
HP Fortify Usage Guide

HP Fortify is a tool that performs static code analysis to detect security vulnerabilities in an
application.

The Fortify SCA binary is located in the following path in OEL 5 (64-bit) machines:

/usr/local/remote/packages/fortify_360_remote/3.8.0/bin/sourceanalyzer

Currently source code analysis can be done only for the Linux.X64 labels of OSB.

The source code analysis can be done by specifying ‘gmake fortify’ from the reliaty directory.
Source code analysis is done in two steps. The necessary changes for this have been made in
the Makefile and s_reliaty.mk.

The source analyzer first compiles and instruments the .c files to create the corresponding .nst
files. This step needs to be executed for every .c file. The following command does this:

sourceanalyzer -b <build-id> -c <compiler name> <filename>.c

The sourceanalyzer then scans the .nst files and generates a <GUID>.fpr file in the work
directory (it is advisable to rename this .fpr file before starting another scan, since the next
scan would otherwise overwrite it). This step needs to run only once, using the following
command:

sourceanalyzer -b <build-id> -scan -f <desired location of fpr file> -logfile <logfile>

The build-id specified for both the above steps should be the same. We normally specify the
build id as the user’s guid.

The .fpr file can be analyzed by the auditworkbench tool located in the following directory:

/usr/local/remote/packages/fortify_360_remote/3.8.0/bin/auditworkbench

(Note: Always remove the .fortify folder present in the user’s home directory before starting a
fresh scan. This is where the intermediate .nst files are stored during .fpr generation. Since
the home directory is of limited capacity, future scans may abort with an ‘insufficient memory’
error if the .fortify directory from a previous scan is not removed. Also, as the home directory is
common across all machines for a particular user, only one scan can be run by one user at a
time, even if it is started from different machines. Unfortunately, there seems to be no way to
change the location of the temporary working directory in Fortify.)

In the Audit Workbench (GUI), choose ‘Critical Exposure’ from the drop-down corresponding to
‘Filter Set’. The following filters are available - ‘Security Auditor’, ‘Developer View’, ‘Critical
Exposure’, ‘Hotspot’ and ‘Data Validation’. We normally analyze issues shown in ‘Developer
view’ and ‘Critical Exposure’. Inside the filters, these issues are further classified into Low,
Medium, High and Critical depending on potential severity. The issues are grouped by Category,
and when an issue is selected, the reason for the issue is shown in the Analysis Evidence in the
lower right portion of the window. Fortify also provides the option to generate a summary
report of the issues which can be exported to PDF format.

Notes:
1) Fortify is a static analysis tool, and therefore shows a lot of false positives.
2) The problem of insufficient memory in the home directory can be resolved by modifying
the fortify configuration files. But currently there is no way of doing that, as these files
are in a mounted path and we don’t have the required privileges to modify them.
3) The entire process (from running gmake fortify to the .fpr file generation) takes a few
hours to complete. This can be improved by allocating more memory to the JVM by
specifying JVM memory options when invoking the sourceanalyzer. To view more
info regarding these options, run the command ‘java -X’ from the command line.
Following is an example:
sourceanalyzer -Xmx4G -Xms2G -Xss100M
4) Fortify should not be run together with Parfait or any other tools. Now, parfait is
enabled by default, and parfait icc wrappers are used for compiling our .c files. Parfait
has to be explicitly disabled while running fortify scans, for which some changes need to
be made to the Makefile. Otherwise, fortify throws the following error:
“Unable to load build session with ID <GUID>”
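The two-step flow above together with the home-directory hygiene from the note, as an added shell wrapper (example code, not part of this guide or of Fortify): it assumes the compiler name `icc`, that the build-id is the login name, and a marker file of its own (`.fortify-scan.lock`) to serialise a user's scans; with `FORTIFY_DRY_RUN=1` it only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not part of the guide: wraps the two-step flow and the
# ~/.fortify hygiene from the note. Assumed: compiler name "icc", build-id =
# login name, and a marker file of our own (.fortify-scan.lock) to serialise scans.
SA=/usr/local/remote/packages/fortify_360_remote/3.8.0/bin/sourceanalyzer
JVM_OPTS="-Xmx4G -Xms2G -Xss100M"   # note 3: more heap shortens the multi-hour run
LOCK_NAME=.fortify-scan.lock

# FORTIFY_DRY_RUN=1 prints each command instead of executing it.
run() { if [ "${FORTIFY_DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

build_id() { id -un; }   # the guide uses the user's guid; assumed here to be the login name

# Step 1, one .c file -> .nst under ~/.fortify; the same build-id must be used every time.
translate_cmd() {  # $1=build-id $2=compiler $3=file
  printf '%s %s -b %s -c %s %s' "$SA" "$JVM_OPTS" "$1" "$2" "$3"
}

# Step 2, run once; timestamped .fpr/.log names so a rerun cannot overwrite the last result.
scan_cmd() {  # $1=build-id $2=output dir $3=timestamp
  printf '%s %s -b %s -scan -f %s/fortify-%s.fpr -logfile %s/fortify-%s.log' \
    "$SA" "$JVM_OPTS" "$1" "$2" "$3" "$2" "$3"
}

# ~/.fortify is shared by all of the user's machines: refuse a second concurrent scan
# and remove the stale .nst tree, which otherwise fills the small home directory.
prepare_scan() {  # $1=home dir
  if [ -e "$1/$LOCK_NAME" ]; then
    echo "a scan is already running (found $1/$LOCK_NAME)" >&2
    return 1
  fi
  rm -rf "$1/.fortify" && : > "$1/$LOCK_NAME"
}
finish_scan() { rm -f "$1/$LOCK_NAME"; }  # $1=home dir

fortify_scan() {  # $1=compiler $2=output dir, then the .c files to analyse
  comp=$1; out=$2; shift 2
  bid=$(build_id); stamp=$(date +%Y%m%d-%H%M%S)
  prepare_scan "$HOME" || return 1
  for f in "$@"; do
    run $(translate_cmd "$bid" "$comp" "$f") || { finish_scan "$HOME"; return 1; }
  done
  run $(scan_cmd "$bid" "$out" "$stamp")
  rc=$?; finish_scan "$HOME"; return "$rc"
}
```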
