views:

707

answers:

2

Hey everyone! First off, any help is much appreciated!

I am trying to use Fortify Source Code Analyzer for a research project at my school to test the security of open source Java web applications. I am currently working on Apache Lenya. I am working with the last stable release (Lenya v2.0.2).

Inside the root directory there is a file named build.sh. This file is called to build Lenya using the version of Ant that ships with the release (in the 'tools/bin' folder). I can build Lenya just fine when I run ./build.sh. So, it would be assumed that running the following command in Fortify would work:

sourceanalyzer -b lenya -Xmx1200M touchless ./build.sh

However, when I try to run:

sourceanalyzer -b lenya -Xmx1200M -scan -f lenya.fpr

I get a "build id Lenya not found."

I looked at the build.sh file and noticed that it was just resetting the current ant home, classpath, and ant options variables, running the ant build command, and resetting the values back to their defaults. So, instead of running the script, I reset all of the variables manually (without the script) and ran:

sourceanalyzer -b lenya -Xmx1200M touchless tools/bin/ant -logger org.apache.tools.ant.NoBannerLogger

Then I ran:

sourceanalyzer -b lenya -Xmx1200M -scan -f lenya.fpr

but I got the same error. I'm not sure if this is because I am doing something wrong or if it is something that Fortify is not doing correctly. Any insight is great.

Thanks! John

+2  A: 

I'm not sure whether you have access to the Fortify documentation, but that will definitely help. You should refer to the SCA User's Guide to understand how to use the sourceanalyzer executable.

To cut things short, there are two ways of getting the FPR file:

  1. (The long way) Write a script to translate and analyse the source code by providing the path of the source code and the classpath to the sourceanalyzer executable.
  2. (The short way) Use the SCACompiler instead of javac as the compiler. You'll need to modify the build script for this.

I prefer the former due to its customizability when handling large code bases.

PS: Which version of Fortify is this?

Vineet Reynolds
+1  A: 

Don't use the touchless command, that is for C/C++ integration. Since Lenya is written in Java, you're better off with other commands. Try this for your first translation step (run from your base lenya dir):

sourceanalyzer -b lenya -Xmx1200M -source 1.5 -cp "**/*.jar" "**/*"
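An added example, not code from either answer or from Fortify's own documentation: a small POSIX shell wrapper for the "long way" the first answer describes (translate, then scan, as a script), using the Java translation command from the second answer. It assumes sourceanalyzer is on PATH (override with SCA=/path/to/sourceanalyzer) and uses the -clean and -show-files options to reset a build id and to list what was translated; the -show-files check is what tells you, before scanning, whether the translation step actually recorded anything under the build id.

```shell
#!/bin/sh
# Translate-then-scan wrapper for a Java tree with Fortify SCA.
# Hypothetical helper written for this thread, not Fortify's own script.
set -eu

SCA=${SCA:-sourceanalyzer}   # path to the sourceanalyzer executable

# Translate every Java source and jar under $2 into build id $1.
# Mirrors the second answer's command: no 'touchless' for Java.
# The "**" globs are SCA's own syntax, so they stay quoted from the shell.
sca_translate() {
  build_id=$1; src_root=$2; java_level=${3:-1.5}
  "$SCA" -b "$build_id" -clean            # drop stale intermediate files first
  "$SCA" -b "$build_id" -Xmx1200M -source "$java_level" \
    -cp "$src_root/**/*.jar" "$src_root/**/*"
}

# Count how many files SCA has recorded for a build id. 0 means the
# translation step did not populate it, which is what the asker saw
# as "build id not found" at scan time.
sca_file_count() {
  "$SCA" -b "$1" -show-files | grep -c . || true
}

# Run the analysis phase only when the build id is populated.
sca_scan() {
  build_id=$1; fpr=$2
  if [ "$(sca_file_count "$build_id")" -eq 0 ]; then
    echo "build id '$build_id' has no translated files; run sca_translate first" >&2
    return 1
  fi
  "$SCA" -b "$build_id" -Xmx1200M -scan -f "$fpr"
}

# usage: ./sca_lenya.sh lenya /path/to/lenya-2.0.2
if [ $# -ge 2 ]; then
  sca_translate "$1" "$2" && sca_scan "$1" "$1.fpr"
fi
```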