Fortify插件用於gradle

Question

我一直在為一些Java組件運行fortify掃描。 以下是一般步驟：對於Java項目：

• mvn com.fortify.ps.maven.plugin：sca-maven-plugin：4.30：clean
• mvn install -DskipTests -DSTABILITY_ID = 1 -DRELEASE_NUMBER = 0 -DBUID_ID = 1
• mvn -Dfortify.sca.debug = true -Dfortify.sca.Xmx = 1800M -Dfortify.sca.Xss = 5M -DSTABILITY_ID = 2 -DRELEASE_NUMBER = 2 package com.fortify.ps.maven.plugin：sca-maven-plugin： 4.30：翻譯
• sourceanalyzer -b build_id -Xmx1800M -Xss4M -scan -f build_id_results.fpr -logfile scan.log -clobber-log -debug-verbose

生成此fpr文件並將其上載到服務器之后。

現在我必須對使用gradle的組件執行相同的操作。 我必須使用什么命令來生成fpr文件。

Answer 1

我必須刪除duplicity，改進一點，並可能創建一個插件，但基本上，嘗試以下代碼段。

/*
 * Performs the Fortify security scan.
 *
 * 1) Runs source code translation.
 * 2) Creates the export session file.
 * 3) Submits the export session file for processing through the scp.
 *
 * Credentials and url for the scp are obtained from the gradle.properties file
 * (or can be passed from the command line through the -P switch).
 * <ul>
 *     <li>fortifyUploadUsername</li>
 *     <li>fortifyUploadPassword</li>
 *     <li>fortifyUploadUrl</li>
 * </ul>
 */
task fortify(group: 'fortify', description: 'Security analysis by HP Fortify') << {

    def fortifyBuildId = 'myProjectId'

    logger.debug "Running command: sourceanalyzer -b $fortifyBuildId -clean"
    exec {
        commandLine 'sourceanalyzer', '-b', fortifyBuildId, '-clean'
    }

    def classpath = configurations.runtime.asPath
    logger.debug "Running command: sourceanalyzer -b ${fortifyBuildId} -source ${sourceCompatibility} -cp $classpath src/**/*.java"

    exec {
        commandLine 'sourceanalyzer', '-b', fortifyBuildId, '-source', sourceCompatibility, '-cp', classpath, 'src/**/*.java'
    }

    def fortifyBuildFolder = 'build/fortify'
    new File(fortifyBuildFolder).mkdirs()
    def fortifyArtifactFileName = "$fortifyBuildId@${project.version}.mbs"
    def fortifyArtifact = "$fortifyBuildFolder/$fortifyArtifactFileName"

    logger.debug "Running command: sourceanalyzer -b ${fortifyBuildId} -build-label ${project.version} -export-build-session $fortifyArtifact"

    exec {
        commandLine 'sourceanalyzer', '-b', fortifyBuildId, '-build-label', project.version, '-export-build-session', "$fortifyArtifact"
    }

    logger.debug "Running command: sshpass -p <password> scp $fortifyArtifact <user>@$fortifyUploadUrl:$fortifyArtifactFileName"

    exec {
        commandLine 'sshpass', '-p', fortifyUploadPassword, 'scp', "$fortifyArtifact", "$fortifyUploadUsername@$fortifyUploadUrl:$fortifyArtifactFileName"
    }

}