
Fortify SCA exclude multiple directories/files with maven plugin


Sorry for the seemingly duplicate question but the other Fortify solutions didn't seem to fit my case. I'm doing scans/uploads via the maven sca plugin

<plugin>
   <groupId>com.fortify.ps.maven.plugin</groupId>
   <artifactId>sca-maven-plugin</artifactId>
   <version>4.20</version><!--$NO-MVN-MAN-VER$-->
   <configuration>
      <projectName>sample</projectName>
      <projectVersion>${appVersion}</projectVersion>
      <exclude>**/*.(LOCAL|INT).*</exclude>
   </configuration>
</plugin>

and it works

This excludes all LOCAL and INT (integration testing) property files from being scanned. Additionally, I'd like to exclude archived xsds from being scanned as well:

<exclude>**/(*.(LOCAL|INT).*)|(xsd/archive/*)</exclude>

but this does not work. In fact, not even the original working pattern is found. Any ideas?


Solution

  • I will share my solution, albeit it is a little bit of work and requires you to have access to the HP Fortify installation:

    I was tired of fussing with this for a whole day, so I did the only sensible thing and rewrote a portion of the Fortify Maven plugin! I liked ; as the separator, so I changed the TranslateMojo.java file under the maven-plugin folder as follows, then re-deployed the Fortify plugin:

    OLD Line:

    addOptionValuePair("-exclude", exclude);
    

    NEW Line:

    // Split the single <exclude> value on ';' and pass each pattern as its own -exclude option
    if(exclude != null && exclude.length() > 0){
       String[] excludeList = exclude.split(";");
       for(int i = 0; i < excludeList.length; i++){
          addOptionValuePair("-exclude", excludeList[i].trim());
       }
    }
    

    Now my project's .pom has this sca-maven-plugin definition:

    <plugin>
      <groupId>com.fortify.ps.maven.plugin</groupId>
      <artifactId>sca-maven-plugin</artifactId>
      <version>4.20</version>
      <configuration>
        <projectName>sample</projectName>
        <projectVersion>${appVersion}</projectVersion>
        <exclude>**/*.(LOCAL|INT).*;**/xsd/archive/*</exclude>
      </configuration>
    </plugin>
    

    The sca-translate-war.txt file that Maven generates and uses as part of the translate step now has an -exclude for each pattern provided:

    "-exclude" "**/*.(LOCAL|INT).*" "-exclude" "**/xsd/archive/*"

    This worked for me and will hopefully save someone a few hours of struggle.
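As an added illustration (not code from the answer above or from the Fortify plugin itself), the stand-alone Java class below reproduces the splitting logic of the TranslateMojo change and adds the one check a practitioner would want: blank entries (a trailing ; or a doubled ;;) are dropped so they never turn into an empty -exclude value handed to the translate step. The class and method names ExcludeSplitter, splitExcludes and toTranslateArgs are invented here, and the plugin's real addOptionValuePair call is replaced by collecting the option/value tokens into a list so the result can be inspected; the sample <exclude> value is the one from the answer's POM with a stray trailing separator appended.

```java
import java.util.ArrayList;
import java.util.List;

/**
 * Turns the single <exclude> value from the POM into one Fortify -exclude
 * option per pattern, in the spirit of the TranslateMojo change above.
 * Hypothetical stand-in: the real plugin appends options through
 * addOptionValuePair(); here the tokens are gathered into a List instead.
 */
public class ExcludeSplitter {

    /** Separator chosen in the answer. */
    static final String SEPARATOR = ";";

    /**
     * Parse "a; b;;c;" into ["a", "b", "c"]: each entry is trimmed and
     * blank entries are discarded, so a stray ';' never becomes -exclude "".
     */
    static List<String> splitExcludes(String exclude) {
        List<String> patterns = new ArrayList<>();
        if (exclude == null) {
            return patterns;
        }
        for (String part : exclude.split(SEPARATOR)) {
            String trimmed = part.trim();
            if (!trimmed.isEmpty()) {
                patterns.add(trimmed);
            }
        }
        return patterns;
    }

    /** Build the argument tokens in the order they appear in sca-translate-war.txt. */
    static List<String> toTranslateArgs(List<String> patterns) {
        List<String> args = new ArrayList<>();
        for (String pattern : patterns) {
            args.add("-exclude");
            args.add(pattern);
        }
        return args;
    }

    public static void main(String[] argv) {
        // Constructed input: the answer's POM value plus a trailing ';' to show it is ignored.
        String exclude = "**/*.(LOCAL|INT).*; **/xsd/archive/*;";
        List<String> args = toTranslateArgs(splitExcludes(exclude));

        // Render the tokens quoted, the way the generated translate file lists them.
        StringBuilder line = new StringBuilder();
        for (String arg : args) {
            line.append('"').append(arg).append("\" ");
        }
        System.out.println(line.toString().trim());
    }
}
```

Running the class prints the two -exclude pairs from the answer and nothing for the trailing separator; the same splitExcludes method can be dropped into the Mojo in place of the bare split/trim loop if you rebuild the plugin as the answer describes.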