Would it really be a valid test to scan code generated into a different language?
What if it finds a problem that is not due to the way you coded it in PowerScript, but to how the language converter coded it?
Good points, Roland. I don't think there is a 100% solution, but we are trying to come up with ways to at least catch some problems. Anyway, these tools never catch 100% of the issues, so even if it was a pure C# project written by hand, it's not like you're 100% safe by simply running a code scanner.
Hi Roland .. yes it is, as the C++ is a 100% "mirror" image (not syntactically, of course) of the PowerScript code, any 3rd-party DLLs it calls, OLE usages, etc. and .... especially the MS-Windows APIs it uses. ;-)
Unfortunately, the HP Fortify product does not support the PowerScript language.
As a workaround though, PB does emit C++ or C# depending on whether you are a) compiling to machine code; b) deploying as a Winform app; c) deploying a .NET Assembly; or d) deploying a Web Service. During these compilations / deployments, you can trap the generated C++ and/or C# code and then feed that into Fortify. The generated code is basically a 100% reflection of the PowerScript commands. Thus, the Fortify scan of the generated C++ / C# source should expose any vulnerability issues from the static perspective.
Note: the Winform deployment option was removed in PB 2017 but was present on PB versions 11.x through 12.6.
Regards ... Chris