How to configure Fortify SCA with Jenkin Build Server and Fortify SSC?

Software’s Required:

Centos 7 Machine with Minimum 8 GB RAM

Fortify Source Code Analyzer 16.1

Jenkin

Apache Maven 3.3.9

JDK 8

Fortify Plugin for Jenkin (Available with Fortify installer zip file)

How to configure  JAVA 8 on Centos 7?

1. Check whether there are any java versions installed on Centos 7 machine. If yes, un-install all.

rpm -aq | grep -i jdk

Output

java-1.8.0-openjdk-1.8.0.65-3.b17.el7.x86_64

java-1.7.0-openjdk-1.7.0.91-2.6.2.3.el7.x86_64

java-1.7.0-openjdk-headless-1.7.0.91-2.6.2.3.el7.x86_64

java-1.8.0-openjdk-headless-1.8.0.65-3.b17.el7.x86_64

Remove open jdk using below commands

sudo yum remove java-1.8.0-openjdk-1.8.0.65-3.b17.el7.x86_64

sudo yum remove java-1.7.0-openjdk-1.7.0.91-2.6.2.3.el7.x86_64

sudo yum remove java-1.7.0-openjdk-headless-1.7.0.91-2.6.2.3.el7.x86_64

sudo yum remove java-1.8.0-openjdk-headless-1.8.0.65-3.b17.el7.x86_64

Download JDK 8

wget --no-cookies --no-check-certificate --header "Cookie: gpw_e24=http%3A%2F%2Fwww.oracle.com%2F; oraclelicense=accept-securebackup-cookie" http://download.oracle.com/otn-pub/java/jdk/8u60-b27/jdk-8u60-linux-x64.rpm

Make the Java RPM executable

chmod +x jdk-8u60-linux-x64.rpm

Install java 8

rpm -Uvh jdk-8u60-linux-x64.rpm

Check the Java is install correctly

java -version

Output:

java version "1.8.0_60"

Java(TM) SE Runtime Environment (build 1.8.0_60-b27)

Java HotSpot(TM) 64-Bit Server VM (build 25.60-b23, mixed mode)

SET JAVA_HOME and update PATH

vi ~/.bash_profile

Add below values

export  JAVA_HOME=/usr/java/jdk1.8.0_60/

export PATH=$JAVA_HOME/bin/:$PATH

sh ~/.bash_profile

Check the Java version once again

java -version

Output:

java version "1.8.0_60"

Java(TM) SE Runtime Environment (build 1.8.0_60-b27)

Java HotSpot(TM) 64-Bit Server VM (build 25.60-b23, mixed mode)

***** Java is Configured Successfully *****

How to configure Apache Maven 3.3.9 on Centos 7 ? 

Download maven 3.3.9

wget http://www-us.apache.org/dist/maven/maven-3/3.3.9/binaries/apache-maven-3.3.9-bin.tar.gz

Extract zip file

tar -xvf apache-maven-3.3.9-bin.tar.gz

set M2_HOME and update  PATH for Maven

vi ~/.bash_profile

export M2_HOME=/softwares/apache-maven-3.3.9

export M2=$M2_HOME/bin

export PATH=$M2:$PATH

sh ~/.bash_profile

vi ~/.bash_profile

Check the maven is installed correctly.

mvn -version

Maven home: /softwares/apache-maven-3.3.9

Java version: 1.8.0_60, vendor: Oracle Corporation

Java home: /usr/java/jdk1.8.0_60/jre

Default locale: en_IE, platform encoding: UTF-8

OS name: "linux", version: "3.10.0-327.el7.x86_64", arch: "amd64", family: "unix"

***** Maven  is Configured Successfully *****

# How to install JENKINS on Centos 7 ##

Install Jenkin

sudo wget -O /etc/yum.repos.d/jenkins.repo http://pkg.jenkins-ci.org/redhat/jenkins.repo

sudo rpm --import https://jenkins-ci.org/redhat/jenkins-ci.org.key

sudo yum install jenkins

Note -Fortify  Source Code Analyzer requires more memory to scan the code.   Change the default allocated Jenkin Memory Memory

vi  /etc/sysconfig/jenkins

JENKINS_JAVA_OPTIONS="-Djava.awt.headless=true -Xmx9000M -Xms800M -Xss192M”

Start Jenkin

sudo /etc/init.d/jenkins restart  

systemctl restart jenkins.service  

Open Firewall port   

  firewall-cmd --zone=public --add-port=8080/tcp --permanent  firewall-cmd --reload

Jenkin URL

http://<Centos_7_IP_ADDR>:8080/

Get the initial password and set admin user password

cat /var/lib/jenkins/secrets/initialAdminPassword

Click on Install All Suggested Plugins.

