04-24-2013 09:45 AM - edited 05-17-2013 08:41 AM
In light of the new WebInspect 10.0 that was released April 22, I wanted to post some caveats to the upgrade process. I posted a similar article in the AMP section for our AMP and WebInspect Enterprise customers who are upgrading their Sensors.
If I come across anything else glaring, I may Edit this post.
Back up your scan database:
If you are using a normal SQL Server rather than SQL Express, you must back-up your scan database prior to upgrading WebInspect. Well, this is not exactly a requirement, but you should know better. ;-)
Downgrading back from WebInspect 10:
If there is any chance that you think you will need to back-track to WebInspect 9.30 after upgrading to WebInspect 10, then you should back up your WebInspect data files prior to upgrading. When you load 10.0 on a machine that used to have 9.30, the files in your \programdata\hp\hp webinspect\ and \users\...\appdata\local\hp\hp webinspect\ folders will be converted to a format that will no longer be compatible with 9.30. The best thing to do if you know ahead of time that you will be switching back and forth is to save off those two folders and then when you go back to 9.3 you can restore them. If this happened and you forgot to save the directories you can try deleting the .config files that are in those folders, or work with Fortify Support.
WebInspect 10.0 now requires .NET 4:
You may or may not notice this warning when installing 10.0. You will need to fetch and install that .NET component first. Check the system requirements here: https://download.hpsmartupdate.com/webinspect/
SmartUpdate should work fine:
Per normal, anyone with a valid license, i.e. paid Support and Maintenance, can fetch the latest WebInspect automatically via the SmartUpdate function. Provided you noticed the need for .NET 4.0, this upgrade should be fully automated.
Database Schema updates:
As often occurs between releases, the scan database schema got some changes. If you are using SQL Express, these updates should occur quietly and automatically for you. You may see a prompt to permit the update if you open older scans.
If you are using a normal MS SQL Server (Standard or Enterprise) for your scan repository, you may be able to update the schema automatically, or get a warning and a Query script provided, depending on your own SQL credentials and permissions. If the automated update fails, you will need to use the offered script as a Query run directly against the scan database used by WebInspect. You can do this in SQL Studio, or you may need to ask your DBA to run it for you. The referenced script will generally be a TXT file on your WebInspect installation.
You can also find these SQL Queries out on the public product page.
WebInspect 10.0 has a new, more powerful script parsing engine. Tuning up your Content-Analyzers scan settings should really dig deep into RIA sites. That being said, the suggested memory of 2 GB Minimum and 4 GB Recommended should be taken with a grain for salt. I would go for the most RAM your boss will allow. Why suffer slow scans?
While we are on this, recall that scanning is a balance between speed and thoroughness. You generally cannot have both, so bear this in mind when scans initially take longer than they used to.
Saved Scan Settings:
HP Fortify does not stomp on your existing saved Scan Settings files (XML). What we will do during an upgrade is add any new features or settings with their new default values. If there is an edit or improvement to an existing setting, we will not "correct" your setting.
The fall-out from this is that for any old scans that you repeat with the Rescan feature, or old scan settings files you use in the new product, the old product's settings will be in effect. With WebInspect 10.0 we have rebuilt and improved our script engine. You can see this now as an option pair under the Content-Analyzers scan settings. There is a choice to either use the new engine or the legacy one. Your saved scan settings files will still have the legacy option enabled, but you will probably want the new engine instead. Based on the quantity of saved scan settings files you depend on, this non-update behavior may be of little disruption to you, or a major pain.
Event-based (IE-based) Web Macro Recorder tool:
This tool was removed, but is still present if you simply must use it. It is not accessible from the Trouble-shoot area in TruClient nor from the Application Settings in WebInspect! We have retained the older Session-based (Traffic-based) WMR as well as our latest TruClient WMR tool. These two have been combined into one UI, sometimes being referred to as the "Unified Macro Recorder".
If you simply must have this tool back, you can open it by saving an old EB Macro and double-clicking on it. This will open that prior WMR tool. And alternative is to edit your user.config file as detailed below. This config file used to be set form the Application Settings UI, but those buttons are no longer available.
Path for Windows 2003 (32-bit):
C:\Documents and Settings\%CURRENTUSER%\Local Settings\Application Data\HP\HP WebInspect\Logs\user.config
Path for Win7 (64-bit):
Trick: Typing %appdata% into the Windows Run field will drop you into Explorer at the ..\Roaming\ peer folder. Go up and then down into the ..\Local\ path.
Setting of interest: "DefaultWebMacroRecorder"
Sample configuration, for TruClient:
<setting name="DefaultWebMacroRecorder" serializeAs="String">
Values to use:
0 = Session-based WMR
1 = Event-based WMR
2 = TruClient WMR
If you hard-coded the event-based Web Macro Recorder tool:
If you happened to be the rare user who previously set the Event-based WMR tool as your default in the Application Settings of WebInspect 9.30, your upgrade to WebInspect 10.0 may not have updated your aforementioned user.config file. With the removal of the WMR options in the UI, you will find you cannot open the other WMR tools now! Rather than reset the Application Settings back to factory defaults, you can manually edit the user.config file and detailed above.
Vista no longer supported:
Vista is not longer shown on the System Requirements. Vista SP2 (32- or 64-bit) may still work, but Fortify Support will not be pleased with your installation. Oddly enough, Windows XP SP3 is still listed as supported for WebInspect, although it will be reaching Microsoft end-of-life in 12 months.
-- Habeas Data
07-01-2013 06:48 AM
-- Habeas Data