workflow for getting HPR Fortify to work, and the results it gives on analysis with...
author: Kelley van Evert <hello@kelleyvanevert.nl>
Tue, 8 Nov 2016 18:34:06 +0000 (19:34 +0100)
committer: Kelley van Evert <hello@kelleyvanevert.nl>
Tue, 8 Nov 2016 18:34:06 +0000 (19:34 +0100)
hpe_fortify_workflow.txt [new file with mode: 0644]

diff --git a/hpe_fortify_workflow.txt b/hpe_fortify_workflow.txt
new file mode 100644 (file)
index 0000000..b95e422
--- /dev/null
@@ -0,0 +1,23 @@
+
+
+Installing and using the HPE stuff (under linux):
+
+(1) Mount (or open) the ISO file.
+(2) in its folder `Linux`, run the `HP_Fortify_SCA_and_Apps_16.10_linux_x64.run` file for installation.
+     using the license file.
+(3) In the install folder (`~/HP_Fortify` by default) you get the folder `HP_Fortify_SCA_and_Apps_16.10`,
+     in which there is a `bin` folder, in which there are the `sourceanalyzer` and `auditworkbench` executables.
+    The first is used to do the static analysis, the second to view the results.
+    However, I've just opened the workbench and run the static analysis from there
+     (`Start new Project` > `Advanced Scan`, all defaults except `J2EE webapp?` = NO)
+    This gives 58 criticals and 9 highs (in Quick View):
+      critical:
+        xss:                  50  --  lots of it.
+        password management:   1  --  populating the password field in `reset.php`, with previous entry (on error)
+        privacy violation:     1  --  installer.php prints results, including errors and warnings
+        sql injection:         6  --  sql injection in installer.php
+      high:
+        cookie security:       1  --  not HttpOnly
+        password management:   1  --  n/a
+        privacy violation:     2  --  (html input autocompletion)
+        weak encryption:       5  --  all about using php's `crypt(...)` function
\ No newline at end of file
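Review bot: Step (2) ends in the dangling fragment `using the license file.` without saying where the installer expects the license file or at which prompt it is supplied, so the step is not reproducible as written; complete the sentence. In the results list, `password management:   1  --  n/a` under `high` records neither what the finding is nor why it was set aside; a short reason (or an explicit "false positive" mark) belongs there so the next person does not have to re-audit it, and since the scan was run from the workbench GUI rather than `sourceanalyzer`, noting that the numbers come from the GUI's default rulepacks would help anyone trying to reproduce the 58/9 counts from the command line. Minor: the file has no trailing newline.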