I was wondering if anyone had any information on how to change a priority on a rule in HP Fortify?
For example in C, the category "Uninitialized Variables" has the fortify priority order of LOW. I need to change to HIGH for auditing purposes. Is there any way to change a rule or do I need to create a new rule?
If I need to create a new rule, how would I make a rule that matches "Uninitialized Variables" and make it global for other users to use?
There's not really way for you to modify the existing rule pack. But that's okay. There's something much easier that I can suggest that does not involve trying to create or modify custom rules (which can get a very messy if you're not careful).
The easiest thing you can do is create a custom Folder Filter.
Open up your FPR in Audit Workbench. Select the correct Filter Set that you normally use.
Your chosen Filter Set will be home to
our new Visibility Filter. For example purposes I will use the Security Auditor View. Then select the Filters tab and click Create New Filter.
Use the values shown below, but feel free to adjust if needed, and then click Save:
At this point, you should be able to see the Uninitialized Variable findings in the High tab.
SPECIAL CONSIDERATIONS:
This change to the organization of your Fortify Findings right now, only is in effect for this one FPR. If you wish to have this filter rule exist in scan for other projects, then you will need to modify the default fortify filters be creating something called a custom Fortify Issue Template. Check your fortify documentation to get more information on this.
If you try to upload this to SSC (Software Security Center) where you might want to perform some reporting, then the default Issue Template that lives on SSC will be used to sort and organize your scan's issues, when generating reports. If you wish for your new custom Fortify Issue Template to be used for reporting and organization withing the web UI, then you will need to override the default Issue Template on the SSC server with your new custom Issue Template. Again, see your documentation for more information on this.
Finally, there is a way to potentially create a custom Fortify Control Flow rule (which will need to be used, together in combination, with a suppression rule) that will make it possible to essentially reassign the priority metadata for your particular issue, but this is quite difficult.
Related
I am trying to represent environment variables in the Salesforce codebase and came across Custom Metadata Types. So based on which Sandbox I am in, I want to vary the baseURL of an external service that I am hitting from my apex class. I want to avoid hard coding anything in the class, and hence trying to find out an environment variable like solution.
How would you represent the URL as a custom metadata type? Also, how can I access it in the class? What happens when a qa sandbox is refreshed from prod? Do they custom metadata type records get overridden?
How are you calling that external service? If it's truly a base url you might be better of using "named credential" for it. It'll abstract the base url away for you, include authentication or certificate if you have to present any...
Failing that - custom metadata might be a poor choice. They're kind of dictionary objects, you can add more (but not from apex) but if you deploy stuff using Git/Ant/SFDX CLI rather than changesets it'd become bit pain, you'd need different custom metadata value for sandbox vs prod. Kinda defeats the purpose.
You might be better off using custom setting instead (hierarchy is enabled by default, list you'd have to flip a checkbox in setup. List is useful if you need key-value kind of pairs, similar to custom metadata): https://salesforce.stackexchange.com/questions/74049/what-is-the-difference-between-custom-settings-and-custom-metadata-types
And you can modify them with Apex too. Which means that in ideal world you could have a "postcopy" class running as soon as sandbox is refreshed that overwrites the custom setting with the non-prod value. For named credential I don't think you can pull it off, you'd need a mini deployment that changes it or manual step (have you seen https://salesforce.stackexchange.com/q/955/799 ?)
I have recently taken up salesforce.com and i have very little idea about its workings and stuff. Recently i was going through some of the stuff and i had a doubt...
Is there any way through which i can find out where an particular field/ object/ visualforce page has been used in an application. For example lets say i have a field labeled Sales, i want to be able to find where that particular field is used, under which object, and the object in which visualforce page/ Apex class, and the visualforce page/ Apex class is used in which application.
Hope i have made my Q clear.
Thanking everyone for their help
It's not really a programming question, you might be better off asking about administrative stuff like that on salesforce.stackexchange.com.
If you have a test environment (sandbox) - you could always try deleting the field there ;) I'm kidding but if you'll try it the page should display you a list where the field is being used.
Similar thing could be achieved by creating a changeset, adding that field to it and then checking dependencies.
But probably the best way would require some preparations upfront. Read about Force.com IDE (or Eclipse IDE) and how to use it to download files that represent your object definitions, page layouts, classes, visualforce pages, reports... This is great as backup but also will let you search the files (Ctrl+H in Eclipse or just use whatever you want once you have the files locally). Search for API name of the field (similar to My_Custom_Field__c should be most effective.
