Build Process - Features
The build tool must satisfy the following requirements for a successful Fortify integration:
- Must use a compiler that Fortify SCA supports.
- Must invoke the compiler from the operating system's PATH, not from a user-defined path.
- Must run the compiler directly rather than through a subprocess.
Commands
Fortify can be integrated with the Touchless build, Ant, Gradle, and Maven.
Touchless Integration
sourceanalyzer -b <build_id> touchless <build_command>
Ant Integration
sourceanalyzer -b <build_id> ant [<ant_options>]
Gradle Integration
sourceanalyzer -b <build_id> <sca_options> gradle [<gradle_options>] <gradle_tasks>
Translation Phase - Commands
- Successful translation requires the same dependencies that were needed at build time to be available.
- CLI command for translation:
sourceanalyzer -b <build_id> ... <files>
The -b option specifies the build ID, which ties separate invocations together.
Translation Phase - Warnings and Listings
- To list all warnings and errors that arose during the translation phase, use the command:
sourceanalyzer -b <build_id> -show-build-warnings
- Use the following command to list the files associated with a build ID:
sourceanalyzer -b <build_id> -show-files
Analysis Phase - Commands
- Scans the intermediate files that were generated during the translation phase.
- Produces a vulnerability result file (.fpr extension) as output.
- CLI command:
sourceanalyzer -b <build_id> -scan -f results.fpr
Analysis Phase - Incremental Analysis
- Analyzes only the code that has changed since the initial full scan.
- Reduces the project's scan time.
- Supported languages include Java, C/C++, C#, and Visual Basic.
- CLI command for the initial full scan with the -incremental-base option:
sourceanalyzer -b <build_id> -scan -incremental-base -f <results>.fpr
- CLI command for an incremental scan:
sourceanalyzer -b <build_id> -scan -incremental -f <results>.fpr