
Is there any way to get Fortify to scan 3rd party DLLs?

I am translating .NET projects on the command line which have been prebuilt in debug mode.

The command I am using is:

sourceanalyzer -b mybuild -vsversion 14.0 -libdirs [project-root]/**/*.dll

I note that the user guide for older versions specified that PDBs were not needed for 3rd party DLLs, but in newer versions it states that 3rd party PDBs are required for 3rd party DLLs.

Without scanning 3rd party DLLs, how useful would data flow and control flow analysis be?

Erik Philips
hamo

1 Answer


You still want to specify the 3rd party DLLs; those get specified in the -libdirs option.

The command you specified looks like it is missing the section where you specify the files to actually scan.

When I scan .dlls here is my translate command:

sourceanalyzer -b test -Xmx8G -vsversion 14.0 
               @excludelist.txt 
               -Dcom.fortify.sca.SourceFiles=WebGoat.NET\WebGoat 
               -libdirs WebGoat.NET\WebGoat\bin WebGoat.NET\**/*.dll
               WebGoat.NET/**/*

There are several things going on:

1) The @excludelist.txt contains a list of commands to exclude 3rd party DLLs from being audited (but they are still scanned for data/control flow with the rest of the program). Here are the contents of that file:

-exclude WebGoat.NET\WebGoat\bin\EnvDTE.dll
-exclude WebGoat.NET\WebGoat\bin\EnvDTE80.dll
-exclude WebGoat.NET\WebGoat\bin\log4net.dll
-exclude WebGoat.NET\WebGoat\bin\Microsoft.VisualStudio.OLE.Interop.dll
-exclude WebGoat.NET\WebGoat\bin\Microsoft.VisualStudio.Shell.Interop.8.0.dll
-exclude WebGoat.NET\WebGoat\bin\Microsoft.VisualStudio.Shell.Interop.dll
-exclude WebGoat.NET\WebGoat\bin\Microsoft.VisualStudio.TextManager.Interop.8.0.dll
-exclude WebGoat.NET\WebGoat\bin\Microsoft.VisualStudio.TextManager.Interop.dll
-exclude WebGoat.NET\WebGoat\bin\Microsoft.VisualStudio.VSHelp.dll
-exclude WebGoat.NET\WebGoat\bin\mysql.data.dll
-exclude WebGoat.NET\WebGoat\bin\mysql.data.entity.dll
-exclude WebGoat.NET\WebGoat\bin\mysql.visualstudio.dll
-exclude WebGoat.NET\WebGoat\bin\mysql.web.dll
-exclude WebGoat.NET\WebGoat\bin\stdole.dll
-exclude WebGoat.NET\WebGoat\bin\System.Data.SQLite.dll
-exclude WebGoat.NET\WebGoat\lib\log4net.dll
-exclude WebGoat.NET\WebGoat\lib\mysql.data.cf.dll
-exclude WebGoat.NET\WebGoat\lib\mysql.data.dll
-exclude WebGoat.NET\WebGoat\lib\mysql.data.entity.dll
-exclude WebGoat.NET\WebGoat\lib\mysql.visualstudio.dll
-exclude WebGoat.NET\WebGoat\lib\mysql.web.dll
-exclude WebGoat.NET\WebGoat\lib\System.Data.SQLite.dll

Here is the contents of the bin folder:

DotNetGoat.dll
DotNetGoat.dll.config
DotNetGoat.pdb
EnvDTE.dll
EnvDTE.xml
EnvDTE80.dll
EnvDTE80.xml
log4net.dll
log4net.xml
Microsoft.VisualStudio.OLE.Interop.dll
Microsoft.VisualStudio.OLE.Interop.xml
Microsoft.VisualStudio.Shell.Interop.8.0.dll
Microsoft.VisualStudio.Shell.Interop.8.0.xml
Microsoft.VisualStudio.Shell.Interop.dll
Microsoft.VisualStudio.Shell.Interop.xml
Microsoft.VisualStudio.TextManager.Interop.8.0.dll
Microsoft.VisualStudio.TextManager.Interop.8.0.xml
Microsoft.VisualStudio.TextManager.Interop.dll
Microsoft.VisualStudio.TextManager.Interop.xml
Microsoft.VisualStudio.VSHelp.dll
mysql.data.dll
mysql.data.entity.dll
mysql.visualstudio.dll
mysql.web.dll
stdole.dll
System.Data.SQLite.dll
System.Data.SQLite.xml

I excluded all the 3rd party DLLs, in this case all but DotNetGoat.dll.

2) The -Dcom.fortify.sca.SourceFiles=WebGoat.NET\WebGoat is specifying where the source code is located.

I hope this helps.

SBurris
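The exclude list in the answer above is hand-written; on a project with many NuGet packages that gets tedious and easy to get wrong. The following is an added example (not code from the original answer or from Fortify) that generates the `-exclude` lines automatically. It assumes one heuristic, which matches the bin listing shown above but is not something the answer states: in a debug build, only first-party assemblies (DotNetGoat.dll) ship a sibling `.pdb`, while third-party DLLs come with an `.xml` doc file or nothing. The `translate_command` helper only reproduces the shape of the answer's command line; it does not verify how `-libdirs` separates multiple values, so pass that argument exactly as you would on the real command line. The sample bin listing is constructed from the names in the answer.

```python
"""
Generate a Fortify @excludelist.txt for a prebuilt .NET project.

Added example, not part of the original post. Heuristic (an assumption):
a DLL with no sibling .pdb in the same folder is treated as third-party.
Paths are built with ntpath so the output uses Windows separators regardless
of where this script runs, since sourceanalyzer for .NET runs on Windows.
"""
import ntpath
import os
import sys
from pathlib import PureWindowsPath

# Constructed sample of a bin folder, using the names from the answer's listing.
SAMPLE_BIN = [
    "DotNetGoat.dll", "DotNetGoat.dll.config", "DotNetGoat.pdb",
    "EnvDTE.dll", "EnvDTE.xml",
    "log4net.dll", "log4net.xml",
    "mysql.data.dll",
    "System.Data.SQLite.dll", "System.Data.SQLite.xml",
]


def third_party_dlls(filenames):
    """Return the DLL names that have no matching .pdb in the same folder.

    Comparison is case-insensitive because Windows file names are.
    Sorted case-insensitively so the exclude list is stable across runs.
    """
    pdb_stems = {
        PureWindowsPath(f).stem.lower()
        for f in filenames if f.lower().endswith(".pdb")
    }
    return sorted(
        (f for f in filenames
         if f.lower().endswith(".dll")
         and PureWindowsPath(f).stem.lower() not in pdb_stems),
        key=str.lower,
    )


def exclude_lines(root, subdirs, lister=os.listdir):
    """Produce '-exclude <root>\\<subdir>\\<dll>' lines for every third-party DLL.

    `lister` is injectable so the logic can be exercised without a real folder.
    """
    lines = []
    for sub in subdirs:
        folder = ntpath.join(root, sub)
        for dll in third_party_dlls(lister(folder)):
            lines.append("-exclude " + ntpath.join(folder, dll))
    return lines


def translate_command(build_id, root, source_dir, libdirs,
                      excludelist="excludelist.txt"):
    """Assemble a translate command in the same shape as the answer's.

    Assumption: the -libdirs value is passed through verbatim; this helper
    does not know how sourceanalyzer separates multiple library directories.
    """
    return " ".join([
        "sourceanalyzer", "-b", build_id, "-Xmx8G", "-vsversion", "14.0",
        "@" + excludelist,
        "-Dcom.fortify.sca.SourceFiles=" + source_dir,
        "-libdirs", libdirs,
        ntpath.join(root, "**", "*"),
    ])


def write_excludelist(path, lines):
    """Write the exclude list, one '-exclude' directive per line."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(lines) + "\n")
    return len(lines)


if __name__ == "__main__":
    # Usage: python make_excludelist.py <project-root> [subdir ...]
    # e.g.   python make_excludelist.py WebGoat.NET\WebGoat bin lib
    project_root = sys.argv[1] if len(sys.argv) > 1 else r"WebGoat.NET\WebGoat"
    folders = sys.argv[2:] or ["bin", "lib"]
    excludes = exclude_lines(project_root, folders)
    count = write_excludelist("excludelist.txt", excludes)
    print(f"wrote {count} -exclude lines to excludelist.txt")
    print(translate_command("test", "WebGoat.NET", project_root,
                            ntpath.join(project_root, "bin")))
```

Review the generated list before using it: a first-party assembly built without symbols, or a third-party package that ships its own `.pdb`, will be classified the wrong way by this heuristic, and the only fix is to edit the list by hand for those entries.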
  • Thank you, this looks like exactly what I am looking for. One question, and forgive me if this is obvious, but I am new to Fortify: with the above, would I need the pdb files for the excluded third party DLLs? – hamo Sep 29 '16 at 14:57
    No, some of them provide it and others do not. – SBurris Sep 29 '16 at 15:36
  • I've tried the above with WebGoat but it bombs out during translation if I specify the bin folder in the `-libdirs` option – hamo Sep 29 '16 at 23:02
  • An update on this: the translation phase fails when I both add the third party DLLs in the bin folder to the exclude list and add the path to the bin folder in the `-libdirs` option. If I do either of these on their own, translation does not fail, but I get errors in my results warning me that it can't find the DLLs' classes `in the given search path and the Microsoft .Net framework libraries.` The problem seems to be with loading the DLLs into cache. – hamo Sep 30 '16 at 00:56
  • If possible, it would be useful for me if you could provide the full contents of your bin folder and the full @excludelist.txt. – hamo Sep 30 '16 at 08:31