27 January 2016

Running HP Fortify from the Command Line

As a developer I have been tasked with making sure our application complies with the Defense Information Systems Agency’s (DISA) Security Technical Implementation Guides (STIGs). DISA publishes STIGs periodically, and the development team needs to implement the applicable ones. One of the tools we use to accomplish this is HP Fortify, a Static Code Analysis (SCA) tool.

Recently my work computer was replaced and I went from 32-bit Fedora to 64-bit Fedora. As a result, my 32-bit Fortify installation quit working. To work around this problem I decided to learn how to run Fortify from the command line. At first running from the command line didn’t work either. The solution there was to rename “HP_Fortify_3.50_SCA_and_Apps/jre” to “HP_Fortify_3.50_SCA_and_Apps/jre32”. After the rename the command line tools started working.

You can run any of the command line tools with the “-h” or “-help” option to get a list of available options. The output is quite verbose, so we will concentrate on sourceanalyzer’s more commonly used options. An important one is “-b”, which specifies the build id; the build id is what ties all of your uses of the command line tools together. “-clean” deletes intermediate files and build records. “-source” specifies which version of Java you are using. “-scan” causes sourceanalyzer to analyze your source code. “-format” specifies the file type in which the scan results are stored. A very handy one is “-show-build-ids”, which lists the available build ids. Finally, the “-64” option tells sourceanalyzer to run in 64-bit mode.

The lifecycle of a Fortify scan is as follows:

First, list the available build ids. This step is useful for finding any existing analysis before you start a new one.

Example show build ids

bash$ sourceanalyzer -show-build-ids
   Created: Jan 13, 2016 1:45:47 PM
   Last Modified: Jan 13, 2016 1:45:47 PM
   Errors and Warnings: 29
   Project: []  Label: []  Version: []

Remove temporary files that might influence a new analysis.

Clean by build id

bash$ sourceanalyzer -64 -b "RecruitingOperations" -clean

Parse source code and prepare for analysis.

Build by build id

bash$ sourceanalyzer -64 -b "ExampleProject" -source "1.6" "/path/to/project/source/code/"
[warning]: The following references to java classes could not be resolved. Please make sure to supply all the required jar files that contain these classes to SCA.

Analyze the prepared code.

Analyze by build id

bash$ sourceanalyzer -64 -b "ExampleProject" -format "fpr" -f "/path/to/report/ExampleProject.fpr" -scan
[warning]: Some errors or warnings were suppressed.  Check the results file for a full listing of all warnings and errors.

After the analysis, generate a human-readable report.

Generate report from analysis

bash$ ReportGenerator -template "DeveloperWorkbook.xml" -format "pdf" -f "/path/to/report/ExampleProject.pdf" -source "/path/to/report/ExampleProject.fpr"
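As an added example (not from the post), a POSIX shell script that runs the clean, build, scan and report steps above end to end for one build id, stopping at the first failing step so a scan never runs against a build that did not parse, and passing the jar classpath that the build-step warning asks for. It assumes sourceanalyzer and ReportGenerator are on PATH and that sourceanalyzer accepts a -cp option for the classpath, which this post does not show.

```shell
#!/bin/sh
# Added example, not from the post: drives the lifecycle
# (clean -> build -> scan -> report) for one build id.
# Assumptions: sourceanalyzer and ReportGenerator are on PATH, and
# sourceanalyzer accepts -cp for the jar classpath (not shown in the post).
set -eu

# run CMD ARGS...: echo the command, then execute it unless FORTIFY_DRY_RUN=1.
# Arguments are passed as words and never re-parsed, so paths with spaces are safe.
run() {
  printf '==> %s\n' "$*"
  [ "${FORTIFY_DRY_RUN:-0}" = 1 ] || "$@"
}

# fortify_lifecycle BUILD_ID JAVA_VERSION SRC_DIR REPORT_DIR [CLASSPATH]
fortify_lifecycle() {
  bid=$1 jver=$2 src=$3 out=$4 cp=${5:-}
  [ -d "$src" ] || { echo "source dir not found: $src" >&2; return 1; }
  mkdir -p "$out"
  # 1. Drop intermediate files and build records from any earlier run of this id.
  run sourceanalyzer -64 -b "$bid" -clean
  # 2. Parse the source; -cp supplies the jars SCA needs to resolve classes,
  #    which silences the "could not be resolved" warning and avoids missed findings.
  run sourceanalyzer -64 -b "$bid" -source "$jver" ${cp:+-cp "$cp"} "$src"
  # 3. Analyze the build and write the FPR results file.
  run sourceanalyzer -64 -b "$bid" -format fpr -f "$out/$bid.fpr" -scan
  # 4. Render the developer workbook as a PDF from the FPR.
  run ReportGenerator -template DeveloperWorkbook.xml -format pdf \
      -f "$out/$bid.pdf" -source "$out/$bid.fpr"
}
```

Set FORTIFY_DRY_RUN=1 to print the four commands without running them, which is a quick way to check the paths and build id before a long scan.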

This covers some basic functionality. For more help see the HP Fortify user manual.

tags: hp - fortify - java - stig - disa

Less Is More