Adding a Fortify Static Code Analyzer Assessment task

Use the Fortify Static Code Analyzer Assessment task to run Fortify Static Code Analyzer as a build step. After you run the build and the scan is complete, the scan results are available as a Fortify Project Results (FPR) file. You can publish the FPR and Fortify Static Code Analyzer log files as build artifacts. To review the scan results, download the FPR artifact and open it in either Fortify Audit Workbench or Fortify Software Security Center. You can also configure the task to upload the FPR to an existing Fortify Software Security Center server for enterprise vulnerability management.

To configure a Fortify Static Code Analyzer Assessment task:

  1. In an Azure DevOps project, navigate to your existing build pipeline.

  2. Click Edit.
  3. Add the Fortify Static Code Analyzer Assessment task.

  4. Provide the general information described in the following table.

    Display name
      Type a name for the task.

    Fortify SCA license file
      (Optional) Provide the path to a Fortify license file. If specified, it overwrites the fortify.license file on the build agent where Fortify Static Code Analyzer is currently installed. This path must point to a Fortify license file in a location other than the existing Fortify Static Code Analyzer installation.

      The user running the agent must have permission to write to the Fortify Static Code Analyzer installation directory.

    Build ID for Fortify SCA
      Type a unique identifier for the scan.

    Update Fortify Security Content
      (Optional) Select whether to update your installed Fortify Security Content by downloading the latest Fortify Secure Coding Rulepacks and metadata from the Fortify Rulepack update server.

    Run SCA clean
      (Optional) Select whether to remove any temporary files from a previous scan for the specified build ID.

    Enable verbose logging
      (Optional) Select whether to send verbose status messages to the console and to the log file.

    Enable debug logging
      (Optional) Select whether to include debug information in the log file, which is useful for Customer Support when troubleshooting issues.
  5. To run translation, configure the following settings under Translation Options:

    1. Select the Run Fortify SCA translation check box.
    2. From the Application type list, select the type of project you want to analyze.

      The configuration settings dynamically change based on your selection.

    3. Specify the information required to translate the application.

      .NET
        In the Projects for Fortify SCA analysis box, type the relative path to the solution or project file name.

      Java
        Specify the classpath, source version, sourcepath, source files (this can be a build file), build tool options, and any other additional files to include in the scan.

      Other
        Specify any build tool options, source files, and any other additional files to include in the scan.
    4. (Optional) In the Additional Fortify SCA translation options box, specify any additional Fortify Static Code Analyzer translation options. For example, the following option excludes test files from the translation:

      -exclude **tests/**

      See OpenText™ Fortify Static Code Analyzer User Guide in Fortify Static Code Analyzer and Tools Documentation for more information about translation options.

  6. To run a scan, configure the following settings under Scan Options:

    1. Select the Run Fortify SCA scan check box.
    2. From the Scan type list, select whether you want to perform a local scan or a remote scan using Fortify ScanCentral SAST.

    3. (Optional) In the Additional Fortify SCA scan options box, specify any additional scan options.

    4. (Optional) In the Custom Rulepacks box, specify custom rules.

      Specify custom rules files (*.xml or *.bin) separated by spaces or specify a directory that contains custom rules.

    5. If you selected a scan type of ScanCentral in step 2, then in the Fortify SSC service connection box, specify an Azure DevOps service connection to Fortify Software Security Center. For more information, see Requirements for Fortify Static Code Analyzer Tasks.

    6. To upload the scan results to Fortify Software Security Center, do the following:

      1. Select the Upload results to SSC check box.
      2. If you have not already done so, in the Fortify SSC service connection box, specify an Azure DevOps service connection to Fortify Software Security Center. For more information, see Requirements for Fortify Static Code Analyzer Tasks.

      3. Specify an application version that exists in Fortify Software Security Center by providing one of the following:

        • An application name and an application version name.

        • A Fortify Software Security Center application version ID.

        If you provide both application name and version and an application ID, the extension uses the application ID for the upload regardless of the selected application version type.

      4. (Optional) To connect to Fortify Software Security Center with a proxy server, specify the proxy information.

        Use the following syntax for the Proxy URL: <protocol>://<address>:<port>

      5. (Optional) To trigger a build failure based on the scan results, type a search query in the Build failure criteria box.

        For example, the following search query causes the build to fail if any critical issues exist in the scan results:

        [fortify priority order]:critical

        See OpenText™ Fortify Software Security Center User Guide in Fortify Software Security Center Documentation for a description of the search query syntax.

        By default, the task returns a warning when the build failure criteria are met. To fail the build instead, select FAIL from the Task results when build failure criteria is met list.

      6. (Optional) To specify how long to poll Fortify Software Security Center to determine if FPR processing is finished, type the time in minutes in the Polling timeout box.

        If no value or a value of 0 is specified, polling continues until FPR processing finishes or stops due to errors. The valid values are 0–10080.

      7. (Optional) To specify how frequently to poll Fortify Software Security Center to determine if the FPR processing is finished, in the Polling interval box, specify an interval (in minutes).

        The valid values are 1–60 and the default value is 1 minute.

      8. If the FPR processing requires approval, then this step will not complete until approval is granted through Fortify Software Security Center.

      As an alternative to uploading scan results to Fortify Software Security Center, you can add a standard Azure DevOps Publish Pipeline Artifact build step to collect the scan results and log files.

      To ensure that you obtain scan log files when you publish artifacts, make sure that you select the Continue on error check box in the task configuration. Otherwise, if the assessment fails, the artifact collection task does not start.
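The following Azure Pipelines YAML fragment is an added example, not taken from the Fortify documentation or the extension itself. It shows the pattern the procedure above describes: the assessment task with Continue on error enabled (continueOnError: true), a build failure criterion, and a standard PublishPipelineArtifact step that still collects the FPR and log files if the scan step fails. The Fortify task identifier, its input names and the output folder are placeholders; take the real names from the task as shown in your pipeline editor.

```yaml
# Added example (not from the Fortify documentation). Task id and input
# names marked PLACEHOLDER must be replaced with those of the installed
# Fortify Azure DevOps extension.
steps:
  # Fortify Static Code Analyzer Assessment task.
  - task: FortifySCA-PLACEHOLDER@1       # PLACEHOLDER task identifier
    displayName: 'Fortify SCA assessment'
    # Equivalent of the "Continue on error" check box: a failed assessment
    # does not stop the pipeline, so the artifact step below still runs and
    # the scan logs are preserved for troubleshooting.
    continueOnError: true
    inputs:
      # PLACEHOLDER input names; values mirror the fields described above.
      buildId: 'myapp-$(Build.BuildId)'             # unique build ID for the scan
      translationOptions: '-exclude **tests/**'     # exclude test files from translation
      scanType: 'local'                             # local scan (vs. ScanCentral SAST)
      uploadToSsc: true                             # upload the FPR to SSC
      buildFailureCriteria: '[fortify priority order]:critical'
      pollingTimeout: 60                            # minutes; 0 = poll until done
      pollingInterval: 1                            # minutes; default is 1

  # Standard Azure DevOps task that publishes the FPR and log files as a
  # build artifact. PublishPipelineArtifact@1 is a real built-in task;
  # the targetPath folder is a PLACEHOLDER for where the task writes output.
  - task: PublishPipelineArtifact@1
    displayName: 'Publish Fortify FPR and logs'
    inputs:
      targetPath: '$(Build.ArtifactStagingDirectory)/fortify'   # PLACEHOLDER output folder
      artifact: 'fortify-scan-results'
```

Download the published artifact and open the FPR in Fortify Audit Workbench, or review the uploaded results in Fortify Software Security Center.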