fortifyExecuteScan¶
This BETA step executes a Fortify scan on the specified project to perform static code analysis and check the source code for security flaws.
Description¶
This step executes a Fortify scan on the specified project to perform static code analysis and check the source code for security flaws.
The Fortify step triggers a scan locally on your Jenkins within a docker container so finally you have to supply a docker image with a Fortify SCA and Java plus Maven or alternatively Python installed into it for being able to perform any scans.
DISCLAIMER: The step has not yet been tested on a wide variaty of projects, and is therefore considered of BETA quality.
Usage¶
We recommend to define values of step parameters via config.yml file. In this case, calling the step is reduced to one simple line.
Calling the step can be done either via the Jenkins library step or on the command line.
Jenkins pipelines¶
fortifyExecuteScan script: this
Command line¶
piper fortifyExecuteScan
Outputs¶
| Output type | Details |
|---|---|
| influx | measurement fortify_data
|
Parameters¶
Overview¶
Details¶
apiEndpoint¶
Fortify SSC endpoint used for uploading the scan results and checking the audit state
| Scope | Details |
|---|---|
| Aliases | fortifyApiEndpoint |
| Type | string |
| Mandatory | no |
| Default | /api/v1 |
| Secret | no |
| Configuration scope |
|
| Resource references | none |
artifactUrl¶
Path/URL pointing to an additional artifact repository for resolution of additional artifacts during the build
| Scope | Details |
|---|---|
| Aliases | - |
| Type | string |
| Mandatory | no |
| Default | $PIPER_artifactUrl (if set) |
| Secret | no |
| Configuration scope |
|
| Resource references | none |
authToken¶
The FortifyToken to use for authentication
| Scope | Details |
|---|---|
| Aliases | - |
| Type | string |
| Mandatory | yes |
| Default | $PIPER_authToken (if set) |
| Secret | yes |
| Configuration scope |
|
| Resource references | none |
autoCreate¶
Whether Fortify project and project version shall be implicitly auto created in case they cannot be found in the backend
| Scope | Details |
|---|---|
| Aliases | - |
| Type | bool |
| Mandatory | no |
| Default | false |
| Possible values | - true- false |
| Secret | no |
| Configuration scope |
|
| Resource references | none |
autodetectClasspath¶
Whether the classpath is automatically determined via build tool i.e. maven or pip or not at all
| Scope | Details |
|---|---|
| Aliases | - |
| Type | bool |
| Mandatory | no |
| Default | true |
| Possible values | - true- false |
| Secret | no |
| Configuration scope |
|
| Resource references | none |
buildDescriptorFile¶
Path to the build descriptor file addressing the module/folder to be scanned. Defaults are for buildTool=maven: ./pom.xml, buildTool=pip: ./setup.py.
| Scope | Details |
|---|---|
| Aliases | - |
| Type | string |
| Mandatory | no |
| Default | $PIPER_buildDescriptorFile (if set) |
| Secret | no |
| Configuration scope |
|
| Resource references | none |
buildTool¶
Scan type used for the step which can be 'maven', 'pip'
| Scope | Details |
|---|---|
| Aliases | - |
| Type | string |
| Mandatory | no |
| Default | maven |
| Secret | no |
| Configuration scope |
|
| Resource references | none |
commitId¶
Set the Git commit ID for identifying artifacts throughout the scan.
| Scope | Details |
|---|---|
| Aliases | - |
| Type | string |
| Mandatory | no |
| Default | $PIPER_commitId (if set) |
| Secret | no |
| Configuration scope |
|
| Resource references | commonPipelineEnvironment: reference to: git/commitId |
commitMessage¶
Set the Git commit message for identifying pull request merges throughout the scan.
| Scope | Details |
|---|---|
| Aliases | - |
| Type | string |
| Mandatory | no |
| Default | $PIPER_commitMessage (if set) |
| Secret | no |
| Configuration scope |
|
| Resource references | commonPipelineEnvironment: reference to: git/commitMessage |
considerSuspicious¶
Whether suspicious issues should trigger the check to fail or not
| Scope | Details |
|---|---|
| Aliases | - |
| Type | bool |
| Mandatory | no |
| Default | true |
| Possible values | - true- false |
| Secret | no |
| Configuration scope |
|
| Resource references | none |
containerCommand¶
Jenkins-specific: Used for proper environment setup.
