HP Fortify Static Code Analyzer
Software Version: 4.40

User Guide

Document Release Date: November 2015
Software Release Date: November 2015

Legal Notices

Warranty

The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

The information contained herein is subject to change without notice.

Restricted Rights Legend

Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.

The software is restricted to use solely for the purpose of scanning software for security vulnerabilities that is (i) owned by you; (ii) for which you have a valid license to use; or (iii) with the explicit consent of the owner of the software to be scanned, and may not be used for any other purpose.

You shall not install or use the software on any third party or shared (hosted) server without explicit consent from the third party.

Copyright Notice

© Copyright 2003-2015 Hewlett Packard Enterprise Development LP

Documentation Updates

The title page of this document contains the following identifying information:

• Software Version number
• Document Release Date, which changes each time the document is updated
• Software Release Date, which indicates the release date of this version of the software

To check for recent updates or to verify that you are using the most recent edition of a document, go to:

https://protect724.hp.com/welcome

You will receive updated or new editions if you subscribe to the appropriate product support service. Contact your HP sales representative for details.
HP Fortify Static Code Analyzer (4.40) Page 2 of 136 User Guide

Contents

Preface 9
Contacting HP Fortify Support 9
For More Information 9
About the HP Fortify Software Security Center Documentation Set 9
Change Log 10

Chapter 1: Introduction 11
About the HP Fortify Software Security Center Components 11
About HP Fortify Static Code Analyzer 11
About Analyzers 12
About HP Fortify CloudScan 13
About the HP Fortify Scan Wizard 14
Related Documents 14

Chapter 2: Analysis Process Overview 15
About the Analysis Process 15
About the Translation Phase 16
About SCA Mobile Build Sessions 16
Creating a Mobile Build Session 17
Importing a Mobile Build Session 17
About the Analysis Phase 17
About Memory Considerations 18
About Parallel Analysis 18
About Verification of the Translation and Analysis Phase 18

Chapter 3: Translating Java Code 20
Java Command-Line Syntax 20
Java/J2EE Options 21
Java Command-Line Examples 22
Integrating with Ant using the SCA Compiler Adapter 22
Handling Resolution Warnings 23
Java Warnings 23
Using FindBugs 23
Translating J2EE Applications 24
Prerequisite for Translating Code Using Legacy Versions of the J2EE SDK 25
Translating the Java Files 25
Translating JSP Projects, Configuration Files, and Deployment Descriptors 26
J2EE Warnings 26
Translating Java Bytecode 26

Chapter 4: Translating .NET Code 28
About Translating .NET Code 28
.NET Command-Line Syntax 28
.NET Command-Line Options 29
Translating Simple .NET Applications 29
Translating ASP.NET 1.1 (Visual Studio Version 2003) Projects 30
Handling Resolution Warnings 31
About .NET Warnings 31
About ASP.NET Warnings 32

Chapter 5: Translating C and C++ Code 33
C and C++ Command-Line Syntax 33
Build Integration 34
Modifying a Build Script to Invoke SCA 35
Touchless Build Integration 35
Scanning Pre-processed C and C++ Code 36

Chapter 6: Translating ABAP Code 37
About Translating ABAP Code 37
About Scanning ABAP Code 37
About INCLUDE Processing 38
Importing the HP Fortify ABAP Extractor Transport Request 38
Adding SCA to Your Favorites List 39
Running the HP Fortify ABAP Extractor 40

Chapter 7: Translating Ruby Code 43
Ruby Command-Line Syntax 43
Ruby Options 43
Adding Libraries 44
Adding Multiple Library Paths 44
Adding Gem Paths 44

Chapter 8: Translating Flex and ActionScript 45
ActionScript Command-Line Syntax 45
Flex and ActionScript Command-Line Options 45
ActionScript Command-Line Examples 46
About Handling Resolution Warnings 47
About ActionScript Warnings 47

Chapter 9: Translating Code for Mobile Platforms 48
About Translating Objective-C++ Code 48
Prerequisites 48
Objective-C++ Command-Line Syntax 48
Xcode Compiler Errors 49
About Translating Google Android Code 49

Chapter 9: Translating COBOL Code 50
Preparing COBOL Source Files for Translation 50
COBOL Command-Line Syntax 51
About Auditing COBOL Scans 52

Chapter 10: Translating Other Languages 53
About Translating Python Code 53
Python Command-Line Options 54
About Translating ColdFusion Code 54
ColdFusion Command-Line Syntax 54
ColdFusion Options 55
About Translating SQL 55
PL/SQL Command-Line Example 55
T-SQL Command-Line Example 56
About Translating ASP/VBScript Virtual Roots 56
Classic ASP Command-Line Example 58
JavaScript Command-Line Example 58
VBScript Command-Line Example 58
PHP Command-Line Example 58

