Wednesday, May 8, 2013

Maven Fortify Plugin - Getting Help

Developers and security analysts often have trouble getting the Fortify Maven plugin up and running. Even when the basic translate and scan goals work, I have seen them struggle to understand the various options available for configuring how the project gets scanned.

Adding the Fortify Maven plugin is as simple as declaring it in the plugins section of your POM file. Even that is optional: if you specify the plugin's full coordinates (groupId:artifactId:version) on the command line, you don't have to add the declaration to every POM.

If you don't have the source for the plugin and want to find out which configuration options it accepts, use the mvn help:describe command. To see the options for the maven-sca-plugin, run:
mvn help:describe -DartifactId=maven-sca-plugin -Dversion=3.50 -Ddetail=true -Doutput=mvn-help.txt

The output file lists every goal the plugin provides and, because of -Ddetail=true, each goal's parameters with their default values, the user property that sets each one from the command line, and a description. If Maven cannot resolve the plugin from the artifactId alone, pass its groupId as well with -DgroupId=..., or list that group under pluginGroups in your settings.xml.

To get help for a specific MOJO (Maven goal) only, add -Dgoal with the goal name (without the plugin prefix):
mvn help:describe -DartifactId=maven-sca-plugin -Dversion=3.50 -Ddetail=true -Dgoal=scan -Doutput=mvn-help-scan.txt
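As an added example (not part of the original post), the shell helpers below wrap the help:describe invocation shown above and pull goal names, parameter names and their user properties out of the saved report, so the options can be fed to a scan without reading the whole file. The sample report is constructed here to mimic the layout of help:describe -Ddetail=true output; its goal names, parameter names and defaults are placeholders, not a statement of what maven-sca-plugin 3.50 actually exposes.

```shell
#!/bin/sh
# Added example, not the plugin's own code. The sample report below is constructed
# to mimic the layout of `mvn help:describe -Ddetail=true` output; the parameters
# it lists are placeholders, not documented maven-sca-plugin settings.

# Run help:describe for one goal of the plugin and save the report.
# Usage: fortify_describe 3.50 scan mvn-help-scan.txt
fortify_describe() {
  version="$1"; goal="$2"; out="$3"
  mvn help:describe \
    -DartifactId=maven-sca-plugin \
    -Dversion="$version" \
    -Ddetail=true \
    -Dgoal="$goal" \
    -Doutput="$out"
}

# List the goals a saved report documents (header lines such as "sca:scan").
# Usage: list_goals REPORT
list_goals() {
  grep -E '^[a-z0-9-]+:[a-zA-Z0-9-]+$' "$1"
}

# List the parameter names documented under one goal.
# Usage: list_params REPORT sca:scan
list_params() {
  awk -v goal="$2" '
    # A goal header starts a new section; remember whether it is the wanted one.
    /^[a-z0-9-]+:[a-zA-Z0-9-]+$/ { in_goal = ($0 == goal); next }
    # Parameter names sit at four-space indent; their attributes at six.
    in_goal && /^    [A-Za-z]/ { sub(/^ +/, ""); sub(/ .*/, ""); print }
  ' "$1"
}

# Print the user property (usable as -Dname=value) that sets a parameter of a goal,
# or nothing if the report documents none for it.
# Usage: param_property REPORT sca:scan buildId
param_property() {
  awk -v goal="$2" -v param="$3" '
    /^[a-z0-9-]+:[a-zA-Z0-9-]+$/ { in_goal = ($0 == goal); name = ""; next }
    in_goal && /^    [A-Za-z]/ { name = $1; next }
    in_goal && name == param && /^      User property: / { print $3; exit }
  ' "$1"
}

# Constructed sample report standing in for the file that -Doutput writes.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
Name: Maven SCA Plugin
Artifact Id: maven-sca-plugin
Version: 3.50
Goal Prefix: sca

This plugin has 2 goals:

sca:translate
  Description: Translate project sources into an SCA build.

  Available parameters:

    buildId (Default: ${project.artifactId}-${project.version})
      User property: fortify.sca.buildId
      Description: Build session identifier.

    skipTests (Default: true)
      User property: fortify.sca.skipTests
      Description: Exclude test sources from translation.

sca:scan
  Description: Scan a previously translated build.

  Available parameters:

    buildId (Default: ${project.artifactId}-${project.version})
      User property: fortify.sca.buildId
      Description: Build session to scan.

    resultsFile (Default: ${project.build.directory}/fortify/${project.artifactId}.fpr)
      User property: fortify.sca.resultsFile
      Description: Where the FPR is written.

EOF

echo "goals:";            list_goals "$SAMPLE"
echo "scan parameters:";  list_params "$SAMPLE" sca:scan
echo "resultsFile is set with -D$(param_property "$SAMPLE" sca:scan resultsFile)=..."
```

On a real report, point the functions at the file written by -Doutput instead of the constructed sample; the awk patterns rely only on the indentation help:describe uses for goal headers, parameter names and their attributes, so they do not depend on the placeholder names above.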


  1. You basically told nothing about the plugin or its usage. The command given is generic and has nothing to do with this plugin specifically.

  2. I know. The idea was to show what options are available. :)

  3. Can you please describe how the plugin is used to generate the FPR report?