Jenkins Plugin for Fortify SCA/SSC to automatically upload projects (2019)


Set up the new Jenkins plugin for Fortify SCA (static on-premise scans) for your pipeline builds. Learn how to set up a pipeline with Fortify tasks (clean, scan, translate, update, or upload).
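As an added example (not the plugin's own documentation and not the video's script), here is a declarative Jenkinsfile that wires the five Fortify steps in the order the video walks through: clean, rulepack update, translate, scan, and upload with a build-failure criterion. The step names `fortifyClean`, `fortifyUpdate`, `fortifyTranslate`, `fortifyScan`, `fortifyUpload`, the `fortifyJava` translation type and their parameter names are assumed from the plugin's Pipeline Syntax generator; confirm them there for your plugin version before relying on them. The application name, version, build ID, file paths, Java version and search string are placeholders.

```groovy
// Added example: a Jenkinsfile for the Fortify SCA/SSC plugin (assumed step and parameter names;
// generate the authoritative snippet from Pipeline Syntax > Snippet Generator in your Jenkins).
//
// Nothing secret lives in this file: FORTIFY_HOME, the SSC URL and the SSC authentication
// token are configured once under Manage Jenkins > Configure System (Fortify Assessment),
// so a developer reading the pipeline never sees the token.
pipeline {
    agent any

    environment {
        // Placeholder build ID shared by clean, translate and scan so they
        // operate on the same SCA intermediate files.
        SCA_BUILD_ID = 'webapp'
    }

    stages {
        stage('Fortify clean') {
            steps {
                // Remove stale intermediate files from earlier translations.
                fortifyClean buildID: env.SCA_BUILD_ID, logFile: 'webapp-clean.log'
            }
        }
        stage('Fortify update rulepacks') {
            steps {
                // Pull current Secure Coding Rulepacks before translating.
                // URL is a placeholder for whatever update server you use.
                fortifyUpdate updateServerURL: 'https://update.fortify.com'
            }
        }
        stage('Fortify translate') {
            steps {
                // Turn source into SCA intermediate files (the "translation options"
                // in the video). Paths and Java version are placeholders.
                fortifyTranslate buildID: env.SCA_BUILD_ID,
                    logFile: 'webapp-translate.log',
                    projectScanType: fortifyJava(
                        javaVersion: '11',
                        javaSrcFiles: 'src/main/java/**/*.java',
                        javaClasspath: 'target/lib/*.jar'),
                    excludeList: 'src/test/**/*.java'
            }
        }
        stage('Fortify scan') {
            steps {
                // Run the analysis and write the FPR that the next stage uploads.
                fortifyScan buildID: env.SCA_BUILD_ID,
                    logFile: 'webapp-scan.log',
                    resultsFile: 'webapp.fpr'
            }
        }
        stage('Fortify upload') {
            steps {
                // Upload to the SSC application version, then poll SSC until the
                // artifact is processed and evaluate the failure criterion.
                // failureCriteria accepts an SSC issue search string: if the same
                // query returns hits in the SSC UI for this version, the build is
                // marked unstable. Other valid searches include
                // '[fortify priority order]:high' or 'audited:false'.
                fortifyUpload appName: 'webapp',
                    appVersion: '1.0',
                    resultsFile: 'webapp.fpr',
                    filterSet: 'Quick View',
                    failureCriteria: 'category:"Path Manipulation"',
                    pollingInterval: 1   // minutes between SSC status checks
            }
        }
    }

    post {
        always {
            // Keep the FPR with the build so the Fortify Assessment view and
            // a manual audit can refer back to the exact artifact.
            archiveArtifacts artifacts: 'webapp.fpr, webapp-*.log', allowEmptyArchive: true
        }
    }
}
```

Two practical points follow from how the plugin behaves in the video. First, a failed criterion marks the build unstable rather than failed, so any downstream gate (a deploy stage, a merge check) has to test for `currentBuild.result == 'UNSTABLE'` explicitly. Second, the SSC token shown in the video is displayed only once and is stored in the Jenkins global configuration, so treat rotation of that token as part of routine credential hygiene and re-run Test Connection after rotating it.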

Micro Focus® Fortify Static Code Analyzer (SCA) pinpoints the root cause of security vulnerabilities in the source code, prioritizes the most serious issues, and provides detailed guidance on how to fix them so developers can resolve issues in less time with centralized software security management.

Fortify Software Security Center (SSC) is a centralized management repository that provides security managers and program administrators with visibility into their entire application security testing program. In addition to the new Fortify Jenkins plugin, SSC updates include:
- SSC scan processing now up to 30% faster
- Automated, machine-assisted predictions with Audit Assistant
- Integrated security training in SSC with Secure Code Warrior

Jenkins is the leading open source automation server; it provides hundreds of plugins to support building, deploying, and automating any project. Learn more: https://jenkins.io/

LEARN MORE about Fortify: https://software.microfocus.com/en-us

LEARN MORE about how Micro Focus was named a leader in the 2019 Gartner MQ for Application Security Testing: https://software.microfocus.com/en-us

SUBSCRIBE TO FORTIFY UNPLUGGED: @fortifyunplugged

CONTACT US: https://www.microfocus.com/en-us/prod


Content

3.89 -> Hi, my name is Jimmy Rabon. I'm the Fortify product manager and I'm here
7.98 -> today to show the new Fortify Jenkins plugin and specifically highlight the
12.509 -> new native pipeline support that we've added. If you go to Jenkins, Manage
18.9 -> Jenkins, and Manage Plugins, you'll be able to search for the word Fortify on
27.119 -> the Available tab. So simply type Fortify here and, if you don't (I already have it
31.47 -> installed), it will show up and allow you to install it directly from the
35.52 -> marketplace. All the code is open sourced and hosted on GitHub now, and it is
40.14 -> distributed exclusively through the Jenkins marketplace. Once it is installed,
45.48 -> you will come here and you'll see the Fortify plugin has been installed in
51.27 -> the specific version that we've installed here. Once it's installed, we
55.62 -> just have a couple of basic configuration steps. So if we go to Manage Jenkins and
60.57 -> Configure System, you will see I've created a Fortify home environment
66.659 -> variable to tell Jenkins where Fortify is installed;
71.939 -> that's the Static Code Analyzer (SCA) product that's going to run the scan. And at
77.009 -> the bottom here you'll see Fortify Assessment. We need to tell it where
80.79 -> Software Security Center's URL is, where we are going to be uploading the result
84.81 -> file, and, if we're going to be doing build failure, where that information is coming
88.53 -> from. This is the token that you create in Software Security Center. You can do
94.439 -> that by coming to Administration, Users and Token, and if you click New you'll
100.409 -> see we have a Jenkins token type you can select, right, and if you do that you will
108.6 -> get a copy of your decoded token value that you can use with the Jenkins
112.92 -> plugin. Do take note of this: it's only presented to you one time, though it is
117.03 -> easy to delete or create a new token if you need to. So if we go back to Jenkins,
123.299 -> once that's set you can click Advanced and Test Connection and see that the
128.849 -> connection is successful. We are using the default issue template, the
132.48 -> Prioritized Risk; that is the, you know, default template
135.97 -> that most of you are familiar with, but you can use any custom template if you'd
139.75 -> like. And if we go back, let's go back to our main dashboard in
147.28 -> Jenkins and look at a sample project that I've configured. So if we look here at
154.83 -> Pipeline, here is our pipeline script, and here are specific Fortify tasks. So how
161.56 -> did I know how to write these? Specifically, I used the Pipeline Syntax
166.24 -> generator. I can choose any of the Fortify steps: clean, scan, translate,
172.3 -> update, or upload. All of them have input boxes to select your options, and then
177.4 -> when we click Generate Code it will generate the appropriate code that we
181.48 -> need to paste into the syntax file. So if we were to look at one of these tasks,
185.8 -> you know, we can put in our test application version, the name of our
191.35 -> result file, write anything that we wanted to do in terms of build failure.
196.18 -> If we wanted to say something like, you know, category is Path Manipulation,
201.519 -> all right, this works with anything in the SSC search criteria. So
207.16 -> you'll see here, you can go to SSC and basically, if you can search for it in
212.38 -> an application version, then you can paste that search value here and that
216.85 -> will query the result endpoint and see if that issue is present and
222.04 -> therefore fail the build. So once you've done that you can say Generate Pipeline
226.33 -> Script and there you go, that's what you need for Fortify upload, and you can do
231.7 -> the same thing for the other steps. So if we go back to our test project,
237.73 -> you'll see that I've done my clean, my update of the rulepacks, the translation
243.73 -> options to turn the code into intermediate files, the scan options, and
247.78 -> the upload options, including that I want to fail this build if any path
251.829 -> manipulation vulnerabilities are present. We also can select the polling
257.739 -> interval. I chose one minute; that can be adjusted depending on how large these
262.15 -> artifacts are in terms of how long it takes SSC to process.
267.61 -> So let's take a look at kicking this project off. So if we go
275.5 -> ahead and Build Now, we'll take a quick look at the console output, and we will
287.199 -> grab that right here. Okay, so we've done our clean step, we've
294.31 -> done our updating step, we are going on to our translation step, and now we're
298.24 -> running our scan step. Once that finishes it will upload the results to Software
303.52 -> Security Center and then it will wait one minute before searching for the
308.56 -> existence of those issues. This will take about two minutes to finish, but if we
314.139 -> want we can go ahead and come in here, and if we look at the build history we
325.99 -> will be able to see that these builds were marked as unstable due to console
329.229 -> output, and then if you look at the console output of those previous builds
332.469 -> you'll see the existence of path manipulation. If we go back to our
339.039 -> current build, you can see that the FPR has been uploaded successfully. You know,
344.409 -> we can come into SSC, we can take a look at our test project here and look at any
352.24 -> artifacts, and you can see that we have completed this scan right here. I'm sorry,
359.11 -> this is, well, not real quick, sorry, clicked on the wrong one. There we
363.699 -> go. So if we go to Artifacts we'll see that the SCA scan was completed successfully.
368.5 -> This is our current timestamp, and Jenkins is just waiting to process the
377.229 -> issue and then run the search query for you and then mark the build as unstable
382.569 -> if that condition is actually met. So everything that we've done, upload,
388.569 -> clean, translate, all is done through the pipeline syntax. So you can see here it's
394.539 -> retrieving the build statistics from SSC. In just a second we will have the
398.86 -> conclusion of our build, which will let us know that there are a
403.96 -> few issues in the path manipulation
409.259 -> category that we wanted to mark the build as unstable. So here we go, about to
414.939 -> process and finish that, and you can see here that this build has four
419.74 -> vulnerabilities that have met the build condition and the build is marked as
422.53 -> unstable. If the developer wants to view the issues in Jenkins they can come in
429.37 -> here to Fortify Assessment. This uses our API to display deep links
434.68 -> to those issues, so they can go through and click on the high categories and
439.629 -> you'll see the particular issues in question. Those are deep links that you
443.469 -> can use to click into SSC, or you could just browse to SSC manually. But
448.99 -> hopefully that is helpful while you're setting up the new Fortify
452.5 -> Jenkins plugin specifically with your pipeline builds. Thank you very much.

Source: https://www.youtube.com/watch?v=cjEwDmTsxII