This Fortify SSC parser plugin allows for importing scan results from OWASP Dependency Check.
- Downloads:
Beta versions may be unstable or non-functional. The*-licenseReport.zipand*-dependencySources.zipfiles are for informational purposes only and do not need to be downloaded.- Release versions: https://bintray.com/package/files/fortify-ps/binaries/fortify-ssc-parser-owasp-dependency-check-release?order=desc&sort=fileLastModified&basePath=&tab=files
- Beta versions: https://bintray.com/package/files/fortify-ps/binaries/fortify-ssc-parser-owasp-dependency-check-beta?order=desc&sort=fileLastModified&basePath=&tab=files
- Sample input files: sampleData
- GitHub: https://github.com/fortify-ps/fortify-ssc-parser-owasp-dependency-check
- Automated builds: https://travis-ci.com/fortify-ps/fortify-ssc-parser-owasp-dependency-check
- OWASP Dependency Check website: https://owasp.org/www-project-dependency-check/
The following sections describe how to install and use the plugin. For generic information about how to install and use SSC parser plugins, please see the Fortify SSC documentation.
- Obtain the plugin binary jar file
- Either download from Bintray (see Related Links)
- Or by building yourself (see Information for plugin developers)
- If you already have another version of the plugin installed, first uninstall the plugin by following the steps in Plugin Uninstall
- In Fortify Software Security Center:
- Navigate to Administration->Plugins->Parsers
- Click the
NEWbutton - Accept the warning
- Upload the plugin jar file
- Enable the plugin by clicking the
ENABLEbutton
- In Fortify Software Security Center:
- Navigate to Administration->Plugins->Parsers
- Select the parser plugin that you want to uninstall
- Click the
DISABLEbutton - Click the
REMOVEbutton
Please see the OWASP Dependency Check documentation for details on scanning applications and generating reports. Note that the SSC parser plugin requires the uploaded reports to be in JSON format.
SSC web interface (manual upload):
- Navigate to the Artifacts tab of your application version
- Click the
UPLOADbutton - Click the
ADD FILESbutton, and select the JSON file to upload - Enable the
3rd party resultscheck box - Select the
OWASP_DEPCHECKtype
SSC clients (FortifyClient, Maven plugin, ...):
- Generate a scan.info file containing a single line as follows:
engineType=OWASP_DEPCHECK - Generate a zip file containing the following:
- The scan.info file generated in the previous step
- The JSON file containing scan results
- Upload the zip file generated in the previous step to SSC
- Using any SSC client, for example FortifyClient
- Similar to how you would upload an FPR file
The following sections provide information that may be useful for developers of this parser plugin.
This project uses Lombok. In order to have your IDE compile this project without errors, you may need to add Lombok support to your IDE. Please see https://projectlombok.org/setup/overview for more information.
It is strongly recommended to build this project using the included Gradle Wrapper scripts; using other Gradle versions may result in build errors and other issues.
The Gradle build uses various helper scripts from https://github.com/fortify-ps/gradle-helpers; please refer to the documentation and comments in included scripts for more information.
All commands listed below use Linux/bash notation; adjust accordingly if you are running on a different platform. All commands are to be executed from the main project directory.
./gradlew tasks --all: List all available tasks- Build: (plugin binary will be stored in
build/libs)./gradlew clean build: Clean and build the project./gradlew build: Build the project without cleaning./gradlew dist: Build distribution zip
- Version management:
./gradlew printProjectVersion: Print the current version./gradlew startSnapshotBranch -PnextVersion=2.0: Start a new snapshot branch for an upcoming2.0version./gradlew releaseSnapshot: Merge the changes from the current branch to the master branch, and create release tag
./fortify-scan.sh: Run a Fortify scan; requires Fortify SCA to be installed
Note that the version management tasks operate only on the local repository; you will need to manually push any changes (including tags and branches) to the remote repository.
The various version-related Gradle tasks assume the following versioning methodology:
- The
masterbranch is only used for creating tagged release versions - A branch named
<version>-SNAPSHOTcontains the current snapshot state for the upcoming release - Optionally, other branches can be used to develop individual features, perform bug fixes, ...
- However, note that the Gradle build may be unable to identify a correct version number for the project
- As such, only builds from tagged versions or from a
<version>-SNAPSHOTbranch should be published to a Maven repository
Travis-CI builds are automatically triggered when there is any change in the project repository,
for example due to pushing changes, or creating tags or branches. If applicable, binaries and related
artifacts are automatically published to Bintray using the bintrayUpload task:
- Building a tagged version will result in corresponding release version artifacts to be published
- Building a branch named
<version>-SNAPSHOTwill result in corresponding beta version artifacts to be published - No artifacts will be deployed for any other build, for example when Travis-CI builds the
masterbranch
See the Related Links section for the relevant Travis-CI and Bintray links.
See LICENSE.TXT