
Description / Features

This plugin imports Fortify SSC reports into SonarQube.

As stated in the description above, this plugin imports the audit reports available on the Fortify SSC server. This means that the plugin:

  • does not trigger Fortify scans
  • needs a connection to the Fortify server to retrieve the results

As a consequence, Fortify scans must have been run before executing this plugin on SonarQube.
The plugin has been developed and tested with Fortify 2.50. Older versions might also work (feel free to tell us on the user mailing list if you managed to make it work in this case).

The Fortify plugin currently does not support multi-module projects for languages other than Java. You can watch and vote for the JIRA ticket concerning this issue: SONARPLUGINS-2452

Here are some screenshots from the plugin:



Usage

  1. Configure the connection to the Fortify SSC Server in Settings > General Settings > Fortify:
  2. Activate some rules from the "Fortify" rule repositories in the Quality Profile
  3. Configure the project to be analyzed:
  4. Run a SonarQube analysis. Something like the following should appear in the log:

    [INFO] [14:03:32.720] Fortify SSC Project: <Fortify project name>, version: <Fortify project version>
    [INFO] [14:03:35.643] Sensor Fortify Audit Context...
    [INFO] [14:03:35.643] Sensor Fortify Audit Context done: 0 ms
    [INFO] [14:03:35.643] Sensor Fortify Performance Indicators...
    [INFO] [14:03:36.701] Sensor Fortify Performance Indicators done: 1058 ms
    [INFO] [14:03:36.701] Sensor Fortify Issues...
    [INFO] [14:04:35.131] Loading 171 Fortify issues
    [INFO] [14:04:35.149] Sensor Fortify Issues done: 58448 ms

    For the *.secured properties to be read during the project analysis, the sonar.login and sonar.password properties must be set to the credentials of a user that is:

    • System administrator
    • And project administrator on the project being analyzed

    Example:

        sonar-runner -Dsonar.login=admin -Dsonar.password=admin
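
The following wrapper script is an added example and is not part of the plugin or its documentation. It runs the analysis with the SonarQube credentials taken from environment variables (the names SONAR_LOGIN and SONAR_PASSWORD are this script's own assumption) rather than typed into the command, and then checks the analysis log for the sensor lines shown above, failing when no "Loading N Fortify issues" line appears, which is what an unreachable SSC server, wrong credentials or a mismatched project name/version looks like in practice. The sample log lines at the bottom are constructed to exercise the checks offline.

```shell
#!/bin/sh
# Added example, not from the plugin documentation: run the SonarQube analysis
# with credentials from the environment (variable names are an assumption of
# this script) and verify from the log that the Fortify sensors ran.

# Print the number of issues the Fortify plugin loaded, taken from the
# "Loading N Fortify issues" log line. Prints 0 and returns 1 when the line is
# absent, i.e. the sensor never fetched anything from the SSC server.
fortify_issue_count() {
    count=$(sed -n 's/.*Loading \([0-9][0-9]*\) Fortify issues.*/\1/p' "$1" | tail -n 1)
    if [ -z "$count" ]; then
        echo 0
        return 1
    fi
    echo "$count"
}

# Return 0 when the named sensor logged its "done" line, e.g.
#   fortify_sensor_done analysis.log "Fortify Issues"
fortify_sensor_done() {
    grep -q "Sensor $2 done:" "$1"
}

# Run the analysis and verify the log. Only runs when called explicitly;
# nothing below contacts a server on its own.
run_fortify_analysis() {
    : "${SONAR_LOGIN:?SONAR_LOGIN must be set}"
    : "${SONAR_PASSWORD:?SONAR_PASSWORD must be set}"
    log=${1:-sonar-analysis.log}
    sonar-runner -Dsonar.login="$SONAR_LOGIN" -Dsonar.password="$SONAR_PASSWORD" 2>&1 | tee "$log"
    fortify_sensor_done "$log" "Fortify Issues" || {
        echo "Fortify Issues sensor did not complete; check the Fortify settings" >&2
        return 1
    }
    n=$(fortify_issue_count "$log") || {
        echo "no Fortify issues were loaded; check SSC connection, credentials and project/version" >&2
        return 1
    }
    echo "Fortify issues imported: $n"
}

# Constructed sample log (not real plugin output) used to exercise the checks.
SAMPLE_LOG=${TMPDIR:-/tmp}/fortify-sample.log
cat > "$SAMPLE_LOG" <<'EOF'
[INFO] [14:03:32.720] Fortify SSC Project: demo-app, version: 1.0
[INFO] [14:03:36.701] Sensor Fortify Issues...
[INFO] [14:04:35.131] Loading 171 Fortify issues
[INFO] [14:04:35.149] Sensor Fortify Issues done: 58448 ms
EOF

# The same log without the issue line: the count check must fail on it.
EMPTY_LOG=${TMPDIR:-/tmp}/fortify-empty.log
grep -v 'Loading ' "$SAMPLE_LOG" > "$EMPTY_LOG"

fortify_issue_count "$SAMPLE_LOG"   # 171
```

Call `run_fortify_analysis my-run.log` from the project directory once SONAR_LOGIN and SONAR_PASSWORD are exported; the two check functions can also be pointed at the log of an analysis that was run by hand.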

Change Log