[ssproject1617.git] / hpe_fortify_workflow.txt

Installing and using the HPE Fortify tools (under Linux):

(1) Mount (or open) the ISO file.
(2) In its `Linux` folder, run the `HP_Fortify_SCA_and_Apps_16.10_linux_x64.run` file to install,
    using the license file.
(3) In the install folder (`~/HP_Fortify` by default) you get the folder `HP_Fortify_SCA_and_Apps_16.10`,
    which contains a `bin` folder holding the `sourceanalyzer` and `auditworkbench` executables.
    The first does the static analysis; the second is used to view the results.
However, I've just opened the workbench and run the static analysis from there
(`Start new Project` > `Advanced Scan`, all defaults except `J2EE webapp?` = NO).
This gives 58 criticals and 9 highs (in Quick View):
critical:
  xss: 50 -- lots of it.
  password management: 1 -- populating the password field in `reset.php` with the previous entry (on error)
  privacy violation: 1 -- `installer.php` prints results, including errors and warnings
  sql injection: 6 -- SQL injection in `installer.php`
high:
  cookie security: 1 -- not HttpOnly
  password management: 1 -- n/a
  privacy violation: 2 -- (HTML input autocompletion)
  weak encryption: 5 -- all about using PHP's `crypt(...)` function
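As an added illustration (not part of these notes and not the project's own code), hypothetical PHP fragments showing the kind of pattern each flagged category refers to, next to the usual fix; the function names, the `users` table and the `'ab'` salt are placeholders.

```php
<?php
// Added example: hypothetical fragments for the finding categories reported
// above (XSS, SQL injection, cookie without HttpOnly, crypt()-based password
// storage). Not the project's code; all names are placeholders.

// 1. XSS: echoing request data raw vs. escaping it for the HTML context.
function render_name_unsafe(string $name): string {
    return "<p>Hello " . $name . "</p>";               // what the scanner flags
}
function render_name(string $name): string {
    return "<p>Hello " . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8') . "</p>";
}

// 2. SQL injection: string-built query vs. a prepared statement (PDO).
function find_user_unsafe(PDO $db, string $login) {
    return $db->query("SELECT id FROM users WHERE login = '$login'")->fetch();
}
function find_user(PDO $db, string $login) {
    $st = $db->prepare('SELECT id FROM users WHERE login = :login');
    $st->execute([':login' => $login]);
    return $st->fetch(PDO::FETCH_ASSOC);
}

// 3. Cookie security: session cookie with default flags vs. HttpOnly + Secure
//    (array form of session_set_cookie_params needs PHP 7.3 or later).
function start_session_unsafe(): void {
    session_start();                                   // default cookie flags
}
function start_session(): void {
    session_set_cookie_params([
        'httponly' => true, 'secure' => true, 'samesite' => 'Lax',
    ]);
    session_start();
}

// 4. Weak encryption: crypt() with a caller-chosen salt vs. password_hash(),
//    which selects the algorithm, a random salt and a cost factor itself.
function hash_password_unsafe(string $pw): string {
    return crypt($pw, 'ab');                           // placeholder 2-char salt
}
function hash_password(string $pw): string {
    return password_hash($pw, PASSWORD_DEFAULT);
}
function check_password(string $pw, string $stored): bool {
    return password_verify($pw, $stored);
}
```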