Nexus Fortify SSC
Get the Sonatype Lifecycle integration with SSC on the Fortify Marketplace.
Table of Contents
- Service Compatibility
- Architecture Overview
- IQ - Fortify Parser Plugin Installation
- IQ - Fortify Integration Service Installation
- Frequently Asked Questions
Service Compatibility
Prerequisites
- IQ Server 126 or later
- Administrator role in IQ to enable all functionality of the integration service
- Fortify SSC 20.2.2 or later
- Administrator role in SSC to enable universal access to see and create new applications
Older versions may work but are not guaranteed.
Architecture Overview
The integration has two main parts. Both of them are included in the installation bundle
- IQ - Fortify parser plugin
- IQ - Fortify integration service
IQ - Fortify Parser Plugin Installation
- Go to your SSC installation and click on ADMINISTRATION
- Then go to Plugins > Parsers
- Click on NEW
- You will find the following warning. Click on OK
- In the next screen select BROWSE and select the plugin JAR file
- By default, SSC disables any newly loaded plugin. Click on the Sonatype plugin and enable it.
- Finally, click on OK to close the warning.
Congratulations! The Sonatype parser plugin is installed and enabled
IQ - Fortify Integration Service Installation
Both servers must be up and running in order to successfully export data from Lifecycle to Fortify SSC. Other versions of the servers may work, but they are not officially supported.
Service configuration
The integration services have multiple configurations used to access Lifecycle and Fortify SSC servers and fine-tune their behavior.
For this purpose, we have a file named iqapplication.properties. Those configurations are described in detail in this section. Also, you can find useful comments in the configuration file itself.
| Parameter | Mandatory | Default | Description and notes | Example |
|---|---|---|---|---|
| iqserver.url | yes | N/A | Base URL where your IQ Server instance is running | http://127.0.0.1:8070 |
| iqserver.username | yes | N/A | IQ Server username | admin |
| iqserver.password | yes | N/A | IQ Server password | admin123 |
| sscserver.url | yes | N/A | Base URL where your Fortify SSC instance is running | |
| sscserver.token | yes | N/A | CIToken generated by SSC for an Administrator User | ODA0NWYzMTUtMzNmOS00ZDY 2LTlkODYtY2RlMDA5YWU1ODQ5 |
| server.port | yes | N/A | Port where the integration service will be listening for requests | 8182 |
| loadfile.location | no | .work | The directory will be generated in the working directory | /home/sonatype/work |
| priority.critical | no | 8 | Minimum threat level for being considered critical | 8 |
| priority.high | no | 4 | Minimum threat level for being considered high | 4 |
| priority.medium | no | 2 | Minimum threat level for being considered medium | 2 |
| mapping.file | no | mapping.json | Mapping file to be used as input for the batch process | /home/sonatype/external_mapping.json |
| overwrite | no | false | Unsuppress issues in SSC that does not have a waiver associated | true|false |
| iq.report.type | no | policy | Possible values: raw, vulnerabilities, policy | raw|vulnerabilities|policy |
| scheduling.job.cron | no | 0 0/360 6 * * ? | By default, this job will run at 6 AM and then every 6 hours Deprecated in version 4.3.0 Starting in version 4.3.0, scheduling job will continuesly run. The time to wait between every cycle can be configured by the property | # Run every three hours scheduling.job.cron= 0 0 0/3 1/1 * ? |
| scheduling.waiver.suppression.delay | no | 30 | Time in seconds to run the issue suppression/unsuppresion job. Since 4.3.0 Starting in version 4.3.0, waivers will be retried in increments, up to 5 minutes. The value set for this property will not guarantee supression being tried every 30 seconds. Every individual synchronization will now wait in incrementals of 30 seconds, 1 minute, 2 minutes, 4 minutes and then afterwards 5 minutes until retry count is exhausted. This configuration still is relevant for how often the tasks are checked to see if they should be retried. | # Run every hour 3600 |
| scheduling.waiver.suppression.retries | no | 72 | Maximum retries before the job discard unprocessed artifacts | 72 |
| synchronisation.mapping.thread.count | no | 4 | Number of mappings being processed in parallel | 4 |
| synchronisation.details.thread.count | no | 32 | Number of threads to be used for fetching vulnerability details and remediations for components. | 32 |
| loadfile.cache | no | true | Whether or not to keep the cached files in the work folder | false |
| synchronize.projects.continuously | no | true | Since 4.3.0 Whether or not to run the synchronization in the background continuously. If set to false, other means of synchonization can be used, such as triggering the full cycle manually, executing on demand synchronizations or using webhooks from the IQ Server. | true |
| scheduling.fixed.rate.minutes | no | 1 | Since 4.3.0 Duration between full synchronizations if syncProjectsContinuously is true. If a full synchronization takes longer than the value entered here, it will immediatly run again. | 1 |
Running the integration service
- Using a command line, go to the Integration directory. E.g. /home/sonatype/IntegrationService
- Start the integration using this command: ./start.sh
- The visual guide shows a quick example of unpacking and running the service.
