The document provides an overview of Fortify Source Code Analyzer (SCA). It discusses the different analysis phases SCA performs including translation, analysis, and verification. It also describes the various types of analyzers that SCA uses like data flow, control flow, semantic, and structural analyzers. Finally, it outlines the typical commands used to clean, translate, and scan source code with SCA and run an analysis.
In deploying apps that have been containerized, you have a lot to think about regarding what to use in production. There are a lot of things to manage, so orchestrators become a huge help. providing many services together such as scheduling, container communication, scaling, health, and more. There are major platforms to consider from Kubernetes, Swarm to ECS. In this talk we'll go through the overview of orchestrators and some of the differences between the big players. You should come out of the talk knowing where to go next in determining your orchestrator needs.
SonarSource provides open source projects and commercial products the means to inspect the code for Reliability, Security, and Maintainability.
We will be reviewing SonarQube and its benefits to organizations and various roles on a development team.
The story of SonarQube told to a DevOps EngineerManu Pk
SonarQube is a open source code quality management platform. This talk focuses on the need, setup, CI Infrastructure and administration of the SonarQube to the DevOps community.
In deploying apps that have been containerized, you have a lot to think about regarding what to use in production. There are a lot of things to manage, so orchestrators become a huge help. providing many services together such as scheduling, container communication, scaling, health, and more. There are major platforms to consider from Kubernetes, Swarm to ECS. In this talk we'll go through the overview of orchestrators and some of the differences between the big players. You should come out of the talk knowing where to go next in determining your orchestrator needs.
SonarSource provides open source projects and commercial products the means to inspect the code for Reliability, Security, and Maintainability.
We will be reviewing SonarQube and its benefits to organizations and various roles on a development team.
The story of SonarQube told to a DevOps EngineerManu Pk
SonarQube is a open source code quality management platform. This talk focuses on the need, setup, CI Infrastructure and administration of the SonarQube to the DevOps community.
It is not to complicated to keep new project with good code quality for half year. Maybe, for one year. But what if team works on some project for years? Or even ”better”: you need to support and grow large project after another team. Presentation describes Continuous Inspection, main measures of code quality that will make your life better, continuous inspection and how to cook it with SonarQube.
DevOps and security. There's still no standard or even agreed-upon name, but two things are clear: DevOps is here to stay and security must be speeding up to keep pace with the speed of business, so DevSecOps.
This session will provide a guide to Alfresco truststores and keystores. Several live examples will be shown, including the replacement of existing cryptographic stores or certificates. Additionally, a troubleshooting configuration guide for mTLS communication will be provided.
Link to Youtube video: https://youtu.be/-awH_CC4DLo
You can contact me at abhimanyu.bhogwan@gmail.com
My linkdin id : https://www.linkedin.com/in/abhimanyu-bhogwan-cissp-ctprp-98978437/
Basic Introduction to DevSecOps concept
Why What and How for DevSecOps
Basic intro for Threat Modeling
Basic Intro for Security Champions
3 pillars of DevSecOps
6 important components of a DevSecOps approach
DevSecOps Security Best Practices
How to integrate security in CI/CD pipeline
Introduction of Continuous Integration (CI)
* Try to answer questions from developers, testers, team leaders, and managers.
* The topology and features of CI.
* How can CI reduce risks?
ModSecurity and NGINX: Tuning the OWASP Core Rule SetNGINX, Inc.
On demand recording: nginx.com/watch-on-demand/?id=modsecurity-and-nginx-tuning-the-owasp-core-rule-set
In this webinar we discuss how to install the OWASP Core Rule Set (CRS) with NGINX and ModSecurity, as well as how to tune it. The CRS protects against many types of attack, including SQL Injection (SQLi), Local File Inclusion (LFI), and Remote Code Execution (RCE). Watch this webinar to learn:
- How to install the OWASP Core Rule Set (CRS) with ModSecurity
- About the types of attacks the CRS blocks, such SQLi, RFI, and LFI
- How to tune the CRS to minimize false positives
- What it looks like when ModSecurity blocks an attack (in a live demo), and how to interpret the audit log
Security in CI/CD Pipelines: Tips for DevOps EngineersDevOps.com
While DevOps is becoming a new norm for most of the companies, security is typically still behind. The new architectures create a number of new process considerations and technical issues. In this practical talk, we will present an overview of the practical issues that go into making security a part of DevOps processes. Will cover incorporating security into existing CI/CD pipelines and tools DevOps professionals need to know to implement the automation and adhere to secure coding practices.
