cromine Contributor.

Jenkins Fortify Assessment without SSC

Is it possible to view FPR results within Jenkins without uploading to SSC?

We have jobs configured to successfully clean, translate and scan maven builds within Jenkins. We also have the Jenkins plugin installed and it correctly identifies the FPR output files during Post-Build steps. We've left the Application Name and Application Version fields blank to skip the upload to SSC per documentation.

Output:

Fortify Jenkins plugin v 18.10
Using FPR: file:/jenkins/workspace/JOB_NAME/project-name.fpr
Local FPR: /jenkins/workspace/JOB_NAME/project-name.fpr
FPR uploading was skipped. Some of the required settings are not specified: Application Name='', Application Version='', serverUrl='null', authenticationToken=''

However, viewing the Fortify Assessment for the build does not show any results. Is it required to upload to SSC to see results in Jenkins?

From the Jenkins_Plugin_Guide_18.10.pdf:

"It also provides metrics for each build and an overview of the results, without the need to connect to Fortify Software Security Center."


Accepted Solutions
Micro Focus Frequent Contributor

Re: Jenkins Fortify Assessment without SSC

Hi,

You must have a connection to SSC and upload the FPR to SSC in order to see the results in Jenkins.

I updated the documentation in version 18.20. This statement was changed slightly to make it more accurate: "It also provides metrics for each build and an overview of the results, without the need to log into Fortify Software Security Center."

In addition, the following information was added in a section called "Viewing Analysis Results" - "If you uploaded Fortify Static Code Analyzer results to Micro Focus Fortify Software Security Center, you can view a security vulnerability graph for your project and a summary of the issues from Jenkins."

 

Ravi Golla Contributor.

Re: Jenkins Fortify Assessment without SSC

Hi,

When the scan is completed in Jenkins and the report is uploaded, it asks for manual approval of artifacts in SSC. I don't want to approve it manually every time, as I want to automate it. Can you please suggest how I can do it?

Micro Focus Expert

Re: Jenkins Fortify Assessment without SSC

Hi,

A manual approval may be required when there is a violation of one or more processing rule(s) configured for the Application Version (Project Version).

Based on the approval request, appropriate action needs to be taken.

For more on processing rules, refer to the section "Setting Analysis Results Processing Rules for Application Versions" in the SSC User Guide.

Once it's taken care of, there will not be a need to manually intervene.

Regards,
Tejesh Chandra K H

dgarozzo Trusted Contributor.

Re: Jenkins Fortify Assessment without SSC

Go to your application's Profile and then into Processing Rules. Turn off the ones that require approval.

srchavali Member.

Re: Jenkins Fortify Assessment without SSC

Hey, in my case, even when I turned it off, it is still asking.

cromine Contributor.

Re: Jenkins Fortify Assessment without SSC

Karene - thank you for clarifying the SSC requirement and updating the documentation.
