How to scan PL/SQL on Windows

Question

I’m trying to scan Oracle PL/SQL packages and can’t seem to get it to work.

I get the error message saying Fortify is “Unable to parse T-SQL” while trying to scan PL/SQL code.

Answer

When scanning on a Windows machine, Fortify defaults to scanning SQL code as T-SQL. To scan the files as PL/SQL, it is necessary to explicitly tell Fortify to interpret the SQL files as PL/SQL. There are several ways to accomplish this, so choose the method that best fits with your scanning environment.

  1. Property: The Fortify property com.fortify.sca.fileextensions.sql may be set to either TSQL or PLSQL as appropriate. This may be done in the standard fortify-sca.properties file or from the command line.

  2. Command-line: The SQL language may be set on the command line (or in Audit Workbench and IDE GUI interfaces that let you modify the command line) in two ways. First, using the -sql-language option with either TSQL or PL/SQL as the option value (note the slash in PL/SQL here, unlike the PLSQL value used by the property). For example:

     sourceanalyzer -b <build_id> -sql-language PL/SQL <files>
    

    Or the property may be set from the command line as discussed above:

     sourceanalyzer -b <build_id> -Dcom.fortify.sca.fileextensions.sql=PLSQL <files>
    
  3. IDE Plugins: The SQL language may also be set in the Visual Studio and Eclipse plugins. Select the Options menu item from the Fortify menu. In the options dialog, select “Default Project Settings” and the “Analysis Configuration” tab. On that tab is a dropdown box labeled “SQL Type.” Select PLSQL to scan PL/SQL code as shown below:

    [Screenshot: Eclipse Options, Default Project Settings, Analysis Configuration tab, with SQL Type set to PLSQL]

Additional Information

If the SQL code is in a file using file extensions that Fortify is not aware of, then properties must be set to associate the file extension with the SQL type. The details of how to do this are described in the technical note How to scan files with non-standard file extensions.

For example, to scan PL/SQL files with the .pck and .fnc file extensions, the following would need to be added to the fortify-sca.properties file:

com.fortify.sca.fileextensions.pck        = PLSQL
com.fortify.sca.fileextensions.fnc        = PLSQL
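Because the dialect is resolved from several layers (the Windows default of TSQL for .sql, then fortify-sca.properties, then -D and -sql-language on the command line), it is easy to fix .sql and still have .pkb or .fnc files silently skipped or parsed as T-SQL. The following pre-scan check is an added example, not Fortify's own code: it resolves the extension-to-dialect map from a properties body and a sourceanalyzer argument list, buckets the SQL-like files in a build, and prints the property lines still missing. The set of "SQL-like" extensions, the sample file list and properties text are constructed for the example, and the assumption that a later -sql-language or -D argument wins over an earlier one is mine, not documented on this page.

```python
"""Pre-scan check for Fortify SCA: given the active fortify-sca.properties and
the sourceanalyzer command line, decide which SQL dialect each SQL-like file
will be parsed as, and emit the property lines needed for files that would be
skipped or parsed as the wrong dialect.  Added example; not Fortify code."""
import os
import re

# Matches one com.fortify.sca.fileextensions.<ext>=<TYPE> line (or -D argument).
PROP_RE = re.compile(
    r"^\s*com\.fortify\.sca\.fileextensions\.([A-Za-z0-9_]+)\s*=\s*(\S+)\s*$")

# Extensions treated as "probably SQL".  Constructed list: .sql/.pck/.fnc come
# from the article, the rest are common PL/SQL conventions; extend for your code base.
SQL_LIKE_EXTENSIONS = {"sql", "pck", "fnc", "pks", "pkb", "prc", "trg"}


def parse_extension_map(properties_text):
    """Read every fileextensions property from a fortify-sca.properties body."""
    mapping = {}
    for line in properties_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#!":   # Java-properties comment lines
            continue
        m = PROP_RE.match(stripped)
        if m:
            mapping[m.group(1).lower()] = m.group(2).upper()
    return mapping


def effective_sql_map(properties_text, argv=(), default_sql_type="TSQL"):
    """Resolve extension -> dialect in the order the article describes:
    platform default for .sql (TSQL on Windows), then the properties file,
    then -D / -sql-language on the command line.  Assumption: among the
    command-line arguments, the later one wins."""
    mapping = {"sql": default_sql_type}
    mapping.update(parse_extension_map(properties_text))
    args = list(argv)
    for i, arg in enumerate(args):
        if arg.startswith("-D"):
            m = PROP_RE.match(arg[2:])
            if m:
                mapping[m.group(1).lower()] = m.group(2).upper()
        elif arg == "-sql-language" and i + 1 < len(args):
            # -sql-language takes TSQL or PL/SQL; normalise to the property spelling.
            mapping["sql"] = args[i + 1].upper().replace("/", "")
    return mapping


def audit_sql_files(filenames, mapping, wanted="PLSQL"):
    """Bucket SQL-like files by how the resolved map will treat them."""
    report = {"ok": [], "wrong_dialect": [], "unmapped": []}
    for name in filenames:
        ext = os.path.splitext(name)[1].lstrip(".").lower()
        if ext not in SQL_LIKE_EXTENSIONS:
            continue
        dialect = mapping.get(ext)
        if dialect is None:
            report["unmapped"].append(name)          # Fortify has no type for it
        elif dialect != wanted:
            report["wrong_dialect"].append(name)     # e.g. PL/SQL parsed as T-SQL
        else:
            report["ok"].append(name)
    return report


def fix_lines(report, wanted="PLSQL"):
    """Property lines that bring every flagged file into the wanted dialect."""
    exts = {os.path.splitext(n)[1].lstrip(".").lower()
            for n in report["unmapped"] + report["wrong_dialect"]}
    return [f"com.fortify.sca.fileextensions.{e} = {wanted}" for e in sorted(exts)]


if __name__ == "__main__":
    # Constructed sample: a Windows box whose properties file only maps .pck ...
    props = "# fortify-sca.properties\ncom.fortify.sca.fileextensions.pck = PLSQL\n"
    files = ["pkg/orders.pck", "pkg/orders.pkb", "fn/tax.fnc",
             "ddl/schema.sql", "README.md"]
    # ... and the command line from the article, which only fixes .sql.
    argv = ["-b", "plsql_build", "-sql-language", "PL/SQL"]
    resolved = effective_sql_map(props, argv)
    rep = audit_sql_files(files, resolved)
    for bucket, names in rep.items():
        print(f"{bucket:14s} {names}")
    print("add to fortify-sca.properties:")
    for line in fix_lines(rep):
        print("  " + line)
```

Run it before the real sourceanalyzer invocation with the same argument list; if the "unmapped" or "wrong_dialect" buckets are non-empty, append the printed lines to fortify-sca.properties (or pass them as -D arguments) and the "Unable to parse T-SQL" errors for those files should disappear.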

If errors are not resolved

If SQL parsing errors are still being reported after following the above steps, the guidance in this technical note should be followed to resolve the errors.
