HP Fortify scan using Gradle

TechDevops · Dec 5, 2016 · Viewed 7.3k times

I am using the configuration below in build.gradle for running HP Fortify scan:

// Fortify configuration
configurations {
  fortify { extendsFrom compile }
}

// pull in the fortify libs for the new configuration
dependencies {
  fortify 'com.fortify:sourceanalyzer:3.90'
}

task fortifyReport(dependsOn: compileJava) << {
  ant.properties['build.compiler']='com.fortify.dev.ant.SCACompiler'
  ant.typedef(name: 'sca', classname: 'com.fortify.dev.ant.SourceanalyzerTask', classpath: configurations.fortify.asPath)
  ant.sca(jdk:"1.7",
    debug:true ,
    verbose:true ,
    failonerror:true ,
    scan:true ,
    logFile:file("$buildDir/reports/fortify/Fortify.log"),
    resultsFile:file("$buildDir/reports/fortify/${project.name}.fpr")
  ){
    fileset(dir:'src/main') {
      include(name:'**/*.java')
    }
  }
}

But when executing I am getting the below:

* What went wrong:
Execution failed for task ':fortifyReport'.
> Could not resolve all dependencies for configuration 'detachedConfiguration157'.
> Could not find com.fortify:sourceanalyzer:3.90.

I am not able to find the sourceanalyzer:3.90 plugin on the internet. Please advise on how to resolve this issue.

Answer

SBurris · Jan 8, 2017

As of SCA 16.20, Gradle integration is now supported.

From the official documentation, HPE Security Fortify Static Code Analyzer User Guide, Chapter 13: Build Integration:

Gradle Integration

You can translate projects that are built with Gradle without requiring any modification of the build.gradle file. When the build runs, Fortify Static Code Analyzer translates the source files as they are compiled. See the HPE Security Fortify Software System Requirements document for platforms and languages supported specifically for Gradle integration. Any files in the project that use unsupported languages for Gradle integration are not translated (with no error reporting). These files are therefore not analyzed and any existing potential vulnerabilities can go undetected.

To integrate Fortify Static Code Analyzer into your Gradle build, make sure that the sourceanalyzer executable is on the system PATH. Prepend the Gradle command line with the sourceanalyzer command as follows:

sourceanalyzer -b <build_id> <sca_options> gradle [<gradle_options>] <gradle tasks>

For example:

sourceanalyzer -b buildxyz gradle clean build
sourceanalyzer -b buildxyz gradle --info assemble

Note: If you use the Fortify Static Code Analyzer -verbose option, then you must also include the -gradle option. For example:

sourceanalyzer -b buildxyz -gradle -verbose gradle assemble
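An added example, not part of the answer or of Fortify's documentation: a small POSIX shell wrapper that runs the documented sourceanalyzer-prefixed Gradle invocation (keeping -verbose paired with -gradle) and then scans the translated build id into the .fpr file the question was after. The -clean, -scan and -f options and the FORTIFY_DRY_RUN variable are assumptions of this script, not taken from the page.

```shell
#!/bin/sh
# Added wrapper script, not from the answer or the Fortify documentation.
# It chains the documented "sourceanalyzer -b <build_id> ... gradle <tasks>"
# translate step with a clean before it and a scan after it, so the build id
# ends up as an .fpr file. Set FORTIFY_DRY_RUN=1 to print the commands instead
# of running them (also lets the script be checked without SCA installed).
# Assumed (not shown on the page): the -clean, -scan and -f SCA options.

# Translate command. The -verbose option is only emitted together with -gradle,
# as the documentation note requires.
fortify_translate_cmd() {
    build_id=$1; verbose=$2; shift 2
    cmd="sourceanalyzer -b $build_id"
    [ "$verbose" = 1 ] && cmd="$cmd -gradle -verbose"
    printf '%s' "$cmd gradle $*"
}

# Scan command: analyze everything translated under the build id into an FPR.
fortify_scan_cmd() {
    printf '%s' "sourceanalyzer -b $1 -scan -f $2"
}

# Run one command line, or just print it in dry-run mode.
# Arguments are caller-controlled build ids, paths and Gradle tasks, so they are
# kept as a single string; paths containing spaces are not supported here.
_run() {
    if [ "${FORTIFY_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$1"
    else
        command -v sourceanalyzer >/dev/null 2>&1 || {
            echo "sourceanalyzer is not on PATH" >&2; return 127; }
        sh -c "$1"
    fi
}

# Full pipeline: clean the build id, translate via Gradle, then scan.
# Usage: run_fortify_pipeline <build_id> <results.fpr> <verbose 0|1> <gradle tasks...>
run_fortify_pipeline() {
    build_id=$1; fpr=$2; verbose=$3; shift 3
    _run "sourceanalyzer -b $build_id -clean" &&
    _run "$(fortify_translate_cmd "$build_id" "$verbose" "$@")" &&
    _run "$(fortify_scan_cmd "$build_id" "$fpr")"
}

# Example invocation (only when run with --demo): dry-run the three steps.
if [ "${1:-}" = "--demo" ]; then
    FORTIFY_DRY_RUN=1 run_fortify_pipeline buildxyz build/reports/fortify/app.fpr 1 clean build
fi
```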