Skip to main content

Nexus Fortify SSC

Note

Get the Sonatype Lifecycle integration with SSC on the Fortify Marketplace.

Table of Contents

  • Service Compatibility

  • Architecture Overview

  • IQ - Fortify Parser Plugin Installation

  • IQ - Fortify Integration Service Installation

  • Frequently Asked Questions

Service Compatibility

Prerequisites

  • IQ Server 126 or later

    • Administrator role in IQ to enable all functionality of the integration service

  • Fortify SSC 20.2.2 or later

    • Administrator role in SSC to enable universal access to see and create new applications

Older versions may work but are not guaranteed.

Architecture Overview

126657005.png

The integration has two main parts. Both of them are included in the installation bundle

  • IQ - Fortify parser plugin

  • IQ - Fortify integration service

IQ - Fortify Parser Plugin Installation

  1. Go to your SSC installation and click on ADMINISTRATION

  2. Then go to Plugins > Parsers

  3. Click on NEW

    126657012.png
  4. You will find the following warning. Click on OK

    126657011.png
  5. In the next screen select BROWSE and select the plugin JAR file

    126657010.png
  6. By default, SSC disables any newly loaded plugin. Click on the Sonatype plugin and enable it.

    126657009.png
  7. Finally, click on OK to close the warning.

    126657008.png

Congratulations! The Sonatype parser plugin is installed and enabled

126657007.png

IQ - Fortify Integration Service Installation

Both servers must be up and running in order to successfully export data from Lifecycle to Fortify SSC. Other versions of the servers may work, but they are not officially supported.

Service configuration

The integration services have multiple configurations used to access Lifecycle and Fortify SSC servers and fine-tune their behavior.

For this purpose, we have a file named iqapplication.properties. Those configurations are described in detail in this section. Also, you can find useful comments in the configuration file itself.

Parameter

Mandatory

Default

Description and notes

Example

iqserver.url

yes

N/A

Base URL where your IQ Server instance is running

http://127.0.0.1:8070

iqserver.username

yes

N/A

IQ Server username

admin

iqserver.password

yes

N/A

IQ Server password

admin123

sscserver.url

yes

N/A

Base URL where your Fortify SSC instance is running

http://127.0.0.1:8080/ssc

sscserver.token

yes

N/A

CIToken generated by SSC for an Administrator User

ODA0NWYzMTUtMzNmOS00ZDY

2LTlkODYtY2RlMDA5YWU1ODQ5

server.port

yes

N/A

Port where the integration service will be listening for requests

8182

loadfile.location

no

.work

The directory will be generated in the working directory

/home/sonatype/work

priority.critical

no

8

Minimum threat level for being considered critical

8

priority.high

no

4

Minimum threat level for being considered high

4

priority.medium

no

2

Minimum threat level for being considered medium

2

mapping.file

no

mapping.json

Mapping file to be used as input for the batch process

/home/sonatype/external_mapping.json

overwrite

no

false

Unsuppress issues in SSC that does not have a waiver associated

true|false

iq.report.type

no

policy

Possible values: raw, vulnerabilities, policy

raw|vulnerabilities|policy

scheduling.job.cron

no

0 0/360 6 * * ?

By default, this job will run at 6 AM and then every 6 hours

Deprecated in version 4.3.0

Starting in version 4.3.0, scheduling job will continuesly run. The time to wait between every cycle can be configured by the property scheduling.fixed.rate.minutes

# Run every three hours

scheduling.job.cron=0 0 0/3 1/1 * ?

scheduling.waiver.suppression.delay

no

30

Time in seconds to run the issue suppression/unsuppresion job.

Since 4.3.0

Starting in version 4.3.0, waivers will be retried in increments, up to 5 minutes. The value set for this property will not guarantee supression being tried every 30 seconds. Every individual synchronization will now wait in incrementals of 30 seconds, 1 minute, 2 minutes, 4 minutes and then afterwards 5 minutes until retry count is exhausted. This configuration still is relevant for how often the tasks are checked to see if they should be retried.

# Run every hour

3600

scheduling.waiver.suppression.retries

no

72

Maximum retries before the job discard unprocessed artifacts

72

synchronisation.mapping.thread.count

no

4

Number of mappings being processed in parallel

4

synchronisation.details.thread.count

no

32

Number of threads to be used for fetching vulnerability details and remediations for components.

