HP Fortify Experiences
I recently had an opportunity to work with the HP Fortify code analysis tool, and I thought I would note down some of my thoughts on it.
What is HP Fortify?
- HP Fortify is a static code analyzer that uses HP's proprietary technology to scan source code for security vulnerabilities.
- As per HP documentation, HP Fortify Source Code Analyzer (SCA) version 4.21 consists of six distinct analyzers –
  - Data Flow – tracks tainted data (user input, request parameters, file contents) from a source to a dangerous sink, e.g. SQL injection, XSS, path manipulation
  - Control Flow – potentially dangerous sequences of operations, e.g. a variable used before it is initialized or a resource used after it is released
  - Semantic – unsafe use of a function or API in isolation, e.g. deprecated or dangerous functions
  - Structural – flaws in the structure of the program, e.g. dead code
  - Configuration – issues in configuration files such as web.config
  - Buffer – buffer overflows and out-of-bounds access, mainly in C/C++ code
- The analyzers are the engines; what they look for comes from the Secure Coding Rulepacks, which HP updates independently of the SCA release. Custom rules can be added, but in practice the findings you see are whatever the current Rulepack version defines.
- The scanning tool (SourceAnalyzer.exe) can be launched in multiple ways –
  - Scan Wizard GUI tool, which generates a script that drives SourceAnalyzer.exe
  - Command line – SourceAnalyzer.exe with the parameters (a translate step that wraps the build, then a separate scan step)
  - HP Fortify Visual Studio plug-in (various other IDE and build plug-ins are available as well)
- A scan generates an .FPR (Fortify Project Results) file that can be viewed by a couple of tools –
  - HP Fortify Audit Workbench (desktop)
  - HP Fortify Software Security Center (web; also tracks results across scans and projects)
General Observations
- HP Fortify compiles the source code and converts it to a proprietary intermediate format (NST files) before launching the scan. This is a two-phase process: the translate phase produces the NST files under a build ID, and the scan phase consumes them, so a file that failed to translate is simply absent from the results rather than flagged.
- As part of the scan process, HP Fortify requires the ASP.NET pages to be precompiled before it runs the scan. Since Visual Studio does not precompile them by default, any errors raised while precompiling the ASP.NET pages abort the translation and HP Fortify will not launch the scan.
- HP Fortify does static analysis, so it does not take into account any web or app config setting that gets applied at runtime. The Configuration analyzer does flag issues in the web.config that is part of the project, but settings applied outside it (machine.config, IIS, deployment transforms) are invisible, and Data Flow findings are reported regardless of what the configuration would block at runtime.
- XML-based services or parsing code that accepts XML without restricting DTD processing and external entity resolution will throw a lot of XML External Entity Injection issues; validating the input against a schema alone does not clear them, because entities are expanded before validation.
- A single line of code that is reached from multiple paths is shown as multiple issues instead of just one: each distinct source-to-sink trace is a separate finding. Fixing the sink clears every trace that ends on it, so the issue count overstates the remediation work.
- There is no clarity on the prioritization of the issues – a line of code in one file could be tagged Critical while the same line in a different file could be High. Fortify Priority Order is derived from the category's Impact and a per-finding Likelihood that includes the analyzer's confidence in the specific trace, so two findings on the same sink can land in different buckets; the viewer shows the bucket but not the inputs behind it.
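To make the last observations concrete, here is an added example (not code from the original post, and not HP's) of the kind of ASP.NET handler that produces both the XXE findings and the duplicated issues described above: one XmlDocument sink reached from two request sources, beside a hardened version. It assumes .NET Framework with a System.Web reference; the class and method names and the payload are constructed for this illustration.

```csharp
using System;
using System.IO;
using System.Web;
using System.Xml;

// Added illustration, not code from the original post or from HP Fortify.
// Assumes an ASP.NET (.NET Framework) page handler; the class and method
// names and the sample payload below are constructed for this example.
public static class ProfileImport
{
    // VULNERABLE: on .NET Framework before 4.5.2 XmlDocument resolves external
    // entities by default, so a <!DOCTYPE> with a SYSTEM entity can read local
    // files or reach internal hosts. Fortify reports the LoadXml line once per
    // distinct taint trace: one from Request.Form, one from Request.QueryString.
    public static string LoadProfileUnsafe(HttpRequest request)
    {
        string xml = request.Form["profile"]            // source 1: POST body
                     ?? request.QueryString["profile"]; // source 2: query string
        if (string.IsNullOrEmpty(xml))
            return null;

        var doc = new XmlDocument();       // default XmlResolver, DTDs parsed
        doc.LoadXml(xml);                  // sink: both traces end here
        XmlNode name = doc.SelectSingleNode("/profile/name");
        return name == null ? null : name.InnerText;
    }

    // HARDENED: prohibit DTDs and null the resolver on both the reader and the
    // document. Fixing the sink clears every trace that ends on it, so the
    // duplicated issues disappear together even though they were counted twice.
    public static string LoadProfileSafe(HttpRequest request)
    {
        string xml = request.Form["profile"] ?? request.QueryString["profile"];
        if (string.IsNullOrEmpty(xml))
            return null;

        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit, // any <!DOCTYPE> is an error
            XmlResolver = null                      // never fetch external resources
        };
        try
        {
            using (var reader = XmlReader.Create(new StringReader(xml), settings))
            {
                var doc = new XmlDocument { XmlResolver = null };
                doc.Load(reader);
                XmlNode name = doc.SelectSingleNode("/profile/name");
                return name == null ? null : name.InnerText;
            }
        }
        catch (XmlException)
        {
            return null; // malformed or DTD-bearing input is rejected, not parsed
        }
    }

    // Constructed XXE payload for local experimentation (not real data).
    public const string SamplePayload =
        "<?xml version=\"1.0\"?>" +
        "<!DOCTYPE profile [<!ENTITY xxe SYSTEM \"file:///C:/Windows/win.ini\">]>" +
        "<profile><name>&xxe;</name></profile>";

    public static void Main()
    {
        // HttpRequest can be built stand-alone from a file name, URL and query string,
        // which is enough to exercise the QueryString source without IIS.
        var request = new HttpRequest("import.aspx", "http://localhost/import.aspx",
                                      "profile=" + Uri.EscapeDataString(SamplePayload));
        Console.WriteLine("unsafe: " + (LoadProfileUnsafe(request) ?? "<rejected>"));
        Console.WriteLine("safe:   " + (LoadProfileSafe(request) ?? "<rejected>"));
    }
}
```

Scanning this with Fortify lists LoadProfileUnsafe's LoadXml line twice under XML External Entity Injection, once per source, and the two findings may carry different priorities because the Likelihood component is computed per trace. Replacing the body with LoadProfileSafe removes both in one change, which is why it pays to group the FPR by sink line in Audit Workbench before estimating effort.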