Friday, April 8, 2011

Fortify scan automation steps for analyzing c/c++ code (Makefiles)

I wrote in my previous blog about installing and configuring the Fortify client. This blog presents the standard steps to automate a Fortify scan of C/C++ code that is compiled using Makefiles.

Step 1: Compile your source code by instrumenting Fortify
    Normally we compile source code using compilers like cc, gcc, cl.exe or devenv. To instrument Fortify, prepend sourceanalyzer (the Fortify tool) to your compilation command.
    For example: sourceanalyzer -b testing-fortify cc test.c

    This command compiles test.c and generates an NST file, the intermediate form the Fortify tools understand. The -b argument is the build ID that ties all translated files together; use the same value in every later step.
    Note: .nst files can be located under $HOME/.fortify

    In most cases we don't compile individual files as shown above; we use Makefiles to manage compilation. In that case we need to tell Make to call sourceanalyzer at compilation time.
    If our Makefiles (usually the top-level Makefile) define the CC variable, we can modify it as given below:
    ifdef FORTIFY
        # $(CC), not $CC: Make reads $CC as $(C) followed by a literal C.
        # := (simple expansion) so CC does not refer to itself recursively.
        CC := sourceanalyzer -b MyProject $(CC)
    endif

    With this definition, running make with FORTIFY defined (for example, make FORTIFY=1) compiles all your source files through sourceanalyzer.

Step 2: Scan NST files to generate fpr file
    Fortify generates an FPR file from the NST files produced in Step 1. Once all your files are compiled in Step 1, you need to run this step only once to generate one combined FPR file, using the same build ID. This FPR file is understood by the other Fortify tools used for reporting.

   sourceanalyzer -b MyProject -scan -f MyProject.fpr

  This generates an FPR file named MyProject.fpr, which is used in the next steps.

Step 3: Upload the FPR file to Fortify 360 server
   Fortify 360 Server is a web-based tool that displays Fortify scan results. Its input is the FPR file we generated in Step 2.
   We can upload the FPR file to the Fortify 360 server using the command given below

    fortifyclient -url http://my-fortify-360-server:8282/f360 -authtoken afknafowqnewksdgjsgddkg  uploadFPR -file MyProject.fpr -project MyProject  -version 1.0

  where:
      -authtoken : You need to generate an authentication token for logging in to the Fortify 360 server. Refer to my previous blog to see how to generate it. Treat the token like a password: typed on the command line as above, it is recorded in your shell history and visible to other users in the process list, so in a scripted setup read it from a file with restrictive permissions instead.
      -project: You need to create your project name in your Fortify 360 server prior to this step.
      -version: You need to create your project version in your Fortify 360 server prior to this step.

Step 4: Generating PDF report using the FPR file
   You can generate a PDF or XML report from the FPR file, which can be mailed to developers.
   Here is the command to do it:
    ReportGenerator -format pdf -f MyProject.pdf -source MyProject.fpr

    Refer to my previous blog for detailed information about this step.

 This completes the automation steps for a Fortify scan of C/C++ code.
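The four steps above, wired together as one POSIX shell script. This is an added example, not code from the original post or from Fortify; it assumes sourceanalyzer, fortifyclient and ReportGenerator are on PATH, that the project builds with make, and that the Fortify 360 auth token lives in a file named by FORTIFY_TOKEN_FILE (a hypothetical path chosen here) rather than being typed on the command line. DRY_RUN=1 prints each command instead of running it, so the pipeline can be checked on a machine without Fortify:

```shell
#!/bin/sh
# Added example, not code from the original post: drives Steps 1-4 in one
# script. Assumptions: sourceanalyzer, fortifyclient and ReportGenerator are on
# PATH; the project builds with "make"; the Fortify 360 auth token is stored in
# a 0600 file named by FORTIFY_TOKEN_FILE (hypothetical path) so it never has
# to be typed on a command line that ends up in shell history.
set -eu

BUILD_ID="${BUILD_ID:-MyProject}"          # the -b tag shared by every step
PROJECT="${PROJECT:-MyProject}"            # must already exist on the F360 server
VERSION="${VERSION:-1.0}"                  # likewise
F360_URL="${F360_URL:-http://my-fortify-360-server:8282/f360}"
FPR="${FPR:-$BUILD_ID.fpr}"
REPORT="${REPORT:-$BUILD_ID.pdf}"
BASE_CC="${CC:-cc}"                        # real compiler that sourceanalyzer wraps
TOKEN_FILE="${FORTIFY_TOKEN_FILE:-${HOME:-.}/.fortify-token}"
DRY_RUN="${DRY_RUN:-0}"                    # DRY_RUN=1 prints commands instead of running them

# Execute a command, or print it (shell-quoted) when DRY_RUN=1 so the pipeline
# can be reviewed on a machine that has no Fortify installation.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        line=""
        for arg in "$@"; do
            case "$arg" in
                *[!A-Za-z0-9_./:=-]*) line="$line '$arg'" ;;
                *) line="$line $arg" ;;
            esac
        done
        printf '%s\n' "${line# }"
        return 0
    fi
    "$@"
}

# Step 1: translate every compiled file into NST form. -clean first, so a stale
# NST from an earlier build with the same tag cannot reach the scan. FORTIFY=1
# triggers the ifdef block shown above; passing CC= on the command line also
# covers Makefiles without that block, because command-line variables override
# assignments inside the Makefile.
step_compile() {
    run sourceanalyzer -b "$BUILD_ID" -clean
    run make FORTIFY=1 "CC=sourceanalyzer -b $BUILD_ID $BASE_CC"
}

# Step 2: refuse to scan an empty build id (the usual symptom of a Makefile
# that never picked up the wrapped CC), then produce the FPR.
step_scan() {
    if [ "$DRY_RUN" != "1" ]; then
        nfiles=$(sourceanalyzer -b "$BUILD_ID" -show-files | wc -l)
        if [ "$nfiles" -eq 0 ]; then
            echo "no files translated for build id $BUILD_ID; check CC wrapping" >&2
            return 1
        fi
    fi
    run sourceanalyzer -b "$BUILD_ID" -scan -f "$FPR"
}

# Step 3: upload. The token is read from a file at the last moment; it is still
# visible in the fortifyclient process arguments while that process runs, but
# it never passes through the interactive shell's history.
step_upload() {
    if [ "$DRY_RUN" != "1" ] && [ ! -s "$FPR" ]; then
        echo "$FPR missing or empty; run step_scan first" >&2
        return 1
    fi
    if [ -n "$(find "$TOKEN_FILE" -perm -004 2>/dev/null)" ]; then
        echo "warning: $TOKEN_FILE is world-readable; chmod 600 it" >&2
    fi
    token=$(cat "$TOKEN_FILE")
    run fortifyclient -url "$F360_URL" -authtoken "$token" uploadFPR \
        -file "$FPR" -project "$PROJECT" -version "$VERSION"
}

# Step 4: developer-facing report from the same FPR.
step_report() {
    run ReportGenerator -format pdf -f "$REPORT" -source "$FPR"
}

# Run the whole pipeline only when invoked as "./fortify-scan.sh all".
case "${1:-}" in
    all) step_compile && step_scan && step_upload && step_report ;;
esac
```

Run `./fortify-scan.sh all` from the project's top-level directory after pointing FORTIFY_TOKEN_FILE at the token file; `DRY_RUN=1 ./fortify-scan.sh all` prints exactly which sourceanalyzer, fortifyclient and ReportGenerator invocations would execute. The -show-files gate before the scan catches the most common failure, a Makefile that ignored the wrapped CC, before a long scan runs over nothing.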


Note: You can use an application called auditworkbench (Audit Workbench) to analyze the Fortify scan results; its input is also the FPR file.

Some more useful commands
 - Use sourceanalyzer -b MyProject -show-files to list all files associated with the build ID MyProject
 - Use sourceanalyzer -b MyProject -show-build-warnings to show the errors and warnings recorded during translation
 - Use sourceanalyzer -b MyProject -show-loc to show the lines of code counted for that build ID