Fortify scan multiple folders. Machine A: Generate a mobile build session called sample.

01 as well. ProjectRoot=C:\Fortify\Work The path to the working files would then be: C:\Fortify\Work\sca<version>\build\MyBuild\ On the machine where the LIM is installed: Open Windows Service Manager: Start > All Programs > Administrative Tools > Services. For a full listing of fcli commands and corresponding command line options, please see the man-pages as The Fortify service provider registers the actions that Fortify published and instructs Fortify to use them when their respective tasks are executed by Fortify. For a list of other such plugins, see the Pipeline Steps Reference page. Net Assemblies if they are build in a Debug configuration and the . Jan 28, 2015 · In the report section's additional properties, set the filter for the issues to [issue age]:new. Plus, centralized software security management helps developers resolve issues in less time. This includes: l Disk I/O—Fortify Static Code Analyzer is I/O intensive so the faster the hard drive, the more savings Oct 22, 2015 · I have a Fortify FPR scan file that I open in AWB. Increase Memory Allocation: Adjust the memory settings by modifying the sca. g I have project code at C:\work\development\, few of my colleagues have something like C:\Development\mainCodeLine\ etc etc. The Translated files continue to add-up and exist unti This should work: sourceanalyzer -b 11809 -debug -logfile fortify-translate. sln. In the right panel, click the Advanced Options tab. Click SSO Login to log in to FOD. For more information, see About Upgrading Fortify Static Code Analyzer. Build Servers. Save the template. Table of Contents. To enable the polling of Controller to retrieve scan request status, select the Enable ScanCentral SAST check box. Run cmake by changing CC and CXX variables: CC="sourceanalyzer -b project_ID gcc" CXX="sourceanalyzer -b project_ID g++" cmake . Do not change default scan options. Click Save and run your pipeline, you should see the following in the output. fpr -f <output> . Add all required header files using include_directory. Even though its present in the folder i am searching. Tip: On any window presented by the API Scan Wizard, you can click Settings (at the bottom of the window) to modify the default settings or to load a settings file that you previously saved. However, after making this change, I noticed that the Fortify findings for a wmd/pack. pkb or other oracle files. I would like to have a single fpr file being generated for all the projects. 3. Pros: No integration effort is required. sourceanalyzer -b project -scan -f MyResults. The last stage submits the Fortify SCA results alongside the other SonarQube scan results. After the scan completes, the Audit Workbench should look like the following screen snapshot. Or, you can issue more than one translate command pror to issuing the Scan command. Crawl and Audit: Map the site's hierarchical data Mar 3, 2016 · If function not found, fortify will skip the source code translation, so this part will not be scanned later. To minimize theses risks, scan a non-production version of the target website if possible. Select “Scan Java Project”. sln" /Rebuild Debug. Machine A: Generate a mobile build session called sample. Fortify Static Code Analyzer by OpenTextTM uses multiple algorithms and an expansive knowledge base of secure coding rules to analyze an application’s source code for exploitable vulnerabilities. For best performance, specify only the . class file, as if the analyzer expected the WAR file was a directory. 2. This command will publish Fortify's actions to your app/Actions directory, which will be created if it does not exist. c. answered Feb 16, 2015 at 19:23. On the Fortify WebInspect Start Page, click Start an API Scan. Because the sample. Apr 26, 2017 · Typically when running a fortify scan I use these three different commands via command line: sourceanalyzer -b buildId-clean. Support for Multiple Fortify Static Code Analyzer Versions 68 Upgrading the ScanCentral SAST Controller 69 Upgrading ScanCentral SAST Sensors 71 Enabling and Disabling Auto-Updates of Clients and Sensors 72 Chapter 7: Fortify Static Code Analyzer Mobile Build Session Version Compatibility74 Chapter 8: Submitting Scan Requests 75 Apr 29, 2013 · Yes,undocumented but this option exist and is well-known by HP SCA experts. It should be sufficient to add the folders the header files are in. It can accept pre-compiled . Fortify The fcli utility can be used to interact with various Fortify products, like Fortify on Demand (FoD), Software Security Center (SSC), ScanCentral SAST and ScanCentral DAST. I found that if I run clean after the Scan Central upload (via the Azure DevOps plugin) that most of the time these intermediate files get cleaned up, but sometimes files aren't cleaned up. sourceanalyzer -b EightBall