Install Fortify Server
Install Fortify Client
* Install Fortify SCA, e.g. HP_Fortify_SCA_and_Apps_3.50_Windows_x64.exe.
* Add C:\Program Files\Fortify Software\HP Fortify v3.50\bin to the PATH environment variable.
* Copy the rule files folder into the C:\Program Files\Fortify Software\HP Fortify v3.50\Core\config\rules directory.
Create Fortify Projects
* Log in to the Fortify SSC web site at http://scc01:8080/ssc
* Click the Projects tab.
* Click Add to add the project(s) you plan to scan.
* For example, for Maven projects:
– Create a new project for every child module listed in the parent pom.xml, using the module's artifactId as the project name. If the child pom.xml specifies its own project name, use that name instead.
– Use the Maven project version you plan to scan as the version number.
– Alternatively, create a single version such as 1.x.x to hold all version 1 scan results.
– Also specify the programming language, e.g. Java, and a template for all the projects.
Fortify Scan
* Check out the project source code, e.g. from SVN. Make sure the version you check out matches the project version you created on the Fortify server: the plugin uploads results to the project version named in its configuration, not to the version in the pom, so keep the two consistent.
* Change directory to where the parent pom.xml resides.
* Add the Fortify plugin to the parent pom.xml file:

    <plugin>
      <groupId>com.fortify.ps.maven.plugin</groupId>
      <artifactId>fortify-maven-plugin</artifactId>
      <version>2.6.0002</version>
      <configuration>
        <buildId>${project.name}</buildId>
        <source>1.6</source>
        <toplevelArtifactId>${project.name}</toplevelArtifactId>
        <failOnSCAError>true</failOnSCAError>
        <upload>true</upload>
        <f360Url>http://scc01:8080/ssc</f360Url>
        <f360AuthToken>...</f360AuthToken>
        <projectName>${project.name}</projectName>
        <projectVersion>1.x.x</projectVersion>
        <!--projectVersion>${project.version}</projectVersion-->
      </configuration>
    </plugin>

Two cautions about this configuration. f360AuthToken is a credential for an SSC account, so do not commit a real token to SVN inside the pom; define it as a Maven property in the build user's settings.xml and reference that property here instead of the literal value. And because f360Url is plain http, the token and the uploaded scan results cross the network unencrypted; use an https SSC URL where one is available.
* Issue the Maven command:
mvn fortify:clean fortify:translate fortify:scan
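The naming rules under Create Fortify Projects and the version check at the start of Fortify Scan are easy to get wrong by hand in a multi-module build. As an added example (not code from this page, from Fortify, or from the Maven plugin), the following Python script derives the SSC project name and version for each module the way the rules above describe, then reports which modules have no matching version in SSC before any scan is run. The pom documents and the list of versions registered in SSC are constructed inline so it runs offline; treating an SSC version such as 1.x.x as a wildcard over the pom version is this example's reading of the 1.x.x convention above.

```python
"""Derive Fortify SSC project names/versions from a Maven multi-module build
and check them against the versions registered in SSC before scanning.

Added example for this page; not Fortify's or the Maven plugin's own code.
The poms and the SSC version list below are constructed for the example.
"""
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed parent pom: two modules, version 1.2.0.
PARENT_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>scheduler-parent</artifactId>
  <version>1.2.0</version>
  <packaging>pom</packaging>
  <modules>
    <module>scheduler-core</module>
    <module>scheduler-web</module>
  </modules>
</project>
"""

# Constructed child poms keyed by module directory. scheduler-core inherits
# name and version; scheduler-web sets its own <name> and <version>.
CHILD_POMS = {
    "scheduler-core": """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <parent><groupId>com.example</groupId><artifactId>scheduler-parent</artifactId><version>1.2.0</version></parent>
  <artifactId>scheduler-core</artifactId>
</project>
""",
    "scheduler-web": """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <parent><groupId>com.example</groupId><artifactId>scheduler-parent</artifactId><version>1.2.0</version></parent>
  <artifactId>scheduler-web</artifactId>
  <name>Scheduler Web UI</name>
  <version>1.2.1</version>
</project>
""",
}

# Constructed view of what exists in SSC: project name -> registered versions.
SSC_PROJECT_VERSIONS = {
    "scheduler-core": ["1.x.x"],
    "Scheduler Web UI": ["1.2.0"],
}


def _text(elem, path):
    """Text of the first element at a namespaced path, or None."""
    node = elem.find(path, NS)
    return node.text.strip() if node is not None and node.text else None


def fortify_projects(parent_pom_xml, child_poms):
    """Return [(ssc_project_name, version)] for every module of the parent.

    Name is the child's artifactId unless the child pom sets <name>; version
    is the child's own <version> if declared, otherwise the parent's.
    """
    parent = ET.fromstring(parent_pom_xml)
    parent_version = _text(parent, "m:version")
    projects = []
    for module in parent.findall("m:modules/m:module", NS):
        child = ET.fromstring(child_poms[module.text.strip()])
        name = _text(child, "m:name") or _text(child, "m:artifactId")
        version = _text(child, "m:version") or parent_version
        projects.append((name, version))
    return projects


def version_matches(pom_version, ssc_version):
    """True if the pom version fits the SSC version, where an 'x' component
    in the SSC version is a wildcard (1.2.0 matches 1.x.x, 2.0.0 does not)."""
    pom_parts, ssc_parts = pom_version.split("."), ssc_version.split(".")
    if len(pom_parts) != len(ssc_parts):
        return False
    return all(s == "x" or s == p for p, s in zip(pom_parts, ssc_parts))


def resolve_ssc_versions(projects, ssc_registered):
    """Map each project name to the SSC version the plugin should upload to,
    or None when nothing registered in SSC matches the checked-out version."""
    resolved = {}
    for name, version in projects:
        candidates = ssc_registered.get(name, [])
        resolved[name] = next(
            (v for v in candidates if version_matches(version, v)), None)
    return resolved


if __name__ == "__main__":
    projects = fortify_projects(PARENT_POM, CHILD_POMS)
    for name, version in projects:
        target = resolve_ssc_versions(projects, SSC_PROJECT_VERSIONS)[name]
        if target is None:
            print(f"STOP: {name} {version} has no matching project version in SSC")
        else:
            print(f"ok:   {name} {version} -> upload to SSC version {target}")
```

In a real checkout you would read the parent and child poms from disk and pull the registered versions from SSC; the value the script resolves for each module is the one to put in the plugin's projectVersion, and a None result means the project version still has to be created in SSC before the scan is uploaded.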
Review Scan Results
* Log in to the Fortify SSC web site at http://scc01:8080/ssc
* On the Dashboard page, you should see results for the project version you scanned.
* Click the project version number to view the results.
* Click Audit Results to start auditing the scan results.
Hi there,
I am trying to create a Fortify report for a Maven project. I configured it as you suggested, but I am getting the error below when running the "mvn fortify:clean fortify:translate fortify:scan" command.
Please suggest where I am making a mistake.
Thanks in advance.
Error:
E:\gitRpository\ea-enterprise-job-scheduler>mvn fortify:clean fortify:translate fortify:scan
[INFO] Scanning for projects...
[WARNING] The POM for com.fortify.ps.maven.plugin:fortify-maven-plugin:jar:2.6.0002 is missing, no dependency information available
[WARNING] Failed to retrieve plugin descriptor for com.fortify.ps.maven.plugin:fortify-maven-plugin:2.6.0002: Plugin com.fortify.ps.maven.plugin:fortify-maven-plugin:2.6.0002 or one of its dependencies could not be resolved: Failure to find com.fortify.ps.maven.plugin:fortify-maven-plugin:jar:2.6.0002 in http://repo.maven.apache.org/maven2 was cached in the local repository, resolution will not be reattempted until the update interval of central has elapsed or updates are forced
Downloading: http://repo.maven.apache.org/maven2/org/codehaus/mojo/maven-metadata.xml
Downloading: http://repo.maven.apache.org/maven2/org/apache/maven/plugins/maven-metadata.xml
Downloaded: http://repo.maven.apache.org/maven2/org/codehaus/mojo/maven-metadata.xml (20 KB at 8.2 KB/sec)
Downloaded: http://repo.maven.apache.org/maven2/org/apache/maven/plugins/maven-metadata.xml (13 KB at 5.2 KB/sec)
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 3.343 s
[INFO] Finished at: 2014-09-24T21:11:21+05:30
[INFO] Final Memory: 6M/15M
[INFO] ------------------------------------------------------------------------
[ERROR] No plugin found for prefix 'fortify' in the current project and in the plugin groups [org.apache.maven.plugins, org.codehaus.mojo] available from the repositories [local (C:\Users\ajit.samanta\.m2\repository), central (http://repo.maven.apache.org/maven2)] -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/NoPluginFoundForPrefixException
E:\gitRpository\ea-enterprise-job-scheduler>