Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
451 views
in Technique[技术] by (71.8m points)

c# - Fortify command line usage

Has anyone used command line to run fortify? I tryin to incorporate fortify run in my CI build and I dont know how to do it.

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

Since I can't add a comment, I'll have to offer this as an answer. Our company has integrated the scan process into our TFS build environment and it works pretty well.

We use a series of "Invoke Process" build activities to make this happen. The entire security scan sequence is wrapped in a conditional which is exposed as an argument to the build definition. This allows us to enable or disable scans as needed. We also expose a few other things like Fortify Project, Fortify Project Version, and another conditional for uploading the FPR file.

The gist of it is this:

Clean

sourceanalyzer -b "Build ID" -clean

Build

sourceanalyzer -b "Build ID" devenv BuildID.sln /Rebuild Debug /out "C:SSCLogsSSCBuild.log"

Scan

sourceanalyzer -b "Build ID" -scan -format fpr -f BuildID.fpr

Upload to SSC

fortifyclient.bat -url SSCServerUrl -authtoken XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX uploadFPR -file BuildID.fpr -project "MyProject" -version "MyProject v1.0.0"

If you'd like a full rundown and/or some screen captures, I'd be happy to provide something for you.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...