Fortify and source code repositories - configuration

I am starting with HP Fortify SCA and I want to know how connect it to a source code repository. I read and look for how to integrate it but I didn't find anything about it.

You could try using Jenkins (https://jenkins-ci.org/) to download your code from a repository and then call HP Fortify from Jenkins. You could even use Jenkins to trigger automatic analysis with HP Fortify whenever it detects a new version or once a day/week/month.

Fortify does not natively make a direct connection to the repo. The code has to be local to the scan so that it can be cleaned, translated, and compiled.
Jenkins could probably do it like #Syslog said, but personally I wouldn't until you are very familiar with how Fortify runs against your codebase. If you are just getting started with Fortify, run it manually for a few months until you learn its (many, many ) quirks.

Related

DIY Tomcat, where is the webapp folder on the local git repo

following OpenShift tutorials, creating a tomcat application and clone it, the local repository will contain a pom.xml, webapp folder.
What's the equivalent on a diy application that contain a diy and misc folders
Thank's in advance, any help is appreciated cause I'm really stuck here !?
Update
Well I've install a Tomcat 8 DIY application following this tutorial here everything works fine, I can see the Tomcat page in the browser, the problem is how to deploy a .war file.
For a Tomcat 6/7 application on OpenShift, the local git repository have this structure:
____Tomcat7/6
|_________ webapp
|_________ src
|_________ pom.xml
But for a Tomcat 8 DYI application I have this structure
________Tomcat8/diy
|__________ Diy
|__________ misc
|__________ readme
So Where to deploy my .war files, cause there is no webapp folder?
The title of your question suggests that you are mixing up at least 5 different, completely independent & orthogonal tools and concepts:
Git is a version control system ("push", "local repo")
Maven is a build tool ("pom.xml")
Apache Tomcat is a servlet container ("Tomcat 6/7/8")
rhc is some client tool provided by yet another cloud computing platform ("OpenShift")
Your code is the stuff that you have written, it's completely under your responsibility.
Before you start doing anything, please make sure that you have at least some basic understanding of what each of these tools does. Then ask yourself whether you really need Tomcat 8 instead of Tomcat 7, and whether a 2 year blog post about the compilation of Tomcat 8 within an OpenShift gear is the best source. All these deployment details can change pretty quickly, if it worked two years ago, it's not guaranteed that it would work now.
I've never worked with OpenShift, but as far as I understand, the basic idea is this:
You write your code
You create your OpenShift account and allocate some "Gear" (or "Dyno" or whatever...) for your application
You commit your source code (/src) and the files that are necessary for the build (pom.xml), and use git to push it to the repository OpenShift gave you.
OpenShift then uses your pom.xml and builds all the WAR-files on it's own
Then you can use your rhc client tool to start your application, if that's not done automatically.
Some of these steps can be changed.
If you really have to, you can indeed compile your own Tomcat8, the tutorial you linked tells you how (more or less. The dude who did it obviously knew what he was doing there, so he might have skipped some details that seemed trivial to him).
Furthermore, if you really want, you can deploy pre-packaged WAR-files, by deliberately removing all the stuff that is necessary to build you app (removing pom.xml and all the /src), and instead adding the packaged application to your git repo, and then pushing it all to OpenShift. Then it will skip the build step, and just run what you gave it. OpenShift seems to provide some information about this deployment strategy: https://help.openshift.com/hc/en-us/articles/202399740. Please read the documentation and make sure you understand what you want to do. For example, filter-branching your git repo and removing all source files you have ever written is not a good idea, even if you don't need these files on OpenShift.
Currently, I don't see anything of the standard tomcat directory structure in the tree that you show. Instead, there seem to be just some basic ruby-scripts or some other default-demo-app-stuff... That's why it's called "do it yourself". If you don't want this, take a standard Tomcat7 app.

How to bundle jre with .exe file created from .jar

I created .exe file from .jar file .Now my client demands to run the application without installing jre in the sytem.I have heard that with bundled jre it is possible ...but i dont know how to bundle jre with .exe file..
The JavaFX is working on this. Here are the up-coming features in Java SE 7 u10:
https://blogs.oracle.com/talkingjavadeployment/entry/packaging_improvements_in_jdk_7#3
https://blogs.oracle.com/talkingjavadeployment/entry/packaging_improvements_in_jdk_7
I have used VMware ThinApp to do exactly what you are trying to do. It does cost money, but works extremely well. It allows you to roll up all the dependencies your application uses into a single executable that can then run on vanilla installations of Windows. It can be used for a lot more than just Java, and it does so by recording the changes you make to a system after installing your application + the JRE for example, and then wraps up all of those changes. It certainly simplifies application deployment, since the applications are now portable. I've even used it to roll up Visual C++ redistributables, and .NET as well. This certainly increases the size of the executable, but it's also convenient knowing the application will run successfully. See more info at http://www.vmware.com/products/thinapp/overview.html.
The open source Launch4j allows you to produce an exe with an embedded JRE. This SO article also discusses this topic. Caveat: I've had very good success with Launch4j, but never used the embedded JRE feature.

