Lieutenant

Fortify build for .NET Core Projects

I'm trying to run the following PowerShell script to scan my solution (.NET Core 2.0) with Fortify:

$SolutionFilePath = "C:\Repositories\MyProject"
$SolutionFileName = "MyProjectToTest"
$SSCFPRFileName = "MyProjectToTest.fpr"
$BuildIdName = "MyProjectToTest"


$path = "D:\Fortify"
If(!(test-path $path))
{
   New-Item -ItemType Directory -Force -Path $path
}

cd \
cd "C:\Program Files (x86)\Microsoft Visual Studio\2019\BuildTools\MSBuild\Current\Bin"

sourceanalyzer -b $BuildIdName -clean
sourceanalyzer -b $BuildIdName msbuild "$SolutionFilePath\$SolutionFileName.sln" 
sourceanalyzer -b $BuildIdName -scan -f "$path\$SSCFPRFileName"

exit 0

Everything works fine on my local machine.

But when I tried to run it on the server as a build step in TeamCity (TeamCity Enterprise 2018.2.1 (build 61078)) I got an error:

Microsoft (R) Build Engine version 16.0.461+g6ff56ef63c for .NET Framework
Copyright (C) Microsoft Corporation. All rights reserved.

MSBUILD : error MSB1021: Cannot create an instance of the logger. Could not load file or assembly 'Microsoft.Build.Utilities, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a' or one of its dependencies. The system cannot find the file specified.
Switch: C:\Program Files\HPE_Security\Fortify_SCA_and_Apps_17.20\Core\lib\FortifyMSBuildTouchless.dll

I'm using the same version of Fortify on my local machine and the server (Fortify Static Code Analyzer 17.20.0183 (using JRE 1.8.0_144)).

On both the server and the local machine I installed Build Tools for Visual Studio 2019 and the .NET Core SDK.

I tried different versions of MSBuild (14, 15, 16), dotnet.exe and devenv.exe, and I installed PowerShell Core. I got the same error.

I could also run the script on the same server for .NET Framework projects successfully; the only change is that I used a different path:

cd "C:\Windows\Microsoft.NET\Framework64\v4.0.30319"

 

It seems Fortify 17.20 does not support .NET Core 2.X. When I add

-dotnet-core-version 2.0

I get an error (both locally and on the server):

[error]: Invalid parameter 2.0 for command line argument -dotnet-core-version

But with 1.X it is OK, so how is it possible that the same version of Fortify works fine locally but not on the server?

What is the problem with .NET Core projects? Any idea?

Accepted Solutions
Lieutenant

After some searching I found this one and it works fine for me:

$SolutionFilePath = "C:\Repositories\MyProject"
$SolutionFileName = "MyProjectToTest"
$SSCFPRFileName = "MyProjectToTest.fpr"
$BuildIdName = "MyProjectToTest"


$path = "D:\Fortify"
If(!(test-path $path))
{
   New-Item -ItemType Directory -Force -Path $path
}

cd \
cd "$SolutionFilePath"

sourceanalyzer -b $BuildIdName -clean
sourceanalyzer -b $BuildIdName -libdirs **/* **/* 
sourceanalyzer -b $BuildIdName -scan -f "$path\$SSCFPRFileName"

exit 0

No msbuild, no other commands: just navigate to the solution folder and run it without any extra command.
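
The scripts in this thread end with an unconditional `exit 0`, so a TeamCity build step reports success even when a sourceanalyzer phase fails. The following is an added example, not code from the original posts: it runs the same three commands as the accepted answer but fails the step on a non-zero exit code or a missing FPR. `Invoke-FortifyPhase` is a hypothetical helper, the paths and build ID are the thread's sample values, and it assumes sourceanalyzer returns a non-zero exit code on failure.

```powershell
# Added example. Invoke-FortifyPhase is a hypothetical helper name;
# paths and the build ID are the sample values used in the thread.
$SolutionFilePath = "C:\Repositories\MyProject"
$BuildIdName      = "MyProjectToTest"
$OutputDir        = "D:\Fortify"
$FprPath          = Join-Path $OutputDir "MyProjectToTest.fpr"

function Invoke-FortifyPhase {
    param(
        [Parameter(Mandatory)][string]   $Name,
        [Parameter(Mandatory)][string[]] $Arguments
    )
    Write-Host "== sourceanalyzer phase: $Name"
    & sourceanalyzer @Arguments
    # Assumption: sourceanalyzer signals failure through a non-zero exit code.
    if ($LASTEXITCODE -ne 0) {
        throw "sourceanalyzer $Name failed with exit code $LASTEXITCODE"
    }
}

try {
    if (-not (Test-Path $OutputDir)) {
        New-Item -ItemType Directory -Force -Path $OutputDir -ErrorAction Stop | Out-Null
    }
    # Delete any FPR left by an earlier run so a stale file cannot pass for a fresh result.
    if (Test-Path $FprPath) { Remove-Item -Force $FprPath -ErrorAction Stop }

    Set-Location $SolutionFilePath -ErrorAction Stop

    # Same three invocations as the accepted answer, each one checked.
    Invoke-FortifyPhase -Name 'clean'     -Arguments @('-b', $BuildIdName, '-clean')
    Invoke-FortifyPhase -Name 'translate' -Arguments @('-b', $BuildIdName, '-libdirs', '**/*', '**/*')
    Invoke-FortifyPhase -Name 'scan'      -Arguments @('-b', $BuildIdName, '-scan', '-f', $FprPath)

    if (-not (Test-Path $FprPath) -or (Get-Item $FprPath).Length -eq 0) {
        throw "Scan reported success but $FprPath is missing or empty"
    }
}
catch {
    # Surface the reason in the build log and fail the build step.
    Write-Host "Fortify step failed: $_"
    exit 1
}
exit 0
```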

Cadet 1st Class

I have dotnet core 2.1 and dotnet standard 2.0 projects.

I'm using the Azure DevOps (TFS) extension "Micro Focus Fortify" https://marketplace.visualstudio.com/items?itemName=fortifyvsts.hpe-security-fortify-vsts

The build task "Fortify Static Code Analyser Assessment" tries to run a command like the following, which is generated internally and which I cannot change:

sourceanalyzer.exe -b Comp2020_200507_attempt_.6 -verbose -debug -logfile E:\TFSAgents\CB-01-SVRB-agent1\_work\621\a\sca_artifacts\LoggingFramework.csproj_build.log devenv E:/TFSAgents/CB-01-SVRB-agent1/_work/621/s/NN-MIMS/AMCP_Sprinting/CoreUtilities/Logging/LoggingFramework/LoggingFramework/LoggingFramework.csproj /REBUILD DEBUG
 
It just raises an error "Build FAILED."
The log files are not informational. In all log files there is nothing specific.
This is while I can build the project manually via both dotnet.exe and devenv.exe without any issue.
I also run dotnet restore or dotnet build before sourceanalyzer but it makes no difference.
 
I can analyse the project inside Visual Studio using the Fortify Visual Studio extension SecurityAssistant_19.2.0.0383.vsix.
I'm using Fortify 18.20 and Visual Studio 2019.
I tried it with VS2017 and Fortify 17.20 as well.
 