Track security vulnerabilities
This topic describes how to track and analyze security vulnerabilities discovered in your code using Fortify, SonarQube, or other static code analysis tools. After setting this up, you can track and manage your vulnerabilities in the Issues module.
You can view security vulnerabilities in your code using the following integrations:
|Fortify||If you set up a security testing integration with Fortify, each pipeline run triggers a security assessment of your application's code. ALM Octane displays vulnerabilities if the pipeline run on Jenkins was successful, and the security assessment for the pipeline run is finished. For configuration details, see Set up an integration with Fortify.|
|SonarQube||If you set up a security testing integration with SonarQube, ALM Octane displays the discovered vulnerabilities. For configuration details, see Set up an integration with SonarQube.|
|Other static code analysis tools||If you are using a static code analysis tool other than Fortify, you can use ALM Octane's REST API to inject security vulnerability issues detected by the tool into ALM Octane. For details, see Add vulnerability issues into ALM Octane.|
This enables you to quickly identify and correct security vulnerabilities introduced into the code.
Tip: If you do not see vulnerability data, your role may not be permitted to access this information. For security purposes, administrators can block users from viewing or editing vulnerability data. For details, see Roles and permissions.
The following are prerequisites for working with security vulnerabilities:
To collect vulnerabilities, the pipeline type must be Security. You can see a pipeline's type in the pipeline's Details tab.
After setting up one of the above integrations to inject vulnerabilities into ALM Octane, you can view vulnerability details in the Issues module.
In the Vulnerabilities tab, you can select a vulnerability and view the following details in the right pane:
|Preview||Includes defects that were opened on this vulnerability, and comments on the vulnerability.|
|Report||Provides relevant details to help you resolve the vulnerability.|
|Related users||Users whose commits are likely to have caused the vulnerability, together with the relevant commit message, file, and linked item. A commit is linked to a vulnerability if it touched the same file.|
Besides the Issues modules, vulnerabilities are exposed in ALM Octane in the following areas:
In each pipeline run, in the Vulnerabilities tab, you can see details about the vulnerabilities discovered on that pipeline run.
You can create Summary Graphs based on the Vulnerabilities item type. This enables you to track risky releases or commits based on their vulnerabilities, filter vulnerabilities by owner or grouped by severity, and more.
Tip: To track risky features (or other items in the backlog), create a custom graph based on the Feature entity. In the filter, select the Has open vulnerabilities field.
|Open Vulnerabilities field: Backlog items||
In the Backlog grid you can add an Open Vulnerabilities column. This shows the number of vulnerabilities per work item with a status other than Closed or Not an issue, helping you focus on the significant vulnerabilities. You can click on values in the tooltip to access vulnerability details, filtered by severity.
Note: There are two types of relations between a defect and a vulnerability:
In the Defects grid, the Open Vulnerabilities field indicates the first type.
|Open Vulnerabilities field: Commits||
In the Commits tabs, such as in the Team Backlog module, you can add an Open Vulnerabilities field showing the number of vulnerabilities related to the commit. You can also see the number of vulnerabilities on the Commit details display. Click the number to drill to the related vulnerability details.
Tip: You can create a cross-filter using this field, and filter for vulnerabilities with specific severities. This enables you to create useful widgets. For example, you can create a widget showing all commits that have vulnerabilities with High severity, and group them by feature.
|Has Open Vulnerabilities field: Features||In the Features grid you can add a column called Has Open Vulnerabilities, which shows if a feature has any descendants with vulnerabilities. Click the tooltip to view details of all vulnerabilities, or those with a specific severity.|
Vulnerability entities should remain relevant only for a short period of time. After reviewing a vulnerability, create a relevant defect to fix in your code, or dismiss and close the issue.
What can you do with a vulnerability?
|If you are a...||Recommended action|
|Build or CI owner||
Assign a user to investigate or fix a security issue.
|Committer to this pipeline run||Click Vulnerabilities related to me to find any security issues that your committed changes may have introduced. This filter shows only vulnerabilities found on files that were included in your commits. You can then assign yourself to investigate these issues.|
|User investigating a vulnerability||
Click the vulnerability ID to open it and view more details.
If you are working with Fortify, and the Fortify server is available, ALM Octane shows additional information from the security assessment that can help you fix the issue. For example, the explanation of the issue, and the suggested recommendations.
|User who investigated a vulnerability||
If you found the problem that needs to be addressed, use the Report Defect button to create a defect from the selected vulnerability. The important details from the vulnerability are automatically included in the defect.
|User handling a vulnerability||
The Status (Remote) and Analysis (Remote) fields on each vulnerability show the status and analysis data that are received by ALM Octane from your static code analysis tool. These fields are read-only.
You can update the Status (Local) and Analysis (Local) fields to track your work on a vulnerability in ALM Octane. Note that these values are not synchronized with the status analysis tool, but remain in ALM Octane only.
Note: The Status (Local) and Analysis (Local) fields do not impact the Open vulnerability fields in the Backlog and Feature tabs. Open vulnerability is calculated based on the remote fields only.
Updated and missed vulnerabilities
What happens when a vulnerability is updated?
If you are using Fortify or the Rest API to inject vulnerabilities into ALM Octane, ALM Octane shows updates to the vulnerability.
For example, if a vulnerability's status changes in Fortify, ALM Octane shows its updated status. If you set an analysis in Fortify Software Security Center (SSC) and reran the pipeline, this analysis appears in ALM Octane as Analysis (Remote).
What happens when a vulnerability is missed by the pipeline?
ALM Octane show vulnerabilities that are discovered via a pipeline job. This means that if you run a sub-job directly from Jenkins and a vulnerability is added to SSC, it is not detected by the main pipeline in ALM Octane. However, if you update your code and then run the pipeline, this missed vulnerability is detected, and ALM Octane labels it as a Missed Vulnerability.
These vulnerabilities do not contain commit details in ALM Octane because they were not detected on creation, but they are displayed in ALM Octane so you will be aware of them and not overlook potential problems in your code.