Thursday, September 27, 2018

How to run fortify scan for dotnet solution using MSBuild

It is a simple four-stage process.

Step 1: Clear the previous scan build
sourceanalyzer -b build_id  -clean
Here build_id is a unique string that identifies a particular scan on the system where it is run (in our case the system is fortify-jenkins-node). Ideally it is unique to one solution file, e.g.
sourceanalyzer -b appointment_api -clean
Step 2: Analyze the solution
sourceanalyzer -b build_id msbuild mysolution.sln /t:ReBuild
e.g.
sourceanalyzer -b fortify_sample msbuild Fortify.Samples.sln /t:ReBuild
Step 3: Generate the report
sourceanalyzer -b build_id -scan -f result.fpr
e.g.
sourceanalyzer -b fortify_sample -scan -f result.fpr
This runs the scan on the local system. The scan can also be run on the Fortify server; in that case a different command, cloudscan, is used instead.

Step 4: Upload the report
This step uploads the report (*.fpr) file to the Fortify server. It is needed only when running a local scan; with a cloud scan it is not needed.
fortifyclient -url http://fortify.nextgen.com/ssc -authtoken "xxxxxx-xxxxxxxxx-xxxxxxxx-xxxx-xxxxxx" uploadFPR -file result.fpr -project "Application_name" -version 9.9
Here
  • URL is the URL of the Fortify server; the system this command is run from must have network access to that server
  • authtoken is a token of type "uploadFPR", which is generated on the Fortify server. If you do not have one, contact AppSec for it
  • Application_name is the name of the application created on the Fortify server for the current application. Ideally one solution has one application on the Fortify server
  • Version is the version number of the application on the Fortify server
e.g.

fortifyclient -url http://fortify.myserver.com/ssc -authtoken "038bff7e-7e8c-4007-9aXX-748XXXX1a" uploadFPR -file result.fpr -project "fortify_sample" -version 1.0
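The four steps above wrapped into one POSIX shell script, as an added example that is not part of the original post. It assumes sourceanalyzer and fortifyclient are on PATH, takes the SSC token from a hypothetical FORTIFY_TOKEN environment variable instead of hard-coding it in the script, derives one build id per solution file, and refuses to upload an empty .fpr.

```shell
#!/bin/sh
# Added example: clean -> msbuild translation -> local scan -> upload, for one solution.
# Assumes sourceanalyzer and fortifyclient are on PATH and that FORTIFY_TOKEN (hypothetical
# variable name) holds an uploadFPR token generated on the Fortify server.
set -eu

# Derive a build id from the solution file name: "Fortify.Samples.sln" -> "fortify_samples".
# One solution maps to one build id, as recommended in the post.
fortify_build_id() {
  basename "$1" .sln | tr '[:upper:]' '[:lower:]' | tr -c 'a-z0-9\n' '_'
}

# A scan result must exist and be non-empty before it is worth uploading;
# a missing or zero-byte .fpr means the scan stage did not produce results.
fortify_check_fpr() {
  [ -s "$1" ]
}

# Run all four stages for one solution.
# $1 solution path, $2 SSC URL, $3 SSC application name, $4 application version.
fortify_scan_solution() {
  sln="$1"; ssc_url="$2"; app="$3"; version="$4"
  bid=$(fortify_build_id "$sln")
  fpr="${bid}.fpr"                                   # result file named after the build id
  : "${FORTIFY_TOKEN:?set FORTIFY_TOKEN to an uploadFPR token from the Fortify server}"

  sourceanalyzer -b "$bid" -clean                    # Step 1: clear previous build
  sourceanalyzer -b "$bid" msbuild "$sln" /t:ReBuild # Step 2: translate the solution
  sourceanalyzer -b "$bid" -scan -f "$fpr"           # Step 3: local scan -> .fpr
  fortify_check_fpr "$fpr" || { echo "scan produced no results: $fpr" >&2; return 1; }
  fortifyclient -url "$ssc_url" -authtoken "$FORTIFY_TOKEN" \
    uploadFPR -file "$fpr" -project "$app" -version "$version"   # Step 4: upload
}

# Usage with constructed values:
#   FORTIFY_TOKEN=... ./fortify_scan.sh  (then call)
#   fortify_scan_solution Fortify.Samples.sln http://fortify.myserver.com/ssc fortify_sample 1.0
```

Because set -e is active, a failure in any stage stops the script before the upload runs, so a broken build never overwrites a good result set on the server.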
