Home
Harshad Sathe edited this page Jun 5, 2017
This simple parser allows Fortify SSC 17.X to parse Black Duck Hub security vulnerability files, so that Fortify SSC issues can be generated automatically from them. The implementation leverages some of Fortify's internal plugin architecture. Certain manual steps are required as a one-time setup, and additional manual steps are required for each upload.
- Download the jar from the Github Releases: https://github.com/blackducksoftware/hub-fortify-parser/releases
- Copy the blackduck-plugin-x.jar file to `$USER_HOME\.fortify\plugin-framework\plugins`.
- The plugin is invoked automatically, when the BlackDuck HUB-Fortify SSC integration service uploads the security vulnerabilities using the Fortify Upload API.
- After blackduck-plugin-1.0.1, additional columns were added to the security vulnerability report, both to fix the duplicate ID issue and to allow detailed security information to be displayed in the Fortify UI. This limits the parser to processing the file format from before blackduck-plugin-2.0.0.
This is a Gradle project. Its dependencies need the Fortify jars, which can be found in the /WEB-INF/lib directory within the Fortify tomcatforSSC folder.
- Open the build.gradle file and find the version of the Fortify jars. They will be the 'fortify-public' and 'model' jars, and can be found in your Fortify installation in the ..\WEB-INF\lib folder.
- Install the Fortify jars into your local repository.
- Run `gradle clean assemble`
- This will create a /build/ folder containing blackduck-plugin-x.jar. It will also create a target/libs folder that separates the provided and compile jars. The compile folder will contain a univocity-parsers-x.jar that needs to be placed on the Fortify class path.
- Fortify does not allow the uploading of CSV files. Workaround:
  - Create scan.info and add `engineType=BLACKDUCK`
  - Add the security.csv file (with the additional columns added)
  - Zip the above files
  - Upload the Zip
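One way to script the workaround above, as an added example that is not part of hub-fortify-parser: it writes scan.info with the `engineType` key the page names, bundles it with security.csv, and re-checks the archive before upload. The CSV rows and column names are constructed sample data, not the real Black Duck report layout.

```python
"""Build and validate the zip that Fortify SSC accepts for a Black Duck CSV.

Added example, not from the hub-fortify-parser project. Assumptions:
the CSV content below is constructed, and the archive only needs
scan.info (engineType=BLACKDUCK) plus security.csv, as the wiki states.
"""
import tempfile
import zipfile
from pathlib import Path
from typing import List, Tuple

ENGINE_TYPE = "BLACKDUCK"
REQUIRED_ENTRIES = {"scan.info", "security.csv"}

# Constructed sample rows; real column names come from the Black Duck report.
SAMPLE_CSV = (
    "Project name,Project version,Component name,Vulnerability id,Severity\n"
    "demo-app,1.0,example-lib,EXAMPLE-VULN-0001,HIGH\n"
)


def build_upload_zip(csv_text: str, out_path: Path) -> List[str]:
    """Write scan.info and security.csv into a zip; return the entry names."""
    with zipfile.ZipFile(out_path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("scan.info", f"engineType={ENGINE_TYPE}\n")
        zf.writestr("security.csv", csv_text)
    with zipfile.ZipFile(out_path) as zf:
        return zf.namelist()


def validate_upload_zip(path: Path) -> bool:
    """Check that both files are present and scan.info names the engine type."""
    with zipfile.ZipFile(path) as zf:
        if not REQUIRED_ENTRIES <= set(zf.namelist()):
            return False
        info = zf.read("scan.info").decode("utf-8")
        props = dict(line.split("=", 1) for line in info.splitlines() if "=" in line)
        return props.get("engineType") == ENGINE_TYPE


def demo() -> Tuple[List[str], bool]:
    """Build the archive in a temp dir and report its entries and validity."""
    with tempfile.TemporaryDirectory() as tmp:
        out = Path(tmp) / "blackduck-upload.zip"
        names = build_upload_zip(SAMPLE_CSV, out)
        return names, validate_upload_zip(out)


if __name__ == "__main__":
    print(demo())
```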