Fortify, how to start analysis through command

Question

How we can generate FortiFy report using command ??? on linux.

In command, how we can include only some folders or files for analyzing and how we can give the location to store the report. etc.

Please help....

Thanks, Karthik

Answer 1

1. Step#1 (clean cache)

• you need to plan scan structure before starting:

scanid = 9999 (can be anything you like)

ProjectRoot = /local/proj/9999/

WorkingDirectory = /local/proj/9999/working

• (this dir is huge, you need to "rm -rf ./working && mkdir ./working" before every scan, or byte code piles underneath this dir and consume your harddisk fast)

log = /local/proj/9999/working/sca.log

source='/local/proj/9999/source/src/**.*'

classpath='local/proj/9999/source/WEB-INF/lib/*.jar; /local/proj/9999/source/jars/**.*; /local/proj/9999/source/classes/**.*'

./sourceanalyzer -b 9999 -Dcom.fortify.sca.ProjectRoot=/local/proj/9999/ -Dcom.fortify.WorkingDirectory=/local/proj/9999/working -logfile  /local/proj/working/9999/working/sca.log  -clean

• It is important to specify ProjectRoot, if not overwrite this system default, it will put under your /home/user.fortify
• sca.log location is very important, if fortify does not find this file, it cannot find byte code to scan.
• You can alter the ProjectRoot and Working Directory once for all if your are the only user: FORTIFY_HOME/Core/config/fortify_sca.properties).
• In such case, your command line would be ./sourceanalyzer -b 9999 -clean

2. Step#2 (translate source code to byte code)

nohup ./sourceanalyzer -b 9999 -verbose -64 -Xmx8000M -Xss24M -XX:MaxPermSize=128M -XX:+CMSClassUnloadingEnabled -XX:+UseConcMarkSweepGC  -XX:+UseParallelGC -Dcom.fortify.sca.ProjectRoot=/local/proj/9999/ -Dcom.fortify.WorkingDirectory=/local/proj/9999/working  -logfile /local/proj/9999/sca.log -source 1.5 -classpath '/local/proj/9999/source/WEB-INF/lib/*.jar:/local/proj/9999/source/jars/**/*.jar:/local/proj/9999/source/classes/**/*.class'  -extdirs '/local/proj/9999/source/wars/*.war'  '/local/proj/9999/source/src/**/*'  &

• always unix background job (&) in case your session to server is timeout, it will keep working.

• cp : put all your known classpath here for fortify to resolve the functiodfn calls. If function not found, fortify will skip the source code translation, so this part will not be scanned later. You will get a poor scan quality but FPR looks good (low issue reported). It is important to have all dependency jars in place.

• -extdir: put all directories/files you don't want to be scanned here.

• the last section, files between ' ' are your source.

• -64 is to use 64-bit java, if not specified, 32-bit will be used and the max heap should be <1.3 GB (-Xmx1200M is safe).

• -XX: are the same meaning as in launch application server. only use these to control the class heap and garbage collection. This is to tweak performance.

• -source is java version (1.5 to 1.8)

3. Step#3 (scan with rulepack, custom rules, filters, etc)

nohup ./sourceanalyzer -b 9999  -64 -Xmx8000M -Dcom.fortify.sca.ProjectRoot=/local/proj/9999 -Dcom.fortify.WorkingDirectory=/local/proj/9999/working -logfile /local/ssap/proj/9999/working/sca.log **-scan** -filter '/local/other/filter.txt' -rules '/local/other/custom/*.xml -f '/local/proj/9999.fpr' & 

• -filter: file name must be filter.txt, any ruleguid in this file will not be reported.

• rules: this is the custom rule you wrote. the HP rulepack is in FORTIFY_HOME/Core/config/rules directory

• -scan : keyword to tell fortify engine to scan existing scanid. You can skip step#2 and only do step#3 if you did notchange code, just want to play with different filter/custom rules

4. Step#4 Generate PDF from the FPR file (if required)

./ReportGenerator -format pdf -f '/local/proj/9999.pdf' -source '/local/proj/9999.fpr'