Fortify SCA 安装使用手册

安全编码规则包用户手册版本4.52007年4月Copyright © 2003-2007 Fortify® Software, Inc.7/24/07All Rights Reserved. Printed in the United States of America.Fortify Software, Inc.2300 Geng Road, Suite 102Palo Alto, California 94303Fortify Software, Inc.（以下简称“Fortify”）和许可证颁布者保留对此文档（以下简称“文档”）的一切所有权。

对文档的使用受适当的版权法支配。

Fortify可以在没有预先通知的情况下随时修改该文档。

此文档在没有任何类型保证的情况下按原样被提供。

对于从此文档中发现的任何错误所引起直接的、故意的、巧合的或导致严重后果的损害，Fortify决不会对此负责，包括在限制范围之外的任何损失或者对商业\利益、使用或数据造成的麻烦。

Fortify可以在没有预先通知的情况下保留对从最终产品得出的此文档中的任何细节和元素进行修改和删除的权利Fortify是Fortify Software, Inc.的注册商标。

在此文档中商标和产品名称是是他们的各自所有者的商标。

.Secure Coding Rulepacks User’s Guide目录Preface. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 Chapter 1: 安全编码规则包 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3介绍 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3安全编码规则包 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3漏洞分类. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4C/C++相关漏洞分类 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4.NET相关漏洞分类 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9ColdFusion相关漏洞分类. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13Java相关漏洞分类. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15SQL相关漏洞分类 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 Fortify分类方法. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25Input Validation and Representation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25API Abuse. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26Security Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27Time and State . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27Errors. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28Code Quality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .29Encapsulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .31Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31 Secure Coding Rulepacks User’s Guide iiiiv Secure Coding Rulepacks User’s GuidePreface本文档描述了安全代码规则包如果您对本文档的任何内容有疑问或者建议，请联系 Fortify Software :客户支持t650.213.5679techsupport@公司所在地2300 Geng RoadSuite 102Palo Alto, CA 94303650.213.5600contact@网址Secure Coding Rulepacks User’s Guide 12Secure Coding Rulepacks User’s GuideChapter 1: Secure Coding Rulepacks这份文档包含以下主题：•Introduction•Secure Coding Rulepacks•Vulnerability Categories•The Fortify Taxonomy介绍The Fortify Source Code Analyzer (Fortify SCA) 使用安全编码规则包作为分析依据。

fortify sca使用手册一、简介FortifySCA（SoftwareConfigurationAnalysis）是一款功能强大的软件配置分析工具，用于帮助用户有效地管理和维护软件配置。

