in Fortify code scanner by

Translation of Java Code

Let's review the process of translating the Java code with Fortify.

  • The basic CLI command for translating Java code is
sourceanalyzer -b <build_id> -cp <classpath> <file_list>
  • SCA can translate Java code in two ways:
    • Build integration, by emulating the compiler (convenient when you already have a build).
    • Command-line scans, by accepting the source files directly.

Process of Java Code Translation

  • SCA emulating the compiler:
sourceanalyzer -b <build_id> javac [<translation_options>]
  • SCA accepting source code directly:
sourceanalyzer -b <build_id> -cp <classpath> [<translation_options>] <files> | <file_specifier>

Parameters of Command

  • <translation_options> : Parameters passed to the compiler.

  • -cp <classpath> : Class path for the Java source code.

    NOTE:

  • Class path: the path where the JRE searches for class files and resource files.

  • The list of paths is separated by either a colon (:) or a semicolon (;), depending on the platform.

  • If you do not specify a class path, Fortify uses the CLASSPATH environment variable instead.

Ambiguity Case

Consider the scenario where we want Fortify to analyze two JAR files that both contain a class file with the same name. Which class file does Fortify load?

Fortify Static Code Analyzer loads classes in the order in which the JAR files appear in the -cp classpath of the command.

An Example for Ambiguity case

  • Let's assume there are two JAR files, A.jar and B.jar, and both contain a class file myclass.class.

  • The command given:

sourceanalyzer -cp A.jar:B.jar myfile.java
  • Fortify loads myclass.class from A.jar, since A.jar appears in the class path before B.jar.
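A small checker for the ambiguity case above, written as an added example (it is not part of the original post and not a Fortify tool): it lists every class that appears in more than one JAR on a -cp string and reports which JAR SCA will load it from, i.e. the first one in -cp order. The two JARs it inspects are constructed in a temporary directory; the class-file contents are placeholders.

```python
"""Report classes duplicated across the JARs on a Fortify -cp classpath."""
import os
import tempfile
import zipfile


def split_classpath(classpath):
    """Split on the platform separator (':' on Unix, ';' on Windows)."""
    return [entry for entry in classpath.split(os.pathsep) if entry]


def find_duplicate_classes(classpath):
    """Return {class_name: [jar, ...]} for classes found in more than one JAR.

    Each list keeps -cp order, so element [0] is the JAR whose copy Fortify
    SCA resolves; later JARs carrying the same class are shadowed.
    """
    seen = {}
    for entry in split_classpath(classpath):
        if not entry.lower().endswith(".jar") or not os.path.isfile(entry):
            continue  # directories and missing entries are not inspected here
        with zipfile.ZipFile(entry) as jar:
            for name in jar.namelist():
                if name.endswith(".class"):
                    seen.setdefault(name, []).append(entry)
    return {cls: jars for cls, jars in seen.items() if len(jars) > 1}


def make_demo_jars(directory):
    """Constructed sample: A.jar and B.jar, both carrying myclass.class."""
    paths = []
    for jar_name in ("A.jar", "B.jar"):
        path = os.path.join(directory, jar_name)
        with zipfile.ZipFile(path, "w") as jar:
            # Only the class-file magic bytes; SCA is never invoked here.
            jar.writestr("myclass.class", b"\xca\xfe\xba\xbe")
            jar.writestr(jar_name[0] + "Only.class", b"\xca\xfe\xba\xbe")
        paths.append(path)
    return paths


def demo(reverse=False):
    """Build the sample JARs and map each duplicate to its JAR names in -cp order."""
    with tempfile.TemporaryDirectory() as tmp:
        jars = make_demo_jars(tmp)
        if reverse:
            jars = jars[::-1]  # B.jar:A.jar makes B.jar the winner instead
        dups = find_duplicate_classes(os.pathsep.join(jars))
        return {c: [os.path.basename(j) for j in js] for c, js in dups.items()}


if __name__ == "__main__":
    for cls, jars in demo().items():
        print(f"{cls}: in {jars}; SCA loads it from {jars[0]}")
```

Run it against a real classpath by passing your own -cp string to find_duplicate_classes; classes that come out shadowed are the ones to check before trusting the translation.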

Order of Loading JAR Files

Fortify SCA loads JAR files in the following order:

  • JARs given with the -cp option
  • jre/lib
  • <sca_install_dir>/Core/default_jars

Handling Resolution Warnings

Do you want to see the warnings that were generated during the Translation phase?

Here is the command!

sourceanalyzer -b <build_id> -show-build-warnings

A few examples of warnings generated during translation are:

  • Unable to resolve type
  • Unable to resolve function
  • Unable to resolve field
  • Unable to locate import
  • Unable to resolve symbol

FindBugs

  • A static analysis tool that detects quality issues in Java code.
  • Works on bytecode rather than source.

Some of the bugs include:

  1. Dead Local Store
  2. Object Model violations
  3. Bad Cast of Object References
  4. Unwritten fields

Needy Commands for You!

  • Translate a file named MyWorld.java with javajar.jar on the classpath:
sourceanalyzer -b MyWorld -cp lib/javajar.jar MyWorld.java
  • Translate all the .java files under the source directory of the project MyProject, with every JAR in lib on the classpath:
sourceanalyzer -b MyProject -cp "lib/*.jar" "src/**/*.java"
  • Translate and compile MyWorld.java with the Java compiler (build integration):
sourceanalyzer -b MyProject javac -classpath libs.jar MyWorld.java
