(HP Fortify) Static Code Analysis of code built with the nar-maven-plugin

[ajld...@gmail.com]

My company requires us to perform security scans of our software use a Static Code Analysis tool called HP Fortify. Scanning is performed in 2 steps: translate and scan.

To translate c and c++ you perform the following

If you were to compile using:
gcc test.c -o test.so

You would simply prefix the call with the sourcanalyzer
sourceanalyzer -b <projectname> gcc test.c -o test.so

To scan perform after translation
sourcanalyzer -b <projectname> -scan -f scan-results.fpr

We have various legacy and new products that have c and c++ code and we would like to start moving and product in development to using the nar-maven-plugin as we do a lot of Java develpment too using maven for builds and dependency management.

Does the functionality exist for me to prefix my compiler calls used by the nar-maven-plugin with the "sourcanalyzer -b <projectname>" command so that i may perform the required Security Scans? Or will i be forced to stick with ant, shell scripts and make?

[eyal...@gmail.com]

I implemented this functionality now for C/C++ code and created PR  #274

If the PR will be approved- you will just need to add to each project in the relevant profile new configuration parameter <fortifyID>value</fortifyID>

Eyal