Fortify and third-party libraries - fortify

I am trying to understand why, in the new version of Fortify SCA 17.10, the scan defaults to excluding third-party libraries. I found this article, and it seems that for any open source library you use, it would be in your best interest to get these issues fixed by pull request. I noticed some of the findings I get from a Fortify scan are typically false positives; is this why Fortify now excludes third-party libraries? Is there a legitimate reason for this?

I guess this is because you, as the owner of the code, cannot really fix an issue in a third-party library. The only thing you can do is suppress the issue. This can even be true in the case of dependencies maintained by another team of the same company.
So I try to manage this as an opportunity to make the auditing process simpler by using these settings.

Related

How to create a dependency in Atmel Studio 7.0?

I need to #include a file called ClearCore.h, but it refuses to show up as a dependency.
https://i.stack.imgur.com/1kTvS.jpg
https://i.stack.imgur.com/dn6XT.jpg
As you can see, the file is in the library and most other files are listed as dependencies, but this one refuses to, despite being #included.
Here is the error message from compilation.
https://i.stack.imgur.com/tM2wk.jpg
I am an applications engineer at Teknic and I saw your post and wanted to offer a few points to help you get your code running.
It sounds like you are having trouble adding the ClearCore library as a dependency. As this is more a function of Atmel Studio, there could be several reasons why we are running into issues here.
The easiest way to troubleshoot this would be to use one of Teknic’s already linked and ready to run example projects (we include these examples in addition to the ClearCore libraries). You can use the provided example projects as a template to sort out whatever may be causing the dependency issues.
You can find these examples here: https://teknic-inc.github.io/ClearCore-library/SdkExamples.html
Keep in mind that if you move the example projects into other directories, some of the relative file path definitions may be broken.
If you have any questions about the example projects, please feel free to give us a call at 585-784-7454, or use our "Contact Us" form online at https://www.teknic.com/contact/.
Best regards,
Mark D. – Teknic Servo Systems Engineer

Firebase-Unity Project: Exporting for iOS on Windows 10. Workaround?

I recently added Firebase Storage and Authentication to my Unity project. I work on Windows, have a single Unity Pro License, and want to export my app for iOS, as I have done many times before in this dev process.
However, since the addition of Firebase, I'm told I apparently can't export my Firebase-Enabled Unity project for iOS without swapping Unity to an OSX device (which I don't have in comparable quality).
I've noticed a single thread here where a supposed workaround was discussed, but can't seem to pull it off myself:
"The plugin that comes with firebase depends on cocoapods to handle transient dependencies. If you look at the Assets -> PlayServicesResolver -> IOSResolver -> Settings you can configure it to generate the podfile but not do the remaining steps." - from user johnb003, March 18th 2017.
I can't seem to find the configuration settings described here. I scoured the forums/communities for solutions, but found no results elsewhere.
So, that said, does any other Firebase user have a workaround for this issue? I adore the collection Google has put together with their product, but I can't really afford to invest in another Unity Pro License just for the sake of working off of my sub-standard MacBook. Thoughts?
It looks like there's a Google GitHub project, Unity JAR Resolver, describing how the Unity Play Services Resolver works for each target platform.
The documentation is pretty extensive, and solutions are use-case specific, so I can't give you much help on specific podfile settings, but hopefully you can sift through it yourself.

SonarQube Analysis for Erlang

I am trying to run Sonar analysis for Erlang. I have downloaded the plug-ins, and with 60+ rules it is able to tell me which part of the source code is not compliant.
However, I cannot get the SQALE rating to work correctly, in particular, the technical debt always shows 0.0 days. How do I configure this?
It is not configurable; basically, the plug-in does not support this SQALE feature. In fact, the most recent version of SonarQube does not use SQALE anymore.

Dependency management for COMPILED static libraries?

I'm aware of CocoaPods. However, this isn't very useful for commercial use because we don't want to deliver source code.
We want to be able to deliver compiled libraries, but use them in our own (and client) projects, just like with CocoaPods, and just like Maven does with JAR files and the like.
Is there anything which provides this (or similar) functionality? It seems very shortsighted of Apple not to include anything like this, or the ability to support anything like this, within Xcode.
Thanks

Is there a list of classes, methods and API which will trigger RIMAPPSA2 permission when signing Blackberry application?

I understand why the RIMAPPSA2 permission is thrown when signing a BlackBerry application. However, I don't know which classes, functions and/or APIs require such permission.
Is there any way to find out (or better, documentation listing that information)?
Regards,
The RIMAPPSA2 permission is required when dealing with BlackBerry Controlled APIs. In this particular case, I was defining new classes and redefining existing classes in one of the packages that is part of the BlackBerry Controlled APIs.
Moving my classes to a package not controlled by the BlackBerry Controlled APIs solved the issue.
I have just solved a similar problem for myself, as per my answer on "BlackBerry RIMAPPSA2 signing key required — why?". I have updated this answer to help in case of future searches on similar words...
This might be due to a bug in Eclipse or RIM. You might not be using the RIMAPPSA2 classes.
OK, so it's hard to believe, but this page might fix the problem for some:
Frustrations with Blackberry Developer plugins for Eclipse
Basically it's a bug, and by changing the Application Descriptor, saving, then removing and re-adding the JAR file, the problem is fixed.
Follow-up #1 - might not work:
The above solution enabled me to build and sign the app. Unfortunately, the app won't run on the phone: "Module 'MyApp' attempts to access a secure API."
Follow-up #2 - this worked for me:
I documented a full solution that worked for me here:
BlackBerry - use own JAR file in own project
In my case, I was importing my own JAR file, and I needed to set that project's build type to MIDLET. Setting it to LIBRARY or APPLICATION caused problems.