我一直在对一些 Java 组件运行强化扫描。以下是一般步骤: 对于java项目:
- mvn com.fortify.ps.maven.plugin:sca-maven-plugin:4.30:clean
- mvn install -DskipTests -DSTABILITY_ID=1 -DRELEASE_NUMBER=0 -DBUID_ID=1
- mvn -Dfortify.sca.debug=true -Dfortify.sca.Xmx=1800M -Dfortify.sca.Xss=5M -DSTABILITY_ID=2 -DRELEASE_NUMBER=2 软件包 com.fortify.ps.maven.plugin:sca-maven -插件:4.30:翻译
- sourceanalyzer -b build_id -Xmx1800M -Xss4M -scan -f build_id_results.fpr -logfile scan.log -clobber-log -debug-verbose
生成此 fpr 文件并上传到服务器后。
现在我必须对使用 gradle 的组件执行相同的操作。 我必须使用哪些命令来生成 fpr 文件。
最佳答案
我必须消除口是心非,改进一点,并可能创建一个插件,但基本上,尝试以下代码片段。
/*
* Performs the Fortify security scan.
*
* 1) Runs source code translation.
* 2) Creates the export session file.
* 3) Submits the export session file for processing through the scp.
*
* Credentials and url for the scp are obtained from the gradle.properties file
* (or can be passed from the command line through the -P switch).
* <ul>
* <li>fortifyUploadUsername</li>
* <li>fortifyUploadPassword</li>
* <li>fortifyUploadUrl</li>
* </ul>
*/
task fortify(group: 'fortify', description: 'Security analysis by HP Fortify') << {
def fortifyBuildId = 'myProjectId'
logger.debug "Running command: sourceanalyzer -b $fortifyBuildId -clean"
exec {
commandLine 'sourceanalyzer', '-b', fortifyBuildId, '-clean'
}
def classpath = configurations.runtime.asPath
logger.debug "Running command: sourceanalyzer -b ${fortifyBuildId} -source ${sourceCompatibility} -cp $classpath src/**/*.java"
exec {
commandLine 'sourceanalyzer', '-b', fortifyBuildId, '-source', sourceCompatibility, '-cp', classpath, 'src/**/*.java'
}
def fortifyBuildFolder = 'build/fortify'
new File(fortifyBuildFolder).mkdirs()
def fortifyArtifactFileName = "$fortifyBuildId@${project.version}.mbs"
def fortifyArtifact = "$fortifyBuildFolder/$fortifyArtifactFileName"
logger.debug "Running command: sourceanalyzer -b ${fortifyBuildId} -build-label ${project.version} -export-build-session $fortifyArtifact"
exec {
commandLine 'sourceanalyzer', '-b', fortifyBuildId, '-build-label', project.version, '-export-build-session', "$fortifyArtifact"
}
logger.debug "Running command: sshpass -p <password> scp $fortifyArtifact <user>@$fortifyUploadUrl:$fortifyArtifactFileName"
exec {
commandLine 'sshpass', '-p', fortifyUploadPassword, 'scp', "$fortifyArtifact", "$fortifyUploadUsername@$fortifyUploadUrl:$fortifyArtifactFileName"
}
}
关于gradle - gradle 的 Fortify 插件,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/33279825/