Translating ASP/VBScript virtual roots

OpenText SAST allows you to handle ASP virtual roots. For web servers that use virtual directories as aliases that map to physical directories, OpenText SAST enables you to use an alias.

For example, you can have virtual directories named Include and Library that refer to the physical directories C:\WebServer\CustomerOne\inc and C:\WebServer\CustomerTwo\Stuff, respectively.

The following example shows the ASP/VBScript code for an application that uses virtual includes:

<!--#include virtual="Include/Task1/foo.inc"-->

For this example, the previous ASP code refers to the file in the following physical location:

C:\WebServer\CustomerOne\inc\Task1\foo.inc

The real directory replaces the virtual directory name Include in this example.

Accommodating virtual roots

To provide the mapping of each virtual directory to OpenText SAST, you must set the com.fortify.sca.ASPVirtualRoots.name_of_virtual_directory property in your OpenText SAST command-line invocation as shown in the following example:

sourceanalyzer -Dcom.fortify.sca.ASPVirtualRoots.<virtual_directory>=<full_path_to_corresponding_physical_directory>

On Windows, if the physical path includes spaces, you must enclose the property setting in quotes:

sourceanalyzer "-Dcom.fortify.sca.ASPVirtualRoots.<virtual_directory>=<full_path_to_corresponding_physical_directory>"

To expand on the example in the previous section, pass the following property value to OpenText SAST:

-Dcom.fortify.sca.ASPVirtualRoots.Include="C:\WebServer\CustomerOne\inc"
-Dcom.fortify.sca.ASPVirtualRoots.Library="C:\WebServer\CustomerTwo\Stuff"

This maps Include to C:\WebServer\CustomerOne\inc and Library to C:\WebServer\CustomerTwo\Stuff.

When OpenText SAST encounters the #include directive:

<!-- #include virtual="Include/Task1/foo.inc" -->

OpenText SAST determines if the project contains a physical directory named Include. If there is no such physical directory, OpenText SAST looks through its runtime properties and finds the -Dcom.fortify.sca.ASPVirtualRoots.Include="C:\WebServer\CustomerOne\inc" setting. OpenText SAST then looks for this file: C:\WebServer\CustomerOne\inc\Task1\foo.inc.

Alternatively, you can set this property in the fortify-sca.properties file located in <sast_install_dir>\Core\config. You must escape the backslash character (\) in the path of the physical directory as shown in the following example:

com.fortify.sca.ASPVirtualRoots.Library=C:\\WebServer\\CustomerTwo\\Stuff
com.fortify.sca.ASPVirtualRoots.Include=C:\\WebServer\\CustomerOne\\inc

The previous version of the ASPVirtualRoot property is still valid. You can use it on the OpenText SAST command line as follows:

-Dcom.fortify.sca.ASPVirtualRoots=C:\WebServer\CustomerTwo\Stuff;C:\WebServer\CustomerOne\inc

This prompts OpenText SAST to search through the listed directories in the order specified when it resolves a virtual include directive.

Using virtual roots example

You have a file as follows:

C:\files\foo\bar.asp

To specify this file, use the following include:

<!-- #include virtual="/foo/bar.asp" -->

Then set the virtual root in the sourceanalyzer command as follows:

-Dcom.fortify.sca.ASPVirtualRoots=C:\files\foo

This strips the /foo from the front of the virtual path in the include directive. If you do not specify foo in the com.fortify.sca.ASPVirtualRoots property, then OpenText SAST looks for C:\files\bar.asp and fails.

The sequence to specify virtual roots is as follows:

  1. Remove the first part of the path in the source.
  2. Replace the first part of the path with the virtual root as specified on the command line.
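
The following Python script is an added example, not OpenText code: it models the resolution described on this page (the named per-directory form first, then the older ordered list) so that you can find virtual includes that would not resolve before you run a scan. The function names, the case-insensitive matching, and the Shared/util.inc entry are assumptions made for illustration; the check for a same-named physical directory inside the project is left out, and the list of known files is constructed rather than read from disk.

```python
import ntpath
import re

# Matches the directive with or without spaces, as both forms appear on the page.
INCLUDE_RE = re.compile(r'<!--\s*#include\s+virtual\s*=\s*"([^"]+)"', re.IGNORECASE)

def candidates(virtual_path, named_roots, legacy_roots):
    """Yield the physical paths to try for one virtual include, in order."""
    parts = [p for p in virtual_path.replace("\\", "/").split("/") if p]
    if not parts:
        return
    first, rest = parts[0], parts[1:]
    # Named form: ASPVirtualRoots.<virtual_directory>=<physical_directory>
    named = {k.lower(): v for k, v in named_roots.items()}  # assumption: case-insensitive
    if first.lower() in named:
        yield ntpath.join(named[first.lower()], *rest)
    # Older form: remove the first path segment, then try each root in listed order.
    for root in legacy_roots:
        yield ntpath.join(root, *rest)

def resolve(virtual_path, named_roots, legacy_roots, known_files):
    """Return the first candidate present in known_files, or None."""
    known = {ntpath.normcase(f) for f in known_files}
    for path in candidates(virtual_path, named_roots, legacy_roots):
        if ntpath.normcase(path) in known:
            return path
    return None

def unresolved_includes(source, named_roots, legacy_roots, known_files):
    """List the virtual includes in source that no configured root resolves."""
    return [v for v in INCLUDE_RE.findall(source)
            if resolve(v, named_roots, legacy_roots, known_files) is None]

# Constructed sample data, reusing the page's directories; Shared/util.inc is invented.
NAMED = {"Include": r"C:\WebServer\CustomerOne\inc",
         "Library": r"C:\WebServer\CustomerTwo\Stuff"}
LEGACY = [r"C:\files\foo"]
FILES = [r"C:\WebServer\CustomerOne\inc\Task1\foo.inc", r"C:\files\foo\bar.asp"]
ASP = '''<!--#include virtual="Include/Task1/foo.inc"-->
<!-- #include virtual="/foo/bar.asp" -->
<!-- #include virtual="Shared/util.inc" -->'''

if __name__ == "__main__":
    for v in unresolved_includes(ASP, NAMED, LEGACY, FILES):
        print("unresolved virtual include:", v)
```

To use it against a real code base, build known_files from a directory walk of the physical roots and feed each .asp file's text to unresolved_includes.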