Hemi81

Reputation: 588

Integrating Fortify into a Build Process

I am attempting to see if I can integrate Fortify scans into my build process. I have done some research, but can't seem to find any way to extract scripts from Fortify's Audit Workbench. Is this at all possible? Should I just build a batch file to accomplish this?

Upvotes: 1

Views: 3486

Answers (3)

sara

Reputation: 1

You can use the HP SCA Maven plugin. It is bundled as part of the HP SCA installation (under the plugins folder) and needs to be installed into your Maven. Note that the SCA plugin is not listed in the Maven repository, so installation into the local repository is required.

Upvotes: 0

Mike Peters

Reputation: 86

Yes, use a batch script to do this.

Instead of trying to copy the commands from Audit Workbench, use the Scan Wizard. It's the tool specifically for solving this problem. You point it at your project, answer some questions, and it creates a script. Check a box and it'll also upload to SSC.

Scan Wizard is located in /bin. It may also be in your Start menu, next to Audit Workbench.

Note: Sometimes I have to modify the script. But if you're able to scan using the Fortify button in Visual Studio, then the default script usually works.

Upvotes: 1

SBurris

Reputation: 7448

Building your own batch file would be the best approach.

You can get information on scanning your projects from the HPE Security Fortify Static Code Analyzer User Guide and from the help output of the command-line tool (sourceanalyzer -h).

It really is a three-step process:

  1. Clean
  2. Translate
  3. Scan

There are examples at the top of the help file.

If you wanted, you could also use the Scan Wizard tool, but personally I do not like using it for build integration long term. It creates a complicated batch file, and it lists files explicitly (so if new files get added over time, it will not pick them up).

If you want to know how Audit Workbench performs its scans, you can add the following command options: "-verbose" "-debug" "-logfile" "c:\temp\translate.log" (or "c:\temp\scan.log" for the scan step).

[Screenshot: Audit Workbench with the above options inserted into the translation and scan portions]

Then you can look in the log files for the line that begins with "Args:". This will contain a list of arguments (in quotes and separated by commas) showing what command-line arguments were passed to sourceanalyzer.exe.

With this information, you could create a batch file to run and perform the scan. (Make sure the batch file has all three steps I mentioned earlier).

The GUIs are just a front end for sourceanalyzer.exe.

Upvotes: 1
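The clean / translate / scan batch file described in the answer above, written out as an added example (not code from the question or from any of the answers). It is a POSIX shell script so it runs as-is on a Linux build agent; on Windows the same three sourceanalyzer invocations go into a .bat file with sourceanalyzer.exe. The build ID "MyApp", the Java 8 source layout (src/ and lib/), the output file MyApp.fpr and the log directory are assumptions for illustration, as is the sample "Args:" log line, which is constructed rather than captured from a real run.

```shell
#!/bin/sh
# Added example: three-step Fortify SCA build (clean, translate, scan).
# Assumed, not from the page: build ID MyApp, Java 8 sources under src/,
# jars under lib/, result MyApp.fpr, logs under /tmp/fortify.

SCA="${SOURCEANALYZER:-sourceanalyzer}"   # sourceanalyzer or sourceanalyzer.exe
BUILD_ID="${FORTIFY_BUILD_ID:-MyApp}"       # -b ties translate and scan together
FPR="${FORTIFY_FPR:-$BUILD_ID.fpr}"         # result file for Audit Workbench / SSC
LOGDIR="${FORTIFY_LOGDIR:-/tmp/fortify}"    # -logfile targets, one per step

# run: execute the command when FORTIFY_RUN=1, otherwise only print it.
# The print path lets the script be checked on a machine without SCA installed.
run() {
  if [ "${FORTIFY_RUN:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Step 1: drop the previous translation for this build ID, so files removed
# from the project do not linger in the next scan.
fortify_clean() {
  run "$SCA" -b "$BUILD_ID" -clean
}

# Step 2: translate. -verbose/-debug/-logfile are the options the answer
# suggests for seeing what the GUI does. The "**" glob is expanded by
# sourceanalyzer itself, so it is quoted to keep the shell out of it.
fortify_translate() {
  run "$SCA" -b "$BUILD_ID" -verbose -debug -logfile "$LOGDIR/translate.log" \
      -source 1.8 -cp "lib/*" "src/**/*.java"
}

# Step 3: analyse the translated model and write the FPR.
fortify_scan() {
  run "$SCA" -b "$BUILD_ID" -verbose -debug -logfile "$LOGDIR/scan.log" \
      -scan -f "$FPR"
}

# All three steps in order; stop at the first failure so a broken translate
# never produces a misleadingly empty FPR.
fortify_build() {
  if [ "${FORTIFY_RUN:-0}" = 1 ]; then mkdir -p "$LOGDIR" || return 1; fi
  fortify_clean && fortify_translate && fortify_scan
}

# Recover the argument list from a -logfile written by Audit Workbench, as the
# answer describes: take the first "Args:" line, strip the quotes and commas.
# Reads the file(s) given as arguments, or stdin when none are given.
args_from_log() {
  sed -n 's/^.*Args: *//p' "$@" | head -n 1 | tr -d '"' | sed 's/, */ /g'
}

# Constructed sample log line (assumed format, not captured from a real run).
SAMPLE_LOG_LINE='[2017.03.01 09:12:44] Args: "-b", "MyApp", "-scan", "-f", "MyApp.fpr"'

demo_args_from_log() {
  printf '%s\n' "$SAMPLE_LOG_LINE" | args_from_log
}

# Dry run by default: prints the three commands. Set FORTIFY_RUN=1 to execute.
fortify_build
```

Run with FORTIFY_RUN=1 on the build agent to execute the scan; without it the script prints the three sourceanalyzer command lines, which is a convenient way to diff them against the "Args:" line recovered from an Audit Workbench log before trusting the script in CI.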
