Section Objectives
• In this module, you will gain:
• The ability to use the SCA Command Line to generate clean, valid results

Course overview
Fortify SCA Command Line Interface Interactive

Rationale
Extended Ability in Analyzing Source Code

Fortify SCA Command Line Interface
Getting started
Under the covers
Build integration

What is Fortify SCA?
The core of Fortify SCA is a single executable: sourceanalyzer
Online help
Follow the on-screen suggestion and type sourceanalyzer -h for the compiled-in help information:

    sourceanalyzer -h

Online help
A lot of information. Send the output to a text file:

    sourceanalyzer -h > SCAhelp.txt

The most simple invocation
Step 1: Preparation
Step 2: Invoking Fortify SCA
The most simple invocation
Create a simple Java class that contains a security vulnerability, saved as Exploit.java:

    public class Exploit {
        public static void main( String[] args ) throws Exception {
            Runtime.getRuntime().exec( args[0] );   // the first command-line argument is executed as an OS command
        }
    }
The most simple invocation: Exploit.java
Let's examine the vulnerability
Dataflow vulnerability: information is received from the command line and it's written out to the system output stream.

The most simple invocation

    sourceanalyzer Exploit.java

Interpreting command line results
Our results
Results format
Interpretation walkthrough
Our three results:

    [337DD8E25412C3E5B44CE3AFBA50DFF2 : low : Unchecked Return Value : semantic ]
        Exploit.java(3) : Runtime.exec()
    [A0E37EE40D5DA16DD9B96EC3A5A2DCE6 : high : Command Injection : dataflow ]
        Exploit.java(3) : ->Runtime.exec(0)
        Exploit.java(2) : ->Exploit.main(0)
    [0228A5C2FD841D36BA4F9B1DCACE80F3 : low : J2EE Bad Practices : Leftover Debug Code : structural ]
        Exploit.java(2)

Format

    [ Instance-ID : criticality : category : analyzer ]
    analysis trace
Instance ID
Unique identifier for this finding at this location in your code. If the code base changes a bit, the instance ID will follow this point in the code (even if the line numbers change).

Criticality
High, medium or low, based on a default severity from the matched rule and a multiplier based on SCA's confidence, from the context, that the finding is correct.

Category
A vulnerability type from the Fortify taxonomy of security vulnerabilities:
http://www.fortify.com/vulncat
http://www.fortify.com/vulncat/en/vulncat

Analyzer
The name of the Fortify SCA analyzer that detected this issue.

Analysis trace
This differs a little depending on which analyzer discovered the issue. It describes the vulnerability pattern detected, in the context of the source code.
Basic interpretation

    [0228A5C2FD841D36BA4F9B1DCACE80F3 : low : J2EE Bad Practices : Leftover Debug Code : structural ]
        Exploit.java(2)

Fortify SCA has provided this result on the assumption that the Java source is within a J2EE / web context. In a web context, use of the method main() is a bad practice. This is an incorrect finding, since our command line utility is not actually part of a web application.

Basic interpretation

    [A0E37EE40D5DA16DD9B96EC3A5A2DCE6 : high : Command Injection : dataflow ]
        Exploit.java(3) : ->Runtime.exec(0)
        Exploit.java(2) : ->Exploit.main(0)

This is a critical security finding. Data is received from the command line parameters, and that data is pushed to a sink (the system executive on the host operating system) without being validated first.

Basic interpretation

    [337DD8E25412C3E5B44CE3AFBA50DFF2 : low : Unchecked Return Value : semantic ]
        Exploit.java(3) : Runtime.exec()

This is a code quality finding. The exec() method returns a result code, but the program never captures this value. This makes it impossible for this program's exception handling to be complete.

Basic interpretation: done for now
Enough thinking about the sample code… let's learn how to use the command line utility!
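The walkthrough above is exactly what a reviewer does by hand on every line of terminal output. The following is an added example (not Fortify's code or part of the original slides) that parses the header/trace format described above and applies the one triage decision the slides make: the J2EE Bad Practices finding does not apply to a command-line program, so it is dropped when the code is not a web application. The sample output is constructed from the three results shown for Exploit.java.

```python
"""Parse and triage the text output that sourceanalyzer prints to the terminal.

Each finding is a header "[ Instance-ID : criticality : category : analyzer ]"
followed by its analysis trace, either on the same line or on the lines below.
"""
import re
from dataclasses import dataclass, field

# The category may itself contain " : " (e.g. "J2EE Bad Practices : Leftover
# Debug Code"), so it is matched lazily and anchored by the single-word
# analyzer name that precedes the closing "]".
HEADER = re.compile(
    r"^\[\s*([0-9A-F]{32})\s*:\s*(\w+)\s*:\s*(.+?)\s*:\s*(\w+)\s*\]\s*(.*)$")
RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

@dataclass
class Finding:
    instance_id: str
    criticality: str
    category: str
    analyzer: str
    trace: list = field(default_factory=list)

def parse_results(text):
    """Group header and trace lines into Finding objects, in output order."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            findings.append(Finding(m[1], m[2].lower(), m[3], m[4].lower()))
            if m[5]:                      # trace fragment on the header line
                findings[-1].trace.append(m[5])
        elif findings:                    # continuation of the current trace
            findings[-1].trace.append(line)
    return findings

def triage(findings, web_context):
    """Drop findings that only apply to a J2EE/web deployment when the code is a
    plain command-line program, then order what remains by criticality."""
    kept = [f for f in findings
            if web_context or not f.category.startswith("J2EE Bad Practices")]
    return sorted(kept, key=lambda f: RANK.get(f.criticality, len(RANK)))

# Constructed sample: the three results the slides show for Exploit.java.
SAMPLE = """
[337DD8E25412C3E5B44CE3AFBA50DFF2 : low : Unchecked Return Value : semantic ]
    Exploit.java(3) : Runtime.exec()
[A0E37EE40D5DA16DD9B96EC3A5A2DCE6 : high : Command Injection : dataflow ]
    Exploit.java(3) : ->Runtime.exec(0)
    Exploit.java(2) : ->Exploit.main(0)
[0228A5C2FD841D36BA4F9B1DCACE80F3 : low : J2EE Bad Practices : Leftover Debug Code : structural ]
    Exploit.java(2)
"""

if __name__ == "__main__":
    for f in triage(parse_results(SAMPLE), web_context=False):
        print(f"{f.criticality:<6} {f.category:<24} {f.analyzer:<10} {' <- '.join(f.trace)}")
```

Running the block lists the Command Injection finding first and the Unchecked Return Value second; the J2EE finding is filtered out because web_context is False.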
Preview
SCA invocation forms preview:
1. sourceanalyzer <source file>
2. sourceanalyzer -help
3. sourceanalyzer -version

Fortify SCA Command Line Interface
Getting started
Under the covers
Build integration

Under the covers
What happened when we invoked sourceanalyzer <source file>?
Translate: Fortify SCA read the source files and translated their logic into a language-agnostic format called NST (normalized syntax tree).
Analysis: Fortify SCA loaded the NST model into memory and evaluated the model's patterns against a set of pattern definitions in the Fortify rules.
Render: Fortify SCA rounded up the identified vulnerabilities and placed them into an output format, in our case the text output to the terminal.

Fortify SCA process flow summary
The typical result format is "FPR", which we will learn about soon.
Translation
Specifying the build ID
Usually, translation is complicated enough that it is performed as a separate step. To do so, specify a Fortify SCA build ID with the -b argument. Try it now:

    sourceanalyzer -b exploit Exploit.java

Translation output: puzzler
You'll notice there is no output to the terminal this time. Why? Refer to the previous few slides to support your supposition.

Translation output: solution
When the build ID is specified with the -b parameter, only a translation is performed. In the next step we'll see what that means.

Build model maintenance
List the files built into the model:

    sourceanalyzer -b exploit -show-files

Build model maintenance
Review actionable translation errors:

    sourceanalyzer -b exploit -show-build-warnings

Build model maintenance
Remove the build model:

    sourceanalyzer -b exploit -clean

System wide maintenance
List all build models:

    sourceanalyzer -show-build-ids

System wide maintenance
Remove all build models:

    sourceanalyzer -clean

Hands on
Delete the build model we created. Using the up arrow key, consult your command history to repeat the commands needed to re-create the "exploit" build ID. Check that the "exploit" build ID has no build warnings reported.
Under the covers
NST Location
The location is different depending on your operating system:
Microsoft Windows: C:\Documents and Settings\<user name>\Local Settings\Application Data\Fortify\
Unix: ~/.fortify/

Under the covers - Windows
Inside the Fortify directory, you will find an SCA directory with the version number. Inside that you will find the Fortify SCA build directory.

Under the covers - Unix
In Unix

Under the covers
What's interesting about the build directory?
In the build directory is a directory exploit for our exploit build ID. The directory name is the name of the build ID.
Inside the exploit directory is a full path replication to the source files. For each translated source file, you see an .nst file.
The entire Fortify directory is private to one logged-in user.
You can take a moment to look at the NST file in a text editor. It contains an extract of the logic from our Java file.
Review
Invocation review:
Simple:
    sourceanalyzer <source file(s)>
Translation:
    sourceanalyzer -b buildID <source file(s)>
Maintenance and query operators:
    sourceanalyzer -show-build-ids
    sourceanalyzer -clean
    sourceanalyzer -b <id> -show-files
    sourceanalyzer -b <id> -show-build-warnings
    sourceanalyzer -b <id> -clean

Scanning a build ID
Scanning a built model:

    sourceanalyzer -b exploit -scan
Output format
• For any project more complicated than our Exploit file, the terminal output is no longer a useful format for reviewing Fortify SCA output.
• The solution is to always specify an FPR (Fortify Project Result) file whenever you specify the -scan parameter.

    sourceanalyzer -b exploit -scan -f exploit.fpr

Output format
Note: Other output formats are supported by Fortify SCA. However, the only output format you will ever find useful is the FPR format. You may review the other output formats in the Fortify SCA Users' Guide:

Compound translation
For many projects you will be specifying more than one source pattern, and often more than one source language. For example:

    sourceanalyzer -b blah *.java
    sourceanalyzer -b blah "**/*.properties"

The second command adds the properties files to the translated build model. The pattern is quoted so that sourceanalyzer, not the shell, expands it.
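The translate, check-warnings and scan steps from the preceding slides are one sequence that is easy to get wrong when typed by hand (scanning a model whose translation produced warnings silently misses findings in the files that failed to translate). The following is an added example, not Fortify's code or part of the original slides, that drives that sequence with Python's subprocess module; the runner is injectable so the command order can be checked without sourceanalyzer installed. It assumes that -show-build-warnings prints nothing when the model has no warnings; anything it prints is treated as actionable.

```python
"""Drive the translate -> check warnings -> scan -> FPR sequence for one build ID."""
import subprocess

def _run(argv):
    """Default runner: execute the command and return (exit code, stdout)."""
    p = subprocess.run(argv, capture_output=True, text=True)
    return p.returncode, p.stdout

def scan_project(build_id, sources, fpr, runner=_run, sca="sourceanalyzer"):
    """Translate each source pattern into one build ID, refuse to scan if the
    model reports translation warnings, then write the FPR.
    Returns the argv lists that were executed, in order, for logging/auditing."""
    steps = [[sca, "-b", build_id, "-clean"]]          # start from an empty model
    # Patterns such as "**/*.properties" are passed through unexpanded: with an
    # argv list there is no shell, so sourceanalyzer does the globbing itself.
    steps += [[sca, "-b", build_id, pattern] for pattern in sources]
    steps.append([sca, "-b", build_id, "-show-build-warnings"])
    executed = []
    for argv in steps:
        executed.append(argv)
        rc, out = runner(argv)
        if rc != 0:
            raise RuntimeError(f"{' '.join(argv)} failed with exit code {rc}")
        if argv[-1] == "-show-build-warnings" and out.strip():
            # Assumption: any output here means some files did not translate,
            # so a scan now would be incomplete. Fix the warnings first.
            raise RuntimeError(f"translation warnings for build {build_id}:\n{out}")
    scan = [sca, "-b", build_id, "-scan", "-f", fpr]   # results go to the FPR, not the terminal
    executed.append(scan)
    rc, _ = runner(scan)
    if rc != 0:
        raise RuntimeError(f"scan of {build_id} failed with exit code {rc}")
    return executed

if __name__ == "__main__":
    # Mirrors the compound translation example: Java sources plus properties files.
    for argv in scan_project("exploit", ["*.java", "**/*.properties"], "exploit.fpr"):
        print(" ".join(argv))
```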