fortify scans

View Replies (4)

Resolved fortify scans

Issue

Votes

Undo

Randy Zaffke
PowerBuilder
Monday, 13 November 2017 16:13 PM UTC

Does Powerbuilder 2017 support Fortify code scans?

Responses (4)

Roland Smith Accepted Answer Pending Moderation

Thursday, 7 November 2019 18:42 PM UTC
PowerBuilder
# 1

Would it really be a valid test to scan code generated into a different language?

What if it finds a problem that is not due to the way you coded it in PowerScript but how the language convertor coded it.

Comment

Armeen Mazda @Appeon
Thursday, 7 November 2019 19:41 PM UTC

Good points Roland. I don't think there is 100% solution, but we are trying to come up with ways at least to catch some problems. Anyway, these tools never catch 100% of the issues so even if it was a pure C# project written by hand its not like you 100% safe by simply running the a code scanner.

Helpful 0

Chris Pollach @Appeon
Thursday, 7 November 2019 20:56 PM UTC

Hi Roland .. yes it is as the C++ is a 100% "mirror" image (not syntactically of course) of the PowerScript code, any 3rd party DLL's it calls, OLE usages, etc and .... especially MS-Windows API's it uses. ;-)

Helpful 0

There are no comments made yet.

Armeen Mazda @Appeon Accepted Answer Pending Moderation

Thursday, 7 November 2019 18:05 PM UTC
PowerBuilder
# 2

Hi Randy,

The question is not does PB support Fortify but rather the other way around. To best of my knowledge, Fortify doesn't support scanning PowerScript.

But if you convert your PowerScript to another language that Fortify does support you could effectively get your PowerScript code scanned by Fortify that way.

Chris has a hack for generating C++ from PowerScript or you could use the new PowerScript Migrator in PB 2019 R2 to convert your PowerScript to C#. https://youtu.be/Bcn6tt7H-Kk?t=69

Regards,
Armeen

Comment

There are no comments made yet.

Randy Zaffke Accepted Answer Pending Moderation

Thursday, 7 November 2019 17:56 PM UTC
PowerBuilder
# 3

sorry I am just coming back to this now

what do you mean

"ts - you can trap the generated C++ and/or C# code and then feed that into Fortify. "

thanks for any assistance

Comment

Chris Pollach @Appeon
Thursday, 7 November 2019 20:53 PM UTC

Hi Randy;

Reading this related thread might help ... https://community.appeon.com/index.php/qna/q-a/convert-powerbuilder-2019-to-c-c-c-for-security-code-scan

Regards ... Chris

Helpful 0

There are no comments made yet.

Chris Pollach @Appeon Accepted Answer Pending Moderation

Monday, 13 November 2017 16:25 PM UTC
PowerBuilder
# 4

Hi Randy;

Unfortunately, the HP Fortify product does not support the PowerScript language.

As a workaround though, PB does emit C++ or C# depending on whether you are a) compiling to machine code; b) deploying as a Winform app; c) deploying a .NET Assembly; or d) deploying Web Service. During these compilation / deployments - you can trap the generated C++ and/or C# code and then feed that into Fortify. The generated code is basically a 100% reflection of the PowerScript commands. Thus, the Fortify scan of the generated C++ / C# source should expose any vulnerability issues from the static perspective.

Note: the Winform deployment option was removed in PB 2017 but was present on PB versions 11.x through 12.6.

Regards ... Chris

Comment

There are no comments made yet.

Page :
1

There are no replies made for this question yet.
However, you are not allowed to reply to this question.

Please login to post a reply

You will need to be logged in to be able to post a reply. Login using the form on the right or register an account if you are new here. Register Here »

Forgot Password?

We use cookies which are necessary for the proper functioning of our websites. We also use cookies to analyze our traffic, improve your experience and provide social media features. If you continue to use this site, you consent to our use of cookies.