Fortify integration with Maven - install

java eclipse maven fortify fortify-source

28,561

Solution 1

I don't think the Fortify installation is required, but it's pretty hard to get the maven sca plugin without it. If you install on another machine you could copy just the plugin over, but then you wouldn't have the Audit Workbench application to work with the generated FPR. As @Eric said, you have to get it through HP and it will not work without a license.

Once you get that installed you add profiles to your pom.xml to execute the sca targets:

<profile>
  <id>sca-clean</id>
  <activation>
    <activeByDefault>false</activeByDefault>
  </activation>
  <build>
    <plugins>
      <plugin>
        <groupId>com.fortify.ps.maven.plugin</groupId>
        <artifactId>sca-maven-plugin</artifactId>
        <version>4.30</version>
        <configuration>
          <jre64>true</jre64>
          <buildId>myproject</buildId>
          <toplevelArtifactId>myproject.parent</toplevelArtifactId>
          <skipTests>true</skipTests>
        </configuration>
        <executions>
          <execution>
            <goals>
              <goal>clean</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</profile>


<profile>
  <id>sca-translate</id>
  <activation>
    <activeByDefault>false</activeByDefault>
  </activation>
  <build>
    <plugins>
      <plugin>
        <groupId>com.fortify.ps.maven.plugin</groupId>
        <artifactId>sca-maven-plugin</artifactId>
        <version>4.30</version>
        <configuration>
          <jre64>true</jre64>
          <jreStack>8M</jreStack>
          <maxHeap>12000M</maxHeap>
          <verbose>true</verbose>
          <buildId>myproject</buildId>
          <toplevelArtifactId>myproject.parent</toplevelArtifactId>
          <skipTests>true</skipTests>
          <failOnSCAError>true</failOnSCAError>
        </configuration>
        <executions>
          <execution>
            <goals>
              <goal>translate</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</profile>


<profile>
  <id>sca-scan</id>
  <activation>
    <activeByDefault>false</activeByDefault>
  </activation>
  <build>
    <plugins>
      <plugin>
        <groupId>com.fortify.ps.maven.plugin</groupId>
        <artifactId>sca-maven-plugin</artifactId>
        <version>4.30</version>
        <configuration>
          <jre64>true</jre64>
          <jreStack>8M</jreStack>
          <maxHeap>12000M</maxHeap>
          <verbose>true</verbose>
          <buildId>myproject</buildId>
          <toplevelArtifactId>myproject.parent</toplevelArtifactId>
          <failOnSCAError>true</failOnSCAError>
          <upload>false</upload>
          <projectName>My Project Main Development</projectName>
          <projectVersion>${project.version}</projectVersion>
        </configuration>
      </plugin>
    </plugins>
  </build>
</profile>

Run the scan from the command line:

mvn -Dmaven.test.skip=true -Dfortify.sca.buildId=myproject -Dfortify.sca.toplevel.artifactId=myproject.parent com.fortify.ps.maven.plugin:sca-maven-plugin:clean

Obviously, you will have to figure out the buildId and artifactId naming, and it varies a little depending on if you're using parent, aggregator, or nothing.

Solution 2

Actually profiles are not needed, only the plugin configuration.

<build>
    <plugins> 
        <plugin>
            <groupId>com.fortify.ps.maven.plugin</groupId>
            <artifactId>sca-maven-plugin</artifactId>
            <version>4.30</version>
            <configuration>
                <findbugs>true</findbugs>
                <htmlReport>true</htmlReport>
                <maxHeap>800M</maxHeap>
                <source>myJavaVersion</source>
                <buildId>myBuildId</buildId>
                <verbose>true</verbose>
                <skipTests>true</skipTests>
                <toplevelArtifactId>myTopLevelId</toplevelArtifactId>
            </configuration>
        </plugin>
    </plugins>
</build>

By using a single Jenkins job you can write, as a pre-step, a shell script:

mvn clean sca:clean -DskipTests
mvn sca:translate -DskipTests

And then define the actual "Goals and options" as:

install sca:scan -DskipTests

Having them as separate command lines is the only way to have the sca-clean,translate and scan (and report file sending to Fortify) done in one Jenkins job.

Hope this works for you too!

28,561

Author by

Rory Lester

Updated on May 10, 2020

Comments

Rory Lester about 4 years

I want to run a Fortify scan against a Maven Eclipse project.

Where should I start?

I understand that I need to update my pom.xml file to include the Fortify plugin however do I also require to have Fortify SCA installed on my machine? (I'm running MacOS X). I have been trying to find a place to download Fortify SCA but have not been able find it.

I would appreciate it if someone could share some links to point me in the right direction in getting the setup complete.
banterCZ over 8 years

No fpr was generated in my case. I have to run clean, translate and scan as separate maven commands.
pacoverflow over 7 years

I found out that adding those 3 profiles to the pom.xml is not necessary. After installing the Fortify maven plugin, I just had to run the 3 commands mentioned here.
piit79 over 7 years

How did you come to the conclusion that they need to be separate commands? I'm executing Maven goals clean sca:clean sca:translate sca:scan in my Jenkins job and it works just fine...
Prokis over 7 years

No specific reason, just how it worked for me, when the single line command did not do the work.