Contributor

Jenkins Fortify Assessment without SSC


Is it possible to view FPR results within Jenkins without uploading to SSC?

We have jobs configured to successfully clean, translate and scan Maven builds within Jenkins. We also have the Jenkins plugin installed, and it correctly identifies the FPR output files during the Post-Build steps. We've left the Application Name and Application Version fields blank to skip the upload to SSC, per the documentation.

Output:

Fortify Jenkins plugin v 18.10
Using FPR: file:/jenkins/workspace/JOB_NAME/project-name.fpr
Local FPR: /jenkins/workspace/JOB_NAME/project-name.fpr
FPR uploading was skipped. Some of the required settings are not specified: Application Name='', Application Version='', serverUrl='null', authenticationToken=''

However, viewing the Fortify Assessment for the build does not show any results. Is it required to upload to SSC to see results in Jenkins?

From the Jenkins_Plugin_Guide_18.10.pdf:

"It also provides metrics for each build and an overview of the results, without the need to connect to Fortify Software Security Center."

Accepted Solution
Micro Focus Frequent Contributor

Hi,

You must have a connection to SSC and upload the FPR to SSC in order to see the results in Jenkins.

I updated the documentation in version 18.20. This statement was changed slightly to make it more accurate: "It also provides metrics for each build and an overview of the results, without the need to log into Fortify Software Security Center."

In addition, the following information was added in a section called "Viewing Analysis Results" - "If you uploaded Fortify Static Code Analyzer results to Micro Focus Fortify Software Security Center, you can view a security vulnerability graph for your project and a summary of the issues from Jenkins."

8 Replies
Contributor

Hi,

When the scan is completed in Jenkins and the report is uploaded, it asks for manual approval of artifacts in SSC. I don't want to approve it manually every time, as I want to automate it. Can you please suggest how I can do it?

Micro Focus Expert

Hi,

A manual approval may be required when there is a violation of one or more processing rule(s) configured for the Application Version (Project Version).

Based on the approval request, appropriate action needs to be taken.

For more on processing rules, refer to the section "Setting Analysis Results Processing Rules for Application Versions" in the SSC User Guide.

Once it's taken care of, there will not be a need to manually intervene.

Regards,
Tejesh Chandra K H

Respected Contributor

Go to your application's Profile and then in to Processing Rules. Turn off the ones that require approval.

Contributor

Hey, in my case even when I turned it off, it is still asking.

Contributor

Karene - thank you for clarifying the SSC requirement and updating the documentation.

New Member

Has someone done any testing using Fortify for .NET applications with Jenkins? I'm having problems building the application. The errors are:

[error]: No valid input files were specified.
[error]: Unable to load build session with ID "fortify_build".
[error]: Unable to load build session with ID "fortify_build".

Micro Focus Frequent Contributor

Hi Alain,

It would be better for you to get an answer to your question if you create a new question. As it is, it looks like a comment and doesn't show that no one has responded.

This problem (error) you are reporting has occurred when the Jenkins build process is running sourceanalyzer as the “local system” account. If the same solution is run using a user account, the translate step works correctly.

Another possible cause of the error is in the fortify.properties file and fortify-sca.properties file: the paths used must be written with forward slashes (/example/path) for the Windows installation. If you enter <C:\path\to\working\dir>, the backslashes escape the colon, causing the working directory to not be written.

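As an added illustration of the backslash problem described in the reply above (this is example code, not from the thread and not part of the Fortify product): fortify.properties and fortify-sca.properties are read in Java .properties format, in which a backslash starts an escape sequence. The script below decodes a value the way java.util.Properties.load does, flags Windows paths written with backslashes, and shows both what such a value actually loads as and the forward-slash form to use instead. The sample file and the property keys in it are constructed for illustration; confirm the keys against your own installation.

```python
"""Lint a Fortify-style .properties file for Windows paths written with backslashes.

Added example, not part of the forum thread or of the Fortify product. Java's
Properties.load treats a backslash as an escape character: \\t \\n \\r \\f and
\\uXXXX are translated, and any other escaped character is kept as the bare
character, so the backslash itself vanishes. A path like C:\\temp\\sca.log
therefore loads with a TAB in it, which is why forward slashes are recommended.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample fragment -- not a real Fortify config. The property
# keys are assumptions used for illustration; check your install for the real ones.
SAMPLE_PROPERTIES = """\
# constructed sample
com.fortify.WorkingDirectory=C:\\Fortify\\working\\dir
com.fortify.sca.ProjectRoot=C:/Fortify/sca/project
com.fortify.sca.LogFile=C:\\temp\\sca.log
"""

_JAVA_ESCAPES = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}
_WINDOWS_PATH = re.compile(r"^[A-Za-z]:\\")


def java_properties_decode(raw: str) -> str:
    """Decode a property value the way java.util.Properties.load does."""
    out: List[str] = []
    i = 0
    while i < len(raw):
        ch = raw[i]
        if ch == "\\" and i + 1 < len(raw):
            nxt = raw[i + 1]
            if nxt == "u" and i + 5 < len(raw):
                # \uXXXX unicode escape
                out.append(chr(int(raw[i + 2 : i + 6], 16)))
                i += 6
                continue
            # Known escape -> control char; anything else -> the bare char.
            out.append(_JAVA_ESCAPES.get(nxt, nxt))
            i += 2
            continue
        out.append(ch)
        i += 1
    return "".join(out)


def parse_properties(text: str) -> List[Tuple[str, str]]:
    """Return (key, raw_value) pairs, skipping blank lines and comments."""
    pairs: List[Tuple[str, str]] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        pairs.append((key.strip(), value.strip()))
    return pairs


def find_backslash_paths(text: str) -> List[Dict[str, str]]:
    """Flag values that look like Windows paths written with backslashes.

    For each finding, report what Java would actually load and the fixed value
    (same path with forward slashes, which Fortify accepts on Windows).
    """
    findings: List[Dict[str, str]] = []
    for key, raw in parse_properties(text):
        if _WINDOWS_PATH.match(raw):
            findings.append(
                {
                    "key": key,
                    "written": raw,
                    "loaded_as": java_properties_decode(raw),
                    "fix": raw.replace("\\", "/"),
                }
            )
    return findings


if __name__ == "__main__":
    for f in find_backslash_paths(SAMPLE_PROPERTIES):
        print(f"{f['key']}: written {f['written']!r}, "
              f"loaded as {f['loaded_as']!r}, use {f['fix']!r}")
```

Running the script against a real fortify.properties or fortify-sca.properties (read the file contents and pass them to find_backslash_paths) lists every path that would be silently mangled on load, so the check can run as a Jenkins pre-build step before sourceanalyzer is invoked.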