
Jenkins Configuration with Fortify Steps
Hi,
I am new to Fortify and am trying to configure Fortify with Jenkins. I followed HP_Fortify_Jenkins_Plugin_TN_4.30.pdf, created a job in Jenkins and executed it. It's failing.
I feel I am missing some steps.
Can anyone help me with how to set up Fortify with Jenkins? Do I need to write any Ant script for Fortify? If anyone knows, please provide me the detailed steps.

Hi Chiranjeevi,
What exactly is failing?
Because first you have to make sure the sourceanalyzer is working fine and generating the corresponding .fpr.
If your project is Java, there is a Maven plugin to help build and scan the project.
When you set up the plugin properly, it's possible to see the list of projects and versions.
Can you see the whole list of projects and versions in the "HP Fortify Assessment" section inside the Jenkins job?

I am using JAVA/J2EE and TIBCO projects. We have a Jenkins build & deploy setup with Ant.
I followed the document but it's still failing. Can you please give me the detailed steps?
Regards,
Chiranjeevi

Chiranjeevi,
The overall process you want to follow is illustrated in the diagram below.
In terms of actual implementation and integration into your build environment, this will depend on the build system used. There are detailed Ant implementation notes in the SCA Users guide. If you're using Maven, refer to this:
For a lot of my projects, I create a freestyle build in Jenkins. I then add multiple build steps in the job configuration. This may call out to the various Ant targets or Maven goals. I'll have a build step to clean, sca clean, sca translate, and sca scan.

My setup is a little different; I will try to describe the steps I took.
We use the Pipeline Jenkins plugin, so the job responsible for building the project is still the same.
- Install the fortify_sca_and_apps on your Jenkins machine.
- Add a new job, after the build, to run the source analyzer.
  - You can get more details on how to do it with Ant in HP_Fortify_SCA_User_Guide_4.30.pdf, page 57.
- To configure the Jenkins plugin:
  - First, create a new token type on the SSC server:
    - tomcatForSSC/webapps/ssc/WEB-INF/internal/serviceContext.xml
    - Copy and paste the code block from HP_Fortify_Jenkins_Plugin_TN_4.30.pdf
    - You have to stop and start the SSC server
  - Create a new token using this new type:
    - fortifyclient token -gettoken JenkinsToken -daysToLive 365 -url <ssc_url>/ssc -user <user_with_appropriate_credentials>
  - Ask the Jenkins administrator to install the plugin (fortifyJenkins.hpi) that comes with the Fortify 4.30 media.
  - Before using the actions provided by this plugin, the Jenkins administrator needs to configure it with the following parameters (in Jenkins->Manage Jenkins->Configure System):
    - SSC URL: <ssc_url>/ssc
    - Authentication Token: the token previously generated
    - Project Template: set your preferred project template
  - Now, in the same job that runs the sourceanalyzer, go to the Post Build Actions section and add a new one of type: HP Fortify Assessment
    - FPR Filename: define the path where the sourceanalyzer puts the resulting fpr (in my case I left this field blank, so the plugin looks in the current directory and subdirectories)
    - Fail Condition: in my case, any critical or high issue will fail the job.
      - [fortify priority order]:critical [fortify priority order]:high
    - Project Name: this select box will be filled with projects from your SSC
    - Project Version: the same, but for versions related to the selected Project Name
I hope this helps you.
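
The sca clean, sca translate and sca scan build steps mentioned in the replies above, combined into one Jenkins shell build step that also confirms a fresh .fpr exists before the HP Fortify Assessment post-build action searches for it. This is an added example, not code from the thread or from Fortify; the function name run_sca, the SCA_BIN variable, the build ID, the FPR path and the source specifier are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. SCA_BIN, the build ID, the source
# specifier and the FPR path are assumptions; adjust them to your job.
SCA_BIN="${SCA_BIN:-sourceanalyzer}"

# run_sca BUILD_ID FPR_PATH TRANSLATE_ARGS...
# Returns 0 on success, or 1-4 naming the phase that failed.
run_sca() {
    local build_id="$1" fpr="$2"
    shift 2

    # 1. sca clean: drop intermediate files from an earlier run of this build ID.
    "$SCA_BIN" -b "$build_id" -clean || { echo "SCA clean failed" >&2; return 1; }

    # 2. sca translate: remaining arguments are passed through (sources, -cp ...).
    "$SCA_BIN" -b "$build_id" "$@" || { echo "SCA translate failed" >&2; return 2; }

    # Remove any FPR left by a previous build, so an old result file cannot be
    # picked up by the post-build action when this scan fails.
    rm -f -- "$fpr"

    # 3. sca scan: analyse the translated code and write the FPR.
    "$SCA_BIN" -b "$build_id" -scan -f "$fpr" || { echo "SCA scan failed" >&2; return 3; }

    # 4. Confirm the scan produced a non-empty FPR before the upload step runs.
    [ -s "$fpr" ] || { echo "no FPR at $fpr" >&2; return 4; }
    echo "FPR ready: $fpr"
}

# Typical call from the Jenkins step (values are placeholders):
#   run_sca "$JOB_NAME" "$WORKSPACE/scan.fpr" "src/**/*.java" || exit $?
```

A non-zero return fails the build step, so the job stops before the post-build action can upload a missing or outdated result file.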


How can I restrict the number of issues?

Thank you very much for your information. I will follow the steps and get back to you in 2-3 days.