Fortify SSC plugin

The XL Release Fortify SSC plugin enables XL Release to work with reports and metrics from a Fortify Software Security Center (SSC) server.

Important: You must set up a connection to Fortify SSC server before adding Fortify tasks or tiles. For information, see Set up a Fortify SSC server.

Note: In the release flow editor, Fortify SSC tasks have a red border.

Features

  • Create a Fortify Check Compliance task.
  • Add a Fortify SSC version summary tile to a release dashboard.
  • Add a Fortify SSC application compliance tile to a release dashboard.

Requirements

The Fortify SSC plugin requires the following:

  • A Fortify SSC server running and accessible via HTTP(S).
  • An application and version must exist on the server, with an FPR artifact uploaded and processed in that version.

Set up a connection to a Fortify SSC server

To set up a connection to a Fortify SSC server:

  1. In the top navigation bar, click Settings.
  2. Click Shared configuration.
  3. Under configurations, beside Fortify SSC: Server, click the add button.
  4. In the Title field, enter a name for the configuration.
  5. In the URL field, enter the address of the server.
  6. If required, enter authentication details and proxy details.
  7. To test the connection, click Test.
  8. To save the configuration, click Save.

Create Fortify SSC server

Add a Fortify Check Compliance task

The Fortify Check Compliance task creates a gate in the release flow that fails if the Minimum Security Rating is not reached for the specified project name and version.

To add a Fortify Check Compliance task:

  1. In the release flow tab of a Release template, add a task of type Fortify > Check Compliance.
  2. Click the added task to open it.
  3. In the Server field, select the configured Fortify server. Note: For information, see Set up a Fortify SSC server.
  4. In the Project Name and Project Version fields, add the project and version you want to check for compliance.
  5. In the Minimum Security Rating field, add the minimum rating that is required for the project to pass compliance. The Minimum Security Rating defaults to 5.

Fortify Check Compliance task

Add a Fortify SSC version summary tile to a release dashboard

The Fortify Summary tile type creates a dashboard tile that displays metrics on the selected project and version.

To add a Fortify SSC version summary tile to a release dashboard:

  1. In the top navigation bar, click Dashboards.
  2. Select the dashboard where you want to add the new tile. Note: If you have not created a dashboard yet, you can do so by clicking the Add dashboard button in the top right of the screen.
  3. In the top right of the screen, click Configure dashboard.
  4. In the top right of the screen, click Add tiles.
  5. Hover over Fortify SSC version summary, and click Add.
  6. On the dashboard, hover over the new Fortify SSC version summary tile, and click configure.
  7. In the Title field, enter a name for the tile.
  8. In the Server field, enter the name of the Fortify SSC server you want to connect with.
  9. In the Project name field, enter the project that you want to display metrics on.
  10. In the Application field, enter the application that you want to display metrics on.
  11. In the Version field, enter the version that you want to display metrics on.
  12. Click Save.

Fortify Summary tile

Add a Fortify SSC application compliance tile to a release dashboard

The Fortify SSC application compliance tile type creates a dashboard tile that displays the compliance of the selected application's versions against the selected security standards over the chosen time period.

To add a Fortify SSC application compliance tile to a release dashboard:

  1. In the top navigation bar, click Dashboards.
  2. Select the dashboard where you want to add the new tile. Note: If you have not created a dashboard yet, you can do so by clicking the Add dashboard button in the top right of the screen.
  3. In the top right of the screen, click Configure dashboard.
  4. In the top right of the screen, click Add tiles.
  5. Hover over Fortify SSC application compliance, and click Add.
  6. On the dashboard, hover over the new Fortify SSC application compliance tile, and click configure.
  7. In the Title field, enter a name for the tile.
  8. In the Server field, enter the name of the Fortify SSC server that you want to connect with.
  9. In the Time period field, select the period of time to display data on.
  10. In the Application field, enter the application to display metrics on.
  11. In the Security standards field, select the security standards to display.
  12. In the Versions field, enter the versions to display metrics on. Note: Version filters follow semantic versioning. A custom regex can also be used, provided that it is Python-compatible.
  13. Click Save.
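The two pieces of logic this page describes, the Check Compliance gate (minimum security rating, default 5) and the Versions filter of the application compliance tile (semantic version or Python regex), as an added example that is not the plugin's own code. The SSC data is constructed inline, and the semver filter semantics (a semver filter selects that version and everything above it) are an assumption, since the page does not define them:

```python
import re

# Constructed sample of what SSC reports for one application's versions
# (the real plugin fetches this over HTTP from the configured SSC server).
SSC_VERSIONS = {
    "1.2.0": {"securityRating": 5},
    "1.3.0": {"securityRating": 3},
    "1.3.1": {"securityRating": 4},
    "2.0.0": {"securityRating": 5},
}

SEMVER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_semver(version):
    """Return (major, minor, patch) or None when the string is not semver."""
    m = SEMVER_RE.match(version)
    return tuple(int(p) for p in m.groups()) if m else None


def match_versions(versions, version_filter):
    """Select version names for the tile's Versions field (assumed semantics:
    a filter that is itself a semver string selects every version at or above
    it; anything else is a Python regex that must match the whole name)."""
    floor = parse_semver(version_filter)
    if floor is not None:
        chosen = [v for v in versions if (parse_semver(v) or ()) >= floor]
    else:
        try:
            pattern = re.compile(version_filter)
        except re.error as exc:
            raise ValueError("filter is not a valid Python regex: %s" % exc)
        chosen = [v for v in versions if pattern.fullmatch(v)]
    # Order by semver where possible so "10.0.0" sorts after "2.0.0".
    return sorted(chosen, key=lambda v: (parse_semver(v) or (), v))


def check_compliance(versions, project_version, minimum_rating=5):
    """Gate logic of the Check Compliance task: (passed, rating).
    A version SSC does not know fails closed rather than passing silently."""
    record = versions.get(project_version)
    if record is None:
        return False, None
    rating = record["securityRating"]
    return rating >= minimum_rating, rating
```

An invalid regex raises before any data is shown, so a mistyped filter cannot silently produce an empty (and therefore misleadingly clean) tile.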

Fortify Check Compliance task

Release notes

XL Release Fortify SSC plugin 9.0.0

  • Added compatibility with XL Release 9.0.0

XL Release Fortify plugin 8.5.0

  • Added the Fortify SSC application compliance tile

XL Release Fortify plugin 8.2.0

  • Added compatibility with XL Release 8.2.0