Azure DevOps and Fortify

Hi,

I want to use Fortify within my Azure DevOps (ADO) pipeline. However, I noticed that Fortify ONLY works on Self-Hosted agents and not Microsoft Agents because the actual software must be installed in the agent?

I can always run the installation in the pipeline, but I must confirm that Fortify must be installed to use the Fortify Extension for ADO.

Thank you

  • Hello Mike,

    If you are planning to use the "Fortify ScanCentral SAST Assessment" task, then the ScanCentral client will be installed on the Microsoft agent by the ScanCentral Controller. The ScanCentral client, e.g. scancentral.zip, is located under the ScanCentral Controller's tomcat/client folder.

    If you are planning to use the "Fortify Static Code Analyzer Assessment" task, then SCA needs to be installed beforehand, as the plugin will look for SCA in the agent's system environment PATH. There is a "Fortify Static Code Analyzer Install" task that can be called to install SCA before running the "Fortify Static Code Analyzer Assessment" task.

    The Windows Agent needs to meet the SCA and ScanCentral system requirements before continuing. Here are links to the SCA and ScanCentral documentation, including the Fortify Azure DevOps plugin.

    https://www.microfocus.com/documentation/fortify-static-code/
    https://www.microfocus.com/documentation/fortify-software-security-center/
    www.microfocus.com/.../

    If you have any further questions or issues, please open a NEW case.

    Thank you,
    Richard Pinaroc
    Fortify Technical Support
    Micro Focus

  • "Fortify ScanCentral SAST Assessment" is the task I am trying to use with DevOps. My company has an SSC and I added a generic service on DevOps that connects to my SSC, though I get errors such as ....ssc/api/v1/cloudsystem failed

    I do not understand what I am doing wrong and the docs bring me nowhere :(

  • I would check the Controller's scancentralCtrl.log to see if it is able to communicate with SSC. Look for a line that shows that it was able to connect,

    e.g.

    2021-10-25 14:08:10,602 [INFO]  com.fortify.cloud.ctrl.spring.security.SscAuthenticationFilter - Using SSC remote IP ranges: <SSC_IP_ADDRESS>

    If the SSC's IP address is being rejected, then you will need to add the SSC's IP address to the following property in the controller's Fortify_ScanCentral_Controller_21.1.0_x64\tomcat\webapps\scancentral-ctrl\WEB-INF\classes\config.properties,

    e.g. ssc_remote_ip=

    Please open a case if you are still having issues and provide the following information,

    SSC version

    ssc.log and ssc_audit.log

    ScanCentral Controller version

    scancentralCtrl.log

    Thank you,

    Richard

  • There are no options in the DevOps Fortify task to add logs. I was able to add logs only locally. How would I add logs, or is it enabled by default?

  • The ScanCentral logs would be on the Controller and Sensor host machines. They would not be found in the pipeline or on the ADO agent. However, before running the pipeline job, there is a checkbox to "Enable System Diagnostics" to provide more pipeline debug output. Reviewing the Fortify task's raw output will provide more info on what is happening in the pipeline, but we will still need the logs for ScanCentral.

    I would suggest that you open a case to better track this issue.

    Regards,

    Richard