Kubernetes only: Allows to specify start command for container created with dockerImage parameter to overwrite Piper default (/usr/bin/tail -f /dev/null).
| Scope | Details |
|---|---|
| Aliases | - |
| Type | string |
| Mandatory | no |
| Default | |
| Secret | no |
| Configuration scope |
|
| Resource references | none |
containerShell¶
Jenkins-specific: Used for proper environment setup.
Allows to specify the shell to be executed for container with containerName.
| Scope | Details |
|---|---|
| Aliases | - |
| Type | string |
| Mandatory | no |
| Default | |
| Secret | no |
| Configuration scope |
|
| Resource references | none |
deltaMinutes¶
The number of minutes for which an uploaded FPR artifact is considered to be recent and healthy, if exceeded an error will be thrown
| Scope | Details |
|---|---|
| Aliases | - |
| Type | int |
| Mandatory | no |
| Default | 5 |
| Secret | no |
| Configuration scope |
|
| Resource references | none |
dockerEnvVars¶
Jenkins-specific: Used for proper environment setup.
Environment variables to set in the container, e.g. [http_proxy: "proxy:8080"].
| Scope | Details |
|---|---|
| Aliases | - |
| Type | map[string]string |
| Mandatory | no |
| Default | |
| Secret | no |
| Configuration scope |
|
| Resource references | none |
dockerImage¶
Jenkins-specific: Used for proper environment setup.
Name of the docker image that should be used. If empty, Docker is not used and the command is executed directly on the Jenkins system.
| Scope | Details |
|---|---|
| Aliases | - |
| Type | string |
| Mandatory | no |
| Default | |
| Secret | no |
| Configuration scope |
|
| Resource references | none |
dockerName¶
Jenkins-specific: Used for proper environment setup.
Kubernetes only: Name of the container launching dockerImage. SideCar only: Name of the container in local network.
| Scope | Details |
|---|---|
| Aliases | - |
| Type | string |
| Mandatory | no |
| Default | |
| Secret | no |
| Configuration scope |
|
| Resource references | none |
dockerOptions¶
Jenkins-specific: Used for proper environment setup.
Docker options to be set when starting the container.
| Scope | Details |
|---|---|
| Aliases | - |
| Type | []string |
| Mandatory | no |
| Default | |
| Secret | no |
| Configuration scope |
|
| Resource references | none |
dockerPullImage¶
Jenkins-specific: Used for proper environment setup.
Set this to 'false' to bypass a docker image pull. Usefull during development process. Allows testing of images which are available in the local registry only.
| Scope | Details |
|---|---|
| Aliases | - |
| Type | bool |
| Mandatory | no |
| Default | false |
| Possible values | - true- false |
| Secret | no |
| Configuration scope |
|
| Resource references | none |
dockerVolumeBind¶
Jenkins-specific: Used for proper environment setup.
Volumes that should be mounted into the docker container.
| Scope | Details |
|---|---|
| Aliases | - |
| Type | map[string]string |
| Mandatory | no |
| Default | |
| Secret | no |
| Configuration scope |
|
| Resource references | none |
dockerWorkspace¶
Jenkins-specific: Used for proper environment setup.
Kubernetes only: Specifies a dedicated user home directory for the container which will be passed as value for environment variable HOME.
| Scope | Details |
|---|---|
| Aliases | - |
| Type | string |
| Mandatory | no |
| Default | |
| Secret | no |
| Configuration scope |
|
| Resource references | none |
exclude¶
A list of directories/files to be excluded from the scan. Wildcards can be used, e.g., '**/Test.java'. If translate is set, this will ignored.
| Scope | Details |
|---|---|
| Aliases | - |
| Type | []string |
| Mandatory | no |
| Default | $PIPER_exclude (if set) |
| Secret | no |
| Configuration scope |
|
| Resource references | none |
filterSetTitle¶
Title of the filter set to use for analysing the results
| Scope | Details |
|---|---|
| Aliases | - |
| Type | string |
| Mandatory | no |
| Default | SAP |
| Secret | no |
| Configuration scope |
|
| Resource references | none |
fortifyCredentialsId¶
Jenkins-specific: Used for proper environment setup.
