Continuous Integration issues: Git CI and Jenkins
We have had HP Fortify for the past year, and now we are trying to integrate it with our Continuous Integration dev process. The integration tools used are Git CI and Jenkins. The problem we are facing is that the scan time is too long; sometimes it takes 24 hours to complete a scan. As a result we can't make it a mandatory part of the deployment checks, and it also consumes the CPU and memory on the CI tools.
I am sure there are many people who have done this. Are there any best practices we need to follow to ensure we implement it properly and reduce the scan time to a few minutes? Any ideas on process improvements (our releases happen daily)?
We have HP Fortify installed on-premise: SCA on a windows machine, SSC on a windows machine.
The technology stack we scan is diverse: Drupal, PHP, .NET, Java. Each release may not contain all of these technologies, though.
It would be interesting to know why your scans are taking so long to complete:
- Are you scanning really large projects?
  - Depending on the architecture of your application, you may be able to scan individual components if they have their own entry and exit points, instead of scanning the full application at once.
- Are your hardware specifications sufficient for running complex scans?
  - Please check the Fortify documentation for SCA system requirements.
- Do you see any errors or warnings while running the SCA translation or scan?
  - Some warnings may have a direct impact on performance, like warnings about insufficient memory.
  - Other warnings may have an indirect impact on performance; warnings during the translation phase may result in increased scan times.
- Are you using optimized scan settings?
  - Are you assigning enough memory to the SCA process using the -Xmx setting?
  - Are you using parallel mode, which may significantly reduce scan time if the hardware is capable enough?
  - At the cost of reduced accuracy, you can use QuickScan mode or tune other scan parameters. For example, you could run a daily Quick Scan and a weekly full scan.
  - Please see the SCA Performance Guide included with the product documentation for more information.
- Are the long scan times caused by specific technologies?
  - Some languages, and higher-order code, may simply require more time for SCA translation and scan to complete.
- Are you using the latest SCA version?
  - We continuously improve our software; newer SCA versions may decrease scan time.
  - For example, SCA 17.10 includes a new, optimized parallel processing mode.
  - Work is underway to implement incremental scanning, which, once completed in a future SCA version, should significantly reduce scan time for subsequent scans.
If you have a need to run complex or long-running scans, we usually recommend using dedicated build nodes for SCA scans. This allows you to optimize the build node hardware for running SCA scans, and it also reduces the load on your existing build nodes, thereby reducing the impact of SCA scans on other build tasks.
Your HPE Security Fortify Professional Services team is always happy to discuss these recommendations in greater detail and help in optimizing your scan environment. Please contact your Professional Services team directly if you require any further assistance.
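The following wrapper script is an added example (not from either post, and not Fortify's own tooling) of how the answer's advice can be put into a Jenkins job on a dedicated SCA node: the JVM heap is sized from the node's RAM with -Xmx, a QuickScan (-quick) runs on weekdays and a full scan runs once a week, and the result is uploaded to SSC. The build id "myapp", the source layout, the Java-only translation step, the -mt parallel flag and the fortifyclient uploadFPR options are assumptions; check them against the sourceanalyzer and fortifyclient documentation for your SCA version.

```shell
#!/bin/sh
# Added example: Jenkins wrapper for Fortify SCA on a dedicated build node.
# Assumptions (not from the original thread): build id "myapp", sources in ./src,
# Java-only translation, SSC reachable via $SSC_URL with token $SSC_TOKEN,
# and that this SCA version accepts -mt for parallel analysis.

# Pick the scan mode from the ISO weekday (1=Mon .. 7=Sun, as `date +%u` prints).
# Full scan on Sunday, QuickScan on every other day (lower accuracy, far faster).
scan_mode() {
    case "$1" in
        7) echo full ;;
        *) echo quick ;;
    esac
}

# Heap for the SCA JVM in MB: about three quarters of the node's RAM, with a
# 4096 MB floor. Takes total RAM in MB as an argument so it works without /proc.
sca_heap_mb() {
    total_mb=$1
    heap=$(( total_mb * 3 / 4 ))
    [ "$heap" -lt 4096 ] && heap=4096
    echo "$heap"
}

# Analysis-phase argument list for sourceanalyzer, printed one argument per line.
# -b, -Xmx, -scan, -f and -quick are standard options; -mt is an assumption.
sca_scan_args() {
    mode=$1; heap_mb=$2; build_id=$3
    printf '%s\n' "-b" "$build_id" "-Xmx${heap_mb}M" "-mt" "-scan" "-f" "${build_id}.fpr"
    [ "$mode" = quick ] && printf '%s\n' "-quick"
    return 0
}

# Clean, translate, scan and upload. Guarded by SCA_RUN=1 so that sourcing this
# file for its helper functions on a node without SCA installed does nothing.
run_scan() {
    build_id=$1; src_dir=$2
    mode=$(scan_mode "$(date +%u)")
    total_mb=$(awk '/MemTotal/ {print int($2/1024)}' /proc/meminfo)
    heap=$(sca_heap_mb "$total_mb")
    echo "SCA mode=$mode heap=${heap}M build=$build_id"

    # Translation: one invocation per technology; Java shown, add PHP/.NET as needed.
    sourceanalyzer -b "$build_id" -clean
    sourceanalyzer -b "$build_id" -Xmx"${heap}M" -source 1.8 -cp "lib/*" "$src_dir"

    # Analysis: feed the argument list built above (newline-separated) to sourceanalyzer.
    sca_scan_args "$mode" "$heap" "$build_id" | xargs sourceanalyzer

    # Upload to SSC; option names assumed from current fortifyclient usage.
    fortifyclient uploadFPR -url "$SSC_URL" -authtoken "$SSC_TOKEN" \
        -file "${build_id}.fpr" -application "$build_id" -applicationVersion "$mode"
}

if [ "${SCA_RUN:-0}" = 1 ]; then
    run_scan "${1:-myapp}" "${2:-src}"
fi
```

In Jenkins, pin the job to the SCA node with a label and call the script as `SCA_RUN=1 sh sca-scan.sh myapp src`; the QuickScan run is what gates the daily release, while the Sunday full scan catches what QuickScan skips.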