I'm trying to use Fortify sourceanalyser binary to scan an Android project. The problem is even if I set the classpath correctly, classes are not found...
Here is my command :
sourceanalyzer -b MS.ANDROID -clean;
sourceanalyzer -b MS.ANDROID -exclude androidTest -exclude gradle -exclude maven-config -exclude test -cp "/home/devuser/android-sdk-linux/platforms/android-21/android.jar:/var/lib/jenkins/workspace/myproject/**/*.jar" -source 1.7 src
My output is :
[warning]: The following references to java classes could not be resolved. Please make sure to supply all the required jar files that contain these classes to SCA.
AddressException
BasicClientCookieHC4
CancellationTokenSource
ConnectionConfig.Builder
ContentType
Continuation
Crashlytics
FileBody
HttpClientBuilder
Immutable
InternetAddress
MultipartEntityBuilder
PoolingHttpClientConnectionManager
Registry
RequestConfig.Builder
SSLConnectionSocketFactory
StringBody
SuppressFBWarnings
Task
Task.TaskCompletionSource
The android.jar is found because if I remove it I have more not found classes but all jars under the project are not found even if I give for each the full path...
If anyone have some tutorial for Fortify with Android (or included in gradle) it could be nice too.
I'm making my comment in the form of an answer because of the formatting available. So, try this:
This should tell you where, in your specified jars, at least one of those classes lies. If you don't find it in a jar, you have not specified a sufficient classpath.