Jenkins 'Secret text' credentials ID containing token to authenticate to Fortify SSC.
| Scope | Details |
|---|---|
| Aliases | - |
| Type | string |
| Mandatory | yes |
| Default | |
| Secret | no |
| Configuration scope |
|
| Resource references | none |
fprDownloadEndpoint¶
Fortify SSC endpoint for FPR downloads
| Scope | Details |
|---|---|
| Aliases | fortifyFprDownloadEndpoint |
| Type | string |
| Mandatory | no |
| Default | /download/currentStateFprDownload.html |
| Secret | no |
| Configuration scope |
|
| Resource references | none |
fprUploadEndpoint¶
Fortify SSC endpoint for FPR uploads
| Scope | Details |
|---|---|
| Aliases | fortifyFprUploadEndpoint |
| Type | string |
| Mandatory | no |
| Default | /upload/resultFileUpload.html |
| Secret | no |
| Configuration scope |
|
| Resource references | none |
githubApiUrl¶
Set the GitHub API URL.
| Scope | Details |
|---|---|
| Aliases | - |
| Type | string |
| Mandatory | no |
| Default | https://api.github.com |
| Secret | no |
| Configuration scope |
|
| Resource references | none |
githubToken¶
GitHub personal access token as per https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line
| Scope | Details |
|---|---|
| Aliases | - |
| Type | string |
| Mandatory | no |
| Default | $PIPER_githubToken (if set) |
| Secret | yes |
| Configuration scope |
|
| Resource references | none |
githubTokenCredentialsId¶
Jenkins-specific: Used for proper environment setup.
Jenkins 'Secret text' credentials ID containing token to authenticate to GitHub.
| Scope | Details |
|---|---|
| Aliases | - |
| Type | string |
| Mandatory | yes |
| Default | |
| Secret | no |
| Configuration scope |
|
| Resource references | none |
globalSettingsFile¶
Path to the mvn settings file that should be used as global settings file.
| Scope | Details |
|---|---|
| Aliases | maven/globalSettingsFile |
| Type | string |
| Mandatory | no |
| Default | $PIPER_globalSettingsFile (if set) |
| Secret | no |
| Configuration scope |
|
| Resource references | none |
m2Path¶
Path to the location of the local repository that should be used.
| Scope | Details |
|---|---|
| Aliases | maven/m2Path |
| Type | string |
| Mandatory | no |
| Default | $PIPER_m2Path (if set) |
| Secret | no |
| Configuration scope |
|
| Resource references | none |
memory¶
The amount of memory granted to the translate/scan executions
| Scope | Details |
|---|---|
| Aliases | - |
| Type | string |
| Mandatory | no |
| Default | -Xmx4G -Xms512M |
| Secret | no |
| Configuration scope |
|
| Resource references | none |
modulePath¶
Allows providing the path for the module to scan
| Scope | Details |
|---|---|
| Aliases | - |
| Type | string |
| Mandatory | no |
| Default | ./ |
| Secret | no |
| Configuration scope |
|
| Resource references | none |
mustAuditIssueGroups¶
Comma separated list of issue groups that must be audited completely
| Scope | Details |
|---|---|
| Aliases | - |
| Type | string |
| Mandatory | no |
| Default | Corporate Security Requirements, Audit All |
| Secret | no |
| Configuration scope |
|
| Resource references | none |
owner¶
Set the GitHub organization.
| Scope | Details |
|---|---|
| Aliases | githubOrg |
| Type | string |
| Mandatory | no |
| Default | $PIPER_owner (if set) |
| Secret | no |
| Configuration scope |
|
| Resource references | commonPipelineEnvironment: reference to: github/owner |
pollingMinutes¶
The number of minutes for which an uploaded FPR artifact''s status is being polled to finish queuing/processing, if exceeded polling will be stopped and an error will be thrown
| Scope | Details |
|---|---|
| Aliases | - |
| Type | int |
| Mandatory | no |
| Default | 30 |
| Secret | no |
| Configuration scope |
|
| Resource references | none |
projectName¶
The project used for reporting results in SSC
| Scope | Details |
|---|---|
| Aliases | fortifyProjectName |
| Type | string |
| Mandatory | no |
| Default | {{list .GroupID .ArtifactID | join "-" | trimAll "-"}} |
| Secret | no |
| Configuration scope |
|
| Resource references | none |
projectSettingsFile¶
Path to the mvn settings file that should be used as project settings file.
