HP Fortify Static Code Analyzer
Software Version 4.10
Installation and Configuration Guide
Document Release Date: April 2014
Software Release Date: April 2014
Legal Notices

Warranty
The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
The information contained herein is subject to change without notice.

Restricted Rights Legend
Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.

Copyright Notice
© Copyright 2014 Hewlett-Packard Development Company, L.P.

Documentation Updates
The title page of this document contains the following identifying information:
• Software Version number
• Document Release Date, which changes each time the document is updated
• Software Release Date, which indicates the release date of this version of the software
To check for recent updates or to verify that you are using the most recent edition of a document, go to:
http://h20230.www2.hp.com/selfsolve/manuals
This site requires that you register for an HP Passport and sign in. To register for an HP Passport ID, go to:
http://h20229.www2.hp.com/passport-registration.html
You will also receive updated or new editions if you subscribe to the appropriate product support service. Contact your HP sales representative for details.
Part Number: 1-181-2014-04-410-01
Contents
Preface  iv
    HP Fortify Software Contact  iv
        Technical Support  iv
        Corporate Headquarters  iv
        Website  iv
    About the HP Fortify Software Security Center Documentation Set  iv
Change Log  v
Chapter 1: Introduction  6
    Intended Audience  6
    The HP Fortify Software Security Center Components  6
    Related Documents  7
Chapter 2: Installation  8
    About Downloading the Software  8
    About Installing the HP Fortify Static Code Analyzer Suite  8
        Launching the Installation  8
        Migrating from a Previous SCA Installation  8
        Updating SCA Rulepacks  9
        Installing the HP Fortify Plugin for Eclipse  9
    About the Post-Installation Tasks  9
        Running the Post-Install Tool  9
        Migrating Properties Files  10
        Specifying a Locale  10
        Specifying a Proxy Server for Rulepack Updates  10
        Updating the Rulepack  11
    Registering the ASPNET User  11
    Uninstalling HP Fortify Static Code Analyzer  11
        Uninstalling on Windows Platforms  11
        Uninstalling on Other Platforms  11
Chapter 3: Configuration Options  12
    About Software Security Center Properties Files  12
    About the Ordering of Properties Files  13
    fortify.properties Configuration Options  14
    fortify-sca.properties Configuration Options  16
    fortify-sca-quickscan.properties Configuration Options  17
    fortify-ide.properties Configuration Options  22
Preface
This guide describes how to install the HP Fortify Static Code Analyzer family of analyzers and applications.

HP Fortify Software Contact
If you have questions or comments about any part of this guide, contact HP Fortify Software at:

Technical Support
[email protected]

Corporate Headquarters
Moffett Towers
1140 Enterprise Way
Sunnyvale, CA 94089
650.358.5600

Website
http://www.hpenterprisesecurity.com

About the HP Fortify Software Security Center Documentation Set
The HP Fortify Software Security Center documentation set contains installation, user, and deployment guides for all HP Fortify Software Security Center products and components. It also includes technical notes and release notes that describe new features, known issues, and last-minute updates. The latest versions of these documents are available on the HP Software Product Manuals site:
http://h20230.www2.hp.com/selfsolve/manuals
Change Log
The following table tracks changes made to this guide.

Software Release-version   Date        Change
3.90-01                    4/9/2013    Change Log and Introduction added.
4.10-01                    3/23/2014   Updated release information.
Chapter 1: Introduction
This document contains installation and configuration instructions for HP Fortify Static Code Analyzer.

Intended Audience
This installation guide is intended for individuals who are responsible for installing or uninstalling the HP Fortify Static Code Analyzer suite of analyzers and application components. This guide also details basic post-installation tasks and configuration options.
Refer to the HP Fortify Software Security Center System Requirements document to ensure that your system meets the minimum requirements for each software component installation.
Note: This document does not cover the installation process for HP Fortify Software Security Center (Software Security Center). HP Fortify Software Security Center requires a separate installation procedure, which can be found in the HP Fortify Software Security Center Installation and Configuration Guide. Download this document from the HP Software Product Manuals site: http://support.openview.hp.com/selfsolve/manuals.

The HP Fortify Software Security Center Components
An HP Fortify Software Security Center installation consists of one or more of the following analyzers:
• HP Fortify Static Code Analyzer: Analyzes your build code according to a set of rules specifically tailored to provide the information necessary for the type of analysis performed.
• HP Fortify Runtime Application Protection: Monitors and protects deployed applications from common attacks, unintended use, and targeted hacking. In addition, best security practices, such as input verification and proper exception handling, can be consistently applied to deployed applications.
• HP Fortify SecurityScope: Identifies vulnerabilities in pre-deployment applications during the QA phase, preventing exposure to security flaws before they are exploited.
An HP Fortify Software Security Center installation may also include one or more of the following application tools:
• HP Fortify Audit Workbench: provides a graphical user interface for HP Fortify Static Code Analyzer that helps you organize, investigate, and prioritize analysis results so that security flaws can be fixed quickly.
• HP Fortify Plugin for Eclipse: integrates with the Eclipse development environment and adds the ability to scan and analyze the entire codebase of a project and apply hundreds of software security rules that identify the vulnerabilities in your Java code. The results are displayed within the IDE, along with descriptions of each of the security issues and suggestions for their elimination.
• HP Fortify Eclipse Remediation Plug-in: integrates with the Eclipse development environment. The Eclipse Remediation Plug-in is a lightweight plug-in option for developers who need remediation functionality but do not need the scanning and auditing capabilities of Audit Workbench or the full Eclipse Plugin.
• HP Fortify Package for Microsoft Visual Studio©: integrates with Visual Studio Premium and Visual Studio Professional to locate security vulnerabilities in your solutions and packages and displays the scan results in Visual Studio. The results include a list of issues uncovered, descriptions of the type of vulnerability each issue represents, and suggestions on how to fix them.
• HP Fortify Remediation Package for Visual Studio: integrates with Microsoft Visual Studio Premium and Visual Studio Professional integrated development environments (IDEs). The HP Fortify Remediation Package for Visual Studio is a lightweight plug-in option for developers who need remediation functionality but do not need the scanning and auditing capabilities of Audit Workbench or the full Visual Studio package.
• HP Fortify Extension for JDeveloper: integrates with the JDeveloper integrated development environment (IDE) and adds the ability to scan and analyze the entire codebase of a project and apply hundreds of software security rules that identify the vulnerabilities in your code.
• HP Fortify Remediation Plugin for IntelliJ: integrates with the IntelliJ Integrated Development Environment (IDE) and adds the ability to scan and analyze the entire codebase of a project and apply hundreds of software security rules that identify the vulnerabilities in your code.

Related Documents
The following documents provide additional information about HP Fortify Static Code Analyzer:
• HP Fortify Static Code Analyzer User Guide
  This document provides instructions on using the analyzers to identify vulnerabilities in your code.
• HP Fortify Static Code Analyzer Utilities User Guide
  This document provides information on the command-line tools that provide additional management and access to the functions provided by SCA.
Chapter 2: Installation
This chapter covers the following topics:
• About Downloading the Software
• About Installing the HP Fortify Static Code Analyzer Suite
• About the Post-Installation Tasks
• Registering the ASPNET User
• Uninstalling HP Fortify Static Code Analyzer

About Downloading the Software
HP Fortify Software is available as a downloadable ISO file, which can be mounted or burned to a DVD, or as a downloadable application or package. For details on obtaining a license for your software, go to the HP Fortify Software Security Center System Requirements document and refer to the "HP Fortify Software Licenses" section. For details on obtaining HP Fortify software, go to the HP Fortify Software Security Center System Requirements document and refer to the "Acquiring HP Fortify Software" section.

About Installing the HP Fortify Static Code Analyzer Suite
This section describes how to install the SCA suite of analyzers and applications. You will need a Fortify License file to complete the process.

Launching the Installation
To install the SCA suite:
1. Navigate to the directory containing the installer files. If you downloaded the ISO, the installer file is located in the directory for your operating system.
   Note: For more information on acquiring the software and license for your operating system, see the HP Fortify Software Security Center System Requirements document.
2. Run the installer file that corresponds to your operating system and system processor.
3. Follow the prompts to install the software.

Migrating from a Previous SCA Installation
The Windows installation of SCA enables you to migrate from a previous installation of SCA on your system. Migrating from a previous SCA installation preserves SCA artifact files.
You can migrate SCA artifacts from a previous installation through the InstallShield wizard, or by using the scapostinstall post-install tool. For information on using the post-install tool to migrate from a previous SCA install, see "Migrating Properties Files."
To migrate from a previous SCA installation through the InstallShield Wizard:
1. Go to the Setup Type dialog box and click Yes. Click CCC. The Migration dialog box appears.
2. Specify the location of your previous SCA installation on your system. Click OK.
3. View the results of the SCA migration in the SCA Post Installation Configuration Results dialog box. This dialog box displays the SCA artifacts that were migrated, and the location of the files. Click Next to proceed to the Rulepack update.
Updating SCA Rulepacks
The Windows installation offers the option to update the HP Fortify Secure Coding Rulepacks for your system. The Software Security Research group releases quarterly updates to Secure Coding Rulepacks, which drive the SCA analyzers. They are distributed as part of the subscription service through updates on the HP Fortify customer download site, automated tool updates, and software releases.
You can update SCA Rulepacks through the InstallShield wizard, or by using the rulepackupdate tool.
To update the SCA Rulepacks for your installation through the InstallShield Wizard:
1. Specify the URL address of the Rulepack server. To use HP Fortify's server for Rulepack updates, specify the URL as: https://update.fortify.com.
2. Specify the proxy of the Rulepack server. (This step is optional.)
3. Click Next. The Setup Type dialog box asks if you would like to download Rulepacks now. Select Yes, and then click Next.
4. View the results of the Rulepack update in the Rulepack Updater dialog box.

Installing the HP Fortify Plugin for Eclipse
To install the HP Fortify Plugin for Eclipse:
1. Install the SCA suite on your system, as described in the previous sections.
   Note: For Windows platforms, ensure that the Eclipse option was selected during installation.
2. Open Eclipse.
3. Select Help - Software Updates - Manage Configuration.
4. Click Add an Extension Location.
5. Select <install_directory>/plugins/eclipse.
6. Click OK.
The Secure Coding Rulepacks Plug-in menu appears.

About the Post-Installation Tasks
Post-installation tasks prepare you to start using the SCA analyzers and applications. These tasks include:
• Running the Post-Install Tool
• Migrating Properties Files
• Specifying a Locale
• Specifying a Proxy Server for Rulepack Updates
• Updating the Rulepack
If you are using the Microsoft .NET Framework, you might need to register the ASPNET user, described in the section Registering the ASPNET User.

Running the Post-Install Tool
SCA installs the post-install tool, scapostinstall, onto your system during the SCA installation. The scapostinstall tool allows you to perform two tasks: migrate properties files from a previous version of SCA, and configure SCA Rulepack update settings on your system.
To run the post-install tool:
1. Navigate to the bin directory from the command line.
2. Enter scapostinstall to start the tool.
3. Enter s to display settings, r to return to a previous prompt, and q to exit the tool.

Migrating Properties Files
To migrate properties files from a previous version of SCA to the current version of SCA installed on your system:
1. Navigate to the bin directory from the command line.
2. Enter scapostinstall to start the tool.
3. Enter 1 to select Migration.
4. Enter 1 to select SCA Migration.
5. Enter the previous install directory.
6. Enter 1 to select Migrate from an existing SCA installation.
7. Enter s to confirm the settings.
8. Enter 2 to perform the migration.
9. Enter y to confirm.

Specifying a Locale
By default, the locale of an SCA installation is English.
To specify a different locale:
1. Navigate to the bin directory from the command line.
2. Enter scapostinstall to start the tool.
3. Enter 2 to select Settings.
4. Enter 1 to select General.
5. Enter 1 to select Locale.
6. Enter the locale code:
   • English: en
   • Japanese: ja
   • Korean: ko
   • Chinese, Simplified: zh_CN
   • Chinese, Traditional: zh_TW

Specifying a Proxy Server for Rulepack Updates
If your network uses a proxy server to reach the Rulepack update server, you must specify the proxy server with the post-install tool.
To specify a proxy for the Rulepack update server:
1. Navigate to the bin directory from the command line.
2. Enter scapostinstall to start the tool.
3. Enter 2 to select Settings.
4. Enter 2 to select Rulepack Update.
5. Enter 2 to select Proxy Server Host.
6. Enter the name of the proxy server.
7. Enter 3 to select Proxy Server Port.
8. Enter the proxy server's port number.

Updating the Rulepacks
The runtime rulepacks are updated automatically during the Windows installation procedure. However, you can also download HP Fortify Secure Coding Rulepacks from the HP Fortify Customer Portal and then use the Rulepack Update tool to update your Secure Coding Rulepacks. This option is provided for installations on non-Windows platforms and for deployment environments that do not have access to the Internet during the installation procedure.
Use the Rulepack Update tool, rulepackupdate, to update Rulepacks from either a remote server or a locally downloaded file.
See About Downloading the Software on page 8 for information about downloading Rulepacks.
To update Rulepacks:
1. Navigate to the bin directory from the command line.
2. Enter rulepackupdate to start the Rulepack Update tool.
The system will respond with either an error message or a list of the Rulepacks that it has downloaded.
If you have previously downloaded Rulepacks from the HP Fortify Customer Portal, run rulepackupdate with the -import option and the path to the directory where you downloaded the Rulepacks.

Registering the ASPNET User
If you are using the Microsoft .NET Framework, you might need to register the ASPNET user. If the Microsoft Internet Information Server (IIS) is installed first, the ASPNET user is created when .NET Framework is installed; otherwise, you must register it.
To register the ASPNET user, run the command:
aspnet_regiis -i
Find the command under the .NET Framework installation directory. For example, it is often located at:
C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322
or
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727

Uninstalling HP Fortify Static Code Analyzer
This section describes how to uninstall the SCA software.

Uninstalling on Windows Platforms
To uninstall SCA suite software on Windows, use the Windows Add or Remove Programs utility on the Control Panel:
1. Select Start - Settings - Control Panel - Add or Remove Programs.
2. In the list of programs, choose HP Fortify vX.XX, and then click Remove.
Uninstalling on Other Platforms
To uninstall SCA software on Mac OS X, Linux, and Unix platforms:
1. Back up your configuration, including any important files you have created.
2. Manually delete the installation directory using the following command:
rm -rf <install_directory>/
Chapter 3: Configuration Options
This chapter covers the following topics:
• About Software Security Center Properties Files
• About the Ordering of Properties Files
• fortify.properties Configuration Options
• fortify-sca.properties Configuration Options
• fortify-sca-quickscan.properties Configuration Options
• fortify-ide.properties Configuration Options

About Software Security Center Properties Files
The Software Security Center installer places a set of properties files on your system during installation. Properties files contain a list of configurable runtime analysis, output, and performance parameters for Software Security Center components. Some properties files configure behavior and set parameter values globally for all Software Security Center components. Other properties files are specific to one component, setting parameters for a specific analyzer or scan mode, for example. The parameters contained within the properties files affect analysis, output, and performance of the component.
The installed properties files contain Software Security Center default values. HP Fortify recommends consulting with your project leads before opening and modifying parameters within the properties files. All properties files can be edited using a text editor.
Upon opening and inspecting the properties files, you will see that each parameter consists of a pair of strings: the first string stores the key or name of the parameter; the second string stores the value.
The following illustrates the syntax for the parameter key and value within the properties file:

    #this is a brief description about the locale parameter
    com.fortify.locale=en

As shown above, the com.fortify.locale=en parameter sets the locale for Software Security Center components. The parameter key is com.fortify.locale, and the value is set to en for English. A brief description of the parameter also appears as a comment.
Disabled parameters are commented out of the properties file. To enable these parameters, simply remove the comment symbol (#) and save the properties file. The following illustrates a disabled parameter:

    #when performing a scan of a website from Visual Studio, setting this property to true will cause SCA
    #to translate the default ASP output instead of running the aspnet_compiler (it is recommended to manually
    #clean this cache before use of this setting)
    #com.fortify.VS.SkipASPPrecompilation=true

As shown above, the com.fortify.VS.SkipASPPrecompilation parameter is disabled within the properties file, and is not part of the configuration.
The following table describes the role of each Software Security Center properties file:

Table 1: Properties Files
Name of .properties File / Role

fortify.properties
    Defines the global configuration parameters for Software Security Center components. These parameters set values for all components.
fortify-ide.properties
    Defines the configuration parameters for Software Security Center Integrated Development Environment (IDE) plug-ins.
fortify-sca.properties (for Windows installations), fortify-sca.properties (for non-Windows installations)
    Defines the configuration parameters for SCA.
fortify-sca-quickscan.properties
    Defines the configuration parameters applicable for a quick scan for SCA.

About the Ordering of Properties Files
Software Security Center processes properties in a specific order, using this order to override any previously set properties with the values that you specify. You should keep this processing order in mind when making changes to the properties files.
Property definitions are processed in the following order:
1. Properties specified on the command line have the highest priority and can be specified during any scan.
2. Properties specified in the fortify-sca-quickscan.properties file are processed second, but only when the -quick option is used to operate in Quick Scan mode. If Quick Scan is not invoked, this file is ignored.
3. Properties specified in the local fortify.properties file are processed third. Change values in this file on a scan-by-scan basis to fine-tune your installation.
4. Properties specified in the global fortify-sca.properties file are processed last. You should edit this file if you want to change the property values on a more permanent basis for all scans.
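The two points made above, that a parameter is a key=value pair which is disabled when its line is commented out, and that the four property sources are consulted in a fixed order, can be checked mechanically before a scan. The following Python example is added here and is not code from the guide or from HP Fortify: it parses properties text the way the guide describes it (a leading # turns a key=value line into a disabled parameter), then resolves the effective value of a key in the documented order, consulting fortify-sca-quickscan.properties only when Quick Scan is in effect. The file contents are constructed samples, not the shipped defaults, and the -Dkey=value form for command-line overrides is an assumption of the example.

```python
import re

# Matches "key=value" and "#key=value" (a disabled parameter).  A descriptive
# comment such as "#this is a brief description about the locale parameter"
# has no "=" directly after its first word, so it does not match.
_PROP_RE = re.compile(r"^\s*(#\s*)?([A-Za-z0-9_.\-]+)\s*=\s*(.*?)\s*$")


def parse_properties(text):
    """Return (enabled, disabled): key->value maps for active lines and for
    lines that are commented out with '#'."""
    enabled, disabled = {}, {}
    for line in text.splitlines():
        m = _PROP_RE.match(line)
        if m:
            target = disabled if m.group(1) else enabled
            target[m.group(2)] = m.group(3)
    return enabled, disabled


def parse_cmdline(args):
    """Collect command-line overrides given as -Dkey=value tokens.  The -D
    form is an assumption of this example, not something the guide states."""
    overrides = {}
    for arg in args:
        if arg.startswith("-D") and "=" in arg:
            key, value = arg[2:].split("=", 1)
            overrides[key] = value
    return overrides


def resolve(key, cmdline, quickscan, local, sca_global, quick=False):
    """Return (value, source) for key, consulting the layers in the guide's
    order: command line, quickscan file (only with -quick), local
    fortify.properties, global fortify-sca.properties."""
    layers = [("command line", cmdline)]
    if quick:
        layers.append(("fortify-sca-quickscan.properties", quickscan))
    layers.append(("fortify.properties", local))
    layers.append(("fortify-sca.properties", sca_global))
    for name, props in layers:
        if key in props:
            return props[key], name
    return None, None


# Constructed sample file contents (not the shipped defaults).
SAMPLE_SCA_GLOBAL = """\
# constructed sample of fortify-sca.properties
com.fortify.sca.SuppressLowSeverity=true
com.fortify.sca.LowSeverityCutoff=1.0
com.fortify.sca.DefaultJarsDirs=default_jars
#com.fortify.sca.DefaultAnalyzers=dataflow,semantic
"""

SAMPLE_LOCAL = """\
# constructed sample of fortify.properties
com.fortify.locale=en
com.fortify.sca.LowSeverityCutoff=2.0
"""

SAMPLE_QUICKSCAN = """\
# constructed sample of fortify-sca-quickscan.properties
com.fortify.sca.DefaultAnalyzers=semantic
com.fortify.sca.LowSeverityCutoff=3.0
"""


def effective_value(key, args=(), quick=False):
    """Resolve key against the constructed sample files plus any -D overrides."""
    quickscan, _ = parse_properties(SAMPLE_QUICKSCAN)
    local, _ = parse_properties(SAMPLE_LOCAL)
    sca_global, _ = parse_properties(SAMPLE_SCA_GLOBAL)
    return resolve(key, parse_cmdline(args), quickscan, local, sca_global, quick)


def disabled_parameters(text):
    """Keys that are present but commented out, i.e. not part of the configuration."""
    return sorted(parse_properties(text)[1])


if __name__ == "__main__":
    for key in ("com.fortify.sca.LowSeverityCutoff", "com.fortify.sca.DefaultAnalyzers"):
        print(key, effective_value(key), effective_value(key, quick=True))
    print("disabled in fortify-sca.properties:", disabled_parameters(SAMPLE_SCA_GLOBAL))
```

Running the block shows the practical consequence of the ordering: the cutoff of 1.0 in fortify-sca.properties is shadowed by the 2.0 in fortify.properties, which in turn is shadowed by the quickscan file only when Quick Scan is in effect, and a commented-out DefaultAnalyzers line contributes nothing at all, so a reviewer auditing a scan configuration must look at every layer, not only the global file.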
fortify.properties Configuration Options
The fortify.properties file defines global parameters for all Software Security Center components. The fortify.properties file installed on your system contains parameters set to Software Security Center default values. You can modify these parameter values by editing the file.
The fortify.properties file is located in either your Windows user directory or your Unix home directory.
The following table summarizes the parameters found in the fortify.properties file:

Table 2: HP fortify.properties Global Properties
Property Name / Default Value
    Description

com.fortify.Debug / false
    Places Software Security Center components in debug mode.
com.fortify.awb.Debug / false
    Places HP Fortify Audit Workbench in debug mode.
com.fortify.eclipse.Debug / false
    Places the HP Fortify Plugin for Eclipse in debug mode.
com.fortify.VS.Debug / false
    Places the HP Fortify Package for Microsoft Visual Studio© in debug mode.
com.fortify.SCAExecutablePath / (none)
    Specifies the path to the working directory of any installed client tools, such as Audit Workbench and Secure Coding Plug-ins.
com.fortify.WorkingDirectory / (none)
    Specifies the path to the Windows Local Application Data shell folder on your system. This is typically C:\Documents and Settings\<user>\Local Settings\Application Data. For example: com.fortify.WorkingDirectory=${win32.LocalAppdata}/Fortify
com.fortify.InstallationUserName / ${user.name}
    Specifies the user name for this installation.
com.fortify.locale / en
    Specifies the installation locale.
com.fortify.VS.RequireASPPrecompilation / true
    Set this parameter to false to allow the scan to continue even if the ASP Pre-Compilation fails when performing a scan of a website from Visual Studio in headless mode.
com.fortify.VS.SkipASPPrecompilation / false
    Set this parameter to true to allow SCA to translate the default ASP output instead of running the aspnet_compiler when performing a scan of a website from HP Fortify Visual Studio Package. HP Fortify recommends manually cleaning this cache before enabling this setting.
com.fortify.DisableProgramInfo / false
    Set this parameter to true to disable the use of the Code Navigation features in Audit Workbench and improve runtime memory usage.
com.fortify.VS.DisableCIntegration / false
    Set this parameter to true to disable integration with C/C++ builds in HP Fortify Visual Studio Package.
com.fortify.AuthenticationKey / ${com.fortify.WorkingDirectory}/config/tools
    Stores the Software Security Center client authentication token.
com.fortify.model.CheckSig / false
    Specifies the path used to store the Software Security Center client authentication token.
com.fortify.model.MinimalLoad / false
    Minimizes the data loaded from an FPR. Set this property to true to load only basic issue information.
com.fortify.model.UseIssueParseFilters / false
    Defers to the filter settings in the IssueParseFilters.properties file.
com.fortify.model.EnableElementBaseIndexShift / (none)
    Set this value to true if you require backwards compatibility with pre-2.5 migrated projects.
com.fortify.visualstudio.vm.args / (none)
    Specifies the default virtual machine arguments to use when the Visual Studio plug-in runs Java commands.
enable.clean.transaction.resource / (none)
    Set this property to true to prevent a quartz/spring bug in which, when a cron trigger fires, some thread-local resource is not released, resulting in a "Pre-bound JDBC Connection found!" error. Set this property to true when this problem occurs.
com.fortify.tools.iidmigrator.scheme / (none)
    Set this property to migrate IIDs created with different versions of SCA. This is generally handled by SCA. If you need to override the mapping scheme, please consult HP Fortify customer support.
max.file.path.length / 255
    Set the maximum number of characters for your file path.
com.fortify.model.MergeResolveStrategy / DefaultToMasterValue
    Define which .FPR project (default or imported) should be used as the base when resolving merge conflicts. Possible values are: 'DefaultToMasterValue', 'DefaultToImportValue', or 'DefaultToMasterValue'.
com.fortify.RemovedIssuePersistenceLimit / 1000
    Set the RemovedIssuePersistenceLimit. By default, the value is 1000, but it can be increased appreciably.
com.fortify.model.ExecMemorySetting / 1200M
    Set the amount of memory allocated for processes required by HP Fortify Audit Workbench (i.e., iidmigrator, events2fpr, etc.).
com.fortify.model.IssueCutoffStartIndex / (none)
    Set the number of issues loaded. Select the first issue (by number) to be loaded.
com.fortify.model.IssueCutoffEndIndex / (none)
    Used with com.fortify.model.IssueCutoffStartIndex, this parameter allows you to select the last issue to be loaded (by number).
com.fortify.model.IssueCutoffByCategoryStartIndex /
    Set this property to a value that represents the minimum number of issues a category should contain. Categories that contain fewer issues than set here are not displayed. Use in conjunction with to select a range of values.
com.fortify.model.IssueCutoffByCategoryEndIndex /
    Set this property to a value that represents the maximum number of issues a category should contain. Categories that contain more issues than set here are not displayed. Use in conjunction with to select a range of values. For example:
        com.fortify.model.IssueCutoffByCategoryStartIndex=10
        com.fortify.model.IssueCutoffByCategoryEndIndex=20
    The example above loads categories which have between 10 and 19 issues in them.
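The IssueCutoffByCategory example in the table has a boundary worth checking: a start of 10 and an end of 20 loads categories with 10 to 19 issues, so the start index is inclusive and the end index is exclusive. The following Python example is added here and is not code from the guide or from HP Fortify; it applies that rule to a constructed list of issue categories, reading the two cutoff keys from a constructed settings map that uses the guide's own values, and also shows which individual issues survive the category cutoff. The issue data and category names are invented for the example.

```python
from collections import Counter

# Constructed sample: the category of each issue in a result set, as a flat list.
SAMPLE_ISSUE_CATEGORIES = (
    ["SQL Injection"] * 12
    + ["Cross-Site Scripting"] * 20
    + ["Path Manipulation"] * 9
    + ["Null Dereference"] * 19
    + ["Hardcoded Password"] * 10
)

# Constructed settings using the example values given in the guide's table.
SAMPLE_SETTINGS = {
    "com.fortify.model.IssueCutoffByCategoryStartIndex": "10",
    "com.fortify.model.IssueCutoffByCategoryEndIndex": "20",
}


def category_range(settings):
    """Read the start/end cutoffs; a missing key means no bound on that side."""
    start = settings.get("com.fortify.model.IssueCutoffByCategoryStartIndex")
    end = settings.get("com.fortify.model.IssueCutoffByCategoryEndIndex")
    return (int(start) if start is not None else None,
            int(end) if end is not None else None)


def categories_loaded(issue_categories, settings):
    """Map category -> issue count for the categories that pass the cutoff.
    Start is inclusive and end is exclusive, matching the guide's statement
    that 10/20 loads categories holding 10 to 19 issues."""
    start, end = category_range(settings)
    counts = Counter(issue_categories)
    kept = {}
    for category, n in counts.items():
        if start is not None and n < start:
            continue          # too few issues in this category
        if end is not None and n >= end:
            continue          # end index is exclusive: 20 issues is already out
        kept[category] = n
    return kept


def issues_loaded(issue_categories, settings):
    """The issues that would actually be loaded: those in a kept category."""
    kept = categories_loaded(issue_categories, settings)
    return [c for c in issue_categories if c in kept]


if __name__ == "__main__":
    print(categories_loaded(SAMPLE_ISSUE_CATEGORIES, SAMPLE_SETTINGS))
    print(len(issues_loaded(SAMPLE_ISSUE_CATEGORIES, SAMPLE_SETTINGS)), "issues loaded")
```

With the sample data, the 20-issue Cross-Site Scripting category is dropped along with the 9-issue Path Manipulation category, which is the behaviour a reviewer should expect before relying on these cutoffs to trim a large FPR: a category sitting exactly on the end index disappears from view.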
fortify-sca.properties Configuration Options
SCA uses the parameter values defined in the fortify-sca.properties file to perform scans on your software projects.
The fortify-sca.properties file installed on your system contains parameters set to default values. You can modify these parameter values specific to SCA operation by editing the file, located at the following location on your system:
<install directory>/Core/config
The following table summarizes the parameters found in the fortify-sca.properties file:
Table 3: SCA properties Global Properties
Parameter / Default Value
    Description

com.fortify.sca.ProjectRoot / Default folder created during installation. This varies by platform.
    Specifies the folder that stores intermediate files generated during a scan.
com.fortify.sca.DefaultAnalyzers / (None)
    Specifies the types of analysis to perform. By default, this parameter is commented out, and all analysis types are utilized during scans. The acceptable values for this parameter are: dataflow, semantic, controlflow, configuration, structural, nullptr, and content.
com.fortify.sca.SuppressLowSeverity / true
    Sets SCA to ignore low severity issues found during a scan.
com.fortify.sca.LowSeverityCutoff / 1.0
    Specifies the cutoff level for severity suppression. Any issues found with a lower severity value than the one specified with this parameter are ignored by SCA.
com.fortify.sca.DefaultJarsDirs / default_jars
    Includes the JAR files that are added to SCA's CLASSPATH before any JARs specified using -cp or -classpath sourceanalyzer command line options. These JARs are located in <Fortify_Home>/Core/default_jars and its subdirectories. These JARs are not required by SCA in order to translate Java/JSP files but are provided as a convenience for users analyzing J2EE Web applications. You can configure SCA so that it does not use com.fortify.sca.DefaultJarsDir by setting com.fortify.sca.DontUseDefaultJars to True.
com.fortify.sca.CustomRulesDir / ${com.fortify.Core}/config/customrules
    Set the directory used to search for custom rules. If this is set, the default directory is not searched.
com.fortify.sca.DontUseDefaultJars / false
    Set this value to True if you do not want to use the default JAR files in SCA's CLASSPATH. SCA will only use the JAR files specified on the sourceanalyzer command line using -cp or -classpath.
com.fortify.sca.DefaultFileTypes / java,jsp,jspx,sql,cfm,php,pks,pkh,pkb,xml,config,properties,dll,exe,inc,asp,vbscript,js,ini,bas,cls,vbs,frm,ctl,html,htm,xsd,wsdd,xmi,cfml,cfc
    Specifies the types of file extensions to include in the SCA scan.
com.fortify.sca.CustomRulesDir / (none)
    Specifies the directory with SCA custom rules. If you use this parameter and specify a different directory, the default directory Core/config/customrules will not be used.
com.fortify.sca.fileextensions.<extension> / The list of supported file extensions
    Determines how SCA handles the specified file extension. This list can be added to so that SCA will understand new file extensions.
com.fortify.sca.jsp.UseNativeParser / true
    Set SCA to use the native parser.
com.fortify.sca.SqlLanguage / TSQL
    Set the SQL language variant.
com.fortify.sca.compilers.<compiler> / The list of supported compilers
    Instructs SCA how to handle custom-named compilers.
com.fortify.sca.DaemonCompilers / The list of supported compilers
    Determines which compilers are translated during an SCA scan.
com.fortify.sca.IndirectCallGraphBuilder / (None)
    Determines when to call graph builders during an SCA scan. You can specify the following call graph builders: com.fortify.sca.analyzer.callgraph.VirtualCGBuilder; com.fortify.sca.analyzer.callgraph.J2EEIndirectCGBuilder; com.fortify.sca.analyzer.callgraph.JNICGBuilder; com.fortify.sca.analyzer.callgraph.StoredProcedureResolver; com.fortify.sca.analyzer.callgraph.JavaWSCGBuilder; com.fortify.sca.analyzer.callgraph.StrutsCGBuilder; com.fortify.sca.analyzer.callgraph.DotNetWSCGBuilder; com.fortify.sca.analyzer.callgraph.SqlServerSPResolver
com.fortify.sca.DisableFunctionPointers / false
    Disables function pointers during the SCA scan.
com.fortify.sca.DisableGlobals / false
    Disables function pointers and global parameters set by the fortify.properties file.
com.fortify.sca.DisableDeadCodeElimination / false
    Set this property to true to disable the use of the Code Navigation features in Audit Workbench and improve runtime memory usage.
com.fortify.sca.DeadCodeIgnoreTrivialPredicates / true
    Instructs SCA to ignore dead code. Dead code is a computer programming term for code in the source code of a program which is executed but whose result is never used in any other computation.
com.fortify.sca.DeadCodeFilter / true
    Instructs SCA to filter dead code during scans. Dead code is a computer programming term for code in the source code of a program which is executed but whose result is never used in any other computation.
com.fortify.scaSolverTimeout / 15
    Instructs SCA to time out after the specified time period.
com.fortify.FVDLDisableProgramData / false
    Excludes the ProgramData section from the analysis results file (FVDL output file).
com.fortify.FVDLDisableSnippets / false
    Excludes code snippets from the analysis results (FVDL output file).
com.fortify.FVDLDisableDescriptions / false
    Excludes descriptions from the analysis results.
com.fortify.FVDLDisableStyleSheets / ${com.fortify.Core}/resources/sca/fvdl2html.xsl
    Specifies the stylesheet for the analysis results.
com.fortify.sca.ClobberLogFile / false
    Sets SCA to overwrite the log file for each new scan.
com.fortify.sca.LogFile / ${com.fortify.sca.ProjectRoot}/sca/log/sca.log
    Specifies the location of the log file for SCA.
com.fortify.sca.PrintPerformanceDataAfterScan /
    Sets the post-scan logging option. If SCA is in debug mode, this will be automatically set to true.
com.fortify.sca.cpfe.command / ${com.fortify.Core}/private-bin/sca/cpfe
    Specifies the CPFE binary (version 3.9) to be used in the translation phase. Do not modify.
com.fortify.sca.cpfe.new.command / ${com.fortify.Core}/private-bin/sca/cpfe441
    Specifies the new binary (version 4.4.1) to be used in the translation phase. Do not modify.
com.fortify.sca.cpfe.options / --remove_unneeded_entities --supress_vtbl -tused
    Adds options to the CPFE command line invoked by SCA when translating C/C++ code. You can use any options supported by CPFE, but make sure you understand the impact of the desired options before altering this property.
com.fortify.sca.cpfe.file.option / --gen_c_file_name
    Sends the name of the NST output file to the CPFE. Do not modify.
com.fortify.sca.cpfe.dont.fix.cctor.option / false
    Determines whether or not the CPFE should perform additional processing steps when it translates copy constructor calls in C++ code. When this value is false, the extra processing steps are done. Do not modify.
com.fortify.sca.DisplayProgress / true
    Allows SCA to display progress through the user interface during a scan.
com.fortify.sca.findbugs.maxheap / (None)
    Sets a maximum amount of issues to log during an SCA scan.
com.fortify.sca.AllocationWebServicesURL / https://per-use.fortify.com/services/GasAllocationService
Specifies the URL of the Web services for SCA.
com.fortify.sca.CfmlUndefinedVariablesAreTainted / false
Instructs SCA to treat undefined variables in CFML pages as tainted.
com.fortify.sca.AddImpliedMethods / true
Sets SCA to generate implied methods when implementation by inheritance is encountered.
SCA performs scans to identify issues within a software project. SCA also offers a less intensive scan known as a quick scan. This option scans the project in Quick Scan Mode, using the parameter values in the fortify-sca-quickscan.properties file. By default, Quick Scan searches for high-confidence, high-severity issues only. For more information about Quick Scan Mode, see the HP Fortify Audit Workbench User's Guide.
The following table describes the properties that tune default scanning performance. These properties have different defaults for Quick Scan Mode, which you can adjust by editing the fortify-sca-quickscan.properties file. If you want to use the recommended tuning parameters, you do not need to edit this file; however, you may want to experiment with other settings to fine-tune the scan for your specific application.
Remember that properties in this file are processed only if you specify the -quick option on the command line when invoking your scan.
The fortify-sca-quickscan.properties file installed on your system contains parameters set to default values. You can modify these parameter values by editing the file, located at the following location on your system:
<install directory>/Core/config
The following table summarizes the parameters found in the fortify-sca-quickscan.properties file and provides two sets of default values. The first value is the default for normal scans; the second is the default for quick scans. If only one default value is shown, that value applies to both normal scans and quick scans.
Table 4: HP fortify-sca-quickscan.properties Global Properties
Property Name / Default Value
Description
com.fortify.sca.FilterSet / (None); Quick Scan value: Critical Exposure
When set to Critical Exposure, SCA runs only the rules that can produce issues in the high-severity filter set of that name, as defined by the default project template for your application. Running only a subset of the defined rules allows the scan to complete more quickly. For more information about filter sets, see the HP Fortify Audit Workbench User's Guide.
com.fortify.sca.FPRDisableSrcHtml / false; Quick Scan value: true
Disables source code rendering into the FPR file: when set to true, SCA does not generate marked-up source files during a scan. If you plan to upload FPRs generated by a quick scan, you must set this property to false.
com.fortify.sca.limiters.ConstraintPredicateSize / 50000; Quick Scan value: 10000
Specifies the size limit for complex calculations in the Buffer Analyzer. Calculations larger than this value are skipped to improve scanning time.
com.fortify.sca.BufferConfidenceInconclusiveOnTimeout / true; Quick Scan value: false
Instructs SCA to skip complex calculations in the Buffer Analyzer to improve scanning time.
com.fortify.sca.limiters.MaxChainDepth / 5; Quick Scan value: 4
Controls the maximum call depth through which the Dataflow Analyzer tracks tainted data. Increasing this value increases the coverage of dataflow analysis and results in longer analysis times. Note: call depth refers to the maximum call depth on a dataflow path between a taint source and a sink, not the call depth from the program entry point such as main().
com.fortify.sca.limiters.MaxTaintDefForVar / 1000; Quick Scan value: 500
Sets a complexity limit for Dataflow analysis. Dataflow incrementally decreases the precision of analysis on functions that exceed this complexity metric for a given precision level.
com.fortify.sca.limiters.MaxTaintDefForVarAbort / 4000; Quick Scan value: 1000
Sets a hard limit for function complexity. If the complexity of a function exceeds this limit at the lowest precision level, the analyzer skips analysis of the function.
com.fortify.sca.DisableGlobals / false
Instructs SCA not to track tainted data through the global variables set with the fortify.properties file.
com.fortify.sca.CtrlflowSkipJSPs / false
Instructs SCA to skip Control Flow analysis on JSPs.
com.fortify.sca.NullPtrMaxFunctionTime / 300000; Quick Scan value: 30000
Sets the time limit (in milliseconds) for Null Pointer analysis on a single function. A shorter limit decreases overall scanning time.
com.fortify.sca.CtrlflowMaxFunctionTime / 600000; Quick Scan value: 30000
Sets the time limit (in milliseconds) for Control Flow analysis on a single function.
com.fortify.sca.TrackPaths / (Not set); Quick Scan value: NoJSP
Disables path tracking for Control Flow analysis. Path tracking provides more detailed reporting for issues but requires more scanning time. Set NoJSP to disable path tracking for JSPs only, or None to disable it for all functions.
com.fortify.sca.translator.java.Incremental / false
When set to true, instructs SCA to translate Java source files one at a time instead of all at once. SCA uses less memory while translating files but processes them more slowly.
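The layering that the preceding paragraphs describe (the quick scan file is applied only for a -quick scan), the ${...} references used by the defaults in Table 3, and the upload caveat on FPRDisableSrcHtml, as an added example. This is not HP Fortify code: the two property files, the installation paths in them, and the thresholds in review() are constructed for the example; only the property names and values come from Tables 3 and 4.

```python
"""Resolve the effective SCA property set for a normal scan and a -quick scan.

Added example, not HP Fortify code. fortify-sca-quickscan.properties is layered
on top of fortify-sca.properties only when -quick is given, and ${name}
references such as ${com.fortify.sca.ProjectRoot} are resolved against the
property set itself. Both files below are constructed inline so this runs offline."""
import re

# Constructed subset of fortify-sca.properties (values from Table 3); paths are assumed.
SCA_PROPERTIES = r"""
# Base defaults for every scan.
com.fortify.Core=/opt/HP_Fortify/Core
com.fortify.sca.ProjectRoot=/home/audit/.fortify
com.fortify.sca.LogFile=${com.fortify.sca.ProjectRoot}/sca/log/sca.log
com.fortify.FVDLDisableStyleSheets=${com.fortify.Core}/resources/sca/fvdl2html.xsl
com.fortify.sca.FPRDisableSrcHtml=false
com.fortify.sca.limiters.MaxChainDepth=5
com.fortify.sca.limiters.ConstraintPredicateSize=50000
com.fortify.sca.TrackPaths=
com.fortify.sca.IndirectCallGraphBuilder=com.fortify.sca.analyzer.callgraph.VirtualCGBuilder;\
    com.fortify.sca.analyzer.callgraph.StrutsCGBuilder
"""

# Constructed subset of fortify-sca-quickscan.properties (Quick Scan values from Table 4).
QUICKSCAN_PROPERTIES = r"""
! Applied on top of the base file only when sourceanalyzer is run with -quick.
com.fortify.sca.FilterSet=Critical Exposure
com.fortify.sca.FPRDisableSrcHtml=true
com.fortify.sca.limiters.MaxChainDepth=4
com.fortify.sca.limiters.ConstraintPredicateSize=10000
com.fortify.sca.TrackPaths=NoJSP
"""

_KEY_VALUE = re.compile(r"([^=:\s]+)\s*[=:]?\s*(.*)")
_REF = re.compile(r"\$\{([^}]+)\}")


def parse_properties(text):
    """Minimal Java .properties reader: '#' and '!' comment lines, '=' or ':'
    separators, and backslash line continuations (leading whitespace of the
    continued line is dropped, as Java does). Later keys override earlier ones."""
    props = {}
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        match = _KEY_VALUE.match(pending + line)
        pending = ""
        if match:
            props[match.group(1)] = match.group(2)
    return props


def expand(props):
    """Resolve ${name} references against the property set. Unknown names
    (for instance ${user.home}) are left as written; passes are bounded so a
    self-referencing value cannot loop forever."""
    resolved = dict(props)
    for _ in range(len(resolved) + 1):
        updated = {k: _REF.sub(lambda m: resolved.get(m.group(1), m.group(0)), v)
                   for k, v in resolved.items()}
        if updated == resolved:
            break
        resolved = updated
    return resolved


def effective_config(base_text, quick_text, quick=False):
    """Return the property set SCA would use: the quick scan file is layered
    on top of the base file only when the scan is invoked with -quick."""
    props = parse_properties(base_text)
    if quick:
        props.update(parse_properties(quick_text))
    return expand(props)


def review(cfg, upload_fpr=False):
    """Flag settings worth knowing before trusting or uploading the results.
    The checks are this example's own, based on the guide's caveats: an FPR
    from a quick scan is uploadable only with FPRDisableSrcHtml=false, and a
    lower MaxChainDepth or a FilterSet reduces what the scan can report."""
    findings = []
    if upload_fpr and cfg.get("com.fortify.sca.FPRDisableSrcHtml", "false").lower() == "true":
        findings.append("FPRDisableSrcHtml=true: marked-up source is omitted; set it to false before uploading the FPR")
    depth = int(cfg.get("com.fortify.sca.limiters.MaxChainDepth", "5"))
    if depth < 5:
        findings.append(f"MaxChainDepth={depth}: taint is tracked through fewer source-to-sink calls than the normal default of 5")
    if cfg.get("com.fortify.sca.FilterSet"):
        findings.append(f"FilterSet={cfg['com.fortify.sca.FilterSet']}: only rules feeding that filter set run; other categories are not reported")
    return findings


if __name__ == "__main__":
    for quick in (False, True):
        cfg = effective_config(SCA_PROPERTIES, QUICKSCAN_PROPERTIES, quick=quick)
        print("quick scan" if quick else "normal scan", cfg["com.fortify.sca.LogFile"])
        for finding in review(cfg, upload_fpr=True):
            print("  -", finding)
```

Run it as a script to see the normal and quick scan configurations side by side; the review() findings for the quick scan are the three settings a practitioner has to account for before treating a quick scan FPR as equivalent to a full one.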
fortify-ide.properties Configuration Options
The fortify-ide.properties file defines configuration settings for Audit Workbench. This component allows you to examine the scan results produced by Software Security Center analyzers, such as SCA. The fortify-ide.properties file installed on your system contains parameters set to default values. You can modify these parameter values by editing the file, located at the following location on your system:
<install directory>/Core/config
The following table summarizes the parameters in the fortify-ide.properties file:
Table 5: HP fortify-ide.properties Global Properties
Property Name / Default Value
Description
rulepack.days / 15
Sets the number of days between automatic Rulepack updates.
rulepack.auto.update / true
Enables automatic updating of Rulepacks.
override.results.path / (None)
Overrides the saved FPR location with a new location: ${user.home}