HPE Software Products: Fortify Software Security Center Discussion

HP Fortify SCA and Applications Software Queries

Hi Team,

Currently we are using HP Fortify SCA and Applications 4.30 version and we have planned to migrate to Visual Studio 2017. For that case, is there a latest "HP Fortify SCA and Applications" version available which will be compatible with Visual Studio 2017?
Please suggest us to proceed further.

 

Fortify Scan High Issue Errors

The Fortify scan was throwing a high risk issue on the following code.

Reading cookies from Browser:

Cookie[] cookies = request.getCookies();

Adding SessionId to the Url connection:

urlConnection.setRequestProperty(header,credentials);

Passing sessionId in requestParams:

public String getIcueSecureSessionId(@RequestParam String sessionId, @RequestParam String appName)

Fortify comments for the above code:

The method getIcueSecureSessionId() in WidgetProviderController.java includes
unvalidated data in an HTTP response header on line 147. This enables attacks such
as cache-poisoning, cross-site scripting, cross-user defacement, page hijacking,
cookie manipulation or open redirect.

 

 

I was trying to solve the issues but I never had any luck. I am open to suggestions, so please let me know if you can help me.

 

Thanks.
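
An added example, not part of the original post and not the poster's code: one way to address a finding like the one quoted above is to check the `sessionId` request parameter against a strict allow-list before it is placed in any header. The class name, the header name `X-Session-Id` and the assumed session ID format are hypothetical.

```java
import java.net.HttpURLConnection;
import java.net.URI;
import java.util.regex.Pattern;

public final class SessionIdHeaderGuard {

    // Assumption: a session ID is 16 to 128 characters drawn from letters,
    // digits, '-' and '_'. Adjust this to the real token format.
    private static final Pattern SESSION_ID = Pattern.compile("[A-Za-z0-9_-]{16,128}");

    private SessionIdHeaderGuard() {}

    /**
     * Returns the value unchanged if it matches the allow-list, otherwise throws.
     * matches() requires the whole string to match, so CR, LF and any other
     * character outside the set cause the value to be rejected.
     */
    public static String requireValidSessionId(String raw) {
        if (raw == null || !SESSION_ID.matcher(raw).matches()) {
            throw new IllegalArgumentException("session id is not in the expected format");
        }
        return raw;
    }

    /** Sets the header only after the value has passed validation. */
    public static void setSessionHeader(HttpURLConnection conn, String header, String sessionId) {
        conn.setRequestProperty(header, requireValidSessionId(sessionId));
    }

    public static void main(String[] args) throws Exception {
        // openConnection() only creates the object; nothing is sent to the host.
        HttpURLConnection conn =
                (HttpURLConnection) URI.create("http://localhost/").toURL().openConnection();

        // Constructed sample inputs.
        String good = "a1b2c3d4e5f6a7b8c9d0";
        String withLineBreak = "a1b2c3d4e5f6a7b8c9d0\r\nX-Extra: 1";

        setSessionHeader(conn, "X-Session-Id", good);
        System.out.println("accepted: " + conn.getRequestProperty("X-Session-Id"));

        try {
            setSessionHeader(conn, "X-Session-Id", withLineBreak);
            System.out.println("unexpected: value accepted");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

In a controller such as the one in the post, the same check would run on the `@RequestParam` value at the top of the method, before the value is used anywhere else.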

 

Query on HP Component Architecture

I have a few queries on the functionality of a few components in the Automated Scanning Architecture:

  • Build Server
  • Scan Pool Controller
  • Scan Pool Scan farm
  • WebInspect Scan farm
  • Fortify SSC & Database

Request any of the SMEs or members to respond with the details and functionality of the above-mentioned nodes/components.

 

Query on Automated Scanning Architecture

All Champs ,

I have a few queries on the functionality of a few components in the Automated Scanning Architecture:

  • Build Server
  • Scan Pool Controller
  • Scan Pool Scan farm
  • WebInspect Scan farm
  • Fortify SSC & Database

Request any of the SMEs or members to respond with the details and functionality of the above-mentioned nodes/components.


 

HP Fortify SCA 4.30 -- Doesn't scan ASP .NET 4.5.2 (MVC 5) solution

Please help!

I have to scan an ASP .NET 4.5.2 (MVC 5) solution using HP Fortify SCA 4.30.

Unfortunately it doesn't catch any issues though it runs through all the files.

But the same rule file catches issues in ASP .NET 4.5.2 solutions (non MVC).

It seems only "*.cshtml" is additional in the solution.

I'm blocked because of this. Your help is highly appreciated!!!

 

Fortify Scan C# configuration files

We use the Fortify scan to scan applications in the CD pipeline, hosted by TFS. Therefore we created a build task. I am wondering what files the Fortify scan scans. It looks like the scan is not checking the configuration files of a .Net application. The app.config, for example, seems to be ignored. Is there a parameter or value to add to the scan command that makes the scan check the configuration?

 

How to customize configuration of IDE Plugin in Fortify Cloudscan?

I couldn't find the right place to post this, so if it needs to be somewhere else, please move it or let me know where to post.
===========================
I have a Fortify CloudScan service set up. We are integrated into the application build process such that source code files are translated on the build server, packaged into a Mobile Build Package, which is sent to the CloudScan Controller for scanning. Pretty vanilla setup and things are working well. We also have individual developers with SCA + IDE Plugins. Currently, they are performing the full scanning process on their local workstations and uploading the .FPR to SSC. All this is in a Windows OS environment.

Now to my question...
Is there a way to configure or change the IDE plugin so when the developer selects "Run a Scan" in their IDE Plugin, it does the translate step, creates the Mobile Build Package, and sends it to the CloudScan controller just like what we are doing on the build machines?

This would free up so much time for the developers since the scan phase is what takes the longest time. I understand we will need to install the CloudScan CI on the developer's workstation.

Finally, can we create a SCA Developer's install Package so this is the default process?

Thanks,
Jim

 

Fortify Scan Issue (in translation)

The .Net solution is building successfully!

But while translating it throws the below error.

[error]: The Fortify add-in for Visual Studio did not execute; therefore, no files were translated. Ensure that the Fortify add-in is installed. If you are running Visual Studio 2005 SP1, you must also install the hotfix indicated by KB934517.

Any idea?

 

Fortify SSC 16.x: Assign Users Lookup using LDAP with nested groups

SSC 16.x is configured to use LDAP and nested groups.

Authentication with nested groups works.

User lookup for such functions as Search during Assigning an Issue doesn't work.

Error: An internal error has occurred. Please contact your Fortify System Administrator.

Using a non-nested LDAP group with Nested Groups in LDAP configuration turned off works.

 

Thanks!

 

Custom rule to cleanse log forging does not work

We have complicated software where most user input is validated against a schema before being accepted or logged to files. Fortify throws a large number of log forging errors that are false positive.

I have written a custom rule and imported the same into Fortify. But I still get log forging complaints.

I am including the custom rule here. Note that washStringForLog is a method that removes unwanted characters from the string passed and trims the string if it is too long. The idea is that if the string first passes through this method, the log forging taint should be removed and Fortify should not flag an error.

 

===

<?xml version="1.0" encoding="UTF-8"?>
<RulePack xmlns="xmlns://www.fortifysoftware.com/schema/rules">
<RulePackID>D82118B1-BBAE-4047-9066-5FC821E16456</RulePackID>
<SKU>SKU-Validated-Log-Forging</SKU>
<Name><![CDATA[Validated-Log-Forging]]></Name>
<Version>1.0</Version>
<Description><![CDATA[Validated-Log-Forging]]></Description>
<Rules version="3.14">
<RuleDefinitions>
<DataflowCleanseRule formatVersion="3.14" language="java">
<RuleID>DDAB5D73-8CF6-45E0-888C-EEEFBEFF2CD5</RuleID>
<TaintFlags>-VALIDATED_LOG_FORGING</TaintFlags>
<FunctionIdentifier>
<NamespaceName>
<Pattern>com\.elster\.bulk</Pattern>
</NamespaceName>
<ClassName>
<Pattern>CommonThings</Pattern>
</ClassName>
<FunctionName>
<Pattern>washStringForLog</Pattern>
</FunctionName>
<ApplyTo implements="true" overrides="true" extends="true"/>
</FunctionIdentifier>
<OutArguments>return</OutArguments>
</DataflowCleanseRule>
</RuleDefinitions>
</Rules>
</RulePack>

 

====

What am I doing wrong here?

Thanks
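
An added example, not part of the original post: a cleanse method of the kind the post describes, which neutralises line-breaking characters and truncates long values before they reach a log. The poster's real `washStringForLog` is not shown on the page, so the class name `LogWash`, the replacement character and the 200-character limit here are assumptions.

```java
public final class LogWash {

    // Assumption: 200 characters is enough context for one logged field.
    private static final int MAX_LEN = 200;

    private LogWash() {}

    /** True for characters that can start a new line or corrupt a log viewer. */
    static boolean isUnsafe(int codePoint) {
        return Character.isISOControl(codePoint)  // C0/C1 controls: CR, LF, TAB, ESC, NEL, ...
                || codePoint == 0x2028             // Unicode LINE SEPARATOR
                || codePoint == 0x2029;            // Unicode PARAGRAPH SEPARATOR
    }

    /**
     * Replaces unsafe characters with '_' and cuts the value at MAX_LEN chars,
     * so one logged value can never span more than one log line.
     */
    public static String washStringForLog(String input) {
        if (input == null) {
            return "(null)";
        }
        StringBuilder out = new StringBuilder();
        int i = 0;
        while (i < input.length()) {
            int cp = input.codePointAt(i);
            int width = Character.charCount(cp);
            if (out.length() + width > MAX_LEN) {
                break; // stop before splitting a surrogate pair or exceeding the limit
            }
            if (isUnsafe(cp)) {
                out.append('_');
            } else {
                out.appendCodePoint(cp);
            }
            i += width;
        }
        if (i < input.length()) {
            out.append("...[truncated]");
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed input: a user name carrying an embedded fake log line.
        String forged = "bob\r\n2017-02-06 10:18:12 INFO login succeeded for admin";
        System.out.println("user=" + washStringForLog(forged));

        // Constructed input: an over-long value.
        StringBuilder big = new StringBuilder();
        for (int n = 0; n < 500; n++) {
            big.append('A');
        }
        System.out.println("length=" + washStringForLog(big.toString()).length());
    }
}
```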

 

How to change session timeout more than 15 minutes

I was trying to change the session timeout to 10 hrs, which would be around 600 minutes, but HP Fortify is only allowing 15 minutes max. Is there a way I can change it to 600 minutes? I have even tried to change it to 600 minutes and run the Fortify scan, but it doesn't work. I still see the session timeout issue in the Fortify report.

<session-config>
<session-timeout>15</session-timeout>
</session-config>

Let me know if there is any solution; that would be really appreciated.

 

Generate Source/Sink Snippet

Hi, could I know a way through which the developer workbook generates code snippets in its report? When I download the Devworkbook template and navigate to that particular section I see a file corrupted error. Could I know the possible solution to this?

 

 

 

Using .Net CodeContracts with Fortify

When working on a few Null Dereferencing warnings from Fortify, I was wondering if we could use standard .Net CodeContracts clauses to help Fortify in figuring out the exceptions.

I'll use the following example to get the point across:

class Model
{
    public int Value { get; set; }
}

interface IDependency
{
    // Interface members are implicitly public; an explicit modifier does not compile before C# 8.
    Model GetModel();
}

class Dependency : IDependency
{
    Model IDependency.GetModel()
    {
        return new Model {Value = 1};
    }
}

class Main
{
    private IDependency _dependency;

    public Main(IDependency dependency)
    {
        _dependency = dependency;
    }

    int MainMethod()
    {
        var model = _dependency.GetModel();
        return model.Value;
    }
}


Notice we have a 'Main' class that relies on a dependency through an interface. The interface returns a 'Model' object.

In this situation, Fortify will warn us that we are potentially dereferencing a null pointer inside the 'MainMethod', because it cannot tell that the result from 'GetModel' will not be null. We know it won't because there is a single implementation to the interface, and that implementation does not return 'null'. In this particular case though, Fortify is totally correct in the assumption here because a new implementation could be created that would violate the assumption and return 'null', as 'Model' is a reference type after all.

The most straightforward way to 'fix' this is to add a null check in the code, as follows:

    int MainMethod()
    {
        var model = _dependency.GetModel();
        if (model != null)
        {
            return model.Value;
        }
        else
        {
            return 0;
        }
    }


This works fine but notice the added logical overhead: does it really make sense to return 0? Wouldn't it be better if we threw an exception? Why are we even opening the door for Model to be null?
With this in mind, a much more robust form exists to handle this situation in .Net, based on design by contract. This relies on the native CodeContracts classes:

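using System.Diagnostics.Contracts;

[ContractClass(typeof(DependencyContracts))]
interface IDependency
{
    Model GetModel();
}

// Contract class: holds only the contracts for IDependency.
[ContractClassFor(typeof(IDependency))]
abstract class DependencyContracts : IDependency
{
    Model IDependency.GetModel()
    {
        // Postcondition: the returned Model is never null.
        Contract.Ensures(Contract.Result<Model>() != null);
        return default(Model);
    }
}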


Notice how we have an extra, abstract implementation of the interface that only contains contracts. The ensures call tells the analyzer that it is never possible for the return value to be null. With this approach, there is no need to add any handling in the actual consumer, as we can be sure the instance will never be null at that point as that would be an impossible scenario, avoiding unnecessary code and bloat.

What do I need to do so that Fortify understands these contracts and does not warn about the potential null reference exceptions anymore?

 

"Null Dereferencing" false positive when using the "return early" pattern in C#

Whenever we use the "return early" code pattern, Fortify is not able to understand it and raises a "possible null dereference" warning. I believe this particular behavior is a gap in the Fortify analyzer implementation, as all other static analysis tools seem to understand the code flow and will not complain about potential null references in this case. 

Follows a very simple code sample that should reproduce the issue:

        public override bool Equals(object obj)
        {
            var typedObj = obj as SomeCustomClass;

            if (typedObj == null)
                return false;

            return this.Name == typedObj.Name;
        }

In this simple excerpt Fortify complains that "typedObj" can be null in the return statement. Notice how that can never be possible since the method returns early with a 'false' value on the previous 'if' statement.

This type of 'return early' pattern is very common with validation as it avoids nested scopes thus making the code easier to read in general. I know we could change the code to remove it, but that would be changing the structure of our code because of a problem in the tool.

Could someone advise here? If there is a more proper place to file these types of bugs feel free to share and I'll proceed to file the bug there.

 

Is the "Privacy Violation: Autocomplete" warning really valid?

One of the warnings we got in our scan is the "Privacy Violation: Autocomplete | (Security Features, Content)" warning. It tells us to add an "autocomplete=off" attribute to a password input in one of our forms due to potentially exposing this value. This is the recommendation text from Fortify itself:

Recommendations:

Explicitly disable autocompletion on forms or sensitive inputs. By disabling autocompletion, information previously entered will not be presented back to the user as they type. It will also disable the "remember my password" functionality of most major browsers

When we checked this further to understand the problem, we noticed that pretty much all current browsers are outright ignoring this flag on purpose, and instead giving special control to the user if he wants to save his password or not (by detecting the input with the 'password' type).

CanIUse reference for 'autocomplete'

Comparing what Fortify states, "It will also disable the "remember my password" functionality of most major browsers", with the data we found, this is actually not true.

We also found a discussion where a user was trying to disable autocomplete but IE was ignoring it. Multiple suggestions talk about this being a bad practice and a workaround to a bigger security problem.

Lastly, we checked a few big login pages like google, and even the main Fortify login page, and they are also not adding this attribute to the password inputs.

With all that in mind, is the warning being emitted by Fortify really a valid warning at this point?

 

.Net "SuppressMessageAttribute" and Fortify warnings

I was checking to see if I could suppress the warnings that Fortify generates by leveraging the standard [SuppressMessage] attribute from .Net.

After a quick search, I found this question in StackOverflow that basically describes what I wanted to know. In the answer, Eric states that there is seemingly no support for .Net attributes, but there is for Java annotations.

Could someone elaborate on this limitation here? Would it be possible for Fortify to start supporting the attribute in .Net as well? As pointed out by the original author of the thread in SO, having support for the attribute would provide a few key benefits:

  • It would be much cleaner in the .Net world, as it would comply with the current standards (all static analysis tools in the .Net world respect and use the attributes, for instance Resharper)
  • It makes it clear to other developers what is happening, without forcing them to open the Fortify tool and search for the suppressions later
  • It avoids duplication of work since the suppression is done once instead of having to suppress the same issue again when the code changes and Fortify cannot link the original suppression to the code anymore

 

The default structure of SuppressMessage seems to be generic enough in that you can specify the category of the issue, the specific warning type/id, and additional information like affected variable names and such, as can be seen here:
SuppressMessage usage examples

        [SuppressMessage("Microsoft.Performance", "CA1801:ReviewUnusedParameters", MessageId = "isChecked")]
        [SuppressMessage("Microsoft.Performance", "CA1804:RemoveUnusedLocals", MessageId = "fileIdentifier")]
        static void FileNode(string name, bool isChecked)
        {
            string fileIdentifier = name;
            string fileName = name;
            string version = String.Empty;
        }

 

Software Security Center - Internal Error after Restarting Machine - Can't Access Project Info

The machine that I have my SSC hosted on had to go down this morning. After bringing it back up, I'm getting an internal error when trying to look at project information related to an artifact. So Overview, Artifacts, Audit, and Trend all cause this error to pop up when attempting to access them under a project. This error appears nowhere else.

 

2017-02-06 10:18:12,698 [ERROR] com.fortify.server.platform.endpoints.rest.issues.ProjectVersionIssuesController - FMInternalException: 'An internal error has occurred. Please contact your Fortify System Administrator.

2017-02-06 10:18:12,706 [WARN] org.springframework.web.servlet.mvc.method.annotation.ExceptionHandlerExceptionResolver - Handler execution resulted in exception: An internal error has occurred. Please contact your Fortify System Administrator.

 

Version Information

Server version: Apache Tomcat/8.5.9
Server built: Dec 5 2016 20:18:12 UTC
Server number: 8.5.9.0
OS Name: Linux
OS Version: 3.10.0-327.el7.x86_64
Architecture: amd64
JVM Version: 1.8.0_45-b14
JVM Vendor: Oracle Corporation

 

Fortify 16.20 now failing to Translate C# project

We've been using Fortify for 2 years now, and have a pretty decent pipeline including build automation for our Fortify scans.  With the release of 16.20, one of our projects is now failing on the translation step, and I can't find why.  When running the sourceanalyzer command:

sourceanalyzer -64 -Xmx5200M -Xms600M -Xss24M -b ESB devenv .\Esb.sln /REBUILD Release

I get the following error on our webbased api project:

Running: TRANSLATE : "-64" "-Xmx5200M" "-Xms600M" "-Xss24M" -dotnet-version 4.5 @"C:\Users\Tyson.hoffman\AppData\Local\Fortify\VS-14.0-16.20\Esb\Esb.Api_Build.txt"

[error]: Translator execution failed. Please consult the Troubleshooting section of the User Manual.

Translator returned status -2147467261:

DOTNET-DEBUG: Unhandled exception: Object reference not set to an instance of an object.

I can't find any additional information to tell me why it failed.  Does anyone know where I can find log files, error code information, etc??

Assistance is much appreciated.

 

Migrating from HPE fortify ssc 3.60 to HPE fortify ssc 4.40

Hello,

When I execute the ssc-configuration-wizard to seed the process template, an error happens. In the log below, I see:

Unknown column 'projectmet_0.systemUsage' in 'field list'.

java.io.IOException: invalid encrypted stream
    at com.fortify.util.CryptoUtil.readHeaders(CryptoUtil.java:236) ~[fortify-crypto-1.0.jar:?]
    at com.fortify.rules.SCARulePack.loadRulepack(SCARulePack.java:260) ~[fortify-common-4.40.jar:?]
    at com.fortify.rules.SCARulePack.loadRulepack(SCARulePack.java:256) ~[fortify-common-4.40.jar:?]
    at com.fortify.manager.DAL.migration.impl.MigrationManager41Impl$1.executeNoResult(MigrationManager41Impl.java:118) [ssc-core.jar:?]
    at com.fortify.manager.BLL.migration.impl.AbstractMigrationManager$3.executeNoResult(AbstractMigrationManager.java:100) [ssc-core.jar:?]
    at com.fortify.manager.service.transaction.TransactionCallbackNoResult.execute(TransactionCallbackNoResult.java:10) [ssc-core.jar:?]
    at com.fortify.manager.service.transaction.TransactionServiceImpl.doRunInTransaction(TransactionServiceImpl.java:75) [ssc-core.jar:?]
    at com.fortify.manager.service.transaction.TransactionServiceImpl.runInTransaction(TransactionServiceImpl.java:57) [ssc-core.jar:?]
    at com.fortify.manager.BLL.migration.impl.AbstractMigrationManager.runOneTimeTask(AbstractMigrationManager.java:94) [ssc-core.jar:?]
    at com.fortify.manager.DAL.migration.impl.MigrationManager41Impl.migrateRulepacks(MigrationManager41Impl.java:106) [ssc-core.jar:?]
    at com.fortify.manager.DAL.migration.impl.MigrationManager41Impl.preSeedingMigration(MigrationManager41Impl.java:52) [ssc-core.jar:?]
    at com.fortify.manager.BLL.impl.SeedManagerImpl.batchSeed(SeedManagerImpl.java:247) [ssc-core.jar:?]
    at com.fortify.manager.BLL.impl.SeedManagerImpl$$FastClassBySpringCGLIB$$7c11a665.invoke(<generated>) [spring-core-3.2.10.RELEASE.jar:?]
    at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204) [spring-core-3.2.10.RELEASE.jar:3.2.10.RELEASE]
    at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:700) [spring-aop-3.2.10.RELEASE.jar:3.2.10.RELEASE]
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150) [spring-aop-3.2.10.RELEASE.jar:3.2.10.RELEASE]
    at org.springframework.aop.aspectj.MethodInvocationProceedingJoinPoint.proceed(MethodInvocationProceedingJoinPoint.java:80) [spring-aop-3.2.10.RELEASE.jar:3.2.10.RELEASE]
    at com.fortify.manager.logging.ExceptionInterceptor.aroundBll(ExceptionInterceptor.java:62) [ssc-core.jar:?]
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_65]
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_65]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_65]
    at java.lang.reflect.Method.invoke(Method.java:497) ~[?:1.8.0_65]
    at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethodWithGivenArgs(AbstractAspectJAdvice.java:621) [spring-aop-3.2.10.RELEASE.jar:3.2.10.RELEASE]
    at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethod(AbstractAspectJAdvice.java:610) [spring-aop-3.2.10.RELEASE.jar:3.2.10.RELEASE]
    at org.springframework.aop.aspectj.AspectJAroundAdvice.invoke(AspectJAroundAdvice.java:65) [spring-aop-3.2.10.RELEASE.jar:3.2.10.RELEASE]
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172) [spring-aop-3.2.10.RELEASE.jar:3.2.10.RELEASE]
    at org.springframework.transaction.interceptor.TransactionInterceptor$1.proceedWithInvocation(TransactionInterceptor.java:96) [spring-tx-3.2.10.RELEASE.jar:3.2.10.RELEASE]
    at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:260) [spring-tx-3.2.10.RELEASE.jar:3.2.10.RELEASE]
    at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:94) [spring-tx-3.2.10.RELEASE.jar:3.2.10.RELEASE]
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172) [spring-aop-3.2.10.RELEASE.jar:3.2.10.RELEASE]
    at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:91) [spring-aop-3.2.10.RELEASE.jar:3.2.10.RELEASE]
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172) [spring-aop-3.2.10.RELEASE.jar:3.2.10.RELEASE]
    at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:633) [spring-aop-3.2.10.RELEASE.jar:3.2.10.RELEASE]
    at com.fortify.manager.BLL.impl.SeedManagerImpl$$EnhancerBySpringCGLIB$$b47fba47.batchSeed(<generated>) [spring-core-3.2.10.RELEASE.jar:?]
    at com.fortify.server.configuration.db.Seed.configureDB(Seed.java:92) [ssc-configuration-wizard.jar:?]
    at com.fortify.server.configuration.db.Seed.main(Seed.java:53) [ssc-configuration-wizard.jar:?]
ERROR 2017-01-19 09:15:12,105 [com.fortify.manager.service.transaction.TransactionServiceImpl] - Migrate project version to 4.2 failed: e-RSB-1

org.hibernate.exception.SQLGrammarException: could not extract ResultSet
    at org.hibernate.exception.internal.SQLExceptionTypeDelegate.convert(SQLExceptionTypeDelegate.java:82) ~[hibernate-core-4.2.7.SP1.jar:4.2.7.SP1]
    at org.hibernate.exception.internal.StandardSQLExceptionConverter.convert(StandardSQLExceptionConverter.java:49) ~[hibernate-core-4.2.7.SP1.jar:4.2.7.SP1]
    at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:125) ~[hibernate-core-4.2.7.SP1.jar:4.2.7.SP1]
    at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:110) ~[hibernate-core-4.2.7.SP1.jar:4.2.7.SP1]
    at org.hibernate.engine.jdbc.internal.ResultSetReturnImpl.extract(ResultSetReturnImpl.java:61) ~[hibernate-core-4.2.7.SP1.jar:4.2.7.SP1]
    at org.hibernate.loader.Loader.getResultSet(Loader.java:2040) ~[hibernate-core-4.2.7.SP1.jar:4.2.7.SP1]
    at org.hibernate.loader.Loader.executeQueryStatement(Loader.java:1837) ~[hibernate-core-4.2.7.SP1.jar:4.2.7.SP1]
    at org.hibernate.loader.Loader.executeQueryStatement(Loader.java:1816) ~[hibernate-core-4.2.7.SP1.jar:4.2.7.SP1]
    at org.hibernate.loader.Loader.doQuery(Loader.java:900) ~[hibernate-core-4.2.7.SP1.jar:4.2.7.SP1]
    at org.hibernate.loader.Loader.doQueryAndInitializeNonLazyCollections(Loader.java:342) ~[hibernate-core-4.2.7.SP1.jar:4.2.7.SP1]
    at org.hibernate.loader.Loader.doQueryAndInitializeNonLazyCollections(Loader.java:312) ~[hibernate-core-4.2.7.SP1.jar:4.2.7.SP1]
    at org.hibernate.loader.Loader.loadEntity(Loader.java:2121) ~[hibernate-core-4.2.7.SP1.jar:4.2.7.SP1]
    at org.hibernate.loader.entity.AbstractEntityLoader.load(AbstractEntityLoader.java:82) ~[hibernate-core-4.2.7.SP1.jar:4.2.7.SP1]
    at org.hibernate.loader.entity.AbstractEntityLoader.load(AbstractEntityLoader.java:72) ~[hibernate-core-4.2.7.SP1.jar:4.2.7.SP1]
    at org.hibernate.persister.entity.AbstractEntityPersister.load(AbstractEntityPersister.java:3941) ~[hibernate-core-4.2.7.SP1.jar:4.2.7.SP1]
    at org.hibernate.event.internal.DefaultLoadEventListener.loadFromDatasource(DefaultLoadEventListener.java:460) ~[hibernate-core-4.2.7.SP1.jar:4.2.7.SP1]
    at org.hibernate.event.internal.DefaultLoadEventListener.doLoad(DefaultLoadEventListener.java:429) ~[hibernate-core-4.2.7.SP1.jar:4.2.7.SP1]
    at org.hibernate.event.internal.DefaultLoadEventListener.load(DefaultLoadEventListener.java:206) ~[hibernate-core-4.2.7.SP1.jar:4.2.7.SP1]
    at org.hibernate.event.internal.DefaultLoadEventListener.proxyOrLoad(DefaultLoadEventListener.java:262) ~[hibernate-core-4.2.7.SP1.jar:4.2.7.SP1]
    at org.hibernate.event.internal.DefaultLoadEventListener.onLoad(DefaultLoadEventListener.java:150) ~[hibernate-core-4.2.7.SP1.jar:4.2.7.SP1]
    at org.hibernate.internal.SessionImpl.fireLoad(SessionImpl.java:1098) ~[hibernate-core-4.2.7.SP1.jar:4.2.7.SP1]
    at org.hibernate.internal.SessionImpl.internalLoad(SessionImpl.java:1025) ~[hibernate-core-4.2.7.SP1.jar:4.2.7.SP1]
    at org.hibernate.type.EntityType.resolveIdentifier(EntityType.java:671) ~[hibernate-core-4.2.7.SP1.jar:4.2.7.SP1]
    at org.hibernate.type.EntityType.resolve(EntityType.java:489) ~[hibernate-core-4.2.7.SP1.jar:4.2.7.SP1]
    at org.hibernate.engine.internal.TwoPhaseLoad.doInitializeEntity(TwoPhaseLoad.java:168) ~[hibernate-core-4.2.7.SP1.jar:4.2.7.SP1]
    at org.hibernate.engine.internal.TwoPhaseLoad.initializeEntity(TwoPhaseLoad.java:137) ~[hibernate-core-4.2.7.SP1.jar:4.2.7.SP1]
    at org.hibernate.loader.Loader.initializeEntitiesAndCollections(Loader.java:1108) ~[hibernate-core-4.2.7.SP1.jar:4.2.7.SP1]
    at org.hibernate.loader.Loader.processResultSet(Loader.java:964) ~[hibernate-core-4.2.7.SP1.jar:4.2.7.SP1]
    at org.hibernate.loader.Loader.doQuery(Loader.java:911) ~[hibernate-core-4.2.7.SP1.jar:4.2.7.SP1]
    at org.hibernate.loader.Loader.doQueryAndInitializeNonLazyCollections(Loader.java:342) ~[hibernate-core-4.2.7.SP1.jar:4.2.7.SP1]
    at org.hibernate.loader.Loader.doList(Loader.java:2526) ~[hibernate-core-4.2.7.SP1.jar:4.2.7.SP1]
    at org.hibernate.loader.Loader.doList(Loader.java:2512) ~[hibernate-core-4.2.7.SP1.jar:4.2.7.SP1]
    at org.hibernate.loader.Loader.listIgnoreQueryCache(Loader.java:2342) ~[hibernate-core-4.2.7.SP1.jar:4.2.7.SP1]
    at org.hibernate.loader.Loader.list(Loader.java:2337) ~[hibernate-core-4.2.7.SP1.jar:4.2.7.SP1]
    at org.hibernate.loader.hql.QueryLoader.list(QueryLoader.java:495) ~[hibernate-core-4.2.7.SP1.jar:4.2.7.SP1]
    at org.hibernate.hql.internal.ast.QueryTranslatorImpl.list(QueryTranslatorImpl.java:357) ~[hibernate-core-4.2.7.SP1.jar:4.2.7.SP1]
    at org.hibernate.engine.query.spi.HQLQueryPlan.performList(HQLQueryPlan.java:195) ~[hibernate-core-4.2.7.SP1.jar:4.2.7.SP1]
    at org.hibernate.internal.SessionImpl.list(SessionImpl.java:1275) ~[hibernate-core-4.2.7.SP1.jar:4.2.7.SP1]
    at org.hibernate.internal.QueryImpl.list(QueryImpl.java:101) ~[hibernate-core-4.2.7.SP1.jar:4.2.7.SP1]
    at com.fortify.manager.DAL.HibernateDatabaseInterface$1.doInHibernate(HibernateDatabaseInterface.java:816) ~[ssc-core.jar:?]
    at com.fortify.manager.DAL.HibernateDatabaseInterface$1.doInHibernate(HibernateDatabaseInterface.java:795) ~[ssc-core.jar:?]
    at com.fortify.manager.DAL.HibernateDatabaseInterface.executeBoundedListQuery(HibernateDatabaseInterface.java:338) ~[ssc-core.jar:?]
    at com.fortify.manager.DAL.HibernateDatabaseInterface.executeListQuery(HibernateDatabaseInterface.java:328) ~[ssc-core.jar:?]
    at com.fortify.manager.DAL.migration.impl.MigrationManager42Impl.migrateProjectVersion(MigrationManager42Impl.java:92) ~[ssc-core.jar:?]
    at com.fortify.manager.BLL.migration.impl.AbstractMigrationManager$1.executeNoResult(AbstractMigrationManager.java:68) ~[ssc-core.jar:?]
    at com.fortify.manager.service.transaction.TransactionCallbackNoResult.execute(TransactionCallbackNoResult.java:10) ~[ssc-core.jar:?]
    at com.fortify.manager.service.transaction.TransactionServiceImpl.doRunInTransaction(TransactionServiceImpl.java:75) [ssc-core.jar:?]
    at com.fortify.manager.service.transaction.TransactionServiceImpl.runInTransaction(TransactionServiceImpl.java:57) [ssc-core.jar:?]
    at com.fortify.manager.BLL.migration.impl.AbstractMigrationManager.migrateProjectVersions(AbstractMigrationManager.java:65) [ssc-core.jar:?]
    at com.fortify.manager.DAL.migration.impl.MigrationManager42Impl.preSeedingMigration(MigrationManager42Impl.java:41) [ssc-core.jar:?]
    at com.fortify.manager.BLL.impl.SeedManagerImpl.batchSeed(SeedManagerImpl.java:247) [ssc-core.jar:?]
    at com.fortify.manager.BLL.impl.SeedManagerImpl$$FastClassBySpringCGLIB$$7c11a665.invoke(<generated>) [spring-core-3.2.10.RELEASE.jar:?]
    at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204) [spring-core-3.2.10.RELEASE.jar:3.2.10.RELEASE]
    at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:700) [spring-aop-3.2.10.RELEASE.jar:3.2.10.RELEASE]
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150) [spring-aop-3.2.10.RELEASE.jar:3.2.10.RELEASE]
    at org.springframework.aop.aspectj.MethodInvocationProceedingJoinPoint.proceed(MethodInvocationProceedingJoinPoint.java:80) [spring-aop-3.2.10.RELEASE.jar:3.2.10.RELEASE]
    at com.fortify.manager.logging.ExceptionInterceptor.aroundBll(ExceptionInterceptor.java:62) [ssc-core.jar:?]
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_65]
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_65]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_65]
    at java.lang.reflect.Method.invoke(Method.java:497) ~[?:1.8.0_65]
    at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethodWithGivenArgs(AbstractAspectJAdvice.java:621) [spring-aop-3.2.10.RELEASE.jar:3.2.10.RELEASE]
    at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethod(AbstractAspectJAdvice.java:610) [spring-aop-3.2.10.RELEASE.jar:3.2.10.RELEASE]
    at org.springframework.aop.aspectj.AspectJAroundAdvice.invoke(AspectJAroundAdvice.java:65) [spring-aop-3.2.10.RELEASE.jar:3.2.10.RELEASE]
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172) [spring-aop-3.2.10.RELEASE.jar:3.2.10.RELEASE]
    at org.springframework.transaction.interceptor.TransactionInterceptor$1.proceedWithInvocation(TransactionInterceptor.java:96) [spring-tx-3.2.10.RELEASE.jar:3.2.10.RELEASE]
    at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:260) [spring-tx-3.2.10.RELEASE.jar:3.2.10.RELEASE]
    at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:94) [spring-tx-3.2.10.RELEASE.jar:3.2.10.RELEASE]
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172) [spring-aop-3.2.10.RELEASE.jar:3.2.10.RELEASE]
    at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:91) [spring-aop-3.2.10.RELEASE.jar:3.2.10.RELEASE]
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172) [spring-aop-3.2.10.RELEASE.jar:3.2.10.RELEASE]
    at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:633) [spring-aop-3.2.10.RELEASE.jar:3.2.10.RELEASE]
    at com.fortify.manager.BLL.impl.SeedManagerImpl$$EnhancerBySpringCGLIB$$b47fba47.batchSeed(<generated>) [spring-core-3.2.10.RELEASE.jar:?]
    at com.fortify.server.configuration.db.Seed.configureDB(Seed.java:92) [ssc-configuration-wizard.jar:?]
    at com.fortify.server.configuration.db.Seed.main(Seed.java:53) [ssc-configuration-wizard.jar:?]
Caused by: com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: Unknown column 'projectmet0_.systemUsage' in 'field list'
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:1.8.0_65]
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:1.8.0_65]
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:1.8.0_65]
    at java.lang.reflect.Constructor.newInstance(Constructor.java:422) ~[?:1.8.0_65]
    at com.mysql.jdbc.Util.handleNewInstance(Util.java:411) ~[mysql-connector-java.jar:?]
    at com.mysql.jdbc.Util.getInstance(Util.java:386) ~[mysql-connector-java.jar:?]
    at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:1054) ~[mysql-connector-java.jar:?]
    at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:4187) ~[mysql-connector-java.jar:?]
    at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:4119) ~[mysql-connector-java.jar:?]
    at com.mysql.jdbc.MysqlIO.sendCommand(MysqlIO.java:2570) ~[mysql-connector-java.jar:?]
    at com.mysql.jdbc.MysqlIO.sqlQueryDirect(MysqlIO.java:2731) ~[mysql-connector-java.jar:?]
    at com.mysql.jdbc.ConnectionImpl.execSQL(ConnectionImpl.java:2820) ~[mysql-connector-java.jar:?]
    at com.mysql.jdbc.PreparedStatement.executeInternal(PreparedStatement.java:2159) ~[mysql-connector-java.jar:?]
    at com.mysql.jdbc.PreparedStatement.executeQuery(PreparedStatement.java:2326) ~[mysql-connector-java.jar:?]
    at org.apache.commons.dbcp.DelegatingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:96) ~[commons-dbcp-1.4.jar:1.4]
    at org.apache.commons.dbcp.DelegatingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:96) ~[commons-dbcp-1.4.jar:1.4]
    at org.hibernate.engine.jdbc.internal.ResultSetReturnImpl.extract(ResultSetReturnImpl.java:56) ~[hibernate-core-4.2.7.SP1.jar:4.2.7.SP1]
    ... 70 more
ERROR 2017-01-19 09:15:12,115 [com.fortify.manager.logging.ExceptionInterceptor] - Intercepted exception of type [com.fortify.manager.exception.FMDALException] thrown by target class [com.fortify.manager.BLL.impl.SeedManagerImpl] and method [public void com.fortify.manager.BLL.impl.SeedManagerImpl.batchSeed(java.util.List,java.util.List) throws java.lang.Exception]

com.fortify.manager.exception.FMDALException: Migrate project version to 4.2 failed: e-RSB-1

Any idea?

Thanks

 

What Are the Practical Steps on How HP Fortify Can Be Used to Achieve DevOps

Hi,

I have HP Fortify and want to implement a DevOps framework in my organization. How can I use HP Fortify to achieve this, and do I need to purchase additional components to be able to have full-scale value?
