HPE Software Products: Fortify Software Security Center Discussion

Fortify Error 1359, Duplicate Rule ID: xxxxxxx

Any expansion on resolving this issue? We have 3 programs from the same shop; all have this error. I've noticed that they have two custom rules files, but cannot look at them directly (we're halfway across the country from the Devs).

Any suggestions?

 

HPE SCA / SSC Integration with GoCD

I am looking for a way to integrate HP SSC into GoCD. I think HP doesn't provide any plugin, but is there an alternate way of doing it?

 

How to use Maven plugin to scan native C source code

I am using Fortify 16.20 maven plugin and trying to run a scan against Native C project.

Is this possible to do? I don't seem to be getting any results generated.

Please advise!

Joe

 

Unreleased Resource Database

Hi

System.Data.SqlClient.SqlDataReader dr = sqlComm.ExecuteReader();

if (sqlConn.State.ToString().ToUpper() == "OPEN")

These statements are throwing Unreleased Resource Database.

Please help me to solve this issue.

 

admin authentication failure after setting X.509 SSO

Hello,

After I configured SSO to use x.509, the login page still asks for username and password, but it fails to log me in using admin password. 

I changed in db table dbo.configproperty x.509.enabled to be false, but no luck.

How can I revert and be able to login using local username and password?

Thanks

N

 

Integrating HPE Fortify & TeamCity

Hi All,

We are in need of integrating TeamCity with Fortify or vice versa. Are there any plugins available in Fortify/TeamCity to achieve this, or any other way to implement it? Your suggestions would be a great help!

Thanks in Advance.

Regards,

Siva.

 

How to filter LOW Fortify Priority issues during scan

Looking for an option to filter out LOW Fortify Priority issues during scan. With this approach the FPR generated from the scan will not contain LOW severity issues. Please suggest how to configure the scan for this purpose. I am using the command line scan. There is quick scan mode, but it is not useful, as the requirement for the scan is to report all Critical, High and Medium issues that would appear in normal scan mode. I just need to exclude Low issues.

Thank you.

 

 

HP Fortify SCA and Applications Software Queries

Hi Team,

Currently we are using HP Fortify SCA and Applications version 4.30, and we have planned to migrate to Visual Studio 2017. For that case, is there a latest "HP Fortify SCA and Applications" version available which will be compatible with Visual Studio 2017?
Please suggest how we should proceed further.

 

Fortify Scan High Issue Errors

Fortify scan was throwing me a high-risk issue on the following code.

Reading cookies from Browser:

Cookie[] cookies = request.getCookies();

Adding SessionId to the Url connection:

urlConnection.setRequestProperty(header,credentials);

Passing sessionId in requestParams:

public String getIcueSecureSessionId(@RequestParam String sessionId, @RequestParam String appName)

Fortify comments for the above code:

The method getIcueSecureSessionId() in WidgetProviderController.java includes
unvalidated data in an HTTP response header on line 147. This enables attacks such
as cache-poisoning, cross-site scripting, cross-user defacement, page hijacking,
cookie manipulation or open redirect.

 

 

I was trying to solve the issues but never had any luck. I am open to suggestions, and please let me know if you can help me.

 

Thanks.
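The finding quoted above is about a request parameter flowing unchanged into an outgoing HTTP header. The usual defender-side fix is to check the value against a strict allow-list before it reaches setRequestProperty, so that carriage returns, line feeds and other header syntax are rejected rather than forwarded. The block below is an added example, not code from the original post or from WidgetProviderController.java; the header name, the token format and the class name are assumptions, and Spring is left out so it runs stand-alone with plain Java (no network access is needed, since openConnection() does not connect).

```java
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.regex.Pattern;

/** Added example: allow-list validation of a session id before it is copied into an HTTP header. */
public final class SessionIdHeaderGuard {

    // Assumed token format: an opaque identifier of URL-safe characters, 16 to 128 long.
    // Adjust to the real token format; the point is that CR, LF, ':' and spaces are never accepted.
    private static final Pattern SAFE_TOKEN = Pattern.compile("^[A-Za-z0-9._-]{16,128}$");

    /** True only if the value is a well-formed token; null, empty and control characters all fail. */
    public static boolean isSafeSessionId(String sessionId) {
        return sessionId != null && SAFE_TOKEN.matcher(sessionId).matches();
    }

    /** Returns the value unchanged when it is well-formed, otherwise refuses to continue. */
    public static String requireSafeSessionId(String sessionId) {
        if (!isSafeSessionId(sessionId)) {
            // The rejected value is deliberately not echoed: it would land in a log unsanitized.
            throw new IllegalArgumentException("session id rejected: not a well-formed token");
        }
        return sessionId;
    }

    /** Only the validated value ever reaches setRequestProperty (header name is an assumption). */
    public static void addSessionHeader(HttpURLConnection connection, String sessionId) {
        connection.setRequestProperty("X-Session-Id", requireSafeSessionId(sessionId));
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: one well-formed token, one carrying an embedded line break, one empty.
        String[] samples = {
            "a1B2c3D4e5F6g7H8i9J0",
            "a1B2c3D4e5F6g7H8\r\nX-Injected: 1",
            ""
        };
        for (String s : samples) {
            System.out.println(isSafeSessionId(s) ? "accepted" : "rejected");
        }
        // openConnection() touches no socket until connect() is called, so this runs offline.
        HttpURLConnection conn = (HttpURLConnection) new URL("http://localhost/").openConnection();
        addSessionHeader(conn, samples[0]);
        System.out.println("header set: " + conn.getRequestProperty("X-Session-Id"));
    }
}
```

Fortify SCA only treats data as validated when it passes through a validator it knows about; if the check lives in a project-specific method like requireSafeSessionId, a DataflowCleanseRule naming that method (the mechanism used in the "Custom rule to cleanse log forging" post further down this page) is what tells the analyzer the flow is clean.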

 

Query on HP Component Architecture

I have a few queries on the functionality of a few components in the Automated Scanning Architecture:

  • Build Server
  • Scan Pool Controller
  • Scan Pool Scan farm
  • WebInspect Scan farm
  • Fortify SSC & Database

I request any of the SMEs or members to respond with the details and functionality of the above-mentioned nodes/components.

 

Query on Automated Scanning Architecture

All Champs,

I have a few queries on the functionality of a few components in the Automated Scanning Architecture:

  • Build Server
  • Scan Pool Controller
  • Scan Pool Scan farm
  • WebInspect Scan farm
  • Fortify SSC & Database

I request any of the SMEs or members to respond with the details and functionality of the above-mentioned nodes/components.


 

HP Fortify SCA 4.30 -- Doesn't scan ASP .NET 4.5.2 (MVC 5) solution

Please help!

I have to scan an ASP .NET 4.5.2 (MVC 5) solution using HP Fortify SCA 4.30.

Unfortunately it doesn't catch any issues, though it runs through all the files.

But the same rule file catches issues in ASP .NET 4.5.2 solutions (non-MVC).

It seems only "*.cshtml" is additional in the solution.

I'm blocked because of this. Your help is highly appreciated!!!

 

Fortify Scan C# configuration files

We use the Fortify scan to scan applications in the CD pipeline, hosted by TFS. Therefore we created a build task. I am wondering what files the Fortify scan scans. It looks like the scan is not checking the configuration files of a .Net application. The app.config, for example, seems to be ignored. Is there a parameter or value to add to the scan command that makes the scan check the configuration?

 

How to customize configuration of IDE Plugin in Fortify Cloudscan?

I couldn't find the right place to post this, so if it needs to be somewhere else, please move it or let me know where to post.
===========================
I have a Fortify CloudScan service set up. We are integrated into the application build process such that source code files are translated on the build server, packaged into a Mobile Build Package, which is sent to the CloudScan Controller for scanning. Pretty vanilla setup and things are working well. We also have individual developers with SCA + IDE Plugins. Currently, they are performing the full scanning process on their local workstations and uploading the .FPR to SSC. All this is in a Windows OS environment.

Now to my question...
is there a way to configure or change the IDE plugin so when the developer selects "Run a Scan" in their IDE Plugin, it does the translate step, creates the Mobile Build Package, and sends it to the CloudScan controller just like what we are doing on the build machines?

This would free up so much time for the developers since the scan phase is what takes the longest time. I understand we will need to install the CloudScan CI on the developer's workstation.

Finally, can we create an SCA Developer's install package so this is the default process?

Thanks,
Jim

 

Fortify Scan Issue (in translation)

.Net Solution is building successfully!

But while translating it throws the below error.

[error]: The Fortify add-in for Visual Studio did not execute; therefore, no files were translated. Ensure that the Fortify add-in is installed. If you are running Visual Studio 2005 SP1, you must also install the hotfix indicated by KB934517.

Any idea?

 

Fortify SSC 16.x: Assign Users Lookup using LDAP with nested groups

SSC 16.x is configured to use LDAP and nested groups.

Authentication with nested groups works.

User lookup for such functions as Search during Assigning an Issue doesn't work.

Error: An internal error has occurred. Please contact your Fortify System Administrator.

Using a non-nested LDAP group with Nested Groups in LDAP configuration turned off works.

 

Thanks!

 

Custom rule to cleanse log forging does not work

We have complicated software where most user input is validated against a schema before being accepted or logged to files. Fortify throws a large number of log forging errors that are false positive.

I have written a custom rule and imported the same into Fortify. But I still get log forging complaints.

I am including the custom rule here. Note that washStringForLog is a method that removes unwanted characters from the string passed and trims the string if it is too long. The idea is that if the string first passes through this method, the log forging taint should be removed and Fortify should not flag an error.

 

===

<?xml version="1.0" encoding="UTF-8"?>
<RulePack xmlns="xmlns://www.fortifysoftware.com/schema/rules">
<RulePackID>D82118B1-BBAE-4047-9066-5FC821E16456</RulePackID>
<SKU>SKU-Validated-Log-Forging</SKU>
<Name><![CDATA[Validated-Log-Forging]]></Name>
<Version>1.0</Version>
<Description><![CDATA[Validated-Log-Forging]]></Description>
<Rules version="3.14">
<RuleDefinitions>
<DataflowCleanseRule formatVersion="3.14" language="java">
<RuleID>DDAB5D73-8CF6-45E0-888C-EEEFBEFF2CD5</RuleID>
<TaintFlags>-VALIDATED_LOG_FORGING</TaintFlags>
<FunctionIdentifier>
<NamespaceName>
<Pattern>com\.elster\.bulk</Pattern>
</NamespaceName>
<ClassName>
<Pattern>CommonThings</Pattern>
</ClassName>
<FunctionName>
<Pattern>washStringForLog</Pattern>
</FunctionName>
<ApplyTo implements="true" overrides="true" extends="true"/>
</FunctionIdentifier>
<OutArguments>return</OutArguments>
</DataflowCleanseRule>
</RuleDefinitions>
</Rules>
</RulePack>

 

====

What am I doing wrong here?

Thanks
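For reference, the block below is an added example of what a cleanse method matched by the rule above would look like: a method whose fully qualified name agrees with the rule's NamespaceName, ClassName and FunctionName patterns, and which neutralises the characters log forging depends on (CR and LF, which would start a fake log line, plus other control characters) and truncates over-long input. It is not the original project's implementation of washStringForLog; the length limit and the replacement characters are assumptions. It runs stand-alone with `java CommonThings.java` on Java 11 or later. Two things are worth checking against the rule posted above: the three Pattern elements are regular expressions matched against the fully qualified method, so package, class and method names must agree exactly with the code; and the cleanse examples in the Fortify custom rules documentation add a validation flag with a leading plus (for example +VALIDATED_LOG_FORGING), whereas the rule above uses a leading minus, which removes a flag rather than setting it.

```java
package com.elster.bulk; // the package the rule's NamespaceName pattern expects

/**
 * Added example: a log-sanitising method whose fully qualified name matches the cleanse rule
 * (assumed implementation, not the original project's code).
 */
public final class CommonThings {

    // Assumed upper bound on what one log field may contain.
    private static final int MAX_LOG_LENGTH = 200;

    private CommonThings() {}

    /**
     * Replaces CR and LF (the characters a forged log entry needs) and any other control
     * character, then cuts over-long input and marks the cut so the truncation is visible.
     */
    public static String washStringForLog(String input) {
        if (input == null) {
            return "null";
        }
        StringBuilder out = new StringBuilder(Math.min(input.length(), MAX_LOG_LENGTH));
        int kept = 0;
        for (int i = 0; i < input.length() && kept < MAX_LOG_LENGTH; i++) {
            char c = input.charAt(i);
            if (c == '\r' || c == '\n') {
                out.append('_');          // a line break can no longer start a new log entry
            } else if (Character.isISOControl(c)) {
                out.append('?');          // e.g. escape sequences that could confuse a terminal viewer
            } else {
                out.append(c);
            }
            kept++;
        }
        if (input.length() > MAX_LOG_LENGTH) {
            out.append("...[truncated ").append(input.length() - MAX_LOG_LENGTH).append(" chars]");
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed inputs: a benign user name, one that tries to append a second log line, an over-long one.
        String[] samples = {
            "alice",
            "alice\r\nINFO  user bob logged in",
            "x".repeat(250)
        };
        for (String s : samples) {
            System.out.println("LOGIN attempt user=" + washStringForLog(s));
        }
    }
}
```

With this in place the second sample is logged on a single line ("alice__INFO  user bob logged in") and the third is cut at 200 characters with a visible marker, which is the behaviour the rule's OutArguments element (return) tells SCA to treat as cleansed.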

 

How to change session timeout more than 15 minutes

I was trying to change the session timeout to 10 hrs, which would be around 600 minutes, but HP Fortify is only allowing 15 minutes max. Is there a way I can change it to 600 minutes? I have even tried to change it to 600 minutes and run the Fortify scan, but it doesn't work. I still see the session timeout issue in the Fortify report.

<session-config>
<session-timeout>15</session-timeout>
</session-config>

Let me know if there is any solution; that would be really appreciated.

 

Generate Source/Sink Snippet

Hi, could I know a way through which the developer workbook generates code snippets in its report? When I download the DevWorkbook template and navigate to that particular section I see a file corrupted error; could I know the possible solution to this?

 

 

 

Using .Net CodeContracts with Fortify

When working on a few Null Dereferencing warnings from Fortify, I was wondering if we could use standard .Net CodeContracts clauses to help Fortify in figuring out the exceptions.

I'll use the following example to make the point across:

// Model is a reference type, so any reference to it can legally be null.
class Model
{
    public int Value { get; set; }
}

// Interface members are implicitly public; an explicit 'public' here does not compile before C# 8.
interface IDependency
{
    Model GetModel();
}

class Dependency : IDependency
{
    Model IDependency.GetModel()
    {
        return new Model {Value = 1};
    }
}

class Main
{
    private IDependency _dependency;

    public Main(IDependency dependency)
    {
        _dependency = dependency;
    }

    int MainMethod()
    {
        var model = _dependency.GetModel();
        return model.Value;   // Fortify: possible null dereference of 'model'
    }
}


Notice we have a 'Main' class that relies on a dependency through an interface. The interface returns a 'Model' object.

In this situation, Fortify will warn us that we are potentially dereferencing a null pointer inside the 'MainMethod', because it cannot tell that the result from 'GetModel' will not be null. We know it won't because there is a single implementation to the interface, and that implementation does not return 'null'. In this particular case though, Fortify is totally correct in the assumption here because a new implementation could be created that would violate the assumption and return 'null', as 'Model' is a reference type after all.

The most straightforward way to 'fix' this is to add a null check in the code, as follows:

    int MainMethod()
    {
        var model = _dependency.GetModel();
        if (model != null)
        {
            return model.Value;
        }
        else
        {
            return 0;
        }
    }


This works fine but notice the added logical overhead: does it really make sense to return 0? Wouldn't it be better if we threw an exception? Why are we even opening the door for Model to be null?
With this in mind, a much more robust form exists to handle this situation in .Net, based on design by contract. This relies on the native CodeContracts classes:

using System.Diagnostics.Contracts;

[ContractClass(typeof(DependencyContracts))]
interface IDependency
{
    Model GetModel();
}

// ContractClassFor is required so the contract rewriter binds this class to the interface.
[ContractClassFor(typeof(IDependency))]
abstract class DependencyContracts : IDependency
{
    Model IDependency.GetModel()
    {
        Contract.Ensures(Contract.Result<Model>() != null);
        return default(Model);
    }
}


Notice how we have an extra, abstract implementation of the interface that only contains contracts. The Ensures call tells the analyzer that it is never possible for the return value to be null. With this approach, there is no need to add any handling in the actual consumer, as we can be sure the instance will never be null at that point, as that would be an impossible scenario, avoiding unnecessary code and bloat.

What do I need to do so that Fortify understands these contracts and does not warn about the potential null reference exceptions anymore?