Join Stepan Ilyin, Chief Product Officer at Wallarm for an engaging conversation where you’ll learn:
Methodologies and tooling for dynamic and static security testing
Composite and OSS license analysis benefits
Secrets and analysis and secrets management approaches in distributed applications
Security automation and integration in CI/CD
Apps, APIs and workloads protection in cloud-native K8s enabled environments
In this session I will present best practices of how open source tools (used in the DevOps and security communities) can be properly chained together to form a framework that can - as part of an agile software development CI chain - perform automated checking of certain security aspects. This does not remove the requirement for manual pentests, but tries to automate early security feedback to developers.
Based on my experience of applying SecDevOps techniques to projects, I will present the glue steps required on every commit and at nightly builds to achieve different levels of depth in automated security testing during the CI workflow.
I will conclude with a "SecDevOps Maturity Model" of different stages of automated security testing and present concrete examples of how to achieve each stage with open source security tools.
[DevSecOps Live] DevSecOps: Challenges and OpportunitiesMohammed A. Imran
In this Practical DevSecOps's DevSecOps Live online meetup, you’ll learn DevSecOps Challenges and Opportunities.
Join Mohan Yelnadu, head of application security at Prudential Insurance on his DevSecOps Journey.
He will cover DevSecOps challenges he has faced and how he converted them into opportunities.
He will cover the following as part of the session.
DevSecOps Challenges.
DevSecOps Opportunities.
Converting Challenges into Opportunities.
Quick wins and lessons learned.
… and more useful takeaways!
Monitoring Kafka without instrumentation using eBPF with Antón Rodríguez | Ka...HostedbyConfluent
Imagine a world where you can access metrics, events, traces, and logs in seconds without changing code. Even more, a world where you can run scripts to debug metrics as code. In this session, you will learn about eBPF, a powerful technology with origins in the Linux kernel that holds the potential to fundamentally change how Networking, Observability, and Security are delivered.
We’ll see eBPF in action applied to the Kafka world: identify Kafka consumers, producers, and brokers, see how they interact with each other and how many resources they consume. We'll even learn how to measure consumer lag without external components. If you want to know what’s next in Kafka observability, this session is for you.
The SonarQube Platform is made of 4 components:
- Server, Database, Plugins and Scanner
One or more SonarQube Scanners running on your Build / Continuous Integration Servers to analyze projects
It is not to complicated to keep new project with good code quality for half year. Maybe, for one year. But what if team works on some project for years? Or even ”better”: you need to support and grow large project after another team. Presentation describes Continuous Inspection, main measures of code quality that will make your life better, continuous inspection and how to cook it with SonarQube.
DevOps and security. There's still no standard or even agreed-upon name, but two things are clear: DevOps is here to stay and security must be speeding up to keep pace with the speed of business, so DevSecOps.
This session will provide a guide to Alfresco truststores and keystores. Several live examples will be shown, including the replacement of existing cryptographic stores or certificates. Additionally, a troubleshooting configuration guide for mTLS communication will be provided.
Link to Youtube video: https://youtu.be/-awH_CC4DLo
You can contact me at abhimanyu.bhogwan@gmail.com
My linkdin id : https://www.linkedin.com/in/abhimanyu-bhogwan-cissp-ctprp-98978437/
Basic Introduction to DevSecOps concept
Why What and How for DevSecOps
Basic intro for Threat Modeling
Basic Intro for Security Champions
3 pillars of DevSecOps
6 important components of a DevSecOps approach
DevSecOps Security Best Practices
How to integrate security in CI/CD pipeline
Introduction of Continuous Integration (CI)
* Try to answer questions from developers, testers, team leaders, and managers.
