Fork us on GitHub
×
Find plugins

Fortify on Demand Uploader2.0.8Minimum Jenkins requirement: 1.625.3ID: fortify-on-demand-uploader

Installs: 97
Last released: 11 days ago

Maintainers
Ryan Black
Michael Marshall
Pete Beegle
Matt Gibbs
Dependencies
No dependencies found

Plugin Information

This plugin provides a post build action for submitting code to HPE Security Fortify on Demand for security assessment. 

Features

Fortify on Demand is HPE Security’s cloud-based application security testing service. This plugin enables Fortify on Demand customers to upload code for Static Application Security Testing (SAST) directly from Jenkins.

This plugin features:

  • Fortify on Demand static security assessment for each build triggered by Jenkins
  • Assessment Options:
    • Standard assessment consisting of a scan by Fortify SCA followed by a manual review of the results to remove false positives
    • Express assessment that does a less thorough security check of the application in a shorter period of time
    • Automatically audited assessment that replaces the manual audit with automatic false positive suppression using Fortify Scan Analytics
    • Open Source scan to identify third-party components and provide information on known vulnerabilities, along with recommended versions and licensing information
    • Include, or exclude, identified third-party libraries from assessment results
  • Option to output more parsable log entries, or a detailed assessment results table
  • Option to poll for results and mark the build as ‘Unstable’ if it does not meet the organization's security policy

This plugin requires a Fortify on Demand account. For more details and to request a free trial, go to http://hpe.com/software/fortifyondemand  

Setup

 
1. Generate API Key

Jenkins connects to your Fortify on Demand tenant via the Fortify on Demand API. To create an API key, login to the Fortify on Demand Portal and select Administration->Settings->API. Then, add a new API key with role "Start Scans." Make a note of the API Key and the secret code that is displayed.

2. Install Plugin

From the Jenkins Dashboard, go to Manage Jenkins-> Manage Plugins. In the Available tab and search for “Fortify on Demand Uploader”. Select the plugin and the click on Download and install after restart.

3. Global Configuration

From the Jenkins Dashboard, go to Manage Jenkins-> Configure System. Under Fortify on Demand enter the API Key and secret code from Step 1 above. In advanced settings enter the URL that you use for accessing Fortify on Demand. The Test Connection button may be used to validate your settings. If your Jenkins server requires a proxy for web access configure it under Plugin Manager -> Advanced -> HTTP Proxy Configuration.

4. Project Configuration

For each project that requires a Fortify on Demand Security assessment and click Configure. Add Build Step Fortify on Demand Upload and configure the parameters following the help text provided.

The project will now be configured to run a Fortify on Demand assessment for each build triggered by Jenkins.

5. View Results

If the upload is successful the results will be available in the Fortify on Demand portal.

Fortify on Demand allows organizations to specify an application security policy based on a combination of the applications risk rating and the criticality of any vulnerabilities found. If the application meets the organization's security policy the build will be marked as stable. If it does not it will be marked as unstable.

6. Troubleshooting

Diagnostic information for each build is available from Console Output.

Additional Considerations For Maven Users

For the most complete assessment of your application it is important to ensure all dependencies for deployment are satisfied. Maven provides a simple means of outputting these libraries by the maven-dependency-plugin. The section, <excludeGroupIds> may be used to ensure test framework code, for example, is not included.

Example POM Section:

POM Plugins Entry
<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-dependency-plugin</artifactId>
  <version>2.6</version>
  <executions>
    <execution>
      <id>copy-dependencies</id>
      <phase>prepare-package</phase>
      <goals>
        <goal>copy-dependencies</goal>
      </goals>
      <configuration>
        <outputDirectory>target/classes/lib</outputDirectory>
        <overWriteIfNewer>true</overWriteIfNewer>
        <excludeGroupIds>
          junit,org.easymock,${project.groupId}
        </excludeGroupIds>
      </configuration>
    </execution>
    <execution>
      <phase>generate-sources</phase>
      <goals>
        <goal>sources</goal>
      </goals>
    </execution>
  </executions>
  <configuration>
    <verbose>true</verbose>
    <detail>true</detail>
    <outputDirectory>${project.build.directory}</outputDirectory>
  </configuration>
</plugin>

...


<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-source-plugin</artifactId>
  <executions>
    <execution>
      <id>attach-sources</id>
      <goals>
        <goal>jar</goal>
      </goals>
    </execution>
  </executions>
</plugin>

Known Limitations

  • The plugin requires that Jenkins is running on Java 1.7
  • the plugin requires an internet connection to Fortify on Demand and a valid Fortify on Demand license.

Change Log

Version 2.0.6 (1-6-2017)
  • Fixed bug that causes plugin to crash configuration pages when incomplete information was saved.
Version 2.0 (4-28-2016)
  • Fixed bug when that causes plugin to crash when particular proxy configurations cause authentication to fail.
  • Finalized update to FoD API V3
Version 1.10 (4-28-2016)

*Bug Fix:* This release addresses a rare issue in which release information may not be retrieved for certain applications.

  • Corrected encoding issue for application names which can prevent release information calls from working properly
  • Additional validation for global polling interval
  • Removed unsupported language level settings for .NET and Java
Version 1.09 (4-25-2016)
  • Code changes to resolve distributed Jenkins defect (credit to Ruud Senden)
  • Minor language support changes in preparation for potential new mobile assessment types
Version 1.08 (4-15-2016)
  • Added support for Jenkins proxy configuration
  • Added connection configuration test button that validates reachability of the portal and tests credentials
Version 1.07 (4-6-2016)
  • Added option to include/exclude identified third-party libraries from analysis results
  • Changed order, and description, of advanced options for consistency with the Fortify on Demand portal
  • Polling for results is no longer default. Applications set to poll will reflect your organization's security policy in Jenkins via build stability.
  • Minor branding changes
Version 1.06

*Bug Fix:* This release addresses a bug where the Assessment Type may not correctly set under certain conditions

  • Assessment Type no longer has a suggested default selection; the user must choose the proper type for enabled entitlement
  • Added .NET as a supported language to Sonatype help text
Version 1.05

Upgrade Note: - please ensure you reconfigure any existing builds so that the filer filter may be set by the plugin; this functionality has changed with this version.

  • Added support for all language/assessment types except MBS and C/C++, which require pre-processing with Fortify SCA prior to submission to Fortify on Demand
  • Files selected for upload are automatically set based on language type and Fortify on Demand requirements; users may opt to package all files, including extraneous types like media, under advanced options. Using the automated default is highly encouraged
  • The result report link added with the Detailed Reports option now refers to the Overview page in the Customer Portal
Version 1.04

Upgrade Note: - please ensure you reconfigure any existing builds so that Assessment Type may be set by the plugin as this field is new with this version.

  • Static-related assessment types may be selected at upload, defaults to "Static Assessment"
  • API calls for information lookup are now more resilient with retries, and have additional logging of any issues, e.g. lack of assessment entitlement
Version 1.03
  • Star rating and total issue count display in the standard log results
  • Detailed build log table output includes a deep link to the FoD customer portal for the application release, issue counts by criticality, and Fortify on Demand star rating
  • Minor code cleanup for readability
Version 1.02
  • Minor branding changes
  • Updated UI API token secret validation due to changed 5.0 portal format
Version 1.01
  • Initial release

Feedback Welcome

This plugin is maintained by the Fortify on Demand team. If you have any problems, questions, or enhancement requests or would like to contribute to the code please let us know via GitHub Issues.

ArchivesGet past versions
Labels
Open Issues

See here for any open issues for this plugin.