Micro Focus Fortify SCA

Use the Micro Focus Fortify SCA bundled plugin to analyze an application's source code for security issues.

Static Code Analyzer (SCA) identifies the root causes of software security vulnerabilities and delivers accurate, risk-ranked results with line-of-code remediation guidance.

Prerequisites

To use the Micro Focus Fortify SCA plugin, Fortify SCA and the build tools it invokes (for example, Microsoft Visual Studio for Visual Studio projects) must be installed on the same machine as the PulseUno agent, and they must be configured for the named user account under which Common Tomcat runs.

Note: Fortify SCA may not work if Common Tomcat runs as a Windows service under the LocalSystem account.


Create server configuration file

The Micro Focus Fortify SCA plugin's server configuration file is required and is located in:

${dataDir}/conf/experts/com.serena.starlight/hpfortify/hpfortify-pulse-expert.properties

The file defines the following properties:

sourceAnalyzerPath

Specifies one of the following:

  • The full path to the Fortify SCA sourceanalyzer executable.
  • The full path to a wrapper script that sets extra parameters, such as the JVM memory size, and then starts sourceanalyzer with the arguments it was given.

For example:

C:\\Program Files\\HP_Fortify\\HP_Fortify_SCA_and_Apps_<version>\\bin\\sourceanalyzer.exe

reportGeneratorExecutablePath

Specifies the full path to the Fortify SCA ReportGenerator utility, for example:

C:\\Program Files\\HP_Fortify\\HP_Fortify_SCA_and_Apps_<version>\\bin\\ReportGenerator.bat

visualStudioExecutablePath

Specifies the full path to the Microsoft Visual Studio executable, for example:

C:\\Program Files (x86)\\Microsoft Visual Studio <version>\\Common7\\IDE\\devenv.exe

Note: This is a Java properties file, so each backslash in a Windows path is written twice (\\), as in the examples above. A single backslash is read as an escape character and the path will not resolve.

Example server configuration file:

sourceAnalyzerPath=C:\\Program Files\\HP_Fortify\\HP_Fortify_SCA_and_Apps_4.30\\bin\\sourceanalyzer.exe
reportGeneratorExecutablePath=C:\\Program Files\\HP_Fortify\\HP_Fortify_SCA_and_Apps_4.30\\bin\\ReportGenerator.bat
visualStudioExecutablePath=C:\\Program Files (x86)\\Microsoft Visual Studio 10.0\\Common7\\IDE\\devenv.exe
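The following is an added example of the wrapper-script form of sourceAnalyzerPath; it is not shipped with PulseUno or Fortify. It is written for a Linux agent, and the install location, heap size and log path are assumptions to adjust for your agent (on a Windows agent the same idea is a .cmd file that calls sourceanalyzer.exe). The -Xmx and -logfile options are sourceanalyzer's own.

```shell
#!/bin/sh
# sca-wrapper.sh: wrapper that sourceAnalyzerPath points at instead of sourceanalyzer.
# Added example, not part of PulseUno or Fortify. Install location, heap size and log
# path below are assumptions for a Linux agent.
SCA="${SCA_HOME:-/opt/Fortify/Fortify_SCA_and_Apps}/bin/sourceanalyzer"
SCA_HEAP="${SCA_HEAP:-4G}"                               # handed to sourceanalyzer as -Xmx<size>
SCA_LOG="${SCA_LOG:-/var/log/fortify/sca-wrapper.log}"   # sourceanalyzer -logfile target

# The exact argument list sourceanalyzer will receive, as one line for logging: the JVM
# options first, then every argument the plugin passed, unchanged. The plugin supplies
# -b <build id> itself, so the wrapper never adds one.
sca_args() {
    heap="$1"; log="$2"; shift 2
    printf '%s' "-Xmx$heap -logfile $log"
    for a in "$@"; do printf ' %s' "$a"; done
    printf '\n'
}

# A path that is not an executable should fail the chain step loudly rather than leave
# the analysis phase with no FPR file to read.
check_sca() {
    [ -x "$1" ]
}

# Only launch when this file is invoked as the wrapper, so the functions above can be
# sourced and checked without starting a scan. exec keeps sourceanalyzer's exit code
# visible to the caller instead of hiding it behind the wrapper's own.
case "${0##*/}" in
    sca-wrapper.sh)
        check_sca "$SCA" || { echo "sca-wrapper: $SCA is not executable" >&2; exit 2; }
        echo "sca-wrapper: $(sca_args "$SCA_HEAP" "$SCA_LOG" "$@")" >>"$SCA_LOG" 2>/dev/null || true
        exec "$SCA" -Xmx"$SCA_HEAP" -logfile "$SCA_LOG" "$@"
        ;;
esac
```

Make the file executable for the Common Tomcat user and set sourceAnalyzerPath to its full path; the plugin's own arguments, including the build ID, pass through untouched.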


Configure plugin settings

When you add the Micro Focus Fortify SCA plugin to a chain, specify the plugin's configuration details.

To configure the plugin step:

  1. Enter a name for this step in the chain.

  2. For Translation Phase, choose whether to use a custom translation string:

    • Yes. In the Custom translation options field, enter a string that contains translation phase options only. Do not include the -b option; the plugin sets the build ID itself.

    • No. Select translation options for each translator type:

      Java sources

        Sources include pattern. Enter patterns for Java sources, for example:

        src/**/*.java

        Default pattern: **/*.java

        Classpath. Enter a Java class path in the same format as javac (a colon- or semicolon-separated list of paths). Maps to the sourceanalyzer Ant task classpath attribute.

        Resolution source path. Enter the path to a directory of Java sources used to resolve references. These sources are used for resolution only, not for analysis. Maps to the sourceanalyzer Ant task sourcepath attribute.

        Java version. Specify the JDK version that the Java code is written for. Maps to the sourceanalyzer Ant task source attribute.

      Visual Studio projects

        Project/solution file path. Enter the relative path to the solution file.

        Microsoft Visual Studio. Enter the full path to Visual Studio, for example:

        C:\Program Files (x86)\Microsoft Visual Studio <version>\Common7\IDE\devenv.com

      C/C++ source files

        Include pattern. Specify the source files to translate as include patterns, separated by commas, for example:

        **/*.cpp,main.cpp

        Path to C++ compiler executable. Enter the path to the C++ compiler executable.

      Other sources

        Include pattern. Enter include patterns for other sources, separated by commas, for example:

        **/*.sql,*.php

  3. (Optional) For Analysis Phase, enter additional rulepack files or directories, one per line. You can specify an absolute path or the path relative to the stream/branch root. Use the sourceanalyzer Ant task rules attribute.

    To use custom analyze options instead, select Yes and specify a custom options string for sourceanalyzer executable. Include analyze phase options only.

  4. To create a PDF file of the report, select Generate PDF report and enter the path of a report template file. You can specify an absolute path or the path relative to the stream/branch root. Leave empty to use the default template.

    Use the ReportGenerator utility's template option.

    Tip: Instead of generating a report file, you can use the Micro Focus Fortify SSC plugin to send scan results to Micro Focus Fortify Software Security Center. For details, see Micro Focus Fortify SSC.

  5. To capture findings to PulseUno, keep the option Create findings from FPR file selected.

    If you're running both Fortify SCA and Fortify SSC plugins in the same chain, we recommend clearing this option to avoid duplicating findings in PulseUno.

  6. (Optional) Select Use advanced options to specify additional SCA options:

    Fortify SCA sourceanalyzer path. Enter the path to the Fortify SCA sourceanalyzer executable, for example:

    C:\Program Files\Fortify\Fortify_SCA_and_Apps_<version>\bin\sourceanalyzer.exe

    Fortify SCA ReportGenerator path. Enter the path to the Fortify SCA ReportGenerator utility, for example:

    C:\Program Files\Fortify\Fortify_SCA_and_Apps_<version>\bin\ReportGenerator.bat

  7. (Optional) Expand Control options and define the following settings:

    • Enable step. Leave this option selected to enable the step to run.

      Clearing this option deactivates the step. Disabled steps are displayed crossed out in the list of chain steps.

    • Fail the step. Specify the conditions for failing the step, such as certain findings criteria and/or console log entries.

    • Mark step as unstable. Specify the conditions for making the step unstable, such as certain findings criteria and/or console log entries.

  8. (Optional) Enter the variables to be passed to other steps down the chain. For details, see Publish output variables.
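To make the Translation Phase, Analysis Phase and PDF report settings above concrete, the following added example (not PulseUno or Fortify code) shows the sourceanalyzer and ReportGenerator command sequence those settings drive, for a Java build on a Linux agent. The install path, build ID, source layout and rulepack name are assumptions; a Windows agent uses the .exe and .bat paths from the server configuration file instead. The flags used (-b, -clean, -cp, -sourcepath, -source, -scan, -rules, -f, and ReportGenerator's -format, -source and -template) are the tools' documented options.

```shell
#!/bin/sh
# Added example, not part of PulseUno or Fortify: the command sequence behind the plugin's
# Translation Phase, Analysis Phase and "Generate PDF report" settings for a Java build.
# SCA_BIN, BUILD_ID and SRC_ROOT are assumptions for a Linux agent.
set -eu

SCA_BIN="${SCA_BIN:-/opt/Fortify/Fortify_SCA_and_Apps/bin}"
BUILD_ID="${BUILD_ID:-myapp-sca}"   # the plugin passes -b itself; only a manual run sets it here
SRC_ROOT="${SRC_ROOT:-.}"           # stream/branch root that relative paths resolve against

# Drop intermediate files from a previous run of this build ID so stale translations
# cannot leak into the new scan.
clean_cmd() {
    printf '%s\n' "$SCA_BIN/sourceanalyzer -b $BUILD_ID -clean"
}

# Translation phase. The Java options in step 2 map onto sourceanalyzer flags:
# Classpath -> -cp, Resolution source path -> -sourcepath, Java version -> -source,
# Sources include pattern -> the quoted file specifier (sourceanalyzer expands ** itself).
# -b is added here, which is why a custom translation string must not contain it.
translate_cmd() {
    cp="$1"; srcpath="$2"; jver="$3"; pattern="$4"
    printf '%s\n' "$SCA_BIN/sourceanalyzer -b $BUILD_ID -cp \"$cp\" -sourcepath \"$srcpath\" -source $jver \"$SRC_ROOT/$pattern\""
}

# Analysis phase. Each extra rulepack file or directory from step 3 becomes one -rules
# argument; the FPR written by -f is what "Create findings from FPR file" reads back.
scan_cmd() {
    fpr="$1"; shift
    rules=""
    for r in "$@"; do rules="$rules -rules \"$r\""; done
    printf '%s\n' "$SCA_BIN/sourceanalyzer -b $BUILD_ID -scan$rules -f \"$fpr\""
}

# PDF report (step 4). An empty template argument omits -template, so ReportGenerator
# uses its default template, matching the plugin when the template path is left blank.
report_cmd() {
    fpr="$1"; pdf="$2"; template="$3"
    tmpl=""
    if [ -n "$template" ]; then tmpl=" -template \"$template\""; fi
    printf '%s\n' "$SCA_BIN/ReportGenerator -format pdf -f \"$pdf\" -source \"$fpr\"$tmpl"
}

# Print each command (DRY_RUN=1, the default) or run it with sh -c so the embedded quotes
# keep paths containing spaces intact. Under set -e a failing command aborts the sequence,
# so a broken translation never produces a misleadingly empty FPR.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "+ $1"; else sh -c "$1"; fi
}

main() {
    run "$(clean_cmd)"
    run "$(translate_cmd 'lib/*.jar' 'generated/src' 1.8 'src/**/*.java')"
    run "$(scan_cmd build/myapp.fpr 'rules/custom-rules.xml')"
    run "$(report_cmd build/myapp.fpr build/myapp.pdf '')"
}

main
```

Run it as-is to see the four commands, or with DRY_RUN=0 on an agent that has Fortify SCA installed to execute them; the FPR it writes is the same artifact the plugin turns into findings or hands to the Fortify SSC plugin.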
