Which Fortify tool should I use to scan my application

Question

Fortify provides several tools to scan an application. Which one should I use for my application?

Answer

Fortify provides a variety of command-line, GUI, and build-environment tools to scan an application. For most applications there are several ways to perform the scan. All of the scan methods use the sourceanalyzer tool, so given the same inputs they all produce the same output. However, for compiled languages Fortify must be able to build the application, so it is critical to choose a tool that can perform the build.

The following tools are available to scan an application:

  • Command-line tools - The sourceanalyzer command-line tool can be used to scan any codebase, since all the other tools are built on it. It is a good choice for building scanning scripts that can be reused for consistent scans or integrated into development environments to automate scanning. The downside is that for some applications it can be difficult to work out the command-line options needed to scan the application successfully.
  • Scan Wizard - The Scan Wizard is a GUI tool that provides a step-by-step guide to creating a scanning script (either a batch file or a shell script). It facilitates use of the command-line tools and therefore keeps many of their advantages while reducing the difficulty of using sourceanalyzer directly. The Scan Wizard cannot be used to create scanning scripts for compiled languages for which Fortify does not have a built-in compiler (e.g., C/C++, Objective-C, Swift).
  • IDE Plugins - Fortify comes with plugins for Visual Studio and Eclipse. With the plugins, Fortify scans can be run from a menu item, and the plugin uses information from the Visual Studio solution or Eclipse project to help ensure a complete scan is performed.
  • Build Environment Integration - Fortify provides tools to integrate scans into many build environments: a plugin to integrate with Maven and an Ant task to integrate with Ant. Fortify can also be integrated directly with MSBuild, Makefile, and other build environments. The "touchless build adapter" can be used to work with these build environments without modifying the build files.
  • Audit Workbench - The primary purpose of this tool is to display and audit FPR files. It can also be used to perform scans through a series of questions that establish the codebase and how to scan it. This is similar to the Scan Wizard, except that the tool scans the application instead of producing a scanning script. It has similar limitations as to which languages it can scan.

The following table shows recommendations for which tool to use for each language supported by Fortify. More details about the tools and how to use them are included in the documentation provided with Fortify.

  • :heavy_check_mark: A recommended scanning tool for this language
  • :warning: This tool can be used to scan this language, but is not recommended
  • :no_entry: This tool should not be used to scan this language

| Language | IDE Plugin | Build Integration | Command-line | Scan Wizard | Audit Workbench | Notes |
|---|---|---|---|---|---|---|
| ABAP/BSP | :no_entry: | :no_entry: | :heavy_check_mark: | :heavy_check_mark: | :no_entry: | |
| ActionScript | :no_entry: | :no_entry: | :heavy_check_mark: | :heavy_check_mark: | :no_entry: | Please see How to scan Flex code for more information. |
| Apex | :no_entry: | :no_entry: | :heavy_check_mark: | :no_entry: | :no_entry: | |
| ASP.NET | :heavy_check_mark: (Visual Studio plugin) | :heavy_check_mark: | :heavy_check_mark: | :no_entry: | :warning: | The preferred tool is the Visual Studio plugin or the devenv build integration from the command line. |
| C# (.NET) | :heavy_check_mark: (Visual Studio plugin) | :heavy_check_mark: | :heavy_check_mark: | :warning: | :warning: | The preferred tool is the Visual Studio plugin or the devenv build integration from the command line. |
| C/C++ | :heavy_check_mark: (Visual Studio plugin) | :heavy_check_mark: | :heavy_check_mark: | :no_entry: | :no_entry: | If the code is Visual C++, the Visual Studio plugin should be used. If the code is not Visual C++, then either the scan should be integrated into the build or the touchless adapter should be used on the command line. Note that Visual C++ can also be scanned using Audit Workbench or the Scan Wizard, but this is not recommended. |
| Classic ASP | :no_entry: | :no_entry: | :heavy_check_mark: | :heavy_check_mark: | :warning: | |
| COBOL | :no_entry: | :no_entry: | :heavy_check_mark: | :no_entry: | :no_entry: | |
| ColdFusion CFML | :no_entry: | :no_entry: | :no_entry: | :no_entry: | :no_entry: | Current versions of Fortify SCA do not adequately support the ColdFusion language. The extenuating circumstances guidance should be followed for ColdFusion applications. |
| Go | :no_entry: | :no_entry: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | |
| HTML | :no_entry: | :no_entry: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | |
| Java | :heavy_check_mark: (Eclipse plugin) | :heavy_check_mark: | :warning: | :warning: | :warning: | IDE or build integration is preferred where available, as they handle the classpath and other dependencies better. The other tools will work, but take more developer intervention to get right. |
| JavaScript | :warning: (may be scanned as part of a larger project in one of the IDE plugins) | :no_entry: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | |
| JSP | :warning: (may be scanned as part of a Java project in Eclipse) | :no_entry: | :heavy_check_mark: | :warning: | :warning: | |
| Kotlin | :no_entry: | :no_entry: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | |
| MXML (Flex) | :no_entry: | :no_entry: | :heavy_check_mark: | :heavy_check_mark: | :no_entry: | Please see How to scan Flex code for more information. |
| Objective-C/C++ | :no_entry: | :heavy_check_mark: | :heavy_check_mark: | :no_entry: | :no_entry: | Must be scanned using xcodebuild on the command line on Mac OS X. Please see How to scan an iOS application for more information. |
| PHP | :no_entry: | :no_entry: | :heavy_check_mark: | :heavy_check_mark: | :warning: | |
| PL/SQL | :warning: (may be scanned as part of a larger project in one of the IDE plugins) | :no_entry: | :heavy_check_mark: | :heavy_check_mark: | :warning: | Please see How to scan PL/SQL on Windows for more information. |
| Python | :no_entry: | :no_entry: | :heavy_check_mark: | :heavy_check_mark: | :no_entry: | |
| Ruby | :no_entry: | :no_entry: | :no_entry: | :no_entry: | :no_entry: | Current versions of Fortify SCA do not adequately support Ruby. The extenuating circumstances guidance should be followed for Ruby applications. |
| Scala | :heavy_check_mark: | :no_entry: | :no_entry: | :no_entry: | :no_entry: | Must use the Scala translation plugin from Lightbend. |
| Swift | :no_entry: | :heavy_check_mark: | :heavy_check_mark: | :no_entry: | :no_entry: | |
| T-SQL | :warning: (may be scanned as part of a larger project in one of the IDE plugins) | :no_entry: | :heavy_check_mark: | :heavy_check_mark: | :warning: | |
| TypeScript | :heavy_check_mark: (see notes) | :heavy_check_mark: (see notes) | :heavy_check_mark: | :no_entry: | :warning: | TypeScript code may not be scanned by Fortify depending on how the scan is performed, and may need to be scanned independently. Please see How to scan TypeScript for more information. |
| VB.NET | :heavy_check_mark: (Visual Studio plugin) | :heavy_check_mark: | :heavy_check_mark: | :warning: | :warning: | The preferred tool is the Visual Studio plugin or the devenv build integration from the command line. |
| VBScript | :no_entry: | :no_entry: | :heavy_check_mark: | :no_entry: | :no_entry: | |
| Visual Basic (VB6) | :no_entry: | :no_entry: | :heavy_check_mark: | :heavy_check_mark: | :no_entry: | |
| XML | :warning: (may be scanned as part of a larger project in one of the IDE plugins) | :no_entry: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | |

Selecting a Tool

There are several criteria you should consider when choosing a scanning tool:

  • Language(s) in the application to be scanned
  • Regular build environment
  • Automation requirements
  • Scan repeatability

For compiled languages, Fortify must be able to build the code in order to scan it. If it cannot build the application, the scan will not be correct.

The first consideration when selecting a scanning method is: how do you normally compile your code?

  • If you normally compile using Visual Studio or Eclipse, the plugins for those tools are likely the best choice for scanning the code.
  • Similarly, if you use Ant, Maven, or Gradle, Fortify provides tools that integrate with those build environments, and this is likely the easiest path to scanning the code.
  • For other compiled languages (except Java), the scan options are limited. They must be scanned either by integrating sourceanalyzer into the build files or by using the "touchless build adapter" option with sourceanalyzer when scanning on the command line.
  • iOS applications must be scanned using xcodebuild on Mac OS X. Please see How to scan an iOS application for more details.

Most languages supported by Fortify, except those like C/C++ and Objective-C that depend on outside compilers, can be scanned either by creating a scanning script with the Scan Wizard or directly in Audit Workbench. Of the two, the Scan Wizard is likely the better option, as it produces a script that can be reused for scanning. In Audit Workbench the scanning options must be specified for each scan, which makes it easy to end up running the scan differently from one run to the next. This is especially true if you have many customizations beyond a default scan.

If you want to integrate Fortify into a larger automated build environment, you will likely need to work either with the command-line tools directly or with a scan script produced by the Scan Wizard as a starting point. Note that for this kind of automation, Fortify provides additional command-line tools to merge FPRs and perform other tasks that are otherwise available in the GUI tools.
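The following script is an added example, not part of this article or of Fortify's own tooling, of what a reusable command-line scan script of the kind described above looks like. It runs the three sourceanalyzer phases (clean, translate, scan) under one fixed build id, supports the "touchless" translation mode mentioned for C/C++, and exposes an FPR merge step for the automation case. The build id, output path and source directory are hypothetical placeholders; the sourceanalyzer options (-b, -clean, touchless, -scan, -f) are the standard ones, and the FPRUtility -merge form is given from memory of the SCA command-line tools, so check it against the help output of your installed version. With DRY_RUN=1 the script prints the commands it would run instead of executing them, which is useful for reviewing a scan configuration before committing it.

```shell
#!/bin/sh
# Reusable sourceanalyzer scan script (added example; not from the article or
# from Fortify). Assumes sourceanalyzer and FPRUtility are on PATH. BUILD_ID,
# OUT_FPR and SRC_DIR are hypothetical values; override them in the environment.
# With DRY_RUN=1 the commands are printed instead of executed, so the script can
# be reviewed (or diffed between runs) before it touches a real build.
set -eu

BUILD_ID="${BUILD_ID:-myapp}"             # one fixed id per application
OUT_FPR="${OUT_FPR:-results/myapp.fpr}"   # where the scan results land
SRC_DIR="${SRC_DIR:-src}"                 # source tree for non-compiled languages
DRY_RUN="${DRY_RUN:-0}"

# Execute a command, or only print it under DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Phase 1: drop any translated units left from an earlier run under the same
# build id, so a stale file from a previous checkout cannot end up in this scan.
clean_phase() {
  run sourceanalyzer -b "$BUILD_ID" -clean
}

# Phase 2: translate. Mode "source" hands sourceanalyzer the tree directly
# (interpreted languages); "build" wraps the real compiler/build command so
# Fortify observes every compilation; "touchless" does the same without editing
# the build files, which is the option the article describes for C/C++.
translate_phase() {
  mode="$1"; shift
  case "$mode" in
    source)    run sourceanalyzer -b "$BUILD_ID" "$SRC_DIR" ;;
    build|touchless)
      [ "$#" -gt 0 ] || { echo "$mode mode needs a build command" >&2; return 1; }
      if [ "$mode" = "touchless" ]; then
        run sourceanalyzer -b "$BUILD_ID" touchless "$@"
      else
        run sourceanalyzer -b "$BUILD_ID" "$@"
      fi ;;
    *) echo "unknown translate mode: $mode" >&2; return 1 ;;
  esac
}

# Phase 3: analyse the translated code and write the FPR.
scan_phase() {
  run sourceanalyzer -b "$BUILD_ID" -scan -f "$OUT_FPR"
}

# Whole pipeline: always clean, translate, scan, in that order, so every run
# starts from the same state regardless of what an earlier run left behind.
scan_all() {
  clean_phase
  translate_phase "$@"
  scan_phase
}

# Merge a second FPR (for example a separately scanned TypeScript subtree) into
# the main results file; the first argument is the primary whose audit state wins.
merge_fpr() {
  run FPRUtility -merge -project "$1" -source "$2" -f "$3"
}

# Only run the pipeline when invoked directly with a mode, for example:
#   DRY_RUN=1 BUILD_ID=myapp sh scan.sh touchless make
if [ "$#" -gt 0 ]; then
  scan_all "$@"
fi
```

Keeping the script under version control alongside the code is what makes scans repeatable: the build id, the translation command and any extra options are fixed in one place rather than retyped in Audit Workbench for each run, and a DRY_RUN diff shows exactly what changed between two scan configurations.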

References