Fortify SSC Doesn't Update Audit Issues - jenkins

All,
I have a Jenkins server setup which automatically runs Fortify and uploads it to SSC. Unfortunately, SSC seems to have stopped updating.
I can see the artifact in the artifacts table and I have to manually approve it, as always, due to a "missing external metadata" issue. However, when I go to "audit issues", the issue count isn't updated. If I download the project file, the appropriate number of issues is shown in the desktop application.
Does anyone have ideas?

What version of SSC are you using?
Are you giving SSC enough time to update its metrics? There are certain actions that require SSC to recalculate metrics. Normally the recalculations are done at midnight. There is an indicator that an update needs to be done (and it can be triggered manually).
In the HTML SSC interface (introduced in 4.40) you will see two yellow arrows in a circle (think of a refresh icon). That is letting you know recalculations need to be done. This is also a button that can be pressed to kick it off now.
In the older flash UI, when looking at the details page of a project version, there can be a Refresh button, if this is visible it means a recalculation needs to be done, either at the scheduled time or can be triggered manually.
Side Note
To get around the "missing external metadata" issue, you need to update the rulepacks on the SSC Server. You can do this in the Rulepacks section of the Admin area.

Related

Project Summary missing from Fortify Audit Workbench 18.20.1071

Question:
Does anyone know how to fix this aside from completely reinstalling the entire Fortify software suite?
Background:
Audit Workbench was up then my PC restarted. Now the Project summary does not show (nor does the code preview).
What I have tried so far:
I tried resetting the display and restarting my PC but it does not bring the Audit Workbench module back.
Previous Fix:
Before, when I had this issue, I had to get Fortify completely reinstalled to get it fixed. Because this is on a Government PC, it will take a while to get it reinstalled. I need this for my job.
Edit: Best Path Forward (Until bug is fixed):
When I open the FPR through the application (start menu, Fortify SCA folder, Audit Workbench, choose FPR file), it shows the module. For some reason, a forced restart causes Fortify to not show the module when opening the FPRs directly from the file system.
The other thing is that you cannot pin Audit Workbench to the taskbar which makes this bug more annoying than it should be. I will make a script that I can pin to the taskbar to open the Audit Workbench without going through the start menu every time.
Edit: Found temporary solution
I did a bit of testing and whenever I open the FPR with Audit Workbench, I need to open 2 windows, 1 immediately after the other, to get the project summary back. The first one I open will not show the Project Summary but the 2nd one will. It only shows the pane on the 2nd window for some reason.
Check question for "Path Forward"

TFS 2013 audit get latest version commands

We're using TFS 2013. I'm interested to know if it's possible to see which developers are performing a 'Get Latest Version' command from various projects. tbl_command shows Get commands, but this doesn't tell me what was gotten. Is this available somewhere?
If I were you, I would open up the SQL Transaction inspection tool and see any SQL transactions that are happening (this will take some trial and error to tune the filters to find what transactions you are looking for). Then, when you find the table that is being queried specifically for a "Get Latest Version" and not just a regular "Get", just add a SQL table trigger that fires an INSERT into another table that keeps track of Who, What, When, and Where this is happening. I'm sorry I cannot give you the details of which transaction this happens in, but I've used this methodology to find transactions when I needed to keep track of when developers were adding LABELS to TFVC branches, and now I know when they are sneaking in labels anywhere in my TFS system.
Every time a developer performs a get-latest, the server updates its Workspace tracking tables. Through these, you can track exactly which workspace mappings and which version of each element in the workspace mapping has been served to a user through TFVC commands.
A user can delete their workspace from the server, after which this information is lost, however.
If you want to use this data for audit purposes, it may not be enough.
Files downloaded through tf vc view commands are not stored in the workspace cache, even though that command can be used to download individual files. Individual file downloads through the Web UI are also not tracked in any workspace cache.
Each file downloaded results in an HTTP call on the TFS application tier, and those logs should provide data on which files were downloaded by which user.
If you don't have all the logs and haven't configured high retention on the tbl_command, then you should consider that each user with access permissions potentially has downloaded all files they have the permissions for.
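The two points in the answer above, attributing downloads from the application tier's IIS logs and falling back to the worst case when the logs are incomplete, as an added example (not code from the thread). The log lines, the download endpoint path and the `path` query parameter are constructed placeholders; match them to what your own application tier actually logs.

```python
"""Attribute TFVC file downloads to users from IIS W3C logs on the TFS
application tier, then decide what to assume when the logs are incomplete.
Added example; log lines, endpoint path and query parameter name are
constructed placeholders, not TFS's real request format."""
from collections import defaultdict
from typing import Dict, List, Set
from urllib.parse import parse_qs

DOWNLOAD_STEM = "/tfs/DefaultCollection/VersionControl/download.ashx"  # placeholder

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.0
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username sc-status
2015-03-02 09:12:01 GET /tfs/DefaultCollection/VersionControl/download.ashx path=%24/Proj/src/Auth.cs CORP\\alice 200
2015-03-02 09:12:02 GET /tfs/DefaultCollection/VersionControl/download.ashx path=%24/Proj/src/Db.cs CORP\\alice 200
2015-03-02 09:15:40 GET /tfs/DefaultCollection/VersionControl/download.ashx path=%24/Proj/src/Auth.cs CORP\\bob 401
2015-03-02 09:16:05 POST /tfs/DefaultCollection/VersionControl/v1.0/repository.asmx - CORP\\bob 200
"""

def downloads_by_user(log_text: str) -> Dict[str, Set[str]]:
    """Map user -> set of server paths successfully downloaded (sc-status 200)."""
    fields: List[str] = []
    result: Dict[str, Set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # the W3C header names the columns
            continue
        if line.startswith("#") or not line.strip():
            continue
        rec = dict(zip(fields, line.split()))
        if rec.get("cs-uri-stem") != DOWNLOAD_STEM or rec.get("sc-status") != "200":
            continue                           # not a download, or it was denied
        for path in parse_qs(rec.get("cs-uri-query", "")).get("path", []):
            result[rec["cs-username"]].add(path)   # %24 decodes to the $/ root
    return dict(result)

def exposure(permitted: Dict[str, Set[str]], evidence: Dict[str, Set[str]],
             logs_complete: bool) -> Dict[str, Set[str]]:
    """Files to treat as downloaded per user. With complete logs, rely on the
    evidence; otherwise assume the worst case from the answer: every file the
    user has permission to read."""
    if logs_complete:
        return {u: set(evidence.get(u, set())) for u in permitted}
    return {u: set(paths) for u, paths in permitted.items()}
```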

How to start another build on CodeClimate after the initial build fails?

Here's the first failed build. I forgot to configure the file. So I added it again and recommitted. Now it won't fire again.
Do I have to get a CI (using Travis CI) to successfully test it first?
You can press the refresh button in the top right corner on your repo.
Support got back to me and told me it was a problem on their end.
Sorry that your repository got stuck in that weird "limbo" state. Currently, we don't automatically install our webhook for open-source repositories and without that we don't see any subsequent commits if the first analysis errors. Our dev team plans to improve this experience, but in the meantime, I'd recommend installing our webhook. This hook is what notifies us of certain events happening in your repository including commits made to your default branch.
To get that installed you'll need to run through steps 5-7 in this help doc here: https://docs.codeclimate.com/docs/github#pull-requests.

How to have SonarQube block code on failure of ci build?

We are standing up a CI pipeline using Jenkins and we are using SonarQube to run static analysis. We have set up quality gates and now we are failing builds when the gates are not met. When we fail a build, the code is still put into SonarQube. So if a developer tries to promote twice, the second build will 'pass'.
Example:
Gate is no new critical issues.
The developer checks in code with 1 new critical issue.
The build fails on static analysis (SonarQube has the rule flagged and a blocker).
The developer checks in code again (no code changes).
The static analysis passes because the critical issue is not 'new'.
Is there a way to revert back to the previous version on a failure, or better yet to run the analysis against the most current non-failing run?
Notes: Version - SonarQube 5.1.2
You've asked how to keep committed code from being reflected in the SonarQube platform.
I don't recommend trying to suppress the analysis of committed code because then your quality measures don't reflect the state of your code base. Imagine that someone is making a decision about whether HEAD is releasable based on what they see in the SonarQube UI. If you're keeping "bad" code from showing up, then... what's the point of analyzing at all? Just use a photo editor to construct the "perfect" dashboard, and serve that gif whenever someone hits http://sonarqube.myco.com:9000.
Okay, that may be an extreme reaction, but you get my point. The point of SonarQube analysis is to show you what's right and wrong with your code. Having a commit show up in the SonarQube UI should not be an honor you "earn" by committing "worthy" code. It should be the baseline expectation. Like following the team's coding conventions and using an SCM.
But this rant doesn't address your problem, which is the fact that your current quality gate is based on last_analysis. On that time scale "new critical issues" is an ephemeral measure, and you're losing the ability to detect new critical issues because they're "new" one minute and "old" the next. For that reason, I advise you to change your time scale. Instead of looking at "new" versus last analysis, compare to last version, last month (over 30 days), or last year (over 365 days). Then you'll always be able to tell what's "new" versus the accepted baseline.
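A small simulation of the scenario in the question and the fix in the answer, added here as an example (not code from the thread or from SonarQube): the same "no new critical issues" gate is evaluated against the previous analysis and against the last version. The issue keys, the snapshot history and the baseline names are constructed for the simulation; map them to the differential period settings of your own SonarQube version.

```python
"""Simulate SonarQube's "no new critical issues" gate under two baselines.
Constructed example: snapshots are sets of critical issue keys seen at each
analysis; history[0] plays the role of the last released version."""
from typing import List, Set

Snapshot = Set[str]

def new_critical_issues(history: List[Snapshot], baseline: str) -> Set[str]:
    """Critical issues in the latest analysis that are absent from the baseline.

    baseline="previous_analysis": compare with the run just before, which is
        what the question's gate is effectively doing.
    baseline="previous_version": compare with history[0], the last version
        (assumption of this simulation)."""
    latest = history[-1]
    if len(history) < 2:
        return set(latest)             # nothing to compare against: all are new
    if baseline == "previous_analysis":
        ref = history[-2]
    elif baseline == "previous_version":
        ref = history[0]
    else:
        raise ValueError(f"unsupported baseline: {baseline}")
    return latest - ref

def gate_passes(history: List[Snapshot], baseline: str) -> bool:
    """Quality gate from the question: no new critical issues allowed."""
    return not new_critical_issues(history, baseline)

def replay_scenario(baseline: str) -> List[bool]:
    """Replay the question's two builds and return the gate verdict of each."""
    released: Snapshot = {"CRIT-1"}    # last version already carries one critical
    history: List[Snapshot] = [released]
    verdicts: List[bool] = []
    # Build 1: the developer checks in code that adds one new critical issue.
    history.append(released | {"CRIT-2"})
    verdicts.append(gate_passes(history, baseline))
    # Build 2: the same code is checked in again with no changes.
    history.append(released | {"CRIT-2"})
    verdicts.append(gate_passes(history, baseline))
    return verdicts

# Against previous_analysis the second build "passes" because CRIT-2 is no
# longer new; against previous_version it keeps failing until CRIT-2 is fixed.
```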

How to use JIRA for tracking project issues

I installed JIRA 6.4. I also created a Project and an Issue in it. I assigned the Issue to some user. Now, if the Administrator wants to monitor issue status, he can see the progress. But how does the assignee, i.e. the person working on the issue, update the issue status? Actually, I am very new to JIRA. Or is there any other plugin for it?
Depending on the workflow you have configured for the project, the assignee should see action buttons on the issue that they can click to progress status; e.g. "Resolve Issue" or "Close Issue". These are known as "Transitions" in the workflow and configure how issues can move between certain states.
If you're also using the JIRA Agile add-on, you can create a "Rapid Board" that allows assignees to drag and drop issues between states to create a "Work in Progress" board.
This is just a starter, it's best to run through the tutorials from Atlassian, they will take into account the various project setups that may apply to you.
Also, if you're just getting up and running with JIRA, it may be advisable to upgrade to JIRA Core 7 (or JIRA Software if you require the extra features) as it has project templates/workflows that will make getting up and running a lot quicker.