src/**/*. Nov 28, 2013 · How to suppress false positives in Fortify. Identify the Fortify License and Infrastructure Manager Agent Service. May 1, 2019 · Screen 2 of the Scan Wizard — Review Source Files. Do not change default Java version. This can be the quickest approach if you have acces to all of the For example, if you have only the SonarQube Java plugin installed, the Fortify plugin can report vulnerabilities on Java files as SonarQube issues, but it cannot report vulnerabilities on JSP or XML files. Jul 10, 2019 · The total amount of files in all of these folders is roughly 600 files. This example shows how to use MBS to run the translation on Machine A and scan the project on Machine B: Machine A: Translation the project. -exclude "Test\C". -snm, --scan-node-modules: Specifies node_modules dependencies in the package. But in short, yes Scan Engine versions can cause different results even on the same code base with the same Rulepack versions. Click “Run Scan” on “Audit Guide Wizard…”. 1 - Lets say I have a windows forms app, which asks for a username and password, and the name of the textbox for password is texboxPassword. When I scan . Dear Members, we are running the Fortify scans via Gitlab runners and use below command to initiate the scan. Migrating from a previous Fortify Static Code Analyzer installation preserves Fortify Static Code Analyzer artifact files. Multiple options exist for including additional file types in the SonarQube scan, such that Fortify vulnerabilities can be reported on those You can put in more than a single File Specifier in your command. min=2G. Oct 18, 2019 · Second, Fortify SCA scans the source code, generating an FPR and CSV report. The fortify configuration file contains a features configuration array. e. pdb files are present. Different parents of duplicate classes folder: Resolve the multiple class definitions. ). I also tried. UPDATE. 11. Both plain Java and native platform binaries for Windows Sep 9, 2020 · Manually Initiated Scans: From the Fortify on Demand (FoD) browser interface, upload the ‘payload’ (source code and dependencies that are packaged into a zip file). This still scanned all of the files. Thanks a lot for your help. This interme‑ diate format is used to locate security vulner‑ abilities. Check the service status. Oct 4, 2014 · If you are doing this all from the command line, then this is how you would do it: sourceanalyzer -b project -vsversion 10. Now when running the second command you need devenv to complete the translation. On the build servers, the files accumulate here: C:\Users\<agent account>\AppData\Local\Fortify\sca20. heap. Apr 5, 2016 · Go to your build directory and perform make clean or remove all contents including the Makefile. This technique analyzes every feasible path that execution and data can follow to identify and remediate vulnerabilities. properties file and added a couple lines within the com. sourceanalyzer -b buildId devenv "mysolution. dlls here is my translate command: sourceanalyzer -b test -Xmx8G -vsversion 14. BUT after a while (and this was 12 years ago so maybe it has improved) we realized it was creating too many false positives and also IMHO just didnt understand the language. These auditors identify and prioritize the noteworthy findings while removing the noise from the results. I tried to use -exclude in command but it still scans those test files. The data flow analyzer uses global, inter Scanning files with non-standard file extensions. In the Fortify Static Code Analyzer translation phase, specify the Java bytecode files that you want to translate. In the ScanCentral Controller URL box, type the URL for the ScanCentral Controller. In the following example, the . However, you CAN merge scan results and generate an fpr based on that. sourceanalyzer -b EightBall -clean. sln solution contains a lot of test projects I have a lot of findings in test code which I’m not interested in. jar or . Related. After a crawl has been completed, you can click Audit to assess an application’s vulnerabilities. properties file. You can even scan WAR file with: com. We all have our project code setup in different root directories e. In the Scan Name box, enter a name or brief description of the scan. log "wmd/**/*. Second, Try using one -exclude parameter for every single one folder you want to exclude, for example: Mar 29, 2022 · Fortify on Demand takes customer application source code, runs the scan, then (as a value added service) passes these raw scan results to a team of expert auditors who are subject matter experts. 