Fortify SCA Scanning Guide
码德信息技术有限责任公司 (57 slides). Know your code. Trust your code.

Topics
- Fortify SCA components
- The Fortify SCA source code analysis process
- SCA scan commands explained
- Translating source code with SCA
- SCA project scanning labs

The source code analysis process
Phase 1: the source code is translated into SCA's internal format.
Phase 2: the analysis engine analyzes the translated code.
    sourceanalyzer -b <build_id> -clean
    sourceanalyzer -b <build_id> <files>
    sourceanalyzer -b <build_id> -scan -f <output file>

SCA scan commands explained
To list the SCA scan commands and their parameters:
    sourceanalyzer -help

Translating source code with SCA
- Translating Java code: Java command-line syntax, Java command-line examples, translating J2EE applications, using FindBugs
- Translating .NET source code: Visual Studio .NET version 2003, Visual Studio .NET version 2005
- Translating C/C++ code
- Translating PL/SQL and T-SQL
- Translating ColdFusion code

Java command-line syntax
    sourceanalyzer -b <build_id> -cp <classpath> <files>
    sourceanalyzer -b <build_id> javac <javac options>

Java command-line examples
To translate a single file with j2ee.jar on the classpath, enter:
    sourceanalyzer -b MyServlet -cp lib/j2ee.jar <file>
To translate all .java files in the src directory using all jar files in the lib directory as the classpath:
    sourceanalyzer -b MyProject -cp lib/*.jar src/*/*.java
To translate the files while running the javac compiler:
    sourceanalyzer -b mybuild javac -classpath <classpath> <files>

Using the Compiler Adapter
Fortify SCA ships an Ant compiler adapter that integrates Java translation with Ant tasks, so Java files can be translated directly from the command line with Ant. To use it, the following must be set up:
- The sourceanalyzer executable must be on the system PATH.
- The adapter jar (located in Core/lib) must be on Ant's classpath.
- The Ant compiler property must be set to the Fortify adapter.
- The build-ID property must be set to the build ID.
    ant -D<compiler property>=<Fortify adapter> -D<build-ID property>=mybuildid -lib <Fortify install dir>/Core/lib/

Translating J2EE applications
Translating a J2EE application means analyzing the Java source files together with the J2EE components: JSP files, deployment descriptors, configuration files and so on.
1. Translate the Java files (from the command line or with the Ant compiler adapter).
2. Translate the JSP files. Refer to the sample below.
3. Process the configuration files. An example is:
    sourceanalyzer -b my_buildid <configuration files>

Translating JSP files
Where the JSP files come from:
- Web Application Archive (WAR) layout
- deployment directory
Make sure the tag libraries (for example JSTL) are in the WEB-INF/lib directory, and use the JSP compiler for that application server.
Specify the J2EE options:
- appserver: supported values are weblogic and websphere
- appserver-home: for WebLogic, the path to the directory containing the server/lib directory; for WebSphere, the path to the directory containing the bin/JspBatchCompiler script
- appserver-version: supported values are WebLogic versions 7 and 8 and WebSphere version 6
    sourceanalyzer -b my_buildid -cp WEB-INF/lib/*.jar WEB-INF/*/*.jsp

Translating a J2EE application in one pass
Put all of the project's files and libraries in one directory and run:
    sourceanalyzer -Xmx600M -b SCA-setvontraining -encoding UTF-8 -cp */*.jar .
    sourceanalyzer -Xmx600M -b SCA-setvontraining -scan -f <output file>

Using FindBugs
FindBugs is a static analysis tool that detects quality problems in Java code. FindBugs and SCA can be run together to find both quality and security problems. Scan the sample with FindBugs and Fortify SCA as follows:
    sourceanalyzer -b findbugs_sample -java-build-dir build <files>
    sourceanalyzer -b findbugs_sample -filter <filter file> -scan -findbugs -f <output file>

Translating .NET source code
- Visual Studio .NET version 2003
- Visual Studio .NET version 2005
- Visual Studio .NET command line
Configure the Fortify plug-in for VS2003/VS2005 in the Visual Studio start-up options, then translate using the VS solution file:
    sourceanalyzer -b my_buildid -c devenv <solution file> /REBUILD
    sourceanalyzer -b my_buildid -scan -f <output file>

Translating .NET applications with the Fortify Visual Studio plug-in
- Configure the environment
- Analyzers and rules
- Memory usage
- Press the Fortify button to analyze the project

Translating simple .NET applications
Method 1: click the Fortify button in Visual Studio; the project is analyzed directly.
Method 2: use the Windows command line.
1. Open Sample1\Sample1.sln in Microsoft Visual Studio .NET.
2. Do Build > Build Solution.
3. This produces the executable Sample1\Sample1.exe.
4. Start a command prompt window, cd to this directory (Sample1) and run:
    sourceanalyzer -Xmx800M -vsversion 8.0 Sample1.exe -debug -logfile <log file> -scan -f vs2005way1.fvdl   # scan the Visual Studio .NET 2005 project
    sourceanalyzer -vsversion 7.1 Sample1.exe -Xmx800M -debug -logfile <log file> -scan -f vs2003way1.fvdl   # scan the Visual Studio .NET 2003 project
Method 3: use the Visual Studio 2005/2003 command-line interface.
1. Start a Visual Studio 2005/2003 command prompt.
2. Go to this directory (VS2005Sample1) and run the following commands:
    sourceanalyzer -b sampleID -c devenv Sample1.sln /rebuild debug
    sourceanalyzer -Xmx800M -b sampleID

Translating ASP.NET 1.1 (Visual Studio version 2003) projects
- With the Fortify SCA plug-in for VS2003: press the "Fortify" button and the analysis runs automatically.
- From the command line: refer to "Translating ASP.NET 1.1 (Visual Studio Version 2003) Projects".

Translating C/C++ code
- C and C++ command-line syntax
- C and C++ command-line examples
- Integrating with Make

C and C++ command-line syntax
    sourceanalyzer -b <build_id> -c <compiler> <compiler options> <file>
<compiler> is the name of the compiler you want to use during the project build scan, such as gcc or cl.
<compiler options> are the options passed to the compiler that are normally used to compile the file.

C and C++ command-line examples
To translate a file using the gcc compiler, enter:
    sourceanalyzer -b my_buildid gcc <file>

Integrating with Make
- Using the Fortify Touchless Build Adapter
- Modifying a Makefile to invoke Fortify SCA

Using the Fortify Touchless Build Adapter
    sourceanalyzer -b <build_id> make

Modifying a Makefile to invoke Fortify SCA
To modify a makefile to invoke Fortify SCA, replace any calls to the compiler, archiver or linker in the makefile with calls to Fortify SCA. These tools are typically specified in dedicated variables in the makefile, as in the following example:
    CC=gcc
    CXX=g++
    AR=ar
The change can be as simple as prefixing these tool references with Fortify SCA and the appropriate options:
    CC=sourceanalyzer -b mybuild -c gcc
    CXX=sourceanalyzer -b mybuild -c g++
    AR=sourceanalyzer -b mybuild -c ar
For a Visual C++ project built with msdev:
    sourceanalyzer -b my_buildid msdev <project file> /BUILD

Translating PL/SQL
- PL/SQL command-line syntax
- PL/SQL command-line examples

PL/SQL command-line syntax
Enter the following to translate PL/SQL source code:
    sourceanalyzer -b <build_id> <files>
where <build_id> specifies the build ID for the project and <files> specifies the PL/SQL source code files.

PL/SQL command-line examples
Translating two PL/SQL files:
    sourceanalyzer -b MyProject <file1> <file2>
Translating all PL/SQL files under the sources directory:
    sourceanalyzer -b MyProject sources/*/*.pks
Note: by default, .sql files are assumed to be T-SQL rather than PL/SQL on Windows platforms. If you are using Windows and have PL/SQL files with the .sql extension, configure sourceanalyzer to treat them as PL/SQL. To change the default behaviour, set the property in the fortify- properties file to TSQL or PLSQL.

Translating T-SQL
- T-SQL command-line syntax
- T-SQL command-line examples

T-SQL command-line syntax
Enter the following to translate T-SQL source code:
    sourceanalyzer -b <build_id> <files>
where <build_id> specifies the build ID for the project and <files> specifies the T-SQL source code files.

T-SQL command-line examples
Translating two T-SQL files:
    sourceanalyzer -b MyProject <file1> <file2>
Translating all T-SQL files under the sources directory:
    sourceanalyzer -b MyProject sources\*.sql

Translating ColdFusion code
- ColdFusion command-line syntax
- ColdFusion command-line examples

ColdFusion command-line syntax
Enter the following to translate ColdFusion source code:
    sourceanalyzer -b <build_id> -source-base-dir <dir> <files>
where <build_id> specifies the build ID for the project, <dir> specifies the root directory of the web application and <files> specifies the CFML source code files.
Note: Fortify SCA calculates the relative path to each CFML source file using the -source-base-dir directory as the starting point, and then uses these relative paths when generating instance IDs. If the entire application source tree is moved to a different directory, the instance IDs generated by a security analysis remain the same as long as you specify an appropriate value for -source-base-dir.

ColdFusion command-line examples
Translating two CFML files:
    sourceanalyzer -b MyProject <file1> <file2>
Translating all CFML files under the C:\MySite directory:
    sourceanalyzer -b MySite -source-base-dir C:\MySite C:\MySite\*.cfm

VC6.0 lab: using the VC6.0 dsp/dsw file
Import the project into the development environment and make sure that every file compiles and the project builds. Exit VC6.0, open a Windows command prompt, go to the project directory and run:
1.  sourceanalyzer -b BuildID -c msdev <project file> /MAKE /clean
2.  sourceanalyzer -b BuildID -c msdev <project file> /MAKE /REBUILD
3.  sourceanalyzer -b BuildID -scan -f <output file>
4. Open the .fvdl file in Fortify Audit Workbench and audit the software security weaknesses. When the audit is finished, save the audit results as an .fpr file.
5. Import the .fpr or .fvdl file into Fortify Manager to view the analysis report and manage risk.

VC6.0 lab: example
Use the VC6.0 dsw/dsp file to scan the project. Go to the project directory and run:
1.  sourceanalyzer -b mytest -c msdev <project file> /MAKE /clean
2.  sourceanalyzer -b mytest -c msdev <project file> /MAKE /REBUILD
3.  sourceanalyzer -b mytest -scan -f <output file>
You then get the output file.

VC6.0 lab: scanning a project with a VC6.0 makefile
Step 1: in the makefile, replace all invocations of cl and link with:
    sourceanalyzer -b cpptest -c cl
    sourceanalyzer -b cpptest -c link
Step 2: on the command line:
    nmake -f <makefile> clean
    nmake -f <makefile>
Step 3:
    sourceanalyzer -b cpptest -scan -f <output file>

Java/J2EE lab: using the Fortify SCA plug-in for Eclipse
- Install SCASDE-41.0.0.0153-ECLIPSE-3-WIN.zip.
- Import the Java project into Eclipse.
- Make sure the supplied project source is complete and all referenced libraries are present; ideally the project should compile and build in the IDE.
- Configure the Fortify SCA Eclipse plug-in settings.
- Press the Fortify scan button to analyze the project.
- Upload the scan results to Fortify Manager.

Java/J2EE lab: scanning from the Windows command line
Install the Fortify SCA enterprise edition: SCASEE-41.0.0.0153-WIN.zip. Put all of the project's files and libraries in one directory and run:
    sourceanalyzer -Xmx600M -b SCA-setvontraining -encoding UTF-8 -cp */*.jar .
    sourceanalyzer -Xmx600M -b SCA-setvontraining -scan -f <output file>

Java/J2EE lab: scanning with Ant
    ant -D<compiler property>=<Fortify adapter> -D<build-ID property>=mybuildid -lib <Fortify install dir>/Core/lib/

.NET lab: using the Fortify SCA plug-in for VS2003/VS2005
- Install the plug-in: SCASDE-41.0.0.0153-VS.NET-2005-WIN.zip.
- Set the SCA scan configuration.
- Click the Fortify button to analyze the project.

.NET lab: using the Windows command line
Install the Fortify SCA enterprise edition: SCASEE-41.0.0.0153-WIN.zip. Import the project into the development environment and make sure that every file compiles and the project builds.
1. Open Sample1\Sample1.sln in Microsoft Visual Studio .NET.
2. Do Build > Build Solution.
3. This produces the executable Sample1\Sample1.exe.
4. Start a command prompt window, cd to this directory (Sample1) and run:
    sourceanalyzer -Xmx800M -vsversion 8.0 Sample1.exe -debug -logfile <log file> -scan -f vs2005way1.fvdl   # scan the Visual Studio .NET 2005 project
    sourceanalyzer -vsversion 7.1 Sample1.exe -Xmx800M -debug -logfile <log file> -scan -f vs2003way1.fvdl   # scan the Visual Studio .NET 2003 project

.NET lab: using the Visual Studio 2005/2003 command-line interface
1. Start a Visual Studio 2005/2003 command prompt.
2. Go to this directory (VS2005Sample1) and run the following commands:
    sourceanalyzer -b sampleID -c devenv Sample1.sln /rebuild debug
    sourceanalyzer -Xmx800M -b sampleID

C/C++ project lab on Linux/Unix
Configure the environment so that the Fortify SCA install directory is on the current user's PATH:
    export PATH=<Fortify install directory>:$PATH
Make sure the project builds normally with the make command.

Integrating with a Makefile
1. Edit the Makefile to invoke the SCA engine during the build. An easy way is to locate the CC variable and insert the sourceanalyzer command and any options before the actual compiler name. Consider the following Makefile segment:
    # Tools

    CC = gcc
    AR = ar sr
    LINK = ld

    # Options
The following shows the changes to the Makefile:
    # Tools: introduced sourceanalyzer command and
    # buildid/projectid=345

    CC = sourceanalyzer -b 345 -c gcc
    AR = sourceanalyzer -b 345 -c ar sr
    LINK = sourceanalyzer -b 345 -c ld

    # Options
2. Run the build as you normally would, then follow it with the command that performs the actual security scan, referencing the build ID:
    $ make ; sourceanalyzer -scan -b 345 -f <output file> -format fvdl

Fortify SCA Java/J2EE project scanning
Java environment preparation
- Hardware requirements: CPU 1G, RAM 1G, CD-ROM/DVD drive.
- Software requirements: a development environment and the Fortify SCA for Java install packages: enterprise edition, and the Eclipse developer edition CCB training\SCA install\SCASDE-41.5.0.0337-ECLIPSE-3-WIN-XP-2000.
- Installation guides: WIN-XP-2000 enterprise edition; Eclipse developer edition.
Java test project requirements
- Make sure every project file compiles with the Java compiler.
- Make sure all of the project's configuration files are present: JSP, *.xml, *.jar.
SCA command-line analysis commands
    sourceanalyzer -Xmx600M -b SCA-splc -clean
    sourceanalyzer -Xmx600M -b SCA-splc -debug -logfile <log file> -encoding UTF-8 -cp */*.jar .
    sourceanalyzer -Xmx600M -b SCA-splc -scan -f <output file> -debug -logfile <log file>
View the scan results.

Thank you! Corrections are welcome!
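The Makefile edit described in both "Modifying a Makefile to invoke Fortify SCA" and the "Integrating with a Makefile" lab step above, as an added example that is not part of the slide deck and not Fortify's own tooling: a POSIX sh helper that prefixes the CC/CXX/AR/LINK/LD tool variables with `sourceanalyzer -b <build id> -c`, keeps the untouched makefile as a backup, and refuses to double-wrap a line on a second run. It assumes `sed -E` (GNU or BSD), the variable names listed above, and the slide's build ID 345 for the demo; sourceanalyzer itself is never executed, so the script runs without Fortify installed.

```shell
#!/bin/sh
# Added example (not from the slide deck or from Fortify): route every
# compiler, archiver and linker call of a Makefile through the SCA
# translator by rewriting the tool variables in place.

# wrap_makefile <makefile> <build id>
# Copies the original to <makefile>.orig, then rewrites lines such as
#   CC = gcc      ->  CC = sourceanalyzer -b <id> -c gcc
#   CXX := g++    ->  CXX := sourceanalyzer -b <id> -c g++
# Only CC, CXX, AR, LINK and LD are touched (CFLAGS, LDFLAGS etc. are not),
# and lines already mentioning sourceanalyzer are skipped, so the function
# is safe to run more than once.
wrap_makefile() {
    mk="$1"
    id="$2"
    cp "$mk" "$mk.orig" || return 1
    sed -E "/sourceanalyzer/!s/^([[:space:]]*(CC|CXX|AR|LINK|LD)[[:space:]]*:?[?]?=[[:space:]]*)/\1sourceanalyzer -b $id -c /" \
        "$mk.orig" > "$mk"
}

# tool_value <makefile> <VAR>
# Prints the value assigned to VAR (first assignment only), which lets you
# confirm the rewrite before kicking off the build.
tool_value() {
    sed -nE "s/^[[:space:]]*$2[[:space:]]*:?[?]?=[[:space:]]*//p" "$1" | head -n 1
}

# Demo on a constructed Makefile fragment mirroring the slide's example.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '# Tools' '' 'CC = gcc' 'AR = ar sr' 'LINK = ld' '' \
        '# Options' 'CFLAGS = -O2' > "$d/Makefile"
    wrap_makefile "$d/Makefile" 345
    cat "$d/Makefile"
    # After "make" completes, the scan step from the slide is run against the
    # same build ID: sourceanalyzer -scan -b 345 -f <output file> -format fvdl
}
```

Run `demo` to see the rewritten fragment; in a real project, diff `Makefile` against `Makefile.orig` after wrapping and check that only the tool variables changed, since any compiler call that bypasses the wrapped variables is simply invisible to the scan.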