Hello guys,
I have Fortify SCA to scan my source code (Java code).
Nowadays I am suffering to make it work, because I am doing everything manually.
So, my development team generates the build and we have many .WAR files.
I need to get them, rename them to .ZIP, extract them to a folder, search for .jsp, .class and other files, and copy those to another folder.
After that, I start the command line scan on that folder:
sourceanalyzer -b Build15 -clean
sourceanalyzer -b Build15 -source 1.6 -cp "C:\Program Files\Java\jdk1.8.0_60\lib\*.jar" C:/Build15/*.jsp
sourceanalyzer -b Build15 -source 1.6 -64 -Xmx10G -scan -f C:\Build15\15.fpr
We are using NetBeans to generate the version. (In the future we may change to another tool.)
So, is it possible to integrate SCA so that it runs automatically in the build process, and generates a report or something like that for audit and a remediation plan?
Thanks,
Diego
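As an added example (not code from the post or from Fortify), a Python script that automates the manual steps described above: unpack each WAR (it is a zip), keep only scan-relevant files, refuse entries that would land outside the scan folder, and assemble the three sourceanalyzer commands from the post as argv lists. The `**/*.jsp` pattern, the JDK path and the sample WAR are assumptions; the commands are only executed when `run=True` and sourceanalyzer is on the PATH.

```python
import subprocess
import tempfile
import zipfile
from pathlib import Path

SOURCE_SUFFIXES = {".jsp", ".class", ".xml", ".properties"}  # file types handed to sourceanalyzer

def collect_sources(war_path: Path, dest_dir: Path) -> list[str]:
    """Unpack a .war (it is a zip) and copy only scan-relevant files into dest_dir."""
    copied = []
    with zipfile.ZipFile(war_path) as war:
        for member in war.infolist():
            if member.is_dir() or Path(member.filename).suffix not in SOURCE_SUFFIXES:
                continue  # skip directories, bundled jars and other non-source files
            target = (dest_dir / member.filename).resolve()
            if dest_dir.resolve() not in target.parents:
                continue  # zip-slip entry ("../x.jsp") trying to escape dest_dir
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(war.read(member))
            copied.append(member.filename)
    return sorted(copied)

def build_commands(build_id: str, src_dir: Path, jdk_lib: str, fpr_path: Path) -> list[list[str]]:
    """The three sourceanalyzer invocations from the post, as argv lists (no shell quoting)."""
    return [
        ["sourceanalyzer", "-b", build_id, "-clean"],
        ["sourceanalyzer", "-b", build_id, "-source", "1.6", "-cp", f"{jdk_lib}/*.jar", f"{src_dir}/**/*.jsp"],
        ["sourceanalyzer", "-b", build_id, "-source", "1.6", "-64", "-Xmx10G", "-scan", "-f", str(fpr_path)],
    ]

def make_sample_war(path: Path) -> None:
    """Constructed sample WAR for offline testing; not a real build artifact."""
    with zipfile.ZipFile(path, "w") as war:
        war.writestr("index.jsp", '<%= request.getParameter("q") %>')
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        war.writestr("WEB-INF/classes/app/Main.class", b"\xca\xfe\xba\xbe")
        war.writestr("WEB-INF/lib/vendor.jar", b"PK")
        war.writestr("../escape.jsp", "<%-- must never land outside the scan folder --%>")

def demo(run: bool = False):
    work = Path(tempfile.mkdtemp())  # unpack the sample WAR here and build the scan commands
    war, src = work / "app.war", work / "Build15"
    make_sample_war(war)
    src.mkdir()
    files = collect_sources(war, src)
    cmds = build_commands("Build15", src, "C:/Program Files/Java/jdk1.8.0_60/lib", work / "15.fpr")
    if run:  # only when sourceanalyzer is on the PATH, e.g. inside a Jenkins job step
        for cmd in cmds:
            subprocess.run(cmd, check=True)
    return files, cmds
```

Wiring `demo(run=True)` into a Jenkins job step after the build gives the automatic run asked about above; the resulting .fpr is what gets uploaded to SSC or opened in Audit Workbench.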
Accepted Solutions
The normal process for integrating with Build-time solutions is generally with the SSC Server and not simply the user's desktop SCA installation. The finished Build-time scan would be housed on that SSC Server, and the developer would fetch it from their Project using Audit Workbench (installed with SCA). This promotes collaboration among several users, with SSC Server being your central repository.
-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify
Diego;
Have you considered one of the Build-time integrations so your SCA scans can be run as part of the standard internal process? Here is a recent discussion regarding Jenkins and ANT/Maven with SCA:
There are more details buried in this product document.
You may also find related articles here on Protect:
- https://protect724.hp.com/tags#/?tags=jenkins%20plugin
- https://protect724.hp.com/tags#/?tags=jenkins
- https://protect724.hp.com/tags#/?tags=maven
-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify
Hi Hans, thanks for your help!
We have Jenkins and Ant here and are moving to Gradle. (Sorry, I am not a developer here, so I am not completely integrated with the tools, etc.)
I have a Windows server machine with "HP Fortify SCA and Applications 4.30" installed.
I will check that Jenkins documentation with my developers here, but at a high level, Jenkins should start the SCA commands against the files.
What about the result of this scan?