Fortify 360 Plugin

Fortify 360 FPR post-processing and uploading to Fortify 360 Server

Plugin Information

Plugin ID: fortify360
Latest Release: 3.81 (archives)
Latest Release Date: Apr 08, 2013
Required Core: 1.323
Dependencies: none listed
Source Code: Subversion
Issue Tracking: Open Issues
Maintainer(s): n/a (id: samn)

Usage (installations per month):
  2014-May 294
  2014-Jun 289
  2014-Jul 305
  2014-Aug 315
  2014-Sep 312
  2014-Oct 326
  2014-Nov 319
  2014-Dec 320
  2015-Jan 329
  2015-Feb 331
  2015-Mar 354
  2015-Apr 361

Note:

  1. This plugin is not maintained by Fortify
  2. Plugin version 2.0+ only supports Fortify 360 Server v2.5 or later. If you are using Fortify 360 Server 2.1 or older, please stay with plugin version 1.4

Features

  • Upload the FPR to Fortify 360 Server
  • Run JavaScript to perform job assignment (assign a vulnerability to a particular user)
  • Plot Normalized Vulnerabilities Score (NVS) against each build (on Windows/Linux/Mac only)
  • Consider a build as UNSTABLE if major vulnerabilities were found (on Windows/Linux/Mac only)

Installation & Setup

The easiest way to set up the plugin is to add your Fortify installation to the PATH environment variable. If you don't want to add Fortify to your PATH, set up as follows:

For master node:

You don't need to install Fortify on the master node; you only need to copy the following 4 jars from a Fortify installation and set their path in the global config:

  • wsclient.jar
  • wsobjects.jar
  • common.jar
  • common13.jar

For slave node:

Since we need to run "reportGenerator", you need to install Fortify on the slave node. If "reportGenerator" cannot be found, the plugin skips plotting the NVS chart; the other features are not affected.

We will try to locate "reportGenerator" in the following order:

  1. FORTIFY_HOME environment variable (if exists)
  2. PATH environment variable
  3. the Fortify path of the master node
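The following script is an added pre-flight check for the two setup paths described above (master jars, slave "reportGenerator"). It is example code written for this page, not part of the plugin. It assumes a Linux/Mac node with a POSIX sh (Windows nodes ship reportGenerator.bat instead) and that reportGenerator sits under the bin/ directory of a Fortify installation; the page itself does not state the sub-directory.

```shell
#!/bin/sh
# Added example: pre-flight check for a Fortify 360 Plugin setup (not plugin code).
# Assumptions not stated on the page: reportGenerator lives at <fortify>/bin/reportGenerator
# and this runs on a Linux/Mac node (Windows nodes would look for reportGenerator.bat).

# Master node: the plugin needs only these four jars, copied from a Fortify
# installation into the directory entered in the global config.
check_master_jars() {
    jar_dir="$1"
    missing=0
    for jar in wsclient.jar wsobjects.jar common.jar common13.jar; do
        if [ ! -f "$jar_dir/$jar" ]; then
            printf 'missing on master: %s/%s\n' "$jar_dir" "$jar" >&2
            missing=1
        fi
    done
    return "$missing"
}

# Slave node: resolve reportGenerator in the order the plugin documents:
#   1. FORTIFY_HOME (if set)   2. PATH   3. the master node's Fortify path.
# Prints the resolved path and returns 0, or returns 1 when nothing is found
# (the plugin then skips the NVS chart but still uploads the FPR).
find_report_generator() {
    master_fortify_path="$1"
    if [ -n "${FORTIFY_HOME:-}" ] && [ -x "$FORTIFY_HOME/bin/reportGenerator" ]; then
        printf '%s\n' "$FORTIFY_HOME/bin/reportGenerator"
        return 0
    fi
    on_path=$(command -v reportGenerator 2>/dev/null || true)
    if [ -n "$on_path" ] && [ -x "$on_path" ]; then
        printf '%s\n' "$on_path"
        return 0
    fi
    if [ -n "$master_fortify_path" ] && [ -x "$master_fortify_path/bin/reportGenerator" ]; then
        printf '%s\n' "$master_fortify_path/bin/reportGenerator"
        return 0
    fi
    printf 'reportGenerator not found; NVS chart will be skipped\n' >&2
    return 1
}

# Usage on a node (arguments are the paths you entered in the global config;
# the directories below are placeholders):
#   check_master_jars /opt/fortify-jars
#   find_report_generator /opt/Fortify
```

Run check_master_jars on the master with the jar directory from the global config, and find_report_generator on each slave with the master's Fortify path; a non-zero exit from the latter tells you in advance that builds on that slave will upload the FPR but produce no NVS chart.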

Global Config

Project Config

Charts

How it works

- The plugin uses "reportGenerator", which is installed with Fortify 360, to generate an XML report from which it retrieves the FPR summary data.

- Starting from v2.0, the plugin uses web service (WS) calls to upload the FPR to Fortify 360 Server directly. Before v2.0, it used "fortifyclient" to upload the FPR to Fortify 360 Server.

Assumption

We assume the FPRs are stored inside the workspace (which may be on a remote slave machine), not in the build root directory (which is on the master machine).

Contact

samngms [at] gmail [dot] com

Changelog

Version 3.90 (Jun 28, 2013)

  • Supports Fortify SSC version 3.90

Version 3.81 (April 8, 2013)

  • Supports Fortify SSC version 3.70 and 3.80

Version 3.6 (Nov 28, 2012)

  • Supports Fortify SSC version 3.60

Version 2.4 (May 26, 2012)

  • Supports Fortify SSC version 3.40 and 3.50

Version 2.3 (Dec 24, 2011)

  • Supports Fortify 360 version up to 3.30
  • Sort ProjectList pull down list in config page (thanks to Gonzalez)

Version 2.2 (June 13, 2011)

  • Supports Fortify360 version 3.0.0 and 3.1.0

Version 2.1 (Oct 11, 2010)

  • Bug fixed: the project selection pull-down menu didn't work if the URL contained a context path

Version 2.0 (Sep 3, 2010)

  • New Feature: Job Assignment Script (perform vulnerability assignment by JavaScript)
  • Most fields are validated
  • Will populate Project IDs to a pull-down menu

Version 1.4 (May 24, 2010)

  • Support Master/Slave
  • Bug fixed: help page URLs are now correct in Hudson with a URL context prefix

Version 1.3 (April 6, 2010)

  • The NVS equation for SCA 5.8 was wrong; fixed in v1.3

Version 1.2 (April 5, 2010)

  • Support SCA 5.8 Fortify Priority Order (FPO) when calculating NVS. The plugin assumes Critical/High/Medium/Low if your "sourceanalyzer -version" is 5.8.x or higher, and Hot/Warning/Info if it is 5.7.x or earlier
  • Since ReportGenerator is only available on Windows/Linux/Mac, if you are not using one of those platforms the plugin can't calculate NVS, but it will at least be able to upload the FPR to F360 Server

Labels: plugin-report, plugin-external

Comments
  1. Mar 18, 2010

    Marc Lustig says:

    where exactly is the fpr-file supposed to be placed?

    I tried to specify an absolute path in field "FPR Filename", but it failed.

    1. Apr 05, 2010

      Sam NG says:

      You should put the FPR under Hudson workspace.

      When you define FPR filename, you don't need to provide path, we will search the filename inside the Hudson workspace. And by default we will assume the FPR filename same as the Hudson project name.

  2. Apr 23, 2012

    fduser says:

    So, does the FPR have to be checked in with the project, or can it be put in the project separately?

  3. May 12, 2012

    spyhunter99 says:

    If I already have a Fortify-generated report, how can I use your plugin to analyze the results? Do the results somehow get translated into a FindBugs format?

  4. Oct 03, 2012

    dickschoeller says:

    We've just started using the Fortify 360 plugin. It looks like it is going to be pretty helpful. One thing I was curious about: has any thought been given to integrating it with the Static Code Analysis Plugins? We would really like to be able to direct our developers to one or two dashboard views to keep track of all kinds of quality metrics and trends.

  5. Oct 22, 2012

    rhondadoane says:

    What is the ETA to support Fortify 3.6? Or do you have any tips on configuration that I can do to extend the current plugin to support the 3.6 version?

    Any help would be most appreciated.

  6. Dec 13, 2012

    riemers says:

    I've noticed that if the Fortify server is behaving badly or not responding, it does not time out while uploading to Fortify. This process then stalls until I restart my Jenkins. (I cannot manually stop the build from within Jenkins itself.)

    Update: this happens when Fortify is too busy (no more threads/100% CPU); there is no timeout for the upload call in the plugin, which will hang your job.

  7. Jan 05

    anuj123 says:

    Is there a plan to release a supporting plugin for Fortify 4.1?