HP Fortify Static Code Analyzer
Software Version 4.10

Installation and Configuration Guide

Document Release Date: April 2014

Software Release Date: April 2014

Legal Notices

Warranty

The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

The information contained herein is subject to change without notice.

Restricted Rights Legend

Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.

Copyright Notice

© Copyright 2014 Hewlett-Packard Development Company, L.P.

Documentation Updates

The title page of this document contains the following identifying information:

• Software Version number

• Document Release Date, which changes each time the document is updated

• Software Release Date, which indicates the release date of this version of the software

To check for recent updates or to verify that you are using the most recent edition of a document, go to:

http://h20230.www2.hp.com/selfsolve/manuals

This site requires that you register for an HP Passport and sign in. To register for an HP Passport ID, go to:

http://h20229.www2.hp.com/passport-registration.html

You will also receive updated or new editions if you subscribe to the appropriate product support service. Contact your HP sales representative for details.

Part Number: 1-181-2014-04-410-01

Contents

Preface iv
  HP Fortify Software Contact iv
    Technical Support iv
    Corporate Headquarters iv
    Website iv
  About the HP Fortify Software Security Center Documentation Set iv

Change Log v

Chapter 1: Introduction 6
  Intended Audience 6
  The HP Fortify Software Security Center Components 6
  Related Documents 7

Chapter 2: Installation 8
  About Downloading the Software 8
  About Installing the HP Fortify Static Code Analyzer Suite 8
    Launching the Installation 8
    Migrating from a Previous SCA Installation 8
    Updating SCA Rulepacks 9
    Installing the HP Fortify Plugin for Eclipse 9
  About the Post-Installation Tasks 9
    Running the Post-Install Tool 9
    Migrating Properties Files 10
    Specifying a Locale 10
    Specifying a Proxy Server for Rulepack Updates 10
    Updating the Rulepack 11
  Registering the ASPNET User 11
  Uninstalling HP Fortify Static Code Analyzer 11
    Uninstalling on Windows Platforms 11
    Uninstalling on Other Platforms 11

Chapter 3: Configuration Options 12
  About Software Security Center Properties Files 12
  About the Ordering of Properties Files 13
  fortify.properties Configuration Options 14
  fortify-sca.properties Configuration Options 16
  fortify-sca-quickscan.properties Configuration Options 17
  fortify-ide.properties Configuration Options 22

Preface

This guide describes how to install the HP Fortify Static Code Analyzer family of analyzers and applications.

HP Fortify Software Contact

If you have questions or comments about any part of this guide, contact HP Fortify Software at:

Technical Support
[email protected]

Corporate Headquarters
Moffett Towers
1140 Enterprise Way
Sunnyvale, CA 94089

650.358.5600

[email protected]

Website
http://www.hpenterprisesecurity.com

About the HP Fortify Software Security Center Documentation Set

The HP Fortify Software Security Center documentation set contains installation, user, and deployment guides for all HP Fortify Software Security Center products and components. It also includes technical notes and release notes that describe new features, known issues, and last-minute updates. The latest versions of these documents are available on the HP Software Product Manuals site:

http://h20230.www2.hp.com/selfsolve/manuals

Change Log

The following table tracks changes made to this guide.

Software Release-version   Date        Change
3.90-01                    4/9/2013    Change Log and Introduction added.
4.10-01                    3/23/2014   Updated release information.

Chapter 1: Introduction

This document contains installation and configuration instructions for HP Fortify Static Code Analyzer.

Intended Audience

This installation guide is intended for individuals who are responsible for installing or uninstalling the HP Fortify Static Code Analyzer suite of analyzers and application components. This guide also details basic post-installation tasks and configuration options.

Refer to the HP Fortify Software Security Center System Requirements document to ensure that your system meets the minimum requirements for each software component installation.

Note: This document does not cover the installation process for HP Fortify Software Security Center (Software Security Center). HP Fortify Software Security Center requires a separate installation procedure, which can be found in the HP Fortify Software Security Center Installation and Configuration Guide. Download this document from the HP Software Product Manuals site: http://support.openview.hp.com/selfsolve/manuals.

The HP Fortify Software Security Center Components

An HP Fortify Software Security Center installation consists of one or more of the following analyzers:

• HP Fortify Static Code Analyzer: Analyzes your build code according to a set of rules specifically tailored to provide the information necessary for the type of analysis performed.

• HP Fortify Runtime Application Protection: Monitors and protects deployed applications from common attacks, unintended use, and targeted hacking. In addition, best security practices, such as input verification and proper exception handling, can be consistently applied to deployed applications.

• HP Fortify SecurityScope: Identifies vulnerabilities in pre-deployment applications during the QA phase, preventing exposure to security flaws before they are exploited.

An HP Fortify Software Security Center installation may also include one or more of the following application tools:

• HP Fortify Audit Workbench: provides a graphical user interface for HP Fortify Static Code Analyzer that helps you organize, investigate, and prioritize analysis results so that security flaws can be fixed quickly.

• HP Fortify Plugin for Eclipse: integrates with the Eclipse development environment and adds the ability to scan and analyze the entire codebase of a project and apply hundreds of software security rules that identify the vulnerabilities in your Java code. The results are displayed within the IDE, along with descriptions of each of the security issues and suggestions for their elimination.

• HP Fortify Eclipse Remediation Plug-in: integrates with the Eclipse development environment. The Eclipse Remediation Plug-in is a lightweight plug-in option for developers who need remediation functionality but do not need the scanning and auditing capabilities of Audit Workbench or the full Eclipse Plugin.

• HP Fortify Package for Microsoft Visual Studio: integrates with Visual Studio Premium and Visual Studio Professional to locate security vulnerabilities in your solutions and packages and displays the scan results in Visual Studio. The results include a list of issues uncovered, descriptions of the type of vulnerability each issue represents, and suggestions on how to fix them.

• HP Fortify Remediation Package for Visual Studio: integrates with the Microsoft Visual Studio Premium and Visual Studio Professional integrated development environments (IDEs). The HP Fortify Remediation Package for Visual Studio is a lightweight plug-in option for developers who need remediation functionality but do not need the scanning and auditing capabilities of Audit Workbench or the full Visual Studio package.

• HP Fortify Extension for JDeveloper: integrates with the JDeveloper integrated development environment (IDE) and adds the ability to scan and analyze the entire codebase of a project and apply hundreds of software security rules that identify the vulnerabilities in your code.

• HP Fortify Remediation Plugin for IntelliJ: integrates with the IntelliJ Integrated Development Environment (IDE) and adds the ability to scan and analyze the entire codebase of a project and apply hundreds of software security rules that identify the vulnerabilities in your code.

Related Documents

The following documents provide additional information about HP Fortify Static Code Analyzer:

• HP Fortify Static Code Analyzer User Guide

  This document provides instructions on using the analyzers to identify vulnerabilities in your code.

• HP Fortify Static Code Analyzer Utilities User Guide

  This document provides information on the command-line tools that provide additional management and access to the functions provided by SCA.

Chapter 2: Installation

This chapter covers the following topics:

• About Downloading the Software

• About Installing the HP Fortify Static Code Analyzer Suite

• About the Post-Installation Tasks

• Registering the ASPNET User

• Uninstalling HP Fortify Static Code Analyzer

About Downloading the Software

HP Fortify Software is available as a downloadable ISO file, which can be mounted or burned to a DVD, or as a downloadable application or package. For details on obtaining a license for your software, go to the HP Fortify Software Security Center System Requirements document and refer to the "HP Fortify Software Licenses" section. For details on obtaining HP Fortify software, go to the HP Fortify Software Security Center System Requirements document and refer to the "Acquiring HP Fortify Software" section.

About Installing the HP Fortify Static Code Analyzer Suite

This section describes how to install the SCA suite of analyzers and applications. You will need a Fortify License file to complete the process.

Launching the Installation

To install the SCA suite:

1. Navigate to the directory containing the installer files. If you downloaded the ISO, the installer file is located in the directory for your operating system.

   Note: For more information on acquiring the software and license for your operating system, see the HP Fortify Software Security Center System Requirements document.

2. Run the installer file that corresponds to your operating system and system processor.

3. Follow the prompts to install the software.

Migrating from a Previous SCA Installation

The Windows installation of SCA enables you to migrate from a previous installation of SCA on your system. Migrating from a previous SCA installation preserves SCA artifact files.

You can migrate SCA artifacts from a previous installation through the InstallShield wizard, or by using the scapostinstall post-install tool. For information on using the post-install tool to migrate from a previous SCA install, see "Migrating Properties Files."

To migrate from a previous SCA installation through the InstallShield Wizard:

1. Go to the Setup Type dialog box and click Yes. Click CCC. The Migration dialog box appears.

2. Specify the location of your previous SCA installation on your system. Click OK.

3. View the results of the SCA migration in the SCA Post Installation Configuration Results dialog box. This dialog box displays the SCA artifacts that were migrated, and the location of the files. Click Next to proceed to the Rulepack update.

Updating SCA Rulepacks

The Windows installation offers the option to update the HP Fortify Secure Coding Rulepacks for your system. The Software Security Research group releases quarterly updates to the Secure Coding Rulepacks, which drive the SCA analyzers. They are distributed as part of the subscription service through updates on the HP Fortify customer download site, automated tool updates, and software releases.

You can update SCA Rulepacks through the InstallShield wizard, or by using the rulepackupdate tool.

To update the SCA Rulepacks for your installation through the InstallShield Wizard:

1. Specify the URL address of the Rulepack server. To use HP Fortify's server for Rulepack updates, specify the URL as: https://update.fortify.com.

2. Specify the proxy of the Rulepack server. (This step is optional.)

3. Click Next. The Setup Type dialog box asks if you would like to download Rulepacks now. Select Yes, and then click Next.

4. View the results of the Rulepack update in the Rulepack Updater dialog box.

Installing the HP Fortify Plugin for Eclipse

To install the HP Fortify Plugin for Eclipse:

1. Install the SCA suite on your system, as described in the previous sections.

   Note: For Windows platforms, ensure that the Eclipse option was selected during installation.

2. Open Eclipse.

3. Select Help > Software Updates > Manage Configuration.

4. Click Add an Extension Location.

5. Select <install_directory>/plugins/eclipse.

6. Click OK.

The Secure Coding Rulepacks Plug-in menu appears.

About the Post-Installation Tasks

Post-installation tasks prepare you to start using the SCA analyzers and applications. These tasks include:

• Running the Post-Install Tool

• Migrating Properties Files

• Specifying a Locale

• Specifying a Proxy Server for Rulepack Updates

• Updating the Rulepack

If you are using the Microsoft .NET Framework, you might need to register the ASPNET user, described in the section Registering the ASPNET User.

Running the Post-Install Tool

SCA installs the post-install tool, scapostinstall, onto your system during the SCA installation. The scapostinstall tool allows you to perform two tasks: migrate properties files from a previous version of SCA, and configure SCA Rulepack update settings on your system.

To run the post-install tool:

1. Navigate to the bin directory from the command line.

2. Enter scapostinstall to start the tool.

3. Enter s to display settings, r to return to a previous prompt, and q to exit the tool.

Migrating Properties Files

To migrate properties files from a previous version of SCA to the current version of SCA installed on your system:

1. Navigate to the bin directory from the command line.

2. Enter scapostinstall to start the tool.

3. Enter 1 to select Migration.

4. Enter 1 to select SCA Migration.

5. Enter the previous install directory.

6. Enter 1 to select Migrate from an existing SCA installation.

7. Enter s to confirm the settings.

8. Enter 2 to perform the migration.

9. Enter y to confirm.

Specifying a Locale

By default, the locale of an SCA installation is English.

To specify a different locale:

1. Navigate to the bin directory from the command line.

2. Enter scapostinstall to start the tool.

3. Enter 2 to select Settings.

4. Enter 1 to select General.

5. Enter 1 to select Locale.

6. Enter the locale code:

   • English: en

   • Japanese: ja

   • Korean: ko

   • Chinese, Simplified: zh_CN

   • Chinese, Traditional: zh_TW

Specifying a Proxy Server for Rulepack Updates

If your network uses a proxy server to reach the Rulepack update server, you must specify the proxy server with the post-install tool.

To specify a proxy for the Rulepack update server:

1. Navigate to the bin directory from the command line.

2. Enter scapostinstall to start the tool.

3. Enter 2 to select Settings.

4. Enter 2 to select Rulepack Update.

5. Enter 2 to select Proxy Server Host.

6. Enter the name of the proxy server.

7. Enter 3 to select Proxy Server Port.

8. Enter the proxy server's port number.

Updating the Rulepacks

The runtime rulepacks are updated automatically during the Windows installation procedure. However, you can also download HP Fortify Secure Coding Rulepacks from the HP Fortify Customer Portal and then use the Rulepack Update tool to update your Secure Coding Rulepacks. This option is provided for installations on non-Windows platforms and for deployment environments that do not have access to the Internet during the installation procedure.

Use the Rulepack Update tool, rulepackupdate, to update Rulepacks from either a remote server or a locally downloaded file.

See About Downloading the Software on page 8 for information about downloading Rulepacks.

To update Rulepacks:

1. Navigate to the bin directory from the command line.

2. Enter rulepackupdate to start the Rulepack Update tool.

The system will respond with either an error message or a list of the Rulepacks that it has downloaded.

If you have previously downloaded Rulepacks from the HP Fortify Customer Portal, run rulepackupdate with the -import option and the path to the directory where you downloaded the Rulepacks.

Registering the ASPNET User

If you are using the Microsoft .NET Framework, you might need to register the ASPNET user. If the Microsoft Internet Information Server (IIS) is installed first, the ASPNET user is created when the .NET Framework is installed; otherwise, you must register it.

To register the ASPNET user, run the command:

aspnet_regiis -i

Find the command under the .NET Framework installation directory. For example, it is often located at:

C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322

or

C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727

Uninstalling HP Fortify Static Code Analyzer

This section describes how to uninstall the SCA software.

Uninstalling on Windows Platforms

To uninstall SCA suite software on Windows, use the Windows Add or Remove Programs utility on the Control Panel:

1. Select Start > Settings > Control Panel > Add or Remove Programs.

2. In the list of programs, choose HP Fortify vX.XX, and then click Remove.

Uninstalling on Other Platforms

To uninstall SCA software on Mac OS X, Linux, and Unix platforms:

1. Back up your configuration, including any important files you have created.

2. Manually delete the installation directory using the following command:

rm -rf <install_directory>/

Chapter 3: Configuration Options

This chapter covers the following topics:

• About Software Security Center Properties Files

• About the Ordering of Properties Files

• fortify.properties Configuration Options

• fortify-sca.properties Configuration Options

• fortify-sca-quickscan.properties Configuration Options

• fortify-ide.properties Configuration Options

About Software Security Center Properties Files

The Software Security Center installer places a set of properties files on your system during installation. Properties files contain a list of configurable runtime analysis, output, and performance parameters for Software Security Center components. Some properties files configure behavior and set parameter values globally for all Software Security Center components. Other properties files are specific to one component, setting parameters for a specific analyzer or scan mode, for example. The parameters contained within the properties files affect the analysis, output, and performance of the component.

The installed properties files contain Software Security Center default values. HP Fortify recommends consulting with your project leads before opening and modifying parameters within the properties files. All properties files can be edited using a text editor.

Upon opening and inspecting the properties files, you will see that each parameter consists of a pair of strings: the first string stores the key or name of the parameter; the second string stores the value.

The following illustrates the syntax for the parameter key and value within the properties file:

#this is a brief description about the locale parameter
com.fortify.locale=en

As shown above, the com.fortify.locale=en parameter sets the locale for Software Security Center components. The parameter key is com.fortify.locale, and the value is set to en for English. A brief description of the parameter also appears as a comment.

Disabled parameters are commented out of the properties file. To enable these parameters, simply remove the comment symbol (#) and save the properties file. The following illustrates a disabled parameter:

#when performing a scan of a website from Visual Studio, setting this property to true will cause SCA
#to translate the default ASP output instead of running the aspnet_compiler (it is recommended to manually
#clean this cache before use of this setting)
#com.fortify.VS.SkipASPPrecompilation=true

As shown above, the com.fortify.VS.SkipASPPrecompilation parameter is disabled within the properties file, and is not part of the configuration.

The following table describes the role of each Software Security Center properties file:

Table 1: Properties Files

Name of .properties File
    Role

fortify.properties
    Defines the global configuration parameters for Software Security Center components. These parameters set values for all components.

fortify-ide.properties
    Defines the configuration parameters for Software Security Center Integrated Development Environment (IDE) plug-ins.

fortify-sca.properties (for Windows installations); fortify-sca.properties (for non-Windows installations)
    Defines the configuration parameters for SCA.

fortify-sca-quickscan.properties
    Defines the configuration parameters applicable for a quick scan for SCA.

About the Ordering of Properties Files

Software Security Center processes properties in a specific order, using this order to override any previously set properties with the values that you specify. You should keep this processing order in mind when making changes to the properties files.

Property definitions are processed in the following order:

1. Properties specified on the command line have the highest priority and can be specified during any scan.

2. Properties specified in the fortify-sca-quickscan.properties file are processed second, but only when the -quick option is used to operate in Quick Scan mode. If Quick Scan is not invoked, this file is ignored.

3. Properties specified in the local fortify.properties file are processed third. Change values in this file on a scan-by-scan basis to fine-tune your installation.

4. Properties specified in the global fortify-sca.properties file are processed last. You should edit this file if you want to change the property values on a more permanent basis for all scans.
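The following is an added example, not code from the guide or from the product: it parses the key=value syntax described above (comment lines starting with # disable a parameter) and applies the four-level processing order to constructed sample files, so you can check which value a property ends up with for a given command line. The -Dkey=value form for command-line properties is an assumption; the guide only names the -quick option.

```python
"""Added example (not from the HP Fortify guide): a minimal parser for the
key=value properties syntax the chapter describes, plus a resolver that
applies the stated processing order for an SCA scan: command line first,
then fortify-sca-quickscan.properties (only with -quick), then the local
fortify.properties, then the global fortify-sca.properties.
The file contents below are constructed samples, not the shipped files.
"""
from typing import Dict, List, Tuple

# Constructed sample of the global fortify-sca.properties (lowest priority).
GLOBAL_SCA_PROPERTIES = """\
# global defaults for all scans
com.fortify.sca.SuppressLowSeverity=true
com.fortify.sca.LowSeverityCutoff=1.0
com.fortify.sca.SqlLanguage=TSQL
"""

# Constructed sample of the local fortify.properties (scan-by-scan tuning).
# The commented-out SkipASPPrecompilation line is disabled, as in the guide.
LOCAL_FORTIFY_PROPERTIES = """\
#this is a brief description about the locale parameter
com.fortify.locale=en
#com.fortify.VS.SkipASPPrecompilation=true
com.fortify.sca.LowSeverityCutoff=2.0
"""

# Constructed sample of fortify-sca-quickscan.properties (used only with -quick).
QUICKSCAN_PROPERTIES = """\
# looser cutoff for Quick Scan mode
com.fortify.sca.LowSeverityCutoff=3.0
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Parse key=value lines. A line whose first non-blank character is '#'
    is a comment, so a commented-out parameter is disabled and absent."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        props[key.strip()] = value.strip() if sep else ""
    return props


def parse_command_line(argv: List[str]) -> Tuple[Dict[str, str], bool]:
    """Collect -Dkey=value overrides (assumed form) and detect -quick."""
    overrides: Dict[str, str] = {}
    quick = False
    for arg in argv:
        if arg == "-quick":
            quick = True
        elif arg.startswith("-D") and "=" in arg:
            key, _, value = arg[2:].partition("=")
            overrides[key] = value
    return overrides, quick


def resolve_properties(
    command_line: Dict[str, str],
    quick_mode: bool,
    quickscan_text: str,
    local_text: str,
    global_text: str,
) -> Dict[str, str]:
    """Apply the guide's precedence. Layers are stacked from lowest to
    highest priority so that each later update() wins over earlier ones."""
    effective: Dict[str, str] = {}
    effective.update(parse_properties(global_text))  # 4. global fortify-sca.properties
    effective.update(parse_properties(local_text))   # 3. local fortify.properties
    if quick_mode:                                   # 2. quickscan file, only with -quick
        effective.update(parse_properties(quickscan_text))
    effective.update(command_line)                   # 1. command line wins
    return effective


def effective_properties(argv: List[str]) -> Dict[str, str]:
    """Resolve the constructed sample files for a given command line."""
    overrides, quick = parse_command_line(argv)
    return resolve_properties(
        overrides, quick, QUICKSCAN_PROPERTIES,
        LOCAL_FORTIFY_PROPERTIES, GLOBAL_SCA_PROPERTIES,
    )


if __name__ == "__main__":
    # PLSQL here is just a constructed override value for the demonstration.
    for argv in (["-Dcom.fortify.sca.SqlLanguage=PLSQL"], ["-quick"]):
        print(argv)
        for key, value in sorted(effective_properties(argv).items()):
            print(f"  {key}={value}")
```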

fortify.properties Configuration Options

The fortify.properties file defines global parameters for all Software Security Center components. The fortify.properties file installed on your system contains parameters set to Software Security Center default values. You can modify these parameter values by editing the file.

The fortify.properties file is located in either your Windows user directory or your Unix home directory.

The following table summarizes the parameters found in the fortify.properties file:

Table 2: HP fortify.properties Global Properties

Property Name / Default Value
    Description

com.fortify.Debug / false
    Places Software Security Center components in debug mode.

com.fortify.awb.Debug / false
    Places HP Fortify Audit Workbench in debug mode.

com.fortify.eclipse.Debug / false
    Places the HP Fortify Plugin for Eclipse in debug mode.

com.fortify.VS.Debug / false
    Places the HP Fortify Package for Microsoft Visual Studio in debug mode.

com.fortify.SCAExecutablePath / (none)
    Specifies the path to the working directory of any installed client tools, such as Audit Workbench and Secure Coding Plug-ins.

com.fortify.WorkingDirectory / (none)
    Specifies the path to the Windows Local Application Data shell folder on your system. This is typically C:\Documents and Settings\<user>\Local Settings\Application Data. For example: com.fortify.WorkingDirectory=${win32.LocalAppdata}/Fortify

com.fortify.InstallationUserName / ${user.name}
    Specifies the user name for this installation.

com.fortify.locale / en
    Specifies the installation locale.

com.fortify.VS.RequireASPPrecompilation / true
    Set this parameter to false to allow the scan to continue even if the ASP Pre-Compilation fails when performing a scan of a website from Visual Studio in headless mode.

com.fortify.VS.SkipASPPrecompilation / false
    Set this parameter to true to allow SCA to translate the default ASP output instead of running the aspnet_compiler when performing a scan of a website from the HP Fortify Visual Studio Package. HP Fortify recommends manually cleaning this cache before enabling this setting.

com.fortify.DisableProgramInfo / false
    Set this parameter to true to disable the use of the Code Navigation features in Audit Workbench and improve runtime memory usage.

com.fortify.VS.DisableCIntegration / false
    Set this parameter to true to disable integration with C/C++ builds in the HP Fortify Visual Studio Package.

com.fortify.AuthenticationKey / ${com.fortify.WorkingDirectory}/config/tools
    Stores the Software Security Center client authentication token.

com.fortify.model.CheckSig / false
    Specifies the path used to store the Software Security Center client authentication token.

com.fortify.model.MinimalLoad / false
    Minimizes the data loaded from an FPR. Set this property to true to load only basic issue information.

com.fortify.model.UseIssueParseFilters / false
    Defers to the filter settings in the IssueParseFilters.properties file.

com.fortify.model.EnableElementBaseIndexShift / (none)
    Set this value to true if you require backwards compatibility with pre-2.5 migrated projects.

com.fortify.visualstudio.vm.args / (none)
    Specifies the default virtual machine arguments to use when the Visual Studio plug-in runs Java commands.

enable.clean.transaction.resource / (none)
    Set this property to true to work around a Quartz/Spring bug in which, when a cron trigger fires, a thread-local resource is not released, resulting in a "Pre-bound JDBC Connection found!" error. Set this property to true when this problem occurs.

com.fortify.tools.iidmigrator.scheme / (none)
    Set this property to migrate IIDs created with different versions of SCA. This is generally handled by SCA. If you need to override the mapping scheme, please consult HP Fortify customer support.

max.file.path.length / 255
    Set the maximum number of characters for your file path.

com.fortify.model.MergeResolveStrategy / DefaultToMasterValue
    Define which .FPR project (default or imported) should be used as the base when resolving merge conflicts. Possible values are: 'DefaultToMasterValue', 'DefaultToImportValue', or 'DefaultToMasterValue'.

com.fortify.RemovedIssuePersistenceLimit / 1000
    Set the Removed Issue Persistence Limit. By default, the value is 1000, but it can be increased appreciably.

com.fortify.model.ExecMemorySetting / 1200M
    Set the amount of memory allocated for processes required by HP Fortify Audit Workbench (i.e., iidmigrator, events2fpr, etc.).

com.fortify.model.IssueCutoffStartIndex / (none)
    Set the number of issues loaded. Select the first issue (by number) to be loaded.

com.fortify.model.IssueCutoffEndIndex / (none)
    Used with com.fortify.model.IssueCutoffStartIndex, this parameter allows you to select the last issue to be loaded (by number). Select the first issue (by number) to be loaded.

com.fortify.model.IssueCutoffByCategoryStartIndex / (none)
    Set this property to a value that represents the minimum number of issues a category should contain. Categories that contain fewer issues than set here are not displayed. Use in conjunction with com.fortify.model.IssueCutoffByCategoryEndIndex to select a range of values.

com.fortify.model.IssueCutoffByCategoryEndIndex / (none)
    Set this property to a value that represents the maximum number of issues a category should contain. Categories that contain more issues than set here are not displayed. Use in conjunction with com.fortify.model.IssueCutoffByCategoryStartIndex to select a range of values. For example:

    com.fortify.model.IssueCutoffByCategoryStartIndex=10
    com.fortify.model.IssueCutoffByCategoryEndIndex=20

    The example above loads categories which have between 10 and 19 issues in them.

fortify-sca.properties Configuration Options

SCA uses the parameter values defined in the fortify-sca.properties file to perform scans on your software projects.

The fortify-sca.properties file installed on your system contains parameters set to default values. You can modify these parameter values specific to SCA operation by editing the file, located at the following location on your system:

<install directory>/Core/config

The following table summarizes the parameters found in the fortify-sca.properties file:

Table 3: SCA properties Global Properties  

Parameter / Default Value

Description

com.fortify.sca.ProjectRoot /

Defaultfoldercreatedduringinstallation.Thisvariesbyplatform.

Specifiesthefolderthatstoresintermediatefilesgeneratedduringascan.

com.fortify.sca.DefaultAnalyzers /

(None)Specifiesthetypesofanalysistoperform.Bydefault,thisparameteriscommentedout,andallanalysistypesareutilizedduringscans.Theacceptablevaluesforthisparameterare:dataflow,semantic,controlflow,configuration,structural,nullptr,andcontent.

com.fortify.sca.SuppressLowSeverity / true

SetsSCAtoignorelowseverityissuesfoundduringascan.

com.fortify.sca.LowSeverityCutoff / 1.0

Specifiesthecutofflevelforseveritysuppression.AnyissuesfoundwithalowerseverityvaluethantheonespecifiedwiththisparameterareignoredbySCA.

com.fortify.sca.DefaultJarsDirs /default_jars

IncludestheJARfilesthatareaddedtoSCA’sCLASSPATHbeforeanyJARSspecifiedusing‐cpor‐classpathsourceanalyzercommandlineoptions.TheseJARSarelocatedin<Fortify_Home>/Core/default_jarsanditssubdirectories.TheseJARSarenotrequiredbySCAinordertotranslateJava/JSPfilesbutareprovidedasaconvenienceforusersanalyzingJ2EEWebapplications.YoucanconfigureSCAsothatitdoesnotusecom.fortify.sca.DefaultJarsDirbysettingcom.fortify.sca.DontUseDefaultJarstoTrue.

com.fortify.sca.CustomRulesDir / ${com.fortify.Core}/config/customrules

Setthedirectoryusedtosearchforcustomrules.Ifthisisset,thedefaultdirectoryisnotsearched.

com.fortify.sca.DontUseDefaultJars / false

SetthisvaluetoTrueifyoudonotwanttousethedefaultJARfilesinSCA’sCLASSPATH. SCAwillonlyusetheJARfilesspecifiedonthesourceanalyzercommandlineusing-cpor-classpath.

Chapter 3: Configuration Options   17

com.fortify.sca.DefaultFileTypes / java,jsp,jspx,sql,cfm,php,pks,pkh,pkb,xml,config,properties,dll,exe,inc,asp,vbscript,js,ini,bas,cls,vbs,frm,ctl,html,htm,xsd,wsdd,xmi,cfml,cfc

Specifies the file extensions to include in the SCA scan. To have SCA recognize additional extensions, add com.fortify.sca.fileextensions.<extension> entries (below).

com.fortify.sca.CustomRulesDir / (none)

Specifies the directory that contains SCA custom rules. If you set this property to a different directory, the default directory Core/config/customrules is not used.

com.fortify.sca.fileextensions.<extension> / (the list of supported file extensions)

Determines how SCA handles the specified file extension. Add entries for new extensions so that SCA recognizes them.

com.fortify.sca.jsp.UseNativeParser / true

Sets SCA to use the native parser.

com.fortify.sca.SqlLanguage / TSQL

Sets the SQL language variant.

com.fortify.sca.compilers.<compiler> / (the list of supported compilers)

Instructs SCA how to handle custom-named compilers.

com.fortify.sca.DaemonCompilers / (the list of supported compilers)

Determines which compilers are translated during an SCA scan.

com.fortify.sca.IndirectCallGraphBuilder / (None)

Determines which indirect call graph builders run during an SCA scan. You can specify the following call graph builders:

• com.fortify.sca.analyzer.callgraph.VirtualCGBuilder
• com.fortify.sca.analyzer.callgraph.J2EEIndirectCGBuilder
• com.fortify.sca.analyzer.callgraph.JNICGBuilder
• com.fortify.sca.analyzer.callgraph.StoredProcedureResolver
• com.fortify.sca.analyzer.callgraph.JavaWSCGBuilder
• com.fortify.sca.analyzer.callgraph.StrutsCGBuilder
• com.fortify.sca.analyzer.callgraph.DotNetWSCGBuilder
• com.fortify.sca.analyzer.callgraph.SqlServerSPResolver

com.fortify.sca.DisableFunctionPointers / false

Disables function pointers during the SCA scan.

com.fortify.sca.DisableGlobals / false

Disables tracking of tainted data through the global variables set with the fortify.properties file.

com.fortify.sca.DisableDeadCodeElimination / false

Set this property to true to disable the use of the Code Navigation features in Audit Workbench and improve runtime memory usage.

com.fortify.sca.DeadCodeIgnoreTrivialPredicates / true

Instructs SCA to ignore dead code. Dead code is code in a program's source that is executed but whose result is never used in any other computation.

Table 3: SCA properties Global Properties  (Continued)

Parameter / Default Value

Description


com.fortify.sca.DeadCodeFilter / true

Instructs SCA to filter dead code during scans (see the previous entry for the definition of dead code).

com.fortify.scaSolverTimeout / 15

Instructs SCA to time out after the specified time period.

com.fortify.FVDLDisableProgramData / false

Excludes the ProgramData section from the analysis results file (the FVDL output file).

com.fortify.FVDLDisableSnippets / false

Excludes code snippets from the analysis results file (FVDL).

com.fortify.FVDLDisableDescriptions / false

Excludes descriptions from the analysis results.

com.fortify.FVDLDisableStyleSheets / ${com.fortify.Core}/resources/sca/fvdl2html.xsl

Specifies the stylesheet for the analysis results.

com.fortify.sca.ClobberLogFile / false

Sets SCA to overwrite the log file for each new scan.

com.fortify.sca.LogFile / ${com.fortify.sca.ProjectRoot}/sca/log/sca.log

Specifies the location of the SCA log file.

com.fortify.sca.PrintPerformanceDataAfterScan /

Sets the post-scan logging option. If SCA is in debug mode, this is automatically set to true.

com.fortify.sca.cpfe.command / ${com.fortify.Core}/private-bin/sca/cpfe

Specifies the CPFE binary (version 3.9) used in the translation phase. Do not modify.

com.fortify.sca.cpfe.new.command / ${com.fortify.Core}/private-bin/sca/cpfe441

Specifies the new CPFE binary (version 4.4.1) used in the translation phase. Do not modify.

com.fortify.sca.cpfe.options / --remove_unneeded_entities --supress_vtbl -tused

Adds options to the CPFE command line that SCA invokes when translating C/C++ code. You can use any option supported by CPFE, but make sure you understand the impact of an option before altering this property.

com.fortify.sca.cpfe.file.option / --gen_c_file_name

Sends the name of the NST output file to the CPFE. Do not modify.

com.fortify.sca.cpfe.dont.fix.cctor.option / false

Determines whether the CPFE performs additional processing steps when it translates copy constructor calls in C++ code. When this value is false, the extra processing steps are performed. Do not modify.

com.fortify.sca.DisplayProgress / true

Allows SCA to display progress through the user interface during a scan.

com.fortify.sca.findbugs.maxheap / (None)

Sets the maximum amount of issues to log during an SCA scan.
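The DefaultFileTypes and fileextensions.<extension> entries in this table decide which files SCA picks up at all, so a useful pre-scan check is to compare the extension list against the tree you are about to translate and see what would be left out. The following script is an added example, not code from the HP Fortify product or from this guide: it models the table's description (a file is included when its extension is in DefaultFileTypes, or when you have added a fileextensions.<extension> mapping), treats extensions case-insensitively (an assumption of the model, not something the table states), and runs over a constructed sample tree.

```python
"""Compare com.fortify.sca.DefaultFileTypes against a source tree and report
what an SCA scan would silently skip.

Added example; not part of the HP Fortify documentation or product. The sample
tree is constructed; the extension list is the default from Table 3."""
import os

DEFAULT_FILE_TYPES = ("java,jsp,jspx,sql,cfm,php,pks,pkh,pkb,xml,config,properties,"
                      "dll,exe,inc,asp,vbscript,js,ini,bas,cls,vbs,frm,ctl,html,htm,"
                      "xsd,wsdd,xmi,cfml,cfc")


def scanned_extensions(default_file_types, extra_extensions=()):
    """Extensions the scan picks up: the DefaultFileTypes list plus any
    extensions you have mapped with com.fortify.sca.fileextensions.<extension>.
    Matching is case-insensitive here, which is an assumption of this model."""
    exts = {e.strip().lower() for e in default_file_types.split(",") if e.strip()}
    exts.update(e.strip().lstrip(".").lower() for e in extra_extensions)
    return exts


def _extension(path):
    return os.path.splitext(path)[1].lstrip(".").lower()


def partition_tree(paths, exts):
    """Split relative file paths into (scanned, skipped) by extension."""
    scanned, skipped = [], []
    for path in paths:
        (scanned if _extension(path) in exts else skipped).append(path)
    return scanned, skipped


def skipped_by_extension(skipped):
    """Tally skipped files per extension, most frequent first, so you can decide
    which ones need a fileextensions.<extension> mapping or another translator."""
    tally = {}
    for path in skipped:
        ext = _extension(path) or "(none)"
        tally[ext] = tally.get(ext, 0) + 1
    return dict(sorted(tally.items(), key=lambda kv: (-kv[1], kv[0])))


# Constructed sample tree for a mixed Java web application.
SAMPLE_TREE = [
    "src/main/java/com/acme/LoginServlet.java",
    "src/main/webapp/login.jsp",
    "src/main/webapp/WEB-INF/web.xml",
    "src/main/resources/app.properties",
    "db/schema.sql",
    "db/procs.PKB",
    "web/static/app.JS",
    "web/static/app.ts",
    "web/static/app.tsx",
    "scripts/deploy.sh",
    "scripts/migrate.py",
    "Dockerfile",
    "README.md",
]

if __name__ == "__main__":
    exts = scanned_extensions(DEFAULT_FILE_TYPES)
    scanned, skipped = partition_tree(SAMPLE_TREE, exts)
    print("scanned %d, skipped %d" % (len(scanned), len(skipped)))
    for ext, count in skipped_by_extension(skipped).items():
        print("  .%s: %d file(s) not covered by DefaultFileTypes" % (ext, count))
```

Run it against the real tree by replacing SAMPLE_TREE with the output of os.walk; every extension that shows up in the skipped tally is code the scan never sees, which is worth knowing before you read a clean FPR as a clean project.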


SCA performs scans to identify issues within a software project. SCA also offers a less intensive scan known as a quick scan. This option scans the project in Quick Scan Mode, using the parameter values in the fortify-sca-quickscan.properties file. By default, Quick Scan searches for high-confidence, high-severity issues only, so its results are a faster but less complete view of the project than a full scan. For more information about Quick Scan Mode, see the HP Fortify Audit Workbench User's Guide.

The following table describes the properties that tune default scanning performance. These properties have different defaults for Quick Scan Mode, which you can adjust by editing the fortify-sca-quickscan.properties file. If you want to use the recommended tuning parameters, you do not need to edit this file; however, you may want to experiment with other settings to fine-tune the scan for your specific application.

Remember that properties in this file are processed only if you specify the -quick option on the command line when invoking your scan.

The fortify-sca-quickscan.properties file installed on your system contains parameters set to default values. You can modify these values by editing the file, located at:

<install directory>/Core/config

The following table provides two sets of default values. The first is the default for normal scans; the second (labeled Quick Scan value) is the default for quick scans. If only one default value is shown, it applies to both normal scans and quick scans. The table summarizes the parameters found in the fortify-sca-quickscan.properties file.

Table 4: HP fortify-sca-quickscan.properties Global Properties

Property Name / Default Value

Description

com.fortify.sca.AllocationWebServicesURL / https://per-use.fortify.com/services/GasAllocationService

Specifies the URL of the Web services for SCA.

com.fortify.sca.CfmlUndefinedVariablesAreTainted / false

Instructs SCA to treat undefined variables in CFML pages as tainted.

com.fortify.sca.AddImpliedMethods / true

Sets SCA to generate implied methods when implementation by inheritance is encountered.

com.fortify.sca.FilterSet / (None); Quick Scan value: Critical Exposure

When set to Critical Exposure, this property runs only the rules for the high-severity filter set. Running only a subset of the defined rules allows the SCA scan to complete more quickly: SCA runs only those rules that can produce issues in the named filter set, as defined by the default project template for your application. Issues outside that filter set are not reported. For more information about filter sets, see the HP Fortify Audit Workbench User's Guide.

com.fortify.sca.FPRDisableSrcHtml / False; Quick Scan value: True

Disables rendering of source code into the FPR file; when set to true, SCA does not generate marked-up source code files during a scan. If you plan to upload FPRs generated by a quick scan, you must set this property to false.


com.fortify.sca.limiters.ConstraintPredicateSize / 50000; Quick Scan value: 10000

Specifies the size limit for complex calculations in the Buffer Analyzer. Calculations larger than this value are skipped, which improves scanning time at the cost of Buffer Analyzer coverage.

com.fortify.sca.BufferConfidenceInconclusiveOnTimeout / true; Quick Scan value: false

Instructs SCA to skip complex calculations in the Buffer Analyzer to improve scanning time.

com.fortify.sca.limiters.MaxChainDepth / 5; Quick Scan value: 4

Controls the maximum call depth through which the Dataflow Analyzer tracks tainted data. Increasing this value increases the coverage of dataflow analysis and results in longer analysis times. Note: Call depth refers to the maximum call depth on a dataflow path between a taint source and a sink, not the call depth from the program entry point, such as main().

com.fortify.sca.limiters.MaxTaintDefForVar / 1000; Quick Scan value: 500

Sets a complexity limit for Dataflow analysis. Dataflow incrementally decreases the precision of analysis on functions that exceed this complexity metric for a given precision level.

com.fortify.sca.limiters.MaxTaintDefForVarAbort / 4000; Quick Scan value: 1000

Sets a hard limit on function complexity. If the complexity of a function exceeds this limit at the lowest precision level, the analyzer skips analysis of the function entirely.

com.fortify.sca.DisableGlobals / false

Instructs SCA not to track tainted data through the global variables set with the fortify.properties file.

com.fortify.sca.CtrlflowSkipJSPs / false

Instructs SCA to skip Control Flow analysis on JSPs.

com.fortify.sca.NullPtrMaxFunctionTime / 300000; Quick Scan value: 30000

Sets the time limit (in milliseconds) for Null Pointer analysis on a single function. A shorter limit decreases overall scanning time.

com.fortify.sca.CtrlflowMaxFunctionTime / 600000; Quick Scan value: 30000

Sets the time limit (in milliseconds) for Control Flow analysis on a single function.

com.fortify.sca.TrackPaths / (Not set); Quick Scan value: NoJSP

Disables path tracking for Control Flow analysis. Path tracking provides more detailed reporting for issues but requires more scanning time. Set the property to NoJSP to disable path tracking for JSPs only, or to None to disable it for all functions.

com.fortify.sca.translator.java.Incremental / false

When set to true, instructs SCA to translate Java source files one at a time instead of all at once. SCA uses less memory while translating files but processes them more slowly.
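To see what -quick actually changes before you rely on its FPR, it helps to resolve the two property files the way this section describes and pre-flight the result: the quick-scan file is layered over fortify-sca.properties only when -quick is given, FilterSet narrows which rules run, FPRDisableSrcHtml=true produces an FPR you cannot upload, and the limiters drop analysis coverage. The following script is an added example, not code from the HP Fortify product or from this guide. The two .properties excerpts are constructed from the defaults in Table 4, the parser is a minimal java.util.Properties reader, and command-line overrides are modeled as a dictionary applied last (that they take precedence over both files is an assumption of the model).

```python
"""Resolve the effective SCA property set for a normal scan versus a -quick scan
and pre-flight the result before trusting the FPR.

Added example; not part of the HP Fortify documentation or product. The two
.properties excerpts are constructed from the defaults in this section."""
import re

# Constructed excerpt of <install directory>/Core/config/fortify-sca.properties
# (normal-scan defaults).
SCA_PROPERTIES = """
# Dataflow / control-flow limiters and FPR options
com.fortify.sca.limiters.MaxChainDepth=5
com.fortify.sca.limiters.MaxTaintDefForVar=1000
com.fortify.sca.limiters.MaxTaintDefForVarAbort=4000
com.fortify.sca.NullPtrMaxFunctionTime=300000
com.fortify.sca.CtrlflowMaxFunctionTime=600000
com.fortify.sca.FPRDisableSrcHtml=false
"""

# Constructed excerpt of fortify-sca-quickscan.properties (Quick Scan values).
# SCA reads this file only when sourceanalyzer is invoked with -quick.
QUICKSCAN_PROPERTIES = """
com.fortify.sca.FilterSet=Critical Exposure
com.fortify.sca.FPRDisableSrcHtml=true
com.fortify.sca.limiters.MaxChainDepth=4
com.fortify.sca.limiters.MaxTaintDefForVar=500
com.fortify.sca.limiters.MaxTaintDefForVarAbort=1000
com.fortify.sca.NullPtrMaxFunctionTime=30000
com.fortify.sca.CtrlflowMaxFunctionTime=30000
com.fortify.sca.TrackPaths=NoJSP
"""

# Limiters where a smaller value trades analysis coverage for speed.
COVERAGE_LIMITERS = (
    "com.fortify.sca.limiters.MaxChainDepth",
    "com.fortify.sca.limiters.MaxTaintDefForVar",
    "com.fortify.sca.limiters.MaxTaintDefForVarAbort",
    "com.fortify.sca.NullPtrMaxFunctionTime",
    "com.fortify.sca.CtrlflowMaxFunctionTime",
)

_KEY_VALUE = re.compile(r"([^=:\s]+)\s*[=:]?\s*(.*)")


def parse_properties(text):
    """Minimal java.util.Properties reader: '#'/'!' comments, '=' or ':'
    separators, backslash line continuations; later keys overwrite earlier."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):          # value continues on the next line
            pending = line[:-1]
            continue
        match = _KEY_VALUE.match(line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def effective_properties(quick, overrides=None):
    """Layer the files as this section describes: the quick-scan file applies
    only with -quick. 'overrides' stands in for values given on the command
    line; that they win over both files is an assumption of this model."""
    props = parse_properties(SCA_PROPERTIES)
    if quick:
        props.update(parse_properties(QUICKSCAN_PROPERTIES))
    props.update(overrides or {})
    return props


def preflight(props, upload_to_ssc):
    """Findings a practitioner should see before acting on the scan's FPR."""
    findings = []
    if upload_to_ssc and props.get("com.fortify.sca.FPRDisableSrcHtml", "false").lower() == "true":
        findings.append("FPRDisableSrcHtml=true: FPR carries no marked-up source; "
                        "set it to false before uploading")
    filter_set = props.get("com.fortify.sca.FilterSet")
    if filter_set:
        findings.append("FilterSet=%s: only rules for that filter set run, so "
                        "issues outside it are absent, not fixed" % filter_set)
    normal = parse_properties(SCA_PROPERTIES)
    for key in COVERAGE_LIMITERS:
        if key in props and int(props[key]) < int(normal[key]):
            findings.append("%s lowered %s -> %s: reduced analysis coverage"
                            % (key.rsplit(".", 1)[1], normal[key], props[key]))
    return findings


if __name__ == "__main__":
    for quick in (False, True):
        print("-quick" if quick else "normal scan")
        for finding in preflight(effective_properties(quick), upload_to_ssc=True) or ["no findings"]:
            print("  " + finding)
```

Pointing the two constants at the real files under <install directory>/Core/config turns this into a check you can run in CI: a quick scan that is about to be uploaded, or whose limiters were lowered further than the shipped quick-scan defaults, is flagged before anyone reads its FPR as a full result.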


fortify-ide.properties Configuration Options

The fortify-ide.properties file defines configuration settings for Audit Workbench. This component allows you to examine the scan results produced by Software Security Center analyzers, such as SCA. The fortify-ide.properties file installed on your system contains parameters set to default values. You can modify these values by editing the file, located at:

<install directory>/Core/config

The following table summarizes the parameters in the fortify-ide.properties file:

Table 5: HP fortify-ide.properties Global Properties

Property Name / Default Value

Description

rulepack.days / 15

Sets the number of days before an automatic update of the Rulepacks is performed.

rulepack.auto.update / true

Enables automatic updating of Rulepacks.

override.results.path / (None)

Overrides the saved FPR location to a new location: ${user.home}