32

loadfile.cache

no

true

Whether or not to keep the cached files in the work folder

false

synchronize.projects.continuously

no

true

Since 4.3.0

Whether or not to run the synchronization in the background continuously. If set to false, other means of synchonization can be used, such as triggering the full cycle manually, executing on demand synchronizations or using webhooks from the IQ Server.

true

scheduling.fixed.rate.minutes

no

1

Since 4.3.0

Duration between full synchronizations if syncProjectsContinuously is true. If a full synchronization takes longer than the value entered here, it will immediatly run again.

1

Running the integration service

  • Using a command line, go to the Integration directory. E.g. /home/sonatype/IntegrationService

  • Start the integration using this command: ./start.sh

  • The visual guide shows a quick example of unpacking and running the service.

Synchronization scheduler

Before 4.3.0

This service has a built-in scheduler that understands cron-like expressions. By default, it runs every six hours, but that can be configured using the scheduling.job.cronproperty.

Since 4.3.0

This service by default syncronizes all entries found in the mapping file with a duration of 1 minute between each run. This behaviour can be changed by setting the synchronize.projects.continuouslyproperty to false or the duration between the cycles can be modified by using the scheduling.fixed.rate.minutes property. Modfying the synchronize.projects.continuously property has no affect on on demand synchronization requests.

It is required to configure a mappings file (defined in the mapping.file property) to provide the parameters for the projects you want to synchronize in a scheduled fashion.

The mappings file has the following structure

                     [
  {
    "sonatypeProject": "sample-application-publicId",
    "sonatypeProjectStage": "build",
    "fortifyApplication": "sample-application",
    "fortifyApplicationVersion": "1.0",
    "overwrite": true
  }
]

                  

This is a small table explaining each parameter

Parameter

Mandatory

Description

sonatypeProject

yes

Public Id of the project that already exists in IQ Server

sonatypeProjectStage

yes

Project stage in IQ Server

fortifyApplication

yes

Target application name in Fortify SSC

fortifyApplicationVersion

yes

Target application version in Fortify SSC

overwrite

no

Unsuppressed issues in SSC that do not have a waiver associated. If this value is not present we take the value from the properties file

Synchronization endpoint

It may happen that you want to synchronize an IQ project that is not already present in your mappings file, or you simply want to trigger a synchronization on demand. For those cases the integration exposes an endpoint to manually trigger these synchronizations. This is the endpoint definition:

Endpoint GET /startScanLoad

Parameter

Mandatory

Description

sonatypeProject

yes

Public Id of the project that already exists in IQ Server

sonatypeProjectStage

yes

Project stage in IQ Server

fortifyApplication

yes

Target application name in Fortify SSC

fortifyApplicationVersion

yes

Target application version in Fortify SSC

overwrite

no

Unsuppressed issues in SSC that do not have a waiver associated. If this value is not present we take the value from the properties file

saveMapping

no

Take the current request and save it as a mapping. The mapping will be saved only if the synchronization is executed successfully

Note

If one of the mandatory parameters is missing in the request, the integration will perform synchronization using all the values found in the mappings file (like in the scheduled job).

In this specific case, even if the saveMapping is true, the request won't be saved since we do not have a full mapping to save.

One-time Project Synchronization endpoint

To synchronize a desired project adhoc, use this endpoint. It will synchronize the provided project in all stages immediatly. The mapping information for the provided project must exist in the mappings file.

Endpoint GET /startScanLoadSingleProject?sonatypeProject={sonatypeProjectPublicId}

Parameter

Mandatory

Description

sonatypeProject

yes

Public Id of the project that already exists in IQ Server

Frequently Asked Questions

What is a waiver comment?

Sometimes in SSC you may encounter a comment like the one shown in the next image.

126657006.png

This scenario happens when you had a waived issue in your IQ server, and then the waiver was removed. To get rid of this comment you can go to your IQ instance, reevaluate the report and run another synchronization.

Why do the violations reported in the IQ Server report differ from the ones reported by SSC?

The SSC integration only reports "Security" related violations. Other violations such as those related to "License", "Architecture" and "Other" are not included in the SSC report.