Fortify command line usage
Question
Has anyone used the command line to run Fortify? I'm trying to incorporate a Fortify run in my CI build and I don't know how to do it.
Recommended answer
Since I can't add a comment, I'll have to offer this as an answer. Our company has integrated the scan process into our TFS build environment and it works pretty well.
We use a series of "Invoke Process" build activities to make this happen. The entire security scan sequence is wrapped in a conditional which is exposed as an argument to the build definition. This allows us to enable or disable scans as needed. We also expose a few other things like Fortify Project, Fortify Project Version, and another conditional for uploading the FPR file.
The gist of it is:
Clean
sourceanalyzer -b "Build ID" -clean
Build
sourceanalyzer -b "Build ID" devenv BuildID.sln /Rebuild Debug /out "C:\SSCLogs\SSCBuild.log"
Scan
sourceanalyzer -b "Build ID" -scan -format fpr -f BuildID.fpr
Upload to SSC
fortifyclient.bat -url SSCServerUrl -authtoken XXXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX uploadFPR -file BuildID.fpr -project "MyProject" -version "MyProject v1.0.0"
If you'd like a full rundown and/or some screen captures, I'd be happy to provide something for you.
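The four steps above as one CI wrapper, given here as an added example that is not part of the original answer: it gates the scan and the upload on two switches, stops at the first failing step, and masks the SSC token in the build log. The environment variable names and the plan/redact/run helpers are assumptions of this example; only the sourceanalyzer and fortifyclient arguments come from the answer.

```python
import os
import subprocess
import sys

def plan(build_id, sln, fpr, build_log, ssc_url, token, project, version,
         scan=True, upload=True):
    """Ordered argv lists for clean/build/scan/upload; [] when scanning is off."""
    if not scan:
        return []
    sa = ["sourceanalyzer", "-b", build_id]
    steps = [
        sa + ["-clean"],
        sa + ["devenv", sln, "/Rebuild", "Debug", "/out", build_log],
        sa + ["-scan", "-format", "fpr", "-f", fpr],
    ]
    if upload:
        steps.append(["fortifyclient.bat", "-url", ssc_url, "-authtoken", token,
                      "uploadFPR", "-file", fpr,
                      "-project", project, "-version", version])
    return steps

def redact(argv):
    """Copy of argv with the value after -authtoken masked, for logging only."""
    out = list(argv)
    for i, arg in enumerate(out[:-1]):
        if arg == "-authtoken":
            out[i + 1] = "****"
    return out

def run(steps, dry_run=False):
    """Run the steps in order; return the first non-zero exit code, else 0."""
    for argv in steps:
        print("+", subprocess.list2cmdline(redact(argv)))
        if not dry_run:
            rc = subprocess.run(argv).returncode
            if rc != 0:
                return rc  # fail the build instead of uploading a stale FPR
    return 0

if __name__ == "__main__":
    e = os.environ  # hypothetical variable names, set by the build definition
    steps = plan(e["FORTIFY_BUILD_ID"], e["FORTIFY_SLN"], e["FORTIFY_FPR"],
                 e["FORTIFY_BUILD_LOG"], e.get("SSC_URL", ""),
                 e.get("SSC_AUTHTOKEN", ""),  # kept as a CI secret, not in the definition
                 e.get("SSC_PROJECT", ""), e.get("SSC_VERSION", ""),
                 scan=e.get("FORTIFY_SCAN") == "1",
                 upload=e.get("FORTIFY_UPLOAD") == "1")
    sys.exit(run(steps, dry_run=e.get("FORTIFY_DRY_RUN") == "1"))
```

The token is masked only in what the wrapper prints; it is still passed to fortifyclient.bat as an argument, as in the answer.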