如何在 Fortify SCA 中更改 Java 版本
How to change Java version in Fortify SCA
我的Java-Maven项目是在Java1.8中实现的。我已经将我的 Maven 构建与 Fortify SCA 集成,方法是安装 Fortify 并在我的项目 pom.xml 中添加依赖项。然而,在扫描过程中,它给了我下面的日志
[INFO] --- sca-maven-plugin:4.30:scan (default-cli) @ projectname ---
[INFO] Packaging -> jar
[INFO] Top-Level Artifact ID -> null
[INFO] Build Label -> projectname-0.1.SNAPSHOT
[INFO] Build Version -> 0.1.SNAPSHOT
[INFO] Build Project Name -> projectname
[INFO] Build ID -> projectname-0.1.SNAPSHOT
[INFO] Results File -> /Users/workspaceneon/projectname/target/projectname-0.1.SNAPSHOT.fpr
[INFO] Location of SCA Executable -> sourceanalyzer
[INFO] Scan Log -> /Users/workspaceneon/projectname/target/sca-scan.log
[INFO] FindBugs Results -> true
[INFO] Fail on Error -> true
[INFO] Upload to SSC -> false
[INFO] Issues will not be tracked and trended without uploading to SSC.
[INFO] *** !! Scanning individual sub-project - projectname !! ***
[INFO] Created output dir /Users/workspaceneon/projectname/target
[INFO] cmd: "/bin/sh -c sourceanalyzer -scan -Xmx800M @/Users/workspaceneon/projectname/target/sca-scan-args.txt"
Fortify Static Code Analyzer 6.30.0086
Fortify Static Code Analyzer 6.30.0086
此外,Java 版本报告为
[INFO] Source Version -> 1.6
你可以在上面的控制台日志中看到我的Fortify版本。
我觉得 Fortify 正在扫描我的项目,假设它是一个 Java 1.6 项目。我的问题是,如何让 Fortify 将其扫描为 1.8 项目,并相应地报告错误?
使用命令行参数
-Dfortify.sca.source.version=1.8
或使用 Maven:
在您的项目中:
<fortify.sca.source.version>1.8</fortify.sca.source.version>
并且在 Maven 集成中:
<profile>
<id>sca-translate</id>
<activation>
<activeByDefault>false</activeByDefault>
</activation>
<build>
<plugins>
<plugin>
<groupId>com.fortify.ps.maven.plugin</groupId>
<artifactId>${maven-sca-plugin.name}</artifactId>
<version>${maven-sca-plugin.version}</version>
<inherited>true</inherited>
<configuration>
<source>${fortify.sca.source.version}</source>
<maxHeap>${fortify.sca.Xmx}</maxHeap>
<jre64>${fortify.sca.64bit}</jre64>
<failOnSCAError>${fortify.failOnError}</failOnSCAError>
</configuration>
<executions>
<execution>
<inherited>true</inherited>
<id>default-clean</id>
<phase>clean</phase>
<goals>
<goal>clean</goal>
</goals>
</execution>
<execution>
<inherited>true</inherited>
<id>default-translate</id>
<phase>install</phase>
<goals>
<goal>translate</goal>
</goals>
</execution>
</executions>
</plugin>
</plugins>
</build>
问题:[sourceanalyzer] [警告]:假定 Java 源级别为 1.8,因为未指定。请注意,默认值可能会在未来版本中更改。
To resolve this in ant follow the following .
<taskdef name="sourceanalyzer" classname="com.fortify.dev.ant.SourceanalyzerTask">
<classpath>
<fileset dir="${FORTIFY_HOME}/Core/lib">
<include name="sourceanalyzer.jar" />
</fileset>
</classpath>
</taskdef>
<sourceanalyzer buildid="${FORTIFY_BUILD_ID}" source = "1.8">
Adding source removes this warning
我的Java-Maven项目是在Java1.8中实现的。我已经将我的 Maven 构建与 Fortify SCA 集成,方法是安装 Fortify 并在我的项目 pom.xml 中添加依赖项。然而,在扫描过程中,它给了我下面的日志
[INFO] --- sca-maven-plugin:4.30:scan (default-cli) @ projectname ---
[INFO] Packaging -> jar
[INFO] Top-Level Artifact ID -> null
[INFO] Build Label -> projectname-0.1.SNAPSHOT
[INFO] Build Version -> 0.1.SNAPSHOT
[INFO] Build Project Name -> projectname
[INFO] Build ID -> projectname-0.1.SNAPSHOT
[INFO] Results File -> /Users/workspaceneon/projectname/target/projectname-0.1.SNAPSHOT.fpr
[INFO] Location of SCA Executable -> sourceanalyzer
[INFO] Scan Log -> /Users/workspaceneon/projectname/target/sca-scan.log
[INFO] FindBugs Results -> true
[INFO] Fail on Error -> true
[INFO] Upload to SSC -> false
[INFO] Issues will not be tracked and trended without uploading to SSC.
[INFO] *** !! Scanning individual sub-project - projectname !! ***
[INFO] Created output dir /Users/workspaceneon/projectname/target
[INFO] cmd: "/bin/sh -c sourceanalyzer -scan -Xmx800M @/Users/workspaceneon/projectname/target/sca-scan-args.txt"
Fortify Static Code Analyzer 6.30.0086
Fortify Static Code Analyzer 6.30.0086
此外,Java 版本报告为
[INFO] Source Version -> 1.6
你可以在上面的控制台日志中看到我的Fortify版本。
我觉得 Fortify 正在扫描我的项目,假设它是一个 Java 1.6 项目。我的问题是,如何让 Fortify 将其扫描为 1.8 项目,并相应地报告错误?
使用命令行参数
-Dfortify.sca.source.version=1.8
或使用 Maven:
在您的项目中:
<fortify.sca.source.version>1.8</fortify.sca.source.version>并且在 Maven 集成中:
<profile> <id>sca-translate</id> <activation> <activeByDefault>false</activeByDefault> </activation> <build> <plugins> <plugin> <groupId>com.fortify.ps.maven.plugin</groupId> <artifactId>${maven-sca-plugin.name}</artifactId> <version>${maven-sca-plugin.version}</version> <inherited>true</inherited> <configuration> <source>${fortify.sca.source.version}</source> <maxHeap>${fortify.sca.Xmx}</maxHeap> <jre64>${fortify.sca.64bit}</jre64> <failOnSCAError>${fortify.failOnError}</failOnSCAError> </configuration> <executions> <execution> <inherited>true</inherited> <id>default-clean</id> <phase>clean</phase> <goals> <goal>clean</goal> </goals> </execution> <execution> <inherited>true</inherited> <id>default-translate</id> <phase>install</phase> <goals> <goal>translate</goal> </goals> </execution> </executions> </plugin> </plugins> </build>
问题:[sourceanalyzer] [警告]:假定 Java 源级别为 1.8,因为未指定。请注意,默认值可能会在未来版本中更改。
To resolve this in ant follow the following .
<taskdef name="sourceanalyzer" classname="com.fortify.dev.ant.SourceanalyzerTask">
<classpath>
<fileset dir="${FORTIFY_HOME}/Core/lib">
<include name="sourceanalyzer.jar" />
</fileset>
</classpath>
</taskdef>
<sourceanalyzer buildid="${FORTIFY_BUILD_ID}" source = "1.8">
Adding source removes this warning