[Security Testing] [Fortify] Using Fortify from the command line
2022-09-26 16:39 码上起舞
I. Java source code scan
Path of the code to scan: D:\workspace
1. Open a command prompt.
2. Clear the intermediate files left by the previous scan. Each -b build ID keeps its own translation cache, so clean the ID you are about to rebuild:
sourceanalyzer -b SCG-AuthCenter -clean
sourceanalyzer -b DMC -clean
3. Translate (compile) the source. -cp points at the dependency jars, -source sets the Java language level, and the quoted ** glob is expanded by sourceanalyzer itself:
sourceanalyzer -encoding UTF-8 -Xmx1024M -b DMC -cp D:\workspace\libs\*.jar -source 1.8 "D:\workspace\src\main\java\**\*.java"
4. Run the analysis and write the FPR file:
sourceanalyzer -Xmx1200M -b DMC -scan -f DMC.fpr
5. Generate the PDF report. -showSuppressed puts issues that were suppressed during audit back into the report; --Version selects the standard version for templates such as DISA STIG and is not needed for the CWE Top 25 2019 template, whose year is part of its name:
BIRTReportGenerator -template "CWE Top 25 2019" -format pdf -output test.pdf -source DMC.fpr -showSuppressed --Version "DISA STIG 3.9" -UseFortifyPriorityOrder
6. Open test.pdf and review the summary statistics.
II. C/C++ source code scan
Example 1: source in fortify-example. sourceanalyzer wraps the build, records the compiler invocations make issues, and translates those files:
sourceanalyzer -b fortify-example make
sourceanalyzer -b fortify-example -scan -f fortify-example.fpr
Example 2: source in sample/sample.cpp
cd sample
sourceanalyzer -b sample-cpp -clean
sourceanalyzer -b sample-cpp g++ sample.cpp
-or-
sourceanalyzer -b sample-cpp make
sourceanalyzer -b sample-cpp -scan -f sample.fpr
Open sample.fpr in Audit Workbench and switch the filter set in the top-left corner to Security Audit View to see the issues grouped by severity.
III. Troubleshooting
1. If there is nothing to scan after running make (sourceanalyzer only translates compiler invocations it recognizes, so a Makefile that reaches g++ through a wrapper or an unexpected name leaves the build ID empty), take the g++ command out of the Makefile and run it under sourceanalyzer directly: sourceanalyzer -b sample-cpp g++ -c sample.cpp. Before scanning, sourceanalyzer -b sample-cpp -show-files lists the files that were actually translated.
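The same clean, translate, scan, report sequence is used for the Java section and the C/C++ section above, and the troubleshooting note describes its one common failure mode: a build ID that contains no translated files. The following POSIX sh driver is an added example, not code from the original post or from Fortify; it assumes sourceanalyzer and BIRTReportGenerator are on PATH, that -show-files prints one translated source path per line, and uses the post's build IDs and placeholder paths that must be adapted. It checks the translation result before spending time on -scan.

```shell
#!/bin/sh
# Added example (not from the original post): drive the Fortify SCA command-line
# pipeline clean -> translate -> verify -> scan -> report for one build ID, for
# both the Java (-cp/-source) and the C/C++ (wrapped compiler or make) cases.
# Assumptions, not stated in the post: sourceanalyzer and BIRTReportGenerator are
# on PATH; `sourceanalyzer -b <id> -show-files` prints one translated source path
# per line; the build IDs, paths and report template are placeholders.

FORTIFY_SCA="${FORTIFY_SCA:-sourceanalyzer}"
REPORT_GEN="${REPORT_GEN:-BIRTReportGenerator}"

# Count source files in `-show-files` output read from stdin.
# grep -c exits 1 when nothing matched, so force a 0 status for the caller.
count_translated() {
  grep -c -E '\.(java|c|cc|cpp|cxx)$' || true
}

# Gate the scan: succeed only if at least one source file was translated.
# This is the empty-build-ID symptom from the troubleshooting note.
check_translation() {
  n=$(count_translated)
  if [ "$n" -eq 0 ]; then
    echo "no source files were translated; nothing to scan" >&2
    return 1
  fi
  echo "$n source file(s) translated"
}

# fortify_scan BUILD_ID OUT.fpr -- <translate arguments>
#   Java:  fortify_scan DMC DMC.fpr -- -encoding UTF-8 -cp 'libs/*.jar' -source 1.8 'src/main/java/**/*.java'
#   C/C++: fortify_scan sample-cpp sample.fpr -- g++ -c sample.cpp
#          fortify_scan sample-cpp sample.fpr -- make
fortify_scan() {
  build_id="$1"; fpr="$2"; shift 2
  [ "$1" = "--" ] && shift
  "$FORTIFY_SCA" -b "$build_id" -clean                 # step 2: drop the old cache
  "$FORTIFY_SCA" -Xmx1024M -b "$build_id" "$@"         # step 3: translate
  if ! "$FORTIFY_SCA" -b "$build_id" -show-files | check_translation; then
    echo "hint: if make was used, run the compiler line from the Makefile directly," >&2
    echo "      e.g. $FORTIFY_SCA -b $build_id g++ -c sample.cpp" >&2
    return 1
  fi
  "$FORTIFY_SCA" -Xmx1200M -b "$build_id" -scan -f "$fpr"   # step 4: analyse
}

# Step 5: render a PDF from the FPR. Suppressed issues stay out of the report
# unless the caller passes -showSuppressed explicitly, as the post's command does.
fortify_report() {
  fpr="$1"; pdf="$2"; shift 2
  "$REPORT_GEN" -template "CWE Top 25 2019" -format pdf -source "$fpr" -output "$pdf" \
    -UseFortifyPriorityOrder "$@"
}

# Only touch a real installation when explicitly asked (placeholder paths).
if [ "${FORTIFY_RUN:-0}" = 1 ]; then
  fortify_scan DMC DMC.fpr -- -encoding UTF-8 -cp 'libs/*.jar' -source 1.8 'src/main/java/**/*.java' \
    && fortify_report DMC.fpr DMC.pdf -showSuppressed
fi
```

Run it with FORTIFY_RUN=1 from the project root; a failed translation stops the script before the scan step and prints the same fallback the troubleshooting note recommends, instead of producing an empty FPR that looks like a clean result.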