c#, .net, fortify

Fortify to scan 3rd party dll's


Is there any way to get Fortify to scan 3rd party DLLs?

I am translating .NET projects on the command line which have been prebuilt in debug mode.

The command I am using is:

sourceanalyzer -b mybuild -vsversion 14.0 -libdirs [project-root]/**/*.dll

I note that the user guide for older versions specified that PDBs were not needed for 3rd party DLLs, but in newer versions it states that 3rd party PDBs are required for 3rd party DLLs.

Without scanning 3rd party DLLs, how useful would data flow and control flow analysis be?


Solution

  • You still want to specify the 3rd party DLLs; those get specified in the -libdirs option.

    The command you specified looks like it is missing the section where you specify the files to actually scan.

    When I scan DLLs, here is my translate command:

    sourceanalyzer -b test -Xmx8G -vsversion 14.0 
                   @excludelist.txt 
                   -Dcom.fortify.sca.SourceFiles=WebGoat.NET\WebGoat 
                   -libdirs WebGoat.NET\WebGoat\bin WebGoat.NET\**/*.dll
                   WebGoat.NET/**/*
    

    There are several things going on:

    1) The @excludelist.txt contains a list of commands to exclude 3rd party DLLs from being audited (but they are still scanned for data/control flow with the rest of the program). Here are the contents of that file:

    -exclude WebGoat.NET\WebGoat\bin\EnvDTE.dll
    -exclude WebGoat.NET\WebGoat\bin\EnvDTE80.dll
    -exclude WebGoat.NET\WebGoat\bin\log4net.dll
    -exclude WebGoat.NET\WebGoat\bin\Microsoft.VisualStudio.OLE.Interop.dll
    -exclude WebGoat.NET\WebGoat\bin\Microsoft.VisualStudio.Shell.Interop.8.0.dll
    -exclude WebGoat.NET\WebGoat\bin\Microsoft.VisualStudio.Shell.Interop.dll
    -exclude WebGoat.NET\WebGoat\bin\Microsoft.VisualStudio.TextManager.Interop.8.0.dll
    -exclude WebGoat.NET\WebGoat\bin\Microsoft.VisualStudio.TextManager.Interop.dll
    -exclude WebGoat.NET\WebGoat\bin\Microsoft.VisualStudio.VSHelp.dll
    -exclude WebGoat.NET\WebGoat\bin\mysql.data.dll
    -exclude WebGoat.NET\WebGoat\bin\mysql.data.entity.dll
    -exclude WebGoat.NET\WebGoat\bin\mysql.visualstudio.dll
    -exclude WebGoat.NET\WebGoat\bin\mysql.web.dll
    -exclude WebGoat.NET\WebGoat\bin\stdole.dll
    -exclude WebGoat.NET\WebGoat\bin\System.Data.SQLite.dll
    -exclude WebGoat.NET\WebGoat\lib\log4net.dll
    -exclude WebGoat.NET\WebGoat\lib\mysql.data.cf.dll
    -exclude WebGoat.NET\WebGoat\lib\mysql.data.dll
    -exclude WebGoat.NET\WebGoat\lib\mysql.data.entity.dll
    -exclude WebGoat.NET\WebGoat\lib\mysql.visualstudio.dll
    -exclude WebGoat.NET\WebGoat\lib\mysql.web.dll
    -exclude WebGoat.NET\WebGoat\lib\System.Data.SQLite.dll
    

    Here are the contents of the bin folder:

    DotNetGoat.dll
    DotNetGoat.dll.config
    DotNetGoat.pdb
    EnvDTE.dll
    EnvDTE.xml
    EnvDTE80.dll
    EnvDTE80.xml
    log4net.dll
    log4net.xml
    Microsoft.VisualStudio.OLE.Interop.dll
    Microsoft.VisualStudio.OLE.Interop.xml
    Microsoft.VisualStudio.Shell.Interop.8.0.dll
    Microsoft.VisualStudio.Shell.Interop.8.0.xml
    Microsoft.VisualStudio.Shell.Interop.dll
    Microsoft.VisualStudio.Shell.Interop.xml
    Microsoft.VisualStudio.TextManager.Interop.8.0.dll
    Microsoft.VisualStudio.TextManager.Interop.8.0.xml
    Microsoft.VisualStudio.TextManager.Interop.dll
    Microsoft.VisualStudio.TextManager.Interop.xml
    Microsoft.VisualStudio.VSHelp.dll
    mysql.data.dll
    mysql.data.entity.dll
    mysql.visualstudio.dll
    mysql.web.dll
    stdole.dll
    System.Data.SQLite.dll
    System.Data.SQLite.xml
    

    I excluded all the 3rd party DLLs, in this case everything but DotNetGoat.dll.

    2) The -Dcom.fortify.sca.SourceFiles=WebGoat.NET\WebGoat is specifying where the source code is located.

    I hope this helps.
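Writing the exclude list by hand gets tedious on a real bin folder. The script below is an added example, not the answerer's own tooling or anything shipped with Fortify: it walks the given directories and emits one -exclude line for every DLL that has no matching .pdb next to it. The heuristic that "DLL without symbols means third-party" is an assumption of this example (it matches the listing above, where only DotNetGoat.dll ships a DotNetGoat.pdb), and the function, file and directory names are the example's own. It is written for a POSIX shell such as Git Bash on the build host; only the -exclude option and the @file argument syntax come from the answer.

```shell
#!/bin/sh
# Added example: generate a Fortify argument file (@excludelist.txt) that
# excludes third-party DLLs from the audit. Heuristic used here (an assumption
# of this example, not a Fortify rule): a DLL built from our own sources has a
# sibling .pdb; a DLL without one is third-party and gets an -exclude line.

build_exclude_list() {
    # $@ = directories to walk, e.g. WebGoat.NET/WebGoat/bin WebGoat.NET/WebGoat/lib
    # Prints one "-exclude <path>" line per third-party DLL, sorted per directory.
    for dir in "$@"; do
        find "$dir" -type f -iname '*.dll' | LC_ALL=C sort | while IFS= read -r dll; do
            # Strip the final extension and look for the matching symbols file,
            # e.g. Microsoft.VisualStudio.Shell.Interop.8.0.dll -> ...Interop.8.0.pdb
            if [ ! -f "${dll%.*}.pdb" ]; then
                printf '%s %s\n' -exclude "$dll"
            fi
        done
    done
}

write_exclude_file() {
    # $1 = output file (the @file passed to sourceanalyzer), rest = directories.
    exclude_file="$1"; shift
    build_exclude_list "$@" > "$exclude_file"
    # Return the number of exclusions written so the caller can sanity-check
    # that the heuristic did not exclude everything (or nothing).
    wc -l < "$exclude_file" | tr -d ' '
}

demo() {
    # Constructed sample tree mirroring part of the bin listing in the answer.
    tmp=$(mktemp -d)
    mkdir -p "$tmp/bin" "$tmp/lib"
    for f in DotNetGoat.dll DotNetGoat.pdb log4net.dll mysql.data.dll System.Data.SQLite.dll; do
        : > "$tmp/bin/$f"
    done
    : > "$tmp/lib/log4net.dll"
    count=$(write_exclude_file "$tmp/excludelist.txt" "$tmp/bin" "$tmp/lib")
    echo "wrote $count exclusions to $tmp/excludelist.txt:"
    cat "$tmp/excludelist.txt"
    # The translate step would then reference it as
    #   sourceanalyzer -b mybuild -vsversion 14.0 @"$tmp/excludelist.txt" ...
    rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run it with --demo to see the four exclusions it derives from the constructed tree (DotNetGoat.dll is kept because DotNetGoat.pdb sits beside it). Point write_exclude_file at the real bin and lib folders and pass the generated file as @excludelist.txt on the translate command; the excluded DLLs still need to be reachable through -libdirs, as the answer says, so that data flow through them is resolved even though they are not audited.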