
Using SCA (Eclipse Plug-in Edition)


butlerj

Presentation Transcript


  1. Using SCA (Eclipse Plug-in Edition)

  2. Using SCA • In this course, you will learn: • How to install and configure SCA • How to scan a project and triage the results • How to filter the issues • How to handle the FPRs • How to generate reports

  3. Using SCA • Installation and configuration • Scanning a project with the GUI interfaces • Issue Filtering • Handling FPRs • Reporting

  4. System Requirements • Supported Platforms: • HPUX 11v1 • AIX 5.2 • Linux Fedora 7, ES 4/5, SUSE 10 • Mac OS X 10.4, 10.5 • Solaris 8, 9 (SPARC only), 10 (SPARC and Intel x86) • Windows 2003/XP (x86 and x64), 2000/Vista (x86 only) • Supported IDEs: • Visual Studio 2003/5/8 • Eclipse 3.x-based IDE • IBM WSAD (Eclipse 2.0-based) • Hardware: • High-end processor • At least 1 GB of RAM (2 GB recommended) • 2 GB of hard disk

  5. Installation (Windows only)

  6. Installation Accept the license agreement to continue

  7. Installation Choose the folder that contains the license file. Get the license file from your Fortify Champion; it is always named fortify.license.

  8. Installation You can install Eclipse after you have installed SCA, but you need to have VS 2003/5/8 installed before you can install the VS plug-in. A command-line add-in does not load when you start the Visual Studio 2005 SP1 IDE (only on SP1): see KB934517, http://support.microsoft.com/kb/934517

  9. Installation If you have a previous version of SCA, the installer can migrate the old settings to the new version.

  10. Installation You can change the server settings after installation through the GUI or through scapostinstall.

  11. Installation You can download rulepacks later, but if you have no rulepack downloaded the scan will not find any vulnerability. A scan with no rulepacks produces an empty result, not a clean one; check that rulepacks are installed before trusting a result with zero findings.

  12. Installation

  13. Eclipse (3.4.x) post-installation steps, from <Fortify_install_dir>/bin/: step 1, then step 2

  14. Eclipse (3.3 and older) post-installation step: <install_path>\Core\Plugins\eclipse

  15. <Install_dir>/bin/scapostinstall • Set the Fortify Manager or Fortify 360 Server URL (requires a server login name and password) • Rulepack update location • Change your language • Etc.

  16. Configuration: Fortify Software → Options

  17. Server Configuration: SCA version; where to DOWNLOAD rulepacks; where to UPLOAD scan results

  18. Server Configuration: If you have an F360 server, download rulepacks from the F360 server and type your F360 server URL in this box. You need an account on the F360 server to complete the setup. By default, rulepacks are updated every 15 days.

  19. Typical Configuration (Download rulepack): the F360 server on the corporate network downloads rulepacks from Fortify.com over the Internet; the desktops download rulepacks from the F360 server.

  20. Typical Configuration (Upload FPR): the desktops upload scan results (FPR files) to the F360 server on the corporate network.

  21. Command Line Alternative • You can also change the rulepack download URL and the Fortify Manager URL from scapostinstall

  22. Rulepack Management: existing rulepack version; click to download new rulepacks manually

  23. Other Alternatives for Downloading Rulepacks • You can also run <install_path>\bin\rulepackupdate.bat (for example as a scheduled job) • You can also log in to http://customerportal.fortify.com (Customer Portal), click Download Rulepack, and unzip all the files into <install_path>\Core\Config\rules

  24. Default Project Settings (for IDE Plug-in only): set up memory. By default, a Java application can only use 600 MB of heap memory; set this value properly if you have more than 1 GB of memory.

  25. Max memory you can set • Due to the 32-bit OS limitation, the max heap memory you can set for a Java application is roughly as follows: • Linux 2.4 - 1800 MB • Linux 2.6 - 2650 MB • Windows 2000 - 1500 MB • Windows 2003 - 1500 MB • Windows XP - 1250 MB • Mac OS X - 1800 MB • AIX 5.2 - no limit • Solaris 8 - 1800 MB • Your physical memory should be at least 200 MB larger than the SCA memory setting here • SCA supports 64-bit OSes as well

  26. Max Memory • For the Eclipse Plug-in, you may want to set up the Eclipse memory as well • Open your eclipse.ini (inside your Eclipse directory) and change the "-Xmx" value directly, e.g. "-Xmx1250m" • You can also set the max memory via environment variables: • SCA_VM_OPTS=-Xmx1250m • AWB_VM_OPTS=-Xmx1250m

  27. Using SCA • Installation and configuration • Scanning a project with the GUI interfaces • Issue Filtering • Handling FPRs • Reporting

  28. Your First Scan Eclipse menu: File → New Project → Java Project; sample project: <install_path>\Sample\basic\EightBall

  29. Your First Scan Highlight the project you want to scan and then click the "F" icon. Note: make sure all libraries are included and the source code compiles before you scan; unresolved symbols mean missed dataflow.

  30. Right click → Scan the selected component. Scanning a component only is not recommended: SCA will only look at that particular package, and since the package may reference other packages, there will be many unresolvable symbols. Scan the whole project instead.

  31. Your First Scan: Eclipse Analysis Result panels: Source Code; Analysis Tracer; Summary and details

  32. Analysis Results Panel: Default 3+1 folders: Hot, Warning, Info, ALL (customizable through Project Configuration). Default grouping is by Category; you can also group by file name, package name, etc., and create new groupings and sub-groupings. "0/40" means a total of 40 SQL Injection issues, of which you have reviewed 0 (zero).

  33. The issue title is the last node in the analysis trace (sink function)

  34. The sub-group title is the first node of the analysis trace (source function). Here two issues have the same sink function.

  35. SCA considers this as two issues (two different sources reaching the same sink):
      File1.java:123 → File1.java:222 → File1.java:333 → sink.java:10
      File2.java:456 → File2.java:567 → File2.java:789 → sink.java:10

  36. SCA considers this as ONE issue (one source, two paths to the same sink):
      File1.java:123 → File1.java:222 / File2.java:567 → File1.java:333 / File2.java:789 → sink.java:10

  37. Counted as ONE issue
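The counting rule behind slides 32 to 37 (issue title = sink, sub-group = source, several paths between the same source and sink fold into one issue, "reviewed/total" per category) as an added worked model; this is example code, not Fortify's implementation, and the traces are constructed to mirror the File1/File2/sink.java figures above.

```python
"""Model of how SCA groups and counts dataflow issues (added example, not
Fortify code). A trace is a list of "file:line" nodes; the first node is
the source, the last node is the sink."""
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Trace:
    category: str                 # e.g. "SQL Injection"
    nodes: List[str]              # ["File1.java:123", ..., "sink.java:10"]
    analysis: Optional[str] = None  # audit value; None = not yet reviewed

    @property
    def source(self) -> str:
        return self.nodes[0]

    @property
    def sink(self) -> str:
        return self.nodes[-1]


def group_issues(traces):
    """Return {category: {sink: {source: [paths]}}}.
    Distinct (category, sink, source) keys are distinct issues; several
    paths between the same source and sink fold into one issue."""
    groups = defaultdict(lambda: defaultdict(lambda: defaultdict(list)))
    for t in traces:
        groups[t.category][t.sink][t.source].append(t)
    return groups


def issue_count(traces, category) -> int:
    """Number of distinct issues shown under one category folder."""
    groups = group_issues(traces)
    return sum(len(sources) for sources in groups[category].values())


def review_ratio(traces, category):
    """(reviewed, total) for a category, as in the panel's '0/40' label.
    An issue counts as reviewed once any of its paths has an analysis value."""
    groups = group_issues(traces)
    total = reviewed = 0
    for sources in groups[category].values():
        for paths in sources.values():
            total += 1
            if any(p.analysis is not None for p in paths):
                reviewed += 1
    return reviewed, total


# Constructed sample traces mirroring slides 35-37.
SAMPLE = [
    # Two different sources reaching sink.java:10 -> two issues (slide 35)
    Trace("SQL Injection",
          ["File1.java:123", "File1.java:222", "File1.java:333", "sink.java:10"]),
    Trace("SQL Injection",
          ["File2.java:456", "File2.java:567", "File2.java:789", "sink.java:10"]),
    # Same source as the first trace, alternate path through File2 to the
    # same sink -> folded into the first issue (slide 36), already audited
    Trace("SQL Injection",
          ["File1.java:123", "File2.java:567", "File2.java:789", "sink.java:10"],
          analysis="Exploitable"),
]

if __name__ == "__main__":
    print("issues:", issue_count(SAMPLE, "SQL Injection"))       # 2
    print("reviewed/total:", review_ratio(SAMPLE, "SQL Injection"))  # (1, 2)
```

The practical consequence is that auditing one path of an issue marks the whole issue reviewed, so a "Not an Issue" set on one path silently covers the alternate paths to the same sink; check the Analysis Tracer for the other paths before closing an issue.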

  38. Summary Panel: short description of the vulnerability; detailed description of the vulnerability; how to fix this vulnerability; set the analysis value; type your comment here; submit to the bug tracking system; suppress this issue

  39. History Panel Comments are threaded. When you change the analysis value, suppress an issue, or type in a comment, the activity is logged.

  40. Diagram Panel: Standard UML call graph

  41. Reviewed Issues When you set the analysis value, the icon changes; each value maps to a different icon. Here: total 2 issues, 1 reviewed.

  42. Project Summary

  43. Project Summary If someone tampers with the FPR file directly, the result certification becomes invalid. Check the certification status before trusting an FPR you did not produce yourself.

  44. Project Summary Logical LOC: SCA doesn't count blank lines, comments, etc. Total LOC: SCA doesn't count HTML, XML, or properties files. The list of all scanned files is the same as: sourceanalyzer -b build_id -show-files

  45. Project Summary Build warnings (scan phase only): missing jars/libraries, invalid files, etc. You should review the build warnings; a missing library means unresolved symbols and missed dataflow. Same as running: sourceanalyzer -b build_id -show-build-warnings
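The command-line equivalent of the IDE flow on slides 28 to 45 (translate with -b build_id, list files, check build warnings, then scan), with the build-warning gate enforced, as an added example; this is not a Fortify-supplied script. The sourceanalyzer flags used (-b, -clean, -cp, -Xmx, -show-files, -show-build-warnings, -scan, -f) are the documented ones; the project paths and the assumption that -show-build-warnings prints nothing when there are no warnings are this example's own.

```python
"""Translate -> check build warnings -> scan wrapper for sourceanalyzer
(added example, not Fortify's own tooling). Assumes sourceanalyzer is on
PATH; the EightBall paths below are assumptions taken from the deck."""
import glob
import subprocess

SOURCEANALYZER = "sourceanalyzer"


def translate_cmd(build_id, classpath, sources, xmx="1250m"):
    """Translation step; -cp lists the libraries so symbols resolve."""
    return [SOURCEANALYZER, f"-Xmx{xmx}", "-b", build_id, "-cp", classpath, *sources]


def show_files_cmd(build_id):
    """Same listing as the Project Summary's scanned-files panel."""
    return [SOURCEANALYZER, "-b", build_id, "-show-files"]


def show_build_warnings_cmd(build_id):
    """Same listing as the Project Summary's build-warnings panel."""
    return [SOURCEANALYZER, "-b", build_id, "-show-build-warnings"]


def scan_cmd(build_id, out_fpr, xmx="1250m"):
    """Scan step writing an FPR; -Xmx mirrors the SCA_VM_OPTS setting."""
    return [SOURCEANALYZER, f"-Xmx{xmx}", "-b", build_id, "-scan", "-f", out_fpr]


def has_build_warnings(warnings_output: str) -> bool:
    """Gate: any non-blank line means something (a missing jar, an invalid
    file) did not translate. Assumption: no output means no warnings."""
    return any(line.strip() for line in warnings_output.splitlines())


def run(cmd):
    """Run one sourceanalyzer invocation and return its stdout."""
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def scan_project(build_id, classpath, sources, out_fpr):
    """Full flow; refuses to scan a build that translated with warnings,
    because a scan over unresolved symbols under-reports dataflow issues."""
    run([SOURCEANALYZER, "-b", build_id, "-clean"])
    run(translate_cmd(build_id, classpath, sources))
    warnings = run(show_build_warnings_cmd(build_id))
    if has_build_warnings(warnings):
        raise RuntimeError("translation warnings, fix before scanning:\n" + warnings)
    run(scan_cmd(build_id, out_fpr))
    return out_fpr


if __name__ == "__main__":
    # Assumed layout: the deck's sample project with its jars under lib/
    srcs = glob.glob("Sample/basic/EightBall/**/*.java", recursive=True)
    print(scan_project("EightBall", "lib/*.jar", srcs, "EightBall.fpr"))
```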

  46. Using SCA • Installation and configuration • Scanning a project with the GUI interfaces • Issue Filtering • Handling FPRs • Reporting

  47. Issue Filtering • Suppression • Filter Set and Visibility Filter • Audit Guide • Use Filter text file • Custom Rule

  48. Suppression: suppress a single instance (right click on an instance) or every instance in a group (right click on a group)

  49. Suppression Suppress all instances whose trace calls the clean() function. Search function: tracenode matches "clean". Review the matched set before suppressing: the pattern matches any trace node containing "clean", not only the sanitizer.
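The tracenode-matches suppression from slide 49 as an added worked example, including the failure mode of an over-broad pattern; this models the search semantics and is not Fortify's filter engine. The three issues, their trace nodes, and the function names (getParameter(), clean(), cleanupTemp(), executeQuery()) are constructed for the example.

```python
"""Suppression by trace-node pattern (added example, not Fortify code).
Each issue is (category, [trace nodes as "file:line function()"])."""
import re

# Constructed sample: three SQL Injection traces into the same sink.
ISSUES = [
    ("SQL Injection", ["Login.java:40 getParameter()",
                       "Util.java:12 clean()",          # the sanitizer
                       "Dao.java:88 executeQuery()"]),
    ("SQL Injection", ["Search.java:22 getParameter()",
                       "Dao.java:88 executeQuery()"]),
    ("SQL Injection", ["Admin.java:15 getParameter()",
                       "Util.java:30 cleanupTemp()",    # not a sanitizer
                       "Dao.java:88 executeQuery()"]),
]


def tracenode_matches(issue, pattern: str) -> bool:
    """True when any node on the trace matches the regex, i.e. the
    'tracenode matches' search-box semantics modelled here."""
    rx = re.compile(pattern)
    return any(rx.search(node) for node in issue[1])


def suppress(issues, pattern: str):
    """Split issues into (kept, suppressed) for a tracenode-matches rule."""
    kept, suppressed = [], []
    for issue in issues:
        (suppressed if tracenode_matches(issue, pattern) else kept).append(issue)
    return kept, suppressed


if __name__ == "__main__":
    # Loose pattern: also hides the cleanupTemp() path, a true positive.
    kept, sup = suppress(ISSUES, "clean")
    print("loose:", len(kept), "kept,", len(sup), "suppressed")   # 1 kept, 2 suppressed
    # Anchored pattern: only the path through clean() is suppressed.
    kept, sup = suppress(ISSUES, r"\bclean\(\)")
    print("tight:", len(kept), "kept,", len(sup), "suppressed")   # 2 kept, 1 suppressed
```

Anchoring the pattern to the exact function name (and, where the project allows, the file) keeps a suppression from growing as new code with similar names is added; the suppressed view on the next slide is where to confirm what a rule actually removed.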

  50. View Suppressed Issues
