Respected Contributor

Fortify Scanning Implementation Options?

Obviously, we can give Fortify SCA to all of our developers and ask them to scan their code, but we all know we can't trust them to do it consistently (and sometimes, not at all). We can also add a hook into the build server to have every automated build get scanned. I've got both of those options up and running, but I know there is more code out there that isn't being scanned. Some things don't go through the build server. Or the build server is only configured to scan Java code and not anything else.

Has anybody set anything up where they basically have Fortify run against every code repo in the source code repository? Maybe script something that pulls a repo branch down that has recent changes, runs it against Fortify, uploads the results, and moves on to the next repo branch? If so, can you describe your setup? Is this a good idea?

Honored Contributor

We have one major CI pipeline. This pipeline is configured to automatically build projects each time there is a check-in in BitBucket. We also have some logic that says if a project compiles during the day, then initiate a separate scan job for Fortify. The Fortify job runs nightly for every repo that compiled during the day, 7 days per week, in its own Fortify Docker container. The Fortify job also runs an SSC REST client I wrote which will create the projects in SSC if they don't already exist, so that we don't have to manually create projects every time a new repo is onboarded into our CI environment. To limit load we also use CloudScan. The Jenkins jobs do the translate and then send everything to CloudScan for scanning and uploading to SSC. We also have other Jenkins environments, and I run my own Jenkins environment and will set up jobs manually for things that aren't on our major CI environment but have a need to scan. We do not use development plugins or things of that nature, since development teams traditionally won't use them.

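The "walk every repo, scan what changed, upload, move on" job asked about in the original post, and the nightly translate/scan/upload-with-auto-created-SSC-projects flow described in the reply above, as an added example. This is not code from the thread or from Fortify; it assumes you already have a list of repo/branch records with their last-commit times (from your Git server's API or `git log -1 --format=%cI`), `sourceanalyzer` and `fortifyclient` on PATH, and an SSC token. The SSC endpoints and the `FortifyToken` header follow the SSC REST API; the `q=` filter syntax and the `Prioritized-HighRisk-Project-Template` name are assumptions to check against your own SSC. Repo URLs and hostnames are made up.

```python
"""Nightly "scan what changed" driver for Fortify SCA + SSC. Added example, not
code from this thread. Assumed: a list of repo/branch records with last-commit
times, sourceanalyzer and fortifyclient on PATH, an SSC token. SSC endpoints and
the FortifyToken header follow the SSC REST API; q= filter syntax is assumed."""
import json, shutil, subprocess
import urllib.error, urllib.parse, urllib.request
from datetime import datetime, timedelta, timezone
from pathlib import Path

SCAN_WINDOW = timedelta(hours=24)  # "changed during the day" is scanned tonight

def select_branches(branches, now, window=SCAN_WINDOW):
    """Only branches with a commit inside the window; untouched ones are skipped."""
    return [b for b in branches if now - b["last_commit"] <= window]

def repo_name(repo_url):
    name = repo_url.rstrip("/").rsplit("/", 1)[-1]
    return name[:-4] if name.endswith(".git") else name

def build_id_for(repo_url, branch):
    """Stable per repo+branch: -clean, translate and -scan must share one build ID."""
    return "".join(c if c.isalnum() else "_" for c in f"{repo_name(repo_url)}-{branch}")

def sca_commands(build_id, fpr_path, build_cmd=("mvn", "clean", "package", "-DskipTests")):
    """Clean old state, translate by wrapping the real build, scan into an FPR."""
    return [["sourceanalyzer", "-b", build_id, "-clean"],
            ["sourceanalyzer", "-b", build_id, *build_cmd],
            ["sourceanalyzer", "-b", build_id, "-scan", "-f", str(fpr_path)]]

def upload_command(ssc_url, token, fpr_path, app, version):
    return ["fortifyclient", "uploadFPR", "-url", ssc_url, "-authtoken", token,
            "-file", str(fpr_path), "-application", app, "-applicationVersion", version]

class SscClient:
    """Find an SSC application version; create and commit it if it is missing."""
    def __init__(self, base_url, token, opener=None):
        self.base, self.token = base_url.rstrip("/") + "/api/v1", token
        self.opener = opener or urllib.request.build_opener()  # injectable for tests

    def _call(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base + path, data=data, method=method)
        req.add_header("Authorization", "FortifyToken " + self.token)
        req.add_header("Accept", "application/json")
        if data is not None:
            req.add_header("Content-Type", "application/json")
        with self.opener.open(req) as resp:
            return json.load(resp)["data"]  # SSC wraps payloads in {"data": ...}

    def find_version(self, app, version):
        q = urllib.parse.quote(f'name:"{app}"')  # assumed filter syntax
        for project in self._call("GET", f"/projects?q={q}"):
            for pv in self._call("GET", f"/projects/{project['id']}/versions"):
                if pv["name"] == version:
                    return pv["id"]
        return None

    def ensure_version(self, app, version, template="Prioritized-HighRisk-Project-Template"):
        pv_id = self.find_version(app, version)
        if pv_id is not None:
            return pv_id
        created = self._call("POST", "/projectVersions", {
            "name": version, "active": True, "committed": False,
            "project": {"name": app, "issueTemplateId": template},
            "issueTemplateId": template})
        # Set attributes your SSC marks required (PUT .../attributes) before this;
        # uploads to an uncommitted version are rejected.
        self._call("PUT", f"/projectVersions/{created['id']}", {"committed": True})
        return created["id"]

def run_nightly(branches, ssc_url, token, workdir, now=None):
    """Clone, translate, scan and upload every recently changed branch; a broken
    repo is recorded and skipped so one failure does not stop the run."""
    now = now or datetime.now(timezone.utc)
    ssc, failures = SscClient(ssc_url, token), []
    for b in select_branches(branches, now):
        app, version = repo_name(b["repo"]), b["branch"]
        build_id = build_id_for(b["repo"], version)
        src, fpr = Path(workdir) / build_id, Path(workdir) / f"{build_id}.fpr"
        try:
            shutil.rmtree(src, ignore_errors=True)
            subprocess.run(["git", "clone", "--depth", "1", "--branch", version,
                            b["repo"], str(src)], check=True)
            for cmd in sca_commands(build_id, fpr):
                subprocess.run(cmd, cwd=src, check=True)
            ssc.ensure_version(app, version)
            subprocess.run(upload_command(ssc_url, token, fpr, app, version), check=True)
        except (subprocess.CalledProcessError, urllib.error.HTTPError) as exc:
            failures.append((build_id, str(exc)))
    return failures

def sample_branches():
    """Constructed sample input (not real repos) with a fixed 'now'."""
    now = datetime(2019, 9, 2, 1, 0, tzinfo=timezone.utc)
    return [{"repo": "https://git.example/payments.git", "branch": "master",
             "last_commit": now - timedelta(hours=5)},
            {"repo": "https://git.example/payments.git", "branch": "feature/jwt",
             "last_commit": now - timedelta(hours=20)},
            {"repo": "https://git.example/legacy-portal", "branch": "master",
             "last_commit": now - timedelta(days=30)}], now
```

Run `run_nightly(branches, "https://ssc.example/ssc", token, "/var/fortify/work")` from a cron entry or a single Jenkins job; the returned list of failures is what you page on. The build command is a Maven placeholder, so each repo type needs its own translate step (or a per-repo build file). To hand the scan to CloudScan/ScanCentral as the reply above does, keep the `-clean` and translate commands and replace the `-scan` step with a CloudScan submission as documented for your version. The token used here must have the SSC permissions to create application versions and upload; this example does not touch per-project user access.

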
Honored Contributor

Yes, developers never use the plugin. The strategy is to automate the whole deployment process and, eventually, break builds based on some policy after some time with Fortify running.


Data, or do not.
Respected Contributor

It sounds like your CI pipeline doesn't initiate any Fortify scanning during builds, but you have another Jenkins instance that ensures that everything built in the last 24 hours gets scanned nightly?

And you have a completely separate Jenkins instance that does Fortify scans on applications not in the CI pipeline?

I, too, have scripts both in and out of the pipeline process to handle creating projects in SSC; however, I struggle to find a good way of knowing what permissions to give each project (I'm trying to limit access to projects to only the developers who support them). How do you handle this?

Respected Contributor

Bump.

With the release of 19.1, scan times have drastically increased. My CI team wants to pull Fortify out of the CI process and run the scans another way.

I would love to hear about other solutions that others have implemented for automating their Fortify scans.

Respected Contributor

I have also heard about an increase in scanning time with SCA 19.10, but I personally didn't observe it, as we are using microservices.

Micro Focus Expert

We've heard of some increased times, especially with Java and Java derivatives. Here are some notes:

  • 19.1.x is more thorough and produces fewer false positives
  • HOA is enabled by default
  • Garbage collection could be an issue - ensure you are running 19.1.2 with the patch
  • If you are using nodes, we scan each node and whatever it connects to. There is a switch in the properties file where this functionality can be disabled - see documentation.
Respected Contributor

Download Fortify Static Code Analyzer (SCA) 19.1.2 from the links below.

Fortify Patch 19.1.2 Windows: https://softwaresupport.softwaregrp.com/doc/KM03492140

Fortify Patch 19.1.2 Linux: https://softwaresupport.softwaregrp.com/doc/KM03492129


For other platforms you can download the patches from the link below.

https://softwaresupport.softwaregrp.com/document?doctype=patches 

The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.