Fortify, on the other hand, was a bear. That is a proprietary product that requires a license, so documentation and plugins were not so prevalent out on the interwebs. Lots of questions, not many definitive answers.
I finally got my Fortify build to work this past week using the Fortify ANT tasks. Below are the snippets you would add to your build.gradle file to get the Fortify scanner running. Again, since this is not F/OSS, the libs won't be on public repos. You would have to add them to your in-house private repo (e.g. Artifactory) to get this to work as-is (or use a local lib; see the Gradle docs).
// Add a new configuration
configurations {
    fortify { extendsFrom compile }
}

// pull in the fortify libs for the new configuration
dependencies {
    fortify 'com.fortify:sourceanalyzer:3.90'
}

// the 2 new tasks
task fortifySetup(dependsOn: clean) << {
    // route compilation through the SCA compiler and register the <sca> Ant task
    ant.properties['build.compiler'] = 'com.fortify.dev.ant.SCACompiler'
    ant.typedef(name: 'sca', classname: 'com.fortify.dev.ant.SourceanalyzerTask',
                classpath: configurations.fortify.asPath)
}

task fortifyReport(dependsOn: compileJava) << {
    ant.sca(jdk: "1.7",
            debug: true,
            verbose: true,
            failonerror: true,
            scan: true,
            logFile: file("$buildDir/reports/fortify/Fortify.log"),
            resultsFile: file("$buildDir/reports/fortify/<<name of your FPR file here>>.fpr")
    ) {
        fileset(dir: 'src/main') {
            include(name: '**/*.java')
        }
    }
}
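For the "use a local lib" route mentioned above, here is an added example (not from the original post) that resolves the Fortify Ant task from a local SCA install instead of a private Maven repo. The FORTIFY_HOME variable and the Core/lib/sourceanalyzer.jar layout are assumptions about the install; check them against your own copy.

```groovy
// Added example: local-jar alternative to 'com.fortify:sourceanalyzer:3.90'.
// FORTIFY_HOME and the Core/lib/sourceanalyzer.jar path are assumed; adjust to your install.
def fortifyHome = System.getenv('FORTIFY_HOME') ?: '/opt/Fortify/Fortify_SCA'
def fortifyJar  = file("${fortifyHome}/Core/lib/sourceanalyzer.jar")

configurations {
    fortify { extendsFrom compile }
}

dependencies {
    // plain file dependency, so no repository (public or in-house) is needed
    fortify files(fortifyJar)
}

// Fail with a readable message instead of a ClassNotFoundException at typedef time
task fortifyCheck << {
    if (!fortifyJar.isFile()) {
        throw new GradleException("Fortify SCA jar not found at ${fortifyJar}; set FORTIFY_HOME")
    }
}

task fortifySetup(dependsOn: [clean, fortifyCheck]) << {
    ant.properties['build.compiler'] = 'com.fortify.dev.ant.SCACompiler'
    ant.typedef(name: 'sca', classname: 'com.fortify.dev.ant.SourceanalyzerTask',
                classpath: configurations.fortify.asPath)
}
```

The fortifyReport task from the snippet above is unchanged; only where the classpath comes from differs.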
1 comment:
Thanks a lot!
Can you let me know where I can get the dependency jar 'com.fortify:sourceanalyzer:3.90'? I was unable to find it on my company's repo.