本手册旨在为使用者提供FortifySCA的详细使用说明，以帮助用户更好地掌握该工具的使用方法。

二、安装与配置1.安装FortifySCA：首先，您需要从Fortify官方网站下载并安装FortifySCA软件。

确保在安装过程中正确配置系统环境，以便顺利运行该工具。

2.配置数据库：在安装完成后，您需要配置FortifySCA与数据库的连接。

根据您的数据库类型（如MySQL、Oracle等），按照手册中的说明进行设置。

3.配置其他参数：根据您的需求，您可能需要调整FortifySCA的其他参数，如扫描范围、扫描时间等。

请参考手册中的相关说明进行设置。

三、使用方法1.扫描项目：使用FortifySCA扫描项目前，请确保您已经将项目中的所有文件纳入配置管理，并正确配置了相关参数。

执行扫描后，FortifySCA将分析项目中的代码，并生成报告。

2.查看报告：扫描完成后，FortifySCA将生成一份详细的报告，用于展示代码中的安全漏洞和潜在风险。

请仔细阅读报告，并根据报告中的建议进行相应的修复。

3.修复漏洞：根据FortifySCA的报告，您可以针对发现的漏洞进行修复。

修复完成后，请再次执行扫描，以确保漏洞已被完全修复。

四、常见问题及解决方法1.扫描结果不准确：可能的原因包括代码库中存在遗漏的文件或目录，或者某些文件格式不被FortifySCA支持。

解决方法是确保项目中的所有文件均已纳入配置管理，并检查文件格式是否符合FortifySCA的要求。

2.报告生成缓慢：可能的原因包括数据库性能问题或扫描范围过大。

解决方法是优化数据库配置，或适当缩小扫描范围以减少分析量。

五、维护与更新FortifySCA是一款持续优化的软件工具，我们建议您定期更新至最新版本，以获取更多功能和性能优化。

Author: Vikas JohariDate: 12 February 2020 Document Version: v0.1Installing SSC 19.2.0 withMSSQL 2017 in Easy Steps onWindows 2016Fortify SCA 19.xDeployment GuideContentsContents (2)Introduction (3)Installation of MS SQL 2017 (3)Installation of MS SQL 2017 Management Studio (10)Creating Database for SSC (11)Creating the Tables for Fortify Components (13)Download and install JDK 1.8.x (15)Download and Install Tomcat 9.0.x service for Windows (16)Deploying JDBC Driver (20)Deploying SSC war file (21)IntroductionThis document will guide Pre-Sales and Partners to install SSC 19.2.0 in MS Windows 2016 with MS SQL 2017 Server Edition Database.The Hardware and Software requirements are given in the link -https:///documentation/fortify-software-security-center/1920/Fortify_Sys_Reqs_19.2.0/index.htm#SSC/SSC_Reqs.htm%3FTocPath%3DFortify%2520Software %2520Security%2520Center%2520Server%2520Requirements%7C_____0Install Windows 2016 and apply all the required patches.Installation of MS SQL 2017Mount the MS SQL 2017 Server ISO and run the installer.Click on Installation.In the Installation screen, select “New SQL Server stand-alone installation or add …..” Enter the Product key and click Next,Accept the license agreement, then click Next.Enable – Use Microsoft Upgrade to check for the updates”, then click Next.Let it complete the task.Enable the following features –•Database Engine Service•Client Tools Connectivity•Client Tools Backwards CompatibilityClick Next,If you want to change the Instance name, then change it else click Next to continue.In the server configuration screen, make sure SQL Server Agent, SQL Server Database Engine Startup Type is Automatic.Click on Collection -> Customize.Select “SQL_Latin1_General_CP1_CS_AS” click OK.Click Next.In the Database Engine Configuration, select Mixed Mode, enter the Password of user “sa” and also add the Windows Administrator user as well. Click Next.Click Next in Ready to Install screen.Wait till installation to complete.Verify all the components as install, then click Close.Open SQL Server Configuration Manager and validate the TCP/IP is enabled and it is configured with correct IP Address.Installation of MS SQL 2017 Management StudioDownload MS SQL 2017 Management Studio from https:///en-us/sql/ssms/download-sql-server-management-studio-ssms?view=sql-server-2017 and install.Click InstallWait till installation to complete.Click CloseCreating Database for SSCStart MS SQL Server Management Studio.Select Authentication to “SQL Server Authentication”, enter Login name as “sa” and its password, then click Connect.In the Object Explorer, expand the server, right-click on the Database, select New Database.Enter the database name as “FortifyDB” and change the Path of Database and Log file as “C:\SQLDB” (optional).Click on "Options" in the left panel. In the Collection make sure "SQL_Latin1_General_CP1_CS_AS" is selected. This is a mandatory step else Seeds will not be uploaded in upcoming steps.Then Click OK.Validate the database has been created.Creating the Tables for Fortify ComponentsExtract “Fortify_19.2.0.zip" in a temporary folder named "C:\Fortify_Installer”Extract the “create-tables.sql” file from Fortify_SSC_Server_19.2.0.zip -> Fortify_19.2.0_Server_WAR_Tomcat.zip -> sql -> sqlserver.Open it in notepad++.Right Click on “FortifyDB” -> New Query.Paste the content of “create-tables.sql” into the Query and Execute.Verify that the Query executed successfully.Download and install JDK 1.8.xDownload and install JDK 1.8 from https:///technetwork/java/javase/downloads/jdk8-downloads-2133151.htmlSet