{jenkins-plugin-info:fortify-on-demand-uploader}

Fortify on Demand is a Software as a Service (SaaS) solution that enables your organization to easily and quickly build and expand a Software Security Assurance program. The Fortify on Demand Plugin enables users to upload code directly from Jenkins for Static Application Security Testing (SAST). This plugin features the following tasks:

    Run a static assessment for each build triggered by Jenkins.
    Monitor scan completion and poll for results. If the results do not meet the application security policy as set by the organization, the build can be marked as failed or unstable.
    
This plugin requires a Fortify on Demand account. For more information on Fortify on Demand and to request a free trial, go to https://software.microfocus.com/en-us/software/fortify-on-demand

This plugin is maintained by the Fortify on Demand team. If you have any issues or enhancement requests, or would like to contribute to the code, please let us know through the GitHub Issues page.

Installation

Note: If your Jenkins server requires a proxy for web access, in the Jenkins Dashboard, select Jenkins > Manage Jenkins > Manage Plugins. Select the Advanced tab and configure your proxy settings.

  1. Select the Available tab.
  2. In the Filter search box, type “Fortify on Demand Uploader.” The plugin list refreshes with Fortify on Demand Uploader.
  3. Select the plugin and click Download now and install after restart.

Setup

Create an API Key Pair or a Personal Access Token in Fortify on Demand

The Fortify on Demand Plugin connects to Fortify on Demand through the Fortify on Demand API. Authentication requires an API key and secret pair or a personal access token.

Generate a Build Server Integration (BSI) Token in Fortify on Demand

Within Fortify on Demand, navigate to the application release that you wish to assess, and then to the Static Scan Setup page. Configure the static assessment settings and the BSI token will be automatically generated. Make sure to save the settings.

Note that this procedure requires a user role with the Start Static Scans-Configure permission.

Configure Global Authentication Settings

  1. In the Jenkins Dashboard, select Jenkins > Manage Jenkins > Configure System.
  2. In the Fortify on Demand section, provide your data center's domain URL and API root URL.
  3. Select the method of authentication:
  4. Click Test Connection. If the authentication is successful, a success message will appear.

Configure Fortify on Demand Static Assessment Tasks

The Fortify on Demand Plugin supports freestyle projects and pipelines.

Configure a Freestyle Project

The plugin adds the Fortify on Demand Static Assessment and Poll Fortify on Demand for Results post-build tasks.

  1. In a freestyle project, click Configure.
  2. In the Post-build Actions section, click Add post-build action and select Add Fortify on Demand Static Assessment.
  3. Complete the following fields:

    Field | Description
    BSI Token | Provide the BSI token.
    Configure Personal Access Token (optional) | Select this option to override the global authentication settings. Provide your account username, your personal access token, and the tenant ID.
    Entitlement Preference | Select the entitlement preference: Single Scan or Subscription.
    Purchase Entitlements (optional) | Select the check box to purchase an entitlement if the feature is enabled.
    Bundled Assessment (optional) | Select the check box to specify that the assessment is part of a bundled assessment.
    Prefer Remediation if Available (optional) | Select the check box to run a remediation scan if one is available.
    Include all project files | Select the check box to include all project files in the zip file.
  4. Click Add post-build action and select Poll Fortify on Demand for Results. Complete the following fields:

    Field | Description
    BSI Token | Provide the BSI token.
    Configure Personal Access Token (optional) | Select this option to override the global authentication settings. Provide your account username, your personal access token, and the tenant ID.
    Polling Interval | Type the length of time in minutes between polls of Fortify on Demand to check whether the scan has completed.
    Action if Failing Security Policy | Select whether to take no action or to mark the build as Failed or Unstable based on the application security policy as set by your organization.
  5. Save the settings.

Configure a Pipeline

The Fortify on Demand Plugin adds the fodStaticAssessment and fodPollResults tasks. Use the Snippet Generator to create code for these tasks.

Note: The Pipeline Plugin needs to be installed.

  1. In a pipeline, click Configure.
  2. In the Pipeline section, click Pipeline Syntax.
    The Snippet Generator appears.
  3. Select fodStaticAssessment in the Sample Step list.
  4. Complete the following fields:

    Field | Description
    BSI Token | Provide the BSI token.
    Configure Personal Access Token (optional) | Select this option to override the global authentication settings. Provide your account username, your personal access token, and the tenant ID.
    Entitlement Preference | Select the entitlement preference: Single Scan or Subscription.
    Purchase Entitlements (optional) | Select the check box to purchase an entitlement if the feature is enabled.
    Bundled Assessment (optional) | Select the check box to specify that the assessment is part of a bundled assessment.
    Prefer Remediation if Available (optional) | Select the check box to run a remediation scan if one is available.
    Include all project files | Select the check box to include all project files in the zip file.
  5. Click Generate Pipeline Script. Copy the code and add it to your pipeline script.
  6. Select fodPollResults in the Sample Step list.
  7. Complete the following fields:

    Field | Description
    BSI Token | Provide the BSI token.
    Configure Personal Access Token (optional) | Select this option to override the global authentication settings. Provide your account username, your personal access token, and the tenant ID.
    Polling Interval | Type the length of time in minutes between polls of Fortify on Demand to check whether the scan has completed.
    Action if Failing Security Policy | Select whether to take no action or to mark the build as Failed or Unstable based on the application security policy as set by your organization.
  8. Click Generate Pipeline Script. Copy the code and add it to your pipeline script.
  9. Save the settings.
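The following Jenkinsfile is an added example of the two pipeline tasks wired together; it is not code from the plugin's own documentation. The step parameter names (bsiToken, entitlementPreference, isRemediationPreferred, includeAllFiles, overrideGlobalConfig, username, personalAccessToken, tenantId, pollingInterval, policyFailureBuildResultPreference) are assumed to mirror the fields in the tables above and should be confirmed against the Snippet Generator output; the credential IDs, username, tenant ID and the policy-action value are placeholders.

```groovy
// Added example Jenkinsfile: submit a static assessment, then poll for results.
// Assumptions: parameter names mirror the Snippet Generator fields (verify them);
// 'fod-bsi-token' and 'fod-personal-access-token' are placeholder credential IDs.
pipeline {
    agent any

    stages {
        stage('Build') {
            steps {
                // prepare-package runs maven-dependency-plugin so the runtime
                // libraries land under target/classes/lib and are part of the upload.
                sh 'mvn -B clean package -DskipTests'
            }
        }
        stage('Submit static assessment') {
            steps {
                // Keep the BSI token and the personal access token in the Jenkins
                // credentials store and bind them at run time; never paste them
                // into the Jenkinsfile, which lives in source control.
                withCredentials([
                    string(credentialsId: 'fod-bsi-token', variable: 'FOD_BSI_TOKEN'),
                    string(credentialsId: 'fod-personal-access-token', variable: 'FOD_PAT')
                ]) {
                    fodStaticAssessment bsiToken: env.FOD_BSI_TOKEN,
                        entitlementPreference: 'SingleScan',
                        isRemediationPreferred: true,   // "Prefer Remediation if Available"
                        includeAllFiles: false,         // "Include all project files"
                        overrideGlobalConfig: true,     // "Configure Personal Access Token"
                        username: 'ci-user',            // placeholder account username
                        personalAccessToken: env.FOD_PAT,
                        tenantId: 'example-tenant'      // placeholder tenant ID
                }
            }
        }
        stage('Wait for results') {
            steps {
                withCredentials([string(credentialsId: 'fod-bsi-token', variable: 'FOD_BSI_TOKEN')]) {
                    // Poll every 5 minutes; the policy-action value below is a
                    // placeholder, copy the real one from the Snippet Generator.
                    fodPollResults bsiToken: env.FOD_BSI_TOKEN,
                        pollingInterval: 5,
                        policyFailureBuildResultPreference: 1
                }
            }
        }
    }
}
```

Because the personal access token is bound through withCredentials, Jenkins masks it in the console output that the Run the Build section refers to.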

Run the Build

Run the build. Diagnostic information is available in the console output. The console output will display a success message if the assessment was successfully submitted. The Fortify on Demand Scans page will display an in-progress scan for the release.

Additional Considerations For Maven Users

For the most complete assessment of your application, it is important to ensure that all dependencies required for deployment are satisfied. Maven provides a simple means of outputting these libraries via the maven-dependency-plugin. The <excludeGroupIds> element may be used to ensure that test framework code, for example, is not included.

Example POM Section:

<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-dependency-plugin</artifactId>
  <version>2.6</version>
  <executions>
    <execution>
      <id>copy-dependencies</id>
      <phase>prepare-package</phase>
      <goals>
        <goal>copy-dependencies</goal>
      </goals>
      <configuration>
        <outputDirectory>target/classes/lib</outputDirectory>
        <overWriteIfNewer>true</overWriteIfNewer>
        <excludeGroupIds>
          junit,org.easymock,${project.groupId}
        </excludeGroupIds>
      </configuration>
    </execution>
    <execution>
      <phase>generate-sources</phase>
      <goals>
        <goal>sources</goal>
      </goals>
    </execution>
  </executions>
  <configuration>
    <verbose>true</verbose>
    <detail>true</detail>
    <outputDirectory>${project.build.directory}</outputDirectory>
  </configuration>
</plugin>

...


<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-source-plugin</artifactId>
  <executions>
    <execution>
      <id>attach-sources</id>
      <goals>
        <goal>jar</goal>
      </goals>
    </execution>
  </executions>
</plugin>

Known Limitations

Change Log

Version 3.0.12 (4-05-2019)

The Jenkins Plugin now supports pipelines. The fodStaticAssessment and fodPollResults tasks have been added; they mirror the Fortify on Demand post-build actions in freestyle projects.

Version 3.0.11 (3-22-2019)
Version 3.0.1 (10-9-2017)

Upgrade Note: please be aware that builds will need to be reconfigured with the BSI URL/Token.

Version 2.0.6 (1-6-2017)
Version 2.0 (4-28-2016)
Version 1.10 (4-28-2016)

*Bug Fix:* This release addresses a rare issue in which release information may not be retrieved for certain applications.

Version 1.09 (4-25-2016)
Version 1.08 (4-15-2016)
Version 1.07 (4-6-2016)
Version 1.06

*Bug Fix:* This release addresses a bug where the Assessment Type may not be correctly set under certain conditions.

Version 1.05

Upgrade Note: please ensure you reconfigure any existing builds so that the file filter may be set by the plugin; this functionality has changed with this version.

Version 1.04

Upgrade Note: please ensure you reconfigure any existing builds so that the Assessment Type may be set by the plugin, as this field is new with this version.

Version 1.03
Version 1.02
Version 1.01