From 25d92ff4558e5addf42c32cb0fd5338e185b3bf9 Mon Sep 17 00:00:00 2001 From: Kelley van Evert Date: Tue, 8 Nov 2016 19:34:06 +0100 Subject: [PATCH] workflow for getting HPR Fortify to work, and the results it gives on analysis with all defaults --- hpe_fortify_workflow.txt | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 hpe_fortify_workflow.txt diff --git a/hpe_fortify_workflow.txt b/hpe_fortify_workflow.txt new file mode 100644 index 0000000..b95e422 --- /dev/null +++ b/hpe_fortify_workflow.txt @@ -0,0 +1,23 @@ + + +Installing and using the HPE stuff (under linux): + +(1) Mount (or open) the ISO file. +(2) in its folder `Linux`, run the `HP_Fortify_SCA_and_Apps_16.10_linux_x64.run` file for installation. + using the license file. +(3) In the install folder (`~/HP_Fortify` by default) you get the folder `HP_Fortify_SCA_and_Apps_16.10`, + in which there is a `bin` folder, in which there are the `sourceanalyzer` and `auditworkbench` executables. + The first is used to do the static analysis, the second to view the results. + However, I've just opened the workbench and run the static analysis from there + (`Start new Project` > `Advanced Scan`, all defaults except `J2EE webapp?` = NO) + This gives 58 criticals and 9 highs (in Quick View): + critical: + xss: 50 -- lots of it. + password management: 1 -- populating the password field in `reset.php`, with previous entry (on error) + privacy violation: 1 -- installer.php prints results, including errors and warnings + sql injection: 6 -- sql injection in installer.php + high: + cookie security: 1 -- not HttpOnly + password management: 1 -- n/a + privacy violation: 2 -- (html input autocompletion) + weak encryption: 5 -- all about using php's `crypt(...)` function \ No newline at end of file -- 2.20.1
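Review bot: the results section of `hpe_fortify_workflow.txt` records counts but not locations for most findings, which makes it hard to act on or re-verify: `xss: 50 -- lots of it.` gives no file names, `password management: 1 -- n/a` under "high" explains nothing, and the two privacy-violation and one cookie-security entries name neither the file nor the line. Since the same document already does this for `reset.php` and `installer.php`, extend it to every category (file and line, or at least the file) or note that the full report was exported from the workbench so the counts can be reproduced. For the `weak encryption: 5 -- all about using php's crypt(...)` entries it would also help to record which salt format the calls pass, because PHP's `crypt()` selects its algorithm from the salt prefix and the severity of the finding depends on that. Two smaller points: step (2) ends in the fragment `using the license file.` with no verb (say where the installer expects it, or drop the clause), and the file is added without a trailing newline (`\ No newline at end of file`), which will show up as noise in the next diff that touches it.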