
Fortify scanning in Eclipse over maven projects

Published 2019-08-14 20:58

Question:

I have the Eclipse plugin for Fortify. But it only runs on the Java projects.

We have some Java projects, but they are Maven-based, non-Java projects. I can edit the .project file of the projects and change their type to Java to enable Fortify scanning. But is there a better way to run Fortify scans on Maven-based projects?

EDIT: Had to do the following steps, as mentioned in some of the posts below:

  • Installed the Maven Fortify plugin
  • Added the Maven Fortify plugin details in my application pom
  • Ran the translate and scan commands. They generated .fpr files under the projects
  • Followed this helpful blog too: http://fortify-maven.blogspot.in/

The only question I still have is:

I have multiple projects, and an .fpr file is created for each project. Can I have a consolidated .fpr file created for all the projects in one place?

Cheers, Saurav

Answer 1:

Fortify has a plugin for Maven that you should be able to use. Check in this directory:

<Fortify Installation Folder>\Samples\advanced\maven-plugin

You build the plugin with Maven, and then you can run the translate and scan commands from within Maven. That directory has sample code, and the documentation is compiled when you build the plugin.



Answer 2:

You can run the package locally or integrate it as part of your build process. During the translation phase, the SCA Maven Plugin will search for your jar files in the local repository and try to resolve the classes in your application.

Run the following commands:

  1. mvn sca:clean
  2. mvn sca:translate
  3. mvn sca:scan


Answer 3:

When we ran the Static Code Analyzer (SCA) version 6.21.0005 in a Maven build, the scan ran but failed to upload to the Fortify Software Security Center (SSC). The previous successful upload to the SSC was from the desktop Audit Workbench with a Scan Engine version of 6.21.0007. We surmise this difference in minor versions caused the failure of the FPR file uploads to the Production SSC. When we revised the build script to load the FPR file into a new project, the upload worked, implying that there appears to be a bug on HP's side, which they have confirmed. We were able to do a workaround by creating a new project that only has FPRs generated from a single source. I recommend you use a single source for your SCA, or at least use the same SCA version number if you must employ multiple scan sources.