Fortify command line usage

Problem description

Has anyone used the command line to run Fortify? I'm trying to incorporate a Fortify run in my CI build and I don't know how to do it.

Recommended answer

Since I can't add a comment, I'll have to offer this as an answer. Our company has integrated the scan process into our TFS build environment and it works pretty well.

We use a series of "Invoke Process" build activities to make this happen. The entire security scan sequence is wrapped in a conditional which is exposed as an argument to the build definition. This allows us to enable or disable scans as needed. We also expose a few other things like Fortify Project, Fortify Project Version, and another conditional for uploading the FPR file.

The gist of it is:

Clean

sourceanalyzer -b "Build ID" -clean

Build

sourceanalyzer -b "Build ID" devenv BuildID.sln /Rebuild Debug /out "C:\SSCLogs\SSCBuild.log"

Scan

sourceanalyzer -b "Build ID" -scan -format fpr -f BuildID.fpr

Upload to SSC

fortifyclient.bat -url SSCServerUrl -authtoken XXXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX uploadFPR -file BuildID.fpr -project "MyProject" -version "MyProject v1.0.0"

If you'd like a full rundown and/or some screen captures, I'd be happy to provide something for you.
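
The four steps above as a single PowerShell wrapper that a CI "Invoke Process" step could call. This is an added example, not the answerer's build definition. The parameter names and the FORTIFY_SSC_TOKEN environment variable are assumptions; the tool flags are only the ones shown in the answer.

```powershell
# Added example (not from the original answer). Parameter names and the
# FORTIFY_SSC_TOKEN environment variable are assumptions for illustration.
param(
    [Parameter(Mandatory)] [string] $BuildId,
    [Parameter(Mandatory)] [string] $Solution,
    [string] $Configuration = 'Debug',
    [string] $BuildLog      = 'SSCBuild.log',
    [bool]   $RunScan       = $true,   # conditional wrapping the whole scan sequence
    [bool]   $UploadFpr     = $false,  # separate conditional for the FPR upload
    [string] $SscUrl,
    [string] $FortifyProject,
    [string] $FortifyVersion
)

if (-not $RunScan) { Write-Host 'Fortify scan disabled for this build.'; exit 0 }

function Invoke-Step {
    param([string] $Name, [string] $Exe, [string[]] $Arguments)
    # Log only the step name so the auth token never reaches the build log.
    Write-Host "== $Name"
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        Write-Host "$Name failed with exit code $LASTEXITCODE"
        exit $LASTEXITCODE   # stop the sequence and fail the build
    }
}

$fpr = "$BuildId.fpr"

Invoke-Step 'Clean' 'sourceanalyzer' @('-b', $BuildId, '-clean')
Invoke-Step 'Build' 'sourceanalyzer' @('-b', $BuildId, 'devenv', $Solution,
                                       '/Rebuild', $Configuration, '/out', $BuildLog)
Invoke-Step 'Scan'  'sourceanalyzer' @('-b', $BuildId, '-scan', '-format', 'fpr', '-f', $fpr)

if ($UploadFpr) {
    # Read the SSC token from the build agent's environment, not the build definition.
    $token = $env:FORTIFY_SSC_TOKEN
    if ([string]::IsNullOrEmpty($token)) { Write-Host 'FORTIFY_SSC_TOKEN is not set.'; exit 1 }
    foreach ($name in 'SscUrl', 'FortifyProject', 'FortifyVersion') {
        if (-not (Get-Variable $name -ValueOnly)) { Write-Host "Missing -$name"; exit 1 }
    }
    Invoke-Step 'Upload to SSC' 'fortifyclient.bat' @('-url', $SscUrl, '-authtoken', $token,
        'uploadFPR', '-file', $fpr, '-project', $FortifyProject, '-version', $FortifyVersion)
}
```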
