 

Fortify command line usage

Has anyone used the command line to run Fortify? I'm trying to incorporate a Fortify run into my CI build and I don't know how to do it.

alice7 Avatar asked Oct 13 '10 15:10



People also ask

What is fortify used for?

Fortify Software Security Center: An AppSec platform that enables organizations to automate an application security program. It provides management, development, and security teams a way to work together to triage, track, validate, and manage software security activities.

What is the difference between Sonarqube and fortify?

Fortify essentially classifies code quality issues in terms of their security impact on the solution. SonarQube is more of a general static code analysis tool that also reports "code smells", though SonarQube lists vulnerabilities as part of its analysis as well.


2 Answers

Since I can't add a comment, I'll have to offer this as an answer. Our company has integrated the scan process into our TFS build environment and it works pretty well.

We use a series of "Invoke Process" build activities to make this happen. The entire security scan sequence is wrapped in a conditional which is exposed as an argument to the build definition. This allows us to enable or disable scans as needed. We also expose a few other things like Fortify Project, Fortify Project Version, and another conditional for uploading the FPR file.

The gist of it is this:

Clean

sourceanalyzer -b "Build ID" -clean

Build

sourceanalyzer -b "Build ID" devenv BuildID.sln /Rebuild Debug /out "C:\SSCLogs\SSCBuild.log"

Scan

sourceanalyzer -b "Build ID" -scan -format fpr -f BuildID.fpr

Upload to SSC

fortifyclient.bat -url SSCServerUrl -authtoken XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX uploadFPR -file BuildID.fpr -project "MyProject" -version "MyProject v1.0.0"

If you'd like a full rundown and/or some screen captures, I'd be happy to provide something for you.

Steve L. Avatar answered Oct 13 '22 14:10



The commands for a typical scan would look something like this.

  1. Build (translate) the code using

sourceanalyzer -b <build ID> <sourcecode>

  2. Scan the build with

sourceanalyzer -b <build ID> -scan -f <test>.fpr

  3. (If you are using 360 server) upload the result to the Fortify server with

fortifyclient uploadFPR -file <test>.fpr -project <projectname> -version <versionname> -url https://fortify.com/f360 -user <username> -password <password> (or -authtoken <authtoken>)

However, I need help with the build labels. When we invoke SCA, we can assign a build label to it, but I am not sure what options to provide to the commands.

sourceanalyzer -b testid codebase -build-label <option>

If anyone knows the format, please let me know.

user2122786 Avatar answered Oct 13 '22 14:10

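Both answers describe the same four-step sequence (clean, translate, scan, upload), so here it is wired into one script a CI job can call. This is an added example, not code posted by either answerer. It assumes sourceanalyzer and fortifyclient are on PATH, that the SSC token is injected by the CI secret store as the environment variable FORTIFY_AUTHTOKEN rather than typed into the build definition, and that -build-label accepts a free-form string such as the CI build number (the label format the second answer asks about). The SSC URL, project name and build command are placeholders.

```shell
#!/bin/sh
# Added example (not code from either answer): a POSIX sh wrapper for the
# clean / translate / scan / upload sequence so a CI job can call it.
# Assumptions: sourceanalyzer and fortifyclient are on PATH, the SSC token is
# supplied by the CI secret store as FORTIFY_AUTHTOKEN (never written into the
# build definition), and -build-label takes a free-form string such as the
# CI build number. The SSC URL and project names below are placeholders.
set -eu

: "${DRY_RUN:=0}"            # DRY_RUN=1: print the command line instead of running it
: "${FORTIFY_AUTHTOKEN:=}"   # injected by CI; empty means "not configured"

# run CMD ARGS...: execute, or in dry-run mode print the exact argv with the
# token masked so build logs never leak the SSC credential.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        out=""
        for a in "$@"; do
            if [ -n "$FORTIFY_AUTHTOKEN" ] && [ "$a" = "$FORTIFY_AUTHTOKEN" ]; then
                a='<redacted>'
            fi
            out="$out${out:+ }$a"
        done
        printf '%s\n' "$out"
    else
        "$@"
    fi
}

# Step 1: drop any intermediate files left from an earlier run of this build ID.
sca_clean() { run sourceanalyzer -b "$1" -clean; }

# Step 2: translate. $1 is the build ID, the rest is the real build command
# (devenv ..., mvn ..., make ...), which sourceanalyzer wraps and observes.
sca_translate() {
    bid=$1; shift
    run sourceanalyzer -b "$bid" "$@"
}

# Step 3: analyse the translated build and write an FPR.
# $1 build ID, $2 output .fpr, $3 optional build label for the FPR metadata.
sca_scan() {
    bid=$1; fpr=$2; label=${3:-}
    if [ -n "$label" ]; then
        run sourceanalyzer -b "$bid" -scan -build-label "$label" -format fpr -f "$fpr"
    else
        run sourceanalyzer -b "$bid" -scan -format fpr -f "$fpr"
    fi
}

# Step 4: upload to SSC. $1 SSC URL, $2 .fpr, $3 project, $4 version.
# Refuses to run without a token rather than falling back to a password prompt.
ssc_upload() {
    if [ -z "$FORTIFY_AUTHTOKEN" ]; then
        echo "ssc_upload: FORTIFY_AUTHTOKEN is not set" >&2
        return 1
    fi
    run fortifyclient -url "$1" -authtoken "$FORTIFY_AUTHTOKEN" \
        uploadFPR -file "$2" -project "$3" -version "$4"
}

# Whole pipeline: fortify_pipeline BUILD_ID FPR SSC_URL PROJECT VERSION LABEL BUILD_CMD...
fortify_pipeline() {
    bid=$1; fpr=$2; url=$3; proj=$4; ver=$5; label=$6; shift 6
    sca_clean "$bid"
    sca_translate "$bid" "$@"
    sca_scan "$bid" "$fpr" "$label"
    # A scan that produced no FPR must fail the job, not upload nothing.
    if [ "$DRY_RUN" != 1 ] && [ ! -s "$fpr" ]; then
        echo "fortify_pipeline: no FPR written to $fpr" >&2
        return 1
    fi
    ssc_upload "$url" "$fpr" "$proj" "$ver"
}

# Demo: DRY_RUN=1 FORTIFY_AUTHTOKEN=dummy sh fortify_ci.sh demo
if [ "${1:-}" = "demo" ]; then
    fortify_pipeline "MyProject" "MyProject.fpr" "https://ssc.example.internal/ssc" \
        "MyProject" "MyProject v1.0.0" "${BUILD_NUMBER:-local}" \
        devenv MyProject.sln /Rebuild Debug
fi
```

Run it once with DRY_RUN=1 to see the exact command lines the job will execute, with the token masked; the same masking keeps the credential out of CI console logs when the script echoes commands. Each step is a separate function so a build definition can expose "scan enabled" and "upload enabled" switches, as the first answer does, by calling only the steps it wants.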