6

As part of automating the process of running secure code analysis, I have a Jenkins job which uses the sourceanalyzer command line tool to generate an .fpr results file. At the moment I'm opening this results file in Audit Workbench application to view the results and check if there's any newly introduced issues etc, and generating a report from there in PDF/XML format.

Does anyone is it possible to invoke Audit Workbench through the command line and generate a report on the issues, which we could then leverage through a Jenkins script and also then mail the results? Looking online the command line usage seems to stop at the fpr generation stage.

Thanks in advance!

Anthony Mastrean
  • 21,850
  • 21
  • 110
  • 188
Gary O' Donoghue
  • 362
  • 2
  • 4
  • 15

3 Answers3

13

There is a command-line utility to generate an Report from the FPR file.

Currently there are two report generators: Legacy and BIRT. The BIRT report engine was introduced into Audit Workbench with version 4.40.

Here is an example using the BIRT Report engine to generate a DISA STIG report

BIRTReportGenerator -template "DISA STIG" -source HelloWorld_second.fpr 
    -output BirtReport.pdf -format PDF -showSuppressed --Version "DISA STIG 3.9" 
    -UseFortifyPriorityOrder

Using the legacy one is a little more involved. The command is: 

ReportGenerator -format pdf -f LegacyReport.pdf -source HelloWorld_second.fpr 
    -template DisaStig3.10.xml -showSuppressed -showHidden

You can either use one of the predefined template reports located in the <SCA Install Dir>/Core/config/reports directory or generate one using the Report Wizard and saving the template which gets stored in the C:\Users\<USER>\AppData\Local\Fortify\config\AWB-XX.XX\reports\ directory in Windows.

On Linux/Mac look at the configuration file <SCA Install Dir>/Core/config/fortify.properties for the com.fortify.WorkingDirectory property, this is where the reports will be stored

SBurris
  • 7,378
  • 5
  • 28
  • 36
1

@SBurris,

If you don't want to show Suppressed/Hidden is it just -hideSuppressed and -hideHidden?

Also, is there a way to add custom filters to not show things like "nones" from the STIG/SANS/OWASP like you can create in the AWB GUI?

Basically, I need a command(s) to merge two FPRs and then compare them based on what is found new on the scanned code vs. the old FPR.

Merge should be:

FPRUtility -merge -project <newest_scan.fpr> -source <previous_scan.fpr> -f <BUILDXX_MergedWith_BUILDXY.fpr>

The custom filter I need after the merge is:

"[OWASP Top 10 2013]:!<none> OR [SANS Top 25 2011]:!<none> OR [STIG 3.9]:!<none> AND [Detected On]:!/^/"

  • Where the Detected On field is a custom tag that I need to carry through from the previous FPR file into the newly merged one.

AND THEN output the report from that newly merged fpr in pdf and xml format to a location/filename I specify. Something along the lines of:

~AWB_Installation_Dir/bin/ReportGenerator -format pdf -f [BUILDXX_MergedWith_BUILDXY].pdf -source output.fpr 
    -template DisaStig3.10.xml -hideSuppressed -hideHidden

Obviously this can be a multitude of commands as long as we can get it back to Bamboo. Any help would be greatly appreciated. Thanks.

R. Skinner
  • 21
  • 4
1

FPRUtility interprets the space-separated conditions in the -information -search -query ... parameter by applying the boolean AND operator. To obtain a union of 2 conditions A || B, I figured I could intersect negations of other conditions that complement the former: !C && !D (where A || B || C || D always holds true). I.e., to find all high and critical issues, I use

FORTIFY_ROOT\jre\bin\java -d64 -Xmx4096M -jar FORTIFY_ROOT\Core\lib\exe\fpr-utility-exe.jar -project APP_VER_DATE.fpr -information -search -query "[OWASP Top 10 2017]:A [fortify priority order]:!low [fortify priority order]:!medium" -categoryIssueCounts -listIssues > issues.txt

In case of an audit, I figured I needed the older report generation utility to include suppressed issues (and their comments),

sed -e 's/\(IssueListing limit=\)"[^"]\+"/\1"-1"/' -i "FORTIFY_ROOT/Core/config/reports/DeveloperWorkbook.xml"
cmd /c call ReportGenerator -template DeveloperWorkbookAll.xml -format pdf -source APP_VER_DATE.fpr -showSuppressed -f "APP_VER_DATE_with_suppressed.pdf"
eel ghEEz
  • 1,186
  • 11
  • 24
  • Re: issue search profiles such as "OWASP Top 10 2013", I found that FPRUtility.bat corrupts the angle brackets and/or the exclamation mark used in the -search -query "[OWASP Top 10 2013]:!" parameter. Passing these parameters directly to java worked: `java -jar c:\fortify\Core\lib\exe\fpr-utility-exe.jar -project PROJ.fpr -information -search -query "[OWASP Top 10 2013]:!" -categoryIssueCounts -listIssues`. – eel ghEEz Feb 09 '18 at 19:24