the “JAVA_HOME” System Environment Variables to “C:\Program Files\Java\jdk1.8.0_201”Download and Install Tomcat 9.0.x service for WindowsDownload and install “32-bit/64-bit Windows Service Installer” of tomcat Windows Service from https:///download-90.cgiClick NextClick I Agree.Select the Options as above, then click Next.Make the changes as per the above screen, then click Next.Verify the JRE folder, click Next.Change the default install location, to “C:\Tomcat9”Note: This is a very important step, if the Tomcat install folder name has any spaces then SSC will give errors during the Vulnerability auditing.Click Install.Wait for the installation to complete. Click Finish.Start the Tomcat service and test the connection. By opening the port 8080 in the browser. Set the initial memory pool as 4096 and Maximum memory pool 4096 MB.In Log On, select “Local System account”, Then click OK.Optional: If SSC has to be running on a secure HTTP protocol then configure the tomcat to use HTTPS with a certificate and document the HTTPS port.Deploying JDBC DriverDownload the JDBC Driver v6.0 for MS SQL 2017 from https:///en-in/download/details.aspx?id=11774 , you can download "sqljdbc_6.0.8112.200_enu.tar.gz" file.Extract the downloaded file. Copy “sqljdbc42.jar” file to C:\Tomcat9\lib folder.Deploying SSC war fileCopy the ssc.war file to C:\Tomcat9\webapp folder. Then restart the tomcat service. Open the URL : http://ip:8080/ssc in Chrome.Click on ADMINISTRATORS link on the top right corner.It will ask to enter the Token.Open the init.token file from C:\Windows\System32\config\systemprofile\.fortify\ssc folder into notepad++.Note: In case of any issue in SSC installation process, you can open the ssc.log file in notepad++, it will be in "C:\Windows\System32\config\systemprofile\.fortify\ssc\logs" folder.Note: if you are using tomcat standalone version or running tomcat from the command line then the init.token will be in C:\Users\Administrator\.fortify\ssc folder. Similarly the logs file will found in"C:\Users\Administrator\.fortify\ssc\logs" folder.Copy the token key and past into ssc.Click SIGN IN.Note: This token will keep on changing until you complete the setup.Click Next.Click the UPLOAD button to select and upload the “fortify.license” file.Click Next and Create a folder named C:\GlobalSearchEnter the URL for Fortify SSC i.e. http://172.17.5.240:8080/ssc or :8080/ssc enable Global Search, enter “C:\GlobalSearch” in the text box click Next.Note: Do not use http://127.0.0.1:8080/ssc as SSC URL, it will create problems in later stages.Enter the DATABASE USERNAME as “sa” and its Password.In the JDBC URL asjdbc:sqlserver://172.17.5.240:1433;database=FortifyDB;sendStringParametersAsUnicode=false ORjdbc:sqlserver://127.0.0.1:1433;database=FortifyDB;sendStringParametersAsUnicode=false Test the connection.If test is successful then click Next.In the Seed, database BROWSE and select the file and click on SEED DATABASE in the below sequence – •Fortify_Process_Seed_Bundle-2019_Q3.zip•Fortify_Report_Seed_Bundle-2019_Q3.zip•Fortify_PCI_Basic_Seed_Bundle-2019_Q3.zip•Fortify_PCI_SSF_Basic_Seed_Bundle-2019_Q3.zipBrowse and select Fortify_Process_Seed_Bundle-2019_Q3.zip.Click SEED DATABASE.After the file was processed successfully, browse and select “Fortify_Report_Seed_Bundle-2019_Q3.zip”, then click SEED DATABASE.After the file was processed successfully, browse and select “Fortify_PCI_Basic_Seed_Bundle-2019_Q3.zip”, then click SEED DATABASE.Browse and select “Fortify_PCI_SSF_Basic_Seed_Bundle-2019_Q3.zip” After files are processed successfully, Click Next.Click Finish.Now you must Restart Tomcat service.Test the SSC ServerOpen the SSC Server URL (i.e. http://172.17.5.240:8080/ssc) and login as user “admin” with the password “admin”.SSC will ask you to change the password.Now Login as admin / new password.Click Administration.Conditional: if a Proxy setting is required to download rule packs then configure it in ADMINISTRATION -> Configuration -> Proxy.Click Rulepacks and then click on UPDATE FROM SERVER.In a few mins, all the Rules will be downloaded. Click CLOSE.Now SSC Server is ready to use.Note:This guide is not an official documentation by Micro Focus. Please read and refer to the official product documentation for additional information.< !! End of the Document !! >。

