How to scan an iOS application

Question

How do I scan an iOS/Objective-C/Swift application with Fortify?

Answer

For iOS apps, Fortify must be able to build the code to scan it. If it can’t build the application, it won’t scan correctly.

iOS apps must be scanned on a computer running Mac OSX, because Fortify needs to have access to the build environment and dependencies so it can build the application during the translation phase of the scan. Fortify integrates with Xcode using XCodeBuild to build the application during the translation phase.

Before translating the project, first verify that the application builds successfully with XCodeBuild on its own. The relevant compiler options can be found in the XCodeBuild documentation. For example, the project to build is specified with the -project option:

xcodebuild -project my_iOS_project [<compiler_options>]

Perform clean operations for both the XCodeBuild project and the Fortify build_id:

xcodebuild [<compiler_options>] clean
sourceanalyzer -b <build_id> -clean

Next, perform the Fortify translation phase, using the same compiler options used when building the project previously with XCodeBuild:

sourceanalyzer -b <build_id> xcodebuild -project my_iOS_project [<compiler_options>]

Confirm there were no errors or warnings reported by Fortify during the translation phase before moving on. A successful scan depends on a successful translation.

After a successful translation phase, the scan phase can be initiated with the following command:

sourceanalyzer -b <build_id> -scan -f result.fpr

After the scan completes, confirm there were no errors or warnings reported by Fortify, as described here. If problems are encountered in either the translation or scan phase, rerunning that phase with a debug log file enabled can help identify the cause.
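The sequence above (verify the Xcode build, clean both the project and the Fortify build id, translate with the same options, then scan), as an added example script that is not part of the original article or of Fortify's own tooling. It stops at the first failing step and refuses to move on to the scan when the translation log contains error or warning lines. The project name, build id, the XCODE_FLAGS variable, the LOGDIR variable, and the case-insensitive "error|warning" match used to inspect the captured logs are all assumptions of this example, not documented Fortify behaviour; XCODEBUILD and SOURCEANALYZER can be pointed at other commands for a dry run.

```shell
#!/bin/sh
# Added example (not from the original article or from Fortify): drive the
# verify / clean / translate / scan sequence and stop at the first problem.
# Tool names can be overridden (for a dry run) by setting these variables.
XCODEBUILD="${XCODEBUILD:-xcodebuild}"
SOURCEANALYZER="${SOURCEANALYZER:-sourceanalyzer}"
# Compiler options must be identical for the plain build and the translation
# (assumed to be passed in XCODE_FLAGS; left unquoted so it word-splits).
XCODE_FLAGS="${XCODE_FLAGS:-}"

# Count lines in a captured log that look like errors or warnings.
# The case-insensitive "error|warning" pattern is an assumption about the
# log format, not a documented Fortify pattern.
count_log_problems() {
    grep -Eic 'error|warning' "$1" || true
}

# run_step NAME LOGFILE STRICT COMMAND...: run COMMAND, capture its output
# in LOGFILE, fail if it exits non-zero. With STRICT=yes, also fail when the
# log contains error/warning lines (the page requires a clean translation
# before scanning; plain xcodebuild output may carry benign compiler warnings,
# so that step is not checked strictly).
run_step() {
    name="$1"; log="$2"; strict="$3"; shift 3
    echo "== $name"
    "$@" >"$log" 2>&1 || { echo "$name failed (see $log)"; return 1; }
    if [ "$strict" = yes ]; then
        problems=$(count_log_problems "$log")
        [ "$problems" -eq 0 ] || {
            echo "$name reported $problems error/warning line(s) (see $log)"
            return 1
        }
    fi
}

# fortify_scan_ios PROJECT BUILD_ID [OUTPUT_FPR]
fortify_scan_ios() {
    project="$1"; build_id="$2"; out="${3:-result.fpr}"
    logdir="${LOGDIR:-.}"
    # 1. Verify the application builds with xcodebuild on its own.
    run_step "xcodebuild" "$logdir/xcodebuild.log" no \
        $XCODEBUILD -project "$project" $XCODE_FLAGS || return 1
    # 2. Clean both the Xcode project and the Fortify build id.
    run_step "xcodebuild clean" "$logdir/xcodebuild-clean.log" no \
        $XCODEBUILD -project "$project" $XCODE_FLAGS clean || return 1
    run_step "fortify clean" "$logdir/fortify-clean.log" yes \
        $SOURCEANALYZER -b "$build_id" -clean || return 1
    # 3. Translate, wrapping the very same xcodebuild command line.
    run_step "translate" "$logdir/translate.log" yes \
        $SOURCEANALYZER -b "$build_id" $XCODEBUILD -project "$project" $XCODE_FLAGS || return 1
    # 4. Scan only after a clean translation.
    run_step "scan" "$logdir/scan.log" yes \
        $SOURCEANALYZER -b "$build_id" -scan -f "$out" || return 1
    echo "Results written to $out"
}

# Typical use on the Mac that holds the Xcode project (placeholder names):
#   XCODE_FLAGS="-scheme MyApp -sdk iphoneos" fortify_scan_ios MyApp.xcodeproj my_ios_build result.fpr
```

Each step writes its full output to a log under LOGDIR, so when a step fails the file named in the failure message is the one to inspect (or to rerun with Fortify's debug logging enabled).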
