Track security vulnerabilities
This topic describes how to track, analyze, and fix security vulnerabilities discovered in your code using Fortify, SonarQube, or other static code analysis tools.
You can view security vulnerabilities in your code using the following integrations:
Fortify. If you set up a security testing integration with Fortify, each pipeline run triggers a security assessment of your application's code, and ALM Octane displays the vulnerabilities found in the pipeline run. For configuration details, see Set up an integration with Fortify.
SonarQube. If you set up a security testing integration with SonarQube, ALM Octane displays the vulnerabilities found in the pipeline run. For configuration details, see Set up an integration with SonarQube.
Other static code analysis tools. If you are using a static code analysis tool other than Fortify, you can use ALM Octane's REST API to inject security vulnerability issues detected by the tool into ALM Octane. For details, see Add vulnerability issues into ALM Octane.
This enables you to quickly identify and correct security vulnerabilities introduced into the code.
Tip: If you do not see vulnerability data, your role may not be permitted to access this information. For security purposes, administrators can block users from viewing or editing vulnerability data. For details, see Assign roles and permissions.
To view vulnerabilities on a pipeline run, your pipeline type must be Security. You can see a pipeline's type in the pipeline's Details tab.
If you are working with Fortify, you can view vulnerabilities if the pipeline run on Jenkins was successful, and the security assessment for the pipeline run is finished.
There are a number of places where you can see details on vulnerabilities in ALM Octane:
In the Pipelines > Pipelines page, you can see the number of vulnerabilities found following the latest pipeline run. Click the number to open the Vulnerabilities tab for that pipeline run.
In each pipeline run, in the Vulnerabilities tab, you can see details about the vulnerabilities discovered on that pipeline run.
You can create Summary Graphs based on the Vulnerabilities item type. This enables you to track risky releases or commits based on their vulnerabilities, filter vulnerabilities by owner, group them by severity, and more.
Tip: To track risky features (or other items in the backlog), create a custom graph based on the Feature entity. In the filter, select the Has open vulnerabilities field.
In the Backlog grid you can add an Open Vulnerabilities column. This shows the number of vulnerabilities per work item with a status other than Closed or Not an issue, helping you focus on the significant vulnerabilities. You can click on values in the tooltip to access vulnerability details, filtered by severity.
In the Details view of a user story, defect, or quality story, you can add an Open Vulnerabilities field showing the number of vulnerabilities related to the item.
In the Commits tabs, such as the one in the Team Backlog module, you can add an Open Vulnerabilities field showing the number of vulnerabilities related to the commit. You can also see the number of vulnerabilities on the Commit details display. Click the number to drill to the related vulnerability details.
Tip: You can create a cross-filter using this field, and filter for vulnerabilities with specific severities. This enables you to create useful widgets, for example you might create a widget showing all commits that have vulnerabilities with High severity, and group them by feature.
In the Features grid you can add a column called Has Open Vulnerabilities, which shows if a feature has any descendants with vulnerabilities. Click the tooltip to view details of all vulnerabilities, or those with a specific severity.
If your pipeline run was successful and was followed by a static code analysis looking for security issues, the Vulnerabilities tab displays the vulnerabilities found on this run.
Vulnerability entities should remain relevant only for a short period of time. After reviewing a vulnerability, create a relevant defect to fix in your code, or dismiss and close the issue.
What can I do with a vulnerability?
As a build or CI owner:
Assign a user to investigate or fix a security issue.
As a committer to this pipeline run:
Click Vulnerabilities related to me to find any security issues that your committed changes may have introduced. This filter shows only vulnerabilities found on files that were included in your commits. You can then assign yourself to investigate these issues.
As a user investigating a vulnerability:
Click the vulnerability's ID to open it and view more details.
If you are working with Fortify, and the Fortify server is available, ALM Octane shows additional information from the security assessment that can help you fix the issue, for example an explanation of the issue and the suggested recommendations.
As a user who investigated a vulnerability:
If you found the problem that needs to be addressed, use the Report Defect button to create a defect from the selected vulnerability. The important details from the vulnerability are automatically included in the defect.
Anyone handling a vulnerability:
The Status (Remote) and Analysis (Remote) fields on each vulnerability show the status and analysis data that are received by ALM Octane from your static code analysis tool. These fields are read-only.
You can update the Status (Local) and Analysis (Local) fields to track your work on a vulnerability in ALM Octane. Note that these values are not synchronized with the static code analysis tool, but remain in ALM Octane only.
Note: The Status (Local) and Analysis (Local) fields do not impact the Open vulnerability fields in the Backlog and Feature tabs. Open vulnerability is calculated based on the remote fields only.
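The two rules above, that the Open Vulnerabilities counts use only the remote status (not Closed or Not an issue) and that the Vulnerabilities related to me filter matches vulnerabilities on files touched by your commits, are illustrated by the following example. It is an added example written for this topic, not ALM Octane's own code or API; the data structures, function names and the sample vulnerabilities and commits are constructed assumptions chosen to show the counting logic.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Remote statuses that the page says are excluded from "open" counts.
NON_OPEN_REMOTE_STATUSES = {"Closed", "Not an issue"}


@dataclass
class Vulnerability:
    vuln_id: str
    severity: str                 # e.g. "High", "Medium", "Low"
    file_path: str                # file flagged by the analysis tool
    status_remote: str            # received from the analysis tool (read-only)
    status_local: str = "New"     # tracked in ALM Octane only; never affects open counts
    work_item: Optional[str] = None  # backlog item the vulnerability is linked to


@dataclass
class Commit:
    sha: str
    author: str
    files: Set[str]               # files changed in this commit


def is_open(vuln: Vulnerability) -> bool:
    """Open is decided by the remote status only; the local status is ignored."""
    return vuln.status_remote not in NON_OPEN_REMOTE_STATUSES


def open_vulnerabilities_per_work_item(vulns: List[Vulnerability]) -> Dict[str, int]:
    """Value of the Open Vulnerabilities column for each linked work item."""
    counts: Dict[str, int] = {}
    for v in vulns:
        if v.work_item and is_open(v):
            counts[v.work_item] = counts.get(v.work_item, 0) + 1
    return counts


def open_by_severity(vulns: List[Vulnerability], work_item: str) -> Dict[str, int]:
    """Breakdown shown in the tooltip: open vulnerabilities of a work item per severity."""
    breakdown: Dict[str, int] = {}
    for v in vulns:
        if v.work_item == work_item and is_open(v):
            breakdown[v.severity] = breakdown.get(v.severity, 0) + 1
    return breakdown


def feature_has_open_vulnerabilities(vulns: List[Vulnerability], descendants: Set[str]) -> bool:
    """Has Open Vulnerabilities: true if any descendant work item has an open vulnerability."""
    return any(v.work_item in descendants and is_open(v) for v in vulns)


def vulnerabilities_related_to(vulns: List[Vulnerability], commits: List[Commit], user: str) -> List[str]:
    """Vulnerabilities related to me: those on files included in the user's commits."""
    touched: Set[str] = set()
    for c in commits:
        if c.author == user:
            touched |= c.files
    return [v.vuln_id for v in vulns if v.file_path in touched]


# Constructed sample data (assumption, not real scan output).
SAMPLE_VULNS = [
    Vulnerability("V1", "High", "src/auth/login.java", "Open", "In progress", "US-101"),
    Vulnerability("V2", "Medium", "src/db/query.java", "Closed", "New", "US-101"),
    Vulnerability("V3", "Low", "src/auth/login.java", "Not an issue", "Open", "US-102"),
    # Local status Closed, but remote status still open: it still counts as open.
    Vulnerability("V4", "High", "src/util/io.java", "Reviewed", "Closed", "US-102"),
    Vulnerability("V5", "Medium", "src/web/render.java", "Open", "New", None),
]

SAMPLE_COMMITS = [
    Commit("c1", "alice", {"src/auth/login.java", "src/util/io.java"}),
    Commit("c2", "bob", {"src/db/query.java"}),
]

if __name__ == "__main__":
    print(open_vulnerabilities_per_work_item(SAMPLE_VULNS))   # {'US-101': 1, 'US-102': 1}
    print(open_by_severity(SAMPLE_VULNS, "US-102"))            # {'High': 1}
    print(feature_has_open_vulnerabilities(SAMPLE_VULNS, {"US-101", "US-102"}))  # True
    print(vulnerabilities_related_to(SAMPLE_VULNS, SAMPLE_COMMITS, "alice"))     # ['V1', 'V3', 'V4']
```

Note that V4 is counted as open for US-102 even though its local status is Closed, and V2 is not counted although its local status is New: only the remote fields decide. The related-to-me filter is file based, so it returns V3 for alice even though V3 is Not an issue remotely; it is the reviewer's job to triage what the filter surfaces.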
Updated and missed vulnerabilities
What happens when a vulnerability is updated?
If you are using Fortify or the REST API to inject vulnerabilities into ALM Octane, ALM Octane shows updates to the vulnerability.
For example, if a vulnerability's status changes in Fortify, ALM Octane shows its updated status. If you set an analysis in SSC (Fortify Software Security Center) and reran the pipeline, this analysis appears in ALM Octane as Analysis (Remote).
What happens when a vulnerability is missed by the pipeline?
ALM Octane shows vulnerabilities that are discovered via a pipeline job. This means that if you run a sub-job directly from Jenkins and a vulnerability is added to SSC, it is not detected by the main pipeline in ALM Octane. However, if you update your code and then run the pipeline, this missed vulnerability is detected, and ALM Octane labels it as a Missed Vulnerability.
These vulnerabilities do not contain commit details in ALM Octane because they were not detected on creation, but they are displayed in ALM Octane so you will be aware of them and not overlook potential problems in your code.