Strengthening Maven Integration - Installation

I want to run Fortify validation for a Maven Eclipse project.

Where to begin?

I understand that I need to update my pom.xml file to enable the Fortify plugin, but also do I need Fortify SCA installed on my machine? (I am running MacOS X). I tried to find a place to download Fortify SCA, but could not find it.

I would appreciate it if someone could share some links to point me in the right direction to complete the installation.

2 answers

I do not think Fortify installation is required, but it is rather difficult to get the maven sca plugin without it. If you install on another computer, you can only copy the plugin, but then you would not have the Audit Workbench application for working with the generated FPR. As @Eric said, you must get it through HP and it will not work without a license.

Once you have installed this, you will add profiles to your pom.xml to accomplish sca goals:

    <profile>
      <id>sca-clean</id>
      <activation>
        <activeByDefault>false</activeByDefault>
      </activation>
      <build>
        <plugins>
          <plugin>
            <groupId>com.fortify.ps.maven.plugin</groupId>
            <artifactId>sca-maven-plugin</artifactId>
            <version>4.30</version>
            <configuration>
              <jre64>true</jre64>
              <buildId>myproject</buildId>
              <toplevelArtifactId>myproject.parent</toplevelArtifactId>
              <skipTests>true</skipTests>
            </configuration>
            <executions>
              <execution>
                <goals>
                  <goal>clean</goal>
                </goals>
              </execution>
            </executions>
          </plugin>
        </plugins>
      </build>
    </profile>

    <profile>
      <id>sca-translate</id>
      <activation>
        <activeByDefault>false</activeByDefault>
      </activation>
      <build>
        <plugins>
          <plugin>
            <groupId>com.fortify.ps.maven.plugin</groupId>
            <artifactId>sca-maven-plugin</artifactId>
            <version>4.30</version>
            <configuration>
              <jre64>true</jre64>
              <jreStack>8M</jreStack>
              <maxHeap>12000M</maxHeap>
              <verbose>true</verbose>
              <buildId>myproject</buildId>
              <toplevelArtifactId>myproject.parent</toplevelArtifactId>
              <skipTests>true</skipTests>
              <failOnSCAError>true</failOnSCAError>
            </configuration>
            <executions>
              <execution>
                <goals>
                  <goal>translate</goal>
                </goals>
              </execution>
            </executions>
          </plugin>
        </plugins>
      </build>
    </profile>

    <profile>
      <id>sca-scan</id>
      <activation>
        <activeByDefault>false</activeByDefault>
      </activation>
      <build>
        <plugins>
          <plugin>
            <groupId>com.fortify.ps.maven.plugin</groupId>
            <artifactId>sca-maven-plugin</artifactId>
            <version>4.30</version>
            <configuration>
              <jre64>true</jre64>
              <jreStack>8M</jreStack>
              <maxHeap>12000M</maxHeap>
              <verbose>true</verbose>
              <buildId>myproject</buildId>
              <toplevelArtifactId>myproject.parent</toplevelArtifactId>
              <failOnSCAError>true</failOnSCAError>
              <upload>false</upload>
              <projectName>My Project Main Development</projectName>
              <projectVersion>${project.version}</projectVersion>
            </configuration>
          </plugin>
        </plugins>
      </build>
    </profile>

Run the check from the command line:

    mvn -Dmaven.test.skip=true -Dfortify.sca.buildId=myproject -Dfortify.sca.toplevel.artifactId=myproject.parent com.fortify.ps.maven.plugin:sca-maven-plugin:clean

Obviously, you will need to define the buildId and artifactId names, and that will change a little depending on whether you use a parent, aggregator or nothing.


In fact, profiles are not needed, only the plugin configuration.

    <build>
      <plugins>
        <plugin>
          <groupId>com.fortify.ps.maven.plugin</groupId>
          <artifactId>sca-maven-plugin</artifactId>
          <version>4.30</version>
          <configuration>
            <findbugs>true</findbugs>
            <htmlReport>true</htmlReport>
            <maxHeap>800M</maxHeap>
            <source>myJavaVersion</source>
            <buildId>myBuildId</buildId>
            <verbose>true</verbose>
            <skipTests>true</skipTests>
            <toplevelArtifactId>myTopLevelId</toplevelArtifactId>
          </configuration>
        </plugin>
      </plugins>
    </build>

Using a single Jenkins task, you can write a shell script as a preliminary step:

    mvn clean sca:clean -DskipTests
    mvn sca:translate -DskipTests

And then define the actual "Goals and Options" as:

    install sca:scan -DskipTests

Having them as separate command lines is the only way to get sca-clean, translate and scan (and send the report file to Fortify) performed in one Jenkins job.

Hope this works for you too!