| Scope | Details |
|---|---|
| Aliases | maven/projectSettingsFile |
| Type | string |
| Mandatory | no |
| Default | $PIPER_projectSettingsFile (if set) |
| Secret | no |
| Configuration scope |
|
| Resource references | none |
pullRequestMessageRegex¶
Regex used to identify the PR-XXX reference within the merge commit message
| Scope | Details |
|---|---|
| Aliases | - |
| Type | string |
| Mandatory | no |
| Default | .*Merge pull request #(\\d+) from.* |
| Secret | no |
| Configuration scope |
|
| Resource references | none |
pullRequestMessageRegexGroup¶
The group number for extracting the pull request id in 'pullRequestMessageRegex'
| Scope | Details |
|---|---|
| Aliases | - |
| Type | int |
| Mandatory | no |
| Default | 1 |
| Secret | no |
| Configuration scope |
|
| Resource references | none |
pullRequestName¶
The name of the pull request branch which will trigger creation of a new version in Fortify SSC based on the master branch version
| Scope | Details |
|---|---|
| Aliases | - |
| Type | string |
| Mandatory | no |
| Default | $PIPER_pullRequestName (if set) |
| Secret | no |
| Configuration scope |
|
| Resource references | none |
pythonAdditionalPath¶
A list of additional paths which can be used in buildTool: 'pip' for customization purposes
| Scope | Details |
|---|---|
| Aliases | - |
| Type | []string |
| Mandatory | no |
| Default | - ./lib- . |
| Secret | no |
| Configuration scope |
|
| Resource references | none |
pythonInstallCommand¶
Additional install command that can be run when buildTool: 'pip' is used which allows further customizing the execution environment of the scan
| Scope | Details |
|---|---|
| Aliases | - |
| Type | string |
| Mandatory | no |
| Default | {{.Pip}} install --user . |
| Secret | no |
| Configuration scope |
|
| Resource references | none |
pythonRequirementsFile¶
The requirements file used in buildTool: 'pip' to populate the build environment with the necessary dependencies
| Scope | Details |
|---|---|
| Aliases | - |
| Type | string |
| Mandatory | no |
| Default | $PIPER_pythonRequirementsFile (if set) |
| Secret | no |
| Configuration scope |
|
| Resource references | none |
pythonRequirementsInstallSuffix¶
The suffix for the command used to install the requirements file in buildTool: 'pip' to populate the build environment with the necessary dependencies
| Scope | Details |
|---|---|
| Aliases | - |
| Type | string |
| Mandatory | no |
| Default | $PIPER_pythonRequirementsInstallSuffix (if set) |
| Secret | no |
| Configuration scope |
|
| Resource references | none |
pythonVersion¶
Python version to be used in buildTool: 'pip'
| Scope | Details |
|---|---|
| Aliases | - |
| Type | string |
| Mandatory | no |
| Default | python3 |
| Secret | no |
| Configuration scope |
|
| Resource references | none |
quickScan¶
Whether a quick scan should be performed, please consult the related Fortify documentation on JAM on the impact of this setting
| Scope | Details |
|---|---|
| Aliases | - |
| Type | bool |
| Mandatory | no |
| Default | false |
| Possible values | - true- false |
| Secret | no |
| Configuration scope |
|
| Resource references | none |
reportDownloadEndpoint¶
Fortify SSC endpoint for Report downloads
| Scope | Details |
|---|---|
| Aliases | fortifyReportDownloadEndpoint |
| Type | string |
| Mandatory | no |
| Default | /transfer/reportDownload.html |
| Secret | no |
| Configuration scope |
|
| Resource references | none |
reportTemplateId¶
Report template ID to be used for generating the Fortify report
| Scope | Details |
|---|---|
| Aliases | - |
| Type | int |
| Mandatory | no |
| Default | 18 |
| Secret | no |
| Configuration scope |
|
| Resource references | none |
reportType¶
The type of report to be generated
| Scope | Details |
|---|---|
| Aliases | - |
| Type | string |
| Mandatory | no |
| Default | PDF |
| Secret | no |
| Configuration scope |
|
| Resource references | none |
reporting¶
Influences whether a report is generated or not
| Scope | Details |
|---|---|
| Aliases | - |
| Type | bool |
| Mandatory | no |
| Default | false |
| Possible values | - true- false |
| Secret | no |
| Configuration scope |
|
| Resource references | none |
repository¶
Set the GitHub repository.
| Scope | Details |
|---|---|
| Aliases | githubRepo |
| Type | string |
| Mandatory | no |
| Default | $PIPER_repository (if set) |
| Secret | no |
| Configuration scope |
|
| Resource references | commonPipelineEnvironment: reference to: github/repository |
script¶
Jenkins-specific: Used for proper environment setup.
