Solved: Re: Using esapi.bin with AWB and SSC - Micro Focus Community

bn_pep · ‎2020-08-04

Fortify has made available esapi.bin to be used with AWB as an optional rulepack. We have attempted to upload this file to SSC and also tried to add it to AWB. With SSC is it rejected as not a valid file type. In AWB, it is accepted, but does not appear to be used when running a scan.

We have a large number of legacy Java apps that use the ESAPI library for validation. We would like to include this rulepack in all of our instances of SCA/AWB and SSC. Other than adding it in the CLI with each scan, how can this rulepack be added to the static scanning tools and SSC?

Thanks!

lvonstockhausen · ‎2020-12-04

Hello

Can you tray again to download the file

We have it updated

Thanks

View solution in original post

bn_pep · ‎2020-08-06

As a follow up, when we do run a scan adding esapi.bin as an additional rulepack, we get the following error.

"[error]: Unable to load rules file /Applications/Fortify/customrules/esapi.bin: invalid encrypted stream"

We also see these errors in AWB and SSC when trying to load esapi.bin. Is it possible the file is encrypted incorrectly?

mogudoom1985 · ‎2020-12-04

any update from fortify ? are u manage to resolve

rhelsens · ‎2020-12-04

I have not used this esapi rule pack before, but did you try putting it in this directory?

Replace <version> with your version, ex. 19.2.0 or your installation path

C:\Program Files\Fortify\Fortify_SCA_and_Apps_<version>\Core\config\customrules

The README file in this directory states the following

This directory can be used for custom rulepacks which should always be used when sourceanalyzer does a scan. Any rulepacks in this directory will always be used during analysis. The rulepack update utility will never add or remove rulepacks from this directory. To configure sourceanalyzer to look in another
location for rulepacks, set the property com.fortify.sca.CustomRulesDir in the fortify-sca.properties file.

bn_pep · ‎2020-12-04

I did submit a support ticket for this issue. Fortify support did try to get the esapi.bin file to work, but the got the same error as I did. See their response below. Basically, they did not create this file and do not know who did. The file is not compatible with SCA/AWB, so it is not usable in my opinion.

So it looks like the problem is related to this esapi.bin file. We don't know who the author is, so there's no way we can modify it or try to troubleshoot it, as I explained before this is a community created tool and not official from Micro Focus.

rhelsens · ‎2020-12-04

Ah, yes I see how that could be a problem. Sorry I can't offer any more help.

Good luck!

lvonstockhausen · ‎2020-12-04

Hi

It looks like the zip file got corrupted on the server

we are in the process of exchanging it - please stay tuned

Thanks

lvonstockhausen · ‎2020-12-04

Hello

Can you tray again to download the file

We have it updated

Thanks

View solution in original post

bn_pep · ‎2020-12-04

LUCAS! LUCAS!!! LUCAS!!!!

I just downloaded and tried the new file. It worked perfectly, with no errors!!!! Thank you for getting this working. We have quiet a lot of legacy Java applications that use ESAPI.

Can this file be uploaded to SSC and use it there as well?

Thanks again!!!

lvonstockhausen · ‎2020-12-05

Good morning - happy to hear it works

in regards to SSC - yes, that should work for distribution

I just uploaded it

bn_pep · ‎2020-12-07

Lucas, I was able to upload the new esapi.bin file to SSC (20.1). So far, no issues.

I can't thank you enough for fixing this file. It will save us hours of triage time!