强化扫描第三方dll
[英]Fortify to scan 3rd party dll's
问题描述
Is there any way to get Fortify to scan 3rd party dll's? 
有什么办法让Fortify扫描第三方dll?
I am translating .NET projects on the command line which have been prebuilt in debug mode. 我在命令行上翻译.NET项目,这些项目已在调试模式下预先构建。
The command I am using is: 我正在使用的命令是:
sourceanalyzer -b mybuild -vsversion 14.0 -libdirs [project-root]/**/*.dll
I note in the user guide of older versions, it specified that pdb's were not needed for 3rd party dll's but in newer versions, its states that 3rd party pdb's are required for 3rd party dll's 我注意到在较旧版本的用户指南中,它指定了第三方dll不需要pdb,但在较新版本中,它指出第三方dll需要第三方pdb。
Without scanning 3rd party dll's how useful would data flow and control flow analysis be? 如果不扫描第三方dll,数据流和控制流分析的有用性如何?
1 个解决方案
解决方案1
1 已采纳 2016-09-29 14:46:47
You still want to specify the 3rd party dll's, those get specified in the -libdirs option. 您仍然要指定第3方dll,这些是在-libdirs选项中指定的。
The command you specified looks like it is missing the section were you specify the files to actually scan. 您指定的命令似乎缺少您指定要实际扫描的文件的部分。
When I scan .dlls here is my translate command: 当我扫描.dll时,这是我的转换命令:
sourceanalyzer -b test -Xmx8G -vsversion 14.0
@excludelist.txt
-Dcom.fortify.sca.SourceFiles=WebGoat.NET\WebGoat
-libdirs WebGoat.NET\WebGoat\bin WebGoat.NET\**/*.dll
WebGoat.NET/**/*
There are several things going on 有几件事发生
The @excludelist.txt contains a list of commands to exclude 3rd party dll's from being audited (but they are still scanned for data/control flow with the rest of the program). @excludelist.txt包含一个命令列表,这些命令可以排除对第三方dll的审核(但仍然会与程序的其余部分一起扫描它们的数据/控制流)。 Here is the contents of that file: 这是该文件的内容:
-exclude WebGoat.NET\WebGoat\bin\EnvDTE.dll
-exclude WebGoat.NET\WebGoat\bin\EnvDTE80.dll
-exclude WebGoat.NET\WebGoat\bin\log4net.dll
-exclude WebGoat.NET\WebGoat\bin\Microsoft.VisualStudio.OLE.Interop.dll
-exclude WebGoat.NET\WebGoat\bin\Microsoft.VisualStudio.Shell.Interop.8.0.dll
-exclude WebGoat.NET\WebGoat\bin\Microsoft.VisualStudio.Shell.Interop.dll
-exclude WebGoat.NET\WebGoat\bin\Microsoft.VisualStudio.TextManager.Interop.8.0.dll
-exclude WebGoat.NET\WebGoat\bin\Microsoft.VisualStudio.TextManager.Interop.dll
-exclude WebGoat.NET\WebGoat\bin\Microsoft.VisualStudio.VSHelp.dll
-exclude WebGoat.NET\WebGoat\bin\mysql.data.dll
-exclude WebGoat.NET\WebGoat\bin\mysql.data.entity.dll
-exclude WebGoat.NET\WebGoat\bin\mysql.visualstudio.dll
-exclude WebGoat.NET\WebGoat\bin\mysql.web.dll
-exclude WebGoat.NET\WebGoat\bin\stdole.dll
-exclude WebGoat.NET\WebGoat\bin\System.Data.SQLite.dll
-exclude WebGoat.NET\WebGoat\lib\log4net.dll
-exclude WebGoat.NET\WebGoat\lib\mysql.data.cf.dll
-exclude WebGoat.NET\WebGoat\lib\mysql.data.dll
-exclude WebGoat.NET\WebGoat\lib\mysql.data.entity.dll
-exclude WebGoat.NET\WebGoat\lib\mysql.visualstudio.dll
-exclude WebGoat.NET\WebGoat\lib\mysql.web.dll
-exclude WebGoat.NET\WebGoat\lib\System.Data.SQLite.dll
Here is the contents of the bin folder: 这是bin文件夹的内容:
DotNetGoat.dll
DotNetGoat.dll.config
DotNetGoat.pdb
EnvDTE.dll
EnvDTE.xml
EnvDTE80.dll
EnvDTE80.xml
log4net.dll
log4net.xml
Microsoft.VisualStudio.OLE.Interop.dll
Microsoft.VisualStudio.OLE.Interop.xml
Microsoft.VisualStudio.Shell.Interop.8.0.dll
Microsoft.VisualStudio.Shell.Interop.8.0.xml
Microsoft.VisualStudio.Shell.Interop.dll
Microsoft.VisualStudio.Shell.Interop.xml
Microsoft.VisualStudio.TextManager.Interop.8.0.dll
Microsoft.VisualStudio.TextManager.Interop.8.0.xml
Microsoft.VisualStudio.TextManager.Interop.dll
Microsoft.VisualStudio.TextManager.Interop.xml
Microsoft.VisualStudio.VSHelp.dll
mysql.data.dll
mysql.data.entity.dll
mysql.visualstudio.dll
mysql.web.dll
stdole.dll
System.Data.SQLite.dll
System.Data.SQLite.xml
I excluded all the 3rd party dll's, in this case all but the DotNetGoat.dll 我排除了所有第三方dll,在这种情况下,除了DotNetGoat.dll
2) The -Dcom.fortify.sca.SourceFiles=WebGoat.NET\\WebGoat is specifing where the source code is located. 2) -Dcom.fortify.sca.SourceFiles=WebGoat.NET\\WebGoat指定源代码的位置。
I hope this helps. 我希望这有帮助。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.