Exclude a specific file or file type from fortify scan - fortify

How can I exclude a specific file or file type (like config or xml) from a Fortify scan?
Your response is appreciated.
Regards
Abdul

You can use the "**" wildcard to recurse into subdirectories. So use:
-exclude "**\*.xml"
in your translation phase, for example:
sourceanalyzer -b BUILDID ./ -exclude "**\*.xml"

Related

CPPCheck: Ignore dirs and all sub dirs from analyses?

I have read the manual at https://cppcheck.sourceforge.io/manual.pdf and found that I can use -i to ignore a directory. However, in my testing it doesn't seem to ignore the whole subdirectory. For example, I have a library with a very long directory path (simplified here), but I want to ignore everything under the top level:
Root
> Lib
>> Lib dir 1
>>> file.c
>> Lib dir 2
>>> file.c
The wording
To ignore certain folders you can use -i. This will skip analysis of source files in
the foo folder.
cppcheck --project=compile_commands.json -ifoo
suggests that it will skip any files in the specified dir, not any subdirs.
Is there a way to skip the dir and all subdirs?
The way I had to achieve this was to generate a compile_commands.json from cmake and then write a python script to exclude anything that matched the filter I wanted, e.g. /libA/ will exclude anything under libA.
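One way to write the filtering script that answer describes, as an added example (it is not the answerer's own script): it reads a CMake-generated compile_commands.json, drops every entry whose source file resolves to a path under one of the excluded directories, and writes the rest for cppcheck --project. The function names (filter_compile_commands, _source_path, _is_under) and the command-line usage are this example's own; it assumes POSIX paths, as CMake writes on Linux and macOS, and that excluded directories are given relative to the project root. It matches whole path components rather than a plain substring, so excluding "Lib" does not also silently drop "Library".

```python
"""Drop compile_commands.json entries whose source lives under excluded directories.

Added example for the cppcheck answer above (not the answerer's script).
Assumes POSIX paths and exclude directories given relative to the project root.
"""
import json
import posixpath
import sys


def _is_under(path, root):
    """True when `path` is `root` itself or anywhere below it.

    Matches on whole path components, so root "/proj/Lib" covers
    "/proj/Lib/dir1/file.c" but not "/proj/Library/z.c".
    """
    path = posixpath.normpath(path)
    root = posixpath.normpath(root)
    return path == root or path.startswith(root + "/")


def _source_path(entry):
    """Resolve the entry's 'file' against its 'directory' when it is relative."""
    src = entry["file"]
    if not posixpath.isabs(src):
        src = posixpath.join(entry["directory"], src)
    return posixpath.normpath(src)


def filter_compile_commands(entries, excludes, project_root):
    """Return the entries whose source file is NOT under any excluded directory.

    `excludes` may be absolute or relative to `project_root`.
    """
    roots = [e if posixpath.isabs(e) else posixpath.join(project_root, e)
             for e in excludes]
    return [entry for entry in entries
            if not any(_is_under(_source_path(entry), r) for r in roots)]


def main(argv):
    if len(argv) < 5:
        sys.stderr.write(
            "usage: filter_cc.py IN.json OUT.json PROJECT_ROOT DIR [DIR...]\n")
        return 2
    src, dst, project_root, *excludes = argv[1:]
    with open(src) as fh:
        entries = json.load(fh)
    kept = filter_compile_commands(entries, excludes, project_root)
    with open(dst, "w") as fh:
        json.dump(kept, fh, indent=2)
    sys.stderr.write("kept %d of %d entries\n" % (len(kept), len(entries)))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

With the directory tree from the question, `python3 filter_cc.py build/compile_commands.json filtered.json /path/to/Root Lib` followed by `cppcheck --project=filtered.json` analyses everything except the two library subdirectories; nothing under Lib ever reaches cppcheck, so it makes no difference whether -i recurses.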

Can I prevent clang-format from formatting some (generated) files?

Some of the C source files in my project are generated. They obviously are not formatted to the standard in the .clang-format file.
If I just run clang-format or git clang-format, that generated source is re-formatted, causing unnecessary clutter in the commits.
Is there a way to specify that some files should be ignored by clang-format?
In the default implementation of git clang-format there is no flag or similar to ignore autogenerated files,
but it can be achieved by implementing a wrapper script (I will show how to do that in bash) that removes the files you don't want to format and then calls git clang-format.
For example:
1. First of all, let's say your generated files include a pattern, for example auto_gen or generated.
2. Define a regex for the auto-generated patterns; in our example
it can be: pattern_to_exclude_from_clang='.*auto_gen|.*generated'
3. Define allfiles = git diff --name-only; this will give you all
the files that your commit changes.
4. Filter the generated files out of allfiles (exclude generated files).
5. Run git clang-format --diff -- "${wantedfiles[@]}"
So the final script can be:
#!/bin/bash
# Regex of file names that must never be formatted (generated sources).
pattern_to_exclude_from_clang='.*auto_gen|.*generated'
# All files touched by the pending change.
allfiles=$(git diff --name-only)
files_array=($allfiles)
for i in "${!files_array[@]}"
do
  if [[ "${files_array[$i]}" =~ $pattern_to_exclude_from_clang ]]; then
    printf "%s %s\n" "${files_array[$i]}" "this file will be skipped by clang"
    unset "files_array[$i]"
  fi
done
# With no paths left, git clang-format would format the whole diff, so stop here.
[ "${#files_array[@]}" -eq 0 ] && exit 0
git clang-format --diff -- "${files_array[@]}"

using “findFiles” in a Jenkinsfile with pattern matching more then one file by suffix , using glob ( ant glob)

I am trying to capture 2 file types using an Ant glob and "findFiles" in a Jenkinsfile.
In my dir I have:
xxx.ipa
foo.plist
When I do:
files = findFiles(glob: '**/*.[ipa|plist]')
or
files = findFiles(glob: '**/*.ipa|*.plist')
I get none, but when I do:
files = findFiles(glob: '**/*.ipa')
I do get the xxx.ipa file.
I'm using Jenkins findFiles, which uses Ant globs to capture files by pattern:
https://www.jenkins.io/doc/pipeline/steps/pipeline-utility-steps/#findfiles-find-files-in-the-workspace
The problem is that glob is not a regex but an Ant-style pattern.
So you either have to capture the files separately, or you could use a shell script with grep or find instead, e.g.:
def files = sh(returnStdout: true, script: 'find . -name "*.ipa" -o -name "*.plist"')

What can be the possible cause of this error in xcode PBXcp Main.storyboardc is longer than filepath buffer size (1025)?

My app target builds and runs successfully on a device, but I am facing this error while running the unit test target for my app. It occurs specifically during the copying phase.
PBXCp
/Users/MyUser/Library/Developer/Xcode/DerivedData/MyApp-fxuhlekykqtnhocptuufcbrgmspb/Build/Products/Debug-iphonesimulator/MyApp.app
/Users/MyUser/Library/Developer/Xcode/DerivedData/MyApp-fxuhlekykqtnhocptuufcbrgmspb/Build/Products/Debug-iphonesimulator/MyApp.app/PlugIns/MyAppTests.xctest/Frameworks/MyApp.app
cd /Users/MyUser/Documents/MyApp-iOSApp
export PATH="/Users/MyUser/Downloads/Xcode-beta.app/Contents/Developer/Platforms/iPhoneSimulator.platform/Developer/usr/bin:/Users/MyUser/Downloads/Xcode-beta.app/Contents/Developer/usr/bin:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin"
builtin-copy -exclude .DS_Store -exclude CVS -exclude .svn -exclude .git -exclude .hg -exclude Headers -exclude PrivateHeaders -exclude Modules -resolve-src-symlinks /Users/MyUser/Library/Developer/Xcode/DerivedData/MyApp-fxuhlekykqtnhocptuufcbrgmspb/Build/Products/Debug-iphonesimulator/MyApp.app
/Users/MyUser/Library/Developer/Xcode/DerivedData/MyApp-fxuhlekykqtnhocptuufcbrgmspb/Build/Products/Debug-iphonesimulator/MyApp.app/PlugIns/MyAppTests.xctest/Frameworks
error:
'/Users/Library/Developer/Xcode/DerivedData/MyApp-fxuhlekykqtnhocptuufcbrgmspb/Build/Products/Debug-iphonesimulator/MyApp.app/PlugIns/MyAppTests.xctest/Frameworks/MyApp.app/PlugIns/MyAppTests.xctest/Frameworks/MyApp.app/PlugIns/MyAppTests.xctest/Frameworks/MyApp.app/PlugIns/MyAppTests.xctest/Frameworks/MyApp.app/PlugIns/MyAppTests.xctest/Frameworks/MyApp.app/PlugIns/MyAppTests.xctest/Frameworks/MyApp.app/PlugIns/MyAppTests.xctest/Frameworks/MyApp.app/PlugIns/MyAppTests.xctest/Frameworks/MyApp.app/PlugIns/MyAppTests.xctest/Frameworks/MyApp.app/PlugIns/MyAppTests.xctest/Frameworks/MyApp.app/PlugIns/MyAppTests.xctest/Frameworks/MyApp.app/PlugIns/MyAppTests.xctest/Frameworks/MyApp.app/PlugIns/MyAppTests.xctest/Frameworks/MyApp.app/PlugIns/MyAppTests.xctest/Frameworks/MyApp.app/PlugIns/MyAppTests.xctest/Frameworks/MyApp.app/PlugIns/MyAppTests.xctest/Frameworks/MyApp.app/PlugIns/MyAppTests.xctest/Frameworks/MyApp.app/PlugIns/MyAppTests.xctest/Frameworks/MyApp.app/Base.lproj/Main.storyboardc/34u-hk-bLl-view-84B-ld-hA4.nib'
is longer than filepath buffer size (1025).
Roman's answer is what did it for me. I had a circular dependency where appname.app was in my copy resources. I don't fully understand why removing that fixed the issue, but I figured I'd post here.
I think that your storyboard is too large; try breaking your storyboard file into multiple storyboards using storyboard references.
Watch this tutorial on storyboard references:
https://www.youtube.com/watch?v=0xxbflasmOc
Hope this is the right answer and helps you.

Fortify, how to start analysis through command

How can we generate a Fortify report using the command line on Linux?
In the command, how can we include only some folders or files for analysis, and how can we give the location to store the report, etc.?
Please help.
Thanks,
Karthik
1. Step#1 (clean cache)
You need to plan the scan structure before starting:
scanid = 9999 (can be anything you like)
ProjectRoot = /local/proj/9999/
WorkingDirectory = /local/proj/9999/working
(this dir is huge; you need to "rm -rf ./working && mkdir ./working" before every scan, or byte code piles up underneath this dir and consumes your hard disk fast)
log = /local/proj/9999/working/sca.log
source='/local/proj/9999/source/src/**.*'
classpath='/local/proj/9999/source/WEB-INF/lib/*.jar; /local/proj/9999/source/jars/**.*; /local/proj/9999/source/classes/**.*'
./sourceanalyzer -b 9999 -Dcom.fortify.sca.ProjectRoot=/local/proj/9999/ -Dcom.fortify.WorkingDirectory=/local/proj/9999/working -logfile /local/proj/9999/working/sca.log -clean
It is important to specify ProjectRoot; if you do not override this system default, it will put everything under /home/user/.fortify.
The sca.log location is very important: if Fortify does not find this file, it cannot find the byte code to scan.
You can alter the ProjectRoot and WorkingDirectory once and for all if you are the only user (FORTIFY_HOME/Core/config/fortify_sca.properties).
In that case, your command line would be ./sourceanalyzer -b 9999 -clean
2. Step#2 (translate source code to byte code)
nohup ./sourceanalyzer -b 9999 -verbose -64 -Xmx8000M -Xss24M -XX:MaxPermSize=128M -XX:+CMSClassUnloadingEnabled -XX:+UseConcMarkSweepGC -Dcom.fortify.sca.ProjectRoot=/local/proj/9999/ -Dcom.fortify.WorkingDirectory=/local/proj/9999/working -logfile /local/proj/9999/working/sca.log -source 1.5 -classpath '/local/proj/9999/source/WEB-INF/lib/*.jar:/local/proj/9999/source/jars/**/*.jar:/local/proj/9999/source/classes/**/*.class' -extdirs '/local/proj/9999/source/wars/*.war' '/local/proj/9999/source/src/**/*' &
Always run it as a Unix background job (&); in case your session to the server times out, it will keep working.
-classpath: put all your known classpath entries here for Fortify to resolve the function calls. If a function is not found, Fortify will skip the source code translation, so this part will not be scanned later. You will get poor scan quality but the FPR looks good (few issues reported). It is important to have all dependency jars in place.
-extdirs: put all directories/files you don't want to be scanned here.
The last section, the files between ' ', are your source.
-64 is to use 64-bit Java; if not specified, 32-bit will be used and the max heap should be <1.3 GB (-Xmx1200M is safe).
-XX: options have the same meaning as when launching an application server; only use these to control the class heap and garbage collection. This is to tweak performance.
-source is the Java version (1.5 to 1.8)
3. Step#3 (scan with rulepack, custom rules, filters, etc.)
nohup ./sourceanalyzer -b 9999 -64 -Xmx8000M -Dcom.fortify.sca.ProjectRoot=/local/proj/9999 -Dcom.fortify.WorkingDirectory=/local/proj/9999/working -logfile /local/proj/9999/working/sca.log -scan -filter '/local/other/filter.txt' -rules '/local/other/custom/*.xml' -f '/local/proj/9999.fpr' &
-filter: the file name must be filter.txt; any rule GUID in this file will not be reported.
-rules: this is the custom rule you wrote. The HP rulepack is in the FORTIFY_HOME/Core/config/rules directory.
-scan: keyword to tell the Fortify engine to scan the existing scan id. You can skip Step#2 and only do Step#3 if you did not change code and just want to play with different filters/custom rules.
4. Step#4 Generate PDF from the FPR file (if required)
./ReportGenerator -format pdf -f '/local/proj/9999.pdf' -source '/local/proj/9999.fpr'
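The four steps above, together with the -exclude pattern from the first answer on this page, as one script. This is an added example, not the answerer's own commands: it assembles the clean, translate, scan and report command lines from a single build id so that ProjectRoot, WorkingDirectory and the -logfile path agree on every invocation (the answer's warning that SCA cannot find the byte code when they differ), recreates the working directory before the clean step, and runs the steps in order, stopping at the first failure. Only flags that appear on this page are used (-b, -clean, -scan, -f, -logfile, -classpath, -source, -64, -Xmx, -filter, -rules, -exclude and the two -D properties). The names ScanLayout, run_pipeline, the SCA / REPORTGEN environment overrides, the /local/proj/<id>/{source,working} layout and the choice to write the .fpr under the project root are this example's own assumptions; dry_run=True returns the command lines without executing anything, which is also what the test below exercises.

```python
"""Run the four-step Fortify SCA procedure: clean, translate, scan, report.

Added example, not the answer's own commands. Assumes sourceanalyzer and
ReportGenerator are on PATH (override with SCA / REPORTGEN) and the
/local/proj/<build-id>/{source,working} layout from the answer.
"""
import os
import shutil
import subprocess

SCA = os.environ.get("SCA", "sourceanalyzer")
REPORTGEN = os.environ.get("REPORTGEN", "ReportGenerator")


class ScanLayout:
    """Paths derived from one build id, so every step agrees on them."""

    def __init__(self, build_id, project_root):
        self.build_id = str(build_id)
        self.project_root = project_root.rstrip("/")
        self.working = self.project_root + "/working"
        self.logfile = self.working + "/sca.log"
        self.source_spec = self.project_root + "/source/src/**/*"
        self.fpr = "%s/%s.fpr" % (self.project_root, self.build_id)  # assumed location

    def common(self):
        # Same ProjectRoot, WorkingDirectory and log file on every call: SCA
        # locates the translated byte code through them, so a translate step
        # and a -scan step that disagree produce an empty scan.
        return [SCA, "-b", self.build_id,
                "-Dcom.fortify.sca.ProjectRoot=" + self.project_root,
                "-Dcom.fortify.WorkingDirectory=" + self.working,
                "-logfile", self.logfile]


def clean_cmd(layout):
    return layout.common() + ["-clean"]


def translate_cmd(layout, classpath, excludes=(), heap="-Xmx8000M", java_source="1.8"):
    cmd = layout.common() + ["-64", heap, "-source", java_source,
                             "-classpath", ":".join(classpath)]
    for pattern in excludes:          # e.g. "**/*.xml" skips every XML file
        cmd += ["-exclude", pattern]
    cmd.append(layout.source_spec)    # the source file spec goes last
    return cmd


def scan_cmd(layout, filter_file=None, custom_rules=None, heap="-Xmx8000M"):
    cmd = layout.common() + ["-64", heap, "-scan"]
    if filter_file:
        cmd += ["-filter", filter_file]
    if custom_rules:
        cmd += ["-rules", custom_rules]
    return cmd + ["-f", layout.fpr]


def report_cmd(layout, pdf=None):
    pdf = pdf or layout.fpr[:-len(".fpr")] + ".pdf"
    return [REPORTGEN, "-format", "pdf", "-f", pdf, "-source", layout.fpr]


def run_pipeline(layout, classpath, excludes=(), filter_file=None,
                 custom_rules=None, dry_run=False):
    """Execute the four steps in order; with dry_run just return the argv lists."""
    steps = [clean_cmd(layout),
             translate_cmd(layout, classpath, excludes),
             scan_cmd(layout, filter_file, custom_rules),
             report_cmd(layout)]
    if not dry_run:
        # Recreate the working directory first so byte code from earlier
        # builds does not pile up (the "rm -rf ./working && mkdir ./working"
        # step); -logfile lives inside it, hence the mkdir before -clean.
        shutil.rmtree(layout.working, ignore_errors=True)
        os.makedirs(layout.working)
        for cmd in steps:
            subprocess.run(cmd, check=True)   # stop at the first failing step
    return steps


if __name__ == "__main__":
    layout = ScanLayout(9999, "/local/proj/9999/")
    for cmd in run_pipeline(layout,
                            ["/local/proj/9999/source/WEB-INF/lib/*.jar"],
                            excludes=["**/*.xml"], dry_run=True):
        print(" ".join(cmd))
```

Run it with dry_run=False once the paths match your checkout; the translate step is where a file or file type is kept out of the scan, and because subprocess.run is given an argument list rather than a shell string, the ** patterns reach sourceanalyzer unexpanded.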
