Fortify Source Analyzer and Apache Lenya

java apache static-analysis fortify
user131441 picture user131441 · Jul 21, 2009 · Viewed 9.5k times · Source

I am trying to use Fortify Source Code Analyzer for a research project at my school to test the security for open source Java web applications. I am currently working on Apache Lenya. I am working with the last stable release (Lenya v2.0.2).

Inside the root directory there is a file named build.sh. This file is called to build Lenya using the version of Ant that ships with the release (in the tools/bin folder). I can build Lenya just fine when I run ./build.sh. So, it would be assumed that running the following command in Fortify would work : 

sourceanalyzer -b lenya -Xmx1200M touchless ./build.sh

However, when I try and run:

sourceanayzer -b lenya -Xmx1200M -scan -f lenya.fpr

I get:

build id Lenya not found.

I looked at the buid.sh file and noticed that it was just resetting the current ant home, classpath, and ant options variables, running the ant build command, and resetting the values back to their defaults. So I reset all of the variables manually (without the script) instead of running the script and ran: 

sourceanalyzer -b lenya -Xmx1200M touchless tools/bin/ant -logger org.apache.tools.ant.NoBannerLogger

Then I ran : 

sourceanalyzer -b lenya -Xmx1200M -scan -f lenya.fpr

but I got the same error. I'm not sure if this is because I am doing something wrong or if it is something that Fortify is not doing correctly. Any insight will be great.

Answer

Vineet Reynolds picture Vineet Reynolds · Jul 21, 2009

I'm not sure whether you have access to the Fortify documentation, but that will definitely help. You should refer to the SCA User's Guide to understand how to use the sourceanalyzer executable.

To cut things short, there are two ways of getting the FPR file:

  1. (The long way) Write a script to translate and analyse the source code by providing the path of the source code and the classpath to the sourceanalyzer executable.
  2. (The short way) Use the SCACompiler instead of javac as the compiler. You'll need to modify the build script for this.

I prefer the former due to its customizability when handling large code bases.

PS: Which version of Fortify is this?

Related questions

how to make log4j to write to the console as well

Is there any way to tell to log4j to write its log to the file and to the console? thanks there are my properties: log4j.rootLogger=DEBUG,console,R log4j.rootLogger=INFO, FILE log4j.appender.CONSOLE=…

Read More
Tomcat is not running even though JAVA_HOME path is correct

When I am trying to run tomcat using startup.bat I get the following error, The JAVA_HOME environment variable is not defined correctly This environment variable is needed to run this program NB: JAVA_HOME should point to a …

Read More
How to read Excel cell having Date with Apache POI?

I'm using Apache POI 3.6, I want to read an excel file which has a date like this 8/23/1991. switch (cell.getCellType()) { ... ... case HSSFCell.CELL_TYPE_NUMERIC: value = "NUMERIC value=" + cell.getNumericCellValue(); break; ... } But it takes the numeric value type and returns …

Read More