Fortify Scanning Implementation Options?
Obviously, we can give Fortify SCA to all of our developers and ask them to scan their code, but we all know we can't trust them to do it consistently (and sometimes, not at all). We can also add a hook into the build server to have every automated build get scanned. I've got both of those options up and running, but I know there is more code out there that isn't being scanned. Some things don't go through the build server. Or the build server is only configured to scan Java code and not anything else.
Has anybody set anything up where they basically have Fortify run against every code repo in the source code repository? Maybe script something that pulls a repo branch down that has recent changes, runs it against Fortify, uploads the results, and moves on to the next repo branch? If so, can you describe your setup? Is this a good idea?
We have one major CI pipeline. This pipeline is configured to automatically build projects each time there is a check-in in BitBucket. We also have some logic that says if a project compiles during the day then to initiate a separate scan job for Fortify. The Fortify job runs nightly for every repo that compiled during the day, 7 days per week, in its own Fortify docker container. The Fortify job also runs an SSC REST client I wrote which will create the projects in SSC if they don't already exist, so that we don't have to manually create projects every time a new repo is onboarded into our CI environment. To limit load we also use cloudscan. The Jenkins jobs do the translate and then send everything to cloudscan for scanning and uploading to SSC. We also have other Jenkins environments, and I run my own Jenkins environment and will set up jobs manually for things that aren't on our major CI environment but have a need to scan. We do not use development plugins or things of that nature since development teams traditionally won't use them.
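For the "pull every repo with recent changes, scan it, upload, move on" loop the question asks about, here is an added example of the orchestration, written for this thread and not code posted by either participant. It follows the answer above in doing the translate step inside the job, but uploads with `fortifyclient` rather than handing off to cloudscan, because the cloudscan invocation is not described in the thread. Assumptions, all of them placeholders: clones are already on disk, a repo counts as changed when `git log` finds a commit within the lookback window, and the `sourceanalyzer` and `fortifyclient` flag names are taken from the SCA and SSC command-line documentation (confirm them against the version you run; older fortifyclient builds used `-project`/`-version`). The SSC URL, repo paths and application names are constructed.

```python
"""Nightly "scan every clone that changed" loop. Added example for the thread
above, not code posted by anyone in it.

Assumptions (labelled): clones are already on disk; a repo counts as changed when
`git log` finds a commit inside the lookback window; translate/scan use
`sourceanalyzer` and the upload uses `fortifyclient`, with flag names taken from
the SCA and SSC command-line docs (confirm against the version you run). Paths,
names and the SSC URL are placeholders.
"""
import os
import shlex
import subprocess
from dataclasses import dataclass
from typing import Callable, Dict, List, Sequence

# Anything that runs a command in a directory; injectable so the loop can be
# exercised without Fortify installed.
Runner = Callable[[Sequence[str], str], subprocess.CompletedProcess]


def shell_runner(argv: Sequence[str], cwd: str) -> subprocess.CompletedProcess:
    return subprocess.run(list(argv), cwd=cwd, capture_output=True, text=True, check=False)


@dataclass
class Repo:
    path: str        # local clone
    build_cmd: str   # build that translate wraps, e.g. "mvn -q package" or "make"
    app: str         # SSC application name
    version: str     # SSC application version; the branch name works well here

    @property
    def build_id(self) -> str:
        # One build ID per clone so concurrent jobs never share intermediate files.
        return f"{self.app}-{self.version}".replace("/", "_")


def changed_since(repo: Repo, since: str, run: Runner = shell_runner) -> bool:
    """True when the clone has at least one commit within the lookback window."""
    res = run(["git", "log", "-1", f"--since={since}", "--format=%H"], repo.path)
    return res.returncode == 0 and res.stdout.strip() != ""


def plan(repo: Repo, fpr: str, ssc_url: str, token: str) -> List[List[str]]:
    """Clean, translate, scan, upload for one repo, in the order SCA expects."""
    b = repo.build_id
    return [
        ["sourceanalyzer", "-b", b, "-clean"],                      # drop stale intermediates
        ["sourceanalyzer", "-b", b, *shlex.split(repo.build_cmd)],  # translate via the real build
        ["sourceanalyzer", "-b", b, "-scan", "-f", fpr],            # analyse, write the FPR
        ["fortifyclient", "-url", ssc_url, "-authtoken", token, "uploadFPR",
         "-file", fpr, "-application", repo.app, "-applicationVersion", repo.version],
    ]


def scan_changed(repos: Sequence[Repo], since: str, ssc_url: str, token: str,
                 run: Runner = shell_runner) -> Dict[str, str]:
    """Walk every clone; scan and upload the ones with recent commits. On the first
    failing step record it and move on to the next repo instead of aborting the run."""
    outcome: Dict[str, str] = {}
    for repo in repos:
        if not changed_since(repo, since, run):
            outcome[repo.build_id] = "skipped"
            continue
        fpr = os.path.join(repo.path, f"{repo.build_id}.fpr")
        status = "uploaded"
        for argv in plan(repo, fpr, ssc_url, token):
            if run(argv, repo.path).returncode != 0:
                status = "failed: " + " ".join(argv[:3])
                break
        outcome[repo.build_id] = status
    return outcome


class RecordingRunner:
    """Dry-run stand-in: records each command, reports success, and pretends the
    clones listed in `changed` have fresh commits. Lets the loop run without SCA."""
    def __init__(self, changed: Sequence[str]):
        self.changed, self.calls = set(changed), []

    def __call__(self, argv: Sequence[str], cwd: str) -> subprocess.CompletedProcess:
        self.calls.append((list(argv), cwd))
        out = "deadbeef\n" if argv[0] == "git" and cwd in self.changed else ""
        return subprocess.CompletedProcess(list(argv), 0, out, "")


if __name__ == "__main__":
    # Constructed inventory; in a Jenkins job this would come from the SCM's repo list.
    inventory = [Repo("/src/payments", "mvn -q package", "payments", "release/2.3"),
                 Repo("/src/legacy", "make", "legacy", "master")]
    runner = RecordingRunner(changed=["/src/payments"]) if os.environ.get("DRY_RUN") else shell_runner
    print(scan_changed(inventory, "24 hours ago", "https://ssc.example.internal",
                       os.environ.get("SSC_TOKEN", ""), run=runner))
```

Run with `DRY_RUN=1` to see the exact command sequence without SCA installed; without it, set `SSC_TOKEN` to an SSC upload token rather than a user password. The build ID is derived from application and version so two branches of the same repo never reuse each other's intermediate files, and `-clean` runs first so a failed previous night cannot leak stale translation output into tonight's FPR.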
Yes, developers never use the plugin. The strategy is to automate the whole deployment process and eventually break builds based on some policy, after Fortify has been running for some time.
Data, or do not.
It sounds like your CI pipeline doesn't initiate any Fortify scanning during builds, but you have another Jenkins instance that ensures that everything built in the last 24 hours gets scanned nightly?
And you have a completely separate Jenkins instance that does Fortify scans on applications not in the CI pipeline?
I, too, have scripts both in and out of the pipeline process to handle creating projects in SSC, however I struggle to find a good way of knowing what permissions to give each project. (I'm trying to limit access to projects to only the developers who support them) How do you handle this?
With the release of 19.1, scan times have drastically increased. My CI team wants to pull Fortify out of the CI process and run the scans another way.
I would love to hear about other solutions that others have implemented for automating their Fortify scans.
We've heard of some increased times especially with JAVA and JAVA derivatives. Here are some notes:
- 19.1.x is more thorough and produces fewer false positives
- HOA is enabled by default
- Garbage collection could be an issue - ensure you are running 19.1.2 with the patch
- If you are using nodes, we scan each node and whatever it connects to. There is a switch in the properties file where this functionality can be disabled - see documentation.
Download the Fortify Static Code Analyzer (SCA) 19.1.2 patch from the links below.
Fortify Patch 19.1.2 Windows: https://softwaresupport.softwaregrp.com/doc/KM03492140
Fortify Patch 19.1.2 Linux: https://softwaresupport.softwaregrp.com/doc/KM03492129
For other platforms you can download the patches from the link below.