Fortify integration with Maven - install

Notice: this page is a Chinese-English bilingual translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use it you must follow the same CC BY-SA terms, cite the original URL and author information, and attribute it to the original author (not me). Original StackOverflow question: http://stackoverflow.com/questions/31771796/

Posted: 2020-08-11 11:35:30  Source: igfitidea

Fortify integration with Maven - install

Tags: java, eclipse, maven, fortify, fortify-source

Asked by Rory Lester

I want to run a Fortify scan against a Maven Eclipse project.

Where should I start?

I understand that I need to update my pom.xml file to include the Fortify plugin, however do I also require to have Fortify SCA installed on my machine? (I'm running MacOS X). I have been trying to find a place to download Fortify SCA but have not been able to find it.

I would appreciate it if someone could share some links to point me in the right direction in getting the setup complete.

Accepted answer by Dave C

I don't think the Fortify installation is required, but it's pretty hard to get the maven sca plugin without it. If you install on another machine you could copy just the plugin over, but then you wouldn't have the Audit Workbench application to work with the generated FPR. As @Eric said, you have to get it through HP and it will not work without a license.

Once you get that installed you add profiles to your pom.xml to execute the sca targets:

<profile>
  <id>sca-clean</id>
  <activation>
    <activeByDefault>false</activeByDefault>
  </activation>
  <build>
    <plugins>
      <plugin>
        <groupId>com.fortify.ps.maven.plugin</groupId>
        <artifactId>sca-maven-plugin</artifactId>
        <version>4.30</version>
        <configuration>
          <jre64>true</jre64>
          <buildId>myproject</buildId>
          <toplevelArtifactId>myproject.parent</toplevelArtifactId>
          <skipTests>true</skipTests>
        </configuration>
        <executions>
          <execution>
            <goals>
              <goal>clean</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</profile>


<profile>
  <id>sca-translate</id>
  <activation>
    <activeByDefault>false</activeByDefault>
  </activation>
  <build>
    <plugins>
      <plugin>
        <groupId>com.fortify.ps.maven.plugin</groupId>
        <artifactId>sca-maven-plugin</artifactId>
        <version>4.30</version>
        <configuration>
          <jre64>true</jre64>
          <jreStack>8M</jreStack>
          <maxHeap>12000M</maxHeap>
          <verbose>true</verbose>
          <buildId>myproject</buildId>
          <toplevelArtifactId>myproject.parent</toplevelArtifactId>
          <skipTests>true</skipTests>
          <failOnSCAError>true</failOnSCAError>
        </configuration>
        <executions>
          <execution>
            <goals>
              <goal>translate</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</profile>


<profile>
  <id>sca-scan</id>
  <activation>
    <activeByDefault>false</activeByDefault>
  </activation>
  <build>
    <plugins>
      <plugin>
        <groupId>com.fortify.ps.maven.plugin</groupId>
        <artifactId>sca-maven-plugin</artifactId>
        <version>4.30</version>
        <configuration>
          <jre64>true</jre64>
          <jreStack>8M</jreStack>
          <maxHeap>12000M</maxHeap>
          <verbose>true</verbose>
          <buildId>myproject</buildId>
          <toplevelArtifactId>myproject.parent</toplevelArtifactId>
          <failOnSCAError>true</failOnSCAError>
          <upload>false</upload>
          <projectName>My Project Main Development</projectName>
          <projectVersion>${project.version}</projectVersion>
        </configuration>
      </plugin>
    </plugins>
  </build>
</profile>

Run the scan from the command line:

mvn -Dmaven.test.skip=true -Dfortify.sca.buildId=myproject -Dfortify.sca.toplevel.artifactId=myproject.parent com.fortify.ps.maven.plugin:sca-maven-plugin:clean

Obviously, you will have to figure out the buildId and artifactId naming, and it varies a little depending on whether you're using a parent, an aggregator, or nothing.

Answer by Prokis

Actually profiles are not needed, only the plugin configuration.

<build>
    <plugins> 
        <plugin>
            <groupId>com.fortify.ps.maven.plugin</groupId>
            <artifactId>sca-maven-plugin</artifactId>
            <version>4.30</version>
            <configuration>
                <findbugs>true</findbugs>
                <htmlReport>true</htmlReport>
                <maxHeap>800M</maxHeap>
                <source>myJavaVersion</source>
                <buildId>myBuildId</buildId>
                <verbose>true</verbose>
                <skipTests>true</skipTests>
                <toplevelArtifactId>myTopLevelId</toplevelArtifactId>
            </configuration>
        </plugin>
    </plugins>
</build>

By using a single Jenkins job you can write, as a pre-step, a shell script:

mvn clean sca:clean -DskipTests
mvn sca:translate -DskipTests

And then define the actual "Goals and options" as:

install sca:scan -DskipTests

Having them as separate command lines is the only way to have the sca-clean, translate and scan (and report file sending to Fortify) done in one Jenkins job.

Hope this works for you too!

希望这对你也有用!
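Both answers describe the same three-step sequence (sca:clean, then sca:translate, then sca:scan) that has to run as separate Maven invocations, and a CI job should stop at the first failed step and refuse to "succeed" when no FPR was produced. The wrapper below is an added example, not code from either answer or from the Fortify plugin; it assumes `MVN` (default `mvn`) can be overridden for dry runs and that the caller knows the path where the scan writes its FPR.

```shell
#!/bin/sh
# Added example: run the sca-maven-plugin phases in order and verify the result.
# Assumptions: MVN is the Maven executable (overridable, e.g. MVN=echo for a dry
# run); the FPR path is supplied by the caller, since the answers do not state it.
set -eu

MVN="${MVN:-mvn}"

# One Maven invocation with the build id and top-level artifact id passed as the
# fortify.sca.* system properties from the accepted answer; remaining arguments
# are the goals (e.g. "clean sca:clean" or "install sca:scan").
sca_mvn() {
    build_id="$1"; toplevel="$2"; shift 2
    "$MVN" -DskipTests \
        "-Dfortify.sca.buildId=$build_id" \
        "-Dfortify.sca.toplevel.artifactId=$toplevel" \
        "$@"
}

# True only if the scan left a non-empty FPR behind.
fpr_present() {
    [ -s "$1" ]
}

# Runs clean -> translate -> scan. Each step gets its own exit code so a Jenkins
# log shows which phase failed; the FPR check catches a scan that "passed" but
# wrote nothing (e.g. misnamed buildId), which would otherwise go unnoticed.
run_sca_pipeline() {
    build_id="$1"; toplevel="$2"; fpr="$3"
    # 1. Discard the previous translation so stale files cannot leak into this scan.
    sca_mvn "$build_id" "$toplevel" clean sca:clean || return 1
    # 2. Translate; with failOnSCAError=true in the pom, SCA errors fail this step.
    sca_mvn "$build_id" "$toplevel" sca:translate || return 2
    # 3. Build and scan (the "Goals and options" line from the second answer).
    sca_mvn "$build_id" "$toplevel" install sca:scan || return 3
    if ! fpr_present "$fpr"; then
        echo "sca:scan finished but no FPR found at $fpr" >&2
        return 4
    fi
    echo "FPR ready for Audit Workbench: $fpr"
}
```

Call it from the Jenkins pre-step as `run_sca_pipeline myproject myproject.parent <path-to-fpr>`; any non-zero exit fails the job before anything is uploaded.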