Currently we are using SonarQube as a source code analyser. But now in our organisation they are planning to use HP Fortify SCA for source code analysis. We have integrated SonarQube with Jenkins but i don't know how to integrate HP Fortify with Jenkins. Googled for it but I'm not getting good solution. Can anyone please help me on this.
Fortify Jenkins Plugin
Use the Fortify Jenkins Plugin in your continuous integration builds to identify security issues in your source code with Micro Focus Fortify Static Code Analyzer. After the Fortify Static Code Analyzer analysis is complete, you can upload the results to a Micro Focus Fortify Software Security Center server. The Fortify Jenkins Plugin also enables you to view the analysis result details within Jenkins. It provides metrics for each build and an overview of the results, without requiring you to log into Fortify Software Security Center.
With the Fortify Jenkins Plugin, you can integrate Fortify Static Code Analyzer with the following build tools:
Gradle
Maven
MSBuild
Visual Studio (devenv)
You can also scan your source code directly without a build tool.
Source.
HPE Fortify does provide a Jenkins Plugin.
There is also a community member who has created a Jenkins plugin that his organization uses to integrate Jenkins and Cloudscan (https://marketplace.saas.hpe.com/fortify/content/fortify-cloudscan-jenkins-plugin).
Here is a good discussion on how one customer is integrating Jenkins and CloudScan in their company (the plugin's author).https://www.protect724.hpe.com/thread/22952
I would suggest to use maven for this. There is a plugin available for fortify for maven
Fortify integration with maven - install
You can use this plugin in your application pom.xml and execute the maven command from jenkins.
Integration of HP Fortify with Jenkins :
Step 1) Install Jenkins plugin on cloud server or you can direct access the cloud Jenkins server(if it is already installed on server).
step 2) Create a folder in Jenkins and configure the properties(making changes in configuration file on left side).
step 3) once configuration part is done .Post that you have to provide the cloud server link where fortify is installed(scar/ssc) and credentials.
Test the connection using "Test" button.
OR
If you have GitHub link, you can directly add the link in Jenkins and used them.
step 4) Now connection is established between Jenkins and fortify-SSC.
Jenkins : It is integration tools ,that provide continuous integration and continuous development(CI /CD).
GitHub: GitHub is raw code repository , where all the code is saved.
Let me know if you have any question while integrating Jenkins with fortify.Thank you
Related
I have installed sonar and jenkins. Now I want to add Sonarqube into Jenkins. But in the manage plugins, it doesn't show me the Sonarqube.the display I get
SonarQube is a standalone server. It offers a web user interface to visualize bugs, code smells and vulnerabilities. You cannot include this web-ui SonarQube in Jenkins.
However, you can trigger a scan as part of your Jenkins job. This scan can "send" its findings into a SonarQube installation - either hosted by your own (on-premise), or using the hosting offer at sonarcloud.io.
There are a couple of different ways to include the scanner in your job, but the setup is specific to your programming language and build tools (Maven, VisualStudio, command line, ...). Check the sonarcloud docs for the way, that fit's best to your situation.
I am trying to understand the CI/CD pipeline.
I know that there are different stages like getting the requirement (using JIRA), fetching the source code from SCM, building it (Maven, Ant, Gradle, NPM), Artifact archival (Nexus, JFrog, Artifactory), unit testing (JUnit), other testings and deployment.
I am missing some advanced steps like integrating tools like Code Quality check (SonarQube), Configuration Managment (Chef/Ansible), Deployment tools (Docker) and maybe more.
What would be a good example of a full Continuous Integration, Continuous Deployment and Continuous Delivery pipeline including the popular tools and plugins used with Jenkins for a Java, PHP, JavaScript or Node based project?
Thanks in advance.
We are running both: Klocwork for C++ and SonarQube for Java and C# projects as a CI process using Jenkins. Since the SonarQube dashboard is much better, I would like to publish Klocwork results on the SonarQube.
Is it possible using some kind of Jenkins plugin? Any other option?
There is a SonarQube plugin for Klocwork available on this updated page: www.emenda.com/klocwork-sonarqube-plugin
You will need to complete the request form on the web page in order to obtain the resource.
To publish Klockwork results in SonarQube you need not a Jenkins plugin but a SonarQube plugin. There appears to be one but I have no experience with it, and the screenshots on the site are quite old.
If you don't have any luck with it, another option would be to develop your own plugin. If you decide to go that route, you can post specific plugin development questions to the SonarQube Google Group.
from the last week i am working with jenkins, and its going good but at the end of R&D I have lost of confusion, these are questions which confusingto me.
How to do Continuous Integration with jenkins of Website?
hoe to view Testing analysis reports produced by sonarqube server to my local system?
what happens where all my developers will do commit and push at the same time on repository?
How to deploy my web application on targeted server using jenkins?
How to I use sonarqube to test my website ?
If you are building a .net website, install msbuild plugin in jenkins. Create a jenkins job, add a step checkout your website (git/svn - install required repo plugin). Schedule to run nightly or hourly depending on your needs.
Type in url for your sonarqube server and then you can view the reports.
This is not an issue if your developers are comitting simultaneously. Usually a CI tool such as Jenkins will take care of that.
This is called continuous deployment or continuous delivery. Something like Octopus Deploy can help you if you are deploying .net applications. You can use the tool octo.exe and pass the API key as parameter to deploy to a specific environment.
SonarQube is used as a quality gate for code analysis. It is not a test framework. Try to investigate on how to use selenium framework for automation testing.
I hope that I have answered your questions.
I am using Maven as a build tool and Jenkins as a CI tool. Currently I have a Jenkins job configured with a Maven build step.
I started using SonarQube and was wondering what is the advantage of using the Jenkins SonarQube plugin and configuring the SonarQube analysis as a post-build-action over simply adding sonar:sonar to the goals of my existing Maven build step.
Thanks and best regards,
Ronald
You can save a lot of configuration. So, if you use jenkins sonar plugin you can centralize database credentials and sonar credentials but if you make a decision about execute sonar:sonar in each jenkins job you will configure each with the same credentials.
I just found: Why use sonar plugin for Jenkins rather than simply use maven goal "sonar:sonar"?
And to add one reason: Using the Jenkins SonarQube plugins one can specify "Skip if triggered by SCM Changes". This is nice if you trigger your Jenkins job for each commit but only want to do a SonarQube analysis at a scheduled time, e.g. one per night.
And here is a summary of the the points made by "emelendez":
Centralize database credentials and sonar credentials Use jenkins
Use jenkins sonar plugin configuring SonarRunner for non Java projects
I've just changed to maven-sonar-plugin from the Jenkins SonarQube plugin to avoid divergence of information between the pom.xml and sonar-project.properties.
For example, developers elsewhere had bumped the project version number in the pom.xml, but they don't use the Jenkins builds and didn't care about the sonar-project.properties (or probably understand it). By switching to the maven plugin instead, the project version is defined once and referenced in the sonar property set within the pom.
The downside is that I no longer have the SonarQube link from the project's Jenkins page.
I'm not sure where the responsibility might be for adding this link back for projects using maven-sonar-plugin... The link is "owned" by the Jenkins SonarQube Plugin, but this is not being used here. Meanwhile the maven-sonar-plugin component is integrating with maven not Jenkins.
Something would need to observe the build and extract the SonarQube link which is emitted as a [INFO] ANALYSIS SUCCESSFUL, you can browse http://... line in the log.