Automating Fortify Audit Workbench - fortify

Does Fortify Audit Workbench have any command-line options that would allow me to put it in a cron job and run it daily?
The scan takes over two hours, I would like it to run overnight and see the results in the morning.
Jason

Audit Workbench is the GUI front end for the underlying SCA engine (sourceanalyzer).
If you know how to scan your code through the command line, you can create a Windows batch file or bash script to execute it.
The hardest part will be to come up with the translation command. That is going to be language- and project-specific.
Your script should have a minimum of 3 steps:
Clean
Translate
Scan
There is a fourth optional step to upload the scan results to your SSC instance. This step uses the fortifyclient command.
References:
sourceanalyzer -h
HPE Security Fortify Static Code Analyzer User Guide, provides an overview of the scan process and examples depending on language and/or build tool.
HPE Security Fortify Software Security Center Installation and Configuration Guide chapter 10 talks about using the fortifyclient tool to communicate with SSC.
Without any further information, we cannot help you with the actual commands.
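A cron-friendly bash version of the clean/translate/scan/upload sequence described in the answer above, added here as an example and not code from the original post. It assumes sourceanalyzer and fortifyclient are on PATH, a placeholder `make clean all` as the project's full-rebuild command, placeholder SSC URL/application values, and the `uploadFPR -file/-project/-version/-url/-authtoken` flag names of that era's fortifyclient (check `fortifyclient -h` on your install).

```shell
#!/usr/bin/env bash
# Nightly Fortify SCA pipeline: clean -> translate -> scan -> (optional) upload to SSC.
# Added example, not code from the original post. Assumes sourceanalyzer and
# fortifyclient are on PATH and that the build is a plain `make` (placeholder).
# Set DRY_RUN=1 to print the commands instead of executing them.
set -eu

BUILD_ID="${BUILD_ID:-nightly}"            # Fortify build id (-b): any label you choose
BUILD_CMD="${BUILD_CMD:-make clean all}"   # project-specific full rebuild (placeholder)
FPR="${FPR:-results-$(date +%Y%m%d).fpr}"  # dated result file to open in Audit Workbench
SSC_URL="${SSC_URL:-}"                     # e.g. https://ssc.example.invalid/ssc (placeholder)
SSC_TOKEN="${SSC_TOKEN:-}"                 # SSC upload token: supply via env, not in the script
SSC_PROJECT="${SSC_PROJECT:-MyApp}"        # placeholder application name in SSC
SSC_VERSION="${SSC_VERSION:-main}"         # placeholder application version in SSC
DRY_RUN="${DRY_RUN:-0}"

# Execute a command, or only print it when DRY_RUN=1 (lets you test the cron entry).
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# The three mandatory steps from the answer above.
fortify_scan() {
  run sourceanalyzer -b "$BUILD_ID" -clean            # drop stale translation units
  run sourceanalyzer -b "$BUILD_ID" $BUILD_CMD        # translate: wraps the real build (unquoted on purpose)
  run sourceanalyzer -b "$BUILD_ID" -scan -f "$FPR"   # analyse and write the .fpr
}

# Optional fourth step: push the FPR to Software Security Center with fortifyclient.
fortify_upload() {
  if [ -z "$SSC_URL" ] || [ -z "$SSC_TOKEN" ]; then
    echo "SSC_URL/SSC_TOKEN not set, skipping upload" >&2
    return 0
  fi
  run fortifyclient uploadFPR -file "$FPR" -project "$SSC_PROJECT" \
      -version "$SSC_VERSION" -url "$SSC_URL" -authtoken "$SSC_TOKEN"
}

# Cron entry (placeholder path): 0 2 * * * /opt/fortify/nightly.sh all >> /var/log/fortify.log 2>&1
# Without an argument the script only defines the functions, so it can be sourced.
case "${1:-}" in
  scan) cd "${PROJECT_DIR:-.}" && fortify_scan ;;
  all)  cd "${PROJECT_DIR:-.}" && fortify_scan && fortify_upload ;;
  '')   ;;
  *)    echo "usage: $0 scan|all" >&2 ;;
esac
```

Keep the SSC token in the cron user's environment or a root-only file rather than in the script, and check the log in the morning for a non-zero exit from any of the three steps.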

sourceanalyzer is the command-line tool.
I run this (as a Windows batch file) as
sourceanalyzer -b 1234 devenv "VsSolution.sln" /REBUILD release

The other answers are correct, but there's an easier way. There's a Scan Wizard that creates a batch script for you. You point it at your project, answer some questions, and it creates a script. Check a box and it'll also upload to SSC.
Scan Wizard is located in /bin. It may also be in your Start menu, next to Audit Workbench.
Note: Sometimes I have to modify the script. But if you're able to scan using the Fortify button in Visual Studio, then the default script usually works.

Related

How does Fortify Touchless MSBuild work?

I have been trying to set up Fortify Touchless MSBuild so I do not have to have Visual Studio installed on my build agent. How does this integration happen? The documentation does not provide any implementation details on this.
I am using Version 17.20.
You need the compiler to compile it. Fortify will only participate during the process of building, not build it itself.
I think you misunderstood touchless, whose purpose is to make sourceanalyzer work with compilers that are not supported by Fortify (like CMake).
The sourceanalyzer touchless build will run the original build script (like build.py) and watch the process to create its own translate files. Of course, it will need the build to work, which means it needs the compiler.
If you really don't want to have Visual Studio on the machine, you can scan on your VS-having machine, generate translate files, and send them to the analyzer, which doesn't need to build it.
BTW, Fortify supports MSBuild so I just recommend to install VS :)

Sonar Runner OS X

I'm currently looking at how to start using SonarQube as part of a Jenkins build process for building mobile apps.
Because we are building mobile apps our Jenkins runs on OS X so we can support iOS.
We have a Sonar server running on a Windows box elsewhere on the network so all we need to do from the OS X box is send the files that relate to the analysis.
What is the best way of doing that? Using the Sonar Runner jar? If so where is the best place to source that from?
EDIT
I should have added that we are using Jenkins Workflow in our build scripts, this means it isn't easy for us to use plugins that don't support the simple build step, as I believe Sonar doesn't.
This is why we really need information on how to do Sonar analysis from the command line.
EDIT
I appreciate that Sonar uses Java but I am definitely seeing different behaviour on OS X as opposed to Windows.
On Windows the Sonar Runner script works, whereas on OS X it times out. I'm able to verify it isn't a network issue since I can get to the Sonar server through the browser.
Regarding the OS, it's all Java code, so OS is a non-issue.
Regarding using Jenkins, take a look at SonarQube Scanner for Jenkins. It will let you configure your server information and add analysis as a Build Step to a job.
Short of that, you can run an analysis from the command line by installing SonarQube Scanner, cd-ing to your project root and invoking sonar-runner.

Continuous Integration Clarification

I work in a team which maintains a Java website and back end java jobs and shell script jobs.
After all developers complete their updates, only the relevant ones are committed to source control system.
Later ant build scripts are run and war files are generated.
Along with these war files there will generally be shell scripts etc. to be copied to QA/PROD.
Then one fine day there is a team called the release management team which will transfer the code from our Dev environment to QA/PROD.
Recently I came across Continuous Integration systems like Jenkins/Hudson.
Can these tools build all the changes committed and automatically transfer my code to QA/PROD?
BTW I work in an AIX Server environment and use Tomcat as the Container.
I am more curious whether the tool will be able to copy my code to QA/PROD.
Please Clarify.
The answer is almost certainly yes, depending on your particular setup for copying the code. There is a large number of plugins for this purpose on the appropriate Jenkins wiki page. You should be able to find something there for your needs.

Run the HTML5 Ant Build Script on a server

The HTML5 Ant Build Script seems to be primarily a front end tool - https://github.com/h5bp/ant-build-script
But does anyone know if it's possible to run the build script on a server? Reason for this is that there are three of us on our team and it makes more sense for the script to be run automatically when someone has pushed to the server via git rather than all three of us running the script locally.
I may be a million miles off with this but is someone able to offer a good solution for us not having to run the script individually?

Continuous Integration System for Delphi

Are there any CI-Systems for Delphi like Hudson for Java?
Does Hudson have any Delphi integrations?
We use Hudson :), which works just fine with Delphi.
Here's a complete setup for one of my projects:
<?xml version='1.0' encoding='UTF-8'?>
<project>
  <actions/>
  <description></description>
  <keepDependencies>false</keepDependencies>
  <properties/>
  <scm class="hudson.scm.CVSSCM">
    <cvsroot>:sspi:cvsonly:foo#bar:/baz</cvsroot>
    <module>SIP</module>
    <canUseUpdate>false</canUseUpdate>
    <flatten>true</flatten>
    <isTag>false</isTag>
    <excludedRegions></excludedRegions>
  </scm>
  <canRoam>true</canRoam>
  <disabled>false</disabled>
  <triggers class="vector"/>
  <builders>
    <hudson.tasks.BatchFile>
      <command>"C:\Program Files\Nant\bin\nant" -buildfile:etc\sip.build build-d7 test</command>
    </hudson.tasks.BatchFile>
  </builders>
  <publishers>
    <hudson.tasks.BuildTrigger>
      <childProjects>quux, foozle, wibble</childProjects>
      <threshold>
        <name>SUCCESS</name>
        <ordinal>0</ordinal>
        <color>BLUE</color>
      </threshold>
    </hudson.tasks.BuildTrigger>
  </publishers>
  <buildWrappers/>
</project>
sip.build's delphi-7 target builds the project's test suite (DUnit's TextTestRunner) and so the output of the job is simply the count of failed/error tests thanks to:
program SipTests;  // program name assumed; the test-runner .dpr of the project
{$APPTYPE CONSOLE}
uses
  TestFramework, TextTestRunner;  // DUnit units providing TTestResult and RunRegisteredTests
var
  R: TTestResult;
begin
  R := TextTestRunner.RunRegisteredTests;
  ExitCode := R.ErrorCount + R.FailureCount;  // non-zero exit code marks the Hudson job as failed
  R.Free;
end.
FinalBuilder Server, now replaced with Continua CI.
We use CruiseControl.NET, which works perfectly with Delphi.
It seems Embarcadero itself uses Hudson. See the comment from Nick Hodges, Development Manager at Embarcadero. http://blogs.embarcadero.com/nickhodges/2010/03/10/39369#comment-29952
Hudson is great; it is also available as an MSI setup. Users of older Delphi versions (pre-MSBuild) can create build scripts with the popular Apache Ant and NAnt build script environments. Simple command-line (batch script) builds are possible too of course.
One of the highlights of this installer is that it comes with a JRE, to be fully self-contained. This is because Windows users don't normally know what to do with the *.war file, and they generally don't like going to the command prompt and running Java command manually.
So it is easy to try without going through too many installers and command lines first.
And after installation, make sure to visit the plug-in page in the administration app; there are many extensions available which are also useful for Delphi developers. A plugin overview is online here.
Hudson tools for Delphi: there is also a Code Coverage tool for Delphi with Hudson support here.
TeamCity is another very nice CI system. It is a commercial product, but offers a free license for up to 20 users and 20 build configurations on 3 build agents.
Bamboo is a CI system for any language. It is available from Atlassian. Its price starts at $10 - this includes all features and unlimited users, but limited to 10 plans, running builds only on the server where it is installed. It can use Amazon Elastic Compute Cloud instances as remote agents.
Automated Build Studio from SmartBear. With Automated Build Studio Server, it introduced CI some time before FinalBuilder.
We use jenkins.
Jenkins has a RAD Studio plugin to integrate the compilation of Delphi projects into jobs. It's not mandatory to use it (plugin), we use command-line tools and MSBuild to compile the projects.
The project DUnItX (to create unit testing) integrates seamlessly with Jenkins.
Here you can find some articles about the integration of Jenkins and Delphi: introduction, installation, ... They are in Spanish, but you can translate them without problems, and with the included images and code they are quite simple.
1- Integración continua con Delphi (GIT) (INTRODUCTION)
2- Integración continua con Delphi (Jenkins) – Instalación (INSTALLATION)
3- Integración continua con Delphi (Jenkins) – Primer proyecto (FIRST PROJECT)
4- Integración continua con Delphi (Jenkins) – Pipelines (USE OF PIPELINES)
Add our Parabuild to the list of tools to check out - it builds practically anything that can be built from the command line - that includes Delphi, and it provides integration with Perforce and other version control systems such as Git and Bazaar.
Hudson is simple to use, with some web-based assistants, as Delphi projects are built with MSBuild.
If you need more customization and 3rd party tools integration (integrate metrics tools for example) then CruiseControl.NET is the ideal solution.
Have a look at my CC.NET Dashboard page for DelphiCodeToDoc (and you can have a look at the configuration file also). I'm doing checkout + compilation of GUI and command-line version and unit test + unit test execution and report + FTP upload build delivery.
Just to throw my support for CruiseControl.NET: as Delphi 2007 and above are based around MSBuild, there should be no problem with builds via CC.NET. There is a patch somewhere for DUnit so that it outputs the results to an XML file, and this can then be integrated into the build results charts.
errrm, can you define what you are actually looking for?
You use the phrase continuous integration, but do you just mean continuous build to make sure it compiles and links, or do you actually mean continuous integration in the sense that you also run regression tests?
I would be curious as to how you do that (AutoIt?).
Not that it really matters too much, because the wonderful Hudson (which is decidedly not just for java) has numerous plug-ins, but will also allow you to execute a DOS batch script - any script that you care to write, to build, to test, to report results, etc.
Another option (although not free, $10 for limited # of users) is Atlassian Bamboo. And JetBrains TeamCity is another that is free (with limited # of users). I've tried both with Delphi 2009/2010, and they work quite well. Both allowed integration with Perforce among other SCM's.
We use Jenkins CI system with Owly CI tool as the build system and dependency handler.
Take a look at this tutorial.
Initial setup takes less than 5 minutes.