Fortify analyzer issue for a C# project

Hi there,

I have been struggling for some time with my C# project source code scanned with Fortify 4.30 on a Windows 7 server. I used both the Fortify GUI and the command "sourceanalyzer -scan myproject myproject.sln" to do the source scan; the results were the same: it never scanned any C# .cs file, and there are a few hundred .cs files in its current and sub-folders. Where is the problem?

Thanks in advance.

  • Hi Curtis, for C# projects we actually hook into the build of the project in order to translate the code and then scan. There's a couple of ways to go about this:

    • The first is to install the IDE plugin for the relevant version of Visual Studio which you're using. You can then run the scan from within the IDE itself. You can find full details of how to go about this here:
    • It's also possible to perform scans from the command line. As with all SCA scans you first need to clean your build ID, then perform the translation, before finally performing the scan itself. You can find the correct translation command for .NET projects on Page 22 of . The full set of commands would be along the lines of:
      • sourceanalyzer -b buildID -clean
      • sourceanalyzer -b buildID devenv myproject.sln /rebuild debug
      • sourceanalyzer -b buildID -scan -f output.fpr

    Rather than simply calling devenv it may be necessary to point directly to the devenv.exe within your Visual Studio installation.

    If you run into any issues along the way please drop an email to fortifytechsupport@hp.com and the team will be able to assist you further.
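The clean / translate / scan sequence from the reply as one PowerShell script, added here as an example and not code from the thread or from Fortify. It resolves devenv.exe explicitly as the reply suggests and, before scanning, lists the files stored under the build ID with `sourceanalyzer -show-files` to confirm that .cs files were actually translated (the missing step behind the "no .cs files scanned" symptom in the question). The build ID, solution and output names are assumptions.

```powershell
# Added example (not from the original thread): three-step Fortify SCA flow for a
# .NET solution with a check that C# sources were translated before the scan runs.
# Build ID, solution path and output name below are assumed values.
param(
    [string]$BuildId  = "myproject",
    [string]$Solution = "myproject.sln",
    [string]$Output   = "output.fpr",
    [string]$Devenv   = ""   # optional explicit path to devenv.exe
)
$ErrorActionPreference = "Stop"

# Resolve devenv.exe explicitly rather than relying on PATH (assumes a default
# Visual Studio layout under Program Files; pass -Devenv to override).
if (-not $Devenv) {
    $roots  = @(${env:ProgramFiles(x86)}, $env:ProgramFiles) | Where-Object { $_ }
    $Devenv = Get-ChildItem -Path $roots -Recurse -Filter devenv.exe -ErrorAction SilentlyContinue |
              Select-Object -First 1 -ExpandProperty FullName
}
if (-not $Devenv) { throw "devenv.exe not found; pass -Devenv <path>" }

# 1. Clean any previous translation stored under this build ID.
& sourceanalyzer -b $BuildId -clean

# 2. Translate by wrapping the real build; SCA intercepts the compiler invocations.
& sourceanalyzer -b $BuildId $Devenv $Solution /rebuild debug
if ($LASTEXITCODE -ne 0) { throw "translation build failed (exit code $LASTEXITCODE)" }

# Verify that C# sources made it into the build ID. An empty list here is the
# symptom from the question: the scan runs but covers no .cs file.
$files   = & sourceanalyzer -b $BuildId -show-files
$csCount = @($files | Where-Object { $_ -match '\.cs$' }).Count
if ($csCount -eq 0) { throw "no .cs files translated under build ID '$BuildId'; check the build output" }
Write-Host "$csCount C# files translated under build ID '$BuildId'"

# 3. Scan the translated code and write the FPR.
& sourceanalyzer -b $BuildId -scan -f $Output
if (-not (Test-Path $Output)) { throw "scan did not produce $Output" }
```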
