Using Maven to Scan Source Code for Security Vulnerabilities with HP Fortify

Overview

This is a brief tour of running security scans with version 16.20 of HP Fortify.

The reports have the file type .fpr. After a scan, the desktop (native fat client) creates .txt files containing the configuration used for that scan. These list the parameters that were in effect for the current scan and provide a starting point for customization.

Software Prerequisites - Maven Plugin for Fortify

Without the Fortify Maven Plugin installed, the following error occurs:

[ERROR] Plugin com.hpe.security.fortify.maven.plugin:sca-maven-plugin:16.20 or one of its dependencies could not be resolved: Could not find artifact com.hpe.security.fortify.maven.plugin:sca-maven-plugin:jar:16.20 in central (https://repo.maven.apache.org/maven2)

To resolve this issue, install the Fortify Maven plugin into the local Maven repository.

Unzip the following file found under the Fortify installation directory:

plugins\maven\maven-plugin-src.zip

Then execute the following command to install the Fortify Maven plugin into the local Maven repository:

mvn install

If using Jenkins, make sure the Jenkins user has executed the 'mvn install' command, so that the plugin is available to jobs.

Fortify 'Runtime' for the Maven Plugin

The following error indicates that the Fortify binaries are not on the system PATH variable:

[ERROR] Command exited with code 127.
/bin/sh: 1: sourceanalyzer: not found

Add the following to the Jenkins job configuration:

export PATH=$PATH:/opt/HPE_Security/Fortify_SCA_and_Apps_16.20/bin

If you see the following error:

[INFO] Executing Command: /bin/sh -c cd /root/.jenkins/workspace/fortify-e2-app-name && sourceanalyzer @/root/.jenkins/workspace/fortify-app-name/target/fortify/sca-translate-app-name-pom.txt
Error occurred during initialization of VM
Could not reserve enough space for 18014398509428736KB object heap

then add the following to the job configuration, choosing a heap size the build node can actually provide:

export SCA_VM_OPTS=-Xmx8000M

Generating a Report

While generating the report, the following message is given if you did not execute 'translate' before 'scan':

"Unable to load build session with ID ""

To avoid this, run translate before scan, for example:

mvn com.hpe.security.fortify.maven.plugin:sca-maven-plugin:16.20:translate
mvn com.hpe.security.fortify.maven.plugin:sca-maven-plugin:16.20:scan

Then, to find the Fortify scan results, issue something like:

find . -type f -name "*.fpr"
ls -l
ls -l reading-interface/target/fortify/

Excluding Directories from a Fortify Scan

Use the following -D parameter with the Maven command to exclude directories from the Fortify scan:

-Dfortify.sca.exclude=non-production-code

Fortify Workbench (Manual) Merge Process

Start with the previous scan and merge it with a new scan.

  1. Load the previous scan.
  2. Tool -> Merge Audit Reports
  3. Keep Existing Template
  4. Select 'Yes' on view issues
  5. Filter Set -> change to 'Security Audit View'
  6. See the tabs for any issues found: critical, high, medium

Only Scan Certain Maven Modules

This is not so much a Fortify Maven tip as a plain Maven tip. If only certain POM modules need scanning, use the --projects Maven parameter.

The next example shows only scanning the 'generated-code' and 'widget' modules of a Maven project.

mvn --projects generated-code,widget com.hpe.security.fortify.maven.plugin:sca-maven-plugin:16.20:scan

Don't forget to 'translate' before you run the above command.
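As an added example (not code from these notes or from HP), the following wrapper script applies the fixes described above in one place: it puts the SCA binaries on PATH, sets SCA_VM_OPTS, always runs 'translate' before 'scan', optionally restricts the run with --projects and -Dfortify.sca.exclude, and then locates the .fpr files. The script name, the FORTIFY_HOME and MVN variables and the FORTIFY_RUN guard are assumptions.

```shell
#!/bin/sh
# Added example (not from the original notes): a Jenkins-style wrapper that
# sets PATH to the SCA binaries, sets SCA_VM_OPTS, always runs 'translate'
# before 'scan', optionally limits the run to given Maven modules and an
# exclude pattern, then lists the .fpr reports that were produced.
# FORTIFY_HOME defaults to the install path used in the notes; MVN lets a
# dry run substitute a stub for the real mvn (both variables are assumptions).

FORTIFY_HOME="${FORTIFY_HOME:-/opt/HPE_Security/Fortify_SCA_and_Apps_16.20}"
PLUGIN="com.hpe.security.fortify.maven.plugin:sca-maven-plugin:16.20"
MVN="${MVN:-mvn}"

# fortify_scan [modules] [exclude]
#   modules: comma-separated list for --projects (empty = whole reactor)
#   exclude: value for -Dfortify.sca.exclude (empty = exclude nothing)
# Returns non-zero, without scanning, if translate fails, so a missing or
# stale build session never reaches the scan step.
fortify_scan() {
    modules="$1"
    exclude="$2"
    export PATH="$PATH:$FORTIFY_HOME/bin"
    export SCA_VM_OPTS="${SCA_VM_OPTS:--Xmx8000M}"

    # Build the Maven arguments shared by both goals as positional parameters.
    set --
    if [ -n "$modules" ]; then
        set -- "$@" --projects "$modules"
    fi
    if [ -n "$exclude" ]; then
        set -- "$@" "-Dfortify.sca.exclude=$exclude"
    fi

    "$MVN" "$@" "$PLUGIN:translate" || return 1
    "$MVN" "$@" "$PLUGIN:scan" || return 1

    # The plugin writes each module's report under target/fortify/.
    find . -type f -name '*.fpr'
}

# Usage from a Jenkins job, for example:
#   FORTIFY_RUN=1 sh fortify-scan.sh generated-code,widget non-production-code
if [ "${FORTIFY_RUN:-0}" = 1 ]; then
    fortify_scan "$@"
fi
```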

Automation


Jenkins Integration

http://stackoverflow.com/questions/31771796/fortify-integration-with-maven-install

Resources


http://stackoverflow.com/questions/10752483/generating-fortify-report-in-maven

http://stackoverflow.com/questions/26647756/maven-fortify-plugin-unable-to-load-build-session-with-id-xxxxx-see-log-fil