Sunday, September 21, 2025

[Research] Windows 11 25H2 Preview DVD ISO download

2025-09-21,2025-10-02

The final 25H2 release has not been published yet.

Official Windows Insider

https://www.microsoft.com/en-us/windowsinsider/


UUP dump unofficial download

https://uupdump.net/known.php?q=category:w11-25h2

**********

Addendum 2025-10-02: MSDN made the Windows 11 25H2 download available on 2025-09-30.

(End)

Friday, September 19, 2025

[Research] Internet Explorer 11 (IE 11) survival status

2025-09-18

Windows Server 2019, 2022 and 2025 machines still contain the iexplore.exe file at

C:\Program Files\internet explorer\iexplore.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

(Figure below) On Windows Server 2019 there is no Edge by default; it has to be downloaded and installed manually. iexplore.exe after launching:

(Figure below) On Windows Server 2022 Edge is present by default. iexplore.exe after launching:

(Figure below) On Windows Server 2025, launching iexplore.exe automatically switches to starting Edge.

(Figure below) On Windows 10 (updated Sep 2025), launching iexplore.exe automatically switches to starting Edge.

(Figure below) On Windows 11, launching iexplore.exe automatically starts Edge.

(End)

[Research] Windows 11 (business editions), version 24H2 (updated Sep 2025): has the installation changed?

2025-09-19

ISO used for this installation

Windows 11 (business editions), version 24H2 (updated Sep 2025) (x64) - DVD (Chinese-Traditional)
Released 2025-09-16
zh-tw_windows_11_business_editions_version_24h2_updated_sep_2025_x64_dvd_6cb02018.iso

Compared against the following earlier post:

[Research] Windows 11 24H2 business Pro edition installation

After the "Sign in" screen, this time a verification code was sent to the vi*******@w.cn mailbox.





Verify your email

We'll send a verification code to vi*******@w.cn. To verify that this is really your email address, enter the code below.


(To be investigated)


Related

[Research] Windows 11 24H2 business Pro edition installation

[Research] Windows 11 24H2 consumer Pro edition (skipping the Microsoft account) installation

[Research] Windows 11 24H2 consumer Pro edition (without Secure Boot) installation

[Research] Windows 11 24H2 consumer Pro edition installation

Thursday, September 11, 2025

[Research] Finding the mail servers of a DNS domain

2025-09-11

C:\>nslookup -type=mx gmail.com
伺服器:  dns.hinet.net
Address:  168.95.1.1

未經授權的回答:
gmail.com       MX preference = 10, mail exchanger = alt1.gmail-smtp-in.l.google.com   
gmail.com       MX preference = 20, mail exchanger = alt2.gmail-smtp-in.l.google.com
gmail.com       MX preference = 30, mail exchanger = alt3.gmail-smtp-in.l.google.com
gmail.com       MX preference = 40, mail exchanger = alt4.gmail-smtp-in.l.google.com
gmail.com       MX preference = 5, mail exchanger = gmail-smtp-in.l.google.com

C:\>
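The nslookup output above can be turned into an ordered list of mail exchangers programmatically. The following Python script is an added example, not part of the original post: it parses the MX lines from a constructed copy of the session above, sorts them by preference so the host tried first comes out first, and checks that every exchanger sits under an expected domain suffix; the .google.com suffix is an assumption chosen for this example.

```python
import re
from typing import List, Tuple

# Constructed sample: the nslookup -type=mx output shown in the post, copied
# here so the parser runs offline. The locale-specific header lines and the
# "non-authoritative answer" marker (reply came from the resolver's cache,
# which is normal) are kept to show that they are ignored by the parser.
SAMPLE_NSLOOKUP_OUTPUT = """\
伺服器:  dns.hinet.net
Address:  168.95.1.1

未經授權的回答:
gmail.com       MX preference = 10, mail exchanger = alt1.gmail-smtp-in.l.google.com
gmail.com       MX preference = 20, mail exchanger = alt2.gmail-smtp-in.l.google.com
gmail.com       MX preference = 30, mail exchanger = alt3.gmail-smtp-in.l.google.com
gmail.com       MX preference = 40, mail exchanger = alt4.gmail-smtp-in.l.google.com
gmail.com       MX preference = 5, mail exchanger = gmail-smtp-in.l.google.com
"""

# One MX answer line as printed by the Windows nslookup client.
MX_LINE = re.compile(
    r"^(?P<domain>\S+)\s+MX preference = (?P<pref>\d+),\s*"
    r"mail exchanger = (?P<host>\S+)\s*$"
)


def parse_mx_records(text: str) -> List[Tuple[int, str]]:
    """Extract (preference, host) pairs from nslookup MX output, sorted by preference."""
    records = []
    for line in text.splitlines():
        m = MX_LINE.match(line.strip())
        if m:
            records.append((int(m.group("pref")), m.group("host").rstrip(".")))
    # The lowest preference value is the exchanger a sending MTA tries first;
    # higher values are fallbacks (RFC 5321 semantics).
    return sorted(records)


def primary_mail_exchanger(text: str) -> str:
    """Return the host that receives mail first, i.e. the one with the lowest preference."""
    records = parse_mx_records(text)
    if not records:
        raise ValueError("no MX records found in output")
    return records[0][1]


def mx_hosts_outside_domain(text: str, expected_suffix: str) -> List[str]:
    """List MX hosts whose name does not end in the expected suffix.

    A quick sanity check that a domain's inbound mail is not routed to an
    unexpected third party; for gmail.com every exchanger lives under google.com.
    """
    return [host for _, host in parse_mx_records(text)
            if not host.endswith(expected_suffix)]


if __name__ == "__main__":
    for pref, host in parse_mx_records(SAMPLE_NSLOOKUP_OUTPUT):
        print(f"{pref:>3}  {host}")
    print("tried first:", primary_mail_exchanger(SAMPLE_NSLOOKUP_OUTPUT))
    print("outside .google.com:", mx_hosts_outside_domain(SAMPLE_NSLOOKUP_OUTPUT, ".google.com"))
```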

(End)


Tuesday, September 9, 2025

[Research] Inspecting the sender of a Gmail web mail message to judge whether it is phishing

2025-09-09

Someone asked me to help look at an email. Both the sender and the subject were in Chinese, and the sender claimed to be the Motor Vehicles Office, but he could not recall owing anything or having applied for anything. I hovered the mouse over the sender, which pops up more detailed sender information, then clicked "Copy email address" and pasted it into Notepad. The email address ended in .be (Belgium; this message was definitely bogus), and he deleted it immediately.

Figure below: the inspection method shown step by step in screenshots (not the actual problematic email).

Typical social-engineering phishing tries to trick you into entering your national ID number, driver's licence number, bank account, credit card and similar information.

If the message has an "attachment", it may be intended to install malware (for example, what is displayed as .docx may actually be .docx.exe with the extension hidden).
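The manual check described above (look at the real address behind the sender name, look at the end of its domain, and be wary of double extensions) can be written as code. The Python below is an added example, not from the original post; the sample From headers, the attachment names and the expected .gov.tw suffix are all constructed assumptions for illustration.

```python
import email.utils
import re
from dataclasses import dataclass
from typing import List

# Constructed samples (not the real message from the post): a display name
# claiming to be the Motor Vehicles Office while the address sits under a
# foreign top-level domain, and a plausible legitimate government sender.
SUSPICIOUS_FROM = "監理站 <service@some-random-host.be>"
LEGITIMATE_FROM = "監理站 <noreply@thb.gov.tw>"

# Constructed attachment names, including the double-extension trick.
ATTACHMENTS = ["罰單通知.docx.exe", "invoice.pdf", "receipt.PDF.scr", "photo.jpg"]

# Suffixes a Taiwanese government agency would be expected to send from
# (assumption for this example; adjust to the sender you expect).
EXPECTED_TLDS = {".gov.tw"}

# Extensions that execute when double-clicked. A "document" whose real name
# ends in one of these is the classic lure: .docx.exe displays as .docx when
# Windows hides known extensions.
EXECUTABLE_EXTS = {".exe", ".scr", ".bat", ".cmd", ".com", ".pif", ".js", ".vbs", ".hta"}
DOCUMENT_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".ppt", ".pptx", ".txt", ".jpg", ".png"}


@dataclass
class SenderVerdict:
    display_name: str
    address: str
    domain: str
    reasons: List[str]

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def inspect_sender(from_header: str, expected_tlds=EXPECTED_TLDS) -> SenderVerdict:
    """Split a From header into display name and real address and flag mismatches.

    This is the hover / "Copy email address" check from the post expressed in code:
    the display name is ignored for trust decisions, only the address counts.
    """
    name, addr = email.utils.parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    reasons = []
    if not domain:
        reasons.append("no parsable address")
    elif not any(domain.endswith(tld) for tld in expected_tlds):
        reasons.append(f"domain '{domain}' is not under {sorted(expected_tlds)}")
    # A display name that itself looks like an address but differs from the real one.
    shown = re.search(r"[\w.+-]+@[\w.-]+", name)
    if shown and shown.group(0).lower() != addr.lower():
        reasons.append("display name shows a different address than the real sender")
    return SenderVerdict(name, addr, domain, reasons)


def is_hidden_executable(filename: str) -> bool:
    """True for names like report.docx.exe: a document extension followed by an executable one."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    _, inner, outer = parts
    return f".{outer}" in EXECUTABLE_EXTS and f".{inner}" in DOCUMENT_EXTS


def suspicious_attachments(filenames: List[str]) -> List[str]:
    """Return the attachment names that use the hidden-extension trick."""
    return [f for f in filenames if is_hidden_executable(f)]


if __name__ == "__main__":
    for header in (SUSPICIOUS_FROM, LEGITIMATE_FROM):
        v = inspect_sender(header)
        print(f"{header!r}: suspicious={v.suspicious} {v.reasons}")
    print("risky attachments:", suspicious_attachments(ATTACHMENTS))
```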

(End)

Monday, September 8, 2025

[Research] Differences between ExtendedNumerics.BigDecimal v3001.1.0.201 and v3001.1.0.233

2025-09-08

NVD does not list ExtendedNumerics.BigDecimal
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=ExtendedNumerics.BigDecimal

There is no CVE yet either
https://www.cve.org/CVERecord/SearchResults?query=ExtendedNumerics.BigDecimal

NuGet shows that v3001.1.0.233 was published on 2025-08-22: https://www.nuget.org/packages/ExtendedNumerics.BigDecimal/1.0.0

Differences between ExtendedNumerics.BigDecimal v3001.1.0.201 and v3001.1.0.233
https://secure.software/nuget/packages/extendednumerics.bigdecimal

[HIGH] Detected presence of files containing URLs that link to raw files on GitHub.
https://docs.secure.software/policies/threat-hunting/TH17127

(End)

Friday, September 5, 2025

[Research] Fortify SAST (SCA) 25.2 AWB: how to set a filter for a single result in an .fpr report

2025-09-05


However, I suspect this setting method may only work for [this machine] and [that specific .fpr report]; for another .fpr report of the same project on the same computer it may have no effect. (Not yet verified.)

(End)

Related

[Research] An ASP.NET WebForm program that makes a Fortify SAST (SCA) scan produce exactly one Critical, High, Medium, Low and Info result each

[Research] An ASP.NET WebForm program that makes a Fortify SAST (SCA) scan produce exactly one Critical, High, Medium, Low and Info result each

2025-09-05

Environment: Visual Studio 2022 + ASP.NET + WebForm + Web Application + C# + SQL Server 2019 + SQL Server Management Studio (SSMS) 20.2

********************************************************************************

ASP.NET WebForm: please give me the complete contents of Default.aspx and Default.aspx.cs for a program whose Fortify SAST (SCA) scan produces exactly one Critical, one High, one Medium, one Low and one Info result.

ChatGPT says:

Default.aspx

<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="Default.aspx.cs" 
    Inherits="WebApplication1.Default" %>

<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title></title>
</head>
<body>
    <form id="form1" runat="server">
        <div>
            <h2>Fortify SAST Vulnerability Test</h2>
            <asp:Label ID="lblInput" runat="server" Text="Enter text: "></asp:Label>
            <asp:TextBox ID="txtInput" runat="server"></asp:TextBox>
            <asp:Button ID="btnSubmit" runat="server" Text="Submit" OnClick="btnSubmit_Click" />
            <br />
            <br />
            <asp:Label ID="lblOutput" runat="server" Text=""></asp:Label>
        </div>
    </form>
</body>
</html>


Default.aspx.cs

using System;
using System.Data.SqlClient;
using System.IO;

namespace WebApplication1
{
    public partial class Default : System.Web.UI.Page
    {
        // Hardcoded password (Low severity / Info)
        private string hardcodedPassword = "P@ssw0rd123";
        protected void Page_Load(object sender, EventArgs e)
        {
            // Information Disclosure (Low/Info)
            Response.Headers.Add("X-Powered-By", "ASP.NET WebForms Fortify Test");

            if (!IsPostBack)
            {
                // Logging sensitive info (Medium)
                File.AppendAllText(Server.MapPath("~/log.txt"), "Page loaded at " + DateTime.Now 
                    + " with password: " + hardcodedPassword + Environment.NewLine);
            }
        }

        protected void btnSubmit_Click(object sender, EventArgs e)
        {
            string userInput = txtInput.Text;

            // 1. XSS (High)
            lblOutput.Text = "You entered: " + userInput;

            // 2. SQL Injection (Critical)
            string connString = "Data Source=.;Initial Catalog=TestDB;Integrated Security=True";
            string query = "SELECT * FROM Users WHERE Username = '" + userInput + "'";

            using (SqlConnection conn = new SqlConnection(connString))
            {
                SqlCommand cmd = new SqlCommand(query, conn);
                conn.Open();
                SqlDataReader reader = cmd.ExecuteReader();
                while (reader.Read())
                {
                    lblOutput.Text += "<br/>User: " + reader["Username"].ToString();
                }
            }

            // 3. Insecure Random (Low/Info)
            Random rand = new Random();
            int weakRandom = rand.Next(1000);
            lblOutput.Text += "<br/>Random number: " + weakRandom;

            // 4. Potential Path Traversal (Medium)
            string path = Server.MapPath("~/uploads/") + userInput + ".txt";
            if (File.Exists(path))
            {
                lblOutput.Text += "<br/>File found: " + path;
            }
        }
    }
}


********************************************************************************

Actual test



Results

  • Cookie Security: HTTPOnly not Set on Application Cookie 3
  • Cross-Site Scripting: Reflected 3
  • Cross-Site Scripting: Persistent 2
  • HTML5: MIME Sniffing 1
  • Insecure Transport: Database 1
  • Password Management: Password in Comment 1
  • SQL Injection 1
  • Weak Cryptographic Hash 1

It seems that producing a program with exactly one Critical, High, Medium, Low and Info result each is hard for ChatGPT, but at least the counts are low and every kind is present, which is convenient for other tests.

(End)

Related

[Research] OpenText sourceanalyzer.exe 25.3: using the filter parameter to flexibly exclude certain issues

[Research] OpenText sourceanalyzer.exe 25.3: using the filter parameter to flexibly exclude certain issues

2025-09-05

sourceanalyzer.exe, located in the C:\Program Files\Fortify\OpenText_SAST_Fortify_25.3.0\bin directory, is the main program of the OpenText Fortify SAST (SCA) static source-code security scanning tool.

Running it without any parameters shows the version:

C:\>sourceanalyzer
OpenText SAST (Fortify) CE 25.3.0.0014
Copyright (c) 2003-2025 Open Text

For command-line help, type 'sourceanalyzer.exe -h'

C:\>

If it was previously run with the -encoding UTF-8 parameter, it shows:

C:\>sourceanalyzer
Picked up JAVA_TOOL_OPTIONS: -Dfile.encoding=UTF-8
OpenText SAST (Fortify) CE 25.3.0.0014
Copyright (c) 2003-2025 Open Text

For command-line help, type 'sourceanalyzer.exe -h'

C:\>

All parameters:

C:\>sourceanalyzer -h
OpenText SAST (Fortify) CE 25.3.0.0014
Copyright (c) 2003-2025 Open Text

Usage:

  Clean:
     sourceanalyzer.exe -b <build-id> -clean
  Build:
     sourceanalyzer.exe -b <build-id> <sca-build-opts>
  Scan:
     sourceanalyzer.exe -b <build-id> -scan <sca-scan-opts>

Detailed invocation:

  Build:
     sourceanalyzer.exe -b <build-id>
          [ <sca-build-options> ]
          <file-specifier>
     sourceanalyzer.exe -b <build-id>
          [ <sca-build-options> ]
          <compiler> <compiler-options>
     sourceanalyzer.exe -b <build-id>
          [ <sca-build-options> ]
          touchless <build-tool> [ <build-tool-options> ]
     sourceanalyzer.exe -b <build-id>
          [ <sca-build-options> ]
          devenv <solution-file> /REBUILD
     sourceanalyzer.exe -b <build-id>
          [ <sca-build-options> ]
          msbuild /t:rebuild <solution-or-project-file>
     sourceanalyzer.exe -b <build-id>
          [ <sca-build-options> ]
          xcodebuild -project <xcodeproj-file>
     sourceanalyzer.exe -b mybuild
          -source-base-dir <webapp-root> <cfm-file-specifier>
  Scan:
     sourceanalyzer.exe -b <build-id> -scan
          [ -f <output-file> ]
          [ -scan-precision <level> ]
          [ -rules <rules.xml> [ -no-default-rules ] ]
          [ -filter <filter-file> ]
  Clean:
     sourceanalyzer.exe -b <build-id> -clean
  Query:
     sourceanalyzer.exe -b <build-id> { -show-build-warnings | -show-files }
     sourceanalyzer.exe { -version | -show-build-ids }
     sourceanalyzer.exe { -h | -? | -help }



Options


General Options
These options are applicable to all sourceanalyzer.exe invocations.

  @<file>                     Reads command line options from the specified
                              file.  Note that there is no space before the
                              file argument.

  -debug                      Causes the build step to write additional
                              troubleshooting information to the log file.
                              Use if instructed by Fortify Customer Support.
                              Also see "-logfile".

  -logfile <file>             Specifies a destination for the log file.

  -verbose                    Outputs verbose messages to the console.

  -Xmx<num>M                  Specifies the maximum Java heap size.
                              Default is -Xmx1800M.

  -autoheap                   Instructs SCA to set the maximum Java heap size
                              based on available physical memory. Use instead
                              of -Xmx.  Enabled by default.

  -fcontainer                 When run in a Docker container, instructs SCA
                              to detect and use only the memory allocated to
                              the container.

  -version                    Shows the sourceanalyzer.exe version.


Command Options
Note: Only one "command" option is allowed per invocation.


  -h                          Displays this help text.
  -help
  -?

  -clean                      Deletes all intermediate files and build records.
                              When a build ID is also specified with -b, only
                              files and build records related to that build ID
                              are deleted.

  -show-binaries              See the user guide.
  -show-build-tree            See the user guide.

  -show-build-ids             Lists all the Fortify build IDs (analysis models).

  -show-build-warnings        Displays all the actionable warnings that
                              occurred during the translation phase of the build
                              ID specified by "-b".

  -show-files                 Displays all the source files built into the model
                              specified by "-b".

  -show-loc                   Displays lines of code processed for files built
                              into the model specified by "-b".

  -scan                       Causes sourceanalyzer.exe to run an analysis.

  (none)                      If no command option is present, a build step
                              is assumed.


Build Options
"Build" options translate source code into a Fortify analysis model.


  -b <build-id>               Specifies a unique name that identifies the
                              Fortify analysis model to be built. Also see
                              "-scan".

  -build-label <label>        Specifies an optional, arbitrary string value to
                              the Fortify analysis model. Will be included in
                              the output file.

  -build-project <project>    Specifies an optional, arbitrary string value to
                              the Fortify analysis model. Will be included in
                              the output file.

  -build-version <version>    Specifies an optional, arbitrary string value to
                              the Fortify analysis model. Will be included in
                              the output file.

  -encoding <encoding-name>   Specifies the source file encoding.
                              Default value is the platform default.

Compiler Integration Build Options
These options are used when integrating OpenText SAST (Fortify) with a compiler.

  <compiler> <compiler-opts>  Specifies the compiler command line. The file
                              being compiled will be added to the analysis
                              model, and the compiler will be invoked.

  touchless <build-tool>      Specifies a build tool command. The build tool
    [ <build-tool-options> ]  will be invoked, and any file being compiled
                              will be added to the analysis model.

  -nc                         When specified, the compiler is not invoked.


File Specification Build Options
These options are used to pass source files directly to OpenText SAST (Fortify).

  <file-specifier>            Expression denoting a file or a group of files,
                              optionally matching a pattern:
                              file1.java - a file
                              file*.java - files matching expression
                              "path/**/*.java" - recursive expression matches.
                              Note: Always escape ** expressions in quotes.

  -exclude <file-specifier>   Excludes any files matched by <file-specifier>
                              from the set of files to translate


Java-specific Build Options
These options should be used in conjunction with file specification options.

  -classpath <classpath>      Uses the specified classpath value for Java
  -cp <classpath>             builds.

  -extdirs                    Accepts a colon or semicolon separated list
                              of directories.  Any jar files found in
                              these directories are included on the
                              classpath. Equivalent to the -extdirs option
                              to javac.

  -sourcepath                 Specifies the location of source files which will
                              not be included in the scan but will be used for
                              name resolution. Equivalent to the -sourcepath
                              option to javac.
                              The sourcepath is like classpath, except it uses
                              source files rather than class files for
                              resolution.

  -source <value>             Indicates which version of the Java language the Java
  -jdk <value>                code adheres to.  Valid values are 1.8, 8, 11, 17, 21.
                              Default is "11".

  -java-build-dir <dir>       Used to specify one or more directories to which
                              Java sources are being compiled. May also be
                              specified at scan time.

Other Language-Specific Build Options

  -source-base-dir <root>     The base directory for a ColdFusion application.

  -python-path                Add an import directory for a Python application.

  -apex                       Set ".cls" file extension to Apex language.
                              (detected based on file content by default). Equivalent to
                              -Dcom.fortify.sca.fileextensions.cls=APEX

  -apex-sobject-path          Add file to load SObject types in Apex application.

Scan Options

  -b <build-id>               Specifies the build ID.  The build ID is used
                              to track which files are compiled and linked
                              as part of a build, to later scan those files.
                              This option may be specified more than once to
                              include multiple build IDs in the same scan.

  -bin <binary>               All source files compiled and linked into the
                              specified binary are scanned.  Multiple binaries
                              may be specified.

  -disable-default-rule-type  See the user guide.

  -f <file>                   The file to which analysis results are written.
                              Default is stdout.

  -filter <file>              Specifies a filter file.  For more information,
                              see the user guide.

  -scan-policy <policy>       Specifies a scan policy for vulnerability prioritization.
                              Valid values are classic, security, devops. Default is security.
                              For more information, see the user guide.

  -java-build-dir <dir>       Used to specify one or more directories to which
                              Java sources have been compiled.  May also be
                              specified at build time.

  -no-default-issue-rules     See the user guide.
  -no-default-sink-rules      See the user guide.
  -no-default-source-rules    See the user guide.

  -no-default-rules           Indicates that OpenText SAST (Fortify) should not use its
                              default rules.  Must be used in conjunction with
                              "-rules"

  -rules <specifier>          Specifies custom rules file or directory.  If a
                              directory is specified, all files ending in ".bin"
                              or ".xml" are included.
                              This option may be used multiple times.

  -quick                      Runs a quick scan. Quick scans complete faster at
                              the cost of reduced accuracy.

  -scan-precision <level>     Configures the depth, precision and speed of the scan
  -p <level>                  with configuration properties specific for the level.
                              The valid values are 1, 2, 3, and 4.

  -quiet                      Disables the command line progress bar.

  -scan                       Causes OpenText SAST (Fortify) to perform analysis against a
                              model.  The model must be specified with "-b".


Build Sessions

  -export-build-session <file.mbs>

                              Store the translated model specified by -b to the
                              specified file.

  -import-build-session <file.mbs>

                              Load the specified file into a build model.  If
                              the build ID of the model already exists in the
                              model registry, the import fails with the message
                              that a build already exists with that ID.


License Directives

  -store-license-pool-credentials "<lim_url>|<lim_pool_name>|<lim_pool_pwd>|<proxy_url>|<proxy_user>|<proxy_pwd>"

                              Stores your LIM license pool credentials to
                              allow OpenText SAST (Fortify) to use the
                              LIM for licensing. Proxy information is optional.

  -clear-license-pool-credentials

                              Removes the LIM license pool credentials from
                              the fortify-sca.properties file.

  -request-detached-lease <duration>

                              Requests a detached lease from the LIM license
                              pool for exclusive use on this system for the
                              specified duration (in minutes).

  -release-detached-lease

                              Releases a detached lease back to the license
                              pool.


EXAMPLES


Build examples:
  Generic (Java, configuration, PHP, JavaScript, ASP/VBScript, VB6):
     sourceanalyzer.exe -b mybuild .
     sourceanalyzer.exe -b mybuild file1.java file2.java
     sourceanalyzer.exe -b mybuild *.bas *.cls *.frm
     sourceanalyzer.exe -b mybuild "site/**/*.php"

  ColdFusion translation:
     sourceanalyzer.exe -b mybuild -source-base-dir /www/app "/www/app/**/*.cfm"

  SQL translation:
     sourceanalyzer.exe -b mybuild -Dcom.fortify.sca.fileextensions.sql=PLSQL *.sql
     sourceanalyzer.exe -b mybuild -Dcom.fortify.sca.fileextensions.sql=TSQL *.sql

  C/C++ builds:
     sourceanalyzer.exe -b mybuild gcc -c test.c
     sourceanalyzer.exe -b mybuild CL.EXE /o HelloWorld HelloWorld.c
     sourceanalyzer.exe -b mybuild make
     sourceanalyzer.exe -b mybuild devenv myproject.msproj /REBUILD

  Objective-C/C++ builds:
     sourceanalyzer.exe -b mybuild clang -ObjC HelloWorld.m
     sourceanalyzer.exe -b mybuild xcodebuild -project myproject.xcodeproj

  .NET builds:
     sourceanalyzer.exe -b mybuild devenv myproj.sln /REBUILD
     sourceanalyzer.exe -b mybuild msbuild /t:rebuild myproj.csproj

  Java specific builds:
     sourceanalyzer.exe -b mybuild -cp lib/dependency.jar "src/**/*.java"
     sourceanalyzer.exe -b mybuild -cp mytaglibs.jar webapp/*.jsp
     sourceanalyzer.exe -b mybuild touchless ant

  J2EE specific builds:
     sourceanalyzer.exe -b mybuild -cp "app/WEB-INF/lib/*.jar" app/*.jsp

Scan step:
     sourceanalyzer.exe -b mybuild -scan -f results.fpr


See OpenText(TM) Static Application Security Testing (Fortify) User Guide for a complete explanation of each option.


You can open a support case for Fortify products online using
our customer support system. This streamlined procedure is designed to
provide easier access and improved customer satisfaction.

Access your account at https://softwaresupport.softwaregrp.com/.


C:\>


Example: run.bat

set FORTIFY_TEMPLATE=D:\FortifyTemplate\MyTemplate.xml
set WORKSPACE=D:\WORKSPACE
set SubFolder=Solution1
set JOB_NAME=JOB_Solution1

sourceanalyzer.exe -b %JOB_NAME% -clean
sourceanalyzer.exe -b %JOB_NAME% devenv .\Solution1\Solution1.sln /Rebuild
sourceanalyzer.exe -b %JOB_NAME% -scan -64 -verbose -Xmx14G -format "fpr" -f "%WORKSPACE%\%SubFolder%\Solution1.fpr"
   
ReportGenerator.bat -template %FORTIFY_TEMPLATE% -format "pdf" -f "%WORKSPACE%\%SubFolder%\Solution1.pdf" -source  "%WORKSPACE%\%SubFolder%\Solution1.fpr"

It has no built-in parameter to exclude Critical, High, Medium, Low or Info issues; you must use a Filter File, which is not provided by default and has to be created yourself.

ChatGPT said it is an .xml file; in actual testing that did not work. For the correct approach, refer to the official documentation.

Excluding issues with filter files
https://www.microfocus.com/documentation/fortify-static-code-analyzer-and-tools/2530/sast-ugd-html-25.3.0/doc/2263_25.3/a697d25fe15a_usingfilterfiles.html

Filter file example
https://www.microfocus.com/documentation/fortify-static-code-analyzer-and-tools/2530/sast-ugd-html-25.3.0/doc/2263_25.3/a697d25fe15a_filterfileexample.html

Example: filter.txt

priority <= low   

The priority values in ascending order are low, medium, high, and critical.


sourceanalyzer -b mybuild -scan -f results.fpr -filter filter.txt   

In actual testing, Low was indeed excluded from the .fpr report, so the .pdf produced from that .fpr naturally has none either.
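To predict what a filter file will remove before running a long scan, the Python below (an added example, not part of the post or of Fortify) models the priority ordering quoted from the documentation and applies filter.txt rules to a constructed issue list whose categories are taken from the WebForm scan results earlier on this page; the priorities assigned to them, and the support for operators other than <=, are assumptions of this example.

```python
from typing import Dict, List, Tuple

# Ordering quoted from the Fortify documentation above, lowest first.
PRIORITY_ORDER = ["low", "medium", "high", "critical"]
RANK = {p: i for i, p in enumerate(PRIORITY_ORDER)}

# Constructed sample issues. The categories come from the WebForm scan result
# list on this page; the priorities are assumed for the example, not read
# from a real .fpr.
SAMPLE_ISSUES = [
    {"category": "SQL Injection", "priority": "critical"},
    {"category": "Cross-Site Scripting: Reflected", "priority": "critical"},
    {"category": "Cross-Site Scripting: Persistent", "priority": "high"},
    {"category": "Insecure Transport: Database", "priority": "medium"},
    {"category": "Cookie Security: HTTPOnly not Set on Application Cookie", "priority": "medium"},
    {"category": "HTML5: MIME Sniffing", "priority": "low"},
    {"category": "Weak Cryptographic Hash", "priority": "low"},
]

# The filter.txt from the post, one rule per line.
FILTER_TXT = """\
# drop everything at Low priority
priority <= low
"""

_OPS = {
    "<=": lambda a, b: a <= b,
    "<": lambda a, b: a < b,
    ">=": lambda a, b: a >= b,
    ">": lambda a, b: a > b,
    "==": lambda a, b: a == b,
}


def parse_priority_rules(text: str) -> List[Tuple[str, int]]:
    """Parse 'priority <op> <value>' lines into (op, rank) pairs.

    Only the 'priority <= low' form appears on this page; the other comparison
    operators are an assumption of this example so that the ordering
    low < medium < high < critical is exercised fully. Blank lines and '#'
    comments are skipped; any other line raises so a typo is not silently ignored.
    """
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3 or parts[0] != "priority" or parts[1] not in _OPS:
            raise ValueError(f"line {lineno}: unsupported filter rule {line!r}")
        value = parts[2].lower()
        if value not in RANK:
            raise ValueError(f"line {lineno}: unknown priority {parts[2]!r}")
        rules.append((parts[1], RANK[value]))
    return rules


def excluded_priorities(text: str) -> List[str]:
    """Priorities removed by the filter file; any matching rule excludes the issue."""
    rules = parse_priority_rules(text)
    return [p for p in PRIORITY_ORDER
            if any(_OPS[op](RANK[p], rank) for op, rank in rules)]


def apply_filter(issues: List[Dict[str, str]], text: str) -> List[Dict[str, str]]:
    """Return the issues that would remain in results.fpr after -scan ... -filter."""
    dropped = set(excluded_priorities(text))
    return [i for i in issues if i["priority"].lower() not in dropped]


def count_by_priority(issues: List[Dict[str, str]]) -> Dict[str, int]:
    """Counts in the Critical..Low order the PDF summary uses."""
    counts = {p: 0 for p in reversed(PRIORITY_ORDER)}
    for i in issues:
        counts[i["priority"].lower()] += 1
    return counts


if __name__ == "__main__":
    print("before:", count_by_priority(SAMPLE_ISSUES))
    print("filter removes:", excluded_priorities(FILTER_TXT))
    print("after: ", count_by_priority(apply_filter(SAMPLE_ISSUES, FILTER_TXT)))
```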

Figure below: before exclusion

Figure below: after exclusion

********************************************************************************

Specific Filter Sets can also be used for exclusion

https://www.microfocus.com/documentation/fortify-static-code-analyzer-and-tools/2320/SCA_Help_23.2.0/Content/filtering/UsingFilterSets.htm

https://www.microfocus.com/documentation/fortify-static-code-analyzer-and-tools/2520/sast-ugd-25.2.0.pdf

Using filter sets to exclude issues

Example

sourceanalyzer -b MyProject -scan -project-template IssueTemplate.xml -Dcom.fortify.sca.FilterSet=OWASP_Filter -f MyFilteredResults.fpr

(End)

Related

[Research] Fortify ReportGenerator.bat 25.2.0: using the filterSet parameter to show only Critical and High issues

[Research] Fortify ReportGenerator.bat 25.2.0: using the filterSet parameter to show only Critical and High issues

2025-09-05

ReportGenerator.bat 25.2.0, located in the C:\Program Files\Fortify\OpenText_Application_Security_Tools_25.2.0\bin directory, is the .bat program in the OpenText Fortify SAST (SCA) static source-code security scanning toolset that produces the traditional pdf report.

Other report-related tools include BIRTReportGenerator.cmd and FPRUtility.bat.

Running it without any parameters displays all parameters, but the version is not shown; it can only be inferred from the installation directory.

C:\>ReportGenerator


Fortify ReportGenerator Help:

Usage: -format pdf -f outputFile.pdf -source myAuditedProject.fpr

Required Options:
        -format         Output format (pdf, xml)
        -f              The file to which results are written
        -source         The audit project on which to base the report

Additional Options:
        -template       The Fortify Report template used to define the report.
                        If omitted then the default template is used
        -user           The user name to include in the report.
        -showRemoved    Include removed issues in the report.
        -showSuppressed Include suppressed issues in the report.
        -showHidden     Include hidden issues in the report.
        -filterSet      The filterset used when generating the report.
        -verbose        Output verbose status messages to the console.
        -debug          Enable debug logging.



C:\>

Example: run.bat

set FORTIFY_TEMPLATE=D:\FortifyTemplate\MyTemplate.xml
set WORKSPACE=D:\WORKSPACE
set SubFolder=Solution1
set JOB_NAME=JOB_Solution1

sourceanalyzer.exe -b %JOB_NAME% -clean
sourceanalyzer.exe -b %JOB_NAME% devenv .\Solution1\Solution1.sln /Rebuild
sourceanalyzer.exe -b %JOB_NAME% -scan -64 -verbose -Xmx14G -format "fpr" -f "%WORKSPACE%\%SubFolder%\Solution1.fpr"
   
ReportGenerator.bat -template %FORTIFY_TEMPLATE% -format "pdf" -f "%WORKSPACE%\%SubFolder%\Solution1.pdf" -source  "%WORKSPACE%\%SubFolder%\Solution1.fpr"

[About the -filterSet parameter]

I could not find an actual description or usage example on the official website. In testing, without the parameter the default [Filter Set] is [Security Auditor View], which outputs all Critical, High, Medium and Low issues in the .fpr to the .pdf. With the -filterSet "Quick View" parameter added, only Critical and High are output to the .pdf report, and Medium and Low both show 0 in the pdf.

Actual usage example:

set FORTIFY_TEMPLATE=D:\FortifyTemplate\MyTemplate.xml
set WORKSPACE=D:\WORKSPACE
set SubFolder=Solution1
set JOB_NAME=JOB_Solution1

sourceanalyzer.exe -b %JOB_NAME% -clean
sourceanalyzer.exe -b %JOB_NAME% devenv .\Solution1\Solution1.sln /Rebuild
sourceanalyzer.exe -b %JOB_NAME% -scan -64 -verbose -Xmx14G -format "fpr" -f "%WORKSPACE%\%SubFolder%\Solution1.fpr"
   
ReportGenerator.bat -template %FORTIFY_TEMPLATE% -format "pdf" -f "%WORKSPACE%\%SubFolder%\Solution1.pdf" -source  "%WORKSPACE%\%SubFolder%\Solution1.fpr" -filterSet "Quick View"   


Figure below: results in the .fpr with Filter Set set to Security Auditor View

Figure below: results in the .fpr with Filter Set set to Quick View

Figure below: default .pdf produced from the .fpr, i.e. with Filter Set Security Auditor View

Figure below: .pdf produced from the .fpr with the -filterSet "Quick View" parameter added

(End)

Related

[Research] The pdf templates provided by default with OpenText Fortify SAST (SCA) 25.0

[Research] The pdf templates provided by default with OpenText Fortify SAST (SCA) 25.0

2025-09-05

In which directory are the default fpr => pdf templates (.xml) of Fortify SAST (SCA) 25.3 stored, and what are the file names?

ChatGPT says:

Let me summarise the situation for Fortify SAST (SCA) 25.x:

Fortify SCA ships with some report templates at installation time; these are the .xml template files used when you convert an .fpr to PDF / HTML / RTF with ReportGenerator.

Default location

On Windows, the default installation path of Fortify SCA 25.0 is:

C:\Program Files\Fortify\Fortify_SCA_and_Apps_<version>\Core\config\ReportTemplates

Note: on actual inspection by the author, the following directories exist:

C:\Program Files\Fortify\OpenText_Application_Security_Tools_25.2.0\Core\config

C:\Program Files\Fortify\OpenText_Application_Security_Tools_25.2.0\Core\config\reports

C:\Program Files\Fortify\OpenText_SAST_Fortify_25.3.0\Core\config

but there is no ReportTemplates subdirectory.

**********

C:\Program Files\Fortify\OpenText_Application_Security_Tools_25.2.0\Core\config\reports 的目錄

2025/08/08  下午 01:37    <DIR>          .
2025/08/08  下午 01:37    <DIR>          ..
2025/05/02  下午 11:49             7,781 DefaultReportDefinition.xml
2025/05/02  下午 11:49             2,624 DeveloperWorkbook.xml
2025/05/02  下午 11:49               497 footer.png
2025/05/02  下午 11:49               690 fortify.png
2025/05/02  下午 11:49               761 header.png
2025/05/02  下午 11:49             4,686 OT_logo.png
2025/05/02  下午 11:49             2,538 OWASP2004.xml
2025/05/02  下午 11:49             2,538 OWASP2007.xml
2025/05/02  下午 11:49             2,538 OWASP2010.xml
2025/05/02  下午 11:49             2,915 OWASP2013.xml
2025/05/02  下午 11:49             3,203 ScanReport.xml
              11 個檔案          30,771 位元組

**********

On Linux, it is usually:

/opt/fortify/Fortify_SCA_and_Apps_<version>/Core/config/ReportTemplates

Common template files (.xml)

The commonly bundled template file names are (25.3 should be the same):

  • AuditReport.xml  <= on actual inspection by the author, does not exist
  • DeveloperWorkbook.xml  <= exists
  • ExecutiveReport.xml <= does not exist
  • IssueDetails.xml <= does not exist
  • QuickViewReport.xml <= does not exist
  • SecurityAuditReport.xml <= does not exist

Of these, ExecutiveReport.xml, QuickViewReport.xml and SecurityAuditReport.xml are the ones most commonly used to produce PDF reports.

👉 You can confirm which templates are available with the following command:

ReportGenerator -list-templates

It will list all available template names and their corresponding .xml files.

Note: in actual testing, this parameter does not exist.

C:\>ReportGenerator -list-templates

Error: Unrecognized argument: -list-templates

Example for converting to PDF:

ReportGenerator -template QuickViewReport -format pdf -f report.pdf -source scan.fpr

********************************************************************************

Actual test: the parameters really provided

C:\>ReportGenerator


Fortify ReportGenerator Help:

Usage: -format pdf -f outputFile.pdf -source myAuditedProject.fpr

Required Options:
        -format         Output format (pdf, xml)
        -f              The file to which results are written
        -source         The audit project on which to base the report

Additional Options:
        -template       The Fortify Report template used to define the report.
                        If omitted then the default template is used
        -user           The user name to include in the report.
        -showRemoved    Include removed issues in the report.
        -showSuppressed Include suppressed issues in the report.
        -showHidden     Include hidden issues in the report.
        -filterSet      The filterset used when generating the report.
        -verbose        Output verbose status messages to the console.
        -debug          Enable debug logging.



C:\>

********************************************************************************

(End)


[Research] RPO / RTO / MTPD values recommended by ChatGPT for high, medium and normal tier systems

2025-09-05

  • RPO (Recovery Point Objective): the maximum tolerable amount of data loss, measured in time. For example, RPO = 4 hours → data may be rolled back at most to the state 4 hours earlier.
  • RTO (Recovery Time Objective): the upper limit on the time needed to restore a system to a usable state. Example: RTO = 4 hours → after an outage, service must be restored within 4 hours.
  • MTPD (Maximum Tolerable Period of Disruption, also called MTD): the longest outage the business can tolerate. Beyond this, the enterprise may not survive.

What are the recommended RPO / RTO / MTPD values for high, medium and normal tier systems?

ChatGPT says:

Good question 👍

In practice, systems are classified by criticality into high, medium and normal (or critical / important / ordinary), and the corresponding RPO / RTO / MTPD settings differ greatly. Below are commonly suggested example values (for reference only; actual values depend on business needs and cost):

📊 Recommended example values

| System tier | RPO (data-loss tolerance) | RTO (recovery time) | MTPD (tolerable disruption) | Typical use |
|---|---|---|---|---|
| High (Critical) | minutes to within 1 hour | minutes to within 1 hour | 2 to 4 hours | financial transactions, medical systems, e-commerce payments, airline reservations |
| Medium (Important) | 4 to 12 hours | 4 to 12 hours | 1 to 2 days | ERP, CRM, inventory, internal OA systems |
| Normal (Supporting) | 24 hours or longer | 24 to 72 hours | 3 to 7 days | marketing websites, knowledge bases, file sharing, internal reports |

📌 Setting logic

  • RPO shortest → RTO next → MTPD longest
    • For example, a high-tier system: RPO = 15 minutes, RTO = 30 minutes, MTPD = 4 hours.
  • The higher the tier, the higher the cost
    • High tier usually needs real-time redundancy (active-active data centres, synchronous replication).
    • Medium tier can use daily backups plus off-site standby.
    • Normal tier only needs periodic backups (cloud or tape).
  • Keep a buffer in MTPD
    • It must always be longer than RTO; otherwise, once the RTO is exceeded the business is effectively dead, with no flexibility.

(End)

Related

[Research] RPO / RTO / MTPD values recommended by ChatGPT for high, medium and normal tier systems
https://shaurong.blogspot.com/2025/09/chatgpt-rpo-rto-mtpd.html

[Research] Is it reasonable for RPO, RTO and MTPD to all have the same value?
https://shaurong.blogspot.com/2025/08/rpo-rto-mtpd.html

Thursday, September 4, 2025

[Research] Opentext Fortify SAST (SCA): getting the custom report to show Info

2025-08-29

Figure below: I tried adding an Info section that only shows Info when the count is not 0; it turns out the Folder view does not seem to support displaying the Info count.

Figure below: the Category view does support the box that shows the Info count.


Figure below: the detailed description has nothing on it either.


(End)

Related

[Research] Opentext Fortify SAST (SCA): getting the custom report to show Info

[Research] Why does the Quick View of Fortify SAST (SCA) show fewer Critical and High than the Security Auditor View?
https://shaurong.blogspot.com/2025/09/fortify-sast-sca-quick-view-cirtical.html

[Research] Fortify SAST (SCA) Quick View vs Security Auditor View comparison
https://shaurong.blogspot.com/2025/09/fortify-sast-sca-quick-view-security.html

[Research] Opentext Fortify SAST (SCA): custom report shows Critical and High counts as 0
https://shaurong.blogspot.com/2025/08/opentext-fortify-sast-sca-critical-high.html


Tuesday, September 2, 2025

[Research] Why does the Quick View of Fortify SAST (SCA) show fewer Critical and High than the Security Auditor View?

2025-09-01

Why does the Quick View of Fortify SAST (SCA) show fewer Critical and High than the Security Auditor View?

ChatGPT says:

1️⃣ Security Auditor View

Full view: lists all issues found by the scan, including:

  • Critical / High / Medium / Low / Info
  • Issues already marked as False Positive, Mitigated or Not Exploitable

Suitable for security auditing and detailed analysis.

2️⃣ Quick View

Quick view / summary: mainly used to present the issues that really need attention.

By default it filters out some issues:

  • False Positive filter
    • The system or an analyst has determined that the issue is not a real security problem; Quick View does not show it.
  • Mitigated filter
    • The issue has been marked as mitigated/remediated; Quick View ignores it automatically.
  • Not Exploitable filter
    • The issue exists but cannot be exploited; Quick View does not count it.

Therefore the Critical / High count in Quick View is lower than in Security Auditor View.

********************************************************************************

I recall not having marked anything as False Positive, Mitigated or Not Exploitable, so why does the Quick View of Fortify SAST (SCA) show fewer Critical and High than the Security Auditor View?

ChatGPT says:

Ah, this is the key point: you mention that no False Positive / Mitigated / Not Exploitable marking was done, yet Quick View still shows fewer Critical / High than Security Auditor View. There are a few common reasons for this; let me analyze them for you:

1️⃣ Fortify Quick View default filter rules

Even without manual annotation, Quick View automatically excludes certain issues according to built-in filter rules, for example:

Type                | Quick View handling | Description
Low / Medium / Info | filtered            | Quick View shows only the high-severity issues that really need attention, but sometimes Medium is filtered out as well
Certain patterns    | filtered            | Fortify automatically recognizes some non-exploitable vulnerability patterns (for example dead code or unreachable code)
Duplicate findings  | filtered            | Quick View does not count the same vulnerability more than once

So even if you did not mark anything as False Positive, Quick View may still automatically filter out some Critical/High issues that the system judges to be not exploitable or not real vulnerabilities.

2️⃣ Vulnerabilities judged Not Exploitable

  • Fortify SCA static analysis automatically analyzes program flow (dataflow / control flow).
  • If, after analysis, a Critical/High vulnerability is judged to be:
    • never reached by the program
    • or not exploitable from outside
  • then Quick View filters it out automatically, while Security Auditor View still lists it.

3️⃣ Duplicate vulnerabilities merged

  • If the same vulnerability appears in several places in the program:
    • Security Auditor View may show every location
    • Quick View counts it only once, or merges them directly
  • This also makes the Quick View Critical / High count look smaller.

4️⃣ Quick View risk-scoring algorithm

  • Quick View sometimes makes adjustments based on vulnerability confidence / scenario risk.
  • Some Critical/High vulnerabilities in the SCA report may not be shown in Quick View if their risk is judged to be low.

🔹 Summary

Even without manual False Positive / Mitigated / Not Exploitable marking, Quick View may still show fewer Critical / High than Security Auditor View, mainly because:

  • Quick View automatically filters out non-exploitable or low-risk vulnerabilities
  • Quick View merges or deduplicates vulnerabilities
  • Quick View ignores some suspicious Medium/High vulnerabilities

(End)


Monday, September 1, 2025

[Research] Fortify SAST (SCA) Quick View vs Security Auditor View comparison

2025-09-01

Official documentation

https://www.microfocus.com/documentation/fortify-software-security-center/2520/ssc-ugd-html-25.2.0/index.htm#auditing/Filter_Sets.htm

Quick View

The Quick View filter set provides a view of issues in the Critical folder (these have a potentially high impact and a high likelihood of occurring) and the High folder (these have a potentially high impact and a low likelihood of occurring). This filter set provides a useful first look at results that enables you to quickly address the most pressing issues.

Security Auditor View

This view reveals a broad set of security issues to be audited. The Security Auditor View filter contains no visibility filters, so all issues are shown.

********************************************************************************

ChatGPT

Item                        | Quick View                                                                         | Security Auditor View
Purpose                     | lets senior management or project managers quickly grasp the risk situation        | lets security staff or developers review vulnerabilities in detail
Content shown               | mainly Critical / High issue summaries, statistics and trends                       | all issues (Critical, High, Medium, Low, Info) with full source-code details
Filter settings             | built-in filter: hides Medium, Low and Info (they still exist in the FPR file)     | no filter; full results shown
Intended audience           | management, decision makers                                                        | security auditors, developers
Report characteristics      | dashboard-style summary report that highlights high-risk items                      | detailed technical report that can trace issue origins and remediation advice
Medium / Low / Info display | hidden by default (may appear as 0 in Quick View, but the issues still exist)      | all shown, never hidden

********************************************************************************

[Research] Why does the Quick View of Fortify SAST (SCA) show fewer Critical and High than the Security Auditor View?
https://shaurong.blogspot.com/2025/09/fortify-sast-sca-quick-view-cirtical.html


(End)