如何在 Fortify SCA 中更改 Java 版本

How to change Java version in Fortify SCA

我的Java-Maven项目是在Java1.8中实现的。我已经将我的 Maven 构建与 Fortify SCA 集成,方法是安装 Fortify 并在我的项目 pom.xml 中添加依赖项。然而,在扫描过程中,它给了我下面的日志

[INFO] --- sca-maven-plugin:4.30:scan (default-cli) @ projectname ---
[INFO]                    Packaging -> jar
[INFO]        Top-Level Artifact ID -> null
[INFO]                  Build Label -> projectname-0.1.SNAPSHOT
[INFO]                Build Version -> 0.1.SNAPSHOT
[INFO]           Build Project Name -> projectname
[INFO]                     Build ID -> projectname-0.1.SNAPSHOT
[INFO]                 Results File -> /Users/workspaceneon/projectname/target/projectname-0.1.SNAPSHOT.fpr
[INFO]   Location of SCA Executable -> sourceanalyzer
[INFO]                     Scan Log -> /Users/workspaceneon/projectname/target/sca-scan.log
[INFO]             FindBugs Results -> true
[INFO]                Fail on Error -> true
[INFO]                Upload to SSC -> false
[INFO] Issues will not be tracked and trended without uploading to SSC.
[INFO] *** !! Scanning individual sub-project - projectname !! ***
[INFO] Created output dir /Users/workspaceneon/projectname/target
[INFO] cmd: "/bin/sh -c sourceanalyzer -scan -Xmx800M @/Users/workspaceneon/projectname/target/sca-scan-args.txt"
Fortify Static Code Analyzer 6.30.0086
Fortify Static Code Analyzer 6.30.0086

此外,Java 版本报告为

[INFO]               Source Version -> 1.6

你可以在上面的控制台日志中看到我的Fortify版本。

我觉得 Fortify 正在扫描我的项目,假设它是一个 Java 1.6 项目。我的问题是,如何让 Fortify 将其扫描为 1.8 项目,并相应地报告错误?

使用命令行参数

-Dfortify.sca.source.version=1.8

或使用 Maven:

  1. 在您的项目中:

    <fortify.sca.source.version>1.8</fortify.sca.source.version>
    
  2. 并且在 Maven 集成中:

    <profile>
    <id>sca-translate</id>
    <activation>
        <activeByDefault>false</activeByDefault>
    </activation>
    <build>
        <plugins>
            <plugin>
                <groupId>com.fortify.ps.maven.plugin</groupId>
                <artifactId>${maven-sca-plugin.name}</artifactId>
                <version>${maven-sca-plugin.version}</version>
                <inherited>true</inherited>
                <configuration>
                    <source>${fortify.sca.source.version}</source>
                    <maxHeap>${fortify.sca.Xmx}</maxHeap>
                    <jre64>${fortify.sca.64bit}</jre64>
                    <failOnSCAError>${fortify.failOnError}</failOnSCAError>
                </configuration>
                <executions>
                    <execution>
                        <inherited>true</inherited>
                        <id>default-clean</id>
                        <phase>clean</phase>
                        <goals>
                            <goal>clean</goal>
                        </goals>
                    </execution>
                    <execution>
                        <inherited>true</inherited>
                        <id>default-translate</id>
                        <phase>install</phase>
                        <goals>
                            <goal>translate</goal>
                        </goals>
                    </execution>
                </executions>
            </plugin>
        </plugins>
    </build>
    

问题:[sourceanalyzer] [警告]:假定 Java 源级别为 1.8,因为未指定。请注意,默认值可能会在未来版本中更改。

To resolve this in ant follow the following . 

<taskdef name="sourceanalyzer" classname="com.fortify.dev.ant.SourceanalyzerTask"> 
        <classpath>
            <fileset dir="${FORTIFY_HOME}/Core/lib">
                <include name="sourceanalyzer.jar" />
            </fileset>
        </classpath>
    </taskdef>
<sourceanalyzer buildid="${FORTIFY_BUILD_ID}" source = "1.8"> 

Adding source removes this warning