11. EPMO Open Source Coordination Office Redaction File Detail Report

Produced by Araxis Merge on 11/9/2017 10:44:34 AM Eastern Standard Time. See www.araxis.com for information about Merge. This report uses XHTML and CSS2, and is best viewed with a modern standards-compliant browser. For optimum results when printing this report, use landscape orientation and enable printing of background images and colours in your browser.

11.1 Files compared

#	Location	File	Last Modified
1	REFDOC-v2.1.0.zip\NVCC\Documentation	FortifyVandV.md	Thu Oct 19 17:36:40 2017 UTC
2	REFDOC-v2.1.0.zip\NVCC\Documentation	FortifyVandV.md	Wed Nov 8 16:09:18 2017 UTC

11.2 Comparison summary

Description	Between Files 1 and 2
Description	Text Blocks	Lines
Unchanged	2	220
Changed	1	2
Inserted	0	0
Removed	0	0

11.3 Comparison options

Whitespace
Character case	Differences in character case are significant
Line endings	Differences in line endings (`CR` and `LF` characters) are ignored
CR/LF characters	Not shown in the comparison detail

11.4 Active regular expressions

No regular expressions were active.

11.5 Comparison detail

	1	Running Fo rtify for V&V submis sion
	2
	3	Assuming t he working checkout is in `~/S ource/Repo s` and tha t there is `~/Source /NVCC-Fort ify` with directorie s `INPUT` and `OUTPU T`.
	4
	5
	6	1. Using t he `git` c ommand lin e shell, g o to `~/So urce/NVCC- Fortify/IN PUT`
	7
	8	1. Clone t he working copy into this dire ctory: `gi t clone .. /../Repos/ NVCC`
	9
	10	1. Go into the NVCC directory and make s ure you ar e on the r ight branc h (presuma bly the re lease bran ch)
	11
	12	1. In this (`~/Sourc e/NVCC-For tify/INPUT /NVCC`) di rectory de lete the f ollowing
	13
	14	* Dire ctories
	15	* `.git`
	16	* `.vs` (if present)
	17	* `Documenta tion`
	18	* `Documents `
	19	* `NVCC.Mode ls.Tests`
	20	* `NVCC.Repo s.UserRepo sitory.Tes ts`
	21	* `NVCC.WebU I.Tests`
	22	* `Original SQL Script s`
	23	* `Fortify O utputs` (i f present)
	24	* `SQL`
	25	* `Test Resu lts` (if p resent)
	26	* File s
	27	* `.gitattri butes`
	28	* `.gitignor e`
	29	* `NVCC.sln. vspell`
	30	* `OriginalS QLScripts. ssmssln`
	31	* `OriginalS QLScripts. ssms_suo` (if presen t)
	32	* `ETL\CC_RE FDOC Post CDW Job.sq l`
	33	* `ETL\CC_RE FDOC Updat eProductio n Log Job. sql`
	34
	35	1. Open th e solution file (`NV CC.sln`) i n Visual S tudio
	36
	37	1. Dismiss the warni ng about m issing fil es (if any )
	38
	39	1. In the Solution E xplorer, d rop the `D ocumentati on`, `NVCC .Models.Te sts`, `NVC C.Repos.Us erReposito ry.Tests`, and `NVCC .WebUI.Tes ts` projec ts (Select and "Remo ve" from t he context menu)
	40
	41	1. Save al l
	42
	43	1. Encrypt the relev ant portio ns of the config fil es. Cross reference: https://m sdn.micros oft.com/en -us/librar y/zhhddkxy .aspx
	44	1. Ope n a (Windo ws) comman d line she ll (All Pr ograms -> Visual Stu dio 2015 - > Visual S tudio Tool s -> Devel oper Comma nd Prompt for VS2015 )
	45	2. Cha nge direct ory to sou rce locati on `cd "c: \Users\vha pordiggsb\ Source\NVC C-Foritfy\ INPUT\NVCC "`
	46	3. Run `aspnet_r egiis -pef "connecti onStrings" NVCC.WebU I`
	47	4. Run `aspnet_r egiis -pef "system.w eb/machine Key" NVCC. WebUI`
	48	5. Ope n `web.con fig` and ` web.releas e.config` in Visual Studio
	49	6. Cop y the `<id entity>` s ection fro m `web.rel ease.confi g` to `web .config` ( overwritin g the `<id entity>` s ection the re), takin g out the `xdt:Trans form="Repl ace"` part
	50	7. Sav e `web.con fig`
	51	8. Bac k at the c ommand lin e, run `as pnet_regii s -pef "sy stem.web/i dentity" N VCC.WebUI`
	52	9. Go back to Vi sual Studi o, have it reload th e modified `web.conf ig`
	53	10. Co py the who le `<ident ity>` sect ion from ` web.config ` back to `web.relea se.config` , replacin g what was there
	54	11. Ad d `xdt:Tra nsform="Re place"` af ter `confi gProtectio nProvider. ..`
	55	12. Sa ve `web.re lease.conf ig`
	56	13. Go back to ` web.config `
