Friday, April 25, 2014

Running Fortify From Gradle Build

I have been using Gradle for some time on personal projects, and recently got my company on board as well. Part of the standards at my company is to have all builds automated in Jenkins, along with Sonar and Fortify builds. Hooking up Sonar was not much work, as there are standard Gradle plugins and a lot of documentation.

Fortify, on the other hand, was a bear. That is a proprietary product that requires a license, so documentation and plugins were not so prevalent out on the interwebs. Lots of questions, not many definitive answers.

I finally got my Fortify build to work this past week using the Fortify ANT tasks. Below are the snippets you would add to your build.gradle file to get the Fortify scanner running. Again, since this is not F/OSS, the libs won't be out on public repos. You would have to add the libs to your in-house private repo (e.g. Artifactory) to get this to work as-is (or use a local lib, see the Gradle docs).
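As an added example (not the post's own snippets), here is one way to drive the three Fortify SCA phases, clean, translate and scan, from build.gradle through Gradle's built-in AntBuilder. The Ant task class name (com.fortify.dev.ant.SourceanalyzerTask) and its attributes (buildid, clean, scan, resultsfile, classpath) are my recollection of the Fortify SCA Ant integration and should be treated as assumptions to check against the documentation for your Fortify version; the Artifactory URL is a placeholder, and the coordinate com.fortify:sourceanalyzer:3.90 is the in-house one quoted in the comment below, not something Fortify publishes.

```groovy
// Added example: wiring the Fortify SCA Ant task into a Gradle build.
// Assumptions (verify against your Fortify SCA version's documentation):
//   - the Ant task class is com.fortify.dev.ant.SourceanalyzerTask
//   - it accepts the attributes buildid, clean, scan, resultsfile, classpath
//   - sourceanalyzer.jar was uploaded to your private repo under the
//     in-house coordinate com.fortify:sourceanalyzer:3.90

apply plugin: 'java'

repositories {
    // Placeholder: your in-house Artifactory/Nexus instance, not a public repo.
    maven { url 'https://artifactory.example.com/artifactory/libs-release' }
}

configurations {
    fortify   // keeps the scanner jar off the compile and runtime classpaths
}

dependencies {
    fortify 'com.fortify:sourceanalyzer:3.90'
}

// -b <buildid>: ties the translate and scan phases to one intermediate model.
ext.fortifyBuildId = project.name

task fortifyTaskdef {
    doLast {
        ant.taskdef(name: 'sourceanalyzer',
                    classname: 'com.fortify.dev.ant.SourceanalyzerTask',
                    classpath: configurations.fortify.asPath)
    }
}

// Phase 1: discard stale intermediate files for this build id, so a scan
// never silently reports on code from a previous build.
task fortifyClean(dependsOn: fortifyTaskdef) {
    doLast {
        ant.sourceanalyzer(buildid: fortifyBuildId, clean: true)
    }
}

// Phase 2: translate the sources with the same classpath javac sees, so the
// analyzer resolves every type instead of producing "unresolved" noise.
task fortifyTranslate(dependsOn: [fortifyClean, compileJava]) {
    doLast {
        ant.sourceanalyzer(buildid: fortifyBuildId,
                           classpath: sourceSets.main.compileClasspath.asPath) {
            fileset(dir: 'src/main/java') { include(name: '**/*.java') }
        }
    }
}

// Phase 3: run the analysis and write an FPR that Jenkins can archive and
// Audit Workbench can open.
task fortifyScan(dependsOn: fortifyTranslate) {
    def fpr = file("$buildDir/fortify/${project.name}.fpr")
    outputs.file fpr
    doLast {
        fpr.parentFile.mkdirs()
        ant.sourceanalyzer(buildid: fortifyBuildId,
                           scan: true,
                           resultsfile: fpr.absolutePath)
    }
}
```

Run `gradle fortifyScan` on the Jenkins agent and archive `build/fortify/*.fpr`. Two caveats worth checking before relying on this: as I understand it the Ant task is a thin wrapper that launches the sourceanalyzer executable, so the agent still needs a licensed Fortify SCA install on its PATH regardless of the jar in Artifactory; and the translate phase must see the full compile classpath, because a scan run against sources with missing dependencies will quietly miss dataflow through those types.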

1 comment:

Ibrahim Shariff said...

Thanks a lot!

Can you let me know where I can get the dependency jar 'com.fortify:sourceanalyzer:3.90'? I was unable to find it on my company's repo.