Using Fortify SCA to scan for vulnerabilities
We found the SQL injection vulnerability in BuggyTheApp by hand, but surely we can do better than this? Yes we can. We can use Fortify to find it for us!
Configuring Fortify SCA
Fortify SCA can analyse many programming languages for different categories of vulnerabilities.
The first step before using Fortify is configuring the basic settings.
In Android Studio, select the Fortify menu, and then choose SQL and Android Vulnerabilities from the “analysis setting” option.
If Android Studio asks for the executable, you will find “sourceanalyzer.exe” in the directory where you installed Fortify. For example, on Windows this is “C:\ProgramFiles\HPE_Security\Fortify_SCA_and_Apps_16.20\bin”.
Scanning with Fortify SCA
To start analysing BuggyTheApp, go to the Fortify menu and click on Scan. The scan will start and should take about two minutes to produce a Fortify Project File (FPR). This file is saved in the app root directory (the directory you extracted BuggyTheApp to).
Viewing the report in Audit Workbench
To view the report use the Audit Workbench to open the .fpr file.
In the top left there is a filter. Change it to “Security Auditor View”.
Below the filter option is a grouping option. Change it to “File Name”.
Now you will see all the vulnerabilities found in each file in BuggyTheApp. Fortify classifies the vulnerabilities according to their severity (low, medium, high, and critical).
To see all the vulnerabilities, click on the green tab on the top left.
We recommend this view setting because during the course we will be fixing the vulnerabilities file by file. But you are free to choose any other setting that you prefer.
The SQL injection vulnerability
Click on the DBclass.java file on the right, and expand the vulnerabilities in it.
Two SQL injection vulnerabilities will be listed.
By clicking on any listed vulnerability, Audit Workbench will show you the related code, along with a detailed explanation of the vulnerability, and recommendations on how to fix it.
Take some time to explore the tool, and try to fix the SQL injection vulnerability by yourself. We will show you our solution in the next step.
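As an added illustration (this is not BuggyTheApp's DBclass.java, whose contents this page does not show), here is the Android query pattern that Fortify reports as SQL injection, next to its parameterised fix; the class, table and column names are assumed.

```java
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;

// Hypothetical helper class, not taken from BuggyTheApp: it contrasts the
// query pattern Fortify flags as SQL injection with a parameterised fix.
public class UserLookup {
    private final SQLiteDatabase db;

    public UserLookup(SQLiteDatabase db) {
        this.db = db;
    }

    // VULNERABLE: user-controlled input is concatenated into the SQL text.
    // A quote character in the input ends the string literal, so the rest of
    // the input is parsed as SQL. Fortify reports the rawQuery() call because
    // a tainted string reaches the query sink.
    public Cursor findUserUnsafe(String username) {
        String sql = "SELECT id, name FROM users WHERE name = '" + username + "'";
        return db.rawQuery(sql, null);
    }

    // FIXED: the SQL text is constant and the value is passed separately as a
    // bound parameter, so the database never interprets it as SQL.
    public Cursor findUserSafe(String username) {
        String sql = "SELECT id, name FROM users WHERE name = ?";
        return db.rawQuery(sql, new String[] { username });
    }

    // Equivalent fix using query(), which assembles the statement itself and
    // binds the selection arguments for you.
    public Cursor findUserSafeWithQuery(String username) {
        return db.query("users", new String[] { "id", "name" },
                "name = ?", new String[] { username },
                null, null, null);
    }
}
```

Rescanning after such a change is the quickest way to confirm that the finding no longer appears in the FPR.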
© University of Southampton 2017