gradle - Fortify plugin for Gradle

Tags: gradle fortify fortify-source

I have been running Fortify scans against some Java components. Here are the general steps for a Java project:

  • mvn com.fortify.ps.maven.plugin:sca-maven-plugin:4.30:clean
  • mvn install -DskipTests -DSTABILITY_ID=1 -DRELEASE_NUMBER=0 -DBUID_ID=1
  • mvn -Dfortify.sca.debug=true -Dfortify.sca.Xmx=1800M -Dfortify.sca.Xss=5M -DSTABILITY_ID=2 -DRELEASE_NUMBER=2 package com.fortify.ps.maven.plugin:sca-maven-plugin:4.30:translate
  • sourceanalyzer -b build_id -Xmx1800M -Xss4M -scan -f build_id_results.fpr -logfile scan.log -clobber-log -debug-verbose

This generates the fpr file, which is then uploaded to the server.

Now I have to do the same for components that use Gradle. Which commands do I have to use to generate the fpr file?

Best answer

I still have to remove the duplication, polish it a bit, and maybe turn it into a plugin, but basically, try the following snippet.

/*
 * Performs the Fortify security scan.
 *
 * 1) Runs source code translation.
 * 2) Creates the export session file.
 * 3) Submits the export session file for processing through the scp.
 *
 * Credentials and url for the scp are obtained from the gradle.properties file
 * (or can be passed from the command line through the -P switch).
 * <ul>
 *     <li>fortifyUploadUsername</li>
 *     <li>fortifyUploadPassword</li>
 *     <li>fortifyUploadUrl</li>
 * </ul>
 */
task fortify(group: 'fortify', description: 'Security analysis by HP Fortify') {
    // doLast replaces the original '<<' task-action operator, which Gradle 5 removed
    doLast {
        def fortifyBuildId = 'myProjectId'

        logger.debug "Running command: sourceanalyzer -b $fortifyBuildId -clean"
        exec {
            commandLine 'sourceanalyzer', '-b', fortifyBuildId, '-clean'
        }

        // 'runtimeClasspath' replaces the 'runtime' configuration removed in Gradle 7;
        // java.sourceCompatibility replaces the old project-level convention property
        def classpath = configurations.runtimeClasspath.asPath
        def source = java.sourceCompatibility.toString()
        logger.debug "Running command: sourceanalyzer -b ${fortifyBuildId} -source ${source} -cp $classpath src/**/*.java"

        exec {
            // the '**' glob is expanded by sourceanalyzer itself, not by a shell
            commandLine 'sourceanalyzer', '-b', fortifyBuildId, '-source', source, '-cp', classpath, 'src/**/*.java'
        }

        // resolve against the project directory rather than the daemon's working directory
        def fortifyBuildFolder = project.file('build/fortify')
        fortifyBuildFolder.mkdirs()
        def fortifyArtifactFileName = "$fortifyBuildId@${project.version}.mbs"
        def fortifyArtifact = new File(fortifyBuildFolder, fortifyArtifactFileName).path

        logger.debug "Running command: sourceanalyzer -b ${fortifyBuildId} -build-label ${project.version} -export-build-session $fortifyArtifact"

        exec {
            commandLine 'sourceanalyzer', '-b', fortifyBuildId, '-build-label', project.version, '-export-build-session', fortifyArtifact
        }

        logger.debug "Running command: sshpass -e scp $fortifyArtifact <user>@$fortifyUploadUrl:$fortifyArtifactFileName"

        exec {
            // sshpass -e reads the password from the SSHPASS environment variable instead of the
            // command line, so it does not show up in the process table or in build output
            environment 'SSHPASS', fortifyUploadPassword
            commandLine 'sshpass', '-e', 'scp', fortifyArtifact, "$fortifyUploadUsername@$fortifyUploadUrl:$fortifyArtifactFileName"
        }
    }
}
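The answer above exports a build session for scanning elsewhere; as an added example that is not part of the original answer, here is the asker's own four-step sequence (clean, translate, scan to an .fpr) expressed as Gradle tasks, assuming the java plugin is applied and using a placeholder build id and the memory settings from the question:

```groovy
// Added example, not from the original question or answer. Assumes the
// 'java' plugin; 'myProjectId' is a placeholder build id.
plugins {
    id 'java'
}

ext {
    fortifyBuildId = 'myProjectId'
    fortifyDir     = layout.buildDirectory.dir('fortify')
}

tasks.register('fortifyTranslate') {
    group = 'fortify'
    description = 'Translates sources into the Fortify build session'
    dependsOn tasks.named('compileJava')   // generated sources and classpath must exist first
    doLast {
        fortifyDir.get().asFile.mkdirs()
        // start from an empty build session so stale translation units do not reach the scan
        exec { commandLine 'sourceanalyzer', '-b', fortifyBuildId, '-clean' }
        exec {
            commandLine 'sourceanalyzer', '-b', fortifyBuildId,
                '-Xmx1800M', '-Xss5M',
                '-source', java.sourceCompatibility.toString(),
                '-cp', sourceSets.main.compileClasspath.asPath,
                "${projectDir}/src/main/java/**/*.java"   // glob expanded by sourceanalyzer
        }
    }
}

tasks.register('fortifyScan') {
    group = 'fortify'
    description = 'Runs the analysis and writes the .fpr under build/fortify'
    dependsOn 'fortifyTranslate'
    doLast {
        def outDir = fortifyDir.get().asFile
        exec {
            commandLine 'sourceanalyzer', '-b', fortifyBuildId,
                '-Xmx1800M', '-Xss4M', '-scan',
                '-f', new File(outDir, "${fortifyBuildId}_results.fpr").path,
                '-logfile', new File(outDir, 'scan.log').path,
                '-clobber-log'
        }
    }
}
```

Running `gradle fortifyScan` then leaves build/fortify/myProjectId_results.fpr ready for upload, the same artifact the Maven sequence produced.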

Regarding gradle - Fortify plugin for Gradle, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/33279825/
