Source Code Scan

Erdemstar
2 min read · Aug 31, 2021

Hello. In this series I am working out how to scan source code with source code scanning tools, language by language and framework by framework. The articles so far use Fortify; as I find tools specific to other languages and technologies I will add them here as well.

SAST Tools

This section gives general information about the SAST tools I use in my work.

Fortify SCA (Source Code Analyzer)

Fortify SCA is a software security product that performs security scanning, and optionally code quality scanning, across many languages. Fortify first translates the source code of the application into an intermediate representation and then runs its analysis on that translated form rather than on the raw source. The vulnerabilities found during the scan are written to a Fortify Project Results file with the .fpr extension. To produce good results, Fortify relies on two things while scanning: the Software Security Content (its rules) and its analyzers.

Software Security Content : a knowledge base of rules (the Secure Coding Rulepacks) that Fortify uses to enforce secure coding standards during static analysis. The content is used in both the translation and the analysis stages.

Analyzer : Fortify SCA ships with 8 different analyzers, and each one detects a particular category of vulnerability. A few of them are as follows.

  • Buffer Analyzer : Detects buffer overflow vulnerabilities, where a read or write reaches beyond the memory area allocated for the buffer.
  • Configuration Analyzer : Looks for errors, weaknesses or policy violations in the application's deployment configuration files.
  • Null Pointer Analyzer : Detects null pointer dereferences, i.e. variables that may be null at the point where the code uses them.
  • Content Analyzer : Detects security issues and policy violations in HTML content.
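The .fpr that a scan produces can be read without the Fortify GUI, which is useful for pipeline gating and for a quick first triage. The script below is an added example, not code from this article or from Fortify, and it rests on assumptions you should check against an .fpr from your own installation: that an .fpr is a ZIP archive containing `audit.fvdl`, an XML file in the namespace `xmlns://www.fortifysoftware.com/schema/fvdl`, whose `Vulnerability` elements carry `ClassInfo` (Kingdom, Type, AnalyzerName) and `InstanceInfo` (InstanceSeverity, Confidence) children and a `SourceLocation` node for the primary location. The sample FVDL embedded in it is constructed, with made-up paths and scores; the analyzer names in it (dataflow, nullptr, buffer) are only there to show how findings map back to the analyzers listed above.

```python
"""Read a Fortify SCA results file (.fpr) and triage its findings.

Added example, not code from the article or from Fortify. Assumed .fpr
layout (verify against a real file): a ZIP holding audit.fvdl, whose
<Vulnerability> elements have <ClassInfo>, <InstanceInfo> and a
<SourceLocation path=... line=...> node.
"""
import os
import tempfile
import xml.etree.ElementTree as ET
import zipfile
from collections import Counter

FVDL_NS = "xmlns://www.fortifysoftware.com/schema/fvdl"  # assumed namespace


def _q(name):
    """Namespace-qualify an FVDL element name for ElementTree lookups."""
    return "{%s}%s" % (FVDL_NS, name)


def _text(parent, name, default=""):
    """Child text of `parent`, tolerating a missing parent or child."""
    return default if parent is None else parent.findtext(_q(name), default)


def load_findings(fpr_path):
    """Return one dict per <Vulnerability> in audit.fvdl inside the .fpr."""
    with zipfile.ZipFile(fpr_path) as zf:
        with zf.open("audit.fvdl") as fvdl:
            root = ET.parse(fvdl).getroot()
    findings = []
    for vuln in root.iter(_q("Vulnerability")):
        class_info = vuln.find(_q("ClassInfo"))
        inst_info = vuln.find(_q("InstanceInfo"))
        loc = vuln.find(".//" + _q("SourceLocation"))
        findings.append({
            "kingdom": _text(class_info, "Kingdom"),
            "type": _text(class_info, "Type"),
            "analyzer": _text(class_info, "AnalyzerName"),
            # Decimal scores; higher severity is worse, higher confidence
            # means the analyzer is more certain the finding is real.
            "severity": float(_text(inst_info, "InstanceSeverity", "0")),
            "confidence": float(_text(inst_info, "Confidence", "0")),
            "path": loc.get("path", "") if loc is not None else "",
            "line": int(loc.get("line", "0")) if loc is not None else 0,
        })
    return findings


def count_by_category(findings):
    """Count findings per (kingdom, type), as the audit view groups them."""
    return Counter((f["kingdom"], f["type"]) for f in findings)


def triage(findings, min_severity=3.0, min_confidence=4.0):
    """Findings to fix first: severe, and unlikely to be false positives.

    Low-confidence results are deferred for manual audit, not discarded.
    """
    return sorted(
        (f for f in findings
         if f["severity"] >= min_severity and f["confidence"] >= min_confidence),
        key=lambda f: (-f["severity"], -f["confidence"], f["path"], f["line"]),
    )


def _vuln_xml(kingdom, vtype, analyzer, severity, confidence, path, line):
    """Render one constructed <Vulnerability> element for the sample file."""
    return (
        f"<Vulnerability><ClassInfo><Kingdom>{kingdom}</Kingdom>"
        f"<Type>{vtype}</Type><AnalyzerName>{analyzer}</AnalyzerName></ClassInfo>"
        f"<InstanceInfo><InstanceSeverity>{severity}</InstanceSeverity>"
        f"<Confidence>{confidence}</Confidence></InstanceInfo>"
        f'<AnalysisInfo><Unified><Trace><Primary><Entry><Node isDefault="true">'
        f'<SourceLocation path="{path}" line="{line}"/>'
        f"</Node></Entry></Primary></Trace></Unified></AnalysisInfo></Vulnerability>"
    )


# Constructed sample audit.fvdl: three findings with made-up paths and scores.
SAMPLE_FVDL = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    f'<FVDL xmlns="{FVDL_NS}"><Vulnerabilities>'
    + _vuln_xml("Input Validation and Representation", "SQL Injection",
                "dataflow", 4.0, 5.0, "src/OrderDao.java", 42)
    + _vuln_xml("Code Quality", "Null Dereference",
                "nullptr", 2.0, 5.0, "src/OrderService.java", 17)
    + _vuln_xml("Input Validation and Representation", "Buffer Overflow",
                "buffer", 4.0, 2.0, "native/parse.c", 88)
    + "</Vulnerabilities></FVDL>"
)


def write_sample_fpr(path):
    """Write the constructed sample as a minimal .fpr (ZIP with audit.fvdl)."""
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("audit.fvdl", SAMPLE_FVDL)
    return path


def sample_findings():
    """Build the sample .fpr in a temp directory and load it back."""
    path = write_sample_fpr(os.path.join(tempfile.mkdtemp(), "sample.fpr"))
    return load_findings(path)


if __name__ == "__main__":
    findings = sample_findings()
    for (kingdom, vtype), n in sorted(count_by_category(findings).items()):
        print(f"{n:3d}  {kingdom} / {vtype}")
    print("fix first:")
    for f in triage(findings):
        print(f"  {f['type']} ({f['analyzer']}) at {f['path']}:{f['line']}")
```

Point `load_findings` at a real results file, such as the one produced by `sourceanalyzer -b <build-id> -scan -f results.fpr` after the translation step `sourceanalyzer -b <build-id> <build command>`, and adjust the thresholds to your own policy. The script reads the raw analyzer output only; an .fpr that has been audited in Audit Workbench also carries the auditors' annotations and suppressions (in a separate file inside the archive), which this example does not apply, so suppressed findings will still be counted.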

For more information, see Fortify's user guide: Link

System/Software Requirements : Fortify has hardware, operating system and language/framework dependencies that apply when the product is installed and when code is scanned. Screenshots of some of these dependencies are below.

[Screenshot: Server Requirements]
[Screenshot: Software Requirements]

The remaining dependencies are listed in Fortify's documentation: Link

Source Code Scanning

This section collects my articles on scanning source code for specific languages and frameworks.

.NET Core 3.1

  • .NET Core 3.1 scanning (Fortify): Link

.NET Framework 4.8

  • .NET Framework 4.8 scanning (Fortify): Link

Java

  • Java Source Code Scanning (Fortify) : Link

Android

  • Android Source Code Scanning (Fortify) : Link

iOS

  • iOS Source Code Scanning (Fortify): Link

C

  • soon

C++

  • soon

Python

  • soon

Go

  • soon

JavaScript

  • soon
