HPE Software Products: DevInspect

SPI DevInspect is not HPE Fortify DevInspect

Just so no one blows a gasket, this forum was created years ago for the SPI Dynamics (and then HP) product called DevInspect.  That DevInspect was EOL (end-of-life) in 2009 and has passed all possible Support and trade-in time frames at HPE.

 

Now, at the end of 2015, the HPE Fortify team is working on a product called DevInspect.  I suppose this choice was because we own the name, and it's not a bad name given what it does.  Anyways, the new product is similar to the old one in the shallow regard that it offers an integration point into an IDE and provides the developer with security information regarding their code.  But there is NO related code or anything else shared between these two products.

 

Initially, HPE Fortify's DevInspect is being offered via the new SecurityAssistant product that came out this month (NOV 2015) with the 4.40 release.  This SecurityAssistant currently supports only Eclipse and it serves like a "spell checker", highlighting security risks inside the IDE as the developer writes their code.  I believe the SecurityAssistant is initially available to anyone with a valid Fortify SCA license.  It can also perform a lightweight scan of the code.  While this is not nearly as thorough or as confident as a full SCA scan, it should be helpful.

 

Fail in installing DevInspect

For installing DevInspect for Eclipse 3.4, when I enter "http://updates.spidynamics.com/eclipse/eclipse-3.4/" in Add Site and click OK, the progress finishes with the error "no repository found at http://download.eclipse.org/technology/gmf/update-site/releases/site.xml". What's the problem?

 

DevInspect Errors!

Hi,

We have successfully installed a licensed version of DevInspect 5.1.7677 / 10 February 2009 through Eclipse SDK 2.2.2. All the steps have been performed as per the cheatsheet and DevInspect QuickStart Guide.

 

1. When the "Test for Vulnerabilities" button is clicked, the following error message is displayed: "You are trying to access an older version of a SQL Server Compact Edition database. If this is a SQL Server CE 1.0 or 2.0 database, run upgrade.exe. If this is a SQL Server Compact Edition 3.0 or later database, run Compact / Repair. [Db version = 3505053, Requested version = 3004180, Filename = C:\Documents and Settings\All Users\Application Data\SPI Dynamics\DevInspect\Eclipse\5.1\SecureBase\SecureBase.sdf"

 

2. When Eclipse is opened, the following error messages are being displayed.

(i) HP Policy Manager did not initialize. Contact Info ------------- Plug-in Vendor: HP Plug-in Name MSNET Bridge Plug-in ID: com.spidynamics.interop Plug-in Version: 5.1.6684.2 Plug-in Documentation: http://www.hp.com/go/securitysoftware Vendor Contact info: spisupport@hp.com

 

(ii) HP Vulnerability Scanner did not initialize. Contact Info -------------- Plug-in Vendor: HP Plug-in Name MSNET Bridge Plug-in ID: com.spidynamics.interop Plug-in Version: 5.1.6684.2 Plug-in Documentation: http://www.hp.com/go/securitysoftware Vendor Contact info: spisupport@hp.com

 

We installed MS Visual Studio 2005, which comes with SQL Server Compact Edition 3.5, but it did not resolve the errors. Is there a workaround available for the above errors? Kindly advise.

 

ASC Forums and Blogs moved to Lithium platform

Another, hopefully final, surprise.  HP Communities just migrated their Communities forums (all, not just the ASC) to their new Lithium platform.  So first things first, you may want to reopen each of the "boards" for WebInspect, AMP, et al, and choose "Mark all as Read" from the Board Options button found to the right of the screen.  If you are like me, you depend on that to help you recall what is new and what has been answered/read already or what is simply old.

 

We are still getting our moderators group's access to the forums returned, and should be hobbling along fine this time next week.  Keep your posts coming and I will do my best to respond or get an answer to you!

 

You may notice that now the ASC Blogs are closely related to the User Forums unlike in the old Communities site, using the central folder for the ASC, http://h30501.www3.hp.com/t5/Application-Security-Community/ct-p/AS

 

 

And now a few keywords for the Search Engines of the world...

 

"Official User Forums for HP Application Security Center (ASC) Including WebInspect, AMP (Assessment Management Platform), QAInspect, and even DevInspect.  Fortify's discussions may eventually come to roost here as well."

 

Scan dies on static analysis in Visual Studio 2008

I'm scanning a web app and it goes well until it gets to the static analysis.  It repeats the same statement over and over again in the output window:


Performing static analysis search...
Unexpected condition during Static Scan - search returned null results.


This is what the VS log reveals:


 <entry>
    <record>338</record>
    <time>2010/05/14 19:13:01.243</time>
    <type></type>
    <source>SPI Dynamics DevInspect</source>
    <description>Stack Trace:
   at SPI.IPA.VariableTracer.GetParameterUses(MethodBase method, Int32 parameterIndex, AssemblyMetadata asmMetadata)
   at SPI.SearchCases.Utility.updateUnvalidatedListForCallInstruction(Int32 curInstrIndex, MethodCallInfo methodCallInfo, List`1 currentPushInstrList, List`1&amp; validated, List`1&amp; unvalidated, Int32 parameterIndex, Dictionary`2 cfg, String controlFieldName, AssemblyMetadata asmMetadata, ControlValidatorList controlValidatorList, IsValidatedRecursionCallList recursionCallList)
   at SPI.SearchCases.Utility.isValidated(Int32 instrIndex, Dictionary`2 varUsage, List`1 validated, List`1 unvalidated, Dictionary`2 cfg, String controlFieldName, AssemblyMetadata asmMetadata, ControlValidatorList controlValidatorList, IsValidatedRecursionCallList recursionCallList)
   at SPI.SearchCases.Utility.isValidated(Int32 instrIndex, Dictionary`2 varUsage, List`1 validated, List`1 unvalidated, Dictionary`2 cfg, String controlFieldName, AssemblyMetadata asmMetadata, ControlValidatorList controlValidatorList, IsValidatedRecursionCallList recursionCallList)
   at SPI.SearchCases.Utility.isValidated(Int32 instrIndex, Dictionary`2 varUsage, List`1 validated, List`1 unvalidated, Dictionary`2 cfg, String controlFieldName, AssemblyMetadata asmMetadata, ControlValidatorList controlValidatorList)
   at SPI.SearchCases.Utility.GetifInputIsValidated(MethodCallInfo callInfo, MethodBase calledMethod, List`1 validated, List`1 unvalidated, String controlFieldName, AssemblyMetadata asmMetadata, ControlValidatorList controlValidatorList)
   at SPI.SearchCases.Utility.GetUnValidatedInputsForNonWebControl(List`1 validated, List`1 unvalidated, MethodBase calledMethod, List`1 callers, AssemblyMetadata asmMetadata, ControlValidatorList controlValidatorList)
   at SPI.DevInspect.Checks.NonControlUnvalidatedInputsCheck.Eval(AssemblyMetadata asmMetadata)
   at SPI.BinarySearch.SearchManager.Search()
   at SPI.BinarySearch.SearchManager.Search()
   at SPI.BinarySearch.SearchSession.Search()
   at SPI.DevInspect.DevInspect.scanProjectItemForStaticVulnerabilities(List`1&amp; staticAnalysisSearchResultList, IList`1&amp; staticAnalysisSearchResults, Dictionary`2 pageMappings, String webSiteBinaryDirectory, ProjectItem projectItem, ControlValidatorList validatorDetails, String log4NetConfigFile)
</description>
  </entry>
  <entry>
    <record>339</record>
    <time>2010/05/14 19:18:59.589</time>
    <type></type>
    <source>SPI Dynamics DevInspect</source>
    <description>Exception Type: System.IndexOutOfRangeException; Message: Index was outside the bounds of the array.; Additional Info: Static Scan Failed
</description>
  </entry>
  <entry>
    <record>340</record>
    <time>2010/05/14 19:18:59.589</time>
    <type></type>
    <source>SPI Dynamics DevInspect</source>
    <description>Stack Trace:
   at SPI.IPA.VariableTracer.GetParameterUses(MethodBase method, Int32 parameterIndex, AssemblyMetadata asmMetadata)
   at SPI.SearchCases.Utility.updateUnvalidatedListForCallInstruction(Int32 curInstrIndex, MethodCallInfo methodCallInfo, List`1 currentPushInstrList, List`1&amp; validated, List`1&amp; unvalidated, Int32 parameterIndex, Dictionary`2 cfg, String controlFieldName, AssemblyMetadata asmMetadata, ControlValidatorList controlValidatorList, IsValidatedRecursionCallList recursionCallList)
   at SPI.SearchCases.Utility.isValidated(Int32 instrIndex, Dictionary`2 varUsage, List`1 validated, List`1 unvalidated, Dictionary`2 cfg, String controlFieldName, AssemblyMetadata asmMetadata, ControlValidatorList controlValidatorList, IsValidatedRecursionCallList recursionCallList)
   at SPI.SearchCases.Utility.isValidated(Int32 instrIndex, Dictionary`2 varUsage, List`1 validated, List`1 unvalidated, Dictionary`2 cfg, String controlFieldName, AssemblyMetadata asmMetadata, ControlValidatorList controlValidatorList, IsValidatedRecursionCallList recursionCallList)
   at SPI.SearchCases.Utility.isValidated(Int32 instrIndex, Dictionary`2 varUsage, List`1 validated, List`1 unvalidated, Dictionary`2 cfg, String controlFieldName, AssemblyMetadata asmMetadata, ControlValidatorList controlValidatorList)
   at SPI.SearchCases.Utility.GetifInputIsValidated(MethodCallInfo callInfo, MethodBase calledMethod, List`1 validated, List`1 unvalidated, String controlFieldName, AssemblyMetadata asmMetadata, ControlValidatorList controlValidatorList)
   at SPI.SearchCases.Utility.GetUnValidatedInputsForNonWebControl(List`1 validated, List`1 unvalidated, MethodBase calledMethod, List`1 callers, AssemblyMetadata asmMetadata, ControlValidatorList controlValidatorList)
   at SPI.DevInspect.Checks.NonControlUnvalidatedInputsCheck.Eval(AssemblyMetadata asmMetadata)
   at SPI.BinarySearch.SearchManager.Search()
   at SPI.BinarySearch.SearchManager.Search()
   at SPI.BinarySearch.SearchSession.Search()
   at SPI.DevInspect.DevInspect.scanProjectItemForStaticVulnerabilities(List`1&amp; staticAnalysisSearchResultList, IList`1&amp; staticAnalysisSearchResults, Dictionary`2 pageMappings, String webSiteBinaryDirectory, ProjectItem projectItem, ControlValidatorList validatorDetails, String log4NetConfigFile)
</description>
  </entry>
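As an added example (not part of the post, and not DevInspect or Visual Studio code), a small Python triage script for entries in the Visual Studio ActivityLog.xml format shown above. It pairs each "Exception Type" record from a given source with the "Stack Trace" record that follows it and pulls out the exception class, message, innermost frame and the DevInspect check that was on the stack. It assumes the entries sit under a single root element (the real file uses <activity>); the sample log is constructed from the records in the post, with the long frame lists shortened.

```python
"""Triage Visual Studio ActivityLog.xml entries (added example, not product code)."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the records from the post, frame lists shortened.
SAMPLE_LOG = """<activity>
  <entry>
    <record>338</record>
    <time>2010/05/14 19:13:01.243</time>
    <type></type>
    <source>SPI Dynamics DevInspect</source>
    <description>Stack Trace:
   at SPI.IPA.VariableTracer.GetParameterUses(MethodBase method, Int32 parameterIndex, AssemblyMetadata asmMetadata)
   at SPI.SearchCases.Utility.updateUnvalidatedListForCallInstruction(Int32 curInstrIndex, List`1&amp; validated)
   at SPI.DevInspect.DevInspect.scanProjectItemForStaticVulnerabilities(List`1&amp; staticAnalysisSearchResultList)
</description>
  </entry>
  <entry>
    <record>339</record>
    <time>2010/05/14 19:18:59.589</time>
    <type></type>
    <source>SPI Dynamics DevInspect</source>
    <description>Exception Type: System.IndexOutOfRangeException; Message: Index was outside the bounds of the array.; Additional Info: Static Scan Failed
</description>
  </entry>
  <entry>
    <record>340</record>
    <time>2010/05/14 19:18:59.589</time>
    <type></type>
    <source>SPI Dynamics DevInspect</source>
    <description>Stack Trace:
   at SPI.IPA.VariableTracer.GetParameterUses(MethodBase method, Int32 parameterIndex, AssemblyMetadata asmMetadata)
   at SPI.DevInspect.Checks.NonControlUnvalidatedInputsCheck.Eval(AssemblyMetadata asmMetadata)
</description>
  </entry>
</activity>"""

# "Exception Type: X; Message: Y; Additional Info: Z" as written by the plug-in.
EXC_RE = re.compile(
    r"Exception Type:\s*(?P<type>[^;]+);\s*Message:\s*(?P<msg>.*?);\s*Additional Info:\s*(?P<info>.*)",
    re.S,
)
# One ".NET" stack frame: "   at Namespace.Type.Method(args)"; keep the qualified method name.
FRAME_RE = re.compile(r"^\s*at\s+(\S+?)\(", re.M)


def parse_entries(xml_text):
    """Flatten every <entry> into a dict; ElementTree decodes &amp; for us."""
    root = ET.fromstring(xml_text)
    return [
        {
            "record": int(e.findtext("record")),
            "time": e.findtext("time"),
            "source": e.findtext("source"),
            "description": (e.findtext("description") or "").strip(),
        }
        for e in root.iter("entry")
    ]


def triage(xml_text, source="SPI Dynamics DevInspect"):
    """Pair each exception record from `source` with the stack trace logged
    right after it. Returns one dict per failure."""
    failures, pending = [], None
    for entry in parse_entries(xml_text):
        if entry["source"] != source:
            continue
        desc = entry["description"]
        m = EXC_RE.match(desc)
        if m:
            pending = {"record": entry["record"], "time": entry["time"],
                       "type": m["type"].strip(), "message": m["msg"].strip(),
                       "info": m["info"].strip(), "frames": []}
            failures.append(pending)
        elif desc.startswith("Stack Trace:") and pending is not None:
            pending["frames"] = FRAME_RE.findall(desc)   # frames[0] is innermost
            pending = None
    return failures


def failing_check(failure):
    """Qualified name of the DevInspect check whose Eval was on the stack, if any."""
    for frame in failure["frames"]:
        if ".Checks." in frame:
            return frame.rsplit(".", 1)[0]
    return None


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["record"], f["type"], f["message"], "|", f["frames"][0], "|", failing_check(f))
```

For a real log (written by `devenv /log`), pass the file's bytes, e.g. `triage(open(path, "rb").read())`, so the XML declaration's encoding is honoured. Note that a "Stack Trace" record logged before its exception record (338 above) is not attached to anything, which matches how the plug-in interleaves them here.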

 

How can I run a DevInspect scan on an application project with only web services?

We have a Java project that is comprised of web services.   When we attempt to run a scan, DevInspect looks for a target (e.g. a web application) to scan from.  The WSDL appears but DevInspect is not able to use this.


How do you run a scan of a Java project with only web services and not a web application with a UI?


Per the documentation DevInspect is supposed to be able to perform static analysis of the code and this is what we'd like to accomplish.


If someone has found a way to accomplish this please let me know.


Terry White

 

Error when trying to run the test

 An internal error occurred during: "Static and Dynamic Anaylsis".
loader constraints violated when linking javax/servlet/ServletContext class


And when I try to run a static analysis, it shows:


Vulnerability scan started... (started 20:42:16)
***
Vulnerability scan completed. Status OK (took 0:00:00).


Please help me to solve this issue.

 

New update site links for DevInspect for Java 5.1

With DevInspect for Java being integrated into Eclipse, or IBM Rational Software Development Platform (RSDP), the user had the option to download and install DevInspect directly to their existing IDE rather than as a binary installation.  In April 2009, HP began shifting the previously "spidynamics.com" resources to HP server addresses.  One of these moves updates the links used for these Update Sites to "hpsmartupdate.com".  The old addresses are still functioning, but you will want to specify the newer ones going forward.


 


+++++++++++++++++++++++++++++++++++


Installing into an existing Eclipse IDE:

Eclipse allows the installation of plug-ins, such as DevInspect. The Quick Start guide for DevInspect-Java 5.1 lists several ways to add DevInspect to an existing installation of Eclipse. For different versions of Eclipse, it lists different URLs for the "Update Site" source address, as follows.

IDE          Update Site                                                    Old Update Site (prior to APR 2009)
Eclipse 3.4  http://updates.hpsmartupdate.com/eclipse/eclipse-3.4/          http://updates.spidynamics.com/eclipse/eclipse-3.4/
Eclipse 3.3  http://updates.hpsmartupdate.com/eclipse/eclipse-3.3/site.xml  http://updates.spidynamics.com/eclipse/eclipse-3.3/site.xml
Eclipse 3.2  http://updates.hpsmartupdate.com/eclipse/eclipse-3.2/site.xml  http://updates.spidynamics.com/eclipse/eclipse-3.2/site.xml
RSDP7        http://updates.hpsmartupdate.com/eclipse/RSDP7/site.xml        http://updates.spidynamics.com/eclipse/RSDP7/site.xml
RSDP6        http://updates.hpsmartupdate.com/eclipse/RSDP6/site.xml        http://updates.spidynamics.com/eclipse/RSDP6/site.xml

 



  • Eclipse 3.4 has a slightly different update process which is detailed within the QuickStart Guide.


+++++++++++++++++++++++++++++++++++


 


Link to the Quick Start guide in the documentation bundle:  https://download.hpsmartupdate.com/DevInspect/Java/devinspectjavaguides.zip

 

DevInspect Memory Leak causes Visual Studio 2008 shutdown

I have a web site project with 40 pages.  When I attempt a full site scan, it fails after 3 or 4 hours and 26K to 27K scan lines with a System.OutOfMemoryException either affecting and killing ScriptServer.exe or WebDev.WebServer.Exe which in turn causes the scan to quit with "The server 'localhost:2188' appears to be unreachable."


I have attempted to scan each of the pages individually in order to get a complete "green check mark" report list to turn over to our security department for implementation audit, but even that fails too.   I can scan between 19 to 22 of the 40 pages until that fails with a System.OutOfMemoryException that closes Visual Studio.  I watched the processes in Task Mangler and could clearly see devenv.exe eating more and more memory with each page scanned until I hit about 550,000 KB and then BOOM.  VS Shutdown.


Is there any way to manage the way DevInspect uses memory? 


I submitted a help ticket to the HP support desk on this issue on April 9th and still haven't got any help.  I'm just hoping somebody out there can offer some suggestions/help/support.


Thanks,


Tim

 

DevInspect for .NET package load failure

Hi there,


After having installed DevInspect, I receive the following error message when I try to access the DevInspect settings in Tools > Options in Visual Studio 2005:



 Package Load Failure



Package '?' has failed to load properly (GUID = {3E7145B5-E622-4EBE4-ACCA-C4204A27DF44} ). Please contact package vender for assistance. Application restart is recommended, due to possible environment corruption. Would you like to disable loading this package in the future? You may use 'devenv /resetskippkgs' to re-enable package loading.



Yes/No


Furthermore, I can't see the 'DevInspect Explorer' option in the View menu. I tried to reinstall both VS and DevInspect but nothing changed. Can anyone help?


Thank you.


Regards,


Pierre

 

DevInspect for Java error log

Hi All.


I used it to check for vulnerabilities in Eclipse 3.3.


It notifies me as below.


#############################################################################


"Unable to assert fact."     plug-in : com.spidynamics.analysis.java


   (Unique index or primary key violation: PRIMARY_KEY_E5 ON PUBLIC.ARTIFACT(ID))


###############################################################################


How can I resolve it?


Please give me the answer as soon as possible.


Thanks.


 


 

 

DevInspect expects a Dynamic Web Project

Hi All


 


I am currently trying to figure out if DevInspect is able to scan code for a website that is written as a normal Java project in Eclipse and not as a Web project. Will DevInspect be able to scan the code, as it is not dynamic web code? If a programmer uses this tool and wants to scan the code that he has just written, does he really need to deploy the code to an integrated server? Please help.


Regards,


Vernon 


 

 

Hybrid Analysis on Java platform

Hi All,

As I went through the User Guides and Quick Start Guides, my initial understanding of Hybrid Analysis is that it is a combination of Static Code Analysis and Dynamic Code Analysis.

Please find my questions regarding the procedures as below:

1. In Static Code Analysis, I understand that DevInspect does a thorough inspection of any user-supplied input for validation. If my understanding is correct, then how does it determine which unvalidated input should be listed under SQL Injection and which one under Cross-Site Scripting? I mean to say it only detects the unvalidated input; how is it performing classification on them?

2. In Hybrid Code Analysis, DevInspect sends HTTP requests to a specified URL link and also does static code analysis. Do we need to create a localhost instance of the entire application for the Hybrid Analysis, say something like (http://localhost:80/webapp/)?
How can we say that the Hybrid Analysis helps us to identify false positives?

Please let me know.
My apologies for blunt questions as I am a newbie in this area and am trying to understand the process in a little depth.
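The first question above (how a static analyzer decides whether an unvalidated input is a SQL Injection or a Cross-Site Scripting finding) is answered by the sink, not the source: taint is attached to values that come from untrusted input, propagated through assignments and string building, cleared only by validators or encoders that defend against a particular class, and reported under the class of the sink the still-tainted value reaches. A hybrid run then has a concrete request/sink pair to try to exercise at runtime, which is how it can confirm or discount a static finding. The following is an added example that models exactly that; it is not DevInspect's code, and the source, sink and sanitizer method names are illustrative stand-ins, not its configured lists.

```python
"""Sink-driven classification of unvalidated input (added example; not
DevInspect's code, and the method names below are illustrative stand-ins)."""
from collections import defaultdict

# Methods that introduce untrusted data (illustrative).
SOURCES = {"Request.QueryString", "Request.Form", "TextBox.Text"}
# Sink method -> vulnerability class it is a sink for (illustrative).
SINKS = {
    "SqlCommand.ExecuteReader": "SQL Injection",
    "SqlCommand.ExecuteNonQuery": "SQL Injection",
    "Response.Write": "Cross-Site Scripting",
}
# Sanitizer -> classes it actually neutralises. HTML encoding does nothing for SQL.
SANITIZERS = {
    "HttpUtility.HtmlEncode": {"Cross-Site Scripting"},
    "SqlParameter": {"SQL Injection"},
    "RegexValidator.IsMatch": {"SQL Injection", "Cross-Site Scripting"},
}
ALL_CLASSES = set(SINKS.values())


def analyze(program):
    """program: straight-line statements, one tuple each:
         ("const",  dst, text)           literal, never tainted
         ("assign", dst, src)
         ("concat", dst, part, ...)      taint is the union of the parts
         ("call",   dst, method, arg, ...)
    Returns findings as (line, vuln_class, sink_method, tainted_var)."""
    taint = defaultdict(set)   # var -> classes the value is still unsafe for
    findings = []
    for line, stmt in enumerate(program, 1):
        op, dst = stmt[0], stmt[1]
        if op == "const":
            taint[dst] = set()
        elif op == "assign":
            taint[dst] = set(taint[stmt[2]])
        elif op == "concat":
            taint[dst] = set().union(*(taint[p] for p in stmt[2:]))
        elif op == "call":
            method, args = stmt[2], stmt[3:]
            incoming = set().union(*(taint[a] for a in args))
            if method in SOURCES:
                taint[dst] = set(ALL_CLASSES)          # unsafe for every sink class
            elif method in SANITIZERS:
                taint[dst] = incoming - SANITIZERS[method]
            elif method in SINKS:
                cls = SINKS[method]
                for a in args:
                    if cls in taint[a]:                # only this sink's class counts
                        findings.append((line, cls, method, a))
                taint[dst] = incoming
            else:
                taint[dst] = incoming                  # unknown callee: assume pass-through
    return findings


def summarize(findings):
    """Group tainted variables by vulnerability class, as a report would list them."""
    by_class = defaultdict(list)
    for _, cls, _, var in findings:
        by_class[cls].append(var)
    return dict(by_class)


# Constructed sample modelling one page handler.
SAMPLE = [
    ("call",   "name",   "Request.QueryString"),                 # untrusted
    ("const",  "prefix", "SELECT * FROM users WHERE name='"),
    ("concat", "sql",    "prefix", "name"),
    ("call",   "rows",   "SqlCommand.ExecuteReader", "sql"),     # SQL Injection
    ("call",   "safe",   "HttpUtility.HtmlEncode", "name"),
    ("call",   "_",      "Response.Write", "safe"),              # clean: encoded for HTML
    ("call",   "_",      "Response.Write", "name"),              # Cross-Site Scripting
    ("call",   "_",      "SqlCommand.ExecuteNonQuery", "safe"),  # SQL Injection: HtmlEncode is no SQL defence
    ("call",   "p",      "SqlParameter", "name"),
    ("call",   "_",      "SqlCommand.ExecuteNonQuery", "p"),     # clean: parameterised
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print(finding)
    print(summarize(analyze(SAMPLE)))
```

The point the sample makes is the one that matters for triage: the same unvalidated `name` is reported once as SQL Injection and once as Cross-Site Scripting because it reaches both kinds of sink, and running it through an HTML encoder removes only the XSS report. A real analyzer does this interprocedurally and over control flow; the classification rule is the same.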

 

DevInspect for 64 bit OS and .Net 3.5

Does anyone have info on plans from HP to support 64 bit OS and .NET version 3.5 for 'DevInspect for .NET'?


We are planning to implement it in one of our projects but we are unable to do so because of these limitations.

 

DevInspect causes Visual Studio 2008 crash attempting to install license

Before purchasing DevInspect 5.0, we are attempting to install the trial version.


When we click Install License inside the DevInspect Explorer, Visual Studio 2008 crashes.


This is Windows XP Professional with all service packs and Visual Studio 2008 with all service packs.


EventType clr20r3, P1 devenv.exe, P2 9.0.21022.8, P3 47317b3d, P4 spi.licensing.library, P5 5.1.650.0, P6 4856bdfe, P7 6d, P8 1e, P9 c1hrnlgf4kdcxtastrgwwm132323bna2, P10 NIL.


 Bucket 389310578, bucket table 5, EventType clr20r3, P1 devenv.exe, P2 9.0.21022.8, P3 47317b3d, P4 spi.licensing.library, P5 5.1.650.0, P6 4856bdfe, P7 6d, P8 1e, P9 c1hrnlgf4kdcxtastrgwwm132323bna2, P10 NIL.

 

SPIValidators don't allow carriage returns in multi-line textbox

I am working with an employment application that requires a multi-line textbox for user input on their job duties.  If a user adds a carriage return to the textbox, the validation fails.  What part of the validator needs to be changed to allow this behavior to be accepted and why does a carriage return constitute a danger?
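On the question of why a carriage return is treated as dangerous: the usual reason such validators reject CR/LF is that those two bytes are record delimiters in HTTP headers, cookies and most line-oriented logs, so a value that carries them can end one header or log line and start another (header injection, response splitting, log forging). In a free-text body they are only line breaks. The right fix is therefore a per-field policy rather than a global exception. The following is an added example, not SPIValidators' code: a single-line validator that rejects CR/LF outright, a multi-line validator that accepts them but normalises line endings and still rejects other control characters, and a deliberately naive header builder that shows what the single-line rule prevents.

```python
"""Field-specific handling of CR/LF (added example, not SPIValidators' code)."""
import re

# Control characters other than tab, LF and CR; these never belong in text fields.
OTHER_CTRL = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")


def build_header(name, value):
    """Deliberately naive header construction, to show the injection."""
    return f"{name}: {value}\r\n"


def header_lines(raw_headers):
    """Split a raw header block the way an HTTP parser would: CRLF starts a new header."""
    return [line for line in raw_headers.split("\r\n") if line]


def validate_single_line(value, max_len=256):
    """For values bound for headers, cookies or single-line logs: no line breaks.
    Returns (ok, value_or_reason)."""
    if len(value) > max_len:
        return False, "too long"
    if "\r" in value or "\n" in value:
        return False, "line break not allowed in a single-line field"
    if OTHER_CTRL.search(value):
        return False, "control character not allowed"
    return True, value


def validate_multiline(value, max_len=4000, max_lines=50):
    """For free-text fields such as job duties: line breaks are fine, but
    normalise them to LF so every consumer sees one terminator, cap size and
    line count, and still reject other control characters.
    Returns (ok, value_or_reason)."""
    normalized = value.replace("\r\n", "\n").replace("\r", "\n")
    if len(normalized) > max_len:
        return False, "too long"
    if normalized.count("\n") + 1 > max_lines:
        return False, "too many lines"
    if OTHER_CTRL.search(normalized):
        return False, "control character not allowed"
    return True, normalized


if __name__ == "__main__":
    hostile = "Clerk\r\nSet-Cookie: role=admin"   # constructed input
    print(header_lines(build_header("X-Job-Title", hostile)))   # two headers from one value
    print(validate_single_line(hostile))
    print(validate_multiline("Filed reports\r\nAnswered phones\r\n"))
```

The normalised multi-line value is still only safe where it is stored; anything that later emits it into a single-line context (a header, a CSV export, a log line) must encode or strip the line breaks at that point, which is why the single-line rule exists at all.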

 

DevInspect Java Installation problem

I have installed JDK 1.5 and Eclipse 3.3, but I am not able to install DevInspect for the Java platform.


Please let me know the proper steps for it. When I tried to download DevInspect from the site it gave me an exe of 1 MB size which contained only the Guide pdfs and readme doc. Please let me know from where I can download the proper exe for Java Platform. 


 

 

DevInspect .Net installation problem

Greetings,


I am trying to install DevInspect 5.0 .Net edition, but I keep getting an error that I do not have SQL Server 2005 SP1 Express Edition. I do however have SQL Server 2005 SP2 Developer Edition installed. Is it a hard requirement that DevInspect needs the Express Edition? Seems reasonable that it should be able to work with the Developer Edition or anything higher than the Express Edition.


Any help on this is appreciated. Thanks

 

DevInspect of User Controls

I am a newbie to DevInspect and had a quick question. How do I configure DevInspect to analyze User Controls within a project?

I am using VS 2008 and am evaluating DevInspect 5.1.650.0.

Thank you.

 

DevInspect on 3rd party library binaries

Hi Guys,

I have a question to ask regarding DevInspect scanning source code that uses 3rd-party libraries, e.g. Struts, Hibernate, Spring etc.

Taking into consideration that these libraries that are imported into the project include the binaries only, without the source code to the libraries, can we assume that the scan can parse information that goes through functions that use the 3rd-party libraries?

Thank you.

Contact Us

Vivit Worldwide
P.O. Box 18510
Boulder, CO 80308

Email: info@vivit-worldwide.org

Mission

Vivit's mission is to serve the Hewlett Packard Enterprise User Community through Advocacy, Community, and Education.