(HP Fortify) Static Code Analysis of code built with the nar-maven-plugin
ajld...@gmail.com
Mar 3, 2017, 5:58:36 AM3/3/17
to NAR Maven plugin
My company requires us to perform security scans of our software using a Static Code Analysis tool called HP Fortify. Scanning is performed in 2 steps: translate and scan.
To translate C and C++ you perform the following:
If you were to compile using:
gcc test.c -o test.so
You would simply prefix the call with sourceanalyzer:
sourceanalyzer -b <projectname> gcc test.c -o test.so
To scan, perform the following after translation:
sourceanalyzer -b <projectname> -scan -f scan-results.fpr
We have various legacy and new products that have C and C++ code, and we would like to start moving any product in development to using the nar-maven-plugin, as we do a lot of Java development too, using Maven for builds and dependency management.
Does the functionality exist for me to prefix the compiler calls used by the nar-maven-plugin with the "sourceanalyzer -b <projectname>" command so that I may perform the required security scans? Or will I be forced to stick with ant, shell scripts and make?
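The translate-then-scan procedure above can be wrapped so that a build tool which only lets you pick the compiler executable still feeds Fortify. The following is an added example written for this page, not code from the original post, from HP Fortify, or from the nar-maven-plugin project. It is a wrapper "compiler" that prefixes each compile/link call with "sourceanalyzer -b <build-id>" and provides the scan call for the end of the build. Everything beyond the two sourceanalyzer invocations shown in the post is an assumption: the environment variables FORTIFY_BUILD_ID, REAL_CC and FORTIFY_DRY_RUN, the function names, and the recursion check.

```shell
#!/bin/sh
# Added example, not from the thread or the nar-maven-plugin project.
# Wrapper compiler: the build is pointed at this script instead of gcc and
# every call it receives is replayed as
#     sourceanalyzer -b <build-id> <real compiler> <original arguments>
# which is exactly the Fortify translate step from the post.
#
# Assumptions (not in the original post):
#   FORTIFY_BUILD_ID  the -b build id ("<projectname>" in the post)
#   REAL_CC           path to the genuine compiler (must NOT be this wrapper)
#   FORTIFY_DRY_RUN=1 print the command instead of running sourceanalyzer

: "${FORTIFY_BUILD_ID:=myproject}"
: "${REAL_CC:=/usr/bin/gcc}"
: "${FORTIFY_DRY_RUN:=0}"

# Translate step as a single string (for logging/dry-run; arguments are
# joined with spaces, so use fortify_exec for the real call).
fortify_translate_cmd() {
    printf 'sourceanalyzer -b %s %s %s' "$FORTIFY_BUILD_ID" "$REAL_CC" "$*"
}

# Scan step: run once after every translation unit has been recorded under
# the same build id. Optional first argument overrides the .fpr output name.
fortify_scan_cmd() {
    printf 'sourceanalyzer -b %s -scan -f %s' "$FORTIFY_BUILD_ID" "${1:-scan-results.fpr}"
}

# If REAL_CC resolves to this very wrapper (e.g. PATH shadowing gone wrong)
# the wrapper would call itself forever; refuse to run in that case.
fortify_check_real_cc() {
    [ -n "$REAL_CC" ] && [ "$REAL_CC" != "$0" ]
}

# Run (or, in dry-run mode, print) the translate call for the arguments the
# build tool handed us. "$@" keeps each argument intact, including spaces.
fortify_exec() {
    if ! fortify_check_real_cc; then
        echo "fortify wrapper: REAL_CC must point at the real compiler, not at $0" >&2
        return 2
    fi
    if [ "$FORTIFY_DRY_RUN" = 1 ]; then
        fortify_translate_cmd "$@"
        echo
    else
        exec sourceanalyzer -b "$FORTIFY_BUILD_ID" "$REAL_CC" "$@"
    fi
}

# Only act when invoked with compiler arguments; with none the file just
# defines the functions, so it can be sourced from another script.
if [ "$#" -gt 0 ]; then
    fortify_exec "$@"
fi
```

A plugin-agnostic way to hook this in is to install the script in a directory of its own under the name the build expects (for example a symlink named gcc pointing at the wrapper), put that directory first on PATH with REAL_CC set to the genuine compiler, run the build once to translate, and then run the scan command. Whether the nar-maven-plugin lets you name the compiler executable directly is the question this thread asks, so the wrapper deliberately does not depend on any plugin option.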
eyal...@gmail.com
May 11, 2017, 2:18:09 AM5/11/17
to NAR Maven plugin
I have now implemented this functionality for C/C++ code and created PR #274.
If the PR is approved, you will just need to add a new configuration parameter, <fortifyID>value</fortifyID>, to each project in the relevant profile.