Set up an integration with Fortify
This topic explains how to set up an integration with Micro Focus Fortify, bringing security testing into your development cycle.
What is Fortify?
Micro Focus Fortify is an application security testing service. It performs static code analysis on your application's code, assessing it for potential security vulnerabilities. It can be cloud-based or installed on premises.
Why integrate ALM Octane with Fortify?
Integrate ALM Octane with Fortify to bring security testing into your development cycle:
Identify security vulnerabilities soon after they are introduced into the code and correct them.
Raise developers' awareness, encouraging them to avoid introducing vulnerabilities.
Tip: If you are using a static code analysis tool other than Fortify, you can inject security vulnerability issues detected by the tool into ALM Octane using the ALM Octane REST API. For details, see Add vulnerability issues into ALM Octane.
How does the integration work?
Fortify on Demand: Periodically, during the development cycle, run a pipeline on Jenkins that includes a Fortify on Demand Upload step. After this step uploads the application's code to Fortify on Demand, a security assessment of your code begins.
If the pipeline run is successful, ALM Octane polls the Fortify on Demand server. When the assessment is complete, ALM Octane retrieves the newly found vulnerabilities and displays them in the pipeline run.
Fortify Software Security Center (SSC): To begin, create a script that scans your code for security issues and generates an .fpr file. Fortify SSC analyzes the .fpr file and generates data on the vulnerabilities in your code. After you configure the integration as described below, this data is sent to ALM Octane via Jenkins.
The integration requires two plugins: one to integrate between Jenkins and Fortify SSC, and one to integrate between ALM Octane and Jenkins. After you set up the plugins, run a pipeline in Jenkins that includes a Security Fortify Assessment step, which uploads an .fpr file to SSC for assessment. When the assessment is complete, Jenkins pushes the newly found vulnerabilities to ALM Octane, and they are displayed in the pipeline run.
After reviewing the vulnerabilities, you can create a relevant defect to fix your code, or dismiss and close the issue. For details, see Track security vulnerabilities.
Important privacy note: If your Fortify data contains personally identifiable information (PII), contact your system administrators to check the geographical locations of the Fortify data farm and the ALM Octane server. If the two are located in different geographical locations, verify with your chief information security officer or privacy office that this integration complies with your regional regulations.
Start by setting up Jenkins to integrate with Fortify on Demand and setting up ALM Octane to integrate with Jenkins:
Set up your Fortify on Demand account. For details, see https://software.microfocus.com/en-us/software/fortify-on-demand.
Define an application whose code you want Fortify on Demand to assess.
We recommend that you run the first security assessment on your code manually and audit it with security experts, before integrating with ALM Octane.
Obtain the URL and API keys required to access the Fortify on Demand server using the API. The keys must permit reading vulnerabilities.
Set up Jenkins to upload your code to Fortify on Demand.
Install and configure the Fortify on Demand Uploader plugin on your Jenkins server.
Create a Fortify on Demand Upload step on Jenkins to upload your application's code to Fortify on Demand for assessment. In the build step information (BSI) fields, configure the application and release that you used to define your application in your Fortify on Demand account.
Set up ALM Octane integration with your Jenkins server. For details, see Set up CI servers.
Fortify Software Security Center (SSC): Before you begin, you need to have set up the Fortify plugin as described in Fortify on Premise Jenkins Plugin. Then perform the following:
To enable communication between ALM Octane and SSC, obtain an authentication token from SSC as described in the Fortify Software Security Center API documentation > How to Authenticate. This will be used by the ALM Octane Jenkins plugin to authenticate to SSC.
Set up the ALM Octane integration with your Jenkins server. For details, see Set up CI servers.
When configuring the Jenkins plugin, in the section Fortify Software Security Center Integration, enter the SSC authentication token.
For each of the projects you want to scan, create a job in Jenkins that includes a Security Fortify Assessment step to upload the .fpr file to SSC for assessment. Enter the application name and version information as defined for your project in SSC.
Note: This step is for Fortify on Demand only.
Add Fortify on Demand as a security tool in the DevOps settings page, so ALM Octane can retrieve the assessment results from the Fortify on Demand server:
In ALM Octane, click Settings > Spaces and select a workspace.
Select the DevOps > Security Tools tab.
Click + Connection.
Define a name for the connection and select the security tool (Fortify On Demand).
Enter the URL for your Fortify on Demand server, and the API keys required to access it.
Click Test Connection to make sure the configuration is correct.
Click Add to add the security tool to the list.
After a pipeline step uploads code to Fortify on Demand for assessment, ALM Octane will use this connection information to contact Fortify on Demand and retrieve the assessment results.
In the Pipelines > Pipelines page, add a new pipeline.
In the Type field, select Security.
For Fortify on Demand:
Select the Fortify on Demand Upload job defined earlier, or the root of a flow that includes it.
- Select the option This pipeline includes a Fortify on Demand job.
- Enter the Application and Release that you used when configuring the Jenkins Fortify on Demand Upload step. These details identify the application whose code Fortify on Demand is scanning.
Depending on your integration, the following then occurs:
Fortify on Demand: After this pipeline runs successfully, ALM Octane polls the Fortify on Demand server, waiting to retrieve the assessment results.
Fortify Software Security Center: The Jenkins plugin checks periodically whether there are new scan results in the Software Security Center database. If there are, the new security data is injected into ALM Octane and displayed on the corresponding pipeline run.
By default, ALM Octane checks Fortify on Demand every 2 minutes for 48 hours to see whether the scan has finished. If there are more than 100 vulnerabilities, ALM Octane retrieves none of them.
All these limits can be configured using the following configuration parameters:
By default, the maximum number of vulnerability issues that can be injected for each individual pipeline run is 100. This can be modified using the VULNERABILITIES_PER_PIPELINE_RUN_LIMIT parameter.
For details, see Configuration parameters.
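As an added example (not part of this documentation and not ALM Octane or Fortify code), the following Python script counts the findings in an .fpr before the Jenkins job uploads it, so you can tell in advance whether a run would exceed VULNERABILITIES_PER_PIPELINE_RUN_LIMIT and have ALM Octane retrieve none of the results. It assumes an .fpr is a ZIP archive whose audit.fvdl entry is XML in the namespace xmlns://www.fortifysoftware.com/schema/fvdl with one Vulnerability element per finding; the sample archive it builds is constructed test data, not a real scan.

```python
import io
import sys
import zipfile
import xml.etree.ElementTree as ET
from collections import Counter

# Assumed FVDL namespace and layout of audit.fvdl inside the .fpr ZIP archive.
FVDL_NS = {"f": "xmlns://www.fortifysoftware.com/schema/fvdl"}
DEFAULT_LIMIT = 100  # ALM Octane default for VULNERABILITIES_PER_PIPELINE_RUN_LIMIT

def count_findings(fpr_bytes: bytes) -> Counter:
    """Count the findings in an .fpr, keyed by Fortify Kingdom/Type."""
    with zipfile.ZipFile(io.BytesIO(fpr_bytes)) as archive:
        fvdl = ET.fromstring(archive.read("audit.fvdl"))
    counts = Counter()
    for vuln in fvdl.iterfind("f:Vulnerabilities/f:Vulnerability", FVDL_NS):
        kingdom = vuln.findtext("f:ClassInfo/f:Kingdom", "?", FVDL_NS)
        vtype = vuln.findtext("f:ClassInfo/f:Type", "?", FVDL_NS)
        counts[f"{kingdom}/{vtype}"] += 1
    return counts

def within_limit(counts: Counter, limit: int = DEFAULT_LIMIT) -> bool:
    """True if ALM Octane would inject the run's findings; above the limit it retrieves none."""
    return sum(counts.values()) <= limit

def make_sample_fpr(n_sqli: int, n_xss: int) -> bytes:
    """Build a constructed .fpr (test data, not a real scan) with the given finding counts."""
    types = ["SQL Injection"] * n_sqli + ["Cross-Site Scripting"] * n_xss
    vulns = "".join(
        "<Vulnerability><ClassInfo><Kingdom>Input Validation and Representation</Kingdom>"
        f"<Type>{t}</Type></ClassInfo><InstanceInfo><InstanceID>constructed-{i}</InstanceID>"
        "</InstanceInfo></Vulnerability>"
        for i, t in enumerate(types)
    )
    fvdl = f'<FVDL xmlns="{FVDL_NS["f"]}"><Vulnerabilities>{vulns}</Vulnerabilities></FVDL>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("audit.fvdl", fvdl)
    return buf.getvalue()

if __name__ == "__main__":
    # Pass a real .fpr path, or run with no argument to check the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample_fpr(60, 41)
    found = count_findings(data)
    for category, n in found.most_common():
        print(f"{n:4d}  {category}")
    verdict = "OK" if within_limit(found) else f"exceeds {DEFAULT_LIMIT}: ALM Octane would retrieve none"
    print(f"total {sum(found.values())}  {verdict}")
```

Run it as a pre-upload step in the Jenkins job and fail or warn when the total exceeds the configured limit, rather than discovering an empty pipeline run in ALM Octane later.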