Fortify throws error while scanning Visual Studio

Published 2019-07-06 20:35

Question:

I'm trying to run Fortify on a Visual Studio 2008 project. The project builds successfully on its own. When I try to analyze the project with Fortify using the Visual Studio integrated controls, the project builds successfully but an error message is thrown. Here's the output from Fortify console:

Fortify SCA...
Running: "-show-runtime-properties" 
Running: "-b" "ProjectName" "-clean" 
Error setting VCProject Path. Abort VC project related scan
Scan Failed Could not load file or assembly 'Microsoft.VisualStudio.VCProjectEngine, Version=8.0.0.0, Culture=neutral, PublicKeyToken=<string here>' or one of its dependencies. The system cannot find the file specified. 
   at FortifyBase.Scanner.CPPScanUtil.ResetVCProjectExecutableDirectories()
   at FortifyCommon.Scanner.BuildListeners.VSBuildDone(vsBuildScope scope, vsBuildAction action)
Scan Failed: 
Could not load file or assembly 'Microsoft.VisualStudio.VCProjectEngine, Version=8.0.0.0, Culture=neutral, PublicKeyToken=<string here>' or one of its dependencies. The system cannot find the file specified.

When I run Fortify from the standalone Audit Workbench, I get the following error message:

SCA Commandline invocation failed
[error]: Build ID "ProjectName" doesn't exist.

I keep most of the default scan options except changing 'Is this a J2EE web application' to 'No' (I also tried leaving this at 'Yes', but that didn't work either).

Searching for any info on the error messages only produced another question on Stack Overflow but the project setup seems quite different from my Visual Studio project. Anyways, I also tried running the scan from command line with the arguments provided by Visual Studio but I get the same error message.

Fortify documentation mentions that the build ID is used to track which files are compiled and linked as part of a build and later to scan those files and that it is usually the project name. I tried a few different strings as the build ID but nothing seems to work.

Does anyone have any idea where I'm going wrong? Thanks in advance.

Update: The problem occurs during the translate phase of the analysis, due to which the build ID is not created at all. Here's the relevant part of the sourceanalyzer log:

[2010-08-23 21:20:53 INFO]
Fortify Source Code Analyzer 5.1.0.0061
[2010-08-23 21:20:53 INFO]
Args:
["-b", "ProjectName", "-machine-output", "-vsversion", "8.0", "C:\\Program Files (x86)\\Microsoft Visual Studio 9.0\\Common7\\IDE\\devenv.exe", "ProjectName.sln", "/rebuild", "DEBUG"]
[2010-08-23 21:20:53 INFO]
VM Args:
"-XX:SoftRefLRUPolicyMSPerMB=100 -Xss1M -Xmx600M -Xms16M"
[2010-08-23 21:21:04 INFO 1102]
Compiler execution failed (exit code: 1).
[2010-08-23 21:21:04 WARNING]
exit(1)

Answer 1:

OK, I think this is a known issue with C/C++ translation on VS2010. The workaround I found is:

  1. Open a Visual Studio x86 Command Prompt
  2. Change to the KindleExport.sln's directory
  3. Run: sourceanalyzer -b kindleexport devenv KindleExport.sln /REBUILD
  4. Run: sourceanalyzer -b kindleexport -scan -f KindleExport.fpr
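The answer's four steps as a single script, added here as an example; it is not code from the question, the answer or Fortify. It runs the same clean / translate / scan sequence with sourceanalyzer but stops at the step that actually failed in the question: the translate phase ("Compiler execution failed") silently produces no build ID, which is why the later scan reports "Build ID doesn't exist". The script checks that devenv resolves before translating, checks the exit code of each step, and asks sourceanalyzer (via its -show-files option) whether the build ID has any translated files before invoking -scan. The solution name, build ID and FPR name are taken from the answer as placeholders; -vsversion is passed explicitly as in the question's Args line (note that the page pairs "-vsversion 8.0" with a Visual Studio 9.0 devenv path, so check that the two agree for your installation), and the -logfile option is assumed to be available in your SCA version.

```powershell
# Added example (not from the original question or answer): a defensive
# translate-then-scan wrapper for Fortify SCA against a Visual Studio solution.
# Assumptions: sourceanalyzer and devenv are on PATH (run from a Visual Studio
# x86 command prompt); names below are placeholders taken from the answer.
param(
    [string]$Solution  = "KindleExport.sln",  # substitute your .sln
    [string]$BuildId   = "kindleexport",      # any string, usually the project name
    [string]$Fpr       = "KindleExport.fpr",  # results file written by -scan
    [string]$Config    = "Debug",             # configuration passed to devenv /REBUILD
    [string]$VsVersion = "9.0"                # assumption: must match the devenv you launch
)

function Invoke-SaStep([string]$Label, [string[]]$SaArgs) {
    Write-Host ">> $Label : sourceanalyzer $($SaArgs -join ' ')"
    & sourceanalyzer @SaArgs
    if ($LASTEXITCODE -ne 0) {
        throw "$Label failed with exit code $LASTEXITCODE; read the sourceanalyzer log before running -scan"
    }
}

# 0. devenv must resolve, otherwise translation reports 'Compiler execution failed'.
if (-not (Get-Command devenv -ErrorAction SilentlyContinue)) {
    throw "devenv is not on PATH; open a Visual Studio x86 command prompt first"
}

# 1. Discard stale intermediate files for this build ID.
Invoke-SaStep "clean" @("-b", $BuildId, "-clean")

# 2. Translate: SCA wraps the devenv rebuild and records every compiled source file.
Invoke-SaStep "translate" @("-b", $BuildId, "-vsversion", $VsVersion,
                            "-logfile", "translate.log",
                            "devenv", $Solution, "/REBUILD", $Config)

# 3. Confirm the build ID really exists before scanning. An empty file list here is
#    the state behind the "Build ID ... doesn't exist" error in the question.
$files = & sourceanalyzer -b $BuildId -show-files
if ($LASTEXITCODE -ne 0 -or -not $files) {
    throw "Build ID '$BuildId' has no translated files; translation did not succeed"
}
Write-Host ("Translated {0} file(s) under build ID '{1}'" -f (@($files).Count), $BuildId)

# 4. Scan the translated files into an FPR for Audit Workbench.
Invoke-SaStep "scan" @("-b", $BuildId, "-scan", "-f", $Fpr)
```

Run it from the Visual Studio x86 command prompt, as step 1 of the answer says, in the directory containing the solution. If step 3 throws, the translate.log written in step 2 is the place to look; rerunning -scan with a different build ID string, as the question tried, cannot help because no translation output exists for any ID.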