stackoom
  简体   繁体   中英

Fortify plugin for gradle

 原文  2015-10-22 11:22:14       gradle/ fortify/ fortify-source

Question

I have been running fortify scan for some Java components. Below are the general steps followed: For java Project:

  • mvn com.fortify.ps.maven.plugin:sca-maven-plugin:4.30:clean
  • mvn install -DskipTests -DSTABILITY_ID=1 -DRELEASE_NUMBER=0 -DBUID_ID=1
  • mvn -Dfortify.sca.debug=true -Dfortify.sca.Xmx=1800M -Dfortify.sca.Xss=5M -DSTABILITY_ID=2 -DRELEASE_NUMBER=2 package com.fortify.ps.maven.plugin:sca-maven-plugin:4.30:translate
  • sourceanalyzer -b build_id -Xmx1800M -Xss4M -scan -f build_id_results.fpr -logfile scan.log -clobber-log -debug-verbose

After this fpr files gets generated and is uploaded to the server.

Now I have to do the same for a component using gradle. What would be the commands that I will have to use to generate the fpr files.

1 answers

solution1
 1  2015-11-20 13:40:30

I have to remove duplicity, improve a little bit and probably create a plugin, but basically, try the following snippet. 

/*
 * Performs the Fortify security scan.
 *
 * 1) Runs source code translation.
 * 2) Creates the export session file.
 * 3) Submits the export session file for processing through the scp.
 *
 * Credentials and url for the scp are obtained from the gradle.properties file
 * (or can be passed from the command line through the -P switch).
 * <ul>
 *     <li>fortifyUploadUsername</li>
 *     <li>fortifyUploadPassword</li>
 *     <li>fortifyUploadUrl</li>
 * </ul>
 */
task fortify(group: 'fortify', description: 'Security analysis by HP Fortify') << {

    def fortifyBuildId = 'myProjectId'

    logger.debug "Running command: sourceanalyzer -b $fortifyBuildId -clean"
    exec {
        commandLine 'sourceanalyzer', '-b', fortifyBuildId, '-clean'
    }

    def classpath = configurations.runtime.asPath
    logger.debug "Running command: sourceanalyzer -b ${fortifyBuildId} -source ${sourceCompatibility} -cp $classpath src/**/*.java"

    exec {
        commandLine 'sourceanalyzer', '-b', fortifyBuildId, '-source', sourceCompatibility, '-cp', classpath, 'src/**/*.java'
    }

    def fortifyBuildFolder = 'build/fortify'
    new File(fortifyBuildFolder).mkdirs()
    def fortifyArtifactFileName = "$fortifyBuildId@${project.version}.mbs"
    def fortifyArtifact = "$fortifyBuildFolder/$fortifyArtifactFileName"

    logger.debug "Running command: sourceanalyzer -b ${fortifyBuildId} -build-label ${project.version} -export-build-session $fortifyArtifact"

    exec {
        commandLine 'sourceanalyzer', '-b', fortifyBuildId, '-build-label', project.version, '-export-build-session', "$fortifyArtifact"
    }

    logger.debug "Running command: sshpass -p <password> scp $fortifyArtifact <user>@$fortifyUploadUrl:$fortifyArtifactFileName"

    exec {
        commandLine 'sshpass', '-p', fortifyUploadPassword, 'scp', "$fortifyArtifact", "$fortifyUploadUsername@$fortifyUploadUrl:$fortifyArtifactFileName"
    }

}

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question HP Fortify scan using Gradle Error while running Fortify on Gradle 7.2 project AppDistribution Gradle plugin with Gradle 7 Using fortify sca in jenkins with build tool (maven and gradle) Use gradle plugin to configure another gradle plugin Gradle Plugin Publishing Plugin with android Gradle Plugin Execution Order Gradle plugin categorisation Gradle application plugin and Scala gradle with appengine plugin
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM