I wrote in my previous blog about installing and configuring Fortify client. This blog presents standard steps to automate fortify scan for c/c++ code which are compiled using Makefiles.
Step 1: Compile your source code by instrumenting Fortify
Normally we compile source code using compilers like cc, gcc, cl.exe or devenv. To instrument fortify append sourceanalyzer (fortify tool) to your compilation command at the beginning.
For ex: sourceanalyzer -b testing-fortify cc test.c
This command will compile test.c and generates NST file, which is understood by Fortify tool.
Note: .nst files can be located at $HOME/.fortify
In most cases we don't compile individual files like it shown above. We will be using Makefiles to manage compilation. In that case we need to inform Make to call sourceanalyzer at the time compilation.
If our Makefiles (usually top level makefiles) have defined the CC variable, then we can modify it as given below
ifdef FORTIFY
CC="sourceanalyzer -b MyProject $CC"
endif
With this definition, your Make command will be able to compile all your source files using sourceanalyzer.
Step 2: Scan NST files to generate fpr file
Fortify generates a fpr file using the NST files generated in step 1. Once all your files are compiled in step 1, you need to run this step only once to generate one combined FPR file. This FPR file will be understood by other fortify tools used for reporting.
sourceanalyzer -b MyProject -scan -f MyProject.fpr
This will generate a FPR file named myproject.fpr which will be used in next steps.
Step 3: Upload the FPR file to Fortify 360 server
Fortify 360 server is web based tool, which displays fortify scan result. The input to this tool is the FPR file which we generated in Step 2.
We can upload the FPR file to Fortify 360 server using the command given below
fortifyclient -url http://my-fortify-360-server:8282/f360 -authtoken afknafowqnewksdgjsgddkg uploadFPR -file MyProject.fpr -project MyProject -version 1.0
where for
-authtoken : You need to generate authentication token for login to Fortify 360 server. Refer my previous blog to know how to generate it
-project: You need to create your project name in your Fortify 360 server, prior to this step.
-version: You need to create your project version in your Fortify 360 server, prior to this step.
Step 4: Generating PDF report using the FPR file
You can generate a PDF or XML report out of FPR file, which can be sent through mail for developers.
Here is the command to do it
ReportGenerator -format pdf -f MyProject.pdf -source MyProject.fpr
Refer my previous blog for detailed information about this step.
This completes the automation steps for Fortify scan on c/c++ code.
Note: You can use an application called auditworkbench to analyze fortify scan report. Even input for auditworkbench is FPR file.
Some more useful commands
- Use sourceanalyzer -b MyProject -show-files to know what all files are associated with the tag MyProject
- Use sourceanalyzer -b MyProject -show-build-warnings to show errors and warnings
- Use sourceanalyzer -b MyProject -show-loc to show Lines of code.
Step 1: Compile your source code by instrumenting Fortify
Normally we compile source code using compilers like cc, gcc, cl.exe or devenv. To instrument fortify append sourceanalyzer (fortify tool) to your compilation command at the beginning.
For ex: sourceanalyzer -b testing-fortify cc test.c
This command will compile test.c and generates NST file, which is understood by Fortify tool.
Note: .nst files can be located at $HOME/.fortify
In most cases we don't compile individual files like it shown above. We will be using Makefiles to manage compilation. In that case we need to inform Make to call sourceanalyzer at the time compilation.
If our Makefiles (usually top level makefiles) have defined the CC variable, then we can modify it as given below
ifdef FORTIFY
CC="sourceanalyzer -b
endif
With this definition, your Make command will be able to compile all your source files using sourceanalyzer.
Step 2: Scan NST files to generate fpr file
Fortify generates a fpr file using the NST files generated in step 1. Once all your files are compiled in step 1, you need to run this step only once to generate one combined FPR file. This FPR file will be understood by other fortify tools used for reporting.
sourceanalyzer -b
This will generate a FPR file named myproject.fpr which will be used in next steps.
Step 3: Upload the FPR file to Fortify 360 server
Fortify 360 server is web based tool, which displays fortify scan result. The input to this tool is the FPR file which we generated in Step 2.
We can upload the FPR file to Fortify 360 server using the command given below
fortifyclient -url
where for
-authtoken : You need to generate authentication token for login to Fortify 360 server. Refer my previous blog to know how to generate it
-project: You need to create your project name in your Fortify 360 server, prior to this step.
-version: You need to create your project version in your Fortify 360 server, prior to this step.
Step 4: Generating PDF report using the FPR file
You can generate a PDF or XML report out of FPR file, which can be sent through mail for developers.
Here is the command to do it
ReportGenerator -format pdf -f
Refer my previous blog for detailed information about this step.
This completes the automation steps for Fortify scan on c/c++ code.
Note: You can use an application called auditworkbench to analyze fortify scan report. Even input for auditworkbench is FPR file.
Some more useful commands
- Use sourceanalyzer -b MyProject -show-files to know what all files are associated with the tag MyProject
- Use sourceanalyzer -b MyProject -show-build-warnings to show errors and warnings
- Use sourceanalyzer -b MyProject -show-loc to show Lines of code.
7 comments:
Hey Siddesh, great Fortify how-tos...
Hey Siddesh, great Fortify how-tos...
Hey Siddesh, you could have just pointed to the Fortify documentation.
Did you ever compile using libtool instead of c directly?
Is that possible with the sourceanalyzer?
Help! I am trying to upload my fpr file via command line in Jenkins, the Audit Workbench, command line in RHEL, and the FortifySCC web page. When attempted in the workbench and RHEL, I receive an error telling me that it cannot upload it because the file has comments in it. When attempted thru the webpage, it tells me its an internal error and to contact my administrator. ( I am the admin). Any ideas?
Hey, does Fortify support Cmake also?
Hi, Can we run Fortify for C/C++ codes using eclipse??
If yes, please reply back.
Post a Comment