I need to check vulnerabilities (if any) in the third party libraries that are being used in my project using Fortify.
For a few third party libraries, I am not able to access their source files. I only have the shipped .jar files.
Is it possible to run Fortify on .jar files instead ? All I could find in most of the documentations was that Fortify can be run on .java files, something like this:
sourceanalyzer -b MyProject -cp "lib/.jar" "src/*/*.java"
You can do one better than LaJmOn's suggestion and actually crack open the jars automatically.
for example:
sourceanalyzer -b apple -source 1.6 -Dcom.fortify.sca.fileextensions.jar=ARCHIVE /System/Library/Frameworks/JavaVM.framework/Home/lib/ext/apple_provider.jar
You can force SCA to scan the class files using the following command:
sourceanalyzer -b MyProject -source "1.6" -cp "{source_path}/**/*.jar" -scan -f MyProject.fpr -Dcom.fortify.sca.fileextensions.class=BYTECODE -Dcom.fortify.sca.DefaultFileTypes=class "{source_path}/**/*.class"
If I remember correctly, you need to explode the JAR files containing the class files you want to scan into {source_path}.
The results will be less than spectacular compared to a Java source scan, but you should get some results.
Related
All usage guides show how to run native-image on a single JAR file. But I believe most projects usually use multiple JARs on classpath (e.g. Gradle default way). How to tell native-image to bundle all of them into one executable?
You can specify the class path to use for building the executable:
-cp, -classpath, --class-path <class search path of directories and zip/jar files>: a separated list of directories, JAR archives, and ZIP archives to search for class files.
Here's more docs about various options to the native-image utility: https://www.graalvm.org/reference-manual/native-image/Options/
All in all it should native-image -cp this.jar:that.jar -jar myjar.jar
I created a project in CppCheck named CppCheck_MainRls.cppcheck
that includes several directories, i can run the project from the gui and it's working.
my project is huge so i only need a few directories to pass through CppCheck and export the result into xml file (later to be read by jenkins)
The current command line is:
"C:\Program Files (x86)\Cppcheck\CppCheck.exe" --enable=all --xml-version=2 "C:\Program Files (x86)\Jenkins\jobs\MainRls\workspace\Labs\VC++\AllShared" 2> cppcheck_result.xml
which is working great for the "AllShared" directory, how can i change it to read my project file?
I am a cppcheck developer. Currently, you can't use a gui project file directly in the shell client. However it is a good idea to allow it.
As of April 2020 (cppcheck v1.90), this is supported per the cppcheck manual (PDF) section 3.1:
3.1 Cppcheck GUI project
You can import and use Cppcheck GUI project files in the command line tool:
cppcheck --project=foobar.cppcheck
With Dart's "pub" tool and its "deploy" command, you can create a deployable version of your Dart web application. The output is written to the "deploy" directory. I want to know if there's a way to specify a different output directory?
I searched the internet for a command-line option, but found no mention of it. Running "pub help deploy" shows no options for the deploy command.
If "pub deploy" has no output directory option, I want to find the pub.dart source code. I'll create a customized version that accepts an output directory option. Unfortunately, I can't find pub.dart in the SDK. I found the pub shell script. It calls pub.dart.snapshot, which is 100 thousand lines of unintelligible Dart bytecode. Is there a human readable pub.dart file? Is it in the SDK?
Your help is appreciated.
For now, this is not configurable. The source folder is always /web and the output folder is always /deploy.
The source is available at http://code.google.com/p/dart/source/browse/trunk/dart/sdk/lib/_internal/pub/lib/src/command/deploy.dart#33 .
A simple workaround is just to rename deploy once generated.
It seems to me that what I'm trying to achieve is incredibly simple, yet is becoming incredibly painful.
I have ProjectA which is a BlackBerry Application project. I have ProjectB which is a Java library project. I want to refer to ProjectB from ProjectA. I can add a reference but when I run ProjectA, it doesn't work. I have source code for both the projects and both are compiled using Java compiler 1.4
I have tried multiple things but everything fails for some reason:
1. pre-verify.exe on ProjectB
It fails with an error "JAR file creation failed with error -1" I can see that the cod and jar files have been created but when add the jar file to ProjectA and run it, it doesn't work. Not sure if I need to add the .cod file.
