Periodically, during the development cycle, run a pipeline on Jenkins that includes a Fortify on Demand Upload step. After this step uploads the application's code to Fortify on Demand, a security assessment of your code begins.

If the pipeline run is successful, ALM Octane polls the Fortify on Demand server. When the assessment is complete, ALM Octane retrieves the newly found vulnerabilities and displays them in the pipeline run.

To begin, you need to create a script that scans your code for security issues, and generates an .fpr file. Fortify SSC analyzes the .fpr file and generates data on vulnerabilities in your code. After you configure the integration as described below, this data is sent to ALM Octane via Jenkins.

The integration requires two plugins: one to integrate between Jenkins and Fortify SSC, and one to integrate between ALM Octane and Jenkins. After you set up the plugins, run a pipeline in Jenkins that includes a Security Fortify Assessment step, which uploads an .fpr file to SSC for assessment. When the assessment is complete, Jenkins pushes the newly found vulnerabilities to ALM Octane, and they are displayed in the pipeline run.

Start by setting up Jenkins to integrate with Fortify on Demand and setting up ALM Octane to integrate with Jenkins:

1. Set up your Fortify on Demand account. For details, see https://software.microfocus.com/en-us/software/fortify-on-demand.

   Define an application whose code you want Fortify on Demand to assess.

   We recommend that you run the first security assessment on your code manually and audit it with security experts, before integrating with ALM Octane.

   Obtain the URL and API keys required to access the Fortify on Demand server using API. The keys must permit reading vulnerabilities.

2. Set up Jenkins to upload your code to Fortify on Demand.

   1. Install and configure the Fortify on Demand Uploader plugin on your Jenkins server.

   2. Create a Fortify on Demand Upload step on Jenkins to upload your application's code to Fortify on demand for assessment. In the build step information (BSI) fields, configure the application and release that you used to define your application in your Fortify on Demand account.

   For details, see https://wiki.jenkins.io/display/JENKINS/Fortify+On+Demand+Uploader+Plugin.

3. Set up ALM Octane integration with your Jenkins server. For details, see Set up CI/CD integration.

Before you begin, you need to have set up the Fortify plugin as described in Fortify Jenkins Plugin (On-Premise). After that, perform the following:

1. To enable communication between ALM Octane and SSC, obtain an authentication token from SSC as described in the Fortify Software Security Center API documentation > How to Authenticate. This is used by the ALM Octane Jenkins plugin to authenticate to SSC.

   Note: The token is created by converting the SSC server login user name and password to Base64 encoding.

2. Set up the ALM Octane integration with your Jenkins server. For details, see Set up CI/CD integration.

   When configuring the Jenkins plugin, in the Parameters section add a parameter called FORTIFY_SSC_TOKEN that contains the SSC authentication token.

3. For each of the projects you want to scan, create a job in Jenkins that includes a Security Fortify Assessment step to upload the .fpr file to SSC for assessment. Enter the application name and version information as defined for your project in SSC.

By default, ALM Octane checks Fortify on Demand every 2 minutes for 48 hours to see if the scan is finished. If there are more than 100 vulnerabilities, ALM Octane retrieves none.

All these limits can be configured using the following configuration parameters:

• FORTIFY_POLLING_TIMEOUT_HOURS
• FORTIFY_POLLING_DELAY_MINUTES
• FORTIFY_UPPER_LIMIT_OF_ISSUES

By default, the maximum number of vulnerability issues that can be injected for each individual pipeline run is 100. This can be modified using the VULNERABILITIES_PER_PIPELINE_RUN_LIMIT parameter.