
Help to scan my build


Hello guys,

I have Fortify SCA to scan my source code (Java).

Nowadays, I am suffering to make it work, because I am doing everything manually.

So, my development team generates the build and we have many .WAR files.

I need to get them, rename them to .ZIP, extract them to a folder, search for .jsp, .class and other files, and copy those to another folder.

After that, I start the command line scan on that folder:

sourceanalyzer -b Build15 -clean

sourceanalyzer -b Build15 -source 1.6 -cp "C:\Program Files\Java\jdk1.8.0_60\lib\*.jar" C:/Build15/*.jsp

sourceanalyzer -b Build15 -source 1.6 -64 -Xmx10G -scan -f C:\Build15\15.fpr

We are using NetBeans to generate the version. (In the future we may change to another tool.)

So, is it possible to integrate SCA so that it runs automatically in the build process, and generates a report or something like this for audit and a remediation plan?

Thanks,

Diego
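The manual steps above (unpack each WAR, gather the translatable files, then the clean / translate / scan commands) as one script. This is an added example, not code from the post or from Fortify; the extension list, the sample WAR, the Build15 paths and the JDK classpath are assumptions, and the script only assembles the sourceanalyzer command lines rather than executing them.

```python
import shutil
import tempfile
import zipfile
from pathlib import Path

# Extensions copied out of each unpacked WAR before translation (assumed list).
WANTED = (".jsp", ".class", ".java", ".xml", ".properties")

def unpack_wars(war_dir: Path, work_dir: Path) -> list[Path]:
    """A WAR is a ZIP: unpack the wanted members of every *.war into work_dir."""
    work_dir = work_dir.resolve()
    collected = []
    for war in sorted(war_dir.glob("*.war")):
        with zipfile.ZipFile(war) as zf:
            for member in zf.infolist():
                if member.is_dir() or not member.filename.endswith(WANTED):
                    continue
                target = (work_dir / war.stem / member.filename).resolve()
                # Refuse archive entries that would land outside work_dir ("zip slip").
                if work_dir not in target.parents:
                    raise ValueError(f"{war.name}: entry escapes work dir: {member.filename}")
                target.parent.mkdir(parents=True, exist_ok=True)
                with zf.open(member) as src, open(target, "wb") as dst:
                    shutil.copyfileobj(src, dst)
                collected.append(target)
    return collected

def sca_commands(build_id: str, work_dir: Path, jdk_lib: str, fpr: Path) -> list[list[str]]:
    """The clean / translate / scan steps from the post as argv lists (no shell involved)."""
    return [
        ["sourceanalyzer", "-b", build_id, "-clean"],
        # sourceanalyzer expands the **/*.jsp pattern itself, so no shell globbing is needed.
        ["sourceanalyzer", "-b", build_id, "-source", "1.6", "-cp", jdk_lib,
         str(work_dir / "**" / "*.jsp")],
        ["sourceanalyzer", "-b", build_id, "-64", "-Xmx10G", "-scan", "-f", str(fpr)],
    ]

def make_sample_war(war_dir: Path) -> Path:
    """Constructed sample WAR for the demo: two wanted files and one ignored jar."""
    war_dir.mkdir(parents=True, exist_ok=True)
    war = war_dir / "app.war"
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("index.jsp", '<%= request.getParameter("q") %>')
        zf.writestr("WEB-INF/classes/com/example/Foo.class", b"\xca\xfe\xba\xbe")
        zf.writestr("WEB-INF/lib/lib.jar", b"not translated")
    return war

if __name__ == "__main__":
    root = Path(tempfile.mkdtemp())
    make_sample_war(root / "wars")
    files = unpack_wars(root / "wars", root / "Build15")
    print(f"collected {len(files)} files")
    jdk = r"C:\Program Files\Java\jdk1.8.0_60\lib\*.jar"  # assumed, from the post
    for cmd in sca_commands("Build15", root / "Build15", jdk, root / "15.fpr"):
        print(" ".join(cmd))  # on the scan box: subprocess.run(cmd, check=True)
```

Each command is an argv list, so a Jenkins or Gradle step can hand it straight to subprocess.run without quoting issues on the Windows paths.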


Diego;

Have you considered one of the Build-time integrations so your SCA scans can be run as part of the standard internal process?  Here is a recent discussion regarding Jenkins and ANT/Maven with SCA: 

There are more details buried in this product document.

    • HP_Fortify_Jenkins_Plugin_TN_4.30.pdf

You may also find related articles here on Protect:


-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify

Hi Hans, thanks for your help!

We have Jenkins and Ant here, and we are moving to Gradle. (Sorry, I am not a developer here, so I am not completely integrated with the tools, etc.)

I have a Windows server machine with "HP Fortify SCA and Applications 4.30" installed.

I will check that Jenkins documentation with my developers here, but at a high level, Jenkins should start the SCA commands against the files.

What about the result of this scan?


The normal process for integrating with Build-time solutions is generally with the SSC Server and not simply the user's desktop SCA installation.  The finished Build-time scan would be housed on that SSC Server, and the developer would fetch it from their Project using Audit Work Bench (installed with SCA).  This promotes collaboration among several users, with SSC Server being your central repository.


-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify