How to run Fortify Static Code Analyzer in a container

Question

How do I run Fortify SCA in a container?

Answer

Fortify supports installing Fortify SCA into a Docker image so that it can be run as a Docker container. Fortify SCA can only be run in Docker on supported Linux platforms. The sections below describe how to install and run Fortify SCA in a container.

Creating an Options File

Fortify SCA must be installed without any user prompts. An options file enables this by supplying the installation settings in a configuration file. The options file is a text file with properties in the form key=value. Any file name can be used, because its path is passed on the command line.

For a full list of options that may be specified, run the installer with the --help option (e.g., ./Fortify_SCA_and_Apps_<version>_linux_x64.run --help).

One option that must be provided is the location of the license file:

fortify_license_path=<license_file_location>

An example options file might look like the following (credit: Fortify SCA User Guide):

fortify_license_path=/opt/Fortify/fortify.license
UpdateServer=https://internalserver.abc.com
UpdateProxyServer=webproxy.abc.company.com
UpdateProxyPort=8080
MigrateSCA=1
enable-components=Samples
installdir=/opt/Fortify

Docker

Before creating a Dockerfile, prepare an options file as described above so Fortify SCA will install without user prompts.

Then create a Dockerfile which includes the following steps:

  1. Set the Linux system to use as the base image.
  2. Install any build tools that Fortify SCA needs at translation time (e.g., a C++ compiler).
  3. Copy in the files required to install Fortify SCA:
    1. The Fortify SCA installer (e.g., Fortify_SCA_and_Apps_<version>_linux_x64.run)
    2. The Fortify license file
    3. The installation options file described above
  4. Run the Fortify SCA installer. It must be run in unattended mode with the options file: Fortify_SCA_and_Apps_<version>_linux_x64.run --mode unattended --optionfile <full_path_to_option_file>
  5. Run fortifyupdate to download the Fortify Security Content. The rulepacks are not installed automatically in unattended mode.
  6. Set the entry point to the path of the installed sourceanalyzer executable.

An example Dockerfile to install Fortify might look like the following (credit: Fortify SCA User Guide):

FROM registry.suse.com/suse/sles12sp4
COPY fortify.license ./
COPY Fortify_SCA_and_Apps_20.2.0_linux_x64.run ./
COPY installerSettings ./
RUN zypper -n install rpm-build
RUN ./Fortify_SCA_and_Apps_20.2.0_linux_x64.run --mode unattended \
   --optionfile ./installerSettings && \
   /opt/Fortify/Fortify_SCA_and_Apps_20.2.0/bin/fortifyupdate && \
   rm Fortify_SCA_and_Apps_20.2.0_linux_x64.run fortify.license installerSettings
ENTRYPOINT [ "/opt/Fortify/Fortify_SCA_and_Apps_20.2.0/bin/sourceanalyzer" ]

Finally, use the Docker build command to create the Docker image.

To run this Docker image to perform a scan, the following must be specified:

  • Mount the directory containing the source code to analyze.
  • Mount a working directory that holds the SCA build session between the translate and scan runs and receives the output files. Pass this directory (its path inside the container) with the -project-root command-line option.
  • Use the -fcontainer option in both the translate and scan commands so that Fortify SCA only uses the memory dedicated to the container.

The image must be run separately for the translate and scan commands. The following example commands mount the host source directory /sources at /src and the host output directory /scratch_local at /scratch_docker inside the container. The image name in the example is fortify-sca. (credit: Fortify SCA User Guide)

Translation phase:

docker run -v /scratch_local/:/scratch_docker -v /sources/:/src -it fortify-sca -b <build_id> -project-root /scratch_docker -fcontainer [<sca_options>] /src

Scan phase:

docker run -v /scratch_local/:/scratch_docker -it fortify-sca -b <build_id> -project-root /scratch_docker -scan -fcontainer [<sca_options>] -f /scratch_docker/results.fpr

The results.fpr file is created in the host’s /scratch_local directory.
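As an added example (not from the Fortify SCA User Guide), the following POSIX shell wrapper runs the two phases above with one shared build ID and the in-container -project-root path. It assumes the image is tagged fortify-sca and uses the guide's mount paths; it adds --rm and a read-only source mount and omits -it because it is intended for unattended CI runs.

```shell
#!/bin/sh
# Added example wrapper for the translate + scan phases; not from the Fortify guide.
set -eu

# FORTIFY_DOCKER lets a dry run or test substitute a stub for the docker binary.
: "${FORTIFY_DOCKER:=docker}"

# fortify_container_scan <build_id> <host_src_dir> <host_scratch_dir> [image]
# Both phases must use the same build ID and the same -project-root, and that
# path is the one *inside* the container (/scratch_docker), not the host path.
fortify_container_scan() {
    build_id=$1
    host_src=$2
    host_scratch=$3
    image=${4:-fortify-sca}   # assumed image tag

    # Bind mounts require absolute host paths; a relative path would be wrong.
    case "$host_src" in /*) ;; *) echo "source dir must be absolute" >&2; return 1 ;; esac
    case "$host_scratch" in /*) ;; *) echo "scratch dir must be absolute" >&2; return 1 ;; esac
    [ -d "$host_src" ] || { echo "no such source dir: $host_src" >&2; return 1; }
    mkdir -p "$host_scratch"

    # Translation phase: sources mounted read-only at /src, build session
    # written under /scratch_docker. -fcontainer caps SCA at the container's memory.
    "$FORTIFY_DOCKER" run --rm \
        -v "$host_scratch":/scratch_docker -v "$host_src":/src:ro \
        "$image" -b "$build_id" -project-root /scratch_docker -fcontainer /src

    # Scan phase: only the scratch mount is needed; the FPR lands on the host
    # at $host_scratch/results.fpr because /scratch_docker is that directory.
    "$FORTIFY_DOCKER" run --rm \
        -v "$host_scratch":/scratch_docker \
        "$image" -b "$build_id" -project-root /scratch_docker \
        -scan -fcontainer -f /scratch_docker/results.fpr

    [ -f "$host_scratch/results.fpr" ] || { echo "scan produced no results.fpr" >&2; return 1; }
    echo "$host_scratch/results.fpr"
}
```

Run it as fortify_container_scan myapp /sources /scratch_local; the printed path is the FPR to upload or audit.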

References

Micro Focus Security Fortify Static Code Analyzer User Guide