Fortify Source Code Analysis Tools Dr. Hyunju Kim, Jackson State University 08/2012

Page 1: Fortify Sca Tools

Fortify Source Code Analysis Tools


Page 2: Fortify Sca Tools

Fortify Source Code Analysis

Fortify Source Code Analysis features two tools, which will be covered in the following modules.

• Fortify Source Code Analyzer (SCA) performs a static analysis of Java or C/C++ source code.

• Audit Workbench allows a user to review the results of a static analysis.


Page 3: Fortify Sca Tools

Fortify SCA

The Fortify SCA tool will perform a static analysis on a set of source-code input files.

The command-line tool will alert the user to any vulnerabilities or flaws in the program being analyzed.

The tool can analyze either a single file, or an entire application consisting of many files.


Page 4: Fortify Sca Tools

Audit Workbench

The Audit Workbench allows a user to review a completed audit.

Results can be fine-tuned so that only specific types of issues are flagged.

The user can also create custom rules for audits, so that the analysis checks for the specific patterns the user wants to find.


Page 5: Fortify Sca Tools

Audit Workbench (cont.)

The Fortify SCA will check code for a number of vulnerabilities and evaluate the threat they pose with the following categories:

•Reliability issue

•Bad practice

•Suspicious

•Dangerous

•Exploitable

•Exploit available


Page 6: Fortify Sca Tools

Invoking SCA

The Fortify Source Code Analyzer tool can be run from the command line in Windows and Linux.

The command to run the analyzer is "sourceanalyzer" followed by the name of a source-code file to analyze.


Page 7: Fortify Sca Tools

SCA Options

There are a number of command-line options which control the sourceanalyzer tool.

-f <file> : specifies the name of an output file to create

-html-report : creates an html file which provides a brief summary of the report

-scan : runs analysis portion of the source code analyzer

-findbugs : runs the findbugs utility

-rules <rules-file> : specifies a particular rule pack to use


Page 8: Fortify Sca Tools

SCA Options (cont.)

Example uses:

sourceanalyzer *.java

- runs the source analyzer on all .java files in the current directory

sourceanalyzer Example.java -rules CustomRules.xml -f Report.fpr

- runs the sourceanalyzer on Example.java using the custom rulepack CustomRules.xml and creates a report named Report.fpr

sourceanalyzer Example.java -findbugs -html-report

- runs the source analyzer and the findbugs application on Example.java and creates an html report


Page 9: Fortify Sca Tools

SCA Output

The source code analyzer prints out a set of data for each issue discovered in the source code.

There are four types of issues that can be found:

•semantic

•dataflow

•control flow

•structural


Page 10: Fortify Sca Tools

Semantic Issue Output

The output for a semantic issue follows the format:

[# : Severity : Vulnerability Category : Vulnerability Subcategory : Analyzer]

Filename ( Line Number ) : Vulnerable Method

An example of this is:

[831A38F81AC0FB : medium : System Information Leak : semantic]

Example.java(58) : Throwable.printStackTrace()

(in this case, the System Information Leak does not have a subcategory)

This issue is the result of calling an exception’s printStackTrace() method which will print out information about the call stack causing the error. Making this information available is generally not a good idea, as it may give an attacker information about the system.


Page 11: Fortify Sca Tools

Dataflow Issue Output

The output for a dataflow issue follows the format:

[ # : Severity : Vulnerability Category : Analyzer ]

Filename ( Line Number ) : -> Sink

Filename ( Line Number ) : <=> Pass-Through

Filename ( Line Number ) : <- Source

An example of this is:

[B81E3811678D1 : high : SQL Injection : dataflow ]

Example.java (38) : -> Statement.executeUpdate(0)

Example.java (24) : <=> (this.query)

Example.java (24) : <- ServletRequest.getParameter(return)

This issue is the result of data being taken directly from the input at line 24 (source), being placed in a query at line 24 (pass-through) and being executed as-is at line 38 (sink). The data was not sanitized at any time between being taken from the input and being executed, which leaves the system vulnerable to SQL injection attacks.
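The source / pass-through / sink trace above is what a taint-tracking dataflow analyzer reports. The following is an added illustration, not part of the original slides and not Fortify's engine: a toy tracker over a simplified statement model that propagates taint from a source through pass-through assignments to a sink and prints the same three-line trace, sink first, as SCA does. The statement model, the rule sets (SOURCES, SINKS, PASS_THROUGH) and both sample programs are constructed; the method names and line numbers 24 and 38 mirror the slide's Example.java. The second program shows that once the untrusted value is bound as a parameter of a prepared statement instead of concatenated into the SQL text, no tainted value reaches the sink and the finding disappears.

```python
"""Toy taint tracker reproducing an SCA-style dataflow trace (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Stmt:
    line: int
    target: Optional[str]      # variable assigned, or None for a bare call
    call: str                  # qualified method name
    args: Tuple[str, ...]      # argument variables or literals


# Assumed rule sets; a real rulepack lists thousands of such entries.
SOURCES = {"ServletRequest.getParameter"}             # untrusted input enters here
SINKS = {"Statement.executeUpdate": 0}                # method -> index of the dangerous argument
PASS_THROUGH = {"String.concat", "StringBuilder.append", "String.format"}  # taint flows args -> result


def analyze(program: List[Stmt], filename: str = "Example.java") -> List[List[str]]:
    """Return one SCA-style trace (sink line first) per tainted sink argument."""
    tainted: Dict[str, List[str]] = {}   # variable -> trace lines, source first
    findings: List[List[str]] = []
    for s in program:
        if s.call in SOURCES and s.target:
            tainted[s.target] = [f"{filename} ({s.line}) : <- {s.call}(return)"]
        elif s.call in PASS_THROUGH and s.target:
            carried = [a for a in s.args if a in tainted]
            if carried:
                tainted[s.target] = tainted[carried[0]] + [
                    f"{filename} ({s.line}) : <=> ({s.target})"
                ]
            else:
                tainted.pop(s.target, None)   # rebuilt from clean parts only
        elif s.call in SINKS:
            idx = SINKS[s.call]
            if idx < len(s.args) and s.args[idx] in tainted:
                path = tainted[s.args[idx]] + [f"{filename} ({s.line}) : -> {s.call}({idx})"]
                findings.append(list(reversed(path)))   # SCA prints the sink first
        elif s.target:
            tainted.pop(s.target, None)       # unknown call: assume it returns clean data
        # A call such as PreparedStatement.setString neither propagates nor sinks:
        # binding a parameter keeps the value out of the SQL text entirely.
    return findings


# Constructed program mirroring the slide: input read at line 24, query built at
# line 24, executed unsanitized at line 38.
VULNERABLE = [
    Stmt(24, "name", "ServletRequest.getParameter", ('"user"',)),
    Stmt(24, "this.query", "String.concat", ('"UPDATE users SET seen=1 WHERE name=\'"', "name")),
    Stmt(38, None, "Statement.executeUpdate", ("this.query",)),
]

# Constructed fixed version: the value is bound as a parameter, never concatenated.
FIXED = [
    Stmt(24, "name", "ServletRequest.getParameter", ('"user"',)),
    Stmt(25, "ps", "Connection.prepareStatement", ('"UPDATE users SET seen=1 WHERE name=?"',)),
    Stmt(26, None, "PreparedStatement.setString", ("ps", "1", "name")),
    Stmt(38, None, "PreparedStatement.executeUpdate", ("ps",)),
]

if __name__ == "__main__":
    for label, prog in (("vulnerable", VULNERABLE), ("fixed", FIXED)):
        traces = analyze(prog)
        print(f"{label}: {len(traces)} dataflow issue(s)")
        for trace in traces:
            print("\n".join("  " + line for line in trace))
```

Running the block prints one three-line trace for the vulnerable program, matching the slide's output line for line, and none for the fixed one.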


Page 12: Fortify Sca Tools

Control Flow Issue Output

The output for a control flow issue follows the format:

[ # : Severity : Vulnerability Category : Analyzer ]

Filename ( Line Number ) : Start State : End State : Transition Expression

Filename ( Line Number ) : Start State : End State : Transition Expression

An example of this is:

[5838DC1A38B : medium : Unreleased Resource : control flow ]

Example.java (15) : start -> connection : conn = getConnection(…)

Example.java (32) : connection -> end_of_scope : #end_scope(conn)

This issue is a result of a resource (conn) being allocated but never released. At line 15, conn goes from the start state to the connection state. At line 32, conn goes from the connection state to the end_of_scope state, because it has reached the end of its scope, but the resource was not released before the object disappeared.


Page 13: Fortify Sca Tools

Structural Issue Output

The output for a structural issue follows the format:

[ # : Severity : Vulnerability Category : Vulnerability Subcategory : Analyzer ]

Filename ( Line Number )

Field Declaration

An example of this is:

[389A95C0581E : high : Password Management : Empty Password : structural ]

Example.java (18)

Variable: password [Example.java (18)]

This issue is the result of a string variable named "password" being created as an empty string (String password = "";). It is not a good idea to allow password strings to start out empty. It would be better to declare it as (String password;) and create the string only when it is actually needed.
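The four output formats shown on the preceding slides (semantic, dataflow, control flow, structural) are plain text, so a small parser lets a team turn a sourceanalyzer run into records that can be counted, triaged or diffed between builds. The following Python parser is an added example, not part of the original slides and not a Fortify tool. The sample output it is fed is reconstructed from the slides' own four examples (the identifiers, categories and line numbers are the ones shown; the ellipsis in the control flow example is written as "..."). The regular expressions and the record layout are assumptions about the format based only on what the slides document.

```python
"""Parse sourceanalyzer text output into structured issue records (added example)."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional

# Header: [ id : severity : category [: subcategory] : analyzer ]
HEADER_RE = re.compile(r"^\[\s*(?P<id>[0-9A-Fa-f]+)\s*:\s*(?P<rest>.+?)\s*\]$")
# Location line: Filename (Line) : details
LOC_RE = re.compile(r"^(?P<file>[\w.\-/]+)\s*\(\s*(?P<line>\d+)\s*\)\s*:?\s*(?P<text>.*)$")
TRANSITION_RE = re.compile(r"(?P<start>\w+)\s*->\s*(?P<end>\w+)")
# Dataflow arrows as documented on the slides ("<=>" must be tested before "<-").
DATAFLOW_ROLES = (("<=>", "pass-through"), ("->", "sink"), ("<-", "source"))


@dataclass
class Issue:
    id: str
    severity: str
    category: str
    subcategory: Optional[str]
    analyzer: str
    trace: List[Dict[str, Any]] = field(default_factory=list)


def _parse_header(line: str) -> Optional[Issue]:
    m = HEADER_RE.match(line)
    if not m:
        return None
    parts = [p.strip() for p in m.group("rest").split(":")]
    if len(parts) == 3:            # no subcategory, e.g. the semantic example
        severity, category, analyzer = parts
        sub = None
    elif len(parts) == 4:
        severity, category, sub, analyzer = parts
    else:
        raise ValueError(f"unrecognised issue header: {line!r}")
    return Issue(m.group("id"), severity.lower(), category, sub, analyzer.lower())


def _parse_detail(issue: Issue, line: str) -> Dict[str, Any]:
    m = LOC_RE.match(line)
    if not m:
        # e.g. "Variable: password [Example.java (18)]" under a structural issue
        return {"note": line}
    entry: Dict[str, Any] = {"file": m.group("file"), "line": int(m.group("line")),
                             "text": m.group("text").strip()}
    if issue.analyzer == "dataflow":
        for arrow, role in DATAFLOW_ROLES:
            if entry["text"].startswith(arrow):
                entry["role"] = role
                entry["text"] = entry["text"][len(arrow):].strip()
                break
    elif issue.analyzer == "control flow":
        transition, _, expr = entry["text"].partition(":")
        t = TRANSITION_RE.search(transition)
        if t:
            entry["start_state"], entry["end_state"] = t.group("start"), t.group("end")
            entry["text"] = expr.strip()
    return entry


def parse_sca_output(text: str) -> List[Issue]:
    """Group each header line with the detail lines that follow it."""
    issues: List[Issue] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = _parse_header(line)
        if header:
            issues.append(header)
        elif issues:
            issues[-1].trace.append(_parse_detail(issues[-1], line))
        else:
            raise ValueError(f"detail line before any issue header: {line!r}")
    return issues


def severity_counts(issues: List[Issue]) -> Counter:
    return Counter(i.severity for i in issues)


def dataflow_path(issue: Issue) -> List[Dict[str, Any]]:
    """Reorder a dataflow trace source -> pass-through -> sink (SCA prints sink first)."""
    order = {"source": 0, "pass-through": 1, "sink": 2}
    return sorted(issue.trace, key=lambda e: order.get(e.get("role"), 1))


# Sample output reconstructed from the slides' four examples (constructed input).
SAMPLE_OUTPUT = """
[831A38F81AC0FB : medium : System Information Leak : semantic]
Example.java(58) : Throwable.printStackTrace()
[B81E3811678D1 : high : SQL Injection : dataflow ]
Example.java (38) : -> Statement.executeUpdate(0)
Example.java (24) : <=> (this.query)
Example.java (24) : <- ServletRequest.getParameter(return)
[5838DC1A38B : medium : Unreleased Resource : control flow ]
Example.java (15) : start -> connection : conn = getConnection(...)
Example.java (32) : connection -> end_of_scope : #end_scope(conn)
[389A95C0581E : high : Password Management : Empty Password : structural ]
Example.java (18)
Variable: password [Example.java (18)]
"""

if __name__ == "__main__":
    found = parse_sca_output(SAMPLE_OUTPUT)
    print(dict(severity_counts(found)))
    for issue in found:
        print(f"{issue.id} {issue.severity:6} {issue.analyzer:12} {issue.category}")
```

Triage usually wants the dataflow trace read from source to sink, which is why dataflow_path reverses SCA's sink-first order; the severity counts are the numbers a build gate would compare against a previous scan.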


Page 14: Fortify Sca Tools

Invoking Audit Workbench

The Audit Workbench can be started either by selecting it from the start menu (Windows) or by typing "auditworkbench" at the command line (Windows or Linux).


Page 15: Fortify Sca Tools

Turning Warnings On or Off

One convenient feature of the Audit Workbench is the ability to turn warnings on or off for specific types of issues using the AuditGuide.

The AuditGuide displays a number of types of issues in a menu on the left side of the screen, and any of these can be turned off or on by selecting “Suppress issues…”or “Warn me about …”, respectively.


Page 16: Fortify Sca Tools

Turning Warnings On or Off (cont.)


Page 17: Fortify Sca Tools

The Built-in Editor


Page 18: Fortify Sca Tools

Printing Audit Reports

The Audit Workbench allows the user to create a report about the audit and save it as any of several file types (.doc, .html, .xml, and more).


Page 19: Fortify Sca Tools

Printing Audit Reports (cont.)

[Figure: excerpt of a .html report created by Audit Workbench]