20 and looking to scan a few file types that are not standard extensions. Excluding Test Projects from Fortify Scan in Azure DevOps. You can also specify these at runtime: sourceanalyzer -b MyBuild -Dcom. I found Fortify to be good compare to the initial tool we had to use for C/C++. -extdir: put all directories/files you don't want to be scanned here. Select one of the following scan modes: Crawl Only: Completely map a site's hierarchical data structure. STEP 2: Then type scapostinstall. WorkingDirectory=C:\Fortify\Work -Dcom. Fortify Features. -sargs, --scan-args: Fortify Static Code Analyzer scan arguments (repeatable) Takes a single string argument. I am hoping I can skip whole directories sourceanalyzer -b sample -scan -f result. In list of the repos I want to exclude some folders which contains test cases. 11, I tried the same on fortify 19. How are you executing the scan, by sending the scan job to the server or running the scan locally on the build server? We are sending the scan from TFS to the Fortify server where it then scans on results from TFS's build. Each analyzer finds different types of vulnerabilities. 0005 in a maven build, the scan ran but failed to upload to the Fortify Software Security Center (SSC). Dec 5, 2016 · To integrate Fortify Static Code Analyzer into your Gradle build, make sure that the sourceanalyzer executable is on the system PATH. Any ideas? Feb 18, 2020 · Setup of . class files are translated: The Fortify Support log provides: The same log messages as the standard log file, but with additional details; Additional detailed messages that are not included in the standard log file; This log file is primarily helpful to Micro Focus Fortify Customer Support or the development team to troubleshoot any issues. Consider scanning the code into multiple FPR files, if appropriate. exclude. jar files. I want to generate a report that has all the instances of where the issues are found. bat –url start -b cs-sample –scan Local scan with SSC upload scancentral. Optimize Analysis: Use the -Xmx flag to allocate more memory to the Java process running the analysis: sourceanalyzer -Xmx4G -b build_id -scan. If you have not yet updated your Fortify version, I I am trying to run source analyzer on multiple java and c source repo. Data Flow This analyzer detects potential vulnerabilities that involve tainted data (user-controlled input) put to potentially dangerous use. If the scan option has a path parameter that includes a space, enclose the path with single quotes. microfocus. Provide details and share your research! But avoid …. SourcesDirectory)/sdk -name "*. fpr file with the newly scanned . Insert a wait step for some time as needed to process the results in SSC - could take long if there are a Sep 28, 2016 · 2. fileextensions section (see below) and saved. We are currently on SCA version 17. go" to sourceanalyzer -b 11809 ". I am using Fortify 16. To integrate Fortify Software Security Center with ScanCentral SAST: Log in to Fortify Software Security Center as an administrator, and then, on the Fortify header, click ADMINISTRATION. In the left panel, select Configuration, and then select ScanCentral SAST. Click Scan. The ScanCentral SAST page opens. For instructions, see Uploading Scan Artifacts. exclude, use just -exclude. 0 projectPath\Additional. gitlab-ci. Please help me to find a command which can scan all different oracle extension files at Mar 3, 2015 · This is not really correct. In the left panel, select Configuration, and then select ScanCentral. These files are used as input for the next stage, which converts the CSV file into a JSON format required by SonarQube. Feb 1, 2021 · Add a Variable called ReleaseId and add the Release Id from Fortify. yml file, for translating the files with the sourceanalyzer, here is the script: - script: |. If the service is not running, try to start the service. /wmd/**/*. It is very difficult to write exclude option for each and every levels of the folder structures. It is not necessary to add all header files to your CMakeLists. You will get a poor scan quality but FPR looks good (low issue reported). Fortify doe not NEED to compile the code so that it can perform the scan. The ScanCentral page opens. Prepend the Gradle command line with the sourceanalyzer command as follows: sourceanalyzer -b <build_id> <sca_options> gradle [<gradle_options>] <gradle tasks>. 3\tomcat\jobFiles folder $ scancentral. 2. BuildID-disable-language: Specifies a colon-separated list of languages to exclude from the translation phase. For example: Apr 20, 2017 · To scan the whole codebase together, first translate one set of files, then translate the other set of files (using the same exact build ID), and then do the scan step (same build ID), and it'll scan all of the code together. For multiple scan arguments, use multiple -sargs options. To process code, Fortify SCA works much like a compiler—which reads source code files and converts them to an intermediate structure enhanced for security analysis. log -scan -f result. mbs. yml: In the Test phase, add your sourceanalyzer command with the appropriate switches and GitLab CI variables as appropriate. class files that require scanning. FPR ("Fortify Project Results file"). set -euo pipefail. If the folder already exists, Fortify SCA cleans the folder before starting the scan. Jun 25, 2019 · Currently, the code base has the Fortify SCA scan, Burp Suite scan and then Web Inspect. 