
Fortify CloudScan Plugin for Jenkins CI Available


I wanted to let everyone know that I developed and published a Jenkins plugin for Fortify CloudScan. The plugin greatly simplifies the configuration of CloudScan jobs.

For those that do not know, Fortify CloudScan allows an organization to host their own internal cloud-based infrastructure of Static Code Analyzer (SCA) machines that are distributed scan jobs by a centralized controller and optionally integrated with Software Security Center (SSC). CloudScan is included with HP Fortify 4.30 and higher and was an optional component in previous versions of Fortify.

My organization recently rolled out CloudScan across our global R&D organization and every Fortify job in the company is leveraging the technology. If you've ever played with CloudScan, you'll know that the command to execute can get insanely huge, especially when SSC is involved. We needed something that would greatly simplify configuration, especially for build engineers without prior Fortify knowledge.

The plugin was just published today and will show up on the Jenkins update site later tonight.

Fortify CloudScan Plugin - Jenkins - Jenkins Wiki

jenkinsci/fortify-cloudscan-plugin · GitHub


Re: Fortify CloudScan Plugin for Jenkins CI Available


An updated version of the plugin was pushed out yesterday. Lots of improvements since the initial release. If you haven't checked it out already and you use CloudScan with Jenkins, it may be worth investigating. Pull requests and enhancement requests are also welcome.


Re: Fortify CloudScan Plugin for Jenkins CI Available


Hi @sspringett,

I am trying to use this plugin with SSC 19.1.0, and the plugin version in Jenkins is 19.1.29. I am able to perform a cloudscan without checking the "Use SSC" option.

However, if I check the Use SSC option and provide all the token values and the project ID, my cloudscan submission fails with a "Job rejected" status:

$ cmd /c cloudscan.bat -sscurl https://<server>/ssc -ssctoken XXXXX start -upload -versionid 95305222 -uptoken YYYYY -b Test -scan -autoheap
[FortifyCloudScan] Log files will be stored in "C:\windows\system32\config\systemprofile\AppData\Local\Fortify\cloudscan\log" directory.
[FortifyCloudScan] Retrieving controller URL...
[FortifyCloudScan] Verifying controller URL...
[FortifyCloudScan] Controller at https://<server>:8443/cloud-ctrl is UP
[FortifyCloudScan] No email address detected. No status emails will be sent for this job.
[FortifyCloudScan] Retrieving SCA version...
[FortifyCloudScan] Exporting MBS...
[FortifyCloudScan] Compressing job files...
[FortifyCloudScan] Restructuring SCA arguments...
[FortifyCloudScan] Uploading job...
[FortifyCloudScan] ErrorResponse: Job rejected; please see the Controller log for details.

Thanks


Re: Fortify CloudScan Plugin for Jenkins CI Available


Take a look at the Cloud Controller log to see what is being reported there. The cloudCtrl.log is located in the CloudScan\tomcat\logs folder.


Re: Fortify CloudScan Plugin for Jenkins CI Available


Thanks @ebell

I see the pool-mapping error in the cloud controller, and I cannot specify the pool UUID separately in the cloudscan plugin's Advanced Scan options, since it puts the pool option after the scan parameter, so it doesn't work. How can I set pool-mapping for a particular application version?

/cloud-ctrl/rest/job] com.fortify.cloud.ctrl.service.PoolManagerServiceImpl - Failed to get pool mapping from SSC for job

[FortifyCloudScan] Removed SCA args (specified after -scan and ignored by cloudscan): -pool 00000000-0000-0000-0000-000000000002
[FortifyCloudScan] Uploading job...
[FortifyCloudScan] ErrorResponse:  Job rejected; please see the Controller log for details.
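One way to avoid the ordering problem shown in the log above, as an added example that is neither the plugin's code nor the poster's: a small Python helper that assembles the cloudscan argument list with every `cloudscan start` option, `-pool` included, ahead of `-scan`, reports any option that would land behind `-scan` and be dropped, and masks the SSC and upload tokens before the command is echoed into a build log. The option sets are assumptions drawn only from the commands quoted in this thread; the real `cloudscan` help text for your version is the authority on which options exist.

```python
"""Order a Fortify CloudScan command line so controller options precede -scan.

Added example for this thread, not code from the jenkinsci
fortify-cloudscan-plugin. The one rule it encodes is the one visible in the
plugin's log: anything placed after "-scan" is handed to SCA, and cloudscan
options such as -pool that end up there are silently dropped.
"""

# Options that belong to "cloudscan start", taken from the command lines in
# this thread. Treating these sets as complete is an assumption; extend them
# from the cloudscan help text for your version.
START_OPTIONS_WITH_VALUE = {"-versionid", "-uptoken", "-b", "-pool"}
START_FLAGS = {"-upload"}
START_OPTIONS = START_OPTIONS_WITH_VALUE | START_FLAGS

# Option values that must not reach a build log in clear text.
SECRET_OPTIONS = {"-ssctoken", "-uptoken"}


def build_cloudscan_argv(ssc_url, ssc_token, start_options, sca_args,
                         executable="cloudscan.bat"):
    """Return argv as: global options, "start", start options, "-scan", SCA args.

    start_options is an ordered list of (option, value) pairs; value is None
    for bare flags such as -upload. Cloudscan options found in sca_args are
    rejected up front instead of being silently dropped by the tool.
    """
    misplaced = [a for a in sca_args if a in START_OPTIONS]
    if misplaced:
        raise ValueError(f"cloudscan options must precede -scan: {misplaced}")

    argv = [executable, "-sscurl", ssc_url, "-ssctoken", ssc_token, "start"]
    for option, value in start_options:
        if option not in START_OPTIONS:
            raise ValueError(f"unknown cloudscan start option: {option}")
        if option in START_OPTIONS_WITH_VALUE:
            if value is None:
                raise ValueError(f"{option} requires a value")
            argv += [option, str(value)]
        else:
            argv.append(option)
    argv.append("-scan")
    argv.extend(sca_args)
    return argv


def find_misplaced_options(argv):
    """List cloudscan start options that appear after -scan (cloudscan ignores them)."""
    if "-scan" not in argv:
        return []
    tail = argv[argv.index("-scan") + 1:]
    return [a for a in tail if a in START_OPTIONS]


def redact(argv):
    """Copy of argv with token values masked, for safe echoing into a build log."""
    out = list(argv)
    for i, arg in enumerate(out[:-1]):
        if arg in SECRET_OPTIONS:
            out[i + 1] = "XXXXX"
    return out


if __name__ == "__main__":
    # Constructed sample mirroring the thread's command; host and tokens are placeholders.
    argv = build_cloudscan_argv(
        "https://ssc.example.invalid/ssc", "placeholder-ssc-token",
        [("-upload", None), ("-versionid", "95305222"),
         ("-uptoken", "placeholder-upload-token"), ("-b", "Test"),
         ("-pool", "00000000-0000-0000-0000-000000000002")],
        ["-autoheap"],
    )
    print(" ".join(redact(argv)))

    # The ordering the plugin produced in this thread: -pool behind -scan.
    broken = ["cloudscan.bat", "-sscurl", "https://ssc.example.invalid/ssc",
              "-ssctoken", "placeholder-ssc-token", "start", "-upload",
              "-scan", "-autoheap", "-pool", "00000000-0000-0000-0000-000000000002"]
    print("would be ignored:", find_misplaced_options(broken))
```

`find_misplaced_options` is the check worth running against whatever command line the plugin (or a hand-written job) actually emits before the job is submitted; an empty list means nothing will be discarded at the `-scan` boundary.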


Re: Fortify CloudScan Plugin for Jenkins CI Available


Now I have created a new pool and added my application version and sensor to it as well. I restarted the cloudscan controller, but still the same issue.


Re: Fortify CloudScan Plugin for Jenkins CI Available


As noted in the CloudScan plugin wiki, the plugin was originally created for v4.30 and updated and tested against 17.x, which I do not believe supported specifying sensor pools at the time. So no, the plugin currently doesn't support what you're looking for. It hasn't been updated in several years, so there are likely some other incompatibilities as well.


That said, I just committed code which should work. I don't have sensor pools created in my limited testing environment, so I am unable to test. But you're welcome to check out and compile the code yourself and test it in your environment.


https://github.com/jenkinsci/fortify-cloudscan-plugin


By the way, this is not an officially supported plugin, rather a community effort. Enhancements and defects should be reported to https://issues.jenkins-ci.org.


Re: Fortify CloudScan Plugin for Jenkins CI Available


Thanks @sspringett

I rebuilt the cloudscan plugin, and it works as expected when targeting a specific sensor pool. Lastly, just a question or an enhancement request: is there a way we can export the FPR from the cloud worker to the Jenkins workspace?
