SCA integration with Visual Studio 2015 broke
I am using a standalone installation of Static Code Analyzer integrated with Visual Studio 2015. I run Fortify against my C# code from within the Visual Studio IDE using the Fortify button that appears in the menu. All was going well till recently, when my company decided to move my workstation from one domain to another. After the move, the Fortify menu is gone from all my Visual Studio projects. After some poking I observed that, as Fortify keeps its working directory in the user profile and the domain move created a new profile, the old integration with Visual Studio is broken now. Please remember that I still have a copy of my old user profile and can see the working folder \AppData\Local\Fortify...
My biggest worry is that I don't have to redo the audits on my entire codebase (thousands of lines of code), as there are hundreds of suppressed findings with appropriate justifications. What are my options here?
- Can I point the Fortify working folder to my old profile in the properties here, \Core\config\ ? That magically makes everything start working as before...
- If I have to reinstall the plugin, can I take the old audit file that has suppressed/not an issue findings with justifications and apply it to the new installation? If yes, where does that file reside?
- Also, what is the best way to handle such situations? Please be aware that it's a standalone installation, no SCC option available.
Will really appreciate your help!!
Regarding your question about the previous scans and losing all the good work you did on suppressed findings, justifications, etc.:
That analysis information should not be lost; it should be stored in the Fortify scan results on your machine. These are stored in a file with an extension of .fpr. When scanning like you do via Visual Studio, that FPR file is typically stored in the same location as the Visual Studio solution file. For instance:
C:\Users\me\source\repos\MyVSProject\MyProject.sln << VS solution file
The directory above would also contain the FPR scan file, scan-myproject.sln.fpr
Inside this file are all the findings, plus all the analysis information, such as which items you suppressed, comments and justifications you added, etc.
If you cannot locate these files, try searching your machine for files with an .fpr extension.
Regarding the loss of the Fortify option in Visual Studio itself, I suspect that when you installed this it was not installed for "All Users" and therefore when the domain change happened, this extension was lost.
You should be able to just re-install the VS extension.
Mr Helsens, thanks so much for the response!
I found .fpr files at two locations...
1- In my local workspace (mapped to a Team Foundation Server workspace). I do checkin/checkout to my version control from this folder. I do see .sln and .fpr files in the root of each solution folder.
2- C:\Users\username\AppData\Local\Fortify\VS-14.0-16.20\xxxVS Studio solution names\scan.fpr
The size and timestamps are almost the same for both .fpr files, so it's fair to assume that Fortify keeps the .fpr at both locations?
I do agree with you that Fortify was not installed for all users and installing the Fortify extensions again should resolve it.
However, I am wondering, if my local workspace folder is changed, will I have to apply/merge the .fpr in Visual Studio to include my previous audit work?
Once again, thanks so much for your valuable input.
Your work is not lost, as all audit information is stored in the FPR, which would be located under the old user directory.
The Fortify analyze option that was used, "Analyze Solution" or "Analyze Project", will determine the FPR filename.
"Analyze Solution" will have a file, e.g. Scan_filename.sln.fpr
"Analyze Project" will have a file, e.g. Scan_filename.csproj.fpr
Here are the steps that were tested on our side to get this to work for a different domain user on the same host machine.
1. Install the VS Plugin for the new user by locating and running the VS plugin installer
2. Start VS 2015 and from the menu go to Fortify, which will request to specify the SCA installation directory. Point it to the SCA directory, e.g. c:\Program Files\Fortify\Fortify_SCA_and_Apps_<ver>.
3. Close VS 2015
4. Rename C:\Users\newuser\AppData\Local\fortify
5. Copy C:\Users\olduser\AppData\Local\fortify to C:\Users\newuser\AppData\Local
6. Start VS 2015 and open the VS project or solution
7. Open the FPR by going to the menu Fortify -> Open Audit Project
You should now be able to see the audit comments and analysis tag information that was previously saved for the VS project or solution.
If you have any follow-up questions, please open a new Fortify SCA case and reference this thread for further assistance.
Fortify Technical Support
Fortify SCA & SSC Certified Professional
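
Steps 4 and 5 above, followed by a check that every copied FPR is byte-identical to its original, as an added PowerShell example that is not part of the thread or Fortify's own tooling. The `olduser`/`newuser` paths come from the steps; the workspace root and the backup folder name are assumptions, and the session running it must be able to read the old profile.

```powershell
# Added example (not from the thread). Paths are placeholders/assumptions; adjust before use.
param(
    [string]$OldProfile = 'C:\Users\olduser',
    [string]$NewProfile = 'C:\Users\newuser',
    [string]$Workspace  = 'C:\Users\newuser\source\repos'  # assumed workspace root
)
$ErrorActionPreference = 'Stop'
$oldFortify = Join-Path $OldProfile 'AppData\Local\Fortify'
$newFortify = Join-Path $NewProfile 'AppData\Local\Fortify'

if (-not (Test-Path -LiteralPath $oldFortify)) { throw "Not found: $oldFortify" }
# Step 3: Visual Studio (devenv.exe) must be closed before the folder is swapped.
if (Get-Process -Name devenv -ErrorAction SilentlyContinue) { throw 'Close Visual Studio first.' }

# Inventory every FPR in the old profile and the workspace, so the copy holding
# the latest audit work can be identified by hash and timestamp.
Get-ChildItem -LiteralPath $oldFortify, $Workspace -Recurse -Filter *.fpr -File -ErrorAction SilentlyContinue |
    Select-Object LastWriteTime, Length,
        @{ Name = 'SHA256'; Expression = { (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash } },
        FullName |
    Sort-Object LastWriteTime | Format-Table -AutoSize

# Step 4: rename the folder the freshly installed plugin created, keeping it as a backup.
if (Test-Path -LiteralPath $newFortify) {
    Rename-Item -LiteralPath $newFortify -NewName ('Fortify.bak-{0:yyyyMMdd-HHmmss}' -f (Get-Date))
}
# Step 5: copy the old working folder into the new profile.
Copy-Item -LiteralPath $oldFortify -Destination (Split-Path $newFortify -Parent) -Recurse

# Confirm each FPR arrived intact: a truncated or missing copy would silently
# drop suppressions and justifications from the audit record.
$bad = Get-ChildItem -LiteralPath $oldFortify -Recurse -Filter *.fpr -File | Where-Object {
    $dest = Join-Path $newFortify $_.FullName.Substring($oldFortify.Length)
    (-not (Test-Path -LiteralPath $dest)) -or
        ((Get-FileHash -LiteralPath $dest).Hash -ne (Get-FileHash -LiteralPath $_.FullName).Hash)
}
if ($bad) {
    $bad | ForEach-Object { Write-Warning "Mismatch or missing: $($_.FullName)" }
} else { Write-Output 'All FPR files copied and verified.' }
```

The inventory table also answers the earlier question about the two FPR locations: identical SHA256 values mean the copies are the same file, while differing hashes mean the one with the later LastWriteTime should be opened in step 7.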