Micro Focus Fortify SCA
Use the Micro Focus Fortify SCA bundled plugin to analyze an application's source code for security issues.
Static Code Analyzer (SCA) identifies the root causes of software security vulnerabilities and delivers accurate, risk-ranked results with line-of-code remediation guidance.
Prerequisites
To use the Micro Focus Fortify SCA plugin, you need Fortify SCA and the tools that it uses, such as Microsoft Visual Studio, installed on the same machine as the PulseUno agent. Configure them correctly for the named user account under which Common Tomcat is running.
Note: Fortify SCA may not work if Common Tomcat runs as a Windows service under the LocalSystem account.
Create server configuration file
The Micro Focus Fortify SCA plugin's server configuration file is required and is located in:
${dataDir}/conf/experts/com.serena.starlight/hpfortify/hpfortify-pulse-expert.properties
Property | Description
---|---
sourceAnalyzerPath | Specifies one of the following. For example: C:\\Program Files\\HP_Fortify\\HP_Fortify_SCA_and_Apps_<version>\\bin\\sourceanalyzer.exe
reportGeneratorExecutablePath | Specifies the full path to the Fortify SCA report generator, for example: C:\\Program Files\\HP_Fortify\\HP_Fortify_SCA_and_Apps_<version>\\bin\\ReportGenerator.bat
visualStudioExecutablePath | Specifies the full path to Microsoft Visual Studio, for example: C:\\Program Files (x86)\\Microsoft Visual Studio <version>\\Common7\\IDE\\devenv.exe
Example server configuration file:
sourceAnalyzerPath=C:\\Program Files\\HP_Fortify\\HP_Fortify_SCA_and_Apps_4.30\\bin\\sourceanalyzer.exe
reportGeneratorExecutablePath=C:\\Program Files\\HP_Fortify\\HP_Fortify_SCA_and_Apps_4.30\\bin\\ReportGenerator.bat
visualStudioExecutablePath=C:\\Program Files (x86)\\Microsoft Visual Studio 10.0\\Common7\\IDE\\devenv.exe
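The doubled backslashes in the file above are required because the agent reads it with Java properties semantics, where a lone backslash before an ordinary character is dropped. The following Python script is an added example, not PulseUno or Fortify code: it parses such a file with those escaping rules and checks that the three required properties are present and end in the executable names given in the table (the parser and lint function are hypothetical helpers).

```python
"""Lint a hpfortify-pulse-expert.properties file before the agent uses it.
Java's Properties.load() drops a lone backslash before an ordinary
character, which is why the example file doubles every backslash."""
import re
# Property name -> executable it must point at (both from the page).
REQUIRED = {
    "sourceAnalyzerPath": "sourceanalyzer.exe",
    "reportGeneratorExecutablePath": "ReportGenerator.bat",
    "visualStudioExecutablePath": "devenv.exe",
}

def unescape(value):
    """Java Properties escaping: \\\\ -> \\ and \\t \\n \\r \\f; any other
    escaped character simply loses its backslash (\\uXXXX not handled)."""
    specials = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append(specials.get(value[i + 1], value[i + 1]))
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)

def load_properties(text):
    """Parse key=value (or key:value) lines; '#' and '!' start comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = unescape(m.group(2))
    return props

def lint(text):
    """Return a list of problems; an empty list means the file is usable."""
    props, problems = load_properties(text), []
    for key, exe in REQUIRED.items():
        path = props.get(key)
        if path is None:
            problems.append(f"{key}: missing")
        elif "\\" not in path:
            problems.append(f"{key}: no backslash survived, write them as \\\\")
        elif not path.lower().endswith(exe.lower()):
            problems.append(f"{key}: expected a path ending in {exe}, got {path!r}")
    return problems
```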
Configure plugin settings
When you add the Micro Focus Fortify SCA plugin to a chain, specify the plugin's configuration details.
To configure the plugin step:
- Enter a name for this step in the chain.
- For Translation Phase, select a custom translation option:
  - Yes. Use a custom translation string. In the Custom translation options field, enter a string that includes only translation phase options. Do not include the '-b' option.
  - No. Select translation options:

    Translator type | Option | Description
    ---|---|---
    Java sources | Sources include pattern | Enter patterns for Java sources, for example: src/**/*.java. Default pattern: **/*.java
    Java sources | Classpath | Enter a Java class path. The format is the same as for javac (a colon- or semicolon-separated list of paths). Maps to the sourceanalyzer Ant task classpath attribute.
    Java sources | Resolution source path | Enter the path to a directory of Java sources that are used for resolution only, not for analysis. Maps to the sourceanalyzer Ant task sourcepath attribute.
    Java sources | Java version | Specify the JDK version the Java code is written for. Maps to the sourceanalyzer Ant task source attribute.
    Visual Studio projects | Project/solution file path | Enter the relative path to a solution file.
    Visual Studio projects | Microsoft Visual Studio | Enter the full path to Visual Studio, for example: C:\Program Files (x86)\Microsoft Visual Studio <version>\Common7\IDE\devenv.com
    C/C++ source files | Include pattern | Enter include patterns that select the source files, separating each entry with a comma, for example: **/*.cpp,main.cpp
    C/C++ source files | Path to C++ compiler executable | Enter the path to the C++ compiler executable.
    Other sources | Include pattern | Enter include patterns for other sources, separating each entry with a comma, for example: **/*.sql,*.php

- (Optional) For Analysis Phase, enter additional rulepack files or directories, one per line. You can specify an absolute path or a path relative to the stream/branch root. Maps to the sourceanalyzer Ant task rules attribute.
  To use custom analyze options instead, select Yes and specify a custom options string for the sourceanalyzer executable. Include analyze phase options only.
- To create a PDF file of the report, select Generate PDF report and enter the path of a report template file. You can specify an absolute path or a path relative to the stream/branch root. Leave the field empty to use the default template. Maps to the ReportGenerator utility's template option.
  Tip: Instead of generating a report file, you can use the Micro Focus Fortify SSC plugin to send scan results to Micro Focus Fortify Software Security Center. For details, see Micro Focus Fortify SSC.
- To capture findings in PulseUno, keep the option Create findings from FPR file selected.
  If you're running both the Fortify SCA and Fortify SSC plugins in the same chain, we recommend clearing this option to avoid duplicating findings in PulseUno.
- (Optional) Select Use advanced options to specify additional SCA options:

  Option | Description
  ---|---
  Fortify SCA sourceanalyzer path | Enter the path to the Fortify SCA sourceanalyzer executable, for example: C:\Program Files\Fortify\Fortify_SCA_and_Apps_<version>\bin\sourceanalyzer.exe
  Fortify SCA ReportGenerator path | Enter the path to the Fortify SCA ReportGenerator utility, for example: C:\Program Files\Fortify\Fortify_SCA_and_Apps_<version>\bin\ReportGenerator.bat

- (Optional) Expand Control options and define the following settings:
  - Enable step. Leave this option selected to enable the step to run. Clearing this option deactivates the step. Disabled steps are displayed crossed out in the list of chain steps.
  - Fail the step. Specify the conditions for failing the step, such as findings criteria and/or console log entries.
  - Mark step as unstable. Specify the conditions for marking the step unstable, such as findings criteria and/or console log entries.
- (Optional) Enter the variables to be passed to other steps down the chain. For details, see Publish output variables.
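The include patterns in the translation options above use Ant-style syntax, where ** spans any number of directories while * stays within one path segment. The following Python script is an added example, not PulseUno or Fortify code: it resolves a comma-separated pattern string against a constructed file list so you can preview which sources a translation step would pick up; it shows, for instance, that the *.php part of the page's **/*.sql,*.php example only selects .php files directly at the stream/branch root. Ant's matching semantics are assumed; the helper names are hypothetical.

```python
"""Resolve the plugin's comma-separated Ant-style include patterns
(for example **/*.cpp,main.cpp) against a list of files, to preview
which sources the translation phase would pick up."""
import re

def ant_to_regex(pattern):
    """Translate one Ant pattern: '**' spans directories, '*' and '?'
    stay inside one path segment, everything else is literal."""
    pattern = pattern.strip().replace("\\", "/")
    regex, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            regex += "(?:.*/)?"   # zero or more directory levels
            i += 3
        elif pattern.startswith("**", i):
            regex += ".*"         # trailing '**': anything below this point
            i += 2
        elif pattern[i] == "*":
            regex += "[^/]*"      # within a single path segment
            i += 1
        elif pattern[i] == "?":
            regex += "[^/]"
            i += 1
        else:
            regex += re.escape(pattern[i])
            i += 1
    return re.compile("^" + regex + "$")

def select(patterns, paths):
    """Return the paths (relative to the stream/branch root, '/' separated)
    matched by any pattern in the comma-separated string, in input order."""
    regexes = [ant_to_regex(p) for p in patterns.split(",") if p.strip()]
    return [p for p in paths if any(r.match(p) for r in regexes)]

# Constructed sample tree, not taken from any real repository.
SAMPLE_TREE = [
    "main.cpp", "src/util.cpp", "src/deep/io.cpp", "src/util.h",
    "src/com/acme/App.java", "test/com/acme/AppTest.java",
    "db/schema.sql", "web/index.php", "web/index.php.bak",
]

if __name__ == "__main__":
    for spec in ("**/*.cpp,main.cpp", "src/**/*.java", "**/*.java", "**/*.sql,*.php"):
        # '*.php' has no leading '**/', so web/index.php is not selected.
        print(f"{spec:20} -> {select(spec, SAMPLE_TREE)}")
```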