At GDS, we frequently encounter organizations with mature Secure Development Lifecycle (SDL) processes that have integrated HP Fortify to perform static code analysis. As discussed in our previous posting, GDS often assists organizations by developing custom security checks for security issues or insecure patterns identified during manual security code review. However, there are languages that Fortify does not directly support, making it difficult to integrate code written in those languages into an organization's existing analysis framework.
Scala is an example of a language that is not supported by Fortify and therefore other static analysis tools must be used to perform security checks. In a previous blog post, we discussed how the Findbugs static analysis tool can be used to perform static analysis of Scala application bytecode. How can the Findbugs scan results be incorporated into an organization’s existing HP Fortify SSC server to manage the identified vulnerabilities? We have written a lightweight Java tool that can be used to convert a Findbugs XML report into a Fortify FPR file. This will allow the Findbugs results to be submitted to the SSC server as if scanned by HP Fortify SCA.
A Fortify FPR file is a compressed archive with a well-defined internal directory structure, as shown below:
The result of the SCA analysis is stored in the audit.fvdl file in an XML format. The tool we have developed takes a Findbugs XML report and transforms it into an FPR file.
The Findbugs XML is first merged with a messages.xml file that contains the finding descriptions and recommendations, covering both the findings bundled with Findbugs and the GDS-developed Scala ones. It is also possible to supply a custom messages.xml as input, which is particularly useful for adding write-ups for your own custom Findbugs rules.
The merged file is then transformed to the FVDL data structure through an XSL Transformation.
The XSLT processor takes the XML source document, plus an XSLT stylesheet, and processes them to produce an output document.
This audit.fvdl file is then added to a pre-packaged zip archive with the other required files.
In doing so, the transformation is completely decoupled from the code: it depends only on the XSLT stylesheet in use, which can be modified without recompiling the tool.
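The three steps above (merge with messages.xml, transform to an FVDL document, pack as audit.fvdl inside a zip archive) can be illustrated with the following added Python script, which is not the convert2FPR code and performs the transformation in code rather than through an XSLT stylesheet. The Findbugs report and messages.xml snippet are constructed inputs with made-up rule names, and the element names inside the generated FVDL are assumed stand-ins, not the real Fortify schema:

```python
import io
import xml.etree.ElementTree as ET
import zipfile

# Constructed sample inputs; the rule names are made-up placeholders.
FINDBUGS_XML = """<BugCollection>
  <BugInstance type="SCALA_SQL_INJECTION" priority="1"><SourceLine start="42" sourcefile="UserDao.scala"/></BugInstance>
  <BugInstance type="CUSTOM_RULE_NO_WRITEUP" priority="2"><SourceLine start="7" sourcefile="Login.scala"/></BugInstance>
</BugCollection>"""
MESSAGES_XML = """<MessageCollection>
  <BugPattern type="SCALA_SQL_INJECTION">
    <ShortDescription>SQL query built from untrusted input</ShortDescription>
    <Details>Use parameterised queries instead of string concatenation.</Details>
  </BugPattern>
</MessageCollection>"""

def load_messages(messages_xml):
    # Map bug-pattern type -> (short description, details)
    return {p.get("type"): (p.findtext("ShortDescription", ""), p.findtext("Details", ""))
            for p in ET.fromstring(messages_xml).iter("BugPattern")}

def merge_findings(findbugs_xml, messages_xml):
    """Join each BugInstance with its write-up; types without one get a stub."""
    msgs = load_messages(messages_xml)
    findings = []
    for bug in ET.fromstring(findbugs_xml).iter("BugInstance"):
        kind, loc = bug.get("type"), bug.find("SourceLine")
        short, details = msgs.get(kind, (kind, "No write-up in messages.xml"))
        findings.append({"type": kind, "priority": int(bug.get("priority")),
                         "short": short, "details": details,
                         "file": loc.get("sourcefile"), "line": int(loc.get("start"))})
    return findings

def build_fpr(findings):
    """Simplified FVDL-like XML (assumed stand-in for the real schema), zipped as audit.fvdl."""
    root = ET.Element("FVDL")
    for f in findings:
        v = ET.SubElement(root, "Vulnerability", type=f["type"], priority=str(f["priority"]))
        ET.SubElement(v, "Abstract").text = f["short"]
        ET.SubElement(v, "Explanation").text = f["details"]
        ET.SubElement(v, "Location", path=f["file"], line=str(f["line"]))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("audit.fvdl", ET.tostring(root, encoding="unicode"))
    return buf.getvalue()

def read_audit_fvdl(fpr_bytes):
    # Pull audit.fvdl back out of the archive to check what was written
    with zipfile.ZipFile(io.BytesIO(fpr_bytes)) as z:
        return z.read("audit.fvdl").decode()
```

A finding whose type has no entry in messages.xml is kept with a stub write-up rather than dropped, so a custom rule without a description still reaches the report.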
The application is packaged in a single runnable jar and can be used as follows:
$ java -jar convert2FPR.jar findbugs report.xml
To supply a custom messages.xml file, usage is as follows:
$ java -jar convert2FPR.jar findbugs messages.xml report.xml
The output file is ./report.fpr in both cases.
The first parameter (findbugs) represents the input format and maps to the corresponding XSL stylesheet (see the Java example below):
In order to extend the tool to support further input formats, only a new XSL file and one additional line in the code above are required for each added XSL stylesheet.
The source code and compiled tool can be found in our GitHub repository below: