Tuesday, January 7, 2014

Installing Maven Fortify Plugin

The Maven Fortify Plugin supports Maven 2.0.X, 2.2.X and 3.0.X versions. The Plugin provides functionality to translate, scan and upload using Fortify's Source Code Analyzer or SCA as it is commonly called.

The source code of the plug-in is available within the Samples folder of the Fortify installation as shown below.

Make sure you have Maven installed.

If the Maven Fortify Plugin has never been installed, run the Maven clean package and install commands as shown below:

Once the commands run, you should be able to see the jar successfully built.

At this point, you can browse the .m2 folder and see that the plugin has been installed in your local Maven repository.


Now that the plugin is installed, you can easily translate and scan all your Maven projects with Fortify.

A few other posts on Fortify can be found here:

Wednesday, August 21, 2013

Job Openings @ Cigital

Cigital currently has 29 different openings across different locations. We are actively recruiting for all of them, with critical needs in the Texas, London and Managing Consultant areas. You’ll find detailed descriptions for these on our website. Leave a comment here, and I can send you an email to get your resume.

Technical Manager - Santa Clara

Managing Consultant - Chicago, Dallas, London, New York, Santa Clara, Toronto

Sales Director - Houston

Associate Consultants - Bloomington, Boston, Dulles and New York

Interns - Bloomington, Boston, Dulles and New York

Security Consultants - Boston, Dulles, London, Minneapolis

Sr. Security Consultant - Dulles, London and Santa Clara


Tuesday, June 25, 2013

Beware: Yahoo Signin Alert

I received the following email at my Yahoo account. Having seen these kinds of emails quite a lot, I immediately knew it was an email someone was sending to compromise my account. Glad it helps when you are working for a company like "Cigital".

Beware of the email, which looks like this:

Make sure you don't click on the link, or log in to your account using the link provided there.

Thursday, May 9, 2013

Fortify – [error]: Build ID doesn’t exist.

[error]: Build ID doesn’t exist.Error invoking sourceanalyzer. Exit code: 1.

This was the strange error we kept seeing today on the Jenkins server when using Fortify to scan projects. All the jobs which had been running successfully failed miserably.

Even having the source code for the Maven plug-in didn’t help much. I spent a few hours trying various things, and at one point I decided to just run the translate command. The translate ran fine, which made me wonder what was going on. Fortify kept complaining that the Build ID doesn’t exist, yet translate also requires a Build ID, which made me suspect something else was going wrong. When I ran just the translate and looked at the log file it generates, the culprit was hidden there: “No space left on device”. See the screenshot below:

Fortify was configured to use the default working directory and project root. The disk was full, and translate didn’t throw an exception; the stack trace was hidden in the log file. Once the default working folder was changed, all jobs started running successfully.

There are basically two options available:

1. Change the values to a mount which has more space:

   com.fortify.WorkingDirectory=/your/tmp/dir/fortify
   com.fortify.sca.ProjectRoot=/your/tmp/dir/fortify

2. Use the Jenkins workspace folder, so you can clear the workspace at regular intervals:

   com.fortify.WorkingDirectory=.yourjenkinsworkspace
   com.fortify.sca.ProjectRoot=.yourjenkinsworkspace
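One way to catch this before it bites again, as an added example that is not part of the original post and not Fortify's own tooling: a small pre-flight script for the Jenkins job that reads the two properties above from the SCA properties file and refuses to launch sourceanalyzer when the filesystem behind either directory is nearly full, so a full disk fails loudly instead of surfacing as a misleading Build ID error. The properties file name, the 1 GB default threshold and the sample file contents are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight free-space check for the
# Fortify working directory and project root before running sourceanalyzer.
# The properties file layout, the threshold and the sample file are assumptions.
set -u

# Print the value of key $2 from Java-style properties file $1 (nothing if absent).
read_property() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | tr -d '\r'
}

# Free kilobytes on the filesystem holding directory $1 (POSIX df output).
free_kb() {
    df -Pk "$1" | awk 'NR == 2 { print $4 }'
}

# Succeed only when directory $1 exists and has at least $2 KB free.
check_space() {
    dir=$1; min_kb=$2
    if [ ! -d "$dir" ]; then
        echo "missing directory: $dir" >&2
        return 1
    fi
    avail=$(free_kb "$dir")
    if [ "$avail" -lt "$min_kb" ]; then
        echo "only ${avail} KB free under $dir (need ${min_kb} KB)" >&2
        return 1
    fi
    return 0
}

# Check both Fortify directories named in properties file $1; $2 is the
# minimum free space in KB (assumed default: 1 GB). Non-zero means "do not scan".
preflight() {
    props=$1; min_kb=${2:-1048576}
    status=0
    for key in com.fortify.WorkingDirectory com.fortify.sca.ProjectRoot; do
        dir=$(read_property "$props" "$key")
        if [ -z "$dir" ]; then
            echo "$key not set in $props" >&2
            status=1
            continue
        fi
        check_space "$dir" "$min_kb" || status=1
    done
    return $status
}

# Constructed sample properties file so the script can be exercised stand-alone.
SAMPLE_PROPS=$(mktemp)
cat > "$SAMPLE_PROPS" <<EOF
# fortify-sca.properties (constructed sample)
com.fortify.WorkingDirectory=/tmp
com.fortify.sca.ProjectRoot=/tmp
EOF

# Usage in a Jenkins job: preflight /path/to/fortify-sca.properties || exit 1
```

Run preflight as the first build step and let its non-zero exit fail the job; the message it writes names the directory and the shortfall, which is exactly what the sourceanalyzer log buried.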

Wednesday, May 8, 2013

Maven Fortify Plugin - Getting Help

Developers and security analysts often have trouble getting the Fortify Maven plugin up and running. Even when the basic translate and scan commands work, I have seen them struggle to understand the various options available to configure how the projects get scanned.

Adding the Fortify Maven plugin is as simple as adding the following lines to your POM file. This is optional: in many cases, if you specify the full path, you don't even have to add the following lines to all your POMs.

If you don't have the source for the plugin and you want to find out which configuration options can be specified for it, use the mvn help:describe command. To see the options for the maven-sca-plugin shown above, use the following command:
mvn help:describe -DgroupId=com.fortify.ps.maven.plugin -DartifactId=maven-sca-plugin -Dversion=3.50 -Ddetail=true -Doutput=mvn-help.txt

The text file will contain all the detailed information available for the goals.

To get help information for a specific MOJO or Maven goal, use the following command:
mvn help:describe -DgroupId=com.fortify.ps.maven.plugin -DartifactId=maven-sca-plugin -Dversion=3.50 -Ddetail=true -Dgoal=scan -Doutput=mvn-help-scan.txt
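Putting the steps from the "Installing Maven Fortify Plugin" post and the help:describe commands above together, here is an added shell script (not from the original posts and not Fortify's own tooling) that builds the plugin from the samples folder when it is not already in the local repository, verifies the installed jar by computing its repository path from the plugin coordinates on the page, and writes one help file per goal. The samples path, the M2_REPO override and the goal names translate and upload are assumptions; only scan appears as a goal name on the page.

```shell
#!/bin/sh
# Added example (not from the original posts): install the Maven Fortify plugin
# from the SCA samples folder if missing, verify it in the local repository, and
# dump help:describe output per goal. Samples path, M2_REPO and the goal names
# translate/upload are assumptions.
set -u

PLUGIN_GROUP="com.fortify.ps.maven.plugin"
PLUGIN_ARTIFACT="maven-sca-plugin"
PLUGIN_VERSION="3.50"
# Assumed location of the plugin source inside the Fortify installation.
PLUGIN_SRC="${FORTIFY_HOME:-/opt/fortify}/Samples/maven-sca-plugin"

# Path Maven uses for an installed artifact: dots in the groupId become directories.
# $1 = groupId, $2 = artifactId, $3 = version; M2_REPO (assumed) overrides ~/.m2.
local_repo_jar() {
    group_path=$(printf '%s' "$1" | tr '.' '/')
    printf '%s/repository/%s/%s/%s/%s-%s.jar\n' \
        "${M2_REPO:-$HOME/.m2}" "$group_path" "$2" "$3" "$2" "$3"
}

# True when the jar for the given coordinates exists in the local repository.
plugin_installed() {
    [ -f "$(local_repo_jar "$1" "$2" "$3")" ]
}

# Build and install the plugin only when it is not already in the repository.
install_plugin() {
    if plugin_installed "$PLUGIN_GROUP" "$PLUGIN_ARTIFACT" "$PLUGIN_VERSION"; then
        echo "plugin already installed at $(local_repo_jar "$PLUGIN_GROUP" "$PLUGIN_ARTIFACT" "$PLUGIN_VERSION")"
        return 0
    fi
    (cd "$PLUGIN_SRC" && mvn clean package && mvn install)
}

# Write the detailed description of goal $1 to mvn-help-<goal>.txt.
describe_goal() {
    mvn help:describe \
        -DgroupId="$PLUGIN_GROUP" -DartifactId="$PLUGIN_ARTIFACT" \
        -Dversion="$PLUGIN_VERSION" -Ddetail=true \
        -Dgoal="$1" -Doutput="mvn-help-$1.txt"
}

# One help file per goal; only "scan" is named on the page, the others are assumed.
describe_all_goals() {
    for goal in translate scan upload; do
        describe_goal "$goal"
    done
}

# Usage: install_plugin && describe_all_goals
```

Checking the jar path first keeps the script idempotent across Jenkins runs, and writing one file per goal makes it easy to diff the option list when the plugin version changes.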

Wednesday, April 3, 2013

jmap & Windows7

In spite of using Java for several decades now, I had never used jmap. jmap is a JDK tool used for dumping the heap memory details of a process. jmap worked with no problems at all on the Ubuntu machine which had OpenJDK installed.

However, as soon as I tried using the same commands on my Windows 7 machine, the command just didn't do anything. I searched online and found no references on why it doesn't work the way it is supposed to on Windows. I didn't spend too much time finding the root cause either; the workaround is sufficient for me. :)

So, let's see how to get jmap working on Windows.

Step 1:
Open a command window and start any Java program you have. Make sure it runs for a while so you can use this process ID to get the heap dump.

Step 2:
Run the jps command to get the process IDs. jps is the Java Virtual Machine Process Status Tool.

Step 3:
Now that you have the process IDs for the applications running, start the jmap command in another command prompt. This is where things get interesting.

jmap should have worked here, since it is in the path. However, it doesn't dump the heap and keeps displaying the usage instructions.
I tried several options; none seemed to work.

Step 4:
At this point, I decided to run the jmap command from the bin folder of the JDK to see if anything changed.

And like a charm, jmap dumped the contents of the heap.

Step 5:
Once you have the contents of the heap, use jhat, the Java Heap Analysis Tool, to view and browse through the heap dump file.
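The five steps as one script, added here as an example rather than taken from the original post: it calls jps, jmap and jhat through an explicit JDK bin directory (the workaround the post arrived at) and selects the PID by main-class name, so the dump can be scripted instead of read off the screen. The JAVA_HOME fallback, the main-class name and the sample jps output are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): jps -> jmap -> jhat as a script.
# Every tool is invoked through an explicit JDK bin directory, which is the
# workaround the post settled on. The JAVA_HOME fallback, the main-class name
# and the sample jps output are assumptions.
set -u

JDK_BIN="${JAVA_HOME:-/usr/lib/jvm/default-java}/bin"

# Print the PID whose fully-qualified main class equals $1, reading "jps -l"
# output ("<pid> <main class>" per line) from stdin. Prints nothing if absent.
pid_for_class() {
    awk -v cls="$1" '$2 == cls { print $1; exit }'
}

# Dump the heap of the JVM running main class $1 to hprof file $2.
dump_heap() {
    if [ ! -x "$JDK_BIN/jmap" ]; then
        echo "jmap not found under $JDK_BIN; set JAVA_HOME to the JDK root" >&2
        return 1
    fi
    pid=$("$JDK_BIN/jps" -l | pid_for_class "$1")
    if [ -z "$pid" ]; then
        echo "no running JVM with main class $1" >&2
        return 1
    fi
    "$JDK_BIN/jmap" -dump:format=b,file="$2" "$pid"
}

# Serve the dump for browsing; jhat listens on port 7000 by default.
browse_heap() {
    "$JDK_BIN/jhat" "$1"
}

# Constructed "jps -l" output for checking the PID lookup without a live JVM.
SAMPLE_JPS='1234 sun.tools.jps.Jps
5678 com.example.LongRunningApp
9012 org.apache.catalina.startup.Bootstrap'

# Usage with a running JVM:
#   dump_heap com.example.LongRunningApp heap.hprof && browse_heap heap.hprof
```

Using the absolute path under JAVA_HOME sidesteps whichever jmap the PATH lookup was finding on the Windows box; the same script works unchanged from a Git Bash or Cygwin prompt.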

Below are links for the various JDK Tools:

1. jmap
2. jps
3. jhat

Saturday, February 2, 2013

SONAR Ant Task

I am using Sonar for code analysis. While writing some custom Ant build scripts for SONAR (there is an Ant task now), I kept seeing the following error message. I had followed the steps listed in the Sonar documentation here:
http://docs.codehaus.org/display/SONAR/Analyzing+with+Sonar+Ant+Task

The build file I created was as such:

However, every time I ran the task I kept getting the following exception:

A small change in the build file, and the analysis ran like a charm:

Monday, November 19, 2012

Sonar OWASP Plug-in

I have done several demos to clients on Sonar. Last week, I did a Brown Bag @ Cigital on Sonar. As I was preparing the Virtual Machine which I created for Sonar, I noticed the OWASP Plug-in. I downloaded the trial version and ran analysis on a few projects.

As I was doing the demo, several of our Consultants @ Cigital had tons of questions about how this plug-in worked. Remember, Cigital helps companies improve the security of our clients' most reliable applications. :)

I promised to look in detail within this plug-in to see what engine was running behind the scenes, how they mapped the OWASP Top 10 vulnerabilities and so on.

Over the last 5 years, I have used several tools for running scans on various languages. I have used tools like Coverity, IBM's AppScan Source Edition, and HP's Fortify. I was under the impression that this plug-in was built with a powerful engine comparable to the tools I mentioned. I was really disappointed to see that it doesn't have any engine to find security vulnerabilities. The plug-in just maps rules from FindBugs, PMD and CheckStyle to the OWASP Top 10 rules. It has an XML file and you can map the rules within this file.

It gives you a false sense of security when you see the OWASP Factor Risk. The sample project I scanned using this plug-in has all the OWASP Top 10 vulnerabilities like Cross-Site Scripting, SQL Injection, Command Injection and many more, and this plug-in wasn't able to find any of them. It is just a mapping of a few FindBugs, PMD and CheckStyle rules.

The idea behind this plug-in is really great. However, if the engine behind the scenes can be improved, or if the plug-in can parse results from one of the SCR tools like Coverity, IBM's AppScan Source Edition, and HP's Fortify, then there is real value to the plug-in.

You can find more details about Sonar and the OWASP Plug-in at the links provided below:

Sunday, November 18, 2012

Deleting a project from Sonar

I have been using Sonar for several years now. However, I never deleted any project. So, when one of my colleagues asked me how to delete a project from Sonar, I had to spend a few minutes looking for the same.

It is quite easy to delete a project from Sonar. Listed below are the steps to delete a project.

1. Log in to Sonar as an Administrator.

2. Next, click on the project you want to delete.

3. Click on the "Project Deletion" link on the left hand side. Highlighted in red in the above image.

4. Click on the "Delete Project" button. The operation cannot be undone.

Monday, September 24, 2012

Packt Publishing Publishes 1000 Titles

I have read and reviewed several books from Packt Publishing. I read several books, and reading books from various publishers definitely brings variety.

Packt would like you to join them in celebrating this milestone with a surprise gift. Revisit Packt’s website between the 28th and 30th of September to redeem your gift, or sign up for an account with us now to receive a notification email.

Packt supports many of the Open Source projects covered by its books through a project royalty donation, which has contributed over $400,000 to Open Source projects. As part of the 1000th book celebration Packt is allocating $30,000 to share between projects and authors.

If you are interested in reading books, go ahead and sign up to get a surprise gift. It may be a book which you always wanted to read.

Check out all the details from Packt at their website: http://www.packtpub.com/

Wednesday, August 29, 2012

FindBugs Custom Detector - Build Failure - com.sun.tools.javac.code.Symbol$CompletionFailure

I was working today on a plug-in for FindBugs, writing CustomDetectors for finding some security vulnerabilities. I was able to compile the project and create the plug-in in Eclipse IDE. However, when I started working on creating a basic Ant build file, the compile target failed miserably. The error I was seeing in the Eclipse IDE was:

Buildfile: C:\Users\msubbarao\workspace\FindBugs_Cigital_Plugin\build.xml
clean:
init:
compile:
    [javac] C:\Users\msubbarao\workspace\FindBugs_Cigital_Plugin\build.xml:32: warning: 'includeantruntime' was not set, defaulting to build.sysclasspath=last; set to false for repeatable builds
    [javac] Compiling 8 source files to C:\Users\msubbarao\workspace\FindBugs_Cigital_Plugin\bin
    [javac] An exception has occurred in the compiler (1.6.0_24). Please file a bug at the Java Developer Connection (http://java.sun.com/webapps/bugreport)  after checking the Bug Parade for duplicates. Include your program and the following diagnostic in your report.  Thank you.
    [javac] com.sun.tools.javac.code.Symbol$CompletionFailure: class file for javax.annotation.meta.When not found

BUILD FAILED
C:\Users\msubbarao\workspace\FindBugs_Cigital_Plugin\build.xml:32: Compile failed; see the compiler error output for details.

Total time: 1 second

After a quick search on the web and adding jsr305.jar to the classpath, the compilation error was gone:

Buildfile: C:\Users\msubbarao\workspace\FindBugs_Cigital_Plugin\build.xml
clean:
init:
compile:
    [javac] C:\Users\msubbarao\workspace\FindBugs_Cigital_Plugin\build.xml:32: warning: 'includeantruntime' was not set, defaulting to build.sysclasspath=last; set to false for repeatable builds
    [javac] Compiling 8 source files to C:\Users\msubbarao\workspace\FindBugs_Cigital_Plugin\bin
jar:
      [jar] Building jar: C:\Users\msubbarao\workspace\FindBugs_Cigital_Plugin\FindBugs_Cigital_Plugin.jar
     [copy] Copying 1 file to C:\dev\eclipse\plugins\edu.umd.cs.findbugs.plugin.eclipse_2.0.1.20120712\plugin
BUILD SUCCESSFUL
Total time: 1 second
For more details on FindBugs, visit the FindBugs site.

Stay tuned for detailed posts on how to write CustomDetectors for FindBugs.