Fortify Code Scan

Install Fortify Server

Install Fortify Client

* Run the Fortify installer, e.g. HP_Fortify_SCA_and_Apps_3.50_Windows_x64.exe.
* Add C:\Program Files\Fortify Software\HP Fortify v3.50\bin to the PATH environment variable.
* Copy the rule files folder to the C:\Program Files\Fortify Software\HP Fortify v3.50\Core\config\rules directory.

Create Fortify Projects

* Log in to the Fortify web site at http://scc01:8080/ssc
* Click the Projects tab.
* Click Add to add the project(s) you plan to scan.
* For example, for Maven projects:
– You can create a new project for every child project listed in the parent pom.xml file, using the artifact id as the project name. If a child pom.xml file specifies its own project name, use that name instead.
– Use the Maven project version you plan to scan as the version number.
– Alternatively, you can create a single project with version 1.x.x to hold all version 1 scan results.
– Also specify the programming language, e.g. Java, and a template for all the projects.

Fortify Scan

* Check out the project source code, e.g. from SVN. Make sure the version you check out matches the project version you created on the Fortify server.
* Change directory to where the parent pom.xml resides.
* Add the Fortify plugin to the parent pom.xml file:

	<plugin>
		<groupId>com.fortify.ps.maven.plugin</groupId>
		<artifactId>fortify-maven-plugin</artifactId>
		<version>2.6.0002</version>
		<configuration>
			<buildId>${project.name}</buildId>
			<source>1.6</source>
			<toplevelArtifactId>${project.name}</toplevelArtifactId>
			<failOnSCAError>true</failOnSCAError>
			<upload>true</upload>
			<f360Url>http://scc01:8080/ssc</f360Url>
			<f360AuthToken>...</f360AuthToken>
			<projectName>${project.name}</projectName>
			<projectVersion>1.x.x</projectVersion>
			<!--projectVersion>${project.version}</projectVersion-->
		</configuration>
	</plugin>

* Issue the Maven command:

mvn fortify:clean fortify:translate fortify:scan
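As an added example (not part of the post), a small Python pre-scan check that reads a pom.xml, confirms the project <version> fits the Fortify projectVersion (exact, or the 1.x.x catch-all described above) and flags an f360AuthToken written literally into a pom that is checked into SVN. make_pom only builds constructed sample poms; the ${fortify.token} property name is an assumption that relies on ordinary Maven property interpolation, not on a plugin feature.

```python
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}  # default POM namespace

def make_pom(version, fortify_version, token):
    """Constructed pom.xml modelled on the plugin block above (sample data, not a real project)."""
    version_tag = f"<version>{version}</version>" if version else ""
    return f"""<project xmlns="http://maven.apache.org/POM/4.0.0">{version_tag}
  <build><plugins><plugin>
    <groupId>com.fortify.ps.maven.plugin</groupId>
    <artifactId>fortify-maven-plugin</artifactId>
    <configuration>
      <projectVersion>{fortify_version}</projectVersion>
      <f360AuthToken>{token}</f360AuthToken>
    </configuration>
  </plugin></plugins></build>
</project>"""

def fortify_config(root):
    """Return the fortify-maven-plugin <configuration> element, or None if it is not declared."""
    for plugin in root.iterfind(".//m:plugin", NS):
        if plugin.findtext("m:artifactId", namespaces=NS) == "fortify-maven-plugin":
            return plugin.find("m:configuration", NS)
    return None

def version_matches(pom_version, fortify_version):
    """Exact match, except that each 'x' in the Fortify version (the 1.x.x catch-all) matches any number."""
    pattern = re.escape(fortify_version).replace("x", r"\d+")
    return re.fullmatch(pattern, pom_version) is not None

def check_pom(pom_xml):
    """Problems to fix before running mvn fortify:clean fortify:translate fortify:scan."""
    root = ET.fromstring(pom_xml)
    cfg = fortify_config(root)
    if cfg is None:
        return ["fortify-maven-plugin is not declared in this pom"]
    problems = []
    pom_version = root.findtext("m:version", namespaces=NS)
    fortify_version = cfg.findtext("m:projectVersion", namespaces=NS) or ""
    if pom_version is None:  # child poms often inherit <version> from the parent
        problems.append("no <version> in this pom (inherited); run the check against the parent pom")
    elif not version_matches(pom_version, fortify_version):
        problems.append(f"pom version {pom_version} does not fit Fortify projectVersion {fortify_version}")
    token = cfg.findtext("m:f360AuthToken", namespaces=NS) or ""
    if not token.startswith("${"):  # a literal token here is committed to SVN together with the pom
        problems.append("f360AuthToken is a literal; use ${fortify.token} and pass -Dfortify.token=... at scan time")
    return problems
```

Run check_pom on the parent pom before the mvn command; an empty list means the version mapping and token handling are consistent with the project you created on the server.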

Review Scan Results

* Log in to the Fortify web site at http://scc01:8080/ssc
* On the Dashboard page, you should see results for the project version you scanned.
* Click the project version number to view the results.
* Click Audit Results to start auditing the scan results.
