HPE Software Products: Fortify Software Security Center Discussion
HP Fortify 6.11 ASP.NET Compiler error "Encountered: Page" on default.aspx

I'm getting a warning from HP Fortify on my API page. This is my whole default.aspx:

<%@ Page Language="C#" %>
<script runat="server">
  protected override void OnLoad(EventArgs e)
  {
      Response.Redirect("api/swagger-ui/index.html");
      base.OnLoad(e);
  }
</script>

and I get the following error in the translate page (this is taken from the logfile):

Building line numbers from source for: C:/git/Esb/Esb.Api/default.aspx
[2016-09-21 16:46:33.219 com.fortify.frontend.translator.dotnet.vb.VBParser.parse() Thread-15 Master FINE]
Starting to parse: C:\git\Esb\Esb.Api\default.aspx
[2016-09-21 16:46:33.219 com.fortify.frontend.translator.dotnet.vb.VBParserTokenManager.TokenLexicalActions() Thread-15 Master WARNING]
Bad character in: %; line: 1; col: 2
[2016-09-21 16:46:33.219 com.fortify.frontend.translator.dotnet.vb.VBParserTokenManager.TokenLexicalActions() Thread-15 Master WARNING]
Bad character in: @; line: 1; col: 3
[2016-09-21 16:46:33.219 com.fortify.frontend.translator.dotnet.DotnetSourceParser.reportParseError() Thread-15 Master WARNING 10000]
Parse error in file C:\git\Esb\Esb.Api\default.aspx at 1:5. Encountered: "Page".

I don't know why it's invoking a VB parser, or why Page would be an invalid entry.


Getting authentication failure after java version update

Hello,

Recently we have updated the Java version on our Fortify box. After the update, we are unable to log in to the Fortify enterprise web client. We are using AD to log in to Fortify. I restarted Tomcat, but no luck. Let me know how to resolve this.

Regards,

Sree.


How to exclude in Fortify scan for SQL Injection in MyBatis Mapper files

Hi,

I am using MyBatis generated files in my project. I am getting "SQL Injection: MyBatis Mapper" errors when I run Fortify on it.

To resolve this issue I modified the "$" to "#" in my mappers, which is not supported by MyBatis.

Could someone help me to resolve this issue, on how to exclude this SQL Injection issue in the Fortify scan?

Also please let me know why Fortify is not supporting MyBatis generated files.


Problems with initial seeding for SSC mysql database

Hello,

I am trying to install and configure SSC 16.10 with MySQL. During the seeding process I get the following error reported in the log:

Caused by: org.springframework.dao.DataIntegrityViolationException: could not perform addBatch;
SQL [insert into catpacklookup (fromExtension, orderingInfo, catPackExternalCategory_id, mappedCategory) values (?, ?, ?, ?)]; constraint [null];
nested exception is org.hibernate.exception.ConstraintViolationException: could not perform addBatch
        at org.springframework.orm.hibernate4.SessionFactoryUtils.convertHibernateAccessException(SessionFactoryUtils.java:163) ~[spring-orm-4.2.1.RELEASE.jar:4.2.1.RELEASE]

We've dropped and recreated the DB multiple times trying to resolve this issue. Any pointers as to what might be causing this installation issue?

Thanks

Scott


Fortify - Path Manipulation issues in Java

I am getting Path Manipulation issues on the following statements of my Java code when I run the Fortify tool on my web application. Below are the different sample statements where it throws HIGH priority security vulnerabilities. Please note that the filePath that is being passed is an absolute path, not a relative one. We have a requirement to read files that are placed in a system directory, hence I depend on the java.io file system package.

Please suggest a resolution to avoid security issues on the statements below.

File file = new File(filePath);
FileReader fileReader = new FileReader(filePath);
FileInputStream inputStream = new FileInputStream(new File(filePath));
String userHome = System.getProperty("user.home");
Path path = Paths.get(filePath);

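One way to keep reads confined to the permitted system directory, as an added example that is not code from the post above. It assumes a hypothetical base directory /opt/esb/data; an absolute filePath is accepted only when it canonicalises to a location under that directory, so a value influenced by a caller cannot reach files elsewhere.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

public final class ConfinedFileReader {
    // Hypothetical directory the application is allowed to read from (assumption).
    private static final Path BASE_DIR =
            Paths.get("/opt/esb/data").toAbsolutePath().normalize();

    private ConfinedFileReader() {}

    /**
     * Returns the real (symlink-resolved) path for filePath if it lies inside
     * BASE_DIR; otherwise throws. Absolute inputs are accepted only when they
     * are already under BASE_DIR; relative inputs are resolved against it.
     */
    static Path resolveInsideBase(String filePath) throws IOException {
        if (filePath == null || filePath.isEmpty() || filePath.indexOf('\0') >= 0) {
            throw new IOException("invalid file path");
        }
        Path requested = Paths.get(filePath);
        Path candidate = (requested.isAbsolute()
                ? requested : BASE_DIR.resolve(requested)).normalize();
        // normalize() folds ".." segments, so a lexical escape is caught here.
        if (!candidate.startsWith(BASE_DIR)) {
            throw new IOException("path outside allowed directory: " + filePath);
        }
        // toRealPath() follows symbolic links; a link pointing outside BASE_DIR
        // passes the lexical check above but fails this one.
        Path real = candidate.toRealPath();
        if (!real.startsWith(BASE_DIR.toRealPath())) {
            throw new IOException("path resolves outside allowed directory: " + filePath);
        }
        if (!Files.isRegularFile(real)) {
            throw new IOException("not a regular file: " + filePath);
        }
        return real;
    }

    /** Opens the file for reading only after the confinement check passes. */
    static InputStream open(String filePath) throws IOException {
        return Files.newInputStream(resolveInsideBase(filePath));
    }
}
```

Whether the analyzer recognises this check as a cleanse step depends on its rules; the check itself is what removes the traversal risk.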

Cross-Frame Scripting ( 11293 ) Error

Facing a cross-frame scripting issue on the site.

Tried changing web.config with the code below, but after a rescan the cross-frame scripting error did not go away.

Tried two other options as well: 1) adding X-Frame-Options in IIS as a response header, 2) installing the NuGet package NWebsec; however the rescan returned the same error.

<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="X-Frame-Options" value="DENY" />
    </customHeaders>
  </httpProtocol>
</system.webServer>

Can anyone help on this?


Cross frame scripting - ASP.Net application

We are facing a cross-frame scripting issue in our newly developed application using ASP.NET 4.5. We have tried the list of fixes below, but the scanner tool is still giving us the same error:

1. X-Frame deny option.

2. Machine key addition in the config file.

3. X-Frame deny using NuGet package.

But none of the fixes are working and we are still getting the issue. Can someone suggest some thoughts?

Thanks

Sathish


Fortify exclude option not working for my project

I have a Visual Studio C/C++ project with the folder structure below:

->client->ABCClient

->client->lib

"client" is the root folder, which has the ABCClient and lib folders inside it.

The "ABCClient" project is referring to some of the source files from the "lib" folder as well.

I want to completely exclude issues reported in the Fortify scan from the "lib" folder. I tried the exclude options but it's still reporting issues from the "lib" folder.

I have used the commands below.

sourceanalyzer -b "test5" -exclude "**\lib\*" -quick -Xmx4G -Xss8M -debug -logfile scan.log -scan -f ABCClient8.fpr

sourceanalyzer -b "test5" -exclude "client\lib\*" -quick -Xmx4G -Xss8M -debug -logfile scan.log -scan -f ABCClient8.fpr

I have tried both wildcard characters as well as the absolute path of the excluded files, but it didn't work.

Please someone help.


How to setup Continuous Integration gated check-in with Fortify SCA Visual Studio Online

Hi,

We are trying to integrate Fortify SCA into our DevOps platform VSO; we are able to run the SCA from the command line and generate FPR files.

However, we want to fail the build step if there are any Mandatory Issues reported by SCA, and we didn't find an easy way to do this.

Do you have any recommendations on how to integrate with continuous integration gated check-in?

We are using Microsoft .NET as our development platform.

Thanks in advance


HP Fortify SCA - erroneous Insecure Randomness

HP Fortify SCA flags Math.random in jQuery (js/jquery-1.7.1.min.js) as a High Vulnerability Insecure Randomness. jQuery and GitHub forum moderators disagree (links below). The Fortify explanation is to use window.crypto.random, which I have done (see screenshot) but SCA does not accept this. Any suggestions?

Thank you,

GitHub disagrees

https://github.com/jquery/jquery/issues/3136

jQuery disagrees

https://forum.jquery.com/topic/security-issue-about-jquery


Fortify issues with -python-path

I am trying to scan a Python project with HP Fortify.

Every time I run it, I get the following error:

   [warning]: The Python frontend was unable to resolve the following import:

I am setting -python-path "C:\Python\27\"

I have also set -python-path "C:\Python27\Tools\Scripts\"

PLEASE help


Fortify Command Line Interface

Hi,

I have created a command line interface for the Fortify scan.

Somehow my results are very different from the scan that I am running from Visual Studio 2015.

Here is my script example. I am trying to scan the Projects of the solution, not the Solution in .NET.


Fortify SCA v4.40 not support XCODE version 7.1 ?

Hi.

I've installed HPE Fortify SCA v4.40 for MacOS, but Fortify SCA v4.40 shows an error:

"Detect Xcode version: 7.1"

"Supported Version: FALSE"

"Unsupported version detected"

Does Fortify SCA v4.40 not support Xcode version 7.1? What do I do?

Thank you. :)


Fortify 4.2: Translator execution failed. Status 139

When running the following command: sourceanalyzer -debug -b $build_id touchless make

I'm getting this error:

Compiling C++ myFile.C

[ERROR]: Translator execution failed. Please consult the Troubleshooting section of the User Manual.

Translator returned status 139:

“/usr/include/c++/4.3/atomicity.h”, line 51: warning identifier
                “__sync_fetch_and_add” is undefined
    { return __sync_fetch_and_add(__mem, __val); }
“/usr/include/c++/4.3/atomicity.h”, line 55: warning identifier
                “__sync_fetch_and_add” is undefined
    {  __sync_fetch_and_add(__mem, __val); }
“/usr/include/c++/4.3/new”, line 95: warning: first parameter of allocation
                                Function must be of type “size_t”
                Void* operator new(std::size_t) throw (std::bad_alloc);
“/usr/include/c++/4.3/new”, line 96: warning: first parameter of allocation
                                Function must be of type “size_t”
                Void* operator new[](std::size_t) throw (std::bad_alloc);
“/usr/include/c++/4.3/new”, line 99: warning: first parameter of allocation
                                Function must be of type “size_t”
                Void* operator new(std::size_t, const std::nothrow_t&) throw ();
“/usr/include/c++/4.3/new”, line 100: warning: first parameter of allocation
                                Function must be of type “size_t”
                Void* operator new[](std::size_t, const std::nothrow_t&) throw ();
“/usr/include/c++/4.3/new”, line 105: warning: first parameter of allocation
                                Function must be of type “size_t”
                Inline void* operator new(std::size_t, void* __p) throw (){ return __p; }
“/usr/include/c++/4.3/new”, line 105: warning: first parameter of allocation
                                Function must be of type “size_t”
                Inline void* operator new[](std::size_t, void* __p) throw (){ return __p; }
“/opt/ilog51/views51/include/ilog/list.h”, line 77: warning: first parameter of allocation function must be of type “size_t”
IL_MLK_DECL();
“/opt/ilog51/views51/include/ilog/list.h”, line 110: warning:  no appropriate operator delete is visible
{ e(); delete_first; _first; _first = _last 0; _length = 0; }

Furthermore, when uploading the FPR file to SSC, under Artifacts the status is: Error Processing. And when auditing issues, the SSC is unable to locate source files.

Any ideas about these issues?


Can we add a new JDK by ourselves in HP Fortify

We are using HP Fortify 4.10 and we have an application developed in JDK 1.8. Fortify 4.10 only has options up to 1.7. Can we add 1.8 ourselves, or do we have to upgrade to 4.2?


Error: Dynamic Code Evaluation: Unsafe Deserialization

Working with findings in the Dynamic Code Evaluation: Unsafe Deserialization category, Fortify keeps flagging a class name, and the class itself has no serialization at all. Is this a common problem with HP Fortify?


HP Fortify and ALM Integration

Hi Team,

I have integrated HP Fortify SSC with HP ALM and am able to push issues to ALM. However, we require a few additional parameters to be added. Can you please suggest how to go about that?

Required Fields:

- Description

- Recommendations

- Any other field if required.


SSC Portal is not accessible

Hello,

I've tried installing HP Fortify SSC 16.10 on a Windows machine with a remote SQL Server DB. I've followed the steps as per the installation guide. After generating the WAR file that would be deployed by the Apache Tomcat application server, I was not able to log in using the default "admin" username and password. I've checked a table in the SSC DB called "fortifyuser", but this table was empty!

Appreciate your support.

Best Regards,

Mahmoud Sabry


HP Fortify Version Support

Hi Team,

We are developing an MVC application with C#. We need to analyze and fix the security issues for the application.

We are using HP Fortify version 4.3, which does not support MVC.

Please find the details of our application below and suggest the Fortify version to support our requirements.

MVC version 5.2.3

jquery-1.12.1

Newtonsoft.Json 7.0.1

Infragistics Ignite UI version 15.1

Regards,

Pradeep SE.


JNI LOAD LIBRARY USING SYSTEM.LOAD THROWS INPUT VALIDATION & REPRESENTATION FORTIFY ISSUE

Dear All,

I was running a Fortify check on an Android project. I got an INPUT VALIDATION & REPRESENTATION Fortify issue in the following code:

static
{
    System.load("/data/data/com.mypackage.name/lib/libtest.so");
}

Following is the issue reported by Fortify:

The method <static>() in MainActivity.java loads a library without specifying an
absolute path, which could result in the program using a malicious library supplied by
an attacker.

AFAIK, I am already using the absolute path where the library is present in the Android file system. Can you please point out what is wrong with the above code block?

Thanks & Regards,

Surjit