1. Randy Zaffke
  2. PowerBuilder
  3. Monday, 13 November 2017 16:13 PM UTC

Does PowerBuilder 2017 support Fortify code scans?

Chris Pollach @Appeon
  1. Monday, 13 November 2017 16:25 PM UTC
  2. PowerBuilder
  3. # 1

Hi Randy;

Unfortunately, the HP Fortify product does not support the PowerScript language.

As a workaround though, PB does emit C++ or C# depending on whether you are a) compiling to machine code; b) deploying as a Winform app; c) deploying a .NET Assembly; or d) deploying a Web Service. During these compilation / deployments - you can trap the generated C++ and/or C# code and then feed that into Fortify. The generated code is basically a 100% reflection of the PowerScript commands. Thus, the Fortify scan of the generated C++ / C# source should expose any vulnerability issues from the static perspective.

Note: the Winform deployment option was removed in PB 2017 but was present on PB versions 11.x through 12.6.

Regards ... Chris

 

Randy Zaffke
  1. Thursday, 7 November 2019 17:56 PM UTC
  2. PowerBuilder
  3. # 2

Sorry, I am just coming back to this now.

What do you mean

"ts - you can trap the generated C++ and/or C# code and then feed that into Fortify. "

 

Thanks for any assistance.

Comment
  1. Chris Pollach @Appeon
  2. Thursday, 7 November 2019 20:53 PM UTC
Hi Randy;

Reading this related thread might help ... https://community.appeon.com/index.php/qna/q-a/convert-powerbuilder-2019-to-c-c-c-for-security-code-scan

Regards ... Chris
Armeen Mazda @Appeon
  1. Thursday, 7 November 2019 18:05 PM UTC
  2. PowerBuilder
  3. # 3

Hi Randy,

The question is not does PB support Fortify but rather the other way around. To the best of my knowledge, Fortify doesn't support scanning PowerScript.

But if you convert your PowerScript to another language that Fortify does support you could effectively get your PowerScript code scanned by Fortify that way. 

Chris has a hack for generating C++ from PowerScript or you could use the new PowerScript Migrator in PB 2019 R2 to convert your PowerScript to C#.  https://youtu.be/Bcn6tt7H-Kk?t=69

Regards,
Armeen

Roland Smith
  1. Thursday, 7 November 2019 18:42 PM UTC
  2. PowerBuilder
  3. # 4

Would it really be a valid test to scan code generated into a different language?

What if it finds a problem that is not due to the way you coded it in PowerScript but how the language converter coded it?

Comment
  1. Armeen Mazda @Appeon
  2. Thursday, 7 November 2019 19:41 PM UTC
Good points Roland. I don't think there is a 100% solution, but we are trying to come up with ways at least to catch some problems. Anyway, these tools never catch 100% of the issues, so even if it was a pure C# project written by hand it's not like you are 100% safe by simply running a code scanner.
  1. Chris Pollach @Appeon
  2. Thursday, 7 November 2019 20:56 PM UTC
Hi Roland .. yes it is as the C++ is a 100% "mirror" image (not syntactically of course) of the PowerScript code, any 3rd party DLLs it calls, OLE usages, etc and .... especially MS-Windows APIs it uses. ;-)