
HP Fortify Static Code Analyzer

Software Version 4.10

Installation and Configuration Guide

Document Release Date: April 2014

Software Release Date: April 2014

Legal Notices

Warranty

The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

The information contained herein is subject to change without notice.

Restricted Rights Legend

Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.

Copyright Notice

© Copyright 2014 Hewlett-Packard Development Company, L.P.

Documentation Updates

The title page of this document contains the following identifying information:

• Software Version number

• Document Release Date, which changes each time the document is updated

• Software Release Date, which indicates the release date of this version of the software

To check for recent updates or to verify that you are using the most recent edition of a document, go to:

http://h20230.www2.hp.com/selfsolve/manuals

This site requires that you register for an HP Passport and sign in. To register for an HP Passport ID, go to:

http://h20229.www2.hp.com/passport-registration.html

You will also receive updated or new editions if you subscribe to the appropriate product support service. Contact your HP sales representative for details.

Part Number: 1-181-2014-04-410-01

Contents

Preface .... iv
  HP Fortify Software Contact .... iv
    Technical Support .... iv
    Corporate Headquarters .... iv
    Website .... iv
  About the HP Fortify Software Security Center Documentation Set .... iv

Change Log .... v

Chapter 1: Introduction .... 6
  Intended Audience .... 6
  The HP Fortify Software Security Center Components .... 6
  Related Documents .... 7

Chapter 2: Installation .... 8
  About Downloading the Software .... 8
  About Installing the HP Fortify Static Code Analyzer Suite .... 8
    Launching the Installation .... 8
    Migrating from a Previous SCA Installation .... 8
    Updating SCA Rulepacks .... 9
    Installing the HP Fortify Plugin for Eclipse .... 9
  About the Post-Installation Tasks .... 9
    Running the Post-Install Tool .... 9
    Migrating Properties Files .... 10
    Specifying a Locale .... 10
    Specifying a Proxy Server for Rulepack Updates .... 10
    Updating the Rulepack .... 11
  Registering the ASPNET User .... 11
  Uninstalling HP Fortify Static Code Analyzer .... 11
    Uninstalling on Windows Platforms .... 11
    Uninstalling on Other Platforms .... 11

Chapter 3: Configuration Options .... 12
  About Software Security Center Properties Files .... 12
  About the Ordering of Properties Files .... 13
  fortify.properties Configuration Options .... 14
  fortify-sca.properties Configuration Options .... 16
  fortify-sca-quickscan.properties Configuration Options .... 17
  fortify-ide.properties Configuration Options .... 22

Preface

This guide describes how to install the HP Fortify Static Code Analyzer family of analyzers and applications.

HP Fortify Software Contact

If you have questions or comments about any part of this guide, contact HP Fortify Software at:

Technical Support

650.735.2215

fortifytechsupport@hp.com

Corporate Headquarters

Moffett Towers
1140 Enterprise Way
Sunnyvale, CA 94089

650.358.5600

contact@fortify.com

Website

http://www.hpenterprisesecurity.com

About the HP Fortify Software Security Center Documentation Set

The HP Fortify Software Security Center documentation set contains installation, user, and deployment guides for all HP Fortify Software Security Center products and components. It also includes technical notes and release notes that describe new features, known issues, and last-minute updates. The latest versions of these documents are available on the HP Software Product Manuals site:

http://h20230.www2.hp.com/selfsolve/manuals

Change Log

The following table tracks changes made to this guide.

Software Release-version / Date / Change

3.90-01 / 4/9/2013 / Change Log and Introduction added.

4.10-01 / 3/23/2014 / Updated release information.

Chapter 1: Introduction

This document contains installation and configuration instructions for HP Fortify Static Code Analyzer.

Intended Audience

This installation guide is intended for individuals who are responsible for installing or uninstalling the HP Fortify Static Code Analyzer suite of analyzers and application components. This guide also details basic post-installation tasks and configuration options.

Refer to the HP Fortify Software Security Center System Requirements document to ensure that your system meets the minimum requirements for each software component installation.

Note: This document does not cover the installation process for HP Fortify Software Security Center (Software Security Center). HP Fortify Software Security Center requires a separate installation procedure, which can be found in the HP Fortify Software Security Center Installation and Configuration Guide. Download this document from the HP Software Product Manuals site: http://support.openview.hp.com/selfsolve/manuals.

The HP Fortify Software Security Center Components

An HP Fortify Software Security Center installation consists of one or more of the following analyzers:

• HP Fortify Static Code Analyzer: Analyzes your build code according to a set of rules specifically tailored to provide the information necessary for the type of analysis performed.

• HP Fortify Runtime Application Protection: Monitors and protects deployed applications from common attacks, unintended use, and targeted hacking. In addition, best security practices, such as input verification and proper exception handling, can be consistently applied to deployed applications.

• HP Fortify SecurityScope: Identifies vulnerabilities in pre-deployment applications during the QA phase, preventing exposure to security flaws before they are exploited.

An HP Fortify Software Security Center installation may also include one or more of the following application tools:

• HP Fortify Audit Workbench: provides a graphical user interface for HP Fortify Static Code Analyzer that helps you organize, investigate, and prioritize analysis results so that security flaws can be fixed quickly.

• HP Fortify Plugin for Eclipse: integrates with the Eclipse development environment and adds the ability to scan and analyze the entire code base of a project and apply hundreds of software security rules that identify the vulnerabilities in your Java code. The results are displayed within the IDE, along with descriptions of each of the security issues and suggestions for their elimination.

• HP Fortify Eclipse Remediation Plug-in: integrates with the Eclipse development environment. The Eclipse Remediation Plug-in is a lightweight plug-in option for developers who need remediation functionality but do not need the scanning and auditing capabilities of Audit Workbench or the full Eclipse Plugin.

• HP Fortify Package for Microsoft Visual Studio©: integrates with Visual Studio Premium and Visual Studio Professional to locate security vulnerabilities in your solutions and packages and displays the scan results in Visual Studio. The results include a list of issues uncovered, descriptions of the type of vulnerability each issue represents, and suggestions on how to fix them.

• HP Fortify Remediation Package for Visual Studio: integrates with the Microsoft Visual Studio Premium and Visual Studio Professional integrated development environments (IDEs). The HP Fortify Remediation Package for Visual Studio is a lightweight plug-in option for developers who need remediation functionality but do not need the scanning and auditing capabilities of Audit Workbench or the full Visual Studio package.

• HP Fortify Extension for JDeveloper: integrates with the JDeveloper integrated development environment (IDE) and adds the ability to scan and analyze the entire code base of a project and apply hundreds of software security rules that identify the vulnerabilities in your code.

• HP Fortify Remediation Plugin for IntelliJ: integrates with the IntelliJ Integrated Development Environment (IDE) and adds the ability to scan and analyze the entire code base of a project and apply hundreds of software security rules that identify the vulnerabilities in your code.

Related Documents

The following documents provide additional information about HP Fortify Static Code Analyzer:

• HP Fortify Static Code Analyzer User Guide

This document provides instructions on using the analyzers to identify vulnerabilities in your code.

• HP Fortify Static Code Analyzer Utilities User Guide

This document provides information on the command-line tools that provide additional management and access to the functions provided by SCA.

Chapter 2: Installation

This chapter covers the following topics:

• About Downloading the Software

• About Installing the HP Fortify Static Code Analyzer Suite

• About the Post-Installation Tasks

• Registering the ASPNET User

• Uninstalling HP Fortify Static Code Analyzer

About Downloading the Software

HP Fortify Software is available as a downloadable ISO file, which can be mounted or burned to a DVD, or as a downloadable application or package. For details on obtaining a license for your software, go to the HP Fortify Software Security Center System Requirements document and refer to the "HP Fortify Software Licenses" section. For details on obtaining HP Fortify software, go to the HP Fortify Software Security Center System Requirements document and refer to the "Acquiring HP Fortify Software" section.

About Installing the HP Fortify Static Code Analyzer Suite

This section describes how to install the SCA suite of analyzers and applications. You will need a Fortify License file to complete the process.

Launching the Installation

To install the SCA suite:

1. Navigate to the directory containing the installer files. If you downloaded the ISO, the installer file is located in the directory for your operating system.

Note: For more information on acquiring the software and license for your operating system, see the HP Fortify Software Security Center System Requirements document.

2. Run the installer file that corresponds to your operating system and system processor.

3. Follow the prompts to install the software.

Migrating from a Previous SCA Installation

The Windows installation of SCA enables you to migrate from a previous installation of SCA on your system. Migrating from a previous SCA installation preserves SCA artifact files.

You can migrate SCA artifacts from a previous installation through the InstallShield wizard, or by using the scapostinstall post-install tool. For information on using the post-install tool to migrate from a previous SCA install, see "Migrating Properties Files."

To migrate from a previous SCA installation through the InstallShield Wizard:

1. Go to the Setup Type dialog box and click Yes. Click CCC. The Migration dialog box appears.

2. Specify the location of your previous SCA installation on your system. Click OK.

3. View the results of the SCA migration in the SCA Post Installation Configuration Results dialog box. This dialog box displays the SCA artifacts that were migrated, and the location of the files. Click Next to proceed to the Rulepack update.

Updating SCA Rulepacks

The Windows installation offers the option to update the HP Fortify Secure Coding Rulepacks for your system. The Software Security Research group releases quarterly updates to Secure Coding Rulepacks, which drive the SCA analyzers. They are distributed as part of the subscription service through updates on the HP Fortify customer download site, automated tool updates, and software releases.

You can update SCA Rulepacks through the InstallShield wizard, or by using the rulepackupdate tool.

To update the SCA Rulepacks for your installation through the InstallShield Wizard:

1. Specify the URL address of the Rulepack server. To use HP Fortify's server for Rulepack updates, specify the URL as: https://update.fortify.com.

2. Specify the proxy of the Rulepack server. (This step is optional.)

3. Click Next. The Setup Type dialog box asks if you would like to download Rulepacks now. Select Yes, and then click Next.

4. View the results of the Rulepack update in the Rulepack Updater dialog box.

Installing the HP Fortify Plugin for Eclipse

To install the HP Fortify Plugin for Eclipse:

1. Install the SCA suite on your system, as described in the previous sections.

Note: For Windows platforms, ensure that the Eclipse option was selected during installation.

2. Open Eclipse.

3. Select Help - Software Updates - Manage Configuration.

4. Click Add an Extension Location.

5. Select <install_directory>/plugins/eclipse.

6. Click OK.

The Secure Coding Rulepacks Plug-in menu appears.

About the Post-Installation Tasks

Post-installation tasks prepare you to start using the SCA analyzers and applications. These tasks include:

• Running the Post-Install Tool

• Migrating Properties Files

• Specifying a Locale

• Specifying a Proxy Server for Rulepack Updates

• Updating the Rulepack

If you are using the Microsoft .NET Framework, you might need to register the ASPNET user, described in the section Registering the ASPNET User.

Running the Post-Install Tool

SCA installs the post-install tool, scapostinstall, onto your system during the SCA installation. The scapostinstall tool allows you to perform two tasks: migrate properties files from a previous version of SCA, and configure SCA Rulepack update settings on your system.

To run the post-install tool:

1. Navigate to the bin directory from the command line.

2. Enter scapostinstall to start the tool.

3. Enter s to display settings, r to return to a previous prompt, and q to exit the tool.

Migrating Properties Files

To migrate properties files from a previous version of SCA to the current version of SCA installed on your system:

1. Navigate to the bin directory from the command line.

2. Enter scapostinstall to start the tool.

3. Enter 1 to select Migration.

4. Enter 1 to select SCA Migration.

5. Enter the previous install directory.

6. Enter 1 to select Migrate from an existing SCA installation.

7. Enter s to confirm the settings.

8. Enter 2 to perform the migration.

9. Enter y to confirm.

Specifying a Locale

By default, the locale of an SCA installation is English.

To specify a different locale:

1. Navigate to the bin directory from the command line.

2. Enter scapostinstall to start the tool.

3. Enter 2 to select Settings.

4. Enter 1 to select General.

5. Enter 1 to select Locale.

6. Enter the locale code:

• English: en

• Japanese: ja

• Korean: ko

• Chinese, Simplified: zh_CN

• Chinese, Traditional: zh_TW

Specifying a Proxy Server for Rulepack Updates

If your network uses a proxy server to reach the Rulepack update server, you must specify the proxy server with the post-install tool.

To specify a proxy for the Rulepack update server:

1. Navigate to the bin directory from the command line.

2. Enter scapostinstall to start the tool.

3. Enter 2 to select Settings.

4. Enter 2 to select Rulepack Update.

5. Enter 2 to select Proxy Server Host.

6. Enter the name of the proxy server.

7. Enter 3 to select Proxy Server Port.

8. Enter the proxy server's port number.

Updating the Rulepacks

The runtime rulepacks are updated automatically during the Windows installation procedure. However, you can also download HP Fortify Secure Coding Rulepacks from the HP Fortify Customer Portal and then use the Rulepack Update tool to update your Secure Coding Rulepacks. This option is provided for installations on non-Windows platforms and for deployment environments that do not have access to the Internet during the installation procedure.

Use the Rulepack Update tool, rulepackupdate, to update Rulepacks from either a remote server or a locally downloaded file.

See About Downloading the Software on page 8 for information about downloading Rulepacks.

To update Rulepacks:

1. Navigate to the bin directory from the command line.

2. Enter rulepackupdate to start the Rulepack Update tool.

The system will respond with either an error message or a list of the Rulepacks that it has downloaded.

If you have previously downloaded Rulepacks from the HP Fortify Customer Portal, run rulepackupdate with the -import option and the path to the directory where you downloaded the Rulepacks.

Registering the ASPNET User

If you are using the Microsoft .NET Framework, you might need to register the ASPNET user. If the Microsoft Internet Information Server (IIS) is installed first, the ASPNET user is created when the .NET Framework is installed; otherwise, you must register it.

To register the ASPNET user, run the command:

aspnet_regiis -i

Find the command under the .NET Framework installation directory. For example, it is often located at:

C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322

or

C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727

Uninstalling HP Fortify Static Code Analyzer

This section describes how to uninstall the SCA software.

Uninstalling on Windows Platforms

To uninstall SCA suite software on Windows, use the Windows Add or Remove Programs utility on the Control Panel:

1. Select Start - Settings - Control Panel - Add or Remove Programs.

2. In the list of programs, choose HP Fortify vX.XX, and then click Remove.

Uninstalling on Other Platforms

To uninstall SCA software on Mac OS X, Linux, and Unix platforms:

1. Back up your configuration, including any important files you have created.

2. Manually delete the installation directory using the following command:

rm -rf <install_directory>/

Chapter 3: Configuration Options

This chapter covers the following topics:

• About Software Security Center Properties Files

• About the Ordering of Properties Files

• fortify.properties Configuration Options

• fortify-sca.properties Configuration Options

• fortify-sca-quickscan.properties Configuration Options

• fortify-ide.properties Configuration Options

About Software Security Center Properties Files

The Software Security Center installer places a set of properties files on your system during installation. Properties files contain a list of configurable runtime analysis, output, and performance parameters for Software Security Center components. Some properties files configure behavior and set parameter values globally for all Software Security Center components. Other properties files are specific to one component; setting parameters for a specific analyzer or scan mode, for example. The parameters contained within the properties files affect analysis, output, and performance of the component.

The installed properties files contain Software Security Center default values. HP Fortify recommends consulting with your project leads before opening and modifying parameters within the properties files. All properties files can be edited using a text editor.

Upon opening and inspecting the properties files, you will see that each parameter consists of a pair of strings: the first string stores the key or name of the parameter; the second string stores the value.

The following illustrates the syntax for the parameter key and value within the properties file:

#this is a brief description about the locale parameter
com.fortify.locale=en

As shown above, the com.fortify.locale=en parameter sets the locale for Software Security Center components. The parameter key is com.fortify.locale, and the value is set to en for English. A brief description of the parameter also appears as a comment.

Disabled parameters are commented out of the properties file. To enable these parameters, simply remove the comment symbol (#) and save the properties file. The following illustrates a disabled parameter:

#when performing a scan of a website from Visual Studio, setting this property to true will cause SCA
#to translate the default ASP output instead of running the aspnet_compiler (it is recommended to manually
#clean this cache before use of this setting)
#com.fortify.VS.SkipASPPrecompilation=true

As shown above, the com.fortify.VS.SkipASPPrecompilation parameter is disabled within the properties file, and is not part of the configuration.

The following table describes the role of each Software Security Center properties file:

Table 1: Properties Files

Name of .properties File / Role

fortify.properties
Defines the global configuration parameters for Software Security Center components. These parameters set values for all components.

fortify-ide.properties
Defines the configuration parameters for Software Security Center Integrated Development Environment (IDE) plug-ins.

fortify-sca.properties (for Windows installations). fortify-sca.properties (for non-Windows installations)
Defines the configuration parameters for SCA.

fortify-sca-quickscan.properties
Defines the configuration parameters applicable for a quick scan for SCA.

About the Ordering of Properties Files

Software Security Center processes properties in a specific order, using this order to override any previously set properties with the values that you specify. You should keep this processing order in mind when making changes to the properties files.

Property definitions are processed in the following order:

1. Properties specified on the command line have the highest priority and can be specified during any scan.

2. Properties specified in the fortify-sca-quickscan.properties file are processed second, but only when the -quick option is used to operate in Quick Scan mode. If Quick Scan is not invoked, this file is ignored.

3. Properties specified in the local fortify.properties file are processed third. Change values in this file on a scan-by-scan basis to fine-tune your installation.

4. Properties specified in the global fortify-sca.properties file are processed last. You should edit this file if you want to change the property values on a more permanent basis for all scans.
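To make the file syntax and the processing order concrete, here is an added Python model of it; this is example code written for this page, not HP's code and not SCA's own implementation. It parses the key=value / # syntax shown above, layers the four sources in the order listed (command line, then fortify-sca-quickscan.properties only with -quick, then the local fortify.properties, then the global fortify-sca.properties), and expands ${key} references of the kind that appear in the defaults later in this chapter; the ${} expansion rule and all file contents are constructed assumptions for the example.

```python
"""Model of the properties-file layering described in this chapter.

Added example, not HP's own code. The parser follows the key=value and
'#' comment syntax the guide shows; the precedence is the order the guide
lists. The ${key} expansion is an assumption modelled on defaults such as
${com.fortify.sca.ProjectRoot}/sca/log/sca.log. Sample file contents below
are constructed for this example.
"""
import re
from typing import Dict, Optional

_REF = re.compile(r"\$\{([^}]+)\}")
_LINE = re.compile(r"([^=:\s]+)\s*[=:]\s*(.*)$")


def parse_properties(text: str) -> Dict[str, str]:
    """Return the enabled key/value pairs; commented-out (disabled) lines are skipped."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue  # blank line, description comment, or a disabled parameter
        m = _LINE.match(line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def effective_properties(global_sca: str, local_fortify: str, quickscan: str,
                         command_line: Optional[Dict[str, str]] = None,
                         quick: bool = False) -> Dict[str, str]:
    """Layer the sources so that the higher-priority definition wins.

    The lowest-priority layer is applied first and overwritten by each higher
    one, which reproduces the guide's order: command line (highest), then
    fortify-sca-quickscan.properties (only with -quick), then the local
    fortify.properties, then the global fortify-sca.properties (lowest).
    """
    merged = parse_properties(global_sca)            # processed last: lowest priority
    merged.update(parse_properties(local_fortify))   # scan-by-scan fine tuning
    if quick:                                        # ignored unless -quick is used
        merged.update(parse_properties(quickscan))
    merged.update(command_line or {})                # command line always wins
    return merged


def resolve(props: Dict[str, str], key: str, max_depth: int = 10) -> str:
    """Expand ${other.key} references, e.g. LogFile built on ProjectRoot.

    Unknown references expand to an empty string; max_depth bounds cycles.
    """
    value = props[key]
    for _ in range(max_depth):
        m = _REF.search(value)
        if m is None:
            break
        value = value.replace(m.group(0), props.get(m.group(1), ""))
    return value


# Constructed sample contents (not the files HP ships).
GLOBAL_SCA = """\
# fortify-sca.properties (constructed sample)
com.fortify.sca.ProjectRoot=/opt/fortify/scratch
com.fortify.sca.LogFile=${com.fortify.sca.ProjectRoot}/sca/log/sca.log
com.fortify.sca.SuppressLowSeverity=true
com.fortify.sca.LowSeverityCutoff=1.0
#com.fortify.sca.DefaultAnalyzers=dataflow,semantic
"""
LOCAL_FORTIFY = """\
# fortify.properties in the home directory (constructed sample)
com.fortify.locale=en
com.fortify.sca.LowSeverityCutoff=2.0
"""
QUICKSCAN = """\
# fortify-sca-quickscan.properties (constructed sample)
com.fortify.sca.SuppressLowSeverity=false
"""


def demo(quick: bool = False, cli: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Effective configuration for the constructed samples above."""
    return effective_properties(GLOBAL_SCA, LOCAL_FORTIFY, QUICKSCAN, cli, quick=quick)


if __name__ == "__main__":
    cfg = demo(quick=True, cli={"com.fortify.sca.LowSeverityCutoff": "3.0"})
    for k in sorted(cfg):
        print(f"{k}={resolve(cfg, k)}")
```

Running the module with and without quick=True shows the quickscan file flipping SuppressLowSeverity while the disabled DefaultAnalyzers line never enters the configuration.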


fortify.properties Configuration Options

The fortify.properties file defines global parameters for all Software Security Center components. The fortify.properties file installed on your system contains parameters set to Software Security Center default values. You can modify these parameter values by editing the file.

The fortify.properties file is located in either your Windows user directory or your Unix home directory.

The following table summarizes the parameters found in the fortify.properties file:

Table 2: HP fortify.properties Global Properties

Property Name / Default Value
Description

com.fortify.Debug / false
Places Software Security Center components in debug mode.

com.fortify.awb.Debug / false
Places HP Fortify Audit Workbench in debug mode.

com.fortify.eclipse.Debug / false
Places the HP Fortify Plugin for Eclipse in debug mode.

com.fortify.VS.Debug / false
Places the HP Fortify Package for Microsoft Visual Studio© in debug mode.

com.fortify.SCAExecutablePath / (none)
Specifies the path to the working directory of any installed client tools, such as Audit Workbench and Secure Coding Plug-ins.

com.fortify.WorkingDirectory / (none)
Specifies the path to the Windows Local Application Data shell folder on your system. This is typically C:\Documents and Settings\<user>\Local Settings\Application Data. For example:
com.fortify.WorkingDirectory=${win32.LocalAppdata}/Fortify

com.fortify.InstallationUserName / ${user.name}
Specifies the user name for this installation.

com.fortify.locale / en
Specifies the installation locale.

com.fortify.VS.RequireASPPrecompilation / true
Set this parameter to false to allow the scan to continue even if the ASP Pre-Compilation fails when performing a scan of a website from Visual Studio in headless mode.

com.fortify.VS.SkipASPPrecompilation / false
Set this parameter to true to allow SCA to translate the default ASP output instead of running the aspnet_compiler when performing a scan of a website from HP Fortify Visual Studio Package. HP Fortify recommends manually cleaning this cache before enabling this setting.

com.fortify.DisableProgramInfo / false
Set this parameter to true to disable the use of the Code Navigation features in Audit Workbench and improve runtime memory usage.

com.fortify.VS.DisableCIntegration / false
Set this parameter to true to disable integration with C/C++ builds in HP Fortify Visual Studio Package.

com.fortify.AuthenticationKey / ${com.fortify.WorkingDirectory}/config/tools
Stores the Software Security Center client authentication token.

com.fortify.model.CheckSig / false
Specifies the path used to store the Software Security Center client authentication token.

com.fortify.model.MinimalLoad / false
Minimizes the data loaded from an FPR. Set this property to true to load only basic issue information.

com.fortify.model.UseIssueParseFilters / false
Defers to the filter settings in the IssueParseFilters.properties file.

com.fortify.model.EnableElementBaseIndexShift / (none)
Set this value to true if you require backwards compatibility with pre-2.5 migrated projects.

com.fortify.visualstudio.vm.args / (none)
Specifies the default virtual machine arguments to use when the Visual Studio plug-in runs Java commands.

enable.clean.transaction.resource / (none)
Set this property to true to prevent a quartz/spring bug: when a cron trigger fires, some thread-local resource is not released, resulting in a "Pre-bound JDBC Connection found!" error. Set this property to true when this problem occurs.

com.fortify.tools.iidmigrator.scheme / (none)
Set this property to migrate IIDs created with different versions of SCA. This is generally handled by SCA. If you need to override the mapping scheme, please consult HP Fortify customer support.

max.file.path.length / 255
Set the maximum number of characters for your file path.

com.fortify.model.MergeResolveStrategy / DefaultToMasterValue
Define which .FPR project (default or imported) should be used as the base when resolving merge conflicts. Possible values are: 'DefaultToMasterValue', 'DefaultToImportValue', or 'DefaultToMasterValue'.

com.fortify.RemovedIssuePersistenceLimit / 1000
Set the RemovedIssuePersistenceLimit. By default, the value is 1000, but it can be increased appreciably.

com.fortify.model.ExecMemorySetting / 1200M
Set the amount of memory allocated for processes required by HP Fortify Audit Workbench (i.e., iidmigrator, events2fpr, etc.).

com.fortify.model.IssueCutoffStartIndex / (none)
Set the number of issues loaded. Select the first issue (by number) to be loaded.

com.fortify.model.IssueCutoffEndIndex / (none)
Used with com.fortify.model.IssueCutoffStartIndex, this parameter allows you to select the last issue to be loaded (by number). Select the first issue (by number) to be loaded.

com.fortify.model.IssueCutoffByCategoryStartIndex /
Set this property to a value that represents the minimum number of issues a category should contain. Categories that contain fewer issues than set here are not displayed. Use in conjunction with to select a range of values.

com.fortify.model.IssueCutoffByCategoryEndIndex /
Set this property to a value that represents the maximum number of issues a category should contain. Categories that contain more issues than set here are not displayed. Use in conjunction with to select a range of values. For example:

com.fortify.model.IssueCutoffByCategoryStartIndex=10
com.fortify.model.IssueCutoffByCategoryEndIndex=20

The example above loads categories which have between 10 and 19 issues in them.


fortify-sca.properties Configuration Options

SCA uses the parameter values defined in the fortify-sca.properties file to perform scans on your software projects.

The fortify-sca.properties file installed on your system contains parameters set to default values. You can modify these parameter values specific to SCA operation by editing the file, located at the following location on your system:

<install directory>/Core/config

The following table summarizes the parameters found in the fortify-sca.properties file:

fortify-sca-quickscan.properties Configuration Options

Table 3: SCA properties Global Properties  

Parameter / Default Value

Description

com.fortify.sca.ProjectRoot /

Defaultfoldercreatedduringinstallation.Thisvariesbyplatform.

Specifiesthefolderthatstoresintermediatefilesgeneratedduringascan.

com.fortify.sca.DefaultAnalyzers /

(None)Specifiesthetypesofanalysistoperform.Bydefault,thisparameteriscommentedout,andallanalysistypesareutilizedduringscans.Theacceptablevaluesforthisparameterare:dataflow,semantic,controlflow,configuration,structural,nullptr,andcontent.

com.fortify.sca.SuppressLowSeverity / true

SetsSCAtoignorelowseverityissuesfoundduringascan.

com.fortify.sca.LowSeverityCutoff / 1.0

Specifiesthecutofflevelforseveritysuppression.AnyissuesfoundwithalowerseverityvaluethantheonespecifiedwiththisparameterareignoredbySCA.

com.fortify.sca.DefaultJarsDirs /default_jars

IncludestheJARfilesthatareaddedtoSCA’sCLASSPATHbeforeanyJARSspecifiedusing‐cpor‐classpathsourceanalyzercommandlineoptions.TheseJARSarelocatedin<Fortify_Home>/Core/default_jarsanditssubdirectories.TheseJARSarenotrequiredbySCAinordertotranslateJava/JSPfilesbutareprovidedasaconvenienceforusersanalyzingJ2EEWebapplications.YoucanconfigureSCAsothatitdoesnotusecom.fortify.sca.DefaultJarsDirbysettingcom.fortify.sca.DontUseDefaultJarstoTrue.

com.fortify.sca.CustomRulesDir / ${com.fortify.Core}/config/customrules

Setthedirectoryusedtosearchforcustomrules.Ifthisisset,thedefaultdirectoryisnotsearched.

com.fortify.sca.DontUseDefaultJars / false

SetthisvaluetoTrueifyoudonotwanttousethedefaultJARfilesinSCA’sCLASSPATH. SCAwillonlyusetheJARfilesspecifiedonthesourceanalyzercommandlineusing-cpor-classpath.

Chapter 3: Configuration Options   17

com.fortify.sca.DefaultFileTypes /java,jsp,jspx,sql,cfm,php,pks,pkh,pkb,xml,config,properties,dll,exe,inc,asp,vbscript,js,ini,bas,cls,vbs,frm,ctl,html,htm,xsd,wsdd,xmi,cfml,cfc

SpecifiesthetypesoffileextensionstoincludeintheSCAscan.

com.fortify.sca.CustomRulesDir /

(none)SpecifiesthedirectorywithSCAcustomrules.Ifyouusethisparameterandspecifyadifferentdirectory,thedefaultdirectoryCore/config/customruleswillnotbeused.

com.fortify.sca.fileextensions.<extension> /

ThelistofsupportedfileextensionsDetermineshowSCAhandlesthespecifiedfileextension.ThislistcanbeaddedtosothatSCAwillunderstandnewfileextensions.

com.fortify.sca.jsp.UseNativeParser / true SetSCAtousethenativeparser.

com.fortify.sca.SqlLanguage / TSQL SettheSQLlanguagevariant.

com.fortify.sca.compilers.<compiler> /

ThelistofsupportedcompilersInstructsSCAhowtohandlecustom‐namedcompilers.

com.fortify.sca.DaemonCompilers /

ThelistofsupportedcompilersDetermineswhichcompilersaretranslatedduringanSCAscan.

com.fortify.sca.IndirectCallGraphBuilder /

(None)DetermineswhentocallgraphbuildersduringanSCAscan.Youcanspecifythefollowingcallgraphbuilders:com.fortify.sca.analyzer.callgraph.VirtualCGBuilder; com.fortify.sca.analyzer.callgraph.J2EEIndirectCGBuilder;com.fortify.sca.analyzer.callgraph.JNICGBuilder;com.fortify.sca.analyzer.callgraph.StoredProcedureResolver;com.fortify.sca.analyzer.callgraph.JavaWSCGBuilder;com.fortify.sca.analyzer.callgraph.StrutsCGBuilder;com.fortify.sca.analyzer.callgraph.DotNetWSCGBuilder;com.fortify.sca.analyzer.callgraph.SqlServerSPResolver

com.fortify.sca.DisableFunctionPointers /false

DisablesfunctionpointersduringtheSCAscan.

com.fortify.sca.DisableGlobals / false

Disablesfunctionpointersandglobalparameterssetbythefortify.propertiesfile.

com.fortify.sca.DisableDeadCodeElimination /false

SetthispropertytotruetodisabletheuseoftheCodeNavigationfeaturesinAuditWorkbenchandimproveruntimememoryusage.

com.fortify.sca.DeadCodeIgnoreTrivialPredicates / true

InstructsSCAtoignoredeadcode.Deadcodeisacomputerprogrammingtermforcodeinthesourcecodeofaprogramwhichisexecutedbutwhoseresultisneverusedinanyothercomputation


com.fortify.sca.DeadCodeFilter / true

Instructs SCA to filter dead code during scans. Dead code is a computer programming term for code in the source code of a program which is executed but whose result is never used in any other computation.

com.fortify.scaSolverTimeout / 15

Instructs SCA to time out after the specified time period.

com.fortify.FVDLDisableProgramData / false

Excludes the ProgramData section from the analysis results file (FVDL output file).

com.fortify.FVDLDisableSnippets / false

Excludes code snippets from the analysis results (FVDL output file).

com.fortify.FVDLDisableDescriptions / false

Excludes descriptions from the analysis results.

com.fortify.FVDLDisableStyleSheets / ${com.fortify.Core}/resources/sca/fvdl2html.xsl

Specifies the stylesheet for the analysis results.

com.fortify.sca.ClobberLogFile / false

Sets SCA to overwrite the log file for each new scan.

com.fortify.sca.LogFile / ${com.fortify.sca.ProjectRoot}/sca/log/sca.log

Specifies the location of the SCA log file.

com.fortify.sca.PrintPerformanceDataAfterScan / (None)

Sets the post-scan logging option. If SCA is in debug mode, this is automatically set to true.

com.fortify.sca.cpfe.command / ${com.fortify.Core}/private-bin/sca/cpfe

Specifies the CPFE binary (version 3.9) to be used in the translation phase.

Do not modify.

com.fortify.sca.cpfe.new.command / ${com.fortify.Core}/private-bin/sca/cpfe441

Specifies the new CPFE binary (version 4.4.1) to be used in the translation phase.

Do not modify.

com.fortify.sca.cpfe.options / --remove_unneeded_entities --supress_vtbl -tused

Adds options to the CPFE command line invoked by SCA when translating C/C++ code. You can use any options supported by CPFE, but make sure you understand the impact of the desired options before altering this property.

com.fortify.sca.cpfe.file.option / --gen_c_file_name

Sends the name of the NST output file to the CPFE.

Do not modify.

com.fortify.sca.cpfe.dont.fix.cctor.option / false

Determines whether or not the CPFE performs additional processing steps when it translates copy constructor calls in C++ code. When this value is false, the extra processing steps are done.

Do not modify.

com.fortify.sca.DisplayProgress / true

Allows SCA to display progress through the user interface during a scan.

com.fortify.sca.findbugs.maxheap / (None)

Sets the maximum number of issues to log during an SCA scan.


SCA performs scans to identify issues within a software project. SCA also offers a less-intensive scan known as a quick scan. This option scans the project in Quick Scan Mode, using the parameter values in the fortify-sca-quickscan.properties file. By default, Quick Scan searches for high-confidence, high-severity issues only. For more information about Quick Scan Mode, see the HP Fortify Audit Workbench User's Guide.

The following table describes the properties that tune default scanning performance. These properties have different defaults for Quick Scan mode, which you can adjust by editing the fortify-sca-quickscan.properties file. If you want to use the recommended tuning parameters, you do not need to edit this file; however, you may want to experiment with other settings to fine-tune the scan for your specific application.

Remember that properties in this file are processed only if you specify the -quick option on the command line when invoking your scan.

The fortify-sca-quickscan.properties file installed on your system contains parameters set to default values. You can modify these parameter values by editing the file, located at the following location on your system:

<install directory>/Core/config

The following table summarizes the parameters found in the fortify-sca-quickscan.properties file and provides two sets of default values. The first value is the default for normal scans; the second is the default for quick scans. If only one default value is shown, it applies to both normal scans and quick scans.

Table 4: HP fortify-sca-quickscan.properties Global Properties

Property Name / Default Value

Description

com.fortify.sca.AllocationWebServicesURL / https://per-use.fortify.com/services/GasAllocationService

Specifies the URL of the Web services for SCA.

com.fortify.sca.CfmlUndefinedVariablesAreTainted / false

Instructs SCA to consider undefined variables in CFML pages tainted.

com.fortify.sca.AddImpliedMethods / true

Sets SCA to generate implied methods when implementation by inheritance is encountered.

com.fortify.sca.FilterSet / (None); Quick Scan value: Critical Exposure

When set to Critical Exposure, this property runs rules only for the high-severity filter set. Running only a subset of the defined rules allows the SCA scan to complete more quickly. This causes SCA to run only those rules that can cause issues identified in the named filter set, as defined by the default project template for your application. For more information about filter sets, see the HP Fortify Audit Workbench User Guide.

com.fortify.sca.FPRDisableSrcHtml / False; Quick Scan value: True

Disables source code rendering into the FPR file, so that SCA does not generate marked-up source code files during a scan. When set to true, this property prevents the generation of marked-up source files. If you plan to upload FPRs that are generated as a result of a quick scan, you must set this property to false.


com.fortify.sca.limiters.ConstraintPredicateSize / 50000; Quick Scan value: 10000

Specifies the size limit for complex calculations in the Buffer Analyzer. Calculations in the Buffer Analyzer that are bigger than the specified size are skipped to improve scanning time.

com.fortify.sca.BufferConfidenceInconclusiveOnTimeout / true; Quick Scan value: false

Instructs SCA to skip complex calculations in the Buffer Analyzer to improve scanning time.

com.fortify.sca.limiters.MaxChainDepth / 5; Quick Scan value: 4

Controls the maximum call depth through which the Dataflow Analyzer tracks tainted data. Increasing this value increases the coverage of dataflow analysis and results in longer analysis times. Note: Call depth refers to the maximum call depth on a dataflow path between a taint source and sink, rather than call depth from the program entry point, such as main().

com.fortify.sca.limiters.MaxTaintDefForVar / 1000; Quick Scan value: 500

Sets a complexity limit for Dataflow analysis. Dataflow incrementally decreases the precision of analysis on functions that exceed this complexity metric for a given precision level.

com.fortify.sca.limiters.MaxTaintDefForVarAbort / 4000; Quick Scan value: 1000

Sets a hard limit for function complexity. If the complexity of a function exceeds this limit at the lowest precision level, the analyzer skips analysis of the function.

com.fortify.sca.DisableGlobals / false

Instructs SCA not to track tainted data through the global variables set with the fortify.properties file.

com.fortify.sca.CtrlflowSkipJSPs / false

Instructs SCA to skip Control Flow analysis on JSPs.

com.fortify.sca.NullPtrMaxFunctionTime / 300000; Quick Scan value: 30000

Sets the time limit (in milliseconds) for Null Pointer analysis on a single function. Setting a shorter limit decreases overall scanning time.

com.fortify.sca.CtrlflowMaxFunctionTime / 600000; Quick Scan value: 30000

Sets the time limit (in milliseconds) for Control Flow analysis on a single function.

com.fortify.sca.TrackPaths / (Not set); Quick Scan value: NoJSP

Disables path tracking for Control Flow analysis. Path tracking provides more detailed reporting for issues but requires more scanning time. You can disable it for JSP only by setting this property to NoJSP. Specify None to disable it for all functions.

com.fortify.sca.translator.java.Incremental / false

When set to true, instructs SCA to translate Java source files one at a time instead of all at once. SCA uses less memory while translating files but processes them more slowly.
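The quick-scan limiters above trade coverage for speed, and the table's caveat on com.fortify.sca.FPRDisableSrcHtml is easy to miss when a quick-scan FPR is later uploaded. As an added check that is not part of the HP guide, the following Python reads a constructed fortify-sca-quickscan.properties fragment with a minimal java.util.Properties-style parser and reports every limiter set below the normal-scan default from the table; the parser, the NORMAL_DEFAULTS map and the sample file contents are ours, the property names and default values are the table's.

```python
"""Lint a fortify-sca-quickscan.properties fragment against Table 4's normal-scan defaults (added example)."""

# Normal-scan defaults as listed in Table 4.
NORMAL_DEFAULTS = {
    "com.fortify.sca.limiters.ConstraintPredicateSize": 50000,
    "com.fortify.sca.limiters.MaxChainDepth": 5,
    "com.fortify.sca.limiters.MaxTaintDefForVar": 1000,
    "com.fortify.sca.limiters.MaxTaintDefForVarAbort": 4000,
    "com.fortify.sca.NullPtrMaxFunctionTime": 300000,
    "com.fortify.sca.CtrlflowMaxFunctionTime": 600000,
}

# Constructed sample mirroring the Quick Scan column of Table 4; it mixes the
# '=', ':' and whitespace separators that java.util.Properties accepts.
SAMPLE = """\
# fortify-sca-quickscan.properties (constructed sample)
com.fortify.sca.FilterSet=Critical Exposure
com.fortify.sca.FPRDisableSrcHtml=true
com.fortify.sca.limiters.ConstraintPredicateSize=10000
com.fortify.sca.limiters.MaxChainDepth = 4
com.fortify.sca.limiters.MaxTaintDefForVar:500
com.fortify.sca.limiters.MaxTaintDefForVarAbort=1000
com.fortify.sca.NullPtrMaxFunctionTime=30000
com.fortify.sca.CtrlflowMaxFunctionTime=30000
com.fortify.sca.TrackPaths=NoJSP
"""

def parse_properties(text):
    """Minimal .properties reader: '#'/'!' comments; the first '=', ':' or
    whitespace ends the key (no backslash line continuation)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        split = next((i for i, ch in enumerate(line) if ch in "=: \t"), len(line))
        props[line[:split]] = line[split + 1:].lstrip(" \t=:").strip()
    return props

def lint_quickscan(props, upload_fpr=False):
    """Report limiters set below the normal default (faster scan, less
    coverage) and the table's caveat on uploading quick-scan FPRs."""
    findings = []
    for key, normal in NORMAL_DEFAULTS.items():
        if key in props and int(props[key]) < normal:
            findings.append(f"{key}={props[key]} (normal default {normal})")
    if upload_fpr and props.get("com.fortify.sca.FPRDisableSrcHtml", "").lower() == "true":
        findings.append("FPRDisableSrcHtml must be false before uploading quick-scan FPRs")
    return findings
```

Run lint_quickscan(parse_properties(SAMPLE), upload_fpr=True) to see the six reduced limiters plus the upload caveat; point parse_properties at the real file under <install directory>/Core/config to lint a deployed configuration.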


fortify-ide.properties Configuration Options

The fortify-ide.properties file defines configuration settings for Audit Workbench. This component allows you to examine the scan results produced by Software Security Center analyzers, such as SCA. The fortify-ide.properties file installed on your system contains parameters set to default values. You can modify these parameter values by editing the file, located at the following location on your system:

<install directory>/Core/config

The following table summarizes the parameters in the fortify-ide.properties file:

Table 5: HP fortify-ide.properties Global Properties

Property Name / Default Value

Description

rulepack.days / 15

Sets the number of days between automatic updates of Rulepacks.

rulepack.auto.update / true

Enables automatic updating of Rulepacks.

override.results.path / (None)

Overrides the saved FPR location with a new location: ${user.home}

Recommended