Synchronization scheduler
Before 4.3.0
This service has a built-in scheduler that understands cron-like expressions. By default, it runs every six hours, but that can be configured using the scheduling.job.cron property.
Since 4.3.0
This service by default syncronizes all entries found in the mapping file with a duration of 1 minute between each run. This behaviour can be changed by setting the synchronize.projects.continuously property to false or the duration between the cycles can be modified by using the scheduling.fixed.rate.minutes property. Modfying the synchronize.projects.continuously property has no affect on on demand synchronization requests.
It is required to configure a mappings file (defined in the mapping.file property) to provide the parameters for the projects you want to synchronize in a scheduled fashion.
The mappings file has the following structure
[
{
"sonatypeProject": "sample-application-publicId",
"sonatypeProjectStage": "build",
"fortifyApplication": "sample-application",
"fortifyApplicationVersion": "1.0",
"overwrite": true
}
]
This is a small table explaining each parameter
| Parameter | Mandatory | Description |
|---|---|---|
| sonatypeProject | yes | Public Id of the project that already exists in IQ Server |
| sonatypeProjectStage | yes | Project stage in IQ Server |
| fortifyApplication | yes | Target application name in Fortify SSC |
| fortifyApplicationVersion | yes | Target application version in Fortify SSC |
| overwrite | no | Unsuppressed issues in SSC that do not have a waiver associated. If this value is not present we take the value from the properties file |
Synchronization endpoint
It may happen that you want to synchronize an IQ project that is not already present in your mappings file, or you simply want to trigger a synchronization on demand. For those cases the integration exposes an endpoint to manually trigger these synchronizations. This is the endpoint definition:
Endpoint GET /startScanLoad
| Parameter | Mandatory | Description |
|---|---|---|
| sonatypeProject | yes | Public Id of the project that already exists in IQ Server |
| sonatypeProjectStage | yes | Project stage in IQ Server |
| fortifyApplication | yes | Target application name in Fortify SSC |
| fortifyApplicationVersion | yes | Target application version in Fortify SSC |
| overwrite | no | Unsuppressed issues in SSC that do not have a waiver associated. If this value is not present we take the value from the properties file |
| saveMapping | no | Take the current request and save it as a mapping. The mapping will be saved only if the synchronization is executed successfully |
If one of the mandatory parameters is missing in the request, the integration will perform synchronization using all the values found in the mappings file (like in the scheduled job).
In this specific case, even if the saveMapping is true, the request won't be saved since we do not have a full mapping to save.
One-time Project Synchronization endpoint
To synchronize a desired project adhoc, use this endpoint. It will synchronize the provided project in all stages immediatly. The mapping information for the provided project must exist in the mappings file.
Endpoint GET /startScanLoadSingleProject?sonatypeProject={sonatypeProjectPublicId}
| Parameter | Mandatory | Description |
|---|---|---|
| sonatypeProject | yes | Public Id of the project that already exists in IQ Server |
Frequently Asked Questions
What is a waiver comment?
Sometimes in SSC you may encounter a comment like the one shown in the next image.
This scenario happens when you had a waived issue in your IQ server, and then the waiver was removed. To get rid of this comment you can go to your IQ instance, reevaluate the report and run another synchronization.
Why do the violations reported in the IQ Server report differ from the ones reported by SSC?
The SSC integration only reports "Security" related violations. Other violations such as those related to "License", "Architecture" and "Other" are not included in the SSC report.