Tuesday, December 28, 2010

Installing and configuring Fortify on Linux and Windows machines

Installing Fortify on Linux (RHEL 5 32 bit)
  • Download the Fortify archive Fortify-360-2.6.5-Analyzers_and_Apps-Linux-x86.tar.gz and extract it to a directory such as /usr/local/fortify
  • Get the license file fortify.license and place it in the installation root directory (/usr/local/fortify)
  • Run the scapostinstall utility from the bin directory (/usr/local/fortify/bin) to perform the necessary post-install activities.
        ./scapostinstall
           [1] Migration...
           [2] Settings...
           [s] Display all settings
           [q] Exit
           Please select the desired action (1,2,s,q):

          Give valid entries for Rulepack Update and 360 Server Settings.

          Select 2 to change the settings. Under Rulepack Update, enter the HTTP address of your Fortify 360 server in the Update Server URL: field. Under 360 Server Settings, enter the HTTP address of your Fortify 360 server again in the Server URL: field and set Get Rulepack Updates from 360 Server: true

  • Now update the rulepacks using the rulepackupdate tool in the bin directory (/usr/local/fortify/bin)
  • Generate an upload access token using the fortifyclient utility in the bin directory. The upload access token allows the account and password information to be concealed when uploading FPRs to the Fortify 360 Server
          fortifyclient -url [360_server_URL] token -gettoken AnalysisUploadToken -user [AccountName]

          fortifyclient prompts for a password; type the password for [AccountName]. fortifyclient displays a token of the general form cb79c492-0a78-44e3-b26c-65c14df52e86. Copy the token returned by fortifyclient into a text file; since the token stands in for the account's credentials when uploading, keep that file readable only by the account that runs the uploads.

Updating rules in future

  • If you want to update the rulepacks in the future, here is the process
  • You may get the rulepack as a zip file of the form Se289787b-abd8-4ad6-a77d-f11d89e8ac60.zip
          Then run the command
          /usr/local/fortify/bin/rulepackupdate -import Se289787b-abd8-4ad6-a77d-f11d89e8ac60.zip
  • or, if your F360 server is up to date with rules, run the command
          /usr/local/fortify/bin/rulepackupdate -url [360_server_URL]

Wednesday, December 15, 2010

Fortify report templates using ReportGenerator

The Fortify Static Code Analysis tool lets us create scan reports with the command-line utility ReportGenerator.
By default, ReportGenerator creates the report using the template OWASP2007.xml.
Here is an example of generating a PDF scan report from the command line:
ReportGenerator -format pdf -f outputFile.pdf -source dev-rkm-KMS-aggregate.fpr
The report can be created in pdf, rtf or xml format.

Sometimes we get an error like
Xlib: connection to "localhost:10.0" refused by server
Xlib: PuTTY X11 proxy: wrong authentication protocol attempted


It means ReportGenerator tries to open an X window, but no X server is available to it. Try running a simple X application such as xcalc or xterm on your machine to make sure the X server is working.

There is also an option, -template, with which we can generate reports in various layouts. This option is not well documented. When you run "ReportGenerator -help", it just says
-template       The Fortify Report template used to define the report.

It gives no information about which template names are available.

Still, we can find the available templates in the directory fortify-install-dir/Core/config/reports
The available templates are
1) DefaultReportDefinition.xml  
2) DeveloperWorkbook.xml 
3) OWASP2004.xml  
4) OWASP2007.xml  
5) ScanReport.xml

Here is an example of using the -template option:
ReportGenerator -format pdf -f outputFile.pdf -source dev-rkm-KMS-aggregate.fpr -template "ScanReport.xml"

Sunday, November 21, 2010

How to invoke xterm from putty?

When we connect to a Linux/Solaris or any other Unix server using PuTTY from a Windows machine and try to run an X application such as xterm or xeyes, it may throw errors like

Xlib: connection to "localhost:10.0" refused by server
Xlib: PuTTY X11 proxy: wrong authentication protocol attempted
Error: Can't open display: localhost:10.0
or
X connection to localhost:10.0 broken (explicit kill or server shutdown)

Then you need to install Xming on your Windows machine. Xming is an X Window server for Microsoft Windows XP/2008/Windows 7.

Start Xming on your Windows machine and then log in to your Unix machine through PuTTY.
For example:
#ssh root@spodumene.ap.rsa.net
[root@spodumene build]# xeyes

Here xeyes is a simple X application which displays a pair of eyes. If the eyes appear, you can start any X application.

But you may still get issues if you log in as root, then do "su - user" and try to run an X application.

[root@spodumene build]# su - build
[build@spodumene ~]$ xeyes
Xlib: connection to "localhost:10.0" refused by server
Xlib: PuTTY X11 proxy: wrong authentication protocol attempted
Error: Can't open display: localhost:10.0

To fix this, you need to temporarily transfer the authorization to the other account. First, get the key from your account: log in as root and run the "xauth list" command.
[root@spodumene build]# xauth list
spodumene.ap.rsa.net/unix:12  MIT-MAGIC-COOKIE-1  e0190c6d94addb5201f3d8cbeef32b72
spodumene.ap.rsa.net/unix:13  MIT-MAGIC-COOKIE-1  b1e7ee620ddef216e32cff36945a31a0
spodumene.ap.rsa.net/unix:11  MIT-MAGIC-COOKIE-1  5db41fd092612581a408a762e252494b
spodumene.ap.rsa.net/unix:10  MIT-MAGIC-COOKIE-1  bb6f1099c09e630fd5caed5dc7b8d143


Now do "su" to your account
[root@spodumene build]# su - build

Then add the auth tokens listed by the previous command using the "xauth add" command.
[build@spodumene ~]$ xauth add spodumene.ap.rsa.net/unix:10  MIT-MAGIC-COOKIE-1  bb6f1099c09e630fd5caed5dc7b8d143


You can repeat this for the remaining tokens. After that, run "xauth list", which will display all the added tokens.
[build@spodumene ~]$ xauth list
spodumene.ap.rsa.net/unix:10  MIT-MAGIC-COOKIE-1  bb6f1099c09e630fd5caed5dc7b8d143
spodumene.ap.rsa.net/unix:12  MIT-MAGIC-COOKIE-1  e0190c6d94addb5201f3d8cbeef32b72
spodumene.ap.rsa.net/unix:13  MIT-MAGIC-COOKIE-1  b1e7ee620ddef216e32cff36945a31a0
spodumene.ap.rsa.net/unix:11  MIT-MAGIC-COOKIE-1  5db41fd092612581a408a762e252494b

Now run your X application
[build@spodumene ~]$ xterm

It will open an xterm.
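
The cookie transfer above, narrowed to the one display that is actually forwarded, so the other account receives a single cookie rather than every cookie root holds. This is an added example, not part of the original post; the function names, the host buildhost.example and the cookie values are constructed for illustration.

```shell
#!/bin/sh
# Added example: pick the X11 cookie for the forwarded display out of
# "xauth list" output and build the matching "xauth add" command.

# display_number DISPLAY: print the display number (localhost:10.0 -> 10).
display_number() {
    d=${1##*:}      # drop everything up to the last colon -> "10.0"
    d=${d%%.*}      # drop the screen suffix               -> "10"
    case $d in
        ''|*[!0-9]*) return 1 ;;    # reject empty or non-numeric values
    esac
    printf '%s\n' "$d"
}

# cookie_for_display DISPLAY: read "xauth list" output on stdin and print
# the single entry whose display number matches; fail if there is none.
cookie_for_display() {
    num=$(display_number "$1") || return 1
    awk -v n="$num" '
        NF == 3 && $2 == "MIT-MAGIC-COOKIE-1" && $3 ~ /^[0-9a-f]+$/ {
            disp = $1
            sub(/^.*:/, "", disp)   # keep what follows the last colon
            if (disp == n) { print $1, $2, $3; found = 1; exit }
        }
        END { exit !found }'
}

# xauth_add_command DISPLAY: print the command to run in the other account.
xauth_add_command() {
    entry=$(cookie_for_display "$1") || return 1
    printf 'xauth add %s\n' "$entry"
}

# Constructed sample input (not real cookies), in the format of "xauth list".
SAMPLE_XAUTH_LIST='buildhost.example/unix:12  MIT-MAGIC-COOKIE-1  00112233445566778899aabbccddeeff
buildhost.example/unix:10  MIT-MAGIC-COOKIE-1  ffeeddccbbaa99887766554433221100'

# Demo: only the :10 entry is selected for DISPLAY=localhost:10.0.
printf '%s\n' "$SAMPLE_XAUTH_LIST" | xauth_add_command "localhost:10.0"
```

In real use, pipe the output of "xauth list" (run as root) into xauth_add_command "$DISPLAY" and run the printed command after "su - build".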

Wednesday, September 22, 2010

Silent Installation and Uninstallation using setup.exe - Installshield

Silent installation and uninstallation are a necessary requirement of an automated process. In our organization we have a build dependency where one build (C#) depends on the installation of another build (the C client build). Here we need to silently install a build package generated using InstallShield and uninstall it once the build completes.

Since InstallShield generated "setup.exe", there is an easy way to do a silent installation. But I found that the available solutions for silent uninstall do not work well for our product. Anyway, I will give my findings.

Silent Installation
 - First create an InstallShield silent response file (setup.iss). This file records the choices we make while installing
      setup.exe -r
   It will create the setup.iss file in the Windows folder, i.e. C:\WINNT in my case.
   You can also use the "-f1" option to create the .iss file at a location of your choice.
   For example: setup.exe -r -f1"C:\win32vc8\setup_inst.iss"
 - Now install with the silent option (-s or /s)
   setup.exe -s
        or
   setup.exe -s -f1"C:\win32vc8\setup_inst.iss"
   If everything goes well, the application will be installed and can be accessed from Program Files.
 - Troubleshooting errors
   Look at the setup.log file and make sure it contains "ResultCode=0". By default, setup.log is created in the directory where setup.exe is located. We can change this default location by providing an alternative path with the -f2 option.
   What do the various ResultCode values mean?
   0 Success
   -1 General error
   -2 Invalid mode
   -3 Required data not found in the Setup.iss file
   -4 Not enough memory available
   -5 File does not exist
   -6 Cannot write to the response file
   -7 Unable to write to the log file
   -8 Invalid path to the InstallShield Silent response file
   -9 Not a valid list type (string or number)
   -10 Data type is invalid
   -11 Unknown error during setup
   -12 Dialogs are out of order
   -51 Cannot create the specified folder
   -52 Cannot access the specified file or folder
   -53 Invalid option selected
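
A build script can check setup.log before it continues, as the troubleshooting step above describes. This is an added example, not from the original post; it assumes a POSIX shell (for instance Cygwin on the Windows build machine) and that ResultCode sits in a [ResponseResult] section, and it uses hypothetical function names and a constructed sample log.

```shell
#!/bin/sh
# Added example: gate a build on the ResultCode recorded in setup.log.
# Assumption: ResultCode sits in a [ResponseResult] section of an INI-style log.

# Constructed sample log with CRLF line endings, as a Windows tool writes them.
sample_setup_log() {
    printf '[InstallShield Silent]\r\nVersion=v7.00\r\nFile=Log File\r\n'
    printf '[ResponseResult]\r\nResultCode=%s\r\n' "$1"
}

# result_code FILE: print the ResultCode value; fail if the log has none.
result_code() {
    tr -d '\r' < "$1" | awk -F= '
        /^\[/ { in_section = ($0 == "[ResponseResult]"); next }
        in_section && $1 == "ResultCode" { print $2; found = 1; exit }
        END { exit !found }'
}

# describe_result CODE: meanings as listed in the table above.
describe_result() {
    case $1 in
        0)   echo "Success" ;;
        -1)  echo "General error" ;;
        -2)  echo "Invalid mode" ;;
        -3)  echo "Required data not found in the Setup.iss file" ;;
        -4)  echo "Not enough memory available" ;;
        -5)  echo "File does not exist" ;;
        -6)  echo "Cannot write to the response file" ;;
        -7)  echo "Unable to write to the log file" ;;
        -8)  echo "Invalid path to the InstallShield Silent response file" ;;
        -9)  echo "Not a valid list type (string or number)" ;;
        -10) echo "Data type is invalid" ;;
        -11) echo "Unknown error during setup" ;;
        -12) echo "Dialogs are out of order" ;;
        -51) echo "Cannot create the specified folder" ;;
        -52) echo "Cannot access the specified file or folder" ;;
        -53) echo "Invalid option selected" ;;
        *)   echo "Unrecognized result code" ;;
    esac
}

# check_silent_install FILE: status 0 only when the log reports ResultCode=0.
check_silent_install() {
    code=$(result_code "$1") || { echo "No ResultCode found in $1"; return 2; }
    echo "ResultCode=$code: $(describe_result "$code")"
    [ "$code" = "0" ]
}

# Demo on the constructed sample: a failed install (-5) must stop the build.
log=$(mktemp)
sample_setup_log -5 > "$log"
check_silent_install "$log" || echo "Silent install failed; stopping the build."
rm -f "$log"
```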


Interactive Uninstall from command line.
setup.exe /uninst

Silent Uninstall.  This is what worked for me.
Two ways
1) Using a Response File
   To run an uninstallation using a response file:
  1. Prepare a response file for the uninstallation (.iss) by running Setup.exe with the /r argument: Setup.exe /r
  2. Locate the Setup.iss file generated in the Windows folder and copy it to the desired location.
  3. Type the following at the command line (items in Italics represent data that is specific to your product's uninstallation): IDriver.exe /M{Your Product GUID} /s /f1"<FULLY qualified path>\YourResponseFile.iss"
Note: The /f1 parameter is necessary only if the Setup.iss file is located in a different directory than the Setup.exe file.

2) Simple Uninstallation
If you do not want to follow the script logic and want to uninstall the product, you can use the following command line:
IDriver.exe /M{Your Product GUID} /uninst
The /uninst parameter causes a forced uninstallation without opening the script. It rolls back the system changes made during the installation, including those from the MSI package and any InstallShield scripting.
Note: For both of these uninstallation options, the /M argument is case sensitive.
Note: By default, the file "IDriver.exe" is located in the following path: C:\Program Files\Common Files\InstallShield\Driver\\Intel 32.


This approach silently removed the application entry from the Windows registry (regedit), but it didn't remove the installed files.

If you wish to create the response file manually, the instructions are here: http://kb.flexerasoftware.com/doc/Helpnet/installshield12helplib/CreatetheResponseFile.htm

Wednesday, September 1, 2010

Error while starting hudson as a service on Windows

Error

Installing a service
[hudson] $ C:\hudson\hudson.exe install
WMI.WmiException: StatusServiceExists
   at WMI.WmiRoot.BaseHandler.CheckError(ManagementBaseObject result)
   at WMI.WmiRoot.ClassHandler.Invoke(Object proxy, MethodInfo method, Object[] args)
   at WMI.Win32ServicesProxy.Create(String , String , String , ServiceType , ErrorControl , StartMode , Boolean , String[] )
   at winsw.WrapperService.Run(String[] args)
   at winsw.WrapperService.Main(String[] args)

A few words about Windows services

What is a Windows service?
It's a program that runs invisibly in the background. But can't the same be said of a number of programs that run in the background, such as anti-virus programs? Yes, but the real difference is that services load and start running whether or not anyone logs into the computer, unlike a program that is launched from the Startup folder under All Programs.

Two ways to view services
1) Type msconfig.exe in the Run box accessed via the Start Menu, then click the Services tab. If you want a quick visual of which items are running or stopped, this is fine, but the information is limited.
2) Launch services.msc from the Run option on the Start Menu.


How To Delete A Service?
  • Start | Run and type cmd in the Open: line. Click OK.
  • Type: sc delete service-name
  • Reboot the system
How To Create A Service?
  • Start | Run and type cmd in the Open: line. Click OK.
  • Type: sc create service-name binPath= "full-path-to-service-executable"
  • Reboot the system

Tuesday, April 6, 2010

0509-036 Cannot load program p4 because of the following errors

Here is the full description of the error:
bash-3.00# p4 info
exec(): 0509-036 Cannot load program p4 because of the following errors:
        0509-111   The s_scnptr or s_size field of the
                  .loader section header is invalid.
        0509-194 Examine file headers with the 'dump -ohv' command.

I got this error when I invoked the Perforce client (p4) from an IBM AIX 5.2 machine.

What's going wrong here?
We installed the p4 client for IBM AIX 5.3 on an IBM AIX 5.2 machine.

Resolution: Install the proper p4 client for the AIX 5.2 machine, which is available in the Perforce archive.
Direct link: http://www.perforce.com/downloads/perforce/r05.1/bin.aix43/p4

or
http://www.perforce.com/perforce/downloads/unixlist.html   browse to "IBM AIX 4.3 for PPC"

Friday, February 26, 2010

How to configure DNS in Solaris and AIX?

It is very simple.
Solaris
1) Create the /etc/resolv.conf file with your DNS server entries
    Ex:
    bash-2.05$ cat /etc/resolv.conf
                      nameserver 10.999.9.999      #First preference server to look
                      nameserver 10.999.9.999      #Second preference server to look
                      search domain.comp.net

2) Modify the file /etc/nsswitch.conf
    Look for
      "hosts: files"
    in this file and replace it with
     "hosts: files dns"

That's it. DNS will be enabled.


AIX
1) In /etc/netsvc.conf check for
hosts = local, bind

where the entry "bind" is for DNS

2) Modify the /etc/resolv.conf file with your DNS server entries
    Ex:
    bash-2.05$ cat /etc/resolv.conf
                      nameserver 10.999.9.999      #First preference server to look
                      nameserver 10.999.9.999      #Second preference server to look
                      search domain.comp.net

Note: You can use smitty to configure this.

Tuesday, February 23, 2010

sysck: 3001-022 The file was not found (EPM issue)

I got this error while installing a package on IBM AIX (5.1 & 5.3) machines. The error looks straightforward, as given here: "sysck: 3001-022 The file  /usr/axm/server-61/bin/aserver.sh  was not found." But it was actually not able to find files which are supposed to be generated at the time of installation.

We use EPM (ESP Package Manager) to create the AIX installer (installp). I created the AIX package using EPM version 3.7.0. At the time of package creation, everything went fine. It didn't give even a single error. But the package we built was getting screwed up at the time of installation.

After thorough debugging, I found that using EPM version 3.7.1, 4.0 or 4.1 to create the installer solved the issue.

Thursday, February 18, 2010

Unable to resolve target system name - a DNS problem

I was not able to ping any machines from my Windows 2003 server. I took the following steps to debug and resolve the issue, which was related to a DNS problem.

1) Ping some-server
    Unknown host vm-cervino

2) Ping localhost
    Reply from 127.0.0.1: bytes=32 time<10ms TTL=48 (This is working)

3) tracert some-server
    Unable to resolve target system name p4server.na.rsa.net. (This gave me a clue that it may be a DNS problem)

4) ping 192.777.77.77 (IP address of some-server)
    Reply from 192.777.77.77: bytes=32 time=4ms TTL=64 (This confirmed it is a DNS issue.)

5) I had another Linux machine where DNS was working fine, and I took the working DNS server IP address from it. On a Linux machine, the DNS configuration is in the /etc/resolv.conf file.

6) I configured my Windows server to use the working DNS server IP address. On a Windows server, the DNS configuration is under Start -> Control Panel -> Network Connections -> Local Area Connection -> Properties -> Internet Protocol (TCP/IP) -> Properties -> General tab -> Use the following DNS server addresses -> Preferred DNS server.

After changing the Preferred DNS server entry, I was able to connect to machines normally using domain names.

Wednesday, February 17, 2010

fatal error C1033: cannot open program database vc60.pdb

We encountered this error while doing a debug build of some C programs. Our environment consists of Cygwin installed on a Windows 2003 server, Visual Studio (VC98) and Gmake.

This problem was resolved for us by killing some hung process on our Windows server. "make clean", which in turn tries to remove the vc60.pdb file, was not able to delete it. When I tried to remove it manually, it complained that the file was shared by some resources, so it couldn't be deleted.
Finally the culprit process was found using Windows Process Explorer. After killing the culprit process, our build went fine. Even a reboot of the Windows server will resolve this problem.

Tuesday, February 16, 2010

Can't create transcript file No space left on device

The build was failing with this absurd error. By thorough inspection of the log, I found that some command was trying to write inside the /var directory. I found that disk usage in /var was 100%, so I thought the problem was simple; I truncated some Unix system logs in /var/log and reran the build. But it failed again with the same error.
At last, I found that another issue causing this problem was that inode usage in /var was at 100%.

We can find the inode usage status using the command "df -i"

Finally, after removing some files in /var/tmp, inode usage dropped below 100% and my build went fine afterward.

Monday, February 15, 2010

Linux system logs management using logrotate

You can rotate log files using the logrotate software and monitor log files using the logwatch software.

Working on it, will update soon


How to truncate all the log files under /var/log? (I don't want to delete them)
bash# for x in /var/log/*; do [ -f "$x" ] && : > "$x"; done

Thursday, January 21, 2010

Visual representation of Ant target dependencies using tool Grand

Is your Ant build file more than 500 lines long? Does it contain hundreds of targets? Then there is no doubt that you will get lost in the process of understanding it. Fortunately there are tools which graphically represent Ant target dependencies. One such tool I recently used is Grand.

You can download Grand from http://www.ggtools.net/grand/. For Windows, download the grand-ui.zip file and extract it.
Then double-click grand-ui.bat, which opens an editor. From the editor, open your Ant build file through the File menu (File -> Quick open). It then generates a graph of all the target dependencies. It also highlights the default target in a different color (yellow). If a target (represented as an oval) is clicked, the code for that target is displayed in the bottom frame.
Another good thing is that it also traverses targets present in build files that are imported by the parent build file.

This tool really helps to understand complex Ant build files.

Wednesday, January 20, 2010

fatal error C1902: Program database manager mismatch; please check your installation

Scenario: ssh from a Linux machine (e.g. the build account) to a Windows machine (e.g. the Administrator account) with the help of Cygwin, and compile some C/C++ code using Microsoft Visual Studio 2005. It ends with the error
fatal error C1902: Program database manager mismatch; please check your installation

This seems to be a bug in VS 2005, or maybe a security enhancement feature. But this problem never used to occur in the older VC6 (VS98).

Solution: The error results from using the "build" account on the Linux machine while connecting to Windows with the Administrator account. The solution is to use the same account on Windows as on the Linux machine.

Create a "build" account on the Windows machine and add it to the administrator group. Install Cygwin with the build account itself, run the ssh-host-config file, and start the sshd service (net start sshd).

Make sure the "Cygwin sshd" service is started with the build account. You can verify it by right-clicking "My Computer" -> Manage -> Services and Applications -> Services -> Cygwin sshd.
If it is not running with the build account (it may be running as "Local SYSTEM" instead), then you need to follow the instructions at the link below to make it run under the "build" account.
http://publib.boulder.ibm.com/infocenter/wxdinfo/v6r1/index.jsp?topic=/com.ibm.websphere.ops.doc/info/odoe_task/tcimgr_sshwin.html


It resolved this problem for us.

You can also find a detailed explanation on my buddy's blog: http://vijayk.blogspot.com/2010/01/fatal-error-c1902-program-database.html