The Tech Platform

.NET Core 3 Source Code Scanning

Hello, in this article, I will show you how to scan an application developed with the .NET Core 3 framework using Fortify.

Visual Studio 2019 IDE

For IDE scanning, we enter the relevant project folder and open the application from the solution file.

Then we start the scan by selecting Extension -> Fortify -> Analyze solution.

Here, it is sufficient to select Analyze solution to scan an application at solution level, and Analyze Project to scan at project level.

When the scan starts, the screen will be as follows. We simply wait for the scan to finish. Meanwhile, we can check whether the scan is reporting an error by looking at the logs written to the Output.

When the scan is finished, Fortify will open the Analysis Results section on Visual Studio as follows and show the vulnerabilities it has detected here.

Scan Wizard

When Scan Wizard is run, the screen will be as below.

The first thing we need to do is to select the folder where the project to be scanned is located.

After making the selection, press next and we will see the screen as below. On the right side of the screen the C#, JavaScript and XML sections are selected, and at the bottom of the screen we see that the MSBuild and Visual Studio sections can be selected.

At this stage, Scan Wizard examines the files in the folder we have provided, detects the language of the application to be scanned and offers an option for this. Here it gave us the option of MSBuild and Visual Studio.

We mark MSBuild and click next to move on to the next step.

Fortify will use MSBuild to scan. Below, it shows us that it has found the solution file of the relevant project. Make sure that there is a solution file here, and that this section is marked as follows. After the checks, we click next and move on to the next step.

Scan Wizard generates a .bat file for Windows and a .sh file for macOS/Linux for the scan. Since we will perform the scanning process on Windows, we want the .bat file to be created, and we can place this batch file anywhere we want. Here I set the bat file to be included in the relevant project.

  • Quick scan : Scans only for High and Critical vulnerabilities. (It can be selected to save time in large projects, but vulnerabilities of other levels will not be reported.)

  • Upload Scan to SSC : Uploads the FPR file created after scanning to SSC.

  • ScanCentral scan : The application is scanned by ScanCentral connected to SSC.

  • Include Custom Rule : Includes custom rules you have created in the scan.

After we’re done here, let’s click next and move on to the next page.

In this step, Scan Wizard shows us a summary of the bat file it will create. Here, if you wish, you can press the back button to re-check the choices you have made or change them. I hit the finish option.

When I go to the relevant project and check, I see that Scan Wizard has created the bat file. Here I go to the project directory via cmd.exe and run the bat file.

If there is no problem while it runs, the screen will be as follows. In cmd.exe I can check that the scan ran smoothly, and when I look inside the folder I can see that the FPR file has been created. After this step, you can view the vulnerabilities by opening the FPR.


Optionally, we can scan source code from within the terminal using Fortify's sourceanalyzer.exe.

Scan with MSBuild

We open cmd.exe in the directory of the project to be scanned.

In this step, we will need to enter a command like the one below.

sourceanalyzer.exe -b build-id -clean

The explanations of the above command are as follows.

  • sourceanalyzer.exe : The executable that Fortify uses to scan the source code.

  • -b : The build ID. You can think of it as a session in a web application. Fortify stores the data it obtains for the project to be scanned under the name we give here, and uses that name to access the data later.

  • -clean : If there was a scan using this name before, -clean empties its data. We have never used this name before, but best practice is to run it this way anyway.

After the clean process, Translation needs to be done (this is the process of converting the code to be compiled into a form that Fortify can understand). For this we enter the following command.

sourceanalyzer.exe -b build-id msbuild /t:rebuild project.sln

The explanations of the above commands are as follows.

  • “msbuild /t:rebuild” : Fortify will use MSBuild as the build method, compile the relevant project and then translate the output it obtains. MSBuild is used for the build step in between.

  • “project.sln” : The name of the solution file to be scanned.

After running the command with MSBuild, the screen will be as follows. What we need to pay attention to here is whether the build succeeded message appears. If we see that the build failed instead, it means that the related project encountered an error while being built with MSBuild, and that error has to be fixed first. Since we see success, we can continue.

This step is the part where the code compiled with MSBuild will be scanned and the outputs will be produced. For this, you will need to enter a command like the following.

sourceanalyzer.exe -b build-id -scan -f output.fpr

The explanations of the above commands are as follows.

  • -scan : By giving this parameter, we ensure that the code that was compiled and translated into a form Fortify understands is scanned.

  • -f : An FPR file will be generated for the vulnerabilities detected after the scan. Here we specify the name of the FPR file to be produced.

In scans where we forget the “-f” parameter, the vulnerabilities will be written to cmd.exe.

When the scanning operation is finished, the screen will be as follows. When we look at the folder where the application is located, we can see that the FPR file has been created.
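
The three commands above chained into one batch file that stops at the first failing step, so a failed build cannot be mistaken for a scan with no findings. This is an added example, not the file Scan Wizard generates and not code from the original article; build-id, project.sln and output.fpr are the article's placeholders, and treating a non-zero exit code as a failure is an assumption.

```batch
@echo off
setlocal

rem Added example. The three values below are the article's placeholders.
set "BUILD_ID=build-id"
set "SOLUTION=project.sln"
set "FPR=output.fpr"

rem Delete a result left by an earlier run, so a stale FPR
rem is never read as the output of this scan.
if exist "%FPR%" del "%FPR%"

rem Step 1 - clean: empty whatever is stored under this build ID.
sourceanalyzer.exe -b %BUILD_ID% -clean
if errorlevel 1 goto :failed

rem Step 2 - translate: rebuild the solution through MSBuild.
rem Assumption: a failed build makes this step return non-zero.
sourceanalyzer.exe -b %BUILD_ID% msbuild /t:rebuild "%SOLUTION%"
if errorlevel 1 goto :failed

rem Step 3 - scan: analyse the translated code and write the FPR.
sourceanalyzer.exe -b %BUILD_ID% -scan -f "%FPR%"
if errorlevel 1 goto :failed

rem Confirm the result file exists before reporting success.
if not exist "%FPR%" (
    echo Scan finished but %FPR% was not written.
    exit /b 2
)
echo Scan complete: %FPR%
exit /b 0

:failed
echo A sourceanalyzer step failed with exit code %errorlevel%.
exit /b 1
```

Run it from the directory that contains the solution file. The non-zero exit codes let a build server mark the job as failed instead of publishing an incomplete result.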

Scan with Devenv

Scanning steps with Devenv are mostly the same as with MSBuild. In order not to prolong the article, I will not explain the parameters I explained in MSBuild here again. You can check them above if you wish.

sourceanalyzer.exe -b build-id -clean

Since it uses devenv here, it is necessary to enter a command like the one below.

sourceanalyzer.exe -b build-id devenv project.sln /REBUILD Debug

  • “devenv /REBUILD Debug” : Fortify will use devenv as the build method, compile the relevant project and then translate the output it obtains. Devenv is used for the build step in between.

  • “project.sln” : The name of the solution file to be scanned.

This step is the part where the code compiled with Devenv will be scanned and the outputs will be produced. For this, you will need to enter a command like the following.

sourceanalyzer.exe -b build-id -scan -f output.fpr

When the scanning operation is finished, the screen will be as follows. When you look at the scanned folder, you can see that the FPR file has been created.

Source: Medium - Erdemstar
