I'm trying to build a fortify report using BIRTReportGenerator as outlined in the SCA user guide. The scans work fine and generate an fpr file, but when I run the report generator I get the following error.
FPR source file not found or not readable.
Here are the commands I'm using. These were cut and pasted straight from the user guide. The only thing modified is the paths.
sourceanalyzer -b myproject -clean
sourceanalyzer -b myproject -cp /Users/ginger.mcmurray/Mobuyle-Android-New-Ui/MobuyleCore/libs -Dcom.fortify.sca.SuppressLowSeverity=true -Dcom.fortify.sca.LowSeverityCutoff=10.0 -jdk 1.6 MobuyleCore/src
sourceanalyzer -b myproject -scan -f results.fpr
BIRTReportGenerator -template "OWASP Top 10" -source results.fpr -format PDF -showSuppressed --Version "OWASP Top 10 2013" --UseFortifyPriorityOrder -output MyOWASP_Top10_Report.pdf
If I use ReportGenerator instead, everything works. However, I need the ability to create BIRT reports for our security department.
This is for an android java project, just in case that changes anything.
Also, I get a lot of unknown function and reference issues for things that are inside my jar files, despite including the path in the command.
Output from BIRTReportGenerator with -debug option.
Start VM: -Xms40m
-Xmx1088m
-XX:MaxPermSize=320m
-XX:-UseCompressedOops
-Xdock:icon=../Resources/Awb.icns
-XstartOnFirstThread
-Dorg.eclipse.swt.internal.carbon.smallFonts
-Dcom.fortify.InstallRoot=../../../../../../..
-Djava.awt.headless=true
-Dcom.fortify.InstallRoot=/Applications/HP_Fortify/HP_Fortify_SCA_and_Apps_16.10/bin/..
-Xmx1000M
-XX:MaxPermSize=256m
-Djava.class.path=/Applications/HP_Fortify/HP_Fortify_SCA_and_Apps_16.10/Core/private-bin/awb/eclipse/Auditworkbench.app/Contents/MacOS//../../../plugins/org.eclipse.equinox.launcher_1.3.0.v20140415-2008.jar
-os macosx
-ws cocoa
-arch x86_64
-launcher /Applications/HP_Fortify/HP_Fortify_SCA_and_Apps_16.10/Core/private-bin/awb/eclipse/Auditworkbench.app/Contents/MacOS/eclipse
-name HPE Security Fortify Report Generation
--launcher.library /Applications/HP_Fortify/HP_Fortify_SCA_and_Apps_16.10/Core/private-bin/awb/eclipse/Auditworkbench.app/Contents/MacOS//../../../plugins/org.eclipse.equinox.launcher.cocoa.macosx.x86_64_1.1.200.v20150204-1316/eclipse_1607.so
-startup /Applications/HP_Fortify/HP_Fortify_SCA_and_Apps_16.10/Core/private-bin/awb/eclipse/Auditworkbench.app/Contents/MacOS//../../../plugins/org.eclipse.equinox.launcher_1.3.0.v20140415-2008.jar
--launcher.appendVmargs
-application com.hp.fortify.birt.report.generator.console.Application
-data /Users/ginger.mcmurray/.fortify/BIRT16.10/workspace
-configuration /Users/ginger.mcmurray/.fortify/BIRT16.10/configuration442
-template OWASP Top 10
-source results.fpr
-format PDF
-showSuppressed
--Version OWASP Top 10 2013
--UseFortifyPriorityOrder
-debug
-output MyOWASP_Top10_Report.pdf
-consoleLog
-vm /Applications/HP_Fortify/HP_Fortify_SCA_and_Apps_16.10/jre/lib/jli/libjli.dylib
-vmargs
-Xms40m
-Xmx1088m
-XX:MaxPermSize=320m
-XX:-UseCompressedOops
-Xdock:icon=../Resources/Awb.icns
-XstartOnFirstThread
-Dorg.eclipse.swt.internal.carbon.smallFonts
-Dcom.fortify.InstallRoot=../../../../../../..
-Djava.awt.headless=true
-Dcom.fortify.InstallRoot=/Applications/HP_Fortify/HP_Fortify_SCA_and_Apps_16.10/bin/..
-Xmx1000M
-XX:MaxPermSize=256m
-Djava.class.path=/Applications/HP_Fortify/HP_Fortify_SCA_and_Apps_16.10/Core/private-bin/awb/eclipse/Auditworkbench.app/Contents/MacOS//../../../plugins/org.eclipse.equinox.launcher_1.3.0.v20140415-2008.jar
Configuration location:
file:/Users/ginger.mcmurray/.fortify/BIRT16.10/configuration442/
Configuration file:
file:/Users/ginger.mcmurray/.fortify/BIRT16.10/configuration442/config.ini loaded
Install location:
file:/Applications/HP_Fortify/HP_Fortify_SCA_and_Apps_16.10/Core/private-bin/awb/eclipse/
Configuration file:
file:/Applications/HP_Fortify/HP_Fortify_SCA_and_Apps_16.10/Core/private-bin/awb/eclipse/configuration/config.ini loaded
Loading timestamp file from:
file:/Users/ginger.mcmurray/.fortify/BIRT16.10/configuration442/ .baseConfigIniTimestamp
No timestamp file found
Timestamps found:
config.ini in the base: 1458848541000
remembered -1
Shared configuration location:
file:/Applications/HP_Fortify/HP_Fortify_SCA_and_Apps_16.10/Core/private-bin/awb/eclipse/configuration/
Framework located:
file:/Applications/HP_Fortify/HP_Fortify_SCA_and_Apps_16.10/Core/private-bin/awb/eclipse/plugins/org.eclipse.osgi_3.10.2.v20150203-1939.jar
Loading extension: reference:file:org.eclipse.osgi.compatibility.state_1.0.1.v20140709-1414.jar
eclipse.properties not found
Framework classpath:
file:/Applications/HP_Fortify/HP_Fortify_SCA_and_Apps_16.10/Core/private-bin/awb/eclipse/plugins/org.eclipse.osgi_3.10.2.v20150203-1939.jar
file:/Applications/HP_Fortify/HP_Fortify_SCA_and_Apps_16.10/Core/private-bin/awb/eclipse/plugins/
file:/Applications/HP_Fortify/HP_Fortify_SCA_and_Apps_16.10/Core/private-bin/awb/eclipse/plugins/org.eclipse.osgi.compatibility.state_1.0.1.v20140709-1414.jar
Debug options:
file:/Applications/HP_Fortify/HP_Fortify_SCA_and_Apps_16.10/Core/private-bin/awb/eclipse/Auditworkbench.app/Contents/MacOS/.options not found
Time to load bundles: 5
Starting application: 864
FPR source file not found or not readable.
There seems to be a bug in the
BIRTReportGenerator
in versions 16.10/16.20 when on the MacOS having to do with relative paths.This has been fixed in 17.10 (current version as of Oct 2017).
I do not know of a workaround, you can try contacting Fortify Technical Support ([email protected]) and see if they have a workaround.