maven-nar/nar-maven-plugin

Fortify scan is not supported

Opened this issue · 2 comments

Problem statement:
nar-plugin is not supported by Fortify scan

Description:
When using nar-plugin for C++ file compilation to prepare binaries, the compile options, including file linking options and libraries, are in pom.xml.
Now, for Fortify scan, it became necessary to duplicate the effort of providing the same options explicitly for the Fortify scan, as Fortify scan is not consuming the options in pom.xml.

Fortify scan details:
sourceanalyzer -debug -verbose -logfile translate.log -b my_proj touchless mvn com.fortify.sca.plugins.maven:sca-maven-plugin:21.1.1:translate

[warning] nar type is not supported

Let us know if any more details are required.

Additional/Fortify Plugin Details:

			<build>
				<plugins>
					<plugin>
						<groupId>com.fortify.sca.plugins.maven</groupId>
						<artifactId>sca-maven-plugin</artifactId>
						<version>21.1.1</version>
						<executions>
							<execution>
								<goals>
									<goal>clean</goal>
									<goal>translate</goal>
									<goal>scan</goal>
								</goals>
							</execution>
						</executions>
					</plugin>
				</plugins>
			</build>

@vijaybhas The nar-maven-plugin doesn't call on the sca-maven-plugin, and so this project configuration doesn't relate here.
You would need to raise issues with the sca-maven-plugin with ?SCA; however, I don't know where that would be, as the meta info in the maven repo lookup is lacking.

To configure the nar plugin to include the fortify prefix command, you would include the fortifyID setting.
It also expects that fortify is configured with a licence and on the system path.

			<plugin>
				<groupId>com.github.maven-nar</groupId>
				<artifactId>nar-maven-plugin</artifactId>
				<configuration>
					<!-- Fortify build id; when set, the nar compile/link commands are prefixed with the fortify command -->
					<fortifyID></fortifyID>
				</configuration>
			</plugin>
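As an added example, not taken from the issue or from the project's own documentation, the following pom fragment shows the approach the comment above describes: the nar-maven-plugin carries the compile and link options once, and `fortifyID` makes the nar build itself run the Fortify prefix command, so the options do not have to be repeated for a separate scan step. The plugin version, the library names and the compiler/linker options are constructed placeholders; the build id reuses `my_proj` from the reporter's sourceanalyzer command on the assumption that `fortifyID` is the same Fortify build id that a later `sourceanalyzer -b my_proj -scan` step refers to.

```xml
<!-- Added example (not the project's pom): nar-maven-plugin with Fortify
     prefixing enabled. Values marked PLACEHOLDER are constructed. -->
<build>
  <plugins>
    <plugin>
      <groupId>com.github.maven-nar</groupId>
      <artifactId>nar-maven-plugin</artifactId>
      <!-- PLACEHOLDER: pin to the nar-maven-plugin release you build with -->
      <version>${nar.plugin.version}</version>
      <extensions>true</extensions>
      <configuration>
        <!-- Fortify build id. Assumed to be the id the later
             "sourceanalyzer -b my_proj -scan" step reads; requires
             sourceanalyzer to be licensed and on the system PATH. -->
        <fortifyID>my_proj</fortifyID>

        <!-- The same compiler options the plain build uses; Fortify sees
             them because it wraps this compile, not a second invocation. -->
        <cpp>
          <options>
            <option>-std=c++17</option>      <!-- PLACEHOLDER -->
            <option>-fstack-protector-strong</option>
          </options>
        </cpp>

        <!-- Linker options and libraries also live here only once. -->
        <linker>
          <options>
            <option>-Wl,-z,relro,-z,now</option>
          </options>
          <libs>
            <lib>
              <name>ssl</name>                <!-- PLACEHOLDER library -->
              <type>shared</type>
            </lib>
          </libs>
        </linker>

        <libraries>
          <library>
            <type>executable</type>
            <run>false</run>
          </library>
        </libraries>
      </configuration>
    </plugin>
  </plugins>
</build>
```

With this in place a normal `mvn package` performs the Fortify translation as part of the nar compile; the `sca-maven-plugin` `translate` goal, which reported `nar type is not supported`, is not involved, which is the point the comment above makes about the two plugins being unrelated.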