How to Install and Configure Fortify Static Code Analysis Tool

How to Install and Configure Fortify Static Code Analysis Tool

2 Comments / DevOps, DevSecOps, How To's / By

Fortify is a product of Micro Focus which offers a feature called Static Code Analyzer. This will help us scanning for security violations that are specific to the Coding Rule and Guidelines. Also, fortify provides enough data from Analysis and prioritizes the violations for the developers to identify and fix quickly. In this article, we will discuss How to Install and Configure Fortify Static Code Analysis Tool.

Fortify Static Code Analyzer Components

Fortify Static Code Analyzer will come with the following are the components.

  • Audit Workbench – This is a GUI-based Application that will Organize and Manage the Analysis results.
  • Plugin for Eclipse – This is part of Eclipse IDE and displays the result of Analysis within IDE
  • Plugin for IntelliJ and Android Studio – Plugin for IntelliJ IDE and Android Studio provides Analysis results within IDE
  • Custom Rules Editor – An Application from Fortify to edit and create Custom Rules for Analysis.
  • Fortify Scan Wizard – This is a Tool that provides options to run Scripts after or before the Analysis.
  • Jenkins Plugin – Plugin that will get the results from the Jenkins Job that runs the Analysis.
  • Bamboo Plugin – Plugin that will get the results from the Bamboo Job that runs the Analysis.

How to Install Fortify Static Code Analyzer Component Application

To Install the Fortify Static Code Analyzer, you need to visit the Download page from the Microfocus. This website will ask you to sign up or log in to download any package.

Steps to Install if you have GUI access to your OS

STEP 1: Run the downloaded Installer based on your operating system.

  • Windows – Fortify_SCA_and_Apps_<version>_windows_x64.exe
  • MacOS – Fortify_SCA_and_Apps_<version>_osx_x64.app.zip
  • Linux – Fortify_SCA_and_Apps_<version>_linux_x64.run

STEP 2: Follow the On-screen Instruction

STEP 3:  Optionally, you can select the additional components mentioned in above topic.

STEP 4: Specify the USER for the installation.

STEP 5: Specify the path of the fortify.license file. (This you need to purchase)

STEP 6: Mention the URL Address of the Update Server. for example . https://update.fortify.com. This will update the Rules on regular basis.

STEP 7: Click Finish at the end

Instruction to Install Fortify Static Code Analyzer with Out GUI

STEP 1: Once you downloaded the package, Create a file called named <installer_file_name>.options along with the Installation Package. For example, If the Installer file is Fortify_SCA_and_Apps_<version>_windows_x64.exe, Then Options file is Fortify_SCA_and_Apps_<version>_windows_x64.options.

STEP 2: Then, Add the following lines in the .options file.

fortify_license_path=<location to fortify.licensefile>
UpdateServer=https://update.fortify.com
Installdir=<path of installation directory>

Then save the file.

STEP 3: Then, Run the Silent Installation command in the Command line.

  • Windows – Fortify_SCA_and_Apps_<version>_windows_x64.exe --mode unattened
  • MacOS – Unzip the file and run the shell script inside the zip file. Fortify_SCA_and_Apps_<version>_osx_x64.app/Contents/MacOS/installbuilder.sh--modeunattended—optionfile <Path to Option file>
  • Linux – ./Fortify_SCA_and_Apps_<version>_osx_x64.app.zip --mode unattened

That’s all, The Installation is finished.

Post Installation Tasks

Once you Installed Fortify, you need to prepare your Fortify to start using the Fortify Static Code Analyzer. For the same, Follow the Following Steps.

STEP 1: Go to the Installation Directory and navigate to bin folder in the Command Prompt or in Command line tool.

STEP 2: Then type scapostinstall. Then, type the for the respective settings to open.

  • For Display Settings, type 2.
  • To get back menu, type r.
  • For quit, type q.

STEP 3: Then, do the following options in the same command line.

  • Select the General settings by typing 1
  • Select the Local option by Typing 1 again
  • Then type the language code, Eg, for English type en

Navigate the scapostinstall operation and do other settings like Security Content Update server, Proxy Server settings, and more if needed. That’s all the Post Installation Tasks. This will start the fortify as the service in the background.

To Verify the Installation, Type sourceanalyzer in the command line and see if it gives the help section.

Conclusion.

Developing the code without Security violations is mandatory as we are having a huge threat from hackers. So, Scanning the Source code before we get it to build is very important. Fortify is one such tool that helps in terms of scanning the Source code for Security Violation and gives you the interactive visual Report. In this article, we discussed How to Install and Configure Fortify Static Code Analysis Tool. In our Next Article, we will discuss How to run Fortify Source Code Analysis and Reports. Stay tuned and subscribe DigitalVarys for more articles and study materials on DevOpsAgileDevSecOps and App Development.

2 thoughts on “How to Install and Configure Fortify Static Code Analysis Tool”

  2. PARESHKUMAR DAVJIBHAI JADAV

    Hey I want to understand onething, my development code is with inhouse TFS server(2015) which doesnt have any internet access as its a security guideline. people working also doesn’t get to use internet access. Can I still use Fortify SAST if yes. what all things I will need to configure my TFS server to use Fortify step in the build pipeline.(Note its not an Azure server its plain old TFS 2015)

    Reply

Leave a Reply