Skip to content
This repository has been archived by the owner on Mar 20, 2020. It is now read-only.

Jenkins Fortify Setup

Jump to bottom
Clint Troxel edited this page Dec 20, 2016 · 1 revision

Jenkins / Fortify Integration

Fortify SCA

Static Code Analyzer runs scans over code and ships results to SSC. SCA is a command-line application.

Fortify SSC

Software Security Center stores, processes, and displays SSC results. SSC is a web application.

SSC Setup

  1. Navigate to $HOST:8080/ssc and log into SSC.
  2. Click "Administration", "Configuration", and "Webservices"
  3. Check "Allow Token Authentication"
  4. Restart the server (Stop/Start Tomcat for me)
  5. Launch Powershell and cd to Fortify tools directory, something like ...\HP-Fortify-Server-WAR\Tools\fortifyclient\bin
  6. Generate an Authentication token. Replace $HOST and $USER and run the following command: ./fortifyclient -url http://$HOST:8080/ssc token -gettoken AnalysisUploadToken -user $USER Note: The user must have sufficient privileges, you will be asked for a password.
  7. Retrieve and remember the resulting $TOKEN
  8. Navigate back to the root of Fortify SSC and click "New Application". Later we will need both "Application Name" and "Application Version".

Jenkins

Jenkins Setup

Jenkins must run Fortify SCA on all worker nodes. Jenkins will ship SCA results to SSC.

Install Fortify SCA on all Jenkins worker boxes.

Jenkins Plugin Setup

The HP Fortify SSC install media bundle contains a compatible Jenkins plugin: HP_Fortify_Jenkins_Plugin_4.40.hpi.

  1. Load Jenkins in your browser and navigate to the "Manage Plugins" page and upload the above plugin into Jenkins.
  2. Navigate to "Configure System" page and locate the "HP Fortify Assessment" section.
  3. Specify "URL": http://$HOST:8080/ssc
  4. For "Authentication Token" paste the $TOKEN from above.
  5. Navigate to a Jenkins project and click "Configure"
  6. Add a new build step "Execute Windows Batch Command" and add the Scan Steps code example from below to perform an SCA scan. Replace $BUILD_ID with an appropriate value.
  7. Add a new post-build action "HP Fortify Assessment", set "FPR Filename" = Assessment.fpr. Set "Project Name" and "Project Version" to existing values from SSC.

Scan Steps:

cd "C:\Program Files\HP_Fortify\HP_Fortify_SCA_and_Apps_4.40\bin"
.\sourceanalyzer.exe -b $BUILD_ID -clean
.\sourceanalyzer.exe -b $BUILD_ID %WORKSPACE%
.\sourceanalyzer.exe -b $BUILD_ID -scan -64 -verbose -Xmx6G -format "fpr" -f "%WORKSPACE%\Assessment.fpr"
.\ReportGenerator -template "DeveloperWorkbook.xml" -format "pdf" -f "%WORKSPACE%\Assessment.pdf" -source  "%WORKSPACE%\Assessment.fpr"

Scan steps will probably change depending on your project.

At this point, Jenkins will execute a Fortify SCA scan as a build-step. The results of the scan are saved locally, then uploaded to Fortify SSC as a post-build step. You can view Fortify scan results in SSC at http://$HOST:8080/ssc.

Benchmarks

SCA accepts many configuration flags. We use some above to help speed up SCA scans. There are many more that, when understood, should allow SCA scans to become faster.

As-is, here are some timings for known OSS projects. I suspect these times could be lowered with further configuration.

Notes:

  • SCA Help describes command-line use: sourceanalyzer -h
  • -64: 64 bit mode
  • Xmx6G: use 6 gigs of memory
  • format: fpr is Fortify native format
  • %WORKSPACE% is a Jenkins ENV Variable

Plugin Note: There are a number of non-applicable Jenkins Plugins available online, don't use them:

Clone this wiki locally