Wednesday, December 15, 2010

Fortify report templates using ReportGenerator

Fortify's Static Code Analysis tool lets us create scan reports with the command line utility ReportGenerator.
By default ReportGenerator creates the report using the template OWASP2007.xml.
Here is an example of generating a PDF scan report from the command line:
ReportGenerator -format pdf -f outputFile.pdf -source dev-rkm-KMS-aggregate.fpr
The report can be created in pdf, rtf or xml format.

Sometimes we get an error like
Xlib: connection to "localhost:10.0" refused by server
Xlib: PuTTY X11 proxy: wrong authentication protocol attempted

It means ReportGenerator tries to open an X window and your server does not have an X server running. You can try running a simple X application such as xcalc or xterm on the machine to make sure the X server is working.

There is also an option, -template, with which we can generate reports based on different templates. This option is not well documented: "ReportGenerator -help" only says
-template       The Fortify Report template used to define the report.

but it does not say which template names are available.

Still, we can find the available templates in the directory fortify-install-dir/Core/config/reports.
Available templates are
1) DefaultReportDefinition.xml
2) DeveloperWorkbook.xml
3) OWASP2004.xml
4) OWASP2007.xml
5) ScanReport.xml

Here is an example of using the -template option:
ReportGenerator -format pdf -f outputFile.pdf -source dev-rkm-KMS-aggregate.fpr -template "ScanReport.xml"
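As an added example that is not part of the original post: a small POSIX sh wrapper around ReportGenerator that lists the templates in the reports directory, validates the format, the .fpr source and the template name before invoking the tool, and refuses to run when DISPLAY is unset (the situation behind the Xlib error above). It assumes the environment variable FORTIFY_HOME points at fortify-install-dir and that the ReportGenerator binary lives in its bin subdirectory; both are assumptions, not something the post states.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Assumption: FORTIFY_HOME is the Fortify install directory and ReportGenerator is in $FORTIFY_HOME/bin.
FORTIFY_HOME="${FORTIFY_HOME:-/opt/Fortify}"
TEMPLATE_DIR="$FORTIFY_HOME/Core/config/reports"

# Print the template file names found in the reports directory, one per line.
list_templates() {
    dir="${1:-$TEMPLATE_DIR}"
    [ -d "$dir" ] || { echo "template directory not found: $dir" >&2; return 1; }
    for f in "$dir"/*.xml; do
        [ -f "$f" ] && basename "$f"
    done
}

# Accept only the output formats ReportGenerator supports (pdf, rtf, xml).
valid_format() {
    case "$1" in
        pdf|rtf|xml) return 0 ;;
        *) return 1 ;;
    esac
}

# Validate format, source file and (optional) template before anything is launched.
check_report_args() {
    fmt="$1"; src="$2"; tpl="$3"; dir="${4:-$TEMPLATE_DIR}"
    valid_format "$fmt" || { echo "unsupported format: $fmt (use pdf, rtf or xml)" >&2; return 1; }
    case "$src" in
        *.fpr) ;;
        *) echo "source must be an .fpr file: $src" >&2; return 1 ;;
    esac
    if [ -n "$tpl" ] && [ ! -f "$dir/$tpl" ]; then
        echo "template not found in $dir: $tpl" >&2
        return 1
    fi
    return 0
}

# Print the command line that would be run (useful for review and for scripting).
build_report_cmd() {
    fmt="$1"; out="$2"; src="$3"; tpl="$4"; dir="${5:-$TEMPLATE_DIR}"
    check_report_args "$fmt" "$src" "$tpl" "$dir" || return 1
    if [ -n "$tpl" ]; then
        printf 'ReportGenerator -format %s -f %s -source %s -template %s\n' "$fmt" "$out" "$src" "$tpl"
    else
        printf 'ReportGenerator -format %s -f %s -source %s\n' "$fmt" "$out" "$src"
    fi
}

# Run ReportGenerator with validated arguments; fail early when no X display is
# available, since the tool opens an X connection and would otherwise die with
# "Xlib: connection ... refused by server".
run_report() {
    fmt="$1"; out="$2"; src="$3"; tpl="$4"
    check_report_args "$fmt" "$src" "$tpl" || return 1
    [ -n "$DISPLAY" ] || { echo "DISPLAY is not set; ReportGenerator needs a running X server" >&2; return 1; }
    if [ -n "$tpl" ]; then
        "$FORTIFY_HOME/bin/ReportGenerator" -format "$fmt" -f "$out" -source "$src" -template "$tpl"
    else
        "$FORTIFY_HOME/bin/ReportGenerator" -format "$fmt" -f "$out" -source "$src"
    fi
}

# Usage: sh report.sh pdf outputFile.pdf dev-rkm-KMS-aggregate.fpr ScanReport.xml
if [ "$#" -gt 0 ]; then
    run_report "$@"
fi
```

The arguments are passed to ReportGenerator directly rather than through eval, so a file name containing shell metacharacters cannot change the command that runs; build_report_cmd only prints the equivalent command line for review.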

4 comments:

Anonymous said...

Hi, I tried using the report generator option to generate a report in rtf format with all the instances, say 30000 issues, but I was not able to generate the report with all instances.

For example, let's say XSS is 6000 of those 30000 issues, but none of the XSS issues were reported in the report. I need all the 6000 instances of XSS to be reported in the report.

Can you please help me in achieving the desired result.

Thanks

Unknown said...

Hi, I tried to generate a Fortify report for an application, that means a child application; it gives an error. How can I achieve that?

Richard Dingwall said...

Thanks for this - the documentation is not very clear.

Also it seems on some installations of SCA 3.8.0, reportgenerator.bat is missing from the bin directory. (you can just copy it from another installation).

Unknown said...

Hi
I am trying to generate the pdf through MAVEN. Do you know how to do that?