Pretty old thread but adding another option. I have a free and open source app that scans the fields in your Org and returns the components it's used in (Workflows, Processes, Page Layouts, Apex etc).
Keep in mind that returning fields in Apex and VF is not 100% accurate, as a field with the same API name on different objects would return as being found in a class, even though it might not (as others have mentioned).
Also, it can take quite a while to run on large Orgs.
App: http://schemalister.herokuapp.com/
Source Code: https://github.com/benedwards44/schemalister
I noticed that salesforce doesn't allow to override control function for all objects.
Say if you want to do something whenever objects get saved there is no way to attach the action
unless you create a custom page and include either standard controller or extension. Or if you want
to add the same meta-tag on all pages I run into this limitation. Is there better way to do this?
Generally - no. Roughly speaking if Salesforce doesn't allow you to do something it usually means there's pretty good hint you're doing in it wrong. I realize it sounds like I'm a fanboy but in reality - can you expand your question with concrete example why would you want to do something like that? For example governor limits are evil, annoying etc. - but they force you to write effective code that doesn't strain the database too much.
if you want to do something whenever objects get saved
That's what triggers are for. Ask yourself a question if the "action" you need to make should happen only from web UI or also when performed from API (mass data load, a smartphone application etc).
if you want to add the same meta-tag on all pages
You could maybe pull off similar result by adding a component to the sidebar. It won't cover all cases (like accessing Reports/Dashboards) but it's hard to say more without knowing what you're really after. Then again - custom VF page overrides won't help you when it comes to Reports either.
I wanted to add this as a comment, but was unable to.
Anyways, For the example that you mentioned in the comment, You can add that jQuery plugin in the Home page side bar component and activate the plugin only on those custom objects where you wnat to run this plugin. You might already know that we can deduce which object a record belongs to by looking at the 1st 3 letter of the record Id, using this logic, check if the record belongs to the custom object you want your plugin to act on and run the plugin.
But As eyescream has pointed out adding script in side bar has its own limitations: you cannot use the global variables , side bar components are not loaded on the reports and dashboard tabs etc.
-ಸಮಿರ್
I'm trying to make a custom column (for a custom list), where the users can upload files without overwriting the previous - this way they can keep past versions of the files and upload newer ones and the new ones append. There already exist "append only" comment columns and file upload columns that I can see.
I'm working with Sharepoint designer 2007 (2010 doesn't work with the site), and I'm referencing this code I found online somewhere (http://pastebin.com/raw.php?i=0qN89meu), trying to research the Sharepoint documentation on MSDN. I can open the site in designer, but don't know where to go from there (it's already running on a web server, not opening it locally).
I'm just not clear on how to start, I thought there'd be a simple "right+click -> new column" feature but I can't find it. If someone could point me in the right direction to where I could start creating columns on the site, that would be great. Thanks!
An untested idea :
Create a document library with a lookup column to the custom list.
Create an event receiver (ItemAdded and ItemUpdated) than will take the attached files and move them to the other list (with the correct lookup value). --> Code with Visual Studio
Grant to this document library only read permissions.
Adapt the view to display the related documents in the dispform of the custom list.
Advantages:
this seems to answer to your need
you gain all the usability of a document library (nothing prevent you to grant edit rights to other users, force check out, etc.)
Disadvantages:
you have to play with lookup. Can be tricky sometimes, if you play with features
you split one business entity to two entities. You will have to deal with cascading delete (if you need it).
I'm doing a personal, just for fun, project that is using screen scraping to give me a System Tray notification in case another line on an HTML table is added, modified or deleted.
Having done this before I thought: well let's go with the regular expression thing and that's it, but being a curious person, made me think that there could be something else out there that could have another paradigm but be as simple to use.
I know about DOM and X-Path and all the xml'ish approaches. I'm looking for something outside the box, something that can even be defined in a set of rules so you can make a plugin system to aggregate various sites.
See Options for HTML Scraping
Here's an idea: assuming your main use case is getting a notification whenever an HTML file changes, why not use a standard diff tool and then loop through the changed lines, applying your rules?
Also, if this is a situation where you have access to the server and the files you're watching, you might be able to put everything under source control with CVS (or similar) and just watch for commits. If you want to use this approach for random sites on the web, just write a script that periodically downloads the html for the appropriate URLs and then commits it to source control and watch the diffs.
Not very practical, but outside the box.
If you can convert the source into valid XHTML/XML using something like SgmlReader or HtmlTidy then you could use XSLT. Simply create a XSL template for each site you wish to scrape.