Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 13 Next »


This plugin imports Fortify SSC reports. Provided features include :

  • Import the Fortify Security Rating, value between 1 and 5.
  • Import the number of issues marked as critical, high, medium and low priority in Fortify
  • Link to the Fortify SSC web report
  • Import vulnerability issues as Sonar violations. Supported languages are ABAP, C#, C++, Cobol, Java, Javascript, Python and VB.


This plugin is not autonomous nor serverless


As said in the description above, this plugin only imports reports generated on a Fortify server. This means that:

  • the plugin does not trigger analyses on the Fortify server
  • the plugin needs a connection to the server to retrieve the results
As a consequence, analyses on the Fortify server must have been run before executing this plugin on Sonar in order to have results in the Sonar Web interface.


Here are some screenshots of the plugin:


  1. Configure the connection to the Fortify SSC Server in Configuration > General Settings > Fortify
    • Server URL
    • Login/password. Token-based authentication is not supported yet.
  2. Activate some Fortify rules in the Quality profile
  3. Configure the project to be analyzed
    • By default project name and version must match the name and version defined in Fortify. They can be changed in Project Settings.
    • Enable audit import on the projects that have been scanned by Fortify : set sonar.fortify.enable to true in Project Settings.
  4. Inspect project. The following logs should appear :

  • No labels