2

I'm trying to use Fortify sourceanalyser binary to scan an Android project. The problem is even if I set the classpath correctly, classes are not found...

Here is my command : 

sourceanalyzer -b MS.ANDROID -clean;
sourceanalyzer -b MS.ANDROID -exclude androidTest -exclude gradle -exclude maven-config -exclude test -cp "/home/devuser/android-sdk-linux/platforms/android-21/android.jar:/var/lib/jenkins/workspace/myproject/**/*.jar" -source 1.7 src

My output is : 

[warning]: The following references to java classes could not be resolved. Please make sure to supply all the required jar files that contain these classes to SCA.
    AddressException
    BasicClientCookieHC4
    CancellationTokenSource
    ConnectionConfig.Builder
    ContentType
    Continuation
    Crashlytics
    FileBody
    HttpClientBuilder
    Immutable
    InternetAddress
    MultipartEntityBuilder
    PoolingHttpClientConnectionManager
    Registry
    RequestConfig.Builder
    SSLConnectionSocketFactory
    StringBody
    SuppressFBWarnings
    Task
    Task.TaskCompletionSource

The android.jar is found because if I remove it I have more not found classes but all jars under the project are not found even if I give for each the full path...

If anyone have some tutorial for Fortify with Android (or included in gradle) it could be nice too.

Vadim Kotov
  • 8,084
  • 8
  • 48
  • 62
jaumard
  • 8,202
  • 3
  • 40
  • 63
  • Did you get this scan error even though your application compiled? – WaltHouser Apr 19 '16 at 19:21
  • My application compile successfully with gradle but sourceanalyser don't use gradle to compile the project, that's why I have this I think but can't find a solution... – jaumard Apr 21 '16 at 06:39
  • I ignored the classes not found warning. The report is getting generated anyway. Do you know of any issues of ignoring this warning? – garnet Nov 30 '17 at 14:15

2 Answers2

0

I'm making my comment in the form of an answer because of the formatting available. So, try this:

cd /var/lib/jenkins/workspace/myproject/
find . | grep Task.class
find . -name .jar | while read jar; do grep -r 'Task' "$jar" ; done

This should tell you where, in your specified jars, at least one of those classes lies. If you don't find it in a jar, you have not specified a sufficient classpath.

Douglas Held
  • 1,452
  • 11
  • 25
  • Any way to use sourceanalyser directly from gradle ? Because dependencies are manage by gradle so jars are not find, and I don't want to include all my jars manually just for sourceanalyser. I try to include jars from gradle download under the classpath but it didn't help – jaumard Apr 21 '16 at 06:51
  • I don't know the answer to this. – Douglas Held Apr 22 '16 at 09:34
0

Currently there are no Fortify Knowledge articles covering gradle. I would try putting the Maven plug-in into Gradle at the appropriate point. That way SCA should find the dependencies.

If the application compiles successfully yet SCA returns a scan error, the jar file(s) may be missing but the application may compile because the jars are included from another application like a Tomcat server (or in your case gradle). One can 1) bundle all dependent jars with the project or 2) incorporate SCA into your build scripts (maven or ant) or package (Jenkins or gradle).

If you package the jars with the application, you know exactly what functions you are including and you have better control of your attack surface. If you look to external services like Tomcat for dependencies, you have less assurance of the functionality that could be invoked, making the solution less robust and secure.

WaltHouser
  • 273
  • 1
  • 8
  • It's an Android application so dependencies are manage by gradle. And it's not a good practice to include jar directly under the project. – jaumard Apr 21 '16 at 06:47