HPE Security Fortify Jenkins Plugin Installation And Usage Guide 17.10
HPE Security Fortify Jenkins Plugin
Software Version: 17.10

Installation and Usage Guide

Document Release Date: April 2017
Software Release Date: April 2017

Legal Notices

Warranty
The only warranties for Hewlett Packard Enterprise Development products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HPE shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.

Restricted Rights Legend
Confidential computer software. Valid license from HPE required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.
The software is restricted to use solely for the purpose of scanning software for security vulnerabilities that is (i) owned by you; (ii) for which you have a valid license to use; or (iii) with the explicit consent of the owner of the software to be scanned, and may not be used for any other purpose. You shall not install or use the software on any third party or shared (hosted) server without explicit consent from the third party.

Copyright Notice
© Copyright 2014 - 2017 Hewlett Packard Enterprise Development LP

Trademark Notices
Adobe™ is a trademark of Adobe Systems Incorporated.
Microsoft® and Windows® are U.S. registered trademarks of Microsoft Corporation.
Documentation Updates
The title page of this document contains the following identifying information:
- Software Version number
- Document Release Date, which changes each time the document is updated
- Software Release Date, which indicates the release date of this version of the software
To check for recent updates or to verify that you are using the most recent edition of a document, go to:
https://www.protect724.hpe.com/community/fortify/fortify-product-documentation
You will receive updated or new editions if you subscribe to the appropriate product support service. Contact your HPE sales representative for details.

HPE Security Fortify Jenkins Plugin (17.10) Page 2 of 15

Contents
Preface
  Contacting HPE Security Fortify Support
  For More Information
  About the Documentation Set
Change Log
HPE Security Fortify Jenkins Plugin
  Preparing Fortify Software Security Center to Work with the Jenkins Plugin
    Creating a Jenkins Token Type
    Generating a Fortify Software Security Center Authentication Token
  Installing the Jenkins Plugin
  Verifying the Jenkins Plugin Installation
  Configuring the Jenkins Plugin
  Configuring the Build Step to use the Jenkins Plugin
  Using the Jenkins Plugin with Continuous Builds
  Viewing Issues
  Configuring the Number of Issues Displayed on a Page
Send Documentation Feedback

Preface

Contacting HPE Security Fortify Support
If you have questions or comments about using this product, contact HPE Security Fortify Technical Support using one of the following options.
To Manage Your Support Cases, Acquire Licenses, and Manage Your Account: https://support.fortify.com
To Email Support: fortifytechsupport@hpe.com
To Call Support: 1.844.260.7219

For More Information
For more information about HPE Security software products: http://www.hpe.com/software/fortify

About the Documentation Set
The HPE Security Fortify Software documentation set contains installation, user, and deployment guides for all HPE Security Fortify Software products and components. In addition, you will find technical notes and release notes that describe new features, known issues, and last-minute updates. You can access the latest versions of these documents from the following HPE Security user community website:
https://www.protect724.hpe.com/community/fortify/fortify-product-documentation
You will need to register for an account.

Change Log
The following table lists changes made to this document. Revisions to this document are published between software releases only if the changes made affect product functionality.

Software Release / Document Version    Changes
17.10                                  Updated: Release date and version number
16.20                                  Updated: Made minor edits
16.10                                  Updated: Made minor edits

HPE Security Fortify Jenkins Plugin
The HPE Security Fortify Jenkins Plugin (Jenkins Plugin) is used in conjunction with HPE Security Fortify Software Security Center (Fortify Software Security Center), a collaborative system used to review and audit security analysis results. If you use an HPE Security Fortify Static Code Analyzer build-tool plugin, such as the Maven plugin, to scan your source code after each build, the Jenkins Plugin automatically uploads the Fortify Project Results (FPR) file to a Fortify Software Security Center server and enables you to view the details within Jenkins.
It also provides metrics for each build and an overview of the results, without the need to connect to Fortify Software Security Center.
This document provides instructions on how to prepare Fortify Software Security Center to work with the Jenkins Plugin, and how to install, configure, and use the plugin. For information about Jenkins, see the Jenkins web site (http://jenkins-ci.org).

Preparing Fortify Software Security Center to Work with the Jenkins Plugin
To prepare Fortify Software Security Center to work with the Jenkins Plugin, you need to create a new Fortify Software Security Center token type for Jenkins, and then use the fortifyclient utility to generate a token of that type. The following topics provide instructions on how to perform these two tasks.

Creating a Jenkins Token Type
The Jenkins Plugin communicates with Fortify Software Security Center in several ways. Because Fortify Software Security Center web services are access-controlled, you must define a new authentication token type that authorizes the various web service requests that the Jenkins Plugin uses.
To create this token type:
1. From your Fortify Software Security Center installation directory, navigate to the <ssc_deploy_dir>/WEB-INF/internal directory, and then open the serviceContext.xml file in a text editor. Here <ssc_deploy_dir> is the directory in which Fortify Software Security Center was deployed; for example, for Tomcat, it is <tomcat_dir>/webapps/ssc.
2. Add the block of text that defines the Jenkins token type to the file. The token type (referred to as JenkinsToken in the next procedure) authorizes the following web service requests (the XML that surrounds this list in the block is not reproduced in this text):

   AddProjectRequest
   AddProjectVersionRequest
   AddProjectAndVersionRequest
   GetAuthenticationTokenRequest
   ProjectListRequest
   ActiveProjectVersionListRequest
   ProjectVersionListRequest
   ProjectTemplateListRequest
   FPRUploadRequest
   AuditViewRequest
   PerformAuditActionRequest
   IssueListRequest
   GetProjectVersionIdentifiersRequest
   ProjectMetaDataDefinitionsListRequest
   AddProjectMetaDataDefinitionRequest
   UpdateProjectMetaDataDefinitionRequest
   ProjectMetaDataValuesListRequest
   ProjectMetaDataValueRequest
   GetSingleUseFPRUploadTokenRequest
   CreateAuditSessionRequest
   InvalidateAuditSessionRequest
   GroupingValuesRequest
   InvalidateTokenRequest

3. Save and close the serviceContext.xml file.
4. Restart Fortify Software Security Center.

Generating a Fortify Software Security Center Authentication Token
After you define a Jenkins token type, you must use the fortifyclient command-line utility to generate a token instance. In the following procedure, the Tools folder is located in the directory where the Fortify Software Security Center HPE_Security_Fortify_SSC_17.10_Server_WAR.zip was extracted.
To generate a Fortify Software Security Center authentication token:
1. From the Tools/fortifyclient/bin directory, run the following:

   fortifyclient token -gettoken JenkinsToken -daysToLive 365 -url http://<host>:<port>/ssc -user <username>

   where JenkinsToken is the case-sensitive fortifyclient upload token specifier.
   Notes:
   - The Fortify Software Security Center URL provided to fortifyclient must include both the port number and the context path /ssc. The correct format for the Fortify Software Security Center URL is as follows: http://<host>:<port>/ssc
   - The ability of fortifyclient to use the token to read or write information to or from Fortify Software Security Center depends on the account privileges of the Fortify Software Security Center user account specified with the -user option. The fortifyclient utility prompts for a password.
2. Type the password for the user account specified. The fortifyclient utility returns a token of the general form: cb79c492-0a78-44e3-b26c-65c14df52e86.
3. Copy the returned token into a text file.
For detailed information about the fortifyclient command-line utility, see the HPE Security Fortify Software Security Center User Guide.

Installing the Jenkins Plugin
To install the Jenkins Plugin, you must have Jenkins installed on your system. If you do not have Jenkins installed, download it from http://mirrors.jenkins-ci.org/war. See the HPE Security Fortify Software System Requirements document for the supported Jenkins versions.
For more information about how to install and start Jenkins, see the following web sites:
- https://wiki.jenkins-ci.org/display/JENKINS/Installing+Jenkins
- https://wiki.jenkins-ci.org/display/JENKINS/Starting+and+Accessing+Jenkins
To install the Jenkins Plugin:
1. Open a browser window and navigate to http://<host>:8080/. To start Jenkins locally, run:

   java -Xmx1024m -XX:MaxPermSize=512m -jar <path>/jenkins.war

2. From Jenkins, select Manage Jenkins > Manage Plugins.
3. On the Plugin Manager page, click the Advanced tab.
4. Under Upload Plugin, click Choose File, and then locate and select the HPE_Security_Fortify_Jenkins_Plugin_<version>.hpi file.
5. Click Upload.
6. Restart Jenkins. If you started Jenkins locally, press Ctrl+C in the command-line window to restart it.
For more information about how to install Jenkins plugins, see the Jenkins Plugin site https://wiki.jenkins-ci.org/display/JENKINS/Plugins.

Verifying the Jenkins Plugin Installation
To verify that the Jenkins Plugin is installed:
1. Open a browser window and navigate to http://<host>:8080.
2. From the Jenkins menu, select Manage Jenkins > Manage Plugins.
3. On the Plugin Manager page, click the Installed tab.
4. Check to make sure that HPE Security Fortify Jenkins Plugin is included in the list of installed plugins.

Configuring the Jenkins Plugin
To configure the Jenkins Plugin for use with Fortify Software Security Center:
1. Open a browser window and navigate to http://<host>:8080.
2. From the Jenkins menu, select Jenkins > Manage Jenkins > Configure System.
3. In the HPE Security Fortify Assessment section, do the following:
   a. In the URL box, type the Fortify Software Security Center server URL for which you configured the Jenkins token type. The correct format for the Fortify Software Security Center URL is: http://<host>:<port>/ssc.
   b. In the Authentication Token box, type the authentication token generated for the Fortify Software Security Center server.
4. Click Advanced Settings, and then click Test Connection. The Jenkins Plugin populates the Issue Template list with the available Fortify Software Security Center issue templates. Fortify Software Security Center uses the selected issue template when it creates new applications. The issue template optimizes the categorization, summary, and reporting of the application version data.
5. From the Issue Template list, select the appropriate issue template for your projects.
6. Click Save.
Note: There is no need to specify a value in the Issue breakdown page size box at this time. You can always change this setting later. This setting controls the Issue Breakdown table view. The default is 50 issues per page.

Configuring the Build Step to use the Jenkins Plugin
To configure the build step to use the Jenkins Plugin:
1. From Jenkins, select the job to view or create a new job.
2. On the job page, click Configure.
3. On the configuration page that opens for the job, in the Post-build Actions section, select HPE Security Fortify Assessment.
4. In the HPE Security Fortify Assessment section, provide or change values for the properties and actions listed below.
   Note: You can use job parameters in the HPE Security Fortify Assessment properties in the following formats: $param and ${param}.

   FPR Filename
      The FPR name to publish (for example, audit.fpr). If no value is specified, the Jenkins Plugin searches the workspace for files matching "./**/*.fpr" and uses the one with the latest modified date.

   FilterSet
      Filter set to use when reading the FPR. If no value is specified, the default filter set is used. Fortify Software Security Center has two filter sets: Security Auditor View and Quick View. Quick View is the default filter set. However, the issue template used to create the project determines the exact filter set configuration.
      The fail condition and the Normalized Vulnerability Score (NVS) calculation depend on the issues that pass the filter set. For example, if a "Critical Exposure" filter is applied to the project issues and no issues are found, the fail condition has no reason to set this build to "unstable", and the NVS is set to zero. The graph summary also shows zero.

   Fail Condition
      A build is considered unstable if the fail condition is met. For example, to make the build unstable whenever there is an SQL Injection issue in the High folder, use the following search string for the fail condition:

         [fortify priority order]:high category:SQL Injection

      This search string syntax is the same as that used for the Fortify Software Security Center search and filter capabilities.

   Application Name
      Application name used when uploading FPR files to Fortify Software Security Center. Leave this field blank to disable the upload. Always use Application Name and Application Version together.
      To upload an FPR file to Fortify Software Security Center:
      - Specify both Application Name and Application Version.
      - Specify the Fortify Software Security Center URL and the authentication token (see "Configuring the Jenkins Plugin").
      Note: If an application with the specified name does not exist on Fortify Software Security Center, Fortify Software Security Center creates it for a successful build.

   Application Version
      Application version used when uploading to Fortify Software Security Center. Leave this field blank to disable the upload. Always specify Application Name and Application Version together.

   Upload Wait Time
      To access this box, click Auto Job Assignment. Because the FPR upload to Fortify Software Security Center is asynchronous, the web service call returns while Fortify Software Security Center is still processing the upload request. Therefore, the Jenkins Plugin waits for the specified number of minutes before it runs the NVS calculation. The valid values are 0-60.

5. Click Save.

Using the Jenkins Plugin with Continuous Builds
To use the Jenkins Plugin with continuous builds:
1. Place the FPR that resulted from a source code scan into the workspace directory for the project.
   On Windows systems, the default directory is C:\Users\<username>\.jenkins\jobs\<job_name>\workspace.
   Note: Configure your build procedure to do this automatically. You can specify the path to your FPR file with the FPR Filename setting on the Job Configuration page. For more information, see "Configuring the Build Step to use the Jenkins Plugin".
2. From Jenkins, select Build Now.
3. To read progress messages from the Jenkins Plugin, in the Build History box, select the build link, and then, on the page that opens, select Console Output.
4. After the build completes successfully (after you see the Finished: SUCCESS message), return to the project page. The project page displays the Normalized Vulnerability Score (NVS) graph.
   NVS is a normalized score that gives you a rough idea of the security vulnerability of your project. The plugin calculates the NVS with a formula (not reproduced in this text) in which:
   - CFPO = Number of critical vulnerabilities (unless audited as Not an Issue)
   - HFPO = Number of high vulnerabilities (unless audited as Not an Issue)
   - MFPO = Number of medium vulnerabilities (unless audited as Not an Issue)
   - LFPO = Number of low vulnerabilities (unless audited as Not an Issue)
   and:
   - PABOVE = Exploitable
   - P3 = Suspicious
   - P2 = Bad practice
   - P1 = Reliability issue
   The total issue count on its own is not very useful. For example, if Application A has 0 critical issues and 10 low issues, its total issue count is 10. If Application B has five critical issues and no low issues, its total issue count is 5. These values might mislead you into thinking that Application B is in better shape than Application A, when it is not. The NVS calculated for the two example applications provides a different picture (simplified equation):
   - Application A: NVS = 0*10 + 10*0.1 = 1
   - Application B: NVS = 5*10 + 0*0.1 = 50
5. Click HPE Security Fortify Assessment on the left. The interactive List of HPE Security Fortify SSC issues page displays the Summary and Issue breakdown by Priority Order tables.
   The Summary table shows the difference in the number of issues in each category between the two most recent builds. A blue arrow next to a value indicates that the number in that category has decreased, and a red arrow indicates that the number in that category has increased.
   The Issues breakdown by Priority Order table shows detailed information about the issues for the specified location and category in each priority folder. Wait for the table to load. If the data load takes too long, you might need to refresh the browser window (F5). By default, you see the critical issues first. To see all issues, click the All tab.
   Note: The more issues a page shows, the longer it takes to load. HPE recommends that you not use the All tab for large projects.

Viewing Issues
To see only those issues that were introduced in the latest build of your code, click the Show New Issues link at the top of the table.
The first and second columns show the file name and line number of the issue and the full path to this file. The last column displays the category of each vulnerability. By default, issues are sorted by primary location. To organize them by category, click the Category column header.
To see more details about a specific issue, or to audit it, click the file name in the first column. The link takes you directly to the details for that issue on the Fortify Software Security Center server. If you are not logged in to Fortify Software Security Center, you are prompted to log in.

Configuring the Number of Issues Displayed on a Page
By default, the page displays up to 50 findings. To navigate to all findings, use Next>> and <
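The following added example (not code from the HPE guide or from the plugin itself) models how the FilterSet, Fail Condition and NVS settings described in the build-step table and the continuous-builds section interact: it applies a filter set, evaluates a fail-condition search string of the form shown in the table, and reproduces the guide's simplified NVS comparison of Application A and Application B. The filter-set shapes, the weights for high and medium issues, and the search-string matching rules are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Weights: critical 10 and low 0.1 come from the guide's simplified NVS
# example; high and medium are ASSUMED placeholders (the guide's full
# formula is not reproduced in its text).
NVS_WEIGHTS = {"critical": 10.0, "high": 5.0, "medium": 1.0, "low": 0.1}

# Filter sets modelled as predicates on the priority folder. These shapes
# are assumed for illustration; the real ones come from the SSC issue template.
FILTER_SETS = {
    "Security Auditor View": lambda p: True,
    "Quick View": lambda p: p in ("critical", "high"),
    "Critical Exposure": lambda p: p == "critical",
}

@dataclass(frozen=True)
class Issue:
    category: str       # e.g. "SQL Injection"
    priority: str       # Fortify priority order folder: critical/high/medium/low
    analysis: str = ""  # audit tag, e.g. "Not an Issue"

# Search-string fields the matcher understands (field name -> Issue attribute).
FIELDS = {"fortify priority order": "priority", "category": "category",
          "analysis": "analysis"}
# One 'field:value' term: a bracketed field or a value may contain spaces, and
# a value runs until the next 'field:' token or the end of the string.
_TERM = re.compile(r"(\[[^\]]+\]|\S+?):(.*?)(?=\s+(?:\[[^\]]+\]|\S+?):|$)")

def parse_fail_condition(query):
    """'[fortify priority order]:high category:SQL Injection'
    -> {'fortify priority order': 'high', 'category': 'sql injection'}"""
    return {f.strip("[]").lower(): v.strip().lower() for f, v in _TERM.findall(query)}

def apply_filter_set(issues, filter_set):
    keep = FILTER_SETS[filter_set]
    return [i for i in issues if keep(i.priority.lower())]

def is_unstable(issues, fail_condition):
    """True if any (filtered) issue satisfies every term of the fail condition."""
    terms = parse_fail_condition(fail_condition)
    return bool(terms) and any(
        all(getattr(i, FIELDS.get(f, ""), "").lower() == v for f, v in terms.items())
        for i in issues)

def simplified_nvs(issues):
    """Weighted count of issues, skipping those audited 'Not an Issue' (the guide
    states that exclusion for the NVS only, so this model applies it only here)."""
    return round(sum(NVS_WEIGHTS[i.priority.lower()] for i in issues
                     if i.analysis.lower() != "not an issue"), 2)

def assess(issues, filter_set, fail_condition):
    """What the post-build step reports for one FPR: (issue count, NVS, unstable)."""
    kept = apply_filter_set(issues, filter_set)
    return len(kept), simplified_nvs(kept), is_unstable(kept, fail_condition)

# Constructed sample data mirroring the guide's Application A / B comparison,
# plus an Application C with one audited-away high SQL Injection finding.
APP_A = [Issue("Log Forging", "low")] * 10
APP_B = [Issue("SQL Injection", "critical")] * 5
APP_C = [Issue("SQL Injection", "high"), Issue("SQL Injection", "high", "Not an Issue")]
FAIL = "[fortify priority order]:high category:SQL Injection"
```

Running assess(APP_A, "Critical Exposure", FAIL) reproduces the guide's filter-set caveat: nothing passes the filter, so the NVS is zero and the fail condition cannot mark the build unstable.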