How to explore audit workbench through fortify software security center? - fortify

How do I explore Fortify Audit Workbench from Software Security Center? Can I get auditing capabilities in SSC like in Audit Workbench?

Static Code Analyzer (SCA) is a command-line program run on a developer workstation or on a development or test build server. You typically use SCA to scan the code (via sourceanalyzer or the sourceanalyzer.jar) and generate a Fortify Project Reports (FPR) file. Then you can open that FPR file with Audit Workbench or upload it to SSC, where you can track trends, risk posture, etc.
Audit Workbench (AWB) is installed on your desktop with the SCA; it is a graphical application that allows you to review the scan results, add audit data, apply filters, and run simple reports. The AWB only gives you the results of that particular scan. In contrast, the SSC provides the history of your applications and the other applications using the SSC (given the appropriate access permissions).
The SSC is a web-based repository of your FPR files and a tool for managing your portfolio's application security. It is a Java WAR installed into Tomcat or your favorite application server. The reports on SSC are better suited to running centralized metrics. You can report on the results of a particular scan, or on the history (what changed between the current scan and any earlier ones). If you want diffs, trends, history, etc. of SCA scans, use SSC to report Fortify issues and remediation over time. Trend reports and portfolio reports are available only on the SSC.
The same sourceanalyzer.exe (the SCA executable) is invoked by the Audit Workbench and by the various SCA plug-ins (Maven, Jenkins, Eclipse, Visual Studio, IntelliJ, Xcode, etc.). The SSC does not run the SCA. The SSC manages the FPR files that are output from the SCA and manages your audits of the issues that SCA finds.

Related

Jenkins-generated Fortify SCA report (.fpr) shows a lower vulnerability count

I was trying to integrate Fortify SCA with a Jenkins pipeline script, using Fortify SCA version 21.1.4, Scan Engine version 21.1.4 and the Fortify plugin version 21.2.37 installed in Jenkins.
For that I am using 4 different stages: clean, translate, scan, upload to SSC. The Jenkins-generated Fortify .fpr file shows a lower vulnerability count and fewer executable LOC when compared with the report from Audit Workbench.
Please help with this issue.

How to package an .exe file into an MSI via Jenkins

I'm new to .NET application (non-web application) projects and am using Jenkins for continuous build and release. I completed creating builds for my project and got the .exe and DLL files. But I need to repackage it (create an MSI) before deploying to servers. So can anyone give stepwise information for repackaging and the tool to be used with Jenkins for packaging? I want to automate this process in Jenkins CI and CD.
Jenkins is not capable of packaging any applications directly.
It will always use an external tool, via a plugin or installed by you.
In the MSI case, you need a Windows agent with an app that receives the command on the command line and produces your deliverable.
Applications:
InstallShield (very old, paid)
Visual Studio (paid)
TFS (on premises or cloud) (paid)
MSIX (? I don't know much about it)
WiX (free)
Jenkins plugin here

Automating Fortify Audit Workbench

Does Fortify Audit Workbench have any command-line options that would allow me to put it in a cron job and run it daily?
The scan takes over two hours; I would like it to run overnight and see the results in the morning.
Jason
Audit Workbench is the GUI front end for the underlying SCA engine (sourceanalyzer).
If you know how to scan your code through the command line, you can create a Windows batch file or bash script to execute it.
The hardest part will be coming up with the translation command. That is going to be language- and project-specific.
Your script should have a minimum of 3 steps:
Clean
Translate
Scan
There is a fourth, optional step to upload the scan results to your SSC instance. This step utilizes the fortifyclient command.
References:
sourceanalyzer -h
HPE Security Fortify Static Code Analyzer User Guide, which provides an overview of the scan process and examples depending on language and/or build tool.
HPE Security Fortify Software Security Center Installation and Configuration Guide, chapter 10, which talks about using the fortifyclient tool to communicate with SSC.
Without any further information, we cannot help you with the actual commands.
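A nightly clean/translate/scan/upload script along the lines this answer describes, added here as an example (it is not the poster's or Fortify's own code); the paths, application names, the make-based translate command and the fortifyclient uploadFPR flags are assumptions to adapt to your own project and SSC version.

```shell
#!/usr/bin/env bash
# Nightly SCA pipeline (clean -> translate -> scan -> optional upload), started
# from cron. Added example, not the poster's script. Assumes sourceanalyzer and
# fortifyclient are on PATH; paths, names and SCA_TRANSLATE_CMD are placeholders.
set -eu

SCA_BUILD_ID="${SCA_BUILD_ID:-myapp}"               # SCA build id shared by every step
SCA_SRC_DIR="${SCA_SRC_DIR:-/srv/src/myapp}"        # checkout to scan (placeholder)
SCA_OUT_DIR="${SCA_OUT_DIR:-/srv/fortify/results}"  # where nightly FPRs accumulate
SCAN_DATE="${SCAN_DATE:-$(date +%Y%m%d)}"           # one FPR per night, never overwritten
# Translation is language/project specific; a make-based build is assumed here.
SCA_TRANSLATE_CMD="${SCA_TRANSLATE_CMD:-make -C $SCA_SRC_DIR}"
SSC_URL="${SSC_URL:-}"                              # empty = skip the upload step
SSC_APP="${SSC_APP:-myapp}"; SSC_VER="${SSC_VER:-main}"
SSC_TOKEN="${SSC_TOKEN:-}"                          # SSC upload token, taken from the environment
DRY_RUN="${DRY_RUN:-0}"                             # 1 = print each command instead of running it

# Path of tonight's result file, e.g. /srv/fortify/results/myapp-20240101.fpr
fpr_path() { printf '%s/%s-%s.fpr\n' "$SCA_OUT_DIR" "$1" "$2"; }

# Run (or, in dry-run mode, print) one step; a failing step aborts the whole night,
# so a broken translation never yields a misleadingly small FPR.
run_step() {
  local name="$1"; shift
  if [ "$DRY_RUN" = 1 ]; then printf '[%s] %s\n' "$name" "$*"; return 0; fi
  printf '[%s] started %s\n' "$name" "$(date +%FT%T)"
  "$@" || { printf '[%s] failed with status %s\n' "$name" "$?" >&2; exit 1; }
}

step_clean()     { run_step clean sourceanalyzer -b "$SCA_BUILD_ID" -clean; }
# SCA_TRANSLATE_CMD is deliberately unquoted so its words become separate arguments
step_translate() { run_step translate sourceanalyzer -b "$SCA_BUILD_ID" $SCA_TRANSLATE_CMD; }
step_scan() {
  run_step scan sourceanalyzer -b "$SCA_BUILD_ID" -scan -f "$(fpr_path "$SCA_BUILD_ID" "$SCAN_DATE")"
}
step_upload() {
  [ -n "$SSC_URL" ] || { echo '[upload] SSC_URL not set, skipping'; return 0; }
  # fortifyclient uploadFPR flags as in recent SSC releases (assumed; check your version)
  run_step upload fortifyclient uploadFPR -file "$(fpr_path "$SCA_BUILD_ID" "$SCAN_DATE")" \
    -url "$SSC_URL" -authtoken "$SSC_TOKEN" -application "$SSC_APP" -applicationVersion "$SSC_VER"
}

run_nightly_scan() { step_clean; step_translate; step_scan; step_upload; }

# crontab entry (assumed path): 0 1 * * * /opt/fortify/nightly.sh run >>/var/log/fortify-nightly.log 2>&1
if [ "${1:-}" = run ]; then run_nightly_scan; fi
```

Run with DRY_RUN=1 first to review the exact sourceanalyzer and fortifyclient invocations before scheduling the cron job.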
sourceanalyzer is the command-line tool.
I run this (as a Windows batch file) as:
sourceanalyzer -b 1234 devenv "VsSolution.sln" /REBUILD release
The other answers are correct, but there's an easier way. There's a Scan Wizard that creates a batch script for you. You point it at your project, answer some questions, and it creates a script. Check a box and it'll also upload to SSC.
Scan Wizard is located in /bin. It may also be in your Start menu, next to Audit Workbench.
Note: Sometimes I have to modify the script. But if you're able to scan using the Fortify button in Visual Studio, then the default script usually works.

How to connect SonarQube to TFS

Does somebody know how to connect SonarQube to TFS in order to get several metrics like check-in count per day? Or is it better to generate the TFS metrics in JSON format and read the JSON file from a Sonar plugin?
SonarQube is an open source platform providing continuous inspection of your code quality. Usually, SonarQube is integrated with TFS Build and receives the following data, which is gathered during a build under the governance of quality profiles and gates defined on the SonarQube server:
results of .NET and JavaScript code analysis
code clone analysis
code coverage data from tests
metrics for .NET and JavaScript
To integrate SonarQube with TFS Build, you need to map build definitions to SonarQube projects. For detailed steps, you can follow the SonarQube Installation Guide.
If you want to gain insight into the progress you're making, you can use TFS Dashboards and reports.
If you want to know the check-in count per day, you can check the history in TFS Web Access.

How to automate the download and installation of Sitecore update packages generated from TFS build?

I am developing a Sitecore solution locally using TDS. Our source control and build server is Visual Studio Team Services (in the cloud). I would like to figure out a way to implement Continuous Integration and get builds to be automatically installed on an Integration server that is an Amazon VM (or it could be some other externally located server). I have the TDS build configuration set up to create a Sitecore Update Package. The build process works great. At the end of the build process I have the Sitecore Update Package sitting in a Drops folder in source control (TFS in the cloud). Now I can't figure out how to automate the process of getting that update package out of source control and downloading it to the Integration server and running the Sitecore command to install it.
In a perfect world you would use something along the lines of the fancy Microsoft Release Management to deploy it to the environment of choice. However, if you are like the majority of us mere mortals without the fancy tools, this should help: https://github.com/adoprog/Sitecore-Deployment-Helpers
With these pages you could just send a GET request from TFS or use the logic to write a custom PowerShell post-build script. Hope this helps!
As you are using TFS, you get to use Release Management for Visual Studio out of the box. This is a simple install but at this time is separate. I have an instance of RM running in a VM attached to my VSO instance for running deployments.
I would expect this tool, which was bought by MS last year, to become more integrated in vNext.