Fortify Static Code Analyzer
This is a quick cheat sheet for Fortify Static Code Analyzer (SCA). For detailed usage you should check the official User Guide.
Fortify SCA is a set of software security analyzers that search for violations of security-specific coding rules and guidelines in a variety of languages.
At the highest level, Fortify translates the source code into an intermediate format, scans the translated code and produces vulnerability reports.
To scan a project you basically run three commands:
The three commands illustrate the following steps in the analysis process:
- Remove all existing Fortify Static Code Analyzer temporary files for the specified build ID. Always begin an analysis with this step to analyze a project with a previously used build ID.
- Translate the project code. This step can consist of multiple calls to sourceanalyzer with the same build ID.
- Analyze the project code and produce the Fortify Project Results file (FPR).
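The clean, translate and scan steps above, as an added example that is not part of the cheat sheet: a small POSIX shell wrapper that runs the three sourceanalyzer invocations in order with one build ID and stops at the first failure. It assumes sourceanalyzer is on PATH and that the standard flags -b, -clean, -scan and -f are used; setting FORTIFY_DRY_RUN=1 prints the commands instead of running them, which is handy for checking the build ID and compile command before a long scan.

```shell
#!/bin/sh
# Added example (not from the cheat sheet): wrapper for the three-phase
# Fortify SCA workflow: clean -> translate -> scan.
# Assumes sourceanalyzer is on PATH. FORTIFY_DRY_RUN=1 prints each command
# instead of executing it.

run() {
    if [ "${FORTIFY_DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# fortify_scan BUILD_ID OUTPUT_FPR COMPILE_COMMAND...
# Returns 2 on bad usage, otherwise the status of the first failing phase.
fortify_scan() {
    build_id=$1; out_fpr=$2; shift 2
    [ -n "$build_id" ] && [ -n "$out_fpr" ] && [ "$#" -gt 0 ] || {
        echo "usage: fortify_scan BUILD_ID OUTPUT_FPR COMPILE_COMMAND..." >&2
        return 2
    }
    # 1. Remove temporary files left over from an earlier run with this build ID.
    run sourceanalyzer -b "$build_id" -clean || return
    # 2. Translate: the normal build command is passed through to sourceanalyzer.
    run sourceanalyzer -b "$build_id" "$@" || return
    # 3. Analyze the translated code and write the Fortify Project Results file.
    run sourceanalyzer -b "$build_id" -scan -f "$out_fpr"
}

# Dry run of a C project (the compile command is whatever you normally use):
# FORTIFY_DRY_RUN=1 fortify_scan myapp results.fpr gcc -o bof -fno-stack-protector bof.c
```

Multi-module projects that need several translate calls can call `run sourceanalyzer -b "$build_id" ...` once per module between the clean and the scan; the build ID is what ties them together.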
Specifying Files
File specifiers are expressions that allow you to pass a long list of files to Fortify Static Code Analyzer using wildcard characters.
On Windows, separate the file names with a semicolon (;); on all other platforms use a colon (:).
Plugins
Fortify has plugins for the Eclipse and IntelliJ IDEA IDEs and for Maven projects. If your code is developed in one of these two IDEs, you can install the plugin and scan the code directly from the user interface. The plugins are located in the Fortify_Install_Dir/plugins folder.
You can install these plugins like any other plugin. The screenshot below shows the Fortify menu in IDEA.
Quick scan mode provides a way to quickly scan your projects for major issues. By default, quick scan mode searches for high-confidence, high-severity issues. Although the scan is faster than a full scan, it does not produce as robust a result set.
Translating Java Code
Translating Java EE Applications
Fortify can process Java source files and Java EE components such as JSP files, deployment descriptors, and configuration files. The Java code of the application can be translated using the same methods described in Translating Java Code section.
To translate JSP files, configuration files, and deployment descriptors, place them in a directory organized in the WAR layout. You can then use the following commands to translate the files:
If you get the following error, the files are not laid out in the standard WAR directory format:
Could not locate the root (WEB-INF) of the web application. Please build your web application and try again. Failed to parse the following jsp files:
list of files…
Translating Java Bytecode
In addition to translating source code, you can translate the bytecode in your project.
Translating Maven Projects
You need to install the Maven plugin first.
Translating .NET Code
Run the commands from a Visual Studio Developer Command Prompt; this usually makes spurious build errors disappear. First build the code from the command line. If you get errors at this step, fix them before translating the project code with sourceanalyzer.
devenv SolutionFile.sln /rebuild debug
If the above command succeeds, run the following two commands.
Translating C and C++ Code
To translate C/C++ code you must compile the code on the command line. If your code compiles without errors, you pass that same compile command to sourceanalyzer.
Let's say you have a C file that you compile like this:
gcc -o bof -fno-stack-protector bof.c
Then you can translate and scan the code with the following commands:
Translating JavaScript Code
Pure Javascript
JavaScript with HTML
By default, Fortify Static Code Analyzer scans the following HTML tags: body, button, div, form, iframe, input, head, html, and p.
If you want to include extra tags, use the following option:
-Dcom.fortify.sca.DOMModeling.tags
For example, to include the HTML tags ul and li in the DOM model, use the following command:
Translating Apple iOS Projects
First make sure that you can build the code in Xcode without errors. After a successful build you can translate and scan the code with the following commands:
If the project uses CocoaPods:
If you cannot compile because you do not have a paid developer account, disable automatic signing, set the provisioning profile to none, then disable all capabilities.
Error: “ProjectName.debug.xcconfig unable to open file error during compile”
Run the following command in the project root directory:
pod install
If for some reason you need to use Xcode 10 and get the error “Cycle inside ; building could produce unreliable results”, go to File -> Project/Workspace Settings in Xcode and change the build system to Legacy Build System.
Error: Main_iPhone.storyboard: Compilation failed. Unable to write to path:
Translating Android Projects
Android Studio has a Fortify plugin; it is installed automatically when you install the IDEA plugin. It is best to use the plugin for translating and scanning Android code.
At the time of this writing (7/1/20) Fortify does not support Kotlin.
Translating SQL
T-SQL files:
PL/SQL files:
Extras
Incremental Analysis
With incremental analysis, you run a full analysis on a project once and then run subsequent incremental scans that analyze only the code that changed since the initial full scan. This reduces the scan time of the subsequent incremental scans.
You must use the same build ID for the subsequent incremental scans.
The initial full scan must include the -incremental-base option, and every subsequent scan must be run with the -incremental option.
Useful Commands
Show build warnings
sourceanalyzer -b <build_id> -show-build-warnings
View the files associated with a build ID and the number of lines of code being translated:
sourceanalyzer -b <build_id> -show-files
sourceanalyzer -b <build_id> -show-loc
Open report from command line
auditworkbench report.fpr
Out of Memory Errors
Add the following JVM options to the scan command if you get out-of-memory errors.
-XX:+CMSClassUnloadingEnabled -XX:+UseParallelGC
See the “scan job stuck at 9%” discussion on the Fortify forums.
Setting Encoding
This option is useful if the code contains non-English characters.
sourceanalyzer -b buildID -encoding UTF-8
Translation Log
sourceanalyzer -b buildID -logfile translation.log ...
Exclude Flag
During the translation phase you can exclude whole directories or individual files with the -exclude option. Multiple entries are separated with the platform path-list separator (: here; ; on Windows).
# Exclude individual files
sourceanalyzer -b BUILD_ID -exclude "fileA:fileB:fileC" ...
# Exclude everything under a specific directory
sourceanalyzer -b BUILD_ID -exclude "/path/to/dir" ...
# Exclude test files
sourceanalyzer -b BUILD_ID -exclude "**/Test/*.java" ...
# Exclude all class files
sourceanalyzer -b BUILD_ID -exclude "path/to/dir/**/*.class" ...
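Two pitfalls with -exclude (and with file specifiers in general) are the platform-specific list separator and a stray trailing separator, which leaves an empty entry in the list. The following added helper, not part of the cheat sheet, builds the -exclude value from a list of patterns with the right separator; picking the separator from uname(1) and treating MINGW, MSYS and CYGWIN environments as Windows is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the cheat sheet): assemble the -exclude argument
# for sourceanalyzer from individual patterns.

# Path-list separator: ';' on Windows, ':' elsewhere (per the Fortify docs).
# Mapping MINGW/MSYS/CYGWIN uname output to Windows is an assumption here.
fortify_list_separator() {
    case "$(uname -s 2>/dev/null)" in
        MINGW*|MSYS*|CYGWIN*|Windows*) printf ';' ;;
        *) printf ':' ;;
    esac
}

# fortify_exclude_arg SEP PATTERN...
# Joins the patterns with SEP, skipping empty entries so the result never
# carries a leading or trailing separator.
fortify_exclude_arg() {
    sep=$1; shift
    joined=""
    for p in "$@"; do
        [ -n "$p" ] || continue
        if [ -z "$joined" ]; then
            joined=$p
        else
            joined="$joined$sep$p"
        fi
    done
    printf '%s' "$joined"
}

# Usage: exclude test sources, generated class files and a vendored directory
# from the translation (BUILD_ID and the trailing build command are yours):
# sep=$(fortify_list_separator)
# sourceanalyzer -b BUILD_ID \
#   -exclude "$(fortify_exclude_arg "$sep" '**/Test/*.java' 'build/**/*.class' /path/to/vendor)" ...
```

Quote the patterns so the shell does not expand the `**` globs before sourceanalyzer sees them; the quoting in the usage line above does that.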