Would it really be a valid test to scan code generated into a different language?
What if it finds a problem that is not due to the way you coded it in PowerScript but to how the language converter coded it?
Good points, Roland. I don't think there is a 100% solution, but we are trying to come up with ways at least to catch some problems. Anyway, these tools never catch 100% of the issues, so even if it was a pure C# project written by hand, it's not like you're 100% safe by simply running a code scanner.
Hi Roland .. yes it is, as the C++ is a 100% "mirror" image (not syntactically of course) of the PowerScript code, any 3rd party DLLs it calls, OLE usages, etc. and .... especially the MS-Windows APIs it uses. ;-)
Unfortunately, the HP Fortify product does not support the PowerScript language.
As a workaround though, PB does emit C++ or C# depending on whether you are a) compiling to machine code; b) deploying as a WinForm app; c) deploying a .NET Assembly; or d) deploying a Web Service. During these compilations / deployments you can trap the generated C++ and/or C# code and then feed that into Fortify. The generated code is basically a 100% reflection of the PowerScript commands. Thus, the Fortify scan of the generated C++ / C# source should expose any vulnerability issues from the static perspective.
Note: the Winform deployment option was removed in PB 2017 but was present on PB versions 11.x through 12.6.
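The workaround above hinges on "trapping" the generated source before the build discards it, and on being able to tie each Fortify finding back to one exact build of the PowerScript app. The script below is an added example, not code from this thread or from PowerBuilder or Fortify: it copies only the emitted C++/C# files out of the build's working directory into a per-build snapshot, writes a checksum manifest so a finding can be matched to the precise generated file, and then hands the snapshot to Fortify. The location of the generated sources (`GEN_DIR`) is an assumption, as is the exact translation command; `sourceanalyzer -b <id> -scan -f <out.fpr>` is Fortify's standard scan invocation, but the translation step for C++ normally wraps your compiler command, so that line is a placeholder to adapt.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: GEN_DIR is wherever your
# PowerBuilder build writes the intermediate C++/C# sources; Fortify's CLI is
# on PATH as `sourceanalyzer`.

# Stage only the generator's output (source, not objects/binaries) into
# $2, and write a checksum manifest. Prints the number of staged files.
stage_generated() {
  src="$1"; dest="$2"
  mkdir -p "$dest"
  find "$src" -type f \( -name '*.cpp' -o -name '*.h' -o -name '*.cs' \) |
  while read -r f; do
    rel="${f#"$src"/}"
    mkdir -p "$dest/$(dirname "$rel")"
    cp "$f" "$dest/$rel"
  done
  # One checksum line per staged file: a Fortify finding in file X of build N
  # can then be matched to exactly the bytes that were scanned.
  (cd "$dest" && find . -type f \( -name '*.cpp' -o -name '*.h' -o -name '*.cs' \) \
     -exec cksum {} + | sort -k3) > "$dest/MANIFEST.txt"
  wc -l < "$dest/MANIFEST.txt" | tr -d ' '
}

# Run Fortify over a staged snapshot. Returns 2 (and leaves the snapshot in
# place for a later scan) when the CLI is not installed on this machine.
fortify_scan() {
  snap="$1"; build_id="$2"
  if ! command -v sourceanalyzer >/dev/null 2>&1; then
    echo "sourceanalyzer not on PATH; snapshot kept at $snap" >&2
    return 2
  fi
  sourceanalyzer -b "$build_id" -clean
  # Translation: for C++ Fortify wraps the real compiler invocation, e.g.
  #   sourceanalyzer -b "$build_id" <your compiler command> file.cpp
  # The directory form below is a placeholder to replace with that command.
  sourceanalyzer -b "$build_id" "$snap"
  # Analysis phase: produces the .fpr that Audit Workbench / SSC consumes.
  sourceanalyzer -b "$build_id" -scan -f "$snap/$build_id.fpr"
}

# Usage (only when invoked directly with "run"):
#   sh stage_and_scan.sh run /path/to/GEN_DIR
if [ "${1:-}" = "run" ]; then
  GEN_DIR="${2:?generated source dir}"
  BUILD_ID="pb_$(date +%Y%m%d_%H%M%S)"
  SNAP="./fortify_snapshots/$BUILD_ID"
  n=$(stage_generated "$GEN_DIR" "$SNAP")
  echo "staged $n generated files into $SNAP"
  fortify_scan "$SNAP" "$BUILD_ID"
fi
```

Keeping the snapshot and manifest alongside the `.fpr` is what lets you answer Roland's concern in practice: when a finding lands in generated code, you can diff that exact file against the PowerScript that produced it and decide whether the issue is yours or the code generator's.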