Running HP Fortify from the Command Line
Created: 27 January 2016
As a developer I have been tasked with making sure our application is compliant with the Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG). DISA periodically publishes a list of STIGs which the development team needs to implement. One of the tools we use to accomplish this is HP Fortify. Fortify is a Static Code Analysis (SCA) tool.
Recently my work computer was replaced and I went from 32-bit Fedora to 64-bit Fedora. As a result, my 32-bit Fortify installation quit working. To work around this problem I decided to learn how to run Fortify from the command line. At first, running from the command line didn’t work either. The solution there was to rename “HP_Fortify_3.50_SCA_and_Apps/jre” to “HP_Fortify_3.50_SCA_and_Apps/jre32”. After the rename the command line started working.
You can run any of the command line tools with the “-h” or “-help” option to get a list of available options. The results are quite verbose, so we will concentrate on sourceanalyzer’s more often used options. An important option is “-b”, which specifies the build id. The build id is what ties all of your use of the command line tools together: every clean, build and scan for the same project must use the same id. The “-clean” option deletes intermediate files and build records for that build id. “-source” specifies which version of Java your code is written for. The “-scan” option causes sourceanalyzer to analyze your source code. “-format” specifies the file type in which the scan results are stored, and “-f” names the output file. A very handy one is “-show-build-ids”, which lists the available build ids. Finally, the “-64” option tells sourceanalyzer to run in 64-bit mode.
The lifecycle of a Fortify Scan is as follows:
- Clean
- Build
- Analyze
- Report
First, list the available build ids. This step is useful for finding any already existing analysis.
Example show build ids
bash$ sourceanalyzer -show-build-ids
ExampleProject
Created: Jan 13, 2016 1:45:47 PM
Last Modified: Jan 13, 2016 1:45:47 PM
Errors and Warnings: 29
Project: [] Label: [] Version: []
Remove temporary files that might influence a new analysis.
Clean by build id
bash$ sourceanalyzer -64 -b "ExampleProject" -clean
Parse source code and prepare for analysis.
Build by build id
bash$ sourceanalyzer -64 -b "ExampleProject" -source "1.6" "/path/to/project/source/code/"
[warning]: The following references to java classes could not be resolved. Please make sure to supply all the required jar files that contain these classes to SCA.
com.liferay.counter.service.CounterLocalService
com.liferay.counter.service.CounterLocalServiceUtil
com.liferay.portal.NoSuchModelException
com.liferay.portal.kernel.bean.AutoEscape
com.liferay.portal.kernel.bean.AutoEscapeBeanHandler
com.liferay.portal.kernel.bean.BeanReference
com.liferay.portal.kernel.bean.IdentifiableBean
com.liferay.portal.kernel.bean.PortletBeanLocatorUtil
...
Analyze the prepared code.
Analyze by build id
bash$ sourceanalyzer -64 -b "ExampleProject" -format "fpr" -f "/path/to/report/ExampleProject.fpr" -scan
[warning]: Some errors or warnings were suppressed. Check the results file for a full listing of all warnings and errors.
After the analysis, generate a human-readable report from the .fpr file.
Generate report from analysis
bash$ ReportGenerator -template "DeveloperWorkbook.xml" -format "pdf" -f "/path/to/report/ExampleProject.pdf" -source "/path/to/report/ExampleProject.fpr"
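The four steps above, chained into one POSIX shell script, as an added example that is not part of the original post or of HP Fortify itself. It assumes sourceanalyzer and ReportGenerator are on the PATH (or are named via the SOURCEANALYZER and REPORTGENERATOR variables) and that the project is Java. The optional FORTIFY_CP variable is an assumption for the reader’s own jar list, passed to sourceanalyzer’s “-cp” option so the “could not be resolved” warnings shown in the build step are reduced; unresolved classes mean those call paths are not analyzed, so a clean build log matters for the quality of the scan. DRY_RUN=1 prints every command without executing it, which is a sensible first pass before touching the build records.

```shell
#!/bin/sh
# Added example: drive the Fortify clean/build/scan/report lifecycle from one script.
# Not the author's or Fortify's own code. Assumed environment: sourceanalyzer and
# ReportGenerator on PATH, a Java project, and an optional FORTIFY_CP classpath.

SA="${SOURCEANALYZER:-sourceanalyzer}"     # path to sourceanalyzer (assumption: on PATH)
RG="${REPORTGENERATOR:-ReportGenerator}"   # path to ReportGenerator (assumption: on PATH)
JAVA_SOURCE="${JAVA_SOURCE:-1.6}"          # value for -source, as in the post
FORTIFY_CP="${FORTIFY_CP:-}"               # optional colon-separated jar list for -cp
DRY_RUN="${DRY_RUN:-0}"                    # 1 = only print the commands

# Echo each command before running it; with DRY_RUN=1 only echo and report success,
# so the whole pipeline can be reviewed before it modifies any build records.
run() {
    echo "+ $*"
    if [ "$DRY_RUN" = "1" ]; then return 0; fi
    "$@"
}

# Step 1: remove intermediate files and build records for this build id.
fortify_clean() {
    run "$SA" -64 -b "$1" -clean
}

# Step 2: parse the source tree ($2) under build id $1. If FORTIFY_CP is set,
# hand the jars to sourceanalyzer so referenced classes resolve.
fortify_build() {
    if [ -n "$FORTIFY_CP" ]; then
        run "$SA" -64 -b "$1" -source "$JAVA_SOURCE" -cp "$FORTIFY_CP" "$2"
    else
        run "$SA" -64 -b "$1" -source "$JAVA_SOURCE" "$2"
    fi
}

# Step 3: analyze the prepared code for build id $1, writing results to the .fpr in $2.
fortify_scan() {
    run "$SA" -64 -b "$1" -format fpr -f "$2" -scan
}

# Step 4: render the developer workbook PDF ($2) from the .fpr ($1).
fortify_report() {
    run "$RG" -template DeveloperWorkbook.xml -format pdf -f "$2" -source "$1"
}

# Whole lifecycle: stop at the first failing step so a broken build or scan never
# leaves behind a report that looks current but was generated from stale results.
# $1 = build id, $2 = source directory, $3 = output directory for .fpr and .pdf
fortify_pipeline() {
    build_id="$1"; src_dir="$2"; out_dir="$3"
    fpr="$out_dir/$build_id.fpr"
    pdf="$out_dir/$build_id.pdf"
    run mkdir -p "$out_dir" &&
    fortify_clean "$build_id" &&
    fortify_build "$build_id" "$src_dir" &&
    fortify_scan "$build_id" "$fpr" &&
    fortify_report "$fpr" "$pdf"
}

# Usage: sh fortify-scan.sh run ExampleProject /path/to/project/source/code /path/to/report
if [ "${1:-}" = "run" ]; then
    fortify_pipeline "$2" "$3" "$4"
fi
```

Because every step goes through the same run wrapper and the functions are chained with &&, the script’s exit status is the status of the first step that failed, which makes it straightforward to call from a CI job and treat a failed scan as a failed build.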
This covers some basic functionality. For more help see the HP Fortify user manual.
tags: hp - fortify - java - stig - disa