HP Fortify BIRTReportGenerator Get New Issues Only - fortify

I'm trying to get a report with only the newest issues since the last scan, from the command line. For example:
Scan 1: 5 issues
Scan 2: 8 issues
What I want: A report showing only the latest 3 issues
Here's my command so far:
.\BIRTReportGenerator.cmd -format "XLS" `
-template "DISA STIG" `
--Version "DISA STIG 4.3" `
-source "C:\fortify\fortifyScan.fpr" `
-output "C:\fortify\fortifyReport.xls"

If you merge your new scan into the same FPR (either by scanning with -f set to an existing FPR with the older results, or by using FPRUtility), you can filter issues which are newly introduced to this scan by using a search string:
[issue age]:new
To use that with BIRTReportGenerator, add the switch -searchQuery and then your search, e.g.:
BIRTReportGenerator -format XLS -template "DISA STIG" \
--Version "DISA STIG 4.3" -source your.fpr \
-output report.xls -searchQuery "[issue age]:new"

Related

Automate profiling for iOS using Xcode 12 xctrace command line tools

I am trying to automate performance testing using Xcode 12 Instruments developer tool and need some help.
I want to parse the .trace file into a readable format and print leaks/CPU usage on the console. I am using the xctrace command lines below to automate Leaks/Time Profiler with the Xcode 12 Instruments tool:
xcrun xctrace record --device "udid" --template "Leaks" --time-limit 10m --attach "PID" --output "xyz.trace"
xcrun xctrace export --input "xyz.trace" toc --output "xyz.xml"
It would be really great if someone could help.
Trace file for reference: https://gofile.io/d/EpvOXa
I am not sure if I understood your problem correctly, but if I run your command, I receive an error message. The CLI tool gave me the following instructions:
usage: xctrace export [<options>] [--toc | --xpath expression]
description:
Export given .trace using supplied query to the XML file format that can be later read and post-processed
options:
--input <file> Export data from the given .trace file
--output <path> Command output is written to the given path, if specified
--toc Present entities to export in the table of contents form
--xpath <expression> Choose elements to export using specified XPath expression
notes:
If output path is not specified, the export operation output will be written to the standard output.
Table of Contents and XPath query are two separate modes and they cannot be specified together.
examples:
xctrace export --input input.trace --toc
xctrace export --input input.trace --toc --output table_of_contents.xml
xctrace export --input input.trace --xpath '/trace-toc/run[#number="1"]/data/table[#schema="my-table-schema"]'
According to this, the parameter toc is missing the two dashes. I hope that will fix it for you.

Replacement string not working in GNU parallel

I have the script run_md.py which produces the file test.dcd from the input file named test.pdb.
I want to execute the same command on multiple input files (test*.pdb) on a remote server using GNU parallel and transfer the result back to the local computer. Therefore, I'm using the following command:
parallel --trc {.}.dcd -j 2 -S $SERVER1 './run_md.py {} 1000' ::: test*.pdb
The command is running as expected on the server using 2 slots. However, the files are not transferred back and I get the following error:
rsync: link_stat "/home/bougui/{.}.dcd" failed: No such file or directory (2)
rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1655) [Receiver=3.1.1]
It looks like the replacement string is not working. How can I make it work?
Below is the output of parallel --version:
GNU parallel 20130922
Copyright (C) 2007,2008,2009,2010,2011,2012,2013 Ole Tange and Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
GNU parallel comes with no warranty.
Web site: http://www.gnu.org/software/parallel
When using GNU Parallel for a publication please cite:
O. Tange (2011): GNU Parallel - The Command-Line Power Tool,
;login: The USENIX Magazine, February 2011:42-47.
What you are doing is 100% correct. So something on your system is breaking this. Please try this on another system and if possible follow REPORTING BUGS from man parallel.
The bug reported in that thread has been fixed and this feature works well with the latest version of GNU parallel (20160622). The GNU parallel version 20130922 packaged with Debian 8.5 is buggy for the usage of {.} string replacement, as described below:
With more test I found that the output file must be specified with a replacement string in the command run in parallel.
For testing purpose, you can find below a complete example that others can run:
echo This is input_file > input_file && parallel --trc {}.out -S $SERVER1 cat {} ">"{}.out ::: input_file
The example above works well. When I use the substitution string {.} as below:
echo This is input_file > input_file.in && parallel --trc {.}.out -S $SERVER1 cat {} ">"{.}.out ::: input_file
It works, as well. However, if I didn't specify {.}.out in the command run in parallel as below:
echo This is input_file > input_file.in && parallel --trc {.}.out -S $SERVER1 cat {} ">"input_file.out ::: input_file
... I reproduce the error:
rsync: link_stat "/home/bouvier/{.}.out" failed: No such file or directory (2)
rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1655) [Receiver=3.1.1]
rsync: [Receiver] write error: Broken pipe (32)
Therefore the output file must be specified in the command run in parallel.

Interpreting Fortify results file (.fpr) through command line

As part of automating the process of running secure code analysis, I have a Jenkins job which uses the sourceanalyzer command line tool to generate an .fpr results file. At the moment I'm opening this results file in Audit Workbench application to view the results and check if there's any newly introduced issues etc, and generating a report from there in PDF/XML format.
Does anyone know if it is possible to invoke Audit Workbench through the command line and generate a report on the issues, which we could then leverage through a Jenkins script and then mail the results? Looking online, the command line usage seems to stop at the FPR generation stage.
Thanks in advance!
There is a command-line utility to generate a report from the FPR file.
Currently there are two report generators: Legacy and BIRT. The BIRT report engine was introduced into Audit Workbench with version 4.40.
Here is an example using the BIRT Report engine to generate a DISA STIG report
BIRTReportGenerator -template "DISA STIG" -source HelloWorld_second.fpr
-output BirtReport.pdf -format PDF -showSuppressed --Version "DISA STIG 3.9"
-UseFortifyPriorityOrder
Using the legacy one is a little more involved. The command is:
ReportGenerator -format pdf -f LegacyReport.pdf -source HelloWorld_second.fpr
-template DisaStig3.10.xml -showSuppressed -showHidden
You can either use one of the predefined template reports located in the <SCA Install Dir>/Core/config/reports directory or generate one using the Report Wizard and saving the template which gets stored in the C:\Users\<USER>\AppData\Local\Fortify\config\AWB-XX.XX\reports\ directory in Windows.
On Linux/Mac look at the configuration file <SCA Install Dir>/Core/config/fortify.properties for the com.fortify.WorkingDirectory property, this is where the reports will be stored
@SBurris,
If you don't want to show Suppressed/Hidden is it just -hideSuppressed and -hideHidden?
Also, is there a way to add custom filters to not show things like "nones" from the STIG/SANS/OWASP like you can create in the AWB GUI?
Basically, I need a command(s) to merge two FPRs and then compare them based on what is found new on the scanned code vs. the old FPR.
Merge should be:
FPRUtility -merge -project <newest_scan.fpr> -source <previous_scan.fpr> -f <BUILDXX_MergedWith_BUILDXY.fpr>
The custom filter I need after the merge is:
"[OWASP Top 10 2013]:!<none> OR [SANS Top 25 2011]:!<none> OR [STIG 3.9]:!<none> AND [Detected On]:!/^/"
Where the Detected On field is a custom tag that I need to carry through from the previous FPR file into the newly merged one.
AND THEN output the report from that newly merged fpr in pdf and xml format to a location/filename I specify. Something along the lines of:
~AWB_Installation_Dir/bin/ReportGenerator -format pdf -f [BUILDXX_MergedWith_BUILDXY].pdf -source output.fpr
-template DisaStig3.10.xml -hideSuppressed -hideHidden
Obviously this can be a multitude of commands as long as we can get it back to Bamboo. Any help would be greatly appreciated. Thanks.
FPRUtility interprets the space-separated conditions in the -information -search -query ... parameter by applying the boolean AND operator. To obtain a union of 2 conditions A || B, I figured I could intersect negations of other conditions that complement the former: !C && !D (where A || B || C || D always holds true). I.e., to find all high and critical issues, I use
FORTIFY_ROOT\jre\bin\java -d64 -Xmx4096M -jar FORTIFY_ROOT\Core\lib\exe\fpr-utility-exe.jar -project APP_VER_DATE.fpr -information -search -query "[OWASP Top 10 2017]:A [fortify priority order]:!low [fortify priority order]:!medium" -categoryIssueCounts -listIssues > issues.txt
In case of an audit, I figured I needed the older report generation utility to include suppressed issues (and their comments),
sed -e 's/\(IssueListing limit=\)"[^"]\+"/\1"-1"/' -i "FORTIFY_ROOT/Core/config/reports/DeveloperWorkbook.xml"
cmd /c call ReportGenerator -template DeveloperWorkbookAll.xml -format pdf -source APP_VER_DATE.fpr -showSuppressed -f "APP_VER_DATE_with_suppressed.pdf"
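The merge-and-compare request in this thread and the question at the top of the page ("only the issues new since the last scan") are the same operation: Fortify merges FPRs by InstanceID, and "[issue age]:new" is the set of InstanceIDs present in the current scan but absent from the previous one. As an added example that is not code from the original answers or from Fortify, the Python script below does that comparison directly on two .fpr files, so a Jenkins or Bamboo job can produce the new/fixed lists without Audit Workbench. It assumes an .fpr is a zip archive containing audit.fvdl, and that each finding is a Vulnerability element with ClassInfo/Type, InstanceInfo/InstanceID and InstanceSeverity and a Primary trace Node marked isDefault="true" (element names taken from FVDL files I have seen; check them against your SCA version). The two scans are constructed in memory for the demo; the constructed data also shows why "8 issues minus 5 issues = 3 new" is not a safe shortcut when something was fixed in between.

```python
#!/usr/bin/env python3
"""List the issues that are new in a second Fortify scan by diffing two FPR files.

Assumptions (from FPR/FVDL files I have worked with; verify against yours):
  * an .fpr is a zip archive whose scan results live in the entry audit.fvdl;
  * each finding is a Vulnerability element carrying an InstanceInfo/InstanceID,
    the hash Fortify keeps stable for the same finding across scans, which is
    what FPR merging and the "[issue age]:new" filter key on;
  * the primary location is the isDefault="true" Node of the Primary trace.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

FVDL_NS = "xmlns://www.fortifysoftware.com/schema/fvdl"
NS = {"f": FVDL_NS}
PRIMARY_LOC = ("f:AnalysisInfo/f:Unified/f:Trace/f:Primary/f:Entry/"
               "f:Node[@isDefault='true']/f:SourceLocation")


def read_fvdl(fpr_bytes: bytes) -> ET.Element:
    """Open an FPR held in memory and parse its audit.fvdl entry."""
    with zipfile.ZipFile(io.BytesIO(fpr_bytes)) as zf:
        return ET.fromstring(zf.read("audit.fvdl"))


def issues_by_instance(root: ET.Element) -> dict:
    """Map InstanceID -> summary of every Vulnerability in the parsed FVDL."""
    result = {}
    for vuln in root.iterfind(".//f:Vulnerability", NS):
        iid = vuln.findtext("f:InstanceInfo/f:InstanceID", namespaces=NS)
        if not iid:
            continue  # nothing stable to key on; skip rather than mis-merge
        loc = vuln.find(PRIMARY_LOC, NS)
        result[iid] = {
            "type": vuln.findtext("f:ClassInfo/f:Type", default="?", namespaces=NS),
            "kingdom": vuln.findtext("f:ClassInfo/f:Kingdom", default="?", namespaces=NS),
            "severity": float(vuln.findtext("f:InstanceInfo/f:InstanceSeverity",
                                            default="0", namespaces=NS)),
            "path": loc.get("path", "?") if loc is not None else "?",
            "line": loc.get("line", "?") if loc is not None else "?",
        }
    return result


def diff_scans(old_fpr: bytes, new_fpr: bytes):
    """Return (introduced, fixed): findings only in the new scan / only in the old one."""
    old = issues_by_instance(read_fvdl(old_fpr))
    new = issues_by_instance(read_fvdl(new_fpr))
    introduced = [dict(id=i, **new[i]) for i in new.keys() - old.keys()]
    fixed = [dict(id=i, **old[i]) for i in old.keys() - new.keys()]
    order = lambda d: (-d["severity"], d["path"], d["type"])  # worst first
    return sorted(introduced, key=order), sorted(fixed, key=order)


def make_fpr(findings) -> bytes:
    """Build a minimal FPR (zip with audit.fvdl). CONSTRUCTED test data, not a real scan."""
    vulns = "".join(
        f'<Vulnerability><ClassInfo><Kingdom>{kingdom}</Kingdom><Type>{vtype}</Type></ClassInfo>'
        f'<InstanceInfo><InstanceID>{iid}</InstanceID><InstanceSeverity>{sev}</InstanceSeverity></InstanceInfo>'
        f'<AnalysisInfo><Unified><Trace><Primary><Entry><Node isDefault="true">'
        f'<SourceLocation path="{path}" line="{line}"/></Node></Entry></Primary></Trace></Unified></AnalysisInfo>'
        '</Vulnerability>'
        for iid, kingdom, vtype, sev, path, line in findings)
    fvdl = f'<FVDL xmlns="{FVDL_NS}"><Vulnerabilities>{vulns}</Vulnerabilities></FVDL>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("audit.fvdl", fvdl)
    return buf.getvalue()


# Constructed scans: scan 1 has 5 findings, scan 2 has 8 (4 carried over, I05 fixed, 4 new).
IVR = "Input Validation and Representation"
OLD_FINDINGS = [
    ("I01", IVR, "SQL Injection", 4.0, "src/db.py", 42),
    ("I02", IVR, "Cross-Site Scripting: Reflected", 4.0, "src/views.py", 17),
    ("I03", "Security Features", "Password Management: Hardcoded Password", 3.0, "src/config.py", 3),
    ("I04", "Encapsulation", "System Information Leak", 2.0, "src/app.py", 88),
    ("I05", "Errors", "Poor Error Handling: Empty Catch Block", 1.0, "src/util.py", 120),
]
NEW_FINDINGS = OLD_FINDINGS[:4] + [
    ("I06", IVR, "Command Injection", 5.0, "src/run.py", 9),
    ("I07", "Security Features", "Weak Cryptographic Hash", 3.0, "src/auth.py", 55),
    ("I08", IVR, "Path Manipulation", 4.0, "src/files.py", 30),
    ("I09", "Code Quality", "Unreleased Resource: Streams", 2.0, "src/io.py", 14),
]
SCAN1 = make_fpr(OLD_FINDINGS)
SCAN2 = make_fpr(NEW_FINDINGS)

if __name__ == "__main__":
    introduced, fixed = diff_scans(SCAN1, SCAN2)
    print(f"{len(introduced)} new, {len(fixed)} fixed "
          f"(totals went {len(OLD_FINDINGS)} -> {len(NEW_FINDINGS)})")
    for f in introduced:
        print(f"  NEW   {f['severity']:.1f}  {f['type']:<40} {f['path']}:{f['line']}")
    for f in fixed:
        print(f"  FIXED {f['severity']:.1f}  {f['type']:<40} {f['path']}:{f['line']}")
```

To run it against real scans, replace the two make_fpr(...) calls with open("previous.fpr", "rb").read() and open("current.fpr", "rb").read(). The diff is keyed on InstanceID only, so an issue whose InstanceID changes (for example because the surrounding function was renamed or the rule pack changed) will show up as one fixed and one new rather than as carried over, which is the same behaviour you get from an FPRUtility merge; treat the "fixed" list as "no longer matched", not as proof of a fix.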

HP fortify scan in Ios getting error

Hi, I am trying to generate a report but I am getting the warning below and no report is generated. Could you please help me out?
[warning]: NST file: /Users/xxxx/.fortify/sca6.2/build/yyyyy/Classes/AFNetworking/AFHTTPClient.m.nst does not exist or removed.
I am using the steps below for scanning the code. I get the warning in the third step (the scan); steps 1 and 2 work for me.
sourceanalyzer-4.21 -b ${project} -clean
sourceanalyzer-4.21 -Xmx3G -debug -b ${project} -logfile ${project}-trans.log xcodebuild -project ${project}.xcodeproj -sdk iphonesimulator7.1
sourceanalyzer-4.21 -Xmx3G -b ${project} -scan -f ${project}.fpr
ReportGenerator -format pdf -f ${project}.pdf -source ${project}.fpr
Fortify generates NST files during compilation (the translation step); the scan step combines these NST files into one FPR file.
If the NST files are not generated, you will not get a usable FPR.
sourceanalyzer-4.21 -Xmx3G -debug -b ${project} -logfile ${project}-trans.log xcodebuild -project ${project}.xcodeproj -sdk iphonesimulator
If you want to use iphoneos sdk, you must make sure that "i386" is listed in the Valid Architectures setting.

oclint: oclint-json-compilation-database returns "Skipping [Path] Command line not found."

After (seemingly) successfully generating compile_commands.json with oclint-xcodebuild, oclint-json-compilation-database fails to correctly create a pmd-style report.
The command looks like this:
oclint-json-compilation-database -e Pods -v -- -report-type=pmd -o=oclint.xml -debug
It returns:
Skipping [Path to Directory with compile_commands.json]. Command line not found.
I'm using oclint 0.7.
Use the latest dev release, 0.8 or 0.9.
For me it corrected the bug.
Seen in Sonar Plugin for Objective C, Prerequisites, point 4.
Your command needs to be changed. No "=" required. It should look like this:
oclint-json-compilation-database -e Pods -v -- -report-type pmd -o oclint.xml -debug
