1. sai macherla
  2. PowerBuilder
  3. Monday, 4 November 2019 20:32 PM

Hello All,

We have our applications on Powerbuilder 2019. Due to third party requirement, we need to scan our code for vulnerabilities using any 'Source code Analysis tools' and generate report. I didn't find any tool for PB scripts.

Can anyone kindly suggest if there is any possible way to convert the code to C/C++/C# and run against the scanning tool. 

We are neither expecting the converted code to run nor have full functionality. But just want to run against the scanning tools and find out security flaws.

Thank you so much in advance.

Accepted Answer
Chris Pollach @Appeon Accepted Answer Pending Moderation
  1. Monday, 4 November 2019 21:10 PM
  2. PowerBuilder
  3. # Permalink
0
Votes
Undo

Hi Sai;

  This Appeon Community thread might be of interest to you on this subject ...

https://community.appeon.com/index.php/qna/q-a/powerbuilder-code-review

Regards ... Chris

Comment
Thank you so much Chris. I missed that thread.

Can you kindly help me with 2 questions regarding your answer in that thread. Or do you want me to post the questions in that thread itself?



1. Is the conversion still possible with the Powerbuilder 2019 or only in the older version i.e., 12 or earlier?

2. Can you kindly help me with the MS project step - Once we compile the application in machine code, do we need to use MS project and take the machine code files to convert into C++ exe?



I'm sorry for this question as I have always used Pcode and never machine code.
  1. sai macherla
  2. Tuesday, 5 November 2019 03:03 AM
Hi Sai;

1) The C++ compile feature is still in PB2019 and it's *not* a conversion but, merely a compile option (machine code) in your "Project" object maintained by the Project Painter. Once you select an M-Code compile for the PB App's EXE - the IDE does the rest by outputing C++ source based on your PowerScript and Class definitions in the related PBL's (auto-magically). That C++ source is then compiled my the standard MicroSoft C++ compiler via a MS-Build process.

The key aspect during the C++ compilation process is to skim off the C++ *source code* and then feed that into a vulnerability software product like I mention in the former thread. I have been doing this for years when I was consulting with the Canadian Federal Government before joining Appeon. There is no way we could get any PB Apps into production without what the government calls a TRA (Threat & Risk Assessment). Part of the TRA is a software venerability scan. Note that this also happens in the TRA process for the PB run-time DLL's as well which are also C++ based.

2) The vulnerability procedure that I have suggested does not require any use of any further MS products.

HTH

Regards ... Chris
  1. Chris Pollach @Appeon
  2. Tuesday, 5 November 2019 16:39 PM
There are no comments made yet.
Michael Kramer Accepted Answer Pending Moderation
  1. Wednesday, 6 November 2019 00:56 AM
  2. PowerBuilder
  3. # 1
0
Votes
Undo

Hi Sai,

No static code analysis of PowerScript or some transpiled language will find vulnerabilities in your app's dynamic handling of DataWindow objects.

OH - and watch out for DisableBind=1  -- -- DEFAULT for most if not all DBMS! -- This generates SQL that is prone to SQL injection attacks.

You must EXPLICITLY set DisableBind=0 to ensure use of bind parameters. These days I ALWAYS use option (2) below in all apps I write.

HTH /Michael

// Enforce bind parameters in auto-generated SQL
// -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
// Option #1 :: SQLCA hardcoded
SQLCA.DBParm = "..."
SQLCA.DBParm += ",DisableBind=0"
// -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
// Option #2 :: tr_base.of_Configure(...)
this.DBParm = "..."
this.DBParm += ",DsableBind=0"
// -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
Comment
What Michael said is true to the best of my knowledge. I think that is why Sai was looking to convert the code to C#, which PowerScript Migrator could do for them if they want to go that route.
  1. Armeen Mazda @Appeon
  2. Wednesday, 6 November 2019 03:03 AM
Thank you Michael and Armeen.

We can lookout for SQL injection attacks either with the suggested DISABLEBAND or near the login and search buttons in the application where the attacks can occur.



But as we need to fetch and submit the vulnerability scan report, we are forced to try the possible ways of converting to C++ (using Chris method). Flawfinder tool is performing the scan for C/C++.
  1. sai macherla
  2. Wednesday, 6 November 2019 15:20 PM
There are no comments made yet.
sai macherla Accepted Answer Pending Moderation
  1. Wednesday, 6 November 2019 00:03 AM
  2. PowerBuilder
  3. # 2
0
Votes
Undo

Hi Chris,

Thank you for the detailed explanation.
Sorry for bugging you again but I was trying to achieve your way but cannot find C++ source code either in the project location or in the temp folder. I am trying it with the PBExample workspace.

