Running HP Fortify from the Command Line
Created: 27 January 2016

As a developer I have been tasked with making sure our application is compliant with the Defense Information Systems Agency’s (DISA) Security Technical Implementation Guide (STIG). DISA publishes a list of STIGs periodically which the development team needs to implement. One of the tools we use to accomplish this is HP Fortify. Fortify is a Static Code Analysis (SCA) tool.
Recently my work computer was replaced and I went from 32-bit Fedora to 64-bit Fedora. The result of this is my 32-bit Fortify installation quit working. To work around this problem I decided to learn how to run Fortify from the command line. At first running from the command line also didn’t work. The solution there was to rename “HP_Fortify_3.50_SCA_and_Apps/jre” to “HP_Fortify_3.50_SCA_and_Apps/jre32”. After the rename the command line started working.
You can run any of the command line tools with the “-h” or “-help” command option to get a list of available options. The results are quite verbose, so we will concentrate on sourceanalyzer’s more often used options. An important option is “-b”, which specifies the build id. The build id is what ties all of your use of the command line tools together: the clean, build, scan and report steps all refer to the same id. The “-clean” command option deletes the intermediate files and build records for a build id. “-source” is used to specify which version of Java you are using. The “-scan” command option causes sourceanalyzer to analyze your source code. “-format” specifies in what file type you want the scan results stored. A very handy one is “-show-build-ids”, which lists the available build ids. Finally, the “-64” option tells sourceanalyzer to run in 64-bit mode.
The lifecycle of a Fortify Scan is as follows:
- Clean
- Build
- Analyze
- Report
First let us list the available build ids. This step is useful to find any already existing analysis.
Example show build ids
Remove temporary files that might influence a new analysis.
Clean by build id
Parse source code and prepare for analysis.
Build by build id
Analyze the prepared code.
Analyze by build id
After analysis, generate a human readable report.
Generate report from analysis
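The four lifecycle steps above wrapped in one POSIX shell script, as an added example rather than the post's own commands. It assumes sourceanalyzer and ReportGenerator (Fortify's report tool, with -format/-f/-source) are on PATH; the build id, Java source level, source directory and output file names are placeholders you would replace.

```shell
#!/bin/sh
# Added example (not from the original post): drive the Fortify SCA lifecycle
# clean -> build -> analyze -> report with one build id (-b) throughout.
# Assumes sourceanalyzer and ReportGenerator are on PATH.
BUILD_ID="${BUILD_ID:-myapp}"        # placeholder: -b ties all phases together
JAVA_SOURCE="${JAVA_SOURCE:-1.6}"    # placeholder: -source, Java language level
SRC_DIR="${SRC_DIR:-src}"            # placeholder: root of the Java sources
FPR="${FPR:-results.fpr}"            # placeholder: scan results (-format fpr)
DRY_RUN="${DRY_RUN:-0}"              # 1 = print the commands instead of running

# fortify_cmd <phase>: prints the command line for one lifecycle phase.
# The "src/**/*.java" pattern is quoted so Fortify, not the shell, expands it.
fortify_cmd() {
  case "$1" in
    list)    echo "sourceanalyzer -show-build-ids" ;;
    clean)   echo "sourceanalyzer -64 -b $BUILD_ID -clean" ;;
    build)   echo "sourceanalyzer -64 -b $BUILD_ID -source $JAVA_SOURCE \"$SRC_DIR/**/*.java\"" ;;
    analyze) echo "sourceanalyzer -64 -b $BUILD_ID -scan -format fpr -f $FPR" ;;
    report)  echo "ReportGenerator -format pdf -f $BUILD_ID-report.pdf -source $FPR" ;;
    *)       echo "unknown phase: $1" >&2; return 1 ;;
  esac
}

# run_phase <phase>: executes the phase, or only prints it when DRY_RUN=1.
run_phase() {
  cmd=$(fortify_cmd "$1") || return 1
  if [ "$DRY_RUN" = 1 ]; then
    echo "[dry-run] $cmd"
  else
    echo "+ $cmd"
    eval "$cmd"
  fi
}

# fortify_lifecycle: run every phase in order and stop at the first failure,
# so a failed build never produces a stale-looking report.
fortify_lifecycle() {
  for phase in clean build analyze report; do
    run_phase "$phase" || { echo "phase '$phase' failed" >&2; return 1; }
  done
}

# Usage: sh fortify-scan.sh <list|clean|build|analyze|report|all>
case "${1:-}" in
  "")  ;;                     # no argument: only define the functions
  all) fortify_lifecycle ;;
  *)   run_phase "$1" ;;
esac
```

Run `DRY_RUN=1 sh fortify-scan.sh all` first to see the exact commands before letting them touch the build records.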
This covers some basic functionality. For more help see the HP Fortify user manual.
tags: hp - fortify - java - stig - disa