Menu
We have Fortify SCA and we are setting up regular, automated scans of our source code. Our intention is to have an alert if there is an introduced security issue. Is there a way, perhaps using FPRUtility (or some other method) to accomplish this? Ultimately I prefer something that can be easily run from the command line, but if this can also be accomplished using the GUI then I would appreciate knowing how to do that as well.
717
Fortify SCA comprises five distinct analyzers: data flow, control flow, semantic, structural, and configuration.
How do I run a fortify scan locally? Run a locally installed version of Fortify Static Code analyzer on the currently opened project to create an FPR. Open the FPR in Fortify Audit Workbench to view the results. Run a remote translation and scan using Fortify Scan Central.
Fortify essentially classifies the code quality issues in terms of its security impact on the solution. While Sonarqube is more of a Static code analysis tool which also gives you like "code smells," though Sonarqube also lists out the vulnerabilities as part of its analysis.
Use Audit Workbench to run a report. Choose "developer workbook" and disable all except one section. (you can choose any section you want).
In the report section's additional properties, set the filter for the issues to [issue age]:new. This means the report will show ONLY issues in your FPR that were not present in the previous scan, and were introduced in the latest scan. Save the template.
In your scan configuration, make sure to scan to the same FPR every time per project, so that "new" issues can be calculated by the report runner.
After the scan is complete, use the answer by @user1836982 to run the report. Choose the XML template and process it programmatically.
199
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
