3. Ensuring a Working Build Environment

To make it easy to integrate the Source Code Analysis Engine into your environment, the SCA Engine uses the same conventions as the tools you use to compile and build the application. The purpose of this exercise is to ensure that you are comfortable within your existing build environment before you attempt to integrate source analysis.

For analyzing C and C++ programs, ensure that there is a compiler supported by Fortify Software installed on your computer. (See the README.txt on the CD for a list of supported compilers.) This exercise assumes that you are using gcc to compile C and C++. If you are using Windows and have not yet installed a supported compiler (such as Microsoft cl), you can install gcc as part of Cygwin <http://www.cygwin.com/>. Depending on how you typically build your project, it is likely that you will also need a build tool, such as make or ant, installed on your computer.

Typical compilers and linkers search for and resolve certain symbols when building a working program. The SCA Engine is similar to a "security compiler" that operates on the source code base. As such, the SCA Engine functions optimally when it can resolve all of the symbols found in the program. The more code you analyze, the more comprehensive the results will be. C, C++, and .NET projects must compile completely in order for the SCA Engine to analyze them successfully. However, the architecture of the SCA Engine does make it capable of analyzing individual or incomplete Java files if you choose to do so, albeit at the cost of reduced accuracy due to the unresolved symbols.
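
The following pre-flight check is an added example, not part of the original exercise or of Fortify's tooling. It confirms that the compiler and build tool are on the PATH and lists every source file the compiler rejects, since C and C++ code that does not compile cannot be analyzed. The function names and the use of gcc's -fsyntax-only option as a quick compile probe are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-flight check to run before integrating source analysis.
# Assumptions: the function names and the -fsyntax-only probe are choices
# made for this example, not taken from the original page.

# require_tools TOOL...
# Prints "missing: TOOL" for each tool not found; returns 1 if any is missing.
require_tools() {
    missing=0
    for tool in "$@"; do
        if ! command -v "$tool" >/dev/null 2>&1; then
            echo "missing: $tool"
            missing=1
        fi
    done
    return "$missing"
}

# failing_units CC FILE...
# Prints each source file that CC rejects; returns 1 if any file fails.
failing_units() {
    cc=$1; shift
    rc=0
    for src in "$@"; do
        if ! "$cc" -fsyntax-only "$src" >/dev/null 2>&1; then
            echo "$src"
            rc=1
        fi
    done
    return "$rc"
}

# preflight CC BUILD_TOOL FILE...
# Returns 2 if a tool is missing, 3 if any file fails to compile, 0 otherwise.
preflight() {
    cc=$1; build=$2; shift 2
    require_tools "$cc" "$build" || return 2
    failing_units "$cc" "$@" || return 3
    echo "build environment OK"
}

# Typical call for the setup this exercise assumes:
#   preflight gcc make src/*.c
```

A file can pass this per-file probe and still fail a full build (for example at link time), so run the project's normal build as well.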