* The topology and features of CI.
* How can CI reduce risks?
ModSecurity and NGINX: Tuning the OWASP Core Rule SetNGINX, Inc.
On demand recording: nginx.com/watch-on-demand/?id=modsecurity-and-nginx-tuning-the-owasp-core-rule-set
In this webinar we discuss how to install the OWASP Core Rule Set (CRS) with NGINX and ModSecurity, as well as how to tune it. The CRS protects against many types of attack, including SQL Injection (SQLi), Local File Inclusion (LFI), and Remote Code Execution (RCE). Watch this webinar to learn:
- How to install the OWASP Core Rule Set (CRS) with ModSecurity
- About the types of attacks the CRS blocks, such SQLi, RFI, and LFI
- How to tune the CRS to minimize false positives
- What it looks like when ModSecurity blocks an attack (in a live demo), and how to interpret the audit log
Security in CI/CD Pipelines: Tips for DevOps EngineersDevOps.com
While DevOps is becoming a new norm for most of the companies, security is typically still behind. The new architectures create a number of new process considerations and technical issues. In this practical talk, we will present an overview of the practical issues that go into making security a part of DevOps processes. Will cover incorporating security into existing CI/CD pipelines and tools DevOps professionals need to know to implement the automation and adhere to secure coding practices.
Join Stepan Ilyin, Chief Product Officer at Wallarm for an engaging conversation where you’ll learn:
Methodologies and tooling for dynamic and static security testing
Composite and OSS license analysis benefits
Secrets and analysis and secrets management approaches in distributed applications
Security automation and integration in CI/CD
Apps, APIs and workloads protection in cloud-native K8s enabled environments
In this session I will present best practices of how open source tools (used in the DevOps and security communities) can be properly chained together to form a framework that can - as part of an agile software development CI chain - perform automated checking of certain security aspects. This does not remove the requirement for manual pentests, but tries to automate early security feedback to developers.
Based on my experience of applying SecDevOps techniques to projects, I will present the glue steps required on every commit and at nightly builds to achieve different levels of depth in automated security testing during the CI workflow.
I will conclude with a "SecDevOps Maturity Model" of different stages of automated security testing and present concrete examples of how to achieve each stage with open source security tools.
[DevSecOps Live] DevSecOps: Challenges and OpportunitiesMohammed A. Imran
In this Practical DevSecOps's DevSecOps Live online meetup, you’ll learn DevSecOps Challenges and Opportunities.
Join Mohan Yelnadu, head of application security at Prudential Insurance on his DevSecOps Journey.
He will cover DevSecOps challenges he has faced and how he converted them into opportunities.
He will cover the following as part of the session.
DevSecOps Challenges.
DevSecOps Opportunities.
Converting Challenges into Opportunities.
Quick wins and lessons learned.
… and more useful takeaways!
Monitoring Kafka without instrumentation using eBPF with Antón Rodríguez | Ka...HostedbyConfluent
Imagine a world where you can access metrics, events, traces, and logs in seconds without changing code. Even more, a world where you can run scripts to debug metrics as code. In this session, you will learn about eBPF, a powerful technology with origins in the Linux kernel that holds the potential to fundamentally change how Networking, Observability, and Security are delivered.
We’ll see eBPF in action applied to the Kafka world: identify Kafka consumers, producers, and brokers, see how they interact with each other and how many resources they consume. We'll even learn how to measure consumer lag without external components. If you want to know what’s next in Kafka observability, this session is for you.
The SonarQube Platform is made of 4 components:
- Server, Database, Plugins and Scanner
One or more SonarQube Scanners running on your Build / Continuous Integration Servers to analyze projects
Managing Open Source Software Supply ChainsnexB Inc.
