fortify

How to fix log forging in C#

寵の児 submitted on 2019-12-24 09:30:54
Question: I am using log4net for logging in my Web API application. I am using the code below to log warnings and errors in the database. public async Task<int> ExecuteNonQuery(string procedureName, params SqlParameter[] parameters) { try { this.logger.DebugFormat("{0} starting call", procedureName); ...... ...... ...... } further code When I ran a Fortify scan it gave me a log forging issue. Does anyone have an idea how we can resolve this issue? I tried the code below but it didn't work procedureName = Regex.Replace

How to run HP fortify scan using gradle or Running Fortify from Gradle build on Jenkins

偶尔善良 submitted on 2019-12-24 04:56:31
Question: I'm using the following code to run Fortify using Gradle, but this code takes time to generate reports. I'm not sure how to optimize this script to run faster; it would be great if someone could help me optimize this script. // Add a new configuration configurations { fortify { extendsFrom compile } } // pull in the fortify libs for the new configuration dependencies { fortify fileTree(dir: 'C:/Program Files/Fortify Software/HP Fortify v3.20/Core/lib', include: '*.jar') } task fortifyReport

Is URLEncoder.encode(string, “UTF-8”) a poor validation?

旧时模样 submitted on 2019-12-23 01:45:09
Question: In a portion of my J2EE/Java code, I do URL encoding on the output of getRequestURI() to sanitize it and prevent XSS attacks, but Fortify SCA considers that poor validation. Why? Answer 1: The key point is that you need to convert HTML special characters to HTML entities. This is also called "HTML escaping" or "XML escaping". Basically, the characters <, >, ", & and ' need to be replaced by &lt;, &gt;, &quot;, &amp; and &#39;. URL encoding does not do that. URL encoding converts URL special characters to

Is Fortify-code scan possible with Scala

依然范特西╮ submitted on 2019-12-22 13:13:32
Question: Can I use Fortify to scan Scala code or the generated Java (jar) files? I know that I can do the jar option technically, but are there any known challenges with respect to the generated Java code? Answer 1: Fortify SCA now officially supports Scala (since December 2017). Adding this support was a collaborative project between Lightbend and Micro Focus. I did most of the engineering work on the Lightbend side, writing a compiler plugin that translates Scala code to an intermediate form that Fortify

Can I run fortify on .jar files instead of .java?

核能气质少年 submitted on 2019-12-21 20:44:08
Question: I need to check for vulnerabilities (if any) in the third-party libraries that are being used in my project using Fortify. For a few third-party libraries, I am not able to access their source files; I only have the shipped .jar files. Is it possible to run Fortify on .jar files instead? All I could find in most of the documentation was that Fortify can be run on .java files, something like this: sourceanalyzer -b MyProject -cp "lib/*.jar" "src/**/*.java" Answer 1: You can do one better than LaJmOn

Fortify Source Analyzer and Apache Lenya

那年仲夏 submitted on 2019-12-21 19:19:23
Question: I am trying to use Fortify Source Code Analyzer for a research project at my school to test the security of open source Java web applications. I am currently working on Apache Lenya. I am working with the last stable release (Lenya v2.0.2). Inside the root directory there is a file named build.sh. This file is called to build Lenya using the version of Ant that ships with the release (in the tools/bin folder). I can build Lenya just fine when I run ./build.sh. So, it would be assumed that

Difference between Fortify SCA and Fortify SSC

北城余情 submitted on 2019-12-21 07:37:08
Question: What is the difference between Fortify SCA and Fortify SSC? Is there any difference between the reports generated by these tools? I am aware that Fortify SSC is a web-based app. Can I use Fortify SCA as a web-based app as well? Answer 1: SCA used to be known as the Source Code Analyzer (in Fortify 360), but is now the Static Code Analyzer. Same acronym, same code, just the name changed. SSC ("Software Security Center") used to be known as Fortify 360 Server. HP renamed it and made additional

Open Redirect or Header Manipulation issues from Fortify scan on asp.net

主宰稳场 submitted on 2019-12-20 02:17:17
Question: We did a Fortify scan on our ASP.NET application. We found that there are many header manipulation issues. All the issues are pointing to Response.Redirect(). Please have a look at the code below, where I encoded the parameters. Even then, the code below is counted as a header manipulation issue. int iCount = 0; foreach (string Name in Request.QueryString.Keys) { iCount++; if (iCount > 1) { url += "&"; } url += Name; if (Request.Params[Name] != null) { url += "=" + AntiXss.UrlEncode(Request.Params[Name

Fortify error on JSON Injection in Java

笑着哭i submitted on 2019-12-19 17:35:05
Question: I am getting SUBSCRIPTION_JSON from the client, which I convert to a String and then set on a model object using the gson library. On running the code through Fortify security, it is giving me a JSON injection error on the code below with the following message. Here is the error: On line 159 of ActionHelper.java, the method jsonToObject() writes unvalidated input into JSON. This call could allow an attacker to inject arbitrary elements or attributes into the JSON entity. The method writes unvalidated

How can I see all the rules of Fortify Secure Coding Rules?

这一生的挚爱 submitted on 2019-12-19 02:47:17
Question: I want to see the specific rules of the Fortify Secure Coding Rules (the rules that Fortify uses by default), because I want to write a report about all the rules used by Fortify. I have tried to see them in C:\Program Files\Fortify Software\HP Fortify v3.60\Core\config\rules, but I have found .bin files and I can't read them. I have also opened AuditWorkbench, and in Security Content Management I can't see them either. Is there any way to see them? Thanks for your help. Answer 1: Short of becoming