Fortify使⽤⼿册中国建设银⾏⽹上银⾏投资产品创新项⽬F o r t i f y使⽤⼿册总⾏信息技术管理部⼴州开发中⼼2008年6⽉修改记录本⽂档中所包含的信息属于机密信息，如⽆中国建设银⾏的书⾯许可，任何⼈都⽆权复制或利⽤。

?Copy Right 2008 by China Construction Bank ⽬录1、引⾔ (5)1.1⽬的 (5)1.2背景 (5)1.3定义 (5)1.4环境说明 (6)1.5提醒注意 (6)1.6相关要求 (7)２、安装FORTIFY (7)2.1进⼊F ORTIFY安装⽬录 (7)2.2输⼊LICENSE KEY:BAHODPERE9I9 (8)2.3选择ALL U SERS (9)2.4下⾯选项全部选中 (10)2.5选择N O选项 (11)３、使⽤FORTIFY (12)3.1进⼊源码⽬录执⾏SCA COMMANDLINE S CAN.BAT (12)3.2SCA COMMANDLINE S CAN.BAT的内容 (12)４、结果查询 (12)5、可能的问题 (14)6、结果分析 (15)6.1R ACE C ONDITION (15)6.2SQL I NJECTION (16)6.3C ROSS-S ITE S CRIPTING (16)6.4S YSTEM I NFORMATION L EAK (18)6.5HTTP R ESPONSE S PLITTING (18)1、引⾔1.1⽬的提⾼中⼼项⽬软件安全意识转达总⾏关于软件安全编码及测试的相关要求了解、学习fortify SCA的使⽤1.2背景⽹银投资产品创新项⽬⽂档。

1.3定义Fortify Source Code Analysis Suite是美国Fortify Software为软件开发企业提供的软件源代码安全漏洞扫描、分析和管理的⼯具。

使⽤该⼯具能弥补软件开发⼈员、安全⼈员和管理⼈员在源代码⽅⾯的安全知识不⾜，加速代码安全审计和⽅便软件安全风险的管理。

Fortify SCA验收方法及操作流程本次将要验收的软件源代码安全漏洞检测产品——Fortify SCA，是由美国Fortify公司生产的产品，版本为Fortify 360_V2.1_SCA，产品为正版合格产品，有厂商正版授予的产品使用授权（纸制）。

产品的各项功能指标应与《Fortify SCA 产品功能详细说明》中一致，同时应能够满足我方提出的产品功能的各项需求。

为了能够顺利地对Fortify SCA进行验收，将验收内容分为如下几个方面：一、F ortify SCA 产品安装介质验收：由厂商/代理商提供的Fortify SCA产品的安装介质（光盘）应含如下内容：Fortify360_V2_SCA产品验收清单1.Fortify 360_V2_SCA安装软件列表验收清单：2. F ortify 360_V2_SCA产品技术文档:我方技术人员在检查安装介质（光盘）中内容完全与上表内容一致后，方为验收通过。

二、F ortify SCA 厂商产品使用授权（纸制）验收：检验是否有Fortify厂商授权我方的产品使用授权书（纸制）。

确保我方合法使用Fortify SCA正版产品，方为验收通过。

三、F orify SCA 产品使用License文件验收：检验并确保厂商/代理商提供的Fortify SCA产品License文件是可用的，能够正确地驱动Fortify SCA产品正常使用，方为验收通过。

四、F ortify SCA 产品验收测试环境准备：Fortify SCA 产品测试环境需要准备如下内容：硬件准备：CPU主频>= 1G, 内存>= 2G 硬盘（系统盘可用空间）：>=2G 软件准备：操作系统：Windows, Radhat Liunx, AIX 5.3 ,HP Unix 11 任一皆可。

