
Using SCA (Visual Studio Plug-in Edition)


mjent




Presentation Transcript


  1. Using SCA (Visual Studio Plug-in Edition)

  2. Using SCA • In this course, you will learn: • How to install and configure SCA • How to scan a project and triage the results • How to filter the issues • How to handle the FPRs • How to generate reports

  3. Using SCA • Installation and configuration • Scanning a project with the GUI interfaces • Issue Filtering • Handling FPRs • Reporting

  4. System Requirements
  • Supported Platforms:
    • HP-UX 11v1
    • AIX 5.2
    • Linux Fedora 7, ES 4/5, SUSE 10
    • Mac OS X 10.4, 10.5
    • Solaris 8, 9 (SPARC only), 10 (SPARC and Intel x86)
    • Windows 2003/XP (x86 and x64), 2000/Vista (x86 only)
  • Supported IDEs:
    • Visual Studio 2003/5/8
    • Eclipse 3.x based IDEs
    • IBM WSAD (Eclipse 2.0 based)
  • Hardware:
    • High-end processor
    • At least 1 GB of RAM (2 GB recommended)
    • 2 GB of hard disk

  5. Installation (Windows only)

  6. Installation Accept the license agreement to continue

  7. Installation • Choose the folder that contains the license file; get the license file from your Fortify Champion. The license file is always named fortify.license.

  8. Installation • You can install Eclipse after you have installed SCA, but you need to have VS 2003/5/8 installed before you can install the VS plug-in. • Known issue: a command-line add-in does not load when you start the Visual Studio 2005 SP1 IDE (SP1 only); see KB934517: http://support.microsoft.com/kb/934517

  9. Installation • If you have a previous version of SCA installed, the installer can migrate the old settings to the new version.

  10. Installation • You can change the server settings after installation through the GUI or through scapostinstall.

  11. Installation • You can download rulepacks later, but if you have no rulepack downloaded, a scan will not find any vulnerabilities: it completes with zero issues, which is not a clean result.

  12. Installation

  13. <Install_dir>/bin/scapostinstall
  • Set the Fortify Manager or Fortify 360 Server URL (requires a server login name and password)
  • Rulepack update location
  • Change your language
  • etc.

  14. Configuration • Menu: Fortify Software → Options

  15. Server Configuration • The Options dialog shows the SCA version, where rulepacks are DOWNLOADED from, and where scan results are UPLOADED to.

  16. Server Configuration • If you have an F360 server, download rulepacks from the F360 server: type your F360 server URL in this box. • You need an account on the F360 server to complete the setup. • By default, rulepacks are updated every 15 days.

  17. Typical Configuration (Download rulepack) • The F360 Server on the corporate network downloads rulepacks from Fortify.com over the Internet; the desktops download rulepacks from the F360 Server.

  18. Typical Configuration (Upload FPR) • The desktops on the corporate network upload their scan results (FPR files) to the F360 Server.

  19. Command Line Alternative • You can change the rulepack download URL and Fortify Manager URL from scapostinstall as well

  20. Rulepack Management • Shows the existing rulepack version; click to download new rulepacks manually.

  21. Other Alternatives for Downloading Rulepacks • You can run <install_path>\bin\rulepackupdate.bat as well (for example as a scheduled job) • You can also log in to the Customer Portal at http://customerportal.fortify.com, click download rulepack, and then unzip all the files into <install_path>\Core\Config\rules

  22. Default Project Settings • Set up memory: by default, a Java application can only use 600 MB of heap memory. Set this value properly if you have more than 1 GB of memory.

  23. Max memory you can set
  • Due to 32-bit OS limitations, the max heap memory you can set for a Java application is roughly as follows:
    • Linux 2.4 - 1800 MB
    • Linux 2.6 - 2650 MB
    • Windows 2000 - 1500 MB
    • Windows 2003 - 1500 MB
    • Windows XP - 1250 MB
    • Mac OS X - 1800 MB
    • AIX 5.2 - no limit
    • Solaris 8 - 1800 MB
  • Your physical memory should be at least 200 MB larger than the SCA memory setting here
  • SCA supports 64-bit OSes as well

  24. Max Memory
  • For the Eclipse plug-in, you may want to set up Eclipse memory as well
  • Open your eclipse.ini (inside your eclipse directory) and change the “-Xmx” value directly, e.g. “-Xmx1250m”
  • You can also set the max memory via environment variables:
    • SCA_VM_OPTS=-Xmx1250m
    • AWB_VM_OPTS=-Xmx1250m

  25. Using SCA • Installation and configuration • Scanning a project with the GUI interfaces • Issue Filtering • Handling FPRs • Reporting

  26. Your First Scan <install_path>\Samples\advanced\csharp\VS2005\Sample1

  27. Your First Scan • Note: make sure all libraries are included and the source code compiles before you scan; libraries missing from the build show up as build warnings and the dataflow through them is lost.

  28. Scan a project only If you have multiple projects within a solution, you can scan a particular project

  29. Your First Scan • The results view has four parts: Analysis Results, Source Code, Summary and details, and Analysis Trace.

  30. Analysis Results Panel • Default 3+1 folders: Hot, Warning, Info, and All; customizable through Project Configuration. • Default grouping is by Category; you can also group by file name, package name, etc., and create new groupings and sub-groupings. • “0/40” means 40 SQL Injection issues in total, of which you have reviewed 0 (zero).

  31. The issue title is the last node in the analysis trace (the sink function)

  32. The sub-group title is the first node of the analysis trace (the source function). Here two issues have the same sink function.

  33. SCA considers this as TWO issues (two different sources into the same sink):
  • File1.java:123 → File1.java:222 → File1.java:333 → sink.java:10
  • File2.java:456 → File2.java:567 → File2.java:789 → sink.java:10

  34. SCA considers this as ONE issue (one source, two paths into the same sink):
  • File1.java:123 → File1.java:222 → File1.java:333 → sink.java:10
  • File1.java:123 → File2.java:567 → File2.java:789 → sink.java:10

  35. Counted as ONE issue

  36. Summary Panel • Short description of the vulnerability • Detailed description of the vulnerability • How to fix this vulnerability • Set the analysis value • Type your comment here • Submit to bug tracking system • Suppress this issue

  37. History Panel • Comments are threaded. • When you change the analysis value, suppress an issue, or type in a comment, the activity is logged.

  38. Diagram Panel: Standard UML call graph

  39. Reviewed Issues • When you set the analysis value, the icon changes; each value maps to a different icon. • Example: 2 issues in total, 1 reviewed.

  40. Project Summary

  41. Project Summary • Logical LOC: SCA doesn’t count blank lines, comments, etc. • The result certification is an integrity check on the result file: if someone tampers with the file directly, the certification becomes invalid.

  42. Project Summary • The list of all scanned files. Same as: # sourceanalyzer -b build_id -show-files

  43. Project Summary • Build warnings (scan phase only): missing jars/libraries, invalid files, etc. You should review the build warnings. Same as running: # sourceanalyzer -b build_id -show-build-warnings

  44. Using SCA • Installation and configuration • Scanning a project with the GUI interfaces • Issue Filtering • Handling FPRs • Reporting

  45. Issue Filtering • Suppression • Filter Set and Visibility Filter • Audit Guide • Use Filter text file • Custom Rule

  46. Suppression • Right-click on an instance to suppress that instance • Right-click on a group to suppress the whole group

  47. Suppression • Suppress all instances whose trace calls the “clean()” function. Search function: tracenode matches “clean”

  48. View suppressed issues

  49. Unsuppress issue • If you enabled “Show Suppressed Issues”, the total suppressed issue count is shown in the title as well; Hot (117) does not contain the Suppressed (1) issues. • Suppressed issues have their own icon. • Right-click to un-suppress the issue.
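The grouping rule from slides 31 to 35 (one issue per distinct source/sink pair, extra paths between the same pair are folded into that issue) and the “tracenode matches” suppression from slides 47 and 49 (suppressed issues leave the folder counts but are counted separately) are easy to get wrong when reading an FPR by hand, so here is a small model of both in one script. This is an added example written for this page, not code from the Fortify course or from SCA itself; the trace strings, file names, categories and the `clean()` sanitizer are constructed sample data, and the use of a regular expression for the “matches” search is an assumption of the example.

```python
"""Added example: how SCA groups analysis traces into issues (slides 31-35)
and what suppressing every issue whose trace passes through a given
function does to the counters (slides 47 and 49).
All sample data below is constructed; only the grouping rule
(one issue per category/source/sink) is taken from the slides.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Trace:
    category: str      # e.g. "SQL Injection"
    nodes: list[str]   # "file:line" (or "file:line:function") from source to sink

    @property
    def source(self) -> str:   # first node: the sub-group title (slide 32)
        return self.nodes[0]

    @property
    def sink(self) -> str:     # last node: the issue title (slide 31)
        return self.nodes[-1]


@dataclass
class Issue:
    category: str
    source: str
    sink: str
    traces: list[Trace] = field(default_factory=list)
    suppressed: bool = False
    reviewed: bool = False


def group_issues(traces: list[Trace]) -> list[Issue]:
    """One issue per (category, source, sink). A second path between the same
    source and sink is attached to the existing issue, not counted again
    (slide 34); a different source into the same sink is a new issue (slide 33)."""
    issues: dict[tuple[str, str, str], Issue] = {}
    for t in traces:
        key = (t.category, t.source, t.sink)
        issues.setdefault(key, Issue(t.category, t.source, t.sink)).traces.append(t)
    return list(issues.values())


def suppress_where_tracenode_matches(issues: list[Issue], pattern: str) -> int:
    """Suppress every issue that has a trace node matching `pattern`
    (assumption: a regular expression stands in for the search's "matches").
    Returns how many issues were newly suppressed."""
    rx = re.compile(pattern)
    newly = 0
    for issue in issues:
        if issue.suppressed:
            continue
        if any(rx.search(node) for t in issue.traces for node in t.nodes):
            issue.suppressed = True
            newly += 1
    return newly


def folder_summary(issues: list[Issue]) -> tuple[dict[str, str], int]:
    """Per-category "reviewed/total" strings like the "0/40" on slide 30,
    computed over visible issues only, plus the separate suppressed count
    that the folder totals do not include (slide 49)."""
    per_category: dict[str, list[int]] = defaultdict(lambda: [0, 0])
    for issue in issues:
        if issue.suppressed:
            continue
        per_category[issue.category][1] += 1
        if issue.reviewed:
            per_category[issue.category][0] += 1
    counts = {c: f"{reviewed}/{total}" for c, (reviewed, total) in per_category.items()}
    return counts, sum(1 for i in issues if i.suppressed)


# Constructed sample traces modelled on the shapes in slides 33 and 34.
SAMPLE_TRACES = [
    # slide 33 shape: two different sources into one sink -> TWO issues
    Trace("SQL Injection", ["File1.java:123", "File1.java:222", "File1.java:333", "sink.java:10"]),
    Trace("SQL Injection", ["File2.java:456", "File2.java:567", "File2.java:789", "sink.java:10"]),
    # slide 34 shape: one source, two paths into the same sink -> ONE issue
    Trace("Cross-Site Scripting", ["Form.java:12", "Form.java:40", "View.java:88"]),
    Trace("Cross-Site Scripting", ["Form.java:12", "Util.java:7", "View.java:88"]),
    # passes through the assumed sanitizer clean(): the slide 47 suppression target
    Trace("Cross-Site Scripting", ["Form.java:55", "Sanitizer.java:20:clean()", "View.java:88"]),
]


def demo() -> tuple[int, int, dict[str, str], int]:
    """Group, review one issue, suppress the clean() paths, and report."""
    issues = group_issues(SAMPLE_TRACES)
    issues[0].reviewed = True                      # auditor sets an analysis value
    newly = suppress_where_tracenode_matches(issues, r"clean\(\)")
    counts, total_suppressed = folder_summary(issues)
    return len(issues), newly, counts, total_suppressed


if __name__ == "__main__":
    print(demo())
```

Running it gives four issues out of five traces, one suppressed, and folder counts of 1/2 SQL Injection and 0/1 Cross-Site Scripting with the suppressed issue reported separately, which is the behaviour slide 49 describes. Note that the suppression only hides issues whose trace goes through `clean()`; it does not verify that `clean()` actually neutralises the data, so the History panel entry it leaves behind (slide 37) is what a later reviewer has to check.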

  50. Issue Filtering • Suppression • Filter Set and Visibility Filter • Audit Guide • Use Filter text file • Custom Rule
