Fortify 360 FPR post-processing and uploading to Fortify 360 Server
- This plugin is not maintained by Fortify
- Plugin version 2.0+ only supports Fortify 360 Server v2.5 or later. If you are using Fortify 360 Server 2.1 or older, please stay with plugin version 1.4
- Upload the FPR to Fortify 360 Server
- Plot Normalized Vulnerabilities Score (NVS) against each build (on Windows/Linux/Mac only)
- Consider a build as UNSTABLE if major vulnerabilities were found (on Windows/Linux/Mac only)
Installation & Setup
The easiest way to set up the plugin is to include Fortify in your PATH environment variable. If you don't want to add Fortify to your PATH, set it up as follows:
You don't need to install Fortify on the master node; you only need to copy the following 4 jars from a Fortify installation and set their path in the global config.
Because the plugin needs to run "reportGenerator", Fortify must be installed on the slave node. If "reportGenerator" cannot be found, the plugin skips plotting the NVS chart; the other features are not affected.
We will try to locate "reportGenerator" in the following order:
- FORTIFY_HOME environment variable (if set)
- PATH environment variable
- the Fortify path of the master node
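The lookup order above, as an added shell example that is not part of the plugin (the plugin itself is Java and reads the master's Fortify path from the global config; here that path is passed in as a hypothetical argument). It assumes the standard installation layout places the tool at <install>/bin/reportGenerator, and can be run on a slave to see what the plugin will resolve before a build starts.

```shell
#!/bin/sh
# Added example (not the plugin's own code): resolve "reportGenerator" in the
# order described on this page, so a slave can be checked before a build runs.
# Assumption: a Fortify installation keeps the tool at <install>/bin/reportGenerator.

# Usage: find_report_generator [master_fortify_path]
# Prints the resolved path and returns 0; returns 1 if nothing is found
# (the plugin then skips the NVS chart but still uploads the FPR).
find_report_generator() {
    master_fortify_path="$1"

    # 1. FORTIFY_HOME environment variable, if set
    if [ -n "$FORTIFY_HOME" ] && [ -x "$FORTIFY_HOME/bin/reportGenerator" ]; then
        printf '%s\n' "$FORTIFY_HOME/bin/reportGenerator"
        return 0
    fi

    # 2. PATH environment variable
    on_path=$(command -v reportGenerator 2>/dev/null || true)
    if [ -n "$on_path" ]; then
        printf '%s\n' "$on_path"
        return 0
    fi

    # 3. The Fortify path configured on the master node (hypothetical argument
    #    here; the real plugin takes it from the global config)
    if [ -n "$master_fortify_path" ] && [ -x "$master_fortify_path/bin/reportGenerator" ]; then
        printf '%s\n' "$master_fortify_path/bin/reportGenerator"
        return 0
    fi

    return 1
}

# Demonstration on a constructed fake installation under a temporary
# directory; nothing here touches a real Fortify install.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/fortify/bin"
printf '#!/bin/sh\necho fake reportGenerator\n' > "$demo_dir/fortify/bin/reportGenerator"
chmod +x "$demo_dir/fortify/bin/reportGenerator"

if tool=$(find_report_generator "$demo_dir/fortify"); then
    echo "reportGenerator resolved to: $tool"
else
    echo "reportGenerator not found; NVS chart would be skipped"
fi
rm -rf "$demo_dir"
```

If the script resolves a different copy than you expected, the cause is almost always a FORTIFY_HOME left over in the slave's environment, since that takes precedence over both PATH and the master's configured path.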
How it works
- The plugin uses "reportGenerator", which is installed with Fortify 360, to generate an XML report from which it retrieves the FPR summary data.
- Starting from v2.0, the plugin uploads the FPR to Fortify 360 Server directly through a web service (WS) call. Before v2.0, it used "fortifyclient" to upload the FPR.
The plugin assumes the FPRs are stored inside the workspace (which may be on a remote slave machine), not in the build root directory (which is on the master machine).
samngms [at] gmail [dot] com
Version 2.1 (Oct 11, 2010)
- Bug fixed: the project selection pull-down menu didn't work if the URL contained a context path
Version 2.0 (Sep 3, 2010)
- Most fields are validated
- Populates Project IDs into a pull-down menu
Version 1.4 (May 24, 2010)
- Support Master/Slave
- Bug fixed: help page URLs are now correct in Hudson with a URL context prefix
Version 1.3 (April 6, 2010)
- The NVS equation for SCA 5.8 was wrong. Fixed in v1.3
Version 1.2 (April 5, 2010)
- Support SCA 5.8 FPO (Fortify Priority Order) when calculating NVS. The plugin assumes Critical/High/Medium/Low if your "sourceanalyzer -version" is 5.8.x or higher, and Hot/Warning/Info if it is 5.7.x or earlier
- Since ReportGenerator is only available on Windows/Linux/Mac, on other platforms the plugin can't calculate NVS, but it can now at least upload the FPR to the F360 Server
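The version threshold from the 1.2 entry above, as an added shell example that is not plugin code. It assumes the caller has already pulled a dotted "major.minor[.more]" string out of the "sourceanalyzer -version" output (that output's exact format is not shown on this page) and picks the severity scheme the plugin would assume. The point worth seeing in code is that the comparison has to be numeric: a string compare puts "5.10" below "5.8" and silently selects the old three-level scheme.

```shell
#!/bin/sh
# Added example (not the plugin's own code): choose the severity scheme the
# plugin assumes from an SCA version string, per the changelog rule:
#   5.8.x or higher -> Fortify Priority Order (Critical/High/Medium/Low)
#   5.7.x or lower  -> Hot/Warning/Info
# Assumption: the caller has already extracted "major.minor[.more]" from the
# "sourceanalyzer -version" output.

# Usage: severity_scheme <version>
# Prints the scheme and returns 0; returns 2 for a malformed version string.
severity_scheme() {
    v="$1"
    case "$v" in
        *.*) major=${v%%.*}; rest=${v#*.}; minor=${rest%%.*} ;;
        *)   major=$v; minor=0 ;;
    esac
    # Reject anything that is not two non-negative integers.
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    case "$minor" in ''|*[!0-9]*) return 2 ;; esac

    # Numeric comparison: "5.10" must rank above "5.8".
    if [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 8 ]; }; then
        echo "Critical/High/Medium/Low"
    else
        echo "Hot/Warning/Info"
    fi
}

# Constructed sample versions, not real sourceanalyzer output.
for sample in 5.7.2 5.8.0 5.10.1 6.0 garbage; do
    if scheme=$(severity_scheme "$sample"); then
        echo "$sample -> $scheme"
    else
        echo "$sample -> unrecognised version string"
    fi
done
```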