![](/img/trans.png)
[英]how can i include only one folder in Fortify SCA scanning using SCA mvn plugin on my project?
[英]How to change Java version in Fortify SCA
我的Java-Maven項目是在Java 1.8中實現的。 通過安裝Fortify並在項目的pom.xml中添加依賴關系,我將我的Maven構建與Fortify SCA集成在一起。 但是,在掃描期間,它為我提供了以下日志
[INFO] --- sca-maven-plugin:4.30:scan (default-cli) @ projectname ---
[INFO] Packaging -> jar
[INFO] Top-Level Artifact ID -> null
[INFO] Build Label -> projectname-0.1.SNAPSHOT
[INFO] Build Version -> 0.1.SNAPSHOT
[INFO] Build Project Name -> projectname
[INFO] Build ID -> projectname-0.1.SNAPSHOT
[INFO] Results File -> /Users/workspaceneon/projectname/target/projectname-0.1.SNAPSHOT.fpr
[INFO] Location of SCA Executable -> sourceanalyzer
[INFO] Scan Log -> /Users/workspaceneon/projectname/target/sca-scan.log
[INFO] FindBugs Results -> true
[INFO] Fail on Error -> true
[INFO] Upload to SSC -> false
[INFO] Issues will not be tracked and trended without uploading to SSC.
[INFO] *** !! Scanning individual sub-project - projectname !! ***
[INFO] Created output dir /Users/workspaceneon/projectname/target
[INFO] cmd: "/bin/sh -c sourceanalyzer -scan -Xmx800M @/Users/workspaceneon/projectname/target/sca-scan-args.txt"
Fortify Static Code Analyzer 6.30.0086
Fortify Static Code Analyzer 6.30.0086
另外,據報道Java版本是
[INFO] Source Version -> 1.6
您可以在上面的控制台日志中看到我的Fortify版本。
我覺得Fortify假設它是Java 1.6項目,正在掃描我的項目。 我的問題是,如何告訴Fortify將其掃描為1.8項目,並相應地報告錯誤?
使用命令行參數
-Dfortify.sca.source.version=1.8
或使用Maven:
在您的項目中:
<fortify.sca.source.version>1.8</fortify.sca.source.version>
並在Maven集成中:
<profile> <id>sca-translate</id> <activation> <activeByDefault>false</activeByDefault> </activation> <build> <plugins> <plugin> <groupId>com.fortify.ps.maven.plugin</groupId> <artifactId>${maven-sca-plugin.name}</artifactId> <version>${maven-sca-plugin.version}</version> <inherited>true</inherited> <configuration> <source>${fortify.sca.source.version}</source> <maxHeap>${fortify.sca.Xmx}</maxHeap> <jre64>${fortify.sca.64bit}</jre64> <failOnSCAError>${fortify.failOnError}</failOnSCAError> </configuration> <executions> <execution> <inherited>true</inherited> <id>default-clean</id> <phase>clean</phase> <goals> <goal>clean</goal> </goals> </execution> <execution> <inherited>true</inherited> <id>default-translate</id> <phase>install</phase> <goals> <goal>translate</goal> </goals> </execution> </executions> </plugin> </plugins> </build>
問題:[sourceanalyzer] [警告]:假定未指定Java源級別為1.8。 請注意,默認值可能會在將來的版本中更改。
To resolve this in ant follow the following .
<taskdef name="sourceanalyzer" classname="com.fortify.dev.ant.SourceanalyzerTask">
<classpath>
<fileset dir="${FORTIFY_HOME}/Core/lib">
<include name="sourceanalyzer.jar" />
</fileset>
</classpath>
</taskdef>
<sourceanalyzer buildid="${FORTIFY_BUILD_ID}" source = "1.8">
Adding source removes this warning
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.