How to implement continuous deployment with Nexus and Jenkins

I'm trying to implement a continuous deployment system and I seem to not be able to find a good answer for our problem.
We use Jenkins to run a maven build to generate our artifacts and deploy them to Nexus. I see a few projects that bundle up everything into a single war or tar file, extract one file per request from Nexus by name and deploy it to an application server, but this requires them to know beforehand what versions they have available.
My project has quite a few jars/wars/binaries among other artifacts, which don't get deployed using an application server. What we want to do is be able to do is pull any snapshot or release revision of the software out of nexus and either generate an install package or deliver it directly to a remote server.
Clarification: I want QA or development to be able to select a version from Jenkins; where Jenkins will poll Nexus for the available versions, then perform an automated deploy to a server from Nexus.
Is there an easy nexus/maven way to get software out to a testing system?
So, is there a way to poll nexus to determine what revisions are available through ant/ivy, Jenkins, maven, gradle? I'll write in something else if it helps.
I see that a similar question was asked here: How do I choose an artifact from Nexus in a Hudson / Jenkins job?, but it is as of yet unanswered 9 months later.
Nexus gives you a standard HTTP browsing capability. You could browse the repository through HTTP and see what is available.
I still don't understand your Use Case though. If you know which versions of the project you want then what is the problem?
The easiest would be to write an installer pom.xml that has in it a ${} placeholder for the version you want for the artifacts then invoke mvn with mvn package -Dproduct.version=1.0.0
If you use a container, PAX has plugins that allow you to specific artifacts like mvn:myGroup/myArtifact/myVersion and it will auto pull from Maven.
Nexus isn't doing any magic. It's all well known paths on a URL of groups/artifactId/versions

How do I install a program that involves make, configure, and build?

I knew this day would come, so I guess it is here. (P.S. I am on windows XP).
I am trying to use this program here. I installed it fine, but it doesnt seem to work when I type in equations. So I went back to the site and it says I need JRE version 5.0 or above, (check). Then it also says I need dvipng, which I dont think I have.
So I went to the site it tells me to, (here), and I downloaded the most recent one, "dvipng-1.14.tar.gz". I unzipped it and I have it all sitting in one directory.
Ok... now what?
Im afraid I need guidance on exactly how to proceed here. The readme and installation instructions say to run "./configure", then "make", etc, I opened the command prompt and did all that but doesnt recognize. I have never had to build in this way, I always used an IDE for compiling C++ programs that I write myself. (Anyway, why am I even having to make an exe why dont they just make one and let us download that?)
Very confused as to what I need to do here, appreciate some step by step help.
Thank you
Even though Mohammad's problem was solved in the comments, I'll have a go at answering his question:
To run a build system that uses ./configure, you need something that can run shell scripts, as well as the usual suite of unix tools that the script expects, plus a compiler that behaves in the standard sort of way.
The two projects that I know of that do this are cygwin and MSYS. cygwin is aimed at creating a full POSIX environment on windows, while MSYS is an add-on to MinGW that aims to provide just the parts needed to run a ./configure script and build a program.

Execute command in Hudson as Post-build Actions

I am new in Hudson.
I would like to execute a 'sourcecodeanalyzer' command in Hudson as Post-build Actions to generate an html report. Please let me know is this at all possible, if yes let me know the Hudson configuration steps to execute the command.
Your earliest response in this regard will be extremely helpful.
Thanks in advance.
Yes, it is almost certainly possible.
You will need to configure the Hudson project to have either a post-build action or a build step that runs your source code analyzer.
You've not stated in your question precisely which analyzer - it may be that Hudson already has a plug-in installed for it, in which case it may be listed on the Config page for the project at the bottom under Post-build Actions.
If not, next check to see if there's a plug-in available for the analyzer that hasn't been installed. From the main Hudson page select Manage Hudson, then Manage Plugins, and choose the Available tab. If there is a plug-in available it's definitely a good idea to use it as they are generally very well integrated with Hudson itself.
As a last resort you'll have to configure a build step to run the analyzer. Configure the project, then choose "Add build step". The drop-down that appears depends on your environment (Windows or Linux) but should include the ability to run a shell command or batch file. You can configure your analyzer there.
(If you're building Windows Visual Studio applications, a more flexible way that I've used is to use the MSBuild plug-in for builds, and have an MSBuild script that builds the application and then runs analysis tools. This can automate pretty much everything: mine builds the application, builds an acceptance test database, runs the acceptance tests and copies the result HTML to a page linked from the project.)
You could create a new job with a "Execute Shell" build step. Type in the command you wish to run in the text box. Then all you have to do is trigger this job by selecting:
"Build after other projects are built"
And select the trigger job from the list.
Hope this helps!
As a follow up to Jeremy's post. If you don't see the ability to add post build steps, you might work with maven jobs. In that case you need the Hudson M2 Extra Steps Plugin. This will give you pre and post build steps.
I use the 'Post build task' plugin to delete some resources after a build. You could call any shell script or command lines. If you want you could make the call depends on some logging output.
there is one best way to solve this:
Upgrade to Fortify SCA 2.6.x (as of writing, latest version is 2.6.5).
Download the Fortify Maven Plugin version 2.6 from https://customerportal.fortify.com and install it into your Hudson server's Maven repository.
Update your project's pom to carry out the Fortify scan. There is an example provided with the Maven plugin.
Currently , I am experiment with sonar plug in. It looks great check the details here
http://sonar.codehaus.org/a-new-hudson-plugin-for-a-closer-integration-with-sonar/
http://wiki.hudson-ci.org/display/HUDSON/Sonar+plugin