1. CandC++ CodeTranslationPrerequisites 67 CandC++Command-LineSyntax 67 ScanningPre-processedCandC++Code 68 C/C++PrecompiledHeaderFiles 68 Chapter8 . class file packed into a WAR could not find the . pls files. Fortify SCA displays the results and saves an FPR file in the folder you specified. We have gone into the fortify-sca. Specify if you want to migrate from a previous installation of Fortify Static Code Analyzer on your system. When we go to run the scan wizard, it Verified Answer. How can I exclude the test projects? I’ve tried the –exclude switch with no luck. To selectively display the issues you Aug 3, 2021 · Meaning the scans must be performed on the same source code, same fortify settings, and same security content. It tells you to use a separate file for properties and to set com. Optionally, enter a name for the scan in the Scan Name box. Jan 8, 2019 · Is there a way that we can run the HP fortify (SSC) scan on multiple branches without merging the issues and generate reports separately? When we run the scan on Branch A (having issues 10), later run the scan on branch B (having issues 100); the next run in the branch A creating issues count as 110. In your scan configuration, make sure to scan to the same FPR every time per project, so OptimizingFPR Files 149 FilterFiles 149 ExcludingIssuesfromtheFPR withFilterSets 150 ExcludingSourceCodefromtheFPR 150 ReducingtheFPR FileSize 151 OpeningLargeFPR Files 152 MonitoringLongRunningScans 153 UsingtheSCAStateUtility 154 UsingJMXTools 154 UsingJConsole 154 UsingJavaVisualVM 154 Chapter20:Troubleshooting 156 ExitCodes 156 MemoryTuning Apr 22, 2015 · I have multiple projects bound by a single parent pom. sourceanalyzer -b build_id gcc -c test. It usually takes about 15 minutes to scan all of the folders but when I set this it ran 30 Minutes or more and no visible signs of succeeding. bat file created at the root location of your project. SHIP-HATS 2. HP Fortify SCA has 6 analyzers: data flow, control flow, semantic, structural, configuration, and buffer. Some of the fcli highlights: Interact with many different Fortify products with just a single command-line utility. 0007. 8 and above is supported. For example: com. Nov 19, 2015 · Fortify will pick up all the javascript . 12041: The Python frontend was unable to resolve import of the following optional modules [] Try configuring the -python-path argument as suggested by Fortify. reason: Between multiple FPR file created during scan , we see different file counts. Hello meghsarma, Thank you for contacting the Micro Focus forums. At its rawest form, the FPR file is simply XML data zipped up and renamed to *. Obtain the list of analyzed files and the number of lines of code (LOC) for each file. When I generate a report it generates the report with the issues by type and their count and below the type I also get names and code snippets of some files where the issue was found. Basic Scan Options. You can also compare the LOC with another FPR. 1\build. This means the report will show ONLY issues in your FPR that were not present in the previous scan, and were introduced in the latest scan. Run the purge command to delete the data you have downloaded. Feb 13, 2015 · Fortify supports C language as per my knowledge. To enable the Eclipse Plugin to merge the results of the next scan you run with results from the previous scan: Select Fortify > Options. ) answered Apr 21, 2017 at 19:53. Large, complex code bases definitely take a while longer to translate and analyze than trivial code Obtain lists of issues (including some basic information). /**/*. class and . Use a database query against the ARTIFACT table to determine which artifact ids you need to download 2. By default, it will have all directories selected. Depending on your use case, you might be better off using one of the CLI utilities included with SCA (FPRUtility, FPR Merge Fortify. To display signature information for the analysis: FPRUtility -information -signature -project <project> . scanf. Attempting to analyze the . This array defines which backend routes / features Fortify will expose by default. The sub-directories / folders can be of many levels. Clean the EightBall build model. Hello! Any help appreciated trying to solve this problem I'm trying to scan a project that include jar files (SCA 4. . First, instead of -Dfortify. Command2 -> a) here i am able to scan . STEP 1: Go to the Installation Directory and navigate to bin folder in the Command Prompt or in Command line tool. fpr. The table in the AUDIT view lists issues based on their assigned folders (by default, critical to low). The