Section 6. Understanding Raw Analysis Results


This exercise describes the Source Code Analysis Engine output. You will examine the different output formats and contents generated by the various analyzers.

The SCA Engine produces two primary output formats: text and FVDL. The text format is human-readable and is designed for quick scans and easy verification of results. FVDL is an XML format that is consumed by Audit Workbench and other tools.

  • The Java source file for this lesson is:

    Tutorial/understand_results/StringSearch.java

  • The expected output from the SCA Engine is located in:

    Install_Directory/Tutorial/understand_results/Answers

    1. Examine the text output format. Run the SCA Engine on StringSearch.java as follows:

      sourceanalyzer StringSearch.java

      The output shows three issues.

      Issue 1

      [C9FE6AF8A29314E2DC22F0E9191802F8 : low : Unchecked Return Value : semantic ]
          StringSearch.java(18) : FileInputStream.read(0)

      Issue 2

      [2AE729678F97328125F563C53BEB1524 : medium : Resource Injection : data flow ]
          StringSearch.java(16) :  -> new FileInputStream(0)
          StringSearch.java(14) : <=> (searchIn)
          StringSearch.java(6)  :  -> StringSearch.main(0)

      Issue 3

      [3A8FE7972DB6C28956AC54DF8E63424D : medium : Unreleased Resource : control flow ]
          StringSearch.java(16) : start -> loaded : fos.new FileInputStream(...)
          StringSearch.java(21) : loaded -> end_of_scope : #end_scope(fos)

      The first line of the text output is the common root directory of all the files that have reported vulnerabilities, such as:

      [/opt/FortifySoftware/SCAS3.1-EE/Tutorial/understand_results]

      The first line of each issue has the following format:

      [Instance ID : severity : category : analyzer ]

      For example, Issue 1 reports that on line 18 in the StringSearch.java file, the return value of FileInputStream.read() is not checked. The issue details also indicate that this was detected by the Semantic Analyzer and that, by default, it was assigned the severity low.

      If the SCA Engine has more information about a particular issue, it includes the information on subsequent lines.

      For example, Issue 2 reports that line 16 in StringSearch.java contains a potential resource injection vulnerability that could allow an attacker to control a resource used by the application. The subsequent lines of output show that the value, potentially controlled by an attacker, enters the program at line 6 as the first argument to StringSearch.main(). This issue is identified by the Data Flow Analyzer and assigned a medium risk.

      Values that cause data flow issues can pass through several hops between where they enter the program and the point at which the program uses the data as part of a sensitive operation.

      The Control Flow Analyzer can also provide additional information about an issue. Issue 3 reports that the resource created on line 16 was not properly released before it went out of scope. In other words, the code fails to call close() on the resource.

    2. Rerun the analysis engine, this time producing FVDL output. Use the -format option to create the FVDL and the -f option to send the output to an XML results file, as follows:

      sourceanalyzer -format fvdl -f results.fvdl StringSearch.java

    3. Open and inspect results.fvdl in a text editor. Note that it contains all of the information found in the text output, plus the following information in the preamble:

      • Date and time of the analysis.

      • Number of lines of code analyzed.

      Note also that the first issue corresponds to the first issue in the text output. It has the same information regarding location and category, plus it shows the unique identifier for the vulnerability class. The vulnerability class identifier references a description of the vulnerability class, located at the end of the FVDL file. The unique instance ID unambiguously refers to this vulnerability.
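To see how the text format described in step 1 can be consumed programmatically, here is an added example (not part of the tutorial or of the SCA Engine) that parses the issue header and the per-hop trace lines into records. The sample output is constructed from the three issues above, and the regular expressions assume the spacing shown there.

```python
import re
from dataclasses import dataclass, field

# Constructed sample reproducing the tutorial's three issues, one trace step
# per line, preceded by the root-directory line the SCA Engine prints first.
SAMPLE_OUTPUT = """\
[/opt/FortifySoftware/SCAS3.1-EE/Tutorial/understand_results]
[C9FE6AF8A29314E2DC22F0E9191802F8 : low : Unchecked Return Value : semantic ]
    StringSearch.java(18) : FileInputStream.read(0)
[2AE729678F97328125F563C53BEB1524 : medium : Resource Injection : data flow ]
    StringSearch.java(16) :  -> new FileInputStream(0)
    StringSearch.java(14) : <=> (searchIn)
    StringSearch.java(6)  :  -> StringSearch.main(0)
[3A8FE7972DB6C28956AC54DF8E63424D : medium : Unreleased Resource : control flow ]
    StringSearch.java(16) : start -> loaded : fos.new FileInputStream(...)
    StringSearch.java(21) : loaded -> end_of_scope : #end_scope(fos)
"""

# "[Instance ID : severity : category : analyzer ]" and "    file(line) : detail"
HEADER = re.compile(r"^\[([0-9A-F]{32}) : (\w+) : (.+?) : ([\w ]+?) \]$")
TRACE = re.compile(r"^\s+(\S+?)\((\d+)\)\s*:\s*(.*)$")

@dataclass
class Issue:
    instance_id: str
    severity: str
    category: str
    analyzer: str
    trace: list = field(default_factory=list)  # (file, line, detail); first = reported location

def parse_sca_text(text):
    """Return (root_dir, [Issue]) from SCA Engine text-format output."""
    root, issues = None, []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if m := HEADER.match(raw):
            issues.append(Issue(*m.groups()))
        elif (t := TRACE.match(raw)) and issues:
            issues[-1].trace.append((t.group(1), int(t.group(2)), t.group(3)))
        elif root is None and raw.startswith("[") and raw.endswith("]"):
            root = raw[1:-1]  # common root directory of all reported files
        else:
            raise ValueError(f"unrecognised line: {raw!r}")
    return root, issues
```

For a data flow issue the last trace entry is where attacker-controlled data enters the program, so a triage script can group findings by entry point rather than by sink.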

Exercises for the Reader

Beginner

  1. How many of the Fortify vulnerability categories can you describe in detail?

Advanced

  1. Write a piece of code containing an issue that is identified by each of the different analyzers.

  2. Give an example in which a single issue will be found more than once.

  3. Give an example in which a single issue will be found by more than one analyzer.

  4. What is the cost of being wrong about an issue (that is, calling a finding a vulnerability when it is not, and calling a finding benign when it is a vulnerability)?




Software Security: Building Security In
ISBN: 0321356705
Year: 2004
Pages: 154
Authors: Gary McGraw
