问题
I need to check vulnerabilities (if any) in the third party libraries that are being used in my project using Fortify.
For a few third party libraries, I am not able to access their source files. I only have the shipped .jar files.
Is it possible to run Fortify on .jar files instead ? All I could find in most of the documentations was that Fortify can be run on .java files, something like this:
sourceanalyzer -b MyProject -cp "lib/.jar" "src/*/*.java"
回答1:
You can do one better than LaJmOn's suggestion and actually crack open the jars automatically.
for example:
sourceanalyzer -b apple -source 1.6 -Dcom.fortify.sca.fileextensions.jar=ARCHIVE /System/Library/Frameworks/JavaVM.framework/Home/lib/ext/apple_provider.jar
回答2:
You can force SCA to scan the class files using the following command:
sourceanalyzer -b MyProject -source "1.6" -cp "{source_path}/**/*.jar" -scan -f MyProject.fpr -Dcom.fortify.sca.fileextensions.class=BYTECODE -Dcom.fortify.sca.DefaultFileTypes=class "{source_path}/**/*.class"
If I remember correctly, you need to explode the JAR files containing the class files you want to scan into {source_path}.
The results will be less than spectacular compared to a Java source scan, but you should get some results.
来源:https://stackoverflow.com/questions/16278390/can-i-run-fortify-on-jar-files-instead-of-java