Absent Member.

Jenkins Configuration with Fortify Steps

Hi,

I am new to Fortify, trying to configure Fortify with Jenkins. I followed HP_Fortify_Jenkins_Plugin_TN_4.30.pdf, created a job in Jenkins and executed it. It's failing.

I feel I am missing some steps.

Can anyone help me with how to set up Fortify with Jenkins? Do I need to write any Ant script for Fortify? If anyone knows, please provide the detailed steps.

6 Replies
Cadet 1st Class

Hi Chiranjeevi,

What exactly is failing?

Because first you have to make sure sourceanalyzer is working fine and generating the corresponding .fpr.

If your project is Java, there is a Maven plugin to help build and scan the project.

When you set up the plugin properly, it's possible to see the list of projects and versions.

Can you see the whole list of projects and versions in the "HP Fortify Assessment" section inside the Jenkins job?

Absent Member.

I am using Java/J2EE and TIBCO projects. We have a Jenkins build & deploy setup with Ant.

I followed the document but it's still failing. Can you please give me the detailed steps?

Regards,

Chiranjeevi

Commodore

Chiranjeevi,

The overall process you want to follow is illustrated in the diagram below.

[Image: Fortify-SCA-Flow.png]

In terms of actual implementation and integration into your build environment, this will depend on the build system used. There are detailed Ant implementation notes in the SCA Users guide. If you're using Maven, refer to this:

https://protect724.hp.com/community/fortify/blog/2015/01/07/sca-maven-plugin-managing-source-dependencies

For a lot of my projects, I create a freestyle build in Jenkins. I then add multiple build steps in the job configuration. This may call out to the various Ant targets or Maven goals. I'll have a build step to clean, sca clean, sca translate, and sca scan.

Cadet 1st Class

My setup is a little different; I will try to describe the steps I took.

We use the Jenkins Pipeline plugin, so the job responsible for building the project stays the same.

  • Install the fortify_sca_and_apps on your Jenkins machine.
  • Add a new job, after the build, to run the source analyzer.
    • You can get more details on how to do it with Ant in HP_Fortify_SCA_User_Guide_4.30.pdf, page 57.
  • To configure the Jenkins plugin:
    • First, create a new token type on the SSC server:
      • tomcatForSSC/webapps/ssc/WEB-INF/internal/serviceContext.xml
      • Copy and paste the code block from HP_Fortify_Jenkins_Plugin_TN_4.30.pdf
      • You have to stop and start the SSC server.
    • Create a new token using this new type:
      • fortifyclient token -gettoken JenkinsToken -daysToLive 365 -url <ssc_url>/ssc -user <user_with_appropriate_credentials>
  • Ask the Jenkins administrator to install the plugin (fortifyJenkins.hpi) that comes with the Fortify 4.30 media.
  • Before using the actions provided by this plugin, the Jenkins administrator needs to configure it with the following parameters (in Jenkins->Manage Jenkins->Configure System):
    • SSC URL: <ssc_url>/ssc
    • Authentication Token: the token previously generated
    • Project Template: set your preferred project template

[Screenshot: Captura de Tela 2015-09-17 às 11.37.24.png]

  • Now, in the same job that runs sourceanalyzer, go to the Post Build Actions section and add a new one of type HP Fortify Assessment:
    • FPR Filename: define the path where sourceanalyzer puts the resulting .fpr (in my case I left this field blank, so the plugin searches the current directory and its subdirectories)
    • Fail Condition: in my case, any critical or high issue will fail the job.
      • [fortify priority order]:critical [fortify priority order]:high
    • Project Name: this select box will be filled with projects from your SSC
    • Project Version: the same, but for versions related to the selected Project Name

[Screenshot: Captura de Tela 2015-09-17 às 11.50.55.png]

I hope this helps you.

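The clean, translate and scan sequence that the Ant build steps described earlier and the "run the source analyzer" job above both rely on, written out as a Jenkins "Execute shell" build step. This is an added example, not code from the thread or from HP/Micro Focus: the sourceanalyzer options used (-b, -clean, -cp, -scan, -f) are standard SCA command-line options, while the environment variable names, their defaults, the DRY_RUN switch and the use of explicit source globs instead of the Ant integration from the user guide are assumptions of this example.

```shell
#!/bin/sh
# Jenkins "Execute shell" build step for an Ant-built Java project: runs the
# SCA clean -> translate -> scan sequence and leaves the .fpr in the workspace
# for the "HP Fortify Assessment" post-build action to find.
# Assumed (hypothetical) environment: FORTIFY_BUILD_ID (SCA build id shared by
# all phases, defaults to the Jenkins JOB_NAME), SRC_DIR, CLASSPATH_DIR, and
# DRY_RUN=1 to print the commands instead of running them.
set -eu

BUILD_ID="${FORTIFY_BUILD_ID:-${JOB_NAME:-myapp}}"
SRC_DIR="${SRC_DIR:-src}"
CLASSPATH_DIR="${CLASSPATH_DIR:-lib}"

# Where the scan writes its results; computed on demand so BUILD_ID overrides apply.
fpr_path() { printf '%s\n' "${WORKSPACE:-.}/${BUILD_ID}.fpr"; }

# Execute a command, or echo it when DRY_RUN=1 so the sequence can be inspected.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Phase 1: drop intermediate files from earlier runs of this build id, otherwise
# stale translations of deleted or renamed sources leak into the new scan.
sca_clean() { run sourceanalyzer -b "$BUILD_ID" -clean; }

# Phase 2: translate the sources. The glob patterns are quoted on purpose:
# sourceanalyzer expands "**" itself. The same -b value ties this to the scan.
sca_translate() {
    run sourceanalyzer -b "$BUILD_ID" -cp "$CLASSPATH_DIR/*.jar" "$SRC_DIR/**/*.java"
}

# Phase 3: analyse the translated code and write the FPR the plugin will read.
# A missing or empty FPR is the first thing to check when the job "just fails".
sca_scan() {
    fpr="$(fpr_path)"
    run sourceanalyzer -b "$BUILD_ID" -scan -f "$fpr"
    if [ "${DRY_RUN:-0}" != "1" ] && [ ! -s "$fpr" ]; then
        echo "scan finished but $fpr is missing or empty" >&2
        return 1
    fi
    printf '%s\n' "$fpr"
}

# Full sequence; its last output line is the FPR path.
fortify_pipeline() { sca_clean && sca_translate && sca_scan; }

# The Jenkins build step invokes this as: sh fortify-sca.sh run
if [ "${1:-}" = "run" ]; then fortify_pipeline; fi
```

Leave the plugin's FPR Filename field blank or point it at the path the script prints; the fail condition on critical and high issues is then applied by the post-build action, not by the script.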
Cadet 1st Class

How can I restrict the number of issues?

Absent Member.

Thank you very much for your information. I will follow the steps and get back to you in 2-3 days.
