Using Maven to Scan Source Code for Security Vulnerabilities with HP Fortify

Overview

This is a brief tour of running security scans with version 16.20 of HP(E) Fortify Static Code Analyzer (SCA) through its Maven plugin, driven from a Jenkins job.

The scan results are .fpr files (Fortify Project Results), which are opened and audited in the desktop (native fat client) tool. A scan also leaves behind .txt files holding the arguments that were passed to sourceanalyzer (in this setup under target/fortify, for example the sca-translate-<name>-pom.txt argument file visible in the error output below). They record exactly the parameters used for the current scan and are a good starting point for customisation.

Software Prerequisites - Maven Plugin for Fortify

From the installation directory (here $HPE_Security-Fortify_SCA_and_Apps_16.20, i.e. /opt/HPE_Security/Fortify_SCA_and_Apps_16.20 on the Jenkins box used below) unzip the 'plugins\maven\maven-plugin-src.zip' file.

From the unzipped directory build and install the plugin into the local Maven repository with 'mvn install'. The plugin is then addressed by its coordinates com.hpe.security.fortify.maven.plugin:sca-maven-plugin:16.20.

Fortify 'Runtime' for the Maven Plugin

The following error means the Fortify binaries (in particular sourceanalyzer) are not on the PATH of the shell that runs the Maven build:

    [ERROR] Command exited with code 127.
    /bin/sh: 1: sourceanalyzer: not found

Add the following to the shell build step of the Jenkins job configuration (adjust the path to where Fortify is actually installed on the build agent):

    export PATH=$PATH:/opt/HPE_Security/Fortify_SCA_and_Apps_16.20/bin

If you are seeing an error like the following, the JVM that sourceanalyzer starts is being asked for an impossible heap size:

    [INFO] Executing Command: /bin/sh -c cd /root/.jenkins/workspace/fortify-e2-app-name && sourceanalyzer @/root/.jenkins/workspace/fortify-app-name/target/fortify/sca-translate-app-name-pom.txt
    Error occurred during initialization of VM
    Could not reserve enough space for 18014398509428736KB object heap

Set the JVM options for sourceanalyzer explicitly as part of the job configuration. Pick a maximum heap that actually fits in the build agent's RAM; 8000 MB was used here:

    export SCA_VM_OPTS=-Xmx8000M
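Both fixes above can be wrapped in one small function for the Jenkins shell step, so the job fails early with a readable message instead of the two errors quoted above. This is an added example, not code from the original page or from Fortify; the function name fortify_env and its arguments are assumptions, and the install path in the usage line is the one used on this page.

```shell
#!/bin/sh
# Added example: environment set-up for the Jenkins shell step that runs the
# sca-maven-plugin. Not part of the original page or of the Fortify product.
#
# fortify_env FORTIFY_HOME [HEAP_MB]
#   - appends FORTIFY_HOME/bin to PATH when sourceanalyzer is not already
#     resolvable (fixes "sourceanalyzer: not found", exit code 127)
#   - exports SCA_VM_OPTS=-Xmx<HEAP_MB>M, default 8000 as on this page
#     (fixes "Could not reserve enough space for ... object heap")
#   - returns non-zero if the binary is missing or the heap size is not a
#     whole number, so the job stops before Maven is even started
fortify_env() {
    fortify_home="$1"
    heap_mb="${2:-8000}"

    if ! command -v sourceanalyzer >/dev/null 2>&1; then
        if [ ! -x "$fortify_home/bin/sourceanalyzer" ]; then
            echo "fortify_env: $fortify_home/bin/sourceanalyzer not found or not executable" >&2
            return 1
        fi
        # Same form as the page's export, appended so system tools keep priority.
        PATH="$PATH:$fortify_home/bin"
        export PATH
    fi

    # A malformed -Xmx value would only surface later as the VM start-up error,
    # so validate it here. Only whole megabytes are accepted.
    case "$heap_mb" in
        ''|*[!0-9]*)
            echo "fortify_env: heap size must be a whole number of MB, got '$heap_mb'" >&2
            return 1 ;;
    esac
    SCA_VM_OPTS="-Xmx${heap_mb}M"
    export SCA_VM_OPTS
    return 0
}

# Usage in the Jenkins job (install location taken from this page):
#   fortify_env /opt/HPE_Security/Fortify_SCA_and_Apps_16.20 8000 || exit 1
#   mvn com.hpe.security.fortify.maven.plugin:sca-maven-plugin:16.20:translate
#   mvn com.hpe.security.fortify.maven.plugin:sca-maven-plugin:16.20:scan
```

Because the function only appends to PATH when sourceanalyzer is not already found, it is safe to call it on agents where Fortify is installed system-wide; the SCA_VM_OPTS export is applied either way, which is what you want when several agents have different amounts of memory and the value is passed in per job.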

Generating a Report

The following error is reported while generating the report if 'scan' is run without first running 'translate' (scan works on the build session that translate creates, so there is nothing to load):

    Unable to load build session with ID ""

To avoid this, always run translate before scan, for example:

    mvn com.hpe.security.fortify.maven.plugin:sca-maven-plugin:16.20:translate
    mvn com.hpe.security.fortify.maven.plugin:sca-maven-plugin:16.20:scan

To find the Fortify scan results (one .fpr per scanned module, written under that module's target/fortify directory), run something like:

    find . -type f -name "*.fpr"
    ls -l reading-interface/target/fortify/

Excluding Directories from a Fortify Scan

Use the following -D parameter with the Maven command to exclude directories (for example generated or non-production code, which would otherwise add noise to the findings) from the Fortify scan. The exclusion takes effect when sources are fed to sourceanalyzer, so pass it on the translate invocation:

    -Dfortify.sca.exclude=non-production-code
            

Fortify Merge Process

 

  1. Start with the previous sprint's scan (.fpr) and merge the new scan into it, so existing audit decisions are carried forward.
  2. Tools -> Merge Audit Projects
  3. Keep Existing Template
  4. Select 'yes' on view issues
  5. Filter Set -> change to 'Security Auditor View'
  6. Check the tabs for any issues found: critical, high, medium

Only Scan Certain Maven Modules

This is a plain Maven tip rather than a Fortify one. If only certain POM modules need scanning, use the --projects Maven parameter (short form -pl).

The next example shows only scanning the 'generated-code' and 'widget' modules of a Maven project.

mvn --projects generated-code,widget com.hpe.security.fortify.maven.plugin:sca-maven-plugin:16.20:scan
            

Don't forget to 'translate' before you run the above command.
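The three things above (translate before scan, the exclude pattern, and restricting the build to certain modules) fit naturally into one wrapper for the Jenkins job. The following is an added example and not code from the original page or from Fortify: the function names fortify_scan and run_cmd, the FORTIFY_DRY_RUN switch and the assumption that -Dfortify.sca.exclude belongs on the translate step (the point at which sources are handed to sourceanalyzer) are mine; the plugin coordinates and property name are the ones used on this page.

```shell
#!/bin/sh
# Added example (not the page's own code): always translate before scan, and
# pass an optional module list (--projects) and exclude pattern through.
# FORTIFY_DRY_RUN=1 prints the composed commands instead of running them,
# which is useful for checking the command line offline before a long scan.

PLUGIN="com.hpe.security.fortify.maven.plugin:sca-maven-plugin:16.20"

run_cmd() {
    if [ "${FORTIFY_DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# fortify_scan [MODULES] [EXCLUDE_PATTERN]
#   MODULES         comma-separated list for --projects; empty = whole build
#   EXCLUDE_PATTERN value for -Dfortify.sca.exclude; empty = exclude nothing
fortify_scan() {
    modules="$1"
    exclude="$2"
    sel=""
    excl=""
    if [ -n "$modules" ]; then
        sel="--projects $modules"
    fi
    if [ -n "$exclude" ]; then
        excl="-Dfortify.sca.exclude=$exclude"
    fi

    # Translate first: scan needs the build session that translate creates,
    # otherwise it fails with 'Unable to load build session with ID ""'.
    # The exclude pattern is applied here (assumption: translate is where
    # sources are selected), and the same module selection is used for both
    # steps so the two stay consistent. $sel/$excl are deliberately unquoted
    # so that an empty value contributes no argument; module names and
    # patterns are assumed to contain no whitespace.
    run_cmd mvn $sel $excl "$PLUGIN:translate" || return 1
    run_cmd mvn $sel "$PLUGIN:scan" || return 1

    # Results: one .fpr per scanned module under its target/fortify directory.
    run_cmd find . -type f -name '*.fpr'
}

# Examples from this page:
#   fortify_scan                                       # whole project
#   fortify_scan generated-code,widget                 # only two modules
#   fortify_scan "" non-production-code                # exclude a directory
```

Run it with FORTIFY_DRY_RUN=1 first to see the exact mvn invocations; the second line printed for `fortify_scan generated-code,widget` is the --projects scan command from the section above, now guaranteed to be preceded by a translate for the same modules.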

Automation

 

Jenkins Integration

    http://stackoverflow.com/questions/31771796/fortify-integration-with-maven-install

Resources

 

    http://stackoverflow.com/questions/10752483/generating-fortify-report-in-maven

    http://stackoverflow.com/questions/26647756/maven-fortify-plugin-unable-to-load-build-session-with-id-xxxxx-see-log-fil