Fortify 源分析器和 Apache Lenya
我正在尝试将 Fortify 源代码分析器用于我学校的一个研究项目,以测试开源 Java Web 应用程序的安全性。 我目前正在研究 Apache Lenya。 我正在使用最新的稳定版本(Lenya v2.0.2)。
根目录中有一个名为 build.sh 的文件。 调用此文件以使用发行版附带的 Ant 版本(在 tools/bin 文件夹中)构建 Lenya。 当我运行 ./build.sh 时,我可以很好地构建 Lenya。 因此,假设在 Fortify 中运行以下命令可以工作:
sourceanalyzer -b lenya -Xmx1200M touchless ./build.sh
但是,当我尝试运行:
sourceanayzer -b lenya -Xmx1200M -scan -f lenya.fpr
我得到:
未找到构建 ID Lenya。
我查看了 buid.sh 文件,注意到它只是重置当前的 ant home、classpath 和 ant options 变量,运行 ant build 命令,并将这些值重置回默认值。 因此,我手动重置所有变量(没有脚本),而不是运行脚本并运行:
sourceanalyzer -b lenya -Xmx1200M touchless tools/bin/ant -logger org.apache.tools.ant.NoBannerLogger
然后我运行 :
sourceanalyzer -b lenya -Xmx1200M -scan -f lenya.fpr
但我得到了相同的错误。 我不确定这是因为我做错了什么,还是 Fortify 做得不正确。 任何见解都会很棒。
I am trying to use Fortify Source Code Analyzer for a research project at my school to test the security for open source Java web applications. I am currently working on Apache Lenya. I am working with the last stable release (Lenya v2.0.2).
Inside the root directory there is a file named build.sh. This file is called to build Lenya using the version of Ant that ships with the release (in the tools/bin folder). I can build Lenya just fine when I run ./build.sh. So, it would be assumed that running the following command in Fortify would work :
sourceanalyzer -b lenya -Xmx1200M touchless ./build.sh
However, when I try and run:
sourceanayzer -b lenya -Xmx1200M -scan -f lenya.fpr
I get:
build id Lenya not found.
I looked at the buid.sh file and noticed that it was just resetting the current ant home, classpath, and ant options variables, running the ant build command, and resetting the values back to their defaults. So I reset all of the variables manually (without the script) instead of running the script and ran:
sourceanalyzer -b lenya -Xmx1200M touchless tools/bin/ant -logger org.apache.tools.ant.NoBannerLogger
Then I ran :
sourceanalyzer -b lenya -Xmx1200M -scan -f lenya.fpr
but I got the same error. I'm not sure if this is because I am doing something wrong or if it is something that Fortify is not doing correctly. Any insight will be great.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
我不确定您是否有权访问 Fortify 文档,但这肯定会有所帮助。 您应该参阅《SCA 用户指南》以了解如何使用 sourceanalyzer 可执行文件。
简而言之,有两种获取 FPR 文件的方法:(
我更喜欢前者,因为它在处理大型代码库时具有可定制性。
PS:这是哪个版本的Fortify?
I'm not sure whether you have access to the Fortify documentation, but that will definitely help. You should refer to the SCA User's Guide to understand how to use the sourceanalyzer executable.
To cut things short, there are two ways of getting the FPR file:
I prefer the former due to its customizability when handling large code bases.
PS: Which version of Fortify is this?
不要使用非接触式命令,该命令用于 C/C++ 集成。 由于 Lenya 是用 Java 编写的,因此您最好使用其他命令。 尝试执行您的第一个翻译步骤(从您的基本 lenya 目录运行):
Don't use the touchless command, that is for C/C++ Integration. Since Lenya is written in Java, you're better off with other commands. Try this for your first translation step (run from your base lenya dir):
您使用的命令实际上可以与 Java 构建一起使用,但它有一些限制。 使用非接触式构建包装器会创建许多编译器包装器(例如 javac),并将包装器放在 PATH 环境变量的前面。
如果您的 build.sh 脚本包含对 javac 的完全限定引用,例如 /usr/java/bin/javac,则非接触式构建集成将不起作用。
user233276 的说明是最广泛有用的。 如果您想尝试 Fortify SCA 构建集成,我建议该技术是修改 build.sh(请参阅 http://svn.apache.org/viewvc/lenya/trunk/build.sh?view=markup&pathrev=400414)并更改第 43 行from:
to:
请参阅《Fortify SCA 用户指南》了解三种类型的 ant 集成:
覆盖 build.compiler 属性:
ant -lib sourceanalyzer.jar {Fortify ant options} {ant options}
上图:
sourceanalyzer -b {Fortify options} ant {ant options}
或者,如果您将自定义 build.xml 制作为见附录:
ant -lib sourceanalyzer.jar {ant options}
The command you used actually could work with Java builds, except that it has some limitations. Using the touchless build wrapper creates a number of compiler wrappers, e.g. for javac, and puts the wrappers at the front of the PATH environment variable.
If your build.sh script contains fully qualified references to javac, for example /usr/java/bin/javac, then the touchless build integration will not work.
user233276's instructions are the most broadly useful. If you want to experiment with Fortify SCA build integration, I would suggest the technique would be to modify build.sh (see http://svn.apache.org/viewvc/lenya/trunk/build.sh?view=markup&pathrev=400414) and change line 43 from:
to:
See the Fortify SCA User Guide for the three types of ant integration:
Override the build.compiler property:
ant -lib sourceanalyzer.jar {Fortify ant options} {ant options}
Shortcut to the above:
sourceanalyzer -b {Fortify options} ant {ant options}
Or, if you make a custom build.xml as shown in the appendix:
ant -lib sourceanalyzer.jar {ant options}