Thursday, September 27, 2018

Fortify scan with sourceanalyzer using Jenkins - Unable to load build session with ID "sample_id"

Are you running a Fortify scan through sourceanalyzer for MSBuild? Are you running it with Jenkins, on a Jenkins node that runs Windows? Maybe you are following the process described here.

Do the following steps work fine when you run them from PowerShell or cmd, but not when you run them from Jenkins? Is the scan failing on the scan step?
sourceanalyzer -b fortify_sample -clean
sourceanalyzer -b fortify_sample msbuild Fortify.Samples.sln /t:ReBuild
sourceanalyzer -b fortify_sample -scan -f result.fpr
With this error:

[error]: Unable to load build session with ID " fortify_sample". See log file for more details.

Probable solution:
Check the output of the MSBuild step. The build step should generate some .txt files. Check the location where those files are generated. If the files are not generated, there is a permission issue with the user account under which the Jenkins service or agent service is running.

In my case the issue was that my Jenkins service was running under Local System and it was trying to write to C:\Windows\system32\config\systemprofile\AppData.

I changed the user the service runs as to a service account, and it started working fine.
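
The account and permission check described above can be run as a Jenkins PowerShell build step on the Windows node. This is an added example, not part of the original post; it assumes the service name starts with "jenkins" and that the AppData location in question is the one in LOCALAPPDATA, and it uses the Fortify SCA option -show-build-ids, which does not appear in the post.

```powershell
# Added diagnostic: run inside a Jenkins job so it executes as the same
# account and with the same profile as the failing sourceanalyzer steps.
# Assumption: the Windows service name starts with "jenkins"; adjust the filter.

# 1. Which account are the Jenkins services configured to run as?
Get-CimInstance Win32_Service -Filter "Name LIKE 'jenkins%'" |
    Select-Object Name, StartName, State |
    Format-Table -AutoSize | Out-String | Write-Host

# 2. Which identity and profile does this build step actually get?
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
Write-Host "Running as   : $identity"
Write-Host "LOCALAPPDATA : $env:LOCALAPPDATA"

# The Local System profile lives under ...\config\systemprofile
if ($env:LOCALAPPDATA -like '*\config\systemprofile\*') {
    Write-Warning "This step runs with the Local System profile; use a service account for the Jenkins service."
}

# 3. Can this account create and delete a file under its AppData?
$probe = Join-Path $env:LOCALAPPDATA ("write-probe-{0}.tmp" -f [guid]::NewGuid())
try {
    Set-Content -Path $probe -Value 'probe' -ErrorAction Stop
    Remove-Item -Path $probe -ErrorAction Stop
    Write-Host "Write test   : OK"
} catch {
    Write-Warning "Write test failed: $($_.Exception.Message)"
}

# 4. Which build sessions can this account see? The ID passed to -b in the
#    scan step must be listed here, otherwise the scan cannot load it.
& sourceanalyzer -show-build-ids
```

Run the same script from an interactive PowerShell prompt and compare the two outputs: a different identity or profile path between the two runs explains why the build session is found in one and not in the other.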

How to run fortify scan for dotnet solution using MSBuild

It's simply a 4 stage process.

Step 1: Clear previous scan build
sourceanalyzer -b build_id -clean
Here the build id is a unique string that identifies a particular scan on the system where it is run (in our case the system is fortify-jenkins-node). Ideally it is unique to a solution file, e.g.
sourceanalyzer -b appointment_api -clean
Step 2: Analyze solution
sourceanalyzer -b build_id msbuild mysolution.sln /t:ReBuild
e.g.
sourceanalyzer -b fortify_sample msbuild Fortify.Samples.sln /t:ReBuild
Step 3: Generate report
sourceanalyzer -b build_id -scan -f result.fpr
e.g.
sourceanalyzer -b fortify_sample -scan -f result.fpr
This runs the scan on the local system. We can also run the scan on the Fortify server; in that case we need to use a different command, which is cloudscan.

Step 4: Upload report
This step uploads the report (*.fpr) file to the Fortify server. It is needed if we are running a local scan. If we are running a cloud scan, it is not needed.
fortifyclient -url http://fortify.nextgen.com/ssc -authtoken "xxxxxx-xxxxxxxxx-xxxxxxxx-xxxx-xxxxxx" uploadFPR -file result.fpr -project "Application_name" -version 9.9
Here
  • URL is the URL of the Fortify server; the system from which this command is run should have access to the Fortify server
  • authtoken is a token of type "uploadFPR", which can be generated from the Fortify server. If we don't have one, we can contact AppSec for it
  • Application_name is the name of the application created in the Fortify server for the current application. Ideally one solution will have one application in the Fortify server
  • Version is the version number of the application in the Fortify server.
e.g.

fortifyclient -url http://fortify.myserver.com/ssc -authtoken "038bff7e-7e8c-4007-9aXX-748XXXX1a" uploadFPR -file result.fpr -project "fortify_sample" -version 1.0
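
The four stages above combined into one fail-fast Jenkins build step, as an added example that is not part of the original post. The environment variable names FORTIFY_SSC_URL and FORTIFY_UPLOAD_TOKEN and the helper Invoke-Stage are hypothetical, and the -show-files check uses a Fortify SCA option that does not appear in the post.

```powershell
# Added example: clean, translate, scan and upload, stopping at the first failure.
# Assumption: Jenkins injects FORTIFY_SSC_URL and FORTIFY_UPLOAD_TOKEN
# (hypothetical names), e.g. through a secret-text credential binding.
param(
    [string]$BuildId  = 'fortify_sample',
    [string]$Solution = 'Fortify.Samples.sln',
    [string]$Fpr      = 'result.fpr',
    [string]$Project  = 'fortify_sample',
    [string]$Version  = '1.0'
)

# Hypothetical helper: run one stage and fail the job on a non-zero exit code.
function Invoke-Stage {
    param([string]$Name, [string]$Exe, [string[]]$StageArgs)
    Write-Host "== $Name"
    & $Exe @StageArgs
    if ($LASTEXITCODE -ne 0) {
        throw "$Name failed with exit code $LASTEXITCODE"
    }
}

foreach ($name in 'FORTIFY_SSC_URL', 'FORTIFY_UPLOAD_TOKEN') {
    if (-not [Environment]::GetEnvironmentVariable($name)) {
        throw "Environment variable $name is not set"
    }
}

Invoke-Stage 'Clean'     'sourceanalyzer' @('-b', $BuildId, '-clean')
Invoke-Stage 'Translate' 'sourceanalyzer' @('-b', $BuildId, 'msbuild', $Solution, '/t:ReBuild')

# Before scanning, confirm that this account can load the build session
# and that the translation step actually recorded files in it.
$files = & sourceanalyzer -b $BuildId -show-files
if (-not $files) {
    throw "Build session '$BuildId' is empty or cannot be loaded by this account"
}

Invoke-Stage 'Scan' 'sourceanalyzer' @('-b', $BuildId, '-scan', '-f', $Fpr)
if (-not (Test-Path $Fpr)) { throw "Scan finished but $Fpr was not written" }

Invoke-Stage 'Upload' 'fortifyclient' @(
    '-url', $env:FORTIFY_SSC_URL, '-authtoken', $env:FORTIFY_UPLOAD_TOKEN,
    'uploadFPR', '-file', $Fpr, '-project', $Project, '-version', $Version)
```

Reading the token from the environment keeps it out of the job configuration and out of source control.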

Tuesday, August 7, 2018

Microsoft.WebApplication.targets not found with MSBuild for Build Tools for Visual Studio 2017

I was working on a Jenkins integration and was using MSBuild from Build Tools for Visual Studio 2017 (which by default gets installed into C:\Program Files (x86)\Microsoft Visual Studio\2017\BuildTools\MSBuild\15.0). While building a web application developed with framework 4.7.1 (in my case), the class library was building successfully, but I was getting the following error for the web application.
error MSB4226: The imported project "C:\Program Files (x86)\Microsoft Visual Studio\2017\BuildTools\MSBuild\Microsoft\VisualStudio\v15.0\WebApplications\Microsoft.WebApplication.targets" was not found. Also, tried to find "WebApplications\Microsoft.WebApplication.targets" in the fallback search path(s) for $(VSToolsPath) - "C:\Program Files (x86)\MSBuild\Microsoft\VisualStudio\v15.0" . These search paths are defined in "C:\Program Files (x86)\Microsoft Visual Studio\2017\BuildTools\MSBuild\15.0\Bin\MSBuild.exe.Config". Confirm that the path in the declaration is correct, and that the file exists on disk in one of the search paths.
Resolution:

In my case I downloaded Build Tools for Visual Studio 2017 from https://visualstudio.microsoft.com/downloads/#build-tools-for-visual-studio-2017 (search inside All downloads). The downloaded exe will have a name like vs_buildtools__1674480101.1516182736.exe.
But while installing the build tools I had not selected the "Web development build tools" option.

Steps:
  • Download the build tools from the link above and rename the file to vs_buildtools.exe
  • Open a command prompt and cd to the folder where vs_buildtools.exe is
  • Run the following command: vs_buildtools.exe --add Microsoft.VisualStudio.Workload.WebBuildTools
This command marks Web development build tools as preselected in the installation window. Complete the installation and the issue should be resolved.