用于gradle的Fortify插件

时间:2015-10-22 11:22:15

标签: gradle fortify fortify-source

我一直在为一些Java组件运行fortify扫描。以下是一般步骤: 对于java Project:

  • mvn com.fortify.ps.maven.plugin:sca-maven-plugin:4.30:clean
  • mvn install -DskipTests -DSTABILITY_ID = 1 -DRELEASE_NUMBER = 0 -DBUID_ID = 1
  • mvn -Dfortify.sca.debug = true -Dfortify.sca.Xmx = 1800M -Dfortify.sca.Xss = 5M -DSTABILITY_ID = 2 -DRELEASE_NUMBER = 2 package com.fortify.ps.maven.plugin:sca-maven -plugin:4.30:翻译
  • sourceanalyzer -b build_id -Xmx1800M -Xss4M -scan -f build_id_results.fpr -logfile scan.log -clobber-log -debug-verbose

生成此fpr文件并上传到服务器后。

现在我必须对使用gradle的组件做同样的事情。 我必须使用什么命令来生成fpr文件。

1 个答案:

答案 0 :(得分:1)

我必须删除两面性,改进一点并可能创建一个插件,但基本上,请尝试以下代码段。

/*
 * Performs the Fortify security scan.
 *
 * 1) Runs source code translation.
 * 2) Creates the export session file.
 * 3) Submits the export session file for processing through the scp.
 *
 * Credentials and url for the scp are obtained from the gradle.properties file
 * (or can be passed from the command line through the -P switch).
 * <ul>
 *     <li>fortifyUploadUsername</li>
 *     <li>fortifyUploadPassword</li>
 *     <li>fortifyUploadUrl</li>
 * </ul>
 */
task fortify(group: 'fortify', description: 'Security analysis by HP Fortify') << {

    def fortifyBuildId = 'myProjectId'

    logger.debug "Running command: sourceanalyzer -b $fortifyBuildId -clean"
    exec {
        commandLine 'sourceanalyzer', '-b', fortifyBuildId, '-clean'
    }

    def classpath = configurations.runtime.asPath
    logger.debug "Running command: sourceanalyzer -b ${fortifyBuildId} -source ${sourceCompatibility} -cp $classpath src/**/*.java"

    exec {
        commandLine 'sourceanalyzer', '-b', fortifyBuildId, '-source', sourceCompatibility, '-cp', classpath, 'src/**/*.java'
    }

    def fortifyBuildFolder = 'build/fortify'
    new File(fortifyBuildFolder).mkdirs()
    def fortifyArtifactFileName = "$fortifyBuildId@${project.version}.mbs"
    def fortifyArtifact = "$fortifyBuildFolder/$fortifyArtifactFileName"

    logger.debug "Running command: sourceanalyzer -b ${fortifyBuildId} -build-label ${project.version} -export-build-session $fortifyArtifact"

    exec {
        commandLine 'sourceanalyzer', '-b', fortifyBuildId, '-build-label', project.version, '-export-build-session', "$fortifyArtifact"
    }

    logger.debug "Running command: sshpass -p <password> scp $fortifyArtifact <user>@$fortifyUploadUrl:$fortifyArtifactFileName"

    exec {
        commandLine 'sshpass', '-p', fortifyUploadPassword, 'scp', "$fortifyArtifact", "$fortifyUploadUsername@$fortifyUploadUrl:$fortifyArtifactFileName"
    }

}