VBP and HP Fortify
James.Mathews
08-14-2013, 03:27 PM
I am using VBP 7.7a
Is there a way to turn off quotation marks around the default location of the Devenv / MSBuild / VCBuild?
Is there a way to turn off escape characters around the same? similar to:{Tools\Application Options\Logging(More)\"Escape special characters in step output macros"}
Alternatively is there a way to keep VBP from inserting "&&" after "Command to run before main command"?
Also how does VBP determine the default location of devenv?
Thank you,
James Mathews
kinook
08-14-2013, 04:05 PM
I am using VBP 7.7a
Is there a way to turn off quotation marks around the default location of the Devenv / MSBuild / VCBuild?
If the executable path+filename contains spaces, quotes are required and will be included. If the filename doesn't contain spaces, quotes are not required and will not be included.
Is there a way to turn off escape characters around the same? similar to:{Tools\Application Options\Logging(More)\"Escape special characters in step output macros"}
What escape characters? Please provide more info.
http://www.kinook.com/Forum/showthread.php?t=3044
Alternatively is there a way to keep VBP from inserting "&&" after "Command to run before main command"?
No -- that is required syntax for executing multiple commands at once.
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/ntcmds_shelloverview.mspx?mfr=true
Also how does VBP determine the default location of devenv?
The Make VS* actions determine the version of the solution/project being built and attempt to locate the corresponding version of devenv.com.
James.Mathews
08-14-2013, 04:47 PM
If the executable path+filename contains spaces, quotes are required and will be included. If the filename doesn't contain spaces, quotes are not required and will not be included.
I need to override this behavior. I need to end up with something like this:
{[1]"}sourceanalyzer{[1]"} -b %someBuildID% {[2]"}%devenv%{[2]"} {[3]"}%solutionToCompile%{[3]"} %anyBuildVariables%
where {[x]"} indicate quotes that follow the behavior you outlined and x indicates a set (both must be either present or absent.)
What escape characters?
I include a quote in the override devenv path, something like this:
"sourceanalyzer -b %buildID% "%devenv%
hoping for:
""sourceanalyzer -b someBuildID "pathtodevenv\devenv.com" ....
but getting:
"\"sourceanalyzer -b someBuildID \"pathtodevenv\devenv.com" ....
No -- that is required syntax for executing multiple commands at once.
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/ntcmds_shelloverview.mspx?mfr=true
I understand, but I need to pass:
%devenv% %solutionToCompile% %anyBuildVariables%
as parameters to sourceanalyzer -b %buildID%
The Make VS* actions determine the version of the solution/project being built and attempt to locate the corresponding version of devenv.com.
Yes, but where does Make VS* get the information? If it is the registry I can set a Write Registry at the beginning of each section of the script to change it to:
sourceanalyzer -b %buildID% %correctDEVENV%
and reset it afterwards. Using this solution I would still need to overcome the quotation issue from above, but would save me a lot of time modifying each step by hand.
Also, before you suggest using something like "Run Script", let me explain my situation...
To give you an idea of the size of the project: using VBP it takes over 14 hours to compile. One of the 2 current versions of this software utilizes VB6 and VS2010; the other version uses VS2010, VS2008, VS2005, and VB6 (it is the older version). The older version has over 2000 steps; the newer is segmented across ~40 build files.
In addition, we are not the developers, we provide software assurance on these products for the US Govt. Every time the developer drops new software, we provide static code analysis and regression testing on it. They use VBP 7.7a, and every time there is a new drop we get a new set of build files.
Thank you for your assistance,
James Mathews
kinook
08-14-2013, 05:25 PM
There isn't a way to prevent quoting of the devenv command or escaping of additional extra quote characters added to a command.
Locating devenv.com does use registry lookups, but it's fairly involved for the various versions, bitness of Windows, fallback to App Paths, etc.
I think you might need to use a Run Program action and call sourceanalyzer directly. You could use the object model to iterate over all Make VS steps in the projects and create matching Run Program steps calling sourceanalyzer.
http://www.kinook.com/VisBuildPro/Manual/objectmodel.htm
http://www.kinook.com/VisBuildPro/Manual/scriptsample.htm
Another possibility might be to create your own custom executable that calls sourceanalyzer, and specify that executable in the Override field on the Options tab of the Make VS action.
http://www.kinook.com/VisBuildPro/Manual/vsnetoptionstab.htm
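A sketch of the custom-executable approach suggested in the post above, as an added example that is not part of the thread and not Kinook or HP code. It assumes VBP hands the Override executable the same arguments it would pass to devenv.com, and `FORTIFY_BUILD_ID` and `DEVENV_PATH` are hypothetical environment variable names; the `sourceanalyzer -b <id> <devenv> <args>` layout is the one described earlier in the thread.

```python
"""Wrapper for the Make VS Override field (added example, not Kinook or HP code).

Assumptions: VBP passes the override executable the same arguments it would
pass devenv.com; FORTIFY_BUILD_ID and DEVENV_PATH are hypothetical environment
variable names set by the build before this step runs.
"""
import os
import subprocess
import sys


def build_command(devenv_args, env):
    """Return the argv list: sourceanalyzer -b <id> <devenv> <original args>."""
    build_id = env.get("FORTIFY_BUILD_ID", "").strip()
    devenv = env.get("DEVENV_PATH", "").strip().strip('"')
    if not build_id or not devenv:
        # Fail closed: a build that silently skips analysis is worse than a
        # broken build when the purpose of the run is the scan.
        raise ValueError("FORTIFY_BUILD_ID and DEVENV_PATH must both be set")
    # Each argument stays its own list element, so no manual quoting or
    # escaping is needed; the process launcher quotes only where required.
    return ["sourceanalyzer", "-b", build_id, devenv, *devenv_args]


def windows_command_line(argv):
    """Show the command line Windows would receive for this argv list."""
    return subprocess.list2cmdline(argv)


def main():
    try:
        argv = build_command(sys.argv[1:], os.environ)
    except ValueError as exc:
        print(f"fortify wrapper: {exc}", file=sys.stderr)
        return 2
    # shell=False (the default): no cmd.exe parsing, so && and quotes in
    # arguments are passed through literally.
    return subprocess.call(argv)


if __name__ == "__main__":
    sys.exit(main())
```

Because the command is built as a list rather than a single string, paths with spaces are quoted once by the launcher and the nested-quote escaping described earlier in the thread does not arise.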
James.Mathews
08-14-2013, 05:32 PM
I think you might need to use a Run Program action and call sourceanalyzer directly. You could use the object model to iterate over all Make VS steps in the projects and create matching Run Program steps calling sourceanalyzer
I will look into this.
Another possibility might be to create your own custom executable that calls sourceanalyzer, and specify that executable in the Override field on the Options tab of the Make VS action.
http://www.kinook.com/VisBuildPro/Manual/vsnetoptionstab.htm
I have considered this approach, was hoping to avoid it.
Is there any possibility of integrating Fortify into future versions of VBP? Say a check box in the to turn it on and a textbox to enter a build id in the various Make VS* actions?
It won't help me now but down the road it probably will (up to the developer)
Thank you,
James Mathews
kinook
08-14-2013, 09:09 PM
Possibly. Does the vendor provide a trial download or online documentation for the product?
James.Mathews
08-15-2013, 07:40 AM
Possibly. Does the vendor provide a trial download or online documentation for the product?
I just sent an email to my HP contact, we'll see what he says.
kinook
10-25-2013, 04:13 PM
In the latest build (8.5.0.1), there is a new Prefix main command option on the Advanced tab of Run Program and derived actions to prefix the main command instead of running as a separate command (&&), which should allow you to call sourceanalyzer from a Make VS* action.