推荐使用Windows XP 系统。

开发环境：VS2005/2003, VC6.0，Eclipse2.X，Eclipse3.X ，RAD6 ，WSAD 5 任一皆可。

Fortify SCA安装使用手册编号：GRG _YT-RDS-PD-D03_A.0.1版本：V1.0发布日期：2011-5-5文档历史记录编号与名称版本发布日期创建/修改说明参与人员版权声明本软件产品（包括所含的任何程序、图像、文档和随附的印刷材料），以及本软件产品的任何副本的产权和著作权，均属广州广电运通金融电子股份有限公司所有。

您不得使用任何工具或任何方式对本软件产品进行反向工程，反向编译。

未经广州广电运通金融电子股份有限公司许可，您不得以任何目的和方式发布本软件产品及任何相关资料的部分或全部，否则您将受到严厉的民事和刑事制裁，并在法律允许的范围内受到最大可能的民事起诉。

目录文档历史记录 (II)1. 产品说明 (9)1.1.特性说明 (10)1.2.产品更新说明 (10)2. 安装说明 (10)2.1.安装所需的文件 (11)2.2.F ORTIFY SCA支持的系统平台 (11)2.3.支持的语言 (11)2.4.F ORTIFY SCA的插件 (12)2.5.F ORTIFY SCA支持的编译器 (12)2.6.F ORTIFY SCA在WINDOWS上安装 (13)2.7.F ORTIFY SCA安装E CLISPE插件 (14)2.8.F ORTIFY SCA在LINUX上的安装(要有LINUX版本的安装文件) (14)2.9.F ORTIFY SCA在U NIX上的安装(要有U NIX版本的安装文件) (15)3. 使用说明 (15)3.1.F ORTIFY SCA扫描指南 (16)3.2.分析F ORTITFY SCA扫描的结果 (21)4．故障修复 (25)4.1使用日志文件去调试问题 (26)4.2转换失败的信息 (26)4.3JSP的转换失败 (26)4.4C/C++预编译的头文件 (27)前言Fortify SCA是目前业界最为全面的源代码白盒安全测试工具，它能精确定位到代码级的安全问题，完全自动化的完成测试，最广泛的安全漏洞规则，多维度的分析源代码的安全问题。

