This plugin imports Fortify SSC reports into SonarQube:
- Import the Fortify Security Rating (a value between 1 and 5)
- Import the number of issues marked as critical, high, medium and low priority in Fortify
- Link to the Fortify SSC web report
As said in the description above, this plugin imports audit reports that are already available in the Fortify SSC Server; it does not run Fortify scans itself. As a consequence, Fortify scans must have been run, and their results uploaded to SSC, before executing this plugin on SonarQube.
The plugin has been developed and tested with Fortify 2.50. Older versions might also work (feel free to tell us on the user mailing list if you manage to make it work with one of them).
Here are some screenshots of the plugin:
- Install the Fortify plugin through the Update Center, or download it into the SONARQUBE_HOME/extensions/plugins directory
- Restart the SonarQube server
- Configure the connection to the Fortify SSC Server in Settings > Configuration > General Settings > Fortify:
- Server URL
- Login/password. Token-based authentication is not supported yet. Since the password is stored in the SonarQube settings, use a dedicated Fortify account with read-only access rather than a personal or administrative one.
- Activate some Fortify rules in the Quality Profile
- Configure the project to be analyzed:
- By default the project name and version must match the name and version defined in Fortify. They can be changed in Project Settings.
- Enable audit import on the projects that have been scanned by Fortify by setting the corresponding property to true in Project Settings.
Run a SonarQube analysis. The following logs should appear:
```
[INFO] [14:03:32.720] Fortify SSC Project: <Fortify project name>, version: <Fortify project version>
[INFO] [14:03:35.643] Sensor Fortify Audit Context...
[INFO] [14:03:35.643] Sensor Fortify Audit Context done: 0 ms
[INFO] [14:03:35.643] Sensor Fortify Performance Indicators...
[INFO] [14:03:36.701] Sensor Fortify Performance Indicators done: 1058 ms
[INFO] [14:03:36.701] Sensor Fortify Issues...
[INFO] [14:04:35.131] Loading 171 Fortify issues
[INFO] [14:04:35.149] Sensor Fortify Issues done: 58448 ms
```
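If the project name or version does not match what is configured in SSC, or the audit import is not enabled, the analysis still succeeds and the Fortify measures are simply absent. The following shell functions, added here as an example and not part of the plugin or its documentation, parse the analysis log in the format shown above and fail the build unless a Fortify project was matched and at least one issue was loaded. The sample log lines are constructed; the `analysis.log` file name and the `SONAR_LOGIN`/`SONAR_PASSWORD` environment variables are assumptions.

```shell
#!/bin/sh
# Added example: verify from the SonarQube analysis log that the Fortify
# sensors actually matched a project and imported issues.

# Constructed sample log, mirroring the format shown in the documentation.
sample_log() {
  cat <<'EOF'
[INFO] [14:03:32.720] Fortify SSC Project: demo-app, version: 1.0
[INFO] [14:03:35.643] Sensor Fortify Audit Context...
[INFO] [14:03:35.643] Sensor Fortify Audit Context done: 0 ms
[INFO] [14:03:36.701] Sensor Fortify Issues...
[INFO] [14:04:35.131] Loading 171 Fortify issues
[INFO] [14:04:35.149] Sensor Fortify Issues done: 58448 ms
EOF
}

# Print the number of Fortify issues loaded according to the log file given
# as $1. Return 1 (with a message on stderr) if no Fortify project was
# matched or the Issues sensor never reported a count.
fortify_issues_loaded() {
  logfile="$1"
  if ! grep -q 'Fortify SSC Project:' "$logfile"; then
    echo "no Fortify SSC project was matched (check project name/version)" >&2
    return 1
  fi
  # Take the last "Loading N Fortify issues" line; sed -n/p prints only matches.
  count=$(sed -n 's/.*Loading \([0-9][0-9]*\) Fortify issues.*/\1/p' "$logfile" | tail -n 1)
  if [ -z "$count" ] || [ "$count" -eq 0 ]; then
    echo "Fortify Issues sensor loaded no issues (is audit import enabled?)" >&2
    return 1
  fi
  echo "$count"
}

# Run the analysis with credentials taken from the environment (assumed
# variable names) instead of hard-coding them in the build script, capture
# the log, and gate on the import check. Not invoked by the self-test.
run_analysis_and_check() {
  : "${SONAR_LOGIN:?set SONAR_LOGIN}" "${SONAR_PASSWORD:?set SONAR_PASSWORD}"
  sonar-runner -Dsonar.login="$SONAR_LOGIN" -Dsonar.password="$SONAR_PASSWORD" 2>&1 | tee analysis.log
  n=$(fortify_issues_loaded analysis.log) || return 1
  echo "Fortify import OK: $n issues"
}
```

Note that `-D` arguments are still visible to other local users in the process list, which is one more reason to use a dedicated, least-privileged analysis account rather than the `admin` user.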
Security note for SonarQube 3.4+
For *.secured properties to be read during the project analysis, it is necessary to set the 'sonar.login' and 'sonar.password' properties to the credentials of a user that is:
- System administrator
- And project administrator on the project that is being analyzed
```
sonar-runner -Dsonar.login=admin -Dsonar.password=admin
```
The admin/admin values above are only an illustration: do not run analyses with the default administrator credentials. Create a dedicated analysis user with the rights listed above, and pass its credentials from a CI secret or environment variable rather than hard-coding them in build scripts.