(warning) This is documentation for upcoming version 2.0. Previous documentation is located at "Fortify Plugin (1.x)".


...

This plugin imports Fortify rule descriptions and scan reports into SonarQube:

  • Parse extracted rulepacks to load the Fortify rule descriptions into SonarQube
  • Import vulnerability issues as SonarQube issues. Supported languages are ABAP, C#, C++, Cobol, Java, JavaScript, Python and VB.
  • Compute the Fortify Security Rating, a value between 1 and 5
  • Compute the number of issues marked as critical, high, medium and low priority in Fortify
Info
The plugin does not trigger Fortify scans

As stated in the description above, this plugin imports audit reports available in Fortify SSC Server. This means that the plugin:

  • does not trigger Fortify scans
  • needs a connection to the Fortify server to retrieve the results

As a consequence, Fortify scans must have been run before the SonarQube analysis that executes this plugin.

The plugin has been developed and tested with Fortify 2.50. Older versions might also work (feel free to tell us on the user mailing list if you managed to make it work in this case).
Note
Multi-module projects are currently supported only for Java projects

The Fortify plugin currently does not support multi-module projects for languages other than Java. You can watch and vote for the following JIRA ticket concerning this issue: SONARPLUGINS-2452

 

Here are some screenshots from the plugin:



Installation

  1. Install the plugin through the Update Center or download it into the SONARQUBE_HOME/extensions/plugins directory
  2. Restart the SonarQube server

Usage

...

  • Server URL
  • Login/password. Token-based authentication is not supported yet.

...

  • By default, the project name (sonar.fortify.projectName) and version (sonar.fortify.projectVersion) must match the name and version defined in Fortify.
  • Enable audit import on the projects whose Fortify results you want to import: set the sonar.fortify.enable property to true.

Run a SonarQube analysis. The following logs should appear:

Code Block
[INFO] [14:03:32.720] Fortify SSC Project: <Fortify project name>, version: <Fortify project version>
[INFO] [14:03:35.643] Sensor Fortify Audit Context...
[INFO] [14:03:35.643] Sensor Fortify Audit Context done: 0 ms
[INFO] [14:03:35.643] Sensor Fortify Performance Indicators...
[INFO] [14:03:36.701] Sensor Fortify Performance Indicators done: 1058 ms
[INFO] [14:03:36.701] Sensor Fortify Issues...
[INFO] [14:04:35.131] Loading 171 Fortify issues
[INFO] [14:04:35.149] Sensor Fortify Issues done: 58448 ms

...

Security note for SonarQube 3.4.0 to 3.6.3 inclusive

For the *.secured properties to be read during the project analysis, the sonar.login and sonar.password properties must be set to the credentials of a user that is:

  • System administrator
  • And project administrator on the project that is being analyzed
Example:
sonar-runner -Dsonar.login=admin -Dsonar.password=admin

Use a dedicated account rather than the default admin/admin credentials shown in the example, and keep in mind that values passed on the command line are visible in the shell history and in the process list of the build machine.

 


Change Log

Version 1.1
http://jira.codehaus.org/sr/jira.issueviews:searchrequest-xml/temp/SearchRequest.xml?fixfor=18706&pid=11911&sorter/field=priority&sorter/order=DESC&tempMax=1000

Version 1.0
http://jira.codehaus.org/sr/jira.issueviews:searchrequest-xml/temp/SearchRequest.xml?fixfor=18705&pid=11911&sorter/field=priority&sorter/order=DESC&tempMax=1000


Usage

Import Fortify rules into SonarQube

The SonarQube server loads rule definitions from Fortify rulepacks. Rulepacks are:

  • XML files written by end users to define custom rules.
  • BIN files provided by HP. They are encrypted XML files.

The plugin can only load the XML files, so BIN files must first be uncompressed manually (see "Uncompress Rulepacks" below). The paths to the XML files (or to their parent directory) are set in the property "sonar.fortify.rulepackPaths" of conf/sonar.properties. The value is a comma-separated list of absolute paths to XML files or to directories containing XML files. Because conf/sonar.properties is only read at startup, the SonarQube server must be restarted each time a rulepack is updated in Fortify.

Example

sonar.fortify.rulepackPaths=/path/to/fortify/rulepacks,/path/to/rulepack.xml

Once the server has been restarted, the Fortify rules are listed on the "Quality Profiles" page.

Uncompress Rulepacks

The following command extracts XML files from BIN files:

java -cp rulepack-uncompress-2.0.jar:/path/to/Fortify/Core/lib/fortify-crypto-1.0.jar org.sonar.fortify.uncompress.CLI /path/to/rulepacks/dir

The parameter is the path to the directory containing the BIN files. By default the XML files are extracted into that same directory. The output directory can be chosen by passing a second parameter on the command line:

java -cp rulepack-uncompress-2.0.jar:/path/to/Fortify/Core/lib/fortify-crypto-1.0.jar org.sonar.fortify.uncompress.CLI /path/to/rulepacks/dir /path/to/output/dir

fortify-crypto-1.0.jar ships with the Fortify installation (under Core/lib), so the tool must run on a machine where Fortify is installed or where that jar has been copied. On Windows, separate the two classpath entries with ";" instead of ":".
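The uncompress step and the sonar.fortify.rulepackPaths setting above, combined into one POSIX shell script as an added example; it is not a script shipped with the plugin. It assumes Java is on PATH, that the two jars sit where the variables at the top of the script point (adjust them to your installation), and that the property is read exactly as described. The check it adds is that the directory really contains rulepack XML files and that every path in the value is absolute, because conf/sonar.properties is only read at restart and a typo would otherwise only show up as a server with no Fortify rules.

```shell
#!/bin/sh
# Added example, not part of the plugin. Assumed: Java on PATH and the two jars at
# the paths below (override them via the environment). The classpath separator is
# ':' on Unix and ';' on Windows.
set -eu

UNCOMPRESS_JAR="${UNCOMPRESS_JAR:-rulepack-uncompress-2.0.jar}"
FORTIFY_CRYPTO_JAR="${FORTIFY_CRYPTO_JAR:-/path/to/Fortify/Core/lib/fortify-crypto-1.0.jar}"

# Step 1: extract XML from the BIN rulepacks in $1 into $2 (the command from the page).
uncompress_rulepacks() {
    java -cp "$UNCOMPRESS_JAR:$FORTIFY_CRYPTO_JAR" org.sonar.fortify.uncompress.CLI "$1" "$2"
}

# Step 2: build the comma-separated list of absolute XML paths the property expects.
# Returns 1 (printing nothing) when the directory holds no .xml file, so a wrong
# path is caught here rather than after a server restart that loads no rules.
rulepack_paths_value() {
    dir=$(cd "$1" 2>/dev/null && pwd) || return 1
    list=""
    for f in "$dir"/*.xml; do
        [ -f "$f" ] || continue
        list="${list:+$list,}$f"
    done
    [ -n "$list" ] || return 1
    printf '%s\n' "$list"
}

# Step 3: set sonar.fortify.rulepackPaths in conf/sonar.properties ($1), replacing any
# existing value; the server must then be restarted for the change to take effect.
write_rulepack_property() {
    { [ -f "$1" ] && grep -v '^sonar.fortify.rulepackPaths=' "$1" || :; } > "$1.tmp"
    printf 'sonar.fortify.rulepackPaths=%s\n' "$2" >> "$1.tmp"
    mv "$1.tmp" "$1"
}

# Typical use (uncomment; paths are placeholders): extract, then point the server at it.
# uncompress_rulepacks /opt/fortify/rulepacks /opt/sonarqube/fortify-rulepacks
# write_rulepack_property /opt/sonarqube/conf/sonar.properties \
#     "$(rulepack_paths_value /opt/sonarqube/fortify-rulepacks)"
```

Because the property accepts directories as well as files, you could also write just the directory path; listing the files explicitly makes a later "no rules loaded" easy to diagnose by diffing the value against the directory.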

Note that Fortify rules are only imported into SonarQube when the corresponding SonarQube language plugin is installed. Here is the conversion table between Fortify languages and SonarQube languages:

Fortify         SonarQube
java            java
abap            abap
actionscript    flex
cfml            Unsupported
cpp             cpp
dotnet          cs
configuration   xml
content         web
jsp             web
python          py
objc            Unsupported
php             php
sql             Unsupported
vb              vb

 

Configure and run analysis

The SCA command line, named "sourceanalyzer", must be executed before the SonarQube analysis. The generated report (FPR or FVDL file) is parsed to convert Fortify vulnerabilities into SonarQube issues. By nature, SonarQube issues relate to rules that are activated in quality profiles, so don't forget to activate the Fortify rules in the selected quality profile. Note that the severity of each issue is taken from the Fortify report, so the severity configured in the quality profile is ignored.

The path to the Fortify report is set by the property "sonar.fortify.reportPath". The path is absolute or relative to the module base directory. If the property is missing, the plugin is disabled.

Example

  sonar-runner -Dsonar.fortify.reportPath=/path/to/project.fpr

Something like the following should appear in the log:

Code Block
10:20:44 10:20:35.588 INFO  - Sensor Fortify sensor...
10:20:44 10:20:35.589 INFO  - Process Fortify report...
10:20:45 10:20:37.318 INFO  - Process Fortify report done: 1729 ms
10:20:45 10:20:37.319 INFO  - Sensor Fortify sensor done: 1731 ms
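The report parsing described under "Configure and run analysis", together with the per-priority counts and the 1-to-5 Fortify Security Rating listed in the plugin description at the top of the page, as an added example in Python. This is not the plugin's own code. It assumes that an FPR is a ZIP archive whose report entry is audit.fvdl, that the FVDL namespace is xmlns://www.fortifysoftware.com/schema/fvdl, and that the location to report is the primary-trace node flagged isDefault="true". The priority bucketing (InstanceSeverity as impact, Confidence as likelihood, 2.5 cut-offs), the rating rule (worst non-empty bucket decides) and the SonarQube severity mapping are stand-ins for the plugin's real ones, and the sample FVDL is constructed, not scan output.

```python
from __future__ import annotations
import io
import zipfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass

NS = {"f": "xmlns://www.fortifysoftware.com/schema/fvdl"}  # assumed FVDL namespace
PRIORITIES = ("Critical", "High", "Medium", "Low")
# Assumed mapping of Fortify priority onto SonarQube severity.
SONAR_SEVERITY = dict(zip(PRIORITIES, ("BLOCKER", "CRITICAL", "MAJOR", "MINOR")))
# Constructed sample report (not output of a real scan): only the elements read below.
SAMPLE_FVDL = """<FVDL xmlns="xmlns://www.fortifysoftware.com/schema/fvdl" version="1.9">
<Vulnerabilities>
<Vulnerability><ClassInfo><ClassID>R1</ClassID><Type>SQL Injection</Type></ClassInfo>
<InstanceInfo><InstanceSeverity>4.0</InstanceSeverity><Confidence>5.0</Confidence></InstanceInfo>
<AnalysisInfo><Unified><Trace><Primary>
<Entry><Node><SourceLocation path="src/Login.java" line="12"/></Node></Entry>
<Entry><Node isDefault="true"><SourceLocation path="src/Login.java" line="42"/></Node></Entry>
</Primary></Trace></Unified></AnalysisInfo></Vulnerability>
<Vulnerability><ClassInfo><ClassID>R2</ClassID><Type>Password Management: Hardcoded Password</Type></ClassInfo>
<InstanceInfo><InstanceSeverity>4.0</InstanceSeverity><Confidence>1.0</Confidence></InstanceInfo>
<AnalysisInfo><Unified><Trace><Primary>
<Entry><Node isDefault="true"><SourceLocation path="src/Db.java" line="7"/></Node></Entry>
</Primary></Trace></Unified></AnalysisInfo></Vulnerability>
<Vulnerability><ClassInfo><ClassID>R3</ClassID><Type>Unchecked Return Value</Type></ClassInfo>
<InstanceInfo><InstanceSeverity>1.0</InstanceSeverity><Confidence>5.0</Confidence></InstanceInfo>
<AnalysisInfo><Unified><Trace><Primary>
<Entry><Node><SourceLocation path="src/Io.java" line="30"/></Node></Entry>
</Primary></Trace></Unified></AnalysisInfo></Vulnerability>
</Vulnerabilities></FVDL>"""


@dataclass(frozen=True)
class FortifyIssue:
    rule: str          # ClassID: the Fortify rule the SonarQube issue is attached to
    type: str
    path: str
    line: int
    severity: float    # InstanceSeverity, 0.0 to 5.0
    confidence: float  # Confidence, 0.0 to 5.0

    @property
    def priority(self) -> str:
        # Assumed stand-in for the Fortify Priority Order (impact x likelihood, 2.5 cut-offs).
        impact, likely = self.severity >= 2.5, self.confidence >= 2.5
        if impact and likely:
            return "Critical"
        if impact:
            return "High"
        return "Medium" if likely else "Low"


def read_fvdl(report: bytes) -> bytes:
    # Accept a raw .fvdl or an .fpr (assumed: a ZIP whose report entry is audit.fvdl).
    if report[:2] == b"PK":  # ZIP magic number
        with zipfile.ZipFile(io.BytesIO(report)) as fpr:
            return fpr.read("audit.fvdl")
    return report


def parse_fvdl(xml_bytes: bytes) -> list[FortifyIssue]:
    issues = []
    for v in ET.fromstring(xml_bytes).iterfind("f:Vulnerabilities/f:Vulnerability", NS):
        ci, ii = v.find("f:ClassInfo", NS), v.find("f:InstanceInfo", NS)
        primary = v.find("f:AnalysisInfo/f:Unified/f:Trace/f:Primary", NS)
        # The location to report is the trace node flagged isDefault="true" (the sink of a
        # dataflow trace); fall back to the last node when no node carries the flag.
        loc = primary.find("f:Entry/f:Node[@isDefault='true']/f:SourceLocation", NS)
        if loc is None:
            loc = primary.findall("f:Entry/f:Node/f:SourceLocation", NS)[-1]
        issues.append(FortifyIssue(
            rule=ci.findtext("f:ClassID", default="", namespaces=NS),
            type=ci.findtext("f:Type", default="", namespaces=NS),
            path=loc.get("path", ""),
            line=int(loc.get("line", "0")),
            severity=float(ii.findtext("f:InstanceSeverity", default="0", namespaces=NS)),
            confidence=float(ii.findtext("f:Confidence", default="0", namespaces=NS)),
        ))
    return issues


def security_rating(counts: dict[str, int]) -> int:
    # Assumed rule for the 1-5 rating: the worst non-empty priority bucket decides.
    for rating, prio in enumerate(PRIORITIES, start=1):
        if counts[prio]:
            return rating
    return 5


def analyze_report(report: bytes) -> dict:
    # Issues, per-priority counts and rating: what the plugin's sensors derive from one report.
    issues = parse_fvdl(read_fvdl(report))
    counts = {p: sum(i.priority == p for i in issues) for p in PRIORITIES}
    return {
        "issues": [{"rule": i.rule, "type": i.type, "path": i.path, "line": i.line,
                    "severity": SONAR_SEVERITY[i.priority]} for i in issues],
        "counts": counts, "rating": security_rating(counts),
    }


def build_sample_fpr() -> bytes:
    # Wrap the constructed FVDL in a minimal FPR so the ZIP branch is exercised too.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as fpr:
        fpr.writestr("audit.fvdl", SAMPLE_FVDL)
    return buf.getvalue()
```

analyze_report(build_sample_fpr()) yields one Critical, one High and one Medium issue and a rating of 1; the SQL Injection issue lands on line 42 (the sink), not on line 12 where the tainted data enters. Feed it the bytes of a real project.fpr to preview which file and line each vulnerability will be reported on before running sonar-runner, bearing in mind that the real plugin's priority and rating rules may differ from the stand-ins here.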