Micro Focus Fortify Static Code Analyzer User Guide, Which Are No Longer Published As of This Release
Total Page:16
File Type:pdf, Size:1020Kb
Micro Focus Fortify Static Code Analyzer Software Version: 20.2.0 User Guide Document Release Date: Revision 1: December 2020 Software Release Date: November 2020 User Guide Legal Notices Micro Focus The Lawn 22-30 Old Bath Road Newbury, Berkshire RG14 1QN UK https://www.microfocus.com Warranty The only warranties for products and services of Micro Focus and its affiliates and licensors (“Micro Focus”) are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice. Restricted Rights Legend Confidential computer software. Except as specifically indicated otherwise, a valid license from Micro Focus is required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. Copyright Notice © Copyright 2003 - 2020 Micro Focus or one of its affiliates Trademark Notices All trademarks, service marks, product names, and logos included in this document are the property of their respective owners. Documentation Updates The title page of this document contains the following identifying information: l Software Version number l Document Release Date, which changes each time the document is updated l Software Release Date, which indicates the release date of this version of the software This document was produced on December 09, 2020. To check for recent updates or to verify that you are using the most recent edition of a document, go to: https://www.microfocus.com/support/documentation Micro Focus Fortify Static Code Analyzer (20.2.0) Page 2 of 216 User Guide Contents Preface 12 Contacting Micro Focus Fortify Customer Support 12 For More Information 12 About the Documentation Set 12 Change Log 13 Chapter 1: Introduction 17 Fortify Static Code Analyzer 17 Fortify ScanCentral SAST 18 Fortify Scan Wizard 18 Fortify Software Security Content 18 About the Analyzers 19 Related Documents 20 All Products 21 Micro Focus Fortify ScanCentral SAST 21 Micro Focus Fortify Software Security Center 22 Micro Focus Fortify Static Code Analyzer 22 Chapter 2: Installing Fortify Static Code Analyzer 25 Fortify Static Code Analyzer Component Applications 25 About Downloading the Software 27 About Installing Fortify Static Code Analyzer and Applications 27 Installing Fortify Static Code Analyzer and Applications 28 Installing Fortify Static Code Analyzer and Applications Silently (Unattended) 29 Installing Fortify Static Code Analyzer and Applications in Text-Based Mode on Non-Windows Platforms 32 Manually Installing Fortify Security Content 32 Using Docker to Install and Run Fortify Static Code Analyzer 33 Creating a Dockerfile to Install Fortify Static Code Analyzer 33 Running the Container 34 Example Docker Run Commands for Translation and Scan 35 Micro Focus Fortify Static Code Analyzer (20.2.0) Page 3 of 216 User Guide About Upgrading Fortify Static Code Analyzer and Applications 35 Notes About Upgrading the Fortify Extension for Visual Studio 36 About Uninstalling Fortify Static Code Analyzer and Applications 36 Uninstalling Fortify Static Code Analyzer and Applications 36 Uninstalling Fortify Static Code Analyzer and Applications Silently 37 Uninstalling Fortify Static Code Analyzer and Applications in Text-Based Mode on Non- Windows Platforms 37 Post-Installation Tasks 38 Running the Post-Install Tool 38 Migrating Properties Files 38 Specifying a Locale 39 Configuring for Security Content Updates 39 Configuring the Connection to Fortify Software Security Center 40 Removing Proxy Server Settings 40 Chapter 3: Analysis Process Overview 41 Analysis Process 41 Parallel Processing 42 Translation Phase 42 Mobile Build Sessions 43 Mobile Build Session Version Compatibility 43 Creating a Mobile Build Session 43 Importing a Mobile Build Session 43 Analysis Phase 44 Higher-Order Analysis 45 Modular Analysis 45 Modular Command-Line Examples 45 Translation and Analysis Phase Verification 46 Chapter 4: Translating Java Code 47 Java Command-Line Syntax 47 Java Command-Line Options 48 Java Command-Line Examples 50 Handling Resolution Warnings 50 Java Warnings 50 Using FindBugs 51 Micro Focus Fortify Static Code Analyzer (20.2.0) Page 4 of 216 User Guide Translating Java EE Applications 52 Translating Java Files 52 Translating JSP Projects, Configuration Files, and Deployment Descriptors 52 Java EE Translation Warnings 53 Translating Java Bytecode 53 Troubleshooting JSP Translation Issues 54 Chapter 5: Translating Kotlin Code 55 Kotlin Command-Line Syntax 55 Kotlin Command-Line Options 56 Kotlin Command-Line Examples 57 Kotlin and Java Translation Interoperability 