Track security vulnerabilities

Track and analyze security vulnerabilities discovered in your code using Fortify, SonarQube, or other static code analysis tools.

Overview

A vulnerability is a code weakness or flaw that can potentially compromise your product's security.

You can view security vulnerabilities in your code using the following integrations.

Integration | Method

Fortify

If you set up a security testing integration with Fortify, each pipeline run triggers a security assessment of your application's code.

Vulnerabilities are shown if the pipeline run on Jenkins was successful, and the security assessment for the pipeline run is finished. For configuration details, see Fortify integration.

SonarQube

If you set up a security testing integration with SonarQube, the discovered vulnerabilities are displayed. For configuration details, see SonarQube integration.

Other static code analysis tools

If you are using a static code analysis tool other than Fortify, you can use the REST API to inject security vulnerability issues detected by the tool. For details, see Add vulnerability issues.

This helps you identify and correct security vulnerabilities introduced into the code.

After setting up integration with a code analysis tool, you can track and manage your vulnerabilities in the Issues module.

Tip: If you do not see vulnerability data, your role may not be permitted to access this information. For security purposes, administrators can block users from viewing or editing vulnerability data. For details, see Roles and permissions.


Prerequisites

The following are prerequisites for working with security vulnerabilities:

  1. To view vulnerabilities, do one of the following:

  2. To collect vulnerabilities, ensure that the pipeline type is Security. You can see a pipeline's type in the pipeline's Details tab.


View security assessment results

After setting up one of the above integrations to inject vulnerabilities, view the details of the vulnerabilities in the Issues module.

In the Vulnerabilities tab, you can select a vulnerability and view the following details.

Area | Description

Preview

Includes defects that were opened on this vulnerability, and comments on the vulnerability.

Report

Provides relevant details to help you resolve the vulnerability.

Related users

Users whose commits are likely to have caused the vulnerability, together with the relevant commit message, file, and linked item. A commit is linked to a vulnerability if it touched the same file.


View vulnerabilities

Apart from the Issues module, vulnerabilities are exposed in the following areas.

Area | Details
Pipeline runs

In each pipeline run, the Vulnerabilities tab displays details about the vulnerabilities discovered on that pipeline run.

Summary graphs

Create Summary Graphs based on the Vulnerabilities item type. This enables you to track risky releases or commits based on their vulnerabilities, filter vulnerabilities by owner, group them by severity, and more.

Tip: To track risky features (or other items in the backlog), create a custom graph based on the Feature entity. In the filter, select the Has open vulnerabilities field.

Open Vulnerabilities field: Backlog items

In the Backlog grid, add the Open Vulnerabilities column. This shows the number of vulnerabilities per work item with a status other than Closed or Not an issue, and helps you focus on the significant vulnerabilities. Click the values in the tooltip to access vulnerability details, filtered by severity.

Note: There are two types of relations between a defect and a vulnerability:

  1. A vulnerability was found in the code that was changed as part of a defect fix.
  2. A defect was reported in order to fix an open vulnerability.

In the Defects grid, the Open Vulnerabilities field indicates the first type.

Open Vulnerabilities field: Commits

In the Commits tabs, such as in the Team Backlog module, add the Open Vulnerabilities field to show the number of vulnerabilities related to the commit. Click the number to drill to the related vulnerability details.

Tip: Create a cross-filter using this field, and filter for vulnerabilities with specific severities. This enables you to create useful widgets. For example, you can create a widget showing all commits that have vulnerabilities with High severity, and group them by feature.

Has Open Vulnerabilities field: Features

In the Features grid, add the Has Open Vulnerabilities column, which shows if a feature has any descendants with vulnerabilities. Click the tooltip to view details of all vulnerabilities, or those with a specific severity.


Manage vulnerabilities

Vulnerability entities should remain relevant only for a short period of time. After reviewing a vulnerability, create a relevant defect to fix in your code, or dismiss and close the issue.

Take the following action depending on your role.

If you are a... | Recommended action

Build or CI owner

Assign a user to investigate or fix a security issue.

Committer to this pipeline run

Click the Vulnerabilities related to me button to find any security issues that your committed changes may have introduced. This filter shows only vulnerabilities found on files that were included in your commits. You can then assign yourself to investigate these issues.
User investigating a vulnerability

Click the vulnerability ID to open it and view more details.

If you are working with Fortify, and the Fortify server is available, additional information about the security assessment is displayed to help you fix the issue, for example an explanation of the issue and the suggested recommendations.

User who investigated a vulnerability

If you found the problem that needs to be addressed, click the Report Defect button to create a defect from the selected vulnerability. The important details from the vulnerability are automatically included in the defect.

User handling a vulnerability

The Status (Remote) and Analysis (Remote) fields on each vulnerability show the status and analysis data that are received from your static code analysis tool. These fields are read-only.

You can update the Status (Local) and Analysis (Local) fields to track your work on a vulnerability. Note that these values are not synchronized with the analysis tool.

Note: The Status (Local) and Analysis (Local) fields do not affect the Open Vulnerabilities fields in the Backlog and Feature tabs. The Open Vulnerabilities value is calculated from the remote fields only.
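The field rules described on this page (a commit is linked to a vulnerability if it touched the same file; Open Vulnerabilities counts vulnerabilities whose remote status is neither Closed nor Not an issue and ignores the local fields; a feature has open vulnerabilities if any of its descendants do; Vulnerabilities related to me shows only vulnerabilities on files included in your commits) can be modelled in a few lines. The following Python is an added illustration written for this page, not the product's own code or REST API; the data classes, field names and sample records are constructed assumptions, and a vulnerability with no work item stands in for a missed vulnerability that carries no commit details.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Remote statuses that do NOT count toward "Open Vulnerabilities" (from the page).
NON_OPEN_STATUSES = {"Closed", "Not an issue"}


@dataclass
class Vulnerability:
    vid: str
    file: str
    severity: str
    status_remote: str                 # synced from the analysis tool, read-only
    status_local: str = "New"          # local tracking only; never affects open counts
    work_item: Optional[str] = None    # backlog item the vulnerability is attributed to


@dataclass
class Commit:
    sha: str
    author: str
    files: Set[str]


@dataclass
class Feature:
    name: str
    children: List[str]                # descendant work-item ids


def is_open(v: Vulnerability) -> bool:
    """Open is decided by the remote status alone; the local status is ignored."""
    return v.status_remote not in NON_OPEN_STATUSES


def open_vulnerabilities_per_item(vulns: List[Vulnerability]) -> Dict[str, int]:
    """Backlog grid: number of open vulnerabilities per work item (zero counts omitted)."""
    counts: Dict[str, int] = {}
    for v in vulns:
        if v.work_item and is_open(v):
            counts[v.work_item] = counts.get(v.work_item, 0) + 1
    return counts


def related_commits(v: Vulnerability, commits: List[Commit]) -> List[str]:
    """A commit is linked to a vulnerability if it touched the same file."""
    return [c.sha for c in commits if v.file in c.files]


def open_vulnerabilities_per_commit(vulns: List[Vulnerability], commits: List[Commit]) -> Dict[str, int]:
    """Commits tab: number of open vulnerabilities related to each commit."""
    return {c.sha: sum(1 for v in vulns if is_open(v) and v.file in c.files) for c in commits}


def vulnerabilities_related_to_me(vulns: List[Vulnerability], commits: List[Commit],
                                  user: str, severities: Optional[Set[str]] = None) -> List[str]:
    """'Vulnerabilities related to me': only vulnerabilities on files in the user's commits,
    optionally narrowed to specific severities (the cross-filter described on the page)."""
    my_files: Set[str] = set()
    for c in commits:
        if c.author == user:
            my_files |= c.files
    return [v.vid for v in vulns
            if v.file in my_files and (severities is None or v.severity in severities)]


def has_open_vulnerabilities(feature: Feature, item_counts: Dict[str, int]) -> bool:
    """Features grid: true if any descendant work item has an open vulnerability."""
    return any(item_counts.get(child, 0) > 0 for child in feature.children)


# Constructed sample data (not real scan output).
VULNS = [
    Vulnerability("V-1", "src/login.py", "High", "Open", "In progress", "US-10"),
    Vulnerability("V-2", "src/login.py", "Medium", "Closed", "New", "US-10"),
    # Locally marked Closed but still open remotely: it still counts.
    Vulnerability("V-3", "src/api/upload.py", "Critical", "Reviewed", "Closed", "US-11"),
    Vulnerability("V-4", "src/util.py", "Low", "Not an issue", "New", "D-5"),
    Vulnerability("V-5", "src/util.py", "Low", "Open", "New", None),   # missed: no work item
]
COMMITS = [
    Commit("a1b2c3", "alice", {"src/login.py", "README.md"}),
    Commit("d4e5f6", "bob", {"src/api/upload.py"}),
    Commit("0a0b0c", "alice", {"docs/guide.md"}),
]
FEATURES = [Feature("F-1", ["US-10", "US-11"]), Feature("F-2", ["D-5"])]

if __name__ == "__main__":
    counts = open_vulnerabilities_per_item(VULNS)
    print("open per item:", counts)
    print("open per commit:", open_vulnerabilities_per_commit(VULNS, COMMITS))
    print("related to alice:", vulnerabilities_related_to_me(VULNS, COMMITS, "alice"))
    for f in FEATURES:
        print(f.name, "has open vulnerabilities:", has_open_vulnerabilities(f, counts))
```

Note that V-3 is counted as open for US-11 and for feature F-1 even though its local status is Closed, and that V-5 appears in the per-file commit checks but in no work-item count, which is the behaviour the page describes for local fields and for missed vulnerabilities.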


Updated and missed vulnerabilities

The following occurs when a vulnerability is updated or missed.

Vulnerability | Description

Updated

If you are using Fortify or the REST API to inject vulnerabilities, updates to the vulnerability are shown.

For example, if a vulnerability's status changes in Fortify, the updated status is displayed. If you set an analysis in Fortify Software Security Center (SSC) and rerun the pipeline, this analysis displays as Analysis (Remote).

Missed

The vulnerabilities that are shown are those discovered through a pipeline job. If you run a sub-job directly from Jenkins and a vulnerability is added to the SSC, it is not detected by the main pipeline. However, if you update your code and then run the pipeline, this missed vulnerability is detected, and it is labeled as a Missed Vulnerability.

These vulnerabilities do not contain commit details, because they were not detected on creation, but they are displayed so that you are aware of them and do not overlook potential problems in your code.
