Software Version: 21.2.0
Document Release Date: November 2021
Software Release Date: November 2021
Legal Notices
Micro Focus
The Lawn
22-30 Old Bath Road
Newbury, Berkshire RG14 1QN
UK
Warranty
The only warranties for products and services of Micro Focus and its affiliates and licensors (“Micro Focus”) are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.
Restricted Rights Legend
Confidential computer software. Except as specifically indicated otherwise, a valid license from Micro Focus is required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.
Copyright Notice
© Copyright 2009 - 2021 Micro Focus or one of its affiliates
Trademark Notices
All trademarks, service marks, product names, and logos included in this document are the property of their respective owners.
Documentation Updates
The title page of this document contains the following identifying information:
Software Version number
Document Release Date, which changes each time the document is updated
Software Release Date, which indicates the release date of this version of the software
This document was produced on November 10, 2021. To check for recent updates or to verify that you are using the most recent edition of a document, go to:
https://www.microfocus.com/support/documentation
Contents
Preface  8
Contacting Micro Focus Fortify Customer Support  8
For More Information  8
About the Documentation Set  8
Fortify Product Feature Videos  8
Chapter 1: Introduction  10
Fortify Plugin for Eclipse  10
Fortify Remediation Plugin for Eclipse  10
Related Documents  11
All Products  11
Micro Focus Fortify ScanCentral SAST  12
Micro Focus Fortify Software Security Center  12
Micro Focus Fortify Static Code Analyzer  13
Chapter 2: Using the Eclipse Complete Plugin  14
About Installing the Eclipse Complete Plugin  14
Installing the Eclipse Complete Plugin from Eclipse  15
Installing the Eclipse Complete Plugin from an Update Site  16
Posting the Eclipse Complete Plugin to an Internal Update Site  16
Installing the Eclipse Complete Plugin from an Update Site  16
About Re-installing After Upgrading Fortify SCA and Applications from Fortify Audit Workbench  17
Managing the License  17
Uninstalling the Eclipse Complete Plugin  17
Fortify Software Security Content  18
Configuring Security Content Updates  18
Updating Security Content  20
Manually Updating Security Content  21
Importing Custom Security Content  21
About Analyzing the Source Code  21
About Scanning Locally  22
About Quick Scan Mode  22
Configuring Local Analysis Options  23
Configuring Advanced Local Analysis Options  24
Configuring Analysis Options for Specific Projects  26
Viewing the Resources and Classpath to be Scanned  26
Scanning Projects Locally  27
Scanning Individual Files and Packages  27
Rescanning Projects  27
Disabling Merging Scan Results for all Projects  27
Disabling Merging Scan Results for a Specific Project  28
About Scanning with Fortify ScanCentral SAST  28
Configuring Fortify ScanCentral SAST Options  29
Scanning Projects with ScanCentral SAST  32
Running an Advanced Analysis  33
About Viewing Analysis Results  41
Static Analysis Results View  43
Filter Sets  43
Specifying the Default Filter Set  44
Folders (Tabs)  44
Group By List  46
Specifying the Default Issue Grouping  46
Sorting Issues  46
Search Box  47
Project Summary View  48
Summary Tab  48
Certification Tab  48
Build Information Tab  49
Analysis Information Tab  49
Viewing Summary Graph Information  49
Analysis Trace View  53
Issue Auditing View  55
Audit Tab  55
Details Tab  57
WebInspect Agent Details Tab  57
Recommendations Tab  58
History Tab  58
Diagram Tab  58
Filters Tab  59
Warnings Tab  60
Viewing Issues in the Source Code  61
Working with Issues  61
Filtering Issues with Audit Guide  61
Grouping Issues  63
Creating a Custom Group By Option  65
Evaluating Issues  67
Performing Quick Audits  67
Performing Quick Audits for Custom Tags  68
Adding Screen Captures to Issues  69
Viewing Images  69
Creating Issues for Undetected Vulnerabilities  69
Suppressing Issues  70
Creating Attribute Summary Tables for Multiple Issues  70
Customizing the Static Analysis Results View  72
Submitting an Issue as a Bug  74
Integrating with a Bug Tracker Application  75
Configuring Proxy Settings for Bug Tracker Integration  76
Searching for Issues  76
Search Modifiers  77
Search Query Examples  84
Performing Simple Searches  84
Performing Advanced Searches  85
Generating Reports  87
Generating Legacy Reports  87
Legacy Report Templates  88
Selecting Legacy Report Sections  88
Opening Legacy Report Templates  88
Editing Legacy Report Subsections  89
Editing Text Subsections  90
Editing Results List Subsections  91
Editing Chart Subsections  92
Saving Legacy Report Templates  92
Saving Changes to Legacy Report Templates  92
Report Template XML Files  93
Adding Legacy Report Sections  93
Adding Report Subsections  94
Adding Text Subsections  94
Adding Results List Subsections  95
Adding Charts Subsections  95
Configuring a Connection to Fortify Software Security Center  96
Logging in to Fortify Software Security Center  97
Synchronizing with Fortify Software Security Center  98
Scheduling Synchronization  99
Refreshing Permissions from Fortify Software Security Center  99
Working with Audit Projects  99
Opening an Audit Project  100
Opening an Existing Audit  100
Opening Audit Projects Without the Default Filter Set  100
Exporting an Audit Project  101
Merging Audit Data  101
Performing a Collaborative Audit  102
Uploading Audit Results to Fortify Software Security Center  102
About Issue Templates  103
Configuring Custom Filter Sets and Filters  104
Creating a New Filter Set  105
Creating a Filter from the Static Analysis Results View  105
Creating a Filter from the Issue Auditing View  106
Copying a Filter from One Filter Set to Another  107
Committing Filter Sets and Folders  107
Synchronizing Filter Sets and Folders  108
Setting the Default Filter Set  109
Managing Folders  109
Creating a Folder  110
Adding a Folder to a Filter Set  111
Renaming a Folder  112
Removing a Folder  112
Configuring Custom Tags for Auditing  113
Adding a Custom Tag  113
Hiding a Custom Tag  115
Committing Custom Tags to Fortify Software Security Center  116
Synchronizing Custom Tags with Fortify Software Security Center  116
Issue Template Sharing  117
Exporting an Issue Template  117
Importing an Issue Template  117
Troubleshooting  118
Resolving the Java OutOfMemory Message  118
Resolving Scan Failures Due to Insufficient Memory  118
Saving a Project That Exceeds the Maximum Removed Issues Limit  119
Using the Debug Option  119
Locating Log Files  120
Chapter 3: Using the Eclipse Remediation Plugin  121
Installing the Eclipse Remediation Plugin  121
Installing the Eclipse Remediation Plugin Locally  121
Installing the Eclipse Remediation Plugin from an Update Site  122
Posting the Eclipse Remediation Plugin to an Internal Update Site  122
Installing from an Update Site  122
Uninstalling the Eclipse Remediation Plugin from Eclipse  123
Opening a Fortify Software Security Center Application Version  123
Viewing Analysis Results from Fortify Software Security Center  125
Issues List  125
Grouping and Viewing Issues  126
Customizing the Issues List  127
Audit Tab  128
Assigning Users to Issues  128
Assigning Tags to Issues  128
Adding Comments to Issues  129
Recommendations Tab  129
Details Tab  129
History Tab  130
Locating the Source Code Associated with Issues  130
Generating and Downloading Reports  131
Generating Reports  131
Downloading Reports from Fortify Software Security Center  131
Send Documentation Feedback  132
Preface
Contacting Micro Focus Fortify Customer Support
Visit the Support website to:
Manage licenses and entitlements
Create and manage technical assistance requests
Browse documentation and knowledge articles
Download software
Explore the Community
https://www.microfocus.com/support
For More Information
For more information about Fortify software products: https://www.microfocus.com/cyberres/application-security
About the Documentation Set
The Fortify Software documentation set contains installation, user, and deployment guides for all Fortify Software products and components. In addition, you will find technical notes and release notes that describe new features, known issues, and last-minute updates. You can access the latest versions of these documents from the following Micro Focus Product Documentation website:
https://www.microfocus.com/support/documentation
To be notified of documentation updates between releases, subscribe to Fortify Product Announcements on the Micro Focus Community:
https://community.microfocus.com/cyberres/fortify/w/fortify-product-announcements
Fortify Product Feature Videos
You can find videos that highlight Fortify products and features on the Fortify Unplugged YouTube channel:
https://www.youtube.com/c/FortifyUnplugged
Change Log
The following table lists changes made to this document. Revisions to this document are published only if the changes made affect product functionality.
Software Release / Document Version | Change |
21.2.0 | Updated: |
21.1.0 | Added: |
20.2.0 | Updated: |
20.1.0 | Updated: |
"Configuring Fortify ScanCentral SAST Options" on page 29 - New ability to include test files in the scan
"Running an Advanced Analysis" on page 33 - New ability to perform an advanced analysis using Fortify ScanCentral SAST
"About Analyzing the Source Code" on page 21 and "About Scanning with Fortify ScanCentral SAST" on page 28 - New ability to scan source code with Micro Focus Fortify ScanCentral SAST
"Logging in to Fortify Software Security Center" on page 97 and "Opening a Fortify Software Security Center Application Version" on page 123 - New ability to connect to Fortify Software Security Center with an authentication token
"Generating Legacy Reports" on page 87 - Removed RTF as an output format for legacy reports
Chapter 1: Introduction
This guide provides information about how to install and use the Fortify Plugins for Eclipse. This section contains the following topics:
Fortify Plugin for Eclipse  10
Fortify Remediation Plugin for Eclipse  10
Related Documents  11
Fortify Plugin for Eclipse
The Fortify Plugin for Eclipse (Eclipse Complete Plugin) consists of three separate plugin components:
Analysis—Enables you to initiate a Micro Focus Fortify Static Code Analyzer analysis with Fortify Software Security Content, view the analysis results, and fix the code associated with uncovered issues, all within the Eclipse IDE.
Audit—Enables you to open existing analysis results and audit them. These results include detailed descriptions of the security vulnerabilities detected and recommended remediation strategies. The audit plugin component helps security code inspection by enabling you to easily navigate to the source code location associated with each vulnerability, and then prioritize and audit the results.
Collaboration—Includes server-related functionality such as connecting to Micro Focus Fortify Software Security Center, uploading results to Fortify Software Security Center, and performing collaborative audits. (If you do not want this functionality, then there is no need to install the collaboration plugin.)
Note: For information about supported versions of Eclipse, see the Micro Focus Fortify Software System Requirements document.
For instructions on how to install and use the Eclipse Complete Plugin, see "Using the Eclipse Complete Plugin" on page 14.
Fortify Remediation Plugin for Eclipse
The Fortify Remediation Plugin for Eclipse (Eclipse Remediation Plugin) works in conjunction with Micro Focus Fortify Software Security Center to add remediation functionality to your software security analysis from the Eclipse IDE. The Eclipse Remediation Plugin is a lightweight plugin option for developers who do not need the scanning and auditing capabilities of Audit Workbench and the Eclipse Complete Plugin.
The Eclipse Remediation Plugin enables developers to understand the reported vulnerabilities and implement appropriate solutions quickly and easily.
Developers can address security issues while they write code in Eclipse. Your organization can use the Eclipse Remediation Plugin with Fortify Software Security Center to manage projects and assign specific issues to the relevant developers.
For instructions on how to install and use the Eclipse Remediation Plugin, see "Using the Eclipse Remediation Plugin" on page 121.
Related Documents
This topic describes documents that provide information about Micro Focus Fortify software products.
All Products
The following documents provide general information for all products. Unless otherwise noted, these documents are available on the Micro Focus Product Documentation website.
Document / File Name | Description |
About Micro Focus Fortify Product Software Documentation About_Fortify_Docs_<version>.pdf | This paper provides information about how to access Micro Focus Fortify product documentation. Note: This document is included only with the product download. |
Micro Focus Fortify License and Infrastructure Manager Installation and Usage Guide LIM_Guide_<version>.pdf | This document describes how to install, configure, and use the Fortify License and Infrastructure Manager (LIM), which is available for installation on a local Windows server and as a container image on the Docker platform. |
Micro Focus Fortify Software System Requirements Fortify_Sys_Reqs_<version>.pdf | This document provides the details about the environments and products supported for this version of Fortify Software. |
Micro Focus Fortify Software Release Notes FortifySW_RN_<version>.pdf | This document provides an overview of the changes made to Fortify Software for this release and important information not included elsewhere in the product documentation. |
What’s New in Micro Focus Fortify Software <version> Fortify_Whats_New_<version>.pdf | This document describes the new features in Fortify Software products. |
Micro Focus Fortify ScanCentral SAST
The following document provides information about Fortify ScanCentral SAST. Unless otherwise noted, this document is available on the Micro Focus Product Documentation website at https://www.microfocus.com/documentation/fortify-software-security-center.
Document / File Name | Description |
Micro Focus Fortify ScanCentral SAST Installation, Configuration, and Usage Guide SC_SAST_Guide_<version>.pdf | This document provides information about how to install, configure, and use Fortify ScanCentral SAST to streamline the static code analysis process. It is written for anyone who intends to install, configure, or use Fortify ScanCentral SAST to offload the resource-intensive translation and scanning phases of their Fortify Static Code Analyzer process. |
Micro Focus Fortify Software Security Center
The following document provides information about Fortify Software Security Center. Unless otherwise noted, this document is available on the Micro Focus Product Documentation website at https://www.microfocus.com/documentation/fortify-software-security-center.
Document / File Name | Description |
Micro Focus Fortify Software Security Center User Guide SSC_Guide_<version>.pdf | This document provides Fortify Software Security Center users with detailed information about how to deploy and use Software Security Center. It provides all of the information you need to acquire, install, configure, and use Software Security Center. It is intended for use by system and instance administrators, database administrators (DBAs), enterprise security leads, development team managers, and developers. Software Security Center provides security team leads with a high-level overview of the history and current status of a project. |
Micro Focus Fortify Static Code Analyzer
The following documents provide information about Fortify Static Code Analyzer. Unless otherwise noted, these documents are available on the Micro Focus Product Documentation website at https://www.microfocus.com/documentation/fortify-static-code.
Document / File Name | Description |
Micro Focus Fortify Static Code Analyzer User Guide SCA_Guide_<version>.pdf | This document describes how to install and use Fortify Static Code Analyzer to scan code on many of the major programming platforms. It is intended for people responsible for security audits and secure coding. |
Micro Focus Fortify Static Code Analyzer Custom Rules Guide SCA_Cust_Rules_Guide_<version>.zip | This document provides the information that you need to create custom rules for Fortify Static Code Analyzer. This guide includes examples that apply rule-writing concepts to real-world security issues. Note: This document is included only with the product download. |
Chapter 2: Using the Eclipse Complete Plugin
This section contains the following topics:
About Installing the Eclipse Complete Plugin  14
Fortify Software Security Content  18
About Analyzing the Source Code  21
About Scanning Locally  22
About Scanning with Fortify ScanCentral SAST  28
Running an Advanced Analysis  33
About Viewing Analysis Results  41
Working with Issues  61
Searching for Issues  76
Generating Reports  87
Configuring a Connection to Fortify Software Security Center  96
Working with Audit Projects  99
About Issue Templates  103
Troubleshooting  118
About Installing the Eclipse Complete Plugin
Before you install the plugin in Eclipse, you must have selected the Eclipse Plugin during your Micro Focus Fortify Static Code Analyzer installation.
You have the following options for installing the Eclipse Complete Plugin:
"Installing the Eclipse Complete Plugin from Eclipse" on the next page
"Installing the Eclipse Complete Plugin from an Update Site" on page 16
Regardless of whether you install the Eclipse Complete Plugin locally or from an update site, you must have Fortify Static Code Analyzer and Applications locally installed to scan your projects locally or remotely (using Fortify ScanCentral SAST).
To update from an earlier Eclipse Complete Plugin version, you must first remove the existing version. For information about how to uninstall the plugin, see "Uninstalling the Eclipse Complete Plugin" on page 17.
Installing the Eclipse Complete Plugin from Eclipse
To install the Eclipse Complete Plugin locally:
Start Eclipse.
Select Help > Install New Software.
Click Add.
The Add Repository dialog box opens.
To create a local update site on your file system (as opposed to one on the Internet):
(Optional) In the Name box, type a name for the local update site.
Click Local, and then browse to and select the <sca_install_dir>/plugins/eclipse directory.
Click Add.
In the Install window, the Work with list displays the name and location of your local update site and the Fortify Eclipse Plugins node is listed as available software.
Expand the Fortify Eclipse Plugins node and select the check boxes for the features you want to install.
If you have Eclipse Java Development Tools (JDT) installed, you can clear the Contact all update sites during install to find required software check box to reduce the installation time.
Click Next.
The Install Details step lists the plugins you selected.
To display version and copyright information for a plugin in the Details section, click the feature name.
Click Next.
On the Review Licenses step, review and accept the terms of the Micro Focus license agreement.
Click Finish.
To complete the installation and restart Eclipse, click Restart Now when prompted.
After Eclipse restarts, the menu bar includes the Fortify menu.
Installing the Eclipse Complete Plugin from an Update Site
An alternative to requiring every developer to install the Eclipse Complete Plugin locally is to post the plugin to an internal update site that can serve as a single distribution point. The only requirement is that you have an internal web server.
Posting the Eclipse Complete Plugin to an Internal Update Site
To post the plugin for other users to access:
Copy the contents of the <sca_install_dir>/plugins/eclipse directory onto your web server.
Provide the URL for the update site to the appropriate users.
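The procedure above copies the plugin directory and hands out a URL, but anyone who installs from that URL has no way to tell whether the files on the web server are the ones that came out of the Fortify SCA installation. The script below is an added example and is not part of this guide or of the Fortify product: it stages the plugin directory into the web root and writes a SHA-256 manifest beside the files, then re-checks the published tree against that manifest before the URL is handed out. The environment variables SCA_INSTALL_DIR and WEB_ROOT, the fortify-eclipse subdirectory and the manifest name SHA256SUMS are assumptions, not names from the guide.

```shell
#!/bin/sh
# Added example, not from the Fortify guide: publish the Eclipse Complete
# Plugin to an internal update site together with a SHA-256 manifest.
# SCA_INSTALL_DIR (Fortify SCA installation) and WEB_ROOT (directory served
# by the internal web server) are assumed environment variables.
set -eu

# SHA-256 of one file; sha256sum on Linux, shasum on macOS.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Copy the plugin directory into the web root and write SHA256SUMS listing
# every published file by its path relative to the site root.
# Returns 1 (and publishes nothing) when the source directory is missing.
publish_update_site() {
    src="$1"
    dest="$2"
    if [ ! -d "$src" ]; then
        echo "plugin directory not found: $src" >&2
        return 1
    fi
    mkdir -p "$dest"
    cp -R "$src/." "$dest/"
    manifest="$dest/SHA256SUMS"
    : > "$manifest"
    (cd "$dest" && find . -type f ! -name SHA256SUMS | LC_ALL=C sort) |
    while read -r path; do
        path="${path#./}"
        printf '%s  %s\n' "$(sha256_of "$dest/$path")" "$path" >> "$manifest"
    done
    echo "published $(wc -l < "$manifest" | tr -d ' ') files to $dest"
}

# Re-hash every file named in SHA256SUMS; returns 1 if any file was changed
# or removed after publishing, so the check can run before the URL is shared.
verify_update_site() {
    dest="$1"
    status=0
    while read -r expected path; do
        if [ ! -f "$dest/$path" ] || [ "$(sha256_of "$dest/$path")" != "$expected" ]; then
            echo "checksum mismatch: $path" >&2
            status=1
        fi
    done < "$dest/SHA256SUMS"
    return "$status"
}

main() {
    site="${WEB_ROOT:?set WEB_ROOT}/fortify-eclipse"
    publish_update_site "${SCA_INSTALL_DIR:?set SCA_INSTALL_DIR}/plugins/eclipse" "$site"
    verify_update_site "$site"
}

# Run the publish/verify sequence only when invoked with an argument
# (for example "sh publish_site.sh go"); sourcing the file just defines functions.
if [ "$#" -gt 0 ]; then main; fi
```

The manifest lists paths relative to the site root, so developers who install from the site can fetch SHA256SUMS and compare it against the files Eclipse downloads, and the verify step catches a file that was altered or dropped on the web server after publishing.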
Installing the Eclipse Complete Plugin from an Update Site
To scan your projects with the Eclipse Complete Plugin installed from an update site, you must have Fortify Static Code Analyzer and Applications locally installed.
To install the Eclipse Complete Plugin after it has been posted to an update site:
Obtain the URL of the plugin update site for your organization.
Select Help > Install New Software.
Click Add.
In the Name box, type a name for the update site.
In the Location box, type the URL of the update site.
Click OK.
In the Install window, the Work with list displays the update site you specified and the Fortify Eclipse Plugins node is listed as available software.
Expand the Fortify Eclipse Plugins node, select the Fortify Eclipse Plugins check box, and then select the check box or check boxes for the plugins you want to install.
Click Next.
The Install Details step lists the plugins you selected.
To display version and copyright information about the plugin in the Details box, click the plugin name.
Click Next.
On the Review Licenses step, review and accept the terms of the Micro Focus license agreement.
Click Finish.
Click OK.
To complete the installation, click Yes to restart Eclipse when prompted. After Eclipse restarts, the menu bar includes the Fortify menu.
About Re-installing After Upgrading Fortify SCA and Applications from Fortify Audit Workbench
If you have upgraded Fortify SCA and Applications from Audit Workbench, you must uninstall, and then reinstall the Eclipse Complete Plugin. For information about how you can upgrade the Fortify SCA and Applications from Fortify Audit Workbench, see the Micro Focus Fortify Audit Workbench User Guide.
Managing the License
The Eclipse Complete Plugin requires a license to scan your code. For information about how to obtain a Fortify license file, see the Micro Focus Fortify Software System Requirements document.
To update your license:
Select Fortify > Manage License.
Click Browse and locate the Fortify license file on your computer, and then click OK.
Uninstalling the Eclipse Complete Plugin
You can uninstall the Eclipse Complete Plugin from either Eclipse or from the command line. See the Eclipse instructions for how to remove installed software from Eclipse.
An uninstall script is in the <sca_install_dir>/plugins/eclipse directory. To uninstall all the Fortify Eclipse plugins from the command line:
Close Eclipse if it is open.
Run the uninstall script for your operating system:
On Windows, run uninstall_fortify_plugins.cmd.
On Linux or macOS, run uninstall_fortify_plugins.sh.
Type the location of the folder that contains the Eclipse executable.
Fortify Software Security Content
The Eclipse Complete Plugin uses a knowledge base of rules to enforce secure coding standards applicable to the codebase for static analysis. Fortify software security content consists of Fortify Secure Coding Rulepacks and external metadata:
Fortify Secure Coding Rulepacks describe general secure coding idioms for popular languages and public APIs
External metadata provides mappings from the Fortify vulnerability categories to alternative categories (such as CWE, OWASP Top 10, and PCI)
Fortify provides the ability to write custom rules that add to the functionality of Fortify Static Code Analyzer and the Secure Coding Rulepacks. For example, you might need to enforce proprietary security guidelines or analyze a project that uses third-party libraries or other pre-compiled binaries that are not already covered by the Secure Coding Rulepacks. You can also customize the external metadata to map Fortify issues to different taxonomies, such as internal application security standards or additional compliance obligations. For instructions on how to create your own custom rules or custom external metadata, see the Micro Focus Fortify Static Code Analyzer Custom Rules Guide.
If you are using collaborative auditing with Micro Focus Fortify Software Security Center, make sure that any custom rules or external metadata changes are also made in Fortify Software Security Center.
Typically, you obtain the current Fortify Software Security Content when you install Fortify SCA and Applications.
"Importing Custom Security Content" on page 21
Configuring Security Content Updates
If the analysis plugin component is installed, you can specify the server information to use to update security content. To update security content manually (without an Internet connection or Micro Focus Fortify Software Security Center), see "Manually Updating Security Content" on page 21.
To configure security content updates:
Select Fortify > Options.
In the left pane, select Server Configuration.
To update security content from your Fortify Software Security Center server:
Under Security Content Update, select the Update from Software Security Center check box.
Under Software Security Center, specify the Fortify Software Security Center server URL and if necessary, the proxy server, port number, and optionally credentials for proxy authentication.
To specify an update server from which to update security content, under Security Content Update, do the following:
In the Server URL box, type the URL for the update server.
If required, specify the proxy server, port number, and optionally credentials for proxy authentication.
To update security content automatically and with a specific frequency:
Select the Perform security content update automatically check box.
In the Update frequency (days) box, specify how often (type the number of days) you want the security content automatically updated.
Click OK.
Updating Security Content
Fortify provides security content in English, Spanish, Brazilian Portuguese, Japanese, Korean, Simplified Chinese, or Traditional Chinese. Issue descriptions and recommendations are available in the selected language and the Fortify categories are in English.
To update your security content:
Select Fortify > Options.
In the left pane, select Security Content Management.
Any custom rules and custom external mappings appear in the Installed Custom Security Content list.
In the Update Security Content list, select the security content in the language you want. The Security Content Update window displays the results of the security content update.
Click OK to close the Security Content Update window.
Manually Updating Security Content
You can manually update security content from a local ZIP file with the fortifyupdate utility. To manually update your security content:
Open a command prompt window, and then navigate to the <sca_install_dir>/bin directory.
At the prompt, type the following:
fortifyupdate -import <file>.zip
For more information about the fortifyupdate utility, see the Micro Focus Fortify Static Code Analyzer User Guide.
Importing Custom Security Content
You can import custom security content to use in your scans.
Note: To import custom external metadata, place your external metadata file in the <sca_install_dir>/Core/config/CustomExternalMetadata directory.
To import custom rules, do the following:
Select Fortify > Options.
In the left pane, select Security Content Management.
Click Import Custom Security Content.
Select the custom rules file you want to import, and then click Open.
About Analyzing the Source Code
If you installed the analysis plugin component, you can initiate an analysis of your source code from Eclipse. To get the best analysis results, make sure that you can compile the project with no errors before you analyze your project source code. A security analysis with Micro Focus Fortify Static Code Analyzer consists of the following main phases:
Translate the source code files into intermediate files
Scan the intermediate files to complete the security analysis
There are two ways to analyze your source code:
Use the locally installed Micro Focus Fortify Static Code Analyzer to perform the entire analysis (translation and scan phases). For information about how to configure and run the analysis locally, see "About Scanning Locally" below.
After the scan is complete, the Eclipse Complete Plugin displays the analysis results in Eclipse.
Use Micro Focus Fortify ScanCentral SAST to perform the entire analysis (translation and scan phases) or only the scan phase. For information about how to configure and run the analysis using Fortify ScanCentral SAST, see "About Scanning with Fortify ScanCentral SAST" on page 28.
To view the analysis results after a Fortify ScanCentral SAST scan, configure the Eclipse Complete Plugin to upload the analysis results to a Fortify Software Security Center server. You can then connect to Fortify Software Security Center to view the analysis results in Eclipse (see "Using the Eclipse Remediation Plugin" on page 121).
Alternatively, use the provided job token in the Fortify ScanCentral SAST command-line interface to retrieve the analysis results (FPR) file (see the Micro Focus Fortify ScanCentral SAST Installation, Configuration, and Usage Guide). You can then use the Eclipse Complete Plugin to open the analysis results in Eclipse (see "Opening an Audit Project" on page 100).
About Scanning Locally
This section describes how to configure the analysis options and perform a scan of your Java source code using the locally installed Micro Focus Fortify Static Code Analyzer. The Eclipse Complete Plugin invokes Fortify Static Code Analyzer with the server Java Virtual Machine.
Fortify strongly recommends that you periodically update the security content, which contains Fortify Secure Coding Rulepacks and external metadata. For instructions, see "Updating Security Content" on page 20.
About Quick Scan Mode
Quick scan mode provides a way to quickly scan your projects for critical- and high-priority issues. Fortify Static Code Analyzer performs the scan faster by reducing the depth of the analysis and applying the Quick View filter set. The quick scan settings are configurable. For more details about the configuration of quick scan mode, see the Micro Focus Fortify Static Code Analyzer User Guide.
Quick scans are a great way to get many applications through an assessment so that you can quickly find issues and begin remediation. The performance improvement you get depends on the complexity and size of the application. Although the scan is faster than a full scan, it does not provide as robust a result set. Other issues that a quick scan cannot detect might exist in your application. Fortify recommends that you run full scans whenever possible.
Note: By default, Micro Focus Fortify Software Security Center does not allow you to upload scans performed in quick scan mode. However, you can configure your Fortify Software Security Center application version so that uploaded audit projects scanned in quick scan mode are processed. For more information, see analysis results processing rules in the Micro Focus Fortify Software Security Center User Guide.
You can use quick scan mode for scans that use a locally installed Fortify Static Code Analyzer. Audit quick scan results just as you audit full analysis results. To configure your scan to run in full scan or quick scan mode, see "Configuring Advanced Local Analysis Options" on the next page.
Configuring Local Analysis Options
The analysis options enable you to customize the security content and the amount of memory Micro Focus Fortify Static Code Analyzer uses during a local analysis. You can also specify the SQL type used in your project. The source code analysis options are available only if the analysis plugin is installed.
To configure the analysis options:
Select Fortify > Options.
Select Default Project Configuration. The Analysis Configuration tab opens.
To specify the amount of memory to use for the scan, type an integer in the Memory (MB) box.
By default, Fortify Static Code Analyzer treats SQL files as though they use the T-SQL procedural language on Windows systems and PL/SQL on other platforms. To specify the SQL type, from the SQL Type list, select TSQL or PLSQL.
To use specific security content to scan the project (instead of all security content), under Security Content, clear the Use All Installed Security Content check box, and then select the check boxes for the installed Fortify and custom security content to use.
To update or import custom security content, click Manage Security Content. For more information, see "Updating Security Content" on page 20.
Click OK.
Configuring Advanced Local Analysis Options
Use the advanced analysis options to customize Micro Focus Fortify Static Code Analyzer translation and scan command-line options. You can also specify whether quick scan mode is enabled, if issues are merged during a rescan, if resources in dependent projects are scanned, and the location for the analysis results file. These options are available only if the analysis plugin is installed.
To change the advanced analysis options:
Select Fortify > Options.
In the left pane, select Default Project Configuration.
Select the Advanced Analysis Options tab.
To scan only the selected project, clear the Scan resources in dependent projects check box.
By default, the Eclipse Complete Plugin includes all source files from dependent projects in scans of selected projects. For more information, see "Viewing the Resources and Classpath to be Scanned" on the next page.
Select the Use additional SCA options check box and type command-line options for either the translation or scan phase.
For example, if you include the -verbose command-line option, detailed status messages are sent to the console during the analysis.
For information about the available command-line options and the proper syntax, see the Micro Focus Fortify Static Code Analyzer User Guide.
To perform a quick scan, select the Enable quick scan mode check box.
For more information about quick scans, see "About Quick Scan Mode" on page 22.
To disable merging the results of the next scan you run with results from the previous scan, clear the Merge with previous scan check box.
For more information about merging analysis results with rescanning, see "Rescanning Projects" on page 27.
To change the default directory and FPR file name for all projects, do one of the following:
In the Output results to box, type the absolute path for FPR files.
To specify a name and a static workspace folder for FPR files, click Workspace, and then, in the Folder Selection window, navigate to and select a workspace relative directory.
To specify a name and a static folder that is not part of your workspace, click File System, and then select a directory for FPR files.
To specify a name and a dynamic path that changes based on the project you are analyzing, click Variables, and then, in the Select Variable window, select core Eclipse variables to specify the relative path for FPR files.
To change the default directory and FPR file name for a specific project, use the Eclipse Properties window (see "Configuring Analysis Options for Specific Projects" below).
Click OK to save the advanced analysis options.
Configuring Analysis Options for Specific Projects
To specify Micro Focus Fortify Static Code Analyzer analysis options for a specific project:
From the Java perspective in Eclipse, right-click a project name, and then select Properties. The Properties for <project_name> window opens.
In the left pane, select Fortify Project Properties.
Select the Enable Project Specific Settings check box.
Make the changes you want for this specific project.
For descriptions of the options, see "Configuring Local Analysis Options" on page 23 and "Configuring Advanced Local Analysis Options" on page 24.
Viewing the Resources and Classpath to be Scanned
To see the project resources and the class path to be scanned for a project:
From the Java view in Eclipse, do one of the following:
Right-click a project name, and then select Advanced Analysis.
Select a project name, and then select Fortify > Advanced Analysis. The Advanced Static Analysis wizard opens.
Expand the directory tree.
The Advanced Static Analysis wizard displays the complete absolute path of the project resources and the class path files to be scanned. If you have Scan resources in dependent projects enabled in the default project configuration options (see "Configuring Advanced Local Analysis Options" on page 24), you can see any dependent projects under the Scanning Resources root. All library JAR files configured for your project are shown in the Classpath folder.
The Eclipse Complete Plugin automatically includes all source files from dependent projects in scans. Although you can scan individual packages and files (see "Scanning Individual Files and Packages" below), the results are more accurate if you scan an entire project at once.
To scan a project:
Open the project in the Java perspective.
In the Package Explorer or Project Explorer view, right-click the project, and then select Analyze Project.
After the scan finishes, the results are loaded into and displayed in the Fortify Audit perspective.
Scanning Individual Files and Packages
You can also scan individual files and packages.
To scan individual files or packages:
Open the project in the Java perspective.
In the Package Explorer view, right-click the file or package to scan, and then select Analyze Project Component.
Rescanning Projects
By default, when you rescan a project from Eclipse, the scan merges the results from the previous scan with the results from the new scan. This enables you to see specifically which issues have been fixed and which issues were introduced since the earlier scan. You can enable or disable the merging of scan results. If you disable merging analysis results, the existing analysis results file is overwritten with the new analysis results.
Disabling Merging Scan Results for all Projects
To disable merging the results of the next scan you run with results from the previous scan as the default for all projects:
Select Fortify > Options.
In the left pane, select Default Project Configuration.
Select the Advanced Analysis Options tab.
Under Local Scan Options, clear the Merge with previous scan check box.
Click OK.
You can specify whether the results are merged with the previous scan results on a per-scan basis using an advanced scan (see "Running an Advanced Analysis" on page 33).
Disabling Merging Scan Results for a Specific Project
You can override merging for a specific project.
To disable Fortify Plugins for Eclipse from merging scan results for a specific project:
From the Java perspective, right-click a project name, and then select Properties.
In the left pane, select Fortify Project Properties.
Select the Enable Project Specific Settings check box.
Select the Advanced Analysis Options tab.
Under Local Scan Options, clear the Merge with previous scan check box.
Click Apply and Close.
About Scanning with Fortify ScanCentral SAST
This topic describes the requirements for using Micro Focus Fortify ScanCentral SAST to analyze your code and to upload the analysis results to Micro Focus Fortify Software Security Center. For instructions about how to configure the Fortify ScanCentral SAST options, see "Configuring Fortify ScanCentral SAST Options" on the next page.
With Eclipse Complete Plugin, you can either:
Perform the entire analysis (translation and scan) with Fortify ScanCentral SAST.
Perform the translation locally and then automatically upload the translated project to Fortify ScanCentral SAST for the scan phase.
You must translate the project locally if it uses a language that Fortify ScanCentral SAST does not support for remote translation (see Micro Focus Fortify Software System Requirements).
Make sure that the Fortify Software Security Content version on the local system is the same as the version on the Fortify ScanCentral sensor. Fortify strongly recommends that you periodically update the security content. For information about how to update the security content locally, see "Updating Security Content" on page 20. Use the fortifyupdate utility to update security content on the ScanCentral sensor (see the Micro Focus Fortify Static Code Analyzer User Guide).
To analyze your code with Fortify ScanCentral SAST, you need the following:
A properly configured Fortify ScanCentral SAST installation. For more information, see the Micro Focus Fortify ScanCentral SAST Installation, Configuration, and Usage Guide.
To connect to Fortify ScanCentral SAST, you need either:
A ScanCentral Controller URL. The Controller's server certificate must be trusted by Fortify Static Code Analyzer (trust store: <sca_install_dir>/jre/lib/security/cacerts) and by Eclipse. For more information, see the Micro Focus Fortify ScanCentral SAST Installation, Configuration, and Usage Guide.
A Fortify Software Security Center URL and an authentication token of type ToolsConnectToken. To configure the Fortify Software Security Center URL, see "Configuring a Connection to Fortify Software Security Center" on page 96. For instructions on how to create an authentication token, see the Micro Focus Fortify Software Security Center User Guide. The Fortify Software Security Center server certificate must likewise be trusted by Fortify Static Code Analyzer (trust store: <sca_install_dir>/jre/lib/security/cacerts) and by Eclipse. For more information, see the Micro Focus Fortify Software Security Center User Guide.
To send the analysis results to a Fortify Software Security Center server, you need the following:
A Fortify Software Security Center URL or a ScanCentral Controller that is integrated with a Fortify Software Security Center server.
A Fortify Software Security Center authentication token of type ToolsConnectToken
For instructions on how to create an authentication token, see the Micro Focus Fortify Software Security Center User Guide.
An application version that exists in Fortify Software Security Center
Permission to access the application version where you want to upload analysis results
Configuring Fortify ScanCentral SAST Options
This section describes how to configure the default Micro Focus Fortify ScanCentral SAST options to use when you submit a project for analysis. You can specify the translation type (local or remote), the Fortify Static Code Analyzer translation and scan options, the sensor pool selection, and whether to upload analysis results to Micro Focus Fortify Software Security Center.
To configure the Fortify ScanCentral SAST options:
Select Fortify > Options.
In the left pane, select ScanCentral SAST Configuration.
Select Enable ScanCentral SAST Upload.
(Optional) Select Include Test Files in Scan to include the test source set (Gradle) or a test scope (Maven) with the scan.
To specify how to connect to Fortify ScanCentral SAST, do one of the following:
Select Use Controller URL, and then in the Controller URL box, type the URL for the ScanCentral Controller.
Example: https://<controller_host>:<port>/scancentral-ctrl
Select Get Controller URL from SSC, and then in the Token box, paste the decoded token value for an authentication token of type ToolsConnectToken.
Make sure that the Fortify Software Security Center URL associated with the ScanCentral Controller is provided in the Server Configuration options (see "Configuring a Connection to Fortify Software Security Center" on page 96).
To upload the analysis results to Fortify Software Security Center, select the Send Scan Results to SSC check box.
If you have not already specified a Fortify Software Security Center authentication token, do the following:
In the Token box, paste the decoded token value for an authentication token of type ToolsConnectToken.
Under Default Translation Type, specify where to run the translation phase of the analysis by selecting one of the following:
Under Sensor Pool, specify whether to use the default sensor pool or to choose from a list of sensor pools when you initiate a Fortify ScanCentral SAST scan.
(Optional) In the Notification Email box, type an email address for job status notification.
(Optional) To specify Fortify Static Code Analyzer command-line options for the translation or scan phase (or to specify whether to scan resources in dependent projects):
Click Advanced Scan Options.
The Default Project Configuration page opens.
Select the Advanced Analysis Options tab.
Select the Use additional SCA Options check box and type Fortify Static Code Analyzer command-line options for the translation or scan phase. For detailed information about the available Fortify Static Code Analyzer options and the proper syntax, see the Micro Focus Fortify Static Code Analyzer User Guide.
Click OK.
Click OK to save your configuration.
Scanning Projects with ScanCentral SAST
Before you can scan your project with Fortify ScanCentral SAST, you must configure the Fortify ScanCentral SAST analysis options as described in "Configuring Fortify ScanCentral SAST Options" on page 29.
To scan a project with Fortify ScanCentral SAST:
In the Package Explorer or Project Explorer view, select a project.
Select Fortify > Analyze Project with ScanCentral.
If prompted, select the application version where you want to upload the analysis results, and then click OK.
If prompted, select a sensor pool, and then click OK.
The following dialog box contains example sensor pool names.
To view the analysis results, you can either:
Copy the provided job token and use it in the Fortify ScanCentral SAST command-line interface to check the status and retrieve the analysis results (see the Micro Focus Fortify ScanCentral SAST Installation, Configuration, and Usage Guide). You can then open the analysis results in Eclipse (see "Opening an Audit Project" on page 100).
If you uploaded the analysis results to Fortify Software Security Center, you can check the status of the job (and view the results) on the Fortify Software Security Center server. After the scan is complete, you can open the results in Eclipse (see "Using the Eclipse Remediation Plugin" on page 121).
Running an Advanced Analysis
Use the advanced analysis to scan Eclipse projects that have source code in multiple directories, special translation or build conditions, or files that you want to exclude from the project. With advanced analysis, you can scan Java projects, JavaScript projects, PHP projects, C/C++ projects, and all other types of projects that you can create in Eclipse.
Before you use advanced analysis with Fortify ScanCentral SAST, make sure you configure the Fortify ScanCentral SAST options (see "Configuring Fortify ScanCentral SAST Options" on page 29) and you have a properly configured Fortify ScanCentral SAST installation. For more information, see the Micro Focus Fortify ScanCentral SAST Installation, Configuration, and Usage Guide.
To perform an advanced analysis:
From Eclipse, select one or more projects.
Select Fortify > Advanced Analysis.
The Advanced Static Analysis wizard opens.
The selected Eclipse projects to be scanned are listed in the left pane. To exclude a project from the advanced analysis, clear the check box for that project.
Under Type, specify where you want to run the translation phase of the analysis. Do one of the following:
To run the translation phase using a locally installed instance of Fortify Static Code Analyzer, select Local.
On the next page in the wizard, you can select whether to run the scan phase locally or remotely with Fortify ScanCentral SAST.
To run the entire analysis with Fortify ScanCentral SAST, select Remote.
When Fortify ScanCentral SAST performs the translation phase, it will automatically run the scan phase as well.
In the Build ID box, type the build ID.
If you selected only one project for the advanced analysis, the root directory name is the default build ID. Otherwise, the wizard creates a unique number for the build ID, which you can change.
To disable translation, clear the Enable Translation check box.
For example, if the security content has changed but the source code has not, you might want to disable the translation phase so that the project is scanned without retranslating.
To add additional Eclipse projects for analysis, click Add Project above the Eclipse projects list on the left.
The wizard automatically includes all supported files in the translation as determined by the project type. For Java projects, the wizard uses Eclipse logic to resolve source paths. For non-Java projects, the wizard includes all files under the project root.
Make sure that only the files or directories that you want to translate are selected. To add additional folders or files for translation, click Add Folders. To add JAR files, click Add JAR.
Click Settings for each Eclipse project to specify additional Fortify Static Code Analyzer translation options.
From the JDK version list, select the Java version of the code in the project.
By default, Micro Focus Fortify Static Code Analyzer treats SQL files as though they use the T-SQL procedural language on Windows systems and PL/SQL on other platforms. To specify the SQL type, from the SQL Type list, select TSQL or PLSQL.
Specify any additional translation options in the Additional SCA Translation Options box.
For information about the available Fortify Static Code Analyzer command-line options, see the Micro Focus Fortify Static Code Analyzer User Guide.
Click Next to configure the scan options.
For a locally run scan only, you can adjust any of the following scan options:
To skip the scan phase, clear the Enable Scan check box.
For example, to offload the scan phase to a different machine, skip the scan phase, use the command line to create a mobile build session (MBS) file, and import the MBS on the scan machine. See the Micro Focus Fortify Static Code Analyzer User Guide for instructions on how to use mobile build sessions.
To specify a different output file path than the default, in the Output file box, type the path and file name for the FPR file that Fortify Static Code Analyzer is to generate.
To perform a quick scan, select the Enable quick scan mode check box.
For information about quick scans, see "About Quick Scan Mode" on page 22.
To merge these results with a previous scan, select the Merge with previous scan check box, and then click Browse to navigate to and select the previous FPR file.
To specify the amount of memory Fortify Static Code Analyzer uses for scanning, adjust the memory slider as needed.
(Optional) Specify any additional scan options in the Additional Scan Arguments box.
For information about the available Fortify Static Code Analyzer command-line scan options, see the Micro Focus Fortify Static Code Analyzer User Guide.
(Optional) To scan the code with a custom selection of Fortify Secure Coding Rulepacks, do the following:
In the Secure Coding Rulepacks list in the left pane, expand the Installed Fortify Security Content node to display the installed Rulepacks.
In the Installed Fortify Security Content list, clear the check boxes that correspond to any Rulepacks you want to disable for the scan.
Click Next.
For a remote analysis only, the Configure SSC Upload and Sensor Pool page opens, with options to upload the analysis results to Fortify Software Security Center and to select a sensor pool.
To upload the analysis results to Fortify Software Security Center, do the following:
Select Send Scan Results to SSC.
Click Select Application Version.
In the Choose Application and Version Mapping for Upload results dialog box, select an application version.
Click OK.
(Optional) Select a sensor pool from the Sensor Pool list (the default sensor pool is preselected), and then click Next.
The Preview SCA Commands page displays a preview of the Fortify Static Code Analyzer or Fortify ScanCentral SAST commands to be used for the analysis.
(Optional) On the Preview SCA Commands page, you can review and modify the Fortify Static Code Analyzer translation and scan commands.
Click Next to proceed to the Audit guide page.
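The wizard's Preview SCA Commands page shows the Fortify Static Code Analyzer commands that the translation and scan settings above produce. The script below is an added example, not code from the Fortify documentation or from the plugin, that reconstructs that sequence as a plain shell pipeline: translate with a build ID, then scan (in quick scan mode or not, as in "About Quick Scan Mode"), or export a mobile build session when the scan phase is skipped, and optionally merge the new FPR with a previous one. It assumes that sourceanalyzer and FPRUtility are the command-line tools of a local Fortify Static Code Analyzer installation and that the options used (-b, -scan, -f, -quick, -Xmx, -source, -sql-language, -export-build-session, -verbose, and FPRUtility -merge) are as documented in the Micro Focus Fortify Static Code Analyzer User Guide; the build ID, paths and memory size are constructed sample values.

```shell
#!/bin/sh
# Added example: the command sequence behind the Advanced Static Analysis wizard,
# as a dry-run shell pipeline. Not part of the Fortify documentation or plugin.
# ASSUMED: sourceanalyzer / FPRUtility are the Fortify SCA command-line tools and
# the flags below are as documented in the Fortify SCA User Guide.
# All paths, the build ID and the memory size are constructed sample values.

: "${DRY_RUN:=1}"   # 1 = only print the commands (default); 0 = execute them

run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '[dry-run] %s\n' "$1"
  else
    sh -c "$1"
  fi
}

# Translation phase: mirrors the wizard's per-project Settings page
# (JDK version, SQL type, additional translation options) plus the source folder.
#   $1 build ID  $2 JDK version  $3 SQL type (TSQL|PLSQL)  $4 source dir  $5 extra options
translate_cmd() {
  cmd="sourceanalyzer -b $1 -source $2 -sql-language $3"
  [ -n "$5" ] && cmd="$cmd $5"
  printf '%s\n' "$cmd $4"
}

# Scan phase: mirrors the wizard's scan options page
# (output FPR, memory, quick scan mode, additional scan arguments).
#   $1 build ID  $2 output FPR  $3 memory in MB  $4 quick scan (yes|no)  $5 extra arguments
scan_cmd() {
  cmd="sourceanalyzer -b $1 -scan -Xmx$3M -f $2"
  [ "$4" = "yes" ] && cmd="$cmd -quick"
  [ -n "$5" ] && cmd="$cmd $5"
  printf '%s\n' "$cmd"
}

# "Enable Scan" cleared: export a mobile build session to scan on another machine.
#   $1 build ID  $2 MBS file
export_mbs_cmd() {
  printf 'sourceanalyzer -b %s -export-build-session %s\n' "$1" "$2"
}

# "Merge with previous scan": combine the new FPR with the previous one.
#   $1 new FPR  $2 previous FPR  $3 merged output FPR
merge_cmd() {
  printf 'FPRUtility -merge -project %s -source %s -f %s\n' "$1" "$2" "$3"
}

# Constructed sample settings, as a user would choose them in the wizard.
BUILD_ID=demo_project                      # default build ID = project root directory name
SRC_DIR=./demo_project/src
OUT_FPR=./demo_project/demo_project.fpr
PREV_FPR=./demo_project/previous.fpr
QUICK=no                                   # "Enable quick scan mode" check box
ENABLE_SCAN="${ENABLE_SCAN:-1}"            # "Enable Scan" check box

run "$(translate_cmd "$BUILD_ID" 1.8 PLSQL "$SRC_DIR" -verbose)"
if [ "$ENABLE_SCAN" = "1" ]; then
  run "$(scan_cmd "$BUILD_ID" "$OUT_FPR" 4096 "$QUICK" -verbose)"
  if [ -f "$PREV_FPR" ]; then
    run "$(merge_cmd "$OUT_FPR" "$PREV_FPR" "$OUT_FPR")"
  fi
else
  run "$(export_mbs_cmd "$BUILD_ID" ./demo_project/demo_project.mbs)"
fi
```

Run it as-is to see the commands the wizard settings correspond to; set DRY_RUN=0 on a machine with Fortify Static Code Analyzer installed to execute them, and ENABLE_SCAN=0 to produce a mobile build session instead of scanning locally.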