Using Fortify SCA (not outdated “HP Fortify”) on Qt code

    TheBubbleman
    wrote on 9 Apr 2020, 15:05 last edited by
    #1

    I've been trying to research this for a while and my limited experience with compiling is hindering my ability to figure it out.

    Basically, I have some code which is being written in Qt Creator, then built with these build steps:

    qmake.exe [project name].pro -spec win32-msvc "CONFIG+=qtquickcompiler"
    jom.exe in C:\eclipseworkspace\[project directory]
    

    I'd like to use the Fortify SCA (Static Code Analyzer) to automatically scan this code for vulnerabilities, but most of its user-friendly features are designed towards Java. I haven't given up, though, because Fortify does claim to be able to scan C++ code that uses 3rd Party Compilers (which I assume Qt falls into that category). (Page 37 of this document)

    As a preliminary step to running Qt Creator on my actual code, I've wanted to see if I can at least get it to run on any Qt sample project, to see what the steps to do that would be.

    I'm using Qt 5.12.7 on a Windows 10 OS with the MSVC2017 32bit compiler, but I feel any correlation between Qt and Fortify that works will be enough to set me off in the right direction.

    Or perhaps my optimism is misplaced and I just don't understand the limitations of what I want to do. Either way, it'd be nice to know.

      SGaist
      Lifetime Qt Champion
      wrote on 9 Apr 2020, 18:13 last edited by
      #2

      Hi and welcome to devnet,

      Qt does not use a third-party compiler. However, it uses tools to generate code and build files.

      One possible way would be to create a custom makespec based on the one used by your kit and modify the compiler line there to include the specifics of Fortify.

      Interested in AI ? www.idiap.ch
      Please read the Qt Code of Conduct - https://forum.qt.io/topic/113070/qt-code-of-conduct

        TheBubbleman
        wrote on 13 Apr 2020, 15:01 last edited by
        #3

        Thank you for your response!

        I'll look into that when I get some time. In the meantime, do you have any examples of "creating a custom makespec" that I could refer to so I know I'm on the right track?
        Also, to verify, Qt (and qmake) would not be considered a third party C++ compiler, either?

          SGaist
          Lifetime Qt Champion
          wrote on 13 Apr 2020, 17:23 last edited by
          #4

          To create a new one, copy the one you are using and give it a new name.
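An added illustration of the custom makespec suggested in the replies above (not written by either poster, and not Qt's or Fortify's own configuration): lines appended to the `qmake.conf` of a copy of `mkspecs/win32-msvc`. The makespec name `win32-msvc-fortify`, the variable `FORTIFY_BUILD_ID` and the build ID `qt_sample` are assumed names, and `sourceanalyzer` is assumed to be on `PATH` in the MSVC command prompt used for the build.

```qmake
# mkspecs/win32-msvc-fortify/qmake.conf
# win32-msvc-fortify is an assumed name for a copy of mkspecs/win32-msvc,
# kept in the same mkspecs directory so the copied relative include()
# lines still resolve.

# --- content copied unchanged from win32-msvc/qmake.conf stays above ---

# Build ID that ties the translation phase to the later scan phase.
# Taken from the environment when set, otherwise an assumed default.
FORTIFY_BUILD_ID = $$(FORTIFY_BUILD_ID)
isEmpty(FORTIFY_BUILD_ID): FORTIFY_BUILD_ID = qt_sample

# Prefix the MSVC compiler with Fortify's translator so every compile
# step in the generated Makefile is recorded under the build ID.
# The linker (QMAKE_LINK) is left as it is.
QMAKE_CC  = sourceanalyzer -b $$FORTIFY_BUILD_ID cl
QMAKE_CXX = $$QMAKE_CC

# Build and scan sequence, run from the project directory:
#   sourceanalyzer -b qt_sample -clean
#   qmake.exe [project name].pro -spec win32-msvc-fortify "CONFIG+=qtquickcompiler"
#   jom.exe
#   sourceanalyzer -b qt_sample -scan -f qt_sample.fpr
```

Sources generated by moc and the Qt Quick Compiler are compiled through the same `QMAKE_CXX` line, so they are translated along with the hand-written code and their findings appear in the same results file.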