Preparing Fortify Software Security Center to Work with the Fortify Jenkins Plugin

To perform the following tasks, you need an authentication token created in Fortify Software Security Center. You will use this authentication token to configure the Fortify Jenkins Plugin to communicate with Fortify Software Security Center or Fortify ScanCentral. The following table describes the tasks and the token type needed to perform each task.

Task                                                              Token Type
----------------------------------------------------------------  --------------------
Upload local Fortify Static Code Analyzer scan results to         CIToken
Fortify Software Security Center

Perform a remote Fortify Static Code Analyzer analysis using      ScanCentralCtrlToken
Fortify ScanCentral (this includes the ability to upload the
remote scan results to Fortify Software Security Center)

Note: Do not use the CloudCtrlToken type in Fortify Software Security Center version 20.1.0 and later as it will be removed in a future release.

You can generate the authentication token either from the Administration view in Fortify Software Security Center or from the command line with the fortifyclient utility.

Note: If you generate the token from Fortify Software Security Center, use the decoded token to configure the Fortify Jenkins Plugin.

The following instructions describe how to create the authentication token with the fortifyclient utility. For information about how to create an authentication token from Fortify Software Security Center, see the Micro Focus Fortify Software Security Center User Guide.

To create an authentication token using the fortifyclient utility:

  1. From the <ssc_install_dir>/Tools/fortifyclient/bin directory, run the following:

    fortifyclient token -gettoken <token_type> -url <ssc_url> -user <user_name> [-daysToLive <number_of_days>]

    Note: Find the Tools folder in the directory where the Fortify Software Security Center WAR file was extracted.

    where:

    • <token_type> is either CIToken or ScanCentralCtrlToken, depending on the task (see the table above).

    • <ssc_url> includes both the port number and the context path /ssc. For example, http://my.domain.com:8080/ssc.
    • <user_name> is the Fortify Software Security Center user name of an account that has the required privileges to read or write information from or to Fortify Software Security Center.
    • <number_of_days> is the number of days before the token expires. The default is 365.

    You are prompted for a password.

  2. Type the password for <user_name>.

    The fortifyclient utility displays a token of the general form:
    cb79c492-0a78-44e3-b26c-65c14df52e86.

  3. Copy the returned token to use when you configure the Fortify Jenkins Plugin (see Configuring Global Settings for the Fortify Jenkins Plugin).
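As an added example (not part of the Fortify documentation), the following Python helper performs the checks a CI engineer would want before wiring the token into the Jenkins plugin: it assembles the fortifyclient command from step 1, rejects the deprecated CloudCtrlToken type and an SSC URL that lacks the port or the /ssc context path, extracts the UUID-form token from the utility's output, normalises an encoded token to its decoded form, and computes the expiry date implied by -daysToLive. The sample output line is constructed, and the assumption that SSC's "encoded token" is the base64 form of the decoded UUID is marked in the code.

```python
import base64
import re
import uuid
from datetime import date, timedelta
from urllib.parse import urlparse

# Token types from the task table on this page; CloudCtrlToken is rejected per the note.
VALID_TOKEN_TYPES = {"CIToken", "ScanCentralCtrlToken"}
DEPRECATED_TOKEN_TYPES = {"CloudCtrlToken"}
UUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

def check_ssc_url(url):
    """True only if the URL carries an explicit port and the /ssc context path."""
    p = urlparse(url)
    return p.scheme in ("http", "https") and p.port is not None and p.path.rstrip("/") == "/ssc"

def build_command(token_type, ssc_url, user_name, days_to_live=None):
    """Assemble the fortifyclient token command from step 1, refusing bad input."""
    if token_type in DEPRECATED_TOKEN_TYPES:
        raise ValueError(f"{token_type} is deprecated in SSC 20.1.0 and later")
    if token_type not in VALID_TOKEN_TYPES:
        raise ValueError(f"unknown token type {token_type!r}")
    if not check_ssc_url(ssc_url):
        raise ValueError("SSC URL must include the port and the /ssc context path")
    cmd = ["fortifyclient", "token", "-gettoken", token_type, "-url", ssc_url, "-user", user_name]
    if days_to_live is not None:
        cmd += ["-daysToLive", str(days_to_live)]
    return cmd

def extract_token(fortifyclient_output):
    """Pull the UUID-form token out of the utility's output (None if absent)."""
    m = UUID_RE.search(fortifyclient_output)
    return m.group(0).lower() if m else None

def decoded_token(value):
    """Normalise to the decoded token the plugin expects. Assumption: SSC's 'encoded
    token' is the base64 form of the decoded UUID; anything else is rejected."""
    value = value.strip()
    try:
        return str(uuid.UUID(value))
    except ValueError:
        pass
    try:
        return str(uuid.UUID(base64.b64decode(value, validate=True).decode("ascii")))
    except (ValueError, UnicodeDecodeError):
        raise ValueError("token is neither a UUID nor a base64-encoded UUID") from None

def expiry_iso(issued_iso, days_to_live=365):
    """ISO date on which a token issued on issued_iso expires (default 365 days)."""
    return (date.fromisoformat(issued_iso) + timedelta(days=days_to_live)).isoformat()

# Constructed sample: the token from this page, as fortifyclient might print it.
SAMPLE_OUTPUT = "Authentication token: cb79c492-0a78-44e3-b26c-65c14df52e86\n"
SAMPLE_TOKEN = "cb79c492-0a78-44e3-b26c-65c14df52e86"
SAMPLE_ENCODED = base64.b64encode(SAMPLE_TOKEN.encode("ascii")).decode("ascii")
```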