Software Security/Fortify

From Werkplaats

Installation and usage

We have a Fortify educational license until 17-06-2011. To get the tool working, follow these instructions:

  • Mail Fabian (f.vandenbroek@cs.ru.nl) for a login to the Fortify site (one login per group).
  • Use the login credentials to log in to the Fortify site and download the following:
    • "Fortify 360 v3.0.0 Analyzers and Apps" for your OS and architecture
    • the license file (L09568559-81c7-4575-9886-1a3c338358fe).
  • Unpack "Fortify 360 v3.0.0 Analyzers and Apps" and place the license file in the Fortify main directory.
  • Run the "fortifyupdate" program, which installs the rulepacks.
  • Run sourceanalyzer on the PHP project in three steps (clean the build, translate the sources, scan), e.g. for Linux:
    • >sourceanalyzer -b someprojectname -clean
    • >sourceanalyzer -b someprojectname "<phpBB-dir>/**/**/**/*.php"
    • >sourceanalyzer -b someprojectname -scan -f someoutputfile.fpr
  • Examine the output file with the auditworkbench program.


Problems and fixes

  • The tool might complain that there are problems with insufficient memory. By default, Fortify allocates 600MB of memory for its sourceanalyzer. If this is not enough, you can use the -Xmx switch to increase the memory. -Xmx800M should be more than enough for phpBB2. --Roberto Lie 13 apr 2011 14:02 (UTC)
  • The project name (the argument to -b) is an arbitrary string, but it must be the same in every sourceanalyzer invocation: clean, translate and scan.
  • The output file should have the .fpr extension. I didn't know this at first and gave it a .txt extension, and amazingly, the result is a plaintext file that does contain all the scan results but cannot be opened in Audit Workbench. Using the .fpr extension makes a file in a different format (actually a zip file containing much more data). Peter Gyorok 28 apr 2011 23:11 (UTC)
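The following script is an added example, not something from the course page or from Fortify, that wraps the clean / translate / scan sequence from "Installation and usage" and builds in the three gotchas above: one build id for all three calls, the -Xmx heap switch, and a check that the output name ends in .fpr before anything is run. It assumes sourceanalyzer is on PATH; the build id, project directory, output name and heap size are illustrative, and it uses Fortify's `**` file specifier, which already matches any depth of subdirectories, so `**/*.php` is equivalent to the triple `**` on the page.

```shell
#!/bin/sh
# Added example (not from the course page or Fortify): wrapper around the
# clean / translate / scan sequence. Assumes `sourceanalyzer` is on PATH;
# build id, source dir, output name and heap size are illustrative.

# Audit Workbench only opens .fpr files; any other name yields a text dump.
is_fpr_name() {
    case "$1" in
        *.fpr) return 0 ;;
        *)     return 1 ;;
    esac
}

# Print the three sourceanalyzer command lines, one per line.
#   $1 build id (must be identical in all three calls)
#   $2 project directory   $3 output file   $4 JVM heap (default 800M)
fortify_commands() {
    build_id=$1; src=$2; out=$3; heap=${4:-800M}
    is_fpr_name "$out" || { echo "output file must end in .fpr: $out" >&2; return 1; }
    printf '%s\n' "sourceanalyzer -b $build_id -clean"
    # Fortify file specifier: ** matches any number of subdirectories.
    printf '%s\n' "sourceanalyzer -b $build_id \"$src/**/*.php\""
    # -Xmx raises the heap above the 600MB default for the scan phase.
    printf '%s\n' "sourceanalyzer -Xmx$heap -b $build_id -scan -f $out"
}

# Run the commands in order, stopping at the first failure.
# Set DRY_RUN=1 to only print them (useful without a Fortify install).
run_scan() {
    cmds=$(fortify_commands "$@") || return 1
    printf '%s\n' "$cmds" | while IFS= read -r cmd; do
        echo "+ $cmd"
        if [ -z "$DRY_RUN" ]; then
            eval "$cmd" || exit 1
        fi
    done
}

# Usage: DRY_RUN=1 sh fortify_scan.sh phpbb2 /path/to/phpBB2 phpbb2.fpr
if [ "$#" -ge 3 ]; then
    run_scan "$@"
fi
```

Run it once with DRY_RUN=1 to see the exact command lines before spending the scan time; a wrong output extension is rejected before the clean step runs, so an existing build is not discarded for nothing.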