Pages

17/10/2019

[Maven] Run HP Fortify scan during build

If you have Fortify static code analyzer (aka HP Fortify) and intend to use it with your builds, you can configure the sca-maven-plugin to perform the scan and produce a report during the build. It can also optionally upload it to your security server.

To enable the scans, you must have the software available on your machine (sourceanalyzer command has to be present on your PATH) and then you need to add this to your POM:

 <plugin>  
  <groupId>com.fortify.ps.maven.plugin</groupId>  
  <artifactId>sca-maven-plugin</artifactId>  
  <version>VERSION</version>  
  <configuration>  
   <jre64>true</jre64>  
   <maxHeap>12000M</maxHeap>  
   <buildId>YOUR_PROJECT</buildId>  
   <toplevelArtifactId>${project.artifactId}</toplevelArtifactId>  
   <skipTests>true</skipTests>  
   <verbose>true</verbose>  
   <failOnSCAError>true</failOnSCAError>  
   <upload>false</upload>  
   <projectName>${project.name}</projectName>  
   <projectVersion>${project.version}</projectVersion>  
   <resultsFile>${project.build.directory}/site/${project.artifactId}.fpr</resultsFile>  
  </configuration>  
 </plugin>  


This will enable the following goals:
  • sca:clean
  • sca:translate
  • sca:scan
which you will need to run in that exact order to perform the scan and generate a report named as your artifact WITHOUT version in folder target/site.

You can automate this by adding those goals to an execution of your choice.

No comments:

Post a Comment

With great power comes great responsibility