Question

我有一个由CMake生成的Makefile。以下CMake可执行文件的路径在Makefile中设置：

CMAKE_COMMAND = /home/xyz/opt/cmake/cmake-3.1.1/bin/cmake

如何将Fortify sourceanalyzer与它集成并运行扫描？

Answer 1

我遇到了同样的挑战但通过像这样运行来解决它：

sourceanalyzer -b project_ID -clean
转到 build 目录并执行make clean或删除所有内容，包括Makefile
通过更改CC和CXX变量来运行cmake： CC =“sourceanalyzer -b project_ID gcc”CXX =“sourceanalyzer -b project_ID g ++”cmake ..
运行make和fortify应该在编译器完成工作时翻译文件。
运行sourceanalyzer -b project_ID -scan -f results.fpr

希望它有所帮助。

Answer 2

我的任务是将我们的CMake构建系统与HP Fortify SCA集成，并且遇到了这些Thread提供了一些见解但缺乏与HP Fortify相关的细节，所以我想我会分享我的实现。

我在与源目录相同的级别创建了一个fortify_tools目录。 fortify_tools内部是一个工具链文件和fortify_cc，fortify_cxx和fortify_ar脚本，它们将通过工具链文件设置为cmake_compilers。

fortify_cc

#!/bin/bash

sourceanalyzer -b <PROJECT_ID> gcc  $@

fortify_cxx

#!/bin/bash

sourceanalyzer -b <PROJECT_ID> g++ $@

fortify_ar

#!/bin/bash

sourceanalyzer -b <PROJECT_ID> ar $@

注意：插入项目名称代替PROJECT_ID

设置cmake以使用脚本是在工具链文件中完成的。

fortify_linux_toolchain.cmake

INCLUDE (CMakeForceCompiler)

SET(CMAKE_SYSTEM_NAME Linux)
SET(CMAKE_SYSTEM_VERSION 1)

#specify the compilers
SET(CMAKE_C_COMPILER ${CMAKE_SOURCE_DIR}/fortify_tools/fortify_cc)
SET(CMAKE_CXX_COMPILER ${CMAKE_SOURCE_DIR}/fortify_tools/fortify_cxx)
SET(CMAKE_AR_COMPILER ${CMAKE_SOURCE_DIR}/fortify_tools/fortify_ar)

使用工具链文件

生成makefile

ccmake -DCMAKE_TOOLCHAIN_FILE=../fortify_tools/foritfy_linux_toolchain.cmake ../

配置并生成您的makefile并构建您的项目。

从构建目录中构建项目后，通过

生成强化报告

sourceanalyzer -Xmx2400M -debug -verbose -b <PROJECT_ID> -scan -f <PROJECT_ID>.fpr

我理解最后一步是在CMake之外，但我非常有信心可以创建一个cmake_custom_command来执行扫描步骤作为后期构建操作。

最后，这只是linux实现，但通过创建必要的批处理文件和特定于Windows的工具链文件，该概念可以很好地扩展到Windows

Answer 3

Fortify不支持CMake，我收到了Fortify支持团队的确认。

Answer 4

这个答案很晚，但可能对某人有所帮助。这实际上很容易修复 - 你只需要在sourceanalyzer中运行cmake。创建一个简单的构建脚本，调用cmake然后make，然后使用sourceanalyzer。我正在使用fortify 4.21。

Answer 5

我们用于构建手工创建的Makefile的旧Fortify脚本使用了如下构建命令：

$SOURCEANALYZER $MEMORY $LAUNCHERSWITCHES -b $BUILDID make -f Makefile -j12

在其他几个答案的启发下，我用上面的代码替换了上面的代码，从而使它能够用于已转换为CMake的项目中。

CC="$SOURCEANALYZER $MEMORY $LAUNCHERSWITCHES -b $BUILDID gcc" \
CXX="$SOURCEANALYZER $MEMORY $LAUNCHERSWITCHES -b $BUILDID g++" \
AR="$SOURCEANALYZER $MEMORY $LAUNCHERSWITCHES -b $BUILDID ar" \
cmake -G "Unix Makefiles" -DCMAKE_BUILD_TYPE=Debug ..

make -f Makefile -j12 VERBOSE=1

这是Linux上的cmake 2.8.12.2。

Answer 6

下面是我用于示例项目的脚本，用于为Android JNI C / C ++代码生成HP Fortify报告。

#!/bin/sh

# Configure NDK version and CMake version
NDK_VERSION=21.0.6113669

CMAKE_VERSION=3.10.2
CMAKE_VERSION_PATH=$CMAKE_VERSION.4988404

PROJECTID="JNI_EXAMPLE"
REPORT_NAME=$PROJECTID"_$(date +'%Y%m%d_%H:%M:%S')"

WORKING_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
BUILD_HOME=${WORKING_DIR}/../hpfortify_build
FPR="$BUILD_HOME/$REPORT_NAME.fpr"

