Tuesday 17 September 2013

Steps to integrate fortify scan tool with Maven

Pre-requisites - Maven and Java need to be installed and configured correctly


Fortify ships the source code of its Maven plugin. You need to build the plugin locally and then use it to analyze source code with Maven.


Step # 1 Build the Fortify Maven plugin

Open a command prompt and run:
cd %FORTIFY_INSTALLATION_DIRECTORY%\HP_FORTIFY\HP_Fortify_SCA_and_Apps_3.90\Samples\advanced\maven-plugin
mvn clean install
After a successful build the Fortify plugin will be present in your local Maven repository.

Step # 2 Add the Fortify Source Code Analyzer plugin to your project's pom.xml

<build>
    <plugins>
        <plugin>
            <groupId>com.fortify.ps.maven.plugin</groupId>
            <artifactId>sca-maven-plugin</artifactId>
            <version>3.90</version>
        </plugin>
    </plugins>
</build>
Note - Make sure the plugin version you declare matches the one in %FORTIFY_INSTALLATION_DIRECTORY%\HP_FORTIFY\HP_Fortify_SCA_and_Apps_3.90\Samples\advanced\maven-plugin\pom.xml

Step # 3 Create .fpr / report file

mvn sca:translate
mvn sca:scan

Run translate first, then scan; this generates the Fortify scan report (.fpr file) in the target directory.
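A script that ties Step 1 through Step 3 together, added here as an example and not taken from the post: it reads the plugin version from the sample plugin's pom.xml (the Note in Step 2), refuses to run if the project pom pins a different version, runs translate before scan, and fails unless an .fpr file actually lands in target/. It assumes a POSIX shell, FORTIFY_HOME pointing at the HP_Fortify_SCA_and_Apps_3.90 directory, and that the <version> element follows the sca-maven-plugin artifactId in both pom files as in the snippet above.

```shell
#!/bin/sh
# Added example, not from the original post. Wraps Step 1 and Step 3 above.
# Assumptions: FORTIFY_HOME is the HP_Fortify_SCA_and_Apps_3.90 directory,
# mvn is on PATH, and in both pom files the <version> element follows
# <artifactId>sca-maven-plugin</artifactId> as in the snippet in Step 2.
set -u

# Read the sca-maven-plugin version out of a pom.xml (first <version> after
# the sca-maven-plugin artifactId). Prints nothing if the plugin is absent.
sca_plugin_version() {
    awk '/<artifactId>sca-maven-plugin<\/artifactId>/ { found = 1 }
         found && /<version>/ {
             sub(/.*<version>/, ""); sub(/<\/version>.*/, ""); print; exit
         }' "$1"
}

# The Note in Step 2: the version declared in the project pom must match the
# one the sample plugin was built with, otherwise Maven cannot resolve the
# plugin from the local repository. $1 = sample plugin pom, $2 = project pom.
pom_versions_match() {
    sample=$(sca_plugin_version "$1")
    project=$(sca_plugin_version "$2")
    [ -n "$sample" ] && [ "$sample" = "$project" ]
}

# Step 1 (build the plugin) then Step 3 (translate, then scan, in that order:
# sca:scan needs the build session that sca:translate creates). Fails unless
# an .fpr file actually landed in target/, so a CI job cannot report a
# "clean" result from a scan that never ran.
run_fortify_scan() {
    plugin_src="${FORTIFY_HOME:?FORTIFY_HOME not set}/Samples/advanced/maven-plugin"
    if ! pom_versions_match "$plugin_src/pom.xml" pom.xml; then
        echo "sca-maven-plugin version in pom.xml differs from $plugin_src/pom.xml" >&2
        return 1
    fi
    (cd "$plugin_src" && mvn -q clean install) || return 1
    mvn -q sca:translate || return 1
    mvn -q sca:scan || return 1
    ls target/*.fpr >/dev/null 2>&1
}
```

Call run_fortify_scan from the project directory; a non-zero exit from any step stops the pipeline instead of producing an empty report.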


10 comments:

  1. Before running step #3 i.e. "mvn sca:scan", I had to run "mvn sca:translate" for Fortify 3.80.
    Otherwise it gave the error:
    [error]: Unable to load build session with ID "auditing-1.0". See log file for more details.

  2. Thanks for the feedback, I will update the steps!!

  3. Hi Sarang,

    I have the Fortify software with me but I am unable to find the maven-plugin location in my advanced folder (HP_FORTIFY\HP_Fortify_SCA_and_Apps_3.90\Samples\advanced\maven-plugin).

    Can you help me out on where to get that location.

    Thanks in advance,
    Samba.

  5. Thanks for the article. It was a time saver!

  6. Hi Sarang,

    While doing mvn clean install, I am getting the below error.

    Failed to execute goal org.apache.maven.plugins:maven-plugin-plugin:3.2:descriptor (default-descriptor) on project sca-maven-plugin:
    The API of the mojo scanner is not compatible with this plugin version. Please check the plugin dependencies configured in the POM and ensure the versions match.
    JVMCFRE006 invalidStackMap/StackMapTable attribute; class=sun/awt/AppContext, method=dispose()

    Can you please help on this.

    Regards
    Gunjan

  7. The SCA Maven Plugin was moved to /plugins/maven.

  8. Hi Sarang,

    I am also using the same plugin for SCA scan and it works perfectly, but it is not applying custom rule packs. I doubt this because when I scan my project through AWB there were so many issues, but when I scan through the maven plugin after the build from Jenkins the report was empty.
    Is there anything I am missing while using the plugin?

    Thanks in advance for your help.

    Regards,
    Balavinayagam

  9. Thanks for posting the information. How is merging a previous scan with the current scan for a project done?
