HP Fortify Android SCA build


I'm trying to use the Fortify sourceanalyzer binary to scan an Android project. The problem is that even if I set the classpath correctly, classes are not found...

Here is my command:

sourceanalyzer -b MS.ANDROID -clean;
sourceanalyzer -b MS.ANDROID -exclude androidTest -exclude gradle -exclude maven-config -exclude test -cp "/home/devuser/android-sdk-linux/platforms/android-21/android.jar:/var/lib/jenkins/workspace/myproject/**/*.jar" -source 1.7 src

My output is:

[warning]: The following references to java classes could not be resolved. Please make sure to supply all the required jar files that contain these classes to SCA.
    AddressException
    BasicClientCookieHC4
    CancellationTokenSource
    ConnectionConfig.Builder
    ContentType
    Continuation
    Crashlytics
    FileBody
    HttpClientBuilder
    Immutable
    InternetAddress
    MultipartEntityBuilder
    PoolingHttpClientConnectionManager
    Registry
    RequestConfig.Builder
    SSLConnectionSocketFactory
    StringBody
    SuppressFBWarnings
    Task
    Task.TaskCompletionSource

The android.jar is found, because if I remove it I get more unresolved classes, but none of the jars under the project are found, even if I give the full path to each of them...

If anyone has a tutorial for Fortify with Android (or integrated into Gradle), that would be nice too.

I'm making my comment in the form of an answer because of the formatting available. So, try this:

cd /var/lib/jenkins/workspace/myproject/
# any loose .class file for one of the unresolved names?
find . | grep Task.class
# otherwise, which jar under the workspace stores an entry named after it?
# (the original had "-name .jar", which matches nothing; the glob must be quoted)
find . -name '*.jar' | while read jar; do grep -l 'Task' "$jar"; done

This should tell you where, in your specified jars, at least one of those classes lies. If you don't find it in a jar, you have not specified a sufficient classpath.

Currently there are no Fortify Knowledge articles covering gradle. I would try putting the Maven plug-in into Gradle at the appropriate point. That way SCA should find the dependencies.

If the application compiles successfully yet SCA returns a scan error, the jar file(s) may be missing but the application may compile because the jars are included from another application like a Tomcat server (or in your case gradle). One can 1) bundle all dependent jars with the project or 2) incorporate SCA into your build scripts (maven or ant) or package (Jenkins or gradle).

If you package the jars with the application, you know exactly what functions you are including and you have better control of your attack surface. If you look to external services like Tomcat for dependencies, you have less assurance of the functionality that could be invoked, making the solution less robust and secure.
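The two answers above suggest (1) locating which jar on disk actually provides each class SCA reports as unresolved and (2) bundling an explicit, minimal set of jars rather than relying on whatever the build environment happens to supply. The script below is an added example that does both; it is not code from either answer or from Fortify. It walks a directory for `*.jar` files, reads only the zip central directory of each (so it works on jars it cannot execute), maps SCA-style names such as `Task.TaskCompletionSource` to the `Task$TaskCompletionSource.class` entry a jar stores, and emits the explicit `-cp` value from just the jars that contribute something. The jar names, the temporary project layout and the `/path/to/android.jar` entry are constructed placeholders for the demo.

```python
"""Map Fortify SCA's "could not be resolved" class names to the jars that
provide them, then build the explicit -cp value from only those jars.
Added example; jars, directory and class list are constructed for the demo."""
import os
import tempfile
import zipfile

# Unresolved names as SCA prints them: simple names, inner classes joined with '.'.
# Constructed sample: a subset of the warning in the question.
UNRESOLVED = ["Task", "Task.TaskCompletionSource", "HttpClientBuilder", "Crashlytics"]


def index_jar(jar_path):
    """Return the set of .class entry names in a jar (central directory only)."""
    with zipfile.ZipFile(jar_path) as zf:
        return {n for n in zf.namelist() if n.endswith(".class")}


def find_providers(root, unresolved):
    """Walk `root`, open every *.jar and return {class name: [jars providing it]}.
    A name with an empty list exists in no jar under root; for a Gradle build
    the dependency usually lives in the Gradle cache, not in the workspace."""
    # 'Task.TaskCompletionSource' -> 'Task$TaskCompletionSource.class'
    wanted = {n: n.replace(".", "$") + ".class" for n in unresolved}
    found = {n: [] for n in unresolved}
    for dirpath, _, files in os.walk(root):
        for f in files:
            if not f.endswith(".jar"):
                continue
            jar = os.path.join(dirpath, f)
            try:
                entries = index_jar(jar)
            except zipfile.BadZipFile:
                continue  # not really a jar (or corrupt); report nothing, do not crash
            for name, fname in wanted.items():
                # match the full file name after a '/' so 'Task' does not match 'SubTask'
                if any(e == fname or e.endswith("/" + fname) for e in entries):
                    found[name].append(jar)
    return found


def classpath_for(found, extra=()):
    """Build the -cp argument: the providing jars (sorted, de-duplicated) plus
    any jars passed in `extra`, e.g. the platform android.jar."""
    jars = sorted({j for js in found.values() for j in js} | set(extra))
    return ":".join(jars)


def make_demo_project(root):
    """Constructed fixture: three jars with the entries the demo expects."""
    layout = {
        "libs/bolts-tasks.jar": ["bolts/Task.class", "bolts/Task$TaskCompletionSource.class"],
        "libs/httpclient.jar": ["org/apache/http/impl/client/HttpClientBuilder.class"],
        "libs/unrelated.jar": ["com/example/SubTask.class"],  # must NOT match 'Task'
    }
    for rel, entries in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as zf:
            for e in entries:
                zf.writestr(e, b"\xca\xfe\xba\xbe")  # class-file magic; content is irrelevant
    return root


def demo():
    """Run the resolver over the constructed project; returns (found, missing, cp)."""
    root = make_demo_project(tempfile.mkdtemp(prefix="fortify-cp-"))
    found = find_providers(root, UNRESOLVED)
    missing = [n for n, js in found.items() if not js]
    cp = classpath_for(found, extra=["/path/to/android.jar"])  # placeholder path
    return found, missing, cp


if __name__ == "__main__":
    found, missing, cp = demo()
    for name, jars in found.items():
        print(f"{name:30} -> {', '.join(jars) or 'NOT FOUND under project'}")
    print("missing:", missing)
    print("-cp", f'"{cp}"')
```

Point the walk at the workspace (or at `~/.gradle/caches` for a Gradle build) instead of the demo fixture, and pass the printed `-cp` string to `sourceanalyzer`. Names that stay in `missing` are the ones no jar you scanned provides, which is exactly the situation the first answer describes as an insufficient classpath; the emitted classpath contains only jars that resolve something, which is the small, known set of dependencies the second answer argues for.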