1. Randy Zaffke
  2. PowerBuilder
  3. Monday, 13 November 2017

Does PowerBuilder 2017 support Fortify code scans?

Roland Smith

Would it really be a valid test to scan code generated into a different language?

What if it finds a problem that is not due to the way you coded it in PowerScript but how the language converter coded it?

Comment
Good points, Roland. I don't think there is a 100% solution, but we are trying to come up with ways at least to catch some problems. Anyway, these tools never catch 100% of the issues, so even if it was a pure C# project written by hand, it's not like you're 100% safe by simply running a code scanner.
  1. Armeen Mazda
  2. Thursday, 7 November 2019
Hi Roland ... yes it is, as the C++ is a 100% "mirror" image (not syntactically of course) of the PowerScript code, any 3rd party DLLs it calls, OLE usages, etc. and ... especially MS-Windows APIs it uses. ;-)
  1. Chris Pollach
  2. Thursday, 7 November 2019
  1. Thursday, 7 November 2019
  2. PowerBuilder
  3. # 1
Armeen Mazda

Hi Randy,

The question is not does PB support Fortify but rather the other way around. To the best of my knowledge, Fortify doesn't support scanning PowerScript.

But if you convert your PowerScript to another language that Fortify does support you could effectively get your PowerScript code scanned by Fortify that way. 

Chris has a hack for generating C++ from PowerScript or you could use the new PowerScript Migrator in PB 2019 R2 to convert your PowerScript to C#.  https://youtu.be/Bcn6tt7H-Kk?t=69

Regards,
Armeen

  1. Thursday, 7 November 2019
  2. PowerBuilder
  3. # 2
Randy Zaffke

Sorry, I am just coming back to this now.

What do you mean

"ts - you can trap the generated C++ and/or C# code and then feed that into Fortify. "

 

Thanks for any assistance.

Comment
Hi Randy;

Reading this related thread might help ... https://community.appeon.com/index.php/qna/q-a/convert-powerbuilder-2019-to-c-c-c-for-security-code-scan

Regards ... Chris
  1. Chris Pollach
  2. Thursday, 7 November 2019
  1. Thursday, 7 November 2019
  2. PowerBuilder
  3. # 3
Chris Pollach

Hi Randy;

Unfortunately, the HP Fortify product does not support the PowerScript language.

As a workaround though, PB does emit C++ or C# depending on whether you are a) compiling to machine code; b) deploying as a Winform app; c) deploying a .NET Assembly; or d) deploying a Web Service. During these compilations / deployments, you can trap the generated C++ and/or C# code and then feed that into Fortify. The generated code is basically a 100% reflection of the PowerScript commands. Thus, the Fortify scan of the generated C++ / C# source should expose any vulnerability issues from the static perspective.

Note: the Winform deployment option was removed in PB 2017 but was present on PB versions 11.x through 12.6.

Regards ... Chris

 

  1. Monday, 13 November 2017
  2. PowerBuilder
  3. # 4