- Configure the connection to the Fortify SSC Server in Settings > General Settings > Fortify:
- Server URL
- Login/password. Token-based authentication is not supported yet.
- Activate some Fortify rules in the Quality Profile
- Configure the project to be analyzed:
- By default project name and version must match the name and version defined in Fortify. They can be changed in Project Settings.
- Enable audit import on the projects that have been scanned by Fortify: set
truein Project Settings.
Run a SonarQube analysis. The following logs should appear:
[INFO] [14:03:32.720] Fortify SSC Project: <Fortify project name>, version: <Fortify project version> [INFO] [14:03:35.643] Sensor Fortify Audit Context... [INFO] [14:03:35.643] Sensor Fortify Audit Context done: 0 ms [INFO] [14:03:35.643] Sensor Fortify Performance Indicators... [INFO] [14:03:36.701] Sensor Fortify Performance Indicators done: 1058 ms [INFO] [14:03:36.701] Sensor Fortify Issues... [INFO] [14:04:35.131] Loading 171 Fortify issues [INFO] [14:04:35.149] Sensor Fortify Issues done: 58448 ms
Note title Security note for SonarQube 3.4+.0 to 3.6.2 included
*.securedproperties to be read during the project analysis, it is necessary to set the
sonar.passwordproperties to the credentials of a user that is:
- System administrator
- And project administrator on the project that is being analyzed
sonar-runner -Dsonar.login=admin -Dsonar.password=admin