HP Fortify Jenkins Plugin Guide 4.40
Legal Notices
Warranty
The only warranties for HP products and services are set forth in the express warranty statements
accompanying such products and services. Nothing herein should be construed as constituting an
additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
The information contained herein is subject to change without notice.
Copyright Notice
© Copyright 2014 - 2015 Hewlett Packard Enterprise Development LP
Documentation Updates
The title page of this document contains the following identifying information:
• Software Version number
• Document Release Date, which changes each time the document is updated
• Software Release Date, which indicates the release date of this version of the software
To check for recent updates or to verify that you are using the most recent edition of a document, go to:
https://protect724.hp.com/welcome
You will receive updated or new editions if you subscribe to the appropriate product support service. Contact
your HP sales representative for details.
Contents
Preface
  Contacting HP Fortify Support
  For More Information
  About the HP Fortify Software Security Center Documentation Set
Change Log
Preface
Contacting HP Fortify Support
If you have questions or comments about using this product, contact HP Fortify Technical Support
using one of the following options.
To Manage Your Support Cases, Acquire Licenses, and Manage Your Account
https://support.fortify.com
To Email Support
fortifytechsupport@hp.com
To Call Support
650.735.2215
Change Log
The following table lists the changes made to this guide.
Software Release-Version | Change
<bean id="jenkinsToken"
      class="com.fortify.manager.security.ws.AuthenticationTokenSpec">
  <property name="key" value="JenkinsToken"/>
  <property name="maxDaysToLive" value="365"/>
  <property name="actionPermitted">
    <list value-type="java.lang.String">
      <value>AddProjectRequest</value>
      <value>AddProjectVersionRequest</value>
      <value>AddProjectAndVersionRequest</value>
      <value>GetAuthenticationTokenRequest</value>
      <value>ProjectListRequest</value>
      <value>ActiveProjectVersionListRequest</value>
      <value>ProjectVersionListRequest</value>
      <value>ProjectTemplateListRequest</value>
      <value>FPRUploadRequest</value>
      <value>AuditViewRequest</value>
      <value>PerformAuditActionRequest</value>
      <value>IssueListRequest</value>
      <value>GetProjectVersionIdentifiersRequest</value>
      <value>ProjectMetaDataDefinitionsListRequest</value>
      <value>AddProjectMetaDataDefinitionRequest</value>
      <value>UpdateProjectMetaDataDefinitionRequest</value>
      <value>ProjectMetaDataValuesListRequest</value>
      <value>ProjectMetaDataValueRequest</value>
      <value>GetSingleUseFPRUploadTokenRequest</value>
      <value>CreateAuditSessionRequest</value>
      <value>InvalidateAuditSessionRequest</value>
      <value>GroupingValuesRequest</value>
    </list>
  </property>
  <property name="terminalActions">
    <list value-type="java.lang.String">
      <value>InvalidateTokenRequest</value>
    </list>
  </property>
</bean>
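The bean above fixes what a JenkinsToken may do and for how long. The following script is an added example, not part of the guide or the product: it reads a Spring bean definition for an AuthenticationTokenSpec and reports actions beyond the list documented above, a lifetime above 365 days, and a missing InvalidateTokenRequest terminal action. The bean id, the sample XML and the action name "ExampleUndocumentedRequest" are constructed for the demonstration.

```python
# Added example (not from the HP Fortify guide): audit an SSC AuthenticationTokenSpec bean
# against the actions the guide grants to JenkinsToken, flagging extra actions (privilege
# drift), a lifetime above 365 days and a missing InvalidateTokenRequest terminal action.
import xml.etree.ElementTree as ET
# The actionPermitted values from the guide's jenkinsToken bean.
DOCUMENTED_ACTIONS = {
    "AddProjectRequest", "AddProjectVersionRequest", "AddProjectAndVersionRequest",
    "GetAuthenticationTokenRequest", "ProjectListRequest", "ActiveProjectVersionListRequest",
    "ProjectVersionListRequest", "ProjectTemplateListRequest", "FPRUploadRequest",
    "AuditViewRequest", "PerformAuditActionRequest", "IssueListRequest",
    "GetProjectVersionIdentifiersRequest", "ProjectMetaDataDefinitionsListRequest",
    "AddProjectMetaDataDefinitionRequest", "UpdateProjectMetaDataDefinitionRequest",
    "ProjectMetaDataValuesListRequest", "ProjectMetaDataValueRequest",
    "GetSingleUseFPRUploadTokenRequest", "CreateAuditSessionRequest",
    "InvalidateAuditSessionRequest", "GroupingValuesRequest",
}
MAX_DAYS_TO_LIVE = 365  # maxDaysToLive used in the guide

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop a Spring beans XML namespace if present

def audit_token_spec(xml_text, bean_id="jenkinsToken"):
    """Return findings for the AuthenticationTokenSpec bean with the given id."""
    root = ET.fromstring(xml_text)
    beans = (e for e in root.iter() if _local(e.tag) == "bean" and e.get("id") == bean_id)
    bean = next(beans, None)
    if bean is None:
        raise ValueError(f"no bean with id {bean_id!r}")
    props = {p.get("name"): p for p in bean if _local(p.tag) == "property"}

    def values(name):  # every <value> string under a list-valued property
        prop = props.get(name)
        return {v.text.strip() for v in prop.iter() if _local(v.tag) == "value"} if prop is not None else set()
    permitted = values("actionPermitted")
    return {
        "extra_actions": sorted(permitted - DOCUMENTED_ACTIONS),
        "missing_actions": sorted(DOCUMENTED_ACTIONS - permitted),
        "lifetime_too_long": int(props["maxDaysToLive"].get("value", "0")) > MAX_DAYS_TO_LIVE,
        "can_invalidate": "InvalidateTokenRequest" in values("terminalActions"),
    }

# Constructed sample that has drifted from the guide's definition;
# "ExampleUndocumentedRequest" is a placeholder name, not a real SSC request.
SAMPLE_XML = """<beans><bean id="jenkinsToken" class="com.fortify.manager.security.ws.AuthenticationTokenSpec">
  <property name="key" value="JenkinsToken"/><property name="maxDaysToLive" value="730"/>
  <property name="actionPermitted"><list value-type="java.lang.String"><value>FPRUploadRequest</value>
    <value>ProjectListRequest</value><value>ExampleUndocumentedRequest</value></list></property>
  <property name="terminalActions"><list value-type="java.lang.String">
    <value>InvalidateTokenRequest</value></list></property></bean></beans>"""
```

Running `audit_token_spec(SAMPLE_XML)` on the constructed bean reports the one undocumented action, the 730-day lifetime, and the 20 documented actions the sample does not grant.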
Notes:
• The Software Security Center URL provided to fortifyclient must include both the port number and the context path /ssc/. The correct format for the SSC URL is as follows:
http://<host_ID>:<port_number>/ssc/
• The ability of fortifyclient to use the token to read or write information to or from SSC depends on the account privileges of the SSC user account specified by the -user parameter.
Note: There is no need to specify a value in the Issue breakdown page size box at this time. You
can always change this setting later. This setting controls the Issue Breakdown table view. The
default is 50 issues per page.
FilterSet
Filter set to be used when reading the FPR. If no value is specified, the default filter is used.
SSC, by default, has two filter sets: Security Auditor View and Quick View. Quick View is the default filter set. However, the exact filter set configuration is determined by the project template used to create the project.
The fail condition and the NVS calculation depend on the issues that pass the filter set. For example, if some “Critical Exposure” filter is applied to the project issues (and the issue count shows 0), then the fail condition “sees” no reason to set this build as “unstable” and the NVS is set to 0. The graph summary also shows 0.
Project Name
Project name used when uploading FPR files to SSC. Leaving this field blank disables the upload.
Enable this plugin and save the configuration. The next time you visit this configuration page, a menu populated with all the available project names is displayed.
Alternatively, run the following command to list all available projects and their corresponding project IDs:
# fortifyclient listprojects -url <ssc_url>/ssc -user <your_login>
Project Version
Project version used when uploading to SSC. Leaving this field blank disables the upload.
Project Version is always used in conjunction with Project Name.
To upload an FPR file to SSC:
• Project Version and Project Name must be specified.
Upload Wait Time
Click Auto Job Assignment to access this box. Because the FPR upload process to SSC is asynchronous, the WebService function call returns while SSC is still processing the upload request. Therefore, the plugin waits for a specified number of minutes before running the Normalized Vulnerability Scope (NVS) calculation.
Valid values are 0-60.
5. Click Save.
Note: Configure your build procedure to do this automatically. You can specify the path to
your FPR file with the FPR Filename setting on the Job Configuration page, see
"Configuring the Build Step to Use for the Jenkins plugin" on page 10.
where:
CFPO = Number of critical vulnerabilities (unless marked as “Not an Issue”)
HFPO = Number of high vulnerabilities (unless marked as “Not an Issue”)
MFPO = Number of medium vulnerabilities (unless marked as “Not an Issue”)
LFPO = Number of low vulnerabilities (unless marked as “Not an Issue”)
and:
PABOVE = Exploitable
P3 = Suspicious
P2 = Bad practice
P1 = Reliability issue
The total issue count on its own is not very useful. For example, if application A has 0 critical issues and 10 low issues, its total issue count is 10. If application B has five critical issues and no low issues, its total is 5. These values might mislead you into thinking that application B is better than A, when it is not.
The NVS calculated for the two applications presents a different picture (simplified equation):
application “A” NVS = 0*10 + 10*0.1 = 1
application “B” NVS = 5*10 + 0*0.1 = 50
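The simplified equation above, together with the FilterSet note that the fail condition and NVS only see issues that pass the filter set, as an added example that is not part of the guide or the plugin. It uses only the Critical and Low weights the guide's example gives (no High/Medium weights appear on the page), excludes findings audited as “Not an Issue” as the CFPO/LFPO definitions require, and applies a narrow filter set to show the NVS collapsing to 0. The Issue class, the filter helpers and the sample issue lists are constructed for the demonstration.

```python
# Added example (not from the HP Fortify guide): the guide's simplified NVS
# (critical * 10 + low * 0.1) over a constructed issue list, showing how the
# FilterSet and "Not an Issue" audits change the score and the fail condition.
from dataclasses import dataclass

@dataclass(frozen=True)
class Issue:
    priority: str           # SSC priority folder: "Critical", "High", "Medium" or "Low"
    category: str           # vulnerability category, e.g. "SQL Injection"
    audit_status: str = ""  # "Not an Issue" removes the finding from the counts

# Weights of the guide's simplified equation. The page gives no High/Medium weights,
# so this example counts only Critical and Low, exactly as the guide's example does.
SIMPLIFIED_WEIGHTS = {"Critical": 10.0, "Low": 0.1}

def everything(issue):
    return True  # a filter set that hides nothing

def category_filter(name):
    """A narrow filter set keeping one category, like the guide's "Critical Exposure" example."""
    return lambda issue: issue.category == name

def counted(issues, filter_set=everything):
    """Issues that pass the filter set and were not audited as 'Not an Issue'."""
    return [i for i in issues if filter_set(i) and i.audit_status != "Not an Issue"]

def nvs(issues, filter_set=everything):
    """Simplified NVS: CFPO * 10 + LFPO * 0.1 over the filtered, counted issues."""
    return round(sum(SIMPLIFIED_WEIGHTS.get(i.priority, 0.0) for i in counted(issues, filter_set)), 2)

def build_unstable(issues, filter_set=everything, max_nvs=0.0):
    """Fail condition: the build is marked unstable when the filtered NVS exceeds max_nvs."""
    return nvs(issues, filter_set) > max_nvs

# Constructed sample data mirroring the guide's applications A and B; B carries one
# extra critical finding audited as "Not an Issue", which must not be counted.
APP_A = [Issue("Low", "Poor Logging Practice")] * 10
APP_B = [Issue("Critical", "SQL Injection")] * 5 + [Issue("Critical", "Command Injection", "Not an Issue")]

if __name__ == "__main__":
    print("A NVS:", nvs(APP_A), " B NVS:", nvs(APP_B))          # 1.0 and 50.0
    narrow = category_filter("Buffer Overflow")                  # matches none of B's issues
    print("B under narrow filter set:", nvs(APP_B, narrow))      # 0.0
    print("B unstable?", build_unstable(APP_B), "under narrow filter:", build_unstable(APP_B, narrow))
```

The last line is the pitfall the FilterSet note describes: the same five critical findings leave the build “stable” once the selected filter set hides them.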
5. Click the HP Fortify Assessment link in the column of project options on the left.
The interactive List of HP Fortify SSC issues page displays the Summary and Issue breakdown
by Priority Order tables.
The Summary table shows the difference in the number of issues in different categories between the
two most recent builds. A blue arrow next to a value indicates that the number in that category has
decreased, and a red arrow indicates that the number in that category has increased.
The Issue breakdown by Priority Order table shows detailed information about the issues for the specified location and category in each priority folder. Wait for the table to load. If the data load takes too long, you might need to refresh the browser window (F5).
By default, you see the critical issues first. To see all issues, click the All tab.
Note: The more issues a page shows, the longer it takes to load. HP Fortify recommends that you
not use the All tab for large projects.
Viewing Issues
To see only those issues that were introduced in the latest build of your code, click the Show New
Issues link at the top of the table.
The first column shows the file name and line number of the finding, and the second column shows the full path to that file. The last column displays the category of each vulnerability.
By default, issues are sorted by primary location. To organize them by category, click the Category
column header.
To see more details about or to audit a specific issue, click its file name in the first column. The link
takes you directly to the details of that issue on the SSC server. If you are not logged in to SSC, you
are prompted to log in.