New version of the plugin under development

The current version of the plugin no longer allows importing rule definitions. As a consequence, it is no longer usable if you start from a fresh SonarQube installation (empty database). A new version will be released soon to fix this issue.

Description / Features

This plugin imports Fortify SSC rule descriptions and SCA reports into SonarQube:

  • Import vulnerability issues as SonarQube issues. Supported languages are ABAP, C#, C++, Cobol, Java, JavaScript, Python and VB.
  • Compute the Fortify Security Rating, a value between 1 and 5
  • Compute the number of issues marked as critical, high, medium and low priority in Fortify
  • Link to the Fortify SSC web report

This plugin is neither autonomous nor server-less: it does not trigger Fortify scans

As stated in the description above, this plugin imports audit reports available in Fortify SSC Server. This means that the plugin:

  • does not trigger Fortify scans
  • needs a connection to the Fortify server to retrieve the results

As a consequence, Fortify scans must have been run before executing this plugin on SonarQube.

The plugin has been developed and tested with Fortify 2.50. Older versions might also work (feel free to tell us on the user mailing list if you managed to make it work in this case).
Multi-module projects are currently supported only for Java projects

The Fortify plugin currently does not support multi-module projects for languages other than Java. You can watch and vote for the JIRA ticket concerning this issue: SONARPLUGINS-2452


Screenshots of the plugin (images not reproduced here).

Installation

Follow the generic SonarQube "Plugin Installation" page, which is included at this point.
Configure the connection to the Fortify SSC server:

  • Server URL
  • Login/password. Token-based authentication is not supported yet.

Then configure the projects whose Fortify results should be imported:

  • By default, the Fortify plugin will try to match the values of sonar.projectName and sonar.projectVersion with the name and version of a project in your Fortify server. If they don't match, you can use sonar.fortify.projectName and sonar.fortify.projectVersion to configure the correct values.
  • Enable audit import on the projects you want to be scanned by Fortify: set the sonar.fortify.enable property to true.


Run the analysis

The SCA command-line tool, named "sourceanalyzer", must be executed before the SonarQube analyzer. The generated report (FPR or VFDL file) is parsed to convert Fortify vulnerabilities into SonarQube issues. Since SonarQube issues by nature relate to rules activated in Quality Profiles, don't forget to activate the Fortify rules in the selected Quality Profiles. Note that rule severities are taken from the Fortify report, so the severity configured in the Quality Profile is ignored.

The path to the Fortify report is set by the property "sonar.fortify.reportPath". The path is either absolute or relative to the module base directory. If the property is missing, the plugin is disabled.


  sonar-runner -Dsonar.fortify.reportPath=/path/to/project.fpr
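
The two-step procedure above (run "sourceanalyzer", then "sonar-runner" with sonar.fortify.reportPath), wrapped in an added shell example that is not part of the plugin's documentation. It refuses to start the SonarQube analysis when the report file is missing (a missing report path silently disables the plugin) and then confirms from the analysis log that the Fortify sensor actually loaded issues; the build id, file names and the log format of the current plugin version shown on this page are assumptions.

```shell
#!/bin/sh
# Added example, not the plugin's own code. Assumes "sourceanalyzer" and
# "sonar-runner" are on PATH; build id and file names are placeholders.
set -u

# Step 1: produce the FPR report with Fortify SCA (build id is assumed).
run_fortify_scan() {
  build_id=$1; report=$2
  sourceanalyzer -b "$build_id" -scan -f "$report"
}

# Step 2: run the SonarQube analysis, pointing the plugin at the report.
# An absent sonar.fortify.reportPath silently disables the plugin, so a
# typo or a failed scan would otherwise yield a "clean" analysis.
run_sonar_analysis() {
  report=$1; logfile=$2
  [ -f "$report" ] || { echo "Fortify report not found: $report" >&2; return 2; }
  sonar-runner -Dsonar.fortify.reportPath="$report" | tee "$logfile"
}

# Step 3: confirm from the analysis log that the Fortify Issues sensor ran
# and loaded at least one issue. Returns 0 when issues were imported.
fortify_issues_imported() {
  logfile=$1
  grep -q 'Sensor Fortify Issues done' "$logfile" || return 1
  count=$(sed -n 's/.*Loading \([0-9][0-9]*\) Fortify issues.*/\1/p' "$logfile" | tail -n 1)
  [ -n "$count" ] && [ "$count" -gt 0 ]
}

# Constructed sample logs mirroring the output format shown on this page:
# one where the sensor loaded issues, one where it never completed.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
[INFO] [14:03:36.701] Sensor Fortify Issues...
[INFO] [14:04:35.131] Loading 171 Fortify issues
[INFO] [14:04:35.149] Sensor Fortify Issues done: 58448 ms
EOF
EMPTY_LOG=$(mktemp)
printf '[INFO] [14:03:36.701] Sensor Fortify Issues...\n' > "$EMPTY_LOG"

# Typical usage (not executed here):
#   run_fortify_scan my-build /path/to/project.fpr
#   run_sonar_analysis /path/to/project.fpr analysis.log
#   fortify_issues_imported analysis.log || echo "no Fortify issues imported" >&2
```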

Something like the following should appear in the log:

[INFO] [14:03:32.720] Fortify SSC Project: <Fortify project name>, version: <Fortify project version>
[INFO] [14:03:35.643] Sensor Fortify Audit Context...
[INFO] [14:03:35.643] Sensor Fortify Audit Context done: 0 ms
[INFO] [14:03:35.643] Sensor Fortify Performance Indicators...
[INFO] [14:03:36.701] Sensor Fortify Performance Indicators done: 1058 ms
[INFO] [14:03:36.701] Sensor Fortify Issues...
[INFO] [14:04:35.131] Loading 171 Fortify issues
[INFO] [14:04:35.149] Sensor Fortify Issues done: 58448 ms

Security note for SonarQube 3.4.0 to 3.6.3 included

For the *.secured properties to be read during the project analysis, the sonar.login and sonar.password properties must be set to the credentials of a user that is:

  • System administrator
  • And project administrator on the project that is being analyzed

  sonar-runner -Dsonar.login=admin -Dsonar.password=admin

10:20:44 10:20:35.588 INFO  - Sensor Fortify sensor...
10:20:44 10:20:35.589 INFO  - Process Fortify report...
10:20:45 10:20:37.318 INFO  - Process Fortify report done: 1729 ms
10:20:45 10:20:37.319 INFO  - Sensor Fortify sensor done: 1731 ms

Change Log

Version 1.1: see the JIRA issues for this release.
Version 1.0: see the JIRA issues for this release.

Previous Documentation

Previous documentation for older versions is located at "Fortify Plugin (1.x)".