I have an issue with running a scan that excludes XSD files in Fortify SCA. I am using Maven (with the Fortify plugin) + Jenkins. My POM.xml used by Jenkins:
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>pl.bluecode</groupId>
<artifactId>bc</artifactId>
<version>1.0</version>
<packaging>pom</packaging>
<properties>
</properties>
<scm>
<connection>scm:svn:https://subversion......</connection>
<developerConnection>scm:svn:https://subversion.....</developerConnection>
<tag>HEAD</tag>
<url>https://subversion......</url>
</scm>
<profiles>
<profile>
<id>common</id>
<activation>
<activeByDefault>true</activeByDefault>
<property>
<name>!skipCommonProfile</name>
</property>
</activation>
<modules>
<module>Project1</module>
<module>Project2</module>
</modules>
</profile>
<profile>
<id>profile1</id>
<modules>
<module>Project3</module>
<module>Project4</module>
</modules>
</profile>
</profiles>
<build>
<sourceDirectory>${basedir}/src</sourceDirectory>
<finalName>${project.artifactId}</finalName>
<resources>
<resource>
<directory>${basedir}/src</directory>
<includes>
<include>**/*.properties</include>
</includes>
</resource>
<resource>
<directory>${basedir}/src</directory>
</resource>
</resources>
<pluginManagement>
<plugins>
<plugin>
<groupId>com.fortify.ps.maven.plugin</groupId>
<artifactId>maven-sca-plugin</artifactId>
<version>2.6</version>
<configuration>
<source>1.5</source>
<failOnSCAError>true</failOnSCAError>
</configuration>
</plugin>
</plugins>
</pluginManagement>
</build>
</project>
My Jenkins Maven goals look like this:
1st goal: com.fortify.ps.maven.plugin:maven-sca-plugin:2.6:clean -Pprofile1
2nd goal: com.fortify.ps.maven.plugin:maven-sca-plugin:2.6:translate -Pprofile1
3rd goal: com.fortify.ps.maven.plugin:maven-sca-plugin:2.6:scan -Pprofile1
Unfortunately I cannot attach an image.
The above configuration has been working as expected so far.
Now, I'd like to exclude all XSD files from scan.
How do I do it? I tried adding an -exclude ".xsd" entry to the Maven goals: com.fortify.ps.maven.plugin:maven-sca-plugin:2.6:scan -Pprofile -exclude ".xsd"
but it doesn't work.
If someone can help me I would be grateful.
Thanks.
Upvotes: 0
Views: 3156
Reputation: 1461
In theory the Fortify Maven Plugin supports the exclusion of files, but it doesn't always work as expected.
Now, that being said, you are not invoking the exclusion correctly. Where you built the Fortify Maven Plugin, find the documentation for the translate
goal, e.g. for me: /Samples/advanced/maven-plugin/target/site/translate-mojo.html#exclude.
There you can find the correct way to invoke exclusion. On the command line:
"-Dfortify.sca.exclude=*.xsd"
or in the POM (if you set up the fortify translate job there)
<exclude>
*.xsd
</exclude>
Now back to my first point. Sometimes exclusion is more difficult to effect than just by setting the value as *.extension. You may also need to specify the directory as well, so if the above doesn't work, try also the Fortify special glob parameter "**" which means any recursive subdirectory match. To wit:
"-Dfortify.sca.exclude=**/*.xsd"
or
<exclude>
**/*.xsd
</exclude>
If neither of the above works, then contact Fortify Technical Support.
Pro tip: you can also set this value in Core/config/fortify-sca.properties, where it will affect every invocation of sourceanalyzer on the system. That includes invocations via the maven plugin.
Upvotes: 1
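Putting the answer's POM form into the asker's own build file, as an added illustration that is not part of the original post: the exclusion belongs in the maven-sca-plugin configuration block already present under pluginManagement, so every goal in the Jenkins job, including translate where the exclusion is actually applied, picks it up. The parameter name exclude is taken from the translate-mojo documentation the answer cites; all other values are the asker's.

```xml
<!-- Fragment of the asker's POM with the XSD exclusion added (illustration, not from the original post) -->
<pluginManagement>
  <plugins>
    <plugin>
      <groupId>com.fortify.ps.maven.plugin</groupId>
      <artifactId>maven-sca-plugin</artifactId>
      <version>2.6</version>
      <configuration>
        <source>1.5</source>
        <failOnSCAError>true</failOnSCAError>
        <!-- Fortify glob: ** matches any directory depth, so XSD files at any level
             under each module are skipped at translate time rather than only at scan time -->
        <exclude>**/*.xsd</exclude>
      </configuration>
    </plugin>
  </plugins>
</pluginManagement>
```

Because this sits in pluginManagement rather than plugins, the Jenkins goals still have to name the plugin coordinates explicitly, exactly as the three goals above already do.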