Track security vulnerabilities (technical preview)
This topic describes how to track, analyze, and fix security vulnerabilities discovered in your code.
If you set up security testing integration, a pipeline run triggers a security assessment of your application's code, and ALM Octane displays the newly found vulnerabilities in the pipeline run.
This enables you to quickly identify and correct security vulnerabilities introduced into the code.
For details, see Set up security testing integration (technical preview).
To view vulnerabilities on a pipeline run, the following conditions must be met:
- The pipeline was created as part of the Fortify on Demand integration. For details, see Set up security testing integration (technical preview).
- The pipeline run on Jenkins was successful.
- The Fortify on Demand security assessment for this pipeline run is finished.
In the Pipelines > Pipelines page, you can see the number of new vulnerabilities found by Fortify on Demand following the latest pipeline run. Click the number to open the Vulnerabilities tab for that pipeline run.
In each pipeline run, in the Vulnerabilities tab, you can see details about the new vulnerabilities discovered on that pipeline run.
Note: The Vulnerabilities tab is available only for pipelines with the Security type. You can see a pipeline's type in the pipeline's Details tab.
If the pipeline run succeeded and the Fortify on Demand static analysis that followed it has finished, the Vulnerabilities tab lists the new vulnerabilities found on this run.
Vulnerability entities are meant to be short-lived. After reviewing a vulnerability, either create a defect to track the fix in your code, or dismiss the vulnerability and close it, so that the list reflects only issues that still need attention.
What can I do with a vulnerability?
As a build or CI owner:
Assign a user to investigate or fix a security issue.
As a committer to this pipeline run:
Click Vulnerabilities related to me to find any security issues that your committed changes may have introduced. This filter shows only vulnerabilities found in files that were included in your commits. Because it matches on files rather than on the specific lines you changed, it can also show issues in those files that predate your commit; treat it as a starting point for triage rather than proof that your change caused the issue. You can then assign yourself to investigate these vulnerabilities.
As a user investigating a vulnerability:
Click the vulnerability's ID to open it and view more details. If the Fortify on Demand server is currently available, ALM Octane also shows information from the security assessment that can help you fix the issue, for example an explanation of the issue and the recommended remediation. If the server is not available, only the details stored in ALM Octane are shown.
As a user who investigated a vulnerability:
If you confirmed that the vulnerability is a real problem that needs to be addressed, click Report Defect to create a defect from the selected vulnerability. The important details from the vulnerability are copied into the defect automatically, so the developer fixing it does not need to open the vulnerability again.
Anyone handling a vulnerability:
Update the vulnerability's State to reflect what you did, so that others can see at a glance which vulnerabilities are still open, which are being investigated, and which have been dismissed or turned into defects.