Tuesday, December 28, 2010

Installing and configuring Fortify on Linux and Windows machines

Installing Fortify on Linux (RHEL 5 32 bit)
  • Download the Fortify archive Fortify-360-2.6.5-Analyzers_and_Apps-Linux-x86.tar.gz and extract it to a directory such as /usr/local/fortify
  • Obtain the license file fortify.license and place it in the installation root directory (/usr/local/fortify)
  • Run the scapostinstall utility from the bin directory (/usr/local/fortify/bin) to perform the required post-install configuration.
        ./scapostinstall
           [1] Migration...
           [2] Settings...
           [s] Display all settings
           [q] Exit
           Please select the desired action (1,2,s,q):

          Give valid entries for Rulepack Update and 360 Server Settings.

          Select 2 to change the settings. Under Rulepack Update, enter the http address of your Fortify 360 server in the Update Server URL: field. Under 360 Server Settings, enter the same http address of your Fortify 360 server in the Server URL: field and set Get Rulepack Updates from 360 Server: to true.

  • Now update the rulepacks with the rulepackupdate tool in the bin directory (/usr/local/fortify/bin)
  • Generate an upload access token with the fortifyclient utility in the bin directory. The upload access token allows the account name and password to be concealed when uploading FPRs to the Fortify 360 Server:
          fortifyclient -url [360_server_URL] token -gettoken AnalysisUploadToken -user [AccountName]
 
          fortifyclient prompts for a password; type the password for [AccountName]. fortifyclient then displays a token of the general form cb79c492-0a78-44e3-b26c-65c14df52e86. Copy the token returned by fortifyclient into a text file. Since the token stands in for the account password during uploads, protect that file as you would any other credential.

Updating rules in future

  • If you need to update the rulepacks later, there are two ways to do it.
  • You may receive a rulepack as a zip file of the form Se289787b-abd8-4ad6-a77d-f11d89e8ac60.zip. In that case run the command
          /usr/local/fortify/bin/rulepackupdate -import Se289787b-abd8-4ad6-a77d-f11d89e8ac60.zip
  • or, if your F360 server is already up to date with rules, run the command
          /usr/local/fortify/bin/rulepackupdate -url [360_server_URL]

Wednesday, December 15, 2010

Fortify report templates using ReportGenerator

The Fortify Static Code Analysis tool lets us create scan reports with the command line utility ReportGenerator.
By default ReportGenerator creates the report using the template OWASP2007.xml.
Here is an example of generating a PDF scan report from the command line:
ReportGenerator -format pdf -f outputFile.pdf -source dev-rkm-KMS-aggregate.fpr
The report can be created in pdf, rtf or xml format.

Sometimes we get an error like
Xlib: connection to "localhost:10.0" refused by server
Xlib: PuTTY X11 proxy: wrong authentication protocol attempted

This means ReportGenerator tries to open an X window, but your server has no working X server to connect to (in the second line, the X11 forwarding through PuTTY is refusing the connection). Try running a simple X application such as xcalc or xterm on the machine first and make sure the X server is working before running ReportGenerator.

There is also a -template option, which lets us generate reports from different templates. This option is not well documented. "ReportGenerator -help" only says
-template       The Fortify Report template used to define the report.

It does not say which template names are available.

Still, we can find the available templates in the directory fortify-install-dir/Core/config/reports.
Available templates are
1) DefaultReportDefinition.xml
2) DeveloperWorkbook.xml
3) OWASP2004.xml
4) OWASP2007.xml
5) ScanReport.xml

Here is an example of using the template option:
ReportGenerator -format pdf -f outputFile.pdf -source dev-rkm-KMS-aggregate.fpr -template "ScanReport.xml"
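As an added example (not from the original post and not Fortify's own code), the shell functions below wrap ReportGenerator so that the requested template is checked against the Core/config/reports directory and the X display is verified before the tool runs, turning the Xlib error above into an early, readable failure. It assumes FORTIFY_HOME defaults to /usr/local/fortify, that ReportGenerator lives in its bin directory, and that the standard X11 client xdpyinfo is installed.

```shell
#!/bin/sh
# Added example, not part of the original post or of Fortify itself.
# Assumptions: FORTIFY_HOME is the install root (default /usr/local/fortify),
# ReportGenerator lives in $FORTIFY_HOME/bin, and xdpyinfo is installed.
FORTIFY_HOME="${FORTIFY_HOME:-/usr/local/fortify}"

# Print the template names that -template accepts: the *.xml files under
# Core/config/reports (the directory the post points to), one per line.
list_templates() {
    reports_dir="$1"
    for f in "$reports_dir"/*.xml; do
        [ -e "$f" ] || return 1   # glob matched nothing: no templates at all
        basename "$f"
    done
}

# Succeed if NAME is an available template; otherwise list the choices on
# stderr and fail, instead of letting ReportGenerator fail later.
resolve_template() {
    reports_dir="$1"; name="$2"
    [ -f "$reports_dir/$name" ] && return 0
    echo "unknown template '$name'; available templates:" >&2
    list_templates "$reports_dir" >&2
    return 1
}

# ReportGenerator opens an X display, so verify one is reachable first.
# This replaces the Xlib "connection refused" error with a clear message.
check_x_display() {
    [ -n "${DISPLAY:-}" ] || { echo "DISPLAY is not set" >&2; return 1; }
    xdpyinfo >/dev/null 2>&1 || { echo "cannot open X display $DISPLAY" >&2; return 1; }
}

# generate_report FPR OUTPUT [TEMPLATE] [FORMAT]
# Defaults match the post: format pdf, template OWASP2007.xml.
generate_report() {
    fpr="$1"; out="$2"; template="${3:-OWASP2007.xml}"; format="${4:-pdf}"
    reports_dir="$FORTIFY_HOME/Core/config/reports"
    case "$format" in
        pdf|rtf|xml) ;;
        *) echo "format must be pdf, rtf or xml, not '$format'" >&2; return 1 ;;
    esac
    [ -f "$fpr" ] || { echo "FPR not found: $fpr" >&2; return 1; }
    resolve_template "$reports_dir" "$template" || return 1
    check_x_display || return 1
    "$FORTIFY_HOME/bin/ReportGenerator" -format "$format" -f "$out" \
        -source "$fpr" -template "$template"
}
```

After sourcing the file, a call such as generate_report dev-rkm-KMS-aggregate.fpr outputFile.pdf ScanReport.xml reproduces the command above with the checks in front of it.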