
[Security Testing] [Fortify] Using Fortify from the command line

2022-09-26 16:39 码上起舞

I. Java source scanning

The source tree to scan is D:\workspace

1. Open a Command Prompt

2. Clear the cache left by the previous scan (one build ID per project)

sourceanalyzer -b SCG-AuthCenter -clean

sourceanalyzer -b DMC -clean

3. Translate (compile) the source code

sourceanalyzer -encoding UTF-8 -Xmx1024M -b DMC -cp D:\workspace\libs\*.jar -source 1.8 "D:\workspace\src\main\java\**\*.java"

4. Run the analysis and generate the FPR file

sourceanalyzer -Xmx1200M -b DMC -scan -f DMC.fpr

5. Generate a PDF report

BIRTReportGenerator -template "CWE Top 25 2019" -format pdf -output test.pdf -source DMC.fpr -showSuppressed --Version "DISA STIG 3.9" -UseFortifyPriorityOrder

6. Open test.pdf and review the results summary


II. C/C++ source scanning

Example 1: source tree fortify-example

sourceanalyzer -b fortify-example make

sourceanalyzer -b fortify-example -scan -f fortify-example.fpr

Example 2: source file sample/sample.cpp

cd sample
sourceanalyzer -b sample-cpp -clean
sourceanalyzer -b sample-cpp g++ sample.cpp
-or-
sourceanalyzer -b sample-cpp make

sourceanalyzer -b sample-cpp -scan -f sample.fpr

Open sample.fpr in Audit Workbench and switch the filter set in the upper left to "Security Audit View" to review the findings at each severity level.


III. Troubleshooting

1. If the scan does not work after wrapping make, pull the g++ command out of the makefile and run it on its own: sourceanalyzer -b sample-cpp g++ -c sample.cpp
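The Java and C/C++ steps above, chained into one fail-fast script, as an added example that is not from the original post: the sourceanalyzer and BIRTReportGenerator invocations are the ones shown on the page, run here from a Linux/macOS shell rather than the Windows Command Prompt the post uses, and BUILD_ID, the /workspace path and the DRY_RUN switch are assumed placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): the Fortify SCA steps above,
# clean -> translate -> scan -> report, as one fail-fast pipeline. Tool names
# and flags are those in the post; BUILD_ID, /workspace and DRY_RUN are assumed.
set -eu

BUILD_ID="${BUILD_ID:-DMC}"
SRC_DIR="${SRC_DIR:-/workspace}"          # the post uses D:\workspace
CLASSPATH_GLOB="${CLASSPATH_GLOB:-$SRC_DIR/libs/*.jar}"
JAVA_LEVEL="${JAVA_LEVEL:-1.8}"
TEMPLATE="${TEMPLATE:-CWE Top 25 2019}"
DRY_RUN="${DRY_RUN:-0}"                   # 1 = print the commands only

# Echo each command, then run it unless DRY_RUN=1; with set -e the
# pipeline stops at the first step that returns non-zero.
run_cmd() {
  printf '+ %s\n' "$*"
  [ "$DRY_RUN" = 1 ] || "$@"
}

# Step 2: discard the previous translation stored under this build ID.
fortify_clean() { run_cmd sourceanalyzer -b "$BUILD_ID" -clean; }

# Step 3 (Java): the quoted glob is passed through unexpanded so that
# sourceanalyzer resolves **/*.java itself, as in the post.
fortify_translate_java() {
  run_cmd sourceanalyzer -encoding UTF-8 -Xmx1024M -b "$BUILD_ID" \
    -cp "$CLASSPATH_GLOB" -source "$JAVA_LEVEL" "$SRC_DIR/src/main/java/**/*.java"
}
# Step 3 (C/C++): wrap the real build command, e.g.
#   fortify_translate_build make    or    fortify_translate_build g++ -c sample.cpp
fortify_translate_build() { run_cmd sourceanalyzer -b "$BUILD_ID" "$@"; }

# Step 4: analyse into an FPR, then confirm the file was actually written
# (an empty or missing FPR is the usual sign of a failed scan).
fortify_scan() {
  run_cmd sourceanalyzer -Xmx1200M -b "$BUILD_ID" -scan -f "$BUILD_ID.fpr"
  [ "$DRY_RUN" = 1 ] || [ -s "$BUILD_ID.fpr" ]
}
# Step 5: render the FPR as a PDF with the template used in the post.
fortify_report() {
  run_cmd BIRTReportGenerator -template "$TEMPLATE" -format pdf -output "$BUILD_ID.pdf" \
    -source "$BUILD_ID.fpr" -showSuppressed -UseFortifyPriorityOrder
}
# Whole Java pipeline; a non-zero exit means one of the steps failed.
fortify_java_pipeline() {
  fortify_clean && fortify_translate_java && fortify_scan && fortify_report
}
```

Run with DRY_RUN=1 first to check the assembled commands, then without it on a machine where the Fortify bin directory is on PATH.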