Wednesday, May 8, 2013

Maven Fortify Plugin - Getting Help

Developers and security analysts have trouble getting the Fortify Maven plugin up and running. Even if the basic commands for translate, and scan work, I have seen them having trouble understanding the various options available to configure how the projects gets scanned.

Adding the Fortify Maven plugin is as simple as adding the following lines to your POM file. This is again optional, and in many cases if you specify the full path, you don't even have to add the following lines to all your POM.


If you don't have the source for the Plugin and you want to find out what are the configuration options which can be specified for the plugin, use the mvn help:describe command. If you want to see the options for the maven-sca-plugin shown above, use the following command:
mvn help:describe -DgroupId=com.fortify.ps.maven.plugin -DartifactId=maven-sca-plugin -Dversion=3.50 -Ddetail=true -Doutput=mvn-help.txt



The text file would have all the detailed information available to use with the goals.


To get help information for a specifc MOJO or a Maven goal use the following command:
mvn help:describe -DgroupId=com.fortify.ps.maven.plugin -DartifactId=maven-sca-plugin -Dversion=3.50 -Ddetail=true -Dgoal=scan -Doutput=mvn-help-scan.txt

14 comments:

  1. You basically told nothing about the plugin or it's usage. The command given is generic and has nothing to do with this plugin specifically.

    ReplyDelete
  2. I know. The idea was to show what options are available. :)

    ReplyDelete
  3. Can you please describe on how the plugin is used to generate the fpr report?

    ReplyDelete
  4. Does this work with the release plugin? Need to run scan prior to the pom changing to SNAPSHOT.

    ReplyDelete
  5. I've got a large code base (more that 60 projects linked together) and I want to generate a unique FPR report for all the suite (Xmx Java Heap 1300M on 32bits host -corporate PC-).

    What would you recommended to useMAVEN on these 60 projects ?
    a) call 60 times the goal translate (with default value 'scanEnabled=true)
    b) call 60 times the goal with the option 'scanEnabled=false' and the call 1 final time the goal scan separately ?
    Thank you

    ReplyDelete
  6. Specify the fortify.sca.toplevel.artifactId=${JOB_NAME} and you should be able to translate and scan in one command and generate a consolidated FPR.

    ReplyDelete
  7. can i add parameters to exclude some source files to be scanned? thanks.

    ReplyDelete
  8. does fortify support multiple development langs in one project, suppose we have java source and c files in one project, thanks!

    ReplyDelete
  9. Hi,

    Currently i am unable to download the maven-sca-plugin of given version above. Can you provide me the alternative version to download this plugin.

    Here is the command i am using.

    mvn help:describe -DgroupId=com.fortify.ps.maven.plugin -DartifactId=maven-sca-plugin -Dversion=3.50 -Ddetail=true -Doutput=mvn-help.txt

    Thanks in Advance,
    Samba.

    ReplyDelete
  10. Hi,

    I am currently unable to download the maven-sca-plugin which was mention above. Can you please provide the alternative to download the plugin.

    I am using the below command :

    mvn help:describe -DgroupId=com.fortify.ps.maven.plugin -DartifactId=maven-sca-plugin -Dversion=2.6 -Ddetail=true -Doutput=mvn-help.txt

    Thanks and Regards,
    Samba.

    ReplyDelete
  11. When I run the command mvn sca:scan,
    I get the below :
    No plugin found for prefix 'sca' in the current project and in the plugin groups [com.fortify.ps.maven.plugin, org.jenkins-ci.plugins, org.apache.maven.plugins, org.codehaus.mojo] available from the repositories

    ReplyDelete