Fortify integration
This topic explains how to set up an integration with Fortify, bringing security testing into your development cycle.
Overview of Fortify integration
Fortify is an application security testing service. It performs static code analysis on your application's code, assessing it for potential security vulnerabilities. It can be cloud-based or installed on-premises.
Integrating with Fortify can bring security testing into your development cycle in the following ways:
- Identifying security vulnerabilities soon after they are introduced into the code, so they can be corrected
- Raising developers' awareness and helping them avoid introducing vulnerabilities
Tip: If you are using a static code analysis tool other than Fortify, you can inject security vulnerability issues detected by the tool into OpenText Core Software Delivery Platform using the OpenText Core SDP REST API. For details, see Add vulnerability issues.
Fortify integration tools
You can integrate with Fortify using the following tools.
Fortify on Demand: Periodically, during the development cycle, run a pipeline on Jenkins that includes a Fortify on Demand Upload step. After this step uploads the application's code to Fortify on Demand, a security assessment of your code begins.
If the pipeline run is successful, OpenText Core SDP polls the Fortify on Demand server. When the assessment is complete, the newly found vulnerabilities are retrieved and displayed in the pipeline run.
Fortify Software Security Center (SSC): To begin, create a script that scans your code for security issues and generates an .fpr file. Fortify SSC analyzes the .fpr file and generates data on vulnerabilities in your code. After you configure the integration as described below, this data is sent to OpenText Core SDP via Jenkins.
The integration requires two plugins: one to integrate Jenkins with Fortify SSC, and one to integrate OpenText Core SDP with Jenkins. After you set up the plugins, run a pipeline in Jenkins that includes a Security Fortify Assessment step, which uploads the .fpr file to SSC for assessment. When the assessment is complete, Jenkins pushes the newly found vulnerabilities to OpenText Core SDP, and they are displayed in the pipeline run.
After reviewing the vulnerabilities, you can create a relevant defect to fix your code, or dismiss and close the issue. For details, see Track security vulnerabilities.
Important privacy note: If your Fortify data contains personally identifiable information (PII), contact your system administrators to check the geographical locations of the Fortify data farm and the OpenText Core SDP server. If the two are located in different geographical locations, verify with your chief information security officer or privacy office that this integration complies with your regional regulations.
Integrate with Jenkins
This section describes how to set up the integration for Fortify on Demand and the Fortify Software Security Center.
Fortify on Demand: Start by setting up Jenkins to integrate with Fortify on Demand, and setting up OpenText Core SDP to integrate with Jenkins.
- Set up your Fortify on Demand account, and make sure you have a valid Fortify Entitlement. For details, see https://www.opentext.com/products/fortify-on-demand.
  Define an application whose code you want Fortify on Demand to assess.
  We recommend that you run the first security assessment on your code manually and audit it with security experts, before integrating with OpenText Core SDP.
  Obtain the URL and API keys required to access the Fortify on Demand server using the API. The keys must permit reading vulnerabilities.
- On your Jenkins server, install and configure the Fortify on Demand uploader plugin.
  - In Manage Jenkins > System, in the Fortify on Demand section, enter the FoD URL and API URL as described in the Fortify on Demand Jenkins Plugin documentation.
  - Enter the API Key and secret, and click Test Connection to verify that there is a connection between Jenkins and Fortify on Demand.
- Create a Fortify on Demand Upload step on Jenkins to upload your application's code to Fortify on Demand for assessment.
  - In the Source Code Management fields, enter the URL of the Git repository you want to scan, as defined in Fortify on Demand. If your primary branch in Git is main and not master, enter */main in the Branch specifier field.
  - Add a post-build action: Fortify on Demand Static Assessment. In Post-build actions > Applications and release, choose Applications and release options. Select the application and release that you used to define your application in your Fortify on Demand account.
  - In the Entitlement field, select a valid license. Save your changes, then open the configuration again.
  - In Post-build actions > Applications and release, choose Release ID, and copy the release ID.
  - Add another post-build action: Poll Fortify on Demand for Results. Enter the release ID, and define the polling interval. Save your changes.
- Set up the integration with your Jenkins server. For details, see Set up CI/CD integration.
Fortify Software Security Center: Before you begin, set up the Fortify Jenkins Plugin (On-Premise). You also need to set up the Fortify Assessment plugin to work with SSC.
After both plugins are configured, perform the following:
- Set up the integration with your Jenkins server. For details, see Set up CI/CD integration.
  When configuring the Jenkins plugin, in the Parameters section add a parameter called FORTIFY_SSC_TOKEN.
  - To create this token, convert the following string to Base64 encoding:
    <SSC server login user>:<password>
  - Add a parameter in the following format:
    FORTIFY_SSC_TOKEN:Basic <Base64 encoding of SSC user:password>
    Note that Test Connection does not verify the accuracy of this token, only the connection to OpenText Core SDP.
- To enable communication between Jenkins and SSC, obtain an authentication token from SSC as described in the Fortify Software Security Center documentation. This token is used by the OpenText Core SDP Jenkins plugin to authenticate to SSC.
  - Create a CI token in SSC. This generates two keys: one that includes hyphens (-), and one that does not. Copy the key with the hyphens.
  - In Jenkins management, go to the Fortify Assessment > Authentication token field. Add a Jenkins credentials provider whose type is Fortify Connection Token, and enter the key with hyphens in the Token field.
  - Click Test SSC Connection to verify that the credentials are working properly.
- For each of the projects you want to scan, create a job in Jenkins that includes a Security Fortify Assessment step to upload the .fpr file to SSC for assessment.
  - Enter the application name and version information as defined for your project in SSC.
  - The path to the Results file must be a path that the Jenkins server can access.
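The FORTIFY_SSC_TOKEN parameter described above is just the HTTP Basic form of the SSC user name and password. As an added example (not code from OpenText or Fortify), the following builds the parameter value exactly in the format the steps describe and then runs the pre-flight check Test Connection does not do: it decodes the value back and rejects a missing Basic prefix, whitespace, or a wrapped Base64 string. The function names and the sample credentials are assumptions made for illustration.

```python
import base64
import binascii
from typing import Tuple

PARAMETER_NAME = "FORTIFY_SSC_TOKEN"


def build_ssc_token_parameter(user: str, password: str) -> str:
    """Return the parameter line in the format the page describes:
    FORTIFY_SSC_TOKEN:Basic <Base64 of user:password>.

    The Base64 is produced without line wrapping; some command-line base64
    tools wrap long output, which would corrupt the token.
    """
    if ":" in user:
        # Basic credentials split on the first colon, so a colon in the user name is ambiguous.
        raise ValueError("user name must not contain ':'")
    raw = f"{user}:{password}".encode("utf-8")
    encoded = base64.b64encode(raw).decode("ascii")
    return f"{PARAMETER_NAME}:Basic {encoded}"


def decode_ssc_token_parameter(parameter: str) -> Tuple[str, str]:
    """Check a parameter line and recover the user and password from it.

    Run this before pasting the value into Jenkins: a missing 'Basic ' prefix,
    stray whitespace or a wrapped Base64 string all fail here.
    """
    prefix = f"{PARAMETER_NAME}:Basic "
    if not parameter.startswith(prefix):
        raise ValueError("parameter must start with " + repr(prefix))
    encoded = parameter[len(prefix):]
    if any(c.isspace() for c in encoded):
        raise ValueError("Base64 value must not contain whitespace or line breaks")
    try:
        # validate=True rejects characters outside the Base64 alphabet instead of skipping them.
        raw = base64.b64decode(encoded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError(f"invalid Base64 value: {exc}") from exc
    user, sep, password = raw.partition(":")
    if not sep:
        raise ValueError("decoded value is not in user:password form")
    return user, password


def is_valid_ssc_token_parameter(parameter: str) -> bool:
    """True if the parameter line decodes cleanly; convenient as a yes/no pre-flight check."""
    try:
        decode_ssc_token_parameter(parameter)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample credentials, not real SSC values.
    line = build_ssc_token_parameter("alice", "s3cret")
    print(line)
    print(decode_ssc_token_parameter(line))
```

Base64 is an encoding, not encryption: the parameter value is the SSC password in recoverable form, so restrict who can read the job configuration and use an SSC account with only the permissions the integration needs. If you produce the value in a shell instead, remember that echo appends a newline and that some base64 utilities wrap long output, both of which this check catches.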
Create a pipeline
This section describes how to set up a pipeline that integrates with Fortify on Demand or the Fortify Software Security Center.
To set up a pipeline:
- In the Pipelines > Pipelines page, add a new pipeline.
- In the Type field, select Security.
Depending on your integration, the following then occurs:
- Fortify on Demand: After this pipeline runs successfully, OpenText Core SDP polls the Fortify on Demand server, waiting to retrieve the assessment results.
- Fortify Software Security Center: The Jenkins plugin checks periodically whether there are new scan results in the Software Security Center database. If there are, the new security data is injected into OpenText Core SDP and displayed on the corresponding pipeline run.
Configuration options
This section describes how to set the configuration options for Fortify on Demand and the Fortify Software Security Center.
By default, Fortify on Demand is checked every 2 minutes for 48 hours to see if the scan is finished. If there are more than 100 vulnerabilities, none are retrieved.
All these limits can be configured using the following configuration parameters:
- FORTIFY_POLLING_TIMEOUT_HOURS
- FORTIFY_POLLING_DELAY_MINUTES
- FORTIFY_UPPER_LIMIT_OF_ISSUES
By default, the maximum number of vulnerability issues that can be injected for each individual pipeline run is 100. This can be modified using the VULNERABILITIES_PER_PIPELINE_RUN_LIMIT parameter.
For details, see Configuration parameters.
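The polling behaviour this section describes, modelled as an added example (not the product's code): a simulated poller that applies the three Fortify on Demand parameters and the rule that nothing is retrieved when the scan reports more issues than the upper limit. Time is simulated by counting polls instead of sleeping, so the 48-hour default runs instantly; the function names, the simulated scan outcomes and the result structure are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, List


@dataclass
class PollResult:
    status: str                      # "retrieved", "over_limit" or "timeout"
    polls: int                       # how many times the server was asked
    issues: List[str] = field(default_factory=list)


def poll_for_results(
    scan_finished: Callable[[int], bool],   # given the poll number, is the scan done?
    fetch_issues: Callable[[], List[str]],  # returns all issues once the scan is done
    polling_timeout_hours: int = 48,        # FORTIFY_POLLING_TIMEOUT_HOURS default
    polling_delay_minutes: int = 2,         # FORTIFY_POLLING_DELAY_MINUTES default
    upper_limit_of_issues: int = 100,       # FORTIFY_UPPER_LIMIT_OF_ISSUES default
) -> PollResult:
    """Poll at a fixed interval until the scan is finished or the timeout lapses.

    A real poller would sleep polling_delay_minutes between calls; here the
    delay only determines how many polls fit into the timeout window.
    """
    if polling_delay_minutes <= 0 or polling_timeout_hours <= 0:
        raise ValueError("delay and timeout must be positive")
    max_polls = (polling_timeout_hours * 60) // polling_delay_minutes
    for poll in range(1, max_polls + 1):
        if scan_finished(poll):
            issues = fetch_issues()
            # Page rule: more issues than the upper limit means none are retrieved.
            if len(issues) > upper_limit_of_issues:
                return PollResult("over_limit", poll, [])
            return PollResult("retrieved", poll, issues)
    return PollResult("timeout", max_polls, [])


# Constructed sample scenarios; the issue strings are placeholders, not Fortify data.
def scenario_small_scan() -> PollResult:
    """Scan finishes on the third poll with a handful of issues."""
    return poll_for_results(lambda n: n >= 3, lambda: [f"issue-{i}" for i in range(5)])


def scenario_large_scan() -> PollResult:
    """Scan finishes immediately but reports more issues than the upper limit."""
    return poll_for_results(lambda n: n >= 1, lambda: [f"issue-{i}" for i in range(150)])


def scenario_never_finishes() -> PollResult:
    """Scan never completes, so polling stops when the timeout window is used up."""
    return poll_for_results(lambda n: False, lambda: [])


if __name__ == "__main__":
    for scenario in (scenario_small_scan, scenario_large_scan, scenario_never_finishes):
        r = scenario()
        print(f"{scenario.__name__}: {r.status} after {r.polls} poll(s), {len(r.issues)} issue(s)")
```

The over-limit case is the one to watch in practice: a pipeline run that shows no vulnerabilities may mean the scan found more than FORTIFY_UPPER_LIMIT_OF_ISSUES rather than none, so raise the limit or check the Fortify on Demand portal before treating an empty result as a clean scan.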