Nexus Fortify SSC
Get the Sonatype Nexus Lifecycle integration with SSC on the Fortify Marketplace.
Table of Contents
- Service Compatibility
- Architecture Overview
- IQ - Fortify Parser Plugin Installation
- IQ - Fortify Integration Service Installation
- Frequently Asked Questions
Service Compatibility
Prerequisites
- Nexus IQ server 126 or later
- Administrator role in IQ to enable all functionality of the integration service
- Fortify SSC 20.2.2 or later
- Administrator role in SSC to enable universal access to see and create new applications
Older versions may work but are not guaranteed.
Architecture Overview
The integration has two main parts, both of which are included in the installation bundle:
- IQ - Fortify parser plugin
- IQ - Fortify integration service
IQ - Fortify Parser Plugin Installation
- Go to your SSC installation and click on ADMINISTRATION
- Then go to Plugins > Parsers
- Click on NEW
- You will find the following warning. Click on OK
- In the next screen select BROWSE and select the plugin JAR file
- By default, SSC disables any newly loaded plugin. Click on the Sonatype plugin and enable it.
- Finally, click on OK to close the warning.
Congratulations! The Sonatype parser plugin is installed and enabled.
IQ - Fortify Integration Service Installation
Both servers must be up and running in order to successfully export data from the Nexus IQ server to Fortify SSC. Other versions of the servers may work, but they are not officially supported.
Service configuration
The integration services have multiple configurations used to access the Nexus IQ and Fortify SSC servers and fine-tune their behavior.
For this purpose, we have a file named iqapplication.properties. Those configurations are described in detail in this section. Also, you can find useful comments in the configuration file itself.
Parameter | Mandatory | Default | Description and notes | Example |
---|---|---|---|---|
iqserver.url | yes | N/A | Base URL where your Nexus IQ instance is running | http://127.0.0.1:8070 |
iqserver.username | yes | N/A | Nexus IQ username | admin |
iqserver.password | yes | N/A | Nexus IQ password | admin123 |
sscserver.url | yes | N/A | Base URL where your Fortify SSC instance is running | |
sscserver.token | yes | N/A | CIToken generated by SSC for an Administrator user | ODA0NWYzMTUtMzNmOS00ZDY2LTlkODYtY2RlMDA5YWU1ODQ5 |
server.port | yes | N/A | Port where the integration service will be listening for requests | 8182 |
loadfile.location | no | .work | The directory will be generated in the working directory | /home/sonatype/work |
priority.critical | no | 8 | Minimum threat level for being considered critical | 8 |
priority.high | no | 4 | Minimum threat level for being considered high | 4 |
priority.medium | no | 2 | Minimum threat level for being considered medium | 2 |
mapping.file | no | mapping.json | Mapping file to be used as input for the batch process | /home/sonatype/external_mapping.json |
overwrite | no | false | Unsuppress issues in SSC that do not have a waiver associated | true|false |
iq.report.type | no | policy | Possible values: raw, vulnerabilities, policy | raw|vulnerabilities|policy |
scheduling.job.cron | no | 0 0/360 6 * * ? | By default, this job runs at 6 AM and then every 6 hours | 0 0 0/3 1/1 * ? (runs every three hours) |
scheduling.waiver.suppression.delay | no | 30 | Interval in seconds between runs of the issue suppression/unsuppression job | 3600 (runs every hour) |
scheduling.waiver.suppression.retries | no | 10 | Maximum retries before the job discards unprocessed artifacts | 24 |
synchronisation.mapping.thread.count | no | 4 | Number of mappings being processed in parallel | 4 |
synchronisation.details.thread.count | no | 32 | Number of threads to be used for fetching vulnerability details and remediations for components. | 32 |
loadfile.cache | no | true | Whether or not to keep the cached files in the work folder | false |
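The three priority.* thresholds are "minimum threat level" cut-offs, so they only make sense when critical > high > medium. The following is an added example (not code from the Sonatype integration) that reads those keys from an iqapplication.properties file, applies the documented defaults, rejects an inverted configuration, and buckets a Nexus IQ threat level the way the table describes. It assumes that a level below priority.medium is reported as "Low".

```python
# Added example, not part of the Sonatype integration's own code.
# Constructed sample of iqapplication.properties (only the keys used here).
SAMPLE_PROPERTIES = """\
# thresholds from the configuration table
priority.critical=8
priority.high=4
priority.medium=2
"""

# Defaults exactly as documented in the configuration table.
DEFAULTS = {"priority.critical": 8, "priority.high": 4, "priority.medium": 2}


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def load_thresholds(props):
    """Apply the documented defaults and reject thresholds that are not strictly ordered."""
    t = {k: int(props.get(k, v)) for k, v in DEFAULTS.items()}
    if not t["priority.critical"] > t["priority.high"] > t["priority.medium"]:
        raise ValueError("priority.* thresholds must satisfy critical > high > medium")
    return t


def ssc_priority(threat_level, thresholds):
    """Bucket an IQ threat level (0-10) using the table's 'minimum level for' semantics."""
    if threat_level >= thresholds["priority.critical"]:
        return "Critical"
    if threat_level >= thresholds["priority.high"]:
        return "High"
    if threat_level >= thresholds["priority.medium"]:
        return "Medium"
    return "Low"  # assumption: anything below priority.medium
```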
Running the integration service
- Using a command line, go to the Integration directory. E.g. /home/sonatype/IntegrationService
- Start the integration using this command: ./start.sh
- The visual guide shows a quick example of unpacking and running the service.
Synchronization scheduler
This service has a built-in scheduler that understands cron-like expressions. By default, it runs every six hours, but this can be configured using the scheduling.job.cron property. A mappings file (set with the mapping.file property) must be configured to provide the parameters for the projects you want to synchronize on a schedule.
The mappings file has the following structure:
[
  {
    "sonatypeProject": "sample-application",
    "sonatypeProjectStage": "build",
    "fortifyApplication": "sample-application",
    "fortifyApplicationVersion": "1.0",
    "overwrite": true
  }
]
This is a small table explaining each parameter:
Parameter | Mandatory | Description |
---|---|---|
sonatypeProject | yes | Name of the project that already exists in Nexus IQ |
sonatypeProjectStage | yes | Project stage in Nexus IQ |
fortifyApplication | yes | Target application name in Fortify SSC |
fortifyApplicationVersion | yes | Target application version in Fortify SSC |
overwrite | no | Unsuppress issues in SSC that do not have a waiver associated. If this value is not present, the value from the properties file is used |
Synchronization endpoint
It may happen that you want to synchronize an IQ project that is not already present in your mappings file, or you simply want to trigger a synchronization on demand. For those cases the integration exposes an endpoint to manually trigger these synchronizations. This is the endpoint definition:
Endpoint GET /startScanLoad
Parameter | Mandatory | Description |
---|---|---|
sonatypeProject | yes | Name of the project that already exists in Nexus IQ |
sonatypeProjectStage | yes | Project stage in Nexus IQ |
fortifyApplication | yes | Target application name in Fortify SSC |
fortifyApplicationVersion | yes | Target application version in Fortify SSC |
overwrite | no | Unsuppress issues in SSC that do not have a waiver associated. If this value is not present, the value from the properties file is used |
saveMapping | no | Take the current request and save it as a mapping. The mapping will be saved only if the synchronization is executed successfully |
If any of the mandatory parameters is missing from the request, the integration performs a synchronization using all the values found in the mappings file (as in the scheduled job).
In that case, even if saveMapping is true, the request is not saved, because there is no complete mapping to save.
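The mappings-file structure and the /startScanLoad fallback rules above are easy to get wrong in automation, so here is an added example (not code from the Sonatype integration) that validates mapping.json entries, fills in overwrite from the properties-file default, and works out how a given request will be handled: a targeted synchronization that can save the mapping, or the full-mappings-file fallback in which saveMapping is ignored. It assumes the parameters are passed as query-string values with booleans as "true"/"false"; the integration service base URL and the second mapping entry are constructed.

```python
# Added example, not part of the Sonatype integration's own code.
import json
from urllib.parse import urlencode

MANDATORY = ("sonatypeProject", "sonatypeProjectStage",
             "fortifyApplication", "fortifyApplicationVersion")

# Constructed sample mapping.json: the second entry lacks a mandatory key.
SAMPLE_MAPPING_JSON = """[
  {"sonatypeProject": "sample-application", "sonatypeProjectStage": "build",
   "fortifyApplication": "sample-application", "fortifyApplicationVersion": "1.0",
   "overwrite": true},
  {"sonatypeProject": "payments-api", "sonatypeProjectStage": "release",
   "fortifyApplication": "payments-api"}
]"""


def missing_mandatory(params):
    """Return the mandatory parameters that are absent or empty."""
    return [k for k in MANDATORY if not params.get(k)]


def load_mappings(text, overwrite_default=False):
    """Parse mapping.json; fill overwrite from the properties default and
    report entries the scheduled job cannot use."""
    valid, invalid = [], []
    for i, entry in enumerate(json.loads(text)):
        missing = missing_mandatory(entry)
        if missing:
            invalid.append((i, missing))
        else:
            valid.append({**entry, "overwrite": entry.get("overwrite", overwrite_default)})
    return valid, invalid


def plan_start_scan_load(base_url, params, overwrite_default=False):
    """Return (url, mode, mapping_saved) for a GET /startScanLoad request.
    mode is "single" when every mandatory value is present; otherwise "all":
    the service falls back to the whole mappings file and ignores saveMapping."""
    query = dict(params)
    query.setdefault("overwrite", overwrite_default)  # fallback to properties value
    if missing_mandatory(query):
        mode, saved = "all", False
    else:
        mode = "single"
        saved = str(query.get("saveMapping", "")).lower() == "true"
    encoded = urlencode({k: (str(v).lower() if isinstance(v, bool) else v)
                         for k, v in query.items()})
    return f"{base_url.rstrip('/')}/startScanLoad?{encoded}", mode, saved
```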
Frequently Asked Questions
What is a waiver comment?
Sometimes in SSC you may encounter a comment like the one shown in the next image.
This scenario happens when you had a waived issue in your IQ server, and then the waiver was removed. To get rid of this comment you can go to your IQ instance, reevaluate the report and run another synchronization.
Why do the violations reported in the IQ Server report differ from the ones reported by SSC?
The SSC integration only reports "Security" related violations. Other violations such as those related to "License", "Architecture" and "Other" are not included in the SSC report.