Using results from Fortify Static Code Analyzer

  • Published 5 Nov 2020
  • This video goes deep into the various ways to use results from Fortify Static Code Analyzer to help you build secure software faster. Common ways to view Fortify on-premise static scan results:
    • Within the output from Source Analyzer (or ScanCentral) [4:15]
    • Within a Supported IDE [7:05]
    • Within Audit Workbench [11:53]
    • Within Fortify SSC [20:15]
    • Via output From CI Pipeline [25:46]
    • Using FPRUtility [28:40]
    • Via Fortify generated Reports [30:52]
    These are some of the ways to perform scans using Fortify Static Code Analyzer:
    1. From the CLI (command-line interface) or a script that uses Source Analyzer (this video)
    2. From the CLI or a script that uses ScanCentral
    3. Within a supported IDE (integrated development environment)
    4. As part of a CI Pipeline
    Two earlier videos looked at the ways to perform static scans in Fortify Static Code Analyzer.
    • SAST with Fortify: Scanning on the Command Line or a Script
    • SAST with Fortify: Scanning in an IDE
    Fortify Results include:
    • List of issues found and counts
    • Files scanned
    • Functions/Methods scanned
    • Statistics about the scanned code
    • Statistics about the scan environment
    Fortify Static Code Analyzer pinpoints the root cause of security vulnerabilities in the source code, prioritizes the most serious issues, and provides detailed guidance on how to fix them so developers can resolve issues in less time with centralized software security management.
    Learn more about Fortify Static Code Analyzer: www.microfocus.com/en-us/prod...
    LEARN MORE about Fortify: www.microfocus.com/en-us/solu...
    LEARN MORE about how Micro Focus was named a leader in the Gartner MQ for Application Security Testing: software.microfocus.com/en-us...
    LEARN MORE about how Fortify received the highest score in the Gartner Critical Capabilities for Application Security Testing report for the Enterprise use case AND the Mobile and Client use case: www.microfocus.com/en-us/asse...
    SUBSCRIBE TO FORTIFY UNPLUGGED: / @fortifyunplugged
    CONNECT with the Fortify Online Community: community.microfocus.com/t5/F...
    - Connect with peers and share your knowledge
    - Find solutions and answers to your technical questions
    - Stay informed on new releases and product enhancements
    - Access downloads, demos, videos and support tips
  • Science & Technology

COMMENTS • 4

  • @harithaguda3715 11 months ago

    I have executed a scan for a directory and uploaded the FPR in SSC, where I could see a privacy violation for a file. Later I executed a scan for that particular file and opened the FPR in Audit Workbench; there this violation type is not listed. Can you please guide me on what I am missing here?

    • @FortifyUnplugged 10 months ago

      Generally speaking, the exact same issues can be seen in Audit Workbench and Fortify SSC, although differences may occur as a result of filter settings. Based on the question, we can't be sure what's going on. One thing that might be the case: Audit Workbench by default opens with the "quick view" filter that hides all issues except the critical ones and a selection of the high-risk ones. By changing this (dropdown in the top-left corner) to "security auditor", you'll get to see all issues, which may help reconcile what you see with SSC.
      Also, you mention that you were looking at a scan of the directory in SSC and at a scan of a single file in AWB. Many things that Fortify SCA detects are the result of combining information from multiple files; that includes privacy violation issues. So, it also could be the case that Fortify simply didn't find the issue in the single-file scan.

  • @pavankumar145. 7 months ago

    How to set up Fortify in an EC2 Linux instance?

    • @FortifyUnplugged 6 months ago

      This question is a little vague. Do you want to set up Fortify Static Code Analyzer on an Amazon EC2 instance? Or do you want the entire Fortify ecosystem (SSC/ScanCentral/etc.)? I'm not too familiar with EC2, but I believe it's just like a regular VM. If you are asking about installing Fortify Static Code Analyzer, it's just like installing it on any VM. You just need to connect to your instance, transfer the Linux installer to that instance, and run it. Then you should be able to run Static Code Analyzer as usual. Hope that helps!