3. Fortify SCA 扫描指南.ppt (Fortify SCA Scan Guide; 57 slides, of which only the opening pages are previewed below)

Document summary
Fortify Source Code Analysis Suite scan guide
上海码德信息技术有限公司 (Shanghai Made Information Technology Co., Ltd.)
Presenter: 陈安明

Topics
- Fortify SCA components
- The Fortify SCA source code analysis process
- The SCA scan command explained
- Translating source code with SCA
- SCA project scanning labs

Fortify SCA components

Source code analysis process
Phase 1: translation, in which the source code is converted to SCA's internal format.
Phase 2: analysis, in which the analysis engine scans the translated code.
  sourceanalyzer -b <build_id> -clean
  sourceanalyzer -b <build_id> <build command or source files>
  sourceanalyzer -b <build_id> -scan -f results.fpr

The SCA scan command explained
To list the scan command and its options:
  sourceanalyzer -h

Translating source code with SCA
- Translating Java code: Java command-line syntax, Java command-line examples, translating J2EE applications, using FindBugs
- Translating .NET source code: .NET versions 1.1 and 2.0, Visual Studio .NET 2003, Visual Studio .NET 2005
- Translating C/C++ code
- Translating PL/SQL and T-SQL
- Translating ColdFusion code

Translating Java code: Java command-line syntax
  sourceanalyzer -b <build_id> -cp <classpath> <files>
  sourceanalyzer -b <build_id> javac <javac options> <files>

Java command-line examples
To translate a single file named MyServlet.java with j2ee.jar on the classpath, enter:
  sourceanalyzer -b MyServlet -cp lib/j2ee.jar MyServlet.java
To translate all .java files in the src directory using all jar files in the lib directory as the classpath:
  sourceanalyzer -b MyProject -cp "lib/*.jar" "src/**/*.java"
To translate the MyCode.java file while running the javac compiler:
  sourceanalyzer -b mybuild javac -classpath libs.jar MyCode.java

Using the Compiler Adapter
Fortify SCA provides an Ant compiler adapter that integrates Java translation with the Ant javac task, so Java files can be translated directly from the command line through the project's build.xml. To use it, the following must be set up:
- The sourceanalyzer executable must be on the system PATH.
- sourceanalyzer.jar (located in Core/lib) must be on Ant's classpath.
- The build.compiler property must be set to com.fortify.dev.ant.SCACompiler.
- The sourceanalyzer.buildid property must be set to the build ID.
  ant -Dbuild.compiler=com.fortify.dev.ant.SCACompiler -Dsourceanalyzer.buildid=mybuildid -lib Core/lib/sourceanalyzer.jar

Translating J2EE applications
Translating a J2EE application involves analyzing the Java source files, the J2EE components such as JSP files, the deployment descriptor (web.xml) and configuration files such as struts-config.xml.
1. Translate the Java files (command line or Ant compiler adapter).
2. Translate the JSP files (refer to the sample below).
3. Process the configuration files. An example is:
  sourceanalyzer -b my_buildid mydirectory/myfile.xml

Translating JSP files
The JSP files come from a Web Application Archive (WAR) layout or a deployment directory. Make sure the tag libraries (for example JSTL) are in the WEB-INF/lib directory; SCA uses the JSP compiler of the target application server. J2EE options:
- -appserver: supported values weblogic, websphere
- -appserver-home: for WebLogic, the path to the directory containing the server/lib directory; for WebSphere, the path to the directory containing the bin/JspBatchCompiler script
- -appserver-version: supported values WebLogic versions 7 and 8, WebSphere version 6
  sourceanalyzer -b my_buildid -cp "WEB-INF/lib/*.jar" "WEB-INF/**/*.jsp"

Translating a J2EE application in one pass
Put all of the project's files and libraries under one directory and run:
  sourceanalyzer -Xmx600M -b SCA_setvontraining -encoding UTF-8 -cp "**/*.jar" "**/*.java"
  sourceanalyzer -Xmx600M -b SCA_setvontraining -scan -f seTVtrainning.fvdl

Using FindBugs
FindBugs is a static analysis tool that detects quality problems in Java code. FindBugs and SCA can be run together to find both code quality problems and security problems. Scan the sample with FindBugs and Fortify SCA as follows:
  sourceanalyzer -b findbugs_sample -java-build-dir build Warning.java
  sourceanalyzer -b findbugs_sample -filter filter.txt -scan -findbugs -f findbugs_sample.fpr

Translating .NET source code
.NET versions 1.1 and 2.0; Visual Studio .NET 2003; Visual Studio .NET 2005.
Visual Studio .NET command line: configure the Fortify plug-in for VS2003/VS2005, set the VS startup options, and translate with the VS solution file:
  sourceanalyzer -b my_buildid -c devenv /REBUILD MyProject.sln
  sourceanalyzer -b my_buildid -scan -f results.fpr

Translating .NET applications with the Fortify Visual Studio plug-in
Configure the environment (analyzers and rules, memory usage), then press the Fortify button to analyze the project.

Translating simple .NET applications
Method 1: click the Fortify button in VS; the project is analyzed directly.
Method 2: use the Windows command line.
1. Open Sample1\Sample1.sln in Microsoft Visual Studio .NET.
2. Do Build > Build Solution.
3. This produces the executable Sample1\Sample1.exe.
4. Start a command prompt window, cd to the Sample1 directory and run:
  sourceanalyzer -Xmx800M -vsversion 8.0 Sample1.exe -debug -logfile scan.log -scan -f vs2005way1.fvdl
To scan a Visual Studio .NET 2003 project:
  sourceanalyzer -vsversion 7.1 Sample1.exe -Xmx800M -debug -logfile scan.log -scan -f vs2003way1.fvdl
Method 3: use the Visual Studio 2005/2003 command-line interface.
1. Start a Visual Studio 2005/2003 command prompt.
2. Go to the directory VS2005\Sample1 and run the following commands:
  sourceanalyzer -b sampleID -c devenv Sample1.sln /rebuild debug
  sourceanalyzer -Xmx800M -b sampleID -scan -f vs2005plugcommandway2.fvdl

Translating ASP.NET 1.1 (Visual Studio 2003) projects
With the Fortify SCA plug-in for VS2003, press the Fortify button and the analysis runs automatically. For the command line, refer to "Translating ASP.NET 1.1 (Visual Studio Version 2003) Projects" in the SCA Guide PDF.

Translating C/C++ code
C/C++ command-line syntax, C/C++ command-line examples, integrating with Make.

C/C++ command-line syntax
  sourceanalyzer -b <build_id> -c <compiler> <compiler options>
<compiler> is the name of the compiler you want to use during the project build/scan, such as gcc or cl; <compiler options> are the options passed to the compiler that are typically used to compile the file.

C/C++ command-line examples
To translate a file named helloworld.c using the gcc compiler, enter:
  sourceanalyzer -b my_buildid gcc helloworld.c

Integrating with Make
Using the Fortify Touchless Build Adapter:
  sourceanalyzer -b <build_id> make
Modifying a Makefile to invoke Fortify SCA: replace any calls to the compiler, archiver or linker in the makefile with calls to Fortify SCA. These tools are typically specified in special variables in the makefile, as in the following example:
  CC = gcc
  CXX = g++
  AR = ar
The step can be as simple as prepending these tool references in the makefile with Fortify SCA and the appropriate options:
  CC = sourceanalyzer -b mybuild -c gcc
  CXX = sourceanalyzer -b mybuild -c g++
  AR = sourceanalyzer -b mybuild -c ar
Visual Studio 6.0:
  sourceanalyzer -b my_buildid msdev /BUILD MyProject.dsp

Translating PL/SQL
PL/SQL command-line syntax. Enter the following to perform translation of PL/SQL source code:
  sourceanalyzer -b <build_id> <files>
where <build_id> specifies the build ID for the project and <files> specifies the PL/SQL source code files.
PL/SQL command-line examples. The following example demonstrates the syntax for translating two PL/SQL files:
  sourceanalyzer -b MyProject x.pks y.pks
The following example demonstrates how to translate all PL/SQL files under the sources directory:
  sourceanalyzer -b MyProject "sources/**/*.pks"
Note: by default, .sql files are assumed to be T-SQL rather than PL/SQL on Windows platforms. If you are using Windows and have PL/SQL files with the .sql extension, configure sourceanalyzer to treat them as PL/SQL. To change the default behavior, set the com.fortify.sca.fileextensions.sql property in fortify-sca.properties to TSQL or PLSQL.

Translating T-SQL
T-SQL command-line syntax. Enter the following to perform translation of T-SQL source code:
  sourceanalyzer -b <build_id> <files>
where <build_id> specifies the build ID for the project and <files> specifies the T-SQL source code files.
T-SQL command-line examples. The following example demonstrates the syntax for translating two T-SQL files:
  sourceanalyzer -b MyProject x.sql y.sql
The following example demonstrates how to translate all T-SQL files under the sources directory:
  sourceanalyzer -b MyProject "sources/**/*.sql"

Translating ColdFusion code
ColdFusion command-line syntax. Enter the following to perform translation of ColdFusion source code:
  sourceanalyzer -b <build_id> -source-base-dir <dir> <files>
where <build_id> specifies the build ID for the project, <dir> specifies the root directory of the web application, and <files> specifies the CFML source code files.
Note: Fortify SCA calculates the relative path to each CFML source file by using the -source-base-dir directory as the starting point, then uses these relative paths when generating instance IDs. If the entire application source tree is moved to a different directory, the instance IDs generated by a security analysis should remain the same, provided you specify an appropriate value for -source-base-dir.
ColdFusion command-line examples. The following example demonstrates the syntax for translating two CFML files:
  sourceanalyzer -b MyProject -source-base-dir <dir> Page1.cfm Page2.cfm
The following example demonstrates how to translate all CFML files under the C:\MySite directory:
  sourceanalyzer -b MySite -source-base-dir C:\MySite "C:\MySite\**\*.cfm"

VC6.0 lab: using VC6.0 .dsp/.dsw files
Import the project into the VC6.0 development environment and make sure all of its files compile and build; then exit VC6.0. From the Windows command line, go to the directory containing projectname.dsw/.dsp and run:
1. sourceanalyzer -b BuildID -c msdev projectname.dsp /MAKE /CLEAN
2. sourceanalyzer -b BuildID -c msdev projectname.dsp /MAKE /REBUILD
3. sourceanalyzer -b BuildID -scan -f projectname.fvdl
4. Open the .fvdl file in Fortify Audit Workbench and audit the software security weaknesses; when the audit is done, save the audit results as a .fpr file.
5. Import the .fpr or .fvdl file into Fortify Manager to view the analysis report and manage the risk.

VC6.0 lab: example
For example, to scan a project using its VC6.0 .dsw/.dsp file, go to the directory containing projectname.dsw/.dsp:
1. sourceanalyzer -b mytest -c msdev mytest.dsp /MAKE /CLEAN
2. sourceanalyzer -b mytest -c msdev mytest.dsp /MAKE /REBUILD
3. sourceanalyzer -b mytest -scan -f mytest.fvdl
This produces mytest.fvdl.

VC6.0 lab: using a VC6.0 makefile to scan the project
Step 1: in the makefile, replace all invocations of cl and link with:
  sourceanalyzer -b cpptest -c cl
  sourceanalyzer -b cpptest -c link
Step 2: on the command line:
  nmake -f cpptest.mak clean
  nmake -f cpptest.mak
Step 3:
  sourceanalyzer -b cpptest -scan -f cpptest.fvdl

Java/J2EE lab: using the Fortify SCA Eclipse plug-in
Install SCASDE_4.1.0.0.0153_ECLIPSE_3_WIN.zip. Import the Java project into the Eclipse environment; make sure the supplied project source is complete and every referenced library is present, ideally so that it compiles and builds in the development environment. Configure the Fortify SCA Eclipse plug-in settings, then press the Fortify scan button to analyze the project. Upload the scan results to Fortify Manager.

Java/J2EE lab: using the Windows command line
Install Fortify SCA Enterprise Edition (SCASEE_4.1.0.0.0153_WIN.zip). Put all of the project's files and libraries under one directory and run:
  sourceanalyzer -Xmx600M -b SCA_setvontraining -encoding UTF-8 -cp "**/*.jar" "**/*.java"
  sourceanalyzer -Xmx600M -b SCA_setvontraining -scan -f seTVtrainning.fvdl

Java/J2EE lab: using Ant
  ant -Dbuild.compiler=com.fortify.dev.ant.SCACompiler -Dsourceanalyzer.buildid=mybuildid -lib Core/lib/sourceanalyzer.jar

.NET lab: using the Fortify SCA plug-in for VS2003/VS2005
Install Fortify SCA.

.NET lab: using the Windows command line
Install Fortify SCA Enterprise Edition (SCASEE_4.1.0.0.0153_WIN.zip) and import the project into VS.

.NET lab: using the Visual Studio 2005/2003 command-line interface
1. Start a Visual Studio 2005/2003 command prompt.
2. Go to the directory VS2005\Sample1 and run the following commands:
  sourceanalyzer -b sampleID -c devenv Sample1.sln /rebuild debug
  sourceanalyzer -Xmx800M -b sampleID -scan -f vs2005plugcommandway2.fvdl

C/C++ project lab (Linux/Unix)
Configure the environment so that the Fortify SCA installation directory is on the current user's PATH:
  export PATH=<fortify install directory>:$PATH
Make sure the project builds normally with the make command.
Integrating with a Makefile: edit the Makefile to invoke the SCA engine during the build process. An easy way to edit a Makefile to invoke the SCA engine is to locate the CC variable and insert the sourceanalyzer command and any options before the actual compiler name. Consider the follo
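The three-phase command-line workflow (clean, translate, scan) from the "Source code analysis process" slide and the three J2EE translation steps, as an added POSIX shell wrapper that is not part of the slide deck. It assumes sourceanalyzer is on PATH; the environment-variable names, the function names and the DRY_RUN switch are my own, and the build ID SCA_setvontraining is reused from the slides. The -appserver options are the ones the JSP slide lists.

```shell
#!/bin/sh
# Added example, not from the slides: wrapper around the three-step
# Fortify SCA command-line workflow shown in the deck:
#   sourceanalyzer -b <id> -clean
#   sourceanalyzer -b <id> <translate options / sources>
#   sourceanalyzer -b <id> -scan -f <results>
# Assumptions: sourceanalyzer is on PATH; Java sources and jars live under
# SRC_DIR laid out as in the "translate a J2EE application in one pass" slide.
# DRY_RUN=1 prints the commands instead of running them, so the argument
# order can be checked on a machine without Fortify installed.

BUILD_ID="${BUILD_ID:-SCA_setvontraining}"   # build id taken from the slides
SRC_DIR="${SRC_DIR:-.}"
HEAP="${HEAP:--Xmx600M}"
ENCODING="${ENCODING:-UTF-8}"
RESULTS="${RESULTS:-${BUILD_ID}.fpr}"        # .fpr opens in Audit Workbench
APPSERVER="${APPSERVER:-}"                   # weblogic | websphere | empty = no JSPs
APPSERVER_HOME="${APPSERVER_HOME:-}"
APPSERVER_VERSION="${APPSERVER_VERSION:-}"
DRY_RUN="${DRY_RUN:-0}"

# The *_cmd functions only compose a command line; run_cmd decides whether
# to execute it. Globs are single-quoted so sourceanalyzer expands them.
sca_clean_cmd() {
    printf 'sourceanalyzer -b %s -clean\n' "$1"
}

sca_translate_java_cmd() {
    # $1 build id, $2 source dir, $3 heap flag, $4 encoding
    printf "sourceanalyzer %s -b %s -encoding %s -cp '%s/**/*.jar' '%s/**/*.java'\n" \
        "$3" "$1" "$4" "$2" "$2"
}

sca_translate_jsp_cmd() {
    # $1 build id, $2 web app root (WAR layout), $3 appserver,
    # $4 appserver home, $5 appserver version
    printf "sourceanalyzer -b %s -appserver %s -appserver-home '%s' -appserver-version %s -cp '%s/WEB-INF/lib/*.jar' '%s/**/*.jsp'\n" \
        "$1" "$3" "$4" "$5" "$2" "$2"
}

sca_scan_cmd() {
    # $1 build id, $2 heap flag, $3 results file
    printf 'sourceanalyzer %s -b %s -scan -f %s\n' "$2" "$1" "$3"
}

run_cmd() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'DRY-RUN: %s\n' "$1"
    else
        # eval keeps the quoted globs intact for sourceanalyzer
        eval "$1" || { printf 'step failed: %s\n' "$1" >&2; return 1; }
    fi
}

run_pipeline() {
    # Always clean first: reusing a build id without -clean mixes stale
    # translations from an earlier run into the new scan.
    run_cmd "$(sca_clean_cmd "$BUILD_ID")" || return 1
    run_cmd "$(sca_translate_java_cmd "$BUILD_ID" "$SRC_DIR" "$HEAP" "$ENCODING")" || return 1
    if [ -n "$APPSERVER" ]; then   # JSP step only when an app server is configured
        run_cmd "$(sca_translate_jsp_cmd "$BUILD_ID" "$SRC_DIR" "$APPSERVER" \
                   "$APPSERVER_HOME" "$APPSERVER_VERSION")" || return 1
    fi
    run_cmd "$(sca_scan_cmd "$BUILD_ID" "$HEAP" "$RESULTS")" || return 1
    # A scan that exits 0 but writes nothing is still a failed scan.
    if [ "$DRY_RUN" != "1" ] && [ ! -s "$RESULTS" ]; then
        printf 'scan produced no results file: %s\n' "$RESULTS" >&2
        return 1
    fi
    return 0
}

# Run only when invoked as a script, so the functions can also be sourced.
case "$0" in *fortify_scan.sh) run_pipeline ;; esac
```

Run it as `DRY_RUN=1 sh fortify_scan.sh` first to inspect the four commands, then without DRY_RUN; a non-zero exit from any step, or an empty results file, fails the run so a CI job cannot silently pass with no scan.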
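The Makefile rewrite described under "Modifying a Makefile to invoke Fortify SCA" (and applied by hand to cl and link in the VC6.0 makefile lab), automated as an added shell example that is not part of the slide deck. The function name, the build-id character check and the sample Makefile are my own; the prefix it inserts is the one the slide shows. The deck's touchless alternative, `sourceanalyzer -b <build_id> make`, needs no edit at all and is preferable when it works.

```shell
#!/bin/sh
# Added example, not from the slides: prepend the Fortify SCA translation
# command to every CC, CXX and AR assignment in a Makefile, turning
#   CC = gcc   into   CC = sourceanalyzer -b mybuild -c gcc
# Assumptions: GNU/BSD make syntax with one tool per assignment line and
# variable names CC/CXX/AR as on the "Integrating with Make" slide.

# Usage: sca_wrap_makefile <makefile> <build_id>
# Edits <makefile> in place after saving a one-time <makefile>.orig copy.
sca_wrap_makefile() {
    mk="$1"; bid="$2"
    # The build id is spliced into a sed replacement, so restrict it to
    # characters that cannot act as sed syntax (#, &, \, newline).
    case "$bid" in
        ''|*[!A-Za-z0-9_.-]*)
            printf 'build id must match [A-Za-z0-9_.-]+: %s\n' "$bid" >&2
            return 1 ;;
    esac
    [ -f "$mk" ] || { printf 'no such makefile: %s\n' "$mk" >&2; return 1; }
    [ -f "$mk.orig" ] || cp "$mk" "$mk.orig" || return 1
    # Matches "CC = gcc", "CC=gcc", "CXX := g++", "AR ?= ar" at line start;
    # CFLAGS/CCFLAGS/ARFLAGS do not match because "=" must follow the name.
    # Lines already containing sourceanalyzer are skipped, so re-running
    # the function is a no-op instead of stacking prefixes.
    sed -E "/sourceanalyzer/!s#^([[:space:]]*(CC|CXX|AR)[[:space:]]*[?+:]?=[[:space:]]*)#\1sourceanalyzer -b ${bid} -c #" \
        "$mk" > "$mk.tmp" && mv "$mk.tmp" "$mk"
}

# Number of tool assignments that now go through sourceanalyzer.
sca_count_wrapped() {
    grep -c 'sourceanalyzer -b' "$1"
}

# Writes a small constructed Makefile (demo input, not a real project)
# to a temp file and prints its path.
demo_makefile() {
    tmp="${TMPDIR:-/tmp}/sca_demo_$$.mk"
    cat > "$tmp" <<'EOF'
# constructed sample Makefile for the demo
CC = gcc
CXX := g++
AR=ar
CFLAGS = -O2 -Wall
CCFLAGS = -DNOT_A_COMPILER
all: hello
hello: hello.o
	$(CC) $(CFLAGS) -o $@ $^
EOF
    printf '%s\n' "$tmp"
}

# Stand-alone demo: wrap the sample, show the result, clean up.
case "$0" in
    *sca_wrap_makefile.sh)
        f="$(demo_makefile)"
        sca_wrap_makefile "$f" mybuild && cat "$f"
        rm -f "$f" "$f.orig" ;;
esac
```

After wrapping, run the project's normal `make clean && make` so every compile goes through sourceanalyzer, then `sourceanalyzer -b mybuild -scan -f results.fpr`; restore `Makefile.orig` when the scan build is done.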