Fortify Source Analyzer and Apache Lenya
Note: this page is a Chinese/English translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverflow
Original: http://stackoverflow.com/questions/1161101/
Asked by
I am trying to use Fortify Source Code Analyzer for a research project at my school to test the security for open source Java web applications. I am currently working on Apache Lenya. I am working with the last stable release (Lenya v2.0.2).
Inside the root directory there is a file named build.sh. This file is called to build Lenya using the version of Ant that ships with the release (in the tools/bin folder). I can build Lenya just fine when I run ./build.sh. So, it would be assumed that running the following command in Fortify would work:
sourceanalyzer -b lenya -Xmx1200M touchless ./build.sh
However, when I try and run:
sourceanalyzer -b lenya -Xmx1200M -scan -f lenya.fpr
I get:
build id Lenya not found.
I looked at the build.sh file and noticed that it was just resetting the current ant home, classpath, and ant options variables, running the ant build command, and resetting the values back to their defaults. So I reset all of the variables manually (without the script) instead of running the script and ran:
sourceanalyzer -b lenya -Xmx1200M touchless tools/bin/ant -logger org.apache.tools.ant.NoBannerLogger
Then I ran:
sourceanalyzer -b lenya -Xmx1200M -scan -f lenya.fpr
but I got the same error. I'm not sure if this is because I am doing something wrong or if it is something that Fortify is not doing correctly. Any insight will be great.
Accepted answer by Vineet Reynolds
I'm not sure whether you have access to the Fortify documentation, but that will definitely help. You should refer to the SCA User's Guide to understand how to use the sourceanalyzer executable.
To cut things short, there are two ways of getting the FPR file:
- (The long way) Write a script to translate and analyse the source code by providing the path of the source code and the classpath to the sourceanalyzer executable.
- (The short way) Use the SCACompiler instead of javac as the compiler. You'll need to modify the build script for this.
I prefer the former due to its customizability when handling large code bases.
PS: Which version of Fortify is this?
Answer by user233276
Don't use the touchless command, that is for C/C++ Integration. Since Lenya is written in Java, you're better off with other commands. Try this for your first translation step (run from your base lenya dir):
sourceanalyzer -b lenya -Xmx1200M -source 1.5 -cp "**/*.jar" "**/*"
Answer by Douglas Held
The command you used actually could work with Java builds, except that it has some limitations. Using the touchless build wrapper creates a number of compiler wrappers, e.g. for javac, and puts the wrappers at the front of the PATH environment variable.
If your build.sh script contains fully qualified references to javac, for example /usr/java/bin/javac, then the touchless build integration will not work.
user233276's instructions are the most broadly useful. If you want to experiment with Fortify SCA build integration, I would suggest the technique would be to modify build.sh (see http://svn.apache.org/viewvc/lenya/trunk/build.sh?view=markup&pathrev=400414) and change line 43 from:
"$ANT_HOME/bin/ant" -logger org.apache.tools.ant.NoBannerLogger -emacs $@
to:
sourceanalyzer -b Lenya "$ANT_HOME/bin/ant" -logger org.apache.tools.ant.NoBannerLogger -emacs $@
See the Fortify SCA User Guide for the three types of ant integration:
Override the build.compiler property:
ant -lib sourceanalyzer.jar {Fortify ant options} {ant options}
Shortcut to the above:
sourceanalyzer -b {Fortify options} ant {ant options}
Or, if you make a custom build.xml as shown in the appendix:
ant -lib sourceanalyzer.jar {ant options}
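The following script is an added example, not code from the StackOverflow thread or from the Apache Lenya project. It strings together the pieces the answers above give separately: the direct Java translation command from user233276, the ant-wrapper shortcut from Douglas Held, and the scan step from the question, with one build id shared by every phase, which is the invariant behind the "build id ... not found" error. The build id is a placeholder; LENYA_ANT_HOME defaulting to the bundled tools/ directory is an assumption about the release layout taken from the question; and -show-files, which lists what the translation phase stored under a build id, is from the SCA command-line reference and should be checked against the user guide for your release.

```shell
#!/bin/sh
# Added example, not code from the StackOverflow thread or from Apache Lenya.
# Drives Fortify SCA through its phases for a Java tree such as Lenya:
# translate (directly, per user233276, or through the ant wrapper, per
# Douglas Held), verify, then scan. Run it from the base lenya directory.
# The build id is a placeholder; LENYA_ANT_HOME defaults to the bundled
# tools/ directory mentioned in the question (an assumption about the layout).

BUILD_ID="${BUILD_ID:-lenya}"
FPR_OUT="${FPR_OUT:-$BUILD_ID.fpr}"
SCA_MEMORY="${SCA_MEMORY:--Xmx1200M}"
LENYA_ANT_HOME="${LENYA_ANT_HOME:-tools}"
# DRY_RUN=1 prints each sourceanalyzer command line instead of executing it,
# which also lets the script be checked on a machine without Fortify.
DRY_RUN="${DRY_RUN:-0}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Phase 1a: translate Java sources directly. No touchless wrapper (that is
# the C/C++ integration); -cp gathers every jar in the tree as the classpath.
fortify_translate_direct() {
    run sourceanalyzer -b "$BUILD_ID" "$SCA_MEMORY" -source 1.5 \
        -cp "**/*.jar" "**/*"
}

# Phase 1b: the alternative from Douglas Held's answer, wrapping the ant
# invocation from build.sh so SCA overrides build.compiler for that ant run
# (the "shortcut" form). Extra arguments pass through to ant, as build.sh
# does with its $@.
fortify_translate_via_ant() {
    run sourceanalyzer -b "$BUILD_ID" "$LENYA_ANT_HOME/bin/ant" \
        -logger org.apache.tools.ant.NoBannerLogger -emacs "$@"
}

# Phase 2: confirm the translation stored files under this build id.
# A scan against an id that nothing was translated into fails with
# "build id ... not found", so check here before paying for the scan.
fortify_show_files() {
    run sourceanalyzer -b "$BUILD_ID" -show-files
}

# Phase 3: analyse and write the FPR.
fortify_scan() {
    run sourceanalyzer -b "$BUILD_ID" "$SCA_MEMORY" -scan -f "$FPR_OUT"
}

# Whole pipeline; the same $BUILD_ID string is used in every phase.
fortify_pipeline() {
    fortify_translate_direct && fortify_show_files && fortify_scan
}
```

Running `DRY_RUN=1 sh fortify-lenya.sh` after appending a call to `fortify_pipeline` prints the three command lines so the build id, memory flag and output path can be checked before a real run; swap `fortify_translate_direct` for `fortify_translate_via_ant` in `fortify_pipeline` to use the build.sh-style integration instead.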