27 January 2016

As a developer I have been tasked with making sure our application is compliant with the Defense Information Systems Agency’s (DISA) Security Technical Implementation Guide (STIG). DISA publishes a list of STIGs periodically which the development team needs to implement. One of the tools we use to accomplish this is HP Fortify. Fortify is a Static Code Analysis (SCA) tool.

Recently my work computer was replaced and I went from 32-bit Fedora to 64-bit Fedora. The result of this is that my 32-bit Fortify installation quit working. To work around this problem I decided to learn how to run Fortify from the command line. At first, running from the command line also didn’t work. The solution there was to rename “HP_Fortify_3.50_SCA_and_Apps/jre” to “HP_Fortify_3.50_SCA_and_Apps/jre32”. After the rename the command line started working.

You can run any of the command line tools with the “-h” or “-help” option to get a list of available options. The results are quite verbose, so we will concentrate on sourceanalyzer’s more often used options. An important option is “-b”, which specifies the build id. The build id is what ties all of your use of the command line tools together: the clean, build and scan steps for one project all refer to the same id. The “-clean” option deletes intermediate files and build records. “-source” specifies which version of Java you are using. The “-scan” option causes sourceanalyzer to analyze your source code. “-format” specifies in what file type you want the scan results stored. A very handy one is “-show-build-ids”, which lists the available build ids. Finally, the “-64” option tells sourceanalyzer to run in 64-bit mode.

The lifecycle of a Fortify Scan is as follows:

First let us list the available build ids. This step is useful to find any already existing analysis.

Example show build ids
bash$ sourceanalyzer -show-build-ids
ExampleProject
   Created: Jan 13, 2016 1:45:47 PM
   Last Modified: Jan 13, 2016 1:45:47 PM
   Errors and Warnings: 29
   Project: []  Label: []  Version: []

Remove temporary files that might influence a new analysis.

Clean by build id
bash$  sourceanalyzer -64 -b "ExampleProject" -clean

Parse source code and prepare for analysis.

Build by build id
bash$  sourceanalyzer -64 -b "ExampleProject" -source "1.6" "/path/to/project/source/code/"
[warning]: The following references to java classes could not be resolved. Please make sure to supply all the required jar files that contain these classes to SCA.
	com.liferay.counter.service.CounterLocalService
	com.liferay.counter.service.CounterLocalServiceUtil
	com.liferay.portal.NoSuchModelException
	com.liferay.portal.kernel.bean.AutoEscape
	com.liferay.portal.kernel.bean.AutoEscapeBeanHandler
	com.liferay.portal.kernel.bean.BeanReference
	com.liferay.portal.kernel.bean.IdentifiableBean
	com.liferay.portal.kernel.bean.PortletBeanLocatorUtil
  ...

Analyze the prepared code.

Analyze by build id
bash$ sourceanalyzer -64 -b "ExampleProject" -format "fpr" -f "/path/to/report/ExampleProject.fpr" -scan
[warning]: Some errors or warnings were suppressed.  Check the results file for a full listing of all warnings and errors.

After the analysis, generate a human readable report.

Generate report from analysis
bash$  ReportGenerator -template "DeveloperWorkbook.xml" -format "pdf" -f "/path/to/report/ExampleProject.pdf" -source  "/path/to/report/ExampleProject.fpr"
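The four steps above are one pipeline, so here they are wrapped in a single POSIX shell script. This is an added example, not the post's own script and not part of Fortify; it assumes sourceanalyzer and ReportGenerator are on PATH (override with the SCA and REPORTGEN variables) and that the source and report paths are placeholders you fill in. It also adds two checks the post's transcripts suggest: pulling the build ids out of “-show-build-ids” output, and counting the “could not be resolved” classes printed during translation, because each unresolved class means a jar missing from the translation classpath and an incomplete analysis of the code that uses it (the “-cp” option used in the warning message is sourceanalyzer's classpath option, which the post does not cover). The sample outputs in the script are constructed, modelled on the transcripts above, so the checks can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the original post): a wrapper for the Fortify SCA
# command-line lifecycle plus two checks on captured tool output.
# Assumptions: sourceanalyzer and ReportGenerator are on PATH (override with
# SCA / REPORTGEN); all paths passed to fortify_run are the reader's own.

: "${SCA:=sourceanalyzer}"
: "${REPORTGEN:=ReportGenerator}"

# Print the build ids from "-show-build-ids" output (read from stdin), one per
# line. Build ids sit at column 0; their metadata lines are indented.
fortify_build_ids() {
    awk 'NF && $0 !~ /^[ \t]/'
}

# Count the java classes sourceanalyzer reported it could not resolve during
# translation (read from stdin). Each one is a jar missing from the classpath,
# so the analysis of code touching that class is incomplete.
fortify_unresolved_classes() {
    awk '
        /could not be resolved/ { inblock = 1; next }
        inblock && /^[ \t]+[A-Za-z_$][A-Za-z0-9_$.]*$/ { n++; next }
        inblock && !/^[ \t]/ { inblock = 0 }
        END { print n + 0 }
    '
}

# Run clean -> translate -> scan -> report for one build id, stopping at the
# first failing step so a broken translation never yields a stale .fpr.
# Usage: fortify_run ExampleProject /path/to/project/source/code 1.6 /path/to/report
fortify_run() {
    build_id=$1; src_dir=$2; java_ver=$3; report_dir=$4
    log="$report_dir/$build_id.translate.log"
    "$SCA" -64 -b "$build_id" -clean || return 1
    "$SCA" -64 -b "$build_id" -source "$java_ver" "$src_dir" >"$log" 2>&1 || return 1
    unresolved=$(fortify_unresolved_classes <"$log")
    [ "$unresolved" -eq 0 ] ||
        echo "warning: $unresolved unresolved classes, see $log (supply the missing jars with -cp)" >&2
    "$SCA" -64 -b "$build_id" -format fpr -f "$report_dir/$build_id.fpr" -scan || return 1
    "$REPORTGEN" -template DeveloperWorkbook.xml -format pdf \
        -f "$report_dir/$build_id.pdf" -source "$report_dir/$build_id.fpr"
}

# Constructed sample outputs, modelled on the post's transcripts, for offline use.
SAMPLE_BUILD_IDS='ExampleProject
   Created: Jan 13, 2016 1:45:47 PM
   Last Modified: Jan 13, 2016 1:45:47 PM
   Errors and Warnings: 29
   Project: []  Label: []  Version: []
LegacyPortal
   Created: Jan 20, 2016 9:02:11 AM
   Errors and Warnings: 0
   Project: []  Label: []  Version: []'

SAMPLE_TRANSLATE_LOG=$(printf '%s\n' \
    '[warning]: The following references to java classes could not be resolved. Please make sure to supply all the required jar files that contain these classes to SCA.' \
    "$(printf '\tcom.liferay.counter.service.CounterLocalService')" \
    "$(printf '\tcom.liferay.counter.service.CounterLocalServiceUtil')" \
    "$(printf '\tcom.liferay.portal.NoSuchModelException')" \
    '  ...' \
    '[warning]: Some errors or warnings were suppressed.  Check the results file for a full listing of all warnings and errors.')

# Demo on the constructed samples: lists two build ids, then prints 3.
printf '%s\n' "$SAMPLE_BUILD_IDS" | fortify_build_ids
printf '%s\n' "$SAMPLE_TRANSLATE_LOG" | fortify_unresolved_classes
```

A non-zero unresolved count is only a warning here, as in the post's own run, but in a build pipeline it is the number to watch: it climbs silently when a dependency is upgraded and its jar is no longer on the translation classpath.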

This covers some basic functionality. For more help see the HP Fortify user manual.
