Stephen Thompson

Reputation: 11

Using Fortify SCA (not outdated "HP Fortify") on Qt code

I've been trying to research this for a while and my limited experience with compiling is hindering my ability to figure it out.

Basically, I have some code which is being written in Qt Creator, then built with these build steps:

qmake.exe [project name].pro -spec win32-msvc "CONFIG+=qtquickcompiler"
jom.exe in C:\eclipseworkspace\[project directory]

I'd like to use the Fortify SCA (Static Code Analyzer) to automatically scan this code for vulnerabilities, but most of its user-friendly features are designed towards Java. I haven't given up, though, because Fortify does claim to be able to scan C++ code that uses 3rd Party Compilers (a category which I assume Qt falls into). (Page 37 of this document)

As a preliminary step to running Qt Creator on my actual code, I've wanted to see if I can at least get it to run on any Qt sample project, to see what the steps to do that would be.

I'm using Qt 5.12.7 on a Windows 10 OS with the MSVC2017 32bit compiler, but I feel any correlation between Qt and Fortify that works will be enough to set me off in the right direction.

Or perhaps my optimism is misplaced and I just don't understand the limitations of what I want to do. Either way, it'd be nice to know.

Upvotes: 1

Views: 1149

Answers (1)

Jordan Lefebvre

Reputation: 11

I have found this to be easiest on Linux. I think this solution translates to Windows.

You must inject the sourceanalyzer into your compiler command. For example, I run cmake to configure my projects.

# Route every C/C++ compiler invocation through sourceanalyzer, tagged with one build ID.
export CC="sourceanalyzer -b <your_project_name_here> gcc"
export CXX="sourceanalyzer -b <your_project_name_here> g++"
cmake <bunch of my cmake definitions> <path_to_src>
# I do a clean to remove what sourceanalyzer picks up during configuration time tests.
sourceanalyzer -b <your_project_name_here> -clean
# Build after the clean: only compiles that run now are translated into the build session.
make
# Analyze the translated code and write the results file.
sourceanalyzer -b <your_project_name_here> -scan -f scanResults.fpr

Upvotes: 1
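The same injection carried over to the qmake/jom build from the question, as an added example that is not part of the answer above and not Fortify's or Qt's own documentation. It is a batch script meant to be run from an "x86 Native Tools Command Prompt for VS 2017" so that cl.exe resolves; it assumes Fortify's bin directory, qmake.exe and jom.exe are on PATH, and the build ID "QtSample", the project name and the directory are placeholders. Instead of exporting CC/CXX, it sets the qmake variables QMAKE_CC and QMAKE_CXX on the qmake command line, which is what the generated Makefile's CC/CXX come from.

```batch
@echo off
rem Added example (not from the original post): Fortify SCA translation and scan of a
rem qmake/jom build with Qt 5.12 and MSVC 2017. Assumptions: run inside a VS 2017 native
rem tools prompt; sourceanalyzer, qmake.exe and jom.exe on PATH; placeholders below.
setlocal
set BUILD_ID=QtSample
set PROJECT=QtSample.pro
set SRC_DIR=C:\eclipseworkspace\QtSample

cd /d "%SRC_DIR%" || exit /b 1

rem 1. Start from an empty build session so nothing stale lands in the scan.
sourceanalyzer -b %BUILD_ID% -clean

rem 2. Configure with qmake, overriding the compiler command so the generated Makefile runs
rem    "sourceanalyzer -b QtSample cl ..." for every translation unit. QMAKE_CC/QMAKE_CXX
rem    are the qmake variables behind the Makefile's CC/CXX, so this is the same injection
rem    as the CC/CXX exports in the answer, done through qmake instead of the environment.
qmake.exe %PROJECT% -spec win32-msvc "CONFIG+=qtquickcompiler" ^
    "QMAKE_CC=sourceanalyzer -b %BUILD_ID% cl" ^
    "QMAKE_CXX=sourceanalyzer -b %BUILD_ID% cl"
if errorlevel 1 exit /b 1

rem 3. Force a full rebuild: jom only compiles what is out of date, and a file that is not
rem    compiled is not translated, so an up-to-date tree would give an empty scan.
jom.exe clean
jom.exe
if errorlevel 1 exit /b 1

rem 4. Check that the session contains your sources before spending time on the scan;
rem    an empty list means cl.exe was never routed through sourceanalyzer.
sourceanalyzer -b %BUILD_ID% -show-files

rem 5. Analyze the translated code and write the results file (open it in Audit Workbench).
sourceanalyzer -b %BUILD_ID% -scan -f scanResults.fpr
endlocal
```

The build ID is what ties the clean, the translation during the build and the scan together, so keep it identical on every line. If your Fortify version's make integration recognizes jom, an alternative is to leave the qmake line untouched and prefix only the build command with sourceanalyzer -b QtSample; the variable override above does not depend on that, because it rewrites the compiler command no matter which make tool runs the Makefile. Qt Creator users can put the two QMAKE_* assignments in the "Additional arguments" of the qmake build step rather than in a script.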
