Track security vulnerabilities

This topic describes how to track, analyze, and fix security vulnerabilities discovered in your code using Fortify on Demand, or other static code analysis tools.

Overview

You can view security vulnerabilities in your code using the following integrations:

  • Fortify on Demand. If you set up a security testing integration with Fortify on Demand, each pipeline run triggers a security assessment of your application's code, and ALM Octane displays the newly found vulnerabilities in the pipeline run. For configuration details, see Set up Fortify on Demand integration.

  • Other static code analysis tools. If you are using a static code analysis tool other than Fortify on Demand, you can use ALM Octane's REST API to inject security vulnerability issues detected by the tool into ALM Octane. For details, see Add vulnerability issues into ALM Octane.

This enables you to quickly identify and correct security vulnerabilities introduced into the code.
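The REST API route above is where most teams plug in a tool that is not Fortify on Demand. The following is an added example (not ALM Octane's own code and not from the page) of the conversion step that sits in front of that call: it flattens SARIF-like tool output into one issue per unique finding, de-duplicates on a stable remote identifier so a re-scan does not create a second copy of the same entity, and then signs in with an API access key and PUTs the batch. The SARIF-like input shape, the issue field names, the severity mapping, the `{"data": [...]}` envelope and the endpoint path `OCTANE_VULN_PATH` are assumptions; check them against the REST API reference for your ALM Octane version before use.

```python
"""Convert static-analysis findings into ALM Octane vulnerability issues.

Added example, not ALM Octane's own code. Assumed (not from the page): the
SARIF-like input shape, the issue field names, SEVERITY_MAP, the payload
envelope and OCTANE_VULN_PATH. Verify against your ALM Octane REST API docs.
"""
import http.cookiejar
import json
import os
import urllib.request
from typing import Dict, List

# Assumed mapping from tool levels to Octane-style severity names.
SEVERITY_MAP = {"error": "high", "warning": "medium", "note": "low"}

# Assumed endpoint path; verify against your ALM Octane version.
OCTANE_VULN_PATH = "/api/shared_spaces/{space}/workspaces/{workspace}/vulnerabilities"

# Constructed sample input in a SARIF-like shape (not real tool output).
SAMPLE_SARIF = {
    "runs": [{
        "tool": {"driver": {"name": "ExampleSAST"}},
        "results": [
            {"ruleId": "SQLI-001", "level": "error",
             "message": {"text": "Unsanitized input reaches SQL query"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/db/query.py"},
                 "region": {"startLine": 42}}}],
             "fingerprints": {"primary": "f1"}},
            {"ruleId": "XSS-004", "level": "warning",
             "message": {"text": "Reflected output without encoding"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/web/views.py"},
                 "region": {"startLine": 17}}}],
             "fingerprints": {"primary": "f2"}},
            # Same fingerprint as the first result: a re-report, not a new issue.
            {"ruleId": "SQLI-001", "level": "error",
             "message": {"text": "Unsanitized input reaches SQL query"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/db/query.py"},
                 "region": {"startLine": 42}}}],
             "fingerprints": {"primary": "f1"}},
            # No location and no fingerprint: still reported, keyed by rule.
            {"ruleId": "CFG-009", "level": "note",
             "message": {"text": "Debug mode enabled in configuration"},
             "locations": []},
        ],
    }]
}


def to_octane_issues(sarif: dict) -> List[Dict]:
    """One issue dict per unique finding; duplicates dropped on remote_id."""
    issues: List[Dict] = []
    seen = set()
    for run in sarif.get("runs", []):
        tool = run["tool"]["driver"]["name"]
        for r in run.get("results", []):
            loc = (r.get("locations") or [{}])[0].get("physicalLocation", {})
            path = loc.get("artifactLocation", {}).get("uri", "")
            line = loc.get("region", {}).get("startLine", 0)
            # Stable id: the tool's fingerprint, else rule + file + line.
            remote_id = (r.get("fingerprints", {}).get("primary")
                         or f"{r['ruleId']}:{path}:{line}")
            if remote_id in seen:
                continue
            seen.add(remote_id)
            issues.append({
                "remote_id": remote_id,
                "tool_name": tool,
                "category": r["ruleId"],
                "severity": SEVERITY_MAP.get(r.get("level", "note"), "low"),
                "package": path or "<unknown>",
                "line": line,
                "summary": r["message"]["text"],
                "state": "new",
            })
    return issues


def build_payload(issues: List[Dict]) -> Dict:
    """Wrap the issues in the assumed {"data": [...]} bulk envelope."""
    return {"data": issues}


def push_to_octane(base_url: str, space: str, workspace: str, issues: List[Dict]) -> int:
    """Sign in with an API access key read from the environment (never
    hard-coded) and PUT the batch. Returns the HTTP status. Needs a server."""
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    creds = {"client_id": os.environ["OCTANE_CLIENT_ID"],
             "client_secret": os.environ["OCTANE_CLIENT_SECRET"]}
    login = urllib.request.Request(
        f"{base_url}/authentication/sign_in", method="POST",
        data=json.dumps(creds).encode(), headers={"Content-Type": "application/json"})
    opener.open(login).close()  # session cookie is now held in the jar
    req = urllib.request.Request(
        base_url + OCTANE_VULN_PATH.format(space=space, workspace=workspace),
        method="PUT", data=json.dumps(build_payload(issues)).encode(),
        headers={"Content-Type": "application/json"})
    with opener.open(req) as resp:
        return resp.status
```

The de-duplication key matters more than it looks: if the tool does not give you a stable fingerprint, rule plus file plus line is the fallback, and a refactor that shifts lines will then re-open findings you already dismissed. Prefer the tool's own fingerprint wherever it exists.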

Prerequisites

  1. Before you can view vulnerabilities, do one of the following: Set up Fortify on Demand integration, or Add vulnerability issues into ALM Octane through the REST API.

  2. To view vulnerabilities on a pipeline run, your pipeline type must be Security. You can see a pipeline's type in the pipeline's Details tab.

  3. If you are working with Fortify on Demand, vulnerabilities are available only after the pipeline run on Jenkins has succeeded and the security assessment for that run has finished.

View security assessment results in ALM Octane

There are a number of places where you can see details on vulnerabilities in ALM Octane:

  • In the Pipelines > Pipelines page, you can see the number of new vulnerabilities found following the latest pipeline run. Click the number to open the Vulnerabilities tab for that pipeline run.

  • In each pipeline run, in the Vulnerabilities tab, you can see details about the new vulnerabilities discovered on that pipeline run.

  • In the Backlog grid you can add a Vulnerabilities column. This shows the number of vulnerabilities per work item with a status other than Closed or Not an issue, helping you focus on the significant vulnerabilities. You can click on values in the tooltip to access vulnerability details.

  • In the Details view of a user story, defect, or quality story, you can add a Vulnerabilities field showing the number of vulnerabilities related to the item.

  • In the Features grid you can add a column called Has Vulnerabilities, which shows if a feature has any descendants with vulnerabilities. Click the tooltip to view details of all vulnerabilities, or those with a specific severity.

Manage the discovered vulnerabilities

If your pipeline run was successful and was followed by a static code analysis looking for security issues, the Vulnerabilities tab displays the new vulnerabilities found on this run.

Vulnerability entities should remain relevant only for a short period of time. After reviewing a vulnerability, create a relevant defect to fix in your code, or dismiss and close the issue.

What can I do with a vulnerability?

  • As a build or CI owner:

    Assign a user to investigate or fix a security issue.

  • As a committer to this pipeline run:

    Click Vulnerabilities related to me to find any security issues that your committed changes may have introduced. This filter shows only vulnerabilities found on files that were included in your commits. Because the match is by file rather than by line, a vulnerability in a file you touched may also pre-date your change; review the finding before assigning yourself to investigate it.

  • As a user investigating a vulnerability: 

    Click the vulnerability's ID to open it and view more details.

    If you are working with Fortify on Demand, and the Fortify on Demand server is available, ALM Octane shows additional information from the security assessment that can help you fix the issue, for example an explanation of the issue and recommendations for fixing it.

  • As a user who investigated a vulnerability:

    If you found the problem that needs to be addressed, use the Report Defect button to create a defect from the selected vulnerability. The important details from the vulnerability are automatically included in the defect.

  • Anyone handling a vulnerability: 

    Update the vulnerability's Status to reflect what you did.
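The "Vulnerabilities related to me" filter described above is a file-level match between the files in your commits and the files the scanner reported. The following is an added example (not ALM Octane's own filter logic) of that triage step done offline, which also shows the two details that bite in practice: scanner paths are often absolute inside the CI workspace while commit paths are repo-relative and may use Windows separators, and findings already in the Closed or Not an issue status (the ones the Backlog count leaves out) should not be surfaced again. The vulnerability and commit records are constructed; on a real run they would come from the pipeline run via the REST API.

```python
"""Triage helper: which open vulnerabilities sit in files I committed?

Added example, not ALM Octane's own filter logic. The records below are
constructed; their field names (id, package, severity, status, author,
files) are assumptions, not the page's.
"""
from pathlib import PurePosixPath
from typing import Dict, List, Tuple

# Statuses the Backlog "Vulnerabilities" count already leaves out.
RESOLVED = {"Closed", "Not an issue"}
RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed: commits on one pipeline run, with mixed path styles.
COMMITS = [
    {"author": "alice", "files": ["src/db/query.py", "src\\web\\views.py"]},
    {"author": "bob", "files": ["./src/auth/token.py"]},
]
# Constructed: findings on that run; one path is absolute (CI workspace).
VULNS = [
    {"id": 101, "package": "src/db/query.py", "severity": "high", "status": "New"},
    {"id": 102, "package": "/build/ws/src/web/views.py", "severity": "medium", "status": "New"},
    {"id": 103, "package": "src/auth/token.py", "severity": "high", "status": "Closed"},
    {"id": 104, "package": "src/util/log.py", "severity": "low", "status": "New"},
    {"id": 105, "package": "vendor/query.py", "severity": "critical", "status": "New"},
]


def normalize(path: str) -> Tuple[str, ...]:
    """Path components with Windows separators and './' collapsed."""
    return PurePosixPath(path.replace("\\", "/")).parts


def same_file(committed: str, reported: str) -> bool:
    """True when the repo-relative committed path is the tail of the reported
    path (which may be absolute inside the CI workspace). Whole relative
    paths are compared, not bare file names, so vendor/query.py does not
    match src/db/query.py."""
    c, r = normalize(committed), normalize(reported)
    return len(c) <= len(r) and r[-len(c):] == c


def related_to_me(author: str, vulns: List[Dict] = VULNS,
                  commits: List[Dict] = COMMITS,
                  include_resolved: bool = False) -> List[int]:
    """IDs of vulnerabilities in files the author committed, highest severity first."""
    my_files = [f for c in commits if c["author"] == author for f in c["files"]]
    hits = [v for v in vulns
            if (include_resolved or v["status"] not in RESOLVED)
            and any(same_file(f, v["package"]) for f in my_files)]
    hits.sort(key=lambda v: (RANK.get(v["severity"], 99), v["id"]))
    return [v["id"] for v in hits]


if __name__ == "__main__":
    for who in ("alice", "bob"):
        print(who, related_to_me(who), related_to_me(who, include_resolved=True))
```

A match here means only that the file was in your commit, not that your diff introduced the finding; the line numbers on the vulnerability and on your diff hunks are what settle that.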
