Fortify integration with Maven - install
Solution 1
I don't think the Fortify installation is required, but it's pretty hard to get the maven sca plugin without it. If you install on another machine you could copy just the plugin over, but then you wouldn't have the Audit Workbench application to work with the generated FPR. As @Eric said, you have to get it through HP and it will not work without a license.
Once you get that installed you add profiles to your pom.xml to execute the sca targets:
<profile>
<id>sca-clean</id>
<activation>
<activeByDefault>false</activeByDefault>
</activation>
<build>
<plugins>
<plugin>
<groupId>com.fortify.ps.maven.plugin</groupId>
<artifactId>sca-maven-plugin</artifactId>
<version>4.30</version>
<configuration>
<jre64>true</jre64>
<buildId>myproject</buildId>
<toplevelArtifactId>myproject.parent</toplevelArtifactId>
<skipTests>true</skipTests>
</configuration>
<executions>
<execution>
<goals>
<goal>clean</goal>
</goals>
</execution>
</executions>
</plugin>
</plugins>
</build>
</profile>
<profile>
<id>sca-translate</id>
<activation>
<activeByDefault>false</activeByDefault>
</activation>
<build>
<plugins>
<plugin>
<groupId>com.fortify.ps.maven.plugin</groupId>
<artifactId>sca-maven-plugin</artifactId>
<version>4.30</version>
<configuration>
<jre64>true</jre64>
<jreStack>8M</jreStack>
<maxHeap>12000M</maxHeap>
<verbose>true</verbose>
<buildId>myproject</buildId>
<toplevelArtifactId>myproject.parent</toplevelArtifactId>
<skipTests>true</skipTests>
<failOnSCAError>true</failOnSCAError>
</configuration>
<executions>
<execution>
<goals>
<goal>translate</goal>
</goals>
</execution>
</executions>
</plugin>
</plugins>
</build>
</profile>
<profile>
<id>sca-scan</id>
<activation>
<activeByDefault>false</activeByDefault>
</activation>
<build>
<plugins>
<plugin>
<groupId>com.fortify.ps.maven.plugin</groupId>
<artifactId>sca-maven-plugin</artifactId>
<version>4.30</version>
<configuration>
<jre64>true</jre64>
<jreStack>8M</jreStack>
<maxHeap>12000M</maxHeap>
<verbose>true</verbose>
<buildId>myproject</buildId>
<toplevelArtifactId>myproject.parent</toplevelArtifactId>
<failOnSCAError>true</failOnSCAError>
<upload>false</upload>
<projectName>My Project Main Development</projectName>
<projectVersion>${project.version}</projectVersion>
</configuration>
</plugin>
</plugins>
</build>
</profile>
Run the scan from the command line:
mvn -Dmaven.test.skip=true -Dfortify.sca.buildId=myproject -Dfortify.sca.toplevel.artifactId=myproject.parent com.fortify.ps.maven.plugin:sca-maven-plugin:clean
Obviously, you will have to figure out the buildId and artifactId naming, and it varies a little depending on if you're using parent, aggregator, or nothing.
Solution 2
Actually profiles are not needed, only the plugin configuration.
<build>
<plugins>
<plugin>
<groupId>com.fortify.ps.maven.plugin</groupId>
<artifactId>sca-maven-plugin</artifactId>
<version>4.30</version>
<configuration>
<findbugs>true</findbugs>
<htmlReport>true</htmlReport>
<maxHeap>800M</maxHeap>
<source>myJavaVersion</source>
<buildId>myBuildId</buildId>
<verbose>true</verbose>
<skipTests>true</skipTests>
<toplevelArtifactId>myTopLevelId</toplevelArtifactId>
</configuration>
</plugin>
</plugins>
</build>
By using a single Jenkins job you can write, as a pre-step, a shell script:
mvn clean sca:clean -DskipTests
mvn sca:translate -DskipTests
And then define the actual "Goals and options" as:
install sca:scan -DskipTests
Having them as separate command lines is the only way to have the sca-clean,translate and scan (and report file sending to Fortify) done in one Jenkins job.
Hope this works for you too!
Rory Lester
Updated on May 10, 2020Comments
-
Rory Lester about 4 years
I want to run a Fortify scan against a Maven Eclipse project.
Where should I start?
I understand that I need to update my
pom.xml
file to include the Fortify plugin however do I also require to have Fortify SCA installed on my machine? (I'm running MacOS X). I have been trying to find a place to download Fortify SCA but have not been able find it.I would appreciate it if someone could share some links to point me in the right direction in getting the setup complete.
-
banterCZ over 8 yearsNo fpr was generated in my case. I have to run
clean
,translate
andscan
as separate maven commands. -
pacoverflow over 7 yearsI found out that adding those 3 profiles to the pom.xml is not necessary. After installing the Fortify maven plugin, I just had to run the 3 commands mentioned here.
-
piit79 over 7 yearsHow did you come to the conclusion that they need to be separate commands? I'm executing Maven goals
clean sca:clean sca:translate sca:scan
in my Jenkins job and it works just fine... -
Prokis over 7 yearsNo specific reason, just how it worked for me, when the single line command did not do the work.