fortify

Can I use Fortify to scan scala-code or the generated java (jar) files ? I know that I can do the jar option technically but are there any known challenges with respect to the generated java code? Fortify SCA now officially supports Scala (since December 2017). Adding this support was a collaborative project between Lightbend and Micro Focus. I did most of the engineering work on the Lightbend side, writing a compiler plugin that translates Scala code to an intermediate form that Fortify understands. Micro Focus added Scala-specific security rules and made any necessary adjustments to the

I am running code through Hp Fortify and have some path manipulation findings. I understand the context of it and trying to resolve. Instead of going through all the places where SOME path values are queried from a database to store output files (logs, export data, whatever), I tried to centralize it. So, instead of having File.WriteAllText() with some path + file name, content, I wanted to wrap into FortifyFileWriteAllText(). Then, in this function I do path validation check once up front, and if valid, only then allow the write to continue such as... public static bool

I have multiple projects bound by a single parent pom. If i run fortify scan on parent pom using Maven fortify plugin, fpr files for each project is generated. I would like to have a single fpr file being generated for all the projects. Is it possible ? Thanks and Regards, Saurav What you want to do is an aggregate build. Try setting the same build ID for each module and then pass the -Dfortify.sca.toplevel.artifactId as the artifactID of the parent POM. This should give you a single FPR file. It should look like: mvn clean mvn -Dfortify.sca.buildId=ACMEPortal com.fortify.ps.maven.plugin:sca

I am trying to use Fortify Source Code Analyzer for a research project at my school to test the security for open source Java web applications. I am currently working on Apache Lenya. I am working with the last stable release (Lenya v2.0.2). Inside the root directory there is a file named build.sh . This file is called to build Lenya using the version of Ant that ships with the release (in the tools/bin folder). I can build Lenya just fine when I run ./build.sh . So, it would be assumed that running the following command in Fortify would work : sourceanalyzer -b lenya -Xmx1200M touchless .

As part of automating the process of running secure code analysis, I have a Jenkins job which uses the sourceanalyzer command line tool to generate an .fpr results file. At the moment I'm opening this results file in Audit Workbench application to view the results and check if there's any newly introduced issues etc, and generating a report from there in PDF/XML format. Does anyone is it possible to invoke Audit Workbench through the command line and generate a report on the issues, which we could then leverage through a Jenkins script and also then mail the results? Looking online the command