57 Chapter 6: Translating Visual Studio and MSBuild Projects 58 Visual Studio and MSBuild Project Translation Prerequisites 58 Visual Studio and MSBuild Project Translation Command-Line Syntax 59 Handling Special Cases for Translating Visual Studio and MSBuild Projects 59 Running Translation From a Script 59 Translating Plain .NET and ASP.NET Projects 60 Translating C/C++ and Xamarin Projects 60 Translating Projects with Settings Containing Spaces 60 Translating a Single Project from a Visual Studio Solution 60 Translating Visual Studio Solutions with Excluded or Skipped Projects 61 Working with Multiple Targets and Projects for MSBuild Command 61 Analyzing Projects That Build Multiple Executable Files 61 Alternative Ways to Translate Visual Studio and MSBuild Projects 62 Alternative Translation Options for Visual Studio Solutions 62 Translating Without Explicitly Running Fortify Static Code Analyzer 62 Chapter 7: Translating C and C++ Code 64 C and C++ Code Translation Prerequisites 64 C and C++ Command-Line Syntax 64 Scanning Pre-processed C and C++ Code 65 C/C++ Precompiled Header Files 65 Troubleshooting Translation Failed Message 65 Micro Focus Fortify Static Code Analyzer (20.2.0) Page 5 of 216 User Guide Chapter 8: Translating JavaScript and TypeScript Code 67 Translating Pure JavaScript Projects 67 Excluding Dependencies 67 Excluding NPM Dependencies 68 Translating JavaScript Projects with HTML Files 68 Including External JavaScript or HTML in the Translation 69 Chapter 9: Translating Python Code 71 Python Translation Command-Line Syntax 71 Including Import Files 71 Including Namespace Packages 72 Using the Django Framework with Python 72 Python Command-Line Options 72 Python Command-Line Examples 73 Chapter 10: Translating Code for Mobile Platforms 74 Translating Apple iOS Projects 74 iOS Project Translation Prerequisites 74 iOS Code Analysis Command-Line Syntax 75 Translating Android Projects 75 Android Project Translation Prerequisites 75 Android Code Analysis Command-Line Syntax 76 Filtering Issues Detected in Android Layout Files 76 Chapter 11: Translating Go Code 77 Go Command-Line Syntax 77 Go Command-Line Options 77 Resolving Dependencies 78 Chapter 12: Translating Ruby Code 79 Ruby Command-Line Syntax 79 Ruby Command-Line Options 79 Adding Libraries 80 Micro Focus Fortify Static Code Analyzer (20.2.0) Page 6 of 216 User Guide Adding Gem Paths 80 Chapter 13: Translating Apex and Visualforce Code 81 Apex Translation Prerequisites 81 Apex and Visualforce Command-Line Syntax 81 Apex and Visualforce Command-Line Options 82 Downloading Customized Salesforce Database Structure Information 82 Chapter 14: Translating COBOL Code 84 Preparing COBOL Source and Copybook Files for Translation 84 COBOL Command-Line Syntax 85 Translating COBOL Source Files Without File Extensions 86 COBOL Command-Line Options 86 Chapter 15: Translating Other Languages and Configurations 88 Translating PHP Code 88 PHP Command-Line Options 88 Translating ABAP Code 89 INCLUDE Processing 90 Importing the Transport Request 90 Adding Fortify Static Code Analyzer to Your Favorites List 91 Running the Fortify ABAP Extractor 92 Uninstalling the Fortify ABAP Extractor 96 Translating Flex and ActionScript 97 Flex and ActionScript Command-Line Options 97 ActionScript Command-Line Examples 98 Handling Resolution Warnings 99 ActionScript Warnings 99 Translating ColdFusion Code 99 ColdFusion Command-Line Syntax 99 ColdFusion Command-Line Options 100 Translating SQL 100 PL/SQL Command-Line Example 101 T-SQL Command-Line Example 101 Translating Scala Code 101 Micro Focus Fortify Static Code Analyzer (20.2.0) Page 7 of 216 User Guide Translating ASP/VBScript Virtual Roots 101 Translating Dockerfiles 103 Classic ASP Command-Line Example 104 VBScript Command-Line Example 104 Chapter 16: Integrating into a Build 105 Build Integration 105 Make Example 106 Modifying a Build Script to Invoke Fortify Static Code Analyzer 106 Touchless Build Integration 107 Ant Integration 107 Gradle Integration 107 Including Verbose and Debug Options 108 Maven Integration 109 Installing and Updating the Fortify Maven Plugin 109 Testing the Fortify Maven Plugin Installation 109 Using the Fortify Maven Plugin 110 Chapter 17: Command-Line Interface 112 Translation Options 112 Analysis Options 114 Output Options 117 Other Options 120 Directives 122 Specifying Files and Directories 123 Chapter 18: Command-Line Utilities 125 Fortify Static Code Analyzer Utilities 125 About Updating Security Content 126 Updating Security Content 127 fortifyupdate Command-Line Options 127 Working with FPR Files from the Command Line