Micro Focus  
Fortify Jenkins Plugin  
Software Version: 22.1  
User Guide  
Document Release Date: August 2022  
Software Release Date: August 2022  
User Guide  
Legal Notices  
Micro Focus  
The Lawn  
22-30 Old Bath Road  
Newbury, Berkshire RG14 1QN  
UK  
Warranty  
The only warranties for products and services of Micro Focus and its affiliates and licensors (“Micro Focus”) are set forth in the  
express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an  
additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained herein. The  
information contained herein is subject to change without notice.  
Restricted Rights Legend  
Confidential computer software. Except as specifically indicated otherwise, a valid license from Micro Focus is required for  
possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software  
Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard  
commercial license.  
Copyright Notice  
© Copyright 2014 - 2022 Micro Focus or one of its affiliates  
Trademark Notices  
All trademarks, service marks, product names, and logos included in this document are the property of their respective owners.  
Documentation Updates  
The title page of this document contains the following identifying information:  
• Software Version number
• Document Release Date, which changes each time the document is updated
• Software Release Date, which indicates the release date of this version of the software
This document was produced on August 31, 2022. To check for recent updates or to verify that you are using the most recent  
edition of a document, go to:  
Micro Focus Fortify Jenkins Plugin (22.1)  
Page 2 of 67  
Preface
Contacting Micro Focus Fortify Customer Support  
Visit the Support website to:  
• Manage licenses and entitlements
• Create and manage technical assistance requests
• Browse documentation and knowledge articles
• Download software
• Explore the Community
For More Information  
For more information about Fortify software products:  
About the Documentation Set  
The Fortify Software documentation set contains installation, user, and deployment guides for all  
Fortify Software products and components. In addition, you will find technical notes and release notes  
that describe new features, known issues, and last-minute updates. You can access the latest versions  
of these documents from the following Micro Focus Product Documentation website:  
To be notified of documentation updates between releases, subscribe to Fortify Product  
Announcements on the Micro Focus Community:  
Fortify Product Feature Videos  
You can find videos that highlight Fortify products and features on the Fortify Unplugged YouTube  
channel:  
Change Log
The following table lists changes made to this document. Revisions to this document are published between software releases only if the changes made affect product functionality.

Software Release / Document Version: 22.1
Changes: Updated:
• Added the ability to use Jenkins Credential to provide authentication tokens for connecting to Fortify Software Security Center and Fortify
• You can now specify proxy settings in the Jenkins Plugin Manager for connecting to Micro Focus Fortify Software Security Center and the Fortify Rulepack update server (see "Configuring Global Settings for
• Option added to accept the public key for downloading Fortify security content from Fortify Software Security Center in Freestyle and pipeline projects
• Improved the selection of a filter set for uploading local scan results to Fortify Software Security Center in Freestyle projects
• The fortifyUpload pipeline step now returns the number of issues that match a specified build failure criteria (see "fortifyUpload Step" on

Software Release / Document Version: 21.2
Changes: Updated:
• New field added for maximum number of application versions per list and option to disable local scans ("Configuring Global Settings for the
• New ability to translate with MSBuild and new option to skip the project preparation build step (see "Creating a Post-Build Action to
• New ability to use a Gradle or Maven executable configured with Jenkins Global Tool Configuration (see "Creating a Post-Build Action to
• The timeout option is now available in the Snippet Generator (see

Software Release / Document Version: 21.1.0
Changes: Added:

Software Release / Document Version: 20.2.0
Changes: Added:
Updated:
• Added optional Jenkins environment variables and added fields for connection timeout, read timeout, and write timeout (see "Configuring
Chapter 1: Introduction  
Use the Fortify Jenkins Plugin in your continuous integration builds to identify security issues in your  
source code with Micro Focus Fortify Static Code Analyzer. A Fortify Static Code Analyzer security  
analysis consists of the following phases:  
• Translate all source code files into intermediate files
• Scan the source to complete the security analysis
The Fortify Jenkins Plugin provides three ways to analyze your source code:
• Offload the complete analysis (translation and scan) to Fortify ScanCentral SAST
• Perform a translation on the local system and then offload the more CPU-intensive scan phase to Fortify ScanCentral SAST
• Perform the complete analysis (translation and scan) on the local system
You can run the analysis locally with Gradle, Maven, MSBuild, and Visual Studio (devenv). You can  
also analyze your source code without a build tool.  
After the Fortify Static Code Analyzer analysis is complete, you can upload the scan results to a  
Fortify Software Security Center server.  
For complete analysis run locally only: If you upload the scan results to a Micro Focus Fortify  
Software Security Center server, you can view the analysis result details within Jenkins. The results  
provide metrics for each build and an overview of the results, without requiring you to log into Fortify  
Software Security Center.  
This guide provides instructions for how to install, configure, and use the plugin.  
Software Requirements  
The Fortify Jenkins Plugin works with the software packages listed in the following table. Your  
specific requirements depend on the build tools you are using. This table also provides information to  
help you prepare to add Fortify Static Code Analyzer analysis to your jobs.  
Software: Micro Focus Fortify Static Code Analyzer
Version: 18.20 or later
Notes: To scan your project locally with Fortify Static Code Analyzer, you must either have the path to the Fortify Static Code Analyzer installation directory so you can specify it in the configuration or make sure that the PATH environment variable includes the sourceanalyzer executable (see
For supported versions of Gradle, Maven, MSBuild, and Visual Studio, see the Micro Focus Fortify Software System Requirements document for your version of Fortify Static
Note: Performing remote analysis requires Fortify Static Code Analyzer version 19.2.0 or later.

Software: Micro Focus Fortify Software Security Center (Optional)
Version: 18.20 or later
Notes: To upload scan results to Fortify Software Security Center, to trigger a build failure based on the scan results, and to see scan results in Jenkins, make sure that you have:
• The Fortify Software Security Center URL
• A Fortify Software Security Center authentication token of
To perform a remote analysis, make sure that you have a Fortify Software Security Center authentication token of type ScanCentralCtrlToken (see "Preparing to Work with Fortify
Note: The ScanCentralCtrlToken was introduced in Fortify Software Security Center version 20.1.0. Use the CloudCtrlToken with Fortify Software Security Center versions 19.2.x or earlier.

Software: Micro Focus Fortify ScanCentral SAST or Micro Focus Fortify CloudScan (Optional)
Version: 19.2.0 or later
Notes: To perform a Fortify Static Code Analyzer analysis on a remote system using Fortify ScanCentral SAST, make sure that you have properly configured Fortify ScanCentral SAST and you have the ScanCentral Controller URL.
Note: If you plan to upload remote scan results to Fortify Software Security Center, then you do not need to provide a ScanCentral Controller URL. The Fortify Jenkins Plugin automatically determines the ScanCentral Controller that is associated with Fortify Software Security Center.
For languages that are supported for offloading project translation, see the Micro Focus Fortify Software System Requirements document for your version of Fortify
Note: Translation of .NET requires the following:
• Fortify CloudScan version 19.2.0 requires .NET Framework 4.6.1 or later.
• Fortify ScanCentral SAST versions 20.1.0 or later require .NET Framework 4.7.2 or later.
To integrate the scan with Maven, you must install the Fortify Maven plugin, which is available when  
you install Fortify SCA and Apps. Fortify recommends that you use the same Fortify Maven Plugin  
version as the Fortify Static Code Analyzer version and that you install the source version of the  
Fortify Maven Plugin rather than the binary version. You must install the Fortify Maven Plugin for the  
same user who is running Jenkins. If you use a proxy, then you must configure proxy settings for the  
Fortify Maven Plugin. For information, see the Settings Reference at https://maven.apache.org. For  
more information about build integration with the Fortify Maven Plugin, see the Micro Focus Fortify  
Static Code Analyzer User Guide.  
To integrate the scan with devenv, you must install the Micro Focus Fortify Extension for Visual  
Studio. For more information, see the Micro Focus Fortify Extension for Visual Studio User Guide in  
Related Documents  
This topic describes documents that provide information about Micro Focus Fortify software  
products.  
Note: You can find the Micro Focus Fortify Product Documentation at  
Micro Focus Fortify ScanCentral SAST  
The following document provides information about Fortify ScanCentral SAST. Unless otherwise  
noted, this document is available on the Micro Focus Product Documentation website at  
Document / File Name: Micro Focus Fortify ScanCentral SAST Installation, Configuration, and Usage Guide
SC_SAST_Guide_<version>.pdf
Description: This document provides information about how to install, configure, and use Fortify ScanCentral SAST to streamline the static code analysis process. It is written for anyone who intends to install, configure, or use Fortify ScanCentral SAST to offload the resource-intensive translation and scanning phases of their Fortify Static Code Analyzer process.
Micro Focus Fortify Software Security Center  
The following document provides information about Fortify Software Security Center. Unless  
otherwise noted, this document is available on the Micro Focus Product Documentation website at  
Document / File Name: Micro Focus Fortify Software Security Center User Guide
SSC_Guide_<version>.pdf
Description: This document provides Fortify Software Security Center users with detailed information about how to deploy and use Software Security Center. It provides all of the information you need to acquire, install, configure, and use Software Security Center.
It is intended for use by system and instance administrators, database administrators (DBAs), enterprise security leads, development team managers, and developers. Software Security Center provides security team leads with a high-level overview of the history and current status of a project.
Micro Focus Fortify Static Code Analyzer  
The following documents provide information about Fortify Static Code Analyzer. Unless otherwise  
noted, these documents are available on the Micro Focus Product Documentation website at  
Document / File Name: Micro Focus Fortify Static Code Analyzer User Guide
SCA_Guide_<version>.pdf
Description: This document describes how to install and use Fortify Static Code Analyzer to scan code on many of the major programming platforms. It is intended for people responsible for security audits and secure coding.

Document / File Name: Micro Focus Fortify Static Code Analyzer Custom Rules Guide
SCA_Cust_Rules_Guide_<version>.zip
Description: This document provides the information that you need to create custom rules for Fortify Static Code Analyzer. This guide includes examples that apply rule-writing concepts to real-world security issues.
Note: This document is included only with the product download.
Chapter 2: Installation and Configuration  
This chapter describes how to install and configure the Fortify Jenkins Plugin.  
This section contains the following topics:  
Installing the Fortify Jenkins Plugin  
To install the Fortify Jenkins Plugin, you must have Jenkins installed on your system. See the Micro  
Focus Fortify Software System Requirements document for the supported Jenkins versions.  
Note: These instructions describe a third-party product and might not match the specific,  
supported version you are using. See your product documentation for the instructions for your  
version.  
To install the Fortify Jenkins Plugin:  
1. From Jenkins, select Manage Jenkins > Manage Plugins.  
2. On the Plugin Manager page, select the Available tab.  
3. In the Filter box, type Fortify.
4. Select the check box for the Fortify plugin, and then click either Install without restart or  
Download and install after restart.  
For more information about how to install Jenkins plugins, see the Jenkins website.  
Verifying the Fortify Jenkins Plugin Installation  
Note: These instructions describe a third-party product and might not match the specific,  
supported version you are using. See your product documentation for the instructions for your  
version.  
To verify that the Fortify Jenkins Plugin is installed:  
1. Open a browser window and navigate to the Jenkins server URL.  
2. From the Jenkins menu, select Manage Jenkins > Manage Plugins.  
3. On the Plugin Manager page, select the Installed tab.  
4. Verify that the list of installed plugins includes the Fortify plugin.  
Preparing to Work with Fortify Software Security Center and Fortify ScanCentral SAST
To perform either of the following tasks, you need to have an authentication token created in Fortify  
Software Security Center. You use this authentication token to configure the Fortify Jenkins Plugin to  
communicate with Fortify Software Security Center or Fortify ScanCentral SAST. The following table  
describes the tasks and the token type needed to perform the task.  
Task: Upload local Fortify Static Code Analyzer scan results to Fortify Software Security Center
Token Type: CIToken

Task: Perform a remote Fortify Static Code Analyzer analysis using Fortify ScanCentral SAST (this includes the ability to upload the remote scan results to Fortify Software Security Center)
Token Type: ScanCentralCtrlToken
Note: Use a token of type CloudCtrlToken only with Fortify Software Security Center versions 19.2.x or earlier.
Obtain an authentication token from your Fortify Software Security Center administrator or see the  
Micro Focus Fortify Software Security Center User Guide in Fortify Software Security Center  
Documentation for instructions.  
Configuring Global Settings for the Fortify Jenkins Plugin
Note: These instructions describe a third-party product and might not match the specific,  
supported version you are using. See your product documentation for the instructions for your  
version.  
To configure your Jenkins server so that it can analyze your project and upload results to Fortify  
Software Security Center using the Fortify Jenkins Plugin:  
1. Open a browser window and navigate to the Jenkins server URL.  
2. From the Jenkins menu, select Jenkins > Manage Jenkins > Configure System.  
3. To analyze (translate or scan) your project locally with Fortify Static Code Analyzer, you can  
create a Jenkins environment variable to specify the location of the Fortify Static Code Analyzer  
executable. Otherwise, the Fortify Jenkins Plugin looks for the executable on the system Path  
variable.  
You can use build tools that you have set up with the Jenkins Global Tool Configuration in the  
Fortify Jenkins Plugin. Alternatively, you can create Jenkins environment variables to specify the  
location of a required build tool executable.  
The following table describes the environment variables you can create in Global properties.  
Note: Do not use paths that end in /bin. The Fortify Jenkins Plugin looks for the location of  
an executable in the following order: Jenkins Global Tool Configuration (Gradle and Maven  
only), Jenkins environment variable, the PATH system environment variable, and lastly the  
build's workspace.  
Name: FORTIFY_HOME
Value: <sca_install_dir>
Description: Specify the path where Fortify Static Code Analyzer is installed. For example, the default location on Windows is C:\Program Files\Fortify\Fortify_SCA_and_Apps_<sca_version>.

Name: GRADLE_HOME
Value: <gradle_install_dir>
Description: (Optional) Specify the path where Gradle is installed.

Name: M2_HOME or MAVEN_HOME
Value: <maven_install_dir>
Description: (Optional) Specify the path where Apache Maven is installed.
Note: The Fortify Maven Plugin must be installed. See "Software Requirements" on page 9 for more information.
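The lookup order described in the note above, as an added example that is not the plugin's own code: a Python resolver that finds sourceanalyzer, gradle or mvn in the documented order (Global Tool Configuration for Gradle and Maven only, then the Jenkins environment variable, then PATH, then the workspace) and flags a home variable that ends in /bin. The assumption that the plugin appends bin/ to the configured home directory itself is ours; HOME_VARS, locate_tool and demo are names invented for this example.

```python
import os
import stat
import tempfile

# Jenkins environment variables the guide names for each tool's install directory.
HOME_VARS = {
    "sourceanalyzer": ("FORTIFY_HOME",),
    "gradle": ("GRADLE_HOME",),
    "mvn": ("M2_HOME", "MAVEN_HOME"),
}
# Only Gradle and Maven can come from Jenkins Global Tool Configuration.
GLOBAL_TOOL_CAPABLE = {"gradle", "mvn"}


def _find_in_dir(directory, name):
    """Return directory/name if it exists and is executable, else None."""
    path = os.path.join(directory, name)
    if os.path.isfile(path) and os.access(path, os.X_OK):
        return path
    return None


def locate_tool(name, env, workspace, global_tools=None):
    """Resolve a tool in the documented order and return (path, source, warnings).

    env: the Jenkins global properties (a plain dict here, constructed by the caller).
    global_tools: tool name -> install directory from Global Tool Configuration.
    Assumption (ours): the plugin appends bin/ to a configured home directory,
    which is why the guide says not to use a path that already ends in /bin.
    """
    warnings = []
    # 1. Jenkins Global Tool Configuration (Gradle and Maven only).
    if global_tools and name in GLOBAL_TOOL_CAPABLE and name in global_tools:
        found = _find_in_dir(os.path.join(global_tools[name], "bin"), name)
        if found:
            return found, "global-tool", warnings
    # 2. Jenkins environment variable that points at the install directory.
    for var in HOME_VARS.get(name, ()):
        home = env.get(var)
        if not home:
            continue
        if home.rstrip("/\\").endswith(("/bin", "\\bin")):
            warnings.append(f"{var} ends in /bin; set it to the install directory instead")
        found = _find_in_dir(os.path.join(home, "bin"), name)
        if found:
            return found, var, warnings
        warnings.append(f"{var}={home} has no bin/{name}")
    # 3. The PATH system environment variable.
    for directory in env.get("PATH", "").split(os.pathsep):
        found = _find_in_dir(directory, name) if directory else None
        if found:
            return found, "PATH", warnings
    # 4. The build's workspace, tried last.
    found = _find_in_dir(workspace, name)
    if found:
        return found, "workspace", warnings
    return None, None, warnings


def demo():
    """Build a throwaway directory tree (constructed sample data) and exercise each step."""
    root = tempfile.mkdtemp()

    def fake_exe(*parts):
        path = os.path.join(root, *parts)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write("#!/bin/sh\nexit 0\n")
        os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR)
        return path

    sca_home = os.path.join(root, "Fortify_SCA_and_Apps_22.1.0")
    fake_exe("Fortify_SCA_and_Apps_22.1.0", "bin", "sourceanalyzer")
    gradle_home = os.path.join(root, "tools", "gradle")
    fake_exe("tools", "gradle", "bin", "gradle")
    workspace = os.path.join(root, "workspace")
    fake_exe("workspace", "mvn")

    # The wrong configuration points FORTIFY_HOME at .../bin, as the guide warns against.
    wrong_env = {"FORTIFY_HOME": os.path.join(sca_home, "bin"), "PATH": "/nonexistent"}
    good_env = {"FORTIFY_HOME": sca_home, "PATH": "/nonexistent"}
    return {
        "sca_wrong_home": locate_tool("sourceanalyzer", wrong_env, workspace),
        "sca_good_home": locate_tool("sourceanalyzer", good_env, workspace),
        "gradle": locate_tool("gradle", good_env, workspace, {"gradle": gradle_home}),
        "mvn": locate_tool("mvn", good_env, workspace),
    }


if __name__ == "__main__":
    for case, (path, source, warnings) in demo().items():
        print(f"{case}: {path or 'NOT FOUND'} via {source}; warnings={warnings}")
```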
4. To upload results from a local analysis to Fortify Software Security Center, scroll down to the  
Fortify Assessment section, and then do the following in the Software Security Center  
configuration section:  
a. In the SSC URL box, type the Fortify Software Security Center server URL provided by your  
Fortify Software Security Center administrator.  
b. Provide a Fortify Software Security Center Authentication token by doing the following:  
i. Click Add > Jenkins to open the Jenkins Credentials Provider dialog box.  
ii. From the Kind menu select Fortify Connection Token.  
iii. Provide description information so you can easily identify the credential.  
iv. In the Token box, type the decoded value of a Fortify Software Security Center  
authentication token of type CIToken.  
v. Click Add.  
c. (Optional) To connect to Fortify Software Security Center with a proxy server, select Use  
Jenkins proxy.  
The Fortify Jenkins Plugin will use the proxy settings configured in the Jenkins Plugin  
Manager when connecting to a Fortify Software Security Center server or a Fortify Rulepack  
update server. The Jenkins Plugin Manager allows you to exclude servers from using a proxy  
in case a proxy is only required for one server and not the other.  
d. (Optional) To test the connection to Fortify Software Security Center, click Test  
SSC connection.  
e. From the Issue template list, select the appropriate issue template for your projects.  
Fortify Software Security Center uses the selected issue template when it creates new  
applications. The issue template optimizes the categorization, summary, and reporting of the  
application version data.  
Note: If no issue template is specified, Fortify Jenkins Plugin creates the application  
version using the default issue template settings in Fortify Software Security Center.  
f. (Optional) To specify the maximum number of issues to display per page in the results  
breakdown table, type a number in the Maximum issues per page box.  
Note: This setting controls the Issue Breakdown table view. The default is 50 issues per  
page.  
g. (Optional) To specify the maximum number of application versions to display in lists for a  
Fortify Assessment post-build action configuration, type a number in the Maximum  
application versions per list box.  
Note: The default is 100 application versions per list. You can type or search for the  
application name if the application that you want does not appear within the maximum  
application versions listed.  
h. (Optional) To specify how long to wait to connect to Fortify Software Security Center before  
timing out, type the time in seconds the Connection timeout box. A value of 0 means no  
timeout. The default is 10 seconds.  
i. (Optional) To specify how long to wait for a response from Fortify Software Security Center  
before timing out, type the time in seconds in the Read timeout box. A value of 0 means no  
timeout. The default is 10 seconds.  
j. (Optional) To specify how long to allow request data to be sent to Fortify Software Security  
Center before timing out, type the time in seconds in the Write timeout box. A value of 0  
means no timeout. The default is 10 seconds.  
5. To perform a Fortify Static Code Analyzer analysis on a remote system, do the following in the  
Controller configuration section:  
a. In the Controller URL box, type the ScanCentral Controller URL.  
Note: If you specify a URL in the Software Security Center configuration section  
(SSC URL), then the Fortify Jenkins Plugin automatically determines the ScanCentral  
Controller URL from Fortify Software Security Center and you do not need to provide a  
ScanCentral Controller URL.  
The format for the ScanCentral Controller URL is:  
<protocol>://<controller_host>:<port>/scancentral-ctrl (for example:  
b. Provide a Fortify Software Security Center Controller token by doing the following:  
i. Click Add > Jenkins to open the Jenkins Credentials Provider dialog box.  
ii. From the Kind menu select Fortify Connection Token.  
iii. Provide description information so you can easily identify the credential.  
iv. In the Token box, type the decoded value of a Fortify Software Security Center  
authentication token of type ScanCentralCtrlToken.  
v. Click Add.  
c. (Optional) To test the connection to Fortify ScanCentral SAST, click Test Controller  
connection.  
6. To disable Fortify Static Code Analyzer scans on the local system, select the Disable local scans  
check box.  
Note: Fortify Static Code Analyzer translation on the local system is still allowed with this  
setting selected.  
7. Click Save.  
Using a File to Configure Global Settings for the Fortify Jenkins Plugin
If you have the Jenkins Configuration as Code plugin installed and configured, you can set up a text-based configuration for the Fortify Jenkins Plugin. The Fortify Jenkins Plugin entries belong in the
unclassified root element. For more about the Jenkins Configuration as Code project, see the  
Jenkins documentation.  
The following is an example Fortify Jenkins Plugin global configuration YAML file:  
unclassified:
  fortifyPlugin:
    url: "https://MySscHost:8443/ssc"
    sscTokenCredentialsId: "MySscHost_CIToken"
    isProxy: false
    projectTemplate: "Prioritized High Risk Issue Template"
    breakdownPageSize: 50
    connectTimeout: 10
    readTimeout: 10
    writeTimeout: 10
    ctrlUrl: "https://MyControllerHost:8443/scancentral-ctrl"
    ctrlTokenCredentialsId: "MyControllerHost_ScanCentralCtrlToken"
    disableLocalScans: true
    appVersionListLimit: 50
The following table describes the keys the Fortify Jenkins Plugin uses.  
Key: url
Description: A Fortify Software Security Center URL.

Key: sscTokenCredentialsId
Description: The ID for a Jenkins credential of the type Fortify Connection Token that contains the Fortify Software Security Center authentication token of type CIToken.

Key: isProxy
Description: Whether to use the Jenkins Plugin Manager proxy settings to connect to Fortify Software Security Center and to update Fortify security content. The valid values are true and false.

Key: projectTemplate
Description: A Fortify Software Security Center issue template.

Key: breakdownPageSize
Description: The maximum number of issues to display per page in the breakdown table. The default is 50 issues per page.

Key: connectTimeout
Description: Time in seconds to wait for a connection to be established with Fortify Software Security Center before timing out.

Key: readTimeout
Description: Time in seconds to wait for a response from Fortify Software Security Center before timing out.

Key: writeTimeout
Description: Time in seconds for request data to be sent to Fortify Software Security Center before timing out.

Key: ctrlUrl
Description: The Controller URL is required to perform a Fortify Static Code Analyzer analysis on a remote system. You can leave this empty if you specify a Fortify Software Security Center URL with the url key.
Note: If a Fortify Software Security Center URL is specified (with the url key), then the Fortify Jenkins Plugin uses the Controller associated with Fortify Software Security Center and any Controller URL specified here is ignored.

Key: ctrlTokenCredentialsId
Description: The ID for a Jenkins credential of the type Fortify Connection Token that contains the decoded value of a Fortify Software Security Center authentication token of type ScanCentralCtrlToken.

Key: disableLocalScans
Description: Whether to disable local Fortify Static Code Analyzer scans from being performed. By default, local scans are enabled. The valid values are true and false.

Key: appVersionListLimit
Description: The maximum number of application versions to display in lists for a Fortify Assessment post-build action configuration. The default is 100 application versions per list.
Note: If you downgrade to a previous version of the Fortify Jenkins Plugin that does not support  
the Jenkins Configure as Code plugin, you must remove the fortifyPlugin entries from the JCasC  
YAML file.  
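As an added example, not part of the plugin or of this guide, the following Python checker reads the fortifyPlugin section of a JCasC file and reports settings that conflict with the key descriptions above (a non-https url, a timeout of 0 meaning no timeout, a ctrlUrl that does not match <protocol>://<controller_host>:<port>/scancentral-ctrl, or one that is ignored because url is also set). The sample YAML is constructed from the guide's example with a plain-http url and connectTimeout 0 so that the checks fire; parse_fortify_plugin and check_settings are names invented here.

```python
import re

# Constructed sample: the guide's example with two deliberately weak settings
# (plain-http url and connectTimeout 0) so the checks below have something to report.
SAMPLE_JCASC = """\
unclassified:
  fortifyPlugin:
    url: "http://MySscHost:8443/ssc"
    sscTokenCredentialsId: "MySscHost_CIToken"
    isProxy: false
    projectTemplate: "Prioritized High Risk Issue Template"
    breakdownPageSize: 50
    connectTimeout: 0
    readTimeout: 10
    writeTimeout: 10
    ctrlUrl: "https://MyControllerHost:8443/scancentral-ctrl"
    ctrlTokenCredentialsId: "MyControllerHost_ScanCentralCtrlToken"
    disableLocalScans: true
    appVersionListLimit: 50
"""

KNOWN_KEYS = {
    "url", "sscTokenCredentialsId", "isProxy", "projectTemplate", "breakdownPageSize",
    "connectTimeout", "readTimeout", "writeTimeout", "ctrlUrl", "ctrlTokenCredentialsId",
    "disableLocalScans", "appVersionListLimit",
}
# <protocol>://<controller_host>:<port>/scancentral-ctrl, as the guide gives it.
CTRL_URL = re.compile(r"^https?://[^/:\s]+:\d{1,5}/scancentral-ctrl$")


def _scalar(text):
    """Turn a YAML scalar into str, bool or int (only the forms the plugin block uses)."""
    if len(text) >= 2 and text[0] == text[-1] and text[0] in "\"'":
        return text[1:-1]
    if text in ("true", "false"):
        return text == "true"
    if re.fullmatch(r"-?\d+", text):
        return int(text)
    return text


def parse_fortify_plugin(text):
    """Minimal reader for the unclassified > fortifyPlugin > key: value layout.

    Not a general YAML parser: nesting is tracked by indentation only, which is
    all the plugin's configuration block needs.
    """
    nesting, settings = [], {}
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        while nesting and nesting[-1][0] >= indent:
            nesting.pop()
        if not value.strip():  # a mapping header such as "fortifyPlugin:"
            nesting.append((indent, key))
        elif [n for _, n in nesting] == ["unclassified", "fortifyPlugin"]:
            settings[key] = _scalar(value.strip())
    return settings


def check_settings(s):
    """Return findings for values that conflict with the key descriptions in the guide."""
    findings = [f"unknown key {k}" for k in s if k not in KNOWN_KEYS]
    for k in ("isProxy", "disableLocalScans"):
        if k in s and not isinstance(s[k], bool):
            findings.append(f"{k} must be true or false")
    for k in ("connectTimeout", "readTimeout", "writeTimeout"):
        v = s.get(k)
        if v is None:
            continue
        if isinstance(v, bool) or not isinstance(v, int) or v < 0:
            findings.append(f"{k} must be a non-negative number of seconds")
        elif v == 0:  # the guide: 0 means no timeout at all
            findings.append(f"{k} is 0: no timeout, so a hung Fortify Software Security "
                            "Center connection can block the build indefinitely")
    for k in ("breakdownPageSize", "appVersionListLimit"):
        v = s.get(k)
        if v is not None and (isinstance(v, bool) or not isinstance(v, int) or v < 1):
            findings.append(f"{k} must be a positive integer")
    url, ctrl = s.get("url"), s.get("ctrlUrl")
    if url:
        if not url.startswith("https://"):
            findings.append("url is not https: the CIToken would travel in clear text")
        if not s.get("sscTokenCredentialsId"):
            findings.append("url is set but sscTokenCredentialsId is missing")
    if ctrl:
        if not CTRL_URL.match(ctrl):
            findings.append("ctrlUrl must be <protocol>://<controller_host>:<port>/scancentral-ctrl")
        if url:  # the guide: with url set, the Controller from SSC is used and ctrlUrl is ignored
            findings.append("ctrlUrl is ignored because url is set: the plugin uses the Controller "
                            "associated with Fortify Software Security Center")
        if not s.get("ctrlTokenCredentialsId"):
            findings.append("ctrlUrl is set but ctrlTokenCredentialsId is missing")
    return findings


if __name__ == "__main__":
    for finding in check_settings(parse_fortify_plugin(SAMPLE_JCASC)):
        print("-", finding)
```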
Preparing Docker to Work with the Fortify Jenkins Plugin
If you run Jenkins in a Docker container, mount the Fortify Static Code Analyzer installation directory  
in the container to make Fortify Static Code Analyzer executables accessible from Docker. The  
following example command includes the flag to mount the installation directory in the container:  
docker container run -d -p 8080:8080 -v /home/admin/Fortify/Fortify_SCA_and_Apps_22.1.0:/var/jenkins_home/Fortify/Fortify_SCA_and_Apps_22.1.0 --name=Jenkins jenkins/jenkins
In the previous example, the value of FORTIFY_HOME is /var/jenkins_home/Fortify/Fortify_SCA_and_Apps_22.1.0.
Chapter 3: Configuring Fortify Analysis with Freestyle Projects
The Fortify Jenkins Plugin supports Freestyle and Multi-configuration projects. This section describes  
how to add Fortify analysis as a post-build action for your job.  
Note: The Fortify Jenkins Plugin also supports Jenkins Pipeline. For instructions, see "Configuring  
This section contains the following topics:  
Creating a Post-Build Action to Translate and Scan Remotely
To configure a post-build action to perform a complete analysis on a remote system:  
1. From Jenkins, select an existing job to view or create a new job.  
If you selected an existing job, click Configure on the job page.  
2. In the Post-build Actions section, click Add post-build action, and then select  
Fortify Assessment.  
3. Select Remote translation & remote scan.  
4. From the Application type list, select the type of project you want to analyze. The following  
table provides instructions for each application type.  
Application Type: .NET MSBuild
Description:
a. In the Solution or project file box, type a project or a solution file for analysis.
b. To exclude disabled projects from the translation, select the Exclude disabled projects check box.
Note: This setting is only valid for Fortify ScanCentral SAST versions 21.1.x or earlier.

Application Type: Gradle
Description:
a. In the Build file box, type the name of the build file if it is different than the default of build.gradle.
b. To include the test source set (for Java projects only) in the scan, select the Include tests check box.
c. To skip the build invocation used to obtain all project dependencies, select the Skip build check box. Use this option if you have a build step earlier in the pipeline and do not want to run the build again.
Note: This setting is only valid for Fortify ScanCentral SAST versions 20.2.0 or later.

Application Type: Maven
Description:
a. In the Build file box, type the name of the build file if it is different than the default of pom.xml.
b. To include a test scope (for Java projects only) in the scan, select the Include tests check box.
c. To skip the build invocation used to obtain all project dependencies, select the Skip build check box. Use this option if you have a build step earlier in the pipeline and do not want to run the build again.
Note: This setting is only valid for Fortify ScanCentral SAST versions 20.2.0 or later.

Application Type: PHP
Description:
a. In the PHP version box, type the PHP version used in the project.

Application Type: Python
Description:
a. In the Python version box, select the Python version used in the project. The default version is 2.
b. In the Python virtual environment box, type the location (directory) of the Python virtual environment.
c. In the Python requirements file box, type the name of the Python project requirements file used to install and collect dependencies.

Application Type: Other
Description: Use this option to translate and scan other languages.
5. (Optional) To specify Fortify Static Code Analyzer translation options, click Advanced, and then  
specify translation options.  
For descriptions of the available translation options, see the Micro Focus Fortify Static Code  
Note: Enclose each option and parameter in double quotes. For example, this option  
excludes test files from the translation: "-exclude" "C:/ProjA/tests/*".  
6. (Optional) To specify Controller settings, add Fortify Static Code Analyzer scan options, custom  
Rulepacks, or a scan filter file, click Optional configuration. The following table describes the  
optional configuration settings.  
Field / Description  
Sensor pool: Specify a sensor pool UUID defined in Fortify Software Security Center. By  
default, Fortify ScanCentral SAST uses the default sensor pool as defined in  
Fortify Software Security Center.  
Notification email: Specify the email address to which the Controller will send  
notifications.  
Fortify SCA scan options: Specify Fortify Static Code Analyzer scan options. For  
descriptions of the available scan options, see the Micro Focus Fortify Static Code Analyzer  
Note: Enclose each option and parameter in double quotes. In the following example, two  
analyzers are enabled and verbose status messages are sent to the console for the scan:  
"-analyzers" "controlflow,dataflow" "-verbose".  
Custom Rulepacks: Specify custom rules files (*.xml) separated by spaces or a directory that  
contains custom rules.  
Fortify SCA scan filter file: Specify the name of a filter file. You can use a file to filter out  
specific vulnerability categories, rules, and vulnerability instances from the analysis. For more  
information, see the Micro Focus Fortify Static Code Analyzer  
7. To upload the scan results to Fortify Software Security Center:  
a. Select the Upload Fortify SCA scan results to Fortify Software Security Center check  
box.  
b. Specify an application name and an application version from the list of existing applications  
in Fortify Software Security Center. Provide both application name and application version.  
To search for an application name or version, type any part of the name or version in the box,  
and then click Search. You can also leave the name or version box empty, and then click  
Search. This provides a list of all application names or versions within the configured limit.  
This search is case-insensitive.  
Note: The number of application names and application versions displayed in both these  
lists is limited by the maximum application versions per list value specified in the Fortify  
Jenkins Plugin configuration.  
8. Click Save.  
Creating a Post-Build Action to Translate Locally and Scan Remotely  
To configure a post-build action to perform the translation phase on the local system and the scan  
phase on a remote system:  
1. From Jenkins, select an existing job to view or create a new job.  
If you selected an existing job, click Configure on the job page.  
2. In the Post-build Actions section, click Add post-build action, and then select  
Fortify Assessment.  
3. Select Local translation & remote scan.  
4. To download Fortify security content before the scan:  
a. Select the Update Fortify Security Content check box.  
b. In the Update server URL box, type the URL for the Fortify Rulepack update server. You  
can also download Fortify security content from Fortify Software Security Center by specifying a  
Fortify Software Security Center URL in this box.  
Note: To connect to the Fortify Rulepack update server or the Fortify Software Security  
Center server with a proxy, you can use the proxy settings configured in Jenkins (see  
c. (Optional) In the Locale box, select the locale for the Fortify security content.  
The default is English.  
d. To automatically accept the public key when you update Fortify security content from a  
Fortify Software Security Center server, select the Accept public key for SSC server check  
box.  
5. In the Build ID box, type a unique identifier for the analysis.  
6. (Optional) In the Maximum heap memory box, specify the maximum heap memory (in  
megabytes) as an integer only.  
For example, to specify 48 GB, type 49152. By default, Fortify Static Code Analyzer automatically  
allocates memory based on the physical memory available on the system. If you specify an  
amount of memory in this box, it overrides the default automatic memory allocation.  
7. (Optional) In the Additional JVM options box, you can add JVM commands.  
Note: Enclose each option and parameter in double quotes in boxes where you can specify  
multiple values.  
For example: "-build-label" "label" "-disable-source-bundling"  
8. From the Application type list, select the type of application you want to analyze.  
Note: The Fortify Jenkins Plugin looks for the location of the Gradle, Maven, devenv, and  
MSBuild executables in the following order: Jenkins Global Tool Configuration (Gradle and  
Maven only), Jenkins environment variable, the PATH system environment variable, and  
lastly the build's workspace.  
Application Type / Description  
.NET Devenv  
a. In the Solution or project file box, type the solution or project file name  
(or the path to the file).  
b. (Optional) Specify any additional devenv options.  
.NET MSBuild  
a. In the Solution or project file box, type the solution or project file name  
(or the path to the file).  
b. (Optional) Specify any additional MSBuild options.  
.NET source code scan  
a. In the .NET framework version box, specify the .NET framework version  
used to compile the code.  
b. (Optional) In the Libdirs box, specify a semicolon-separated list of  
directories where referenced system or third-party DLLs are located.  
c. (Optional) In the Fortify SCA translation options box, specify any  
additional Fortify Static Code Analyzer translation options. See the Micro  
Focus Fortify Static Code Analyzer User Guide in Fortify Static Code  
d. In the Source files box, specify the source files to translate.  
Gradle  
a. Select whether to use a specific version of Gradle installed on the agent  
or the Gradle Wrapper.  
To use a specific version of Gradle installed on the agent:  
i. Select Invoke Gradle.  
ii. From the Gradle version list, select a version.  
Note: The Gradle version option is only available if at least one  
Gradle version is configured with the Jenkins Global Tool  
Configuration.  
Make sure that you select a Gradle version that Fortify Static Code  
Analyzer supports. For supported Gradle versions, see the Micro  
Focus Fortify Software System Requirements document for your  
version of Fortify Static Code Analyzer in Fortify Static Code  
To use the Gradle executable defined by the GRADLE_HOME  
environment variable (see "Configuring Global Settings for the  
b. In the Gradle tasks box, type the Gradle tasks required for your project.  
c. (Optional) In the Gradle options box, type the Gradle options required  
for your project.  
Java  
Specify the Java source version, source path, class path, the source files, and  
any additional Fortify Static Code Analyzer translation options. The only  
required field is Source files. See the Micro Focus Fortify Static Code  
Maven  
a. If you have at least one Maven version configured with the Jenkins Global  
Tool Configuration, you can select a version from the Maven version list.  
Select (Default) to use the Maven executable defined by the MAVEN_HOME  
environment variable (see "Configuring Global Settings for the  
Note: The Maven version option is only available if at least one  
Maven version is configured with the Jenkins Global Tool  
Configuration.  
Make sure that you select a Maven version that Fortify Static Code  
Analyzer supports. For supported Maven versions, see the Micro Focus  
Fortify Software System Requirements document for your version of  
Fortify Static Code Analyzer in Fortify Static Code Analyzer and Tools  
b. If you did not run the build previously, then in the Maven options box,  
type package. Otherwise, leave this box empty.  
Note: The translation log is in the /target directory that is created  
when the “package” runs from Maven. Any log file location specified  
in the Fortify Jenkins Plugin is ignored when the Fortify Maven  
Plugin performs the translation.  
Other  
a. (Optional) Provide all the Fortify Static Code Analyzer translation options  
in the Fortify SCA translation options box. See the Micro Focus Fortify  
Static Code Analyzer User Guide in Fortify Static Code Analyzer and  
b. Specify the source code to scan in the Includes list box.  
Advanced  
Select Advanced if you are familiar with the Fortify Static Code Analyzer  
command-line interface or want to specify all the translation options without  
any guidance. Specify all the Fortify Static Code Analyzer translation options  
including source files. For detailed information about the translation options,  
see the Micro Focus Fortify Static Code Analyzer User Guide in Fortify Static  
9. (Optional) To exclude files or directories from the translation, add them to the Exclude list box.  
10. (Optional) Enable the debug or verbose logging options.  
11. (Optional) To specify Controller settings, add Fortify Static Code Analyzer scan options, custom  
Rulepacks, or a scan filter file, click Optional configuration. The following table describes the  
optional configuration settings.  
Field / Description  
Sensor pool: Specify a sensor pool UUID defined in Fortify Software Security Center. By  
default, Fortify ScanCentral SAST uses the default sensor pool as defined in  
Fortify Software Security Center.  
Notification email: Specify the email address to which the Controller will send  
notifications.  
Fortify SCA scan options: Specify Fortify Static Code Analyzer scan options. For  
descriptions of the available scan options, see the Micro Focus Fortify Static Code Analyzer  
Note: Enclose each option and parameter in double quotes. In the following example, two  
analyzers are enabled and verbose status messages are sent to the console for the scan:  
"-analyzers" "controlflow,dataflow" "-verbose".  
Custom Rulepacks: Specify custom rules files (*.xml) separated by spaces or a directory that  
contains custom rules.  
Fortify SCA scan filter file: Specify the name of a filter file. You can use a file to filter out  
specific vulnerability categories, rules, and vulnerability instances from the analysis. For more  
information, see the Micro Focus Fortify Static Code Analyzer  
12. To upload the scan results to Fortify Software Security Center:  
a. Select the Upload Fortify SCA scan results to Fortify Software Security Center check  
box.  
b. Specify an application name and an application version from the list of existing applications  
in Fortify Software Security Center. Provide both application name and application version.  
To search for an application name or version, type any part of the name or version in the box,  
and then click Search. You can also leave the name or version box empty, and then click  
Search. This provides a list of all application names or versions within the configured limit.  
This search is case-insensitive.  
Note: The number of application names and application versions displayed in both these  
lists is limited by the maximum application versions per list value specified in the Fortify  
Jenkins Plugin configuration.  
13. Click Save.  
Creating a Post-Build Action to Translate and Scan Locally  
To configure a post-build action to perform a complete analysis on the local system:  
1. From Jenkins, select an existing job to view or create a new job.  
If you selected an existing job, click Configure on the job page.  
2. In the Post-build Actions section, click Add post-build action, and then select  
Fortify Assessment.  
3. Select Local translation & local scan.  
4. To download Fortify security content before the scan:  
a. Select the Update Fortify Security Content check box.  
b. In the Update server URL box, type the URL for the Fortify Rulepack update server. You  
can also download Fortify security content from Fortify Software Security Center by specifying a  
Fortify Software Security Center URL in this box.  
Note: To connect to the Fortify Rulepack update server or the Fortify Software Security  
Center server with a proxy, you can use the proxy settings configured in Jenkins (see  
c. (Optional) In the Locale box, select the locale for the Fortify security content.  
The default is English.  
d. To automatically accept the public key when you update Fortify security content from a  
Fortify Software Security Center server, select the Accept public key for SSC server check  
box.  
5. In the Build ID box, type a unique identifier for the analysis.  
6. (Optional) In the Results file box, type a name for the Fortify Project Results (FPR) file. For  
example, MyProjectA.fpr.  
Note: You do not need to specify the .fpr file extension.  
If you do not provide a results file name:  
- If you are running a Fortify Static Code Analyzer scan, scan results are written to scan.fpr in  
the workspace.  
Note: If this file already exists, it will be overwritten.  
- If you are not running a Fortify Static Code Analyzer scan and you are uploading results to  
Fortify Software Security Center, the Fortify Jenkins Plugin searches "./**/*.fpr" in the  
workspace for the most recently modified FPR file.  
7. (Optional) In the Maximum heap memory box, specify the maximum heap memory (in  
megabytes) as an integer only.  
For example, to specify 48 GB, type 49152. By default, Fortify Static Code Analyzer automatically  
allocates memory based on the physical memory available on the system. If you specify an  
amount of memory in this box, it overrides the default automatic memory allocation.  
8. (Optional) In the Additional JVM options box, you can add JVM commands.  
Note: Enclose each option and parameter in double quotes in boxes where you can specify  
multiple values.  
For example: "-build-label" "label" "-disable-source-bundling"  
9. From the Application type list, select the type of application you want to analyze.  
Note: The Fortify Jenkins Plugin looks for the location of the Gradle, Maven, devenv, and  
MSBuild executables in the following order: Jenkins Global Tool Configuration (Gradle and  
Maven only), Jenkins environment variable, the PATH system environment variable, and  
lastly the build's workspace.  
Application Type / Description  
.NET Devenv  
a. In the Solution or project file box, type the solution or project file name  
(or the path to the file).  
b. (Optional) Specify any additional devenv options.  
.NET MSBuild  
a. In the Solution or project file box, type the solution or project file name  
(or the path to the file).  
b. (Optional) Specify any additional MSBuild options.  
.NET source code scan  
a. In the .NET framework version box, specify the .NET framework version  
used to compile the code.  
b. (Optional) In the Libdirs box, specify a semicolon-separated list of  
directories where referenced system or third-party DLLs are located.  
c. (Optional) In the Fortify SCA translation options box, specify any  
additional Fortify Static Code Analyzer translation options. See the Micro  
Focus Fortify Static Code Analyzer User Guide in Fortify Static Code  
d. In the Source files box, specify the source files to translate.  
Gradle  
a. Select whether to use a specific version of Gradle installed on the agent  
or the Gradle Wrapper.  
To use a specific version of Gradle installed on the agent:  
i. Select Invoke Gradle.  
ii. From the Gradle version list, select a version.  
Note: The Gradle version option is only available if at least one  
Gradle version is configured with the Jenkins Global Tool  
Configuration.  
Make sure that you select a Gradle version that Fortify Static Code  
Analyzer supports. For supported Gradle versions, see the Micro  
Focus Fortify Software System Requirements document for your  
version of Fortify Static Code Analyzer in Fortify Static Code  
To use the Gradle executable defined by the GRADLE_HOME  
environment variable (see "Configuring Global Settings for the  
b. In the Gradle tasks box, type the Gradle tasks required for your project.  
c. (Optional) In the Gradle options box, type the Gradle options required  
for your project.  
Java  
Specify the Java source version, source path, class path, the source files, and  
any additional Fortify Static Code Analyzer translation options. The only  
required field is Source files. See the Micro Focus Fortify Static Code  
Maven  
a. If you have at least one Maven version configured with the Jenkins Global  
Tool Configuration, you can select a version from the Maven version list.  
Select (Default) to use the Maven executable defined by the MAVEN_HOME  
environment variable (see "Configuring Global Settings for the  
Note: The Maven version option is only available if at least one  
Maven version is configured with the Jenkins Global Tool  
Configuration.  
Make sure that you select a Maven version that Fortify Static Code  
Analyzer supports. For supported Maven versions, see the Micro Focus  
Fortify Software System Requirements document for your version of  
Fortify Static Code Analyzer in Fortify Static Code Analyzer and Tools  
b. If you did not run the build previously, then in the Maven options box,  
type package. Otherwise, leave this box empty.  
Note: The translation log is in the /target directory that is created  
when the “package” runs from Maven. Any log file location specified  
in the Fortify Jenkins Plugin is ignored when the Fortify Maven  
Plugin performs the translation.  
Other  
a. (Optional) Provide all the Fortify Static Code Analyzer translation options  
in the Fortify SCA translation options box. See the Micro Focus Fortify  
Static Code Analyzer User Guide in Fortify Static Code Analyzer and  
b. Specify the source code to scan in the Includes list box.  
Advanced  
Select Advanced if you are familiar with the Fortify Static Code Analyzer  
command-line interface or want to specify all the translation options without  
any guidance. Specify all the Fortify Static Code Analyzer translation options  
including source files. For detailed information about the translation options,  
see the Micro Focus Fortify Static Code Analyzer User Guide in Fortify Static  
10. (Optional) To exclude files or directories from the translation, add them to the Exclude list box.  
11. (Optional) Enable the debug or verbose logging options.  
12. (Optional) To specify a custom location for the Fortify Static Code Analyzer log file, type a file  
name (or a full path) in the Log file location box.  
By default, the log file is written to the workspace in /.fortify/sca<version>/log.  
13. To run a scan, select the Run Fortify SCA scan check box, and then specify the scan settings:  
a. (Optional) In the Custom Rulepacks box, specify custom rules.  
Specify custom rules files (*.xml) separated by spaces or a directory that contains custom  
rules.  
b. (Optional) Specify any additional scan options.  
For detailed information about the scan options, see the Micro Focus Fortify Static Code  
Note: Enclose each option and parameter in double quotes.  
In the following example, two analyzers and quick scan mode are enabled for the scan:  
"-analyzers" "controlflow,dataflow" "-quick".  
c. (Optional) Enable the debug or verbose logging options.  
d. (Optional) To specify a custom location for the Fortify Static Code Analyzer log file, type a file  
name (or a full path) in the Log file location box.  
By default, the log file is written to the workspace in /.fortify/sca<version>/log.  
14. To upload the scan results to Fortify Software Security Center, select the Upload Fortify  
SCA scan results to Fortify Software Security Center check box, and then specify the upload  
settings:  
a. Specify an application name and an application version.  
Always specify both application name and application version. If you have a successful  
connection to a Fortify Software Security Center server, you can search for an existing  
application version. To search for an application name or version, type any part of the name  
or version in the box, and then click Search. You can also leave the name or version box  
empty, and then click Search. This provides a list of all application names or versions within  
the configured limit. This search is case-insensitive.  
Note: The number of application names and application versions displayed in both these  
lists is limited by the maximum application versions per list value specified in the Fortify  
Jenkins Plugin configuration.  
You can type an application name and version that does not exist in Fortify Software Security  
Center. Fortify Jenkins Plugin will create it upon a successful build.  
b. (Optional) Specify a filter set to use when retrieving scan results for display in Jenkins. If left  
blank, the Fortify Jenkins Plugin uses the default filter set configured in Fortify  
Software Security Center.  
Note: If you specify an application version in the previous step that does not yet exist in  
Fortify Software Security Center, then the Filter set list will be empty. You can configure  
a filter set on the next job run.  
The failure criteria and the Normalized Vulnerability Score (NVS) calculation depend on the  
issues filtered by the filter set. For example, if a Quick View filter is applied to the project  
issues (and no critical or high issues are found), then the failure criteria determines that there  
is no reason to set this build to unstable and the NVS is set to zero. The graph summary also  
shows zero.  
c. (Optional) To trigger a build status of unstable based on the scan results, type a search  
query in the Build failure criteria box.  
For example, the following search query causes the build to fail if any critical issues exist in  
the scan results:  
[fortify priority order]:critical  
See the Micro Focus Fortify Software Security Center User Guide in Fortify Software Security  
Center Documentation for a description of the search query syntax.  
d. (Optional) To specify how long to poll Fortify Software Security Center to determine if FPR  
processing is finished, type the time (in minutes) in the Timeout box.  
If no value or a value of 0 is specified, polling continues until FPR processing finishes or stops  
due to errors. The valid values are 0–10080.  
e. (Optional) To specify the frequency that the Fortify Jenkins Plugin polls Fortify  
Software Security Center to check FPR processing is finished, do the following:  
i. Click Advanced settings.  
ii. In the Polling interval box, specify an interval (in minutes).  
The valid values are 1–60 and the default value is 1 minute.  
Note: The Fortify Jenkins Plugin will poll until the processing is complete or the amount  
of time specified for Timeout is reached. The Polling Interval must be less than the  
Timeout value.  
The Fortify Jenkins Plugin runs the NVS calculation after the FPR is processed.  
Important! If the FPR processing requires approval, then this step will not complete until  
the approval is granted through Fortify Software Security Center.  
15. Click Save.  
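The double-quote rule stated for the translation options, scan options and JVM options boxes above (and for step 13b here) is easy to get wrong in the job form. The following tokenizer is an added example, not plugin code: it assumes whitespace-separated tokens with double quotes grouping a token, which is what the guide's instruction implies, since the plugin's own parser is not shown on this page.

```python
"""Tokenizer and lint for the option strings typed into the plugin's option
boxes, for example "-analyzers" "controlflow,dataflow" "-verbose".

Added example, not plugin code. It assumes the convention this guide states
(every option and parameter enclosed in double quotes, tokens separated by
whitespace); the plugin's own parser is not shown on this page."""
import re

# A double-quoted run is one token; outside quotes, a run of non-blank,
# non-quote characters is one (unquoted) token.
_TOKEN_RE = re.compile(r'"([^"]*)"|([^\s"]+)')


def tokenize_options(text: str) -> list:
    """Return (token, was_quoted) pairs for a box value.

    An odd number of double quotes means a quote was forgotten; fail here
    rather than let a silently mangled option reach the analysis."""
    if text.count('"') % 2 != 0:
        raise ValueError("unbalanced double quotes in option string")
    pairs = []
    for m in _TOKEN_RE.finditer(text):
        if m.group(1) is not None:
            pairs.append((m.group(1), True))
        else:
            pairs.append((m.group(2), False))
    return pairs


def option_args(text: str) -> list:
    """The argument list Fortify Static Code Analyzer would receive."""
    return [tok for tok, _quoted in tokenize_options(text)]


def lint_options(text: str) -> list:
    """Warnings for a job configuration review: any token not enclosed in
    double quotes breaks the guide's rule, and a path or value containing a
    space that is left unquoted is split into several arguments."""
    warnings = []
    for tok, quoted in tokenize_options(text):
        if not quoted:
            warnings.append(f"token {tok!r} is not enclosed in double quotes")
    return warnings


if __name__ == "__main__":
    # Quoted as the guide instructs: the pattern with a space stays one argument.
    print(option_args('"-exclude" "C:/Proj A/tests/*"'))
    # Unquoted: the same pattern is split and -exclude receives only "C:/Proj".
    print(option_args('-exclude C:/Proj A/tests/*'))
```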
Creating a Post-Build Action to Upload Scan Results to Fortify Software Security Center  
To configure a post-build action that only uploads existing scan results to Fortify Software Security  
Center:  
1. From Jenkins, select an existing job to view or create a new job.  
If you selected an existing job, click Configure on the job page.  
2. In the Post-build Actions section, click Add post-build action, and then select Fortify  
Assessment.  
3. Select Upload existing Fortify SCA scan results to Fortify Software Security Center.  
4. (Optional) In the Results file box, type the name of the Fortify Project Results (FPR) file that you  
want to upload.  
You can specify a file name or an absolute path. If a file is not specified, the Fortify Jenkins Plugin  
searches "./**/*.fpr" in the build's workspace for the most recently modified FPR file.  
Note: You can also upload third-party artifacts in a ZIP file. For detailed instructions about  
preparing the ZIP file, see the Micro Focus Fortify Software Security Center User Guide in  
Fortify Software Security Center Documentation for how to upload scan artifacts.  
5. Specify an application name and an application version.  
Always specify both application name and application version. If you have a successful  
connection to a Fortify Software Security Center server, you can search for an existing  
application version. To search for an application name or version, type any part of the name or  
version in the box, and then click Search. You can also leave the name or version box empty,  
and then click Search. This provides a list of all application names or versions within the  
configured limit. This search is case-insensitive.  
Note: The number of application names and application versions displayed in both these  
lists is limited by the maximum application versions per list value specified in the Fortify  
Jenkins Plugin configuration.  
You can type an application name and version that does not exist in Fortify Software Security  
Center. Fortify Jenkins Plugin will create it upon a successful build.  
6. (Optional) Specify a filter set to use when retrieving scan results for display in Jenkins. If left  
blank, the Fortify Jenkins Plugin uses the default filter set configured in Fortify Software Security  
Center.  
Note: If you specify an application version in the previous step that does not yet exist in  
Fortify Software Security Center, then the Filter set list will be empty. You can configure a  
filter set on the next job run.  
The failure criteria and the Normalized Vulnerability Score (NVS) calculation depend on the  
issues filtered by the filter set. For example, if a Quick View filter is applied to the project issues  
(and no critical or high issues are found), then the failure criteria determines that there is no  
reason to set this build to unstable and the NVS is set to zero. The graph summary also shows  
zero.  
7. (Optional) To trigger a build status of unstable based on the scan results, type a search query in  
the Build failure criteria box.  
For example, the following search query causes the build to fail if any critical issues exist in the  
scan results:  
[fortify priority order]:critical  
See the Micro Focus Fortify Software Security Center User Guide in Fortify Software Security  
Center Documentation for a description of the search query syntax.  
8. (Optional) To specify how long to poll Fortify Software Security Center to determine if FPR  
processing is finished, type the time (in minutes) in the Timeout box.  
If no value or a value of 0 is specified, polling continues until FPR processing finishes or stops due  
to errors. The valid values are 0–10080.  
9. (Optional) To specify the frequency that the Fortify Jenkins Plugin polls Fortify Software Security  
Center to check FPR processing is finished, do the following:  
a. Click Advanced settings.  
b. In the Polling interval box, specify an interval (in minutes).  
The valid values are 1–60 and the default value is 1 minute.  
Note: The Fortify Jenkins Plugin will poll until the processing is complete or the amount of  
time specified for Timeout is reached. The Polling Interval must be less than the Timeout  
value.  
The Fortify Jenkins Plugin runs the NVS calculation after the FPR is processed.  
Important! If the FPR processing requires approval, then this step will not complete until the  
approval is granted through Fortify Software Security Center.  
10. Click Save.  
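The Timeout and Polling interval rules above (steps 8 and 9 here, and steps 14d and 14e of the local translate-and-scan action) can be exercised without a Fortify Software Security Center server. The following loop is an added example, not plugin code; the status labels and the scripted status_of() callback are constructed stand-ins for the plugin's own SSC client, which this page does not show.

```python
"""FPR processing poll loop modelled on the Timeout and Polling interval rules
of the upload step. Added example, not plugin code: the status labels and the
status_of() callback are constructed stand-ins; the plugin's own SSC client is
not shown on this page."""
import time
from typing import Callable, Iterable, Tuple

MAX_TIMEOUT_MIN = 10080        # Timeout: 0-10080 minutes, 0 = no limit
MIN_INTERVAL_MIN = 1           # Polling interval: 1-60 minutes
MAX_INTERVAL_MIN = 60
DEFAULT_INTERVAL_MIN = 1

# Constructed status labels. "PENDING_APPROVAL" stands for an FPR whose
# processing requires approval in SSC; the guide says the step cannot
# complete until that approval is granted, so it counts as still running.
STILL_RUNNING = {"PROCESSING", "PENDING_APPROVAL"}
TERMINAL = {"PROCESSED", "ERROR"}


def validate_polling(timeout_min: int, interval_min: int = DEFAULT_INTERVAL_MIN) -> None:
    """Reject the combinations the guide marks invalid before polling starts."""
    if not 0 <= timeout_min <= MAX_TIMEOUT_MIN:
        raise ValueError(f"Timeout must be 0-{MAX_TIMEOUT_MIN} minutes, got {timeout_min}")
    if not MIN_INTERVAL_MIN <= interval_min <= MAX_INTERVAL_MIN:
        raise ValueError(
            f"Polling interval must be {MIN_INTERVAL_MIN}-{MAX_INTERVAL_MIN} minutes, got {interval_min}")
    # Timeout 0 means poll until processing finishes, so only a non-zero
    # Timeout has to be greater than the interval.
    if timeout_min and interval_min >= timeout_min:
        raise ValueError("Polling interval must be less than the Timeout value")


def polling_settings_valid(timeout_min: int, interval_min: int = DEFAULT_INTERVAL_MIN) -> bool:
    """True when the pair of settings would be accepted by validate_polling()."""
    try:
        validate_polling(timeout_min, interval_min)
    except ValueError:
        return False
    return True


def poll_fpr_processing(status_of: Callable[[], str], timeout_min: int,
                        interval_min: int = DEFAULT_INTERVAL_MIN,
                        sleep: Callable[[float], None] = time.sleep) -> str:
    """Query status_of() every interval_min minutes.

    Returns "PROCESSED" or "ERROR" as soon as SSC reports it, or "TIMEOUT"
    when the next poll would pass timeout_min (never when timeout_min is 0).
    Only a "PROCESSED" result should feed the NVS calculation and the build
    failure criteria."""
    validate_polling(timeout_min, interval_min)
    elapsed_min = 0
    while True:
        status = status_of()
        if status in TERMINAL:
            return status
        if status not in STILL_RUNNING:
            raise RuntimeError(f"unexpected FPR processing status {status!r}")
        if timeout_min and elapsed_min + interval_min > timeout_min:
            return "TIMEOUT"
        sleep(interval_min * 60)
        elapsed_min += interval_min


def scripted_status(sequence: Iterable[str]) -> Callable[[], str]:
    """Constructed stand-in for the SSC status query: returns the given
    statuses in order and repeats the last one on every further call."""
    seq = list(sequence)
    calls = [0]

    def status_of() -> str:
        value = seq[min(calls[0], len(seq) - 1)]
        calls[0] += 1
        return value
    return status_of


def simulate(sequence: Iterable[str], timeout_min: int,
             interval_min: int = DEFAULT_INTERVAL_MIN) -> Tuple[str, int]:
    """Run the loop without real sleeping; returns (outcome, minutes waited)."""
    waited = []
    outcome = poll_fpr_processing(scripted_status(sequence), timeout_min, interval_min,
                                  sleep=lambda seconds: waited.append(seconds / 60))
    return outcome, int(sum(waited))


if __name__ == "__main__":
    print(simulate(["PROCESSING", "PROCESSING", "PROCESSED"], timeout_min=10))
    # Approval never granted: with a finite Timeout the step gives up.
    print(simulate(["PENDING_APPROVAL"], timeout_min=5, interval_min=2))
```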
Chapter 4: Configuring Fortify Analysis with Pipeline Jobs  
The Fortify Jenkins Plugin supports both Declarative and Scripted Pipeline syntax. The advantage of  
using Jenkins Pipeline is that you can check your script into source control, and you can have multiple  
Fortify Static Code Analyzer translation or upload requests (for example) within the same Jenkinsfile  
script. See the Jenkins documentation for additional information about pipelines.  
This section contains the following topics:  
Pipeline Steps to Translate and Scan Remotely  
There are two Pipeline steps available to perform the analysis remotely. The following table lists these  
Fortify Jenkins Plugin Pipeline steps. Each section describes the parameters and contains examples.  
Pipeline Step / Task  
fortifyRemoteArguments: Set options for remote translation and scan. This step is optional and,  
if used, should precede a fortifyRemoteAnalysis step.  
fortifyRemoteAnalysis: Send a project to a remote system for analysis.  
The following is an example Jenkinsfile that sends a Java project that uses Gradle to a remote system  
for analysis. After the remote analysis is complete, the Controller uploads the scan results to Fortify  
Software Security Center.  
node {
    stage('Fortify Remote Arguments') {
        fortifyRemoteArguments transOptions: '-Xmx4G',
                               scanOptions: '"-analyzers" "dataflow"'
    }
    stage('Fortify Remote Analysis') {
        fortifyRemoteAnalysis remoteAnalysisProjectType: fortifyGradle(),
                              remoteOptionalConfig: [notifyEmail: 'joe@xyzCo.com',
                                                     customRulepacks: 'MyRules.xml'],
                              uploadSSC: [appName: 'MyJavaApp', appVersion: '3.1']
    }
}
The following Declarative Pipeline script has the same functionality as the previous example:  
pipeline {
    agent any
    stages {
        stage('Fortify Remote Arguments') {
            steps {
                fortifyRemoteArguments transOptions: '-Xmx4G',
                                       scanOptions: '"-analyzers" "dataflow"'
            }
        }
        stage('Fortify Remote Analysis') {
            steps {
                fortifyRemoteAnalysis remoteAnalysisProjectType: fortifyGradle(),
                                      remoteOptionalConfig: [notifyEmail: 'joe@xyzCo.com',
                                                             customRulepacks: 'MyRules.xml'],
                                      uploadSSC: [appName: 'MyJavaApp', appVersion: '3.1']
            }
        }
    }
}
fortifyRemoteArguments Step  
Use this step to specify Fortify Static Code Analyzer translation and scan options in a settings file for  
remote analysis. This step is optional. To start a remote analysis, follow this step with a  
fortifyRemoteAnalysis step (see "fortifyRemoteAnalysis Step" below).  
transOptions: Optional (String). Specifies any additional Fortify Static Code Analyzer translation options. Enclose each option and parameter in double quotes. Default: (none).
scanOptions: Optional (String). Specifies any additional Fortify Static Code Analyzer scan options. Enclose each option and parameter in double quotes. Default: (none).
fortifyRemoteArguments Example  
The following example specifies 4 GB for the translation and excludes SQL. Only Control Flow and  
Dataflow analyzers are used and the default Rulepacks are not processed for the scan phase.  
node {
    stage('Fortify Remote Arguments') {
        // Each Groovy string holds the quoted options on one line; a
        // single-quoted Groovy string cannot span multiple lines.
        fortifyRemoteArguments transOptions: '"-Xmx4G" "-disable-language" "sql"',
            scanOptions: '"-analyzers" "controlflow,dataflow" "-no-default-rules"'
    }
}
fortifyRemoteAnalysis Step  
Use this step to send a project to a remote system for analysis (translation and scan). To add  
additional translation or scan options for the analysis, precede this step with the  
fortifyRemoteArguments step (see "fortifyRemoteArguments Step" above).  
remoteAnalysisProjectType: Required (String). The project type is one of the following: fortifyGradle, fortifyMaven, fortifyMSBuild, fortifyPHP, fortifyPython, or fortifyOther. Default: (none).

Gradle Parameters
buildFile: Optional (String). Specifies the build file name. Default: build.gradle.
includeTests: Optional (boolean). Specifies whether to include a test source set. Default: false.
skipBuild: Optional (boolean). Specifies whether to skip the build invocation used to obtain all project dependencies. Use this option if you have a build step earlier in the pipeline and do not want to run the build again. Default: false.
Note: This setting is only valid for Fortify ScanCentral SAST versions 20.2.0 or later.

Maven Parameters
buildFile: Optional (String). Specifies the build file name. Default: pom.xml.
includeTests: Optional (boolean). Specifies whether to include a test scope. Default: false.
skipBuild: Optional (boolean). Specifies whether to skip the build invocation used to obtain all project dependencies. Use this option if you have a build step earlier in the pipeline and do not want to run the build again. Default: false.
Note: This setting is only valid for Fortify ScanCentral SAST versions 20.2.0 or later.

MSBuild Parameters
dotnetProject: Required (String). Specifies the project or solution file to analyze. Default: (none).
excludeDisabledProjects: Optional (boolean). Specifies whether to exclude disabled projects in the solution from the analysis. Default: false.
Note: This parameter is only valid for Fortify ScanCentral SAST versions 21.1.x or earlier.

PHP Parameters
phpVersion: Optional (Number). Specifies the PHP version used in the project. Default: the default version defined by Fortify Static Code Analyzer (for example, in Fortify Static Code Analyzer version 21.1.0, the default PHP version is 7.4). See the Micro Focus Fortify Static Code Analyzer User Guide for more information.

Python Parameters
pythonVersion: Optional (String). Specifies the Python version used in the project. The valid values are 2 and 3. This parameter is ignored if you also provide the pythonVirtualEnv parameter. Default: 2.
pythonVirtualEnv: Optional (String). Specifies the location (directory) of the Python virtual environment. Default: (none).
pythonRequirementsFile: Optional (String). Specifies the Python project requirements file used to install and collect dependencies. Default: (none).

remoteOptionalConfig Parameters
sensorPoolUUID: Optional (String). Specifies the sensor pool to which to submit the job. Default: (none).
notifyEmail: Optional (String). Specifies the email address to which the Controller sends notifications. Default: (none).
customRulepacks: Optional (String). Specifies custom rules files (*.xml) separated by spaces, or a directory that contains custom rules. Default: (none).
filterFile: Optional (String). Specifies a file used to filter out specific vulnerability categories, rules, and vulnerability instances from the analysis. For more information about filter files, see the Micro Focus Fortify Static Code Analyzer User Guide. Default: (none).

uploadSSC Parameters
appName: Required (String). Specifies an existing application name for which to store the results in Fortify Software Security Center. Default: (none).
appVersion: Required (String). Specifies an existing application version for which to store the results in Fortify Software Security Center. Default: (none).
fortifyRemoteAnalysis Example  
Specify a function name for the remoteAnalysisProjectType parameter. The valid function names are: fortifyGradle, fortifyMaven, fortifyMSBuild, fortifyPHP, fortifyPython, and fortifyOther.
The following example uploads a Python 3 project to a remote system for translation and scan.  
Controller notifications are emailed to joe@xyzCo.com. After the analysis is complete, the Fortify  
Jenkins Plugin uploads the project to Fortify Software Security Center.  
node {
    stage('Get Src Code') {
        git credentialsId: '3e58c50d-cd4a-6e28-ff44-cb164dec13f2',
            url: 'https://github.xyzCo.com/MyDept/projA.git'
    }
    stage('Fortify Remote Analysis') {
        // The project type is a function call, not a map key.
        fortifyRemoteAnalysis
            remoteAnalysisProjectType: fortifyPython(pythonVersion: '3',
                pythonRequirementsFile: 'C:\\projA\\requirements.txt',
                pythonVirtualEnv: 'C:\\projA\\my_project'),
            remoteOptionalConfig: [notifyEmail: 'joe@xyzCo.com'],
            uploadSSC: [appName: 'ProjA', appVersion: '2.3Beta']
    }
}
Pipeline Steps to Translate Locally and Scan Remotely
The following table lists the available Fortify Jenkins Plugin Pipeline steps to perform local translation, remote scan, and upload to Fortify Software Security Center. Each section describes the parameters and contains examples.
Project build step: Run a local Fortify Static Code Analyzer clean. Pipeline step: "fortifyClean Step" on page 53
Project build step: Run a local Fortify Static Code Analyzer translation. Pipeline step: "fortifyTranslate Step" on page 54
Project build step: Run a remote Fortify Static Code Analyzer scan. Pipeline step: "fortifyRemoteScan Step" on page 48
Note: If any Fortify Jenkins Plugin Pipeline step in a script fails to execute, then the build fails. You can implement your own exception-catch mechanism to ignore a step failure.
The following is an example Jenkinsfile that performs the Fortify Static Code Analyzer translation for  
a Java project on the local system, uploads the project to a remote system for scanning, and then  
uploads the scan results to Fortify Software Security Center:  
node {
    stage('Fortify Clean') {
        fortifyClean buildID: 'MyJavaApp', logFile: 'MyJavaAppFortify.log'
    }
    stage('Fortify Translate') {
        fortifyTranslate buildID: 'MyJavaApp',
            logFile: 'MyJavaApp-translate.log',
            projectScanType: fortifyJava(javaSrcFiles: 'src\\main\\java\\com\\projectA',
                                         javaVersion: '11')
    }
    stage('Remote Fortify Scan Upload to SSC') {
        // scanOptions is one Groovy string; the double quotes around each
        // option are part of its value.
        fortifyRemoteScan buildID: 'MyJavaApp',
            remoteOptionalConfig: [notifyEmail: 'joe@xyzCo.com',
                                   scanOptions: '"-analyzers" "controlflow"'],
            uploadSSC: [appName: 'JavaAppA', appVersion: '3']
    }
}
The following Declarative Pipeline script has the same function as the previous example:  
pipeline {
    agent any
    stages {
        stage('Fortify Clean') {
            steps {
                fortifyClean buildID: 'MyJavaApp',
                    logFile: 'MyJavaAppFortify.log'
            }
        }
        stage('Fortify Translate') {
            steps {
                fortifyTranslate buildID: 'MyJavaApp',
                    logFile: 'MyJavaApp-translate.log',
                    projectScanType: fortifyJava(javaSrcFiles: 'src\\main\\java\\com\\projectA',
                                                 javaVersion: '11')
            }
        }
        stage('Remote Fortify Scan Upload to SSC') {
            steps {
                fortifyRemoteScan buildID: 'MyJavaApp',
                    remoteOptionalConfig: [notifyEmail: 'joe@xyzCo.com',
                                           scanOptions: '"-analyzers" "controlflow"'],
                    uploadSSC: [appName: 'JavaAppA', appVersion: '3']
            }
        }
    }
}
fortifyRemoteScan Step  
Use this step to send a locally translated project to a remote system for the scan phase.  
buildID: Required (String). A unique identifier for the analysis. Default: (none).

remoteOptionalConfig Parameters
sensorPoolUUID: Optional (String). Specifies the sensor pool to which to submit the job. Default: (none).
notifyEmail: Optional (String). Specifies the email address to which the Controller sends notifications. Default: (none).
scanOptions: Optional (String). Fortify Static Code Analyzer scan options. For descriptions of the available scan options, see the Micro Focus Fortify Static Code Analyzer User Guide. Default: (none).
Note: Enclose each option and parameter in double quotes. In the following example, two analyzers and quick scan mode are enabled for the scan: "-analyzers" "controlflow,dataflow" "-quick".
customRulepacks: Optional (String). Specifies custom rules files (*.xml) separated by spaces, or a directory that contains custom rules. Default: (none).
filterFile: Optional (String). Specifies a file used to filter out specific vulnerability categories, rules, and vulnerability instances from the analysis. For more information about filter files, see the Micro Focus Fortify Static Code Analyzer User Guide. Default: (none).

uploadSSC Parameters
appName: Required (String). Specifies an existing application name for which to store the results in Fortify Software Security Center. Default: (none).
appVersion: Required (String). Specifies an existing application version for which to store the results in Fortify Software Security Center. Default: (none).
fortifyRemoteScan Example  
The following example uploads a locally translated project with a build ID of MyAppA to the remote  
system for scanning. After the scan is complete, the Fortify Jenkins Plugin uploads the project to  
Fortify Software Security Center.  
node {
    stage('Remote Fortify Scan Upload to SSC') {
        fortifyRemoteScan buildID: 'MyAppA',
            remoteOptionalConfig: [notifyEmail: 'joe@xyzCo.com',
                                   scanOptions: '"-quick"'],
            uploadSSC: [appName: 'AppA', appVersion: 'version1']
    }
}
Pipeline Steps to Translate and Scan Locally
The following table lists the available Fortify Jenkins Plugin Pipeline steps to update Fortify security content, run a local translation, run a local scan, and upload analysis results to Fortify Software Security Center. Each section describes the parameters and contains examples.
Project build step: Update Fortify security content to use for local translation and scan. Pipeline step: "fortifyUpdate Step" on page 51
Project build step: Run a local Fortify Static Code Analyzer clean. Pipeline step: "fortifyClean Step" on page 53
Project build step: Run a local Fortify Static Code Analyzer translation. Pipeline step: "fortifyTranslate Step" on page 54
Project build step: Run a local Fortify Static Code Analyzer scan. Pipeline step: "fortifyScan Step" on page 59
Project build step: Upload local Fortify Static Code Analyzer scan results to Fortify Software Security Center. Pipeline step: "fortifyUpload Step" on page 61
Note: If any Fortify Jenkins Plugin Pipeline step in a script fails to execute, then the build fails. You can implement your own exception-catch mechanism to ignore a step failure.
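The following Scripted Pipeline is an added example, not from this guide or from the plugin's own samples. It puts two conventions from this chapter into practice: the rule that every Fortify Static Code Analyzer option and value is wrapped in double quotes inside a single Groovy string (scanOptions in fortifyRemoteScan, addOptions in fortifyScan), and the exception-catch mechanism the note above refers to, which keeps a failed scan from failing the whole build. The build ID, source path, log file names and the chosen analyzers are assumptions; the step names and parameters are the ones documented in this chapter.

```groovy
// Added example, not from the Fortify Jenkins Plugin guide or the plugin's
// own samples. Build ID, paths, log names and the chosen analyzers are
// assumptions; the step names and parameters are the ones this chapter lists.

// Every Fortify Static Code Analyzer option and its value must be wrapped in
// double quotes inside one Groovy string. Building that string from a list
// avoids the easy mistake of writing two adjacent Groovy string literals,
// which is a Groovy syntax error rather than two options.
@NonCPS
String quoteOpts(List<String> opts) {
    return opts.collect { '"' + it + '"' }.join(' ')
}

node {
    stage('Fortify Clean') {
        fortifyClean buildID: 'MyJavaApp', logFile: 'MyJavaApp-clean.log'
    }
    stage('Fortify Translate') {
        fortifyTranslate buildID: 'MyJavaApp',
            logFile: 'MyJavaApp-translate.log',
            projectScanType: fortifyJava(javaSrcFiles: 'src/main/java',
                                         javaVersion: '11')
    }
    stage('Fortify Scan') {
        // quoteOpts(...) produces: "-analyzers" "controlflow,dataflow" "-quick"
        String scanOpts = quoteOpts(['-analyzers', 'controlflow,dataflow', '-quick'])
        try {
            fortifyScan buildID: 'MyJavaApp',
                resultsFile: 'MyJavaApp.fpr',
                addOptions: scanOpts,
                logFile: 'MyJavaApp-scan.log'
        } catch (Exception err) {
            // A failing Fortify step would otherwise fail the whole build.
            // Recording it as UNSTABLE lets the remaining stages run, which
            // suits a nightly job that must still publish other artifacts.
            // Do not swallow the failure on a branch that is gated on scan results.
            currentBuild.result = 'UNSTABLE'
            echo "Fortify scan failed, build marked unstable: ${err.message}"
        }
    }
}
```

The @NonCPS annotation keeps the list-to-string helper out of the Pipeline CPS transform, which is the usual way to run plain Groovy collection code from a Jenkinsfile. Catching the exception is a deliberate trade: the job finishes, but anyone reading the build status must understand that UNSTABLE here can mean "no scan results at all", not "results with findings".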
The following is an example Jenkinsfile that updates Fortify security content, performs a complete  
Fortify analysis of a Java project, and then uploads the scan results to Fortify Software Security  
Center:  
node {
    stage('Fortify Update') {
        fortifyUpdate updateServerURL: 'https://update.fortify.com'
    }
    stage('Fortify Clean') {
        fortifyClean buildID: 'MyJavaApp', logFile: 'MyJavaAppFortify.log'
    }
    stage('Fortify Translate') {
        fortifyTranslate buildID: 'MyJavaApp',
            logFile: 'MyJavaApp-translate.log',
            projectScanType: fortifyJava(javaSrcFiles: 'src\\main\\java\\com\\projectA',
                                         javaVersion: '11')
    }
    stage('Fortify Scan') {
        fortifyScan buildID: 'MyJavaApp', resultsFile: 'MyJavaApp.fpr',
            customRulepacks: 'MyRules.xml', logFile: 'MyJavaApp-scan.log'
    }
    stage('Fortify Upload') {
        fortifyUpload appName: 'JavaAppA', appVersion: '3',
            resultsFile: 'MyJavaApp.fpr'
    }
}
The following Declarative Pipeline script has the same function as the previous example:  
pipeline {
    agent any
    stages {
        stage('Fortify Update') {
            steps {
                fortifyUpdate updateServerURL: 'https://update.fortify.com'
            }
        }
        stage('Fortify Clean') {
            steps {
                fortifyClean buildID: 'MyJavaApp',
                    logFile: 'MyJavaAppFortify.log'
            }
        }
        stage('Fortify Translate') {
            steps {
                fortifyTranslate buildID: 'MyJavaApp',
                    logFile: 'MyJavaApp-translate.log',
                    projectScanType: fortifyJava(javaSrcFiles: 'src\\main\\java\\com\\projectA',
                                                 javaVersion: '11')
            }
        }
        stage('Fortify Scan') {
            steps {
                fortifyScan buildID: 'MyJavaApp',
                    resultsFile: 'MyJavaApp.fpr',
                    customRulepacks: 'MyRules.xml',
                    logFile: 'MyJavaApp-scan.log'
            }
        }
        stage('Fortify Upload') {
            steps {
                fortifyUpload appName: 'JavaAppA', appVersion: '3',
                    resultsFile: 'MyJavaApp.fpr'
            }
        }
    }
}
fortifyUpdate Step  
Use this step to update the local copy of the Fortify security content used by the Fortify translation  
and scan steps. To connect to the Fortify Rulepack update server or the Fortify Software Security  
Center server with a proxy, you can use the proxy settings configured in Jenkins.  
updateServerURL: Optional (String). Specifies the URL for the Fortify Rulepack update server. You can download Fortify security content from Fortify Software Security Center by specifying a Fortify Software Security Center URL as the value for this parameter.
locale: Optional (String). Specifies the locale for the Fortify Rulepack. Use one of the following locale codes: English: en; Chinese (Simplified): zh_CN; Chinese (Traditional): zh_TW; Portuguese (Brazil): pt_BR; Korean: ko; Spanish: es. Default: en.
acceptKey: Optional (boolean). Specifies whether to accept the public key when updating Fortify security content from Fortify Software Security Center. Default: false.
fortifyUpdate Example  
The following example updates the Fortify security content from the Fortify Rulepack update server  
in Spanish:  
node {
    stage('Fortify Update') {
        fortifyUpdate updateServerURL: 'https://update.fortify.com', locale: 'es'
    }
}
fortifyClean Step  
Use this step to remove any temporary files from a previous scan for a specific build ID.  
buildID: Required (String). A unique identifier for the scan. Default: (none).
maxHeap: Optional (int). The maximum heap size for the JVM (-Xmx). Default: Fortify Static Code Analyzer automatically allocates memory based on the physical memory available on the system.
addJVMOptions: Optional (String). Specifies additional JVM commands. Default: (none).
debug: Optional (boolean). Specifies whether to include debug information in the Fortify Support log file. Default: false.
verbose: Optional (boolean). Specifies whether to send verbose status messages to the console and to the Fortify Support log file. Default: false.
logFile: Optional (String). Specifies the log file location and file name. Default: sca.log in the workspace directory.
fortifyClean Example  
The following example removes all the temporary files for the MyJavaApp build ID:  
node {
    stage('Fortify Clean') {
        fortifyClean buildID: 'MyJavaApp', logFile: 'MyJavaAppFortify.log'
    }
}
fortifyTranslate Step  
Use this step to translate the project source code on the local system.  
General Parameters
buildID: Required (String). A unique identifier for the analysis. Default: (none).
projectScanType: Required (String). The project scan type is one of the following: fortifyAdvanced, fortifyDevenv, fortifyDotnetSrc, fortifyGradle, fortifyJava, fortifyMaven3, fortifyMSBuild, or fortifyOther. Default: (none).
excludeList: Optional (String). Specifies a list of directories or files to exclude from translation. Default: (none).
maxHeap: Optional (int). The maximum heap size for the JVM (-Xmx). Default: Fortify Static Code Analyzer automatically allocates memory based on the physical memory available on the system.
addJVMOptions: Optional (String). Additional JVM commands. Default: (none).
debug: Optional (boolean). Specifies whether to include debug information in the Fortify Support log file. Default: false.
verbose: Optional (boolean). Specifies whether to send verbose status messages to the console and to the Fortify Support log file. Default: false.
logFile: Optional (String). Specifies the log file location and file name. Default: sca.log in the workspace directory.

fortifyDevenv and fortifyMSBuild Parameters
dotnetProject: Required (String). Specifies a solution or a project file. Default: (none).
dotnetAddOptions: Optional (String). Specifies any additional devenv or MSBuild options required for your project (for example, /t:rebuild). Default: (none).

fortifyDotnetSrc Parameters
dotnetFrameworkVersion: Required (int). Specifies the .NET framework version. Default: (none).
dotnetSrcFiles: Required (String). Specifies the location of the .NET source files. Default: (none).
dotnetLibdirs: Optional (String). Specifies a semicolon-separated list of directories where referenced system or third-party DLLs are located. Default: (none).
dotnetAddOptions: Optional (String). Specifies any additional Fortify Static Code Analyzer options for translating .NET code. Default: (none).

fortifyMaven3 Parameters
mavenInstallationName: Optional (String). Specifies the version of Maven using a name that you configured with the Jenkins Global Tool Configuration. Default: (Default), which uses the Maven executable defined by the MAVEN_HOME environment variable.
mavenOptions: Optional (String). Specifies any additional Maven options required for your project. Default: (none).

fortifyGradle Parameters
gradleInstallationName: Optional (String). Specifies the version of Gradle using a name that you configured with the Jenkins Global Tool Configuration. Default: (Default), which uses the Gradle executable defined by the GRADLE_HOME environment variable.
useWrapper: Optional (boolean). Specifies whether to use a Wrapper. Default: false.
gradleTasks: Required (String). Specifies the Gradle tasks required for your project. Default: (none).
gradleOptions: Optional (String). Specifies any additional Gradle options required for your project. Default: (none).

fortifyJava Parameters
javaSrcFiles: Required (String). Specifies the location of the Java source files. Default: (none).
javaVersion: Optional (String). Specifies the JDK version for which the Java code is written. Default: the default version defined by Fortify Static Code Analyzer (for example, in Fortify Static Code Analyzer version 20.2.0, the default JDK version is 1.8). See the Micro Focus Fortify Static Code Analyzer User Guide for more information.
javaClasspath: Optional (String). Specifies the class path as a colon- or semicolon-separated list of directories to use for analyzing Java source code. Default: (none).
javaAddOptions: Optional (String). Specifies any additional Fortify Static Code Analyzer options for translating Java code. Default: (none).

fortifyOther Parameters
otherIncludesList: Required (String). Specifies the location of the source files. Default: (none).
otherOptions: Optional (String). Specifies any additional Fortify Static Code Analyzer options required for your project. Default: (none).

fortifyAdvanced Parameters
advOptions: Required (String). Specifies all the Fortify Static Code Analyzer options that are necessary to translate the project. Default: (none).
fortifyTranslate Examples  
Specify a function name for the projectScanType parameter. The valid function names are:  
fortifyAdvanced(), fortifyDevenv(), fortifyDotnetSrc(), fortifyGradle(),  
fortifyJava(), fortifyMaven3(), fortifyMSBuild(), and fortifyOther().  
The following example translates a Java project and excludes some files from the translation:  
node {
    stage('Fortify Translate') {
        // excludeList is one Groovy string; each pattern inside it is quoted.
        fortifyTranslate buildID: 'MyJavaApp',
            excludeList: '"src\\main\\java\\com\\projectA\\command\\Config.java" "src\\main\\java\\com\\projectA\\command\\Test*.java"',
            logFile: 'MyJavaApp-translate.log',
            projectScanType: fortifyJava(javaSrcFiles: 'src\\main\\java\\com\\projectA',
                                         javaVersion: '1.8')
    }
}
The following example uses Maven to translate a Java project:  
node {
    stage('Fortify Translate') {
        fortifyTranslate buildID: 'MyJavaApp',
            excludeList: '"src\\main\\java\\com\\projectA\\command\\Config.java" "src\\main\\java\\com\\projectA\\command\\Test*.java"',
            logFile: 'MyJavaApp.log', maxHeap: '4800',
            projectScanType: fortifyMaven3(mavenOptions: 'package')
    }
}
The following example uses MSBuild to translate a .NET solution:  
node {
    stage('Fortify Translate') {
        fortifyTranslate buildID: 'MyDotNetApp',
            logFile: 'MyDotNetApp.log', maxHeap: '4800',
            projectScanType: fortifyMSBuild(dotnetProject: 'MyDotNetApp.sln',
                                            dotnetAddOptions: '/t:rebuild')
    }
}
The following example translates a Python 3 project:  
node {
    stage('Fortify Translate') {
        fortifyTranslate buildID: 'MyPythonApp',
            excludeList: '"src\\**\\Test*.py"',
            logFile: 'MyPythonApp-translate.log',
            projectScanType: fortifyAdvanced(advOptions: '"-python-version" "3" "-python-path" "C:\\Python33\\lib\\site-packages" "src\\main\\pythonApp"')
    }
}
The following example translates a JavaScript application:  
node {
    stage('Fortify Translate') {
        fortifyTranslate buildID: 'JS_App',
            logFile: 'JS_App-translate.log',
            projectScanType: fortifyOther(otherIncludesList: './**/*.js')
    }
}
fortifyScan Step  
Use this step to run a scan on all the translated files with the specific build ID.  
buildID: Required (String). A unique identifier for the scan. Default: (none).
maxHeap: Optional (number). The maximum heap size for the JVM (-Xmx). Default: Fortify Static Code Analyzer automatically allocates memory based on the physical memory available on the system.
addJVMOptions: Optional (String). Specifies additional JVM commands. Default: (none).
resultsFile: Optional (String). Specifies a name for the Fortify results file (FPR). For example, MyProjectA.fpr. Default: scan.fpr.
customRulepacks: Optional (String). Specifies custom rules (XML files). Default: (none).
addOptions: Optional (String). Specifies any additional scan options. Enclose each option and parameter in double quotes. Default: (none).
debug: Optional (boolean). Specifies whether to include debug information in the Fortify Support log file. Default: false.
verbose: Optional (boolean). Specifies whether to send verbose status messages to the console and to the Fortify Support log file. Default: false.
logFile: Optional (String). Specifies the log file location and file name. Default: sca.log in the workspace directory.
fortifyScan Example  
The following example scans the previously-translated project with the MyJavaApp build ID:  
node {
    stage('Fortify Scan') {
        fortifyScan buildID: 'MyJavaApp', resultsFile: 'MyJavaApp.fpr',
            customRulepacks: 'MyRules.xml', logFile: 'MyJavaApp-scan.log'
    }
}
fortifyUpload Step  
Use this step to upload the scan results (FPR) to Micro Focus Fortify Software Security Center. The information to connect to Fortify Software Security Center is obtained from the Fortify Assessment section in the Jenkins global settings (see "Configuring Global Settings for the Fortify Jenkins Plugin"). To connect to the Fortify Software Security Center server with a proxy, you can use the proxy settings configured in Jenkins. To view the uploaded results from Jenkins, see "Viewing Scan Results" on page 64.
appName: Required (String). Specifies the application name for which to store the results in Fortify Software Security Center. Default: (none).
appVersion: Required (String). Specifies the application version for which to store the results in Fortify Software Security Center. Default: (none).
resultsFile: Optional (String). Specifies a name for the FPR file. For example, MyProjectA.fpr. Default: if you ran a Fortify Static Code Analyzer scan, the default file is scan.fpr; otherwise the Fortify Jenkins Plugin searches "./**/*.fpr" in the workspace for the FPR file with the latest modified date.
Note: You can also upload third-party artifacts in a ZIP file. For detailed instructions about preparing the ZIP file, see the Micro Focus Fortify Software Security Center User Guide.
filterSet: Optional (String). Specifies the ID of a filter set to use when retrieving scan results for display in Jenkins. The filter set ID for Quick View is 32142c2d-3f7f-4863-a1bf-9b1e2f34d2ed and the filter set ID for Security Auditor View is a243b195-0a59-3f8b-1403-d55b7a7d78e6. Default: the default filter set configured in Fortify Software Security Center.
failureCriteria: Optional (String). Specifies a search query to use on the scan results to trigger a build status of unstable. For example, [fortify priority order]:critical. The fortifyUpload step returns the number of issues that satisfy the failure criteria. A return value of zero indicates no matches were found and the build status is not marked as unstable. Default: (none).
timeout: Optional (int). Specifies the time (in minutes) to poll Fortify Software Security Center to check if FPR processing is finished. If no value or a value of 0 is specified, polling continues until FPR processing finishes or stops due to an error. The valid values are 0–10080. Default: (none).
pollingInterval: Optional (int). Specifies the interval (in minutes) at which the Fortify Jenkins Plugin polls Fortify Software Security Center to check if FPR processing is finished. The valid values are 0–60. Default: 1.
Note: The Fortify Jenkins Plugin polls until the processing is complete or the amount of time specified for timeout is reached. The pollingInterval must be less than the timeout value.
Important! If the FPR processing requires approval, then this step does not complete until the approval is granted through Fortify Software Security Center.
fortifyUpload Examples  
The following example uploads the Fortify scan results for the MyJavaApp project to version 3 of the  
MyJavaApp application on Fortify Software Security Center. The upload will abort if not completed  
within 15 minutes. The Fortify Jenkins Plugin will poll SSC every minute (default) to determine if the  
FPR processing is complete.  
node {
    stage('Fortify Upload') {
        fortifyUpload appName: 'MyJavaApp', appVersion: '3',
            resultsFile: 'MyJavaApp.fpr', timeout: '15'
    }
}
The following example uploads the Fortify scan results to version 1.2 of the MyJavaCode application  
on Fortify Software Security Center. The pipeline script reports if there are any issues in the scan  
results with a critical Fortify Priority Order.  
node {
    stage('ReportCriticals') {
        // In a Scripted Pipeline the return value is used directly; the
        // steps and script blocks belong only to Declarative Pipeline syntax.
        def criticalCount = fortifyUpload(appName: 'MyJavaCode', appVersion: '1.2',
            failureCriteria: '[fortify priority order]:Critical')
        if (criticalCount > 0) {
            echo "Detected ${criticalCount} critical vulnerabilities"
        }
    }
}
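The following Declarative Pipeline is an added example, not from this guide or from the plugin's own samples. It uses the count that fortifyUpload returns for the failureCriteria query as a hard quality gate: the plugin itself only marks the build unstable when the criteria match, so the script fails the build explicitly to keep a later deploy stage from running. It also sets timeout and pollingInterval together, with the interval below the timeout as the table above requires. The application name, version, results file name and polling values are assumptions; the parameters and the return-value behaviour are the ones documented in the fortifyUpload table.

```groovy
// Added example, not from the Fortify Jenkins Plugin guide or the plugin's
// own samples. Application name, version, file name and the polling values
// are assumptions; the parameters are the ones the fortifyUpload table lists.
pipeline {
    agent any
    stages {
        stage('Fortify Upload') {
            steps {
                script {
                    // fortifyUpload blocks until Fortify Software Security
                    // Center finishes processing the FPR (or, if processing
                    // requires approval, until it is approved there), polling
                    // every 2 minutes for at most 30 minutes. pollingInterval
                    // must stay below timeout.
                    def criticalCount = fortifyUpload(
                        appName: 'MyJavaApp', appVersion: '3',
                        resultsFile: 'MyJavaApp.fpr',
                        failureCriteria: '[fortify priority order]:critical',
                        timeout: 30, pollingInterval: 2)
                    echo "Fortify Software Security Center reports ${criticalCount} critical issue(s)"
                    if (criticalCount > 0) {
                        // The plugin only sets UNSTABLE when the criteria match.
                        // Failing the build here stops the pipeline before the
                        // deploy stage, which is the behaviour a gate needs.
                        error "Fortify gate: ${criticalCount} critical issue(s) in MyJavaApp version 3"
                    }
                }
            }
        }
        stage('Deploy') {
            steps {
                echo 'Reached only when the upload reported no critical issues'
            }
        }
    }
}
```

Because the gate reads the issue count after Fortify Software Security Center has finished processing, it reflects the audited state of the application version (issues audited as Not an Issue are not counted by the priority-order query in the same way as open ones), so the same query can be reused across builds without tracking FPR files in Jenkins.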
Chapter 5: Viewing Scan Results  
When you perform the Fortify analysis on the local system and if you uploaded Micro Focus Fortify  
Static Code Analyzer results to Micro Focus Fortify Software Security Center, you can view a security  
vulnerability graph for your project and a summary of the issues from Jenkins.  
Note: When an analysis is performed on a remote system and you uploaded the Fortify Static  
Code Analyzer results to Fortify Software Security Center, you can view the results in Fortify  
Software Security Center.  
This section contains the following topics: "Security Vulnerability Graph for your Project" and "Viewing Issues".
Security Vulnerability Graph for your Project  
The project page displays a Normalized Vulnerability Score (NVS) graph. The NVS is a normalized  
score that gives you an estimate of the security vulnerability of your project.  
The Fortify Jenkins Plugin calculates the NVS with the following formula:  
NVS = ((CFPO * 10) + (HFPO * 5) + (MFPO * 1) + (LFPO * 0.1)) * 0.5 +  
((P1 * 2) + (P2 * 4) + (P3 * 16) + (PABOVE *64)) * 0.5  
where:
CFPO = Number of critical vulnerabilities (unless audited as Not an Issue)
HFPO = Number of high vulnerabilities (unless audited as Not an Issue)
MFPO = Number of medium vulnerabilities (unless audited as Not an Issue)
LFPO = Number of low vulnerabilities (unless audited as Not an Issue)
and:
- PABOVE = Exploitable
- P3 = Suspicious
- P2 = Bad practice
- P1 = Reliability issue
The total issues count is not especially useful. For example, if Application A has no critical issues and  
ten low issues, the total issue count is ten. If Application B has five critical issues and no low issues,  
the total issue count is five. These values might mislead you to think that Application B is less  
vulnerable than Application A, when it is not.  
The NVS calculated for the two example applications provides a different picture (simplified equation):
- Application A: NVS = 0*10 + 10*0.1 = 1
- Application B: NVS = 5*10 + 0*0.1 = 50
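The following added example (not part of the plugin or this guide) applies the full NVS formula above, including the 0.5 weighting and the audit term that the simplified equation omits, to constructed issue records for Application A and Application B. It assumes each record carries its Fortify Priority Order folder and, optionally, the SSC analysis tag it was audited with; an issue audited as Not an Issue is dropped from the CFPO..LFPO counts, and an issue audited as Exploitable, Suspicious, Bad practice or Reliability issue is counted in both the priority term and the audit term.

```python
# Added example: NVS computation over constructed issue records (not plugin code).
FPO_WEIGHTS = {"Critical": 10, "High": 5, "Medium": 1, "Low": 0.1}
# P1..PABOVE buckets keyed by the SSC analysis tag named in the guide.
AUDIT_WEIGHTS = {"Reliability issue": 2, "Bad practice": 4,
                 "Suspicious": 16, "Exploitable": 64}


def aggregate(issues):
    """Count issues per priority folder and per audit bucket.

    Issues audited as Not an Issue are excluded from both counts,
    matching the "unless audited as Not an Issue" rule of the formula.
    """
    fpo = {folder: 0 for folder in FPO_WEIGHTS}
    audit = {tag: 0 for tag in AUDIT_WEIGHTS}
    for issue in issues:
        tag = issue.get("analysis")
        if tag == "Not an Issue":
            continue
        fpo[issue["priority"]] += 1
        if tag in audit:
            audit[tag] += 1
    return fpo, audit


def nvs(issues):
    """Full NVS: priority term and audit term, each weighted by 0.5."""
    fpo, audit = aggregate(issues)
    fpo_term = sum(w * fpo[k] for k, w in FPO_WEIGHTS.items())
    audit_term = sum(w * audit[k] for k, w in AUDIT_WEIGHTS.items())
    return 0.5 * fpo_term + 0.5 * audit_term


def total_count(issues):
    """The plain issue count the guide warns is misleading."""
    return sum(1 for i in issues if i.get("analysis") != "Not an Issue")


# Constructed sample data: Application A has ten low issues, Application B
# has five critical issues plus one critical issue audited as Not an Issue.
APP_A = [{"priority": "Low"} for _ in range(10)]
APP_B = [{"priority": "Critical"} for _ in range(5)] + [
    {"priority": "Critical", "analysis": "Not an Issue"}]

if __name__ == "__main__":
    for name, app in (("Application A", APP_A), ("Application B", APP_B)):
        print(f"{name}: total issues={total_count(app)}, NVS={nvs(app)}")
```

With the 0.5 weighting applied, the two applications score 0.5 and 25 rather than the 1 and 50 of the simplified equation; the ordering, which is the point of the comparison, is unchanged.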
Viewing Issues  
To see the issues for a Fortify Static Code Analyzer analysis that you have uploaded to Micro Focus  
Fortify Software Security Center, open your job in Jenkins and click Fortify Assessment on the left.  
The interactive List of Fortify SSC issues page displays the Summary and Issues breakdown by  
Priority Order tables.  
The Summary table shows the difference in the number of issues in different categories between the  
two most recent builds. A blue arrow next to a value indicates that the number in that category has  
decreased, and a red arrow indicates that the number in that category has increased.  
The Issues breakdown by Priority Order table shows detailed information about the issues for the  
specified location and category in each priority folder. Wait for the table to load. If the data load takes  
longer than expected, you might need to refresh the browser window.  
By default, you see the critical issues first. To see all issues, select the All tab.  
Note: The more issues a page shows, the longer it takes to load. Fortify recommends that you not  
use the All tab for large projects.  
The first and the second columns show the file name and line number of the issue and the full path to  
this file. The last column displays the category of each vulnerability.  
By default, issues are sorted by primary location. To organize them by category, click the Category  
column header.  
To see more details about or to audit a specific issue, click the file name in the first column. The link  
takes you directly to the details for that issue on the Fortify Software Security Center server. If you  
are not logged in to Fortify Software Security Center, you are prompted to log in.  
Configuring the Number of Issues Displayed on a Page
By default, the page displays up to 50 issues. To navigate to all the issues, use Next>> and  
<<Previous on the top and bottom of the table. To increase the maximum number of issues displayed  
to 100 per page, from the 50 | 100 | All section at the bottom of the page, click 100.  
To control the number of issues shown on a page from the Configure System page:
- In the Fortify Assessment section, change the value in the Maximum issues per page box.
Send Documentation Feedback  
If you have comments about this document, you can contact the documentation team by email.  
Note: If you are experiencing a technical issue with our product, do not email the documentation  
team. Instead, contact Micro Focus Fortify Customer Support at  
https://www.microfocus.com/support so they can assist you.  
If an email client is configured on this computer, click the link above to contact the documentation  
team and an email window opens with the following information in the subject line:  
Feedback on User Guide (Fortify Jenkins Plugin 22.1)  
Just add your feedback to the email and click send.  
If no email client is available, copy the information above to a new message in a web mail client, and  
send your feedback to fortifydocteam@microfocus.com.  
We appreciate your feedback!  