2. Create new BlackBerry Library Project and reference it in ProjectA
I create a new project ProjectC and then add the jar of ProjectB to it. Then I add a reference to ProjectC in ProjectA. But I cant import classes from ProjectB
Pls suggest a way out.
I'm using Eclipse Plug-in and relying on Eclipse's build capabilities
Figured out answer myself. Publishing here in case someone stumbles upon this. Here are the steps:
Create your library and export as JAR (or download the 3rd party JAR)
Run preverify.exe on the JAR
preverify.exe -verbose -classpath "C:/Program Files/Research In Motion/BlackBerry JDE 5.0.0/lib/net_rim_api.jar" jarname.jar
If you are lucky, you won't run into any issues and you will be done. But I wasn't lucky enough. I got the below error
Error: No such file or directory. JAR file creation failed with error -1
There are two possible causes of this:
jar.exe is not added to your PATH. If so, add it (found in your JAVA
installation directory) to PATH
cvfm or -cfm option on jar.exe fails to execute. I'm not aware of the reason but the way to fix this is to use -cf option, point to the .class files but don't use the manifest file. here is an
example:
"C:\Program Files\Java\jdk1.6.0_26\bin\jar.exe" -cf "output\json-1.0.jar" tmp12996/
tmp12996 contains the preverified .class files.
You may run into different issues other than the one I've listed above.
Once jar is created from above step, make sure that it's structure is as you anticipate. One way to check is to rename the .jar to .zip, unzip it and then check it. If it is not as you need, you can change the structure and then repack it (I wouldn't do any major changes though)
Then add this newly built jar to your BlackBerry application as a reference i.e. add to Java Build Path in your eclipse and Check it in Order and Export window.
That's it! You are good to go! Run you app!
You may face error indicating that the module contains verification errors when you try to run in the simulator. One possible cause of this issue is that your library (the original JAR) contains APIs that are not compatible with J2ME or BB JRE. You may not get a compiler error when you build your library independently as it is compiled against Java 1.4 (or whatever your version is). Best to figure the issue out is to move all your code into your BB App project and then build it. That will tell you all the issues upfront. You make the changes as required and then move the code back to the library. If you don't have source code for the library you are using (like a 3rd party library), you may be out of luck! Also remember that there could be other issues than what I've hit upon and solved.
I'm documenting this at length as it has taken an awful amount of time for me to figure all this out; and to say the least, was most frustrating!
I found another solution. If you get error -1 while preverifying your JAR file, just run your library application once. Because if you don't run the application, the deliverables folder will be empty. Make sure this folder is not empty.
I'm having some trouble figuring out how to install Ant on Cygwin. I want to use Ant to build Nutch. I've looked through a bunch of tutorials but I can't find anything that is low level enough for me to understand. I need something like...
Download ant, put it here
Open Cygwin
type "export ANT_HOME=..."
...
Can anyone help me out here?
Assuming you have a JDK already installed, you can do this:
$ export ANT_HOME=/cygdrive/c/apache-ant-1.7.1
which assumes you've unzipped Ant into C:\apache-ant-1.7.1. Then:
$ export PATH=$ANT_HOME/bin:$PATH
$ ant -version
Apache Ant version 1.7.1 compiled on June 27 2008
In Windows, add the path to your ant /bin directory to the Path system variable. This can easily be done by right clicking on Computer > Properties > Advanced System Settings > Environment Variables, click on Path in the System Variables, click on Edit and add ; followed by the path to your ant bin directory to the end of the Variable value.
Start or restart Cygwin.
Type ant -version The version should be displayed.
Here's a step-by-step guide:
simply download and unzip ANT binaries say into c:\apache-ant-1.8.1
download and unzip NUTCH sources say into: c:\apache-nutch-1.2
open the command prompt and run the following:
cd c:\apache-nutch-1.2
c:\apache-ant-1.8.1\bin\ant
the same would work from the Bash shell, just use Cygwin-style paths:
cd /cygdrive/c/apache-nutch-1.2
./cygdrive/c/apache-ant-1.8.1/bin/ant
That's it, you will find a new directory build containing the output.
For convenience, you might want to add the Ant bin directory to the PATH environment variable so that you don't have to give the full path each time, but that's optional.
BTW I just did those exact steps, and all went fine.
Finally, follow this tutorial to get started.