Fortify plugin for gradle
I have been running fortify scans for some Java components. Here are the general steps, for a Java project:
After this fpr file is generated, it is uploaded to the server.
Now I have to do the same for a component that uses gradle. What command must I use to generate the fpr file?
I had to remove the duplication, improve it a bit, and maybe create a plugin, but basically, try the following snippet.
/*
 * Performs the Fortify security scan.
 *
 * 1) Runs source code translation.
 * 2) Creates the export session file.
 * 3) Submits the export session file for processing through the scp.
 *
 * Credentials and url for the scp are obtained from the gradle.properties file
 * (or can be passed from the command line through the -P switch).
 * <ul>
 * <li>fortifyUploadUsername</li>
 * <li>fortifyUploadPassword</li>
 * <li>fortifyUploadUrl</li>
 * </ul>
 */
task fortify(group: 'fortify', description: 'Security analysis by HP Fortify') {
    // doLast replaces the old "<<" task action operator, which was removed in Gradle 5
    doLast {
        def fortifyBuildId = 'myProjectId'

        // 1) Start from a clean build session
        logger.debug "Running command: sourceanalyzer -b $fortifyBuildId -clean"
        exec {
            commandLine 'sourceanalyzer', '-b', fortifyBuildId, '-clean'
        }

        // 2) Translate the sources; sourceanalyzer expands the ** pattern itself
        def classpath = configurations.runtime.asPath
        logger.debug "Running command: sourceanalyzer -b ${fortifyBuildId} -source ${sourceCompatibility} -cp $classpath src/**/*.java"
        exec {
            commandLine 'sourceanalyzer', '-b', fortifyBuildId, '-source', sourceCompatibility, '-cp', classpath, 'src/**/*.java'
        }

        // 3) Export the build session (.mbs) for server-side scanning
        def fortifyBuildFolder = 'build/fortify'
        new File(fortifyBuildFolder).mkdirs()
        def fortifyArtifactFileName = "$fortifyBuildId@${project.version}.mbs"
        def fortifyArtifact = "$fortifyBuildFolder/$fortifyArtifactFileName"
        logger.debug "Running command: sourceanalyzer -b ${fortifyBuildId} -build-label ${project.version} -export-build-session $fortifyArtifact"
        exec {
            commandLine 'sourceanalyzer', '-b', fortifyBuildId, '-build-label', project.version, '-export-build-session', "$fortifyArtifact"
        }

        // 4) Upload over scp; the password is masked in the log line but is still
        //    passed to sshpass as a command-line argument
        logger.debug "Running command: sshpass -p <password> scp $fortifyArtifact <user>@$fortifyUploadUrl:$fortifyArtifactFileName"
        exec {
            commandLine 'sshpass', '-p', fortifyUploadPassword, 'scp', "$fortifyArtifact", "$fortifyUploadUsername@$fortifyUploadUrl:$fortifyArtifactFileName"
        }
    }
}
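An added example, not from the original answer or from Fortify's own tooling: the same procedure written for a current Gradle DSL (assumes Gradle 6.2 or later, the `java` plugin applied and `sourceanalyzer` on the PATH) that also produces the .fpr the question asks for with a local `-scan`, and uploads it with key-based scp instead of putting a password on the `sshpass` command line. The task names and the build id are assumptions; the property names are the ones the answer above uses.

```groovy
// Added example (not part of the original answer). Assumes: 'java' plugin applied,
// sourceanalyzer on the PATH, Gradle 6.2+ (providers.gradleProperty, project.exec).
def fortifyBuildId = 'myProjectId'   // assumed build id
def fprFile = layout.buildDirectory.file("fortify/${fortifyBuildId}-${project.version}.fpr")

tasks.register('fortifyScan') {
    group = 'fortify'
    description = 'Translates the sources, runs the local scan and writes the .fpr'
    dependsOn 'compileJava'
    outputs.file(fprFile)
    doLast {
        fprFile.get().asFile.parentFile.mkdirs()
        def classpath = sourceSets.main.compileClasspath.asPath
        def sources = sourceSets.main.java.srcDirs.collect { "${it}/**/*.java" }
        // 1) Clean build session so stale translations do not end up in the scan.
        project.exec { commandLine 'sourceanalyzer', '-b', fortifyBuildId, '-clean' }
        // 2) Translate. sourceanalyzer expands the ** pattern itself; no shell is involved.
        project.exec {
            commandLine(['sourceanalyzer', '-b', fortifyBuildId,
                         '-source', java.sourceCompatibility.toString(),
                         '-cp', classpath] + sources)
        }
        // 3) -scan analyses the session locally; -f names the FPR file the question asks about.
        project.exec {
            commandLine 'sourceanalyzer', '-b', fortifyBuildId, '-scan', '-f', fprFile.get().asFile.path
        }
    }
}

tasks.register('fortifyUpload', Exec) {
    group = 'fortify'
    description = 'Copies the FPR to the scan server with scp using key-based authentication'
    dependsOn 'fortifyScan'
    // Read from gradle.properties or -P; same property names as the answer above.
    def user = providers.gradleProperty('fortifyUploadUsername')
    def host = providers.gradleProperty('fortifyUploadUrl')
    // No sshpass -p here: a password passed as an argument is readable by every local
    // user through ps and can end up in build logs. Give the upload account an ssh key.
    doFirst {
        def fpr = fprFile.get().asFile
        commandLine 'scp', fpr.path, "${user.get()}@${host.get()}:${fpr.name}"
    }
}
```

Run `gradle fortifyUpload`; `fortifyScan` runs first because of the task dependency, and the FPR lands in `build/fortify/`.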