
everyone! I just got a security audit for my source code. This is the first time I've done this. They used the Fortify static code analyzer and found a few vulnerabilities (with ASP.NET MVC Bad Practices: Optional Submodel With Required Property) that I have to fix. Trouble is, I don't understand where the problem is. So I'm thinking of getting a trial of Fortify on Demand to test my fixed code. But this one is cloud-based; I have to upload the source code to them. And I'm not sure if this is safe or not. Can anyone give me any advice on this?

Also, do you guys know any free (or cheap) static analyzer tools similar to Fortify? I already tried SonarQube and PVS-Studio, but they can't detect the same problem in my source code. Thank you in advance, and sorry if I made any mistakes. English is not my first language! Thanks!

madlink
  • Ask whoever "they" is to re-scan your modified code for you. – Dave Apr 25 '20 at 12:39
  • I want to finish it quickly, 'cos it takes a long time to schedule an appointment with them. Don't want to drag it out. – madlink Apr 25 '20 at 14:19
  • Quick and security do not go hand in hand. "They" obviously wanted a scan for a reason and now that you've addressed the concerns raised by the scan give it back to "them" to do further scanning if necessary. Uploading code to Fortify is "safe" in the sense that they aren't going to do anything more than scan it. But if it isn't scanned with the same parameters as "they" used/use the results might be very different. – Dave Apr 25 '20 at 14:23
  • Thing is, I don't know if the code I fixed addresses their concern or not, because I'm not entirely sure where the problem is. I'm still learning. So that's why I want to use some tools to check whether I understand the problem correctly to fix it. Thank you for your answer though. – madlink Apr 25 '20 at 14:34
  • You're missing the point. What "they" use for checking could be quite different than what you are trying to use for checking. Organizations may customize how Fortify is used and include things that may be ignored and add more things and conditions to be tested. You can't possibly know if your changes will have fixed their concerns without them running it through Fortify again. – Dave Apr 25 '20 at 14:37
  • Thanks, I understand what you're trying to say. But as I said before, testing myself helps me understand the problem a little bit better (although it could be an entirely different problem). It's good for my learning even if I fix the wrong problem. Right now I don't even have the faintest idea how to fix it. So that's why I wanna try to do it. Not saying I want to pass their test right away. Just to reduce the time back and forth. – madlink Apr 25 '20 at 14:52
  • So why don't you [edit] your question and add the code in question and the results? Or do as you originally asked and upload your code to the Fortify cloud. – Dave Apr 25 '20 at 14:54
  • I don't have the official report yet. They just show me a glimpse of the problem. I just want to test the problem beforehand. And no one asked me to upload it to Fortify. If they asked, I wouldn't hesitate :D My question here is not about coding, just the tool to debug the problem. Thank you for being patient with me. – madlink Apr 25 '20 at 15:00

1 Answer


Have you tried FxCop? Accessing functions and properties without a null check is one of the most common issues identified by Fortify. See also: Looking for static-code-review system for .Net MVC

Rajanikant Hawaldar
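As an added illustration (not code from the question, the answer, or Fortify's documentation) of what the "Optional Submodel With Required Property" category and the answer's null-check point refer to: a nested model that is left null by model binding is never validated, so its `[Required]` members are silently skipped and `ModelState.IsValid` passes. The class and property names are hypothetical, and the example assumes ASP.NET Core MVC; the DataAnnotations behaviour it relies on (null objects are not descended into) is the same in classic ASP.NET MVC.

```csharp
using System.ComponentModel.DataAnnotations;
using Microsoft.AspNetCore.Mvc;

// Hypothetical submodel: Street is marked [Required] ...
public class AddressModel
{
    [Required]
    public string Street { get; set; }
}

// Weak pattern: ... but the submodel itself is optional. If the request
// posts no Address.* fields, model binding leaves Address null, the
// validator never descends into it, and Street's [Required] never fires.
public class OrderModelWeak
{
    [Required]
    public string CustomerName { get; set; }

    public AddressModel Address { get; set; }
}

// Hardened: the submodel is itself [Required], so a missing Address
// produces a ModelState error instead of passing validation silently.
public class OrderModelFixed
{
    [Required]
    public string CustomerName { get; set; }

    [Required]
    public AddressModel Address { get; set; }
}

public class OrderController : Controller
{
    [HttpPost]
    public IActionResult Create(OrderModelFixed model)
    {
        // With OrderModelWeak this check passes even when Address is null,
        // and a later model.Address.Street access throws a NullReferenceException.
        if (!ModelState.IsValid)
            return BadRequest(ModelState);

        // Defence in depth: do not rely on the binder alone for the nested object.
        if (model.Address is null || string.IsNullOrWhiteSpace(model.Address.Street))
        {
            ModelState.AddModelError(nameof(model.Address), "Address with street is required.");
            return BadRequest(ModelState);
        }
        return Ok();
    }
}
```

Posting a form with only `CustomerName` filled in is the quickest way to see the difference: the weak model reaches the action with a null `Address`, the fixed one is rejected at `ModelState.IsValid`.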