毅种循环

Scanning Python code with Fortify SCA (Windows + VS Code plugin)

I was recently asked to run a static scan on a Python codebase. Until then I had only used Fortify SCA on Java code, and after looking into how Fortify handles Python I found that the workflow differs from the usual one, so this post records the process.

1. Preparation

  1. Fortify Static Code Analyzer (SCA): Windows version 232.2.
  2. Install VS Code
  3. Install Fortify VSC Plugin:
    • Open VS Code.
    • Go to the Extensions view (shortcut Ctrl+Shift+X).
    • Search for "Fortify" and find and install the "Fortify VSC" plugin.


2. Fortify VSC Plugin Configuration

In VS Code, open the Fortify plugin view (the Fortify icon in the activity bar on the left).

Skip the first view and switch directly to the Static Code Analyzer executable path view.

2.1 Configure SCA Executable Path

  • Field: Static Code Analyzer executable path
  • Description: The path to sourceanalyzer.exe.
  • Settings:
    • Recommended: If the bin directory of Fortify SCA has been added to the system Path environment variable, entering sourceanalyzer here is enough.
    • Alternative: If that does not work, click the Browse... button on the right, go to the Fortify SCA installation directory, open the bin folder and select sourceanalyzer.exe.
      • Example path: C:\Program Files\Fortify\Fortify_SCA_and_Apps_<version_number>\bin\sourceanalyzer.exe

That is most of the configuration. What remains is to open the directory to be scanned in VS Code and click the Fortify plugin button, which fills in the remaining fields automatically.

2.2 Configure Build ID

  • Field: Build ID
  • Description: A unique identifier for this scan task. SCA stores the translated code under this ID, so rescanning the same project under the same ID without cleaning it first (sourceanalyzer -b <build_id> -clean) carries files from the previous run into the new scan.

2.3 Configure Scan Results Output Path (FPR)

  • Field: Scan results location (FPR)
  • Description: The save path and filename of the scan result file (.fpr), which Fortify Audit Workbench opens. By default it is written to the root directory of the codebase.

2.4 Configure Log Path

  • Field: Log location
  • Description: Path for the log file of the SCA scan.
  • Settings: Usually, the default can be kept. You can click the Open button on the right to view the logs.

2.5 Configure Options (Python Specific)

  • Field: Add translation options
  • Description: For Python code, the Python version and the library search paths must be passed to the translator explicitly here.
  • Settings:
    1. Check the Add translation options checkbox.
    2. In the text box that appears, enter the parameters below, adjusting the paths to your own Python environment.
      • First obtain the interpreter's module search path by running python3 -c "import sys; print(sys.path)" on the command line. This is what I got:

```
['', 'D:\\Scoop\\apps\\python311\\current\\python311.zip', 'D:\\Scoop\\apps\\python311\\current\\DLLs', 'D:\\Scoop\\apps\\python311\\current\\Lib', 'D:\\Scoop\\apps\\python311\\current', 'D:\\Scoop\\apps\\python311\\current\\Lib\\site-packages', 'D:\\Scoop\\apps\\python311\\current\\Lib\\site-packages\\win32', 'D:\\Scoop\\apps\\python311\\current\\Lib\\site-packages\\win32\\lib', 'D:\\Scoop\\apps\\python311\\current\\Lib\\site-packages\\Pythonwin']
```

      • Therefore enter the following in the Fortify plugin:

```
-python-version 3 -python-path "D:\Scoop\apps\python311\current\DLLs;D:\Scoop\apps\python311\current\Lib;D:\Scoop\apps\python311\current\Lib\site-packages"
```

        • -python-version 3: the Python version of the code being translated.
        • -python-path "...": the directories in which the translator resolves imports (standard library and third-party packages), taken from the sys.path output and separated by semicolons on Windows (colons on Linux and macOS). The '' entry and the python311.zip archive in sys.path are not source directories and are left out. If the project installs its dependencies into a virtual environment, run the sys.path command with that environment's interpreter so that its site-packages directory is included; otherwise imports of third-party modules cannot be resolved and findings that depend on them may be missed.

2.6 Other Options (Optional)

  • Add scan options: extra parameters for the SCA scan phase; normally left at the default.
  • Update security content: downloads the latest Fortify Security Content (rulepacks) before scanning, so detection runs with current rules.

3. Execute Scan

  1. After completing all the above configurations, click the Scan button at the bottom of the Fortify VSC plugin interface.
  2. The scanning process will run in the background. You can view the scan progress and detailed logs in the OUTPUT panel or terminal of VS Code.
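The plugin is a front end for the sourceanalyzer command line, and the same scan can be reproduced without VS Code, for example in CI. The script below is an added example, not code from the original post or from Fortify: it derives the -python-path value from the interpreter's sys.path the way section 2.5 does by hand (dropping the '' entry and the zip archive), and runs the three phases behind one plugin scan: clean the build ID, translate with the Python options, then scan into the .fpr. It assumes sourceanalyzer is on PATH (or that its full path is passed in) and a Python 3 project; PAGE_SYS_PATH is the sys.path printed in the post.

```python
"""Command-line equivalent of the Fortify VSC plugin scan configured above.

Added example, not from the original post or from Fortify. Assumes
sourceanalyzer is on PATH (or its full path is given) and a Python 3 target.
"""
import os
import subprocess
import sys
from typing import Iterable, List, Sequence

# sys.path as printed by the interpreter in the post (copied from there).
PAGE_SYS_PATH = [
    "",
    "D:\\Scoop\\apps\\python311\\current\\python311.zip",
    "D:\\Scoop\\apps\\python311\\current\\DLLs",
    "D:\\Scoop\\apps\\python311\\current\\Lib",
    "D:\\Scoop\\apps\\python311\\current",
    "D:\\Scoop\\apps\\python311\\current\\Lib\\site-packages",
    "D:\\Scoop\\apps\\python311\\current\\Lib\\site-packages\\win32",
    "D:\\Scoop\\apps\\python311\\current\\Lib\\site-packages\\win32\\lib",
    "D:\\Scoop\\apps\\python311\\current\\Lib\\site-packages\\Pythonwin",
]


def fortify_python_path(entries: Iterable[str], sep: str = ";",
                        must_exist: bool = False) -> str:
    """Build the -python-path value from interpreter sys.path entries.

    Drops '' (the current directory, not a library location), zip archives
    (the translator reads directories of .py files, not archives) and
    duplicates, keeping order. Windows joins with ';'; on Linux/macOS pass
    sep=os.pathsep (':'). must_exist=True also drops directories that are
    missing on this machine.
    """
    kept: List[str] = []
    for entry in entries:
        if not entry or entry.lower().endswith(".zip"):
            continue
        if must_exist and not os.path.isdir(entry):
            continue
        if entry not in kept:
            kept.append(entry)
    return sep.join(kept)


def sourceanalyzer_commands(build_id: str, python_path: str,
                            sources: Sequence[str], fpr: str,
                            sourceanalyzer: str = "sourceanalyzer",
                            python_version: str = "3") -> List[List[str]]:
    """The three sourceanalyzer invocations behind one plugin scan.

    1. -clean    : discard any earlier translation stored under this build
                   ID, so stale files from a previous run are not rescanned.
    2. translate : the Python options from section 2.5 plus the sources.
    3. -scan     : analyse the translated build and write the .fpr.
    """
    clean = [sourceanalyzer, "-b", build_id, "-clean"]
    translate = [sourceanalyzer, "-b", build_id,
                 "-python-version", python_version,
                 "-python-path", python_path, *sources]
    scan = [sourceanalyzer, "-b", build_id, "-scan", "-f", fpr]
    return [clean, translate, scan]


def run_scan(build_id: str, sources: Sequence[str], fpr: str) -> None:
    """Run the full sequence using the current interpreter's library paths.

    Run it with the project's virtualenv interpreter so site-packages holds
    the project's real dependencies.
    """
    python_path = fortify_python_path(sys.path, sep=os.pathsep, must_exist=True)
    for cmd in sourceanalyzer_commands(build_id, python_path, sources, fpr):
        print("+", " ".join(cmd))
        subprocess.run(cmd, check=True)  # stop at the first failing phase


if __name__ == "__main__":
    # usage: python fortify_py_scan.py <build_id> <source_dir> <out.fpr>
    run_scan(sys.argv[1], [sys.argv[2]], sys.argv[3])
```

With the post's sys.path the helper keeps seven directories; the author's hand-picked three (DLLs, Lib, site-packages) are a subset and are usually sufficient. The interesting part operationally is the -clean step: the plugin's Build ID field has the same consequence, so a rerun under an unchanged ID should be cleaned first.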

4. View Scan Results

  1. After the scan completes, a .fpr file (e.g., python_results.fpr) is written to the path set in Scan results location (FPR).
  2. Open the Fortify Audit Workbench client application.
  3. Click "File" -> "Open Project" and select the generated .fpr file.
  4. In Audit Workbench you can inspect each detected issue in detail: vulnerability category, severity, the affected lines of code, the dataflow trace from source to sink, and remediation guidance.

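Audit Workbench is not the only consumer of the .fpr. The file is a ZIP archive, and its audit.fvdl member holds the findings as XML, so the category, severity and primary location Audit Workbench shows can be pulled out by a script for triage or a CI gate. The reader below is an added example, not code from the original post or from Fortify. The element names it reads (Vulnerability, ClassInfo/Type and Kingdom, InstanceInfo/InstanceSeverity and Confidence, the trace Node flagged isDefault and its SourceLocation) follow SCA's FVDL output, but SAMPLE_FVDL is a constructed document trimmed to exactly those elements; a real audit.fvdl carries far more, and if your SCA version lays it out differently, adjust the tag names.

```python
"""Read findings out of a Fortify .fpr without opening Audit Workbench.

Added example, not from the original post or from Fortify. An .fpr is a ZIP;
audit.fvdl inside it is the findings XML. SAMPLE_FVDL is constructed and
trimmed to the elements this script reads.
"""
import io
import sys
import zipfile
import xml.etree.ElementTree as ET
from collections import Counter
from typing import BinaryIO, Dict, List, Union

SAMPLE_FVDL = """<?xml version="1.0" encoding="UTF-8"?>
<FVDL xmlns="xmlns://www.fortifysoftware.com/schema/fvdl" version="1.12">
 <Vulnerabilities>
  <Vulnerability>
   <ClassInfo><Kingdom>Input Validation and Representation</Kingdom>
    <Type>Command Injection</Type><AnalyzerName>dataflow</AnalyzerName></ClassInfo>
   <InstanceInfo><InstanceID>A1</InstanceID><InstanceSeverity>4.0</InstanceSeverity>
    <Confidence>5.0</Confidence></InstanceInfo>
   <AnalysisInfo><Unified><Trace><Primary>
    <Entry><Node><SourceLocation path="app/views.py" line="10"/></Node></Entry>
    <Entry><Node isDefault="true"><SourceLocation path="app/shell.py" line="42"/></Node></Entry>
   </Primary></Trace></Unified></AnalysisInfo>
  </Vulnerability>
  <Vulnerability>
   <ClassInfo><Kingdom>Input Validation and Representation</Kingdom>
    <Type>Command Injection</Type><AnalyzerName>dataflow</AnalyzerName></ClassInfo>
   <InstanceInfo><InstanceID>A2</InstanceID><InstanceSeverity>4.0</InstanceSeverity>
    <Confidence>4.0</Confidence></InstanceInfo>
   <AnalysisInfo><Unified><Trace><Primary>
    <Entry><Node isDefault="true"><SourceLocation path="app/shell.py" line="57"/></Node></Entry>
   </Primary></Trace></Unified></AnalysisInfo>
  </Vulnerability>
  <Vulnerability>
   <ClassInfo><Kingdom>Input Validation and Representation</Kingdom>
    <Type>Path Manipulation</Type><AnalyzerName>dataflow</AnalyzerName></ClassInfo>
   <InstanceInfo><InstanceID>A3</InstanceID><InstanceSeverity>3.0</InstanceSeverity>
    <Confidence>5.0</Confidence></InstanceInfo>
   <AnalysisInfo><Unified><Trace><Primary>
    <Entry><Node><SourceLocation path="app/files.py" line="8"/></Node></Entry>
   </Primary></Trace></Unified></AnalysisInfo>
  </Vulnerability>
 </Vulnerabilities>
</FVDL>
"""


def _local(tag: str) -> str:
    """Strip the XML namespace so lookups do not depend on the FVDL URI."""
    return tag.rsplit("}", 1)[-1]


def _text(elem: ET.Element, name: str) -> str:
    """Text of the first descendant whose local tag name is `name`."""
    for child in elem.iter():
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""


def _sink(vuln: ET.Element) -> Dict[str, str]:
    """Primary location: the trace Node flagged isDefault, else the last Node."""
    nodes = [n for n in vuln.iter() if _local(n.tag) == "Node"]
    chosen = next((n for n in nodes if n.get("isDefault") == "true"),
                  nodes[-1] if nodes else None)
    if chosen is not None:
        for loc in chosen.iter():
            if _local(loc.tag) == "SourceLocation":
                return {"path": loc.get("path", ""), "line": loc.get("line", "")}
    return {"path": "", "line": ""}


def parse_fvdl(xml_bytes: bytes) -> List[Dict[str, str]]:
    """Flatten every Vulnerability element into one row of strings."""
    rows = []
    for vuln in ET.fromstring(xml_bytes).iter():
        if _local(vuln.tag) != "Vulnerability":
            continue
        rows.append({"type": _text(vuln, "Type"), "kingdom": _text(vuln, "Kingdom"),
                     "severity": _text(vuln, "InstanceSeverity"),
                     "confidence": _text(vuln, "Confidence"), **_sink(vuln)})
    return rows


def load_findings(fpr: Union[str, BinaryIO]) -> List[Dict[str, str]]:
    """Open an .fpr (a ZIP archive) and parse its audit.fvdl member."""
    with zipfile.ZipFile(fpr) as zf:
        return parse_fvdl(zf.read("audit.fvdl"))


def summarize(rows: List[Dict[str, str]]) -> Counter:
    return Counter(r["type"] for r in rows)


def make_sample_fpr() -> io.BytesIO:
    """Constructed stand-in for python_results.fpr: a ZIP holding SAMPLE_FVDL."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("audit.fvdl", SAMPLE_FVDL)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # usage: python read_fpr.py python_results.fpr   (no argument: built-in sample)
    rows = load_findings(sys.argv[1] if len(sys.argv) > 1 else make_sample_fpr())
    for category, n in summarize(rows).most_common():
        print(f"{n:4d}  {category}")
    for r in sorted(rows, key=lambda r: -float(r["severity"] or 0)):
        print(f"{r['severity']:>4}  {r['type']:<20} {r['path']}:{r['line']}")
```

Namespace handling is deliberately loose (matching on local tag names) so the same reader works whether or not the FVDL namespace URI changes between SCA versions. The location printed is the trace node SCA marks as the default, which is the line Audit Workbench highlights when you select the issue; for a dataflow finding that is the sink, not the source.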
