Fortify - Source Code Analyzer
Download as PPTX, PDF7 likes33,347 views
The document provides an overview of Fortify Source Code Analyzer (SCA). It discusses the different analysis phases SCA performs including translation, analysis, and verification. It also describes the various types of analyzers that SCA uses like data flow, control flow, semantic, and structural analyzers. Finally, it outlines the typical commands used to clean, translate, and scan source code with SCA and run an analysis.
![Translation Options
• Analysis Options:
•
•
•
•
•
•
•
•
-disable-default-ruletype <type> : Disables all rules of the specified type
in the default rulepacks.
-encoding : Specifies the encoding for encoded source files.
-filter <file_name> : Specifies a results filter file.
-findbugs : Enables FindBugs analysis for Java code.
-quick : Scans the project in Quick Scan Mode.
-rules [<file>|<directory>] : Specifies a custom rulepack or directory.
-disable-source-rendering : Source files are not included in the FPR file.
-scan : Causes Fortify SCA to perform analysis for the specified build
ID.](https://image.slidesharecdn.com/fortifysourcecodeanalysersession-140120122358-phpapp02/85/Fortify-Source-Code-Analyzer-9-320.jpg)
Fortify - Source Code Analyzer
- 2. Agenda • • • • • • Overview of Fortify Using Fortify Type of Analyzers Analysis Phases Analysis Commands Demo
- 3. Fortify Source Code Analyser • Fortify Source Code Analyzer (SCA) is a set of software security analyzers that search for violations of security‐specific coding rules and guidelines in a variety of languages. • The rich data provided by Fortify SCA language technology enables the analyzers to pinpoint and prioritize violations so that fixes can be fast and accurate. • The analysis information produced by SCA helps you deliver more secure software, as well as making security code reviews more efficient, consistent, and complete. 3
- 4. Using Fortify • At the highest level, using Fortify SCA involves: • Choosing to run SCA as a stand‐alone process or integrating Fortify SCA as part of the build tool • Translating the source code into an intermediate translated format, preparing the code base for scanning by the different analyzers • Scanning the translated code, producing security vulnerability reports • Auditing the results of the scan, either by transferring the resulting FPR file to Audit Workbench or Fortify 360 Server for analysis, or directly with the results displayed onscreen
- 5. Analyzers • Data Flow: The data flow analyzer detects potential vulnerabilities that involve tainted data (user‐controlled input) put to potentially dangerous use. Eg. Buffer overflow, SQL Injections. • Control Flow: The control flow analyzer detects potentially dangerous sequences of operations. Eg. time of check/time of use issues and uninitialized variables. • Semantic: The semantic analyzer detects potentially dangerous uses of functions and APIs at the intra‐procedural level. Eg. Deprecated functions, unsafe functions. • Structural: The structural analyzer detects potentially dangerous flaws in the structure or definition of the program. For Eg. Dead Code. • Configuration: The configuration analyzer searches for mistakes, weaknesses, and policy violations in an application's deployment configuration files.
- 6. Analysis Phases • Fortify SCA performs source code analysis • Build Integration: The first phase of source code analysis involves making a decision whether to integrate SCA into the build compiler system. • Translation: Source code gathered using a series of commands is translated into an intermediate format which is associated with a build ID. The build ID is usually the name of the project being scanned. • Analysis: Source files identified during the translation phase are scanned and an analysis results file, typically in the Fortify project (FPR) format, is generated. FPR files are indicated by the .fpr file extension. • Verification of the translation and analysis: Ensure that the source files were scanned using the correct rulepacks and that no significant errors were reported.
- 7. Analysis Commands • The following is an example of the sequence of commands you use to analyze code: • Clean and build sourceanalyzer -b <build_id> -clean • Translation sourceanalyzer -b <build_id> ... •Scan sourceanalyzer -b <build_id> -scan -f results.fpr
- 8. Translation Options • Output Options: • • • • • • • -append : Appends results to the file specified with -f. If this option is not specified, Fortify SCA adds the new findings to the FPR file, and labels the older result as previous findings. -build-label <label> : The label of the project being scanned. -build-project <project> : The name of the project being scanned. -build-version <version> : The version of the project being scanned. -f <file> : The file to which results are written. -format <format> : Controls the output format. Valid options are fpr, fvdl, text, and auto. -html-report : Creates an HTML summary of the results produced.
- 9. Translation Options • Analysis Options: • • • • • • • • -disable-default-ruletype <type> : Disables all rules of the specified type in the default rulepacks. -encoding : Specifies the encoding for encoded source files. -filter <file_name> : Specifies a results filter file. -findbugs : Enables FindBugs analysis for Java code. -quick : Scans the project in Quick Scan Mode. -rules [<file>|<directory>] : Specifies a custom rulepack or directory. -disable-source-rendering : Source files are not included in the FPR file. -scan : Causes Fortify SCA to perform analysis for the specified build ID.
- 10. Translation Options • Build Integration Options • • • • -b <build_id> : Specifies the build ID. -bin <binary> : Used with -scan to specify a subset of source files to scan. Only the source files that were linked in the named binary at build time are included in the scan. -exclude <file_pattern> : Removes files from the list of files to translate. For example: sourceanalyzer –cp "**/*.jar" "**/*" -exclude "**/Test.java“ -nc : When specified before a compiler command line.
- 11. Translation Options • Runtime Options • • • • • • -auth-silent : Available on Fortify SCA Per Use edition only. Suppresses the prompt that displays the number of lines the scan requires to analyze the source code. -64 : Runs Fortify SCA under the 64‐bit JRE. -logfile <file_name> : Specifies the log file that is produced by Fortify SCA. -quiet : Disables the command line progress bar. -verbose : Sends verbose status messages to the console. -Xmx <size> : Specifies the maximum amount of memory used by Fortify SCA.
- 12. Demo