--- /dev/null
+
+
+Installing and using the HPE stuff (under linux):
+
+(1) Mount (or open) the ISO file.
+(2) in its folder `Linux`, run the `HP_Fortify_SCA_and_Apps_16.10_linux_x64.run` file for installation.
+ using the license file.
+(3) In the install folder (`~/HP_Fortify` by default) you get the folder `HP_Fortify_SCA_and_Apps_16.10`,
+ in which there is a `bin` folder, in which there are the `sourceanalyzer` and `auditworkbench` executables.
+ The first is used to do the static analysis, the second to view the results.
+ However, I've just opened the workbench and run the static analysis from there
+ (`Start new Project` > `Advanced Scan`, all defaults except `J2EE webapp?` = NO)
+ This gives 58 criticals and 9 highs (in Quick View):
+ critical:
+ xss: 50 -- lots of it.
+ password management: 1 -- populating the password field in `reset.php`, with previous entry (on error)
+ privacy violation: 1 -- installer.php prints results, including errors and warnings
+ sql injection: 6 -- sql injection in installer.php
+ high:
+ cookie security: 1 -- not HttpOnly
+ password management: 1 -- n/a
+ privacy violation: 2 -- (html input autocompletion)
+ weak encryption: 5 -- all about using php's `crypt(...)` function
\ No newline at end of file
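Review bot: step (2) ends in the dangling fragment "using the license file." without saying where the license file is expected or how the installer is pointed at it; either complete the sentence or drop it. The results section also never names the project that was scanned (only `reset.php` and `installer.php` are mentioned), so a reader cannot tell which checkout or version the 58 criticals and 9 highs refer to; add the project and revision above the counts. The entry `password management: 1 -- n/a` under "high" is not actionable as written; state what the finding is, or mark it explicitly as a false positive if that is what "n/a" means. For `weak encryption: 5 -- all about using php's crypt(...)`, the note would be more useful if it recorded which hash prefix the code passes to `crypt()`, since the tool's rating and the real severity depend on whether a legacy scheme or a modern one (e.g. bcrypt `$2y$`) is in use. Finally, the file has no trailing newline (`\ No newline at end of file`); add one.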