Using Fortify SCA (not outdated “HP Fortify”) on Qt code

    TheBubbleman
    wrote on 9 Apr 2020, 15:05
    #1

    I've been trying to research this for a while and my limited experience with compiling is hindering my ability to figure it out.

    Basically, I have some code which is being written in Qt Creator, then built with these build steps:

    qmake.exe [project name].pro -spec win32-msvc "CONFIG+=qtquickcompiler"
    jom.exe in C:\eclipseworkspace\[project directory]
    

    I'd like to use the Fortify SCA (Static Code Analyzer) to automatically scan this code for vulnerabilities, but most of its user-friendly features are designed for Java. I haven't given up, though, because Fortify does claim to be able to scan C++ code that uses 3rd Party Compilers (a category I assume Qt falls into). (Page 37 of this document)

    As a preliminary step to running Qt Creator on my actual code, I've wanted to see if I can at least get it to run on any Qt sample project, to see what the steps to do that would be.

    I'm using Qt 5.12.7 on a Windows 10 OS with the MSVC2017 32bit compiler, but I feel any correlation between Qt and Fortify that works will be enough to set me off in the right direction.

    Or perhaps my optimism is misplaced and I just don't understand the limitations of what I want to do. Either way, it'd be nice to know.

      SGaist
      Lifetime Qt Champion
      wrote on 9 Apr 2020, 18:13
      #2

      Hi and welcome to devnet,

      Qt does not use a third party compiler. However, it uses tools to generate code and build files.

      One possible way would be to create a custom makespec based on the one used by your kit and modify the compiler line there to include the specifics of Fortify.

      Interested in AI ? www.idiap.ch
      Please read the Qt Code of Conduct - https://forum.qt.io/topic/113070/qt-code-of-conduct

        TheBubbleman
        wrote on 13 Apr 2020, 15:01
        #3

        Thank you for your response!

        I'll look into that when I get some time. In the meantime, do you have any examples of "creating a custom makespec" that I could refer to so I know I'm on the right track?
        Also, to verify, Qt (and qmake) would not be considered a third party C++ compiler, either?

          SGaist
          Lifetime Qt Champion
          wrote on 13 Apr 2020, 17:23
          #4

          To create a new one, copy the one you are using and give it a new name.

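One shape the custom makespec suggested in this thread could take, as an added example that is not from either poster and not taken from Qt's or Fortify's own files. It assumes the `win32-msvc` spec directory was copied to a sibling directory named `win32-msvc-fortify` (hypothetical name), that Fortify's `sourceanalyzer` is on `PATH`, and that `qtapp` is a made-up build ID.

```qmake
# <Qt install>/mkspecs/win32-msvc-fortify/qmake.conf
# (hypothetical name: a copy of the win32-msvc spec directory, kept next to
#  the original so relative include() paths in the copied files still resolve)
#
# Leave the copied contents as they are and append the overrides below at the
# end of the file, after the stock MSVC settings have been loaded.

# Assumption: build ID chosen for this project. Any name works as long as the
# translation and scan steps use the same one.
FORTIFY_BUILD_ID = qtapp

# Prefix the compiler with Fortify's translator so every compile line in the
# generated Makefile becomes: sourceanalyzer -b qtapp cl <flags> <source>
# Assumption: sourceanalyzer.exe is on PATH in the shell that runs jom.
QMAKE_CC  = sourceanalyzer -b $$FORTIFY_BUILD_ID cl
QMAKE_CXX = sourceanalyzer -b $$FORTIFY_BUILD_ID cl

# Build and scan sequence, run from the project directory:
#   sourceanalyzer -b qtapp -clean
#   qmake.exe [project name].pro -spec win32-msvc-fortify "CONFIG+=qtquickcompiler"
#   jom.exe clean      (force a full rebuild: only files that are actually
#   jom.exe             compiled get translated)
#   sourceanalyzer -b qtapp -scan -f qtapp.fpr
#
# Check before scanning: the CC and CXX lines in the generated Makefile should
# start with "sourceanalyzer -b qtapp".
# Sources generated by Qt's tools (moc_*.cpp and similar) go through the same
# compiler line, so they are translated and show up in the results as well.
```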