previous successful upload to the SSC was from the desktop Audit Work Bench with a Scan Engine version of 6. In the left panel of the “Options” dialog box, select Default Project Settings. max=4G. i. Consequently, Fortify on Demand customers DartandFlutterCommand-LineSyntax 85 DartandFlutterCommand-LineExamples 85 Chapter13:TranslatingRubyCode 86 RubyCommand-LineSyntax 86 RubyCommand-LineOptions 86 To display the issues you want to audit: Upload scan results for the application version you want to audit. sourceanalyzer -b build_id -scan result. The required cmake command is include_directories. Command3: sourceanalyzer -b test -scan -verbose -f Results. The API Scan Wizard opens. Venu Kumar. fpr file so that all audits and comments get reflected even in the new file. Fortify Scan Stage Building the Image Jul 6, 2012 · Unfortunately, without specific details on your scan setup and Fortify version, it's difficult to say specifically what's causing the long scan time. Next, you should migrate your database: Oct 25, 2014 · We work in a team and run Fortify software on our machines locally. Apr 29, 2018 · 1. dll projectPath\Additional. However, there is no schema, and it can change between releases as-needed. Open the AUDIT view for the application version. Select “ <Fortify Install Dir>\Samples\basic\eightball ” as project root. So need to check what files are missing between these scans. CAVEATS. Mike Peters. 0. cpp" | while read -r file; do. Click Finish. So in the designer file, you have the following, generated by the designer. Run the custom webservice calls to download the specified artifacts. Oct 29, 2018 · Fortify supports excluding files and/or folders from the scan in the translation phase. NET: In the Projects for Fortify SCA analysis box, type the relative path to the solution or project file name. bat -sscurl <ssc_url> -ssctoken <ScanCentralCtrlToken> start -upload -versionid 10 -b In the left panel, select Configuration, and then select ScanCentral SAST. Aug 19, 2014 · Inside of the folder specified by those paths, the pattern is: sca\build\. This document describes installation and general usage of fcli. com. Sep 27, 2023 · Resolution. While the above is true regarding fprs, It is possible to merge scan results. For the same, Follow the Following Steps. cpp and header only files. fortify. I would instead try to just use a semicolon to separate your two exclude patterns. Asking for help, clarification, or responding to other answers. The command you specified looks like it is missing the section were you specify the files to actually scan. The internal workings of the Scan Engine is proprietary information and the detailed changes are This specifies how Fortify Static Code Analyzer processes . Translate all source files with a known file extension located in the src directory tree. You still want to specify the 3rd party dll's, those get specified in the -libdirs option. sourceanalyzer -b MyProject -clean sourceanalyzer -b MyProject msbuild /t:rebuild Sample. Oct 6, 2022 · sourceanalyzer -b pants -debug -verbose -logfile scan. Fortify SCA outputs the results to a subfolder, specify a name for the folder for the output. -exclude "Test\B". May 5, 2021 · We want to run Fortify SCA at the time of automated deployment but exclude all the test projects from scanning. I have two questions regarding Fortify. fileextensions. May 16, 2024 · I need scan my folder with c++ files using the Fortify Static Code Analyzer. You can deselect directories such as node_modules unless you want to scan all your from an FPR file I am looking for options to list out the files that got scanned by fortify. The intent was to only scan Go files in the wmd directory of my project. com Warranty Mar 5, 2024 · The fcli utility can be used to interact with various Fortify products, like Fortify on Demand (FoD), Software Security Center (SSC), ScanCentral SAST and ScanCentral DAST. dll. For example a VS2012 project (typical VS folder structure): Go to Fortify on Demand. In the ScanCentral Controller URL box, type the URL for the Controller. You cannot merge fprs from different source codes. However, some factors do impact the scan time for Fortify: complexity of the code base. war = ARCHIVE. Read more about how to integrate steps into your Pipeline in the Steps section of the Pipeline Syntax page. The following commands illustrate the most basic way for performing a Fortify SCA scan, without utilizing any build integration. To enable the polling of ScanCentral Controller to retrieve scan request status, select the Enable ScanCentral check box. fpr" -format fpr. go file are gone in the Fortify UI. The system requirements are documented in the Micro Focus Fortify Software System Requirements document. Sep 17, 2015 · If you look in the Appendix F: Maven Integration section of the SCA User Guide, under Excluding Files from the Scan