Fortify has made available esapi.bin to be used with AWB as an optional rulepack. We have attempted to upload this file to SSC and also tried to add it to AWB. With SSC is it rejected as not a valid file type. In AWB, it is accepted, but does not appear to be used when running a scan.
We have a large number of legacy Java apps that use the ESAPI library for validation. We would like to include this rulepack in all of our instances of SCA/AWB and SSC. Other than adding it in the CLI with each scan, how can this rulepack be added to the static scanning tools and SSC?
As a follow up, when we do run a scan adding esapi.bin as an additional rulepack, we get the following error.
"[error]: Unable to load rules file /Applications/Fortify/customrules/esapi.bin: invalid encrypted stream"
We also see these errors in AWB and SSC when trying to load esapi.bin. Is it possible the file is encrypted incorrectly?
I have not used this esapi rule pack before, but did you try putting it in this directory?
Replace <version> with your version, ex. 19.2.0 or your installation path
The README file in this directory states the following
This directory can be used for custom rulepacks which should always be used when sourceanalyzer does a scan. Any rulepacks in this directory will always be used during analysis. The rulepack update utility will never add or remove rulepacks from this directory. To configure sourceanalyzer to look in another
location for rulepacks, set the property com.fortify.sca.CustomRulesDir in the fortify-sca.properties file.
I did submit a support ticket for this issue. Fortify support did try to get the esapi.bin file to work, but the got the same error as I did. See their response below. Basically, they did not create this file and do not know who did. The file is not compatible with SCA/AWB, so it is not usable in my opinion.
So it looks like the problem is related to this esapi.bin file. We don't know who the author is, so there's no way we can modify it or try to troubleshoot it, as I explained before this is a community created tool and not official from Micro Focus.
LUCAS! LUCAS!!! LUCAS!!!!
I just downloaded and tried the new file. It worked perfectly, with no errors!!!! Thank you for getting this working. We have quiet a lot of legacy Java applications that use ESAPI.
Can this file be uploaded to SSC and use it there as well?
Lucas, I was able to upload the new esapi.bin file to SSC (20.1). So far, no issues.
I can't thank you enough for fixing this file. It will save us hours of triage time!