Use the Fortify SCA bundled plugin to locally analyze an application's source code for security issues.
Fortify Static Code Analyzer (SCA) identifies the root causes of software security vulnerabilities and delivers accurate, risk-ranked results with line-of-code remediation guidance.
To run the Fortify SCA plugin, you need Fortify SCA and the tools that it uses, such as Microsoft Visual Studio, installed on the same machine as the PulseUno agent. The plugin invokes them as the named user account under which Common Tomcat is running, so install and configure them (installation paths, environment variables, PATH) for that account.
Note: Fortify SCA may not work if Common Tomcat runs as a Windows service under the LocalSystem account.
Configure the plugin
When you add the Fortify SCA plugin to a chain, specify the plugin configuration details.
To configure the Fortify SCA step:
Add the Fortify SCA step to a chain, as described in Create chains.
(Optional) Rename the plugin step.
For Translation Phase, choose whether to use a custom translation string:

Yes. Use a custom translation string. In the Custom translation options field, enter a string that contains only translation phase options. Do not include the '-b' (build ID) option; the plugin supplies the build ID so that the translation and analysis phases refer to the same build.

No. Select translation options for each translator type:

Java sources:
- Sources include pattern: Enter patterns for Java sources, for example:
  Default pattern: **/*.java
- Enter a Java class path. The format is the same as for javac: a list of paths separated by a colon on Linux/macOS or a semicolon on Windows. Use the sourceanalyzer Ant task classpath attribute.
- Resolution source path: Enter the path to a directory of Java resolution sources. These sources are used only to resolve types; they are not analyzed. Use the sourceanalyzer Ant task sourcepath attribute.
- Specify the JDK version the Java code is written for. Use the sourceanalyzer Ant task source attribute.

Visual Studio projects:
- Project/solution file path: Enter the relative path to a solution file.
- Microsoft Visual Studio: Enter the full path to the Visual Studio executable, for example:
  C:\Program Files (x86)\Microsoft Visual Studio <version>\Common7\IDE\devenv.com

C/C++ source files:
- Include pattern: Specify the names of source files. Enter include patterns, separating each entry with a comma, for example:
- Path to C++ compiler executable: Enter the path to the C++ compiler executable.

Other sources:
- Enter include patterns for other sources. Separate each entry with a comma, for example:
(Optional) For Analysis Phase, enter additional rulepack files or directories, one per line. You can specify an absolute path or a path relative to the stream/branch root. Use the sourceanalyzer Ant task rules attribute.
To use custom analyze options instead, select Yes and specify a custom options string for the sourceanalyzer executable. Include analyze phase options only.
To create a PDF file of the report, select Generate PDF report and enter the path of a report template file. You can specify an absolute path or the path relative to the stream/branch root. Leave empty to use the default template.
Use the ReportGenerator utility's template option.
Tip: Instead of generating a report file, you can use the Fortify SSC plugin to send scan results to Fortify Software Security Center. For details, see Fortify SSC.
To capture findings to PulseUno, keep the option Create findings from FPR file selected.
Note: If you're running both Fortify SCA and Fortify SSC plugins in the same chain, we recommend clearing this option to avoid duplicating findings in PulseUno.
(Optional) Select Use advanced options to specify additional SCA options:
- Fortify SCA sourceanalyzer path: Enter the path to the Fortify SCA sourceanalyzer executable, for example:
- Fortify SCA ReportGenerator path: Enter the path to the Fortify SCA ReportGenerator utility, for example:
(Optional) Define the control options for the plugin step:
Enable step. By default, the step is enabled to run. Clear this option if you need to deactivate the step.
Disabled steps are skipped when the chain runs.
Fail the step. Specify the conditions for failing the step, such as unit test failures, findings criteria, and/or console log entries.
Mark step as unstable. Specify the conditions for making the step unstable, such as unit test failures, findings criteria, and/or console log entries.
(Optional) Specify the output variables to be passed to other steps down the chain. For details, see Publish output variables.
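The command lines that the translation, analysis and report steps above correspond to, as an added example that is not part of the PulseUno documentation or the plugin's own code. The build ID, file names, rulepack path and include pattern are assumed placeholders; the script only prints the command lines (it does not run sourceanalyzer) and checks that the tools are reachable for the account running it, which for the plugin is the Common Tomcat service account:

```shell
#!/bin/sh
# Added example, not from the PulseUno or Fortify documentation: builds the
# sourceanalyzer and ReportGenerator command lines that the plugin's fields
# correspond to, and checks that the tools are on PATH for the account
# running the script. It only prints the commands; it does not run them.
# BUILD_ID, the file names and the paths are placeholders.

BUILD_ID="${BUILD_ID:-pulseuno-demo}"   # the plugin supplies its own build ID
FPR="${FPR:-results.fpr}"               # FPR the plugin reads findings from

# Return 0 if every named tool is on PATH for the current account (for the
# plugin that account is the one Common Tomcat runs as), 1 otherwise.
check_tools() {
    missing=0
    for tool in "$@"; do
        if ! command -v "$tool" >/dev/null 2>&1; then
            echo "not on PATH: $tool" >&2
            missing=1
        fi
    done
    return "$missing"
}

# Translation phase for Java sources: -cp, -sourcepath and -source are the
# CLI equivalents of the classpath, sourcepath and source Ant attributes.
# Both phases must carry the same -b build ID, which is why a custom
# translation string must not include -b (the plugin sets it).
# Args: classpath, resolution source path, JDK version, include pattern.
java_translate_cmd() {
    printf 'sourceanalyzer -b %s -cp %s -sourcepath %s -source %s %s' \
        "$BUILD_ID" "$1" "$2" "$3" "$4"
}

# Analysis phase: one -rules per additional rulepack (the Ant rules
# attribute); -f names the FPR that the "Create findings from FPR file"
# option and the Fortify SSC plugin consume. Args: rulepack paths, if any.
scan_cmd() {
    rules=""
    for r in "$@"; do
        rules="$rules -rules $r"
    done
    printf 'sourceanalyzer -b %s -scan%s -f %s' "$BUILD_ID" "$rules" "$FPR"
}

# PDF report: an empty template argument means ReportGenerator's default
# template, matching the plugin's "leave empty" behaviour. Arg: template path.
report_cmd() {
    if [ -n "$1" ]; then
        printf 'ReportGenerator -format pdf -f report.pdf -source %s -template %s' \
            "$FPR" "$1"
    else
        printf 'ReportGenerator -format pdf -f report.pdf -source %s' "$FPR"
    fi
}

main() {
    # Warn, but still print the command lines, when tools are missing.
    check_tools sourceanalyzer ReportGenerator javac \
        || echo "some tools are not reachable for $(id -un); fix PATH for the service account" >&2
    java_translate_cmd 'lib/app.jar' 'src/generated' 11 '**/*.java'; echo
    scan_cmd 'rules/custom-rules.xml'; echo
    report_cmd ''; echo
}

main "$@"
```

Run it as the Common Tomcat service account (for example with su or runas) to see which tools that account cannot reach; a missing entry there is the usual reason the plugin step fails even though the same commands work from an administrator's own shell.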