I have multiple projects bound by a single parent pom.

If i run fortify scan on parent pom using Maven fortify plugin, fpr files for each project is generated. I would like to have a single fpr file being generated for all the projects. Is it possible ?

Thanks and Regards, Saurav

What you want to do is an aggregate build. Try setting the same build ID for each module and then pass the -Dfortify.sca.toplevel.artifactId as the artifactID of the parent POM. This should give you a single FPR file. It should look like:

mvn clean
mvn -Dfortify.sca.buildId=ACMEPortal com.fortify.ps.maven.plugin:sca-maven-plugin:<version>:clean
mvn -Dfortify.sca.buildId=ACMEPortal package com.fortify.ps.maven.plugin:sca-maven-plugin:<version>:translate
mvn -Dfortify.sca.Xmx=800M -Dfortify.sca.buildId=ACMEPortal -Dfortify.sca.toplevel.artifactId=AcmePortal com.fortify.ps.maven.plugin:sca-maven-plugin:<version>:scan

The latest versions of SCA Maven Plugin aggregate scans by default and so module based maven projects do not need any explicit settings anymore. It is evident from plugin documentation (extract below):

$mvn com.fortify.sca.plugins.maven:sca-maven-plugin:help -Ddetail=true -Dgoal=scan

output:

Available parameters:

aggregate (Default: true)
  If set to true, aggregate mode is enabled.
  User property: fortify.sca.aggregate

buildId (Default: ${project.artifactId}-${project.version})
  Specifies the SCA build ID. The default is project artifact ID and
  version. In aggregate mode, the top level project artifact ID and version
  is used for all modules.