Warning: This is documentation for the upcoming version 2.0.

New version of the plugin under development

The current version of the plugin no longer allows importing rule definitions. As a consequence, it is no longer usable if you start from a fresh SonarQube installation (empty database). A new version will be released soon to fix this issue.

Description / Features

This plugin imports Fortify SSC rules descriptions and SCA reports into SonarQube:

  • Parse extracted rulepacks to load rule descriptions into SonarQube
  • Import vulnerability issues as SonarQube issues. Supported languages are ABAP, C#, C++, Cobol, Java, JavaScript, Python and VB.
  • Compute the Fortify Security Rating, a value between 1 and 5
  • Compute the number of issues marked as critical, high, medium and low priority in Fortify

The plugin does not trigger Fortify scans

As stated in the description above, this plugin imports audit reports; it does not trigger Fortify scans itself. As a consequence, the Fortify scan must have been run and its report produced before the SonarQube analysis that uses this plugin is executed.

The plugin has been developed and tested with Fortify 2.50. Older versions might also work (feel free to tell us on the user mailing list if you managed to make it work in this case).




Import Fortify rules into SonarQube

The SonarQube server loads rule definitions from Fortify rulepacks. Rulepacks are:

  • XML files implemented by end-users to define custom rules.
  • BIN files provided by HP. They are encrypted XML files.

The SonarQube plugin is only able to load the XML files, so BIN files must be manually uncompressed beforehand (see "Uncompress Rulepacks" below). Paths to the XML files (or to their parent directory) must be set in the property "sonar.fortify.rulepackPaths" of conf/ The value is a comma-separated list of absolute paths to XML files or to directories containing XML files. Because the rules are loaded at startup, the SonarQube server must be restarted each time a rulepack is updated in Fortify.



Once the server has been restarted, the Fortify rules are listed in the "Quality Profiles" page.

Uncompress Rulepacks

The following command extracts XML files from BIN files:

java -cp rulepack-uncompress-2.0.jar:/path/to/Fortify/Core/lib/fortify-crypto-1.0.jar org.sonar.fortify.uncompress.CLI /path/to/rulepacks/dir

Note that the parameter is the path to the directory containing BIN files. The corresponding XML files are extracted into the same directory by default. The output directory can be customized by passing a second parameter on the command line:

java -cp rulepack-uncompress-2.0.jar:/path/to/Fortify/Core/lib/fortify-crypto-1.0.jar org.sonar.fortify.uncompress.CLI /path/to/rulepacks/dir /path/to/output/dir
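As an added example (not the plugin's own code or documentation), a POSIX shell script that ties the steps above together: it runs the rulepack-uncompress CLI, builds the comma-separated value that sonar.fortify.rulepackPaths expects from the extracted XML files, and writes that property into the server's properties file without duplicating it. The jar location, the Fortify lib directory and the properties file path are assumptions; the rulepack files used in any test run are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the plugin. Assumed locations can be overridden
# through UNCOMPRESS_JAR and FORTIFY_LIB.
set -eu

# Uncompress the BIN rulepacks in $1 into $2 (defaults to $1) using the
# CLI shipped with the plugin, exactly as on the documentation page.
uncompress_rulepacks() {
  dir="$1"; out="${2:-$1}"
  java -cp "${UNCOMPRESS_JAR:-rulepack-uncompress-2.0.jar}:${FORTIFY_LIB:-/path/to/Fortify/Core/lib}/fortify-crypto-1.0.jar" \
    org.sonar.fortify.uncompress.CLI "$dir" "$out"
}

# Build the comma-separated list of absolute paths to the XML rulepacks in
# a directory; BIN files are skipped because the plugin cannot load them.
rulepack_paths() {
  dir=$(cd "$1" && pwd)
  list=""
  for f in "$dir"/*.xml; do
    [ -f "$f" ] || continue
    list="${list:+$list,}$f"
  done
  printf '%s' "$list"
}

# Set or replace one key in a properties file so repeated runs (after each
# rulepack update in Fortify) leave a single, current value to reload on restart.
set_property() {
  file="$1"; key="$2"; value="$3"
  touch "$file"
  grep -v "^${key}=" "$file" > "$file.tmp" || true
  printf '%s=%s\n' "$key" "$value" >> "$file.tmp"
  mv "$file.tmp" "$file"
}

# Typical sequence (paths are assumptions):
#   uncompress_rulepacks /path/to/rulepacks/dir /path/to/output/dir
#   set_property /path/to/sonarqube/conf/sonar.properties \
#     sonar.fortify.rulepackPaths "$(rulepack_paths /path/to/output/dir)"
#   then restart the SonarQube server.
```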

Note that Fortify rules are only imported into SonarQube when the appropriate SonarQube language plugin is installed. Here is the conversion table between Fortify languages and SonarQube languages:



Configure and run analysis


10:20:44 10:20:35.588 INFO  - Sensor Fortify sensor...
10:20:44 10:20:35.589 INFO  - Process Fortify report...
10:20:45 10:20:37.318 INFO  - Process Fortify report done: 1729 ms
10:20:45 10:20:37.319 INFO  - Sensor Fortify sensor done: 1731 ms


Previous Documentation

Previous documentation for older versions is located at "Fortify Plugin (1.x)".