Tuesday 26 July 2016

How to configure Fortify SCA with Jenkins Build Server and Fortify SSC?

Software Required:

CentOS 7 machine with a minimum of 8 GB RAM
Fortify Source Code Analyzer 16.1
Jenkins
Apache Maven 3.3.9
JDK 8

Fortify Plugin for Jenkins (available in the Fortify installer zip file)





How to configure Java 8 on CentOS 7?

1. Check whether any Java versions are already installed on the CentOS 7 machine. If so, uninstall them all.

rpm -aq | grep -i jdk

Output

java-1.8.0-openjdk-1.8.0.65-3.b17.el7.x86_64
java-1.7.0-openjdk-1.7.0.91-2.6.2.3.el7.x86_64
java-1.7.0-openjdk-headless-1.7.0.91-2.6.2.3.el7.x86_64
java-1.8.0-openjdk-headless-1.8.0.65-3.b17.el7.x86_64

Remove OpenJDK using the commands below

sudo yum remove java-1.8.0-openjdk-1.8.0.65-3.b17.el7.x86_64
sudo yum remove java-1.7.0-openjdk-1.7.0.91-2.6.2.3.el7.x86_64
sudo yum remove java-1.7.0-openjdk-headless-1.7.0.91-2.6.2.3.el7.x86_64
sudo yum remove java-1.8.0-openjdk-headless-1.8.0.65-3.b17.el7.x86_64


Download JDK 8


wget --no-cookies --no-check-certificate --header "Cookie: gpw_e24=http%3A%2F%2Fwww.oracle.com%2F; oraclelicense=accept-securebackup-cookie" http://download.oracle.com/otn-pub/java/jdk/8u60-b27/jdk-8u60-linux-x64.rpm

Note that the download goes over plain http and --no-check-certificate disables TLS certificate checking for any https redirect, so nothing vouches for the file's integrity; compare its checksum with the value published by Oracle before installing it.

Make the Java RPM executable
chmod +x jdk-8u60-linux-x64.rpm
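Because the wget above fetches the RPM without any transport integrity, a checksum gate before rpm -Uvh is the check a practitioner would want. The functions below are an added example, not part of the original post: verify_sha256 compares a file's SHA-256 with a digest you copied from the vendor's download page, and install_rpm_checked only installs when that comparison passes. The EXPECTED_SHA256 value in the usage comment is a placeholder, not Oracle's real digest.

```shell
# Added example: refuse to install a downloaded RPM unless its SHA-256 digest
# matches the value copied from the vendor's download page.

verify_sha256() {
    # $1 = file path, $2 = expected hex digest (upper or lower case)
    # returns 0 on match, 1 on mismatch, 2 if the file is missing
    file="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "checksum mismatch for $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

install_rpm_checked() {
    # $1 = rpm path, $2 = expected digest; installs only after a successful check
    verify_sha256 "$1" "$2" || return 1
    sudo rpm -Uvh "$1"
}

# Usage (EXPECTED_SHA256 is a placeholder; replace it with the published digest):
# EXPECTED_SHA256="<sha256-from-vendor-download-page>"
# install_rpm_checked jdk-8u60-linux-x64.rpm "$EXPECTED_SHA256"
```

The digest is normalised to lower case so a value copied from a web page in either case compares equal; a mismatch prints both values so the operator can see whether the file was truncated or substituted.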


Install Java 8
rpm -Uvh jdk-8u60-linux-x64.rpm


Check that Java is installed correctly
java -version

Output:
java version "1.8.0_60"
Java(TM) SE Runtime Environment (build 1.8.0_60-b27)
Java HotSpot(TM) 64-Bit Server VM (build 25.60-b23, mixed mode)


Set JAVA_HOME and update PATH

vi ~/.bash_profile


Add the values below
export JAVA_HOME=/usr/java/jdk1.8.0_60/

export PATH=$JAVA_HOME/bin/:$PATH

source ~/.bash_profile

(Running sh ~/.bash_profile would execute the file in a child shell, so the exports would not reach the current session; source reads it into the current shell.)


Check the Java version once again
java -version

Output:
java version "1.8.0_60"
Java(TM) SE Runtime Environment (build 1.8.0_60-b27)
Java HotSpot(TM) 64-Bit Server VM (build 25.60-b23, mixed mode)


***** Java is Configured Successfully *****



How to configure Apache Maven 3.3.9 on CentOS 7?


Download Maven 3.3.9


wget http://www-us.apache.org/dist/maven/maven-3/3.3.9/binaries/apache-maven-3.3.9-bin.tar.gz

Extract the archive (the profile settings below assume it is extracted under /softwares)

tar -xvf apache-maven-3.3.9-bin.tar.gz




Set M2_HOME and update PATH for Maven

vi ~/.bash_profile

export M2_HOME=/softwares/apache-maven-3.3.9
export M2=$M2_HOME/bin
export PATH=$M2:$PATH

source ~/.bash_profile

Check that Maven is installed correctly.
mvn -version
Maven home: /softwares/apache-maven-3.3.9
Java version: 1.8.0_60, vendor: Oracle Corporation
Java home: /usr/java/jdk1.8.0_60/jre
Default locale: en_IE, platform encoding: UTF-8
OS name: "linux", version: "3.10.0-327.el7.x86_64", arch: "amd64", family: "unix"


***** Maven is Configured Successfully *****



How to install Jenkins on CentOS 7?

Install Jenkins

sudo wget -O /etc/yum.repos.d/jenkins.repo http://pkg.jenkins-ci.org/redhat/jenkins.repo
sudo rpm --import https://jenkins-ci.org/redhat/jenkins-ci.org.key
sudo yum install jenkins

Note: Fortify Source Code Analyzer needs more memory than a default Jenkins instance provides to scan code, so raise the memory allocated to Jenkins.

vi /etc/sysconfig/jenkins

JENKINS_JAVA_OPTIONS="-Djava.awt.headless=true -Xmx9000M -Xms800M -Xss192M"
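A heap larger than the machine can back ends with the kernel's OOM killer terminating Jenkins or the scan it launches, which is worth catching before the first build. The functions below are an added example, not from the original post: heap_mb extracts the -Xmx value from a JENKINS_JAVA_OPTIONS string and normalises it to MiB, check_heap_fits compares it with the physical RAM, and mem_total_mb reads that figure from /proc/meminfo. The rule that 1 GiB should stay free for the OS and other processes is an assumption chosen for the example.

```shell
# Added example: sanity-check the -Xmx in JENKINS_JAVA_OPTIONS against RAM.

heap_mb() {
    # $1 = a Java options string; prints the -Xmx value in MiB
    # returns 1 if no -Xmx is present or its unit is not recognised
    xmx=$(printf '%s\n' "$1" | tr ' ' '\n' | grep '^-Xmx' | tail -n 1 | sed 's/^-Xmx//')
    [ -n "$xmx" ] || return 1
    num=$(printf '%s' "$xmx" | sed 's/[kKmMgG]$//')
    unit=$(printf '%s' "$xmx" | sed 's/^[0-9]*//' | tr 'KMG' 'kmg')
    case "$unit" in
        g)  echo $((num * 1024)) ;;
        m)  echo "$num" ;;
        k)  echo $((num / 1024)) ;;
        "") echo $((num / 1024 / 1024)) ;;   # a bare number is bytes
        *)  return 1 ;;
    esac
}

check_heap_fits() {
    # $1 = Java options string, $2 = physical memory in MiB
    # returns 0 if -Xmx leaves at least 1 GiB (assumed reserve) for everything else
    want=$(heap_mb "$1") || { echo "no -Xmx found in options" >&2; return 2; }
    limit=$(( $2 - 1024 ))
    if [ "$want" -gt "$limit" ]; then
        echo "WARNING: -Xmx${want}M exceeds usable RAM (${2}M total, ${limit}M usable)" >&2
        return 1
    fi
    return 0
}

mem_total_mb() {
    # physical RAM in MiB from /proc/meminfo (Linux); MemTotal is reported in kB
    awk '/^MemTotal:/ { printf "%d\n", $2 / 1024 }' /proc/meminfo
}

# Usage on this post's own setting, against this machine's RAM:
# check_heap_fits '-Djava.awt.headless=true -Xmx9000M -Xms800M -Xss192M' "$(mem_total_mb)"
```

Run against the post's minimum of 8 GB, the post's own -Xmx9000M fails the check, which is the point: on that machine either the heap or the RAM has to change.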



Start Jenkins

sudo /etc/init.d/jenkins restart

or, with systemd:

systemctl restart jenkins.service

Open the firewall port

firewall-cmd --zone=public --add-port=8080/tcp --permanent
firewall-cmd --reload



Jenkins URL

http://<Centos_7_IP_ADDR>:8080/

Get the initial password and set the admin user password
cat /var/lib/jenkins/secrets/initialAdminPassword

Click on Install All Suggested Plugins.



How to install the Fortify SSC plugin for Jenkins on CentOS 7?

Refer to HPE_Jenkins_Plugin_Guide_16.10.PDF for more information



How to install Git on CentOS 7?


sudo yum install git

Change user to jenkins
sudo su jenkins -s /bin/bash

Generate an SSH key for Git
ssh-keygen -t rsa
Display the public key
cat /var/lib/jenkins/.ssh/id_rsa.pub

Log in to the Git server from a browser
Go to Profiles -> Manage Accounts -> SSH Keys and add the key

Try to clone the Git project manually as the jenkins user. This adds the Git server's host key to known_hosts and also confirms that Git is configured correctly.
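Letting the first manual clone accept whatever host key the server presents means the jenkins account trusts that key forever without anyone having looked at it. The functions below are an added example, not from the original post or the Fortify/Jenkins documentation: host_is_known checks whether a plain-text known_hosts entry already exists, and seed_known_host fetches the server's keys with ssh-keyscan, prints their fingerprints for comparison with the values the Git server's administrators publish, and only then appends them to the jenkins user's known_hosts. git.example.com in the usage comment is a placeholder host name.

```shell
# Added example: record the Git server's host key deliberately instead of
# trusting whatever the first "git clone" happens to receive.

KNOWN_HOSTS="${KNOWN_HOSTS:-/var/lib/jenkins/.ssh/known_hosts}"   # jenkins user's file

host_is_known() {
    # $1 = host name, $2 = known_hosts file
    # 0 if a plain-text entry for the host exists (hashed entries are
    # checked with ssh-keygen -F in seed_known_host)
    [ -f "$2" ] || return 1
    esc=$(printf '%s' "$1" | sed 's/\./\\./g')          # literal dots in the regex
    grep -Eq "^${esc}"'([, ]|$)' "$2"
}

seed_known_host() {
    # $1 = Git server host name, $2 = known_hosts file to append to
    host="$1"; file="$2"
    if host_is_known "$host" "$file" || ssh-keygen -F "$host" -f "$file" >/dev/null 2>&1; then
        echo "$host is already in $file"
        return 0
    fi
    dir=$(dirname "$file")
    mkdir -p "$dir" && chmod 700 "$dir"
    tmp=$(mktemp)
    if ! ssh-keyscan -t rsa,ecdsa,ed25519 "$host" > "$tmp" 2>/dev/null || [ ! -s "$tmp" ]; then
        echo "could not fetch host keys from $host" >&2
        rm -f "$tmp"
        return 1
    fi
    echo "Fingerprints received from $host; compare them with the values the Git server publishes:"
    ssh-keygen -lf "$tmp"
    cat "$tmp" >> "$file" && chmod 600 "$file"
    rm -f "$tmp"
}

# Usage, run as the jenkins user (git.example.com is a placeholder):
# seed_known_host git.example.com "$KNOWN_HOSTS"
```

After seeding, the manual clone in the step above still serves as the configuration check, but it no longer has to answer a host-key prompt, and a later change of the server's key shows up as an SSH error in the Jenkins build log instead of being accepted silently.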


How to install Fortify SCA 16.10 on CentOS 7


Log in as root from the command prompt.
Go to the directory containing the Fortify installer

Make the Fortify installer executable
chmod +x HP_Fortify_SCA_and_Apps_16.10_linux_x64.run

Install Fortify
./HP_Fortify_SCA_and_Apps_16.10_linux_x64.run

Note: the default Fortify installation directory is /opt/HP_Fortify/HP_Fortify_SCA_and_Apps_16.10

During installation the installer asks for the Fortify license file path and the update server. The update server location is https://update.fortify.com



At the end of the installation it asks whether to run the software/rulepack update. Say Yes.


Check whether the Fortify bin directory is added to PATH in the profile file

vi ~/.bash_profile
export PATH="$PATH:/opt/HP_Fortify/HP_Fortify_SCA_and_Apps_16.10/bin"


Run the command below to check that Fortify is installed correctly

sourceanalyzer -version
HPE Security Fortify Static Code Analyzer 16.10.0095 (using JVM 1.8.0_72)



All software configuration is complete now

Let's create a Jenkins job to test it


cd /var/lib/jenkins/
mkdir scripts

Log in to the Jenkins server using the web URL

Click on Create new job and choose Freestyle project

Go to Build and click on Add build step, then choose Execute shell.

Copy the script below into the shell


Please note that you can use the Fortify Maven plugin instead of the following scripts, but the Fortify Maven plugin scans only Java code.



# Get the aliases and functions
if [ -f ~/.bashrc ]; then
        . ~/.bashrc
fi

# User specific environment and startup programs

PATH=$PATH:$HOME/bin

export PATH
export JAVA_HOME=/usr/java/jdk1.8.0_60
export PATH=$JAVA_HOME/bin/:$PATH
export M2_HOME=/softwares/apache-maven-3.3.9
export M2=$M2_HOME/bin/
export PATH=$M2:$PATH

export PATH="$PATH:/opt/HP_Fortify/HP_Fortify_SCA_and_Apps_16.10/bin"



# Clean the local Maven repository
rm -rf ~/.m2/repository/

# Check out the project
git clone <<git repo URL>>




# Build the project
cd /var/lib/jenkins/workspace/<<ProjectDIR>>
mvn clean
mvn install
mvn clean

# Copy all jars from the .m2 folder into the project's jars directory (used as the SCA classpath)
mkdir /var/lib/jenkins/workspace/<<ProjectDIR>>/jars
find ~/.m2 -name '*.jar' -exec cp {} /var/lib/jenkins/workspace/<<ProjectDIR>>/jars/ \;

# Remove unwanted jars



# Copy the Fortify build script into the project directory and run it


cd /var/lib/jenkins/workspace/<<ProjectDIR>>

cp /var/lib/jenkins/scripts/Fortify.sh /var/lib/jenkins/workspace/<<ProjectDIR>>

sh Fortify.sh
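The script above copies every jar under ~/.m2 onto the SCA classpath and leaves its "Remove unwanted jars" step empty. The function below is an added example, not part of the original post: collect_jars walks a Maven repository, skips artifacts whose file name matches an exclusion pattern (test frameworks, Maven tooling, sources and javadoc jars), refuses to overwrite a jar that already exists under the same name so a version clash is reported rather than resolved by copy order, and prints the number of jars collected. The exclusion list is an assumption for illustration and should be tuned per project; $WORKSPACE in the usage comment is the variable Jenkins sets for the job's workspace.

```shell
# Added example: build the SCA classpath directory from a Maven repository
# while dropping artifacts the application never loads at runtime.

# Extended regex applied to each jar's file name (assumed list; tune per project)
EXCLUDE_JARS='junit|mockito|hamcrest|surefire|maven-|plexus|-sources\.jar$|-javadoc\.jar$'

collect_jars() {
    # $1 = source tree (e.g. ~/.m2/repository), $2 = destination directory
    # copies matching jars into $2 and prints how many jars it now holds
    src="$1"; dest="$2"
    mkdir -p "$dest" || return 1
    find "$src" -type f -name '*.jar' | while IFS= read -r jar; do
        base=$(basename "$jar")
        if printf '%s' "$base" | grep -Eq "$EXCLUDE_JARS"; then
            continue                                  # tooling/test/source jar
        fi
        if [ -e "$dest/$base" ]; then
            # same file name from two coordinates: keep the first, report the clash
            echo "skipping duplicate name: $jar" >&2
            continue
        fi
        cp "$jar" "$dest/$base"
    done
    find "$dest" -type f -name '*.jar' | wc -l | tr -d ' '
}

# Usage inside the Jenkins "Execute shell" step, in place of the mkdir/find lines above:
# collect_jars ~/.m2/repository "$WORKSPACE/<<ProjectDIR>>/jars"
```

Keeping test and build-tool jars off the classpath matters for the scan itself: the ARGS block in Fortify.sh passes the jars directory with -cp, so every jar there shapes how the translator resolves types, and stray test doubles or duplicate versions produce dataflow through code the application never ships.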



Fortify.sh file will look something like this




#!/bin/sh
# Generated for the following languages:
#          Java
#          Java Bytecode
#          Python
#          SQL
#          XML
# ###########################################################################
# DEBUG - if set to true, runs SCA in debug mode
# SOURCEANALYZER - the name of the SCA executable
# FPR - the name of analysis result file
# BUILDID - the SCA build id
# ARGFILE - the name of the argument file that's extracted and passed to SCA
# BYTECODE_ARGFILE - the name of the argument file for Java Bytecode translation that's extracted and passed to SCA
# MEMORY - the memory settings for SCA
# LAUNCHERSWITCHES - the launcher settings that are used to invoke SCA
# OLDFILENUMBER - this defines the file which contains the number of files within the project, it is automatically generated
# FILENOMAXDIFF - this is the percentage of difference between the number of files which will trigger a warning by the script
# ###########################################################################

DEBUG=false
SOURCEANALYZER=sourceanalyzer
FPR="Fortify.fpr"
BUILDID="controller"
ARGFILE="Fortify.sh.args"
BYTECODE_ARGFILE="Fortifycontroller.sh.bytecode.args"
MEMORY="-Xmx7372M -Xms400M -Xss24M "

LAUNCHERSWITCHES=""
OLDFILENUMBER=Fortify.sh.fileno
FILENOMAXDIFF=10
ENABLE_BYTECODE=false

PROJECTROOT0="/var/lib/jenkins/workspace/<<ProjectDIR>>"
if [ ! -d "$PROJECTROOT0" ]; then
   echo  "ERROR: This script is being run on a different machine than it was"
   echo  "       generated on or the targeted project has been moved. This script is "
   echo  "       configured to locate files at"
   echo  "          $PROJECTROOT0"
   echo  "       Please modify the \$PROJECTROOT0 variable found"
   echo  "       at the top of this script to point to the corresponding directory"
   echo  "       located on this machine."
   exit 1
fi

if [ $DEBUG = true ]; then export LAUNCHERSWITCHES="-debug $LAUNCHERSWITCHES"; fi
echo Extracting Arguments File


grep "# ARGS" $0 | grep -v grep | cut -d" " -f3- | sed -e s#PROJECTROOT0_MARKER#"$PROJECTROOT0"#g   > $ARGFILE

grep "# BYTECODE_ARGS" $0 | grep -v grep | cut -d" " -f3- | sed -e s#PROJECTROOT0_MARKER#"$PROJECTROOT0"#g   > $BYTECODE_ARGFILE

if [ -s $BYTECODE_ARGFILE ]; then
ENABLE_BYTECODE=true
fi
# ###########################################################################
echo Cleaning previous scan artifacts
$SOURCEANALYZER $MEMORY $LAUNCHERSWITCHES -b $BUILDID -clean
if [ $? -ne 0 ] ; then
echo Sourceanalyzer failed, exiting
exit 1     # non-zero so Jenkins marks the build as failed instead of uploading a stale FPR
fi
# ###########################################################################
echo Translating files
$SOURCEANALYZER $MEMORY $LAUNCHERSWITCHES -b $BUILDID @$ARGFILE
if [ $? -ne 0 ] ; then
echo Sourceanalyzer failed, exiting
exit 1
fi
# ###########################################################################
if [ $ENABLE_BYTECODE = true ]; then
echo Translating Java bytecode files
$SOURCEANALYZER $MEMORY $LAUNCHERSWITCHES -b $BUILDID @$BYTECODE_ARGFILE
if [ $? -ne 0 ] ; then
echo Sourceanalyzer failed, exiting
exit 1
fi
fi
# ###########################################################################
echo Testing Difference between Translations
FILENUMBER=`$SOURCEANALYZER -b $BUILDID -show-files | wc -l`

if [ ! -f $OLDFILENUMBER ]; then
            echo It appears to be the first time running this script, setting $OLDFILENUMBER to $FILENUMBER
            echo $FILENUMBER > $OLDFILENUMBER
else
            OLDFILENO=`cat $OLDFILENUMBER`
            DIFF=`expr $OLDFILENO "*" $FILENOMAXDIFF`
            DIFF=`expr $DIFF /  100`

            MAX=`expr $OLDFILENO + $DIFF`
            MIN=`expr $OLDFILENO - $DIFF`

            if [ $FILENUMBER -lt $MIN ] ; then SHOWWARNING=true; fi
            if [ $FILENUMBER -gt $MAX ] ; then SHOWWARNING=true; fi

            if [ -n "$SHOWWARNING" ] && [ "$SHOWWARNING" = true ] ; then
                        echo "WARNING: The number of files has changed by over $FILENOMAXDIFF%, it is recommended"
                        echo "         that this script is regenerated with the ScanWizard"
            fi

            echo $MAX $MIN $DIFF
fi;

# ###########################################################################
echo Starting scan
$SOURCEANALYZER $MEMORY $LAUNCHERSWITCHES -b $BUILDID -scan -f $FPR
if [ $? -ne 0 ] ; then
echo Sourceanalyzer failed, exiting
exit 1
fi
# ###########################################################################
echo Finished

# ARGS "-source"
# ARGS "1.8"
# ARGS "-Dcom.fortify.sca.fileextensions.sql=PLSQL"
# ARGS "-cp"
# ARGS "PROJECTROOT0_MARKER/jars/*.jar"
# ARGS "-exclude" "PROJECTROOT0_MARKER/**/*.class"
# ARGS "PROJECTROOT0_MARKER"



Add a post-build action

  - HPE Fortify Security Assessment
  - Keep the FPR name blank. It will take the most recent one from the Jenkins workspace.
  - Choose the application name and application version


Note: also add a post-build action to clean the workspace.


Click on Build now. The FPR should be uploaded to the Fortify SSC server.






3 comments:

  1. Thank you for your advice. Which tools would you recommend for security testing in the Java programming language?

    hp fortify static code analyzer

  2. Aeldra, I recommend using multiple tools. A minimum of 2 tools is required. The security vulnerability database is really huge. Different providers have different suites of test cases. There would always be variation in the results. We need to upgrade tools frequently.

  3. Hey, I have read this article, but when I install the JDK with your article on my server I have some problems. Its source has a problem. I have successfully run Jenkins on my server. It's wonderful for you to change these defects.