Description / Features

This plugin imports Fortify SSC reports. Provided features include:

• Import the Fortify Security Rating, value between 1 and 5.
• Import the number of issues marked as critical, high, medium and low priority in Fortify
• Link to the Fortify SSC web report
• Import vulnerability issues as Sonar violations. Supported languages are ABAP, C#, C++, Cobol, Java, JavascriptJavaScript, Python and VB.

Here are some screenshots of the plugin:

Configuration

Installation

1. Install the Fortify plugin through the Update Center or download it into the SONAR_HOME/extensions/plugins directory
2. Restart the Sonar server

Usage

1. Configure the connection to the Fortify SSC Server in Configuration > General Settings > Fortify:
   
   • Server URL
   • Login/password. Token-based authentication is not supported yet.
2. Activate some Fortify rules in the Quality profileProfile
3. Configure the project to be analyzed:
   
   • By default project name and version must match the name and version defined in Fortify. They can be changed in Project Settings.
   • Enable audit import on the projects that have been scanned by Fortify: set sonar.fortify.enable to true in Project Settings.

4. Inspect project. The following logs should appear:

   Code Block

   [INFO] [14:03:32.720] Fortify SSC Project: <Fortify project name>, version: <Fortify project version> [INFO] [14:03:35.643] Sensor Fortify Audit Context... [INFO] [14:03:35.643] Sensor Fortify Audit Context done: 0 ms [INFO] [14:03:35.643] Sensor Fortify Performance Indicators... [INFO] [14:03:36.701] Sensor Fortify Performance Indicators done: 1058 ms [INFO] [14:03:36.701] Sensor Fortify Issues... [INFO] [14:04:35.131] Loading 171 Fortify issues [INFO] [14:04:35.149] Sensor Fortify Issues done: 58448 ms

   
   
   

Change Log