Start Audit Workbench
1. For Windows: From the Start menu, navigate to Start > All Programs > Fortify Software > Fortify SCA Suite > Audit Workbench. For other operating systems: From a terminal or command prompt, run auditworkbench.
2. You will see the Audit Workbench splash screen (see Figure 14.15).
14 Source Code Analysis Exercises for C
Figure 14.15 Fortify Audit Workbench splash screen
3. The splash screen is followed by a dialog box prompting you to select an audit project to open (see Figure 14.16).
Figure 14.16 Selecting an audit project to open
Load the Audit Project You Created in Exercise 14.5
1. Select the following file and click Open: <install_dir>/Tutorial/c/source/qwik-smtpd/qwik-smtpd.fpr
2. Click Continue to AuditGuide >>.
Exercise 14.6 Use AuditGuide to Filter Quality-Related Issues
1. Select Code Quality Issues on the left of the AuditGuide (see Figure 14.17).
Figure 14.17 Suppressing code quality issues in the AuditGuide
2. Select the Suppress Code Quality Issues radio button.
3. Click OK to suppress code quality issues, and click OK again to confirm your choice.
4. Select Show Suppressed Items from the Options menu to see which results were suppressed. Figure 14.18 shows the results.
Figure 14.18 An overview of the issues in the current project shown in the Navigator
Apply a Different Rulepack Security Level
1. Select Manage Rulepacks from the Tools menu.
2. Select the Medium security level (see Figure 14.19) and click Apply.
Figure 14.19 Customizing the rulepack security level to Medium
Notice that a large number of issues have disappeared. Security levels let you simulate the results of running an analysis with only a subset of the rules, producing results that strike a balance between reporting every possible issue and reporting only the most serious issues that can be detected with the highest level of accuracy. If you are continuing on to the next exercise, leave Audit Workbench open.
Going Further
Select AuditGuide from the Tools menu and experiment with the options it offers. Study which issues (if any) are suppressed for each setting.
Select Manage Rulepacks from the Tools menu. Select the Fortify Secure Coding Rules, Core, C/C++ rulepack from the rulepack drop-down and click Customize. Select a new set of rules to include in the rulepack and click Apply. Click Apply on the Rulepack Management window. Study the effects of your decisions on the issues Audit Workbench displays.
Exercise 14.7 Auditing One Issue
This exercise continues where the previous exercise left off and explains the process of auditing an issue, highlighting various features in Audit Workbench that are essential to completing an audit. To audit most effectively, you need to understand exactly what Fortify SCA is reporting and how the code that contains the issue behaves. Just as with a manual audit, an auditor using a static analysis tool needs to know the right questions to ask to make the best possible use of the results. You should have already completed Exercise 14.6 and should have the qwik-smtpd analysis results open in Audit Workbench.
Gather High-Level Issue Information in the Navigator Panel
1. The three priority lists, Hot, Warnings, and Info, display the number of issues detected at each priority level. Clicking one of the lists displays the issues with that priority in the Navigator tree. Select Hot and notice that the Hot list includes a set of Format String issues.
2. The way the items in the Navigator tree are organized is controlled by the option selected in the Group By pull-down menu. Items can be grouped by category (the default), filename, package, sink, source, or taint flag, or can be displayed in a flat structure without any grouping. Select Source from the Group By pull-down menu, and notice that two of the issues are the result of data entering the program through the function fgets().
3. The text field next to the Group By menu performs a search against the issues displayed in the Navigator tree, leaving visible only the issues that match the search. By clicking the magnifying glass icon, you can search any field (the default), the instance ID, or comments, or use an advanced query language. For more information about the query language Audit Workbench supports, see the Audit Workbench User's Guide. Enter the query string sprintf in the search field and press the Enter key. Because the Group By menu is still set to Source, the Navigator tree displays all the issues that involve sprintf(), organized by the source function for each issue.
4. Click the X next to the search field to clear the search and display all the issues again, and select Category under the Group By menu to return to the default view.
5. When expanded, the Navigator tree lists each issue in that category and displays the source file and line number where the issue occurs. We examine the Format String issues on the Hot list first. Click on the Hot list, and then click to expand the Format String category in the Navigator tree.
6. Expand the Format String issue in qwik-smtpd.c on line 434, and then select the subissue that involves getline(). Notice how the Analysis Trace and Summary panels are populated with information about the selected issue. Also notice that qwik-smtpd.c is opened in the source code panel with the argument where tainted data reach the function highlighted in blue. The ability to navigate easily through the nodes of an issue and to quickly review the corresponding source code makes understanding an issue much easier than traversing the code manually.
7. Right-click on the selected issue. Notice that from this menu you can move the issue to one of the other lists (Warnings or Info), suppress the issue, or automatically generate a bug report. When you finish auditing this issue, decide whether you think it belongs on the Hot list. If the issue turns out to be a legitimate format string vulnerability that appears in production code, it should remain on the Hot list.
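As an added example, not part of the exercise and not taken from the qwik-smtpd source, the following C program models the source-to-sink path that the Format String issue above asks you to audit: a line read with fgets() (the source) reaching a printf-family function as its format string (the sink), beside the hardened form that passes the same line as a "%s" argument. It also includes the by-hand check an auditor applies when deciding whether tainted data can reach the format parameter. All function names (format_into, log_client_line_vuln, log_client_line_safe, has_format_directive, strip_newline) are made up for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed example (not qwik-smtpd code): a minimal model of the
 * fgets() -> format-function path that the exercise audits. */

/* Thin wrapper around vsnprintf so the format can be supplied at run time.
 * This is the shape a vulnerable call site takes when the format string is
 * not a compile-time literal. */
static int format_into(char *out, size_t outlen, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Vulnerable: the client-supplied line itself becomes the format string.
 * Any conversion directive in it is interpreted by the format parser:
 * "%x" reads stack words, "%n" writes to memory. */
int log_client_line_vuln(char *out, size_t outlen, const char *line) {
    return format_into(out, outlen, line);
}

/* Hardened: the format is a literal and the client line is only data. */
int log_client_line_safe(char *out, size_t outlen, const char *line) {
    return format_into(out, outlen, "%s", line);
}

/* Audit helper: does the line contain a conversion directive that the
 * vulnerable sink would interpret? "%%" is a literal percent and is skipped. */
int has_format_directive(const char *line) {
    for (const char *p = line; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }
        return 1;
    }
    return 0;
}

/* Source side: fgets() keeps the trailing newline; remove it so the line
 * does not carry the newline into the log. */
void strip_newline(char *line) {
    size_t n = strlen(line);
    if (n && line[n - 1] == '\n') line[n - 1] = '\0';
}

int main(void) {
    char line[256], out[256];
    if (!fgets(line, sizeof line, stdin)) return 1;   /* the tainted source */
    strip_newline(line);
    if (has_format_directive(line))
        fprintf(stderr, "warning: client line contains a format directive\n");
    log_client_line_safe(out, sizeof out, line);      /* the hardened sink */
    puts(out);
    return 0;
}
```

Feed the program one line on stdin. The vulnerable variant is kept only to show what the Analysis Trace is telling you: with input "100%% done" it emits "100% done" because the format parser consumed the client's characters, while the hardened variant emits the input unchanged. When the sink in the code you are auditing looks like log_client_line_vuln and the argument comes from fgets() or getline(), the issue belongs on the Hot list.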