Jenkins Fortify Setup
Static Code Analyzer (SCA) runs scans over code and ships results to SSC. SCA is a command-line application.
Software Security Center (SSC) stores, processes, and displays SCA results. SSC is a web application.
- Navigate to `$HOST:8080/ssc` and log into SSC.
- Click "Administration", "Configuration", and "Webservices"
- Check "Allow Token Authentication"
- Restart the server (Stop/Start Tomcat for me)
- Launch PowerShell and `cd` to the Fortify tools directory, something like `...\HP-Fortify-Server-WAR\Tools\fortifyclient\bin`
- Generate an authentication token. Replace `$HOST` and `$USER` and run the following command: `./fortifyclient -url http://$HOST:8080/ssc token -gettoken AnalysisUploadToken -user $USER`
  Note: the user must have sufficient privileges; you will be asked for a password.
- Retrieve and remember the resulting `$TOKEN`
- Navigate back to the root of Fortify SSC and click "New Application". Later we will need both "Application Name" and "Application Version".
Jenkins must run Fortify SCA on all worker nodes. Jenkins will ship SCA results to SSC.
Install Fortify SCA on all Jenkins worker boxes.
The HP Fortify SSC install media bundle contains a compatible Jenkins plugin: `HP_Fortify_Jenkins_Plugin_4.40.hpi`.
- Load Jenkins in your browser and navigate to the "Manage Plugins" page and upload the above plugin into Jenkins.
- Navigate to "Configure System" page and locate the "HP Fortify Assessment" section.
- Specify "URL": `http://$HOST:8080/ssc`
- For "Authentication Token" paste the `$TOKEN` from above.
- Navigate to a Jenkins project and click "Configure"
- Add a new build step "Execute Windows Batch Command" and add the Scan Steps code example from below to perform an SCA scan. Replace `$BUILD_ID` with an appropriate value.
- Add a new post-build action "HP Fortify Assessment", set "FPR Filename" = `Assessment.fpr`. Set "Project Name" and "Project Version" to existing values from SSC.
```batch
cd "C:\Program Files\HP_Fortify\HP_Fortify_SCA_and_Apps_4.40\bin"
REM Discard any previous translation stored under this build ID
.\sourceanalyzer.exe -b $BUILD_ID -clean
REM Translate every source file in the Jenkins workspace
.\sourceanalyzer.exe -b $BUILD_ID %WORKSPACE%
REM Scan the translated code and write the FPR the post-build upload expects
.\sourceanalyzer.exe -b $BUILD_ID -scan -64 -verbose -Xmx6G -format "fpr" -f "%WORKSPACE%\Assessment.fpr"
REM Optional: render a developer-oriented PDF report from the FPR
.\ReportGenerator -template "DeveloperWorkbook.xml" -format "pdf" -f "%WORKSPACE%\Assessment.pdf" -source "%WORKSPACE%\Assessment.fpr"
```
Scan steps will probably change depending on your project.
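A Jenkins "Execute Windows Batch Command" step only fails the build when its last command fails, so a scan that dies midway can leave an old FPR in the workspace for the post-build upload to pick up. The following is an added example (not from the original page) of a hardened version of the same scan step: it checks each `sourceanalyzer` exit code, removes any stale FPR first, and uses Jenkins's `BUILD_TAG` variable as the SCA build ID (assumed here to be an acceptable build ID; the SCA path is the same as above).

```batch
@echo off
REM Added example: hardened SCA scan step for Jenkins.
REM Assumes SCA 4.40 lives at SCA_HOME and that %BUILD_TAG%
REM (jenkins-<job>-<number>, slashes replaced) is a valid SCA build ID.
setlocal
set "SCA_HOME=C:\Program Files\HP_Fortify\HP_Fortify_SCA_and_Apps_4.40\bin"
set "SCA_BUILD_ID=%BUILD_TAG%"
set "FPR=%WORKSPACE%\Assessment.fpr"

REM Never let the upload step see an FPR left over from an earlier build.
if exist "%FPR%" del /q "%FPR%"

cd /d "%SCA_HOME%" || exit /b 1

REM 1. Discard any leftover translation stored under this build ID.
.\sourceanalyzer.exe -b "%SCA_BUILD_ID%" -clean
if errorlevel 1 exit /b 1

REM 2. Translate the workspace into SCA's intermediate model.
.\sourceanalyzer.exe -b "%SCA_BUILD_ID%" "%WORKSPACE%"
if errorlevel 1 exit /b 1

REM 3. Scan and write the FPR that the post-build upload expects.
.\sourceanalyzer.exe -b "%SCA_BUILD_ID%" -scan -64 -Xmx6G -format fpr -f "%FPR%"
if errorlevel 1 exit /b 1

REM 4. A zero exit code without an FPR still means there is nothing to upload.
if not exist "%FPR%" (
  echo Scan finished but "%FPR%" was not written
  exit /b 1
)

REM 5. Optional developer report; a report failure must not hide scan results,
REM    so its exit code is deliberately not propagated.
.\ReportGenerator -template "DeveloperWorkbook.xml" -format "pdf" -f "%WORKSPACE%\Assessment.pdf" -source "%FPR%"
endlocal
exit /b 0
```

Because `BUILD_TAG` changes on every build, the `-clean` step is only a safeguard; keep it if you later switch to a fixed build ID shared across runs.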
At this point, Jenkins will execute a Fortify SCA scan as a build step. The results of the scan are saved locally, then uploaded to Fortify SSC as a post-build step. You can view Fortify scan results in SSC at `http://$HOST:8080/ssc`.
SCA accepts many configuration flags. We use some above to help speed up SCA scans. There are many more that, when understood, should allow SCA scans to become faster.
As-is, here are some timings for known OSS projects. I suspect these times could be lowered with further configuration.
- Elastic Search : 5 hours
- Teammates : 1 hour
- SCA Help describes command-line use: `sourceanalyzer -h`
- `-64`: 64-bit mode
- `-Xmx6G`: use 6 GB of memory
- `-format`: fpr is Fortify's native format
- `%WORKSPACE%` is a Jenkins environment variable
Plugin Note: There are a number of non-applicable Jenkins Plugins available online, don't use them:
- Fortify 360 post-processing and uploading to Fortify 360, an older version of SSC.
- Fortify CloudScan Plugin is for a different kind of on-prem setup
- Fortify On Demand Uploader Plugin is for "On Demand", Fortify's SaaS.