I was trying to integrate Fortify SCA with a Jenkins pipeline script, using Fortify SCA version 21.1.4, Scan Engine version 21.1.4 and the Fortify plugin version 21.2.37 installed in Jenkins.
For that I am using 4 different stages: clean, translate, scan, upload to SSC. The Jenkins-generated Fortify .fpr file shows a lower vulnerability count and less executable LOC when compared with the report from Audit Workbench.
Please help with this issue.
Related
I have Coverity building with Jenkins and the report can be viewed in Synopsys Coverity's web interface. How can I get a report to be in my Jenkins output?
I have looked at other posts and found plugin documentation saying it was deprecated back in 2018.
EDIT:
There is an updated version of the plug-in, found documentation at https://synopsys.atlassian.net/wiki/spaces/INTDOCS/overview?homepageId=622607
I am using Version 2.3.1
I am building a DevOps pipeline, wherein I am trying to include an extra code review plugin which supports C, C++ and C#. In my pipeline, I already have SonarQube 6.5 running and it also has the FxCop plugin activated.
So, SonarQube runs tests at source code level and FxCop runs tests at binary level. Now, I am trying to find out another code review plugin which could be plugged into SonarQube (the plugin has to run tests at source code level, not binary level).
I thought of choosing StyleCop but it has to be downloaded in my laptop. So, I had to neglect that.
I tried using SourceMeter, which is another plugin that runs review tests at source code level, but it is not compatible with version 6.5 of SonarQube (only supported up to SonarQube version 4.5).
And now I am running out of plugins which could do the job. Could anyone suggest a plugin that could both be plugged into SonarQube 6.5 and run source code level review tests?
NOTE: (Should support C, C++ and C#)
You could try the SonarQube plug-in for the PVS-Studio static source code analyzer for C/C++/C#.
How do I explore Fortify Audit Workbench from Software Security Center? Can I get auditing capabilities in SSC like in Audit Workbench?
Static Code Analyzer (SCA) is a command line program run on a developer workstation or on a development or test build server. You typically use SCA to scan the code (via sourceanalyzer or the sourceanalyzer.jar) and generate a Fortify Project Reports (FPR) file. Then you can open that FPR file with Audit Workbench or upload it to SSC, where you can track trends, risk posture, etc.
Audit Workbench (AWB) is installed on your desktop with the SCA; it is a graphical application that allows you to review the scan results, add audit data, apply filters, and run simple reports. The AWB only gives you the results of that particular scan. In contrast, the SSC provides the history of your applications and of the other applications using the SSC (given the appropriate access permissions).
The SSC is a web-based repository of your FPR files and a tool for managing your portfolio's application security. It is a Java WAR installed into Tomcat or your favorite application server. The reports on SSC are better suited to running centralized metrics. You can report on the results of a particular scan, or on the history (what changed between the current scan and any earlier ones). If you want diffs, trends, history etc. of SCA scans, use SSC to report Fortify issues and remediation over time. Trend reports and portfolio reports are available only on the SSC.
The same sourceanalyzer.exe (the SCA executable) is invoked by the Audit Workbench and by the various SCA plug-ins (Maven, Jenkins, Eclipse, Visual Studio, IntelliJ, Xcode, etc.). The SSC does not run the SCA. The SSC manages the FPR files that are output from the SCA and manages your audits of the issues that SCA finds.
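The clean/translate/scan/upload sequence from the question, written as a shell script that each Jenkins stage can call, with a verification step before the scan that lists what the build session actually contains. This is an added example, not code from the question, the Fortify plugin or the vendor; the SSC URL, token, application name, build-ID name and the src/ and lib/ layout are assumptions, and the sourceanalyzer and fortifyclient options are standard SCA/SSC command-line options.

```shell
#!/bin/sh
# Added example: Fortify SCA stages driven from a Jenkins `sh` step.
# Use a dedicated variable for the SCA build session: Jenkins already sets
# BUILD_ID to the build number, so reusing that name would change the
# session ID on every run.
SCA_BUILD_ID="${SCA_BUILD_ID:-myapp}"
SA="${SA:-sourceanalyzer}"      # SCA executable (sourceanalyzer.exe on Windows)
FC="${FC:-fortifyclient}"       # SSC upload client
SSC_URL="${SSC_URL:-https://ssc.example.invalid/ssc}"   # placeholder
SSC_TOKEN="${SSC_TOKEN:-REPLACE_WITH_SSC_TOKEN}"        # placeholder
APP="${APP:-MyApp}"             # assumed SSC application name
VERSION="${VERSION:-1.0}"       # assumed SSC application version
FPR="${FPR:-results.fpr}"

stage_clean()     { "$SA" -b "$SCA_BUILD_ID" -clean; }
# Assumed Java layout: sources under src/, dependencies under lib/.
# The ** globs are quoted so SCA, not the shell, expands them.
stage_translate() { "$SA" -b "$SCA_BUILD_ID" -jdk 1.8 -cp 'lib/**/*.jar' 'src/**/*.java'; }
# Before scanning, show which files were translated and any build warnings.
# Comparing this list with the workstation translation is the first check
# when the Jenkins FPR reports fewer LOC or issues than Audit Workbench.
stage_verify()    { "$SA" -b "$SCA_BUILD_ID" -show-files && "$SA" -b "$SCA_BUILD_ID" -show-build-warnings; }
stage_scan()      { "$SA" -b "$SCA_BUILD_ID" -scan -f "$FPR"; }
stage_upload()    { "$FC" uploadFPR -file "$FPR" -url "$SSC_URL" -authtoken "$SSC_TOKEN" \
                       -application "$APP" -applicationVersion "$VERSION"; }

# Run the stages in order and stop at the first failing one, so a failed
# translation never produces (and uploads) a partial FPR.
fortify_pipeline() {
  for s in clean translate verify scan upload; do
    "stage_$s" || { echo "stage $s failed" >&2; return 1; }
  done
}

# Usage from a Jenkins stage:  . ./fortify_stages.sh && fortify_pipeline
# Or one stage at a time:      . ./fortify_stages.sh && stage_translate
```

Setting SA=echo FC=echo before calling fortify_pipeline prints the exact commands without running SCA, which is useful for checking the translate command line on the build agent.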
I tried one scenario to integrate these tools, but it is giving unbelievable output. What I did:
I did not configure or install PMD in Hudson.
I configured PMD in my parent pom.
I ran the goals (clean site) in the Hudson job, but it is running only the last sub-project.
I checked the log in the console; it has:
some svn update log
Parsing POMs
and then directly generates reports for the last sub-project.
I have the same svn checkout workspace in Eclipse; there it is working and generating reports for all parent and child projects. Actually, only after verifying in Eclipse did I try to verify in Hudson.
After that I tried to configure PMD in Hudson, but I did not find any help online on how to do that.
We are using Jenkins and Maven, Artifactory and Sonar (which contains PMD, Checkstyle, FindBugs and others).
I didn't set it up; however, there are plugins for (nearly) everything:
Jenkins Artifactory Plugin
Jenkins Maven Plugin
Jenkins Sonar Plugin
But it is possible to do it your way and use PMD "directly". Have a look here...
I am trying to have a build script that can create the WARs for my Talend jobs using Ant- or Maven-based build scripts that can be run from the command line and eventually be integrated into a continuous integration system like Hudson. There are ways to integrate Ant/Maven scripts in the Talend Enterprise edition 5.2.1; however, I am trying to achieve this using the community edition. Any suggestions?
You can export jobs to WAR (or ZIP, or whatever you want) by using the command line export tool. Are you aware of this?