
  1. Configure the connection to the Fortify SSC Server in Settings > General Settings > Fortify:
    • Server URL
    • Login/password. Token-based authentication is not supported yet.
       
  2. Activate some rules from the "Fortify" rule repositories in the Quality Profile.
     
  3. Configure the project to be analyzed:
    • By default, the project name (sonar.fortify.projectName) and version (sonar.fortify.projectVersion) must match the name and version defined in Fortify. They may be defined in the project's analysis properties or via the SonarQube interface.
    • Enable audit import on the projects you want to be scanned by Fortify: set the sonar.fortify.enable property to true.
       
  4. Run a SonarQube analysis. Something like the following should appear in the log:

    [INFO] [14:03:32.720] Fortify SSC Project: <Fortify project name>, version: <Fortify project version>
    [INFO] [14:03:35.643] Sensor Fortify Audit Context...
    [INFO] [14:03:35.643] Sensor Fortify Audit Context done: 0 ms
    [INFO] [14:03:35.643] Sensor Fortify Performance Indicators...
    [INFO] [14:03:36.701] Sensor Fortify Performance Indicators done: 1058 ms
    [INFO] [14:03:36.701] Sensor Fortify Issues...
    [INFO] [14:04:35.131] Loading 171 Fortify issues
    [INFO] [14:04:35.149] Sensor Fortify Issues done: 58448 ms
    Security note for SonarQube 3.4.0 to 3.6.3 included

    For the *.secured properties to be read during the project analysis, it is necessary to set the sonar.login and sonar.password properties to the credentials of a user that is:

    • System administrator
    • And project administrator on the project that is being analyzed
    Example:
    sonar-runner -Dsonar.login=admin -Dsonar.password=admin
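As an added example (not part of the original page or of the Fortify plugin itself), the following Python script checks the two things that most often make the audit import silently do nothing: the sonar.fortify.* analysis properties, and the analysis log, from which it extracts the Fortify project, version and imported issue count. The properties file and log lines are constructed samples; the project name and version are assumptions.

```python
import re

# Constructed sample analysis properties (values are assumptions, not a real project).
SAMPLE_PROPERTIES = """\
sonar.projectKey=com.example:webapp
sonar.projectName=WebApp
sonar.fortify.enable=true
sonar.fortify.projectName=WebApp
sonar.fortify.projectVersion=1.0
"""

# Constructed sample analysis log, mirroring the line format shown above.
SAMPLE_LOG = """\
[INFO] [14:03:32.720] Fortify SSC Project: WebApp, version: 1.0
[INFO] [14:03:36.701] Sensor Fortify Issues...
[INFO] [14:04:35.131] Loading 171 Fortify issues
[INFO] [14:04:35.149] Sensor Fortify Issues done: 58448 ms
"""

def parse_properties(text):
    """Parse key=value lines (blank and comment lines ignored) into a dict."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def check_fortify_properties(props):
    """Return the problems that would prevent the Fortify audit import from running."""
    problems = []
    if props.get("sonar.fortify.enable", "").lower() != "true":
        problems.append("sonar.fortify.enable is not true: audit import is disabled")
    for key in ("sonar.fortify.projectName", "sonar.fortify.projectVersion"):
        if not props.get(key):
            problems.append(f"{key} is missing: it must match the Fortify project")
    return problems

LOG_PROJECT = re.compile(r"Fortify SSC Project: (?P<name>.+?), version: (?P<version>\S+)")
LOG_ISSUES = re.compile(r"Loading (?P<count>\d+) Fortify issues")

def summarize_fortify_log(log_text):
    """Extract project, version and issue count from the log; None if the sensor never ran."""
    name = version = count = None
    for line in log_text.splitlines():
        if m := LOG_PROJECT.search(line):
            name, version = m.group("name"), m.group("version")
        if m := LOG_ISSUES.search(line):
            count = int(m.group("count"))
    return None if name is None else {"project": name, "version": version, "issues": count}
```

A summary of None, or an issue count of None, means the Fortify sensors did not run or did not load anything, which is usually a property mismatch rather than a clean project.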