Deployment GuideInstallation and Configuration of Scan Central on Fortify 20.1.0 Fortify SSC 20.xAuthor: Vikas JohariDate: 01 August 2020Document Version: v0.1ContentsContents (2)Installing ScanCentral Controller (3)Configuring ScanCentral in SSC (8)Configuring ScanCentral Sensor (10)Configuring the ScanCentral Client (13)Running a Simple Sample Scan using Build Tool (14)Running a Sample Scan from Visual Studio 2019 (15)Configuring Jenkins Project to use ScanCentral (20)Running a Sample Scan and uploading to SSC (23)Installing ScanCentral ControllerIn the Download folder extract ScanCentral Controller zip file.Unzip the Fortify_ScanCentral_Controller_20.1.0_x64.zip.Move the "Fortify_ScanCentral_Controller_20.1.0_x64" folder to C:\Program Files\Fortify folder.Open the folder.Open server.xml of tomcat\conf folder in Notepad++.Note: In this server SSC and Jenkins is already running on port 8080 so, we need to change port of ScanCentral components i.e. 8280 else there will be a port conflict.Find the server port 8005, and change it to 8205.Find the port Connector port 8080 and change it to 8280.Note: In case you are planning to use SSL Port then make sure port 8443 is also change to some other non conflicting port.Save the file.Open the C:\ProgramFiles\Fortify\Fortify_ScanCentral_Controller_20.1.0_x64\tomcat\webapps\scancentra l-ctrl\WEB-INF\classes\config.properties file in Notepad++.Locate and fix the URLs.Save the File.Open CMD in ScanCentral_Controller's tomcat\bin folder. Make sure CMD is having Adminstrator privilidge.Run the command –> service.bat install ScanCentralControllerOpen services.mscFind the new Apache Tomcat 9.0 ScanCentralController service.Make this service Automatic (Delayed Start).In Log On, change to "Local System account" and Enable "Allow service to interact with desktop".Start the service.Start the Browser and connect to port 8280. The URL will be :8280/scancentral-ctrlThis message indicates that Fortify ScanCentral Controller is working. Configuring ScanCentral in SSCNow open SSC and login as admin.Open Administration -> Configuration -> ScanCentral.Enable the ScanCentral.In the ScanCentral URL: :8280/scancentral-ctrlThe Poll Period: 30 secondsShared Secret: changemeClick Save.Note: if you want to use different Shared Secret then make the changes in the below file –Restart SSC's Tomcat.Login into SSC and click on SCANS -> Controller.Validate that the information from the config file displays in the screen.Configuring ScanCentral SensorNow configure the Sensor –Create a file as "C:\ProgramFiles\Fortify\Fortify_SCA_and_Apps_20.1.0\Core\config\worker.properties" and enter the text as above.Note: if you want to change the different token then you need to first change in the controllerconfig.properties file then on worker.properties.Go to the folder "C:\ProgramFiles\Fortify\Fortify_SCA_and_Apps_20.1.0\bin\scancentral-worker-service" open CMD as Administrator.Create a folder named C:\ScanCentralWorkdirThe command will be -setupworkerservice.bat 20.1.0 :8280/scancentral-ctrl CHANGEME123!Type "Y" and hit Enter key.Open Services.mscOpen Properties of the FortifyScancentralWorkerServiceSet the Startup type as "Automatic (Delayed Start).In Log On -> Local System account and Allow service to interact with desktop. Click OK and Start the Service.Open SSC go to SCANS -> Sensors.Check the State of it.The Active State indicates that the sensor is running fine.Configuring the ScanCentral ClientOpen the "C:\ProgramFiles\Fortify\Fortify_SCA_and_Apps_20.1.0\Core\config\client.properties" and update the client_auth_token value as per the C:\ProgramFiles\Fortify\Fortify_ScanCentral_Controller_20.1.0_x64\tomcat\webapps\scancentra l-ctrl\WEB-INF\classes\config.properties file.Running a Simple Sample Scan using Build ToolChange the folder toC:\Program Files\Fortify\Fortify_SCA_and_Apps_20.1.0\plugins\maven\maven-plugin-src\samples\EightBall using CMD to test ScanCentral client.Run the below command to use mavan as build tool –scancentral -url :8280/scancentral-ctrl start -bt mvnWait for the message "Submitted job and received token: .."Go back to SSC -> SCANS -> Scan Requests.Validate the Build ID and Job token and Status of the job. Wait for few min let it to complete.can be download from EXPORT dropdown.The FPR file can be opened in AWB.Running a Sample Scan from Visual Studio 2019Open Riches DotNet Solution in Visual Studio 2019 -> Extensions -> Fortify -> Options -> ScanCentralSettings.Configure the ScanCentral Settings.Open SSC -> Administration -> Users -> Token Management.Click New.Select the ScanCentralCtrlToken, enter a description, click Save.Copy and Save the Tokens in the safe place. Click Close.Create a new version "5.0" for Visual Studio of Riches DotNet Application. The FPR file from Visual Studio's ScanCentral will be uploaded on version 5.0.Go back to Visual Studio.Enable the Send Scan Results to SSC and enter the Controler Token. Click OK.Extensions -> Fortify -> Upload Solution to ScanCentral.Enter the credentials of SSC and click OK.Select 5.0, click OK.The plugin will display the confirmation along with the Job token. Click OK to close the window. Open SSC -> SCANS -> Scan Requests.The RichesDotNet job will appear in few seconds, hit Fefresh if it is not visible.Wait for it to complete.ScanCentral will upload the FRP into the Application version. Validate in the application version -> Artifact.FPR file will be uploaded there.Configuring Jenkins Project to use ScanCentralIn SSC, create a new version "6.0" of Riches DotNet Application.Open Jenkins -> Manage Jenkins -> Configure System, scroll down to the end of the page.Validate that the SSC URL is configured and Controller URL is blank and non editable. Because this plugin expects the ScanCentral should be configured before configuring Jenkins plugin.Lets use the workaround.Remove the SSC URL, now Controller URL will be active, now enter the Controller URL, Controller Token and then SSC URL.Test SSC Connection and Test Controller Connection.Click Save.Create a new Jenkins Project named "Riches DotNet via ScanCentral", and select Copy from "Riches DotNet via GitLab" Project. This option is in the bottom of the screen.In the Post Build Action -> Fortify Assessment, select the below options –Save and run the Project.If everything goes well then the Scan job will be submitted to ScanCentral and the token will be received.Note: The logic gate will not work with ScanCentral, that’s why option for Logic Gate will be missing at this point and you will need to create them later in the software lifecycle. Since the goal with ScanCentral is to perform asynchronous scans in a way that the build pipeline does not have to wait for it to finish.Now check the Scan Requests in SSC –version.Running a Sample Scan and uploading to SSCCreate a new Application named "WebGoat for ScanCentral" version "5.0".Run the fortifyclient command to extract the list of application -fortifyclient -url :8080/ssc -authtoken db796568-9a96-4611-82d9-9a9954902087 listApplicationVersionsNote: The token generated in section "Running a Sample Scan from Visual Studio 2019" should be used.Create the build using –cd "C:\ProgramFiles\Fortify\Fortify_SCA_and_Apps_20.1.0\Samples\advanced\webgoat"sourceanalyzer -b WebGoat_via_ScanCentral -cleansourceanalyzer -b WebGoat_via_ScanCentral -source 1.5 -cp"WebGoat5.0/WebContent/WEB-INF/lib/*.jar" WebGoat5.0/JavaSourceWebGoat5.0/WebContentSubmit the scan using –scancentral -url :8280/scancentral-ctrl start -upload –-application "WebGoat for ScanCentral" --application-version "5.0" -bWebGoat_via_ScanCentral -uptoken db796568-9a96-4611-82d9-9a9954902087 -scan -Xmx2GScan is submitted to ScanCentral -Validate the Scan in Scan Requests. When status changed to "Upload Completed"< !! End of the Document !! >。

