achojar (Absent Member)

Scan and report from command line?

I have PL/SQL code as individual files in one Windows folder.

Then I follow the path below from the Windows "Start" button:

HPE Security Fortify SCA and Applications 16.20

    Audit Workbench

        Advanced Scan

           Select above folder

Then on clicking Scan button all files of the folder are scanned and results presented.

Finally I generate a report using menu option:

     Reports

          Developer Workbook

Question - how can I do all these steps from the Windows command line?

0 Likes

Accepted Solutions
stephen.b.burri (Trusted Contributor)

Re: Scan and report from command line?

Scanning through the CLI:

The easiest way would be to have the command window open to the top directory that the SQL scripts are in then run these three commands:

sourceanalyzer -b sql -clean

sourceanalyzer -b sql -Dcom.fortify.sca.fileextensions.sql=PLSQL **/*.sql

sourceanalyzer -b sql -scan -f scan.fpr

For more information on the commands that I used, you can look at the help (-h) or you can look in the SCA Guide.

Generating a Developer Workbook report through the CLI:

There is a command-line utility to generate a report from the FPR file.

Currently there are two report generators: Legacy and BIRT. The BIRT report engine was introduced into Audit Workbench with version 4.40.

Here is an example using the BIRT Report engine to generate a Developer Workbook report

BIRTReportGenerator -template "Developer Workbook" -source scan.fpr -output BirtReport.pdf -format PDF -showSuppressed -UseFortifyPriorityOrder

Using the legacy one is a little more involved. The command is:

ReportGenerator -format pdf -f LegacyReport.pdf -source scan.fpr -template DeveloperWorkbook.xml -showSuppressed -showHidden

You can either use one of the predefined template reports located in the <SCA Install Dir>/Core/config/reports directory or generate one using the Report Wizard and saving the template which gets stored in the C:\Users\<USER>\AppData\Local\Fortify\config\AWB-XX.XX\reports\ directory in Windows.

On Linux/Mac, look at the configuration file <SCA Install Dir>/Core/config/fortify.properties for the com.fortify.WorkingDirectory property; this is where the reports will be stored.

You can find more information on these utilities in the HPE Security Fortify Static Code Analyzer User Guide in "Chapter 15: Command-Line Utilities"

0 Likes
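
The scan and BIRT report commands from the accepted answer, chained into one PowerShell script that stops at the first failing step and checks that each output file was actually written. This is an added example, not part of the original posts; the script parameters, the output paths, and the assumptions that both tools are on PATH and return a non-zero exit code on failure are not from the thread.

```powershell
# Added example: scan a folder of PL/SQL files and produce a Developer Workbook PDF.
# Uses only the sourceanalyzer / BIRTReportGenerator options quoted in the answer above.
# Assumptions (not from the thread): both tools are on PATH, they return a
# non-zero exit code on failure, and the parameter names and defaults below.
param(
    [Parameter(Mandatory = $true)][string]$SourceDir,   # folder holding the .sql files
    [string]$BuildId = 'sql',
    [string]$OutDir  = (Join-Path $PWD 'fortify-out')
)

$ErrorActionPreference = 'Stop'

function Invoke-Step {
    param([string]$Name, [string]$Exe, [string[]]$ToolArgs)
    Write-Host "==> $Name"
    & $Exe @ToolArgs
    if ($LASTEXITCODE -ne 0) {
        throw "$Name failed: $Exe exited with code $LASTEXITCODE"
    }
}

New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
$OutDir = (Resolve-Path $OutDir).Path   # absolute, so it survives the Push-Location below
$fpr = Join-Path $OutDir 'scan.fpr'
$pdf = Join-Path $OutDir 'DeveloperWorkbook.pdf'
# Remove stale results so an old FPR or PDF is never mistaken for this run's output.
Remove-Item -Force -ErrorAction SilentlyContinue $fpr, $pdf

Push-Location $SourceDir   # the answer runs the commands from the top source directory
try {
    Invoke-Step 'Clean'     'sourceanalyzer' @('-b', $BuildId, '-clean')
    Invoke-Step 'Translate' 'sourceanalyzer' @('-b', $BuildId,
        '-Dcom.fortify.sca.fileextensions.sql=PLSQL', '**/*.sql')
    Invoke-Step 'Scan'      'sourceanalyzer' @('-b', $BuildId, '-scan', '-f', $fpr)
    if (-not (Test-Path $fpr)) { throw "Scan reported success but $fpr was not written" }

    Invoke-Step 'Report' 'BIRTReportGenerator' @('-template', 'Developer Workbook',
        '-source', $fpr, '-output', $pdf, '-format', 'PDF',
        '-showSuppressed', '-UseFortifyPriorityOrder')
    if (-not (Test-Path $pdf)) { throw "Report step reported success but $pdf was not written" }
}
finally {
    Pop-Location
}
Write-Host "FPR:    $fpr"
Write-Host "Report: $pdf"
```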
eelgheez (Super Contributor)

Re: Scan and report from command line?

BIRTReportGenerator does not show suppressed issues. FPRUtility misinterprets compound search queries.
0 Likes
achojar (Absent Member)

Re: Scan and report from command line?

Thanks Stephen.

Would these steps also generate a Developer Workbook Report?

0 Likes
Micro Focus Expert

Re: Scan and report from command line?

I could not locate any CLI options for SCA (sourceanalyzer) to produce output, whether as reports or exports.  It would seem that only the included Audit Work Bench UI ("AWB") is available to the sole developer using SCA.

However, if you are uploading your FPR files to an SSC Server, there is a CLI ReportGenerator.exe tool there that may help your cause.


-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify
0 Likes
stephen.b.burri (Trusted Contributor)

Re: Scan and report from command line?

There is a command-line utility to generate a report from the FPR file.

Currently there are two report generators: Legacy and BIRT. The BIRT report engine was introduced into Audit Workbench with version 4.40.

Here is an example using the BIRT Report engine to generate a Developer Workbook report

BIRTReportGenerator -template "Developer Workbook" -source scan.fpr -output BirtReport.pdf -format PDF -showSuppressed -UseFortifyPriorityOrder

Using the legacy one is a little more involved. The command is:

ReportGenerator -format pdf -f LegacyReport.pdf -source scan.fpr -template DeveloperWorkbook.xml -showSuppressed -showHidden

You can either use one of the predefined template reports located in the <SCA Install Dir>/Core/config/reports directory or generate one using the Report Wizard and saving the template which gets stored in the C:\Users\<USER>\AppData\Local\Fortify\config\AWB-XX.XX\reports\ directory in Windows.

On Linux/Mac, look at the configuration file <SCA Install Dir>/Core/config/fortify.properties for the com.fortify.WorkingDirectory property; this is where the reports will be stored.

You can find more information on these utilities in the in "Chapter 15: Command-Line Utilities"

0 Likes
achojar (Absent Member)

Re: Scan and report from command line?

Thanks Stephen.

0 Likes