A manual for the Fortify scanning tool; it is useful as guidance for real work and explains things fairly clearly.
How Fortify SCA Analysis Works
[Architecture diagram; recoverable labels: Front-End (3rd party IDE plug-ins: Java, C/C++, Microsoft .NET, IBM Eclipse, Audit Workbench, PL/SQL, XML); Analysis Engine (Semantic, Global Data Flow, Control Flow, Configuration and Structural analyzers; fdi/fpr output); NST; Rules Builder (Custom and Pre-Packaged rules); Fortify Manager]
FORTIFY
The Fortify SCA Analysis Process
[Process diagram; recoverable labels: SCA Engine; translation of sources into intermediate files (NST); Scan phase using the Analyzers and the Rules; Analysis Result File; -b build id]
Stage one: Translation
Stage two: Analysis (Scan)
o sourceanalyzer -b -clean
o sourceanalyzer -b
o sourceanalyzer -b -Xmx1250m -scan -f results.fpr
The Fortify SCA Scanning Workflow
[Workflow diagram; recoverable labels: IDEs (Visual Studio; Eclipse, IBM RAD); Audit Workbench; languages (Java, .NET, C, C/C++, JSP, PL/SQL, TSQL); Build Tool; Touchless Build; Command Line Interface; Intermediate Model; FPR; Fortify Global Analysis; Fortify Manager; Secure Coding Rules; Fortify Customized Rules]
The Five Ways to Scan with Fortify SCA
● Plug-in: Plug-In (Eclipse, VS, WSAD, RAD)
● Command line: Command line
● Scan a directory: Audit Workbench Scan Folder
● Integration with other tools: Scan with Ant, Makefile
● Build monitor: Fortify SCA Build Monitor
The Four Steps of a Fortify SCA Scan
A Fortify SCA scan can be divided into four steps in total:
● 1. Clean (cleanup stage):
sourceanalyzer -b proName -clean
● 2. Translation (translation stage)
● 3. Show-files (inspection stage):
sourceanalyzer -b proName -show-files
● 4. Scan (scan stage):
sourceanalyzer -b proName -Xmx1250m -scan -f proName.fpr
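The four steps above, driven from one POSIX shell function. This is an added example, not a script from the original slides or from Fortify; it assumes `sourceanalyzer` is on PATH (or that SOURCEANALYZER points at it) and that the project's real compile command is passed after the build id and heap size. The function name `run_fortify_scan`, the build id `demo`, the compile command `javac -d build src/Main.java` and the SCA_DRY_RUN switch are all constructed for the example. It adds the check a practitioner wants between steps 3 and 4: an empty `-show-files` listing means the compile was not intercepted, and scanning an empty build produces a clean but meaningless FPR.

```shell
#!/bin/sh
# Added example (not from the original slides): run the four Fortify SCA steps
# - clean, translate, show-files, scan - for one build id.
# Assumptions: sourceanalyzer is on PATH or named by SOURCEANALYZER; the
# project compiles with the command given after the build id and heap size.
# SCA_DRY_RUN=1 prints each sourceanalyzer command instead of running it.

sca_cmd() {
  # Echo (dry run) or execute one sourceanalyzer invocation.
  if [ "${SCA_DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "${SOURCEANALYZER:-sourceanalyzer} $*"
  else
    "${SOURCEANALYZER:-sourceanalyzer}" "$@"
  fi
}

# Usage: run_fortify_scan <build-id> <heap, e.g. 1250m> <compile command...>
run_fortify_scan() {
  if [ $# -lt 3 ]; then
    echo "usage: run_fortify_scan <build-id> <heap> <compile command...>" >&2
    return 2
  fi
  build_id=$1
  heap=$2
  shift 2

  # Step 1 - Clean: discard intermediate files left by an earlier run of this build id.
  sca_cmd -b "$build_id" -clean || return 1

  # Step 2 - Translation: wrap the real compile command so SCA sees every source file.
  sca_cmd -b "$build_id" "$@" || return 1

  # Step 3 - Show-files: list what was translated. An empty list means the
  # compiler was not intercepted, so there is nothing worth scanning.
  files=$(sca_cmd -b "$build_id" -show-files) || return 1
  printf '%s\n' "$files"
  if [ "${SCA_DRY_RUN:-0}" != "1" ] && [ -z "$files" ]; then
    echo "error: translation produced no files for build id $build_id" >&2
    return 1
  fi

  # Step 4 - Scan: run the analyzers against the rules and write the FPR,
  # with the JVM heap raised as on the slide (-Xmx1250m).
  sca_cmd -b "$build_id" "-Xmx$heap" -scan -f "$build_id.fpr"
}

# Offline demonstration with a constructed compile command (example values only).
if ! command -v "${SOURCEANALYZER:-sourceanalyzer}" >/dev/null 2>&1; then
  echo "note: sourceanalyzer not found on PATH; printing commands instead" >&2
  SCA_DRY_RUN=1
fi
run_fortify_scan demo 1250m javac -d build src/Main.java
```

Keeping the build id in one variable is deliberate: all four steps must use the same `-b` value, and mixing ids between translation and scan is the usual cause of an unexpectedly empty result file.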
Fortify SCA Command-Line Parameters
View the SCA scan commands and parameters: sourceanalyzer

    C:\WINDOWS\system32\cmd.exe
    Microsoft Windows XP [版本 5.1.2600]
    (C) 版权所有 1985-2001 Microsoft Corp.

    C:\Documents and Settings\anming>sourceanalyzer --help
    Fortify Source Code Analyzer [version number garbled in scan]
    Copyright (c) 2003-2006 Fortify Software

    Usage
      Build
        Java:   sourceanalyzer -b
                sourceanalyzer -b javac
        C/C++:  sourceanalyzer -b
        .NET:   sourceanalyzer -b
      Scan
        sourceanalyzer -b -scan -f results.fpr
    Output options
      -format
        Controls the output format. Valid options are auto, fpr, fvdl, and text. D