HPE Software Products: Fortify Software Security Center Discussion

Fortify SSC 16.x: Assign Users Lookup using LDAP with nested groups

SSC 16.x is configured to use LDAP and nested groups.

Authentication with nested groups works.

User lookup for such functions as Search during Assigning an Issue doesn't work.

Error: An internal error has occurred. Please contact your Fortify System Administrator.

Using a non-nested LDAP group with Nested Groups in LDAP configuration turned off works.

Thanks!

Custom rule to cleanse log forging does not work

We have complicated software where most user input is validated against a schema before being accepted or logged to files. Fortify throws a large number of log forging errors that are false positives.

I have written a custom rule and imported the same into Fortify. But I still get log forging complaints.

I am including the custom rule here. Note that washStringForLog is a method that removes unwanted characters from the string passed and trims the string if it is too long. The idea is that if the string first passes through this method, the log forging taint should be removed and Fortify should not flag an error.

===

<?xml version="1.0" encoding="UTF-8"?>
<RulePack xmlns="xmlns://www.fortifysoftware.com/schema/rules">
    <RulePackID>D82118B1-BBAE-4047-9066-5FC821E16456</RulePackID>
    <SKU>SKU-Validated-Log-Forging</SKU>
    <Name><![CDATA[Validated-Log-Forging]]></Name>
    <Version>1.0</Version>
    <Description><![CDATA[Validated-Log-Forging]]></Description>
    <Rules version="3.14">
        <RuleDefinitions>
            <DataflowCleanseRule formatVersion="3.14" language="java">
                <RuleID>DDAB5D73-8CF6-45E0-888C-EEEFBEFF2CD5</RuleID>
                <TaintFlags>-VALIDATED_LOG_FORGING</TaintFlags>
                <FunctionIdentifier>
                    <NamespaceName>
                        <Pattern>com\.elster\.bulk</Pattern>
                    </NamespaceName>
                    <ClassName>
                        <Pattern>CommonThings</Pattern>
                    </ClassName>
                    <FunctionName>
                        <Pattern>washStringForLog</Pattern>
                    </FunctionName>
                    <ApplyTo implements="true" overrides="true" extends="true"/>
                </FunctionIdentifier>
                <OutArguments>return</OutArguments>
            </DataflowCleanseRule>
        </RuleDefinitions>
    </Rules>
</RulePack>

====

What am I doing wrong here?

Thanks
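
As an added example (not the poster's code), here is one way a cleanse method matching the rule's FunctionIdentifier, CommonThings.washStringForLog, could neutralise log forging: control and line-separator characters are replaced and the value is truncated, so a user-controlled string can neither start a new log record nor flood the log. Only the class and method names come from the rule above; the body, the 256-character limit and the `_` replacement are assumptions.

```java
import java.util.regex.Pattern;

// Added example: an assumed body for the washStringForLog method named in the
// custom rule above (the poster's real implementation is not on the page).
public final class CommonThings {
    // Assumed limit; long values are cut so one entry cannot flood the log.
    private static final int MAX_LOG_FIELD = 256;
    // CR, LF, tab and every other control/format character, plus the Unicode
    // LINE SEPARATOR and PARAGRAPH SEPARATOR, which some log viewers render
    // as line breaks and which a plain CR/LF filter would miss.
    private static final Pattern LOG_BREAKERS =
            Pattern.compile("[\\p{Cntrl}\\p{Cf}\\u2028\\u2029]");

    private CommonThings() {}

    /** Returns a single-line, bounded-length rendering of untrusted input for logging. */
    public static String washStringForLog(String input) {
        if (input == null) {
            return "null";
        }
        // Replace rather than delete, so the record still shows that the
        // caller supplied something suspicious at that position.
        String cleaned = LOG_BREAKERS.matcher(input).replaceAll("_");
        if (cleaned.length() > MAX_LOG_FIELD) {
            cleaned = cleaned.substring(0, MAX_LOG_FIELD) + "...[truncated]";
        }
        return cleaned;
    }

    public static void main(String[] args) {
        // Constructed input: a username that tries to append a fake INFO record.
        String forged = "alice\r\n2017-02-06 10:18:12 [INFO] login succeeded for admin";
        System.out.println("login failed for user=" + washStringForLog(forged));
        // Constructed input: a 5000-character value is cut to the field limit.
        String flood = "A".repeat(5000);
        System.out.println("length after wash: " + washStringForLog(flood).length());
    }
}
```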

How to change session timeout to more than 15 minutes

I was trying to change the session timeout to 10 hrs, which would be around 600 minutes, but HP Fortify is only allowing 15 minutes max. Is there a way I can change it to 600 minutes? I have even tried changing it to 600 minutes and running the Fortify scan, but it doesn't work. I still see the session timeout issue in the Fortify report.

<session-config>
    <session-timeout>15</session-timeout>
</session-config>

Let me know if there is any solution; it would be really appreciated.

Generate Source/Sink Snippet

Hi, could I know a way through which the Developer Workbook generates code snippets in its report? When I download the Developer Workbook template and navigate to that particular section I see a "file corrupted" error. Could I know the possible solution to this?

Using .Net CodeContracts with Fortify

When working on a few Null Dereferencing warnings from Fortify, I was wondering if we could use standard .Net CodeContracts clauses to help Fortify in figuring out the exceptions.

I'll use the following example to get the point across:

class Model
{
    public int Value { get; set; }
}

interface IDependency
{
    Model GetModel(); // interface members carry no access modifier in C#
}

class Dependency : IDependency
{
    Model IDependency.GetModel()
    {
        return new Model {Value = 1};
    }
}

class Main
{
    private IDependency _dependency;

    public Main(IDependency dependency)
    {
        _dependency = dependency;
    }

    int MainMethod()
    {
        var model = _dependency.GetModel();
        return model.Value;
    }
}


Notice we have a 'Main' class that relies on a dependency through an interface. The interface returns a 'Model' object.

In this situation, Fortify will warn us that we are potentially dereferencing a null pointer inside the 'MainMethod', because it cannot tell that the result from 'GetModel' will not be null. We know it won't because there is a single implementation to the interface, and that implementation does not return 'null'. In this particular case though, Fortify is totally correct in the assumption here because a new implementation could be created that would violate the assumption and return 'null', as 'Model' is a reference type after all.

The most straightforward way to 'fix' this is to add a null check in the code, as follows:

    int MainMethod()
    {
        var model = _dependency.GetModel();
        if (model != null)
        {
            return model.Value;
        }
        else
        {
            return 0;
        }
    }


This works fine but notice the added logical overhead: does it really make sense to return 0? Wouldn't it be better if we threw an exception? Why are we even opening the door for Model to be null?
With this in mind, a much more robust form exists to handle this situation in .Net, based on design by contract. This relies on the native CodeContracts classes:

using System.Diagnostics.Contracts;

[ContractClass(typeof(DependencyContracts))]
interface IDependency
{
    Model GetModel(); // interface members carry no access modifier in C#
}

// The contract class is linked back to the interface with ContractClassFor,
// as the Code Contracts tooling expects.
[ContractClassFor(typeof(IDependency))]
abstract class DependencyContracts : IDependency
{
    Model IDependency.GetModel()
    {
        Contract.Ensures(Contract.Result<Model>() != null);
        return default(Model);
    }
}


Notice how we have an extra, abstract implementation of the interface that only contains contracts. The ensures call tells the analyzer that it is never possible for the return value to be null. With this approach, there is no need to add any handling in the actual consumer, as we can be sure the instance will never be null at that point as that would be an impossible scenario, avoiding unnecessary code and bloat.

What do I need to do so that Fortify understands these contracts and does not warn about the potential null reference exceptions anymore?

"Null Dereferencing" false positive when using the "return early" pattern in C#

Whenever we use the "return early" code pattern, Fortify is not able to understand it and raises a "possible null dereference" warning. I believe this particular behavior is a gap in the Fortify analyzer implementation, as all other static analysis tools seem to understand the code flow and will not complain about potential null references in this case. 

Follows a very simple code sample that should reproduce the issue:

        public override bool Equals(object obj)
        {
            var typedObj = obj as SomeCustomClass;

            if (typedObj == null)
                return false;

            return this.Name == typedObj.Name;
        }

In this simple excerpt Fortify complains that "typedObj" can be null in the return statement. Notice how that can never be possible since the method returns early with a 'false' value on the previous 'if' statement.

This type of 'return early' pattern is very common with validation as it avoids nested scopes thus making the code easier to read in general. I know we could change the code to remove it, but that would be changing the structure of our code because of a problem in the tool.

Could someone advise here? If there is a more proper place to file these types of bugs feel free to share and I'll proceed to file the bug there.

Is the "Privacy Violation: Autocomplete" warning really valid?

One of the warnings we got in our scan is the "Privacy Violation: Autocomplete | (Security Features, Content)" warning. It tells us to add an "autocomplete=off" attribute to a password input in one of our forms due to potentially exposing this value. This is the recommendation text from Fortify itself:

Recommendations:

Explicitly disable autocompletion on forms or sensitive inputs. By disabling autocompletion, information previously entered will not be presented back to the user as they type. It will also disable the "remember my password" functionality of most major browsers

When we checked this further to understand the problem, we noticed that pretty much all current browsers are outright ignoring this flag on purpose, and instead giving special control to the user if he wants to save his password or not (by detecting the input with the 'password' type).

CanIUse reference for 'autocomplete'

Comparing what Fortify states, "It will also disable the "remember my password" functionality of most major browsers", with the data we found, this is actually not true.

We also found a discussion where a user was trying to disable autocomplete but IE was ignoring it. Multiple suggestions talk about this being a bad practice and a workaround to a bigger security problem.

Lastly, we checked a few big login pages like google, and even the main Fortify login page, and they are also not adding this attribute to the password inputs.

With all that in mind, is the warning being emitted by Fortify really a valid warning at this point?

.Net "SuppressMessageAttribute" and Fortify warnings

I was checking to see if I could suppress the warnings that Fortify generates by leveraging the standard [SuppressMessage] attribute from .Net.

After a quick search, I found this question in StackOverflow that basically describes what I wanted to know. In the answer, Eric states that there is seemingly no support for .Net attributes, but there is for Java annotations.

Could someone elaborate on this limitation here? Would it be possible for Fortify to start supporting the attribute in .Net as well? As pointed out by the original author of the thread in SO, having support for the attribute would provide a few key benefits:

  • It would be much cleaner in the .Net world, as it would comply with the current standards (all static analysis tools in the .Net world respect and use the attributes, for instance Resharper)
  • It makes it clear to other developers what is happening, without forcing them to open the Fortify tool and search for the suppressions later
  • It avoids duplication of work since the suppression is done once instead of having to suppress the same issue again when the code changes and Fortify cannot link the original suppression to the code anymore

The default structure of SuppressMessage seems to be generic enough in that you can specify the category of the issue, the specific warning type/id, and additional information like affected variable names and such, as can be seen here:
SuppressMessage usage examples

        [SuppressMessage("Microsoft.Performance", "CA1801:ReviewUnusedParameters", MessageId = "isChecked")]
        [SuppressMessage("Microsoft.Performance", "CA1804:RemoveUnusedLocals", MessageId = "fileIdentifier")]
        static void FileNode(string name, bool isChecked)
        {
            string fileIdentifier = name;
            string fileName = name;
            string version = String.Empty;
        }

Software Security Center - Internal Error after Restarting Machine - Can't Access Project Info

The machine that I have my SSC hosted on had to go down this morning. After bringing it back up, I'm getting an internal error when trying to look at project information related to an artifact. So Overview, Artifacts, Audit, and Trend all cause this error to pop up when attempting to access them under a project. This error appears nowhere else.

2017-02-06 10:18:12,698 [ERROR] com.fortify.server.platform.endpoints.rest.issues.ProjectVersionIssuesController - FMInternalException: 'An internal error has occurred. Please contact your Fortify System Administrator.

2017-02-06 10:18:12,706 [WARN] org.springframework.web.servlet.mvc.method.annotation.ExceptionHandlerExceptionResolver - Handler execution resulted in exception: An internal error has occurred. Please contact your Fortify System Administrator.

Version Information

Server version: Apache Tomcat/8.5.9
Server built: Dec 5 2016 20:18:12 UTC
Server number: 8.5.9.0
OS Name: Linux
OS Version: 3.10.0-327.el7.x86_64
Architecture: amd64
JVM Version: 1.8.0_45-b14
JVM Vendor: Oracle Corporation

Fortify 16.20 now failing to Translate C# project

We've been using Fortify for 2 years now, and have a pretty decent pipeline including build automation for our Fortify scans. With the release of 16.20, one of our projects is now failing on the translation step, and I can't find why. When running the sourceanalyzer command:

sourceanalyzer -64 -Xmx5200M -Xms600M -Xss24M -b ESB devenv .\Esb.sln /REBUILD Release

I get the following error on our web-based API project:

Running: TRANSLATE : "-64" "-Xmx5200M" "-Xms600M" "-Xss24M" -dotnet-version 4.5 @"C:\Users\Tyson.hoffman\AppData\Local\Fortify\VS-14.0-16.20\Esb\Esb.Api_Build.txt"

[error]: Translator execution failed. Please consult the Troubleshooting section of the User Manual.

Translator returned status -2147467261:

DOTNET-DEBUG: Unhandled exception: Object reference not set to an instance of an object.

I can't find any additional information to tell me why it failed. Does anyone know where I can find log files, error code information, etc.?

Assistance is much appreciated.

Migrating from HPE Fortify SSC 3.60 to HPE Fortify SSC 4.40

Hello,

When I execute the ssc-configuration-wizard to seed the process template, an error happened. In the log below, I see:

Unknown column 'projectmet_0.systemUsage' in 'field list'.

java.io.IOException: invalid encrypted stream
ERROR 2017-01-19 09:15:12,105 [com.fortify.manager.service.transaction.TransactionServiceImpl] - Migrate project version to 4.2 failed: e-RSB-1

org.hibernate.exception.SQLGrammarException: could not extract ResultSet
Caused by: com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: Unknown column 'projectmet0_.systemUsage' in 'field list'
ERROR 2017-01-19 09:15:12,115 [com.fortify.manager.logging.ExceptionInterceptor] - Intercepted exception of type [com.fortify.manager.exception.FMDALException] thrown by target class [com.fortify.manager.BLL.impl.SeedManagerImpl] and method [public void com.fortify.manager.BLL.impl.SeedManagerImpl.batchSeed(java.util.List,java.util.List) throws java.lang.Exception]

com.fortify.manager.exception.FMDALException: Migrate project version to 4.2 failed: e-RSB-1

Any idea?

Thanks

What Are the Practical Steps on How HP Fortify Can Be Used to Achieve DevOps

Hi,

I have HP Fortify and want to implement a DevOps framework in my organization. How can I use HP Fortify to achieve this, and do I need to purchase an additional component to get full-scale value?

Fortify Scan failing backend initialization on Jenkins job

During my Jenkins build I get the following errors when the scan is being started:

Unexpected exception: com.fortify.sca.backend.InitializationException: Unable to create file system space
com.fortify.sca.backend.InitializationException: Unable to create file system space
at com.fortify.sca.backend.BackEnd.<init>(BackEnd.java:207)
at com.fortify.sca.backend.BackEnd.initialize(BackEnd.java:181)
at com.fortify.sca.Main$Sourceanalyzer.runSourceanalyzer(Main.java:777)
at com.fortify.sca.Main$Sourceanalyzer.run(Main.java:489)
Caused by: java.io.IOException: Permission denied
at java.io.UnixFileSystem.createFileExclusively(Native Method)
at java.io.File.createNewFile(Unknown Source)
at java.io.File.createTempFile(Unknown Source)
at com.fortify.sca.frontend.FrontEnd.createTempFileInProjectRoot(FrontEnd.java:147)
at com.fortify.sca.frontend.FrontEnd.createTempDirectoryInProjectRoot(FrontEnd.java:257)
at com.fortify.sca.backend.data.FileSystemDataStore.<init>(FileSystemDataStore.java:32)
at com.fortify.sca.backend.BackEnd.<init>(BackEnd.java:205)

The root cause, I believe, is that the Jenkins account doesn't have access to some directory. Anybody know which directory Fortify is attempting to access?

How can we schedule a scan of code on a daily/weekly basis?

We have got a requirement from a client.

Requirement: The client wants to scan a folder containing their source code; they want HP SSC/FSCA to automatically scan that folder, ideally whenever new code is pushed into it or on a daily/weekly basis.

Is there any matching scenario we can recommend to the client that addresses their auto-scanning requirement?

What are the default credentials for HP Software Security Center?

I need the default credentials for HP SSC; I am currently using HPE_Security_Fortify_SSC_16.10_Server_WAR.

I have tried "admin/admin"; it's not working on this newer version of SSC. If anyone can share them, or point me to the official guide, that would help.

Urgent response would be highly appreciated. 

Does Fortify SCA support analyzing .NET projects on the Linux platform with Mono?

I tried to use Fortify to analyze a .NET project with xbuild and monodis on CentOS 7, but it failed; it always says "No valid input files were specified". Is it possible to do this?

Are Fortify Static Code Analyzer and WebInspect the same software?

Are Fortify Static Code Analyzer and WebInspect the same software? I ask because I can't see any trial software link for Fortify Static Code Analyzer.

Resolving Fortify Issue

Hi,

We are executing a Fortify scan on our source code. One of the issues reported is "Missing XML Validation". The priority is Low and the kingdom is "Input Validation and Representation".

The code snippet for this issue is as follows:

DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();

documentBuilderFactory.setValidating(true);
documentBuilderFactory.setNamespaceAware(true);

DocumentBuilder documentBuilder;
documentBuilder = documentBuilderFactory.newDocumentBuilder();
documentBuilder.setErrorHandler(new SimpleErrorHandler());

Document xmlDoc;
xmlDoc = documentBuilder.parse(new InputSource(new StringReader(xmlStr)));

Fortify complains about Missing XML Validation for the last line, i.e. xmlDoc = documentBuilder.parse(new InputSource(new StringReader(xmlStr)));

We have set validation on the parser to true, but we are not sure why Fortify doesn't accept that as secure code.

Kindly help in resolving this.
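A schema-validating, hardened version of this parse, added here as an example and not code from the original post; the <order> schema and the two sample documents are constructed for illustration. The usual remediation for this category is validating against an explicit XML Schema: setValidating(true) on its own only enforces a DTD that the document itself declares, so an input without a DOCTYPE passes unchecked.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class SchemaValidatedParse {
    // Constructed sample schema (assumption): one <order> element with a required integer id.
    static final String ORDER_XSD =
        "<xs:schema xmlns:xs=\"http://www.w3.org/2001/XMLSchema\">"
      + "<xs:element name=\"order\"><xs:complexType>"
      + "<xs:attribute name=\"id\" type=\"xs:int\" use=\"required\"/>"
      + "</xs:complexType></xs:element></xs:schema>";

    public static Document parseAgainstSchema(String xmlStr, String xsd) throws Exception {
        SchemaFactory sf = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");    // no external fetches while loading the XSD
        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        Schema schema = sf.newSchema(new StreamSource(new StringReader(xsd)));
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setSchema(schema);        // validate every document against the XSD
        dbf.setValidating(false);     // must be false when a Schema is set; true would only enforce a DTD
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD, no entity expansion
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        DocumentBuilder db = dbf.newDocumentBuilder();
        db.setErrorHandler(new DefaultHandler() {  // turn validation errors into exceptions instead of log lines
            @Override public void error(SAXParseException e) throws SAXException { throw e; }
        });
        return db.parse(new InputSource(new StringReader(xmlStr)));
    }

    public static void main(String[] args) throws Exception {
        parseAgainstSchema("<order id=\"42\"/>", ORDER_XSD);       // conforms to the schema: accepted
        try {
            parseAgainstSchema("<order id=\"abc\"/>", ORDER_XSD);  // id is not an int: rejected
        } catch (SAXParseException rejected) {
            System.out.println("rejected: " + rejected.getMessage());
        }
    }
}
```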

Scan CSharp project with SCA Audit Workbench 16

Hello.

I have Windows 10 64-bit, SCA version 16, and all the software needed for SCA 16 to work correctly.

When I scan an old C# project (which has 17,500 LOC), I get a report that the project has only 88 LOC and that 37 LOC were scanned.

I fixed the ildasm.exe path in the configuration file, but it didn't help.

Concerns about accuracy in Compliance Report templates

Hi all, I wanted to put out there some possible concerns I have with the results I'm seeing in Compliance Report templates run using Fortify SCA scan data.

Everything below involves the same set of SCA assessment data being filtered through Compliance Reports and yielding surprisingly different results. I don't have access to the Fortify system and am not a Fortify expert, I just have the reports -- so I can't 100% rule out operator error somewhere.

Multiple different entities I support are running the compliance reports and assume they're getting complete assessment reports. But the reports vary wildly in length, severity and number of findings. It seems like the compliance reports are discarding some findings (or else are multiplying the number and risk of the findings).

The DISA STIG compliance reports I'm seeing are by far the longest (and most complete?) at 600 pages and 3500 findings / code snippets. Two other compliance reports, FISMA/FIPS200 and CWE SANS 2011, were 50 pages each, but list 75 or 130 findings/snippets, respectively.

I considered the possibility that maybe each single code vulnerability was being counted and re-counted as being applicable to multiple controls. But, I don't expect the STIG report should be 25x to 50x larger than the FISMA report. If anything, I would expect the FISMA report to be amplified from single findings counting against multiple controls, compared to DISA STIG.

Or if some of the reports are hiding some of the findings from the SCA data, that seems undesirable.

Another possible concern is the severity rankings for findings. In the DISA STIG report, for example, many CAT I and CAT II findings are being marked as Low severity. In some places, CAT II findings are marked High while CAT I findings are marked Low. That would be fine if there was some intelligence behind the decision, but on inspecting some of them, the DISA CAT ratings seem more accurate.

Some risk categories are totally blank. My DISA STIG report lists zero CAT III findings, which seems unexpected. All 3 reports I looked at (STIG, FISMA and SANS) listed 0 Medium findings. Note that the STIG report was 90% CAT II findings, so there should be at least some Mediums.

The FISMA report lists 0 Medium and 0 Low findings, so 100% of the findings are Critical or High. By comparison, the STIG report lists almost 90% Low (but with zero CAT III findings). 100% High (FISMA) vs 90% Low (STIG) are very different risk reports from the same SCA data.

I can't figure out how the logic for giving severity ratings is working. The fact that there are thousands of Low findings in STIG and zero in FISMA suggests that the Compliance Template has some effect on the ratings, they aren't coming straight from the SCA scan data uniformly. But then on the other hand, the DISA STIG CAT ratings seem to be overridden by some other source of severity ratings, presumably from SCA.

Am I wrong in thinking these are issues that could be done better? And how might I give this feedback to HP? I don't know yet whether or not we have a support contract. I found an email address fortifytechsupport@hp.com that might be relevant. Thanks!

Vivit Worldwide