Analyzing code vulnerabilities with Fortify SCA: the complete walkthrough

ID MYHACK58:62201448921
Type myhack58
Reporter Anonymous (佚名)
Modified 2014-06-07T00:00:00


The previous article described using FindBugs to assist code vulnerability analysis; this time the tool is Fortify SCA Demo 4.0.0. Fortify is a well-known company in the security field, so there is not much to say about it. First, the protagonist: Fortify SCA Demo 4.0.0. I do not know what the current Fortify SCA version is, but what is certain is that Fortify SCA Demo 4.0.0 is a fairly old release of the Fortify SCA analyzer, and a demo version at that, so both its interface and its functionality are relatively simple. Since Fortify SCA is not an open-source tool, it is not offered for download here; anyone can apply for it on the Fortify homepage.

This demo uses Fortify SCA for static analysis of Java code. Unlike FindBugs, Fortify SCA can also statically analyze C/C++, .NET, PL/SQL and other code.

I. Fortify SCA static analysis principles

Since I am not the one who wrote this thing, and my time working with the tool has also been limited, my understanding of its working principle is relatively shallow; much of it comes from its documentation.

Fortify SCA static analysis works in two stages:

  1. Translation: source code in the various supported languages is converted into a uniform intermediate language.

  2. Analysis: the intermediate code is analyzed for code vulnerabilities, and the report is produced from it.

Fortify has many language translators, but there is only one set of core static analysis engine code.

II. Using Fortify SCA

First, look at the Fortify SCA Demo 4.0.0 directory:


This is the Fortify SCA Demo 4.0.0 directory. There are two main files here: auditworkbench.cmd and sourceanalyzer.exe. auditworkbench.cmd is the tool for viewing static analysis reports, and sourceanalyzer.exe is the static code analyzer. We also see a FindBugs directory here, because this version of Fortify integrates that function: you can pass parameters to sourceanalyzer.exe to have it call FindBugs. I generally don't do that, though; if you can use FindBugs directly, why call it through sourceanalyzer.exe?

To start the static analysis scan, first open CMD in the Java source code directory and run "H:\Fortify\sourceanalyzer.exe -classpath "*/.jar" -f test.fpr". The results report, test.fpr, is produced in the current directory.

Open test.fpr with auditworkbench; the result looks like this:


Here auditworkbench is divided into 4 main parts:

  1. Upper left (Issues): the warning classification. Fortify divides issues into three groups, with severity from high to low: hot, warning and info. Below that is the list of problems found by the scan; double-click an entry to locate the problem code.

  2. Upper right: the source code. Double-clicking an entry in the problem list positions the code automatically.

  3. Lower left (Analysis Trace): the trace information for the problem, which tells you in which file and on which lines the problem occurs.