Fortify SCA源代码应用安全测试工具快速入门手册文档版本：v1.0发布日期：2022-11深圳市稳安技术有限公司*************************Fortify SCA源代码应用安全测试工具快速入门手册Fortify SCA（Static Code Analyzer）是Micro Focus公司旗下的一款静态应用程序安全性测试(SAST) 产品，可供开发团队和安全专家分析源代码，检测安全漏洞，帮助开发人员更快更轻松地识别问题并排定问题优先级，然后加以解决。

Fortify SCA支持27种编程语言：ABAP/BSP、Apex，、C/C++、C#、Classic ASP、COBOL、ColdFusion、CFML、Flex/ActionScript、Java、JavaScript、JSP、Objective C、PL/SQL、PHP、Python、T-SQL、、VBScript、VB6、XML/HTML、Ruby、Swift、Scala 、Kotlin 、Go，能够检测超过1051个漏洞类别，涵盖一百多万个独立的API。

一、安装Fortify SCA源代码应用安全测试工具1、创建华为云服务器ECS1.1、主机配置建议：1.2、操作系统支持：1.3、网络配置安全组规则配置要求：1.3.1、Linux系统：22端口(SSH登录管理)1.3.2、Windows系统：3389端口(Windows RDP)1.4、安装操作系统通过VNC或CloudShell远程登录平台服务器，根据需求选用合适的镜像安装操作系统。

1.5、代码编译环境准备以下几种语言扫描需要准备相应的编译环境，代码需要在可通过编译的情况下扫描：a)C#，，b)C/C++ on Windows or Linuxc)iPhone App用户需要根据代码安装相应的编译环境，并确保需要扫描的代码能够通过编译。

2、安装Fortify SCA2.1、上传安装包完成产品购买后，根据扫描主机的操作系统，从MicroFocus下载平台下载对应的安装文件压缩包，然后解压出安装文件上传至云服务器。