heading, it shows you how to exclude files. If i run fortify scan on parent pom using Maven fortify plugin, fpr files for each project is generated. Resolution. Java: Specify the classpath, source version, sourcepath, source files, build tool options, source files (this can be a build file), and any other additional files to include in the scan. Fortify marks this as a password in comment Once you Installed Fortify, you need to prepare your Fortify to start using the Fortify Static Code Analyzer. Preface ContactingMicroFocusFortifyCustomerSupport VisittheSupportwebsiteto: l Managelicensesandentitlements l Createandmanagetechnicalassistancerequests l May 3, 2024 · I recently changed my Fortify scan command from sourceanalyzer -b 11809 ". Here is the example of how to build and scan: sourceanalyzer -b build_id -clean. Use the ‘Start Scan’ wizard, and define scan settings beforehand. the root-folder where the project-code resides differs. @excludelist. txt. go" If it doesn't, change to the wmd directory Fortify Static Code Analyzer uses a build ID to track the files that are compiled and combined as part of a build, and then later, to scan those files. 3. May 16, 2018 · Thanks for contributing an answer to Stack Overflow! Please be sure to answer the question. However, for large and complex applications, Fortify Static Code Analyzer requires more capable hardware. How to exclude target folder from Fortify scans. LegalNotices MicroFocus TheLawn 22-30OldBathRoad Newbury,BerkshireRG141QN UK https://www. I think at the high level, you or Fortify Professional Services would want to: 1. In the Advanced Analysis Options section, select the Merge with previous Application Type Description. Apr 20, 2015 · When we ran the Static Code Analyzer (SCA) version 6. js files; one caveat is that only Javascript 1. However I would like to know how we can exclude a file OpenText Community for Micro Focus products Jun 12, 2014 · Fortify SCA Exclude Multiple Files. I tried, first of all, to include a script in my . $ sourceanalyzer -b cs-sample -show-files Local scan without SSC upload - Fortify_ScanCentral_Controller_21. You can filter these lists. Insert a fortifyclient command with appropriate references to the SSC url and the FPR file. Run make and fortify should be translating files while compilers do their job. The analysis engine, which consists of multiple specialized analyzers, uses secure php artisan fortify:install. 0 Subscription Administrators and Users can use this documentation to learn about SHIP-HATS, onboard to SHIP-HATS, use SHIP-HATS Portal and tools integrated with SHIP-HATS, and get technical support. 30), I created a new scan project in AWB, but just found 4 files (3 xml and one java file), then I created a script with scan wizard, and again it found 4 files, not the rest 20 jar files, if somebody could say what I'm doing wrong. find $(Build. Overview. Run the Fortify. echo "Translating C++ files". OpenText™ Fortify™ Static Code Analyzer pinpoints the root cause of security vulnerabilities in the source code, prioritizes the most serious issues, and provides detailed guidance on how to fix them. But only do this if it really is one application. The following plugin provides functionality available through Pipeline-compatible steps. It is important to have all dependency jars in place. Notes. 21. Is it possible ? Thanks and Regards, Saurav -sargs, --scan-args: Fortify Static Code Analyzer scan arguments (repeatable) Takes a single string argument. sourceanalyzer -b buildId -scan -f "mysolution. pls files but not . For the most part, the combination of Fortify and Burp seem to capture all findings and typically Web Inspect finds random finds that are also typically false positives but all unrelated. In addition, the FortifyServiceProvider, configuration file, and all necessary database migrations will be published. The command below doesn't exclude all the files within the sub-directories. Assembly. 0. After a scan, you may find that your default website language has been changed to Farsi, test files have been uploaded, the new blog color theme has been set to ‘Early 80s Disco’, or 13 new users have been added – complete with nonsense test Posts. Jan 7, 2020 · There could also be different settings between the to installs to cause the difference as well (filters, templates, etc. If your code base is large or the scan is in the Queued state for a long time, the scan may take longer than the maximum 60 minutes Azure DevOps allows a task to run. Command2 -> b) This command will only scan . sca. Oct 13, 2016 · I want to merge an audited fortify . My recommendation is the following: Add all *. Equivalent Property Name: com. – Oct 8, 2020 · An overview of Fortify Static Code Analyzer (SCA), including the code scanning process, and then a demo of Scanning on The Command Line or a Script. go". rz dl bg zo kb gg fs ka pz sq