotations. This document provides an short overview of Fortify Annotations, instructions on how to add dependency on them and how use them in your Java code.

Why Use Fortify Annotation?

The Fortify annotations can be used to better describe the Java code of the program that is analyzed. The annotations will help SCA to reduce false negative or false positive security issues thus increasing the accuracy of the report.

For example:

simple User class

public class User {

public final static String PASSWORD_LABEL = "password";

private String userId;

private String userKey;

public void printUserData() {

System.out.println("Fortify [userId=" + userId + ", " + PASSWORD_LABEL + "=" + userKey + "]");

}

}

The SCA will falsely report about the PASSWORD_LABEL and will ignore the real issue with exposing the real password in method toSting().

SCA reports 1 High issue: "Hardcoded passwords can compromise system security in a way that cannot be easily remedied."

Now, let's add Fortify Annotations:

adding annotation to improve SCA accuracy

@FortifyNotPassword

public final static String PASSWORD_LABEL = "password";

@FortifyPassword

private String userKey;

With annotated code, fortify remove the hardcoded password issue, and produce a new Critical issue about exposing the real password: " Privacy Violation (Security Features, Data Flow) - The method printUserData() in User.java mishandles confidential information, which can compromise user privacy and is often illegal."

Maven dependency

The HP Fortify annotations are not available on public Meven repository. However the jar can be found on :

"C:\Program Files\HP_Fortify\HP_Fortify_SCA_and_Apps_4.00\Samples\advanced\javaAnnotations\libraries\FortifyAnnotatins.jar"


You can then publish it to your local repository with command:


mvn -debug -U org.apache.maven.plugins:maven-install-plugin:2.5.2:install-file

-DcreateChecksum=true

-Dfile="C:\Program Files\HP_Fortify\HP_Fortify_SCA_and_Apps_4.00\Samples\advanced\javaAnnotations\libraries\FortifyAnnotatins.jar"

-DupdateReleaseInfo=true

-DgroupId=com.hp.fortify

-DartifactId=fortifyAnnotations -Dversion=4.0.0 -Dpackaging=jar

After the jar is published you need to add dependency:

Header 1

<dependency>

    <groupId>com.hp.fortify</groupId>

    <artifactId>fortifyAnnotations</artifactId>

    <version>4.0.0</version>

</dependency>

It is highly recommended to scope the Jar as provided with

    <scope>provided</scope>

That will allow your project to compile properly with Fortify annotations but the dependency will not be part of the production artifacts and dependency.

Available Annotations:

FortifyCheckReturnValue

FortifyCommandInjectionSink

FortifyCommandInjectionValidate

FortifyDangerous

FortifyDatabaseSource

FortifyFileSystemSource

FortifyNetworkSource

FortifyNonNegative

FortifyNonZero

FortifyNotNumberPassthrough

FortifyNotPassword

FortifyNotPrivate

FortifyNumberPassthrough

FortifyPCISink

FortifyPCISource

FortifyPCIValidate

FortifyPassthrough

FortifyPassword

FortifyPrivacySink

FortifyPrivacyValidate

FortifyPrivate

FortifyPrivateSource

FortifySQLSink

FortifySQLValidate

FortifySink

FortifySource

FortifySystemInfoSink

FortifySystemInfoValidate

FortifyValidate

FortifyWebSource

FortifyXSSSink

FortifyXSSValidate

Labels (2)
Tags (1)
8 Replies
simon.corlett@h Absent Member.
Absent Member.

Re: Using Fortify Java Annotations


Thanks a lot Yariv, that's a great write up!

0 Likes
gyeatts Absent Member.
Absent Member.

Re: Using Fortify Java Annotations

Thank you this is very helpful.

Is there a source of detailed documentation or Javadoc for the Fortify annotations?

0 Likes
vineesharma
New Member.

Re: Using Fortify Java Annotations

i want to use fortify java annotations. The first step in this artical shows a local disk path for the JAR. How should i get this?

Should i install some software? is it free?

0 Likes
Micro Focus Expert
Micro Focus Expert

Re: Using Fortify Java Annotations

The path to the JAR file was provided as C:\Program Files\Fortify\Fortify_SCA_and_Apps_##.##\Samples\advanced\javaAnnotations\libraries\, which only exists if you have installed Fortify SCA.

This article is now 4 years old, and it seems that there is no longer a FortifyAnnotations.JAR file present (current SCA release version is 18.10).  However, there are present these other three JAR files.  I do not know which of them will work for this old method, if at all.

  • FortifyAnnotations-CLASS.jar
  • FortifyAnnotations-SOURCE.jar
  • thirdPartyComponent.jar

-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify
0 Likes
Yarix
New Member.

Re: Using Fortify Java Annotations

Hi
The jar file should come with Fortify installation. It isn't free.
However, my post is very old, things may look different today (I hope)
0 Likes
dadamore86
New Member.

Re: Using Fortify Java Annotations

We can you any one of the file(FortifyAnnotations-CLASS.jar or FortifyAnnotations-SOURCE.jar), there is multiple files based on annotation retention policy.

  • A retention policy determines at what point annotation should be discarded.
  • Java defined 3 types of retention policies through java.lang.annotation.RetentionPolicy enumeration. It has SOURCE, CLASS and RUNTIME.
  • Annotation with retention policy SOURCE will be retained only with source code, and discarded during compile time.
  • Annotation with retention policy CLASS will be retained till compiling the code, and discarded during runtime.
  • Annotation with retention policy RUNTIME will be available to the JVM through runtime.

It fortify uses source code for analysis then it is recommended to use FortifyAnnotations-SOURCE.jar and if fortify used byte code then we have use FortifyAnnotations-CLASS.jar.

0 Likes
Sridurai
Visitor.

Re: Using Fortify Java Annotations

I am using fortify annotation.I use FortifyAnnotations-SOURCE.jar.
I scope the Jar as provided with
<scope>provided</scope>
so that the dependency is not part of my production artifact.
But when i scan my application in Fortify SCA, it still shows up the violation.
When i use the FortifyAnnotations-SOURCE.jar in default scope, the violations are removed.

 

Is there a way that i get the violations removed, also the jar file is not in my production artifact.

 

Xavier R
New Member.

Re: Using Fortify Java Annotations

This is posible obtain fortify Annotations if Im using Fortify On Demand ? because im not receive any package when adquire the service.

0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.