SCA和gradle包装器集成

Question

注意到，我可以在文档中使用gradle与SCA一起使用

sourceanalyzer -b build gradle clean build

但是我试着用包装器，但是我一直在用error=2.

>>>>>>>sourceanalyzer -b buildxyz ./gradlew clean build
starting init script
TaskListener registered.
Configuration on demand is an incubating feature.
> Task :clean


FAILURE: Build failed with an exception.

* Where:
Initialization script '/Users/.../.fortify/sca17.2/build/buildxyz/init-script4841163810233991317.gradle' line: 203

* What went wrong:
java.io.IOException: Cannot run program "sourceanalyzer": error=2, No such file or directory
> Cannot run program "sourceanalyzer": error=2, No such file or directory

* Try:
Run with --stacktrace option to get the stack trace. Run with --info or --debug option to get more log output. Run with --scan to get full insights.

* Get more help at https://help.gradle.org

Deprecated Gradle features were used in this build, making it incompatible with Gradle 5.0.
See https://docs.gradle.org/4.8.1/userguide/command_line_interface.html#sec:command_line_warnings

即使仅仅使用gradle，我也会犯不同的错误.

>>>>>>>sourceanalyzer -b buildxyz gradle clean build
[warning]: File clean not found

Answer 1

我在Fortify &gradle中使用了三个步骤：

1. 打扫 sourceanalyzer -b ${SEC_REPORT_NAME} -verbose -clean
2. 构建 -b ${SEC_REPORT_NAME} -gradle -verbose gradle -Dorg.gradle.java.home=/opt/jdk8 8 ${SEC_BUILD_TARGETS}
3. 扫瞄

源分析器-b ${SEC_REPORT_NAME} -verbose -scan -f ${SEC_TARGET}/${SEC_REPORT_NAME}.fpr

如果${SEC_REPORT_NAME}是一个应用程序报告id -应该是相同的，对于每个步骤，${SEC_BUILD_TARGETS}是gradle的标准构建目标(“干净构建”)，${SEC_TARGET}是输出目录。

Answer 2

它看起来好像没有在路径中，因为在基于以下消息的系统中找不到它：

• 出了什么问题: java.io.IOException:无法运行程序“源分析器”：error=2，没有这样的文件或目录不能运行程序“源分析器”：error=2，没有这样的文件或目录

确保源分析器安装在本地和路径中。

Answer 3

如果您正经历此错误，这主要是由于Fortify安装没有添加到系统的PATH中。

从技术上讲，您可以做以下任何一件事：

MAC/Linux

zsh:
export PATH="/Application/<Fortify Installation Dir>/bin:$PATH" >> ~/.zshrc

bash:
export PATH="/Application/<Fortify Installation Dir>/bin:$PATH" >> ~/.bashrc

窗口：

将bin安装目录添加到GUI路径。