Fortify integration with Maven - install

Question

I want to run a Fortify scan against a Maven Eclipse project.

Where should I start?

I understand that I need to update my pom.xml file to include the Fortify plugin however do I also require to have Fortify SCA installed on my machine? (I'm running MacOS X). I have been trying to find a place to download Fortify SCA but have not been able find it.

I would appreciate it if someone could share some links to point me in the right direction in getting the setup complete.

Answer 1

I don't think the Fortify installation is required, but it's pretty hard to get the maven sca plugin without it. If you install on another machine you could copy just the plugin over, but then you wouldn't have the Audit Workbench application to work with the generated FPR. As @Eric said, you have to get it through HP and it will not work without a license.

Once you get that installed you add profiles to your pom.xml to execute the sca targets:

<profile>
  <id>sca-clean</id>
  <activation>
    <activeByDefault>false</activeByDefault>
  </activation>
  <build>
    <plugins>
      <plugin>
        <groupId>com.fortify.ps.maven.plugin</groupId>
        <artifactId>sca-maven-plugin</artifactId>
        <version>4.30</version>
        <configuration>
          <jre64>true</jre64>
          <buildId>myproject</buildId>
          <toplevelArtifactId>myproject.parent</toplevelArtifactId>
          <skipTests>true</skipTests>
        </configuration>
        <executions>
          <execution>
            <goals>
              <goal>clean</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</profile>


<profile>
  <id>sca-translate</id>
  <activation>
    <activeByDefault>false</activeByDefault>
  </activation>
  <build>
    <plugins>
      <plugin>
        <groupId>com.fortify.ps.maven.plugin</groupId>
        <artifactId>sca-maven-plugin</artifactId>
        <version>4.30</version>
        <configuration>
          <jre64>true</jre64>
          <jreStack>8M</jreStack>
          <maxHeap>12000M</maxHeap>
          <verbose>true</verbose>
          <buildId>myproject</buildId>
          <toplevelArtifactId>myproject.parent</toplevelArtifactId>
          <skipTests>true</skipTests>
          <failOnSCAError>true</failOnSCAError>
        </configuration>
        <executions>
          <execution>
            <goals>
              <goal>translate</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</profile>


<profile>
  <id>sca-scan</id>
  <activation>
    <activeByDefault>false</activeByDefault>
  </activation>
  <build>
    <plugins>
      <plugin>
        <groupId>com.fortify.ps.maven.plugin</groupId>
        <artifactId>sca-maven-plugin</artifactId>
        <version>4.30</version>
        <configuration>
          <jre64>true</jre64>
          <jreStack>8M</jreStack>
          <maxHeap>12000M</maxHeap>
          <verbose>true</verbose>
          <buildId>myproject</buildId>
          <toplevelArtifactId>myproject.parent</toplevelArtifactId>
          <failOnSCAError>true</failOnSCAError>
          <upload>false</upload>
          <projectName>My Project Main Development</projectName>
          <projectVersion>${project.version}</projectVersion>
        </configuration>
      </plugin>
    </plugins>
  </build>
</profile>

Run the scan from the command line:

mvn -Dmaven.test.skip=true -Dfortify.sca.buildId=myproject -Dfortify.sca.toplevel.artifactId=myproject.parent com.fortify.ps.maven.plugin:sca-maven-plugin:clean

Obviously, you will have to figure out the buildId and artifactId naming, and it varies a little depending on if you're using parent, aggregator, or nothing.

Answer 2

Actually profiles are not needed, only the plugin configuration.

<build>
    <plugins> 
        <plugin>
            <groupId>com.fortify.ps.maven.plugin</groupId>
            <artifactId>sca-maven-plugin</artifactId>
            <version>4.30</version>
            <configuration>
                <findbugs>true</findbugs>
                <htmlReport>true</htmlReport>
                <maxHeap>800M</maxHeap>
                <source>myJavaVersion</source>
                <buildId>myBuildId</buildId>
                <verbose>true</verbose>
                <skipTests>true</skipTests>
                <toplevelArtifactId>myTopLevelId</toplevelArtifactId>
            </configuration>
        </plugin>
    </plugins>
</build>

By using a single Jenkins job you can write, as a pre-step, a shell script:

mvn clean sca:clean -DskipTests
mvn sca:translate -DskipTests

And then define the actual "Goals and options" as:

install sca:scan -DskipTests

Having them as separate command lines is the only way to have the sca-clean,translate and scan (and report file sending to Fortify) done in one Jenkins job.

Hope this works for you too!