Thursday, May 9, 2013

Fortify – [error]: Build ID doesn’t exist.

[error]: Build ID doesn’t exist. Error invoking sourceanalyzer. Exit code: 1.
This was the strange error we kept seeing on the Jenkins server today when using Fortify to scan projects. All the jobs that had been running successfully suddenly failed.


Even having the source code for the Maven plug-in didn’t help much.
I spent a few hours trying various things, and at one point decided to just run the translate command on its own. Translate ran fine, which made me suspect something wasn’t right here.
Fortify kept complaining that the Build ID doesn’t exist. Translate also requires a Build ID, which made me wonder what was going wrong. When I ran translate by itself and looked at the log file it generates, the culprit was hidden there: “No space left on device”. See screenshot below:

Fortify was configured to use the default working directory and project root. The disk was full, but translate didn’t throw an exception; the stack trace was hidden in its log file, and the later scan step failed because the build session it expected was never written. Once the default working folder was changed, all jobs ran successfully again.
There are basically two options available:
1. Point both properties at a mount that has more space:
com.fortify.WorkingDirectory=/your/tmp/dir/fortify
com.fortify.sca.ProjectRoot=/your/tmp/dir/fortify
2. Use the Jenkins workspace folder, so the workspace can be cleared at regular intervals:
com.fortify.WorkingDirectory=.yourjenkinsworkspace
com.fortify.sca.ProjectRoot=.yourjenkinsworkspace
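Because translate swallows the disk-full error and only the later scan fails, it is worth checking the working directories before each Jenkins job runs. The script below is an added example, not code from the original post or from Fortify: it reads the two properties above from a Java-style properties file (the file name fortify-sca.properties and the 1 GiB default threshold are assumptions), checks the free space on the filesystem that holds each directory, and also greps a translate log for the exact message that was hidden in the log here.

```shell
#!/bin/sh
# Added example: pre-flight disk check for Fortify SCA working directories.
# Assumptions: the properties live in a Java-style properties file such as
# fortify-sca.properties; the threshold defaults to 1 GiB (1048576 KiB).

# Print the value of key $2 from properties file $1 (last definition wins,
# as in Java properties; both "key=value" and "key: value" are accepted).
fortify_prop() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*[=:][[:space:]]*//p" "$1" | tail -n 1
}

# Free KiB on the filesystem that holds directory $1. Fortify creates the
# directory on first run, so walk up to the nearest existing parent.
free_kib() {
  d=$1
  while [ ! -d "$d" ] && [ "$d" != "/" ] && [ -n "$d" ]; do
    d=$(dirname "$d")
  done
  df -Pk "$d" | awk 'NR==2 {print $4}'
}

# Return 0 when every configured Fortify directory has at least $2 KiB free
# (default 1048576), 1 otherwise. Unset properties are reported, not failed,
# because Fortify then falls back to its default location.
check_fortify_space() {
  props=$1
  min_kib=${2:-1048576}
  rc=0
  for key in com.fortify.WorkingDirectory com.fortify.sca.ProjectRoot; do
    dir=$(fortify_prop "$props" "$key")
    if [ -z "$dir" ]; then
      echo "$key not set in $props; Fortify will use its default"
      continue
    fi
    avail=$(free_kib "$dir")
    if [ "$avail" -lt "$min_kib" ]; then
      echo "$key=$dir has only ${avail} KiB free (need ${min_kib} KiB)"
      rc=1
    fi
  done
  return $rc
}

# Return 0 when translate log $1 contains the disk-full message that
# sourceanalyzer writes instead of failing the build.
log_disk_full() {
  grep -q "No space left on device" "$1"
}

# Usage: preflight.sh fortify-sca.properties [min_kib]
if [ $# -ge 1 ]; then
  check_fortify_space "$1" "${2-}"
fi
```

Run it as a first build step so the job fails with a clear message before translate starts, and point log_disk_full at the translate log as a post-build check; both return non-zero exit codes that Jenkins will surface.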

Wednesday, May 8, 2013

Maven Fortify Plugin - Getting Help

Developers and security analysts often have trouble getting the Fortify Maven plugin up and running. Even when the basic translate and scan commands work, I have seen them struggle to understand the various options available to configure how a project gets scanned.

Adding the Fortify Maven plugin is as simple as adding the following lines to your POM file. This is optional: in many cases, if you specify the full plugin coordinates on the command line, you don't have to add these lines to every POM.
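The POM snippet itself did not survive on this page, so the declaration below is an added example rather than the post's own lines. It uses the coordinates that appear in the help:describe commands later on this page (groupId com.fortify.ps.maven.plugin, artifactId maven-sca-plugin, version 3.50); the plugin's configuration parameters are not shown here because they are exactly what the help:describe output lists.

```xml
<build>
  <plugins>
    <!-- Added example: declare the Fortify SCA Maven plugin with the
         coordinates used by the mvn help:describe commands on this page. -->
    <plugin>
      <groupId>com.fortify.ps.maven.plugin</groupId>
      <artifactId>maven-sca-plugin</artifactId>
      <version>3.50</version>
      <!-- Put <configuration> parameters here; obtain their names and
           defaults from: mvn help:describe ... -Ddetail=true -->
    </plugin>
  </plugins>
</build>
```

With the plugin declared this way, the goals can be invoked by the short prefix instead of the full groupId:artifactId:version form.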


If you don't have the source for the plugin and want to find out which configuration options can be specified, use the mvn help:describe command. To see the options for the maven-sca-plugin shown above, run:
mvn help:describe -DgroupId=com.fortify.ps.maven.plugin -DartifactId=maven-sca-plugin -Dversion=3.50 -Ddetail=true -Doutput=mvn-help.txt



The text file will contain all the detailed information available for the plugin's goals.


To get help information for a specific MOJO (a single Maven goal), use the following command:
mvn help:describe -DgroupId=com.fortify.ps.maven.plugin -DartifactId=maven-sca-plugin -Dversion=3.50 -Ddetail=true -Dgoal=scan -Doutput=mvn-help-scan.txt