Fortify Source Code Analysis Tools
Dr. Hyunju Kim, Jackson State University 08/2012
Fortify Source Code Analysis
Fortify Source Code Analysis features two tools which will be covered in the following modules.
• Fortify Source Code Analyzer (SCA) performs a static analysis of Java or C/C++ source code.
• Audit Workbench allows a user to review the results of a static analysis.
Fortify SCA
The Fortify SCA tool will perform a static analysis on a set of source-code input files.
The command-line tool will alert the user to any vulnerabilities or flaws in the program being analyzed.
The tool can analyze either a single file, or an entire application consisting of many files.
Audit Workbench
The Audit Workbench allows a user to review a completed audit.
Results can be fine-tuned so that only specific types of issues are flagged.
The user can also create custom rules for audits which will allow the program to check for various things the user may want to find.
Audit Workbench (cont.)
The Fortify SCA will check code for a number of vulnerabilities and evaluate the threat they pose with the following categories:
• Reliability issue
• Bad practice
• Suspicious
• Dangerous
• Exploitable
• Exploit available
Invoking SCA
The Fortify Source Code Analyzer tool can be run from the command-line in Windows and Linux.
The command to run the analyzer is "sourceanalyzer" followed by the name of a source-code file to analyze.
SCA Options
There are a number of command-line options which control the sourceanalyzer tool.
-f <file> : specifies the name of an output file to create
-html-report : creates an HTML file which provides a brief summary of the report
-scan : runs the analysis portion of the source code analyzer
-findbugs : runs the FindBugs utility
-rules <rules-file> : specifies a particular rule pack to use
SCA Options (cont.)
Example uses:
sourceanalyzer *.java
- runs the source analyzer on all .java files in the current directory
sourceanalyzer Example.java -rules CustomRules.xml -f Report.fpr
- runs the source analyzer on Example.java using the custom rulepack CustomRules.xml and creates a report named Report.fpr
sourceanalyzer Example.java -findbugs -html-report
- runs the source analyzer and the FindBugs application on Example.java and creates an HTML report
SCA Output
The source code analyzer prints out a set of data for each issue discovered in the source code.
There are four types of issues that can be found:
• semantic
• dataflow
• control flow
• structural
Semantic Issue Output
The output for a semantic issue follows the format:
[# : Severity : Vulnerability Category : Vulnerability Subcategory : Analyzer]
Filename ( Line Number ) : Vulnerable Method
An example of this is:
[831A38F81AC0FB : medium : System Information Leak : semantic]
Example.java(58) : Throwable.printStackTrace()
(in this case, the System Information Leak does not have a subcategory)
This issue is the result of calling an exception’s printStackTrace() method which will print out information about the call stack causing the error. Making this information available is generally not a good idea, as it may give an attacker information about the system.
Dataflow Issue Output
The output for a dataflow issue follows the format:
[ # : Severity : Vulnerability Category : Analyzer ]
Filename ( Line Number ) : -> Sink
Filename ( Line Number ) : <=> Pass-Through
Filename ( Line Number ) : <- Source
An example of this is:
[B81E3811678D1 : high : SQL Injection : dataflow ]
Example.java (38) : -> Statement.executeUpdate(0)
Example.java (24) : <=> (this.query)
Example.java (24) : <- ServletRequest.getParameter(return)
This issue is the result of data being taken directly from the input at line 24 (source), being placed in a query at line 24 (pass-through) and being executed as-is at line 38 (sink). The data was not sanitized at any time between being taken from the input and being executed, which leaves the system vulnerable to SQL injection attacks.
Control Flow Issue Output
The output for a control flow issue follows the format:
[ # : Severity : Vulnerability Category : Analyzer ]
Filename ( Line Number ) : Start State : End State : Transition Expression
Filename ( Line Number ) : Start State : End State : Transition Expression
An example of this is:
[5838DC1A38B : medium : Unreleased Resource : control flow ]
Example.java (15) : start -> connection : conn = getConnection(…)
Example.java (32) : connection -> end_of_scope : #end_scope(conn)
This issue is a result of a resource (conn) being allocated but never released. At line 15, conn goes from the start state to the connection state. At line 32, conn goes from the connection state to the end_of_scope state, because it has reached the end of its scope, but the resource was not released before the object disappeared.
Structural Issue Output
The output for a structural issue follows the format:
[ # : Severity : Vulnerability Category : Vulnerability Subcategory : Analyzer ]
Filename ( Line Number )
Field Declaration
An example of this is:
[389A95C0581E : high : Password Management : Empty Password : structural ]
Example.java (18)
Variable: password [Example.java (18)]
This issue is the result of a string variable named "password" being created as an empty string (String password = "";). It is not a good idea to allow password strings to start out empty. It would be better to use (String password;) and wait to create the string until it was actually needed.
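The four output formats above (semantic, dataflow, control flow and structural) share one shape: a bracketed header followed by one or more "Filename ( Line )" detail lines. The parser below is an added example, not part of the original slides or of Fortify itself; it turns that text into records so that, for instance, a dataflow finding can be replayed source -> pass-through -> sink. The sample input is constructed from the slide examples, not captured from a real sourceanalyzer run.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional
HEADER_RE = re.compile(r"^\[\s*(.*?)\s*\]$")                  # [id : sev : cat [: sub] : analyzer]
LOC_RE = re.compile(r"^(\S+?)\s*\((\d+)\)\s*(?::\s*(.*))?$")    # Filename ( Line ) [: detail]
DATAFLOW_ROLE = {"->": "sink", "<=>": "pass-through", "<-": "source"}   # markers from the slides

@dataclass
class Issue:
    issue_id: str
    severity: str
    category: str
    subcategory: Optional[str]
    analyzer: str
    locations: List[Dict[str, object]] = field(default_factory=list)
    notes: List[str] = field(default_factory=list)   # e.g. "Variable: password [...]"

def parse_sca_output(text: str) -> List[Issue]:   # handles all four issue kinds
    issues: List[Issue] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line: continue
        head = HEADER_RE.match(line)
        if head:
            parts = re.split(r"\s*:\s*", head.group(1))
            if len(parts) == 4: parts.insert(3, None)   # no subcategory (dataflow, control flow)
            if len(parts) != 5: raise ValueError(f"unrecognised header: {line}")
            issues.append(Issue(*parts))
        elif not issues: raise ValueError(f"detail line before any header: {line}")
        elif loc := LOC_RE.match(line):
            detail = loc.group(3) or ""
            role = DATAFLOW_ROLE.get(detail.split(" ", 1)[0])   # None unless a dataflow marker
            issues[-1].locations.append({"file": loc.group(1), "line": int(loc.group(2)), "role": role, "detail": detail})
        else:
            issues[-1].notes.append(line)   # structural "Variable: ..." lines and similar
    return issues

def dataflow_path(issue: Issue) -> List[int]:   # line numbers ordered source -> pass-through -> sink
    order = {"source": 0, "pass-through": 1, "sink": 2}
    return [loc["line"] for loc in sorted(issue.locations, key=lambda loc: order.get(loc["role"], 9))]
SAMPLE = """\
[B81E3811678D1 : high : SQL Injection : dataflow ]
Example.java (38) : -> Statement.executeUpdate(0)
Example.java (24) : <=> (this.query)
Example.java (24) : <- ServletRequest.getParameter(return)
[389A95C0581E : high : Password Management : Empty Password : structural ]
Example.java (18)
Variable: password [Example.java (18)]
"""   # constructed sample modelled on the slide examples, not real tool output
```

Running parse_sca_output(SAMPLE) yields two Issue records; dataflow_path on the first returns [24, 24, 38], the same source, pass-through and sink lines the slide walks through.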
Invoking Audit Workbench
The Audit Workbench can be started either by selecting it from the start menu (Windows) or by typing "auditworkbench" at the command-line (Windows or Linux).
Turning Warnings On or Off
One convenient feature of the Audit Workbench is the ability to turn warnings on or off for specific types of issues using the AuditGuide.
The AuditGuide displays a number of types of issues in a menu on the left side of the screen, and any of these can be turned off or on by selecting "Suppress issues…" or "Warn me about …", respectively.
Turning Warnings On or Off (cont.)
The Built-in Editor
Printing Audit Reports
The Audit Workbench allows the user to create a report about the audit and save it as any of several file types (.doc, .html, .xml, and more).
Printing Audit Reports (cont.)
(Figure: excerpt of a .html report created by Audit Workbench)