If possible can you please direct me where I am making a mistake:

Deployed the project using machine code. Got the dll files generated in the project folder.

These are the files I found in the temp folder:

This help would be very much appreciated Chris. 

 

Regards,

Sai

Comment
Hi Sai;

Yes, the number of files and their exact use can be a bit daunting all rolled up into the one O/S Temp folder. Here is a little know tip where you can ask the PB IDE to place all the C++ working source files into a specific folder for easier viewing, by using the following settings ...

1) Locate the working PB.ini file.

Normally, this wold be in the "C:\Users\<YourWIndowsLogon>\AppData\Local\Appeon\PowerBuilder 19.0" folder.

2) Open the working PB.ini in your favourite editor.

3) Locate the [PB] section.

4) Add the following entry ...

CODEGENTEMP=d:\pb2019\CplusPlus

5) Close & save the working PB.INI

6) Open your PB IDE & build (deploy) the C++ EXE project

7) Check out the "CODEGENTEMP" location.

HTH

Regards ... Chris
  1. Chris Pollach @Appeon
  2. Wednesday, 6 November 2019 16:03 PM
Thank you so much Chris.



I am able to see the 'C' files generated and it has all the events converted to machine language.

Looks like it was doing the same in the temp folder but the files are disappearing immediately after the deployment. Happening the same way in the "CODEGENTEMP" folder. So I was copying them before the deployment completes.



This is really very very helpful solution for our issue.

We all are very thankful to you. :)



Regards,

Sai
  1. sai macherla
  2. Thursday, 7 November 2019 00:17 AM
Hi Sai;

You are most welcome!

In the previous releases of the PB IDE (before Appeon) we used to have an option in other "Target" types to call a DOS Command and/or BAT file during the complication (deploy) process. That allowed be to issue something like a "COPY *.c ....." to "skim" off he full "C" source before the IDE compile deleted them.

Since these target types are no longer present in Appeon PB, I would suggest the following ...

1) Create a PB App EXE that sits in the CODEGENTEMP folder

2) Program it to look for *.C files on a timer loop (ie: DirList() command)

3) When it locates a *.C source file, use the FileCopy() command to skim off the "C++" source file to another folder before the IDE eventually cleans it it.

4) To make this utility fancier, you could use the "FindFirstChangeNotification" and "ReadDirectoryChangesW" MS-Windows API commands to get notified when a folder is written to the CODEGENTEMP folder and action it directly at that time (nice to have kind of thing).

FYI: https://docs.microsoft.com/en-us/windows/win32/fileio/obtaining-directory-change-notifications

HTH

Regards ... Chris
  1. Chris Pollach @Appeon
  2. Thursday, 7 November 2019 15:59 PM
There are no comments made yet.
Armeen Mazda @Appeon Accepted Answer Pending Moderation
  1. Monday, 4 November 2019 21:01 PM
  2. PowerBuilder
  3. # 3
0
Votes
Undo

PowerBuilder 2019 R2 has a PowerScript-to-C# code converter: https://youtu.be/Bcn6tt7H-Kk?t=69

Comment
Thank you so much Armeen for the information. I have installed SnapDevelop and gone through all the data. Not finding the option to open the PB workspace into SnapDevelop but I'm trying all my ways.



If that works, it would be very helpful
  1. sai macherla
  2. Tuesday, 5 November 2019 02:51 AM
Sorry for not making this clear... this is new feature coming in the new R2 release of 2019. That is scheduled for general availability around March 2020. If the solution Chris said doesn't work for you, please let me know and we will try to arrange a private beta for you of the C# converter.
  1. Armeen Mazda @Appeon
  2. Tuesday, 5 November 2019 14:35 PM
Thank you Armeen for the help. I will work with Chris to make this work.



Thank you once again:)
  1. sai macherla
  2. Tuesday, 5 November 2019 23:39 PM
There are no comments made yet.
Roland Smith Accepted Answer Pending Moderation
  1. Monday, 4 November 2019 20:44 PM
  2. PowerBuilder
  3. # 4
0
Votes
Undo

The only PowerBuilder code analyzer I am aware of is: https://www.visual-expert.com/

 

Comment
Thank you Roland. I have checked with Visual Expert team and looks like they are not supporting vulnerability scan for the PB code.
  1. sai macherla
  2. Tuesday, 5 November 2019 02:52 AM
There are no comments made yet.
  • Page :
  • 1


There are no replies made for this question yet.
However, you are not allowed to reply to this question.