Fortify scanning in Eclipse projects over Maven

I have the Eclipse plugin for Fortify, but it only works on Java projects.

We have some Java projects, but they are Maven-based non-Java projects. I can edit each project's .project file and change its nature to Java to enable scanning. But is there a better way to run Fortify checks on Maven-based projects?

EDIT: I followed these steps, as indicated in some of the posts below:

  • Installed the Maven Fortify plugin
  • Added the details of the Maven plugin to my application's pom
  • Ran the translate and scan commands. It generated .fpr files as part of the projects
  • Also followed this useful blog http://fortify-maven.blogspot.in/

The only question I have is:

I have several projects, and an .fpr file is created for each project. Can I create a consolidated .fpr file for all the projects in one place?

Cheers, Saurav

3 answers

Fortify ships a plugin for Maven that you should use. Check out this directory:

 <Fortify Installation Folder>\Samples\advanced\maven-plugin 

You build the plugin with Maven, and then you can run the translate and scan commands from Maven. There is sample code in this directory, and the documentation is generated when you build the plugin.

+3

You can run it locally or integrate it as part of the build process. During the SCA translate phase, the Maven plugin will look for your jar files in the local repository and try to resolve the classes in your application.

Follow the commands below.

  • mvn sca:clean
  • mvn sca:translate
  • mvn sca:scan
+2
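The question above asks for one consolidated .fpr instead of one per project. The answer's three goals run one project at a time, but Fortify SCA accumulates translated code under a build ID, so translating every project into the same build ID and then running a single scan yields a single FPR. The script below is an added example for that, not code from the thread or from the Fortify plugin. It assumes the sca-maven-plugin goals named in the answer, that the plugin accepts -Dfortify.sca.buildId=<id> to select the build session, and that the sourceanalyzer CLI is on PATH (sourceanalyzer -b <id> -clean / -scan -f <out.fpr>); check all three against the README in <Fortify Installation Folder>\Samples\advanced\maven-plugin for your SCA version, because property names have changed between releases.

```shell
#!/bin/sh
# Added example (not from the original thread or the Fortify plugin):
# translate several Maven projects into ONE Fortify build ID, then run a
# single scan so that one consolidated FPR is produced instead of one per
# project.
#
# Assumptions to verify against the plugin README for your SCA version:
#   - goals sca:clean / sca:translate exist (as in the answer above);
#   - the plugin honours -Dfortify.sca.buildId=<id> for the build session;
#   - "sourceanalyzer -b <id> -scan -f <out.fpr>" scans everything that was
#     translated under that build ID.
set -eu

# Overridable so the functions can be exercised without Fortify installed.
MVN="${MVN:-mvn}"
SCA="${SCA:-sourceanalyzer}"

# Every argument must be a directory holding a pom.xml; otherwise the
# translate step would silently do nothing for that project.
# Returns 0 when all arguments are Maven projects, 1 (naming the first
# offender on stderr) otherwise.
check_projects() {
    for dir in "$@"; do
        if [ ! -f "$dir/pom.xml" ]; then
            echo "not a Maven project (no pom.xml): $dir" >&2
            return 1
        fi
    done
    return 0
}

# Wipe the shared build session once, then translate each project into it.
# Running "mvn sca:clean" inside every project would instead clear the
# shared session between projects, which is exactly what we do not want.
translate_all() {
    build_id=$1; shift
    check_projects "$@" || return 1
    "$SCA" -b "$build_id" -clean
    for dir in "$@"; do
        echo "translating $dir into build id $build_id"
        (cd "$dir" && "$MVN" -q sca:translate "-Dfortify.sca.buildId=$build_id")
    done
}

# One scan over everything translated under the build ID -> one FPR.
scan_all() {
    build_id=$1
    out=$2
    "$SCA" -b "$build_id" -scan -f "$out"
}

main() {
    if [ "$#" -lt 3 ]; then
        echo "usage: $0 <build-id> <out.fpr> <project-dir>..." >&2
        return 2
    fi
    build_id=$1; out=$2; shift 2
    translate_all "$build_id" "$@"
    scan_all "$build_id" "$out"
    echo "consolidated results written to $out"
}

# Example invocation from the parent folder of the projects:
#   sh consolidated_scan.sh all-projects all-projects.fpr proj-a proj-b proj-c
if [ "$#" -gt 0 ]; then main "$@"; fi
```

The resulting all-projects.fpr is what you upload to SSC once, instead of one FPR per project. Keep the build ID stable across runs so that SSC sees each upload as a new scan of the same application.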

When we ran Static Code Analyzer (SCA) version 6.21.0005 in the Maven build, the scan completed but could not be uploaded to Fortify Software Security Center (SSC). The previous successful upload to SSC had been done from the desktop Audit Workbench with scan engine version 6.21.0007. We assume that this difference, the lower version, caused the failure to upload FPR files into the SSC production project. When we revised the build script to upload the FPR file into a new project, the upload worked, meaning the error was on HP's side, which they confirmed. We were able to work around it by creating a new project that receives FPRs from a single source only. I recommend using a single source for SCA, or at least using the same SCA version number if you must use multiple scan sources.

0