If you see the following error when scanning your project with the Fortify Maven plugin, there is a simple fix:
[error]: Unrecognized or invalid command line argument '-disable-sourcerendering'
Fortify Static Code Analyzer 5.16.0.0042
Copyright (c) 2003-2013 Fortify Software
For command-line help, type 'sourceanalyzer -h'
[ERROR] Error invoking sourceanalyzer. Exit code: 1.
Verify your project settings and your SCA installation.
The plugin passes an argument that this SCA build does not recognize (the help text it points you to, sourceanalyzer -h, lists the accepted spelling). Open the plugin source file com.fortify.ps.maven.plugin.sca.ScanMojo.java and replace the following code:

    if (!renderSources) {
        addArg("-disable-sourcerendering");
    }

with these lines:

    if (!renderSources) {
        addArg("-disable-source-rendering");
    }
Recompile, package, and install the patched plugin into your local repository using:

    mvn compile package install

Then rerun your scans.
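The same edit as a script, so it can be re-applied to a fresh checkout of the plugin and checked before rebuilding. This is an added example, not code from the original post or from the Fortify plugin; the path to ScanMojo.java is an assumption and should point at wherever the file lives in your checkout, and the demo writes a constructed three-line stand-in for the Mojo to a temporary file rather than touching a real source tree.

```shell
#!/bin/sh
# Added example, not part of the original post or the Fortify Maven plugin.
# Replaces the argument SCA 5.16 rejects with the spelling it accepts, in
# place, keeping a .orig backup so the edit can be reviewed or reverted.

WRONG_ARG='-disable-sourcerendering'
RIGHT_ARG='-disable-source-rendering'

# Patch one Java file. Prints how many occurrences were fixed; returns 1 if
# the file is missing. Re-running on an already patched file is a no-op,
# because RIGHT_ARG does not contain WRONG_ARG as a substring.
patch_scanmojo() {
    file="$1"
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    # '--' is needed because the pattern itself starts with a dash.
    count=$(grep -c -- "$WRONG_ARG" "$file")
    if [ "$count" -eq 0 ]; then
        echo "$file: already uses $RIGHT_ARG, nothing to do"
        return 0
    fi
    cp "$file" "$file.orig"
    sed "s/$WRONG_ARG/$RIGHT_ARG/g" "$file.orig" > "$file"
    echo "$file: fixed $count occurrence(s)"
}

# Returns 0 (true) if the file still carries the misspelled argument,
# 1 otherwise; handy as a gate before 'mvn compile package install'.
still_broken() {
    grep -q -- "$WRONG_ARG" "$1"
}

# Demo on a constructed stand-in for ScanMojo.java (not the real file):
# writes the offending snippet to a temp file, patches it, and returns the
# patched addArg line so the result can be inspected.
demo_patch() {
    tmp=$(mktemp)
    printf 'if (!renderSources) {\n    addArg("%s");\n}\n' "$WRONG_ARG" > "$tmp"
    patch_scanmojo "$tmp" > /dev/null
    grep 'addArg' "$tmp"
    rm -f "$tmp" "$tmp.orig"
}

# Assumed location of the plugin source in your checkout; adjust as needed.
# MOJO=src/main/java/com/fortify/ps/maven/plugin/sca/ScanMojo.java
# patch_scanmojo "$MOJO" && ! still_broken "$MOJO" && mvn compile package install
```

After patching, still_broken on the real file should fail (exit 1) before you run the Maven build; if it still succeeds, the file at the assumed path is not the one the plugin compiles.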
I ran into many issues reported by Fortify that are not applicable to our project merely because we are using Java 7 and later versions to run our Java software. One example of this is the "Denial of Service: Parse Double" violation reported in code. The description of this violation says that it is not applicable to Java 7. In this case we are eager to have Fortify suppress all violations not applicable to Java 7+ versions. How can we do this? I tried passing -Dfortify.sca.source.version=1.7 but that did not help. Thanks
You should be able to create a custom rule for this. Fortify has a rule editor which you can use.
Thanks so much for this tip. I was getting rather frustrated with this one. Much appreciated.