2

Related to question: Fortify command line usage

I would like to perform a nightly Fortify scan of my .NET solution, triggered by TeamCity's command line runner. I want to post up my own custom summary of the results to a web page.

The key information I want is the number of issues per level of criticality.

I have previously used the -f command-line switch for use with the Audit Workbench client, but the resulting .FPR file looks difficult to parse and interpret manually.

I'm using Fortify Static Code Analyzer 5.15.0.0060 and there does not appear to be a -format option that I can use to specify text.

Is there a way to obtain the numbers of issues found by the scan?

Chris B
  • Are you using the ReportGenerator utility? – LaJmOn May 13 '14 at 14:30
  • Not yet (hadn't heard of it), but after reading your message I had a quick Google and I've just seen that ReportGenerator may be able to turn an FPR file into a custom-formatted report, based on a template. This might be exactly what I need! I'll post back with results. Thank you for the pointer. – Chris B May 14 '14 at 09:23
  • Thanks so much, LaJmOn. Using the default template (without specifying -template to ReportGenerator) I can get a nice XML file with an IssueListing section that gives me the counts for each group. This is exactly what I needed. If you post this as an answer, I will accept. – Chris B May 14 '14 at 09:32
  • I have some trouble with the report generator too. Maybe you could try FPRUtility.bat, BIRTReportGenerator.cmd, and ReportGenerator.bat. All of them are in the path %Fortify%/bin. – Hsu Amanda May 23 '19 at 06:36

1 Answer

3

Use the ReportGenerator utility. It was specifically designed for this purpose.

LaJmOn
  • Thank you - is any documentation available for this tool? The XML templates don't seem the most intuitive to update. The default template gives me an issue count by category (e.g. 'Dead code: Unused method') but I'd like this breakdown with Fortify Priority Order (Critical, High, Medium etc.) too. – Chris B May 20 '14 at 12:05
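
The per-group counts that the comments describe in the XML report's IssueListing section can be extracted for a custom summary page with a short script. This is an added example, not part of the original posts or Fortify's own code; apart from IssueListing, the element and attribute names (GroupingSection, groupTitle, count, Issue) and the sample XML are assumptions to verify against your own report file.

```python
import xml.etree.ElementTree as ET

# Constructed sample, NOT real ReportGenerator output. Only "IssueListing" is
# named on this page; GroupingSection, groupTitle, count and Issue are assumed
# names. Compare them with the XML your ReportGenerator run actually writes.
SAMPLE_XML = """<ReportDefinition><ReportSection><SubSection>
  <IssueListing><Chart>
    <GroupingSection count="3">
      <groupTitle>Dead code: Unused method</groupTitle>
    </GroupingSection>
    <GroupingSection>
      <groupTitle>Constructed Category</groupTitle>
      <Issue/><Issue/>
    </GroupingSection>
  </Chart></IssueListing>
</SubSection></ReportSection></ReportDefinition>"""


def local(tag):
    """Strip any '{namespace}' prefix so lookups work with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def issue_counts(xml_text):
    """Return {group title: issue count} for every group under IssueListing."""
    root = ET.fromstring(xml_text)
    counts = {}
    for listing in (e for e in root.iter() if local(e.tag) == "IssueListing"):
        for group in (e for e in listing.iter() if local(e.tag) == "GroupingSection"):
            title = next((c.text or "" for c in group if local(c.tag) == "groupTitle"), "")
            title = title.strip() or "(untitled)"
            attr = group.get("count")
            if attr is not None and attr.strip().isdigit():
                n = int(attr)
            else:
                # No usable count attribute: count the issues listed in the group.
                n = sum(1 for c in group if local(c.tag) == "Issue")
            counts[title] = counts.get(title, 0) + n
    return counts


if __name__ == "__main__":
    result = issue_counts(SAMPLE_XML)
    for title, n in result.items():
        print(f"{n:5d}  {title}")
    print(f"{sum(result.values()):5d}  TOTAL")
```

In a nightly build, read the generated XML file and pass its text to `issue_counts`, then render the returned dictionary into the summary page.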