Chapter 11: Command-Line Utilities 59
About SCA Utilities 59
Other Command-Line Utilities 60
Precompiling MS Visual Studio 2003 ASP.NET Pages 60
Checking the SCA Scan Status 61
SCAState Utility Options 61
About Working with FPR Files 63
Merging FPR Files 63
Displaying Analysis Results for an FPR File 64
Migrating Audit Data from Previous FPR Versions 66
Extracting a Source Archive from an FPR File 67
About Generating Reports 68
Generating a BIRT Report 68
Generating a Legacy Report 70
About Updating Security Content 71
Updating Security Content 71

Chapter 12: Troubleshooting and Support 73
Using the Log File to Debug Problems 73
About the Translation Failed Message 73
About JSP Translation Problems 74
About C/C++ Precompiled Header Files 74
Reporting Bugs and Requesting Enhancements 75

Appendix A: Command-Line Interface 76
Output Options 76
Translation Options 77
Analysis Options 78
Directives 79
Other Options 80
Specifying Files 81

Appendix B: Parallel Analysis Mode 82
About Parallel Analysis Mode 82
Hardware Requirements 82
Configuring Parallel Analysis Mode 82
Running in Parallel Analysis Mode 83

Appendix C: Using the Sourceanalyzer Ant Task 84
About the Sourceanalyzer Ant Task 84
Using the Sourceanalyzer Ant Task 84
Ant Properties 86
Sourceanalyzer Task Options 86

Appendix D: Filtering the Analysis 90
About Filter Files 90
Filter File Example 90

Appendix E: MSBuild Integration 93
Setup for MSBuild Integration 93
Setting Windows Environment Variables for Touchless Integration of SCA 93
Adding Custom Tasks to your MSBuild Project 94
Adding Fortify.Translate Task 96
Adding Fortify.Scan Task 96
Adding Fortify.Clean Task 97
Adding Fortify.SSC Task 97
Adding Fortify.CloudScan Task 98

Appendix F: Maven Integration 99
About the Maven Plugin 99
Installing the Maven Plugin 100
Testing the Maven Plugin 100
Updating the Maven Plugin 101
Using the Maven Plugin 101
Excluding Files from the Scan 103
Uninstalling the Maven Plugin 103
Additional Documentation 103

Appendix G: HP Fortify Scan Wizard 104
About HP Fortify Scan Wizard 104
Starting the HP Fortify Scan Wizard 105
Starting Scan Wizard on a System with SCA and Applications Installed 105
Starting HP Fortify Scan Wizard as a Stand-Alone Utility 106

Appendix H: Sample Files 107
About the Sample Files 107
Basic Samples 107
Advanced Samples 109

Appendix I: Issue Tuning 111
Wrapper Detection 111
Interprocedural Constant Propagation 112
Selective Map Operation Tracking 112

Appendix J: Configuration Options 113
About HP Fortify Static Code Analyzer Properties Files 113
Properties File Format 113
Precedence of Setting Properties 114
fortify-sca.properties 115
fortify-sca-quickscan.properties 132

Send Documentation Feedback 136

Preface

Contacting HP Fortify Support

If you have questions or comments about using this product, contact HP Fortify Technical Support using one of the following options.

To Manage Your Support Cases, Acquire Licenses, and Manage Your Account
https://support.fortify.com

To Email Support
[email protected]

To Call Support
650.735.2215

For More Information

For more information on HP Enterprise Security Software products:
http://www.hpenterprisesecurity.com

About the HP Fortify Software Security Center Documentation Set

The HP Fortify Software Security Center documentation set contains installation, user, and deployment guides for all HP Fortify Software Security Center products and components. In addition, you will find technical notes and release notes that describe new features, known issues, and last-minute updates. You can access the latest versions of these documents from the following HP ESP user community Protect724 website:

https://protect724.hp.com/welcome

You will need to register for an account.

Change Log

The following table lists changes made to this guide.

Software Release-Version   Change

4.40-01
  Added:
  • "Command-Line Utilities" on page 59 (was a separate user guide)
  • "HP Fortify Scan Wizard" on page 104 (was a separate Technical Note)
  • "Generating a BIRT Report" on page 68 command-line utility
  Updated:
  • "Maven Integration" on page 99
  • "Translating Java Bytecode" on page 26
  • "SCAState Utility Options" on page 61
  • "Configuration Options" on page 113
  Removed: "About Command Line Builds in Visual Studio 6.0" (no longer supported)

4.30-01
  Updated:
  • "Configuration Options" on page 113
  • Python information
  • "Translating .NET Code" on page 28 with support for Visual Studio 2015
  • iOS scanning information in "Translating Code for Mobile Platforms" on page 48
  Added: Section on Java Bytecode in "Translating Java Code" on page 20

4.21-02
  Removed: Build Monitor (deprecated)

4.21-01
  Added: "Translating Ruby Code" on page 43
  Updated: "Translating ABAP Code" on page 37