Reputation: 740
Sorry for the seemingly duplicate question, but the other Fortify solutions didn't seem to fit my case. I'm doing scans/uploads via the Maven SCA plugin:
<plugin>
    <groupId>com.fortify.ps.maven.plugin</groupId>
    <artifactId>sca-maven-plugin</artifactId>
    <version>4.20</version><!--$NO-MVN-MAN-VER$-->
    <configuration>
        <projectName>sample</projectName>
        <projectVersion>${appVersion}</projectVersion>
        <exclude>**/*.(LOCAL|INT).*</exclude>
    </configuration>
</plugin>
and it works. This excludes all LOCAL and INT (integration testing) property files from being scanned. Additionally, I'd like to exclude archived XSDs from being scanned as well:
<exclude>**/(*.(LOCAL|INT).*)|(xsd/archive/*)</exclude>
but this does not work. In fact, not even the original working pattern is found. Any ideas?
Upvotes: 2
Views: 8230
Reputation: 66
Actually, instead of tweaking the source code, you can hack it this way:
<plugin>
    <groupId>com.fortify.ps.maven.plugin</groupId>
    <artifactId>sca-maven-plugin</artifactId>
    <version>4.20</version>
    <configuration>
        <projectName>sample</projectName>
        <projectVersion>${appVersion}</projectVersion>
        <exclude>**/*.(LOCAL|INT).*" -exclude "**/xsd/archive/*</exclude>
    </configuration>
</plugin>
Please mind the " -exclude " inside the exclude tag! ;)
Upvotes: 1
Reputation: 1
For anyone having trouble getting multiple exclusions to work and thinking about patching the plugin, first check that you are using the correct separator. It must be a semicolon on Windows or a colon on Linux.
Upvotes: 0
Reputation: 740
I will share my solution, albeit a little bit of work that requires you to have access to the HP Fortify installation:
I was tired of fussing for a whole day with this, so I did the only sensible thing and re-wrote a portion of the Fortify Maven plugin! I liked the separator as ; so I changed the TranslateMojo.java file under the maven-plugin folder as follows, then re-deployed the Fortify plugin:
OLD Line:
    addOptionValuePair("-exclude", exclude);
NEW Line:
    // Split the configured value on ';' and emit one -exclude option per pattern
    if (exclude != null && exclude.length() > 0) {
        String[] excludeList = exclude.split(";");
        for (int i = 0; i < excludeList.length; i++) {
            addOptionValuePair("-exclude", excludeList[i].trim());
        }
    }
Now my project's .pom has this sca-maven-plugin definition:
<plugin>
    <groupId>com.fortify.ps.maven.plugin</groupId>
    <artifactId>sca-maven-plugin</artifactId>
    <version>4.20</version>
    <configuration>
        <projectName>sample</projectName>
        <projectVersion>${appVersion}</projectVersion>
        <exclude>**/*.(LOCAL|INT).*;**/xsd/archive/*</exclude>
    </configuration>
</plugin>
The sca-translate-war.txt file that Maven generates and uses as part of the translate step now has an -exclude for each pattern provided:
"-exclude" "**/*.(LOCAL|INT).*" "-exclude" "**/xsd/archive/*"
This worked for me and will hopefully save someone a few hours of struggle.
Upvotes: 0
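As an added, stand-alone illustration (my own example code, not the plugin's source and not from any answer above), the following Java class reproduces the split-and-emit logic of the patched TranslateMojo, takes the separator as a parameter so it can be set to java.io.File.pathSeparator (semicolon on Windows, colon on Linux, as the earlier answer notes), and renders the option pairs the way they appear in the generated sca-translate-war.txt. It also shows why the `" -exclude "` trick in the second answer works: the exclude value is spliced into the quoted argument file verbatim, so this version refuses patterns that contain a double quote. The class and method names are my own assumptions.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

/** Example only: builds the "-exclude" option pairs for one <exclude> value. Not Fortify plugin code. */
public final class ExcludeOptions {

    /** Splits the configured value into individual patterns, trimming whitespace and dropping blanks. */
    static List<String> splitPatterns(String exclude, String separator) {
        List<String> patterns = new ArrayList<>();
        if (exclude == null || exclude.trim().isEmpty()) {
            return patterns;
        }
        // Pattern.quote so a ';' or ':' separator is matched literally, not as a regex
        for (String raw : exclude.split(Pattern.quote(separator))) {
            String pattern = raw.trim();
            if (pattern.isEmpty()) {
                continue;
            }
            // A double quote would close the quoted argument in sca-translate-*.txt and let the
            // rest of the value be parsed as further options, which is exactly the hack shown above.
            if (pattern.indexOf('"') >= 0) {
                throw new IllegalArgumentException("exclude pattern must not contain a double quote: " + pattern);
            }
            patterns.add(pattern);
        }
        return patterns;
    }

    /** Renders the patterns as they appear in the translate arguments file: "-exclude" "pattern" ... */
    static String toArgsLine(List<String> patterns) {
        StringBuilder sb = new StringBuilder();
        for (String p : patterns) {
            if (sb.length() > 0) {
                sb.append(' ');
            }
            sb.append("\"-exclude\" \"").append(p).append('"');
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: the question's two patterns joined with a semicolon.
        // In a real build you would pass java.io.File.pathSeparator instead of ";".
        String configured = "**/*.(LOCAL|INT).*;**/xsd/archive/*";
        System.out.println(toArgsLine(splitPatterns(configured, ";")));
    }
}
```

Running it prints the same line the answer shows from sca-translate-war.txt: "-exclude" "**/*.(LOCAL|INT).*" "-exclude" "**/xsd/archive/*".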
Reputation: 925
If you look in the Appendix F: Maven Integration section of the SCA User Guide, under the Excluding Files from the Scan heading, it shows you how to exclude files. It tells you to use a separate file for properties and to set com.fortify.sca.exclude. I would instead try to just use a semicolon to separate your two exclude patterns.
Upvotes: 0