Can I run fortify on .jar files instead of .java?

fortify
Ankit Sharma picture Ankit Sharma · Apr 29, 2013 · Viewed 10k times · Source

I need to check vulnerabilities (if any) in the third party libraries that are being used in my project using Fortify.

For a few third party libraries, I am not able to access their source files. I only have the shipped .jar files.

Is it possible to run Fortify on .jar files instead ? All I could find in most of the documentations was that Fortify can be run on .java files, something like this:

sourceanalyzer -b MyProject -cp "lib/.jar" "src/*/*.java"

Answer

Douglas Held picture Douglas Held · May 17, 2013

You can do one better than LaJmOn's suggestion and actually crack open the jars automatically.

for example:

sourceanalyzer -b apple -source 1.6 -Dcom.fortify.sca.fileextensions.jar=ARCHIVE /System/Library/Frameworks/JavaVM.framework/Home/lib/ext/apple_provider.jar

Related questions

How does Fortify software work?

Fortify is a SCA used to find the security vulnerabilities in software code. I was just curious about how this software works internally. I know that you need to configure a set of rules against which the code will be …

Read More
How to fix "Path Manipulation Vulnerability" in some Java Code?

The below simple java code getting Fortify Path Manipulation error. Please help me to resolve this. I am struggling from long time. public class Test { public static void main(String[] args) { File file=new File(args[0]); } }

Read More
Fortify command line usage

Has anyone used command line to run fortify? I tryin to incorporate fortify run in my CI build and I dont know how to do it.

Read More