HP- Fortify Tool

Fortify is a SCA used to find the security vulnerabilities in software code.

Fortify SCA supports scanning Objective-C and Swift for iOS and about 20 other languages and numerous frameworks. See more in the Fortify SCA Data Sheet:

https://www.hpe.com/h20195/V2/GetPDF.aspx/4AA5-6055ENW.pdf

http://www8.hp.com/us/en/software-solutions/application-security-testing/index.html

down voteaccepted

HP Fortify SCA has 6 analyzers: data flow, control flow, semantic, structural, configuration, and buffer. Each analyzer finds different types of vulnerabilities. Data Flow This analyzer detects potential vulnerabilities that involve tainted data (user-controlled input) put to potentially dangerous use. The data flow analyzer uses global, inter-procedural taint propagation analysis to detect the flow of data between a source (site of user input) and a sink (dangerous function call or operation). For example, the data flow analyzer detects whether a user-controlled input string of unbounded length is being copied into a statically sized buffer, and detects whether a user controlled string is being used to construct SQL query text. Control Flow This analyzer detects potentially dangerous sequences of operations. By analyzing control flow paths in a program, the control flow analyzer determines whether a set of operations are executed in a certain order. For example, the control flow analyzer detects time of check/time of use issues and uninitialized variables, and checks whether utilities, such as XML readers, are configured properly before being used. Structural This detects potentially dangerous flaws in the structure or definition of the program. For example, the structural analyzer detects assignment to member variables in Java servlets, identifies the use of loggers that are not declared static final, and flags instances of dead code that will never be executed because of a predicate that is always false. Semantic This analyzer detects potentially dangerous uses of functions and APIs at the intra-procedural level. Basically a smart GREP. Configuration This analyzer searches for mistakes, weaknesses, and policy violations in an application's deployment configuration files. Buffer This analyzer detects buffer overflo

F

Jenkins / Fortify Integration

Fortify SCA

Static Code Analyzer runs scans over code and ships results to SSC. SCA is a command-line application.

Fortify SSC

Software Security Center stores, processes, and displays SSC results. SSC is a web application.

SSC Setup

1. Navigate to $HOST:8080/ssc and log into SSC.
2. Click "Administration", "Configuration", and "Webservices"
3. Check "Allow Token Authentication"
4. Restart the server (Stop/Start Tomcat for me)
5. Launch Powershell and cd to Fortify tools directory, something like ...\HP-Fortify-Server-WAR\Tools\fortifyclient\bin
6. Generate an Authentication token. Replace $HOST and $USER and run the following command: ./fortifyclient -url http://$HOST:8080/ssc token -gettoken AnalysisUploadToken -user $USER Note: The user must have sufficient privileges, you will be asked for a password.
7. Retrieve and remember the resulting $TOKEN
8. Navigate back to the root of Fortify SSC and click "New Application". Later we will need both "Application Name" and "Application Version".

Jenkins

Jenkins Setup

Jenkins must run Fortify SCA on all worker nodes. Jenkins will ship SCA results to SSC.

Install Fortify SCA on all Jenkins worker boxes.

Jenkins Plugin Setup

The HP Fortify SSC install media bundle contains a compatible Jenkins plugin: HP_Fortify_Jenkins_Plugin_4.40.hpi.

1. Load Jenkins in your browser and navigate to the "Manage Plugins" page and upload the above plugin into Jenkins.
2. Navigate to "Configure System" page and locate the "HP Fortify Assessment" section.
3. Specify "URL": http://$HOST:8080/ssc
4. For "Authentication Token" paste the $TOKEN from above.
5. Navigate to a Jenkins project and click "Configure"
6. Add a new build step "Execute Windows Batch Command" and add the Scan Steps code example from below to perform an SCA scan. Replace $BUILD_ID with an appropriate value.
7. Add a new post-build action "HP Fortify Assessment", set "FPR Filename" = Assessment.fpr. Set "Project Name" and "Project Version" to existing values from SSC.

Scan Steps:

cd "C:\Program Files\HP_Fortify\HP_Fortify_SCA_and_Apps_4.40\bin"
.\sourceanalyzer.exe -b $BUILD_ID -clean
.\sourceanalyzer.exe -b $BUILD_ID %WORKSPACE%
.\sourceanalyzer.exe -b $BUILD_ID -scan -64 -verbose -Xmx6G -format "fpr" -f "%WORKSPACE%\Assessment.fpr"
.\ReportGenerator -template "DeveloperWorkbook.xml" -format "pdf" -f "%WORKSPACE%\Assessment.pdf" -source  "%WORKSPACE%\Assessment.fpr"

Scan steps will probably change depending on your project.

At this point, Jenkins will execute a Fortify SCA scan as a build-step. The results of the scan are saved locally, then uploaded to Fortify SSC as a post-build step. You can view Fortify scan results in SSC at http://$HOST:8080/ssc.

Benchmarks

SCA accepts many configuration flags. We use some above to help speed up SCA scans. There are many more that, when understood, should allow SCA scans to become faster.

As-is, here are some timings for known OSS projects. I suspect these times could be lowered with further configuration.

• Elastic Search : 5 hours
• Teammates : 1 hour

Notes:

• SCA Help describes command-line use: sourceanalyzer -h
• -64: 64 bit mode
• Xmx6G: use 6 gigs of memory
• format: fpr is Fortify native format
• %WORKSPACE% is a Jenkins ENV Variable

Plugin Note: There are a number of non-applicable Jenkins Plugins available online, don't use them:

• Fortify 360 post-processing and uploading to Fortify 360, an older version of SSC.
• Fortify CloudScan Plugin is for a different kind of on-prem setup
• Fortify On Demand Uploader Plugin is for "On Demand", Fortify's SaaS.