
Fortify SCA



  • I'm starting into custom extension #4, and looking to automate Fortify scans. This is the first time I've really been unsure what sort of extension this should be. It's a source control analyzer, so it feels like it should be a Reporting Action like FxCop or NCover, but the native output format "FPR" is a binary blob that clearly doesn't fit any of the ReportType enum options. Could output it into a Deployable, but that sounds wrong conceptually. In some cases we can just send the report directly to a central server, so having it just be a random deployable isn't entirely inaccurate if you consider the step to deploy to a Fortify server.

    Other complications here are that Fortify SCA can sometimes be extremely slow and I would almost rather it be a promotion requirement of sorts, if we could find a good way to background schedule it, but I don't see any examples of long-running background tasks in the extensions up on GitHub.

    Product: BuildMaster
    Version: 4.1.0



  • This sounds like a good candidate for a Reporting Action, but with the ZippedHtml option. Although the report outputs a binary file, you could write an html file to disk with a hyperlink to the file, and use that as the index. Both would be included in the zip file, and present in the report. If the FPR file is large, it might be better to save these on disk so it's not saved in the database.

    There are some additional built-in reporting actions that are not on GitHub; you can find those through Reflector or something, or fill out the Source Code Request Form.

    There are no background actions, of course, but one option could be:

    • Trigger that watches Promotion Completed event
    • Runs report in background; adds report to the Build using the BuildOutputs_AddOutput action
    • Add a Promotion Requirement to verify report has completed

    Hope that helps. I'd be curious to see what you come up with.
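The packaging step the reply above describes (an index page linking to the binary FPR, both zipped into one ZippedHtml-style bundle) and the promotion-requirement check that proves the report actually landed, as an added example. This is not BuildMaster or Inedo code and it does not touch the BuildMaster extension API, which is why it is written in plain Python rather than as a C# Reporting Action: it only produces and verifies the bundle bytes that such an action would hand over. The bundle layout (index.html and the .fpr at the zip root), the helper names, and the sample FPR are all assumptions; the sample FPR is a constructed placeholder, not real scan output.

```python
"""Package a binary Fortify FPR into a ZippedHtml-style report bundle and
verify it later. Added example, not BuildMaster/Inedo code; the bundle
layout and helper names are assumptions."""
import hashlib
import html
import io
import zipfile
from typing import Tuple

INDEX_NAME = "index.html"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_sample_fpr() -> bytes:
    """Constructed stand-in for a real scan result. Real FPR files are ZIP
    containers; this one holds only a placeholder audit.fvdl entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("audit.fvdl", "<FVDL/><!-- placeholder, not real scan output -->")
    return buf.getvalue()


def build_index_html(fpr_name: str, fpr_bytes: bytes, build_label: str) -> str:
    """The page a ZippedHtml report opens on: a link to the FPR plus its size
    and SHA-256, so a later step can prove which scan result it is looking at."""
    # Escape everything that came from outside so a crafted artifact name or
    # build label cannot inject markup into the report page.
    name = html.escape(fpr_name, quote=True)
    label = html.escape(build_label, quote=True)
    return (
        '<!DOCTYPE html>\n<html><head><meta charset="utf-8">'
        f"<title>Fortify SCA results for {label}</title></head>\n<body>\n"
        f"<h1>Fortify SCA results for {label}</h1>\n"
        f'<p>Native result file: <a href="{name}">{name}</a> '
        f"({len(fpr_bytes)} bytes)</p>\n"
        f"<p>SHA-256: <code>{sha256_hex(fpr_bytes)}</code></p>\n"
        "</body></html>\n"
    )


def build_report_bundle(fpr_name: str, fpr_bytes: bytes, build_label: str) -> bytes:
    """Zip index.html and the FPR together; the result is what would be
    attached to the build as the ZippedHtml report."""
    if not zipfile.is_zipfile(io.BytesIO(fpr_bytes)):
        # FPR files are ZIP containers, so anything else is an aborted or
        # truncated scan rather than a result worth attaching to the build.
        raise ValueError(f"{fpr_name} is not a valid FPR container")
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(INDEX_NAME, build_index_html(fpr_name, fpr_bytes, build_label))
        zf.writestr(fpr_name, fpr_bytes)
    return out.getvalue()


def verify_report_bundle(bundle: bytes, fpr_name: str) -> Tuple[bool, str]:
    """Promotion-requirement style check: the bundle is a zip, carries both
    files, and its index describes the FPR that is actually inside it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(bundle))
    except zipfile.BadZipFile:
        return False, "bundle is not a zip file"
    with zf:
        missing = {INDEX_NAME, fpr_name} - set(zf.namelist())
        if missing:
            return False, f"bundle is missing {sorted(missing)}"
        index = zf.read(INDEX_NAME).decode("utf-8")
        fpr_bytes = zf.read(fpr_name)
    if html.escape(fpr_name, quote=True) not in index:
        return False, "index does not link to the FPR"
    if sha256_hex(fpr_bytes) not in index:
        return False, "index hash does not match the FPR in the bundle"
    return True, "report complete"


if __name__ == "__main__":
    sample = make_sample_fpr()
    report = build_report_bundle("scan.fpr", sample, "MyApp 1.4 build 27")
    print(verify_report_bundle(report, "scan.fpr"))
```

The hash in the index is what makes the promotion requirement meaningful: a background trigger that runs for a long time can be retried or overlap with a later build, and checking only that some file named index.html exists would pass a stale or half-written report. For a large FPR, the bundle can be written to disk and only its path recorded, as the reply suggests, without changing the check.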

