Track security vulnerabilities

This topic describes how to track and analyze security vulnerabilities discovered in your code using Fortify, SonarQube, or other static code analysis tools. After setting this up, you can track and manage your vulnerabilities in the Issues module.

Overview

You can view security vulnerabilities in your code using the following integrations:

Integration Method
Fortify If you set up a security testing integration with Fortify, each pipeline run triggers a security assessment of your application's code. ALM Octane displays vulnerabilities if the pipeline run on Jenkins was successful, and the security assessment for the pipeline run is finished. For configuration details, see Set up an integration with Fortify.
SonarQube If you set up a security testing integration with SonarQube, ALM Octane displays the discovered vulnerabilities. For configuration details, see Set up an integration with SonarQube.
Other static code analysis tools If you are using a static code analysis tool other than Fortify, you can use ALM Octane's REST API to inject security vulnerability issues detected by the tool into ALM Octane. For details, see Add vulnerability issues into ALM Octane.

This enables you to quickly identify and correct security vulnerabilities introduced into the code.

Tip: If you do not see vulnerability data, your role may not be permitted to access this information. For security purposes, administrators can block users from viewing or editing vulnerability data. For details, see Assign roles and permissions.

Back to top

Prerequisites

The following are prerequisites for working with security vulnerabilities:

  1. You can view vulnerabilities after performing one of the following: Set up an integration with Fortify, Set up an integration with SonarQube, or Add vulnerability issues into ALM Octane.

  2. To collect vulnerabilities, the pipeline type must be Security. You can see a pipeline's type in the pipeline's Details tab.

Back to top

View security assessment results in the Issues tab

After setting up one of the above integrations to inject vulnerabilities into ALM Octane, you can view vulnerability details in the Issues module.

In the Vulnerabilities tab, you can select a vulnerability and view the following details in the right pane:

Area Description
Preview Includes defects that were opened on this vulnerability, and comments on the vulnerability.
Report Provides relevant details to help you resolve the vulnerability.
Related users Users whose commits are likely to have caused the vulnerability, together with the relevant commit message, file, and linked item. A commit is linked to a vulnerability if it touched the same file.

Back to top

Locations for viewing vulnerabilities in ALM Octane

Besides the Issues modules, vulnerabilities are exposed in ALM Octane in the following areas:

Area Details
Pipeline runs

In each pipeline run, in the Vulnerabilities tab, you can see details about the vulnerabilities discovered on that pipeline run.

Summary graphs

You can create Summary Graphs based on the Vulnerabilities item type. This enables you to track risky releases or commits based on their vulnerabilities, filter vulnerabilities by owner or grouped by severity, and more.

Tip: To track risky features (or other items in the backlog), create a custom graph based on the Feature entity. In the filter, select the Has open vulnerabilities field.

Open Vulnerabilities field: Backlog items

In the Backlog grid you can add an Open Vulnerabilities column. This shows the number of vulnerabilities per work item with a status other than Closed or Not an issue, helping you focus on the significant vulnerabilities. You can click on values in the tooltip to access vulnerability details, filtered by severity.

Note: There are two types of relations between a defect and a vulnerability:

  1. A vulnerability was found in the code that was changed as part of a defect fix.

  2. A defect was reported in order to fix an open vulnerability.

In the Defects grid, the Open Vulnerabilities field indicates the first type.

Open Vulnerabilities field: Commits

In the Commits tabs, such as in the Team Backlog module, you can add an Open Vulnerabilities field showing the number of vulnerabilities related to the commit. You can also see the number of vulnerabilities on the Commit details display. Click the number to drill to the related vulnerability details.

Tip: You can create a cross-filter using this field, and filter for vulnerabilities with specific severities. This enables you to create useful widgets. For example, you can create a widget showing all commits that have vulnerabilities with High severity, and group them by feature.

Has Open Vulnerabilities field: Features In the Features grid you can add a column called Has Open Vulnerabilities, which shows if a feature has any descendants with vulnerabilities. Click the tooltip to view details of all vulnerabilities, or those with a specific severity.

Back to top

Manage the discovered vulnerabilities

Vulnerability entities should remain relevant only for a short period of time. After reviewing a vulnerability, create a relevant defect to fix in your code, or dismiss and close the issue.

What can you do with a vulnerability?

If you are a... Recommended action
Build or CI owner

Assign a user to investigate or fix a security issue.

Committer to this pipeline run Click Vulnerabilities related to me to find any security issues that your committed changes may have introduced. This filter shows only vulnerabilities found on files that were included in your commits. You can then assign yourself to investigate these issues.
User investigating a vulnerability

Click the vulnerability ID to open it and view more details.

If you are working with Fortify, and the Fortify server is available, ALM Octane shows additional information from the security assessment that can help you fix the issue. For example, the explanation of the issue, and the suggested recommendations.

User who investigated a vulnerability

If you found the problem that needs to be addressed, use the Report Defect button to create a defect from the selected vulnerability. The important details from the vulnerability are automatically included in the defect.

User handling a vulnerability

The Status (Remote) and Analysis (Remote) fields on each vulnerability show the status and analysis data that are received by ALM Octane from your static code analysis tool. These fields are read-only.

You can update the Status (Local) and Analysis (Local) fields to track your work on a vulnerability in ALM Octane. Note that these values are not synchronized with the status analysis tool, but remain in ALM Octane only.

Note: The Status (Local) and Analysis (Local) fields do not impact the Open vulnerability fields in the Backlog and Feature tabs. Open vulnerability is calculated based on the remote fields only.

Back to top

Updated and missed vulnerabilities

What happens when a vulnerability is updated?

If you are using Fortify or the Rest API to inject vulnerabilities into ALM Octane, ALM Octane shows updates to the vulnerability.

For example, if a vulnerability's status changes in Fortify, ALM Octane shows its updated status. If you set an analysis in Fortify Software Security Center (SSC) and reran the pipeline, this analysis appears in ALM Octane as Analysis (Remote).

What happens when a vulnerability is missed by the pipeline?

ALM Octane show vulnerabilities that are discovered via a pipeline job. This means that if you run a sub-job directly from Jenkins and a vulnerability is added to SSC, it is not detected by the main pipeline in ALM Octane. However, if you update your code and then run the pipeline, this missed vulnerability is detected, and ALM Octane labels it as a Missed Vulnerability.

These vulnerabilities do not contain commit details in ALM Octane because they were not detected on creation, but they are displayed in ALM Octane so you will be aware of them and not overlook potential problems in your code.

Back to top

See also: