Fortify command line usage

Has anyone used the command line to run Fortify? I'm trying to incorporate a Fortify run into my CI build and I don't know how to do it.


Since I can't add a comment, I'll have to offer this as an answer. Our company has integrated the scan process into our TFS build environment and it works pretty well.

We use a series of "Invoke Process" build activities to make this happen. The entire security scan sequence is wrapped in a conditional which is exposed as an argument to the build definition. This allows us to enable or disable scans as needed. We also expose a few other things like Fortify Project, Fortify Project Version, and another conditional for uploading the FPR file.

The gist of it is this:

Clean

sourceanalyzer -b "Build ID" -clean

Build

sourceanalyzer -b "Build ID" devenv BuildID.sln /Rebuild Debug /out "C:\SSCLogs\SSCBuild.log"

Scan

sourceanalyzer -b "Build ID" -scan -format fpr -f BuildID.fpr

Upload to SSC

fortifyclient.bat -url SSCServerUrl -authtoken XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX uploadFPR -file BuildID.fpr -project "MyProject" -version "MyProject v1.0.0"

If you'd like a full rundown and/or some screen captures, I'd be happy to provide something for you.
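One way to script the clean / build / scan / upload sequence from this answer inside a CI job, in Python (an added example, not code from this answer or from Fortify). It assumes sourceanalyzer and fortifyclient.bat are on PATH, and that the SSC token arrives in a FORTIFY_AUTHTOKEN environment variable rather than being typed into the build definition (an assumption about the CI setup). The `runner` argument exists so the sequence, its fail-fast behaviour and the token redaction can be exercised on a machine without the Fortify tools installed.

```python
"""Drive the four-step Fortify SCA sequence (clean, build, scan, upload) from CI.

Added example; not the answer's own build activities and not Fortify code.
Assumptions: sourceanalyzer / fortifyclient.bat are on PATH, and the SSC
auth token is supplied via the FORTIFY_AUTHTOKEN environment variable.
"""
import os
import subprocess
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Sequence

Runner = Callable[[Sequence[str]], int]  # runs one argv, returns its exit code


@dataclass
class ScanConfig:
    build_id: str                # value passed to sourceanalyzer -b
    solution: str                # .sln handed to devenv
    fpr_path: str                # where -scan writes its results
    log_path: str = r"C:\SSCLogs\SSCBuild.log"
    upload: bool = False         # mirrors the "upload the FPR" build argument
    ssc_url: str = ""
    project: str = ""
    version: str = ""


@dataclass
class PipelineResult:
    ok: bool
    executed: List[List[str]] = field(default_factory=list)
    failed_step: Optional[str] = None


def build_steps(cfg: ScanConfig, authtoken: str = "") -> List[List[str]]:
    """Compose the commands from the answer, in order, as argv lists."""
    steps = [
        ["sourceanalyzer", "-b", cfg.build_id, "-clean"],
        ["sourceanalyzer", "-b", cfg.build_id, "devenv", cfg.solution,
         "/Rebuild", "Debug", "/out", cfg.log_path],
        ["sourceanalyzer", "-b", cfg.build_id, "-scan",
         "-format", "fpr", "-f", cfg.fpr_path],
    ]
    if cfg.upload:
        if not authtoken:
            # Refuse to start rather than fail after a long scan.
            raise ValueError("upload requested but no SSC auth token supplied")
        steps.append(["fortifyclient.bat", "-url", cfg.ssc_url,
                      "-authtoken", authtoken, "uploadFPR",
                      "-file", cfg.fpr_path,
                      "-project", cfg.project, "-version", cfg.version])
    return steps


def redact(argv: Sequence[str]) -> str:
    """Render argv for a log line with the token after -authtoken masked."""
    out = list(argv)
    for i, tok in enumerate(out[:-1]):
        if tok == "-authtoken":
            out[i + 1] = "****"
    return " ".join(out)


def run_pipeline(cfg: ScanConfig, runner: Optional[Runner] = None,
                 authtoken: Optional[str] = None) -> PipelineResult:
    """Run the steps in order and stop at the first non-zero exit code."""
    if runner is None:
        runner = lambda argv: subprocess.call(list(argv))  # real execution
    if authtoken is None:
        authtoken = os.environ.get("FORTIFY_AUTHTOKEN", "")  # assumed variable
    result = PipelineResult(ok=True)
    for argv in build_steps(cfg, authtoken):
        result.executed.append(argv)
        print("running:", redact(argv))
        if runner(argv) != 0:
            result.ok = False
            result.failed_step = redact(argv)
            break
    return result


if __name__ == "__main__":
    cfg = ScanConfig(build_id="MyProject", solution="MyProject.sln",
                     fpr_path="MyProject.fpr", upload=True,
                     ssc_url="https://ssc.example.invalid",  # placeholder
                     project="MyProject", version="MyProject v1.0.0")
    res = run_pipeline(cfg)
    raise SystemExit(0 if res.ok else 1)
```

Because the upload step is skipped entirely when `upload` is false, and refused up front when the token is missing, a misconfigured job fails in seconds instead of after the scan; the `print` goes through `redact`, so the token never reaches the CI log even though it is on the command line.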


The commands for a typical scan would look something like this.

  1. builds the code using

sourceanalyzer -b <build ID> <sourcecode>

  2. scans the build with

sourceanalyzer -b <build ID> -scan -f <test>.fpr

  3. (If you are using the 360 server) uploads the result to the Fortify server with

fortifyclient uploadFPR -f <test>.fpr -project <projectname> -version <versionname> -url https://fortify.com/f360 -user <username> -password <password> (or -authtoken <authtoken> in place of -user/-password)

However, I request help with the build labels. When we invoke SCA, we can assign a build label to it. However I am not sure what options to provide to the commands.

sourceanalyzer -b testid codebase -build-label <option>

If anyone knows the format, please do let me know.


Fortify has a static code analyzer tool, sourceanalyzer. This tool is command line based, and as such, should be something that you could integrate into a CI system.

As mentioned above, you can use the help option or review the documentation/user guide (named: HP Fortify Static Code Analyzer User Guide) which covers many languages and options.

One point you may need to consider is the speed and resource utilization of performing such a scan in a CI scenario. You may need to consider running it overnight or during off-peak hours. The documentation states that the tool uses a decent amount of memory.

You may also have to figure out how to process the output fpr file that the sourceanalyzer tool produces. For example, you could make this an artifact in Team City and upload it manually to a Fortify server or use with the Fortify workbench product. I would imagine you could also get fancy and automate the upload into Fortify server.
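An example of processing the .fpr file the scan produces, so the CI job can decide whether to pass or fail before anyone opens the workbench (added here; not code from this answer or from Fortify). It assumes, from what the author knows of the format, that an .fpr is a zip archive containing an audit.fvdl XML document with one <Vulnerability> element per finding carrying ClassInfo/Type and InstanceInfo/InstanceSeverity in the FVDL namespace; the sample .fpr below is constructed in the code, and the element names should be checked against a real audit.fvdl from your own scan before relying on the gate.

```python
"""Read findings out of an .fpr and apply a severity gate for CI.

Added example, not Fortify code. Assumed format: the .fpr is a zip whose
audit.fvdl entry is FVDL XML with <Vulnerabilities><Vulnerability> children,
each holding ClassInfo/Type and InstanceInfo/InstanceSeverity. Check these
names against a real audit.fvdl before using the gate in a build.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from collections import Counter
from typing import List, Tuple

FVDL_NS = "xmlns://www.fortifysoftware.com/schema/fvdl"  # assumed namespace URI
NS = {"f": FVDL_NS}

Finding = Tuple[str, float]  # (category, instance severity)


def make_sample_fpr() -> bytes:
    """Constructed sample .fpr with three findings (not from a real scan)."""
    fvdl = (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        f'<FVDL xmlns="{FVDL_NS}">\n'
        '  <Vulnerabilities>\n'
        '    <Vulnerability>\n'
        '      <ClassInfo><Type>SQL Injection</Type></ClassInfo>\n'
        '      <InstanceInfo><InstanceSeverity>4.0</InstanceSeverity>'
        '<Confidence>5.0</Confidence></InstanceInfo>\n'
        '    </Vulnerability>\n'
        '    <Vulnerability>\n'
        '      <ClassInfo><Type>Cross-Site Scripting: Reflected</Type></ClassInfo>\n'
        '      <InstanceInfo><InstanceSeverity>3.0</InstanceSeverity>'
        '<Confidence>4.0</Confidence></InstanceInfo>\n'
        '    </Vulnerability>\n'
        '    <Vulnerability>\n'
        '      <ClassInfo><Type>Dead Code: Unused Method</Type></ClassInfo>\n'
        '      <InstanceInfo><InstanceSeverity>1.0</InstanceSeverity>'
        '<Confidence>5.0</Confidence></InstanceInfo>\n'
        '    </Vulnerability>\n'
        '  </Vulnerabilities>\n'
        '</FVDL>\n'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("audit.fvdl", fvdl)
    return buf.getvalue()


def findings_from_fpr(fpr_bytes: bytes) -> List[Finding]:
    """Extract (category, severity) pairs from the audit.fvdl inside an .fpr."""
    with zipfile.ZipFile(io.BytesIO(fpr_bytes)) as zf:
        if "audit.fvdl" not in zf.namelist():
            raise ValueError("no audit.fvdl in archive; is this really an .fpr?")
        root = ET.fromstring(zf.read("audit.fvdl"))
    findings: List[Finding] = []
    for vuln in root.findall("f:Vulnerabilities/f:Vulnerability", NS):
        category = vuln.findtext("f:ClassInfo/f:Type", default="?", namespaces=NS)
        severity = float(vuln.findtext("f:InstanceInfo/f:InstanceSeverity",
                                       default="0", namespaces=NS))
        findings.append((category, severity))
    return findings


def summarize(findings: List[Finding]) -> Counter:
    """Count findings per category, for the job log or a build summary."""
    return Counter(category for category, _ in findings)


def count_at_or_above(findings: List[Finding], threshold: float) -> int:
    return sum(1 for _, severity in findings if severity >= threshold)


def should_fail(findings: List[Finding], threshold: float = 4.0,
                max_allowed: int = 0) -> bool:
    """Gate: fail when more than max_allowed findings reach the threshold."""
    return count_at_or_above(findings, threshold) > max_allowed


if __name__ == "__main__":
    found = findings_from_fpr(make_sample_fpr())
    for category, n in summarize(found).items():
        print(f"{n:3d}  {category}")
    raise SystemExit(1 if should_fail(found) else 0)
```

To run this against a real scan, replace `make_sample_fpr()` with the bytes of the BuildID.fpr that `-scan -f` wrote; the threshold and allowance are deliberately parameters so a team can start lenient and tighten the gate as the backlog is audited.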


Very good answers here. I would like to add that you can add logging while scanning; this is very helpful.

SCAN with Logging

sourceanalyzer -b "Build ID" -scan -format fpr -f BuildID.fpr -debug -verbose -logfile "C:\logfile.txt"


Let us know if you don't see the appropriate build command in the help text. 99% of the real world invocations are there.

Depending on what kind of source code you are trying to build, there are dozens of different command line switches and techniques to use.

I recommend you start by obtaining the SCA User Guide. It is a PDF document you can obtain from whoever provided you the Fortify installer.


At my company, we created a docker image to manage Fortify commands in the CI process.

Basically, we developed a Python script to help us keep the scan centralized, and then call this Docker image in a job on GitLab CI.

As the guys explained, sourceanalyzer is the tool to do the scans, and we use the cloudscan tool to connect to the SSC, download the scans and check the status of the analysis.

We also use:

  • fortifyclient to upload *.fpr files
  • FPRUtility to merge *.fpr files
  • ReportGenerator to make a PDF with the final result.

Currently we use fortify 19.10.
