Software Requirements

The Fortify Jenkins Plugin works with the software packages listed in the following table. Your specific requirements depend on the build tools you are using. This table also provides information to help you prepare to add Fortify Static Code Analyzer analysis to your jobs.

Software Version Notes
Micro Focus Fortify Static Code Analyzer 18.20 or later

To scan your project locally with Fortify Static Code Analyzer, you must either have the path to the Fortify Static Code Analyzer installation directory so you can specify it in the configuration or make sure that the PATH environment variable includes the sourceanalyzer executable (see Configuring Global Settings for the Fortify Jenkins Plugin).

Note: Performing remote analysis requires Fortify Static Code Analyzer version 19.2.0 or later.

Micro Focus Fortify Software Security Center (Optional) 18.20 or later

To upload scan results to Fortify Software Security Center, to trigger a build failure based on scan results, and to see results in Jenkins, make sure that you have:

To perform a remote analysis, make sure that you have:

Micro Focus Fortify ScanCentral (Optional) 19.2.0 or later

To perform a Fortify Static Code Analyzer analysis on a remote system using Fortify ScanCentral, make sure that you have properly configured Fortify ScanCentral and you have the ScanCentral Controller URL.

Note: If you plan to upload remote scan results to Fortify Software Security Center, then you do not need to provide a ScanCentral Controller URL. The Fortify Jenkins Plugin automatically determines the ScanCentral Controller that is associated with Fortify Software Security Center.

Fortify ScanCentral supports offloading project translation for .NET applications in C# and VB.NET (.NET Core, .NET Standard, C#, ASP.NET), ABAP, Apex, Classic ASP, ColdFusion, Java (including Gradle and Maven projects), JavaScript, PHP, PL/SQL, Python, Ruby, T-SQL, TypeScript, and Visual Basic.

Note: Translation of .NET requires the following:

  • Fortify ScanCentral version 19.2.0 requires .NET Framework 4.6.1 or later.
  • Fortify ScanCentral version 20.1.0 or later requires .NET Framework version 4.7.2 or later.

Maven 3.x

To integrate the scan with Maven, you must install the Fortify Maven Plugin, which is available when you install Fortify SCA and Apps. Fortify recommends that you use the same Fortify Maven Plugin version as the Fortify Static Code Analyzer version and that you install the source version of the Fortify Maven Plugin rather than the binary version.

You must install the Fortify Maven Plugin for the same user who is running Jenkins.

If you use a proxy, then you need to configure proxy settings for the Fortify Maven Plugin. For information, see the Settings Reference at https://maven.apache.org.

For more information about build integration with the Fortify Maven Plugin, see the Micro Focus Fortify Static Code Analyzer User Guide.

MSBuild 4.x, 12.0, 14.0, 15.x, 16.4

Fortify Static Code Analyzer versions 20.1.0 and later support MSBuild 16.4.

Visual Studio (devenv) 2015, 2017, 2019

Fortify Static Code Analyzer versions 20.1.0 and later support Visual Studio 2019.