How to Install Fortify SSC Plugin for Jenkin on Centos 7?

Refer HPE_Jenkins_Plugin_Guide_16.10.PDF for more information

How to Install GIT on Centos 7?

sudo yum install git

Change user to jenkins

sudo su jenkins -s /bin/bash

Generate SSH key for Git

ssh-keygen -t rsa

Display ssh git key

cat /var/lib/jenkins/.ssh/id_rsa.pub

Login to Git Server from Browser

Go to Profiles -- > Manage Accounts -> SSH Keys and Add key

Try to clone the git project manually using jenkin account. This will add Git server key in known host. This will also make sure that git is configured correctly.

How to Install Fortify SCA 16.10 on  Centos 7

Login as root user from command prompt.

Go to Fortify installed directory

Make the Fortify installation file executable

chmod +x HP_Fortify_SCA_and_Apps_16.10_linux_x64.run

Install Fortify

./ HP_Fortify_SCA_and_Apps_16.10_linux_x64.run

Note – Default Fortify installation Directory is /opt/HP_Fortify/HP_Fortify_SCA_and_Apps_16.10

Also, need to specify fortify license path during installation

During installation it will ask for Fortify license file path and update server. The update server location is  https://update.fortify.com

At the end of installation, it will ask for completing software/rule pack update. Say Yes.

Check whether fortify path is added in the profile file

vi ~/.bash_profile

export PATH="$PATH:/opt/HP_Fortify/HP_Fortify_SCA_and_Apps_16.10/bin"

Run the below command to check Fortify is installed correctly

sourceanalyzer -version

HPE Security Fortify Static Code Analyzer 16.10.0095 (using JVM 1.8.0_72)

All Software configurations are completed now

Lets create a Jenkin job to test it

Cd /var/lib/jenkins/

Mkdir scripts

Login to Jenkin Server using Web URL

Click on Create new job with FreeStyle Project

Go to Build and Click on Add Build Step – Choose Execute Shell.

Copy below to shell

Please not that you can use Fortify maven plugin instead of following scripts. But, Fortify maven plugin will be scanning only JAVA code. 

# Get the aliases and functions if [ -f ~/.bashrc ]; then         . ~/.bashrc fi # User specific environment and startup programs PATH=$PATH:$HOME/bin export PATH export  JAVA_HOME=/usr/java/jdk1.8.0_60 export PATH=$JAVA_HOME/bin/:$PATH export M2_HOME=/softwares/apache-maven-3.3.9 export M2=$M2_HOME/bin/ export PATH=$M2:$PATH export PATH="$PATH:/opt/HP_Fortify/HP_Fortify_SCA_and_Apps_16.10/bin" #Clean maven directory rm -rf ~/.m2/repository/ #Checkout the project git clone <<git repo URL>> #Build project cd /var/lib/jenkins/workspace/<<Project_DIR>> mvn clean mvn install mvn clean # Copy all jars from m2 folder mkdir /var/lib/jenkins/workspace/<<Project DIR>>/jars find ~/.m2 -name '*.jar' -exec cp {} /var/lib/jenkins/<<Project DIR>>/jars/ \; #Remove unwanted jars #Copy Fortify build script cd /var/lib/jenkins/workspace/<<ProjectDIR>> cp /var/lib/jenkins/scripts/Fortify.sh  /var/lib/jenkins/workspace/<<>PROJECTDIR> sh Fortify.sh

