
This plugin imports Fortify SSC reports into SonarQube:

  • Import the Fortify Security Rating, value between 1 and 5
  • Import the number of issues marked as critical, high, medium and low priority in Fortify
  • Link to the Fortify SSC web report
  • Import vulnerability issues as SonarQube issues. Supported languages are ABAP, C#, C++, Cobol, Java, JavaScript, Python and VB.
Info: This plugin is neither autonomous nor server-less

As stated in the description above, this plugin imports audit reports available in Fortify SSC Server. This means that the plugin:

  • does not trigger Fortify scans
  • needs a connection to the Fortify server to retrieve the results
As a consequence, Fortify scans must have been run before executing this plugin on SonarQube.
The plugin has been developed and tested with Fortify 2.50. Older versions might also work (feel free to tell us on the user mailing list if you managed to make it work in this case).
Note: Multi-module projects are currently supported only for Java projects

The Fortify plugin currently does not support multi-module projects for languages other than Java. You can watch and vote for the following JIRA ticket concerning this issue: SONARPLUGINS-2452


Here are some screenshots from the plugin:



Installation

  1. Install the Fortify plugin through the Update Center or download it into the SONAR_HOME/extensions/plugins directory
  2. Restart the Sonar server


Usage

  1. Configure the connection to the Fortify SSC Server in Settings > General Settings > Fortify:
    • Server URL
    • Login/password. Token-based authentication is not supported yet.
  2. Activate some rules from the "Fortify" rule repositories in the Quality Profile
  3. Configure the project to be analyzed:
    • By default, the Fortify plugin will try to match the value of sonar.projectName and sonar.projectVersion with the name and version of a project in your Fortify server. If they don't match, you can use sonar.fortify.projectName and sonar.fortify.projectVersion to configure the correct values.
    • Enable audit import on the projects you want to be scanned by Fortify: set the sonar.fortify.enable property to true in Project Settings.
  4. Run a SonarQube analysis. Something like the following should appear in the log:

    [INFO] [14:03:32.720] Fortify SSC Project: <Fortify project name>, version: <Fortify project version>
    [INFO] [14:03:35.643] Sensor Fortify Audit Context...
    [INFO] [14:03:35.643] Sensor Fortify Audit Context done: 0 ms
    [INFO] [14:03:35.643] Sensor Fortify Performance Indicators...
    [INFO] [14:03:36.701] Sensor Fortify Performance Indicators done: 1058 ms
    [INFO] [14:03:36.701] Sensor Fortify Issues...
    [INFO] [14:04:35.131] Loading 171 Fortify issues
    [INFO] [14:04:35.149] Sensor Fortify Issues done: 58448 ms
    Note: Security note for SonarQube 3.4.0 to 3.6.3 included

    For the *.secured properties to be read during the project analysis, it is necessary to set the sonar.login and sonar.password properties to the credentials of a user that is:

    • System administrator
    • And project administrator on the project that is being analyzed
    Example:
    sonar-runner -Dsonar.login=admin -Dsonar.password=admin
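As an added check (not part of the plugin or of this page), the following Python script parses the analysis log format shown in step 4 and flags an import that did not complete: no "Fortify SSC Project" line, a Fortify sensor that never finished, or zero issues loaded. SAMPLE_LOG is a constructed sample and the project name demo-app is an assumption.

```python
import re
from dataclasses import dataclass, field
from typing import Optional
# Constructed sample in the log format shown above (not output from a real run).
SAMPLE_LOG = """\
[INFO] [14:03:32.720] Fortify SSC Project: demo-app, version: 1.0
[INFO] [14:03:35.643] Sensor Fortify Audit Context done: 0 ms
[INFO] [14:03:36.701] Sensor Fortify Performance Indicators done: 1058 ms
[INFO] [14:03:36.701] Sensor Fortify Issues...
[INFO] [14:04:35.131] Loading 171 Fortify issues
[INFO] [14:04:35.149] Sensor Fortify Issues done: 58448 ms
"""
PROJECT_RE = re.compile(r"Fortify SSC Project: (?P<name>.+?), version: (?P<version>\S+)")
SENSOR_DONE_RE = re.compile(r"Sensor Fortify (?P<sensor>.+?) done: (?P<ms>\d+) ms")
LOADING_RE = re.compile(r"Loading (?P<count>\d+) Fortify issues")
EXPECTED_SENSORS = {"Audit Context", "Performance Indicators", "Issues"}

@dataclass
class FortifyImportSummary:
    project: Optional[str] = None
    version: Optional[str] = None
    sensors_done: dict = field(default_factory=dict)  # sensor name -> elapsed ms
    issues_loaded: Optional[int] = None

    def problems(self) -> list:
        # Reasons not to trust the import; an empty list means it looks complete.
        out = []
        if self.project is None:
            out.append("no 'Fortify SSC Project' line: is sonar.fortify.enable set to true?")
        missing = EXPECTED_SENSORS - set(self.sensors_done)
        if missing:
            out.append("Fortify sensors did not complete: " + ", ".join(sorted(missing)))
        if self.issues_loaded is None:
            out.append("no 'Loading N Fortify issues' line")
        elif self.issues_loaded == 0:
            out.append("0 issues loaded: check that name/version match the SSC project")
        return out

def parse_fortify_log(text: str) -> FortifyImportSummary:
    # Walk the analysis log and collect only the Fortify-specific lines.
    summary = FortifyImportSummary()
    for line in text.splitlines():
        if m := PROJECT_RE.search(line):
            summary.project, summary.version = m["name"], m["version"]
        elif m := SENSOR_DONE_RE.search(line):
            summary.sensors_done[m["sensor"]] = int(m["ms"])
        elif m := LOADING_RE.search(line):
            summary.issues_loaded = int(m["count"])
    return summary
```

Feed it the log of a real analysis (for example `parse_fortify_log(open("analysis.log").read()).problems()`) and fail the build when the list is not empty.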

Change Log

Version 1.1: JIRA issues fixed in this release: http://jira.codehaus.org/sr/jira.issueviews:searchrequest-xml/temp/SearchRequest.xml?fixfor=18706&pid=11911&sorter/field=priority&sorter/order=DESC&tempMax=1000

Version 1.0: JIRA issues fixed in this release: http://jira.codehaus.org/sr/jira.issueviews:searchrequest-xml/temp/SearchRequest.xml?fixfor=18705&pid=11911&sorter/field=priority&sorter/order=DESC&tempMax=1000