fortify

How we can generate FortiFy report using command ??? on linux. In command, how we can include only some folders or files for analyzing and how we can give the location to store the report. etc. Please help.... Thanks, Karthik 1. Step#1 (clean cache) you need to plan scan structure before starting: scanid = 9999 (can be anything you like) ProjectRoot = /local/proj/9999/ WorkingDirectory = /local/proj/9999/working (this dir is huge, you need to "rm -rf ./working && mkdir ./working" before every scan, or byte code piles underneath this dir and consume your harddisk fast) log = /local/proj/9999

I want to run a Fortify scan against a Maven Eclipse project. Where should I start? I understand that I need to update my pom.xml file to include the Fortify plugin however do I also require to have Fortify SCA installed on my machine? (I'm running MacOS X). I have been trying to find a place to download Fortify SCA but have not been able find it. I would appreciate it if someone could share some links to point me in the right direction in getting the setup complete. I don't think the Fortify installation is required, but it's pretty hard to get the maven sca plugin without it. If you install

I need to read the properties file kept in user_home folder. PropsFile = System.getProperty("user.home") + System.getProperty("file.separator")+ "x.properties"; Fortify is giving path manipulation error in this line. The number of correct values is large so blacklisting is the only way possible. So to avoid it i changed the code as below. String propsFile = null; StringBuffer sb = new StringBuffer(); String xProperties = "x.properties"; String userHome = System.getProperty("user.home"); // * if(userHome.contains("..\\")) userHome = userHome.replace("..\\", ""); if(userHome.contains("../"))

My problem: Fortify 4.2.1 is marking below code as susceptible for XML External Entities attack. TransformerFactory factory = TransformerFactory.newInstance(); StreamSource xslStream = new StreamSource(inputXSL); Transformer transformer = factory.newTransformer(xslStream); Solution I have tried: Setting TransformerFactory feature for XMLConstants.FEATURE_SECURE_PROCESSING to true. Looked into possiblities of providing more such features to TransformerFactory, just like we do for DOM and SAX parsers. e.g. disallowing doctype declaration, etc. But TransformerFactoryImpl doesn't seem to be

I scanned with HP Fortify SCA 4.10 . Now I would like to export the raw results into Excel format to do data massaging to generate pivot tables. Can anybody suggest a easy or hard way to do it. user1836982 Reference this url for the DB script to get the EXCEL format (export DB output to Excel): How to diff Fortify SCA scans Generate a pdf/rtf/xml Report from an existing FPR ~AWB_Installation_Dir/bin/ReportGenerator -format pdf -f outputFile.pdf -source existing.fpr (replace pdf to your target format, excluding excel format) Generate a XML Report in AWB Open Audit Workbench and load your FPR

Is it sufficient to have [ System.Web.Configuration.HttpRuntimeSection.EnableHeaderChecking ]( http://msdn.microsoft.com/en-us/library/system.web.configuration.httpruntimesection.enableheaderchecking(VS.85).aspx) set to true (default) to fully prevent Http Header Injection attacks like Response Splitting etc.? I'm asking because a white box penetration testing tool (fortify) reports exploitable http header injection issues with HttpResponse.Redirect and cookies but I haven't found a way to successfully perform an attack. ( edit :..and we have EnableHeaderChecking turned on..) I've been looking

We did a Fortify scan on our ASP.net application. We found that there many header manipulation issues. All the issues are pointing to Response.Redirect(). Please have a look at the below code where I encoded the parameters. Even then the below code is counted as header manipulation issue. int iCount = 0; foreach (string Name in Request.QueryString.Keys) { iCount++; if (iCount > 1) { url += "&"; } url += Name; if (Request.Params[Name]!=null) { url += "=" + AntiXss.UrlEncode(Request.Params[Name]); } } Response.redirect(Server.UrlPathEncode(page.root) + "\Test.aspx?" + url); Can some body let me