Fortify Guide
1 Install
1.1 Download
You can download it from https://www.fortify.com/ or other sources.
Note: this is commercial software and requires a license.
1.2 Install
Run the exe and install it step by step (Next, Next, ..., OK). Afterwards you can see the result below; run Audit Workbench.

2 Configuration
2.1 Get rules
There are no rulepacks right after installation, so you need to fetch the rules. Do it like this:
Menu: Options -> Options -> Server Configuration, and set the Rulepack Update Configuration: Proxy Server (if your network needs a proxy).

Then click Rulepack Management, click Update Rulepacks to fetch the rules, and then click OK.

3 Scan Project
3.1 Step 1
You can do a quick scan by clicking Scan Java Project, but I prefer to use the Advanced Scan, because you can choose exactly what you need yourself.

3.2 Step 2
Click Advanced Scan, choose the project source code in the popup window, then click OK.

3.3 Step 3
Add the jars the project depends on, so that the code can be resolved and scanned. Then click OK.

3.4 Step 4
Choose the JDK version that matches the project. Then click the Next> button.

3.5 Step 5
Click the Configure Rulepacks... button, select the rules and click OK. Then click the Next> button.

3.6 Step 6
Set these values for the scan, then click the Run Scan button and wait (this can take hours on a large project).

4 Get Result
After the scan finishes, you will see something like this:

Get the report by clicking the Reports button.
Note: whatever issues the scan result contains, developers still need to verify whether they are real issues; static analysis findings include false positives, so each one should be confirmed in the context of the code before it is treated as a vulnerability.
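The steps in sections 2 to 4 can also be run from the command line, which is what you want for a build server. The script below is an added example, not part of the original post and not a script shipped by Fortify: it drives the same tools that Audit Workbench uses (fortifyupdate for the rulepacks, sourceanalyzer for translation and scan, ReportGenerator for the PDF report). The build id "myproject", the "src" and "lib" directories, the JDK level 1.8, the 4G heap, the output file names and the FORTIFY_PROXY_HOST/FORTIFY_PROXY_PORT variables are all assumptions for this example; the fortifyupdate proxy flags should be checked against the help output of the version you installed. By default the script only prints the commands it would run (DRY_RUN=1); run it with DRY_RUN=0 to execute them.

```shell
#!/bin/sh
# Added example: command-line equivalent of the Audit Workbench workflow
# (update rulepacks, translate, scan, report). Everything below that names
# a path, build id, JDK level or memory size is an assumption for the
# example; adjust to your project. Usage:
#   sh fortify_scan.sh              # print the plan (DRY_RUN=1, default)
#   DRY_RUN=0 sh fortify_scan.sh    # actually run the Fortify tools

BUILD_ID="${BUILD_ID:-myproject}"   # assumed sourceanalyzer build id
SRC_DIR="${SRC_DIR:-src}"           # assumed Java source root (Step 2)
LIB_DIR="${LIB_DIR:-lib}"           # assumed directory of dependency jars (Step 3)
JAVA_LEVEL="${JAVA_LEVEL:-1.8}"     # assumed JDK level of the project (Step 4)
HEAP="${HEAP:-4G}"                  # assumed memory for translation and scan
OUT_FPR="${OUT_FPR:-results.fpr}"   # scan result file (Section 4)
OUT_PDF="${OUT_PDF:-report.pdf}"    # report file (Section 4)
DRY_RUN="${DRY_RUN:-1}"

# run: execute a command, or print it on one line when DRY_RUN=1
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Section 2.1: fetch or update the rulepacks. The proxy flags are used only
# when FORTIFY_PROXY_HOST is set (flag names are an assumption; verify with
# `fortifyupdate -help` for your version).
update_rulepacks() {
    if [ -n "$FORTIFY_PROXY_HOST" ]; then
        run fortifyupdate -proxyhost "$FORTIFY_PROXY_HOST" \
            -proxyport "${FORTIFY_PROXY_PORT:-8080}"
    else
        run fortifyupdate
    fi
}

# Steps 2-4: clear any old translation for this build id, then translate the
# Java sources with the project's jars on the classpath and the right JDK
# level. The "**" pattern is passed quoted so sourceanalyzer expands it.
translate_project() {
    run sourceanalyzer -b "$BUILD_ID" -clean
    run sourceanalyzer -b "$BUILD_ID" -Xmx"$HEAP" \
        -source "$JAVA_LEVEL" -cp "$LIB_DIR/*" "$SRC_DIR/**/*.java"
}

# Steps 5-6: run the analysis with the installed rulepacks and write an FPR.
scan_project() {
    run sourceanalyzer -b "$BUILD_ID" -Xmx"$HEAP" -scan -f "$OUT_FPR"
}

# Section 4: turn the FPR into a PDF report (the same report Audit Workbench
# produces from the Reports button).
make_report() {
    run ReportGenerator -format pdf -f "$OUT_PDF" -source "$OUT_FPR"
}

# Whole pipeline; stops at the first failing step.
full_pipeline() {
    update_rulepacks && translate_project && scan_project && make_report
}

full_pipeline
```

The FPR written by the scan is the file you open in Audit Workbench to triage findings; generating it on a build server and auditing it locally keeps the "verify whether they are real issues" step in the hands of the developers while the scan itself is automated.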
5 Resources
This document describes in detail the installation steps, configuration, project scanning workflow and how to obtain the scan results for the Fortify software. Fortify is a commercial tool for detecting security vulnerabilities in applications; with this guide, readers can learn how to use the tool effectively for code security analysis.
