As part of automating the process of running secure code analysis, I have a Jenkins job which uses the sourceanalyzer command line tool to generate an .fpr results file. At the moment I'm opening this results file in Audit Workbench application to view the results and check if there's any newly introduced issues etc, and generating a report from there in PDF/XML format.
Does anyone is it possible to invoke Audit Workbench through the command line and generate a report on the issues, which we could then leverage through a Jenkins script and also then mail the results? Looking online the command line usage seems to stop at the fpr generation stage.
Thanks in advance!
FPRUtility interprets the space-separated conditions in the
-information -search -query ...
parameter by applying the boolean AND operator. To obtain a union of 2 conditionsA || B
, I figured I could intersect negations of other conditions that complement the former:!C && !D
(whereA || B || C || D
always holds true). I.e., to find all high and critical issues, I useIn case of an audit, I figured I needed the older report generation utility to include suppressed issues (and their comments),
@SBurris,
If you don't want to show Suppressed/Hidden is it just -hideSuppressed and -hideHidden?
Also, is there a way to add custom filters to not show things like "nones" from the STIG/SANS/OWASP like you can create in the AWB GUI?
Basically, I need a command(s) to merge two FPRs and then compare them based on what is found new on the scanned code vs. the old FPR.
Merge should be:
FPRUtility -merge -project <newest_scan.fpr> -source <previous_scan.fpr> -f <BUILDXX_MergedWith_BUILDXY.fpr>
The custom filter I need after the merge is:
"[OWASP Top 10 2013]:!<none> OR [SANS Top 25 2011]:!<none> OR [STIG 3.9]:!<none> AND [Detected On]:!/^/"
AND THEN output the report from that newly merged fpr in pdf and xml format to a location/filename I specify. Something along the lines of:
Obviously this can be a multitude of commands as long as we can get it back to Bamboo. Any help would be greatly appreciated. Thanks.
There is a command-line utility to generate an Report from the FPR file.
Currently there are two report generators: Legacy and BIRT. The BIRT report engine was introduced into Audit Workbench with version 4.40.
Here is an example using the BIRT Report engine to generate a DISA STIG report
Using the legacy one is a little more involved. The command is:
You can either use one of the predefined template reports located in the
<SCA Install Dir>/Core/config/reports
directory or generate one using the Report Wizard and saving the template which gets stored in theC:\Users\<USER>\AppData\Local\Fortify\config\AWB-XX.XX\reports\
directory in Windows.On Linux/Mac look at the configuration file
<SCA Install Dir>/Core/config/fortify.properties
for thecom.fortify.WorkingDirectory
property, this is where the reports will be stored