Java utility for uploading code to Fortify on Demand
Note: Command-line arguments have been reworked since 3.1.0. If you are upgrading from an older version to the latest version, make sure to update your arguments.
The following table describes the FoDUploader arguments. Arguments are named and can be in any order:
| Short Name | Long Name | Required? | Description |
|---|---|---|---|
| -z | -zipLocation | Yes | Location of payload zip file |
| -ep | -entitlementPreferenceType | Yes | Whether to use a single scan or subscription assessment: 1/SingleScanOnly, 2/SubscriptionOnly, 3/SingleScanFirstThenSubscription, 4/SubscriptionFirstThenSingleScan |
| -ac | -apiCredentials | Yes1 | API credentials |
| -uc | -userCredentials | Yes1 | User credentials (wrap each in quotations to handle certain non-alphanumeric characters in the CLI) |
| -bsi | -bsiToken | Yes2 | BSI token |
| -rid | -releaseId | Yes2 | Release ID |
| -purl | -portalurl | Yes3 | Domain URL |
| -aurl | -apiurl | Yes3 | API root URL |
| -tc | -tenantCode | Yes3 | Tenant ID if using user credentials |
| -at | -assessmentTypeId | Yes4 | Assessment type ID |
| -eid | -entitlement | Yes4 | Entitlement ID |
| -ts | -technologyStackId | Yes4 | Technology stack as an integer: 1 (.NET), 23 (.Net Core), 2 (ABAP), 21 (Apex/Visualforce), 3 (ASP), 5 (CFML), 6 (COBOL), 22 (Go), 7 (JAVA/J2EE), 16 (JS/TS/HTML), 18 (MBS/C/C++/Scala), 9 (PHP), 10 (PYTHON), 17 (Ruby), 12 (Swift/Objective C/C++), 11 (VB6), 14 (VBScript), 12 (Swift/Objective C/C++), 9 (PHP), 27 (Infrastructure-As-Code/Dockerfile), 31 (Solidity) , 28 (React Native), 29 (DART), 26 (Kotlin), "22": "GO", |
| -l | -languageLevelId | Yes4 | Language level as an integer: .NET: 2 (2.0), 3 (3.0), 4 (3.5), 5 (4.0), 11 (4.5), 15 (4.6), 16 (4.7), 30, (4.8), 32 (5.0),33 (6.0),35 (7.0),38 (8.0) .NET Core: 23 (1.0), 24 (1.1), 25 (2.0), 26 (2.1), 27 (2.2), 28 (3.0), 29 (3.1) Java: 12 (1.8), 17 (1.9), 19 (10), 20 (11), 21 (12), 22 (13),34 (17),39 (21) GO 41(1.21) Python: 13 (2), 14 (2 Django), 18 (3), 37 (4.2 Django) , |
| -a | -auditPreferenceId | Yes4 | Audit preference: Manual, Automated |
| -bs | -isBinaryScan | No4 | Scan compiled and source code (the feature must be enabled) |
| -os | -allowopenSourceComponentAnalysis | No4 | Include open source component analysis |
| -rp | -remediationScanPreferenceType | No | Remediation scan preference: 0/RemediationScanIfAvailable, 1/RemediationScanOnly, 2/NonRemediationScanOnly (default) |
| -pp | -inProgressScanActionType | No | If in-progress scan exists, the action to take for a new scan: 0/DoNotStartScan (default), 1/CancelScanInProgress, 2/Queue |
| -purchase | -purchaseEntitlement | No | Whether to purchase an entitlement (if available) |
| -apf | -allowPolicyFail | No | Whether to return exit(0) instead of exit(1) if the scan fails the security policy specified in Fortify on Demand |
| -n | -notes | No | The notes about the scan |
| -I | -pollingInterval | No | Interval between checking scan status in minutes |
| -P | -proxy | No | Proxy connection details (order dependent): |
| -h | -help | No | Print help dialog |
| -v | -version | No | Print jar version |
1Use either apiCredentials or userCredentials.
2Use either releaseId or bsiToken. If both are provided, then the scan settings that are retrieved from the release ID will be used.
3Required if BSI token is not provided.
4Required if neither release ID nor BSI token is provided. Values override existing release ID or BSI token settings.
Syntax:
FodUpload.jar -z <zip_file_path> -ep {1|SingleScanOnly|2|SubscriptionOnly|3|SingleScanFirstThenSubscription|4|SubscriptionFirstThenSingleScan} {-ac <key> <secret> | -uc <username> <password>} {-rid <release_id> | -bsi <token> | -at <assessment_id> -eid <entitlement_id> -ts <tstack_id> -l <lang_id> <-a {Manual|Automated} bs -os} -purl <domain_url> -aurl <api_url> -tc <tenant_id> [-rp {0|RemediationScanIfAvailable|1|RemediationScanOnly|2|NonRemediationScanOnly}] [-pp {0|DoNotStartScan|1|CancelScanInProgress|2|Queue}] [-purchase] [-apf] [-n] [-I <minutes>] [-P <proxyUrl> <username> <password> <nt_domain> <nt_workstation>] [-h] [-v]The following table describes the FoDUploader arguments for 3.1.0:
| Short Name | Long Name | Required? | Description |
|---|---|---|---|
| -bsi | -bsiToken | Yes | Build server token |
| -z | -zipLocation | Yes | Location of scan |
| -ep | -entitlementPreference | Yes | Whether to use a single scan or subscription assessment (if available) (1/Single, 2/Subscription) |
| -ac | -apiCredentials | Yes* | Api credentials ("key:" does not need to be appended to <key>) |
| -uc | -userCredentials | Yes* | User login credentials (wrap each in quotations to avoid escaping characters in the CLI) |
| -a | -auditPreferenceId | No | False positive audit type (1/Manual, 2/Automated) |
| -p | -scanPreferenceId | No | Scan mode (1/Standard, 2/Express) |
| -I | -pollingInterval | No | Interval between checking scan status in minutes |
| -P | -proxy | No | Credentials for accessing the proxy |
| -os | -runOpenSourceScan | No | Whether to run an Open Source Scan |
| -h | -help | No | Print help dialog |
| -v | -version | No | Print jar version |
| -itp | -includeThirdPartyLibs | No | Include Third Party Libraries from scan |
| -r | -isRemediationScan | No | Whether the scan is in remediation |
| -b | -isBundledAssessment | No | Whether the scan is a bundled assessment |
| -purchase | -purchaseEntitlement | No | Whether to purchase an entitlement (if available) |
| -n | -notes | No | The notes about the scan. |
*Use either apiCredentials or userCredentials.
Syntax:
FodUpload.jar -bsi <token> -z <file> {-ac <key> <secret> | -uc <username> <password>} -ep {1|SingleScan|2|Subscription} [-p {1|Standard|2|Express}] [-a {1|Manual|2|Automated}] [-itp] [-os] [-b] [-r] [-purchase] [-n] [-I <minutes>] [-P <proxy_url> <username> <password> <nt_domain> <nt_workstation>] [-h] [-v] FoDUploader is configured to build a fat jar with the Gradle Shadow plugin as the default gradle task.
To compile, simply use the gradlew or gradlew.bat depending on your operating system.
.\gradlew.batFor a better breakdown of the build process, compile gradle with the following:
.\gradlew.bat -I init.gradle buildIf you are behind a firewall, you will need to configure gradle's proxy settings in:
/\
systemProp.http.proxyHost=<web-proxy-host>
systemProp.http.proxyPort=<web-proxy-port>
systemProp.https.proxyHost=<web-proxy-host>
systemProp.https.proxyPort=<web-proxy-port>