Skip to content
/ gradle-fortify-plugin Public

A Gradle plugin for building and publishing of Fortify artifacts for a static security analysis.

License

BSD-3-Clause license
3 stars 4 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

sw-samuraj/gradle-fortify-plugin

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

24 Commits
example/hello-world
example/hello-world
 
 
src
src
 
 
.gitignore
.gitignore
 
 
.travis.yml
.travis.yml
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
build.gradle
build.gradle
 
 

Repository files navigation

Gradle Fortify plugin

Build Status

A Gradle plugin for building of Fortify artifacts for static security analysis.

Applying the plugin

Gradle 2.1+

plugins {
    id "cz.swsamuraj.fortify" version "0.3.0"
}

All Gradle versions (or local repository)

buildscript {
    repositories {
        maven {
            url "https://plugins.gradle.org/m2/"
        }
    }
    dependencies {
        classpath "gradle.plugin.cz.swsamuraj:gradle-fortify-plugin:0.3.0"
    }
}

apply plugin: "cz.swsamuraj.fortify"

Using the plugin

Prerequisities

Java plugin

The plugin is meant for analysis of Java source code. Therefore expects an application of the Java plugin and by default is processing Java source sets, excluding test source code.

Moreover, it re-uses sourceCompatibility property inherited from the Java plugin.

sourceanalyzer

The plugin requires that you have a local installation of the sourceanalyzer tool and that this command is available on $PATH.

Tasks

fortify

fortify task runs the following commands:

sourceanalyzer -b <Fortify build ID> -clean
sourceanalyzer -b <Fortify build ID> -source <source compatibility> -cp <project compile classpath> src/**/*.java -exclude src/test/**/*.java
sourceanalyzer -b <Fortify build ID> -build-label <project version> -export-build-session build/fortify/<Fortify build ID>@<project version>.mbs
sourceanalyzer -b <Fortify build ID> -scan -f build/fortify/<project-name>-<project-version>.fpr

Result of this task will be a <project-name>-<project-version>.fpr file, located in the build/fortify directory. The <project-name>-<project-version>.fpr file can be then uploaded to Fortify Security Center via scp, or Jenkins.

If you want to see exact sourceanalyzer commands, you can run Gradle with -i, or --info switch:

$ gradle clean fortify --info

Config options

fortifyBuildID

There must be a fortify part in the build.gradle file which defines a mandatory parameter fortifyBuildID.

fortify {
    fortifyBuildID = 'my-fort-proj'
}

sourceCompatibility

The sourceCompatibility property is inherited from the Java plugin. It can be explicitly set via standard Java plugin configuration:

plugins {
    id 'java'
}

sourceCompatibility = 1.8

Example

Usage of the plugin and example project can be found in the example directory.

License

The gradle-fortify-plugin is published under BSD 3-Clause license.

About

A Gradle plugin for building and publishing of Fortify artifacts for a static security analysis.

Resources

Readme

License

BSD-3-Clause license
Activity

Stars

3 stars

Watchers

3 watching

Forks

4 forks
Report repository

Releases

5 tags

Packages

No packages published

Languages