
Jenkins integration

rsenden edited this page Jun 28, 2017 · 4 revisions

Note: Screenshots have not yet been updated to reflect the name and version change from FoDBugTrackerUtility 1.1 to FortifyBugTrackerUtility 2.0, although the general concepts will still be the same.

By combining the Fortify on Demand Uploader Plugin for Jenkins and FortifyBugTrackerUtility, it is possible to set up an automated process in Jenkins that invokes an FoD scan and submits the relevant vulnerabilities to your bug tracker once the scan has been completed. This page describes one of the possible methods for setting up this use case.

Prerequisites:

In general, the process will look like this:

  • Run a normal build
  • Invoke FoD Uploader Plugin to start an FoD scan and wait until the scan has been completed
  • Using Parameterized Trigger Plugin, invoke a generic, parameterized job to run FortifyBugTrackerUtility

Generic parameterized job for running FortifyBugTrackerUtility

Once all prerequisites have been installed and configured, we will create a new, parameterized Jenkins job that invokes FortifyBugTrackerUtility to submit vulnerabilities to the bug tracker. This parameterized job defines the parameters used for invoking FortifyBugTrackerUtility, for example FoD and bug tracker connection details, the FoD Release Id, and the target bug tracker project identifier. Keep credentials out of plain string parameters: parameter values are recorded in the build history and exposed to the build step as environment variables, so FoD and bug tracker passwords or API keys should come from the Jenkins Credentials plugin (or an equivalent credentials binding) instead.

The job will have a single 'Execute Shell' or 'Execute Windows batch command' build step. Jenkins exposes the job parameters to that step as environment variables. The build step can do some processing on the job parameters if necessary (quote them and validate their format, since they are user-supplied input that ends up in a command line), and then invoke FortifyBugTrackerUtility with the correct parameters.

An example job definition can be found here: Jenkins-Config-RunFoDToJiraBugTrackerUtility.pdf.
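As an added illustration, not taken from the wiki, the linked PDF or the FortifyBugTrackerUtility project, the 'Execute Shell' build step of the generic parameterized job could look like the script below. It assumes the job exposes parameters named FOD_RELEASE_ID, BT_PROJECT_KEY, BTU_CONFIG and BTU_JAR, that FoD and bug tracker passwords reach the step through a credentials binding as FOD_PASSWORD and BT_PASSWORD rather than as plain parameters, and that the configuration file references those environment variables; the utility's option names (-configFile, -FoDReleaseId, -BugTrackerProjectKey) are placeholders to be replaced with the ones documented for the utility version you run.

```shell
#!/bin/sh
# Added example (not from the wiki or the FortifyBugTrackerUtility project):
# 'Execute Shell' build step of the generic parameterized Jenkins job.
# Parameter names (FOD_RELEASE_ID, BT_PROJECT_KEY, BTU_CONFIG, BTU_JAR,
# FOD_PASSWORD, BT_PASSWORD) and the utility's option names are assumptions;
# replace them with the ones your job and utility version actually use.

# Jenkins hands job parameters to the shell as environment variables, so a
# parameter is user-influenced input: whitelist its shape before it is
# spliced into a command line.

# FoD Release Id: a non-empty string of decimal digits, nothing else.
valid_release_id() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
    *)           return 0 ;;
  esac
}

# Bug tracker project key: Jira-style, a capital letter followed by capitals,
# digits or underscores (e.g. SEC, APP_1). Rejects spaces and shell metacharacters.
valid_project_key() {
  case "$1" in
    ''|*[!A-Z0-9_]*) return 1 ;;
    [A-Z]*)          return 0 ;;
    *)               return 1 ;;
  esac
}

main() {
  set -eu
  set +x   # never trace a step that has credentials in its environment

  # Fail early if a required parameter or credential is missing.
  : "${FOD_RELEASE_ID:?}" "${BT_PROJECT_KEY:?}" "${BTU_CONFIG:?}" "${BTU_JAR:?}"
  : "${FOD_PASSWORD:?}" "${BT_PASSWORD:?}"   # from a credentials binding, not a plain parameter

  valid_release_id "$FOD_RELEASE_ID" || { echo "invalid FOD_RELEASE_ID" >&2; exit 2; }
  valid_project_key "$BT_PROJECT_KEY" || { echo "invalid BT_PROJECT_KEY" >&2; exit 2; }
  [ -r "$BTU_CONFIG" ] || { echo "config file not readable: $BTU_CONFIG" >&2; exit 2; }
  [ -r "$BTU_JAR" ]    || { echo "utility jar not readable: $BTU_JAR" >&2; exit 2; }

  # Only non-secret values go on the command line; argv is visible to every
  # local user through ps(1). The passwords stay in the environment, which the
  # configuration file is assumed to reference (assumption about the utility).
  set -- -configFile "$BTU_CONFIG" \
         -FoDReleaseId "$FOD_RELEASE_ID" \
         -BugTrackerProjectKey "$BT_PROJECT_KEY"
  echo "Running FortifyBugTrackerUtility for release $FOD_RELEASE_ID -> $BT_PROJECT_KEY"
  exec java -jar "$BTU_JAR" "$@"
}

# JENKINS_HOME is set in every Jenkins build environment; when the file is
# sourced or run elsewhere (e.g. to test the validators) main is skipped.
if [ -n "${JENKINS_HOME:-}" ]; then
  main
fi
```

The two validators are the part worth keeping even if your parameter and option names differ: a Release Id that is not purely numeric or a project key containing `;`, `$(` or whitespace is refused before it can reach the shell or the utility, and the step fails loudly instead of silently filing nothing.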

Invoking FoD Uploader Plugin and FortifyBugTrackerUtility from regular build job

Now that we have the generic job for submitting vulnerabilities to our bug tracker, we can configure our regular build as follows:

  • Run a normal build.
  • Run 'Fortify Uploader Plugin' as a post-build action to upload the source code to FoD and start a scan. Important: The FoD Uploader Plugin will need to be configured to wait for the scan to be completed. With the current version of the Uploader Plugin, you will need to configure a polling interval in the global plugin settings.
  • Run 'Trigger parameterized build on other projects' as a post-build action (after 'Fortify Uploader Plugin') to invoke the generic FortifyBugTrackerUtility job that we set up previously.

An example job definition can be found here: Jenkins-Config-EightBall.pdf.