Has anyone integrated Bamboo with HPE/Micro Focus Fortify? Edited

I'm wondering if anyone has integrated their Bamboo deployment with HP Fortify static code analyzer? If yes do you have any suggestions, best practices or sites with helpful information? We are a Java development shop and have a little PL/SQL too. We build our Java code with Maven. Thank you in advanced for any help you can offer.

3 answers

This widget could not be displayed.
Minh Tran Atlassian Team Apr 05, 2018

Hi @Chris Flynn, I haven't used HP Fortify static code analyzer before. Does HP Fortify static code analyzer provide a CLI tool for running? 

HP Fortify has a Maven Plugin that we used for the integration. We still have not taken on the challenge of failing the Bamboo build if HP Fortify finds any defects, but hopefully this new HP Fortify Bamboo Plugin will help with that functionality.

 

https://marketplace.atlassian.com/plugins/com.fortify.plugins.atlassian.bamboo.sca.bamboo-fortify-sca-plugin/server/overview

Minh Tran Atlassian Team Apr 06, 2018

@Chris Flynn Does HP Fortify generate any kind of reports when having any defects?

Hi @Minh Tran, You should watch the little video that comes with the plugin, it is pretty informative.

The HP Fortify scan does produce a FPR file with the scan results.

Minh Tran Atlassian Team Apr 08, 2018

Ok cool. So in that case, you can base on the scan results file to generate a JUnit Report xml file then you can use JUnit Report Parser task to parse it

You can check it out it here:

https://confluence.atlassian.com/bamboo/junit-parser-289277056.html

https://confluence.atlassian.com/bamboo/junit-parsing-in-bamboo-289277357.html

 

With this way, you can configure Bamboo to fail when there is a defect

Hi @Minh Tran -- just to follow up, I don't think the FPR file produced by the Fortify scan is in the JUnit xml format. Thank you for the help though.

This widget could not be displayed.

Hi @Chris Flynn,

It looks like the fortify code analyser can be accessed via command line. This means that you can just use a script task to invoke this tool and achieve what you want.

Their documentation explains how to achieve this. A basic command sequence can be like this.

  • builds the code using
sourceanalyzer -b <build ID> <sourcecode>
  • scans the build with
sourceanalyzer -b <build ID> -scan -f <test>.fpr
  •  Upload to server
fortifyclient.bat -url SSCServerUrl -authtoken XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX uploadFPR -file BuildID.fpr -project "MyProject" -version "MyProject v1.0.0"

Hope that helps. 

Thank you for the help. Since we use Maven to build our applications we are able to take advantage of the HP Fortify Maven Plugin. The only thing missing is the ability to fail the build due to the scan results. However, looking at the new HP Fortify Bamboo plugin it appears the plugin has resolved this problem. So we should be all set now.

Thanks again for the help.

This widget could not be displayed.

Glad you figured it out :)

Suggest an answer

Log in or Sign up to answer
Atlassian Summit 2018

Meet the community IRL

Atlassian Summit is an excellent opportunity for in-person support, training, and networking.

Learn more
Community showcase
Posted yesterday in New to Jira

Are you planning to trial, or are currently trialling Jira Software? - We want to talk to you!

Hello! I'm Rayen, a product manager at Atlassian. My team and I are working hard to improve the trial experience for Jira Software Cloud. We are interested in   talking to 20 people planning t...

64 views 1 0
Join discussion

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you