Fortify CloudScan Plugin for Jenkins CI Available

I wanted to let everyone know that I developed and published a Jenkins plugin for Fortify CloudScan. The plugin greatly simplifies the configuration of CloudScan jobs.

For those that do not know, Fortify CloudScan allows an organization to host their own internal cloud-based infrastructure of Static Code Analyzer (SCA) machines that are distributed scan jobs by a centralized controller and optionally integrated with Software Security Center (SSC). CloudScan is included with HP Fortify 4.30 and higher and was an optional component in previous versions of Fortify.

My organization recently rolled out CloudScan across our global R&D organization and every Fortify job in the company is leveraging the technology. If you've ever played with CloudScan, you'll know that the command to execute can get insanely huge, especially when SSC is involved. We needed something that would greatly simplify configuration, especially for build engineers without prior Fortify knowledge.

The plugin was just published today and will show up on the Jenkins update site later tonight.

Fortify CloudScan Plugin - Jenkins - Jenkins Wiki

jenkinsci/fortify-cloudscan-plugin · GitHub

  • An updated version of the plugin was pushed out yesterday. Lots of improvements since the initial release. If you haven't checked it out already and you use CloudScan with Jenkins, it may be worth investigating. Also welcome are pull requests and enhancement requests.

  • Hi,

    I am trying to use this plugin with 19.1.0 SSC and the plugin version in Jenkins is 19.1.29. I am able to perform cloudscan without checking the "Use SSC" option.

    However, if I check the Use SSC option and I provide all the token values and the project ID, my cloudscan submission fails with Job rejected status.

    $ cmd /c cloudscan.bat -sscurl https://<server>/ssc -ssctoken XXXXX start -upload -versionid 95305222 -uptoken YYYYY -b Test -scan -autoheap
    [FortifyCloudScan] Log files will be stored in "C:\windows\system32\config\systemprofile\AppData\Local\Fortify\cloudscan\log" directory.
    [FortifyCloudScan] Retrieving controller URL...
    [FortifyCloudScan] Verifying controller URL...
    [FortifyCloudScan] Controller at https://<server>:8443/cloud-ctrl is UP
    [FortifyCloudScan] No email address detected. No status emails will be sent for this job.
    [FortifyCloudScan] Retrieving SCA version...
    [FortifyCloudScan] Exporting MBS...
    [FortifyCloudScan] Compressing job files...
    [FortifyCloudScan] Restructuring SCA arguments...
    [FortifyCloudScan] Uploading job...
    [FortifyCloudScan] ErrorResponse: Job rejected; please see the Controller log for details.

    Thanks

  • Take a look at the Cloud Controller log to see what is being reported there. The cloudCtrl.log is located in the CloudScan\tomcat\logs folder.

  • Thanks,

    I see the pool-mapping error in the cloud controller and I cannot specify the pool UUID separately in the cloudscan plugin in Advanced Scan options, since it puts the pool option after the scan parameter so it doesn't work. How can I set pool-mapping for a particular application version?

    /cloud-ctrl/rest/job] com.fortify.cloud.ctrl.service.PoolManagerServiceImpl - Failed to get pool mapping from SSC for job

    [FortifyCloudScan] Removed SCA args (specified after -scan and ignored by cloudscan): -pool 00000000-0000-0000-0000-000000000002
    [FortifyCloudScan] Uploading job...
    [FortifyCloudScan] ErrorResponse:  Job rejected; please see the Controller log for details.


  • Now, I have created a new pool, and added my application version and sensor to it as well. I restarted the cloudscan controller but still have the same issue.

  • Verified Answer

    As noted in the CloudScan plugin wiki, the plugin was originally created for v4.30 and updated and tested against 17.x, which I do not believe supported specifying sensor pools at the time. So no, the plugin currently doesn't support what you're looking for. It hasn't been updated in several years, so there are likely some other incompatibilities as well.

    That said, I just committed code which should work. I don't have sensor pools created in my limited testing environment, so I'm unable to test. But you're welcome to check out and compile the code yourself and test in your environment.

    https://github.com/jenkinsci/fortify-cloudscan-plugin

    By the way, this is not an officially supported plugin, rather a community effort. Enhancements and defects should be reported to https://issues.jenkins-ci.org.
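An added example, not code from the plugin or from anyone in this thread, showing the argument-ordering point the thread turns on: cloudscan's own options, including -pool, must come before -scan (the plugin log above shows a -pool placed after -scan being dropped), and the SSC and upload tokens are masked before the command line is logged. The function names and the set of cloudscan-level options are my own assumptions; the option names are the ones that appear in the thread.

```python
# Options consumed by cloudscan itself (assumed set, taken from the thread).
# Anything after "-scan" is handed to SCA, so a "-pool" placed there is
# silently ignored and the controller cannot map the job to a pool.
CLOUDSCAN_OPTS = {"-sscurl", "-ssctoken", "-upload", "-versionid",
                  "-uptoken", "-pool"}


def build_cloudscan_cmd(ssc_url, ssc_token, version_id, upload_token,
                        build_id, sca_args, pool_uuid=None):
    """Return the argv list: cloudscan options, then -scan, then SCA args."""
    misplaced = [a for a in sca_args if a in CLOUDSCAN_OPTS]
    if misplaced:
        # Refuse rather than submit a job the controller will reject or
        # route to the wrong pool.
        raise ValueError(f"options after -scan would be ignored: {misplaced}")
    cmd = ["cloudscan.bat", "-sscurl", ssc_url, "-ssctoken", ssc_token,
           "start", "-upload", "-versionid", str(version_id),
           "-uptoken", upload_token, "-b", build_id]
    if pool_uuid:
        cmd += ["-pool", pool_uuid]  # must precede -scan to take effect
    cmd.append("-scan")
    return cmd + list(sca_args)


def redact_cmd(cmd):
    """Mask the SSC and upload token values so the command can be logged."""
    out = list(cmd)
    for i in range(len(out) - 1):
        if out[i] in ("-ssctoken", "-uptoken"):
            out[i + 1] = "XXXXX"
    return out


if __name__ == "__main__":
    # Constructed sample values: the version id and pool UUID are the ones
    # quoted in the thread, the tokens and server are placeholders.
    cmd = build_cloudscan_cmd("https://<server>/ssc", "ssc-token-value",
                              95305222, "upload-token-value", "Test",
                              ["-autoheap"],
                              pool_uuid="00000000-0000-0000-0000-000000000002")
    print(" ".join(redact_cmd(cmd)))
```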