Heather Meeker and Michael Herzog discuss the latest trends in open source compliance for supply chain activities: the key legal issues for supply chain management as well as the latest automation tools and projects for open source management.
Agenda
• Legal issues for supply chain management
• Best practices to avoid claims and reduce risk
• Latest automation tools and projects for open source compliance management
Contain your risk: Deploy secure containers with trust and confidenceBlack Duck by Synopsys
Presented on September 22, 2016 by Brent Baude, Principle Software Engineer, Atomic and Docker Development, Red Hat; Randy Kilmon, VP, Engineering, Black Duck
Organizations are increasingly turning to container environments to meet the demand for faster, more agile software development. But a 2015 study conducted by Forrester Consulting on behalf of Red Hat revealed that 53% of IT operations and development decision makers at global enterprises reported container security concerns as a barrier to adoption.
The challenges of managing security risk increase in scope and complexity when hundreds or even thousands of different open source software components and licenses are part of your application code base. Since 2014, more than 6,000 new open source security vulnerabilities have been reported, making it essential to have good visibility into and control over the open source in use in order to understand if any known vulnerabilities are present.
In this webinar, experts from Red Hat and Black Duck will share the latest insights and recommendations for securing the open source in your containers, including protecting them from vulnerabilities like Heartbleed, Shellshock and Venom. You’ll learn:
• Why container environments present new application security challenges, including those posed by ever-increasing open source use.
• How to scan applications running in containers to identify open source in use and map known open source security vulnerabilities.
• Best practices and methodologies for deploying secure containers with trust and confidence.
Heather Meeker and Michael Herzog discuss the primary open source license obligations and some practical approaches for compliance with attribution and redistribution obligations.
EMBEDDED SYSTEMS SYBSC IT SEM IV UNIT V Embedded Systems Integrated Developme...Arti Parab Academics
Design and Development: Embedded system development Environment – IDE, types of file generated on cross compilation, disassembler/ de-compiler, simulator, emulator and debugging, embedded product development life-cycle, trends in embedded industry.
How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...AlienVault
Ever feel like you spend more time converting security information from one format to another, than actually connecting the dots hidden within it? The Collective Intelligence Framework (CIF) is a data processor for pulling in and normalizing out all these threat intel sources into a single combined dataset. Watch it on-demand http://ow.ly/li8Lf #TTTSec
Managing Software Inventories & Automating Open Source Software CompliancenexB Inc.
Stephen Gillespie of Fenwick & West and Michael Herzog of nexB review the most common open source license obligations, highlight the challenges of fast paced component-based software development from a compliance angle and what you can do to better monitor this in your software inventories.
Thursday, June 12th 2014
Discussing strategies in Rails development for keeping multiple application environments as consistent as possible for the best development, testing, and deployment experience.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
Generating a custom Ruby SDK for your web service or Rails API using Smithyg2nightmarescribd
Have you ever wanted a Ruby client API to communicate with your web service? Smithy is a protocol-agnostic language for defining services and SDKs. Smithy Ruby is an implementation of Smithy that generates a Ruby SDK using a Smithy model. In this talk, we will explore Smithy and Smithy Ruby to learn how to generate custom feature-rich SDKs that can communicate with any web service, such as a Rails JSON API.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
3. Fortify Source Code Analyser
•
Fortify Source Code Analyzer (SCA) is a set of software security analyzers
that search for violations of security‐specific coding rules and guidelines in a
variety of languages.
•
The rich data provided by Fortify SCA language technology enables the
analyzers to pinpoint and prioritize violations so that fixes can be fast and
accurate.
•
The analysis information produced by SCA helps you deliver more secure
software, as well as making security code reviews more efficient, consistent, and
complete.
