Fortify scanning across multiple machines

We work as a team and run the Fortify software on our machines locally. We all have our project code set up in different root directories; for example, I have the project code in C:\work\development\, a few of my colleagues have something like C:\Development\mainCodeLine\, etc., i.e. the root folder where the project code lives is different. Initially, I was the only one working on Fortify, but now there are many team members on the Fortify team. We are currently sharing an FPR file that is stored in the repository. We download it from the repository and run SCA commands over the same file to preserve details like hidden/suppressed issues. Over time, we have noticed that:

  • The Unique Instance ID that is generated is unique to only one machine. That is, the Unique Instance ID remains the same when scanning on my computer only, and it changes when the scan is performed on my colleague's machine. Is there any way I can configure Fortify to keep it the same across multiple scans on multiple computers? Because of this, we cannot use a Unique Instance ID in the filter file.

  • If my partner and I are scanning in parallel on two separate machines on the same code (only the project root is different as stated earlier), is there any way to integrate these 2 reports?

+3
4 answers


There are indeed methods for combining scan results generated on different machines. I believe the best way to achieve this is by using the Fortify Software Security Protection Center (SSC). Users conduct "fresh" scans every time, and when they are loaded into a project in SSC, they will be merged, retaining any previous audit information.

An alternative approach is to use the FPRUtility command line. (I don't have a setup in front of me at the moment, so the name might be off a bit, but it's in the bin directory along with sourceanalyzer and auditworkbench). The -h option should provide information to start combining the FPRs.



Hope this helps.

+3


If different IIDs result from a different common root, it seems like a bug. SCA usually uses the canonical root, so it shouldn't make any difference where you place it. Xelco52 is partially correct, but if you want to merge when they have different IIDs it is better to use FPRUtility with the -forceMigration option, like:

FPRUtility -merge -project Results1.fpr -source Results2.fpr -f mergedResults.fpr -forceMigration


You can also get this effect in AWB by setting com.fortify.model.ForceIIDMigration=true in Core/config/fortify.properties (and restarting AWB).

+3
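The FPRUtility command above merges exactly two files, so a team with several developers has to fold their results pairwise. The following helper is an added example, not code from any answer on this page; the FPRUTILITY override variable is a hypothetical convenience for pointing at a specific install, and the argument order follows the command in the answer above (accumulated result as -project, next file as -source).

```shell
# Added example, not from the answers above: fold N per-developer FPR files
# into one by calling FPRUtility -merge pairwise and accumulating the result,
# since one invocation merges exactly two files. FPRUTILITY is a hypothetical
# override variable (default: FPRUtility found on PATH).
merge_fprs() {
    out="$1"; shift                       # final merged file
    if [ "$#" -lt 2 ]; then
        echo "merge_fprs: need at least two FPR files" >&2; return 1
    fi
    tool="${FPRUTILITY:-FPRUtility}"
    for f in "$@"; do
        [ -f "$f" ] || { echo "merge_fprs: missing $f" >&2; return 1; }
    done
    tmpdir=$(mktemp -d) || return 1
    acc="$1"; shift                       # first file is the starting -project
    i=0
    for src in "$@"; do
        i=$((i + 1))
        step="$tmpdir/merge_$i.fpr"
        # Accumulated result is -project, the next developer's file is -source;
        # -forceMigration keeps audit data even when instance IDs differ.
        if ! "$tool" -merge -project "$acc" -source "$src" -f "$step" -forceMigration; then
            echo "merge_fprs: merge of $src failed" >&2; rm -rf "$tmpdir"; return 1
        fi
        acc="$step"
    done
    mv "$acc" "$out" && rm -rf "$tmpdir"
}
```

Usage: `merge_fprs team.fpr alice.fpr bob.fpr carol.fpr` produces team.fpr from three developers' scans with two FPRUtility runs.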


Have a look, if possible, at using the HP Fortify Software Security Center (SSC). This will allow users to upload scans to a central repository and merge the results. It helps to create a current scan history and find out who downloaded what.

It will also allow your team to use the "Collaborative Audit" feature, which will allow each developer to pull the latest FPR from the Software Security Center (SSC) and into their IDE. Developers can then make changes and return to the SSC, where the results are merged again.

+2


I don't think merge is the right approach. I would do it like this:

(1) Among all the developers (user#), on their own machines, set the naming convention for ProjectRoot (pointing to the user's code base, like /home/user#/mycode) and WorkingDirectory (i.e. /local/sharebuild).

(2) Each user runs the following commands on their machine:

(2a) CLEAN CACHE:
~/sourceanalyzer -b user# -Dcom.fortify.sca.ProjectRoot=/home/user#/mycode -Dcom.fortify.WorkingDirectory=/local/sharebuild/ -logfile /local/sharebuild/user#.sca.log -clean

(2b) TRANSLATE:
~/sourceanalyzer -b user# -64 -Xmx11000M -Xss24M -Dcom.fortify.sca.ProjectRoot=/home/user#/mycode/ -Dcom.fortify.WorkingDirectory=/local/sharebuild/ -logfile /local/sharebuild/user#.sca.log -source 1.5 -cp 'your_class_path' -extdirs 'your *.war file' '/home/user#/mycode/**/*'

(3) INTEGRATE ALL INTERMEDIATE CODE ON THE BUILD MACHINE: each user copies their entire /local/sharebuild/sca#.## to the centralized build machine into the /local/sharebuild/sca#.##/build/ directory (you will find a subdirectory ./user# for each build ID, which contains the entire intermediate code tree (.nst)).

(4) SCAN: On the build server, do a scan with the command:
~/sourceanalyzer -b user1 -b user2 -b user3 -b user# -64 -Xmx11000M -Xss24M -Dcom.fortify.sca.ProjectRoot=/home/user#/mycode/ -Dcom.fortify.WorkingDirectory=/local/sharebuild/ -logfile /local/sharebuild/scan.sca.log -scan -f build_all.fpr

Step 4 will select all .nst (normalized syntax tree) files and scan.

If each user runs their piece of code through step 2a on the centralized machine, then step 3 can be omitted.

0