Fortify.sh file will look something like this

#!/bin/sh # Generated for the following languages: #          Java #          Java Bytecode #          Python #          SQL #          XML # ########################################################################### # DEBUG - if set to true, runs SCA in debug mode # SOURCEANALYZER - the name of the SCA executable # FPR - the name of analysis result file # BUILDID - the SCA build id # ARGFILE - the name of the argument file that's extracted and passed to SCA # BYTECODE_ARGFILE - the name of the argument file for Java Bytecode translation that's extracted and passed to SCA # MEMORY - the memory settings for SCA # LAUNCHERSWITCHES - the launcher settings that are used to invoke SCA # OLDFILENUMBER - this defines the file which contains the number of files within the project, it is automatically generated # FILENOMAXDIFF - this is the percentage of difference between the number of files which will trigger a warning by the script # ########################################################################### DEBUG=false SOURCEANALYZER=sourceanalyzer FPR="Fortify.fpr" BUILDID="controller" ARGFILE="Fortify.sh.args" BYTECODE_ARGFILE="Fortifycontroller.sh.bytecode.args" MEMORY="-Xmx7372M -Xms400M -Xss24M " LAUNCHERSWITCHES="" OLDFILENUMBER=Fortify.sh.fileno FILENOMAXDIFF=10 ENABLE_BYTECODE=false PROJECTROOT0="/var/lib/jenkins/workspace/<<ProjectDIR>>" if [ ! -d "$PROJECTROOT0" ]; then    echo  "ERROR: This script is being run on a different machine than it was"    echo  "       generated on or the targeted project has been moved. This script is "    echo  "       configured to locate files at"    echo  "          $PROJECTROOT0"    echo  "       Please modify the \$PROJECTROOT0 variable found"    echo  "       at the top of this script to point to the corresponding directory"    echo  "       located on this machine."    exit fi if [ $DEBUG = true ]; then export LAUNCHERSWITCHES="-debug $LAUNCHERSWITCHES"; fi echo Extracting Arguments File grep "# ARGS" $0 | grep -v grep | cut -d" " -f3- | sed -e s#PROJECTROOT0_MARKER#"$PROJECTROOT0"#g   > $ARGFILE grep "# BYTECODE_ARGS" $0 | grep -v grep | cut -d" " -f3- | sed -e s#PROJECTROOT0_MARKER#"$PROJECTROOT0"#g   > $BYTECODE_ARGFILE if [ -s $BYTECODE_ARGFILE ]; then ENABLE_BYTECODE=true fi # ########################################################################### echo Cleaning previous scan artifacts $SOURCEANALYZER $MEMORY $LAUNCHERSWITCHES -b $BUILDID -clean if [ $? = 1 ] ; then echo Sourceanalzyer failed, exiting exit fi # ########################################################################### echo Translating files $SOURCEANALYZER $MEMORY $LAUNCHERSWITCHES -b $BUILDID @$ARGFILE if [ $? = 1 ] ; then echo Sourceanalzyer failed, exiting exit fi # ########################################################################### if [ $ENABLE_BYTECODE = true ]; then echo Translating Java bytecode files $SOURCEANALYZER $MEMORY $LAUNCHERSWITCHES -b $BUILDID @$BYTECODE_ARGFILE if [ $? = 1 ] ; then echo Sourceanalzyer failed, exiting exit fi fi # ########################################################################### echo Testing Difference between Translations FILENUMBER=`$SOURCEANALYZER -b $BUILDID -show-files | wc -l` if [ ! -f $OLDFILENUMBER ]; then             echo It appears to be the first time running this script, setting $OLDFILENUMBER to $FILENUMBER             echo $FILENUMBER > $OLDFILENUMBER else             OLDFILENO=`cat $OLDFILENUMBER`             DIFF=`expr $OLDFILENO "*" $FILENOMAXDIFF`             DIFF=`expr $DIFF /  100`             MAX=`expr $OLDFILENO + $DIFF`             MIN=`expr $OLDFILENO - $DIFF`             if [ $FILENUMBER -lt $MIN ] ; then SHOWWARNING=true; fi             if [ $FILENUMBER -gt $MAX ] ; then SHOWWARNING=true; fi             if [ -n "$SHOWWARNING" ] && [ "$SHOWWARNING" = true ] ; then                         echo "WARNING: The number of files has changed by over $FILENOMAXDIFF%, it is recommended"                         echo "         that this script is regenerated with the ScanWizard"             fi             echo $MAX $MIN $DIFF fi; # ########################################################################### echo Starting scan $SOURCEANALYZER $MEMORY $LAUNCHERSWITCHES -b $BUILDID -scan -f $FPR if [ $? = 1 ] ; then echo Sourceanalzyer failed, exiting exit fi # ########################################################################### echo Finished # ARGS "-source" # ARGS "1.8" # ARGS "-Dcom.fortify.sca.fileextensions.sql=PLSQL" # ARGS "-cp" # ARGS "PROJECTROOT0_MARKER/jars/*.jar # ARGS "-exclude" "PROJECTROOT0_MARKER/**/*.class" # ARGS "PROJECTROOT0_MARKER"

 Add post-build-action

• -       HPE Fortify Security Assesment
• -       Keep FPR name blank. It will take the resent one from jenkin workspace.
• -       Choose application name and application version

Note - Also, add post build action to clean the workspace.

Click on Build now. FPR Should be uploaded to Fortify SSC Server