HPE Software Products: DevInspect
Just so no one blows a gasket, this forum was created years ago for the SPI Dynamics (and then HP) product called DevInspect. That DevInspect was EOL (end-of-life) in 2009 and has passed all possible Support and trade-in time frames at HPE.
Now, at the end of 2015, the HPE Fortify team is working on a product called DevInspect. I suppose this choice was because we own the name, and it's not a bad name given what it does. Anyways, the new product is similar to the old one in the shallow regard that it offers an integration point into an IDE and provides the developer with security information regarding their code. But there is NO related code or anything else shared between these two products.
Initially, HPE Fortify's DevInspect is being offered via the new SecurityAssistant product that came out this month (NOV 2015) with the 4.40 release. This SecurityAssistant currently supports only Eclipse and it serves like a "spell checker", highlighting security risks inside the IDE as the developer writes their code. I believe the SecurityAssistant is initially available to anyone with a valid Fortify SCA license. It can also perform a lightweight scan of the code. While this is not nearly as thorough or as confident as a full SCA scan, it should be helpful.
http://updates.spidynamics.com/eclipse/eclipse-3.4/" in AddSite and click OK, the progress finishes with the error "no repository found at http://download.eclipse.org/technology/gmf/update-site/releases/site.xml". What's the problem?
We have successfully installed a licensed version of Devinspect 5.1.7677 / 10 February 2009 through Eclipse SDK 2.2.2. All the steps have been performed as per the cheatsheet and DevInspect QuickStart Guide.
1. When the "Test for Vulnerabilities" button is clicked, the following error message is displayed. "You are trying to access an older version of a SQL Server Compact Edition database. If this is a SQL Server CE 1.0 or 2.0 database, run upgrade.exe. If this is a SQL Server Compact Edition 3.0 or later database, run Compact / Repair. [Db version = 3505053, Requested version = 3004180,Filename = C:\Documents and Settings\All Users\Application Data\SPI Dynamics\DevInspect\Eclipse\5.1\SecureBase\SecureBase.sdf"
2. When Eclipse is opened, the following error messages are being displayed.
(i) HP Policy Manager did not initialize. Contact Info ------------- Plug-in Vendor: HP Plug-in Name MSNET Bridge Plug-in ID: com.spidynamics.interop Plug-in Version: 5.1.6684.2 Plug-in Documentation: http://www.hp.com/go/securitysoftware Vendor Contact info: email@example.com
(ii) HP Vulnerability Scanner did not initialize. Contact Info -------------- Plug-in Vendor: HP Plug-in Name MSNET Bridge Plug-in ID: com.spidynamics.interop Plug-in Version: 5.1.6684.2 Plug-in Documentation: http://www.hp.com/go/securitysoftware Vendor Contact info: firstname.lastname@example.org
We installed MS Visual Studio 2005, which comes with SQL Server Compact Edition 3.5, but it did not resolve the errors. Is there a workaround available for the above errors? Kindly advise.
Another, hopefully final, surprise. HP Communities just migrated their Communities forums (all, not just the ASC) to their new Lithium platform. So first things first, you may want to reopen each of the "boards" for WebInspect, AMP, et al, and choose "Mark all as Read" from the Board Options button found to the right of the screen. If you are like me, you depend on that to help you recall what is new and what has been answered/read already or what is simply old.
We are still getting our moderators group returned access to the forums, and should be hobbling along fine this time next week. Keep your posts coming and I will do my best to respond or get an answer to you!
You may notice that now the ASC Blogs are closely related to the User Forums unlike in the old Communities site, using the central folder for the ASC, http://h30501.www3.hp.com/t5/Application-Security-Community/ct-p/AS
And now a few keywords for the Search Engines of the world...
"Official User Forums for HP Application Security Center (ASC) Including WebInspect, AMP (Assessment Management Platform), QAInspect, and even DevInspect. Fortify's discussions may eventually come to roost here as well."
I'm scanning a web app and it goes well until it gets to the static analysis. It repeats the same statement over and over again in the output window:
Performing static analysis search...
This is what the VS log reveals:
We have a Java project that is comprised of web services. When we attempt to run a scan DevInspect is looking for a target (e.g web application) to scan from. The WSDL appears but DevInspect is not able to use this.
How do you run a scan of a Java project with only web services and not a web application with a UI?
Per the documentation DevInspect is supposed to be able to perform static analysis of the code and this is what we'd like to accomplish.
If someone has found a way to accomplish this please let me know.
An internal error occurred during: "Static and Dynamic Anaylsis".
And when I try to run a static analysis it shows:
Vulnerability scan started... (started 20:42:16)
Please help me to solve this issue.
With DevInspect for Java being integrated into Eclipse, or IBM Rational Software Development Platform (RSDP), the user had the option to download and install DevInspect directly to their existing IDE rather than as a binary installation. In April 2009, HP began shifting the previously "spidynamics.com" resources to HP server addresses. One of these moves updates the links used for these Update Sites to "hpsmartupdate.com". The old addresses are still functioning, but you will want to specify the newer ones going forward.
Link to the Quick Start guide in the documentation bundle: https://download.hpsmartupdate.com/DevInspect/Java/devinspectjavaguides.zip
I have a web site project with 40 pages. When I attempt a full site scan, it fails after 3 or 4 hours and 26K to 27K scan lines with a System.OutOfMemoryException either affecting and killing ScriptServer.exe or WebDev.WebServer.Exe which in turn causes the scan to quit with "The server 'localhost:2188' appears to be unreachable."
I have attempted to scan each of the pages individually in order to get a complete "green check mark" report list to turn over to our security department for implementation audit, but even that fails too. I can scan between 19 to 22 of the 40 pages until that fails with a System.OutOfMemoryException that closes Visual Studio. I watched the processes in Task Mangler and could clearly see devenv.exe eating more and more memory with each page scanned until I hit about 550,000 KB and then BOOM. VS Shutdown.
Is there any way to manage the way DevInspect uses memory?
I submitted a help ticket to the HP support desk on this issue on April 9th and still haven't got any help. I'm just hoping somebody out there can offer some suggestions/help/support.
After having installed DevInspect, I receive the following error message when I try to access the DevInspect settings in Tools > Options in Visual Studio 2005:
Furthermore, I can't see the 'DevInspect Explorer' option in the View menu. I tried to reinstall both VS and DevInspect but nothing changed. Can anyone help?
I used to verify vulnerabilities in Eclipse 3.3.
It notifies as below.
"Unable to assert fact." plug-in : com.spidynamics.analysis.java
(Unique index or primary key violation: PRIMARY_KEY_E5 ON PUBLIC.ARTIFACT(ID)
How can I do it?
Please give me the answer as soon as possible.
I am currently trying to figure out if DevInspect is able to scan code for a website that is written as a normal Java project in Eclipse and not as a Web project. Will DevInspect be able to scan the code, as it is not dynamic web code? If a programmer uses this tool and wants to scan the code that he has just written, does he really need to deploy the code to an integrated server? Please help.
As I went through the User Guides and Quick Start Guides, my initial understanding of Hybrid Analysis is that it is a combination of Static Code Analysis and Dynamic Code Analysis.
Please find my questions regarding the procedures as below:
1. In Static Code Analysis, I understand that DevInspect does a thorough inspection of any user-supplied input for validation. If my understanding is correct, then how does it determine which unvalidated input should be listed under SQL Injection and which one under Cross-Site Scripting? I mean to say, if it only detects the unvalidated input, how is it performing classification on them?
2. In Hybrid Code Analysis, DevInspect sends HTTP requests to a specified URL and also does static code analysis. Do we need to create a localhost instance of the entire application for the Hybrid Analysis, say something like (http://localhost:80/webapp/)?
How can we say that the Hybrid Analysis helps us to identify false positives?
Please let me know.
My apologies for the blunt questions, as I am a newbie in this area and am trying to understand the process in a little depth.
Does anyone have info on plans from HP to support 64-bit OS and .NET version 3.5 for 'DevInspect for .NET'?
We are planning to implement it in one of our projects but we are unable to do so because of these limitations.
Before purchasing Devinspect 5.0, we are attempting to install the trial version.
When we click the install license inside the Devinspect Explorer, Visual Studio 2008 crashes.
This is Windows XP Professional all service packs and Visual Studio 2008 with all service packs.
EventType clr20r3, P1 devenv.exe, P2 9.0.21022.8, P3 47317b3d, P4 spi.licensing.library, P5 5.1.650.0, P6 4856bdfe, P7 6d, P8 1e, P9 c1hrnlgf4kdcxtastrgwwm132323bna2, P10 NIL.
Bucket 389310578, bucket table 5, EventType clr20r3, P1 devenv.exe, P2 9.0.21022.8, P3 47317b3d, P4 spi.licensing.library, P5 5.1.650.0, P6 4856bdfe, P7 6d, P8 1e, P9 c1hrnlgf4kdcxtastrgwwm132323bna2, P10 NIL.
I am working with an employment application that requires a multi-line textbox for user input on their job duties. If a user adds a carriage return to the textbox, the validation fails. What part of the validator needs to be changed to allow this behavior to be accepted and why does a carriage return constitute a danger?
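As an added illustration (not from this thread or from the DevInspect validator), the Python below shows the distinction a form validator needs: a single-line field rejects CR/LF outright, because a line break copied later into a response header or a log line starts a new header or record (the reason a bare carriage return is flagged), while a multi-line field such as a job-duties textarea accepts line breaks, normalises them, and rejects only the other control characters. Function names, limits and the sample values are assumptions.

```python
import re
from typing import Optional

# Control characters other than CR, LF and TAB never belong in form text
# (assumed policy for this example).
_OTHER_CONTROL = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")


def validate_single_line(value: str, max_len: int = 100) -> bool:
    """A one-line field (name, job title) must not carry any line break."""
    if len(value) > max_len:
        return False
    if "\r" in value or "\n" in value:
        # A CR or LF here could later terminate a header or a log record.
        return False
    return _OTHER_CONTROL.search(value) is None


def validate_multi_line(value: str, max_len: int = 4000) -> Optional[str]:
    """A textarea field may carry line breaks; accept CRLF, CR or LF,
    store one canonical form, and reject other control characters.
    Returns the normalised text, or None when the input is invalid."""
    if len(value) > max_len:
        return None
    if _OTHER_CONTROL.search(value):
        return None
    return value.replace("\r\n", "\n").replace("\r", "\n")


def log_safe(value: str) -> str:
    """Escape line breaks before a value is written into a single-line
    context (log line, header), so it cannot forge a new record there."""
    return value.replace("\r", "\\r").replace("\n", "\\n")


if __name__ == "__main__":
    # Constructed sample submission for the employment form.
    duties = "Wrote incident reports\r\nReviewed access requests"
    print(validate_single_line("Security analyst"))          # True
    print(validate_single_line("Security\r\nanalyst"))       # False
    print(repr(validate_multi_line(duties)))                 # normalised with "\n"
    print(log_safe(duties))                                  # breaks escaped
```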
I have installed JDK 1.5 and Eclipse 3.3, but I am not able to install DevInspect for the Java platform.
Please let me know the proper steps for it. When I tried to download DevInspect from the site it gave me an exe of 1 MB size which contained only the Guide pdfs and readme doc. Please let me know from where I can download the proper exe for Java Platform.
I am trying to install DevInspect 5.0 .NET edition, but I keep getting an error that I do not have SQL Server 2005 SP1 Express Edition. I do however have SQL Server 2005 SP2 Developer Edition installed. Is it a hard requirement that DevInspect needs the Express Edition? It seems reasonable that it should be able to work with the Developer Edition or anything higher than the Express Edition.
Any help on this is appreciated. Thanks
I am using VS 2008 and am evaluating DevInspect 5.1.650.0.
I have a question regarding DevInspect scanning source code that uses 3rd-party libraries, e.g. Struts, Hibernate, Spring etc.
Taking into consideration that these libraries that are imported into the project include the binaries only, without the source code of the libraries, can we assume that the scan can parse information that goes through functions that use the 3rd-party libraries?