
Fortify SCA Command Line Interface:


Presentation Transcript


  1. Fortify SCA Command Line Interface:

  2. Section Objectives • In this module, you will gain: • The ability to use the SCA Command Line to generate clean, valid results

  3. Course overview: Fortify SCA Command Line Interface (Interactive)

  4. Rationale: extended ability in analyzing source code

  5. Fortify SCA Command Line Interface: Getting started; Under the covers; Build integration

  6. What is Fortify SCA? The core of Fortify SCA is a single executable: sourceanalyzer

  7. What is Fortify SCA? (Windows)

  8. What is Fortify SCA? (Unix)

  9. Online help: Follow the on-screen suggestion and type sourceanalyzer -h for the compiled-in help text: sourceanalyzer -h

  10. Online help (Windows output)

  11. Online help (Unix output)

  12. Online help: That is a lot of information. Redirect it to a text file: sourceanalyzer -h > SCAhelp.txt

  13. The most simple invocation: step 1, preparation; step 2, invoking Fortify SCA

  14. The most simple invocation: Create a simple Java class that contains a security vulnerability. Exploit.java:

      public class Exploit {
          public static void main( String[] args ) throws Exception {
              Runtime.getRuntime().exec( args[0] );
          }
      }

  15. The most simple invocation: Exploit.java. Let's examine the vulnerability. It is a dataflow vulnerability: a string is received from the command line (args[0]) and passed, unchanged, to Runtime.exec(), which hands it to the host operating system to run as a command.

  16. The most simple invocation: sourceanalyzer Exploit.java

  17. Interpreting command line results: our results; results format; interpretation walkthrough

  18. Our three results:

      [337DD8E25412C3E5B44CE3AFBA50DFF2 : low : Unchecked Return Value : semantic ]
      Exploit.java(3) : Runtime.exec()

      [A0E37EE40D5DA16DD9B96EC3A5A2DCE6 : high : Command Injection : dataflow ]
      Exploit.java(3) : ->Runtime.exec(0)
      Exploit.java(2) : ->Exploit.main(0)

      [0228A5C2FD841D36BA4F9B1DCACE80F3 : low : J2EE Bad Practices : Leftover Debug Code : structural ]
      Exploit.java(2)

  19. Format: [ Instance-ID : criticality : category : analyzer ] analysis trace

  20. Instance ID: A unique identifier for this finding at this location in your code. It is derived from the finding's context rather than its line number, so if the code base changes a little the instance ID follows the same point in the code even when the line numbers shift. This is what lets you compare two scans and pick out the findings that are genuinely new.

  21. Criticality: High, medium or low. It combines the default severity attached to the matched rule with a multiplier that reflects SCA's confidence, from the surrounding context, that the finding is correct.

  22. Category: A vulnerability type from the Fortify taxonomy of security vulnerabilities: http://www.fortify.com/vulncat and http://www.fortify.com/vulncat/en/vulncat

  23. Analyzer: The name of the Fortify SCA analyzer that detected this issue (semantic, dataflow and structural appear in our results).

  24. Analysis trace: Its shape depends on which analyzer discovered the issue. It describes the vulnerability pattern detected in the context of the source code; for a dataflow finding it is the path from the point where the data enters to the sink where it is consumed, one step per line.

  25. Basic interpretation:

      [0228A5C2FD841D36BA4F9B1DCACE80F3 : low : J2EE Bad Practices : Leftover Debug Code : structural ]
      Exploit.java(2)

      Fortify SCA has reported this on the assumption that the Java source is part of a J2EE / web application, where a main() method is a bad practice (it is usually leftover debugging or test code). Here the finding is a false positive: our command line utility is not part of a web application, and main() is its intended entry point.

  26. Basic interpretation:

      [A0E37EE40D5DA16DD9B96EC3A5A2DCE6 : high : Command Injection : dataflow ]
      Exploit.java(3) : ->Runtime.exec(0)
      Exploit.java(2) : ->Exploit.main(0)

      This is a critical security finding. Data is received from the command line parameters (the source, Exploit.main) and pushed, without any validation, to a sink that executes it: Runtime.exec(), the system executive on the host operating system. Note that input validation alone is rarely an adequate fix for command injection; the robust remedy is not to hand attacker-controlled strings to the command interpreter at all, for example by mapping the argument onto a fixed allow list of commands.

  27. Basic interpretation:

      [337DD8E25412C3E5B44CE3AFBA50DFF2 : low : Unchecked Return Value : semantic ]
      Exploit.java(3) : Runtime.exec()

      This is a code quality finding. Runtime.exec() returns a Process object for the child it started, and the program discards it, so it can never check the child's exit status (Process.waitFor()) or read its output and error streams. Without that value the program's error handling can never be complete.
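The result format walked through on slides 18 to 27 is easy to parse mechanically, which is what you want once the output runs to hundreds of findings or a build has to be failed on a high finding. The following Python script is an added example, not code from these slides or from Fortify. It parses terminal output in the slide 19 format into records, groups each header with the trace lines that follow it, filters by criticality, and uses the instance ID to separate new findings from ones seen in an earlier run. The sample input is the three findings from slide 18, one trace step per line; everything else (the function names, the fail-closed treatment of an unknown criticality string) is the example's own choice.

```python
"""Parse Fortify SCA command-line results into structured findings.

Added example; not code from the slides or from Fortify. It assumes only the
result format shown on slide 19:

    [ Instance-ID : criticality : category : analyzer ] analysis trace

with each further trace step on its own line until the next '[' header.
"""
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Set

# Criticality levels named on slide 21, lowest to highest.
RANK = {"low": 1, "medium": 2, "high": 3}

# Header line: everything up to the first ']' holds the bracketed fields;
# anything after it is the first step of the analysis trace.
HEADER = re.compile(r"^\[(?P<fields>[^\]]*)\]\s*(?P<rest>.*)$")


@dataclass
class Finding:
    instance_id: str
    criticality: str
    category: str
    analyzer: str
    trace: List[str] = field(default_factory=list)


def parse_header(line: str) -> Finding:
    """Split one header line into its four bracketed fields.

    The category itself may contain ' : ' (slide 25 has
    'J2EE Bad Practices : Leftover Debug Code'), so the instance ID is the
    first field, the criticality the second, the analyzer the last, and
    everything in between is the category.
    """
    m = HEADER.match(line)
    if not m:
        raise ValueError(f"not an SCA result header: {line!r}")
    parts = [p.strip() for p in m.group("fields").split(":")]
    if len(parts) < 4:
        raise ValueError(f"expected at least four fields: {line!r}")
    f = Finding(parts[0], parts[1].lower(), " : ".join(parts[2:-1]), parts[-1])
    if m.group("rest"):
        f.trace.append(m.group("rest"))
    return f


def parse_sca_output(text: str) -> List[Finding]:
    """Group header lines with the trace lines that follow them."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):
            findings.append(parse_header(line))
        elif findings:
            findings[-1].trace.append(line)
        # Text before the first header (banners, progress output) is ignored.
    return findings


def blocking_findings(findings: Iterable[Finding], threshold: str = "high") -> List[Finding]:
    """Findings at or above the threshold. An unknown criticality string is
    treated as blocking so a new level (or a parse slip) fails closed."""
    need = RANK[threshold.lower()]
    return [f for f in findings if RANK.get(f.criticality, need) >= need]


def new_findings(findings: Iterable[Finding], baseline_ids: Set[str]) -> List[Finding]:
    """Findings whose instance ID was not seen in an earlier run. Because the
    ID follows the code location rather than the line number (slide 20), this
    survives unrelated edits elsewhere in the file."""
    return [f for f in findings if f.instance_id not in baseline_ids]


# The three results from slide 18, one trace step per line.
SAMPLE_OUTPUT = """\
[337DD8E25412C3E5B44CE3AFBA50DFF2 : low : Unchecked Return Value : semantic ]
Exploit.java(3) : Runtime.exec()
[A0E37EE40D5DA16DD9B96EC3A5A2DCE6 : high : Command Injection : dataflow ]
Exploit.java(3) : ->Runtime.exec(0)
Exploit.java(2) : ->Exploit.main(0)
[0228A5C2FD841D36BA4F9B1DCACE80F3 : low : J2EE Bad Practices : Leftover Debug Code : structural ]
Exploit.java(2)
"""

if __name__ == "__main__":
    results = parse_sca_output(SAMPLE_OUTPUT)
    for f in results:
        print(f"{f.criticality:6} {f.analyzer:10} {f.category}")
        for step in f.trace:
            print("       ", step)
    print("blocking:", [f.instance_id for f in blocking_findings(results)])
```

Feeding a saved baseline of instance IDs into new_findings() is the simplest way to make a build gate tolerate the known false positive on slide 25 while still stopping on a newly introduced high finding.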

  28. Basic interpretation: done for now. Enough thinking about the sample code; let's learn how to use the command line utility!

  29. Preview of SCA invocation forms: 1. sourceanalyzer <source file> 2. sourceanalyzer -help 3. sourceanalyzer -version

  30. Fortify SCA Command Line Interface: Getting started; Under the covers; Build integration

  31. Under the covers: What happened when we invoked sourceanalyzer <source file>?

      Translate: Fortify SCA read the source files and translated their logic into a language-agnostic format called NST (normalized syntax tree).

      Analysis: Fortify SCA loaded the NST model into memory and evaluated the model's patterns against the set of pattern definitions in the Fortify rules.

      Render: Fortify SCA collected the identified vulnerabilities and placed them into an output format, in our case the text output to the terminal.

  32. Fortify SCA process flow summary: Translate, then Analysis, then Render. The typical result format is FPR, which we will learn about soon.

  33. Translation: Specifying the build ID. Usually, translation is complicated enough that it is performed as a separate step. To do so, specify a Fortify SCA build ID with the -b argument. Try it now: sourceanalyzer -b exploit Exploit.java

  34. Translation output: puzzler. You'll notice there is no output to the terminal this time. Why? Refer to the previous few slides to support your supposition.

  35. Translation output: solution. When a build ID is specified with the -b parameter and nothing else is requested, only the translation step is performed: the NST is written to disk, no analysis runs, and so there are no results to render. In the next step we'll see what that means.

  36. Build model maintenance: List the files built into the model: sourceanalyzer -b exploit -show-files

  37. Build model maintenance: Review actionable translation errors: sourceanalyzer -b exploit -show-build-warnings

  38. Build model maintenance: Remove the build model: sourceanalyzer -b exploit -clean

  39. System wide maintenance: List all build models: sourceanalyzer -show-build-ids

  40. System wide maintenance: Remove all build models: sourceanalyzer -clean

  41. Hands on: Delete the build model we created. Using the up arrow key, consult your command history to repeat the commands needed to re-create the "exploit" build ID. Check that the "exploit" build ID has no build warnings reported.

  42. Under the covers: NST location. The location is different depending on your operating system. Microsoft Windows: C:\Documents and Settings\<user name>\Local Settings\Application Data\Fortify\ Unix: ~/.fortify/

  43. Under the covers - Windows: Inside the Fortify directory you will find an SCA directory carrying the version number. Inside that you will find the Fortify SCA build directory.

  44. Under the covers - Unix

  45. Under the covers: What's interesting about the build directory? In the build directory is a directory named exploit, for our exploit build ID: the directory name is the build ID. Inside the exploit directory is a full replication of the path to each source file, and for each translated source file you see an .nst file. The entire Fortify directory is private to the one logged-in user. Take a moment to look at an NST file in a text editor: it contains an extract of the logic from our Java file. Because of that, treat the directory with the same care as the source itself, especially on shared build hosts.

  46. Review of invocation forms:
      Simple: sourceanalyzer <source file(s)>
      Translation: sourceanalyzer -b buildID <source file(s)>
      Maintenance and query operators:
      sourceanalyzer -show-build-ids
      sourceanalyzer -clean
      sourceanalyzer -b <id> -show-files
      sourceanalyzer -b <id> -show-build-warnings
      sourceanalyzer -b <id> -clean

  47. Scanning a build ID: Scanning a built model: sourceanalyzer -b exploit -scan

  48. Output format • For any project more complicated than our Exploit file, the terminal output is no longer a useful format for reviewing Fortify SCA output. • The solution is to always specify an FPR (Fortify Project Results) file whenever you specify the -scan parameter. • sourceanalyzer -b exploit -scan -f exploit.fpr

  49. Output format: Note: Other output formats are supported by Fortify SCA, but FPR is the format you will use in practice for reviewing results. You may review the other output formats in the Fortify SCA Users' Guide:

  50. Compound translation: For many projects you will be translating more than one kind of source file, and often more than one source language, into the same build ID. For example:

      sourceanalyzer -b blah *.java
      sourceanalyzer -b blah "**/*.properties"

      The second command adds the properties files to the build model that the first command created. The quotes matter: they stop the shell from expanding the pattern, so sourceanalyzer receives it and performs the recursive (**) match itself.
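The clean, translate, check warnings, scan sequence from slides 33 to 50 is what a build integration ends up scripting. The Python driver below is an added example, not code from the slides or from Fortify. It assumes sourceanalyzer is on PATH (overridable through an SCA environment variable that the example introduces), uses only the options the slides show (-b, -clean, -show-build-warnings, -scan, -f), and assumes that -show-build-warnings prints its warnings to standard output. The RecordingRunner dry-run stand-in, the ScanReport structure and the build-ID check are the example's own additions.

```python
"""Translate-then-scan driver for Fortify SCA, covering slides 33 to 50.

Added example; not code from the slides or from Fortify. Assumptions:
  * 'sourceanalyzer' is on PATH (override with the SCA environment variable);
  * only options shown on the slides are used: -b, -clean,
    -show-build-warnings, -scan, -f;
  * -show-build-warnings writes any warnings to standard output.
"""
import os
import re
import subprocess
from dataclasses import dataclass, field
from typing import Callable, List, Sequence

SCA = os.environ.get("SCA", "sourceanalyzer")  # assumed to be on PATH

# The build ID becomes a directory name under the Fortify build directory
# (slide 45), so refuse anything that could escape it. This restriction is
# the example's own choice, not a rule enforced by sourceanalyzer.
BUILD_ID_OK = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")


@dataclass
class ScanReport:
    commands: List[List[str]] = field(default_factory=list)
    build_warnings: List[str] = field(default_factory=list)
    fpr: str = ""


class RecordingRunner:
    """Dry-run stand-in for subprocess.run: records each command and returns
    canned output instead of invoking sourceanalyzer."""

    def __init__(self, build_warnings: Sequence[str] = ()):
        self.calls: List[List[str]] = []
        self.build_warnings = list(build_warnings)

    def __call__(self, cmd: List[str]) -> subprocess.CompletedProcess:
        self.calls.append(cmd)
        out = "\n".join(self.build_warnings) if "-show-build-warnings" in cmd else ""
        return subprocess.CompletedProcess(cmd, 0, stdout=out, stderr="")


def live_runner(cmd: List[str]) -> subprocess.CompletedProcess:
    # Argument list, never a shell string: a pattern such as "**/*.java" reaches
    # sourceanalyzer unexpanded, which is what the quotes on slide 50 achieve.
    return subprocess.run(cmd, capture_output=True, text=True, check=False)


def sca_scan(build_id: str, file_sets: Sequence[Sequence[str]], fpr: str,
             runner: Callable[[List[str]], subprocess.CompletedProcess] = live_runner,
             ) -> ScanReport:
    """Run the full sequence for one build ID and return what happened."""
    if not BUILD_ID_OK.fullmatch(build_id):
        raise ValueError(f"unsafe build ID: {build_id!r}")
    report = ScanReport(fpr=fpr)

    def run(*args: str) -> subprocess.CompletedProcess:
        cmd = [SCA, *args]
        report.commands.append(cmd)
        result = runner(cmd)
        if result.returncode != 0:
            raise RuntimeError(f"{' '.join(cmd)} failed ({result.returncode}): {result.stderr}")
        return result

    # 1. Start from an empty model so NST files from an earlier run cannot
    #    leak into this scan (slide 38).
    run("-b", build_id, "-clean")
    # 2. Translate every file set into the same build ID (slides 33 and 50).
    for files in file_sets:
        run("-b", build_id, *files)
    # 3. Surface translation warnings before spending time on analysis
    #    (slide 37); the caller decides whether they are blocking.
    out = run("-b", build_id, "-show-build-warnings").stdout
    report.build_warnings = [line for line in out.splitlines() if line.strip()]
    # 4. Analyse the model and write an FPR rather than terminal text (slide 48).
    run("-b", build_id, "-scan", "-f", fpr)
    return report


if __name__ == "__main__":
    # Dry run against the recorder; drop runner=... to invoke the real tool.
    rec = RecordingRunner()
    rep = sca_scan("exploit", [["Exploit.java"], ["**/*.properties"]], "exploit.fpr", runner=rec)
    for cmd in rep.commands:
        print(" ".join(cmd))
```

Because the tool is invoked with an argument list rather than through a shell, the caller never has to think about quoting: every file set is passed to sourceanalyzer exactly as written. The warnings are returned rather than acted on so that a pipeline can print them, or fail on them, according to its own policy.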
