Running HP Fortify from the Command Line
27 January 2016
As a developer I have been tasked with making sure our application is compliant with Defense Information Systems Agency’s (DISA) Security Technical Implementation Guide (STIG). DISA publishes a list of STIGs periodically which the development team needs to implement. One of the tools we use to accomplish this is HP Fortify. Fortify is a Static Code Analysis(SCA) tool.
Recently my work computer was replaced and I went from 32 Bit Fedora to a 64 Bit Fedora. The result of this is my 32 Bit Fortify installation quit working. To work around this problem I decided to learn how to run Fortify from the command line. At first running from the command line also didn’t work. The solution there was to rename "HP_Fortify_3.50_SCA_and_Apps/jre" to "HP_Fortify_3.50_SCA_and_Apps/jre32". After the rename the command line started working.
You can run any of the command line tools with the "-h" or "-help" command option to get a list of available options. The results are quite verbose so we will concentrate on the sourceanalyzer’s more often used options. An important build option is the "-b" option which specifies the build id. The build id is what ties all of your use of the command line tools together. The "-clean" command option will delete intermediate files and build records. "-source" is used to specify which version of Java you are using. The "-scan" command option causes sourceanalyzer to analyze your cource code. "-format" specifies in what filetype you want the scan results stored. A very handy one is "-show-build-ids" which will list the available build Ids. Finally the "-64" option tells sourceanalyzer to run in 64 bit mode.
The lifecycle of a Fortify Scan is as follows:
First let us list the available build ids. This step is useful to find any already existing analysis.
bash$ sourceanalyzer -show-build-ids ExampleProject Created: Jan 13, 2016 1:45:47 PM Last Modified: Jan 13, 2016 1:45:47 PM Errors and Warnings: 29 Project:  Label:  Version: 
Remove temporary files that might influence a new analysis.
bash$ sourceanalyzer -64 -b "RecruitingOperations" -clean
Parse source code and prepare for analysis.
bash$ sourceanalyzer -64 -b "ExampleProject" -source "1.6" "/path/to/project/source/code/" [warning]: The following references to java classes could not be resolved. Please make sure to supply all the required jar files that contain these classes to SCA. com.liferay.counter.service.CounterLocalService com.liferay.counter.service.CounterLocalServiceUtil com.liferay.portal.NoSuchModelException com.liferay.portal.kernel.bean.AutoEscape com.liferay.portal.kernel.bean.AutoEscapeBeanHandler com.liferay.portal.kernel.bean.BeanReference com.liferay.portal.kernel.bean.IdentifiableBean com.liferay.portal.kernel.bean.PortletBeanLocatorUtil ...
Analyze the prepared code.
bash$ sourceanalyzer -64 -b "ExampleProject" -format "fpr" -f "/path/to/report/ExampleProject.fpr" -scan [warning]: Some errors or warnings were suppressed. Check the results file for a full listing of all warnings and errors.
After analysis generated a human readable report.
bash$ ReportGenerator -template "DeveloperWorkbook.xml" -format "pdf" -f "/path/to/report/ExampleProject.pdf" -source "/path/to/report/ExampleProject.fpr"
This covers some basic functionality. For more help see the HP Fortify user manual.