
Fortify Tooling User Guide

 

Introduction

The fortify-tools container image is hosted in a shared repository in OCIR and requires a JWT to access.  The variable WF_JWT will need to be set to a valid MAT

You will want to choose one of three ways to use the Fortify SCA tooling:

  • Using the Fortify Tools Standalone to Scan a Project: for using the tooling without integration in GitLab CI or Jenkins CI.
  • Using the Fortify Tools In GitLab CI to Scan a Project: for using the tooling against a project whose code is hosted in GitLab and whose CI engine is GitLab CI.
  • Using the Fortify Tools In Jenkins CI to Scan a Project: for using the tooling against a project whose code is hosted in GitLab and whose CI engine is Jenkins CI.


Using the Fortify Tools Standalone to Scan a Project

Simple Usage

Run the Fortify Tools in a container

docker run -t --rm -v <path to project source root directory>:/var/fortify/src phx.ocir.io/oraclegbudevcorp/cn-shared/sdaas/governance/fortify-tools:latest


View Fortify Scan Results

Use the Fortify Audit Workbench desktop application (https://confluence.oraclecorp.com/confluence/display/SSAD/Fortify+Download+Instructions) to view the resultant FPR analysis file named "mybuild.fpr" in the project source root directory.

Advanced Usage

Create a Fortify scan configuration file

If you need to change the set of source files to scan or change the scan class path (in the case of Java files), place a Fortify scan configuration file in the root directory of the project source code and name the file "fortifycfg".  See the Fortify Scan Configuration File Reference.

Run the Fortify Tools in a container

docker run -t --rm -v <path to project source root directory>:/var/fortify/src -v <path to Maven repository for Maven-based projects - e.g. ~/.m2/repository>:/var/fortify/mvnrepo phx.ocir.io/oraclegbudevcorp/cn-shared/sdaas/governance/fortify-tools:latest

View Fortify Scan Results

Use the Fortify Audit Workbench desktop application (https://confluence.oraclecorp.com/confluence/display/SSAD/Fortify+Download+Instructions) to view the resultant FPR analysis file whose path is given by the "outputfile" property in the Fortify Scan Configuration File.

Using the Fortify Tools In GitLab CI to Scan a Project

Instrument the GitLab CI Build Configuration

Augment the .gitlab-ci.yml CI build configuration file in the root directory of the project source code. Two stages are required to properly set up credentials.  The source_security_analysis_prep stage (go.sh --prep) sets up the publish_user credentials at the GitLab project branch level and adds them to the project's CI variables for the security-scan analysis stage to use; the credentials are removed again after the security-scan stage completes successfully.

Additions to .gitlab-ci.yml
stages:
  - <any stage before scan>
  - security-scan-prep
  - security-scan
  - <stages after scan>
 
 
source_security_analysis_prep:
  stage: security-scan-prep
  image: phx.ocir.io/oraclegbudevcorp/cn-shared/sdaas/governance/fortify-tools:latest
  tags:
    - barnyard
  script:
    - /opt/fortify-tools/go.sh --prep
 
source_security_analysis:
  stage: security-scan
  image: phx.ocir.io/oraclegbudevcorp/cn-shared/sdaas/governance/fortify-tools:latest
  tags:
    - barnyard
  script:
    - /opt/fortify-tools/go.sh
  artifacts:
    paths:
      - mybuild.fpr
      - mybuild.fpr.lite
    expire_in: 1 day

Add an "analyze-source-security" entry to the "stages" block in .gitlab-ci.yml.  You can place the stage definition near the existing stage where you build the code and perform other static code analyses (e.g. FindBugs, PMD, etc.).

(Optional) Create a Fortify scan configuration file

If you need to change the set of source files to scan or change the scan class path (in the case of Java files), place a Fortify scan configuration file in the root directory of the project source code and name the file "fortifycfg".  See the Fortify Scan Configuration File Reference.

Trigger a GitLab CI project build

View Fortify Scan Results

There are several different ways to view the scan results:

  • Log on to Fortify SSC at https://cloudfort.us.oracle.com:8081/ssc
    • Use your Oracle SSO (email) credentials.  You will only see Fortify projects that correspond to GitLab projects in which you are registered as a member (or group member).

      Note: Users are expected to see the reports of GitLab projects for which scans have been run after the SAML authentication migration. If you are unable to view the reports of a specific project in which you are registered as a member (or group member) in GitLab, re-run the scan for that project.

  • Use the Fortify Audit Workbench desktop application (https://confluence.oraclecorp.com/confluence/display/SSAD/Fortify+Download+Instructions) to view the resultant FPR analysis file available in the build artifacts of the triggered and successfully completed build.
  • Use a browser to view the "issuesdelta.html" file available in the build artifacts of the triggered and successfully completed build.  It shows only the issues newly introduced by this build compared with a prior build that was also successfully scanned with the Fortify tooling.

In addition to the standard FPR report, "mybuild.fpr.lite" is also generated - this file contains a JSON array with details on each of the issues found during the scan.

Using the Fortify Tools In Jenkins CI to Scan a Project

Instrument the Jenkins CI Build Configuration

Augment the "node" block in the Jenkinsfile CI build configuration file in the root directory of the project source code.  You can place the stage near the existing stage where you build the code and perform other static code analyses (e.g. FindBugs, PMD, etc.).

Additions to Jenkinsfile
podTemplate(label: 'cloudplatformpod1', inheritFrom: 'dind', containers: [
    containerTemplate(name: 'fortify-tools', image: 'phx.ocir.io/oraclegbudevcorp/cn-shared/sdaas/governance/fortify-tools:latest', ttyEnabled: true, command: 'cat'),
  ]) {
  ...
  container('fortify-tools') {
    stage('Security Analysis') {
      println "Job '${env.JOB_NAME} [${env.BUILD_NUMBER}]'"
      sh "JOB_NAME=${env.JOB_NAME} BRANCH_NAME=${env.BRANCH_NAME} /opt/fortify-tools/go.sh --prep"
      withCredentials([[$class: 'UsernamePasswordMultiBinding', credentialsId: 'fortifypublish', usernameVariable: 'FORTIFY_PUBLISH_USER', passwordVariable: 'FORTIFY_PUBLISH_PASSWORD']]) {
        sh "JOB_NAME=${env.JOB_NAME} BRANCH_NAME=${env.BRANCH_NAME} FORTIFY_PUBLISH_USER=${env.FORTIFY_PUBLISH_USER} FORTIFY_PUBLISH_PASSWORD=${env.FORTIFY_PUBLISH_PASSWORD} /opt/fortify-tools/go.sh"
      }
      step([$class: 'ArtifactArchiver', artifacts: 'mybuild.fpr', fingerprint: true])
    }
  }
}

Note that the "node" image must be identified as having a "Mounted workspace" in the slave listings at Docker#CGBUDockerImagesforBuildSlaves.

(Optional) Create a Fortify scan configuration file

If you need to change the set of source files to scan or change the scan class path (in the case of Java files), place a Fortify scan configuration file in the root directory of the project source code and name the file "fortifycfg".  See the Fortify Scan Configuration File Reference.

Trigger a Jenkins CI project build

View Fortify Scan Results

There are several different ways to view the scan results:

  • Log on to Fortify SSC at https://cloudfort.us.oracle.com:8081/ssc
    • Use your Oracle SSO (email) credentials.  You will only see Fortify projects that correspond to GitLab projects in which you are registered as a member (or group member).

      Note: Users are expected to see the reports of GitLab projects for which scans have been run after the SAML authentication migration. If you are unable to view the reports of a specific project in which you are registered as a member (or group member) in GitLab, re-run the scan for that project.

  • Use the Fortify Audit Workbench desktop application (https://confluence.oraclecorp.com/confluence/display/SSAD/Fortify+Download+Instructions) to view the resultant FPR analysis file available in the build artifacts of the triggered and successfully completed build.
  • Use a browser to view the "issuesdelta.html" file available in the build artifacts of the triggered and successfully completed build.  It shows only the issues newly introduced by this build compared with a prior build that was also successfully scanned with the Fortify tooling.

In addition to the standard FPR report, "mybuild.fpr.lite" is also generated - this file contains a JSON array with details on each of the issues found during the scan.

Fortify Scan Configuration File Reference

Here is an example Fortify scan configuration file. (NOTE: The configuration below only supports scanning Java and Python source code.)

Example Fortify Scan Configuration File
{
  "variables" :
    [
      {"name" : "PROJECTDIR", "value" : {"type" : "projectdir"}},
      {"name" : "MAVENREPODIR", "value" : {"type" : "localmavenrepodir"}}
    ],
  "noextension-type" : "PYTHON",
  "classpath" :
    [
      {"pattern" : "${PROJECTDIR}/**/*.jar"},
      {"pattern" : "${MAVENREPODIR}/**/*.jar"}
    ],
  "pythonpath" :
    [
      {"pattern" : "${PROJECTDIR}/**/*.py"}
    ],
  "source" :
    [
      {"pattern" : "${PROJECTDIR}/**/*.java"},
      {"pattern" : "${PROJECTDIR}/**/*.py"},
      {"pattern" : "${PROJECTDIR}/main"}
    ],
  "outputfile" : "${PROJECTDIR}/mybuild.fpr"
}

Support for new languages in Fortify scan

The Fortify tooling can also scan the languages listed below.

C Language

To scan C source code, a configuration file (fortifycfg) like the one below has to be present in the root directory of the project.

Example Fortify Scan Configuration File
{
  "variables" :
    [ {"name" : "PROJECTDIR", "value" : {"type" : "projectdir"}}
    ],
  "cpath" :
    [ {"pattern" : "${PROJECTDIR}/**/*.c"}
    ],
  "outputfile" : "${PROJECTDIR}/mybuild.fpr"
}

CPP Language

To scan CPP source code, a configuration file (fortifycfg) like the one below has to be present in the root directory of the project.

Example Fortify Scan Configuration File
{
  "variables" :
    [ {"name" : "PROJECTDIR", "value" : {"type" : "projectdir"}}
    ],
  "cpppath" :
    [ {"pattern" : "${PROJECTDIR}/**/*.cpp"}
    ],
  "outputfile" : "${PROJECTDIR}/mybuild.fpr"
}

PHP Language

To scan PHP source code, a configuration file (fortifycfg) like the one below has to be present in the root directory of the project.

Example Fortify Scan Configuration File
{
  "variables" :
    [ {"name" : "PROJECTDIR", "value" : {"type" : "projectdir"}}
    ],
  "phppath" :
    [ {"pattern" : "${PROJECTDIR}/**/*.php"}
    ],
  "outputfile" : "${PROJECTDIR}/mybuild.fpr"
}

Fortify configuration file to scan multiple languages

To scan multiple languages together, the Fortify configuration file can combine the attributes of the individual languages.

For example, to scan Java and C source code, a configuration file (fortifycfg) like the one below has to be present in the root directory of the project.

Example Fortify Scan Configuration File
{
    "variables": [
        {"name": "PROJECTDIR", "value": {"type": "projectdir"}},
        {"name": "MAVENREPODIR", "value": {"type": "localmavenrepodir"}}
    ],
    "classpath": [
        {"pattern": "${PROJECTDIR}/**/*.jar"},
        {"pattern": "${MAVENREPODIR}/**/*.jar"}
    ],
    "cpath": [
        {"pattern": "${PROJECTDIR}/**/*.c"}
    ],
    "source": [
        {"pattern": "${PROJECTDIR}/**/*.java"}
    ],
    "outputfile": "${PROJECTDIR}/mybuild.fpr"
}

Exceptions/Restrictions

(NOTE: C is used as the example language here.)

  • If multiple path patterns are provided in the fortifycfg file, as below, then all the files present in both paths are analyzed.
  • Example Fortify Scan Configuration File
    {
        "variables": [{"name": "PROJECTDIR", "value": {"type": "projectdir"}}],
        "cpath": [{"pattern": "${PROJECTDIR}/**/*.c"},
                  {"pattern": "${PROJECTDIR}/**/**/*.c"}],
        "outputfile": "${PROJECTDIR}/mybuild.fpr"
    }

Fortify Quick Scan

If the issue count exceeds 10000, the Fortify tools fall back to a quick scan that captures only Critical and High priority issues.

Once the partner fixes those Critical and High priority issues and the issue count drops below 10000, the Fortify scan returns to the normal scan.


The contents of the file are JSON.

The configuration file contains a JSON object with the following properties; each property name is followed by a description of its value:

variables

This JSON array contains variables that can be used for string substitutions in the other parts of the configuration.

The array entries are JSON objects, each with a "name" property that has a string value and a "value" property.

The "value" property is a JSON object with a "type" property that has a string value and is one of:

projectdir - The value "/var/fortify/src"

localmavenrepodir - The value "/var/fortify/mvnrepo"

classpath

This JSON array contains the classpath for the Fortify SCA scanner.

The array entries are JSON objects, each with a "pattern" property that has a string value which is a path pattern to Java Jar or Zip files.

The pattern may contain variables in the form of "${<variable name>}".

The pattern may also include "*" as a wildcard and "**" as a directory hierarchy wildcard.

pythonpath

This JSON array contains the Python path for the Fortify SCA scanner.

The array entries are JSON objects, each with a "pattern" property that has a string value which is a path pattern to dependency python modules.

The pattern may contain variables in the form of "${<variable name>}".

The pattern may also include "*" as a wildcard and "**" as a directory hierarchy wildcard.

cpath

This JSON array contains the C path for the Fortify SCA scanner.

The array entries are JSON objects, each with a "pattern" property that has a string value which is a path pattern to C modules.

The pattern may contain variables in the form of "${<variable name>}".

The pattern may also include "*" as a wildcard and "**" as a directory hierarchy wildcard.

cpppath

This JSON array contains the CPP path for the Fortify SCA scanner.

The array entries are JSON objects, each with a "pattern" property that has a string value which is a path pattern to CPP modules.

The pattern may contain variables in the form of "${<variable name>}".

The pattern may also include "*" as a wildcard and "**" as a directory hierarchy wildcard.

phppath

This JSON array contains the PHP path for the Fortify SCA scanner.

The array entries are JSON objects, each with a "pattern" property that has a string value which is a path pattern to PHP modules.

The pattern may contain variables in the form of "${<variable name>}".

The pattern may also include "*" as a wildcard and "**" as a directory hierarchy wildcard.

source

This JSON array contains the source files for the Fortify SCA scanner.

The array entries are JSON objects, each with a "pattern" property that has a string value which is a path pattern to source files.

The pattern may contain variables in the form of "${<variable name>}".

The pattern may also include "*" as a wildcard and "**" as a directory hierarchy wildcard.

noextension-type

Specifies the file type for source files that have no file extension. The supported values are: JAVA, PYTHON.

outputfile

This string contains the name of the FPR output file for the Fortify SCA scanner.

Additional command line parameters can also be specified here, for example:

"mybuild.fpr --Dcom.fortify.sca.EnableDOMModeling=true"

The pattern may contain variables in the form of "${<variable name>}".
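As an added example (not part of this guide or the fortify-tools image), the following Python loader applies the rules in this reference to a constructed fortifycfg: it resolves the "projectdir" and "localmavenrepodir" variable types to their container paths, expands "${<variable name>}" in patterns, splits any extra command line parameters off "outputfile", rejects unknown properties, and matches "*" / "**" patterns against a constructed file list so that the overlapping-pattern case from Exceptions/Restrictions yields each file once. How the tooling itself interprets "**" is not documented here; reading it as zero or more directory levels is an assumption.

```python
import json
import re

# Variable types from the reference and the container paths they resolve to.
VARIABLE_TYPES = {"projectdir": "/var/fortify/src", "localmavenrepodir": "/var/fortify/mvnrepo"}
PATTERN_PROPERTIES = ("classpath", "pythonpath", "cpath", "cpppath", "phppath", "source")
NOEXTENSION_TYPES = ("JAVA", "PYTHON")

# Constructed sample: the overlapping-pattern case from "Exceptions/Restrictions".
SAMPLE_CFG = """{
  "variables": [{"name": "PROJECTDIR", "value": {"type": "projectdir"}}],
  "cpath": [{"pattern": "${PROJECTDIR}/**/*.c"},
            {"pattern": "${PROJECTDIR}/**/**/*.c"}],
  "outputfile": "${PROJECTDIR}/mybuild.fpr"
}"""
SAMPLE_FILES = ["/var/fortify/src/main.c", "/var/fortify/src/lib/util.c",
                "/var/fortify/src/README", "/var/fortify/mvnrepo/dep.jar"]

def load_fortifycfg(text):
    """Parse fortifycfg JSON, resolve variable types and expand ${VAR} references."""
    cfg = json.loads(text)
    # Unknown variable types and undefined ${NAME} references raise KeyError instead of yielding a bad path.
    variables = {v["name"]: VARIABLE_TYPES[v["value"]["type"]] for v in cfg.pop("variables", [])}
    expand = lambda s: re.sub(r"\$\{([^}]+)\}", lambda m: variables[m.group(1)], s)
    resolved = {}
    for key, value in cfg.items():
        if key in PATTERN_PROPERTIES:
            resolved[key] = [expand(e["pattern"]) for e in value]
        elif key == "noextension-type" and value in NOEXTENSION_TYPES:
            resolved[key] = value
        elif key == "outputfile":
            # The reference allows extra command line parameters after the FPR name.
            fpr, *extra = expand(value).split()
            resolved["outputfile"], resolved["extra-args"] = fpr, extra
        else:
            raise ValueError(f"unknown property or value: {key}={value!r}")
    return resolved

def pattern_to_regex(pattern):
    """'**/' spans zero or more directory levels (assumed); '*' stays inside one path segment."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out, i = out + "(?:.*/)?", i + 3
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile("^" + out + "$")

def select_files(patterns, files):
    """Files matched by any pattern, each listed once even when patterns overlap."""
    regexes = [pattern_to_regex(p) for p in patterns]
    return sorted({f for f in files if any(r.match(f) for r in regexes)})
```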
