FoDUploader https://emea.fortify.com/Docs/en/Content/Tools/FoDUploader/BSI_Abo...

FoDUploader
Fortify on Demand provides a build server integration (BSI) tool called FoDUploader to help you upload application code from a build
server. FoDUploader runs from the command-line on all major operating systems and thus can easily be integrated into a build script.

The benefits of using FoDUploader include:

• Sending files to Fortify on Demand without size limitations aside from those specified in Static Assessment File Requirements
• Transmitting files securely from a client workstation to Fortify on Demand
• Transmitting through a proxy, if required
• API key pair or PAT authentication

Downloading FoDUploader
FoDUploader is available as a Java application named FoDUpload.jar. FoDUpload.jar and its source code are hosted at
https://github.com/fod-dev/fod-uploader-java.

Running FoDUploader
Prerequisite: Java 8 or later must be installed.

To run FoDUploader:

In a command-line interface, run FoDUpload.jar with the appropriate arguments. You can also insert the command in your build script to
integrate with your build server. The basic syntax is:

java -jar FoDUpload.jar -z "<zip_file_path>" {-ac <key> <secret>|-uc <username> <password>} {-rid <relID>|-bsi <token>} -purl <purl> -aurl <aurl> -tc <tcode> -ep {1|SingleScanOnly|2|SubscriptionOnly|3|SingleScanFirstThenSubscription|4|SubscriptionFirstThenSingleScan}

If the command is properly executed, the command-line displays the bytes sent and the upload status. Otherwise, the command-line
displays an error message indicating the part of the command that is incorrect.

FoDUploader Arguments
The following table describes the FoDUploader arguments. Arguments can be specified in any order.

Note: Flag arguments are false by default. Include a flag to set it to true—you do not need to specify true or false.

Note: Arguments are for version 5.4.1. Details on the latest release are available at https://github.com/fod-dev/fod-uploader-java.


| Argument Name | Short | Required | Description |
|---|---|---|---|
| -zipLocation | -z | Yes | Location of the zip file. Enclose the path with quotation marks to escape special characters. |
| -entitlementPreferenceType | -ep | Yes | Entitlement preference: 1/SingleScanOnly, 2/SubscriptionOnly, 3/SingleScanFirstThenSubscription, 4/SubscriptionFirstThenSingleScan. If multiple entitlements are available, the scan will use the oldest entitlement. If the release has an active subscription, the scan will use the active subscription. |
| -apiCredentials | -ac | Yes¹ | API key and secret. |
| -userCredentials | -uc | Yes¹ | Your user credentials. Enclose the username and password separately with quotation marks to escape special characters. |
| -bsiToken | -bsi | Yes² | BSI token. |
| -releaseId | -rid | Yes² | Release ID. The release must have saved scan settings in the portal for the release ID to be used as a token. |
| -portalurl | -purl | Yes³ | Domain URL. |
| -apiurl | -aurl | Yes³ | API root URL. |
| -tenantCode | -tc | Yes³ | Tenant code if using user credentials. |
| -assessmentTypeId | -at | Yes⁴ | Assessment type ID. |
| -entitlement | -eid | Yes⁴ | Entitlement ID. |
| -technologyStackId | -ts | Yes⁴ | Technology stack as an integer: 32 (Auto Detect), 1 (.NET), 23 (.NET Core), 2 (ABAP), 21 (Apex/Visualforce), 3 (ASP), 5 (CFML), 6 (COBOL), 29 (Dart/Flutter), 22 (Go), 27 (Infrastructure-As-Code/Dockerfile), 7 (JAVA/J2EE/Kotlin), 16 (JS/TS/HTML), 18 (MBS/C/C++/Scala), 9 (PHP), 10 (PYTHON), 28 (React Native), 17 (Ruby), 12 (Swift/Objective C/C++), 11 (VB6), 14 (VBScript) |
| -languageLevelId | -l | Yes⁴ | Language level as an integer. .NET: 2 (2.0), 3 (3.0), 4 (3.5), 5 (4.0), 11 (4.5), 15 (4.6), 16 (4.7), 30 (4.8), 32 (5.0), 33 (6.0), 35 (7.0), 38 (8.0). .NET Core: 23 (1.0), 24 (1.1), 25 (2.0), 26 (2.1), 27 (2.2), 28 (3.0), 29 (3.1). Java: 8 (1.5), 9 (1.6), 10 (1.7), 12 (1.8), 17 (1.9), 19 (10), 20 (11), 21 (12), 22 (13), 31 (14), 34 (17), 39 (21). Python: 13 (2), 14 (2 Django), 18 (3), 37 (4.2 Django), 40 (5.0 Django). |
| -auditPreferenceId | -a | Yes⁴ | Audit preference: Manual, Automated |
| -isBinaryScan | -bs | No⁴ | Scan compiled and source code (the feature must be enabled). |
| -allowopenSourceComponentAnalysis | -os | No⁴ | Include open source component analysis |
| -remediationScanPreferenceType | -rp | No | Remediation scan preference: 0/RemediationScanIfAvailable, 1/RemediationScanOnly, 2/NonRemediationScanOnly (default) |
| -inProgressScanActionType | -pp | No | If an in-progress scan exists, the action to take for the new scan: 0/DoNotStartScan (default), 1/CancelScanInProgress, 2/Queue. This only applies if the in-progress scan can be automatically cancelled. |
| -pollingInterval | -I | No | Length of time in minutes between polling Fortify on Demand for the scan status. Polling stops once a scan is canceled, completed, or paused. If the polling interval is not set or set to 0, no polling is done. Exit codes: 0 = success, scan completed and passed policy; 1 = failure, scan completed and failed policy; 3 = failure, scan canceled; 4 = failure, scan paused. |
| -purchaseEntitlement | -purchase | No | Purchase an entitlement if none is available (the feature needs to be enabled). |
| -allowPolicyFail | -apf | No | Return exit(0) instead of exit(1) if the scan fails the security policy specified in Fortify on Demand. |
| -proxy | -P | No | Proxy connection details (order dependent): the proxy host defined with a protocol (such as http); the account credentials on the proxy server; the proxy server's domain name for NTLM authentication; the proxy server's host name for NTLM authentication. |
| -notes | -n | No | Adds notes about the scan. |
| -help | -h | No | Prints the help dialog. |
| -version | -v | No | Prints the FoDUploader version. |

1 Use either API credentials or user credentials.

2 Use either release ID or BSI token. If both are provided, then the scan settings that are retrieved from the release ID will be used.

3 Required if BSI token is not provided.

4 Required if neither release ID nor BSI token is provided. Provided values override existing release ID or BSI token settings.
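
The conditional requirements in footnotes 1 to 4 can be checked in the build script before the upload starts. The script below is an added example, not part of the Fortify documentation or the fod-uploader-java project; it matches short argument names only, and the function names has_flag and check_fod_args are hypothetical.

```sh
#!/bin/sh
# Added example: pre-flight check of the "Required" column and footnotes 1-4
# before FoDUpload.jar is invoked. Only short argument names are recognised.

# has_flag FLAG ARGS...: succeed if FLAG appears among ARGS.
has_flag() {
    want=$1; shift
    for a in "$@"; do
        [ "$a" = "$want" ] && return 0
    done
    return 1
}

# check_fod_args ARGS...: print one line per violated rule, return 0 if none.
check_fod_args() {
    rc=0
    for f in -z -ep; do
        has_flag "$f" "$@" || { echo "missing $f (always required)"; rc=1; }
    done
    # Footnote 1: API credentials or user credentials must be present.
    if ! has_flag -ac "$@" && ! has_flag -uc "$@"; then
        echo "missing credentials: -ac or -uc"; rc=1
    fi
    # Footnote 3: portal URL, API URL and tenant code when no BSI token is given.
    if ! has_flag -bsi "$@"; then
        for f in -purl -aurl -tc; do
            has_flag "$f" "$@" || { echo "missing $f (no -bsi given)"; rc=1; }
        done
    fi
    # Footnote 4: scan settings on the command line when neither -rid nor -bsi.
    if ! has_flag -rid "$@" && ! has_flag -bsi "$@"; then
        for f in -at -eid -ts -l -a; do
            has_flag "$f" "$@" || { echo "missing $f (no -rid or -bsi given)"; rc=1; }
        done
    fi
    return $rc
}
```

Call `check_fod_args` with the same argument list that will be passed to FoDUpload.jar and stop the build step if it returns non-zero.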


Examples
Command-line examples:

java -jar FodUpload.jar -z package.zip -purl https://ams.fortify.com -aurl https://api.ams.fortify.com -tc AcmeCo -uc myUsername myPersonalAccessToken -rid 123456 -ep 2

"C:\Program Files (x86)\Java\jre-9\bin\java.exe" -jar C:\fod_upload\FodUpload.jar -z c:\Build\Input\applicationFiles.zip -uc john-doe "pswd!@#$" -P http://192.168.56.1:808 proxyuser1 proxyuserpassword -bsi eyJ0ZW5hbnRJZCI6NSwidGVuYW50Q29kZSI6InR0MSIsInJlbGVhc2VJZCI6NDQwNiwicGF5bG9hZFR5cGUiOiJBTkFMWVNJU19QQVlMT0FEIiwiYX -ep 1

Usage notes:

java is the path of the Java executable.

• If java.exe is in the directory from which the command is run or if the java.exe directory is included in the file system path, simply
reference java as the path.
• If the java.exe is not in the path, the full path is required (for example, C:\Program Files (x86)\Java\jre-9\bin\java.exe).

The -jar operator informs java.exe that it is working with a JAR file for the rest of the command set.

FoDUpload.jar is the path of the FoDUpload.jar tool.

• If FodUpload.jar is in the directory from which the command is being run, simply reference FoDUpload.jar as the path.
• If FodUpload.jar is in a different directory, the full path is required (for example, C:\fod_upload\fodupload.jar).
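
A build-script wrapper that uses the polling exit codes from the argument table as a policy gate, written as an added example that is not part of the Fortify documentation. The environment variable names FOD_API_KEY, FOD_API_SECRET and FOD_BSI_TOKEN and the function names are assumptions; the wrapper refuses -apf because that flag makes a failed policy return exit code 0, and it requires polling because without it there is no scan verdict to act on.

```sh
#!/bin/sh
# Added example, not from the FoDUploader documentation.
# FOD_API_KEY, FOD_API_SECRET and FOD_BSI_TOKEN are assumed variable names.

# gate_args ARGS...: the exit codes only carry a verdict when the tool polls
# (-I greater than 0) and -apf is absent, so check both before uploading.
gate_args() {
    interval=0; prev=
    for a in "$@"; do
        case "$a" in
            -apf|-allowPolicyFail)
                echo "refused: $a turns a policy failure into exit 0"; return 1 ;;
        esac
        case "$prev" in -I|-pollingInterval) interval=$a ;; esac
        prev=$a
    done
    case "$interval" in
        ''|*[!0-9]*) echo "refused: polling interval must be a number"; return 1 ;;
    esac
    [ "$interval" -gt 0 ] || { echo "refused: no polling, no verdict"; return 1; }
}

# gate_exit CODE: map the exit codes listed under -pollingInterval to a build
# decision. Canceled, paused and undocumented codes all fail closed.
gate_exit() {
    case "$1" in
        0) echo "pass: scan completed and passed policy"; return 0 ;;
        1) echo "fail: scan completed and failed policy" ;;
        3) echo "fail: scan canceled" ;;
        4) echo "fail: scan paused" ;;
        *) echo "fail: undocumented exit code $1" ;;
    esac
    return 1
}

# fod_scan ZIP [EXTRA ARGS...]: upload, poll every minute, return the verdict.
fod_scan() {
    zip=$1; shift
    : "${FOD_API_KEY:?}" "${FOD_API_SECRET:?}" "${FOD_BSI_TOKEN:?}"
    set -- -z "$zip" -ac "$FOD_API_KEY" "$FOD_API_SECRET" \
        -bsi "$FOD_BSI_TOKEN" -ep 2 -I 1 "$@"
    gate_args "$@" || return 1
    # The secrets are on the argument list: keep `set -x` off in this step.
    code=0
    java -jar FoDUpload.jar "$@" || code=$?
    gate_exit "$code"
}
```

In the build script, `fod_scan package.zip` returns 0 only for a completed scan that passed policy, so the step can be used directly as the pipeline's pass/fail condition.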

Copyright 2010-2024 Open Text
