@ran488
Created April 25, 2014 13:59
Running Fortify from a Gradle build. These are the snippets you can add to your build.gradle to run the Fortify Source Code Analyzer (SCA) and produce a Fortify *.fpr results file. Fortify is not F/OSS, so you (your company) will need a license, and the dependencies will not be in public repositories: you will have to publish the Fortify jars to your company's private repository (e.g. Artifactory) and resolve them from there.
// Add a new configuration that carries the Fortify SCA jars (plus the compile classpath)
configurations {
    fortify { extendsFrom compile }
}

// pull in the Fortify libs for the new configuration (from your private repo, not a public one)
dependencies {
    fortify 'com.fortify:sourceanalyzer:3.90'
}

// the 2 new tasks
task fortifySetup(dependsOn: clean) {
    doLast {
        // only affects Ant <javac> calls; Gradle's own compileJava does not read this property
        ant.properties['build.compiler'] = 'com.fortify.dev.ant.SCACompiler'
        // register the <sca> Ant task from the fortify configuration's classpath
        ant.typedef(name: 'sca', classname: 'com.fortify.dev.ant.SourceanalyzerTask',
                    classpath: configurations.fortify.asPath)
    }
}

// fortifyReport uses the <sca> typedef, so it must depend on fortifySetup as well as compileJava
task fortifyReport(dependsOn: [fortifySetup, compileJava]) {
    doLast {
        // make sure the output directory exists before SCA writes the log and the FPR
        file("$buildDir/reports/fortify").mkdirs()
        ant.sca(jdk: '1.7',
                debug: true,
                verbose: true,
                failonerror: true,
                scan: true,
                logFile: file("$buildDir/reports/fortify/Fortify.log"),
                resultsFile: file("$buildDir/reports/fortify/<<name of your FPR file here>>.fpr")) {
            fileset(dir: 'src/main') {
                include(name: '**/*.java')
            }
        }
    }
}

// fortifySetup pulls in clean; pin the order so clean never runs after compileJava and deletes its output
compileJava.mustRunAfter fortifySetup
@bjm243

bjm243 commented Sep 1, 2015

Thanks for this!

I have an Android project. I should preface this by saying that I am completely new to Gradle. The project I am trying to scan with Fortify applies the following plugins:
apply plugin: 'com.android.application'
apply plugin: 'io.fabric'

My understanding is that the compileJava dependency would require me to add:
apply plugin: 'java'

According to a couple of Stack Overflow posts, you cannot apply both 'com.android.application' and 'java'. Ref: http://stackoverflow.com/questions/26861011/android-compile-error-java-plugin-has-been-applied-not-compatible-with-android#comment42297733_26861186

My question is: how do I trigger the fortifyReport task? I assume I need it to dependsOn something; however, it seems that compileJava is not an option (per the remark above).

@bennybauer

Since the 'sca' definition is in a separate task, it won't be defined when called in fortifyReport. You should either merge both tasks or add a dependency from fortifyReport on fortifySetup. You can take the fix from here: https://gist.github.com/bennybauer/cce6dec12f9c55ec27d4/revisions?diff=split
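
The first of the two options above (merging both tasks into one), written out as an added example; this is not the gist's code and not the linked revision. The task name fortifyScan and the FPR file name are assumptions, and the Fortify artifact still has to come from your private repository.

```groovy
// Added example, not from the original gist: one task that registers the <sca> typedef
// and runs the scan, so the typedef can never be missing when ant.sca is called.
configurations {
    fortify { extendsFrom compile }
}

dependencies {
    // resolved from your private repo; Fortify is not published publicly
    fortify 'com.fortify:sourceanalyzer:3.90'
}

// task name is an assumption; clean is listed directly since there is no separate setup task
task fortifyScan(dependsOn: [clean, compileJava]) {
    description = 'Translate and scan src/main with Fortify SCA, writing an FPR under build/reports/fortify'
    doLast {
        def reportDir = file("$buildDir/reports/fortify")
        reportDir.mkdirs()

        // typedef and use live in the same doLast block, so ordering between tasks no longer matters
        ant.typedef(name: 'sca', classname: 'com.fortify.dev.ant.SourceanalyzerTask',
                    classpath: configurations.fortify.asPath)

        ant.sca(jdk: '1.7',
                debug: true,
                verbose: true,
                failonerror: true,                       // fail the build if SCA itself errors
                scan: true,                              // translate and scan in one pass
                logFile: new File(reportDir, 'Fortify.log'),
                resultsFile: new File(reportDir, 'scan.fpr')) {   // output name is an assumption
            fileset(dir: 'src/main') {
                include(name: '**/*.java')
            }
        }
    }
}

// clean and compileJava are both dependencies; Gradle does not order them for you,
// so pin it, otherwise clean may run after compileJava and delete the fresh classes
compileJava.mustRunAfter clean
```

Run it with `gradle fortifyScan`; the FPR lands in build/reports/fortify and can be opened in Audit Workbench or uploaded to SSC as usual.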

@ibbishariff

Thanks a lot!

Can you let me know where I can get the dependency jar 'com.fortify:sourceanalyzer:3.90'? I was unable to find it in my company's repo.
