问题
I am using Visual Studio 2012 and HP Fortify 4.21 with the latest rule packs.
The code (C#) lives on the same machine that has HP Fortify and I am only using AWB not SCC. The code successfully builds when the developer does the build, but when I try to scan with Fortify I get an error.
ASP Pre-compilation error
This error happens whether I am launching from VS or from command line. The logs show no errors or warnings, but stating at the end that there is nothing to store, so a fpr file is never created. If I run the scan from Audit Workbench it crashes only stating that it cannot create the build ID.
I did find a suggestion (below) to resolve the ASP issue but it fails and does not create the fpr file to be able to run the last line (to do the scan).
I appreciate any assistance!
Step 1: Clean sourceanalyzer -b "Build ID" -clean
Step 2: Translation/Build sourceanalyzer -b "Build ID" -Xmx1280M -Xss8M -debug -logfile trans.log devenv "Sample.sln" /Rebuild Debug
Step 3: Analysis sourceanalyzer -b "Build ID" -Xmx1280M -Xss8M -debug -logfile scan.log -scan -f Results.fpr
回答1:
I was running into this issue and this took care of my problem.
Step 1. Click the "BUILD" tab Step 2. Click "Clean Solution" Step 3. Most likely two folders appeared in the Solution Explorer (bin and obj). Right click each one and delete it, doesn't matter what order you do it in. Step 4. Click the "BUILD" tab Step 5. Click "Rebuild Solution" Step 6. Try to run FORTIFY again
Extra steps Step 7. If it still doesn't work check your web.config for errors. The project will build with errors but will cause the precompilation to fail with Fortify.
Step 8. Try allocating more RAM to Fortify by going to HP Fortify -> Options -> Project Settings -> Memory (MB) -> 1024 (or higher).
回答2:
I've run into similar problems. Try it on another machine. Sometimes that makes it work. When it hasn't it has been due to a Fortify bug. Working with Fortify support has helped me track the problem down. HP files a bug on it though I don't believe it helps. That said, once I know what construct in the file has caused the failure I've been able to modify the file to get Fortify to complete.
Sorry I don't have more help.
回答3:
The problem is with one or more of your ASPX files. For dotnet web forms the ASPX pages are not compiled by Visual Studio, they are compiled dynamically on the server. In order for Fortify to scan that code, it is calling the ASPNET_compiler to compile your ASPX files. Pass -debug from the command line and then look in the log for a call to ASPNET_compiler. You can copy those arguments and then run them in the Visual Studio command prompt to find the ASPX file that is causing the problem. Keep in mind that when passing ASPNET_compiler a directory to compile, it dies when it finds the first error. You may have to run it a few times to find all of the errors.
回答4:
Check the Analysis Information Tab in AWB for a related scan error. Also look at the scan log file for a related entry there as well.
If Eric is correct, you may want to put sourceanalyzer into the build script in case the problem re-appears.
回答5:
step 1. - click "build" tab
step 2. - click "clean solution"
step 3. - 2 folders appeared in solution explorer (bin , obj). right click
each 1 , delete it, doesn't matter order in. step 4. click "build" tab step 5. click "rebuild solution" step 6. try run fortify again
extra steps step 7. - f still doesn't work check web.config errors. project build errors cause precompilation fail fortify.
step 8. - try allocating more ram fortify going hp fortify -> options -> project settings -> memory (mb) -> 1024 (or higher).
The below link helped to solve my problems. http://nayviocde12.blogspot.be/2012/08/aspnet-hp-fortify-scans-get-asp-pre.html
回答6:
Fortify SCA version 16.20 and after
Starting with Fortify SCA version 16.20, ASP.Net code no longer uses the Microsoft aspnet_compiler.exe so this particular issue will not occur again.
Before Fortify SCA version 16.20
My preferred method of debugging precompiler issues is to add this command into the post-build event of the web project in Visual Studio, that way the error shows up in the error list.
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe" -v / -p $(ProjectDir)
Another thing to keep in mind, if you have files that are not part of the solution but are part in the web projects directory, the aspnet_compiler will still read them.
I find this situation common when developers would excluded files from Visual Studio. This does not delete them. Or if they delete them, then delete through the Visual Studio interface but not from the underlying source code repository and they just get downloaded again on checkout.
An easy way to check this would be to turn on Show All Files in the Visual Studio Solution Explorer window.
来源:https://stackoverflow.com/questions/30336928/hp-fortify-scans-get-asp-pre-compilation-error