Software Version: 21.2.0
Document Release Date: November 2021
Software Release Date: November 2021
Legal Notices
Micro Focus The Lawn
22-30 Old Bath Road Newbury, Berkshire RG14 1QN UK
Warranty
The only warranties for products and services of Micro Focus and its affiliates and licensors (“Micro Focus”) are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.
Restricted Rights Legend
Confidential computer software. Except as specifically indicated otherwise, a valid license from Micro Focus is required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.
Copyright Notice
© Copyright 2009 - 2021 Micro Focus or one of its affiliates
Trademark Notices
All trademarks, service marks, product names, and logos included in this document are the property of their respective owners.
Documentation Updates
The title page of this document contains the following identifying information:
Software Version number
Document Release Date, which changes each time the document is updated
Software Release Date, which indicates the release date of this version of the software
This document was produced on November 01, 2021. To check for recent updates or to verify that you are using the most recent edition of a document, go to:
https://www.microfocus.com/support/documentation
Preface 7
  Contacting Micro Focus Fortify Customer Support 7
  For More Information 7
  About the Documentation Set 7
  Fortify Product Feature Videos 7
Chapter 1: Introduction 10
  Fortify Extension for Visual Studio 10
  Fortify Security Content 11
  About Analyzing the Source Code 11
  Installation 12
  Upgrades 12
  Related Documents 12
  All Products 13
  Micro Focus Fortify ScanCentral SAST 14
  Micro Focus Fortify Software Security Center 14
  Micro Focus Fortify Static Code Analyzer 15
Chapter 2: Using the Fortify Extension for Visual Studio 16
  Working with Fortify Software Security Center 16
  Configuring a Connection to Fortify Software Security Center 17
  Logging in to Fortify Software Security Center 17
  Synchronizing with Fortify Software Security Center 18
  About Updating Security Content 19
  Configuring Security Content Updates 19
  Updating Security Content 20
  Scheduling Automatic Security Content Updates 21
  Manually Updating Security Content 21
  Importing Custom Security Content 21
  About Scanning Locally 22
  About Quick Scan Mode 22
  Configuring Local Scan Options 22
  Configuring Advanced Local Scan Options 24
  Scanning Projects or Solutions Locally 26
  About Scanning with Fortify ScanCentral SAST 26
  Configuring Fortify ScanCentral SAST Options 27
  Scanning Projects or Solutions with Fortify ScanCentral SAST 29
  Advanced Scanning of Solutions with Fortify ScanCentral SAST 30
  Viewing Analysis Results 32
  Analysis Results Window 33
  Filter Sets 33
  Folders (Tabs) 34
  Group By List 34
  Customizing the Issues Display 34
  Viewing Project Summary Information 35
  Analysis Trace Window 36
  Issue Auditing Window 38
  Code Editor 42
  Grouping Issues 43
  Creating a Custom Group By Option 44
  Searching for Issues 45
  Search Modifiers 46
  Search Query Examples 52
  Performing Simple Searches 52
  Performing Advanced Searches 53
  Filtering Issues with the Audit Guide 54
  Auditing Analysis Results 55
  Auditing Issues 56
  Suppressing Issues 57
  Viewing Suppressed Issues 57
  Submitting an Issue as a Bug 57
  Using Issue Templates 57
  Saving Issue Templates 58
  Exporting Issue Templates 58
  Importing Issue Templates 59
  Configuring Custom Tags for Auditing 59
  Adding a Custom Tag 60
  Hiding a Custom Tag 61
  Creating a Filter Set 62
  Creating a Filter from the Analysis Results Window 62
  Creating a Filter from the Filters Tab 63
  Copying a Filter to Another Filter Set 64
  Managing Folders 64
  Creating a Folder 64
  Adding a Folder to a Filter Set 65
  Renaming a Folder 66
  Removing a Folder 66
  Generating Analysis Results Reports 67
  BIRT Reports 67
  Generating BIRT Reports 69
  About Legacy Reports 71
  Generating Legacy Reports 71
  Legacy Report Templates 72
  Opening Legacy Report Templates 72
  Working with Audit Projects 78
  Opening Audit Projects 78
  About Merging Audit Data 79
  Merging Audit Data 79
  Performing a Collaborative Audit 79
  Uploading Results to Fortify Software Security Center 80
  Integrating with a Bug Tracker Application 81
  Filing Bugs to Azure DevOps Server 81
  Troubleshooting 82
  Enabling Debug Mode 82
  Locating the Log Files 82
Chapter 3: Remediating Results from Fortify Software Security Center 83
  Working with Applications 83
  Connecting to a Fortify Software Security Center Application 83
  Viewing and Selecting Issues in an Application 84
  Working with Issues 86
  Audit Tab 86
  Recommendation Tab 88
  Details Tab 88
  History Tab 89
  Customizing Issue Visibility 89
  Searching for Issues 89
  Assigning Users to Issues 89
  Assigning Tags to Issues 90
  Locating Issues in Source Code 90
Send Documentation Feedback 91
Preface
Contacting Micro Focus Fortify Customer Support
Visit the Support website to:
Manage licenses and entitlements
Create and manage technical assistance requests
Browse documentation and knowledge articles
Download software
Explore the Community
https://www.microfocus.com/support
For More Information
For more information about Fortify software products:
https://www.microfocus.com/cyberres/application-security
About the Documentation Set
The Fortify Software documentation set contains installation, user, and deployment guides for all Fortify Software products and components. In addition, you will find technical notes and release notes that describe new features, known issues, and last-minute updates. You can access the latest versions of these documents from the following Micro Focus Product Documentation website:
https://www.microfocus.com/support/documentation
To be notified of documentation updates between releases, subscribe to Fortify Product Announcements on the Micro Focus Community:
https://community.microfocus.com/cyberres/fortify/w/fortify-product-announcements
Fortify Product Feature Videos
You can find videos that highlight Fortify products and features on the Fortify Unplugged YouTube channel:
https://www.youtube.com/c/FortifyUnplugged
The following table lists changes made to this document. Revisions to this document are published between software releases only if the changes made affect product functionality.
Software Release / Document Version | Changes |
21.2.0 | Updated: page 83 - Updates made for filtering the issues list and assigning users to issues |
21.1.0 | Updated: |
20.2.0 | Updated: |
"About Analyzing the Source Code" on page 11 - Changes made to describe the new capabilities in scanning source code with Micro Focus Fortify ScanCentral SAST
"Configuring Advanced Local Scan Options" on page 24 - New option to disable merging of analysis results when you rescan a project or solution
"About Scanning with Fortify ScanCentral SAST" on page 26 - New ability to perform remote translation and scan with Fortify ScanCentral SAST
"BIRT Reports" on page 67 - Report template renamed CWE Top 25 to accommodate multiple versions now supported
"Logging in to Fortify Software Security Center" on page 17 - New ability to connect to Fortify Software Security Center with an authentication token
"Updating Security Content" on page 20 - New option to update Fortify Security Content in different languages
"Configuring Advanced Local Scan Options" on page 24 - New option to specify a custom build ID for the scan
"Adding a Custom Tag" on page 60 - New ability to make a custom tag the primary tag
20.1.0 | Updated: |
"BIRT Reports" on page 67 - Added a description of a new report: OWASP ASVS 4.0
"Remediating Results from Fortify Software Security Center" on page 83 - Edited to reflect minor user interface changes
Replaced all references to Micro Focus Fortify ScanCentral with the new product name: Micro Focus Fortify ScanCentral SAST
Replaced all references to Micro Focus Fortify CloudScan with the new product name: Micro Focus Fortify ScanCentral SAST
"BIRT Reports" on page 67 - Added a description of a new report: CWE Top 25 2019
Chapter 1: Introduction
This guide describes how to use the Fortify Extension for Visual Studio to scan and analyze your project source code to uncover security vulnerabilities (issues), which you can then evaluate and remediate.
This section contains the following topics:
Fortify Extension for Visual Studio 10
Fortify Security Content 11
About Analyzing the Source Code 11
Installation 12
Upgrades 12
Related Documents 12
Fortify Extension for Visual Studio
The Fortify Extension for Visual Studio works with the Visual Studio integrated development environment (IDE). The extension integrates into the Visual Studio IDE as a software extension.
Software security analysis typically consists of the following phases:
Analysis—Scan a codebase for vulnerabilities
Auditing—Review the analysis results to eliminate false positives and prioritize remediation efforts
Remediation—Fix and eliminate security vulnerabilities in your code
The Fortify Extension for Visual Studio uses Micro Focus Fortify Static Code Analyzer and Fortify Secure Coding Rulepacks to locate security vulnerabilities in your solutions and projects (supported languages: C/C++, C#, Visual Basic (VB.NET), and ASP.NET). The analysis results are displayed in Visual Studio and include a list of the issues uncovered, a description of the vulnerability type each issue represents, and suggestions on how to fix them.
Your organization can also use the Fortify Extension for Visual Studio with Micro Focus Fortify Software Security Center to manage applications and assign specific issues to developers. You can connect with Fortify Software Security Center to review the reported vulnerabilities and implement appropriate solutions from Visual Studio.
Fortify Security Content
Micro Focus Fortify Static Code Analyzer uses a knowledge base of rules to enforce secure coding standards applicable to the codebase for static analysis. Fortify Security Content consists of Fortify Secure Coding Rulepacks and external metadata:
Secure Coding Rulepacks describe general secure coding idioms for popular languages and public APIs
External metadata includes mappings from the Fortify vulnerability categories to alternative categories (such as CWE, OWASP Top 10, and PCI)
Fortify provides the ability to write custom rules that add to the functionality of Fortify Static Code Analyzer and the Secure Coding Rulepacks. For example, you might need to enforce proprietary security guidelines or analyze a project that uses third-party libraries or other pre-compiled binaries that are not already covered by the Secure Coding Rulepacks. You can also customize the external metadata to map Fortify issues to different taxonomies, such as internal application security standards or additional compliance obligations. For instructions on how to create your own custom rules or custom external metadata, see the Micro Focus Fortify Static Code Analyzer Custom Rules Guide.
If you are using collaborative auditing with Micro Focus Fortify Software Security Center, make sure that any custom rules or external metadata changes are also made in Fortify Software Security Center.
Typically, you obtain the current Fortify Security Content when you install Fortify Extension for Visual Studio. For information about updating Fortify Security Content or installing it manually, see "About Updating Security Content" on page 19.
About Analyzing the Source Code
You analyze the source code from Visual Studio at the solution or project level. A security analysis with Micro Focus Fortify Static Code Analyzer consists of the following main phases:
Translate all .NET files and other existing supported files, such as T-SQL, into intermediate files
Scan the intermediate files to complete the security analysis
There are two ways to analyze your source code:
Use the locally installed Fortify Static Code Analyzer to perform the entire analysis (translation and scan phases). For information about how to configure and run the analysis locally, see "About Scanning Locally" on page 22.
After the scan is complete, Fortify Extension for Visual Studio displays the analysis results in Visual Studio.
Use Micro Focus Fortify ScanCentral SAST to perform the entire analysis (translation and scan phases) or only the scan phase. For information about how to configure and run the analysis using Fortify ScanCentral SAST, see "About Scanning with Fortify ScanCentral SAST" on page 26.
To view the analysis results, configure the Fortify Extension for Visual Studio to upload the analysis results to a Micro Focus Fortify Software Security Center server (see "Remediating Results from Fortify Software Security Center" on page 83).
Alternatively, you can use the provided job token in the Fortify ScanCentral SAST command-line interface to retrieve the analysis results (FPR) file, and then open them in Visual Studio (see "Opening Audit Projects" on page 78).
Installation
You install the Fortify Extension for Visual Studio by selecting the extension during the Micro Focus Fortify Static Code Analyzer and Applications installation (which includes Audit Workbench and other plugins that you can install). For installation instructions, see the Micro Focus Fortify Static Code Analyzer User Guide.
During the Fortify Static Code Analyzer installation, make sure that you select the extension that corresponds to the Visual Studio version installed on your system.
If you plan to scan your code from Visual Studio, make sure that you select the Update security content after installation? check box at the end of the Micro Focus Fortify Static Code Analyzer and Applications installation unless your administrator has set up an alternative way to deliver Fortify Security Content to you (see "Manually Updating Security Content" on page 21).
Upgrades
After you install the Fortify Extension for Visual Studio, when you subsequently upgrade Micro Focus Fortify Static Code Analyzer and select to also install the Fortify Extension for Visual Studio, the new version of the extension is automatically upgraded. You can upgrade Fortify Static Code Analyzer (along with Audit Workbench and any plugins you have installed) manually or automatically from Audit Workbench. For instructions, see the Micro Focus Fortify Audit Workbench User Guide.
Related Documents
This topic describes documents that provide information about Micro Focus Fortify software products.
All Products
The following documents provide general information for all products. Unless otherwise noted, these documents are available on the Micro Focus Product Documentation website.
Document / File Name | Description |
About Micro Focus Fortify Product Software Documentation About_Fortify_Docs_<version>.pdf | This paper provides information about how to access Micro Focus Fortify product documentation. Note: This document is included only with the product download. |
Micro Focus Fortify License and Infrastructure Manager Installation and Usage Guide LIM_Guide_<version>.pdf | This document describes how to install, configure, and use the Fortify License and Infrastructure Manager (LIM), which is available for installation on a local Windows server and as a container image on the Docker platform. |
Micro Focus Fortify Software System Requirements Fortify_Sys_Reqs_<version>.pdf | This document provides the details about the environments and products supported for this version of Fortify Software. |
Micro Focus Fortify Software Release Notes FortifySW_RN_<version>.pdf | This document provides an overview of the changes made to Fortify Software for this release and important information not included elsewhere in the product documentation. |
What’s New in Micro Focus Fortify Software <version> Fortify_Whats_New_<version>.pdf | This document describes the new features in Fortify Software products. |
Micro Focus Fortify ScanCentral SAST
The following document provides information about Fortify ScanCentral SAST. Unless otherwise noted, these documents are available on the Micro Focus Product Documentation website at https://www.microfocus.com/documentation/fortify-software-security-center.
Document / File Name | Description |
Micro Focus Fortify ScanCentral SAST Installation, Configuration, and Usage Guide SC_SAST_Guide_<version>.pdf | This document provides information about how to install, configure, and use Fortify ScanCentral SAST to streamline the static code analysis process. It is written for anyone who intends to install, configure, or use Fortify ScanCentral SAST to offload the resource-intensive translation and scanning phases of their Fortify Static Code Analyzer process. |
Micro Focus Fortify Software Security Center
The following document provides information about Fortify Software Security Center. Unless otherwise noted, these documents are available on the Micro Focus Product Documentation website at https://www.microfocus.com/documentation/fortify-software-security-center.
Document / File Name | Description |
Micro Focus Fortify Software Security Center User Guide SSC_Guide_<version>.pdf | This document provides Fortify Software Security Center users with detailed information about how to deploy and use Software Security Center. It provides all of the information you need to acquire, install, configure, and use Software Security Center. It is intended for use by system and instance administrators, database administrators (DBAs), enterprise security leads, development team managers, and developers. Software Security Center provides security team leads with a high-level overview of the history and current status of a project. |
Micro Focus Fortify Static Code Analyzer
The following documents provide information about Fortify Static Code Analyzer. Unless otherwise noted, these documents are available on the Micro Focus Product Documentation website at https://www.microfocus.com/documentation/fortify-static-code.
Document / File Name | Description |
Micro Focus Fortify Static Code Analyzer User Guide SCA_Guide_<version>.pdf | This document describes how to install and use Fortify Static Code Analyzer to scan code on many of the major programming platforms. It is intended for people responsible for security audits and secure coding. |
Micro Focus Fortify Static Code Analyzer Custom Rules Guide SCA_Cust_Rules_Guide_<version>.zip | This document provides the information that you need to create custom rules for Fortify Static Code Analyzer. This guide includes examples that apply rule-writing concepts to real-world security issues. Note: This document is included only with the product download. |
Chapter 2: Using the Fortify Extension for Visual Studio
Use the Fortify Extension for Visual Studio to perform Micro Focus Fortify Static Code Analyzer scans, review and audit analysis results, and remediate issues in Visual Studio.
This section contains the following topics:
Working with Fortify Software Security Center 16
About Updating Security Content 19
About Scanning Locally 22
About Scanning with Fortify ScanCentral SAST 26
Viewing Analysis Results 32
Auditing Analysis Results 55
Using Issue Templates 57
Configuring Custom Tags for Auditing 59
Creating a Filter Set 62
Managing Folders 64
Generating Analysis Results Reports 67
Working with Audit Projects 78
Integrating with a Bug Tracker Application 81
Troubleshooting 82
Working with Fortify Software Security Center
You need to configure a connection to Micro Focus Fortify Software Security Center to perform any of the following tasks:
Upload your analysis results to Fortify Software Security Center
Audit applications collaboratively using Fortify Software Security Center
Update your Fortify Security Content from Fortify Software Security Center
The following sections describe how to configure a connection to the Fortify Software Security Center server, the different ways to log in to Fortify Software Security Center, and how to synchronize your work on audit projects with Fortify Software Security Center.
Configuring a Connection to Fortify Software Security Center
Before you can upload to or access the audit results on Micro Focus Fortify Software Security Center, you need to configure your connection to Fortify Software Security Center.
To configure a connection to Fortify Software Security Center:
From the Fortify extension menu, select Options.
In the left pane, select Server Configuration.
Under Software Security Center, specify the Server URL for Fortify Software Security Center.
Click OK.
Logging in to Fortify Software Security Center
The first time you perform an operation that requires a connection to Fortify Software Security Center such as uploading an audit project or opening a collaborative application, you are prompted to log in.
To log in to Fortify Software Security Center:
From the Login method list, select the login method set up for you on Fortify Software Security Center.
To save your login information, select the Save login method check box.
The Fortify Extension for Visual Studio saves your login information for all future use of this extension until you install a new Fortify Extension for Visual Studio.
Depending on the login method you selected, do one of the following:
Login Method | Procedure |
Username/Password | Type your Fortify Software Security Center user name and password. |
Authentication Token | Specify the decoded value of a Fortify Software Security Center authentication token of type ToolsConnectToken. Note: For instructions about how to create an authentication token from Fortify Software Security Center, see the Micro Focus Fortify Software Security Center User Guide |
X.509 SSO | Fortify Software Security Center must be configured to use X.509 Certification-based SSO. Click Browse for Certificate, select the certificate for the sign-on, and then click OK. Note: Your certificate must be in the current user certificate store and in the Personal store. |
Kerberos SSO | Fortify Software Security Center must be configured to use SPNEGO-based Kerberos authentication. Note: Support for Kerberos SSO is limited to Windows systems. |
Click OK to connect to Fortify Software Security Center.
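As an added check that is not part of this guide, the following PowerShell snippet lists the certificates in the current user's Personal store (the location the X.509 SSO note above requires) that are usable for sign-on. It assumes, as is typical for certificate-based SSO but not stated in the guide, that the certificate must carry the Client Authentication extended key usage, have an accessible private key, and not be expired.

```powershell
# Added example, not from the Fortify documentation: find certificates in the
# current user's Personal store (Cert:\CurrentUser\My) that could be used for
# X.509 SSO to Fortify Software Security Center.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU (assumption: required by the SSO setup)
$now = Get-Date

$candidates = Get-ChildItem -Path Cert:\CurrentUser\My | ForEach-Object {
    $cert = $_

    # Pull the Enhanced Key Usage extension, if the certificate has one.
    $ekuExt = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $hasClientAuth = $false
    if ($ekuExt) {
        $hasClientAuth = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })
    }

    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        Expired       = ($cert.NotAfter -lt $now)
        HasPrivateKey = $cert.HasPrivateKey
        ClientAuthEKU = $hasClientAuth
    }
}

# Only certificates that satisfy all three conditions are usable for sign-on.
$usable = $candidates | Where-Object { $_.HasPrivateKey -and -not $_.Expired -and $_.ClientAuthEKU }

if (-not $usable) {
    Write-Warning 'No usable client-authentication certificate found in Cert:\CurrentUser\My.'
    Write-Warning 'Certificates present in the store (check why each one is excluded):'
    $candidates | Format-Table Subject, NotAfter, Expired, HasPrivateKey, ClientAuthEKU -AutoSize
} else {
    'Certificates that can be selected with Browse for Certificate:'
    $usable | Format-Table Subject, Issuer, Thumbprint, NotAfter -AutoSize
}
```

If a certificate you expect to use is missing from the output, import it into the CurrentUser\Personal store rather than the LocalMachine store, which the extension does not search.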
Synchronizing with Fortify Software Security Center
The Fortify Extension for Visual Studio can synchronize the local version of your project with the corresponding application version on the Micro Focus Fortify Software Security Center server. With synchronization to the server enabled, each time you load, merge, scan, or save your project locally on your system, the extension automatically uploads your changes to the version of your project on the server. This automatic synchronization prevents work loss during a power outage and enables you to work locally and synchronize your work when you connect later.
If synchronization is enabled, then when you perform a scan, partial scan, save, or merge on your project, a dialog box prompts you to specify whether you want to auto-synchronize your project with the server.
To change whether synchronization occurs automatically with the server:
From the Fortify extension menu, select Options.
In the left pane, select Project Configuration.
Select the Synchronization Options tab.
Either clear the Auto Synchronize all Projects with Server Application check box to disable automatic synchronization or select it to enable automatic synchronization.
You can customize which actions synchronize your local project version with the server. For instance, you can configure synchronization to occur only when you merge or scan a project.
To customize the actions that trigger synchronization with the server:
From the Fortify extension menu, select Options.
In the left pane, select Project Configuration.
Select the Synchronization Options tab.
Select any action to exclude from automatic synchronization, and then click OK.
About Updating Security Content
To optimize the Fortify Extension for Visual Studio functionality to scan with Micro Focus Fortify Static Code Analyzer, you must have up-to-date security content. First configure how you plan to obtain security content updates (see "Configuring Security Content Updates" below). Then obtain the latest security content by doing one of the following:
"Updating Security Content" on page 20
"Scheduling Automatic Security Content Updates" on page 21
"Manually Updating Security Content" on page 21
You can also import custom security content from the Fortify Extension for Visual Studio (see "Importing Custom Security Content" on page 21).
Configuring Security Content Updates
Before you update security content, configure the server information to use for security content updates. To update security content manually (without an internet connection or Micro Focus Fortify Software Security Center), see "Manually Updating Security Content" on page 21.
To configure the server from where you will obtain security content:
From the Fortify extension menu, select Options.
The Options dialog box opens to the Server Configuration section.
Under Security Content Update, select one of the following:
To update security content from your Fortify Software Security Center instance, select Update from Software Security Center.
To specify a server from which to update security content, select Update from Fortify Update Server.
If you selected Update from Fortify Update Server, do the following:
In the Server URL box, type the URL for the Fortify Rulepack update server.
If you selected Update from Fortify Software Security Center, do the following:
Under Software Security Center, specify the Server URL for Fortify Software Security Center (for example, http://my.domain.com:8080/ssc).
Updating Security Content
Fortify Extension for Visual Studio updates the Fortify Security Content from the location specified in the Server Configuration options (see "Configuring Security Content Updates" on the previous page).
To update security content:
From the Fortify extension menu, select Options.
In the left pane, select Security Content Management.
(Optional) From the Locale list, select the language you want for the Fortify Security Content. By default, English is the selected language.
Click Update.
If new content is available, it is updated and listed under Installed Fortify Security Content and
Click OK.
Scheduling Automatic Security Content Updates
To schedule automatic security content updates:
From the Fortify extension menu, select Options.
In the left pane, select Server Configuration.
Under Security Content Update, select the Update security content automatically check box.
In the Update Frequency (Days) box, specify how often to update the security content, and then click OK.
Manually Updating Security Content
You can manually update security content from a local ZIP file with the fortifyupdate utility. To manually update the security content:
Open a command prompt, and then navigate to the <sca_install_dir>\bin directory.
Type fortifyupdate.cmd -import <file>.zip.
For more information about the fortifyupdate utility, see the Micro Focus Fortify Static Code Analyzer User Guide.
Importing Custom Security Content
You can import custom security content to use in your scans. Fortify Extension for Visual Studio imports custom rules to the <sca_install_dir>\Core\config\customrules directory.
Note: To import custom external metadata, place your external metadata file in the <sca_install_dir>\Core\config\CustomExternalMetadata directory.
To import custom rules:
From the Fortify extension menu, select Options.
In the left pane, select Security Content Management.
Click Import.
The Select Security Content dialog box opens.
Browse to and select a *.xml or *.bin file to import.
The imported file is listed under Installed Custom Security Content.
Click OK to close the Options dialog box.
About Scanning Locally
This section describes how to perform a scan of your source code on the local system. In the analysis configuration, you can specify the SQL type, how much memory to use for the scan, the security content to use, whether to scan in quick scan mode, and other advanced scanning options.
Fortify strongly recommends that you periodically update the security content, which contains Fortify Secure Coding Rulepacks and external metadata. For information about how to update the security content, see "About Updating Security Content" on page 19.
About Quick Scan Mode
Quick scan mode provides a way to quickly scan your projects for critical- and high-priority issues. Fortify Static Code Analyzer performs the scan faster by reducing the depth of the analysis and applying the Quick View filter set. Quick scan settings are configurable. For more details about the configuration of quick scan mode, see the Micro Focus Fortify Static Code Analyzer User Guide.
Quick scans are a great way to get many applications through an assessment so that you can quickly find issues and begin remediation. The performance improvement you get depends on the complexity and size of the application. Although the scan is faster than a full scan, it does not provide as robust a result set. Other issues that a quick scan cannot detect might exist in your application. Fortify recommends that you run full scans whenever possible.
Note: By default, Micro Focus Fortify Software Security Center ignores uploaded scans performed in quick scan mode. However, you can configure your Fortify Software Security Center application version so that it processes uploaded audit projects scanned in quick scan mode. For more information, see analysis results processing rules in the Micro Focus Fortify Software Security Center User Guide.
You can use quick scan mode for scans that use a locally installed Fortify Static Code Analyzer. Audit quick analysis results just as you audit full analysis results. To perform a quick scan, see "Configuring Advanced Local Scan Options" on page 24.
Configuring Local Scan Options
Use the analysis configuration to customize the security content, specify the SQL type, and specify the amount of memory Micro Focus Fortify Static Code Analyzer uses during a local scan.
To configure the analysis options:
With a solution open in Visual Studio, select Options from the Fortify extension menu.
In the left pane, select Project Configuration.
The Project Configuration dialog box opens to show the Analysis Configuration tab.
To specify the scope of the configuration, do one of the following:
To configure the settings for the projects in the open solution only, select the Enable Project Specific Settings check box.
To change the default scan configuration for all projects scanned from this Visual Studio instance, click Configure Defaults.
By default, Fortify Static Code Analyzer treats SQL files as T-SQL. If your files use PL/SQL, from the SQL Type list, select PL/SQL.
To specify the amount of memory to use for the scan, type an integer in the Memory (MB) box.
To customize the security content that you want to use, clear the Use all installed security content check box, and then select the Secure Coding Rulepacks and any specific custom security content that you want to use.
Click OK.
Configuring Advanced Local Scan Options
Use the advanced scan options to enable or disable quick scan mode and customize Fortify Static Code Analyzer translation and scan command-line options.
To change the advanced translation and scan options:
With a solution open in Visual Studio, select Options from the Fortify extension menu.
In the left pane, select Project Configuration.
To specify the scope of the settings, do one of the following:
To customize the settings for the projects in the open solution only, select Enable Project Specific Settings.
To change the default scan settings for all projects scanned from this Visual Studio instance, click Configure Defaults.
Select the Advanced Scan Options tab.
Select the Use Additional SCA Options check box and type Fortify Static Code Analyzer command-line options for either the translation or scan phase.
For detailed information about the available Fortify Static Code Analyzer options and the proper syntax, see the Micro Focus Fortify Static Code Analyzer User Guide.
Under Local Scan Options, the Command-Line Preview box shows the complete Fortify Static Code Analyzer scan command line.
(Optional) In the Build ID box, type a build ID for the scan. The default build ID is the name of the project or solution.
To disable merging the results of the next scan you run with results from the previous scan, clear the Merge with Previous Scan check box.
By default, when you rescan a project from Visual Studio, the scan merges results from the previous scan with the results from the new scan. This enables you to see specifically which issues have been fixed and which issues were introduced since the earlier scan.
To perform a quick scan, select the Enable Quick Scan Mode check box.
For information about quick scans, see "About Quick Scan Mode" on page 22.
Click OK to save the advanced scan options.
Scanning Projects or Solutions Locally
Before you perform the scan, make sure that the active solution configuration is valid for the projects loaded in the solution. If the configuration is invalid, Fortify Static Code Analyzer cannot successfully scan the solution and a message indicating that the configuration is invalid is written to the log file.
To scan a solution or project on the local system, start the scan in one of the following ways:
To scan at the solution level, select Analyze Solution from the Fortify extension menu.
To scan at the project level, select a project, and then select Analyze Project from the Fortify extension menu.
After the scan has finished, the Fortify Extension for Visual Studio displays the results in the auditing interface.
You can now audit the analysis results in Visual Studio. For information, see "Auditing Issues" on page 56. If the codebase was audited before, results from the previous audit are automatically integrated with the new analysis results.
By default, the analysis results are stored as an FPR file in the folder that contains the solution or project. To save this file to a different location, select Fortify > Save Audit Project As.
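Because the extension keys merged results by each issue's Instance ID (the identifier shown on the Details tab), the same fixed/new/unchanged classification can be reproduced outside Visual Studio, for example in a build pipeline that reports newly introduced findings. The following Python script is an added example, not code from the Fortify documentation or product. It assumes a simplified FVDL layout in which each Vulnerability element carries ClassInfo/Type and InstanceInfo/InstanceID, matches element names without regard to the XML namespace, assumes that the FVDL document inside an FPR archive is the zip member audit.fvdl, and uses two constructed sample documents with a placeholder namespace:

```python
"""Compare two Fortify FVDL result sets by Instance ID.

Added example, not part of the Fortify documentation or product code.
Assumptions: a <Vulnerabilities> list of <Vulnerability> elements, each with
ClassInfo/Type, ClassInfo/Kingdom and InstanceInfo/InstanceID; the FVDL inside
an FPR archive is the zip member "audit.fvdl". Sample documents are constructed.
"""
import zipfile
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip the XML namespace so matching does not depend on the exact FVDL namespace URI."""
    return tag.rsplit("}", 1)[-1]


def _text(elem, path):
    """Walk a '/'-separated path of local element names below elem and return the text found there."""
    for name in path.split("/"):
        elem = next((c for c in elem if _local(c.tag) == name), None)
        if elem is None:
            return None
    return (elem.text or "").strip()


def load_issues(fvdl_xml):
    """Return {instance_id: {"type", "kingdom", "severity"}} for every Vulnerability element."""
    issues = {}
    for elem in ET.fromstring(fvdl_xml).iter():
        if _local(elem.tag) != "Vulnerability":
            continue
        instance_id = _text(elem, "InstanceInfo/InstanceID")
        if not instance_id:
            continue  # skip records that lack the identifier we key on
        issues[instance_id] = {
            "type": _text(elem, "ClassInfo/Type"),
            "kingdom": _text(elem, "ClassInfo/Kingdom"),
            "severity": _text(elem, "InstanceInfo/InstanceSeverity"),
        }
    return issues


def load_fpr(path, member="audit.fvdl"):
    """Read the FVDL document out of an FPR archive (an FPR is a zip; the member name is assumed)."""
    with zipfile.ZipFile(path) as fpr:
        return load_issues(fpr.read(member))


def diff_scans(previous, current):
    """Classify issues by Instance ID: fixed (gone), new (appeared), unchanged (in both scans)."""
    prev_ids, cur_ids = set(previous), set(current)
    return {
        "fixed": sorted(prev_ids - cur_ids),
        "new": sorted(cur_ids - prev_ids),
        "unchanged": sorted(prev_ids & cur_ids),
    }


def new_issues_by_type(previous, current):
    """Count newly introduced issues per category, e.g. to gate a build on new findings."""
    counts = {}
    for iid in diff_scans(previous, current)["new"]:
        category = current[iid]["type"]
        counts[category] = counts.get(category, 0) + 1
    return counts


def _fvdl(records):
    """Build a minimal FVDL document from (instance_id, kingdom, type, severity) tuples (constructed)."""
    body = "".join(
        f"<Vulnerability><ClassInfo><Kingdom>{k}</Kingdom><Type>{t}</Type></ClassInfo>"
        f"<InstanceInfo><InstanceID>{iid}</InstanceID><InstanceSeverity>{s}</InstanceSeverity>"
        f"</InstanceInfo></Vulnerability>"
        for iid, k, t, s in records
    )
    # Placeholder namespace: the parser above ignores namespaces on purpose.
    return f'<FVDL xmlns="urn:example:fvdl"><Vulnerabilities>{body}</Vulnerabilities></FVDL>'


# Constructed sample scans: A1B2C3D4 was fixed, D4E5F6A7 is new, the other two persist.
PREVIOUS_SCAN = _fvdl([
    ("A1B2C3D4", "Input Validation and Representation", "Command Injection", "4.0"),
    ("B2C3D4E5", "Input Validation and Representation", "SQL Injection", "4.0"),
    ("C3D4E5F6", "Security Features", "Password Management: Hardcoded Password", "3.0"),
])
CURRENT_SCAN = _fvdl([
    ("B2C3D4E5", "Input Validation and Representation", "SQL Injection", "4.0"),
    ("C3D4E5F6", "Security Features", "Password Management: Hardcoded Password", "3.0"),
    ("D4E5F6A7", "Input Validation and Representation", "Cross-Site Scripting: Reflected", "4.0"),
])

if __name__ == "__main__":
    prev, cur = load_issues(PREVIOUS_SCAN), load_issues(CURRENT_SCAN)
    print(diff_scans(prev, cur))
    print(new_issues_by_type(prev, cur))
```

For real scans, call load_fpr on the FPR files that the extension writes next to the solution; the Instance ID is stable across scans of the same code, which is what makes the set arithmetic meaningful.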
About Scanning with Fortify ScanCentral SAST
This section describes the requirements for using Micro Focus Fortify ScanCentral SAST to analyze your code and to upload the analysis results to Micro Focus Fortify Software Security Center. For instructions about how to configure the Fortify ScanCentral SAST options, see "Configuring Fortify ScanCentral SAST Options" on the next page.
With Fortify Extension for Visual Studio, you can either:
Perform the entire analysis (translation and scan) with Fortify ScanCentral SAST
Perform the translation locally and then automatically upload the translated project to Fortify ScanCentral SAST for the scan phase
You must translate the project or solution locally if it uses a language that Fortify ScanCentral SAST does not support for remote translation. For a list of languages supported with remote translation, see the Micro Focus Fortify Software System Requirements document.
Make sure that the Fortify Security Content version on the local system is the same as the version on the Fortify ScanCentral sensor. Fortify strongly recommends that you periodically update the security content. For information about how to update the security content locally, see "About Updating Security Content" on page 19. Use the fortifyupdate utility to update security content on the ScanCentral sensor (see the Micro Focus Fortify Static Code Analyzer User Guide).
To analyze your code with Fortify ScanCentral SAST, you need the following:
A properly configured Fortify ScanCentral SAST installation. For more information, see the Micro Focus Fortify ScanCentral SAST Installation, Configuration, and Usage Guide.
To connect to Fortify ScanCentral SAST, you need either:
A ScanCentral Controller URL. If the Controller uses an HTTPS connection with a certificate that Fortify Static Code Analyzer does not already trust, import the Controller certificate into the Java keystore for Fortify Static Code Analyzer (in <sca_install_dir>/jre/lib/security/cacerts). For more information, see the Micro Focus Fortify ScanCentral SAST Installation, Configuration, and Usage Guide.
A Fortify Software Security Center URL and an authentication token of type ToolsConnectToken. To configure the Fortify Software Security Center URL, see "Configuring a Connection to Fortify Software Security Center" on page 17. For instructions on how to create an authentication token, see the Micro Focus Fortify Software Security Center User Guide. If the Fortify Software Security Center server uses an HTTPS connection with a certificate that Fortify Static Code Analyzer does not already trust, import the server certificate into the same Java keystore (in <sca_install_dir>/jre/lib/security/cacerts). For more information, see the Micro Focus Fortify Software Security Center User Guide or the Micro Focus Fortify ScanCentral SAST Installation, Configuration, and Usage Guide.
To send the analysis results to a Fortify Software Security Center server, you need the following:
A Fortify Software Security Center URL or a ScanCentral Controller that is integrated with a Fortify Software Security Center server.
A Fortify Software Security Center authentication token of type ToolsConnectToken
For instructions on how to create an authentication token, see the Micro Focus Fortify Software Security Center User Guide.
An application and application version that exists in Fortify Software Security Center
Permission to access the application and application version to which you want to upload
Configuring Fortify ScanCentral SAST Options
This section describes how to configure the default Fortify ScanCentral SAST options to use when you submit a solution or project for analysis to Fortify ScanCentral SAST. You can specify the translation type (local or remote), the Fortify Static Code Analyzer translation and scan options, the sensor pool selection, and whether to upload analysis results to Fortify Software Security Center. To change the analysis options and perform a scan for a specific solution, see "Advanced Scanning of Solutions with Fortify ScanCentral SAST" on page 30.
To configure the Fortify ScanCentral SAST options:
From the Fortify extension menu, select Options.
In the left pane, select ScanCentral SAST Configuration.
Select Enable ScanCentral SAST Upload.
To specify how to connect to Fortify ScanCentral SAST, do one of the following:
Select Use Controller URL, and then in the Controller URL box, type the URL for the ScanCentral Controller.
Example: https://<controller_host>:<port>/scancentral-ctrl
Select Get Controller URL from SSC, and then in the Token box, paste the decoded token value for an authentication token of type ToolsConnectToken.
Make sure that you have the Fortify Software Security Center URL that is associated with the ScanCentral Controller provided in the Server Configuration options (see "Configuring a Connection to Fortify Software Security Center" on page 17).
To upload the analysis results to Fortify Software Security Center, select the Send Scan Results to SSC check box.
In the Token box, paste the decoded token value for an authentication token of type ToolsConnectToken.
Under Default Translation Type, specify where to run the translation phase of the analysis: either local translation (translate on the local system and upload the translated project to Fortify ScanCentral SAST for the scan phase) or remote translation (perform both translation and scan with Fortify ScanCentral SAST).
(Optional) To specify Fortify Static Code Analyzer command-line options for the translation or scan phase:
Click Advanced Scan Options.
The Project Configuration page opens to the Advanced Scan Options tab.
Select the Use Additional SCA Options check box and type Fortify Static Code Analyzer command-line options for the translation or scan phase.
For detailed information about the available Fortify Static Code Analyzer options and the proper syntax, see the Micro Focus Fortify Static Code Analyzer User Guide.
In the left pane, select ScanCentral SAST Configuration to return to the Fortify ScanCentral SAST option configuration.
Under Sensor Pool, specify whether to use the default sensor pool or be provided a list of sensor pools to choose from when you start a scan with Fortify ScanCentral SAST.
(Optional) In the Notification Email box, type an email address to receive job status notifications.
Click OK to save your configuration.
Scanning Projects or Solutions with Fortify ScanCentral SAST
Before you can scan your project or solution with Fortify ScanCentral SAST, you must configure the Fortify ScanCentral SAST options as described in "Configuring Fortify ScanCentral SAST Options" on page 27. In addition, make sure that the active solution configuration is valid for the projects loaded in the solution. If the configuration is invalid, Fortify Static Code Analyzer cannot successfully scan the solution and a message indicating that the configuration is invalid is written to the log file.
To scan a project or solution with Fortify ScanCentral SAST:
To start the scan with Fortify ScanCentral SAST, do one of the following:
To scan at the solution level, select ScanCentral > Upload Solution from the Fortify extension menu.
To scan at the project level, select a project and then select ScanCentral > Upload Project from the Fortify extension menu.
To scan at the solution level with custom Fortify ScanCentral SAST options for this solution, see "Advanced Scanning of Solutions with Fortify ScanCentral SAST" below.
If prompted, select the application version where you want to upload the analysis results, and then click OK.
If prompted, select a sensor pool from the Select Sensor Pool dialog box, and then click OK.
To view the analysis results, you can either:
Copy the provided job token and use it in the Fortify ScanCentral SAST command-line interface to retrieve the analysis results (see the Micro Focus Fortify ScanCentral SAST Installation, Configuration, and Usage Guide). You can then open the analysis results in Fortify Extension for Visual Studio (see "Opening Audit Projects" on page 78).
If you uploaded the analysis results to Fortify Software Security Center, you can check the status of the job (and view the results) on the Fortify Software Security Center server. After the scan is complete, you can open the analysis results in Fortify Extension for Visual Studio (see either "Performing a Collaborative Audit" on page 79 or "Configuring a Connection to Fortify Software Security Center" on page 17).
Advanced Scanning of Solutions with Fortify ScanCentral SAST
You can customize the Fortify ScanCentral SAST scan configuration for the current solution. You can adjust the translation type (local or remote), Fortify Static Code Analyzer options for translation and scan, whether to upload analysis results to Fortify Software Security Center, and the sensor pool selection.
To run a customized scan using Fortify ScanCentral SAST:
From the Fortify extension menu, select ScanCentral > Advanced Scan.
Any existing Fortify ScanCentral SAST configuration options are displayed in the ScanCentral SAST Advanced Scan dialog box.
Specify where to run the translation phase of the analysis: either local translation (translate on the local system and upload the translated project to Fortify ScanCentral SAST for the scan phase) or remote translation (perform both translation and scan with Fortify ScanCentral SAST).
To specify Fortify Static Code Analyzer command-line options for the translation or scan phase, under SCA Options, type command-line options for the translation and scan phase.
For detailed information about the available Fortify Static Code Analyzer options and the proper syntax, see the Micro Focus Fortify Static Code Analyzer User Guide.
To upload the analysis results to Fortify Software Security Center, select the Send Scan Results to SSC check box.
Specify whether to use the default sensor pool or be prompted to select a sensor pool from a list.
Click Scan.
If prompted, select the application version where you want to upload the analysis results, and then click OK.
If prompted, select a sensor pool from the Select Sensor Pool dialog box, and then click OK.
To view the analysis results, you can either:
Copy the provided job token and use it in the Fortify ScanCentral SAST command-line interface to retrieve the analysis results (see the Micro Focus Fortify ScanCentral SAST Installation, Configuration, and Usage Guide). You can then open the analysis results in Fortify Extension for Visual Studio (see "Opening Audit Projects" on page 78).
If you uploaded the analysis results to Fortify Software Security Center, you can check the status of the job (and view the results) on the Fortify Software Security Center server. After the scan is complete, you can open the analysis results in Fortify Extension for Visual Studio (see either "Performing a Collaborative Audit" on page 79 or "Configuring a Connection to Fortify Software Security Center" on page 17).
After a scan has been performed (or after you open an existing audit project), a summary of the analysis results is displayed in the Analysis Results window and in the Project Summary window. The Analysis Trace and Issue Auditing windows are open, but do not contain any information until you select an issue from the Analysis Results window.
These windows are the Analysis Results window, the Project Summary window, the Analysis Trace window, and the Issue Auditing window; each is described in the sections that follow.
The Analysis Results window enables you to group, filter, and select the issues you want to audit.
The selected filter set controls which issues the Analysis Results window displays. The filter set determines the number and types of containers (folders) and how and where issues are displayed.
Each project can have unique sets because the filter sets are saved in an audit project results file.
The filter sets sort the issues into Critical, High, Medium, and Low folders, based on potential severity. All default filter sets have the same sorting mechanism.
The Fortify Extension for Visual Studio provides the following filter sets:
If you open an FPR file that contains no custom filtertemplate.xml file or if you open an FVDL file or a webinspect.xml file, the audit project results open with the Quick View filter set selected.
For information about how to create your own filter sets, see "Creating a Filter Set" on page 62.
The tabs on the Analysis Results window are called folders. You can customize the settings for the color-coded folders. The number of folders, names, colors, and the issue list can vary between filter sets and audit projects. For information about how to create your own folders, see "Creating a Folder" on page 64.
Within each color-coded folder, issues are grouped into subfolders. At the end of each folder name, enclosed in brackets, is the number of audited issues and the total number of issues in the folder. For example, a folder with the name Command Injection - [1 / 3] indicates that one issue out of three categorized as Command Injection has been audited.
Each folder contains a list of issues. An issue is sorted into a folder if its attributes match the folder filter conditions. One folder in each filter set is the default folder, indicated by (default) in the folder name. If an issue does not match any of the folder filters, the issue is listed in the default folder.
The Group By option sorts the issue list into subfolders. The selected option is applied to all visible folders. Use the <none> option to list all issues in the folder without any groups. The Group By settings are for the application instance. You can apply the Group By option to any audit project opened with that instance of the application.
You can customize the existing groups by changing which attributes the groups are sorted by, adding or removing the attributes to create sub-groupings, and adding your own group options.
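To make the folder and grouping behavior concrete, here is an added Python example (not code from the Fortify documentation or product) that sorts constructed sample issues into Critical, High, Medium, and Low folders with a default catch-all folder, labels each group with the audited/total count in the form Command Injection - [1 / 3], and applies a Group By attribute or the <none> option. The folder conditions use a threshold of 2.5 on the IMPACT and LIKELIHOOD priority metadata; that threshold and the issue records are assumptions for illustration, not the filter definitions shipped with the product.

```python
"""Sort issues into color-coded folders and group them, as a filter set does
in the Analysis Results window.

Added example, not part of the Fortify documentation or product code. The
folder conditions assume IMPACT and LIKELIHOOD values on a 0-5 scale with a
2.5 cut-off; the sample issues are constructed.
"""
from collections import OrderedDict

THRESHOLD = 2.5  # assumed cut-off for the priority metadata

# Folder filters are evaluated in order; the first matching folder wins.
FOLDER_FILTERS = [
    ("Critical", lambda i: i["impact"] >= THRESHOLD and i["likelihood"] >= THRESHOLD),
    ("High",     lambda i: i["impact"] >= THRESHOLD and i["likelihood"] < THRESHOLD),
    ("Medium",   lambda i: i["impact"] < THRESHOLD and i["likelihood"] >= THRESHOLD),
]
DEFAULT_FOLDER = "Low"  # the "(default)" folder: receives issues no filter matched


def folder_for(issue):
    """Return the name of the first folder whose filter conditions the issue matches."""
    for name, matches in FOLDER_FILTERS:
        if matches(issue):
            return name
    return DEFAULT_FOLDER


def is_audited(issue):
    """An issue counts as audited once its Analysis tag has been given a value."""
    return issue.get("analysis") is not None


def label(name, issues):
    """Build the 'Name - [audited / total]' label shown on folders and subfolders."""
    audited = sum(1 for i in issues if is_audited(i))
    return f"{name} - [{audited} / {len(issues)}]"


def audit_view(issues, group_attr="type"):
    """Return {folder: {group_label: [issue ids]}}; group_attr=None is the <none> option."""
    folders = OrderedDict((name, []) for name, _ in FOLDER_FILTERS)
    folders[DEFAULT_FOLDER] = []
    for issue in issues:
        folders[folder_for(issue)].append(issue)

    view = OrderedDict()
    for name, contents in folders.items():
        if group_attr is None:
            # <none>: one flat list per folder, labelled with the folder's own counts
            view[name] = {label(name, contents): [i["id"] for i in contents]}
            continue
        groups = {}
        for issue in contents:
            groups.setdefault(issue[group_attr], []).append(issue)
        view[name] = {label(key, members): [i["id"] for i in members]
                      for key, members in sorted(groups.items())}
    return view


# Constructed sample issues (ids, categories and metadata are illustrative only).
SAMPLE_ISSUES = [
    {"id": "c1", "type": "Command Injection", "impact": 4.0, "likelihood": 3.5, "analysis": "Exploitable"},
    {"id": "c2", "type": "Command Injection", "impact": 4.0, "likelihood": 3.0, "analysis": None},
    {"id": "c3", "type": "Command Injection", "impact": 4.0, "likelihood": 3.0, "analysis": None},
    {"id": "s1", "type": "SQL Injection", "impact": 3.5, "likelihood": 4.0, "analysis": None},
    {"id": "b1", "type": "Buffer Overflow", "impact": 5.0, "likelihood": 1.0, "analysis": None},
    {"id": "p1", "type": "Poor Logging Practice", "impact": 1.5, "likelihood": 3.0, "analysis": None},
    {"id": "d1", "type": "Dead Code", "impact": 1.0, "likelihood": 1.0, "analysis": None},
]

if __name__ == "__main__":
    for folder, groups in audit_view(SAMPLE_ISSUES).items():
        print(folder)
        for group_label, ids in groups.items():
            print("   ", group_label, ids)
```

Changing group_attr to another issue attribute (for example "kingdom" if the records carry one) is the equivalent of picking a different Group By option; the folder assignment itself does not change.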
Customizing the Issues Display
You can customize the issues displayed in the Analysis Results window. Determine which issues it displays by using the visibility menu in the Analysis Results toolbar.
The visibility options are as follows:
Viewing Project Summary Information
The Project Summary window provides detailed information about the scan. To open the Project Summary dialog box:
Open an audit project file (FPR, FVDL, or XML).
From the Fortify extension menu, select Project Summary.
The following table describes the information provided on the Project Summary tabs.
Tab | Description |
Summary | Displays high level audit project information. |
Certification | Displays the result certification status. Results certification is a check to make sure that the analysis has not been altered since Fortify Static Code Analyzer produced it. |
Build Information | Displays the following scan information: build details such as the build ID, number of files scanned, lines of code, and the date of the scan, which might be different from the date the files were translated; the list of files scanned with file sizes and timestamps; and the libraries referenced for the scan. |
Analysis Information | Displays the Fortify Static Code Analyzer version, computer details, and the name of the user who performed the scan. The Analysis Information subtabs contain the following information. Security Content—Lists information about the Rulepacks (including the Rulepack name, version, ID, and SKU) and the external metadata used in the scan. Properties—Displays the Micro Focus Fortify Static Code Analyzer properties files settings. Commandline Arguments—Displays the command-line options used to scan the project. Warnings—Lists all errors and warnings that occurred during the analysis; to view more information about an item, click it. |
When you select an issue, the Analysis Trace window displays the trace that the analyzer used to detect the issue.
This trace is presented in sequential order. For dataflow issues, this trace is a presentation of the path that the tainted data follows from the source function to the sink function. For example, when you select an issue that is related to potentially tainted dataflow, the Analysis Trace window shows the direction of the dataflow in this section of the source code.
The Analysis Trace window uses the icons described in the following table to show how the dataflow moves in this section of the source code or execution order.
The icon images are not reproduced here; the icons indicate the following trace steps:
Data is assigned to a field or variable
Information is read from a source external to the code (HTML form, URL, and so on)
Data is assigned to a globally scoped field or variable
A comparison is made
The function call receives tainted data
The function call returns tainted data
Passthrough, tainted data passes from one parameter to another in a function call
An alias is created for a memory location
Data is read from a variable
Data is read from a global variable
Tainted data is returned from a function
A pointer is created
A pointer is dereferenced
The scope of a variable ends
The execution jumps
A branch is taken in the code execution
A branch is not taken in the code execution
Generic
A runtime source, sink, or validation step
Taint change
The Analysis Trace window can contain inductions. Inductions provide supporting evidence for their parent nodes. Inductions consist of:
A text node displayed in italics as a child of the trace node. This text node is expanded by default.
An induction trace, displayed as a child of the text node.
To display the induction reference information for that induction, click it.
The Issue Auditing window displays detailed information about each issue on the following tabs: Audit, Details, Recommendations, History, Diagram, and Filters.
The Audit tab displays information about the selected issue and enables auditors to add an audit evaluation, comments, and custom tag values.
The following table describes the elements of the Audit tab.
Element | Description |
Issue | Displays the issue location, which includes the file name and line number. |
Analysis | Lists values that the auditor can use to assess the issue. Valid values for the Analysis tag are Not an Issue, Reliability Issue, Bad Practice, Suspicious, and Exploitable. |
<custom_tagname> | Displays any custom tags if defined for the audit project. If the audit results have been submitted to Audit Assistant in Micro Focus Fortify Software Security Center, then in addition to any other custom tags, the tab displays the Audit Assistant tags listed after this table. For more information about Audit Assistant, see the Micro Focus Fortify Software Security Center User Guide. |
Suppress | Suppresses the issue. |
File Bug | Provides access to a supported bug tracking system, such as Bugzilla or Azure DevOps Server. See the Micro Focus Fortify Software System Requirements document for a list of supported bug tracking systems. |
Comments | Appends additional information about the issue as a comment. |
Rule Information | Shows information, such as the category and kingdom that describes the issue. |
More Information | Opens the Details tab. |
Recommendations | Opens the Recommendations tab. |
AA_Prediction—Exploitability level that Audit Assistant assigned to the issue. You cannot change this tag value.
AA_Confidence—Confidence level from Audit Assistant for the accuracy of its AA_Prediction value. This is a percentage, expressed in values that range from 0.000 to 1.000. For example, a value of 0.982 indicates a confidence level of 98.2 percent. You cannot change this tag value.
AA_Training—Whether to include or exclude the issue from Audit Assistant training. You can change this value.
For information about auditing, see "Auditing Issues" on page 56.
The Details tab provides a detailed description of the selected issue and offers guidelines to address it.
The Details tab includes some or all the sections described in the following table.
Element | Description |
Abstract/Custom Abstract | Provides a summary of the issue, including custom abstracts defined by your organization. |
Explanation/Custom Explanation | Provides a description of the conditions in which this type of issue occurs. This description includes a discussion of the vulnerability, the constructs typically associated with it, how it can be exploited, and the potential ramifications of an attack. This element also provides custom explanations defined by your organization. |
Instance ID | Provides a unique identifier for the issue. |
Primary Rule ID | Identifies the primary rule that found the issue. |
Priority Metadata Values | Includes IMPACT and LIKELIHOOD values. |
Legacy Priority Metadata Values | Includes SEVERITY and CONFIDENCE values. |
The Recommendations tab provides suggestions and examples of how to secure the vulnerability or remedy the bad practice. The recommendations include some or all the sections described in the following table.
Element | Description |
Recommendations/Custom Recommendations | Provides recommendations for how to resolve this type of issue, including examples, and any custom recommendations defined by your organization. |
Tips/Custom Tips | Provides tips for this type of issue, including any custom tips defined by your organization. |
References/Custom References | Provides reference information, including any custom reference defined by your organization. |
The History tab shows a complete list of audit actions, including details such as the date and time, and the name of the user who modified the issue.
The Diagram tab presents a graphical representation of the node execution order, call depth, and expression type of the selected issue. The tab displays information relevant to the rule type. The vertical axis shows the execution order.
For dataflow issues, the trace starts with the first function to call the taint source, then traces the calls to the source (blue node) and ends the trace at the sink (red node). In the diagram, the source (src) and sink nodes are also labeled. A red X on a vertical axis indicates that the function called finished executing.
The horizontal axis shows the call depth. A line shows the direction that control is passed. If control passes with tainted data traveling through a variable the line is red, and when it is without tainted data, the line is black.
The icons used for the expression type of each node in the diagram are the same icons used in the Analysis Trace window. To see the icons and the descriptions, see "Analysis Trace Window" on page 36.
The Filters tab displays all the filters in the selected filter set.