c# - Fortify command line usage

Question

Has anyone used command line to run fortify? I tryin to incorporate fortify run in my CI build and I dont know how to do it.

Answer 1

Since I can't add a comment, I'll have to offer this as an answer. Our company has integrated the scan process into our TFS build environment and it works pretty well.

We use a series of "Invoke Process" build activities to make this happen. The entire security scan sequence is wrapped in a conditional which is exposed as an argument to the build definition. This allows us to enable or disable scans as needed. We also expose a few other things like Fortify Project, Fortify Project Version, and another conditional for uploading the FPR file.

The gist of it is this:

Clean

sourceanalyzer -b "Build ID" -clean

Build

sourceanalyzer -b "Build ID" devenv BuildID.sln /Rebuild Debug /out "C:SSCLogsSSCBuild.log"

Scan

sourceanalyzer -b "Build ID" -scan -format fpr -f BuildID.fpr

Upload to SSC

fortifyclient.bat -url SSCServerUrl -authtoken XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX uploadFPR -file BuildID.fpr -project "MyProject" -version "MyProject v1.0.0"

If you'd like a full rundown and/or some screen captures, I'd be happy to provide something for you.