The common script environment of the Jenkinsfile running. Typically the reference to the script calling the pipeline step is provided with the this parameter, as in script: this. This allows the function to access the commonPipelineEnvironment for retrieving, e.g. configuration parameters.
| Scope | Details |
|---|---|
| Aliases | - |
| Type | Jenkins Script |
| Mandatory | yes |
| Default | |
| Secret | no |
| Configuration scope |
|
| Resource references | none |
serverUrl¶
Fortify SSC Url to be used for accessing the APIs
| Scope | Details |
|---|---|
| Aliases | - fortifyServerUrl- sscUrl (deprecated) |
| Type | string |
| Mandatory | yes |
| Default | $PIPER_serverUrl (if set) |
| Secret | no |
| Configuration scope |
|
| Resource references | none |
spotAuditIssueGroups¶
Comma separated list of issue groups that are spot checked and for which spotCheckMinimum audited issues are enforced
| Scope | Details |
|---|---|
| Aliases | - |
| Type | string |
| Mandatory | no |
| Default | Spot Checks of Each Category |
| Secret | no |
| Configuration scope |
|
| Resource references | none |
spotCheckMinimum¶
The minimum number of issues that must be audited per category in the Spot Checks of each Category folder to avoid an error being thrown
| Scope | Details |
|---|---|
| Aliases | - |
| Type | int |
| Mandatory | no |
| Default | 1 |
| Secret | no |
| Configuration scope |
|
| Resource references | none |
src¶
A list of source directories to scan. Wildcards can be used, e.g., 'src/main/java/**/*'. If 'translate' is set, this will ignored. The default value for buildTool: 'maven' is ['/*.xml', '/.html', '/*.jsp', '/.js', '/src/main/resources//', '/src/main/java//'], for buildTool: 'pip' it is ['./*/'].
| Scope | Details |
|---|---|
| Aliases | - |
| Type | []string |
| Mandatory | no |
| Default | $PIPER_src (if set) |
| Secret | no |
| Configuration scope |
|
| Resource references | none |
stashContent¶
Jenkins-specific: Used for proper environment setup.
Specific stashes that should be considered for the step execution.
| Scope | Details |
|---|---|
| Aliases | - |
| Type | []string |
| Mandatory | no |
| Default | - buildDescriptor- deployDescriptor- tests- opensourceConfiguration |
| Secret | no |
| Configuration scope |
|
| Resource references | none |
translate¶
Options for translate phase of Fortify. Most likely, you do not need to set this parameter. See src, exclude. If 'src' and 'exclude' are set they are automatically used. Technical details: It has to be a JSON string of list of maps with required key 'src', and optional keys 'exclude', 'libDirs', 'aspnetcore', and 'dotNetCoreVersion'
| Scope | Details |
|---|---|
| Aliases | - |
| Type | string |
| Mandatory | no |
| Default | $PIPER_translate (if set) |
| Secret | no |
| Configuration scope |
|
| Resource references | none |
updateRulePack¶
Whether the rule pack shall be updated and pulled from Fortify SSC before scanning or not
| Scope | Details |
|---|---|
| Aliases | - |
| Type | bool |
| Mandatory | no |
| Default | true |
| Possible values | - true- false |
| Secret | no |
| Configuration scope |
|
| Resource references | none |
uploadResults¶
Whether results shall be uploaded or not
| Scope | Details |
|---|---|
| Aliases | - |
| Type | bool |
| Mandatory | no |
| Default | true |
| Possible values | - true- false |
| Secret | no |
| Configuration scope |
|
| Resource references | none |
verbose¶
verbose output
| Scope | Details |
|---|---|
| Aliases | - |
| Type | bool |
| Mandatory | no |
| Default | false |
| Possible values | - true- false |
| Secret | no |
| Configuration scope |
|
| Resource references | none |
versioningModel¶
The default project versioning model used for creating the version based on the build descriptor version to report results in SSC, can be one of 'major', 'major-minor', 'semantic', 'full'
| Scope | Details |
|---|---|
| Aliases | defaultVersioningModel (deprecated) |
| Type | string |
| Mandatory | no |
| Default | major |
| Possible values | - major- major-minor- semantic- full |
| Secret | no |
| Configuration scope |
|
| Resource references | none |