3
4. Using Fortify
• At the highest level, using Fortify SCA involves:
• Choosing to run SCA as a stand‐alone process or
integrating Fortify SCA as part of the build tool
• Translating the source code into an intermediate
translated format, preparing the code base for scanning
by the different analyzers
• Scanning the translated code, producing security
vulnerability reports
• Auditing the results of the scan, either by transferring the
resulting FPR file to Audit Workbench or Fortify 360
Server for analysis, or directly with the results displayed
onscreen
5. Analyzers
• Data Flow: The data flow analyzer detects potential vulnerabilities
that involve tainted data (user‐controlled input) put to potentially
dangerous use. Eg. Buffer overflow, SQL Injections.
• Control Flow: The control flow analyzer detects potentially
dangerous sequences of operations. Eg. time of check/time of use
issues and uninitialized variables.
• Semantic: The semantic analyzer detects potentially dangerous
uses of functions and APIs at the intra‐procedural level. Eg.
Deprecated functions, unsafe functions.
• Structural: The structural analyzer detects potentially dangerous
flaws in the structure or definition of the program. For Eg. Dead
Code.
• Configuration: The configuration analyzer searches for mistakes,
weaknesses, and policy violations in an application's deployment
configuration files.
6. Analysis Phases
• Fortify SCA performs source code analysis
• Build Integration: The first phase of source code analysis involves
making a decision whether to integrate SCA into the build compiler
system.
• Translation: Source code gathered using a series of commands is
translated into an intermediate format which is associated with a
build ID. The build ID is usually the name of the project being
scanned.
• Analysis: Source files identified during the translation phase are
scanned and an analysis results file, typically in the Fortify project
(FPR) format, is generated. FPR files are indicated by the .fpr file
extension.
• Verification of the translation and analysis: Ensure that the
source files were scanned using the correct rulepacks and that no
significant errors were reported.
7. Analysis Commands
• The following is an example of the sequence of
commands you use to analyze code:
• Clean and build
sourceanalyzer -b <build_id> -clean
• Translation
sourceanalyzer -b <build_id> ...
•Scan
sourceanalyzer -b <build_id> -scan -f results.fpr
8. Translation Options
• Output Options:
•
•
•
•
•
•
•
-append : Appends results to the file specified with -f. If this option is not
specified, Fortify SCA adds the new findings to the FPR file, and labels
the older result as previous findings.
-build-label <label> : The label of the project being scanned.
-build-project <project> : The name of the project being scanned.
-build-version <version> : The version of the project being scanned.
-f <file> : The file to which results are written.
-format <format> : Controls the output format. Valid options are fpr, fvdl,
text, and auto.
-html-report : Creates an HTML summary of the results produced.
9. Translation Options
• Analysis Options:
•
•
•
•
•
•
•
•
-disable-default-ruletype <type> : Disables all rules of the specified type
in the default rulepacks.
-encoding : Specifies the encoding for encoded source files.
-filter <file_name> : Specifies a results filter file.
-findbugs : Enables FindBugs analysis for Java code.
-quick : Scans the project in Quick Scan Mode.
-rules [<file>|<directory>] : Specifies a custom rulepack or directory.
-disable-source-rendering : Source files are not included in the FPR file.
-scan : Causes Fortify SCA to perform analysis for the specified build
ID.
10. Translation Options
• Build Integration Options
•
•
•
•
-b <build_id> : Specifies the build ID.
-bin <binary> : Used with -scan to specify a subset of source files to
scan. Only the source files that were linked in the named binary at build
time are included in the scan.
-exclude <file_pattern> : Removes files from the list of files to translate.
For example: sourceanalyzer –cp "**/*.jar" "**/*" -exclude "**/Test.java“
-nc : When specified before a compiler command line.
11. Translation Options
• Runtime Options
•
•
•
•
•
•
-auth-silent : Available on Fortify SCA Per Use edition only. Suppresses
the prompt that displays the number of lines the scan requires to
analyze the source code.
-64 : Runs Fortify SCA under the 64‐bit JRE.
-logfile <file_name> : Specifies the log file that is produced by Fortify
SCA.
-quiet : Disables the command line progress bar.
-verbose : Sends verbose status messages to the console.
-Xmx <size> : Specifies the maximum amount of memory used by
Fortify SCA.