maven-nar / nar-maven-plugin

Native ARchive plugin for Maven
https://maven-nar.github.io/
Apache License 2.0

Fortify scan is not supported #386

Open vijaybhas opened 3 years ago

vijaybhas commented 3 years ago

Problem statement: nar-plugin is not being supported with Fortify scan

Description: By using nar-plugin for C++ file compilation for preparing binaries, the compile options, include files, linking options and libraries are in pom.xml. Now for the Fortify scan it became necessary to duplicate the effort of providing the same options explicitly for the Fortify scan, as the Fortify scan is not consuming the options in pom.xml.

Fortify scan details: sourceanalyzer -debug -verbose -logfile translate.log -b my_proj touchless mvn com.fortify.sca.plugins.maven:sca-maven-plugin:21.1.1:translate

[warning] nar type is not supported

Let us know if any more details are required.

vijaybhas commented 3 years ago

Additional/Fortify Plugin Details:

            <build>
                <plugins>
                    <plugin>
                        <groupId>com.fortify.sca.plugins.maven</groupId>
                        <artifactId>sca-maven-plugin</artifactId>
                        <version>21.1.1</version>
                        <executions>
                            <execution>
                                <goals>
                                    <goal>clean</goal>
                                    <goal>translate</goal>
                                    <goal>scan</goal>
                                </goals>
                            </execution>
                        </executions>
                    </plugin>
                </plugins>
            </build>

GregDomjan commented 3 years ago

@vijaybhas The nar-maven-plugin doesn't call on the sca-maven-plugin, and so this project configuration doesn't relate here. You would need to raise issues with the sca-maven-plugin with ?SCA; however, I don't know where that would be from, as the meta info in maven repo lookup is lacking.

To configure the nar plugin to include the fortify prefix command, you would include the fortifyID setting. It also expects that fortify is configured with a licence and is on the system path.

            <plugin>
                <groupId>com.github.maven-nar</groupId>
                <artifactId>nar-maven-plugin</artifactId>
                <configuration>
                    <fortifyID></fortifyID>