How to scan applications using Modular Analysis

Question

How do I scan my application source using modular analysis?

Answer

Modular analysis is a feature of Fortify SCA for Java and Java EE that lets you scan custom libraries separately from your core project. You can then include the results of the library scans when you scan the core project, which produces a more accurate scan. This allows an application to be broken up into multiple scans without losing data flow information between the core project and the libraries. Note that separately-versioned libraries should be registered with OIS Software Assurance along with the calling application(s).

There are two steps involved in scanning application source using modular analysis:

Step 1 - Translating and scanning custom library source separately, for example:

sourceanalyzer -b LibA MyLibs/A/*.java
sourceanalyzer -b LibA -scan-module

Step 2 - Translating and scanning the core source, including the pre-scanned libraries from Step 1, for example:

sourceanalyzer -b MyProj MyProj/*.java
sourceanalyzer -b MyProj -scan -include-modules LibA

The library example uses the -scan-module option, which causes Fortify Static Code Analyzer to analyze the specified build ID as a separate module.

Note: Do not use the -scan-module option together with the -scan option in the same sourceanalyzer command.

The core source example uses the -include-modules option, which takes a comma- or colon-separated list of build IDs for libraries previously scanned as separate modules and includes them in the project scan.
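The two steps above, combined into one POSIX shell script, as an added example that is not part of the original article or of Fortify's own tooling. It assumes sourceanalyzer is on PATH (or its path is given in the SCA variable), that each library lives in its own directory (a second library LibB at MyLibs/B is constructed for the example), and it adds a guard that refuses any invocation combining -scan with -scan-module. Set DRY_RUN=1 to print the command lines instead of running them.

```shell
#!/bin/sh
# Modular analysis wrapper (added example; assumptions noted in the lead-in).
set -u
SCA="${SCA:-sourceanalyzer}"   # assumed: sourceanalyzer on PATH or given via SCA

# Return 1 if both -scan and -scan-module appear in the argument list.
check_scan_flags() {
    has_scan=0; has_module=0
    for arg in "$@"; do
        case "$arg" in
            -scan) has_scan=1 ;;
            -scan-module) has_module=1 ;;
        esac
    done
    if [ "$has_scan" -eq 1 ] && [ "$has_module" -eq 1 ]; then
        return 1
    fi
    return 0
}

# Print the command in DRY_RUN mode, otherwise execute it; reject the
# documented misuse of -scan together with -scan-module either way.
run() {
    if ! check_scan_flags "$@"; then
        printf 'refusing to run: -scan and -scan-module must not be combined\n' >&2
        return 1
    fi
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: translate a library's sources and scan it as a separate module.
scan_library_module() {
    build_id=$1; src_dir=$2
    run "$SCA" -b "$build_id" "$src_dir"/*.java
    run "$SCA" -b "$build_id" -scan-module
}

# Step 2: translate the core project and scan it with the pre-scanned modules.
# Arguments after the build ID and source directory are library build IDs;
# they are joined with commas, one of the separators -include-modules accepts.
scan_core_with_modules() {
    build_id=$1; src_dir=$2; shift 2
    modules=$(printf '%s,' "$@"); modules=${modules%,}
    run "$SCA" -b "$build_id" "$src_dir"/*.java
    run "$SCA" -b "$build_id" -scan -include-modules "$modules"
}

# Full workflow for the layout in the article plus a constructed LibB.
modular_scan() {
    scan_library_module LibA MyLibs/A
    scan_library_module LibB MyLibs/B
    scan_core_with_modules MyProj MyProj LibA LibB
}
```

Running `DRY_RUN=1 sh modular-scan.sh` after adding a final `modular_scan` line prints the four sourceanalyzer commands so they can be pasted into the scan-command artifacts required below; without DRY_RUN the same functions run the scans. Each library keeps its own build ID, so re-scanning one library does not require re-translating the others.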

Additional Information

If you use modular analysis to scan your application source, the OIS Software Assurance Office requires the following artifacts to be submitted in addition to the standard artifacts:

If the custom libraries are included with the application under the same application ID:

  1. Translation and scan commands used to scan each FPR

If the libraries are evaluated under separate application IDs, the main application requires the following artifacts:

  1. List of application IDs for the libraries included for the -include-modules option
    • Each library must be scanned with the same version of Fortify and the rulepacks as the main application
    • Each library must have received a PASS for the latest OIS Application Security Testing review
  2. Translation and scan commands used to scan each library
  3. Translation and scan commands used to scan the main application
