FortifySCA Installation and User Manual
Fortify SCA User Manual
Fortify SCA User Manual
1. Introduction
FortifySCA (Software Configuration Analysis) is a powerful software configuration analysis tool that helps users manage and maintain software configurations effectively.
This manual provides users with detailed instructions for FortifySCA so that they can better master the tool.
2. Installation and Configuration
1. Install FortifySCA: first, download and install the FortifySCA software from the official Fortify website.
Make sure the system environment is configured correctly during installation so that the tool runs smoothly.
2. Configure the database: after installation, configure FortifySCA's connection to the database.
Set it up according to the instructions in the manual for your database type (e.g. MySQL, Oracle).
3. Configure other parameters: depending on your needs, you may need to adjust other FortifySCA parameters such as scan scope and scan time.
Refer to the relevant instructions in the manual.
3. Usage
1. Scan a project: before scanning a project with FortifySCA, make sure all files in the project are under configuration management and the relevant parameters are configured correctly.
After the scan is executed, FortifySCA analyzes the code in the project and generates a report.
2. View the report: when the scan completes, FortifySCA generates a detailed report showing the security vulnerabilities and potential risks in the code.
Read the report carefully and fix the issues according to its recommendations.
3. Fix vulnerabilities: based on the FortifySCA report, fix the vulnerabilities found.
After fixing, run the scan again to make sure the vulnerabilities have been fully fixed.
4. Common Problems and Solutions
1. Inaccurate scan results: possible causes include files or directories missing from the code base, or file formats not supported by FortifySCA.
The solution is to make sure all files in the project are under configuration management and to check that the file formats meet FortifySCA's requirements.
2. Slow report generation: possible causes include database performance problems or an overly large scan scope.
The solution is to optimize the database configuration, or narrow the scan scope appropriately to reduce the analysis workload.
5. Maintenance and Updates
FortifySCA is a continuously improved software tool; we recommend updating to the latest version regularly to obtain more features and performance improvements.
OpenText Fortify SCA Quick Start Basic Service Description Data Sheet
they can:
• Produce SCA scans
• Triage scan results to identify and prioritize security vulnerabilities
• Incorporate the OpenText Fortify Solution into the development process
• Actions will include:
− Discuss Customer's security policies and secure coding standards
− Discuss Customer's development organization and process
− Discuss Customer's security organization and process
− Discuss OpenText Fortify integration points
− Present OpenText Fortify product overview
− Discuss Reporting and Metrics
− Discuss and prepare the OpenText Fortify Developer Workshop
− Discuss the way forward
• OpenText Fortify Infrastructure preparation and verification
• Install, configure, and deploy SSC
• Install, configure, and deploy SCA
• Integrate SCA with Build System
• Base-line scan of the Target Application
• Create Software Security Metrics
• Conduct OpenText Fortify Developer Workshop
• Provide OpenText Fortify Mentoring
• Quick Start conclusion meeting

This service will be delivered under the following assumptions and dependencies:
• OpenText and Customer agree these services include no deliverables
• The service is applicable for one Target Application and one Application Development Team for that Target Application
• The Target Application is built as a single unit with 500,000 or fewer lines of code
• The Target Application is developed in programming language(s) supported by OpenText Fortify SCA, and uses libraries and packages supported by OpenText Fortify SCA
• The OpenText Fortify Target Application Developer Workshop will be for a maximum of 12 students and course examples will be in a programming language supported by OpenText Fortify SCA

Service Eligibility
The customer must provide the following for delivery of this service:
• Hardware and software requirements to support the OpenText Fortify Solution as per the latest available system requirements for OpenText Fortify software products. Typically, components include:
− SCA Scan Server, with 64 bit OS and 8–32 GB RAM
− SSC Server, with 64 bit OS and 4–8 GB RAM
− Supported database
− Supported Web Application Server to run SSC
− A clone of the existing build environment for the Target Application
− One or more developer workstations
• All information required in the completed pre-installation customer questionnaire
• For any onsite or remote services delivery, any requisite access to the customer's network and servers including but not limited to VPN token and client software, server names and IP addresses, and administrative user names and passwords.
• The customer will be responsible for all applicable data backup

Service Limitations
This service will be delivered as a single, continuous event. Environments requiring multiple engagements or phases over longer periods of time are not included in this service, but can be accommodated at additional cost through a Statement of Work.
Activities such as, but not limited to, the following are excluded from this service:
• Installation and configuration of OpenText software appliances
• Racking of appliances or servers
• Performance testing or modeling services that, in the opinion of OpenText, are required due to unauthorized attempts by non-OpenText personnel to install, repair, maintain, or modify hardware, firmware, or software
• This service offering does not include the sale of additional OpenText products or support services, which shall require the necessary terms and conditions for such purchase pursuant to separate agreement between the parties.
• The services described in this document do not include delivery of services provided by OpenText Software Support, including fixing of software bugs. Customer is responsible for maintaining a valid support contract with OpenText and contacting OpenText Support for support-related issues.
• Services required due to causes external to the OpenText-maintained hardware or software
• Any services beyond the license limitations of the included products
• In addition, the customer will be responsible for all applicable data backup.

Customer Responsibility
• Contact an OpenText Professional Services specialist within 90 days of the date of purchase to schedule the delivery of the Service
• Coordinate Service deployment on third-party-maintained hardware/software (if applicable) with OpenText
• Assign a designated person from the customer's staff who, on behalf of the customer, will grant all approvals, provide information, attend meetings, and otherwise be available to assist OpenText in facilitating the delivery of this Service
• Ensure access to architect and lead developer familiar with the Target Application source code, build process, and build system
• Ensure access to system administrators for the set-up of the OpenText Fortify infrastructure, including but not limited to Database Server, Web Application Server, Bug Tracking System, LDAP, and Build System
• Ensure access to lead developer(s) to be trained as Project Security Leads familiar with the Target Application source code and build process
• Ensure that all Service prerequisites as identified in the Service Eligibility section are met
• Ensure the availability of all hardware, firmware, and software required by the OpenText Professional Services specialist to deliver this Service
• Retain and provide to OpenText upon request all original software licenses, license agreements, license keys, and subscription service registration information, as applicable for this Service
• The customer shall provide reasonable access and working space at the site as OpenText may reasonably request. The customer will provide OpenText and OpenText subcontractor staff standard telephone and dial-up or comparable data access to Network at industry standard speeds. OpenText shall observe the customer work rules and security and safety policies while performing Services at the site of which OpenText is informed of in writing in advance and that are not inconsistent with OpenText's own business practices.
Additional work area requirements may include but are not limited to:
• Personal computer to run SCA for each student preloaded with the student's normal development environment.
• Projector with appropriate screen
• Whiteboard with markers and wiper

Duration
Delivery of this Service will not exceed a total of 40 continuous service hours and may be performed remotely or onsite. For the onsite service, this Service includes up to one onsite visit by the OpenText Professional Services specialist.

Terms
This offering consists of a consulting and training effort and is governed by the OpenText Customer Terms. All capitalized terms used in this Data sheet, but not otherwise defined, will have the meaning assigned to them in the Terms. For purposes of this Data sheet, "services" mean consulting, integration, professional services or technical services performed by OpenText under this Data Sheet. Services excludes hardware maintenance and repair, software maintenance, education services, or other standard support services provided by OpenText; software as a service, and outsourcing services.
Acceptance of Deliverables occurs upon delivery.
Hiring of Employees. You agree not to solicit, or make offers of employment to, or enter into consultant relationships with, any OpenText employee involved, directly or indirectly, in the performance of services hereunder for one (1) year after the date such employee ceases to perform services under the terms of this Data sheet. You shall not be prevented from hiring any such employee who responds to a general hiring program conducted in the ordinary course of business and not specifically directed to such OpenText employees.
Authorization to Install Software. During the provision of services, OpenText may be required to install copies of third-party or OpenText-branded software and be required to accept license terms accompanying such software ("Shrink-Wrap Terms") on your behalf. Shrink-Wrap Terms may be in electronic format, embedded in the software, or contained within the software documentation. You hereby acknowledge that it is your responsibility to review Shrink-Wrap Terms at the time of installation, and hereby authorize OpenText to accept all Shrink-Wrap Terms on your behalf.
Intellectual Property. OpenText may provide OpenText tools, templates, and other pre-existing intellectual property of OpenText during the course of providing services ("OpenText Pre-existing IP"). OpenText Pre-existing IP does not include, nor is considered a part of, either the Deliverables or OpenText software products. OpenText retains all intellectual property ownership rights in such OpenText Pre-existing IP. All OpenText Pre-existing IP is OpenText Confidential Information. OpenText Pre-existing IP may be governed by additional license terms that are embedded in the OpenText Pre-existing IP.

Payment and Validity
This offering will be pre-billed. You agree to pay invoiced amounts within thirty (30) days of the invoice date. If applicable, you must schedule delivery of the offering to be completed within a period of one (1) year from the date of purchase. Notwithstanding the previous sentence, OpenText's obligations to deliver the offering under this Data sheet are considered fulfilled and your rights of receipt of the offering under this Data sheet will expire one (1) year from the date of purchase. Pricing for the offering may vary by country.

Cancellation
To avoid a Cancellation Fee as defined herein, you shall notify OpenText in writing of cancellation or rescheduling at least ten (10) business days prior to the offering start date. Cancellations or rescheduling with less than ten (10) business days notification will incur 100% of the offering fee ("Cancellation Fee"). If you cancel with ten (10) or more business days in advance of scheduled delivery, you may reschedule only if delivery will be complete within one year from the purchase date.

Change in Scope
Changes in scope are not allowed. You can request additional or different services, if available and at additional cost, through a statement of work or change order.

SKUs
PS-AA680 (On-Site)
PS-AA705 (Remote)
Fortify Software Security Center 19.2.0 Installation Instructions for Windows 2016
Author: Vikas Johari
Date: 12 February 2020
Document Version: v0.1
Installing SSC 19.2.0 with MSSQL 2017 in Easy Steps on Windows 2016
Fortify SCA 19.x Deployment Guide

Contents
Introduction
Installation of MS SQL 2017
Installation of MS SQL 2017 Management Studio
Creating Database for SSC
Creating the Tables for Fortify Components
Download and install JDK 1.8.x
Download and Install Tomcat 9.0.x service for Windows
Deploying JDBC Driver
Deploying SSC war file

Introduction
This document will guide Pre-Sales and Partners to install SSC 19.2.0 on MS Windows 2016 with MS SQL 2017 Server Edition Database.
The hardware and software requirements are given in this link: https:///documentation/fortify-software-security-center/1920/Fortify_Sys_Reqs_19.2.0/index.htm#SSC/SSC_Reqs.htm%3FTocPath%3DFortify%2520Software%2520Security%2520Center%2520Server%2520Requirements%7C_____0
Install Windows 2016 and apply all the required patches.

Installation of MS SQL 2017
Mount the MS SQL 2017 Server ISO and run the installer.
Click on Installation.
In the Installation screen, select "New SQL Server stand-alone installation or add …". Enter the Product key and click Next.
Accept the license agreement, then click Next.
Enable "Use Microsoft Update to check for updates", then click Next.
Let it complete the task.
Enable the following features:
• Database Engine Service
• Client Tools Connectivity
• Client Tools Backwards Compatibility
Click Next.
If you want to change the Instance name, change it; otherwise click Next to continue.
In the Server Configuration screen, make sure the Startup Type of SQL Server Agent and SQL Server Database Engine is Automatic.
Click on Collation -> Customize.
Select "SQL_Latin1_General_CP1_CS_AS" and click OK.
Click Next.
In the Database Engine Configuration, select Mixed Mode, enter the password of user "sa" and also add the Windows Administrator user.
Click Next.
Click Next in the Ready to Install screen.
Wait for the installation to complete.
Verify that all the components are installed, then click Close.
Open SQL Server Configuration Manager and validate that TCP/IP is enabled and configured with the correct IP address.

Installation of MS SQL 2017 Management Studio
Download MS SQL 2017 Management Studio from https:///en-us/sql/ssms/download-sql-server-management-studio-ssms?view=sql-server-2017 and install it.
Click Install.
Wait for the installation to complete.
Click Close.

Creating Database for SSC
Start MS SQL Server Management Studio.
Set Authentication to "SQL Server Authentication", enter the login name "sa" and its password, then click Connect.
In the Object Explorer, expand the server, right-click on Databases and select New Database.
Enter the database name "FortifyDB" and change the path of the database and log file to "C:\SQLDB" (optional).
Click on "Options" in the left panel. Under Collation make sure "SQL_Latin1_General_CP1_CS_AS" is selected. This is a mandatory step; otherwise the seed bundles will not upload in the later steps.
Then click OK.
Validate that the database has been created.

Creating the Tables for Fortify Components
Extract "Fortify_19.2.0.zip" into a temporary folder named "C:\Fortify_Installer".
Extract the "create-tables.sql" file from Fortify_SSC_Server_19.2.0.zip -> Fortify_19.2.0_Server_WAR_Tomcat.zip -> sql -> sqlserver.
Open it in Notepad++.
Right-click on "FortifyDB" -> New Query.
Paste the content of "create-tables.sql" into the query and execute it.
Verify that the query executed successfully.

Download and install JDK 1.8.x
Download and install JDK 1.8 from https:///technetwork/java/javase/downloads/jdk8-downloads-2133151.html
Set the "JAVA_HOME" system environment variable to "C:\Program Files\Java\jdk1.8.0_201".

Download and Install Tomcat 9.0.x service for Windows
Download and install the "32-bit/64-bit Windows Service Installer" of the Tomcat Windows service from https:///download-90.cgi
Click Next.
Click I Agree.
Select the options as above, then click Next.
Make the changes as per the above screen, then click Next.
Verify the JRE folder and click Next.
Change the default install location to "C:\Tomcat9".
Note: This is a very important step. If the Tomcat install folder name has any spaces, SSC will give errors during vulnerability auditing.
Click Install.
Wait for the installation to complete. Click Finish.
Start the Tomcat service and test the connection by opening port 8080 in the browser.
Set the initial memory pool to 4096 MB and the maximum memory pool to 4096 MB.
In Log On, select "Local System account", then click OK.
Optional: If SSC has to run over HTTPS, configure Tomcat to use HTTPS with a certificate and document the HTTPS port.

Deploying JDBC Driver
Download the JDBC Driver v6.0 for MS SQL 2017 from https:///en-in/download/details.aspx?id=11774 (the file "sqljdbc_6.0.8112.200_enu.tar.gz").
Extract the downloaded file. Copy the "sqljdbc42.jar" file to the C:\Tomcat9\lib folder.

Deploying SSC war file
Copy the ssc.war file to the C:\Tomcat9\webapps folder. Then restart the Tomcat service.
Open the URL http://ip:8080/ssc in Chrome.
Click on the ADMINISTRATORS link in the top right corner.
It will ask you to enter the token.
Open the init.token file from the C:\Windows\System32\config\systemprofile\.fortify\ssc folder in Notepad++.
Note: In case of any issue in the SSC installation process, you can open the ssc.log file in Notepad++; it will be in the "C:\Windows\System32\config\systemprofile\.fortify\ssc\logs" folder.
Note: If you are using the Tomcat standalone version or running Tomcat from the command line, the init.token will be in the C:\Users\Administrator\.fortify\ssc folder. Similarly, the log files will be found in the "C:\Users\Administrator\.fortify\ssc\logs" folder.
Copy the token key and paste it into SSC.
Click SIGN IN.
Note: This token will keep changing until you complete the setup.
Click Next.
Click the UPLOAD button to select and upload the "fortify.license" file.
Click Next and create a folder named C:\GlobalSearch.
Enter the URL for Fortify SSC, i.e. http://172.17.5.240:8080/ssc or :8080/ssc, enable Global Search, enter "C:\GlobalSearch" in the text box and click Next.
Note: Do not use http://127.0.0.1:8080/ssc as the SSC URL; it will create problems in later stages.
Enter the DATABASE USERNAME "sa" and its password.
Enter the JDBC URL as
jdbc:sqlserver://172.17.5.240:1433;database=FortifyDB;sendStringParametersAsUnicode=false
or
jdbc:sqlserver://127.0.0.1:1433;database=FortifyDB;sendStringParametersAsUnicode=false
Test the connection.
If the test is successful, click Next.
In the Seed Database step, BROWSE and select each file and click on SEED DATABASE in the following sequence:
• Fortify_Process_Seed_Bundle-2019_Q3.zip
• Fortify_Report_Seed_Bundle-2019_Q3.zip
• Fortify_PCI_Basic_Seed_Bundle-2019_Q3.zip
• Fortify_PCI_SSF_Basic_Seed_Bundle-2019_Q3.zip
Browse and select Fortify_Process_Seed_Bundle-2019_Q3.zip.
Click SEED DATABASE.
After the file has been processed successfully, browse and select "Fortify_Report_Seed_Bundle-2019_Q3.zip", then click SEED DATABASE.
After the file has been processed successfully, browse and select "Fortify_PCI_Basic_Seed_Bundle-2019_Q3.zip", then click SEED DATABASE.
Browse and select "Fortify_PCI_SSF_Basic_Seed_Bundle-2019_Q3.zip". After the files have been processed successfully, click Next.
Click Finish.
Now you must restart the Tomcat service.

Test the SSC Server
Open the SSC Server URL (i.e. http://172.17.5.240:8080/ssc) and log in as user "admin" with the password "admin".
SSC will ask you to change the password.
Now log in as admin with the new password.
Click Administration.
Conditional: if a proxy setting is required to download rulepacks, configure it in ADMINISTRATION -> Configuration -> Proxy.
Click Rulepacks and then click on UPDATE FROM SERVER.
In a few minutes, all the rules will be downloaded. Click CLOSE.
Now the SSC Server is ready to use.
Note: This guide is not official documentation by Micro Focus. Please read and refer to the official product documentation for additional information.
< !! End of the Document !! >
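The guide above states several constraints whose violation only shows up later (a space in the Tomcat install folder breaks vulnerability auditing, a 127.0.0.1 SSC URL "creates problems in later stages", the wrong collation makes the seed bundles fail, and the JDBC URL must carry `sendStringParametersAsUnicode=false`). The following script is an added example, not part of the guide or of Fortify's own tooling: it encodes those constraints as a preflight check that can be run before the setup wizard. It generalizes the loopback rule to `localhost` and `::1` as well as 127.0.0.1, which is this example's assumption rather than the guide's wording; the sample paths and URLs are constructed values mirroring the guide, not a real environment.

```python
"""Preflight checks for the SSC-on-Tomcat setup described in the guide.

Added example; encodes the guide's own constraints so they can be checked
from a script. All sample values below are constructed.
"""
from urllib.parse import urlparse

REQUIRED_COLLATION = "SQL_Latin1_General_CP1_CS_AS"
REQUIRED_DB = "FortifyDB"
REQUIRED_JDBC_PARAM = ("sendStringParametersAsUnicode", "false")
# Assumption of this example: treat every loopback name as disallowed,
# not only the 127.0.0.1 literal the guide mentions.
LOOPBACK_HOSTS = ("127.0.0.1", "localhost", "::1")


def parse_jdbc_sqlserver_url(url: str) -> dict:
    """Split 'jdbc:sqlserver://host[:port];key=value;...' into its parts.

    Only the subset of the SQL Server JDBC URL syntax used in the guide
    (host:port followed by ';'-separated properties) is handled.
    """
    prefix = "jdbc:sqlserver://"
    if not url.startswith(prefix):
        raise ValueError("not a jdbc:sqlserver:// URL")
    parts = url[len(prefix):].split(";")
    host, _, port = parts[0].partition(":")
    props = {}
    for item in parts[1:]:
        if item:
            key, _, value = item.partition("=")
            props[key.strip()] = value.strip()
    # 1433 is the SQL Server default when no port is given.
    return {"host": host, "port": int(port) if port else 1433, "props": props}


def check_ssc_setup(tomcat_dir: str, ssc_url: str, jdbc_url: str,
                    collation: str) -> list:
    """Return human-readable findings; an empty list means every check passed."""
    findings = []

    # Guide: a Tomcat folder name containing spaces breaks vulnerability auditing.
    if " " in tomcat_dir:
        findings.append(f"Tomcat install folder contains a space: {tomcat_dir!r}")

    # Guide: do not use http://127.0.0.1:8080/ssc as the SSC URL.
    parsed = urlparse(ssc_url)
    if parsed.hostname in LOOPBACK_HOSTS:
        findings.append(f"SSC URL uses a loopback address: {ssc_url}")
    if not parsed.path.rstrip("/").endswith("/ssc"):
        findings.append(f"SSC URL does not end in /ssc: {ssc_url}")

    # Guide: JDBC URL names FortifyDB and sets sendStringParametersAsUnicode=false.
    try:
        jdbc = parse_jdbc_sqlserver_url(jdbc_url)
    except ValueError as exc:
        findings.append(f"JDBC URL invalid: {exc}")
    else:
        if jdbc["props"].get("database") != REQUIRED_DB:
            findings.append(f"JDBC URL database is not {REQUIRED_DB}")
        key, value = REQUIRED_JDBC_PARAM
        if jdbc["props"].get(key, "").lower() != value:
            findings.append(f"JDBC URL is missing {key}={value}")

    # Guide: the collation must be the case-sensitive one, or seeding fails.
    if collation != REQUIRED_COLLATION:
        findings.append(
            f"database collation is {collation}, expected {REQUIRED_COLLATION}")

    return findings


if __name__ == "__main__":
    # Constructed sample inputs: one setup that follows the guide, one that does not.
    ok = check_ssc_setup(
        r"C:\Tomcat9", "http://172.17.5.240:8080/ssc",
        "jdbc:sqlserver://172.17.5.240:1433;database=FortifyDB;"
        "sendStringParametersAsUnicode=false",
        "SQL_Latin1_General_CP1_CS_AS")
    print("compliant setup findings:", ok)
    for finding in check_ssc_setup(
            r"C:\Program Files\Apache Software Foundation\Tomcat 9.0",
            "http://127.0.0.1:8080/ssc",
            "jdbc:sqlserver://127.0.0.1:1433;database=FortifyDB",
            "SQL_Latin1_General_CP1_CI_AS"):
        print("FAIL:", finding)
```

Run it on the values you intend to type into the wizard; the second, deliberately wrong input set reports all four problems, and the first reports none.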
Fortify User Manual
Fortify User Manual
China Construction Bank Online Banking Investment Product Innovation Project
Fortify User Manual
Head Office Information Technology Management Department, Guangzhou Development Center, June 2008
Revision history
The information contained in this document is confidential. Without the written permission of China Construction Bank, no one may copy or make use of it.
© Copyright 2008 by China Construction Bank
Contents
1. Introduction
1.1 Purpose
1.2 Background
1.3 Definitions
1.4 Environment
1.5 Points to note
1.6 Related requirements
2. Installing Fortify
2.1 Enter the Fortify installation directory
2.2 Enter the license key: BAHODPERE9I9
2.3 Select All Users
2.4 Select all of the options below
2.5 Select the No option
3. Using Fortify
3.1 Enter the source directory and run SCACommandLineScan.bat
3.2 Contents of SCACommandLineScan.bat
4. Querying results
5. Possible problems
6. Result analysis
6.1 Race Condition
6.2 SQL Injection
6.3 Cross-Site Scripting
6.4 System Information Leak
6.5 HTTP Response Splitting
1. Introduction
1.1 Purpose
Raise software security awareness in the center's projects; convey the head office's requirements on secure coding and security testing; understand and learn how to use Fortify SCA.
1.2 Background
Online banking investment product innovation project document.
1.3 Definitions
Fortify Source Code Analysis Suite is a tool from Fortify Software (USA) that provides software development organizations with scanning, analysis and management of security vulnerabilities in software source code.
Using this tool compensates for the gaps in source-code security knowledge among developers, security staff and managers, speeds up code security audits, and makes software security risk management easier.
Fortify SCA Acceptance Method and Procedure
Fortify SCA Acceptance Method and Procedure
The software source code security vulnerability detection product to be accepted, Fortify SCA, is produced by Fortify (USA); the version is Fortify 360_V2.1_SCA. The product is a genuine, qualified product with an official (paper) product licence granted by the vendor.
All functional indicators of the product shall be consistent with the "Fortify SCA Product Function Detailed Description" and shall satisfy every product functional requirement raised by our side.
To carry out the acceptance of Fortify SCA smoothly, the acceptance is divided into the following aspects:
1. Acceptance of the Fortify SCA product installation media: the installation media (CD) for the Fortify SCA product provided by the vendor/agent shall contain the following: Fortify360_V2_SCA product acceptance checklist. 1. Fortify 360_V2_SCA installation software list checklist: 2. Fortify 360_V2_SCA product technical documentation: acceptance passes only after our technical staff have checked that the contents of the installation media (CD) fully match the table above.
2. Acceptance of the vendor's (paper) product licence for Fortify SCA: check whether there is a (paper) product licence from Fortify authorizing our use of the product.
Acceptance passes only once our legitimate use of a genuine Fortify SCA product is ensured.
3. Acceptance of the Fortify SCA product licence file: check and ensure that the Fortify SCA licence file supplied by the vendor/agent is usable and correctly enables normal operation of the Fortify SCA product; only then does acceptance pass.
4. Preparation of the Fortify SCA product acceptance test environment: the Fortify SCA product test environment requires the following. Hardware: CPU clock >= 1 GHz, memory >= 2 GB, disk (free space on the system drive) >= 2 GB. Software: operating system: any of Windows, Red Hat Linux, AIX 5.3, HP-UX 11.
Windows XP is recommended.
Development environment: any of VS2005/2003, VC6.0, Eclipse 2.x, Eclipse 3.x, RAD6, WSAD 5.
Fortify Installation and User Manual Template
Fortify SCA Installation and User Manual
Number: GRG_YT-RDS-PD-D03_A.0.1
Version: V1.0
Release date: 2011-5-5
Document history: number and name, version, release date, creation/modification notes, participants
Copyright notice
The property rights and copyright of this software product (including any programs, images, documents and accompanying printed materials it contains) and of any copy of this software product belong to GRG Banking Equipment Co., Ltd. (广州广电运通金融电子股份有限公司).
You may not reverse engineer or decompile this software product by any tool or by any means.
Without the permission of GRG Banking Equipment Co., Ltd., you may not publish any part or all of this software product or any related materials for any purpose or by any means; otherwise you will be subject to severe civil and criminal penalties and will be prosecuted to the maximum extent permitted by law.
Contents
Document history
1. Product description
1.1. Feature description
1.2. Product update notes
2. Installation
2.1. Files required for installation
2.2. System platforms supported by Fortify SCA
2.3. Supported languages
2.4. Fortify SCA plugins
2.5. Compilers supported by Fortify SCA
2.6. Installing Fortify SCA on Windows
2.7. Installing the Fortify SCA Eclipse plugin
2.8. Installing Fortify SCA on Linux (requires the Linux installer)
2.9. Installing Fortify SCA on Unix (requires the Unix installer)
3. Usage
3.1. Fortify SCA scanning guide
3.2. Analyzing Fortify SCA scan results
4. Troubleshooting
4.1 Using log files to debug problems
4.2 Translation failure messages
4.3 JSP translation failures
4.4 C/C++ precompiled headers
Preface
Fortify SCA is currently the most comprehensive source-code white-box security testing tool in the industry: it locates security problems precisely at the code level, completes testing fully automatically, ships the broadest set of security vulnerability rules, and analyzes source code security problems from multiple dimensions.
Fortify 20.1.0 / Fortify SSC 20.x ScanCentral Installation and Configuration Guide
Deployment Guide
Installation and Configuration of ScanCentral on Fortify 20.1.0 / Fortify SSC 20.x
Author: Vikas Johari
Date: 01 August 2020
Document Version: v0.1

Contents
Installing ScanCentral Controller
Configuring ScanCentral in SSC
Configuring ScanCentral Sensor
Configuring the ScanCentral Client
Running a Simple Sample Scan using Build Tool
Running a Sample Scan from Visual Studio 2019
Configuring Jenkins Project to use ScanCentral
Running a Sample Scan and uploading to SSC

Installing ScanCentral Controller
In the Download folder, extract the ScanCentral Controller zip file.
Unzip Fortify_ScanCentral_Controller_20.1.0_x64.zip.
Move the "Fortify_ScanCentral_Controller_20.1.0_x64" folder to the C:\Program Files\Fortify folder.
Open the folder.
Open server.xml in the tomcat\conf folder in Notepad++.
Note: On this server SSC and Jenkins are already running on port 8080, so the port of the ScanCentral components has to be changed, i.e. to 8280; otherwise there will be a port conflict.
Find the server port 8005 and change it to 8205.
Find the Connector port 8080 and change it to 8280.
Note: If you are planning to use the SSL port, make sure port 8443 is also changed to another non-conflicting port.
Save the file.
Open the C:\Program Files\Fortify\Fortify_ScanCentral_Controller_20.1.0_x64\tomcat\webapps\scancentral-ctrl\WEB-INF\classes\config.properties file in Notepad++.
Locate and fix the URLs.
Save the file.
Open CMD in the ScanCentral Controller's tomcat\bin folder. Make sure CMD has Administrator privileges.
Run the command: service.bat install ScanCentralController
Open services.msc.
Find the new Apache Tomcat 9.0 ScanCentralController service.
Make this service Automatic (Delayed Start).
In Log On, change to "Local System account" and enable "Allow service to interact with desktop".
Start the service.
Start the browser and connect to port 8280. The URL will be :8280/scancentral-ctrl
This message indicates that Fortify ScanCentral Controller is working.

Configuring ScanCentral in SSC
Now open SSC and log in as admin.
Open Administration -> Configuration -> ScanCentral.
Enable ScanCentral.
ScanCentral URL: :8280/scancentral-ctrl
Poll Period: 30 seconds
Shared Secret: changeme
Click Save.
Note: if you want to use a different Shared Secret, make the change in the file below:
Restart SSC's Tomcat.
Log in to SSC and click on SCANS -> Controller.
Validate that the information from the config file is displayed on the screen.

Configuring ScanCentral Sensor
Now configure the Sensor.
Create the file "C:\Program Files\Fortify\Fortify_SCA_and_Apps_20.1.0\Core\config\worker.properties" and enter the text as above.
Note: if you want to change to a different token, change it first in the controller's config.properties file and then in worker.properties.
Go to the folder "C:\Program Files\Fortify\Fortify_SCA_and_Apps_20.1.0\bin\scancentral-worker-service" and open CMD as Administrator.
Create a folder named C:\ScanCentralWorkdir.
The command will be: setupworkerservice.bat 20.1.0 :8280/scancentral-ctrl CHANGEME123!
Type "Y" and hit the Enter key.
Open services.msc.
Open Properties of the FortifyScancentralWorkerService.
Set the Startup type to "Automatic (Delayed Start)".
In Log On, select Local System account and Allow service to interact with desktop.
Click OK and start the service.
Open SSC and go to SCANS -> Sensors.
Check its State.
The Active state indicates that the sensor is running fine.

Configuring the ScanCentral Client
Open "C:\Program Files\Fortify\Fortify_SCA_and_Apps_20.1.0\Core\config\client.properties" and update the client_auth_token value to match the C:\Program Files\Fortify\Fortify_ScanCentral_Controller_20.1.0_x64\tomcat\webapps\scancentral-ctrl\WEB-INF\classes\config.properties file.

Running a Simple Sample Scan using Build Tool
Change the folder to C:\Program Files\Fortify\Fortify_SCA_and_Apps_20.1.0\plugins\maven\maven-plugin-src\samples\EightBall using CMD to test the ScanCentral client.
Run the command below to use Maven as the build tool:
scancentral -url :8280/scancentral-ctrl start -bt mvn
Wait for the message "Submitted job and received token: ..".
Go back to SSC -> SCANS -> Scan Requests.
Validate the Build ID, Job token and Status of the job. Wait a few minutes for it to complete.
can be downloaded from the EXPORT dropdown.
The FPR file can be opened in AWB.

Running a Sample Scan from Visual Studio 2019
Open the Riches DotNet solution in Visual Studio 2019 -> Extensions -> Fortify -> Options -> ScanCentral Settings.
Configure the ScanCentral settings.
Open SSC -> Administration -> Users -> Token Management.
Click New.
Select the ScanCentralCtrlToken, enter a description and click Save.
Copy and save the tokens in a safe place. Click Close.
Create a new version "5.0" of the Riches DotNet application for Visual Studio. The FPR file from Visual Studio's ScanCentral scan will be uploaded to version 5.0.
Go back to Visual Studio.
Enable "Send Scan Results to SSC" and enter the Controller Token. Click OK.
Extensions -> Fortify -> Upload Solution to ScanCentral.
Enter the SSC credentials and click OK.
Select 5.0 and click OK.
The plugin will display the confirmation along with the job token. Click OK to close the window.
Open SSC -> SCANS -> Scan Requests.
The RichesDotNet job will appear in a few seconds; hit Refresh if it is not visible.
Wait for it to complete.
ScanCentral will upload the FPR into the application version. Validate this in the application version -> Artifact.
The FPR file will be uploaded there.

Configuring Jenkins Project to use ScanCentral
In SSC, create a new version "6.0" of the Riches DotNet application.
Open Jenkins -> Manage Jenkins -> Configure System and scroll down to the end of the page.
Validate that the SSC URL is configured and the Controller URL is blank and not editable, because this plugin expects ScanCentral to be configured before the Jenkins plugin is configured.
Let's use the workaround.
Remove the SSC URL; the Controller URL now becomes active. Enter the Controller URL, Controller Token and then the SSC URL.
Test SSC Connection and Test Controller Connection.
Click Save.
Create a new Jenkins project named "Riches DotNet via ScanCentral", and select Copy from the "Riches DotNet via GitLab" project. This option is at the bottom of the screen.
In Post Build Action -> Fortify Assessment, select the options below:
Save and run the project.
If everything goes well, the scan job will be submitted to ScanCentral and the token will be received.
Note: The logic gate will not work with ScanCentral; that is why the option for Logic Gate is missing at this point and you will need to create it later in the software lifecycle. The goal with ScanCentral is to perform asynchronous scans so that the build pipeline does not have to wait for the scan to finish.
Now check the Scan Requests in SSC - version.

Running a Sample Scan and uploading to SSC
Create a new application named "WebGoat for ScanCentral", version "5.0".
Run the fortifyclient command to list the application versions:
fortifyclient -url :8080/ssc -authtoken db796568-9a96-4611-82d9-9a9954902087 listApplicationVersions
Note: The token generated in section "Running a Sample Scan from Visual Studio 2019" should be used.
Create the build using:
cd "C:\Program Files\Fortify\Fortify_SCA_and_Apps_20.1.0\Samples\advanced\webgoat"
sourceanalyzer -b WebGoat_via_ScanCentral -clean
sourceanalyzer -b WebGoat_via_ScanCentral -source 1.5 -cp "WebGoat5.0/WebContent/WEB-INF/lib/*.jar" WebGoat5.0/JavaSource WebGoat5.0/WebContent
Submit the scan using:
scancentral -url :8280/scancentral-ctrl start -upload --application "WebGoat for ScanCentral" --application-version "5.0" -b WebGoat_via_ScanCentral -uptoken db796568-9a96-4611-82d9-9a9954902087 -scan -Xmx2G
The scan is submitted to ScanCentral.
Validate the scan in Scan Requests. When the status changes to "Upload Completed"
< !! End of the Document !! >
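The last section runs three commands by hand: `sourceanalyzer -clean`, the `sourceanalyzer` translate step, and `scancentral start -upload`, and then watches for the "Submitted job and received token" message that an earlier section mentions. The script below is an added example, not code from the guide or from Fortify: it assembles those same invocations as argument lists (so the space in "C:\Program Files" and the literal `*.jar` classpath wildcard survive without shell quoting), takes the SSC upload token from the `SSC_UPLOAD_TOKEN` environment variable instead of typing it on the command line, and parses the job token out of the tool's output. The environment variable name, the controller URL, and the injectable `run` callback are assumptions of this example; the sample token and output lines are constructed.

```python
"""Translate-then-submit sequence for ScanCentral, as argv lists.

Added example, not the guide's or Fortify's code. Only flags that appear
in the guide are used; the SSC_UPLOAD_TOKEN variable and the 'run'
callback are this example's own conventions.
"""
import os
import re
import subprocess
from typing import Callable, List, Optional

# Message the guide says scancentral prints after a successful submit.
TOKEN_RE = re.compile(r"Submitted job and received token:\s*(\S+)")


def translate_commands(build_id: str, source_dirs: List[str], classpath: str,
                       source_level: str = "1.5") -> List[List[str]]:
    """The two sourceanalyzer invocations from the guide, as argv lists.

    Passing the classpath as one argv element keeps the '*.jar' wildcard
    literal for sourceanalyzer, which is what the quotes in the guide do.
    """
    clean = ["sourceanalyzer", "-b", build_id, "-clean"]
    translate = ["sourceanalyzer", "-b", build_id, "-source", source_level,
                 "-cp", classpath] + list(source_dirs)
    return [clean, translate]


def submit_command(controller_url: str, build_id: str, application: str,
                   version: str, upload_token: str, heap: str = "2G") -> List[str]:
    """The 'scancentral ... start -upload' invocation from the guide."""
    return ["scancentral", "-url", controller_url, "start", "-upload",
            "--application", application, "--application-version", version,
            "-b", build_id, "-uptoken", upload_token, "-scan", f"-Xmx{heap}"]


def parse_job_token(output: str) -> Optional[str]:
    """Extract the job token from scancentral's output, or None if absent."""
    match = TOKEN_RE.search(output)
    return match.group(1) if match else None


def run_real(argv: List[str]) -> str:
    """Run a command without a shell and return its stdout (raises on failure)."""
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout


def run_pipeline(controller_url: str, build_id: str, application: str,
                 version: str, source_dirs: List[str], classpath: str,
                 run: Callable[[List[str]], str] = run_real,
                 token: Optional[str] = None) -> Optional[str]:
    """Clean, translate, submit; return the job token reported by scancentral."""
    token = token or os.environ.get("SSC_UPLOAD_TOKEN")  # assumed variable name
    if not token:
        raise RuntimeError("SSC_UPLOAD_TOKEN is not set")
    for argv in translate_commands(build_id, source_dirs, classpath):
        run(argv)
    output = run(submit_command(controller_url, build_id, application, version, token))
    return parse_job_token(output)


if __name__ == "__main__":
    # Constructed demo: a fake runner that records argv and returns a sample line.
    seen = []

    def fake_run(argv):
        seen.append(argv)
        return "Submitted job and received token: SAMPLE-TOKEN\n" if argv[0] == "scancentral" else ""

    job = run_pipeline("http://controller.example:8280/scancentral-ctrl",
                       "WebGoat_via_ScanCentral", "WebGoat for ScanCentral", "5.0",
                       ["WebGoat5.0/JavaSource", "WebGoat5.0/WebContent"],
                       "WebGoat5.0/WebContent/WEB-INF/lib/*.jar",
                       run=fake_run, token="PLACEHOLDER-UPLOAD-TOKEN")
    for argv in seen:
        print(" ".join(argv))
    print("job token:", job)
```

With `run=run_real` (the default) and `SSC_UPLOAD_TOKEN` exported, the same call drives the real tools from the WebGoat sample folder; because no shell is involved, the application name containing spaces is delivered to `scancentral` as a single argument exactly as the guide's quoted form intends.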
Fortify SCA Source Code Application Security Testing Tool Quick Start Manual
Fortify SCA Source Code Application Security Testing Tool Quick Start Manual
Document version: v1.0
Release date: 2022-11
Shenzhen Wen'an Technology Co., Ltd. (深圳市稳安技术有限公司)
Fortify SCA Source Code Application Security Testing Tool Quick Start Manual
Fortify SCA (Static Code Analyzer) is a static application security testing (SAST) product from Micro Focus. It lets development teams and security experts analyze source code and detect security vulnerabilities, helping developers identify and prioritize problems faster and more easily, and then fix them.
Fortify SCA supports 27 programming languages: ABAP/BSP, Apex, C/C++, C#, Classic ASP, COBOL, ColdFusion, CFML, Flex/ActionScript, Java, JavaScript, JSP, Objective C, PL/SQL, PHP, Python, T-SQL, , VBScript, VB6, XML/HTML, Ruby, Swift, Scala, Kotlin, Go. It can detect more than 1051 vulnerability categories covering over a million individual APIs.
1. Installing the Fortify SCA Source Code Application Security Testing Tool
1. Create a Huawei Cloud ECS server
1.1 Recommended host configuration:
1.2 Supported operating systems:
1.3 Network configuration, security group rule requirements:
1.3.1 Linux: port 22 (SSH management login)
1.3.2 Windows: port 3389 (Windows RDP)
1.4 Install the operating system: log in to the platform server remotely via VNC or CloudShell and install the operating system from a suitable image as needed.
1.5 Prepare the code build environment: scanning the following languages requires the corresponding build environment, and the code must compile before it is scanned: a) C#, , b) C/C++ on Windows or Linux, c) iPhone App. Users must install the build environment appropriate to their code and make sure the code to be scanned compiles.
2. Install Fortify SCA
2.1 Upload the installation package: after purchasing the product, download the installer archive matching the scan host's operating system from the Micro Focus download platform, extract the installer and upload it to the cloud server.
Micro Focus Fortify Jenkins Plugin Software Version 18.20 Installation and Usage Guide
Micro Focus Fortify Jenkins Plugin
Software Version: 18.20
Installation and Usage Guide
Document Release Date: November 2018
Software Release Date: November 2018

Legal Notices
Micro Focus
The Lawn
22-30 Old Bath Road
Newbury, Berkshire RG14 1QN
UK
https://

Warranty
The only warranties for products and services of Micro Focus and its affiliates and licensors ("Micro Focus") are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.

Restricted Rights Legend
Confidential computer software. Except as specifically indicated otherwise, a valid license from Micro Focus is required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.

Copyright Notice
© Copyright 2014-2018 Micro Focus or one of its affiliates

Trademark Notices
Adobe™ is a trademark of Adobe Systems Incorporated.
Microsoft® and Windows® are U.S. registered trademarks of Microsoft Corporation.
UNIX® is a registered trademark of The Open Group.

Documentation Updates
The title page of this document contains the following identifying information:
• Software Version number
• Document Release Date, which changes each time the document is updated
• Software Release Date, which indicates the release date of this version of the software
To check for recent updates or to verify that you are using the most recent edition of a document, go to:
https:///support-and-services/documentation

Contents
Preface
Contacting Micro Focus Fortify Customer Support
For More Information
About the Documentation Set
Change Log
Fortify Jenkins Plugin
Software Requirements
Installing the Fortify Jenkins Plugin
Verifying the Fortify Jenkins Plugin Installation
Preparing Fortify Software Security Center to Work with the Fortify Jenkins Plugin
Configuring the Fortify Jenkins Plugin
Configuring a Build Step to use the Fortify Jenkins Plugin
Viewing Analysis Results
Security Vulnerability Graph for Your Project
Viewing Issues
Configuring the Number of Issues Displayed on a Page
Send Documentation Feedback

Preface
Contacting Micro Focus Fortify Customer Support
If you have questions or comments about using this product, contact Micro Focus Fortify Customer Support using one of the following options.
To Manage Your Support Cases, Acquire Licenses, and Manage Your Account
https://
To Call Support
1.844.260.7219
For More Information
For more information about Fortify software products:
https:///solutions/application-security
About the Documentation Set
The Fortify Software documentation set contains installation, user, and deployment guides for all Fortify Software products and components. In addition, you will find technical notes and release notes that describe new features, known issues, and last-minute updates. You can access the latest versions of these documents from the following Micro Focus Product Documentation website:
https:///support-and-services/documentation

Change Log
The following table lists changes made to this document. Revisions to this document are published between software releases only if the changes made affect product functionality.

Fortify Jenkins Plugin
Use the Fortify Jenkins Plugin in your continuous integration builds to identify security issues in your source code with Micro Focus Fortify Static Code Analyzer. After the Fortify Static Code Analyzer analysis is complete, you can optionally upload the results to a Micro Focus Fortify Software Security Center server. This also enables you to view the analysis result details within Jenkins. It also provides metrics for each build and an overview of the results, without the need to log into Fortify Software Security Center. With the Fortify Jenkins
Plugin,you can integrate Fortify Static Code Analyzer with the following build tools:l Gradlel Mavenl MSBuildl Visual Studio(devenv)You can also scan your source code directly without a build tool.This document provides instructions on how to prepare Fortify Software Security Center to work with the Fortify Jenkins Plugin,and how to install,configure,and use the plugin.Software RequirementsThe Fortify Jenkins Plugin works with the software packages listed in the following table.Your specific requirements depend on the build tools you are using.This table also provides information to help you prepare for the configuration of your Bamboo plan.Installing the Fortify Jenkins PluginTo install the Fortify Jenkins Plugin,you must have Jenkins installed on your system.See the Micro Focus Fortify Software System Requirements document for the supported Jenkins versions.To install the Fortify Jenkins Plugin:1.From Jenkins,select Manage Jenkins>Manage Plugins.2.On the Plugin Manager page,click the Advanced tab.3.Under Upload Plugin,click Choose File,and then locate and select Fortify_Jenkins_Plugin_<version>.hpi.4.Click Upload.5.Restart Jenkins.For more information about how to install Jenkins plugins,see the Jenkins website. 
Verifying the Fortify Jenkins Plugin Installation
To verify that the Fortify Jenkins Plugin is installed:
1. Open a browser window and navigate to http://<jenkins_server_url>:8080.
2. From the Jenkins menu, select Manage Jenkins > Manage Plugins.
3. On the Plugin Manager page, click the Installed tab.
4. Verify that Fortify Jenkins Plugin is included in the list of installed plugins.

Preparing Fortify Software Security Center to Work with the Fortify Jenkins Plugin
To upload Fortify Static Code Analyzer results to Fortify Software Security Center or to view Fortify Static Code Analyzer results from Jenkins, you need to have an authentication token of type CIToken created in Fortify Software Security Center. You will use this authentication token to configure the Fortify Jenkins Plugin to communicate with Fortify Software Security Center. You can generate the authentication token from either the Administration view in Fortify Software Security Center or from the command line with the fortifyclient utility. The following instructions describe how to create the authentication token with the fortifyclient utility.
For information about how to create an authentication token from Fortify Software Security Center, see the Micro Focus Fortify Software Security Center User Guide.
To create an authentication token of type CIToken using the fortifyclient utility:
1. From the <ssc_install_dir>/Tools/fortifyclient/bin directory, run the following:
where:
• <ssc_url> includes both the port number and the context path /ssc. For example, http://<hostname>:<port>/ssc.
• <user_name> is the Fortify Software Security Center username of an account that has the required privileges to read or write information from or to Fortify Software Security Center.
• <number_of_days> is the number of days before the token expires. The default is 365.
You are prompted for a password.
2. Type the password for <user_name>. The fortifyclient utility displays a token of the general form: cb79c492-0a78-44e3-b26c-65c14df52e86.
3. Copy the returned token to use when you configure the Fortify Jenkins Plugin (see "Configuring the Fortify Jenkins Plugin" below).

Configuring the Fortify Jenkins Plugin
To configure your Jenkins server so that it can analyze your project, update Fortify security content, and upload results to Fortify Software Security Center using the Fortify Jenkins Plugin:
1. Open a browser window and navigate to http://<jenkins_server_url>:<port_number>.
2. From the Jenkins menu, select Jenkins > Manage Jenkins > Configure System.
3. To analyze your project with Fortify Static Code Analyzer or to update Fortify security content as part of your build, create an environment variable to specify the location of the Fortify Static Code Analyzer executables. In Global properties, create the following environment variable:
• Name: FORTIFY_HOME
• Value: <sca_install_dir>
where <sca_install_dir> is the path where Fortify Static Code Analyzer is installed.
For example, on Windows the default installation location is C:\Program Files\Fortify\Fortify_SCA_and_Apps_18.20.
4. To upload results to Fortify Software Security Center, scroll down to the Fortify Assessment section, and then do the following:
a. In the SSC URL box, type the Fortify Software Security Center server URL. The correct format for the Fortify Software Security Center URL is: http://<host_IP>:<port>/ssc.
b. To connect to Fortify Software Security Center with a proxy server, select Use Proxy for SSC, and then specify the proxy information.
c. In the Authentication token box, type the authentication token generated for the Fortify Software Security Center server. See "Preparing Fortify Software Security Center to Work with the Fortify Jenkins Plugin" above.
d. Click Advanced settings, and then click Test Connection. The Fortify Jenkins Plugin populates the Issue Template list with available Fortify Software Security Center issue templates. Fortify Software Security Center uses the selected issue template when it creates new applications. The issue template optimizes the categorization, summary, and reporting of the application version data.
e. From the Issue template list, select the appropriate issue template for your projects.
5. Click Save.

Configuring a Build Step to use the Fortify Jenkins Plugin
To configure a build step for your project to use the Fortify Jenkins Plugin:
1. From Jenkins, select an existing job to view or create a new job. The Fortify Jenkins Plugin supports Freestyle and Multi-configuration projects. If you selected an existing job, click Configure on the job page.
2. In the Post-build Actions section, click Add post-build action, and then select Fortify Assessment.
3. In the Build ID box, type a unique identifier for the scan.
4. In the Results file box, type a name for the Fortify results file (FPR). For example, MyAudit.fpr. Specifying the results file name is optional. If you do not provide a name:
• If you are running a Fortify SCA scan, the analysis results are written to scan.fpr in the workspace.
• If you are not running a Fortify SCA scan and you are uploading results to Fortify Software Security Center, Fortify Jenkins Plugin searches "./**/*.fpr" in the workspace for the FPR file with the latest modified date.
5. (Optional) In the Maximum heap memory box, specify the maximum heap memory as an integer only. For example, to specify 48 GB, type 48000. By default, Fortify Static Code Analyzer enables automatic allocation of memory based on the physical memory available on the system. If you specify an amount of memory in this field, it overrides the default automatic memory allocation.
6. (Optional) In the Additional JVM options box, you can add additional JVM commands.
7. To download Fortify security content before the scan, select the Update Fortify Security Content check box, and specify the following:
a. In the Update server URL box, type the URL for the Fortify Rulepack update server. The default Fortify Rulepack update server URL is https://.
b. To connect to the Fortify Rulepack update server with a proxy server, select the Configure update server proxy check box, and then specify the proxy information.
8. To remove any temporary files from a previous scan for the specified build ID, select the Run Fortify SCA Clean check box. Fortify recommends that you run the clean phase before each translation unless, for example, you are translating several projects with the same build ID to perform one scan for all the projects and generate a single FPR file.
9. To run translation, select the Run Fortify SCA translation check box, and then specify the translation settings. You might want to skip the translation if, for example, the security content has changed but the source code has not. If you do skip the translation, make sure that you do not run a Fortify SCA clean.
a. Select Advanced if you are familiar with the Fortify Static Code Analyzer command-line interface or you want to specify all the translation options without any guidance. Specify all the Fortify Static Code Analyzer translation options including source files, if needed. See the Micro Focus Fortify Static Code Analyzer User Guide for detailed information about the translation options.
Select Basic to be prompted to provide the typical information to scan Java code or to run a Maven 3 or a Gradle build to perform the translation. The configuration fields dynamically change based on your selection. For each of the basic translation configurations, you can exclude files or directories from the translation by including them in the Exclude list box. The following table provides instructions for each application type in the basic configuration.
b. (Optional) Enable the debug or verbose options.
c. (Optional) To specify a custom location for the Fortify Static Code Analyzer log file, specify a file name (or a full path) in the Log file location box. By default, the log file is written to the workspace in /.fortify/sca<version>/log.
10. To run a scan, select the Run Fortify SCA scan check box, and then specify the scan settings:
a. (Optional) In the Custom Rulepacks box, specify custom rules (XML files).
b. (Optional) Specify any additional scan options.
c. (Optional) Enable the debug or verbose options.
d. (Optional) To specify a custom location for the Fortify Static Code Analyzer log file, specify a file name (or a full path) in the Log file location box. By default, the log file is written to the workspace in /.fortify/sca<version>/log.
11. To upload the scan results to Fortify Software Security Center, select the Upload Fortify SCA scan results to Fortify Software Security Center check box, and then specify the upload settings:
a. (Optional) Specify a filter set to use when reading the FPR. If no value is specified, the Fortify Jenkins Plugin uses the Quick View filter set. The fail condition and the Normalized Vulnerability Score (NVS) calculation depend on the issues filtered by the filter set. For example, if a "Critical Exposure" filter is applied to the project issues (and no issues are found), then the fail condition determines that there is no reason to set this build to "unstable" and NVS is set to zero. The graph summary also shows zero.
b. To trigger a build failure based on scan results, type a search query in the Build failure criteria box. For example, the following search query causes the build to fail if any critical issues exist in the scan results:
See the Micro Focus Fortify Software Security Center User Guide for a description of the search query syntax.
c. Specify an Application name and Application version. If you have a successful connection to a Fortify Software Security Center server, you can select an application name and version from the list. Always specify both application name and application version.
d. To specify an amount of time to wait for the upload to Fortify Software Security Center, click Auto Job Assignment. The Fortify Jenkins Plugin polls Fortify Software Security Center until the FPR is processed before it runs the NVS calculation. The valid values are 0-60.
12. Click Save.

Viewing Analysis Results
If you uploaded Micro Focus Fortify Static Code Analyzer results to Micro Focus Fortify Software Security Center, you can view a security vulnerability graph for your project and a summary of the issues from Jenkins.

Security Vulnerability Graph for Your Project
The project page displays a Normalized Vulnerability Score (NVS) graph. NVS is a normalized score that gives you a rough idea of the security vulnerability of your project. The Fortify Jenkins Plugin calculates the NVS with the following formula:
NVS = ((CFPO * 10) + (HFPO * 5) + (MFPO * 1) + (LFPO * 0.1)) * 0.5 + ((P1 * 2) + (P2 * 4) + (P3 * 16) + (PABOVE * 64)) * 0.5
where:
• CFPO = Number of critical vulnerabilities (unless audited as Not an Issue)
• HFPO = Number of high vulnerabilities (unless audited as Not an Issue)
• MFPO = Number of medium vulnerabilities (unless audited as Not an Issue)
• LFPO = Number of low vulnerabilities (unless audited as Not an Issue)
and:
• PABOVE = Exploitable
• P3 = Suspicious
• P2 = Bad practice
• P1 = Reliability issue
The total issues count is not very useful. For example, if Application A has 0 critical issues and 10 low issues, the total issue count is 10. If Application B has five critical issues and no low issues, the total issue count is 5. These values might mislead you to think that Application B is better than Application A, when it is not. The NVS calculated for the two example applications provides a different picture (simplified equation):
• Application A: NVS = 0 * 10 + 10 * 0.1 = 1
• Application B: NVS = 5 * 10 + 0 * 0.1 = 50

Viewing Issues
To see the issues for a Fortify Static Code Analyzer analysis that you have uploaded to Micro Focus Fortify Software Security Center, open your project and click Fortify Assessment on the left. The interactive List of Fortify SSC issues page displays the Summary and Issue breakdown by Priority Order tables.
The Summary table shows the difference in the number of issues in different categories between the two most recent builds. A blue arrow next to a value indicates that the number in that category has decreased, and a red arrow indicates that the number in that category has increased.
The Issues breakdown by Priority Order table shows detailed information about the issues for the specified location and category in each priority folder. Wait for the table to load. If the data load takes too long, you might need to refresh the browser window (F5).
By default, you see the critical issues first. To see all issues, click the All tab. To see only those issues that were introduced in the latest build of your code, click the Show New Issues link at the top of the table.
The first and the second columns show the file name and line number of the issue and the full path to this file. The last column displays the category of each vulnerability. By default, issues are sorted by primary location. To organize them by category, click the Category column header.
To see more details about or to audit a specific issue, click the file name in the first column. The link takes you directly to the details for that issue on the Fortify Software Security Center server. If you are not logged in to Fortify Software Security Center, you are prompted to log in.

Configuring the Number of Issues Displayed on a Page
By default, the page displays up to 50 issues. To navigate to all the issues, use Next >> and << Previous on the top and bottom of the table. To increase the maximum number of issues displayed to 100 per page, from the 50 | 100 | All section at the bottom of the page, click 100.
To control the number of the issues shown on a page from the Configure System page:
• In the Fortify Assessment section, click Advanced Settings, and then change the value in the Issue breakdown page size box.

Send Documentation Feedback
If you have comments about this document, you can contact the documentation team by email. If an email client is configured on this computer, click the link above and an email window opens with the following information in the subject line: Feedback on Installation and Usage Guide (Fortify Jenkins Plugin 18.20). Just add your feedback to the email and click send. If no email client is available, copy the information above to a new message in a web mail client, and send your feedback to *****************************. We appreciate your feedback!
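The NVS formula from the "Security Vulnerability Graph for Your Project" section, worked through in code. This is an added example, not part of the Micro Focus plugin; the names IssueCounts, nvs, nvs_simplified and nvs_delta are this example's own, and the Summary-table delta is modelled as a plain signed difference.

```python
# Added example (not from the Micro Focus guide): the NVS formula applied to
# the guide's Applications A and B, plus the build-to-build delta that the
# Summary table visualises with blue (decrease) and red (increase) arrows.
from dataclasses import dataclass, fields


@dataclass(frozen=True)
class IssueCounts:
    """Issue counts for one build, after the filter set has been applied.
    Issues audited as "Not an Issue" must already be excluded by the caller;
    the guide's formula only counts issues that were not audited away."""
    critical: int = 0      # CFPO
    high: int = 0          # HFPO
    medium: int = 0        # MFPO
    low: int = 0           # LFPO
    reliability: int = 0   # P1
    bad_practice: int = 0  # P2
    suspicious: int = 0    # P3
    exploitable: int = 0   # PABOVE

    def total(self) -> int:
        """Raw issue count, which the guide warns is a misleading measure."""
        return sum(getattr(self, f.name) for f in fields(self))


def nvs(c: IssueCounts) -> float:
    """Normalized Vulnerability Score exactly as the guide states it:
    NVS = ((CFPO*10)+(HFPO*5)+(MFPO*1)+(LFPO*0.1))*0.5
        + ((P1*2)+(P2*4)+(P3*16)+(PABOVE*64))*0.5"""
    fpo_part = c.critical * 10 + c.high * 5 + c.medium * 1 + c.low * 0.1
    audit_part = (c.reliability * 2 + c.bad_practice * 4
                  + c.suspicious * 16 + c.exploitable * 64)
    return fpo_part * 0.5 + audit_part * 0.5


def nvs_simplified(c: IssueCounts) -> float:
    """The "simplified equation" the guide uses for Applications A and B:
    only the Fortify Priority Order weights, without the 0.5 factor."""
    return c.critical * 10 + c.high * 5 + c.medium * 1 + c.low * 0.1


def nvs_delta(previous: IssueCounts, current: IssueCounts) -> dict:
    """Per-category change between the two most recent builds
    (negative = decreased, blue arrow; positive = increased, red arrow)."""
    return {f.name: getattr(current, f.name) - getattr(previous, f.name)
            for f in fields(IssueCounts)}


def riskier(a: IssueCounts, b: IssueCounts) -> str:
    """Name the riskier of two builds by NVS rather than by raw count."""
    if nvs(a) > nvs(b):
        return "A"
    return "B" if nvs(b) > nvs(a) else "equal"


# Constructed inputs: the guide's Application A (10 low) and B (5 critical).
APP_A = IssueCounts(low=10)
APP_B = IssueCounts(critical=5)

if __name__ == "__main__":
    for name, app in (("A", APP_A), ("B", APP_B)):
        print(f"Application {name}: total={app.total()} "
              f"simplified NVS={nvs_simplified(app):g} NVS={nvs(app):g}")
    print("riskier by NVS:", riskier(APP_A, APP_B))   # B, despite fewer issues
    print("delta A -> B:", nvs_delta(APP_A, APP_B))
```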
How to use Fortify
Fortify is a general-purpose static code analysis tool that helps developers find potential software security risks. It scans source code, identifies security vulnerabilities, and offers remediation suggestions. This article describes how to use Fortify, including installation, configuration, and running scans.
1. Installing Fortify
Fortify runs on Windows, Linux, macOS and other operating systems. The steps to install Fortify on Windows are:
2. Install Fortify SCA
3. Configure Fortify SCA
After installation completes, open the Fortify SCA console. On first launch you are asked to enter a license key. Enter a valid key and continue.
2. Configuring a Fortify project
Before using Fortify, you need to create a Fortify project, import your source code into it, and configure some parameters. The steps are:
1. Create a new Fortify project. Open the Fortify SCA console, select the "File" menu, then "New" > "Project". In the dialog that appears, enter the project name and description, and select the source code directory.
2. Configure build settings. In the Fortify project, configure the build settings to tell Fortify how to generate or obtain the intermediate files needed for analysis. Select the "Build Settings" tab and choose the correct build tool for your project type. For example, for a Maven-based Java project, select "Maven (Java)".
3. Configure scan settings. In the Fortify project you can also configure scan settings, which determine which rule sets Fortify uses when scanning the source code and how it handles certain code constructs. Select the "Scan Settings" tab and choose the appropriate scan settings.
4. Import source code. In the Fortify project, select the "Source Files" tab, click the "Add" button, and select the source files or directories to include in the scan.
5. Configure rule sets. In the Fortify project, select the "RuleSets" tab and choose the corresponding rule sets.
3. Fortify SCA Scan Guide
VS command-line translation
Configure the Fortify plug-in for VS2003/VS2005 in the VS startup options.
Translate and analyze using a VS solution file:
sourceanalyzer -b my_buildid -c devenv /REBUILD MyProject.sln
sourceanalyzer -b my_buildid -scan -f results.fpr
The four steps of a Fortify SCA scan
A Fortify SCA scan consists of four steps:
1. Clean (clean phase): sourceanalyzer -b proName -clean
2. Translation (translation phase)
3. Show-files (inspection phase): sourceanalyzer -b proName -show-files
4. Scan (scan phase): sourceanalyzer -b proName -Xmx1250m -scan -f
Common command-line parameters
-f Specifies the name and path of the generated scan result file
-filter Specifies a filter file that suppresses issues you do not want reported, such as false positives
-scan Specifies that this invocation is the SCA scan (analysis) phase
-show-build-ids Shows how many build IDs exist on this machine
-show-build-tree Shows the files each file depended on during translation
-show-build-warnings Shows the warnings produced during translation or scanning
-disable-source-rendering Disables loading of the source code during the scan
Fortify SCA Scan Guide
Main contents
• Fortify SCA analysis principles
• Fortify SCA analysis process
• Fortify SCA scan modes
• Fortify SCA source code translation
• Fortify SCA scan command reference
Know your code. Trust your code
码德信息技术有限责任公司
Translating JSP files
• JSP file sources:
– Web Application Archive (WAR) layout
– deployment directory
• Translating a servlet with the J2EE jar on the classpath:
– sourceanalyzer -b MyServlet -cp lib/j2ee.jar MyServlet.java
• To translate all .java files in the src directory using all jar files in the lib directory as a classpath:
Visual Studio .NET-Command line
• Phase one: translation of the source code into Fortify's internal format
• Phase two: analysis by the analysis engine
– sourceanalyzer -b <build-id> -clean
– sourceanalyzer -b <build-id> ...
– sourceanalyzer -b <build-id> -scan -f results.fpr
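The four-step clean / translate / show-files / scan sequence and the two-phase model above, driven from one script. This is an added example, not Fortify's own tooling; it uses only the sourceanalyzer flags listed in this guide and assumes sourceanalyzer is on PATH when run for real (without it, the plan is only rendered as a dry run).

```python
# Added example (not Fortify's own tooling): run the sourceanalyzer phases in
# the order the guide prescribes, using the flags it documents
# (-b, -clean, -cp, -show-files, -Xmx, -scan, -f, -filter).
import shutil
import subprocess
from typing import List, Optional


def build_phases(build_id: str, sources: List[str], fpr: str,
                 heap: str = "1250m", filter_file: Optional[str] = None,
                 classpath: Optional[str] = None,
                 clean: bool = True) -> List[List[str]]:
    """Return one argv per phase: [clean,] translate, show-files, scan.
    clean=False covers the case the guide mentions: several projects are
    translated into the same build ID and scanned together once."""
    base = ["sourceanalyzer", "-b", build_id]
    translate = base + (["-cp", classpath] if classpath else []) + list(sources)
    scan = base + [f"-Xmx{heap}", "-scan", "-f", fpr]
    if filter_file:  # -filter suppresses issues such as known false positives
        scan += ["-filter", filter_file]
    phases = [base + ["-clean"]] if clean else []
    return phases + [translate, base + ["-show-files"], scan]


def run_phases(phases: List[List[str]],
               dry_run: Optional[bool] = None) -> List[str]:
    """Run the phases in order, stopping at the first failure (check=True).
    Returns the rendered command lines so a CI log shows exactly what ran."""
    if dry_run is None:
        dry_run = shutil.which("sourceanalyzer") is None
    rendered = []
    for argv in phases:
        rendered.append(" ".join(argv))
        if not dry_run:
            subprocess.run(argv, check=True)
    return rendered


if __name__ == "__main__":
    # Constructed inputs mirroring the MyServlet example in this guide.
    plan = build_phases("MyServlet", ["MyServlet.java"], "results.fpr",
                        classpath="lib/j2ee.jar", filter_file="filter.txt")
    for line in run_phases(plan):
        print(line)
```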
Fortify SCA Installation and Usage Manual
Fortify SCA Installation and Usage Manual
Contents
1. Product description
1.1. Features
1.2. Product update notes
2. Installation
2.1. Files required for installation
2.2. Platforms supported by Fortify SCA
2.3. Supported languages
2.4. Fortify SCA plug-ins
2.5. Compilers supported by Fortify SCA
2.6. Installing Fortify SCA on Windows
2.7. Installing the Fortify SCA Eclipse plug-in
2.8. Installing Fortify SCA on Linux (requires the Linux installer)
2.9. Installing Fortify SCA on Unix (requires the Unix installer)
3. Usage
3.1. Fortify SCA scan guide
3.2. Analyzing Fortify SCA scan results
4. Troubleshooting
4.1 Using log files to debug problems
4.2 "Translation failed" messages
If your C/C++ application builds successfully but one or more "translation failed" messages appear when you build with Fortify SCA, edit the /Core/config/fortify-sca.properties file and change the line
com.fortify.sca.cpfe.options=--remove_unneeded_entities --suppress_vtbl
to
com.fortify.sca.cpfe.options=-w --remove_unneeded_entities --suppress_vtbl
Re-run the build to print the errors the translator encountered. If the output indicates that there is a conflict between your compiler and the Fortify translator
4.3 JSP translation failures
4.4 C/C++ precompiled headers
Preface
Fortify SCA is currently the industry's most comprehensive white-box source code security testing tool: it pinpoints security problems at the code level, completes testing fully automatically, ships the broadest set of security vulnerability rules, and analyzes source code security from multiple dimensions.
Fortify SCA Windows Platform Installation and Project Scanning Guide
This guide covers how to install Fortify SCA Enterprise Editor and Developer Edition for Eclipse 3 on Windows 2000/Windows XP, and how to use both editions to scan Java/J2EE projects. It also describes how to use the command-line features of SCA Enterprise Editor on Windows to scan Visual Studio 6.0 and Visual Studio .NET 2005/2003 projects.
1. Fortify SCA Enterprise Editor Windows installation guide
To help you understand the Fortify SCA Enterprise Editor installation on Windows and complete it quickly, the whole process is described below.
1. Prepare the environment and the installer:
A) Make sure the hardware of the Windows machine is no lower than: CPU >= 1G, RAM >= 1G. If more than 200,000 lines of code will be scanned, RAM of 2G or more is recommended.
B) Download the Fortify SCA Enterprise Editor Windows installation package SCASEE-4.5.0.0337-WIN-XP-2000.zip. Download address:
2. Extract the package. Extracting SCASEE-4[1].5.0.0337-WIN-XP-2000.zip yields the Fortify SCA Enterprise installer: install.exe.
3. Double-click install.exe to open the installer and click "Next" to continue.
Accept the Fortify SCA license agreement.
Apply the purchased Fortify SCA license key. Select "Install" for a first-time installation, or "Update" if Fortify SCA Enterprise components are already installed on this machine.
2. Fortify SCA Installation Guide
Fortify SCA Installation Guide
Fortify China Consultant: WangHong (hwang@)
Main contents: Fortify SCA installation media; languages supported by Fortify SCA; platforms supported by Fortify SCA; installing Fortify SCA on different platforms; installing the Fortify SCA Eclipse plug-in
Fortify SCA installation media
Fortify SCA installation media requirements:
1. Fortify SCA installation files
2. Fortify license
3. Fortify rulepack files (not needed if the installation machine can reach the internet)
4. The IDE into which plug-ins will be installed
5. System drive free space > 2G, memory >= 2G
Fortify installation files:
1. The CD provided by Fortify
2. https://
Platforms supported by Fortify SCA
Languages supported by Fortify SCA
Fortify SCA plug-ins
Compilers supported by Fortify SCA
Fortify SCA installation 1: Windows
1. Run the installer exe file.
2. Select the license file provided by Fortify, fortify.license.
3. Download the rulepack files. Downloading requires the installation machine to have internet access; if it does not, request the rulepack files from Fortify and place them in {fortifyinstall}\core\config\rules. Rulepack files are the same for every platform.
Fortify SCA installation note: when installing Fortify SCA on Windows 2003 an error may appear (figure on the right). Solution (figure on the left): change the software restriction from "All users" to "All users except local administrators".
Fortify SCA installation 2: Linux
Fortify SCA installation 3: Unix
Fortify SCA installation 4: Mac OS
Installing the Fortify SCA Eclipse plug-in
WSAD plug-in installation
Thanks! Fortify China: WangHong (hwang@)
Fortify installation and usage manual
Fortify SCA Installation and Usage Manual
Document number: GRG_YT-RDS-PD-D03_A.0.1
Version: V1.0
Release date: 2011-5-5
Document history: number and name, version, release date, created/modified description, participants
Copyright notice
The ownership and copyright of this software product (including any programs, images, documents and accompanying printed materials it contains) and of any copies of it belong to 广州广电运通金融电子股份有限公司 (GRG Banking Equipment Co., Ltd.).
You may not use any tool or any method to reverse engineer or decompile this software product.
Without the permission of 广州广电运通金融电子股份有限公司 you may not publish this software product or any related material, in part or in whole, for any purpose or by any means; otherwise you will be subject to severe civil and criminal penalties and, to the fullest extent permitted by law, to civil action.
Fortify SCA Jenkins Plugin 19.1.0 User Guide
Fortify SCA Jenkins Plugin 19.1.0
Jonathan Couch, Fortify Security Support Engineer
Downloading the Jenkins plugin (latest)
• Download the latest version from the following GitHub repository: https:///jenkinsci/fortify-plugin
• Select the Master branch and download
• Building the Jenkins plugin requires Maven and a JDK; use the versions supported by SCA 19.1.0 listed in the system requirements guide.
• The build generates a fortify.hpi file containing the SCA Jenkins plugin
Installing the plugin
• Open Jenkins and navigate to Manage Jenkins -> Manage Plugins
• Switch to the Advanced tab and, under the "Upload Plugin" section, click the Browse button and select the generated fortify.hpi file
After successfully installing the plugin, it is ready to be used in a job.
- For an existing job, click Configure
- Scroll down to the "Post-build actions" section
- Click the "Add post-build action" dropdown and select "Fortify Assessment"
This brings up the field parameters and checkboxes. Enter the information needed to run a job. Depending on the language to be scanned (Java, Maven, Gradle, or .NET), some examples follow. The fields can use Jenkins system environment variables, e.g. ${JOB_NAME}, ${BUILD_NUMBER}.
(Slides: Java Example; Maven Example; Gradle Example; .NET Example; Pipeline Example)
When something goes wrong
Step 1: Check the console output
Send the Jenkins build logs to Fortify Technical Support. Build logs are located under, e.g., Path\Jenkins\jobs\<Project Name>\builds\<build_number>. Console output can also be found in the \jobs directory under the same job ID.
Additional Information
• Jenkins plugin documentation: https:///documentation/fortify-jenkins-plugin/1910/Jenkins_Plugin_Help_19.1.0/index.htm
• Jenkins Plugin for Fortify SCA/SSC to automatically upload projects: https://youtu.be/cjEwDmTsxII
• Fortify Plugin: https://wiki.jenkins.io/display/JENKINS/Fortify+Plugin
• Pipeline-compatible steps: https://jenkins.io/doc/pipeline/steps/fortify
Questions
Thank you.
Fortify SSC 19.2.0 installation guide for CentOS 8 (using a MySQL 8 database)
Author: Vikas Johari
Date: 06 March 2020
Document Version: v0.1
Installing Fortify SSC 19.2.0 with MySQL 8 in Easy Steps on CentOS 8
Fortify SCA 19.x Deployment Guide
Contents: Introduction; Installation of Oracle JDK 1.8; Installing Tomcat 9.0.31; Configure Apache (optional); Installing MySQL 8 Community Edition; Configuring MySQL Database for SSC; Deploying JDBC Driver on Tomcat Server; Deploying SSC on Tomcat Server

Introduction
This document is written to guide Pre-Sales and Partners to install Fortify SSC 19.2.0 on CentOS 8 with the MySQL 8 Community Edition database on the same server. This document is not written for installing Fortify SSC 19.2.0 in a production environment. However, it can be used to set up Fortify SSC 19.2.0 in a controlled environment such as a lab, PoC or CoE environment.
The hardware and software requirements are given at: https:///documentation/fortify-software-security-center/1920/Fortify_Sys_Reqs_19.2.0/index.htm#SSC/SSC_Reqs.htm%3FTocPath%3DFortify%2520Software%2520Security%2520Center%2520Server%2520Requirements%7C_____0
The detailed SSC 19.2.0 User Guide is at https:///documentation/fortify-software-security-center/1920/SSC_Help_19.2.0/index.htm
I have used a VM with the following hardware configuration:
CPU: 4 vCPU
RAM: 8 GB
Disk: 100 GB thin provisioned
CentOS 8: download link /centos/8/isos/x86_64/CentOS-8.1.1911-x86_64-dvd1.iso
MySQL 8 Community Edition
Internet connection on the CentOS VM
Install CentOS 8 and apply all the required patches.

Installation of Oracle JDK 1.8
Download the Oracle JDK 1.8 "jdk-8u241-linux-x64.rpm" file from https:///technetwork/java/javase/downloads/jdk8-downloads-2133151.html and upload "jdk-8u241-linux-x64.rpm" to the server.
Install Oracle JDK 1.8 using:
[root@localhost ~]# rpm -ivh jdk-8u241-linux-x64.rpm
Verify that only the Oracle JDK is installed on the server:
[root@localhost ~]# rpm -qa | grep -i jdk
jdk1.8-1.8.0_241-fcs.x86_64
Add the below lines at the end of the /etc/profile file using a text editor:
export JAVA_HOME=$(dirname $(dirname $(readlink $(readlink $(which javac)))))
export PATH=$PATH:$JAVA_HOME/bin
export CLASSPATH=.:$JAVA_HOME/jre/lib:$JAVA_HOME/lib:$JAVA_HOME/lib/tools.jar
Reboot the server and log in as root.

Installing Tomcat 9.0.31
After installing JDK 1.8, we can install Tomcat 9.
[root@localhost ~]# cd Downloads
[root@localhost Downloads]# wget https:///dist/tomcat/tomcat-9/v9.0.31/bin/apache-tomcat-9.0.31.tar.gz
Extract Tomcat:
[root@localhost Downloads]# tar -xvf apache-tomcat-9.0.31.tar.gz -C /usr/share/
Create a symbolic link:
[root@localhost Downloads]# ln -s /usr/share/apache-tomcat-9.0.31/ /usr/share/tomcat
Create a Tomcat service:
[root@localhost Downloads]# vi /etc/systemd/system/tomcat.service
Add the below configuration:
[Unit]
Description=Tomcat 9 Server
After=syslog.target network.target
[Service]
Type=forking
User=root
Group=root
Environment='JAVA_OPTS=-Djava.awt.headless=true'
Environment=CATALINA_HOME=/usr/share/tomcat
Environment=CATALINA_BASE=/usr/share/tomcat
Environment=CATALINA_PID=/usr/share/tomcat/temp/tomcat.pid
Environment='CATALINA_OPTS=-Xms4096M -Xmx4096M'
ExecStart=/usr/share/tomcat/bin/catalina.sh start
ExecStop=/usr/share/tomcat/bin/catalina.sh stop
[Install]
WantedBy=multi-user.target
Start and enable the Tomcat service:
[root@localhost Downloads]# systemctl daemon-reload
[root@localhost Downloads]# systemctl start tomcat
[root@localhost Downloads]# systemctl status tomcat
● tomcat.service - Tomcat 9 Server
   Loaded: loaded (/etc/systemd/system/tomcat.service; disabled; vendor preset: disabled)
   Active: active (running) since Wed 2020-02-12 07:13:31 EST; 6s ago
  Process: 3949 ExecStart=/usr/share/tomcat/bin/catalina.sh start (code=exited, status=0/SUCCESS)
 Main PID: 3963 (java)
    Tasks: 33 (limit: 49658)
   Memory: 194.7M
   CGroup: /system.slice/tomcat.service
           └─3963 /usr/bin/java -Djava.util.logging.config.file=/usr/share/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.C>
Feb 12 07:13:31 localhost.localdomain systemd[1]: Starting Tomcat 9 Server...
Feb 12 07:13:31 localhost.localdomain catalina.sh[3949]: Existing PID file found during start.
Feb 12 07:13:31 localhost.localdomain catalina.sh[3949]: Removing/clearing stale PID file.
Feb 12 07:13:31 localhost.localdomain catalina.sh[3949]: Tomcat started.
Feb 12 07:13:31 localhost.localdomain systemd[1]: Started Tomcat 9 Server.
[root@localhost Downloads]# systemctl enable tomcat
Created symlink /etc/systemd/system/multi-user.target.wants/tomcat.service → /etc/systemd/system/tomcat.service.
Open ports 8080 and 80 in the firewall:
[root@localhost Downloads]# firewall-cmd --permanent --add-port=8080/tcp
success
[root@localhost Downloads]# firewall-cmd --permanent --add-port=80/tcp
success
[root@localhost Downloads]# firewall-cmd --reload
success

Configure Apache (optional)
Apache is an optional component; it acts as a reverse proxy for the Tomcat server.
Install the Apache server using:
[root@localhost ~]# yum install httpd -y
Create a reverse proxy configuration for Tomcat using a text editor:
[root@localhost ~]# vi /etc/httpd/conf.d/tomcat9.conf
<VirtualHost *:80>
ServerAdmin root@localhost
ServerName 
DefaultType text/html
ProxyRequests off
ProxyPreserveHost On
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/
</VirtualHost>
Configure SELinux rules:
[root@localhost ~]# setsebool -P httpd_can_network_connect 1
[root@localhost ~]# setsebool -P httpd_can_network_relay 1
[root@localhost ~]# setsebool -P httpd_graceful_shutdown 1
[root@localhost ~]# setsebool -P nis_enabled 1
Restart and enable the Apache service:
[root@localhost ~]# systemctl restart httpd
[root@localhost ~]# systemctl enable httpd
Use a browser to validate that the Tomcat and Apache services are running as configured, using http://<ip> and http://<ip>:8080 of the server.

Installing MySQL 8 Community Edition
Run the below commands to download and install the MySQL 8 Community Edition database:
[root@localhost Downloads]# wget https:///get/Downloads/MySQL-8.0/mysql-community-libs-8.0.19-1.el8.x86_64.rpm
[root@localhost Downloads]# wget https:///get/Downloads/MySQL-8.0/mysql-community-common-8.0.19-1.el8.x86_64.rpm
[root@localhost Downloads]# wget https:///get/Downloads/MySQL-8.0/mysql-community-client-8.0.19-1.el8.x86_64.rpm
[root@localhost Downloads]# wget https:///get/Downloads/MySQL-8.0/mysql-community-server-8.0.19-1.el8.x86_64.rpm
[root@localhost Downloads]# rpm -ivh mysql-community-client-8.0.19-1.el8.x86_64.rpm mysql-community-common-8.0.19-1.el8.x86_64.rpm mysql-community-libs-8.0.19-1.el8.x86_64.rpm mysql-community-server-8.0.19-1.el8.x86_64.rpm
Start and enable the MySQL service:
[root@localhost Downloads]# systemctl start mysqld
[root@localhost Downloads]# systemctl enable mysqld
Grab the temporary password for the MySQL root user and note it down:
[root@localhost ~]# cat /var/log/mysqld.log | grep -i 'temporary password'
2020-02-12T13:23:05.319292Z 5 [Note] [MY-010454] [Server] A temporary password is generated for root@localhost: niy4pkkn1t,T
Test the MySQL server:
[root@localhost ~]# mysql -u root -p
Enter password: niy4pkkn1t,T   <- enter the temporary password from the log file
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 8
Server version: 8.0.19 MySQL Community Server - GPL
Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| sys                |
+--------------------+
4 rows in set (0.00 sec)
mysql> quit
Bye

Configuring MySQL Database for SSC
Modify the MySQL configuration file for SSC:
[root@localhost ~]# mv /etc/my.cnf /etc/my.cnf_orig
[root@localhost ~]# vi /etc/my.cnf
Paste the below content in the file:
[client]
port = 3306
socket = /var/run/mysqld/mysqld.sock
[mysql]
no-beep
socket = /var/run/mysqld/mysqld.sock
[mysqld]
collation-server = latin1_general_cs
init-connect = 'SET NAMES latin1'
character-set-server = latin1
pid-file = /var/run/mysqld/mysqld.pid
socket = /var/run/mysqld/mysqld.sock
port = 3306
datadir = /var/lib/mysql/data
default_authentication_plugin = mysql_native_password
default-storage-engine = INNODB
sql-mode = "TRADITIONAL"
long_query_time=10
report_port = 3306
lower_case_table_names = 1
secure-file-priv = NULL
symbolic-links = 0
max_connections = 151
table_open_cache = 2000
tmp_table_size = 648M
thread_cache_size = 10
myisam_max_sort_file_size = 100G
myisam_sort_buffer_size = 2G
key_buffer_size = 8M
read_buffer_size = 64K
read_rnd_buffer_size = 256K
innodb_flush_log_at_trx_commit = 1
innodb_log_buffer_size = 1M
innodb_buffer_pool_size = 10G
innodb_log_file_size = 5G
innodb_lock_wait_timeout = 300
innodb_thread_concurrency = 9
innodb_autoextend_increment = 64
innodb_buffer_pool_instances = 8
innodb_concurrency_tickets = 5000
innodb_old_blocks_time = 1000
innodb_open_files = 300
innodb_stats_on_metadata = 0
innodb_file_per_table = 1
innodb_checksum_algorithm = 0
back_log = 80
flush_time = 0
join_buffer_size = 256K
max_allowed_packet = 1G
max_connect_errors = 100
open_files_limit = 4161
sort_buffer_size = 256K
table_definition_cache = 1400
binlog_row_event_max_size = 8K
sync_master_info = 10000
sync_relay_log = 10000
sync_relay_log_info = 10000
#!includedir /etc/mysql/conf.d/
[mysqldump]
max_allowed_packet = 1G
Stop the MySQL service:
[root@localhost ~]# service mysqld stop
Initialize the 
MySQL Database server.[root@localhost ~]# mysqld --initialize-insecure --console --user=mysql 2020-03-05T10:20:08.891111Z 0 [Warning] [MY-011070] [Server] 'Disabling symbolic links using --skip-symbolic-links (or equivalent) is the default. Consider not using this option as it' is deprecated and will be removed in a future release.2020-03-05T10:20:08.891266Z 0 [System] [MY-013169] [Server] /usr/sbin/mysqld (mysqld8.0.19) initializing of server in progress as process 32938100 200 300 400 500 600 700 800 900 1000 1100 1200 1300 1400 1500 1600 1700 1800 1900 2000 2100 2200 2300 2400 2500 2600 2700 2800 2900 3000 3100 3200 3300 3400 3500 3600 3700 3800 3900 4000 4100 4200 4300 4400 4500 4600 4700 4800 4900 5000 5100100 200 300 400 500 600 700 800 900 1000 1100 1200 1300 1400 1500 1600 1700 1800 1900 2000 2100 2200 2300 2400 2500 2600 2700 2800 2900 3000 3100 3200 3300 3400 3500 3600 3700 3800 3900 4000 4100 4200 4300 4400 4500 4600 4700 4800 4900 5000 51002020-03-05T10:21:25.170585Z 5 [Warning] [MY-010453] [Server] root@localhost is createdwith an empty password ! Please consider switching off the --initialize-insecure option. Start the MySQL Service[root@localhost ~]# service mysqld startValidate the service, make sure it is running[root@localhost ~]# service mysqld statusSecure the installation of MySQL server.[root@localhost ~]# mysql_secure_installationThis wizard will ask many questions, answer them carefully.Would you like to setup VALIDATE PASSWORD component?Press y|Y for Yes, any other key for No: nPlease set the password for root here.New password: <- Enter a password for root user of mysqlRe-enter new password: <- ReEnter a password for root user of mysqlEstimated strength of the password: 100Do you wish to continue with the password provided?(Press y|Y for Yes, any other key for No) : y......Remove anonymous users? (Press y|Y for Yes, any other key for No) : y......Disallow root login remotely? 
(Press y|Y for Yes, any other key for No) : y......Remove test database and access to it? (Press y|Y for Yes, any other key for No) : y....Reload privilege tables now? (Press y|Y for Yes, any other key for No) : ySuccess.All done!Now let's create a Database and a User which will be used by SSC.[root@localhost ~]# mysql -u root -pEnter password:<- Enter the root’s password of mysqlmysql> create database SSC_DB DEFAULT CHARACTER SET latin1 COLLATElatin1_general_cs;mysql> CREATE USER 'sscuser'@'localhost' IDENTIFIED WITH mysql_native_password BY 'SscUser@123';mysql> GRANT ALL PRIVILEGES ON *.* TO 'sscuser'@'localhost' WITH GRANT OPTION; Query OK, 0 rows affected (0.02 sec)mysql> FLUSH PRIVILEGES;mysql> quitByeNow Create the DB structure.Extract the Fortify_SSC_Server_19.2.0.zip file, then extract Fortify_19.2.0_Server_WAR_Tomcat.zip file. The \Fortify_SSC_Server_19.2.0\Fortify_19.2.0_Server_WAR_Tomcat\sql\mysqlIt contains two files.Upload “create-tables.sql” file into /root/Downloads folder of CentOS server.[root@localhost Downloads]# mysql --user="sscuser" -p --database="ssc_db" --host="localhost" < "create-tables.sql"Enter password: <- Type the password of sscuser and then hit enterValidate the DB Structure is created.[root@localhost Downloads]# mysql -u sscuser -pEnter password: <- Type the password of sscuser and then hit enterWelcome to the MySQL monitor. Commands end with ; or \g.Your MySQL connection id is 23Server version: 8.0.19 MySQL Community Server - GPLCopyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.Oracle is a registered trademark of Oracle Corporation and/or itsaffiliates. Other names may be trademarks of their respectiveowners.Type 'help;' or '\h' for help. 
Type '\c' to clear the current input statement.mysql> use ssc_db;Reading table information for completion of table and column namesYou can turn off this feature to get a quicker startup with -ADatabase changedmysql> show tables;+------------------------------+| Tables_in_ssc_db |+------------------------------+| activity || activity_persona || activitycomment || activityinstance |mysql> quit;Deploying JDBC Driver on Tomcat ServerDownload the JDBC Driver of MySQL 8.[root@localhost Downloads]# wget https:///get/Downloads/Connector-J/mysql-connector-java-8.0.19.tar.gzExtract the Driver.[root@localhost Downloads]# tar -zxvf mysql-connector-java-8.0.19.tar.gzCopy the JDBC Driver to tomcat’s lib folder.[root@localhost Downloads]# cp mysql-connector-java-8.0.19/mysql-connector-java-8.0.19.jar /usr/share/tomcat/lib/Restart tomcat server[root@localhost Downloads]# service tomcat restartDeploying SSC on Tomcat ServerStop Tomcat server.[root@localhost Downloads]# service tomcat stopUpload ssc.war file from Fortify_19.2.0_Server_WAR_Tomcat.zip file to /usr/share/tomcat/webapps. 
Start tomcat.[root@localhost Downloads]# service tomcat startWait for few mins, tomcat will take few mins to deploy ssc war file.Open Chrome browser and open the URL http://ip_of_server:8080/sscClick on ADMINISTRATORS.Token will be in the file /root/.fortify/ssc/init.token, copy the token from /root/.fortify/ssc/init.token and paste it in the token field.Click Sign In.Click Next.Click Upload, browse and select “fortify.license” file, click on “I have read and understood this warning.” Click Next.In the URL: http://ip_of_server:8080/sscEnable HTTP host header validation: DisabledGlobal Search: /globalsearchI have read and understood this warning: EnabledClick Next.Database username: sscuserDatabase Password: sscuser’s passwordJDBC URL:jdbc:mysql://127.0.0.1:3306/ssc_db?connectionCollation=latin1_general_cs&rewriteB atchedStatements=trueClick Test Connection.If Test connection is successful, then click Next.Browse and Select the Process Seed Bundle, then click Seed Database.Browse and Select Report Seed Bundle and click on Seed Database.Browse and Select PCI Basic Seed Bundle and click on Seed Database.Browse and select PCI SSF Basic Bundle then click on Seed Database.Click Next.Click Finish.Restart tomcat.Close and Start Browser, then open SSC url.Login as “admin” and password “admin”.In the Change Password window, change the admin’s password. Click Save.Login with new admin credentials.Click on ADMINISTRTION.Click on Rulepacks, then click on “Update from Server”.Wait for Rulepacks to be download and deployed in SSC. Click Close.Now SSC is ready to use.Note: This guide is not an official documentation by Micro Focus. Please read and refer to the official product documentation for additional information.< !! End of the Document !! >21。
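Two artifacts the procedure above creates deserve a least-privilege check before the server goes live: the tomcat.service unit (User=root) and the GRANT given to sscuser (ALL PRIVILEGES ON *.* WITH GRANT OPTION). The Python below is an added example, not code from the guide or from Micro Focus: it parses both and reports what is broader than SSC needs, using inputs constructed from the guide's own values.

```python
"""Added example, not part of the guide: a least-privilege check over two
artifacts the steps above create, the tomcat.service unit and the GRANT
issued to sscuser. Inputs are constructed from the guide's own values."""
import re

# Constructed sample: /etc/systemd/system/tomcat.service as written above.
TOMCAT_UNIT = """[Unit]
Description=Tomcat 9 Server
After=syslog.target network.target

[Service]
Type=forking
User=root
Group=root
ExecStart=/usr/share/tomcat/bin/catalina.sh start
ExecStop=/usr/share/tomcat/bin/catalina.sh stop

[Install]
WantedBy=multi-user.target
"""

# Constructed sample: the GRANT issued for sscuser in the MySQL steps above.
SSC_GRANT = "GRANT ALL PRIVILEGES ON *.* TO 'sscuser'@'localhost' WITH GRANT OPTION;"

GRANT_RE = re.compile(
    r"GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+(?P<who>\S+)(?P<rest>.*)",
    re.IGNORECASE)


def parse_unit(text):
    """Return {section: {key: value}} for a systemd unit file (last value wins)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def audit_tomcat_unit(text):
    """Findings about the identity the Tomcat service runs under."""
    svc = parse_unit(text).get("Service", {})
    findings = []
    # systemd runs a system service as root when User= is absent, so absence counts.
    if svc.get("User", "root") == "root":
        findings.append("Tomcat runs as root; create an unprivileged user and set User=")
    return findings


def audit_grant(stmt, app_db="ssc_db"):
    """Findings about the application account's privilege scope and delegation."""
    m = GRANT_RE.match(stmt.strip())
    if not m:
        raise ValueError("not a GRANT statement: " + stmt)
    findings = []
    if m.group("scope") == "*.*":
        findings.append("grant covers every database; limit it to %s.*" % app_db)
    if "WITH GRANT OPTION" in m.group("rest").upper():
        findings.append("WITH GRANT OPTION lets the application account delegate privileges")
    return findings


def audit_all(unit_text=TOMCAT_UNIT, grant_stmt=SSC_GRANT):
    """Combined report as (source, finding) pairs; an empty list means nothing flagged."""
    return ([("tomcat.service", f) for f in audit_tomcat_unit(unit_text)]
            + [("sscuser grant", f) for f in audit_grant(grant_stmt)])
```

Running audit_all() on the guide's values yields three findings; a unit with User=tomcat and a grant scoped to ssc_db.* without WITH GRANT OPTION yields none.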
Rulepacks User's Guide
Secure Coding Rulepacks User's Guide
Version 4.5, April 2007
Copyright © 2003-2007 Fortify® Software, Inc. 7/24/07. All Rights Reserved. Printed in the United States of America.
Fortify Software, Inc., 2300 Geng Road, Suite 102, Palo Alto, California 94303
Fortify Software, Inc. ("Fortify") and its licensors retain all ownership rights to this document (the "Document").
Use of the Document is governed by applicable copyright law.
Fortify may revise the Document at any time without prior notice.
The Document is provided "as is" without warranty of any kind.
In no event will Fortify be liable for any direct, intentional, incidental or consequential damages arising from any error found in the Document, including, without limitation, any loss of business profits, use or data, or business interruption.
Fortify reserves the right to change or remove, without prior notice, any details or elements of the Document derived from the final product. Fortify is a registered trademark of Fortify Software, Inc.
Other trademarks and product names in the Document are the trademarks of their respective owners.
Secure Coding Rulepacks User's Guide
Contents
Preface
Chapter 1: Secure Coding Rulepacks
  Introduction
  Secure Coding Rulepacks
  Vulnerability Categories
    C/C++ Vulnerability Categories
    .NET Vulnerability Categories
    ColdFusion Vulnerability Categories
    Java Vulnerability Categories
    SQL Vulnerability Categories
  The Fortify Taxonomy
    Input Validation and Representation
    API Abuse
    Security Features
    Time and State
    Errors
    Code Quality
    Encapsulation
    Environment
    Example

Preface
This document describes the Secure Coding Rulepacks. If you have questions or suggestions about any part of this document, please contact Fortify Software:
Customer support: 650.213.5679, techsupport@
Corporate headquarters: 2300 Geng Road, Suite 102, Palo Alto, CA 94303, 650.213.5600, contact@
Website:

Chapter 1: Secure Coding Rulepacks
This document covers the following topics:
• Introduction
• Secure Coding Rulepacks
• Vulnerability Categories
• The Fortify Taxonomy

Introduction
The Fortify Source Code Analyzer (Fortify SCA) uses the Secure Coding Rulepacks as the basis for its analysis.
Fortify SCA Installation and Usage Manual
Contents
1. Product description
1.1. Features
1.2. Product update notes
2. Installation
2.1. Files required for installation
2.2. Platforms supported by Fortify SCA
2.3. Supported languages
2.4. Fortify SCA plugins
2.5. Compilers supported by Fortify SCA
2.6. Installing Fortify SCA on Windows
2.7. Installing the Fortify SCA Eclipse plugin
2.8. Installing Fortify SCA on Linux (requires the Linux installer)
2.9. Installing Fortify SCA on Unix (requires the Unix installer)
3. Usage
3.1. Fortify SCA scanning guide
3.2. Analyzing Fortify SCA scan results
4. Troubleshooting
4.1 Using log files to debug problems
4.2 Conversion failure messages
If your C/C++ application builds successfully but one or more "conversion failed" messages appear when building with Fortify SCA, edit the <install_directory>/Core/config/fortify-sca.properties file and change the following line:
com.fortify.sca.cpfe.options=--remove_unneeded_entities --suppress_vtbl
to
com.fortify.sca.cpfe.options=-W --remove_unneeded_entities --suppress_vtbl
Re-run the build to print the errors the converter encountered. If the output indicates a conflict between your compiler and the Fortify converter ...
4.3 JSP conversion failures
4.4 C/C++ precompiled headers

Preface
Fortify SCA is currently the most comprehensive white-box source code security testing tool in the industry: it pinpoints security issues at the code level, completes testing fully automatically, carries the broadest set of security vulnerability rules, and analyzes source code security issues from multiple dimensions.
Document conventions
This manual uses the following conventions to distinguish parts of the text.
Convention: meaning
Bold ("bold SimSun"): a button or option in a screenshot. Example: click Save.
→ (right arrow): used between two or more terms to show hierarchy; the item on the left is the parent of the item on the right. Example: File → Open.
● (bullet): parallel options or attributes at the same level.
1, 2, 3 (bold numerals): steps in a procedure.
"Warning": items that require attention.
"Tip": additional explanatory text.
Writing conventions are the rules and notes for writing the user manual; the writers should delete this section once the manual is complete.
● Screenshots
⏹ To keep the description clear and concise, avoid unnecessary screenshots, that is, screens whose operation can be explained clearly in words. For example, pull-down menus and shortcut menus need no screenshot.
⏹ Images should be as accurate as possible, with no white borders and no unrelated icons, such as the input method toolbar.
● Italics: a variable name or term; replace it with the concrete content when writing the manual.
● Notes: supplementary description of what a chapter or section should cover, with reference details. Delete this part after the manual is complete.
● Examples: concrete examples illustrating the scope and format of a chapter or section. Delete this part after the manual is complete.
● Levels: the next level down is marked with a bullet; for the specific level settings refer to the company's documentation standard.
Fortify SCA (Static Code Analyzer) is one of the products in the Fortify 360 family. SCA works in the development phase and analyzes application source code for security vulnerabilities.
It can not only find new vulnerabilities that can only be discovered statically, but also verify, in the testing and production phases, vulnerabilities that have already been found.
1.1. Features
The main features and advantages of Fortify SCA are:
1. The most complete static code analyzer in the industry, built on the largest and most comprehensive set of secure coding rules, which are continuously updated to cover new software security vulnerabilities
2. Analyzes how vulnerabilities arise across layers and across languages; currently supports all mainstream development languages
3. Very high accuracy in confirming security vulnerabilities
4. Precisely locates the full path along which a vulnerability arises, making it easy for developers to fix
5. Supports multiple software development platforms

1.2. Product update notes
Name / Version / Release date / Changes
Fortify SCA / V2.0 / - / -

2.1. Files required for installation
1. The Fortify SCA installer
2. The Fortify license (the installation authorization file)
3. The Fortify rule library files (the latest rules can be downloaded online)
4. The IDE into which the plugin will be installed (for example Eclipse 3.2, 3.3; VS2003, 2005; RAD7; RSD7)

2.2. Platforms supported by Fortify SCA
2.3. Supported languages
2.4. Fortify SCA plugins
2.5. Compilers supported by Fortify SCA

2.6. Installing Fortify SCA on Windows
1. Double-click Fortify-360-2[1].0-Analyzers_and_Apps-Windows-x86.exe in the installation package to install
2. Select the path to the license file provided by Fortify (the fotify_rule folder in the installation package, which contains fortify.license), then click 'NEXT'
3. Select the installation path, then click 'NEXT'
4. Select the components to install. Note that Fortify does not install IDE plugins by default; if you need an IDE plugin, select it as shown in the figure. Here I selected the plugins for Eclipse 3.x and VS2005 (the VS IDE must be installed before selecting the VS plugin), then click 'NEXT'
5. Click 'NEXT' again to complete the installation
6. Add the rule library: either download the latest rules online, or extract rules_ZH.rar from the fotify_rule folder in the installation package into Core\config\rules under the Fortify installation directory
7. After installation, change the system time to the year 2008 before the product can be used normally.

2.7. Installing the Fortify SCA Eclipse plugin
2.8. Installing Fortify SCA on Linux (requires the Linux installer)
2.9. Installing Fortify SCA on Unix (requires the Unix installer)

3. Usage
Fortify SCA scanning methods:
1. IDE plugin
2. Command line
3. Audit Workbench directory scan
4. Build tool integration (ant, makefile)
5. SCA build monitor (C/C++, Windows only)
The two most common methods, the IDE plugin and the command line, are described below.

3.1. Fortify SCA scanning guide
3.1.1 Scanning with the Eclipse plugin
1.1 First install the Fortify SCA plugin correctly (see the installation guide above). After a successful install the IDE shows an icon, as in the figure.
1.2 Import the project whose source code is to be security tested; after a successful import it appears in the Package Explorer on the right of the screen above.
1.3 Left-click the project and then click the icon to start the scan, or right-click the project and choose Analyze source code of project from the pop-up menu.
3.1.2 Scanning a directory with Audit Workbench
2.1 Start Audit Workbench from Start → All Programs → Fortify Software → Fortify 360 v2.0 → Audit Workbench; the interface is shown below.
2.2 Advanced Scan is recommended; select the directory to scan and click OK to start the scan.
3.1.3 Scanning from the command line
Java command line syntax
This topic describes the Fortify SCA command syntax for translating Java source code.
The basic Java command line syntax is:
sourceanalyzer -b <build-id> -cp <classpath> <>
For Java code, Fortify SCA can either emulate the compiler (convenient for build integration) or accept source files directly (convenient for command-line scanning).
Note: for all the options you can use with the sourceanalyzer command, see "Command-Line Options" on page 33.
To have Fortify SCA emulate the compiler, enter:
sourceanalyzer -b <build-id> javac [<compiler options>]
To pass files directly to Fortify SCA, enter:
sourceanalyzer -b <build-id> -cp <classpath> [<compiler options>] \
<files>|<>
where:
<compiler options> are the options passed to the compiler.
-cp <classpath> specifies the classpath to use for the Java source code. The classpath is a list of build directories and jar files. The format is the same one javac expects (a colon- or semicolon-separated list of paths). You can use Fortify SCA file specifiers:
-cp "build/classes:lib/*.jar"
Note: if you do not specify the classpath with this option, the CLASSPATH environment variable is used.
<files> | <> File specifiers let you pass a long list of files to Fortify SCA easily, using wildcards. Fortify SCA recognizes two kinds of wildcards: '*' matches part of a file name, and '**' matches directories recursively. You can specify one or more files, one or more file specifiers, or a combination of files and file specifiers.
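To see exactly which files a specifier such as "src/**/*.java" or "lib/*.jar" selects before handing it to sourceanalyzer, the Python below implements the two wildcard rules just stated over a constructed project tree. It is an added example, not Fortify's own matcher: '*' is confined to one path segment, '**' spans zero or more directory levels, and the file list, build id and paths are assumptions.

```python
"""Added example (not Fortify's code): expands Fortify-style file specifiers
using the two rules in the manual, '*' within one path segment and '**'
across directory levels, so the effect of a -cp value or a file specifier
can be checked offline. The project tree below is constructed."""
import re

# Constructed sample tree (relative, '/'-separated paths) standing in for a
# checked-out project; not taken from the manual.
PROJECT_FILES = [
    "src/com/example/MyServlet.java",
    "src/com/example/util/Helper.java",
    "src/web.xml",
    "lib/j2ee.jar",
    "lib/ext/commons-io.jar",
    "build/classes/com/example/MyServlet.class",
    "test/com/example/MyServletTest.java",
]


def spec_to_regex(spec):
    """Translate a Fortify-style specifier into an anchored regular expression."""
    parts = spec.split("/")
    out = []
    for i, part in enumerate(parts):
        last = i == len(parts) - 1
        if part == "**":
            out.append("(?:[^/]+/)*")          # zero or more whole directory levels
            if last:
                out.append("[^/]+")            # a trailing '**' takes any file below
        else:
            # '*' may not cross a '/'; everything else is taken literally.
            out.append("[^/]*".join(re.escape(p) for p in part.split("*")))
            if not last:
                out.append("/")
    return re.compile("".join(out))


def expand_spec(spec, files=PROJECT_FILES):
    """Files (in tree order) that one specifier, or one literal path, selects."""
    rx = spec_to_regex(spec)
    return [f for f in files if rx.fullmatch(f)]


def expand_classpath(cp, files=PROJECT_FILES, sep=":"):
    """Expand each -cp entry; entries without wildcards are kept verbatim,
    since a build directory such as build/classes is not itself a file."""
    entries = []
    for entry in cp.split(sep):
        if "*" in entry:
            entries.extend(expand_spec(entry, files))
        else:
            entries.append(entry)
    return entries


def translate_argv(build_id, cp, specs, files=PROJECT_FILES):
    """The argument list sourceanalyzer effectively works from after expanding
    quoted specifiers itself (without quotes, the shell would expand them)."""
    argv = ["sourceanalyzer", "-b", build_id, "-cp", ":".join(expand_classpath(cp, files))]
    for spec in specs:
        argv.extend(expand_spec(spec, files))
    return argv


if __name__ == "__main__":
    print(translate_argv("MyProject", "build/classes:lib/*.jar", ["src/**/*.java"]))
```

Note the difference between "src/*.java" (nothing, since no .java file sits directly in src) and "src/**/*.java" (every .java file under src at any depth) on the sample tree.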
Java command line examples
To translate a file named MyServlet.java with j2ee.jar on the classpath, enter:
sourceanalyzer -b MyServlet -cp lib/j2ee.jar MyServlet.java
To translate all .java files in the src directory, using all jar files in the lib directory as the classpath:
sourceanalyzer -b MyProject -cp "lib/*.jar" "src/**/*.java"
To translate the MyCode.java file while running the javac compiler:
sourceanalyzer -b mybuild javac -classpath libs.jar MyCode.java
Simple example of translating a J2EE project
Put all the project's files and libraries in one directory and run the following commands:
sourceanalyzer -Xmx1000m -b pName -encoding "UTF-8" -cp "**/*.jar"
sourceanalyzer -Xmx1000m -b pName -appserver weblogic -appserver-version 9 -appserver-home "d:\bea\weblogic\server\lib" -encoding "UTF-8" -cp "**/*.jar"
Translating JSP files
To translate JSP files, Fortify SCA requires the JSP files to follow the standard Web Application Archive (WAR) layout.