# Following exports need to be configured according to host machine.
export ANDROID_SDK_HOME=/Library/Android/sdk
export ANDROID_CMAKE_HOME=$ANDROID_SDK_HOME/cmake/$CMAKE_VERSION_PATH/bin
export ANDROID_NDK_HOME=$ANDROID_SDK_HOME/ndk/$NDK_VERSION
# E.g. JniExample/app/hpfortify/build/CMakeFiles/3.10.2
export CMAKE_FILES_PATH=${BUILD_HOME}/CMakeFiles/$CMAKE_VERSION
export HPFORTIFY_HOME="/Applications/Fortify/Fortify_SCA_and_Apps_20.1.0/bin"
export PATH=$PATH:$ANDROID_SDK_HOME:$ANDROID_NDK_HOME:$ANDROID_CMAKE_HOME:$HPFORTIFY_HOME

echo "[========Start Android JNI C/C++ HP Fortify scanning========]"
echo "[========Build Dir: $BUILD_HOME========]"
echo "[========HP Fortify report path: $FPR========]"

function create_build_folder {
    rm -rf $BUILD_HOME
    mkdir $BUILD_HOME
}

# The standalone cmake build command can be found from below file. 
# JniExample/app/.cxx/cmake/release/x86/build_command.txt
# This file is generated after running command 
# `➜  JniExample git:(master) ✗ ./gradlew :app:externalNativeBuildRelease`
function configure_cmake_files {

    cd $BUILD_HOME
    
    $ANDROID_CMAKE_HOME/cmake -H$BUILD_HOME/. \
        -DCMAKE_CXX_FLAGS=-std=c++11 -frtti -fexceptions \
        -DCMAKE_FIND_ROOT_PATH=$BUILD_HOME/.cxx/cmake/release/prefab/x86/prefab \
        -DCMAKE_BUILD_TYPE=Release \
        -DCMAKE_TOOLCHAIN_FILE=$ANDROID_SDK_HOME/ndk/$NDK_VERSION/build/cmake/android.toolchain.cmake \
        -DANDROID_ABI=x86 \
        -DANDROID_NDK=$ANDROID_SDK_HOME/ndk/$NDK_VERSION \
        -DANDROID_PLATFORM=android-16 \
        -DCMAKE_ANDROID_ARCH_ABI=x86 \
        -DCMAKE_ANDROID_NDK=$ANDROID_SDK_HOME/ndk/$NDK_VERSION \
        -DCMAKE_EXPORT_COMPILE_COMMANDS=ON \
        -DCMAKE_LIBRARY_OUTPUT_DIRECTORY=$BUILD_HOME/intermediates/cmake/release/obj/x86 \
        -DCMAKE_MAKE_PROGRAM=$ANDROID_SDK_HOME/cmake/$CMAKE_VERSION_PATH/bin/ninja \
        -DCMAKE_SYSTEM_NAME=Android \
        -DCMAKE_SYSTEM_VERSION=16 \
        -B$BUILD_HOME/.cxx/cmake/release/x86 \
        -GNinja ..
}

function build {
    cmake --build .
}

function cleanup {
    rm -rf $BUILD_HOME/CMakeFiles/native-lib.dir
    rm -rf $FPR
    $HPFORTIFY_HOME/sourceanalyzer -clean
}

function replace_compiler_paths {
    FORTIFY_TOOLS_PATH="$WORKING_DIR"
    CLANG_PATH="$ANDROID_SDK_HOME/ndk/$NDK_VERSION/toolchains/llvm/prebuilt/darwin-x86_64/bin/clang"
    CLANGXX_PATH="$ANDROID_SDK_HOME/ndk/$NDK_VERSION/toolchains/llvm/prebuilt/darwin-x86_64/bin/clang++"
    HPFORTIFY_CCPATH="$FORTIFY_TOOLS_PATH/fortify_cc"
    HPFORTIFY_CXXPATH="$FORTIFY_TOOLS_PATH/fortify_cxx"\"
    sed -i '' 's+'$CLANG_PATH'+'$HPFORTIFY_CCPATH'+g' $CMAKE_FILES_PATH/CMakeCCompiler.cmake
    sed -i '' 's+'$CLANG_PATH.*[^")"]'+'$HPFORTIFY_CXXPATH'+g' $CMAKE_FILES_PATH/CMakeCXXCompiler.cmake
}

function scan {
    $HPFORTIFY_HOME/sourceanalyzer -b $PROJECTID -scan -f $FPR

    # copy the file to $WORKING_DIR
    cp $FPR $WORKING_DIR
}


create_build_folder

configure_cmake_files

echo "[========Compile C/C++ using normal compiler ========"]
build

echo "[========Replace the compiler with HP Fortify analyser wrapper compilers ========"]
replace_compiler_paths

echo "[========Clean up the build intermediates and the older build ID and fpr file ========"]
cleanup

echo "[========Recompile C/C++ using HP Fortify analyser wrapper compilers ========"]
build

echo "[========Scan the compiled files and generate final report ========"]
scan

echo "[========Change directory to original working dir ========"]
cd $WORKING_DIR

需要在使用以下vars之前进行配置。就我而言，我使用 NDK 21 和 CMake 3.10.2 ，并且我的项目ID为“ JNI_EXAMPLE”

# Configure NDK version and CMake version
NDK_VERSION=21.0.6113669

CMAKE_VERSION=3.10.2
CMAKE_VERSION_PATH=$CMAKE_VERSION.4988404

PROJECTID="JNI_EXAMPLE"

# Following exports need to be configured according to host machine.
export ANDROID_SDK_HOME=/Library/Android/sdk
export ANDROID_NDK_HOME=$ANDROID_SDK_HOME/ndk/$NDK_VERSION
export HPFORTIFY_HOME="/Applications/Fortify/Fortify_SCA_and_Apps_20.1.0/bin"

这是更详细的说明：Using HP Fortify to Scan Android JNI C/C++ Code

Answer 7

在最新版本的CMake上，可以使用：

CMAKE_<LANG>_COMPILER_LAUNCHER='sourceanalyzer;-b;<PROJECT_ID>'

您可以添加其他参数（例如-Xmx2G），以分号分隔，如cmake documentation所述您需要检查是否不将编译器启动器用于ccache之类的其他工具。我们可能可以同时使用

CCACHE_PREFIX='.../sourceanalyzer -b ID'

使用Fortify sourceanalyzer和CMake

7 个答案: