How to scan Apex code
Question
How do I scan Apex code using Fortify?
Answer
To scan your Salesforce application, you first must download two sets of information from your Salesforce app:
- The Apex code, consisting of .cls, .page and .trigger files. This can be downloaded with the Force.com Migration Tool provided by Salesforce.
- If you customized the Salesforce database, you must download a description of the changes using the sf_extractor.jar tool provided in the Fortify installation:
  - Locate the tool in <fortify_installation_dir>\Tools
  - Run the following command from the command line:
java -jar sf_extractor.jar <username> <password> <security_token> <org>
  - The result of running the command is a file named sobjects.json
Next, scan the application from the command line. This follows the phases that are part of any Fortify scan: clean, translate, and analyze. The translate step has a couple of arguments specific to an Apex scan.
Clean:
sourceanalyzer -b <buildid> -clean
Translate:
sourceanalyzer -b <buildid> -apex <source code directory>
If you needed to generate the sobjects.json file with the description of database changes, run this translate command instead:
sourceanalyzer -b <buildid> -apex -apex-sobject-path <path-to-sobjects.json> <source code directory>
Analyze:
sourceanalyzer -b <buildid> -scan -f results.fpr
The file results.fpr will contain your scan results.
Warnings
The translate phase may produce a number of Java exceptions that will show up in the Fortify scan as errors like:
- -1 Parse error at line […]
- -1 Error: cannot resolve […]
In general, these errors are likely a result of Fortify not supporting the current version of Apex and can be ignored. Those types of errors will not count against passing the ATO process. If the database description file, sobjects.json, was not generated or not included on the command line, doing so may fix some of the "cannot resolve" errors.
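The following script is an added example, not part of the original answer and not a Fortify-provided tool. It wraps the clean, translate and analyze sequence above, adds the -apex-sobject-path argument only when an sobjects.json path is supplied, and afterwards counts the two translate-phase error patterns named in the Warnings section so you can tell whether a missing sobjects.json is the likely cause of "cannot resolve" errors. It assumes sourceanalyzer is on PATH; the build id, directory names and log file name are placeholders, and DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example: drives the Fortify Apex scan described in the answer.
# Assumes sourceanalyzer is on PATH. Build ids and paths are placeholders.
set -eu

# Count the Apex source files (.cls, .page, .trigger) under a directory.
count_apex_files() {
    find "$1" -type f \( -name '*.cls' -o -name '*.page' -o -name '*.trigger' \) \
        | wc -l | tr -d ' '
}

# Print the translate command for a build id and source directory. The
# optional third argument is the path to sobjects.json; when present the
# command gains -apex-sobject-path, as in the answer above.
translate_cmd() {
    buildid=$1; srcdir=$2; sobjects=${3:-}
    if [ -n "$sobjects" ]; then
        printf 'sourceanalyzer -b %s -apex -apex-sobject-path "%s" "%s"\n' \
            "$buildid" "$sobjects" "$srcdir"
    else
        printf 'sourceanalyzer -b %s -apex "%s"\n' "$buildid" "$srcdir"
    fi
}

# Count translate-phase messages matching the patterns from the Warnings
# section. Usage: count_translate_errors <logfile> <parse|resolve>
count_translate_errors() {
    case $2 in
        parse)   grep -c 'Parse error at line' "$1" || true ;;
        resolve) grep -c 'Error: cannot resolve' "$1" || true ;;
        *)       echo "unknown error kind: $2" >&2; return 1 ;;
    esac
}

# Run clean, translate and scan. Usage:
#   run_scan <buildid> <source dir> [sobjects.json] [translate log]
# With DRY_RUN=1 the commands are printed rather than executed.
run_scan() {
    buildid=$1; srcdir=$2; sobjects=${3:-}; log=${4:-translate.log}
    n=$(count_apex_files "$srcdir")
    if [ "$n" -eq 0 ]; then
        echo "no .cls/.page/.trigger files under $srcdir" >&2
        return 1
    fi
    echo "found $n Apex source files under $srcdir"
    cmd=$(translate_cmd "$buildid" "$srcdir" "$sobjects")
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "sourceanalyzer -b $buildid -clean"
        echo "$cmd"
        echo "sourceanalyzer -b $buildid -scan -f results.fpr"
        return 0
    fi
    sourceanalyzer -b "$buildid" -clean
    # Keep the translate output so the error patterns can be counted later.
    sh -c "$cmd" 2>&1 | tee "$log"
    sourceanalyzer -b "$buildid" -scan -f results.fpr
    parse=$(count_translate_errors "$log" parse)
    resolve=$(count_translate_errors "$log" resolve)
    echo "translate parse errors: $parse, unresolved references: $resolve"
    # The answer notes that sobjects.json can clear some "cannot resolve"
    # errors; point that out when it was not supplied.
    if [ "$resolve" -gt 0 ] && [ -z "$sobjects" ]; then
        echo "hint: generate sobjects.json with sf_extractor.jar and re-run translate with -apex-sobject-path"
    fi
}

# Stand-alone use: ./apex_scan.sh <buildid> <source dir> [sobjects.json]
if [ "$#" -ge 2 ]; then
    run_scan "$@"
fi
```

The parse and resolve counts are printed for triage only; as the answer says, they do not count against the ATO process. Note that the sf_extractor.jar step, which this script does not run, takes the password and security token as command-line arguments, so they end up in shell history and are visible in the process list while it runs; clear the history entry or run it from a short-lived session.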