UPDATE! The community will be go into read-only on April 19, 8am Pacific in preparation for migration on April 21. Read more.
UPDATE! The community will be go into read-only on April 19, 8am Pacific in preparation for migration on April 21.Read more.
Cadet 3rd Class
Cadet 3rd Class
271 views

Azure DevOps no FPR File Generated

Attempting to run an SCA scan on a very simple .NET solution.  The task appears to run without error (no errors in console output or log file using verbose logging).  However, no FPR file is generated by the task.  See included screen shot of task configuration.

0 Likes
4 Replies
Knowledge Partner Knowledge Partner
Knowledge Partner

You mention checking the console output and log file... that was my first thought.... so there are no indications of errors there? Do you see INFO output messages indicating that the scan is processing/completing?

For instance...

[2021-01-06 09:34:19.402 INFO 1455] Configuration analysis complete
[2021-01-06 09:36:40.933 INFO 1458] Rendering 22 results
[2021-01-06 09:36:54.810 INFO 1459] Analysis completed in 05:45

Is it possible that the .fpr file is being created but saved in a folder/location that you do not expect?

I am not familiar with this plug-in, but is there an option to define/name the fpr file , such as -f \mylocation\myscanresults.fpr

On my Windows machine, the SCA log file is located here: 

C:\Users\<user>\AppData\Local\Fortify\sca20.2\log\sca.log

 

 

0 Likes
Cadet 3rd Class
Cadet 3rd Class

@rhelsens Thanks for the reply.  Based on your example, I do not see anything in the log that would indicate that the scan is processing/completing.  The log files are being generated to a known location so I would assume the FPR file would be in the same path.  The build log file in this case is empty.  The support log file has a variety of entries but nothing that looks like the example you showed.  The console output is shown below.

 

==============================================================================
Task : Fortify Static Code Analyzer Assessment
Description : Run Fortify Static Code Analyzer
Version : 7.0.1
Author : Micro Focus
Help :
==============================================================================
Executing sourceanalyzer.exe --version to determine if proper SCA version is installed
[command]sourceanalyzer.exe -b 20210303.2 -verbose -clean
Fortify Static Code Analyzer 19.1.0.2241 (using JRE 1.8.0_271)
[command]sourceanalyzer.exe -b 20210303.2 -verbose -logfile F:\DevOpsAgent\_work\10\a\sca_artifacts\SaveSearchStatusEmailer.sln_build.log devenv F:/DevOpsAgent/_work/10/s/Main/UnifiedSearch/SaveSearchStatusEmailer/SaveSearchStatusEmailer.sln /REBUILD DEBUG
Fortify Static Code Analyzer 19.1.0.2241 (using JRE 1.8.0_271)
Microsoft (R) Build Engine version 15.7.179.6572 for .NET Framework
Copyright (C) Microsoft Corporation. All rights reserved.

Building the projects in this solution one at a time. To enable parallel build, please add the "/m" switch.
SaveSearchStatusEmailer -> F:\DevOpsAgent\_work\10\s\Main\UnifiedSearch\SaveSearchStatusEmailer\SaveSearchStatusEmailer\bin\Debug\SaveSearchStatusEmailer.exe
Build started 3/3/2021 9:57:43 AM.

Running translation: "-Xmx30923325850" "-Xss16M" -dotnet-version 4.6.1 @"C:\Users\svc-taz-tfs\AppData\Local\Fortify\MSBuildPlugin\SaveSearchStatusEmailer\SaveSearchStatusEmailer_Build.txt"


Build succeeded.

Time Elapsed 00:00:56.71
(node:10848) Warning: Use Cipheriv for counter mode of aes-256-ctr
(node:10848) Warning: Use Cipheriv for counter mode of aes-256-ctr
(node:10848) Warning: Use Cipheriv for counter mode of aes-256-ctr
(node:10848) Warning: Use Cipheriv for counter mode of aes-256-ctr
(node:10848) Warning: Use Cipheriv for counter mode of aes-256-ctr
(node:10848) Warning: Use Cipheriv for counter mode of aes-256-ctr
(node:10848) Warning: Use Cipheriv for counter mode of aes-256-ctr
(node:10848) Warning: Use Cipheriv for counter mode of aes-256-ctr
(node:10848) Warning: Use Cipheriv for counter mode of aes-256-ctr
(node:10848) Warning: Use Cipheriv for counter mode of aes-256-ctr
(node:10848) Warning: Use Cipheriv for counter mode of aes-256-ctr
(node:10848) Warning: Use Cipheriv for counter mode of aes-256-ctr
(node:10848) Warning: Use Cipheriv for counter mode of aes-256-ctr
(node:10848) Warning: Use Cipheriv for counter mode of aes-256-ctr
(node:10848) Warning: Use Cipheriv for counter mode of aes-256-ctr
(node:10848) Warning: Use Cipheriv for counter mode of aes-256-ctr
(node:10848) Warning: Use Cipheriv for counter mode of aes-256-ctr
(node:10848) Warning: Use Cipheriv for counter mode of aes-256-ctr

0 Likes
Knowledge Partner Knowledge Partner
Knowledge Partner

Hi,

Based on that log file, I do not see a -SCAN step occurring.

You can see there are only 2 [command]sourceanalyzer.exe being executed, the final step is to issue a -SCAN command such as

[command]sourceanalyzer.exe -b 20210303.2 -scan -format fpr -f results.fpr

I am not familiar with that plug-in, are you missing a check or value somewhere that is preventing this scan step from running?

 

 

0 Likes
Cadet 3rd Class
Cadet 3rd Class

Thanks again. But not sure what else I would need to do besides checking the box to perform the scan as shown in the screenshot attached to the original post.

 

 

 

0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.