Has anyone integrated Bamboo with HPE/Micro Focus Fortify?

Chris Flynn
Contributor
October 12, 2017

I'm wondering if anyone has integrated their Bamboo deployment with HP Fortify static code analyzer? If yes do you have any suggestions, best practices or sites with helpful information? We are a Java development shop and have a little PL/SQL too. We build our Java code with Maven. Thank you in advanced for any help you can offer.

3 answers

1 vote
Jeyanthan I
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
April 7, 2018

Hi @Chris Flynn,

It looks like the fortify code analyser can be accessed via command line. This means that you can just use a script task to invoke this tool and achieve what you want.

Their documentation explains how to achieve this. A basic command sequence can be like this.

  • builds the code using
sourceanalyzer -b <build ID> <sourcecode>
  • scans the build with
sourceanalyzer -b <build ID> -scan -f <test>.fpr
  •  Upload to server
fortifyclient.bat -url SSCServerUrl -authtoken XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX uploadFPR -file BuildID.fpr -project "MyProject" -version "MyProject v1.0.0"

Hope that helps. 

Chris Flynn
Contributor
April 7, 2018

Thank you for the help. Since we use Maven to build our applications we are able to take advantage of the HP Fortify Maven Plugin. The only thing missing is the ability to fail the build due to the scan results. However, looking at the new HP Fortify Bamboo plugin it appears the plugin has resolved this problem. So we should be all set now.

Thanks again for the help.

Sridhar Mudhagouni
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
February 11, 2019

Hi Chris,

I am new to Fortify and trying to integrate with Bamboo, so my question is very basic, during the setup process, I have Fortify SCA and Applications installed on a Windows machine and my Bamboo is running on RHEL7 server with more than 1000 plans, so wondering do i need to installed SCA on Bamboo or do I need to install a seperate Bamboo on SCA windows server ?

I have installed Fortify SCA plugin, but it needs sce executable? confused ???

Thanks,

 

Sri

Like Chris Flynn likes this
Chris Flynn
Contributor
February 11, 2019

This might be a good question for the expert, but I think you would want to install a Bamboo Remote Agent on the Fortify Windows Machine. The Bamboo Fortify Plugin needs to know the location of your Fortify installation on the Windows machine, since it uses that installation to run Fortify scans. It should be a pretty straightforward configuration.

By using the Fortify Plugin for Bamboo it also sets a requirement for that plan that the agent it uses has to have the "Fortify" capability so it should automatically find that Windows machine Agent (assuming the Fortify installation is auto discovered during the remote agent installation.

This link has good information to start the Bamboo Remote Agent as a Windows Service:

https://confluence.atlassian.com/bamboo/additional-remote-agent-options-436044733.html#

This is the basic instructions for a remote agent:

https://confluence.atlassian.com/bamboo/bamboo-remote-agent-installation-guide-289276832.html

 

Let me know if you have any other questions or if I was not clear on some point. Good luck!

Sridhar Mudhagouni
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
February 12, 2019

Thanks Chris, I did install Bamboo Agent on the Windows machine and created a Bamboo plan but looks like i have some failures related to Fortify scan -clean

Thanks again for a quick respoonse

Sridhar Mudhagouni

Like Chris Flynn likes this
Chris Flynn
Contributor
February 13, 2019

@Sridhar Mudhagouni I'm sure you have this covered already, but make sure your Windows build server and the Bamboo server can communicate over the needed ports.

https://confluence.atlassian.com/bamkb/troubleshooting-remote-agents-216957427.html

Frederic Coene
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
March 13, 2019

Hi Sridhar,

I went through a similar process recently and although documentation of the "Fortify App for Bamboo" plugin states it creates a Bamboo local server capability (and SCA needs to be installed on the Bamboo server), this seems to be no longer true and it actually can be used with Bamboo remote agents.

Rgds,

F

 

0 votes
Jeyanthan I
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
April 7, 2018

Glad you figured it out :)

Chris Flynn
Contributor
May 8, 2018

@Jeyanthan IThank you

Like Jeyanthan I likes this
0 votes
Minh Tran
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
April 5, 2018

Hi @Chris Flynn, I haven't used HP Fortify static code analyzer before. Does HP Fortify static code analyzer provide a CLI tool for running? 

Chris Flynn
Contributor
April 6, 2018

HP Fortify has a Maven Plugin that we used for the integration. We still have not taken on the challenge of failing the Bamboo build if HP Fortify finds any defects, but hopefully this new HP Fortify Bamboo Plugin will help with that functionality.

 

https://marketplace.atlassian.com/plugins/com.fortify.plugins.atlassian.bamboo.sca.bamboo-fortify-sca-plugin/server/overview

Minh Tran
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
April 6, 2018

@Chris Flynn Does HP Fortify generate any kind of reports when having any defects?

Chris Flynn
Contributor
April 6, 2018

Hi @Minh Tran, You should watch the little video that comes with the plugin, it is pretty informative.

The HP Fortify scan does produce a FPR file with the scan results.

Minh Tran
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
April 8, 2018

Ok cool. So in that case, you can base on the scan results file to generate a JUnit Report xml file then you can use JUnit Report Parser task to parse it

You can check it out it here:

https://confluence.atlassian.com/bamboo/junit-parser-289277056.html

https://confluence.atlassian.com/bamboo/junit-parsing-in-bamboo-289277357.html

 

With this way, you can configure Bamboo to fail when there is a defect

Chris Flynn
Contributor
May 8, 2018

Hi @Minh Tran -- just to follow up, I don't think the FPR file produced by the Fortify scan is in the JUnit xml format. Thank you for the help though.

Suggest an answer

Log in or Sign up to answer
TAGS
AUG Leaders

Atlassian Community Events