Description
The plugin is deprecated; supporting it is not possible without support from HP.
You might want to take a look at the SonarQube plugin for ThreadFix, which is supposed to support Fortify.
This plugin imports Fortify SSC rules descriptions and SCA reports into SonarQube:
- Import vulnerability issues as SonarQube issues. Supported languages are ABAP, C#, C++, Cobol, Java, JavaScript, Python and VB.
- Parse custom XML rulepacks to have custom rule descriptions and related vulnerabilities imported into SQ
The plugin does not trigger Fortify scans
As stated in the description above, this plugin imports audit reports. As a consequence, Fortify scans must have been run before executing this plugin on SonarQube.
Sample Fortify vulnerability imported into SQ:
Installation
- Install the plugin through the Marketplace or download it into the SONARQUBE_HOME/extensions/plugins directory
- Restart the SonarQube server
Usage
Install all related language plugins
Fortify rules are only imported into SonarQube when the appropriate SonarQube language plugin is installed. Here is the conversion table between Fortify languages and SonarQube languages:
| Fortify | SonarQube |
|---|---|
| java | java |
| abap | abap |
| actionscript | flex |
| cfml | Unsupported |
| cpp | cpp |
| dotnet | cs |
| configuration | xml |
| content | web |
| jsp | web |
| python | py |
| objc | Unsupported |
| php | php |
| sql | Unsupported |
| vb | vb |
[Optional] Import your custom Fortify rules into SonarQube
The SonarQube server can load custom rule definitions from Fortify XML rulepacks.
The paths to the XML files (or to their parent directory) must be set in the property "sonar.fortify.rulepackPaths" of conf/sonar.properties. The value is a comma-separated list of absolute paths to XML files or to directories containing XML files. Because the rulepacks are read from this server property, the SonarQube server must be restarted each time a rulepack is updated in Fortify.
Example
sonar.fortify.rulepackPaths=/path/to/fortify/rulepacks,/path/to/rulepack.xml
Once the server has restarted, the Fortify rules are listed on the "Quality Profiles" page.
Configure and run analysis
The SCA command-line tool, named "sourceanalyzer", must be executed before the SonarQube analyzer. The generated report (FPR or FVDL file) is parsed to convert Fortify vulnerabilities into SonarQube issues. By nature, SonarQube issues relate to rules that are activated in Quality Profiles. For this reason, don't forget to activate the Fortify rules in the selected Quality Profiles. Note that the severity of each issue is taken from the Fortify report (instanceSeverity), so the severity configured in the quality profile is ignored.
The path to the Fortify report is set by the property "sonar.fortify.reportPath". The path is either absolute or relative to the module base directory. If the property is missing, the plugin is disabled.
Example
sonar-runner -Dsonar.fortify.reportPath=/path/to/project.fpr
Something like the following should appear in the log:
10:20:44 10:20:35.588 INFO - Sensor Fortify sensor...
10:20:44 10:20:35.589 INFO - Process Fortify report...
10:20:45 10:20:37.318 INFO - Process Fortify report done: 1729 ms
10:20:45 10:20:37.319 INFO - Sensor Fortify sensor done: 1731 ms
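To preview what the analysis step above would import before running it, the following added example (not the plugin's own code) reads an FPR or FVDL report, keeps only the findings whose rule is active in the quality profile, and carries the instanceSeverity through unchanged. It assumes an .fpr is a zip archive holding audit.fvdl, and that each Vulnerability element carries ClassInfo/ClassID, InstanceInfo/InstanceSeverity and a primary Trace with SourceLocation entries; the sample report and rule IDs are constructed.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the namespace; avoids hard-coding the FVDL URI

def _child(elem, *path):
    # Namespace-agnostic descent through the child elements named in `path`.
    for name in path:
        elem = next((c for c in elem if _local(c.tag) == name), None)
        if elem is None:
            return None
    return elem

def load_fvdl(report):
    # Assumed: an .fpr is a zip archive holding audit.fvdl; a bare .fvdl is the XML itself.
    if report[:2] == b"PK":
        with zipfile.ZipFile(io.BytesIO(report)) as archive:
            report = archive.read("audit.fvdl")
    return ET.fromstring(report)

def preview_issues(report, active_rules):
    """Return (issues, skipped rule ids): only rules active in the profile become issues."""
    issues, skipped = [], set()
    for vuln in load_fvdl(report).iter():
        if _local(vuln.tag) != "Vulnerability":
            continue
        rule_id = _child(vuln, "ClassInfo", "ClassID").text
        if rule_id not in active_rules:
            skipped.add(rule_id)  # rule not activated in the Quality Profile: no issue
            continue
        # Severity comes from the report's InstanceSeverity, never from the profile.
        severity = float(_child(vuln, "InstanceInfo", "InstanceSeverity").text)
        primary = _child(vuln, "AnalysisInfo", "Unified", "Trace", "Primary")
        # Assumed: the last SourceLocation of the primary trace is the reported sink.
        loc = [n for n in primary.iter() if _local(n.tag) == "SourceLocation"][-1]
        issues.append({"rule": rule_id, "severity": severity,
                       "path": loc.get("path"), "line": int(loc.get("line"))})
    return issues, sorted(skipped)

# Constructed sample audit.fvdl: two findings; only RULE-SQLI is active in the profile below.
SAMPLE_FVDL = b"""<FVDL xmlns="xmlns://www.fortifysoftware.com/schema/fvdl"><Vulnerabilities>
<Vulnerability><ClassInfo><ClassID>RULE-SQLI</ClassID></ClassInfo><InstanceInfo><InstanceSeverity>4.0</InstanceSeverity></InstanceInfo>
<AnalysisInfo><Unified><Trace><Primary><Entry><Node><SourceLocation path="src/Dao.java" line="12"/></Node></Entry>
<Entry><Node isDefault="true"><SourceLocation path="src/Dao.java" line="40"/></Node></Entry></Primary></Trace></Unified></AnalysisInfo></Vulnerability>
<Vulnerability><ClassInfo><ClassID>RULE-LOG</ClassID></ClassInfo><InstanceInfo><InstanceSeverity>2.5</InstanceSeverity></InstanceInfo>
<AnalysisInfo><Unified><Trace><Primary><Entry><Node><SourceLocation path="src/Web.java" line="7"/></Node></Entry></Primary></Trace></Unified></AnalysisInfo></Vulnerability>
</Vulnerabilities></FVDL>"""
```

Running `preview_issues(SAMPLE_FVDL, {"RULE-SQLI"})` yields one issue at src/Dao.java:40 with severity 4.0 and reports RULE-LOG as skipped, which is the symptom you see when a Fortify rule was not activated in the profile.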