Reputation: 4145
Does Fortify Audit Workbench have any command-line options that would allow me to put it in a cron job and run it daily?
The scan takes over two hours; I would like it to run overnight and see the results in the morning.
Jason
Upvotes: 2
Views: 3288
Reputation: 86
The other answers are correct, but there's an easier way. There's a Scan Wizard that creates a batch script for you. You point it at your project, answer some questions, and it creates a script. Check a box and it'll also upload to SSC.
Scan Wizard is located in /bin. It may also be in your Start menu, next to Audit Workbench.
Note: Sometimes I have to modify the script. But if you're able to scan using the Fortify button in Visual Studio, then the default script usually works.
Upvotes: 2
Reputation: 7448
Audit Workbench is the GUI front end for the underlying SCA engine (sourceanalyzer).
If you know how to scan your code through the command line, you can create a Windows batch file or bash script to execute it.
The hardest part will be to come up with the translation command. That is going to be language and project specific.
Your script should have a minimum of 3 steps
There is a fourth optional step to upload the scan results to your SSC instance. This step is utilizing the fortifyclient command.
References:
sourceanalyzer -h
fortifyclient tool to communicate with SSC.
Without any further information, we cannot help you with the actual commands.
Upvotes: 3
Reputation: 673
sourceanalyzer is the command-line tool.
I run this (as a Windows batch file) as
sourceanalyzer -b 1234 devenv "VsSolution.sln" /REBUILD release
Upvotes: 2
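The scripted approach from the answers above (a script around sourceanalyzer, keyed by a `-b` build ID), sketched as a cron-friendly wrapper. This is an added example, not code from any of the posts. It assumes the usual clean, translate, scan sequence; `SCA_BIN`, `OUT_DIR`, the paths in the crontab comment and the build command are placeholders.

```shell
#!/bin/sh
# Added example: nightly wrapper around the sourceanalyzer phases.
# Assumptions (not from the page): SCA_BIN, OUT_DIR, the build ID and the
# build command given as arguments are placeholders for your own project.

SCA_BIN="${SCA_BIN:-sourceanalyzer}"   # use a full path: cron's PATH is minimal
OUT_DIR="${OUT_DIR:-$HOME/fortify-results}"

# nightly_scan BUILD_ID BUILD_CMD...
# Prints the FPR path on success. Returns 0 on success, 1 on usage error,
# 2 if a scan is already running, 3/4/5 for a failed clean/translate/scan.
nightly_scan() {
    [ "$#" -ge 2 ] || { echo "usage: nightly_scan BUILD_ID BUILD_CMD..." >&2; return 1; }
    build_id=$1; shift
    mkdir -p "$OUT_DIR" || return 1
    lock="$OUT_DIR/$build_id.lock"
    # mkdir is atomic: refuse to start while a previous long scan still runs.
    mkdir "$lock" 2>/dev/null || { echo "scan $build_id already running" >&2; return 2; }
    fpr="$OUT_DIR/$build_id-$(date +%Y%m%d).fpr"
    rc=0
    # 1. clean: drop intermediate files left under this build ID
    "$SCA_BIN" -b "$build_id" -clean || rc=3
    # 2. translate: the project-specific build command, wrapped by sourceanalyzer
    [ "$rc" -ne 0 ] || "$SCA_BIN" -b "$build_id" "$@" || rc=4
    # 3. scan: analyze the translated code and write an FPR for Audit Workbench
    [ "$rc" -ne 0 ] || "$SCA_BIN" -b "$build_id" -scan -f "$fpr" || rc=5
    rmdir "$lock"
    [ "$rc" -ne 0 ] || echo "$fpr"
    return "$rc"
}

# Runs only when called with arguments, e.g. from a (constructed) crontab line:
#   0 1 * * * /opt/scripts/nightly_scan.sh myapp make -C /srv/src/myapp >>/var/log/fortify.log 2>&1
if [ "$#" -gt 0 ]; then
    nightly_scan "$@"
fi
```

The distinct exit codes show up in the cron log, so a morning check can tell a translation failure from a scan failure without opening the FPR.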