Description
After opening an FPR in Audit Workbench (AWB) and finding that an expected vulnerability is missing, open the "Warnings" tab in AWB: it shows that SCA (Source Analyzer) or ScanCentral could not translate some files because Python dependencies were not added to the package.
Message:
The file in question is located at C:\fortify\test1.py in the code provided. Is it possible to point to the Python lib folder and re-run the scan with the Windows sensor?
Solution
The issue is that ScanCentral is not adding the dependency required by a single Python file, test1.py, to the package.
You can add your own translation argument, -targs "-python-path <path to local dir>/lib", pointing at the lib directory on your machine where the files test1.py depends on exist, and ScanCentral will add all of those files to the package.
When you supply your own -targs parameter, ScanCentral will go and add the files specified by that parameter to the package.
To fix your problem and get the vulnerabilities to show, you merely need to add a single parameter: -targs "-python-path C:\Python\Python310\Lib"
In this example, C:\Python310\Lib is the Lib folder of the local Python install. You may need to alter this path to match your local install path.
The above adds the folder to the ScanCentral package zip. This fixes the missing-dependency warnings, and the missing vulnerability will show.
Example 1:
scancentral -debug package -bt none -bf C:\vulpy-master -yv 3 -pyr C:\vulpy-master\requirements.txt -o C:\myPackage_vulpy-masterTest.zip -targs "-python-path C:\Python310\Lib"
Example 2:
scancentral -debug package -bt none -bf C:\myPackageTest232 -yv 3 -pyr requirements.txt -o myPackageTest232.zip -targs "-python-path C:\Python312\Lib\**\*.py"
This second command will not include *.pyc files.
Note: For Python, it is important to supply the Python libraries for proper translation. Without them, the scan will likely generate warning messages about "unable to resolve imports".
If package size is a concern, you may be able to reduce it by specifying *.py in your -python-path option, as in Example 2.
See point #2 from the docs here: https://www.microfocus.com/documentation/fortify-static-code-analyzer-and-tools/2320/SCA_Help_23.2.0/index.htm#python/ImportFiles.htm?TocPath=Translating%2520Python%2520Code%257C_____3
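As an added example (not Fortify's code and not part of this article), the script below turns a list of imports the scan reported as unresolved into the local directories that belong on -python-path, assembles the scancentral package command from Example 1 around them, and checks a package zip for the source files that should now be present. The package it inspects is a constructed in-memory stand-in, and the use of the OS path separator to join several -python-path directories is an assumption to verify against the docs linked above.

```python
import importlib.util
import io
import os
import zipfile
from pathlib import Path


def import_roots(module_names):
    """Return (roots, no_source): directories to add to -python-path for each
    top-level import with .py source on disk, and names that have none to add."""
    roots, no_source = [], []
    for name in module_names:
        # find_spec on the top-level name locates it without importing it
        spec = importlib.util.find_spec(name.split(".")[0])
        if spec is None or not spec.origin or not spec.origin.endswith(".py"):
            no_source.append(name)  # not installed, built-in, frozen or extension-only
            continue
        origin = Path(spec.origin)
        # package: <root>/pkg/__init__.py ; plain module: <root>/mod.py
        root = origin.parent.parent if origin.name == "__init__.py" else origin.parent
        if root not in roots:
            roots.append(root)
    return roots, no_source


def scancentral_cmd(build_dir, requirements, out_zip, roots, python_major=3):
    """Assemble the Example 1 command line with a -python-path built from roots.
    Assumption: several directories are joined with the OS path separator."""
    python_path = os.pathsep.join(str(r) for r in roots)
    return ["scancentral", "-debug", "package", "-bt", "none", "-bf", build_dir,
            "-yv", str(python_major), "-pyr", requirements, "-o", out_zip,
            "-targs", f"-python-path {python_path}"]


def missing_from_package(zip_source, expected_files):
    """Return the expected file names (basenames) absent from the package zip."""
    with zipfile.ZipFile(zip_source) as zf:
        present = {Path(entry).name for entry in zf.namelist()}
    return [f for f in expected_files if f not in present]


def sample_package():
    """Constructed in-memory stand-in for a ScanCentral package (not a real one)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("src/app.py", "import test1\n")
        zf.writestr("src/helper.pyc", b"\x00")  # bytecode is not translatable source
    buf.seek(0)
    return buf
```

Run missing_from_package against the real zip written by -o after packaging; any name it returns is a dependency whose directory still needs to be added to -python-path.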
-------------------------------------------------------------------------------------------------------------------
References:
1). Description of -python-path:
Fortify Static Code Analyzer | Translating Python Code | Python Command-Line Options:
https://www.microfocus.com/documentation/fortify-static-code-analyzer-and-tools/2320/SCA_Help_23.2.0/index.htm#python/PythonOptions.htm?TocPath=Translating%2520Python%2520Code%257CPython%2520Translation%2520Command-Line%2520Syntax%257C_____1
2). Other -python-path examples:
Fortify Static Code Analyzer | Translating Python Code | Python Command-Line Examples:
https://www.microfocus.com/documentation/fortify-static-code-analyzer-and-tools/2320/SCA_Help_23.2.0/index.htm#python/PythonCL_Examples.htm?TocPath=Translating%2520Python%2520Code%257CPython%2520Translation%2520Command-Line%2520Syntax%257C_____2