Description / Features

This plugin imports Fortify SSC audit reports into SonarQube:

  • Import the Fortify Security Rating, a value between 1 and 5
  • Import the number of issues marked as critical, high, medium and low priority in Fortify
  • Link to the Fortify SSC web report
  • Import vulnerability issues as SonarQube issues. Supported languages are ABAP, C#, C++, Cobol, Java, JavaScript, Python and VB.

This plugin is neither autonomous nor server-less

As said in the description above, this plugin imports audit reports that are already available on the Fortify SSC Server. This means that the plugin:

  • does not trigger Fortify scans
  • needs a network connection to the Fortify server, with valid credentials, to retrieve the results
As a consequence, Fortify scans must have been run (and their results uploaded to SSC) before executing this plugin on SonarQube.
The plugin has been developed and tested with Fortify 2.50. Older versions might also work (feel free to tell us on the user mailing list if you managed to make it work in this case).

Multi-module projects are currently supported only for Java projects

The Fortify plugin currently does not support multi-module projects for languages other than Java. You can watch and vote for the following JIRA ticket concerning this issue: SONARPLUGINS-2452


Screenshots of the plugin were embedded here (images not included in this rendering of the page).

Installation

  1. Install the plugin through the Update Center, or download it and copy the JAR into the SONARQUBE_HOME/extensions/plugins directory
  2. Restart the SonarQube server

Usage

  1. Configure the connection to the Fortify SSC Server in Settings > Configuration > General Settings > Fortify:
    • Server URL
    • Login/password. Token-based authentication is not supported yet. The password is one of the *.secured settings referred to in the security note below.
  2. Activate some Fortify rules in the Quality Profile
  3. Configure the project to be analyzed:
    • By default the SonarQube project name and version must match the name and version defined in Fortify. They can be changed in Project Settings.
    • Enable audit import on the projects that have been scanned by Fortify: set sonar.fortify.enable to true in Project Settings.
  4. Run a SonarQube analysis. The following logs should appear:

Security note for SonarQube 3.4+

For the *.secured properties to be read during the project analysis, the sonar.login and sonar.password properties must be set to the credentials of a user that is:

  • System administrator
  • And project administrator on the project that is being analyzed
Example:
sonar-runner -Dsonar.login=admin -Dsonar.password=admin

Keep in mind that a password passed with -D is visible in the process list to every user on the build host and usually ends up in the shell history and in build logs. Use a dedicated analysis account that has the two rights above rather than the default admin/admin credentials, and change the default administrator password in any case.
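The following sonar-project.properties ties steps 3 and the security note above together. It is an added example, not a file from the plugin or its documentation: the project key, name, version and source path are placeholders chosen for illustration, and the only plugin-specific property it uses is sonar.fortify.enable, which the page documents.

```properties
# sonar-project.properties for a project whose Fortify SSC audit should be imported.
# Added example; project key, name, version and source path are placeholders.
sonar.projectKey=com.example:payments-api
sonar.sources=src/main/java

# Unless overridden in Project Settings (step 3), name and version must match the
# project and version that already exist on the Fortify SSC server.
sonar.projectName=payments-api
sonar.projectVersion=1.4.0

# Import the Fortify audit into this analysis (step 3). The Fortify scan must
# already have been run and uploaded to SSC, because the plugin never triggers scans.
sonar.fortify.enable=true

# Do not put sonar.login / sonar.password in a file that is committed to version
# control. Supply them at analysis time instead, with a dedicated analysis account
# that is system administrator and project administrator (security note above):
#   sonar-runner -Dsonar.login=<analysis-user> -Dsonar.password=<password>
```

With this file in the project root, `sonar-runner` run from that directory picks up the project settings, and only the credentials are supplied on the command line, on a build host whose process list and shell history are restricted to the build user.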

     



Change Log

The change log for this plugin is a JIRA issue list that did not render on this page (the JIRA macro returned an error).