I recently published an article about CAT.NET, Microsoft's static security analysis tool for .NET assemblies. Once you have it running, it is fairly simple to integrate into your continuous integration process.
Our strategy here will be to use a downstream job in Hudson to run static security analysis on the application build after the main compilation/packaging job completes. The main job gets a “Build other projects” post-build action that triggers the scanning job, and the scanning job uses a custom workspace pointing at the main job's workspace, so it analyzes exactly the assemblies that were just built.
- First, install the 64-bit command-line version of CAT.NET from my original post (see above). In my case, I installed it in C:\SecureCI\CAT.NET64.
- Next, set up your job:
- Create a free-style job called “App-Analyze”
- Click the “Advanced…” button under Advanced project options to display the additional project configuration options
- Check “Use custom workspace” and enter the workspace path of the ORIGINAL build project, so the scan runs against the output that job produced rather than a fresh checkout
- Add a build step of type “Execute Windows batch command” containing the following script (the DLL path is set once and reused; `CD /D` also switches drives in case the custom workspace lives on a different drive than the slave's default):

```batch
:: Run CAT.NET on MyApp
CD /D %WORKSPACE%\trunk
set PATH=C:\SecureCI\CAT.NET64;%PATH%
set DLL=MyApp\obj\Debug\MyApp.dll
CatNetCmd64.exe /file:%DLL% /verbose:Debug /report:MyApp.AnalysisReport.xml /reportxsloutput:MyApp.Report.html
```
- Add the “Archive the artifacts” post-build action with the following patterns: “**/*.Report.html, **/*.AnalysisReport.xml”
- Save your job
That’s it. Run your job. It should scan the DLL you listed and capture a Report.html and an AnalysisReport.xml file as build artifacts. The HTML report is a browser-friendly rendering of the results that you can browse directly from the Hudson UI. The XML file is useful if you want to load the results into the CAT.NET 32-bit Visual Studio add-in and inspect them there. Note that the step as written scans the Debug build under obj\Debug; point `DLL` at your Release output if that is what you ship, and remember that the batch step only fails the job when CatNetCmd64.exe exits with a non-zero code, not because the report contains findings.
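Archiving the reports is useful, but nothing above turns findings into a red build. The following is an added example, not code from the original post or from the CAT.NET tool: a small post-processing step you could run after CatNetCmd64.exe in the same job to count findings per rule from the XML report and return a non-zero exit code (which Hudson treats as a failed build step) when the total exceeds a threshold. It assumes the report holds `<Rule Name="...">` elements each containing one `<Result>` per finding; those tag names are an assumption about the report schema, so check them against a real AnalysisReport.xml before relying on the gate. The embedded sample report is constructed for the example and follows the assumed shape.

```python
"""Gate a Hudson build on a CAT.NET XML report (added example, not the original post's code).

Assumed schema (verify against your own AnalysisReport.xml):
  <Report><Rules><Rule Name="..."><Result>...</Result>...</Rule>...</Rules></Report>
"""
import sys
from collections import Counter
import xml.etree.ElementTree as ET

# Constructed sample report, NOT real CAT.NET output. It only follows the tag
# names this script assumes, so the gate can be exercised offline.
SAMPLE_REPORT = """<?xml version="1.0" encoding="utf-8"?>
<Report>
  <Rules>
    <Rule Name="Cross Site Scripting">
      <Result>
        <ProblemDescription>Untrusted input reaches Response.Write</ProblemDescription>
        <Location>MyApp.Search.Page_Load</Location>
      </Result>
      <Result>
        <ProblemDescription>Untrusted input reaches Label.Text</ProblemDescription>
        <Location>MyApp.Profile.Render</Location>
      </Result>
    </Rule>
    <Rule Name="SQL Injection">
      <Result>
        <ProblemDescription>Untrusted input reaches SqlCommand.CommandText</ProblemDescription>
        <Location>MyApp.Data.Users.Find</Location>
      </Result>
    </Rule>
    <Rule Name="Redirection to User Controlled Site" />
  </Rules>
</Report>
"""


def load_report(path=None):
    """Parse the report at `path`, or the constructed sample when no path is given."""
    if path is None:
        return ET.fromstring(SAMPLE_REPORT)
    return ET.parse(path).getroot()


def count_findings(root):
    """Return {rule name: number of direct <Result> children} for every <Rule>.

    Rules with zero findings are kept (count 0) so the summary shows which checks
    ran. The Rule/Result/Name names are the assumed schema described above.
    """
    counts = Counter()
    for rule in root.iter("Rule"):
        name = rule.get("Name", "(unnamed rule)")
        counts[name] += len(rule.findall("Result"))  # creates the key even when 0
    return dict(counts)


def should_fail(counts, max_allowed=0):
    """Gate decision: fail when the total number of findings exceeds the threshold."""
    return sum(counts.values()) > max_allowed


def main(argv):
    """Usage: python catnet_gate.py [MyApp.AnalysisReport.xml] [max_allowed_findings]"""
    path = argv[1] if len(argv) > 1 else None
    threshold = int(argv[2]) if len(argv) > 2 else 0
    counts = count_findings(load_report(path))
    for name, n in sorted(counts.items(), key=lambda kv: -kv[1]):
        print(f"{n:4d}  {name}")
    total = sum(counts.values())
    if should_fail(counts, threshold):
        print(f"FAIL: {total} finding(s) exceeds threshold {threshold}")
        return 1  # non-zero exit fails the Hudson build step
    print(f"OK: {total} finding(s) within threshold {threshold}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as a second line in the batch step, for example `python catnet_gate.py MyApp.AnalysisReport.xml 0`, after CatNetCmd64.exe has written the report; with no arguments it evaluates the constructed sample and exits 1 because that sample contains three findings. Start with a threshold equal to the current finding count on a legacy code base and ratchet it down, otherwise the first run simply breaks the build for everyone.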