Build better code and secure your software. Use the Micro Focus Fortify VSTS build tasks in your continuous integration builds to identify vulnerabilities in your source code.
Fortify Static Code Analyzer (SCA) is the most comprehensive set of software security analyzers that search for violations of security-specific coding rules and guidelines in a variety of languages. The SCA language technology provides rich data that enables the analyzers to pinpoint and prioritize violations so that fixes are fast and accurate. SCA produces analysis information that helps you deliver more secure software, and makes security code reviews more efficient, consistent, and complete. Its design allows you to quickly incorporate new third-party and customer-specific security rules.
Fortify on Demand delivers application security as a service, providing customers with the security testing, vulnerability management, expertise, and support needed to easily create, supplement, and expand a Software Security Assurance program. Fortify on Demand static assessments consist of a Fortify SCA scan performed and audited by our team of security experts. Fortify on Demand dynamic assessments mimic real-world hacking techniques and attacks using both automated and manual techniques to provide comprehensive analysis of complex Web applications and services. Featuring Fortify WebInspect for automated dynamic scanning, Fortify on Demand provides a full-service experience, complete with macro creation for authentication and a full audit of results by our experts to remove false positives and improve overall quality.
Fortify WebInspect is the industry leading Web application dynamic security assessment solution designed to thoroughly analyze today’s complex Web applications and Web services for security vulnerabilities. It delivers broad technology coverage, fast scanning capabilities, extensive vulnerability knowledge, and accurate Web application scanning results. Fortify WebInspect gives security professionals and security novices alike the power and knowledge to quickly identify and validate critical, high-risk security vulnerabilities in applications running in development, QA, or production.
Use the Fortify VSTS build tasks in your continuous integration builds to identify security issues in your source code.
Fortify Static Code Analyzer Installation
The Fortify Install task will automatically install and configure SCA. Users are required to prepare the VSTS agent which will run the SCA scan task with any dependencies needed to successfully build their software.
This task can:
Fortify Static Code Analyzer Assessment
The Fortify Static Code Analyzer Assessment task enables you to run SCA as a build step and passes all parameters required to perform a scan. Once the scan is complete, the scan results are available as a Fortify Project Results (FPR) file. The FPR and SCA logs can be published as build artifacts. To review the scan results, download this artifact and open it in either Fortify Audit Workbench (AWB) or Fortify Software Security Center (SSC). You can also configure the task to upload the FPR to an existing SSC server for enterprise vulnerability management.
Fortify on Demand Static Assessment
The Fortify on Demand Static Assessment task automatically submits a static scan request and uploads code to Fortify on Demand as a build step. Users can define scan settings, including scan and audit preferences, open-source component analysis, and specify third-party libraries to include. Once the scan is completed, results are made available through the Fortify on Demand portal and users are notified based on their subscription settings.
Fortify on Demand Dynamic Assessment
The Fortify on Demand Dynamic Assessment task automatically submits a dynamic scan request to Fortify on Demand as a build step. You must configure the dynamic scan settings, including the URL for the machine on which the newly-built and deployed application is hosted, in the Fortify on Demand portal. Once the scan is completed, results are made available through the Fortify on Demand portal and users are notified based on their subscription settings.
Fortify WebInspect Dynamic Assessment
The Fortify WebInspect Dynamic Assessment task automatically submits a dynamic scan request to Fortify WebInspect as a build step. Fortify WebInspect scans your Web application or Web services for vulnerabilities based on the settings specified in the Scan Settings file.
To configure the Fortify VSTS extension, you must have a good understanding of Fortify SCA and experience using SCA in standalone environments. The Fortify VSTS extension can be used with SCA version 16.11 and later. For details, see the Fortify Static Code Analyzer User Guide.
To run SCA scans in your build definitions, you must first set up a build agent pool of pre-configured agents with all the prerequisites for building the application. To prepare your agent for the build, install the required build software based on the source code of your target application, and then confirm that you can build your application on the agent.
Option A - using built-in defaults
Use the Fortify Static Code Analyzer Install build task to install SCA on the target agent(s). Perform this operation once per agent (or when upgrading). Fortify recommends that you create a build definition dedicated to setting up agents. This build step must be targeted to each agent you plan to enable within your build pool. Both the installer executable and the fortify.license file must be available via an addressable file path on the agent.
Option B - custom installation
If you want more control over your installation, you can run the SCA installer yourself on agent machines.
However you choose to install SCA, you may need to restart the agent from a new command window or restart the agent service so any changes to the executable PATH environment are visible to the agent.
Run your SCA Scan
• Add the Fortify Static Code Analyzer Assessment build step and configure it to run the scan. (For details, see the Fortify Static Code Analyzer User Guide.)
• After the application type is selected, the fields below dynamically change based on the selection.
• Choose your scan type (local or Fortify CloudScan) and fill in the required fields. (Fortify CloudScan users who authenticate with tokens, see the Troubleshooting section.)
If you export SCA logs, make sure that you select the Continue on error check box in the "Fortify Static Code Analyzer Assessment" task configuration. Otherwise, if the assessment fails, the artifact collection task does not start.
Unable to find sourceanalyzer
The agent running the scan must have SCA as part of the execution path. The SCA installer by default adds itself to the path.
If you see this error, make sure that the SCA installation location is part of the OS execution path. You may need to restart your agent to pick up changes made to the OS path.
Devenv is not found
To scan .NET projects using the Run Fortify SCA task, the agent must have a full installation of Visual Studio and devenv must be in the OS execution path. One way to do this is to launch the Developer Command Prompt and run the agent's configureAgent or runAgent scripts from there to connect to VSTS.
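The two "not found" errors above and the PATH note in the installation section share one root cause: the agent process does not see the tool on its PATH. The following pre-flight script is an added example (not part of the Fortify extension) that a Windows build agent owner can run from the same account and window the agent runs in. It reports each required tool as OK, MISSING, or RESTART AGENT, the last meaning the installer did put the directory on the machine-level PATH but the running session has not picked it up yet. The tool names come from this page; everything else (the output layout, the extension list) is this example's own choice.

```powershell
# Added example (not part of the Fortify extension): pre-flight check for a Windows
# build agent that will run the Fortify SCA Assessment task.
# Assumptions: Windows agent, PowerShell 5.1 or later, run in the agent's own session.

function Test-AgentTool {
    param(
        [Parameter(Mandatory)] [string] $Name,      # executable name, e.g. sourceanalyzer
        [Parameter(Mandatory)] [string] $Purpose    # what the build step needs it for
    )

    # Is the tool visible to THIS session (i.e. what the agent process itself sees)?
    $cmd = Get-Command $Name -CommandType Application -ErrorAction SilentlyContinue
    if ($cmd) {
        return [pscustomobject]@{ Tool = $Name; Status = 'OK'; Path = $cmd.Source; Purpose = $Purpose }
    }

    # Not on the session PATH. Check the machine-level PATH stored in the registry: if the
    # tool is there, the installer updated PATH but the agent has not been restarted yet.
    $machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';' | Where-Object { $_ }
    foreach ($dir in $machinePath) {
        foreach ($ext in '.exe', '.bat', '.cmd') {
            $candidate = Join-Path $dir ($Name + $ext)
            if (Test-Path $candidate) {
                return [pscustomobject]@{ Tool = $Name; Status = 'RESTART AGENT'; Path = $candidate; Purpose = $Purpose }
            }
        }
    }

    return [pscustomobject]@{ Tool = $Name; Status = 'MISSING'; Path = $null; Purpose = $Purpose }
}

$results = @(
    Test-AgentTool -Name 'sourceanalyzer' -Purpose 'Fortify SCA translate and scan'
    Test-AgentTool -Name 'devenv'         -Purpose '.NET / Visual Studio solution builds'
)
$results | Format-Table Tool, Status, Path, Purpose -AutoSize

# Fail loudly so a "setup agents" build definition goes red instead of silently passing.
if ($results.Status -contains 'MISSING') { exit 1 }
```

A RESTART AGENT result for sourceanalyzer means exactly what the page describes: restart the agent from a new command window or restart the agent service. A MISSING result for devenv on a machine that does have Visual Studio installed is expected when the agent was not started from the Developer Command Prompt, since that prompt is what places devenv on the PATH; start the agent's configureAgent or runAgent script from there, as described above.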
Unable to connect to SSC for upload
Make sure that your application name, version name, and service endpoint are correctly configured.
If your SSC is configured to use HTTPS, make sure that the JDK keystore within the SCA installation is configured to accept the SSC server certificate. To contact Fortify product support, go to the Micro Focus Software Support website (https://softwaresupport.softwaregrp.com).
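The keystore step above is where uploads to an HTTPS-only SSC usually break, because the JRE bundled with SCA has its own trust store and does not consult the Windows certificate store. The script below is an added example (not part of the Fortify extension or the SCA installer) showing how an agent owner can retrieve the certificate the SSC server presents, display its thumbprint so it can be confirmed with the SSC administrator before anything is trusted, and then import it with keytool. The host name, install path, and alias are placeholders. The JRE location under the SCA install (jre\bin\keytool.exe, jre\lib\security\cacerts) and the stock cacerts password changeit are assumptions about a typical installation, not facts from this page; check them against your own SCA directory.

```powershell
# Added example (not part of the Fortify extension): trust the SSC server certificate in
# the keystore of the JRE bundled with SCA so the FPR upload step can connect over HTTPS.
# Assumptions (not from this page): SCA ships a JRE at <SCA_INSTALL>\jre, its trust store is
# jre\lib\security\cacerts with the stock password 'changeit', and keytool.exe is in jre\bin.
# Run from an elevated prompt, since the keystore normally lives under Program Files.

$SscHost    = 'ssc.example.internal'                                   # placeholder
$SscPort    = 443
$ScaInstall = 'C:\Program Files\Fortify\Fortify_SCA_and_Apps_16.11'     # placeholder
$Alias      = 'ssc-server'

function Get-RemoteCertificate {
    param([Parameter(Mandatory)] [string] $HostName, [int] $Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # The validation callback accepts whatever the server presents because this step only
        # RETRIEVES the certificate. Trust is decided below, by a human comparing the thumbprint.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }
}

$cert = Get-RemoteCertificate -HostName $SscHost -Port $SscPort
Write-Host "Subject   : $($cert.Subject)"
Write-Host "Issuer    : $($cert.Issuer)"
Write-Host "Thumbprint: $($cert.Thumbprint)"
Write-Host "Expires   : $($cert.NotAfter)"

# Confirm the thumbprint out of band (e.g. with the SSC administrator) before importing.
$answer = Read-Host 'Does the thumbprint match the value provided by the SSC administrator? (y/N)'
if ($answer -ne 'y') { throw 'Thumbprint not confirmed; nothing was imported.' }

# Export the DER-encoded certificate to a temporary file for keytool.
$cerFile = Join-Path $env:TEMP 'ssc-server.cer'
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($cerFile, $der)

$keytool  = Join-Path $ScaInstall 'jre\bin\keytool.exe'
$keystore = Join-Path $ScaInstall 'jre\lib\security\cacerts'

& $keytool -importcert -noprompt -trustcacerts -alias $Alias -file $cerFile -keystore $keystore -storepass changeit
if ($LASTEXITCODE -ne 0) { throw "keytool import failed with exit code $LASTEXITCODE" }

# Verify the entry actually landed in the store the SCA upload will use.
& $keytool -list -alias $Alias -keystore $keystore -storepass changeit
Remove-Item $cerFile
```

If your SSC certificate is issued by an internal CA rather than self-signed, import that CA's certificate (obtained from your PKI team) instead of the leaf, so the trust survives routine renewal of the server certificate. Whichever you import, a later SCA upgrade replaces the bundled JRE and its cacerts file, so this step belongs in the same "set up agents" build definition that installs SCA.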
CloudScan does not work with token authentication
Manually obtain a CloudCtrlToken and paste it into the endpoint password field in VSTS (a UnifiedLoginToken cannot be used).
Create an API key pair or a personal access token
The extension connects to Fortify on Demand through the Fortify on Demand API. Authentication requires an API key and secret pair or a personal access token.
Run a Fortify on Demand static assessment
Generate a Build Server Integration (BSI) token
Within Fortify on Demand, navigate to the application release that you wish to assess, and then to the Static Scan Setup page. Configure the static assessment settings and the BSI token will be automatically generated. Make sure to save the settings.
Note that this procedure requires a user role with the Start Static Scans-Configure permission.
Configure Fortify on Demand static assessment task
Run a Fortify on Demand dynamic assessment
Configure dynamic scan settings in Fortify on Demand
Within Fortify on Demand, navigate to the application release that you wish to assess and then to the Dynamic Scan Setup page. Provide the required information for Fortify on Demand to perform a dynamic assessment, including the application's URL, assessment type, and authentication details. Make sure to save the settings and confirm that the Setup Status is marked as Valid.
Note that this procedure requires a user role with the Start Dynamic Scans-Configure permission.
Configure Fortify on Demand dynamic assessment task
VSO agent is running an outdated version of node.js
Error message: const tl = require('vsts-task-lib/task'); ^^^^^ SyntaxError: Use of const in strict mode.
Cause: The version of 'node.exe' in the VSO agent folder is earlier than 5.0. To confirm the version of node installed for the agent, search for 'node.exe' in the VSO agent folder, then run '[path to node.exe]\node -v'.
Solution: Manually update the node in the VSO agent folder to version 5.0 or later.
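The manual search described in the cause above is easy to get wrong on an agent that carries more than one copy of node.exe (for example one per agent version kept on the machine). The function below is an added example (not part of the Fortify extension) that finds every node.exe under the agent folder, runs each one with -v as the page suggests, and flags copies older than the 5.0 minimum stated above. The agent folder path is a placeholder.

```powershell
# Added example (not part of the Fortify extension): locate every node.exe under the VSO/VSTS
# agent folder and flag any copy older than 5.0, the cause of the "Use of const" error above.
# Assumption (not from this page): the agent folder path used below is a placeholder.

function Get-AgentNodeVersions {
    param(
        [Parameter(Mandatory)] [string] $AgentRoot,
        [version] $Minimum = '5.0'                      # minimum node version the task library needs
    )

    Get-ChildItem -Path $AgentRoot -Filter 'node.exe' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            # `node -v` prints e.g. "v4.8.7"; strip the leading 'v' so [version] can parse it.
            $raw = (& $_.FullName -v 2>&1 | Select-Object -First 1).ToString().Trim()
            $ver = $null
            $parsed = [version]::TryParse($raw.TrimStart('v'), [ref] $ver)

            [pscustomobject]@{
                Path    = $_.FullName
                Version = if ($parsed) { $ver } else { $raw }
                Status  = if (-not $parsed)          { 'UNKNOWN' }
                          elseif ($ver -lt $Minimum) { "TOO OLD (< $Minimum)" }
                          else                       { 'OK' }
            }
        }
}

$report = Get-AgentNodeVersions -AgentRoot 'C:\agent'     # placeholder: your VSO agent folder
$report | Format-Table Path, Version, Status -AutoSize

# Non-zero exit lets this run as a check step that fails when an outdated node.exe is present.
if ($report.Status -match 'TOO OLD') { exit 1 }
```

Replace the node.exe reported as TOO OLD with a 5.0-or-later build, keeping it at the same path so the agent continues to find it, then restart the agent as described above.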
For additional questions about Fortify on Demand, please contact a technical account manager.
Fortify WebInspect Dynamic Assessment
On the Run Fortify WebInspect Dynamic Assessment Build Definition, do the following:
For more information about the WebInspect API, refer to the API documentation at http://<hostname>:<port>/webinspect/api on the agent where WebInspect is installed. If you used the default settings when configuring the Fortify WebInspect API, you would type http://localhost:8083/webinspect/api.
Troubleshooting Fortify WebInspect