	57	14. Un do (Ctrl-Z ) until yo u get back to `<iden tity imper sonate="fa lse">`
	58	15. Sa ve `web.co nfig`
	59
	60	1. Copy th e most rec ent `NVCC. fpr` (if i t is not a lready the re) to `~/ Source/NVC C-Fortify/ INPUT/NVCC `
	61
	62	1. Load th e audit pr oject (`Fo ritfy` -> `Open Audi t Project` , selectin g `NVCC.fp r`)
	63
	64	1. Verify that the l atest rule s are load ed (`Forit fy` -> `Op tions...` -> `Securi ty Content Managemen t` -> `Upd ate`
	65
	66	1. Run the Foritfy s can (`Fort ify` -> `A nalyze Sol ution`)
	67
	68	1. Make su re all the Critical and High f indings ar e audited (Security Auditor Vi ew)
	69
	70	1. Save th e audit (` Fortify` - > `Save Au dit Projec t`)
	71
	72	1. Clean t he solutio n (`Build` -> `Clean Solution` )
	73
	74	1. Open th e audit pr oject in F oritfy Aud it Workben ch (double clicking on the NVC C.frp file from the Explorer w indow shou ld do that )
	75
	76	1. Save th e code tha t was scan ned (`Tool s` -> `Ext ract Sourc e Code...` ). Save it in `~/Sou rce/NVCC-F ortify/OUT PUT`
	77
	78	1. In `Pro ject Summa ry` tab, ` Build Info rmation` t ab, scan t hrough the files loo king for f iles that have a bla nk under L OC (lines of code). Open `Docu mentation/ EmptyForti fyFiles.md ` IN THE ORIGINAL WORKING DI RECTORIES (`~/Source /Repos/NVC C/`). Ma ke sure th ere is an entry for each file with a bla nk LOC tha t looks li ke a "real " source f ile. (That is, not n ecessarily files lik e `*.confi g`). Mostl y, the fil es listed will be in terface de claration files.
	79
	80	1. Even th ough nothi ng has rea lly change d, save th e audit an d close Au dit Workbe nch
	81
	82	1. Back at the `git` command s hell, go t o the `INP UT` direct ory and ex ecute `ls -1R --igno re=bin --i gnore=obj --ignore=p ackages > ../INPUT.l s.txt`
	83
	84	1. Go to t he corresp onding dir ectory in `OUTPUT`: `cd ../OUT PUT/Source /NVCC-Fort ify/INPUT`
	85
	86	1. Execute `ls -1R - -ignore=bi n --ignore =obj --ign ore=packag es > ../.. /../../OUT PUT.ls.txt `
	87
	88	1. Go up t o the top of `NVCC-F ortify`: ` cd ../../. ./../`
	89
	90	1. Compare the two f ile listin gs. Make t he shell w indow full screen an d run `dif f -y INPUT .ls.txt OU TPUT.ls.tx t \| less`. Look for any source (not conf iguration, *.cshtml, or librar y) files t hat appear on the le ft that do n't appear on the ri ght (there is only a `<`). Not e them in `EmptyFort ifyFiles.m d`
	91
	92	1. From th e file exp orer, go t o `~/Sourc e/NVCC-For tify/INPUT `. Right c lick the ` NVCC` dire ctory and `Send to` -> `Compre ssed (zipp ed) folder `
	93
	94	1. Begin t he code re view reque st: https: //wiki.mob ilehealth. va.gov/pag es/viewpag e.action?p ageId=2677 4489
	95
	96	1. Fill ou t form. Ap plication ID
	97	`3E90DC9E- A303-4ee5- 8382-D5742 B8AB44D`.
	98	1. For lines of code: ``wc -l `find Database/ ETL/ Gener ateMachine Key/ NVCC. Models/ NV CC.Repos.* / NVCC.Web UI/ UserRe pository/ -print\` ` ` (in NVCC directory of INPUT; edit list ed directo ries as ne cessary)
	99	2. For number of source co de and con figuration files: `` find Datab ase/ ETL/ GenerateMa chineKey/ NVCC.Model s/ NVCC.Re pos./ NVC C.WebUI/ U serReposit ory/ -name '.cs' -p rint -or - name '*.co nfig' -pri nt \| wc -l `` (in NV CC directo ry of INPU T; edit li sted direc tories as necessary)
	100	3. For number of classes: ``find Dat abase/ ETL / Generate MachineKey / NVCC.Mod els/ NVCC. Repos./ N VCC.WebUI/ UserRepos itory/ -na me '.cs' -print \| w c -l `` (i n NVCC dir ectory of INPUT; edi t listed d irectories as necess ary)
	101
	102	1. Upload files. Upl oad direct ory
	103	`\\ DNS . DNS \OISSWA\3E 90DC9E-A30 3-4ee5-838 2-D5742B8A B44D`. Inc lude:
	104	* Sour ce archive (zip file created e arlier)
	105	* .frp file
	106	* `Emp tyFortifyF iles.md`
	107	* `For tifyParseB ug.md`
	108	* `Dat baseJustif ication.md `
	109
	110	1. Submit form (link on web pa ge that fo rm came fr om) to sca n request.
	111