Fortify Source Analyzer and Apache Lenya

Question

I am trying to use Fortify Source Code Analyzer for a research project at my school to test the security for open source Java web applications. I am currently working on Apache Lenya. I am working with the last stable release (Lenya v2.0.2).

Inside the root directory there is a file named build.sh. This file is called to build Lenya using the version of Ant that ships with the release (in the tools/bin folder). I can build Lenya just fine when I run ./build.sh. So, it would be assumed that running the following command in Fortify would work :

sourceanalyzer -b lenya -Xmx1200M touchless ./build.sh

However, when I try and run:

sourceanayzer -b lenya -Xmx1200M -scan -f lenya.fpr

I get:

build id Lenya not found.

I looked at the buid.sh file and noticed that it was just resetting the current ant home, classpath, and ant options variables, running the ant build command, and resetting the values back to their defaults. So I reset all of the variables manually (without the script) instead of running the script and ran:

sourceanalyzer -b lenya -Xmx1200M touchless tools/bin/ant -logger org.apache.tools.ant.NoBannerLogger

Then I ran :

sourceanalyzer -b lenya -Xmx1200M -scan -f lenya.fpr

but I got the same error. I'm not sure if this is because I am doing something wrong or if it is something that Fortify is not doing correctly. Any insight will be great.

Answer 1

I'm not sure whether you have access to the Fortify documentation, but that will definitely help. You should refer to the SCA User's Guide to understand how to use the sourceanalyzer executable.

To cut things short, there are two ways of getting the FPR file:

1. (The long way) Write a script to translate and analyse the source code by providing the path of the source code and the classpath to the sourceanalyzer executable.
2. (The short way) Use the SCACompiler instead of javac as the compiler. You'll need to modify the build script for this.

I prefer the former due to its customizability when handling large code bases.

PS: Which version of Fortify is this?

Answer 2

Don't use the touchless command, that is for C/C++ Integration. Since Lenya is written in Java, you're better off with other commands. Try this for your first translation step (run from your base lenya dir):

sourceanalyzer -b lenya -Xmx1200M -source 1.5 -cp "**/*.jar" "**/*"

Answer 3

The command you used actually could work with Java builds, except that it has some limitations. Using the touchless build wrapper creates a number of compiler wrappers, e.g. for javac, and puts the wrappers at the front of the PATH environment variable.

If your build.sh script contains fully qualified references to javac, for example /usr/java/bin/javac, then the touchless build integration will not work.

user233276's instructions are the most broadly useful. If you want to experiment with Fortify SCA build integration, I would suggest the technique would be to modify build.sh (see http://svn.apache.org/viewvc/lenya/trunk/build.sh?view=markup&pathrev=400414) and change line 43 from:

"$ANT_HOME/bin/ant" -logger org.apache.tools.ant.NoBannerLogger -emacs $@

to:

sourceanalyzer -b Lenya "$ANT_HOME/bin/ant" -logger org.apache.tools.ant.NoBannerLogger -emacs $@

See the Fortify SCA User Guide for the three types of ant integration:

1. Override the build.compiler property:

   ant -lib sourceanalyzer.jar {Fortify ant options} {ant options}

2. Shortcut to the above:

   sourceanalyzer -b {Fortify options} ant {ant options}

3. Or, if you make a custom build.xml as shown in the appendix:

   ant -lib sourceanalyzer.jar {ant options}