
Plugin Information

View Fortify CloudScan on the plugin site for more information.

Older versions of this plugin may not be safe to use. Please review the following warnings before using an older version:

This plug-in provides easy configuration of HP Fortify CloudScan jobs.

Usage Requirements

This plugin has been written for and tested against Fortify CloudScan 17.x.

Description

Fortify CloudScan allows an organization to host its own internal cloud-based infrastructure of Static Code Analyzer (SCA) machines, which are assigned jobs by a centralized controller and can optionally be integrated with Software Security Center (SSC). CloudScan is included with Fortify 4.30 and higher and was an optional component in previous versions of Fortify.

This plugin provides simple configuration of CloudScan jobs without sacrificing the flexibility of performing custom scan jobs.

Usage

Step 1 - Configure Fortify CloudScan global parameters

Add the URL of Fortify CloudScan and of Software Security Center (SSC). Using SSC is optional but recommended. When SSC is used, the controller's URL is resolved from SSC. However, scans can also be sent directly to the controller without passing through SSC. When using SSC, a token is required for authentication. This token is only used for displaying projects and project versions in the job configuration. The token should be assigned to a user with the ability to read all projects and versions from SSC.

Step 2 - Configure job to invoke Fortify CloudScan

Fill out the required Build ID field and, optionally, the other fields. When using SSC, the plugin can look up project version IDs based on the selected project and version, which are retrieved dynamically from SSC.

Selecting the 'Advanced' button provides configuration for commonly used advanced parameters. If custom parameters are required, use the 'Advanced Scan Arguments' textbox.

Version History

Version 1.5.2 (June 13, 2018)

  • Coming soon

Version 1.5.1 (April 27, 2018)

  • Updated to use modern version of Jenkins parent pom
  • Fixed pipeline support where plugin would not be an option in the generator
  • Requires Java 8

Version 1.5.0 (October 12, 2017)

  • Added support for -mt (labeled Parallel Analysis) and enabled by default
  • Removed legacy workers option

Version 1.4.1 (July 20, 2017)

  • Fixed no-default-rules option ordering

Version 1.4.0 (February 27, 2017)

  • Added support for Jenkins Pipeline

Version 1.3.1 (October 6, 2016)

  • Grouped memory settings and added support for autoheap and rmiWorkerMaxHeap
  • Corrected issue that duplicated scan arguments from the advanced tab

Version 1.3.0 (March 23, 2016)

  • Refactored the way cloudscan is executed
  • Supports master and slave nodes running Windows and non-Windows platforms
  • Fixed issue where environment wasn't being properly set prior to executing cloudscan

Version 1.2.0 (February 25, 2016)

  • Fixed defects in creating some Cloudscan arguments
  • Added support for specifying multiple rulepacks
  • Added support for retrieving rulepacks via URL

Version 1.1.1 (January 5, 2016)

  • Fixed defect affecting parameters with spaces

Version 1.1.0 (December 22, 2015)

  • Added environment setting of cloudscan process
  • Added additional validation

Version 1.0.0 (October 23, 2015)

  • Initial public release

2 Comments

  1. Unknown User (gvmanjunatha)

    Hi,

    I have tried to use the cloudscan plugin with Jenkins 2.89.3 and am encountering the following error when the build invokes the Fortify build step.

    [WARNING] The requested profile "clean" could not be activated because it does not exist.
    $ cmd /c C:\Installs\HPE_Security\Fortify_SCA_and_Apps_17.20\bin\cloudscan.bat -version
    
    [FortifyCloudScan] Log files will be stored in "C:\Users\Administrator\AppData\Local\Fortify\cloudscan\log" directory.
    
    [FortifyCloudScan] CloudScan version:  17.20.0183
    $ cmd /c C:\Installs\HPE_Security\Fortify_SCA_and_Apps_17.20\bin\cloudscan.bat -sscurl http://<SSC_HOST>/ssc -ssctoken bec2d250-1aa9-4314-aa3f-c9503b69465a start -upload -versionid 14 -uptoken 308f7493-9dd3-4152-be06-0367c2e755e6 -b MR-2.14.0-SNAPSHOT -scan -autoheap -mt
    [FortifyCloudScan] Log files will be stored in "C:\Users\Administrator\AppData\Local\Fortify\cloudscan\log" directory.
    
    [FortifyCloudScan] Retrieving controller URL...
    
    [FortifyCloudScan] Verifying controller URL...
    [FortifyCloudScan] Controller at http://<CLD_CTRL_URL>:8080/cloud-ctrl is UP
    [FortifyCloudScan] No email address detected.  No status emails will be sent for this job.
    [FortifyCloudScan] Retrieving SCA version...
    
    [FortifyCloudScan] Exporting MBS...
    
    [FortifyCloudScan] Error occurred while exporting mobile build session.
    [FortifyCloudScan] [error]: Unable to load build session with ID "MR-2.14.0-SNAPSHOT". See log file for more details.
    [FortifyCloudScan] 
    [FortifyCloudScan] Shutting down with errors. Please see log for details.
    Build step 'Invoke Fortify CloudScan' changed build result to FAILURE
    
    

    I have configured global settings and configured the job specific settings as part of build step. Please advise on how to resolve this issue.

    Thanks,

    Manju

  2. Unknown User (sspringett)

    Ensure the SCA clean and translation steps occur prior to executing the CloudScan plugin build step and that they occur on the same Jenkins node.
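The console output in the first comment shows two things worth checking automatically: the -ssctoken and -uptoken values are printed in clear text, and the -b build ID passed to cloudscan must already exist from a translation step. The following is an added example, not part of the plugin or of either comment; it masks those token values in a console log and flags a cloudscan build ID that no earlier sourceanalyzer translation in the same log produced. It assumes the SCA steps run the sourceanalyzer command line with -b in the same job, the sample log is constructed, and it does not verify that the steps ran on the same Jenkins node.

```python
import re

# Credential-bearing flags, as they appear on the cloudscan command line above.
SECRET_RE = re.compile(r"(-ssctoken|-uptoken)(\s+)(\S+)")
# Build ID flag shared by sourceanalyzer and cloudscan.
BUILD_ID_RE = re.compile(r"(?:^|\s)-b\s+(\S+)")


def audit_console_log(text):
    """Return (redacted_text, findings) for a Jenkins console log.

    findings is a list of (line_number, kind, detail) tuples.
    """
    translated = set()  # build IDs seen in a sourceanalyzer translation
    findings, redacted = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        for flag, _, _ in SECRET_RE.findall(line):
            findings.append((lineno, "secret", flag))
        redacted.append(SECRET_RE.sub(r"\1\2****", line))

        build = BUILD_ID_RE.search(line)
        if not build:
            continue
        lowered = line.lower()
        # "-b <id> -clean" only clears a build session; it does not create one.
        if "sourceanalyzer" in lowered and "-clean" not in lowered:
            translated.add(build.group(1))
        elif "cloudscan" in lowered and build.group(1) not in translated:
            findings.append((lineno, "untranslated-build-id", build.group(1)))
    return "\n".join(redacted), findings


# Constructed sample: same command shape as the failing build, placeholder values.
SAMPLE_LOG = r"""$ sourceanalyzer -b other-build -clean
$ sourceanalyzer -b other-build src
$ cmd /c cloudscan.bat -sscurl http://ssc.example/ssc -ssctoken 00000000-aaaa start -upload -versionid 14 -uptoken 11111111-bbbb -b my-build -scan -autoheap -mt
[FortifyCloudScan] [error]: Unable to load build session with ID "my-build". See log file for more details."""

if __name__ == "__main__":
    clean_text, issues = audit_console_log(SAMPLE_LOG)
    print(clean_text)
    for issue in issues:
        print(issue)
```

A build ID that is translated in a different job or through a build-tool integration will be reported as untranslated, so treat that finding as a prompt to check the job order rather than as proof.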