Created April 25, 2014 13:59
Running Fortify from a Gradle build. These are the snippets you can add to your build.gradle to run the analyzer and produce a Fortify *.fpr file. Fortify is not F/OSS, so you (or your company) will need a license, and the dependencies won't be available in public repos; you will have to add them to your company's private repo (e.g. Artifactory).
// Add a new configuration that holds the Fortify SCA libraries
configurations {
    fortify { extendsFrom compile }
}

// pull in the fortify libs for the new configuration (served from your private repo, e.g. Artifactory)
dependencies {
    fortify 'com.fortify:sourceanalyzer:3.90'
}

// the 2 new tasks
// fortifySetup: point Ant at the Fortify compiler and define the <sca> Ant task type
task fortifySetup(dependsOn: clean) << {
    ant.properties['build.compiler'] = 'com.fortify.dev.ant.SCACompiler'
    ant.typedef(name: 'sca', classname: 'com.fortify.dev.ant.SourceanalyzerTask',
                classpath: configurations.fortify.asPath)
}

// fortifyReport: run the scan and write the log and the FPR under build/reports/fortify.
// The <sca> type is defined in fortifySetup, so this task has to depend on it as well,
// otherwise ant.sca is undefined when fortifyReport runs.
task fortifyReport(dependsOn: [fortifySetup, compileJava]) << {
    ant.sca(jdk: "1.7",
            debug: true,
            verbose: true,
            failonerror: true,
            scan: true,
            logFile: file("$buildDir/reports/fortify/Fortify.log"),
            resultsFile: file("$buildDir/reports/fortify/<<name of your FPR file here>>.fpr")
    ) {
        fileset(dir: 'src/main') {
            include(name: '**/*.java')
        }
    }
}

// make sure clean and the Fortify setup run before compilation
compileJava.mustRunAfter fortifySetup
Since the 'sca' definition is in a separate task it won't be defined when called in fortifyReport. You should either merge both tasks or add a dependency to fortifyReport on fortifySetup. You can take the fix from here: https://gist.github.com/bennybauer/cce6dec12f9c55ec27d4/revisions?diff=split
Thanks a lot!
Can you let me know where I can get the dependency jar 'com.fortify:sourceanalyzer:3.90'? I was unable to find it on my company's repo.
Thanks for this!
I have an Android project. I should preface this by saying that I am completely new to Gradle. The project I am trying to scan with Fortify applies the following plugins:
apply plugin: 'com.android.application'
apply plugin: 'io.fabric'
My understanding is that the compileJava dependency would require me to apply:
apply plugin: 'java'
According to a couple of Stack Overflow posts, you cannot apply both 'com.android.application' and 'java'. Ref: http://stackoverflow.com/questions/26861011/android-compile-error-java-plugin-has-been-applied-not-compatible-with-android#comment42297733_26861186
My question is how do I trigger the fortifyReport task? I assume I need it to depend on something, but it seems that compileJava is not an option (per the remark above).