Nexus Fortify SSC

Get the Sonatype Nexus Lifecycle integration with SSC on the Fortify Marketplace.

Table of Contents

Service Compatibility

Prerequisites

  • Nexus IQ server 126 or later
    • Administrator role in IQ to enable all functionality of the integration service
  • Fortify SSC 20.2.2 or later
    • Administrator role in SSC to enable universal access to see and create new applications

Older versions may work but are not guaranteed.


Architecture Overview

The integration has two main parts. Both of them are included in the installation bundle

  • IQ - Fortify parser plugin
  • IQ - Fortify integration service


IQ - Fortify Parser Plugin Installation

  1. Go to your SSC installation and click on ADMINISTRATION
  2. Then go to Plugins > Parsers
  3. Click on NEW
     
  4. You will find the following warning. Click on OK

  5. In the next screen select BROWSE and select the plugin JAR file
  6. By default, SSC disables any newly loaded plugin. Click on the Sonatype plugin and enable it.
  7. Finally, click on OK to close the warning.

Congratulations! The Sonatype parser plugin is installed and enabled


IQ - Fortify Integration Service Installation


Both servers must be up and running in order to successfully export data from the Nexus IQ server to Fortify SSC. Other versions of the servers may work, but they are not officially supported.

Service configuration

The integration services have multiple configurations used to access the Nexus IQ and Fortify SSC servers and fine-tune their behavior.

For this purpose, we have a file named iqapplication.properties. Those configurations are described in detail in this section. Also, you can find useful comments in the configuration file itself.


ParameterMandatoryDefaultDescription and notesExample
iqserver.urlyesN/ABase URL where your Nexus IQ instance is runninghttp://127.0.0.1:8070
iqserver.usernameyesN/ANexus IQ usernameadmin
iqserver.passwordyesN/ANexus IQ passwordadmin123
sscserver.urlyesN/ABase URL where your Fortify SSC instance is running

http://127.0.0.1:8080/ssc

sscserver.tokenyesN/A

CIToken generated by SSC for an Administrator User

ODA0NWYzMTUtMzNmOS00ZDY

2LTlkODYtY2RlMDA5YWU1ODQ5

server.portyesN/APort where the integration service will be listening for requests8182
loadfile.locationno.work

The directory will be generated in the working directory

/home/sonatype/work
priority.criticalno8Minimum threat level for being considered critical8
priority.highno4Minimum threat level for being considered high4
priority.mediumno2Minimum threat level for being considered medium2
mapping.filenomapping.jsonMapping file to be used as input for the batch process/home/sonatype/external_mapping.json
overwritenofalseUnsuppress issues in SSC that does not have a waiver associatedtrue|false
iq.report.typenopolicy

Possible values: raw, vulnerabilities, policy

raw|vulnerabilities|policy
scheduling.job.cronno0 0/360 6 * * ?By default, this job will run at 6 AM and then every 6 hours# Run every three hours
scheduling.job.cron= 0 0 0/3 1/1 * ?
scheduling.waiver.suppression.delayno30Time in seconds to run the issue suppression/unsuppresion job

# Run every hour

3600

scheduling.waiver.suppression.retriesno10Maximum retries before the job discard unprocessed artifacts24

Running the integration service

  • Using a command line, go to the Integration directory. E.g. /home/sonatype/IntegrationService
  • Start the integration using this command: ./start.sh
  • The visual guide shows a quick example of unpacking and running the service.

Synchronization scheduler

This service has a built-in scheduler that understands cron-like expressions. By default, it runs every six hours, but that can be configured using the scheduling.job.cron property. It is required to configure a mappings file (defined in the mapping.file property) to provide the parameters for the projects you want to synchronize in a scheduled fashion.

The mappings file has the following structure

[
  {
    "sonatypeProject": "sample-application",
    "sonatypeProjectStage": "build",
    "fortifyApplication": "sample-application",
    "fortifyApplicationVersion": "1.0",
    "overwrite": true
  }
]


This is a small table explaining each parameter

ParameterMandatoryDescription
sonatypeProjectyesName of the project that already exists in Nexus IQ
sonatypeProjectStageyesProject stage in Nexus IQ
fortifyApplicationyesTarget application name in Fortify SSC
fortifyApplicationVersionyesTarget application version in Fortify SSC
overwritenoUnsuppressed issues in SSC that do not have a waiver associated. If this value is not present we take the value from the properties file


Synchronization endpoint

It may happen that you want to synchronize an IQ project that is not already present in your mappings file, or you simply want to trigger a synchronization on demand. For those cases the integration exposes an endpoint to manually trigger these synchronizations. This is the endpoint definition:

Endpoint GET /startScanLoad

ParameterMandatoryDescription
sonatypeProjectyesName of the project that already exists in Nexus IQ
sonatypeProjectStageyesProject stage in Nexus IQ
fortifyApplicationyesTarget application name in Fortify SSC
fortifyApplicationVersionyesTarget application version in Fortify SSC
overwritenoUnsuppressed issues in SSC that do not have a waiver associated. If this value is not present we take the value from the properties file


saveMappingnoTake the current request and save it as a mapping. The mapping will be saved only if the synchronization is executed successfully

If one of the mandatory parameters is missing in the request, the integration will perform synchronization using all the values found in the mappings file (like in the scheduled job).

In this specific case, even if the saveMapping is true, the request won't be saved since we do not have a full mapping to save.

Frequently Asked Questions

What is a waiver comment?

Sometimes in SSC you may encounter a comment like the one shown in the next image.

This scenario happens when you had a waived issue in your IQ server, and then the waiver was removed. To get rid of this comment you can go to your IQ instance, reevaluate the report and run another synchronization.


Why do the violations reported in the IQ Server report differ from the ones reported by SSC?

The SSC integration only reports "Security" related violations. Other violations such as those related to "License", "Architecture" and "Other" are not included in the SSC report.