jenkinsci / fortify-plugin


Fortify Jenkins plugin

Home Page: https://plugins.jenkins.io/fortify

License: Other

Java 84.21% HTML 12.73% CSS 0.07% JavaScript 2.99%
fortify fortify-sca security jenkins-plugin security-pipeline security-automation security-tools devsecops

fortify-plugin's Introduction

Fortify Jenkins plugin

This is the official Jenkins plugin for Fortify Static Code Analyzer (SCA) and Fortify Software Security Center (SSC).

Plugin Information

The plugin adds the ability to perform security analysis with Fortify Static Code Analyzer, upload results to Fortify Software Security Center, show analysis results summary, and set build failure criteria based on analysis results.

Summary

Use the Fortify Jenkins Plugin in your continuous integration builds to identify security issues in your source code using Fortify Static Code Analyzer. After the Fortify Static Code Analyzer analysis is complete, you can upload the results to a Fortify Software Security Center server. The Fortify Jenkins Plugin also enables you to view the analysis result details within Jenkins. It provides metrics for each build and an overview of the results, without requiring you to log into Fortify Software Security Center.

Documentation

You can find official plugin documentation here: https://www.microfocus.com/documentation/fortify-jenkins-plugin/

For more information about Fortify Static Code Analyzer, visit https://www.microfocus.com/cyberres/application-security/static-code-analyzer.

For more information about Fortify Software Security Center, visit https://www.microfocus.com/cyberres/application-security/software-security-center.

Features

  • Provides a post-build action to analyze the source with Fortify Static Code Analyzer, update Security Content, analyze remotely with Fortify ScanCentral SAST, upload analysis results to Fortify Software Security Center, and set the build status to unstable depending on uploaded results processed by Fortify Software Security Center
  • Provides pipeline support for source code analysis locally with Fortify Static Code Analyzer and remotely with Fortify ScanCentral SAST, updating Security Content, and uploading analysis results to Fortify Software Security Center
  • Displays analysis results for each Job analyzed locally with Fortify Static Code Analyzer, which includes a history trend and the latest issues from Fortify Software Security Center, and navigation to individual issues on Fortify Software Security Center for detailed analysis

Video tutorial

http://youtube.com/watch?v=cjEwDmTsxII

Setup

This set of instructions describes how to configure the plugin to run a local Fortify Static Code Analyzer scan, upload the analysis results to Software Security Center, and then see the analysis results in Jenkins. You can also run the analysis with ScanCentral SAST. See the full documentation for instructions.

  1. Create an authentication token of type CIToken. Log in to Fortify Software Security Center, click the Administration tab and select Users > Token Management on the left pane. Click New to create an authentication token of type CIToken, and then click Save. Copy the decoded token at the bottom of the dialog box.

  2. In Jenkins, install the Fortify plugin.

  3. From the Jenkins menu, select Jenkins > Manage Jenkins > Configure System. To trigger an unstable build based on the results and to see analysis results in Jenkins, you need to upload the locally run analysis results to Fortify Software Security Center. Scroll down to the Fortify Assessment section, and then do the following:

    • In the SSC URL box, type the Fortify Software Security Center server URL. 
    • Below the Authentication token box, click Add > Jenkins to open the Jenkins Credentials Provider dialog box and add a credential of the type Fortify Connection Token. Add a description for the credential, and paste the token value you created in step 1 in the Token box.
    • To use the proxy settings configured in Jenkins for connecting to Fortify Software Security Center, select Use Jenkins proxy.
    • Click Test SSC connection.
  4. To analyze your project with Fortify Static Code Analyzer or to update Fortify security content as part of your build, make sure that the Fortify Static Code Analyzer is in the system Path environment variable or create a Jenkins environment variable to specify the location of the Fortify Static Code Analyzer executable. In Global properties, create the following environment variable:

    • Name: FORTIFY_HOME
    • Value: <sca_install_dir> where <sca_install_dir> is the path where Fortify Static Code Analyzer is installed. For example, on Windows the default installation location is C:\Program Files\Fortify\Fortify_SCA_and_Apps_<version>.

Configuration when running Jenkins from Docker

When running Jenkins in a Docker container, mount the <sca_install_dir> directory into the container so that the Fortify Static Code Analyzer executables are accessible from inside Docker. The following command is an example of how to do this:

docker container run -d \
  -p 8080:8080 \
  -v /home/admin/Fortify/Fortify_SCA_and_Apps_22.1.0:/var/jenkins_home/Fortify/Fortify_SCA_and_Apps_22.1.0 \
  --name=jenkins \
  jenkins/jenkins

For this example, the value of FORTIFY_HOME is /var/jenkins_home/Fortify/Fortify_SCA_and_Apps_22.1.0 (the container-side path of the volume mount, not the host path).
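The setup steps above and the Docker mount, put together as a declarative pipeline. This is an added example and not code from the plugin's README or source: it first verifies that FORTIFY_HOME points at the SCA install root mounted in the Docker command (the plugin looks for bin/sourceanalyzer under that directory, so a value that already ends in /bin fails with "executable not found: sourceanalyzer"), then runs a local translate and scan and uploads the results to Software Security Center, where the failure criteria can mark the build unstable. The application name, version, source pattern, heap size and install path are assumed placeholders; the step names and parameters (fortifyClean, fortifyTranslate, fortifyScan, fortifyUpload and the fortifyJava scan type) are the plugin's pipeline steps.

```groovy
// Added example (not from the plugin's README): local SCA scan plus SSC upload.
pipeline {
    agent any

    environment {
        // Assumed: the install root as mounted in the docker example above.
        // Must be the install ROOT, not <root>/bin: the plugin resolves
        // $FORTIFY_HOME/bin/sourceanalyzer itself.
        FORTIFY_HOME = '/var/jenkins_home/Fortify/Fortify_SCA_and_Apps_22.1.0'
        // One build ID per job run keeps translate/scan intermediate files apart.
        FORTIFY_BUILD_ID = "${env.JOB_NAME}-${env.BUILD_NUMBER}"
    }

    stages {
        stage('Check Fortify SCA') {
            steps {
                // Fail fast with a precise message instead of the generic
                // "executable not found: sourceanalyzer" from the plugin.
                sh '''
                    if [ ! -x "$FORTIFY_HOME/bin/sourceanalyzer" ]; then
                        echo "FORTIFY_HOME=$FORTIFY_HOME has no bin/sourceanalyzer; set it to the SCA install root" >&2
                        exit 1
                    fi
                '''
            }
        }

        stage('Fortify SCA scan') {
            steps {
                // Clear leftovers from earlier runs with the same build ID.
                fortifyClean buildID: env.FORTIFY_BUILD_ID

                // Translate Java sources (assumed source pattern and Java level).
                fortifyTranslate buildID: env.FORTIFY_BUILD_ID,
                    logFile: "${env.FORTIFY_BUILD_ID}-translation.log",
                    projectScanType: fortifyJava(javaVersion: '1.8',
                                                 javaSrcFiles: '"src/main/java/**/*.java"')

                // Scan the translated build and write the FPR into the workspace.
                fortifyScan buildID: env.FORTIFY_BUILD_ID,
                    maxHeap: '4000',
                    logFile: "${env.FORTIFY_BUILD_ID}-scan.log",
                    resultsFile: "${env.FORTIFY_BUILD_ID}-results.fpr"
            }
        }

        stage('Upload to SSC') {
            steps {
                // Uses the SSC URL and CIToken credential configured under
                // Manage Jenkins > Configure System > Fortify Assessment.
                // Assumed application name and version in SSC.
                fortifyUpload appName: 'Demo', appVersion: '1.0',
                    resultsFile: "${env.FORTIFY_BUILD_ID}-results.fpr",
                    failureCriteria: '[fortify priority order]:critical OR high'
            }
        }
    }

    post {
        always {
            // Keep the FPR and logs for review even when the build is unstable.
            archiveArtifacts artifacts: '*.fpr, *.log', allowEmptyArchive: true
        }
    }
}
```

The failureCriteria string is an SSC search query; when the uploaded results match it, the plugin sets the build to UNSTABLE rather than failing it, which is why the post section archives unconditionally.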

Advisory

Older versions of this plugin might not be safe to use. Review the following warnings before using an earlier version:

Feedback welcome

This plugin is maintained by the Fortify team. If you have any problems, questions, or enhancement requests or would like to contribute to the code please let us know via GitHub Issues.

License

MIT License

More information

fortify-plugin's People

Contributors

akarjakina, akaryakina, basil, froque, hiro0824, karenewlees, vrulevskyi, young-s-park

fortify-plugin's Issues

Step fortify Update

An option for acceptKey is missing.
If I run the step I'm asked to accept the key (Y/N) and after the timeout the step fails!

Or is there a workaround to set this option?

Documentation for updating the SSL keystore

Describe your use-case which is not covered by existing documentation.

We are encountering an SSL handshake error trying to upload an fpr file to an SSC instance:

12:03:45  Running FortifyUpload step
12:03:47  Fortify Jenkins plugin v 22.2.39
12:03:47  Performing Fortify upload process
12:03:47  Using analysis results file: file:xxxx.fpr
12:03:47  Uploading analysis results file to SSC at https://xxx:8443/ssc to application 'XXX' and application version '1.0'
12:03:52  Error uploading to SSC: https://xxx:8443/ssc
12:03:52  javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
12:03:52  com.fortify.ssc.restclient.ApiException: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
12:03:52  	at com.fortify.plugin.jenkins.FortifyPlugin.runWithFortifyClient(FortifyPlugin.java:894)
12:03:52  	at com.fortify.plugin.jenkins.steps.FortifyUpload.createNewOrGetProject(FortifyUpload.java:744)
12:03:52  	at com.fortify.plugin.jenkins.steps.FortifyUpload.uploadToSSC(FortifyUpload.java:297)
12:03:52  	at com.fortify.plugin.jenkins.steps.FortifyUpload.performAndReturnIssueCount(FortifyUpload.java:225)
12:03:52  	at com.fortify.plugin.jenkins.steps.FortifyUpload$Execution.run(FortifyUpload.java:854)
12:03:52  	at com.fortify.plugin.jenkins.steps.FortifyUpload$Execution.run(FortifyUpload.java:841)
12:03:52  	at org.jenkinsci.plugins.workflow.steps.SynchronousNonBlockingStepExecution.lambda$start$0(SynchronousNonBlockingStepExecution.java:47)
12:03:52  	at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
12:03:52  	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
12:03:52  	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
12:03:52  	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
12:03:52  	at java.base/java.lang.Thread.run(Thread.java:834)
12:03:52  Caused by: com.fortify.ssc.restclient.ApiException: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
12:03:52  	at com.fortify.ssc.restclient.ApiClient.execute(ApiClient.java:930)
12:03:52  	at com.fortify.ssc.restclient.api.ProjectControllerApi.listProjectWithHttpInfo(ProjectControllerApi.java:202)

Where do I need to update the cacerts for the Fortify plugin?

Reference any relevant documentation, other materials or issues/pull requests that can be used for inspiration.

The Fortify SCA user guide suggests replacing the cacerts in the jre of the SCA install.

We tried that but that didn't work.

We also tried updating the cacerts of the Java JDK that we are using on our agent, but that didn't work either.

fortifyupload step: unable to reliably determine step status in pipeline

Jenkins and plugins versions report

Jenkins: 2.332.2
OS: Linux - 4.14.273-207.502.amzn2.x86_64

ace-editor:1.1
ant:1.13
antisamy-markup-formatter:2.7
apache-httpcomponents-client-4-api:4.5.13-1.0
authentication-tokens:1.4
authorize-project:1.4.0
aws-credentials:191.vcb_f183ce58b_9
aws-java-sdk-ec2:1.12.163-315.v2b_716ec8e4df
aws-java-sdk-minimal:1.12.163-315.v2b_716ec8e4df
bootstrap4-api:4.6.0-3
bootstrap5-api:5.1.3-6
bouncycastle-api:2.25
branch-api:2.1044.v2c007e51b_87f
caffeine-api:2.9.2-29.v717aac953ff3
checks-api:1.7.2
cloudbees-folder:6.714.v79e858ef76a_2
command-launcher:1.6
config-file-provider:3.9.0
configuration-as-code:1414.v878271fc496f
credentials:1087.v16065d268466
credentials-binding:1.27.1
cucumber-reports:5.7.0
dark-theme:156.v6cf16af6f9ef
dashboard-view:2.426.vb_93dcdb_b_0eb_0
display-url-api:2.3.6
docker-build-step:2.8
docker-commons:1.19
docker-workflow:1.28
dropdown-viewstabbar-plugin:1.7
durable-task:495.v29cd95ec10f2
ec2:1.68
echarts-api:5.3.0-2
extended-read-permission:3.2
extensible-choice-parameter:1.8.0
external-monitor-job:191.v363d0d1efdf8
font-awesome-api:6.0.0-1
fortify:21.2.37
gatling:1.3.0
git:4.11.0
git-client:3.11.0
git-server:1.10
gitlab-api:1.0.6
gitlab-branch-source:1.5.9
gradle:1.38
groovy:2.4
handlebars:3.0.8
handy-uri-templates-2-api:2.1.8-1.0
htmlpublisher:1.29
hudson-wsclean-plugin:1.0.8
jackson2-api:2.13.2-260.v43d711474c77
javadoc:217.v905b_86277a_2a_
javax-activation-api:1.2.0-2
javax-mail-api:1.6.2-5
jaxb:2.3.0.1
jdk-tool:1.5
jnr-posix-api:3.1.7-3
jquery:1.12.4-1
jquery-detached:1.2.1
jquery3-api:3.6.0-2
jsch:0.1.55.2
junit:1.58
lockable-resources:2.14
m2release:0.16.2
mailer:408.vd726a_1130320
matrix-auth:3.1
matrix-project:758.v7a_ea_491852f3
maven-plugin:3.18
momentjs:1.1.1
nested-view:1.24
node-iterator-api:1.5.1
nodejs:1.5.1
pam-auth:1.7
percentage-du-node-column:0.1.0
pipeline-build-step:2.16
pipeline-graph-analysis:188.v3a01e7973f2c
pipeline-input-step:446.vf27b_0b_83500e
pipeline-milestone-step:100.v60a_03cd446e1
pipeline-model-api:2.2075.vce74e77b_ce40
pipeline-model-definition:2.2075.vce74e77b_ce40
pipeline-model-extensions:2.2075.vce74e77b_ce40
pipeline-rest-api:2.23
pipeline-stage-step:291.vf0a8a7aeeb50
pipeline-stage-tags-metadata:2.2075.vce74e77b_ce40
pipeline-stage-view:2.23
plain-credentials:1.8
plugin-usage-plugin:2.2
plugin-util-api:2.16.0
popper-api:1.16.1-2
popper2-api:2.11.4-1
resource-disposer:0.18
role-strategy:3.2.0
saml:2.296.v0016349946db_
scm-api:595.vd5a_df5eb_0e39
script-security:1145.vb_cf6cf6ed960
snakeyaml-api:1.29.1
snyk-security-scanner:3.2.4
sonar:2.14
splunk-devops:1.9.9
splunk-devops-extend:1.9.9
ssh-credentials:1.19
sshd:3.226.vb_1769a_7fb_b_a_6
startup-trigger-plugin:2.9.3
structs:308.v852b473a2b8c
theme-manager:0.6
timestamper:1.17
token-macro:285.vff7645a_56ff0
trilead-api:1.57.v6e90e07157e1
update-sites-manager:2.0.0
variant:1.4
versioncolumn:2.2
view-job-filters:2.3
windows-slaves:1.8
workflow-aggregator:2.7
workflow-api:1143.v2d42f1e9dea_5
workflow-basic-steps:941.vdfe1b_a_132c64
workflow-cps:2686.v7c37e0578401
workflow-cps-global-lib:564.ve62a_4eb_b_e039
workflow-durable-task-step:1128.v8c259d125340
workflow-job:1174.vdcb_d054cf74a_
workflow-multibranch:711.vdfef37cda_816
workflow-scm-step:2.13
workflow-step-api:622.vb_8e7c15b_c95a_
workflow-support:817.v58126df57338
ws-cleanup:0.41

What Operating System are you using (both controller, and any agents involved in the problem)?

amazon linux

Reproduction steps

In a pipeline with multiple stages, let 'stage A' set the stage and build result to UNSTABLE (for instance because unstable() is called). When in a later 'stage B' a fortify analysis is done which ends with a call to the fortifyUpload step, the only way to query the outcome of this step currently is checking currentBuild.result == 'UNSTABLE' (see

)

This however will not do, because it is impossible to know whether it is stage A that set the status to UNSTABLE and the fortifyupload step didn't find any issues, or it actually was the fortifyUpload step that found issues and (again) set the status to UNSTABLE.

I have prepared a pull request introducing an extra flag to optionally make the fortifyUpload step throw an exception when issues are found. This exception can be caught and the pipeline author can react to it however he sees fit.

Expected Results

My expected result is that as a pipeline author I can always determine whether there were fortify issues found.

Actual Results

My fortify analysis stage incorrectly reports there were issues when stage A already reported an UNSTABLE state.

Anything else?

No response

Can't find the mvn path in docker slave

Version: Fortify Jenkins plugin v 20.2.34

I'm already setting the PATH and MAVEN_HOME environment correctly in all of my systems.
Jenkins master and slave can find the mvn binary with 'sh' command.
But the fortify-plugin can't find mvn binary.

Command sh

[Pipeline] sh
+ env
....
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/root/bin:/usr/share/maven/bin
MAVEN_HOME=/usr/share/maven
....

[Pipeline] sh
+ mvn -v
Apache Maven 3.6.0
Maven home: /usr/share/maven
Java version: 13, vendor: Oracle Corporation, runtime: /mnt/toolkit/jdk/jdk-13
Default locale: en_US, platform encoding: ANSI_X3.4-1968
OS name: "linux", version: "4.15.0-122-generic", arch: "amd64", family: "unix"

Command fortifyTranslate

[Pipeline] fortifyTranslate
Running FortifyTranslate step
Fortify Jenkins plugin v 20.2.34
Launching Fortify SCA translate command
Found executable: /home/Fortify/Fortify_SCA_and_Apps_20.1.2/bin/sourceanalyzer
Running Maven 3 translation
[Pipeline]
java.io.FileNotFoundException: ERROR: executable not found: mvn; make sure that either MAVEN_HOME environment variable is set or mvn is on the PATH or in workspace
	at com.fortify.plugin.jenkins.steps.FortifyStep.findExecutablePath(FortifyStep.java:112)
	at com.fortify.plugin.jenkins.steps.FortifyStep.getExecutable(FortifyStep.java:101)
	at com.fortify.plugin.jenkins.steps.FortifySCAStep.getExecutableForEnvVar(FortifySCAStep.java:108)
	at com.fortify.plugin.jenkins.steps.FortifySCAStep.getMavenExecutable(FortifySCAStep.java:97)
	at com.fortify.plugin.jenkins.steps.FortifyTranslate.perform(FortifyTranslate.java:357)
	at com.fortify.plugin.jenkins.steps.FortifyTranslate$Execution.run(FortifyTranslate.java:469)
	at com.fortify.plugin.jenkins.steps.FortifyTranslate$Execution.run(FortifyTranslate.java:455)
	at org.jenkinsci.plugins.workflow.steps.SynchronousNonBlockingStepExecution.lambda$start$0(SynchronousNonBlockingStepExecution.java:47)
	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at java.lang.Thread.run(Thread.java:748)

This is my pipeline source.

// k8s
podTemplate(
    containers: [
        ...
    ],
) {
    node(POD_LABEL) {
        container('agent') {
            stage('Fortify Translation (Maven)') {
                sh 'ls /usr/share/maven/'
                sh 'env'
                sh 'mvn -v'
            
                fortifyTranslate addJVMOptions: '', buildID: "testApp",
                    projectScanType: fortifyMaven3(mavenOptions: mavenTasks)
            }
        }
    }
}

unnecessary dependencies

Jenkins and plugins versions report

not connected to issue

What Operating System are you using (both controller, and any agents involved in the problem)?

any

Reproduction steps

In the 22.1.38 version of the plugin there are many unnecessary dependencies in the *.hpi (examples):

  • openapi-generator-5.2.1.jar
  • rhino-1.7.7.2.jar
  • jackson-datatype-joda-2.10.1.jar

and duplicated & conflicting dependencies:

  • swagger-core-1.6.2.jar
  • swagger-core-2.1.2.jar

Expected Results

  • smaller *.hpi
  • only necessary dependencies
  • no conflicts in Jenkins (e.g. with the gitlab-api plugin)

Actual Results

  • *.hpi 5 times larger than the previous version
  • conflicts with gitlab-api plugin

Anything else?

No response

cannot find sourceanalyzer from FORTIFY_HOME & PATH

"FORTIFY_HOME=/tech/Fortify"
"PATH=/tech/nvm/versions/node/v11.9.0/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/tech/Fortify/bin:/tech/apache-ant-1.9.14/bin"

I reviewed the source code of SCAStep & Step, and put fortifySCA at /tech/Fortify/
and sourceanalyzer in /tech/Fortify/sourceanalyzer

but the plugin cannot find the executable in my Docker container.
In v19 it showed an error message and used the sourceanalyzer in PATH, but 20.0.1.33 throws a FileNotFoundException.

[devops@73a08d678758 ene_feature_provisioning-service]$ stat /tech/Fortify/bin/sourceanalyzer
File: '/tech/Fortify/bin/sourceanalyzer'
Size: 236528 Blocks: 464 IO Block: 4096 regular file
Device: 31h/49d Inode: 321 Links: 1
Access: (0755/-rwxr-xr-x) Uid: ( 9001/ devops) Gid: ( 9001/ devops)
Access: 2020-07-22 14:26:14.000000000 +0800
Modify: 2020-07-22 14:26:14.000000000 +0800
Change: 2020-07-23 16:59:09.257453731 +0800
Birth: -

How can I mitigate this one?

Jenkins 2.277.1 can't use fortify-plugin

Hi, I upgraded Jenkins to version 2.277.1 and found that the project's configuration can't be saved, and when I uninstall fortify-plugin the configuration can be saved. I searched for fortify-plugin from Jenkins 2.277.1 and can't find the Fortify plugin, only the Fortify on Demand plugin. What should I do? Perhaps return to a lower version of Jenkins?

Unable to add Fortify CI Token - Unable to choose Kind as 'credential of the type Fortify Connection Token'

Jenkins and plugins versions report

Environment
Paste the output here

What Operating System are you using (both controller, and any agents involved in the problem)?

Windows

Reproduction steps

When I try to add a credential of the type Fortify Connection Token I am not able to see a dropdown option for this.

Expected Results

I should get Drop Down option for credential of the type Fortify Connection Token.

Actual Results

Not able to add credential of the type Fortify Connection Token.

Anything else?

No response

Are you interested in contributing a fix?

No response

Plugin generated command is missing ssctoken and uptoken

I'm trying to use the plugin to initiate a cloud scan in the following way:
fortifyRemoteAnalysis remoteAnalysisProjectType: fortifyMaven(buildFile: ''), uploadSSC: [appName: 'my-app-name', appVersion: 'my-version']

The generated command looks the following:
cloudscan -sscurl <my-ssc-url> -ssctoken start -bt mvn -upload -application my-app-name -version my-version -uptoken

It is missing the actual ssctoken and uptoken.
The command fails to execute correctly without those tokens. The tokens are configured correctly on the Manage Jenkins page.

Questions around missing functionality

I recently tried to use this plugin within my organization that uses SSC. In our workflow, we do a local translate and then a remote scan. We also download the .fpr to Jenkins. I'm using the "-block -f <file_name>.fpr" to cause the remote scan to block, wait for status complete, and download the .fpr. I don't see how to accomplish this with fortifyRemoteScan. Maybe I'm missing something. If it's not existing functionality it does not seem like much work to add.

How often do you release? Is this something I can contribute?

@young-s-park @akaryakina

Plugin executes commands in a wrong container in case of k8s pod agent

Jenkins and plugins versions report

Jenkins: 2.332.3
OS: Linux - 4.18.0-305.25.1.el8_4.x86_64
Agent: jnlp 4.11 in debian based container
Plugin: fortify:22.1.38

Reproduction steps

  1. set up an agent pod template with two containers: jnlp and one with Fortify SCA
  2. run the following code on that agent:
container('fortify') {
    fortifyRemoteAnalysis remoteAnalysisProjectType: fortifyMaven(), 
                    remoteOptionalConfig: [notifyEmail: '[email protected]'],
                    uploadSSC: [appName: 'myapp', appVersion: '0.0.1']
}

Expected Results

It should run a /opt/fortify/bin/scancentral ..... command inside the fortify container, which actually has the scancentral binary.

Actual Results

The plugin tries to run the scancentral command inside the jnlp container and fails:

Running Fortify remote analysis step
Fortify Jenkins plugin v 22.1.38
Performing Fortify remote analysis
WARNING: Cannot find scancentral executable
Checking for cloudscan executable
[Pipeline] }
[Pipeline] // container
[Pipeline] }
[Pipeline] // stage
[Pipeline] }
[Pipeline] // node
[Pipeline] }
[Pipeline] // podTemplate
[Pipeline] End of Pipeline
java.lang.RuntimeException: Cannot find cloudscan executable
	at com.fortify.plugin.jenkins.steps.CloudScanStart.perform(CloudScanStart.java:242)
	at com.fortify.plugin.jenkins.steps.CloudScanStart$Execution.run(CloudScanStart.java:414)
	at com.fortify.plugin.jenkins.steps.CloudScanStart$Execution.run(CloudScanStart.java:399)
	at org.jenkinsci.plugins.workflow.steps.SynchronousNonBlockingStepExecution.lambda$start$0(SynchronousNonBlockingStepExecution.java:47)
	at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
	at java.base/java.lang.Thread.run(Thread.java:829)
Finished: FAILURE

Anything else?

I found a temporary way to avoid it: to create a universal agent image with both Fortify client and JNLP, and use it in a pod template, but I hope this bug will be fixed. Thank you.

Fortify plugin in pipeline job

Hi, I am trying to use the fortify plugin in the pipeline syntax, here is my jenkinsfile, and I am getting the below error. I have followed the steps mentioned here
Any help would be appreciated. I checked the env variables and my FORTIFY_HOME is pointing to /tools/fortify/bin.

  agent {
    kubernetes {
      cloud 'kubernetes'
      label 'k8s-agent'
    }
  }
  
  tools { nodejs "nodejs-10.15.3" }
  options {
    timeout(time: 30, unit: 'MINUTES')
  }
  stages {
    stage('fortify scan'){
      steps {
        
        fortifyClean addJVMOptions: '', buildID: '${JOB_NAME}-${BUILD_NUMBER}', debug: true, logFile: '', maxHeap: '', verbose: true
        fortifyTranslate addJVMOptions: '', buildID: '${JOB_NAME}-${BUILD_NUMBER}', excludeList: '', logFile: './${JOB_NAME}-${BUILD_NUMBER}-translation.log', maxHeap: '', projectScanType: fortifyJava(javaAddOptions: '', javaClasspath: '', javaSrcFiles: '"packages/ui-components/src/**/*"', javaVersion: '1.8')
        fortifyScan addJVMOptions: '-64', addOptions: '', buildID: '${JOB_NAME}-${BUILD_NUMBER}', customRulepacks: '', logFile: './${JOB_NAME}-${BUILD_NUMBER}-scan.log', maxHeap: '8000', resultsFile: '${JOB_NAME}-${BUILD_NUMBER}-results.fpr'
        fortifyUpload appName: 'Demo', appVersion: 'Rel13', failureCriteria: '[fortify priority order]:critical OR high', filterSet: '', pollingInterval: '', resultsFile: ''
        //Generate pdf report from fpr report
        sh 'pwd'
        sh '/tools/fortify/bin/BIRTReportGenerator -template "Developer Workbook" -source ${JOB_NAME}-${BUILD_NUMBER}-results.fpr -output ${JOB_NAME}-${BUILD_NUMBER}-results.pdf -format PDF -showSuppressed -UseFortifyPriorityOrder'
      }
    }
  }
  
}
Fortify Jenkins plugin v 19.1.29
Launching Fortify SCA scan command
executable not found: sourceanalyzer
	home: /tools/fortify/bin
	path: null
	workspace: /home/jenkins/demo/workspace/demo-naga
[demo-naga] $ sourceanalyzer -Dcom.fortify.sca.ProjectRoot=/home/jenkins/demo/workspace/demo-naga/.fortify -b demo-naga-230 -Xmx8000M -64 -logfile ./demo-naga-230-scan.log -scan -f demo-naga-230-results.fpr

Proxy settings in JVM and in Jenkins do not allow the plugin to reach the SSC server

Jenkins and plugins versions report

Environment
Jenkins: 2.361.4
OS: Linux - 4.18.0-372.26.1.el8_6.x86_64
---
Office-365-Connector:4.18.0
ace-editor:1.1
allure-jenkins-plugin:2.30.3
amazon-ecr:1.107.ve50d37906739
amazon-ecs:1.46
analysis-model-api:10.20.0
ansible:1.1
ansicolor:1.0.2
ant:481.v7b_09e538fcca
antisamy-markup-formatter:155.v795fb_8702324
apache-httpcomponents-client-4-api:4.5.13-138.v4e7d9a_7b_a_e61
authentication-tokens:1.4
authorize-project:1.4.0
aws-credentials:191.vcb_f183ce58b_9
aws-java-sdk:1.12.287-357.vf82d85a_6eefd
aws-java-sdk-cloudformation:1.12.287-357.vf82d85a_6eefd
aws-java-sdk-codebuild:1.12.287-357.vf82d85a_6eefd
aws-java-sdk-ec2:1.12.287-357.vf82d85a_6eefd
aws-java-sdk-ecr:1.12.287-357.vf82d85a_6eefd
aws-java-sdk-ecs:1.12.287-357.vf82d85a_6eefd
aws-java-sdk-efs:1.12.287-357.vf82d85a_6eefd
aws-java-sdk-elasticbeanstalk:1.12.287-357.vf82d85a_6eefd
aws-java-sdk-iam:1.12.287-357.vf82d85a_6eefd
aws-java-sdk-logs:1.12.287-357.vf82d85a_6eefd
aws-java-sdk-minimal:1.12.287-357.vf82d85a_6eefd
aws-java-sdk-sns:1.12.287-357.vf82d85a_6eefd
aws-java-sdk-sqs:1.12.287-357.vf82d85a_6eefd
aws-java-sdk-ssm:1.12.287-357.vf82d85a_6eefd
bitbucket:223.vd12f2bca5430
bitbucket-pullrequest-builder:1.5.0
blueocean:1.25.8
blueocean-autofavorite:1.2.5
blueocean-bitbucket-pipeline:1.25.8
blueocean-commons:1.25.8
blueocean-config:1.25.8
blueocean-core-js:1.25.8
blueocean-dashboard:1.25.8
blueocean-display-url:2.4.1
blueocean-events:1.25.8
blueocean-git-pipeline:1.25.8
blueocean-github-pipeline:1.25.8
blueocean-i18n:1.25.8
blueocean-jwt:1.25.8
blueocean-personalization:1.25.8
blueocean-pipeline-api-impl:1.25.8
blueocean-pipeline-editor:1.25.8
blueocean-pipeline-scm-api:1.25.8
blueocean-rest:1.25.8
blueocean-rest-impl:1.25.8
blueocean-web:1.25.8
bootstrap4-api:4.6.0-5
bootstrap5-api:5.2.1-3
bouncycastle-api:2.26
branch-api:2.1051.v9985666b_f6cc
build-failure-analyzer:2.4.0
build-monitor-plugin:1.13+build.202205140447
build-name-setter:2.2.0
build-timeout:1.25
caffeine-api:2.9.3-65.v6a_47d0f4d1fe
categorized-view:1.12
checks-api:1.8.0
chucknorris:1.4
claim:501.v3a_4f04704b_64
cloudbees-bitbucket-branch-source:791.vb_eea_a_476405b
cloudbees-folder:6.758.vfd75d09eea_a_1
command-launcher:90.v669d7ccb_7c31
commons-httpclient3-api:3.1-3
commons-lang3-api:3.12.0-36.vd97de6465d5b_
commons-text-api:1.10.0-27.vb_fa_3896786a_7
conditional-buildstep:1.4.2
config-file-provider:3.11.1
configuration-as-code:1569.vb_72405b_80249
console-badge:1.1
copyartifact:1.48
credentials:1189.vf61b_a_5e2f62e
credentials-binding:523.vd859a_4b_122e6
crowd2:3.2.1
dashboard-view:2.466.vdfefd95a_b_f8d
data-tables-api:1.12.1-4
display-url-api:2.3.6
docker-commons:1.21
docker-java-api:3.2.13-37.vf3411c9828b9
docker-plugin:1.2.10
docker-workflow:528.v7c193a_0b_e67c
durable-task:503.v57154d18d478
ec2:2.0.4
echarts-api:5.4.0-1
email-ext:2.92
embeddable-build-status:304.vdcf48d6b_d2eb
envinject:2.881.v37c62073ff97
envinject-api:1.199.v3ce31253ed13
favorite:2.4.1
folder-properties:1.2.1
font-awesome-api:6.2.1-1
forensics-api:1.16.0
fortify:22.1.38
git:4.14.1
git-client:3.13.0
git-parameter:0.9.18
git-server:99.va_0826a_b_cdfa_d
github:1.36.0
github-api:1.303-400.v35c2d8258028
github-branch-source:1696.v3a_7603564d04
gradle:2.1.1
h2-api:1.4.199
handlebars:3.0.8
handy-uri-templates-2-api:2.1.8-22.v77d5b_75e6953
htmlpublisher:1.31
http_request:1.16
instance-identity:116.vf8f487400980
ionicons-api:31.v4757b_6987003
jackson2-api:2.14.1-313.v504cdd45c18b
jacoco:3.3.2
jakarta-activation-api:2.0.1-2
jakarta-mail-api:2.0.1-2
javadoc:226.v71211feb_e7e9
javax-activation-api:1.2.0-5
javax-mail-api:1.6.2-8
jaxb:2.3.7-1
jdk-tool:63.v62d2fd4b_4793
jenkins-design-language:1.25.8
jjwt-api:0.11.5-77.v646c772fddb_0
jnr-posix-api:3.1.16-1
jquery:1.12.4-1
jquery3-api:3.6.1-2
jsch:0.1.55.61.va_e9ee26616e7
junit:1166.va_436e268e972
junit-attachments:101.v82f494a_00e9e
junit-realtime-test-reporter:90.v7dc2c937f9a_8
ldap:2.12
lockable-resources:1069.v726298f53f8c
log-parser:2.3.0
mailer:438.v02c7f0a_12fa_4
matrix-auth:3.1.5
matrix-project:785.v06b_7f47b_c631
maven-plugin:3.20
mercurial:1260.vdfb_723cdcc81
metrics:4.2.10-405.v60a_9cc74e923
mina-sshd-api-common:2.9.2-50.va_0e1f42659a_a
mina-sshd-api-core:2.9.2-50.va_0e1f42659a_a
momentjs:1.1.1
nested-view:1.26
nexus-artifact-uploader:2.14
nexus-jenkins-plugin:3.16.459.vcdf273b_29f8c
no-agent-job-purge:1.2
node-iterator-api:49.v58a_8b_35f8363
nodejs:1.5.1
nodelabelparameter:1.11.0
okhttp-api:4.9.3-108.v0feda04578cf
pam-auth:1.10
parameterized-trigger:2.45
pipeline-aws:1.43
pipeline-build-step:2.18
pipeline-github-lib:38.v445716ea_edda_
pipeline-graph-analysis:195.v5812d95a_a_2f9
pipeline-groovy-lib:621.vb_44ce045b_582
pipeline-input-step:466.v6d0a_5df34f81
pipeline-maven:1235.v2db_ddd9f797b
pipeline-milestone-step:101.vd572fef9d926
pipeline-model-api:2.2118.v31fd5b_9944b_5
pipeline-model-definition:2.2118.v31fd5b_9944b_5
pipeline-model-extensions:2.2118.v31fd5b_9944b_5
pipeline-npm:0.9.2
pipeline-rest-api:2.28
pipeline-stage-step:296.v5f6908f017a_5
pipeline-stage-tags-metadata:2.2118.v31fd5b_9944b_5
pipeline-stage-view:2.28
pipeline-utility-steps:2.14.0
plain-credentials:139.ved2b_9cf7587b
plugin-util-api:2.18.0
popper-api:1.16.1-3
popper2-api:2.11.6-2
postgresql-api:42.3.3
prism-api:1.29.0-1
pubsub-light:1.17
rebuild:1.34
remote-file:1.23
resource-disposer:0.20
run-condition:1.5
schedule-build:345.vc2d8f6ef9182
scm-api:621.vda_a_b_055e58f7
script-security:1218.v39ca_7f7ed0a_c
sectioned-view:1.25
snakeyaml-api:1.33-90.v80dcb_3814d35
sonar:2.15
sse-gateway:1.26
ssh-credentials:305.v8f4381501156
ssh-slaves:2.854.v7fd446b_337c9
ssh-steps:2.0.39.v831c5e6468b_c
sshd:3.270.vb_a_e71e64c287
stashNotifier:1.28
strict-crumb-issuer:2.1.0
structs:324.va_f5d6774f3a_d
swarm:3.38
terraform:1.0.10
throttle-concurrents:2.10
timestamper:1.21
token-macro:321.vd7cc1f2a_52c8
trilead-api:2.84.v72119de229b_7
uno-choice:2.6.4
variant:59.vf075fe829ccb
versioncolumn:87.v8fe7c090a_d3b
view-job-filters:2.3
warnings-ng:9.20.1
workflow-aggregator:590.v6a_d052e5a_a_b_5
workflow-api:1200.v8005c684b_a_c6
workflow-basic-steps:994.vd57e3ca_46d24
workflow-cps:3536.vb_8a_6628079d5
workflow-durable-task-step:1217.v38306d8fa_b_5c
workflow-job:1254.v3f64639b_11dd
workflow-multibranch:716.vc692a_e52371b_
workflow-scm-step:400.v6b_89a_1317c9a_
workflow-step-api:639.v6eca_cd8c04a_a_
workflow-support:839.v35e2736cfd5c
ws-cleanup:0.43

What Operating System are you using (both controller, and any agents involved in the problem)?

Jenkins server runs on RHEL 8.6

Reproduction steps

Set on JVM the -Dhttp.proxyUser, -Dhttp.proxyPassword and -Dhttp.nonProxyHosts
Set the proxy settings in Jenkins, proxy user, proxy password, non proxy hosts
Setup the plugin and test the connection to SSC

The URL to SSC should be bypassing the proxy by using the non proxy hosts setup

Expected Results

Test to SSC connection succeeds

Actual Results

With checkbox Use Jenkins proxy OFF
Result: Cannot connect to SSC server. java.io.IOException: Failed to authenticate with proxy

With checkbox Use Jenkins proxy ON
Cannot connect to SSC server. java.io.IOException: Unexpected response code for CONNECT: 503

Anything else?

Seems the plugin is not taking care of the non proxy host value and still tries to use the proxy value - but the proxy must not be used in this specific case for the SSC URL.
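One way to check what the JVM itself does with the -Dhttp.* settings from this report (an added example, not code from the plugin): it asks the default ProxySelector whether a URL would be routed directly, which is what the non proxy hosts entry should produce for the SSC host. Proxy host, port and host names below are constructed values; the "Use Jenkins proxy" path goes through Jenkins's own proxy configuration, which keeps its own no-proxy list, so this only covers the JVM-property case.

```java
// Added example (not from the fortify-plugin project): shows how the JVM's own
// http.nonProxyHosts setting decides whether a given SSC URL bypasses the proxy.
import java.net.Proxy;
import java.net.ProxySelector;
import java.net.URI;
import java.util.List;

public class NonProxyHostsCheck {

    /** Returns true when the default ProxySelector routes this URI directly (no proxy). */
    public static boolean bypassesProxy(URI uri) {
        List<Proxy> proxies = ProxySelector.getDefault().select(uri);
        // The selector answers with a list; Proxy.NO_PROXY (type DIRECT) means "connect directly".
        return proxies.size() == 1 && proxies.get(0).type() == Proxy.Type.DIRECT;
    }

    public static void main(String[] args) {
        // Constructed values standing in for the -D settings from the report.
        // The default selector reads these properties on every select() call.
        System.setProperty("http.proxyHost", "proxy.example.internal");
        System.setProperty("http.proxyPort", "3128");
        System.setProperty("https.proxyHost", "proxy.example.internal");
        System.setProperty("https.proxyPort", "3128");
        // http.nonProxyHosts applies to https as well: '|' separates entries,
        // '*' is a leading or trailing wildcard.
        System.setProperty("http.nonProxyHosts", "localhost|127.*|*.corp.example");

        URI ssc = URI.create("https://ssc.corp.example/ssc");      // constructed SSC host
        URI outside = URI.create("https://plugins.jenkins.io/");
        System.out.println(ssc + " bypasses proxy: " + bypassesProxy(ssc));         // true
        System.out.println(outside + " bypasses proxy: " + bypassesProxy(outside)); // false
    }
}
```

If the SSC host prints true here but the plugin still reports a proxy error with the checkbox off, the client library is not consulting the JVM's selector for that connection, which narrows the problem down to the plugin's own proxy handling.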

How do I access the new timeout setting from a Pipeline script?

I am running the following currently and need access to the new read/write timeout values so I can set them.

fortifyUpload appName: build.sscname, appVersion: branchName, resultsFile: appResultsFile

How do I set read/write timeouts values?

Need access to token from script

I have the following to retrieve the URL to an application version. My question is how do I get the token programmatically from the Jenkins plugin so I can pass it to my function? The access token has been entered into the plugin configuration already and is verified to be working within the normal steps such as fortifyScan etc.

import groovy.json.JsonSlurper

// Builds the SSC web UI link for an application version by resolving the project
// and version ids through the SSC REST API, authenticating with the encoded token.
def getSscAppUrl(baseUrl, token, appName, appVersion, filterSet){
    // SSC expects the token base64-encoded in a "FortifyToken" Authorization header
    def encodedtoken = token.bytes.encodeBase64().toString()
    def projectconnection = new URL( baseUrl + "/api/v1/projects?q=name:" + appName + "&fields=_href").openConnection() as HttpURLConnection
    projectconnection.setRequestProperty( 'Authorization', 'FortifyToken ' + encodedtoken)
    def projects = new JsonSlurper().parseText(projectconnection.inputStream.text).data
    if (!projects) throw new IllegalStateException("SSC application not found: " + appName)
    def versionconnection = new URL( projects[0]._href + "/versions?q=name:" + appVersion + "&fields=id").openConnection() as HttpURLConnection
    versionconnection.setRequestProperty( 'Authorization', 'FortifyToken ' + encodedtoken)
    def versions = new JsonSlurper().parseText(versionconnection.inputStream.text).data
    if (!versions) throw new IllegalStateException("SSC version not found: " + appVersion)
    // Numeric version id is what the SSC UI route uses
    def url = baseUrl + "/html/ssc/version/" + versions[0].id + "/fix/null/?filterSet=" + filterSet
    return url
}

Thanks.

Fortify Pipeline Issue - Unable to view results in Fortify Assessment

I am currently running a Fortify Suite environment with version 20.1, and the same goes for the Jenkins plugin version. I am able to run a Jenkins job with "Invoke Fortify Assessment" in Post-Build Actions; the FPR gets published to SSC and I am able to view the results in Jenkins as a separate hyperlink.

However, when I perform the same via a pipeline with a "fortifyUpload" step, the FPR gets published to SSC but I am unable to view the results in Jenkins. Fortify support mentioned this as a bug, since we have special characters in our Fortify project version.

How is it possible that the "Build Step" works fine with special characters whereas the "Pipeline Step" doesn't? Is it really a bug, or is my understanding wrong? Please let me know.

Specify Issue Template on FortifyUpload

Dependencies

Feature Request

When the fortifyUpload request creates an application it uses the Issue Template defined in the Fortify Plugin (FortifyPlugin.DESCRIPTOR.getProjectTemplate()). The issue template defined here does not necessarily fit all applications built within our Jenkins instance (we have some high risk and some low risk). Would it be possible to override the issue template and pass it in to fortifyUpload in each pipeline?

RemoteService::locateFPRInWorkspace fails when recursive symlinks are present

Jenkins and plugins versions report

Fortify Plugin v21.1.36, but applies up to and including master as well

What Operating System are you using (both controller, and any agents involved in the problem)?

Redhat Enterprise Linux 7.9 on both controller and agents

Reproduction steps

  1. Create a repository or Jenkins workspace which contains a recursive symlink (e.g. a symlink to itself).
  2. Run a build as normal to produce artifacts for Fortify to Scan
  3. Run steps.fortifyUpload (optionally provide resultsFile, it doesn't matter)
  4. Wait for timeout to occur because of recursive directory search

Expected Results

The file search in https://github.com/jenkinsci/fortify-plugin/blob/master/src/main/java/com/fortify/plugin/jenkins/RemoteService.java#L77 should search all available files for the FPR file and return accordingly.

Actual Results

Jenkins raises a FileSystemLoopException and fortifyUpload exits uncleanly.

Anything else?

My suggestion is to prevent the search from traversing down recursive paths, in order to keep support for projects which utilize a recursive directory structure. Some packaging tools such as CPack have quirks where you need to artificially inflate the file path to the source and build folders; using an in-directory symlink (created by the pipeline) is a straightforward way to accomplish this.
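An added example (not the plugin's RemoteService code) of an FPR search that follows symlinks, as the report's CPack case needs, but treats a recursive link as an entry to skip rather than a fatal error; the workspace layout built in main is constructed.

```java
// Added example (not the plugin's RemoteService code): locate *.fpr files under a
// workspace while following symlinks, but survive recursive links instead of
// failing with FileSystemLoopException or walking forever.
import java.io.IOException;
import java.nio.file.FileSystemLoopException;
import java.nio.file.FileVisitOption;
import java.nio.file.FileVisitResult;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.SimpleFileVisitor;
import java.nio.file.attribute.BasicFileAttributes;
import java.util.ArrayList;
import java.util.EnumSet;
import java.util.List;

public class FprLocator {

    /** Returns every regular file ending in .fpr below root, ignoring symlink cycles. */
    public static List<Path> locateFprFiles(Path root) throws IOException {
        List<Path> found = new ArrayList<>();
        Files.walkFileTree(root, EnumSet.of(FileVisitOption.FOLLOW_LINKS), Integer.MAX_VALUE,
            new SimpleFileVisitor<Path>() {
                @Override
                public FileVisitResult visitFile(Path file, BasicFileAttributes attrs) {
                    if (attrs.isRegularFile() && file.getFileName().toString().endsWith(".fpr")) {
                        found.add(file);
                    }
                    return FileVisitResult.CONTINUE;
                }

                @Override
                public FileVisitResult visitFileFailed(Path file, IOException exc) {
                    // With FOLLOW_LINKS the walker detects a directory cycle (same file key
                    // as an ancestor) and reports it here instead of descending into it.
                    if (exc instanceof FileSystemLoopException) {
                        System.err.println("skipping symlink loop at " + file);
                        return FileVisitResult.CONTINUE;
                    }
                    // An unreadable entry should not abort the whole search either.
                    System.err.println("cannot read " + file + ": " + exc.getMessage());
                    return FileVisitResult.CONTINUE;
                }
            });
        return found;
    }

    public static void main(String[] args) throws IOException {
        // Constructed workspace: a self-referencing symlink next to one result file.
        // (Creating symlinks on Windows may require extra privileges.)
        Path ws = Files.createTempDirectory("fortify-ws");
        Files.createDirectories(ws.resolve("target"));
        Files.createFile(ws.resolve("target/scan.fpr"));
        Files.createSymbolicLink(ws.resolve("self"), ws);   // recursive link as in the report
        System.out.println(locateFprFiles(ws));             // exactly one path: .../target/scan.fpr
    }
}
```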

Read timeout

We are receiving read timeout errors during the upload step. The strange part is that on the SSC server the FPR upload is successful and it is processed correctly once there. Note that this only occurs for larger FPRs with more issues.

com.fortify.ssc.restclient.ApiException: java.net.SocketTimeoutException: Read timed out
	at com.fortify.ssc.restclient.ApiClient.execute(ApiClient.java:846)
	at com.fortify.ssc.restclient.api.ArtifactOfProjectVersionControllerApi.uploadArtifactOfProjectVersionWithHttpInfo(ArtifactOfProjectVersionControllerApi.java:314)
	at com.fortify.ssc.restclient.api.ArtifactOfProjectVersionControllerApi.uploadArtifactOfProjectVersion(ArtifactOfProjectVersionControllerApi.java:298)
	at com.fortify.plugin.jenkins.fortifyclient.ApiClientWrapper.uploadFpr(ApiClientWrapper.java:498)
	at com.fortify.plugin.jenkins.fortifyclient.FortifyClient.uploadFPR(FortifyClient.java:155)
	at com.fortify.plugin.jenkins.steps.FortifyUpload$1.runWith(FortifyUpload.java:271)
	at com.fortify.plugin.jenkins.steps.FortifyUpload$1.runWith(FortifyUpload.java:268)
	at com.fortify.plugin.jenkins.steps.FortifyUpload.runWithFortifyClient(FortifyUpload.java:788)
	at com.fortify.plugin.jenkins.steps.FortifyUpload.uploadToSSC(FortifyUpload.java:267)
	at com.fortify.plugin.jenkins.steps.FortifyUpload.perform(FortifyUpload.java:194)
	at com.fortify.plugin.jenkins.steps.FortifyUpload$Execution.run(FortifyUpload.java:809)
	at com.fortify.plugin.jenkins.steps.FortifyUpload$Execution.run(FortifyUpload.java:798)
	at org.jenkinsci.plugins.workflow.steps.SynchronousNonBlockingStepExecution.lambda$start$0(SynchronousNonBlockingStepExecution.java:47)
	at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
	at java.util.concurrent.FutureTask.run(Unknown Source)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
	at java.lang.Thread.run(Unknown Source)
Caused by: java.net.SocketTimeoutException: Read timed out
	at java.net.SocketInputStream.socketRead0(Native Method)
	at java.net.SocketInputStream.socketRead(Unknown Source)
	at java.net.SocketInputStream.read(Unknown Source)
	at java.net.SocketInputStream.read(Unknown Source)
	at sun.security.ssl.InputRecord.readFully(Unknown Source)
	at sun.security.ssl.InputRecord.read(Unknown Source)
	at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
	at sun.security.ssl.SSLSocketImpl.readDataRecord(Unknown Source)
	at sun.security.ssl.AppInputStream.read(Unknown Source)
	at okio.Okio$2.read(Okio.java:139)
	at okio.AsyncTimeout$2.read(AsyncTimeout.java:211)
	at okio.RealBufferedSource.indexOf(RealBufferedSource.java:306)
	at okio.RealBufferedSource.indexOf(RealBufferedSource.java:300)
	at okio.RealBufferedSource.readUtf8LineStrict(RealBufferedSource.java:196)
	at com.squareup.okhttp.internal.http.Http1xStream.readResponse(Http1xStream.java:186)
	at com.squareup.okhttp.internal.http.Http1xStream.readResponseHeaders(Http1xStream.java:127)
	at com.squareup.okhttp.internal.http.HttpEngine.readNetworkResponse(HttpEngine.java:737)
	at com.squareup.okhttp.internal.http.HttpEngine.access$200(HttpEngine.java:87)
	at com.squareup.okhttp.internal.http.HttpEngine$NetworkInterceptorChain.proceed(HttpEngine.java:722)
	at com.squareup.okhttp.internal.http.HttpEngine.readResponse(HttpEngine.java:576)
	at com.squareup.okhttp.Call.getResponse(Call.java:287)
	at com.squareup.okhttp.Call$ApplicationInterceptorChain.proceed(Call.java:243)
	at com.squareup.okhttp.Call.getResponseWithInterceptorChain(Call.java:205)
	at com.squareup.okhttp.Call.execute(Call.java:80)
	at com.fortify.ssc.restclient.ApiClient.execute(ApiClient.java:842)

Java Source Version selection box always reverts back to 8 in the job configuration

Jenkins and plugins versions report

Environment
Jenkins: 2.332.2
OS: Windows Server 2019 - 10.0
---
TestComplete:2.8.1
ace-editor:1.1
analysis-model-api:10.10.0
ant:475.vf34069fef73c
antisamy-markup-formatter:2.7
apache-httpcomponents-client-4-api:4.5.13-1.0
authentication-tokens:1.4
bootstrap4-api:4.6.0-4
bootstrap5-api:5.1.3-6
bouncycastle-api:2.26
branch-api:2.1046.v0ca_37783ecc5
caffeine-api:2.9.3-65.v6a_47d0f4d1fe
checks-api:1.7.3
cloudbees-folder:6.714.v79e858ef76a_2
cobertura:1.17
code-coverage-api:2.0.4
command-launcher:1.6
config-file-provider:3.9.0
configuration-as-code:1429.v09b_044a_c93de
credentials:1087.1089.v2f1b_9a_b_040e4
credentials-binding:523.vd859a_4b_122e6
dashboard-view:2.432.va_712ce35862d
data-tables-api:1.11.4-4
display-url-api:2.3.6
docker-commons:1.19
durable-task:496.va67c6f9eefa7
echarts-api:5.3.2-1
email-ext:2.88
font-awesome-api:6.0.0-1
forensics-api:1.12.0
fortify:21.2.37
git:4.11.1
git-client:3.11.0
git-server:1.10
github:1.34.3
github-api:1.303-400.v35c2d8258028
github-branch-source:1598.v91207e9f9b_4a_
gradle:1.38
handlebars:3.0.8
htmlpublisher:1.30
ivy:2.1
jackson2-api:2.13.2.20220328-273.v11d70a_b_a_1a_52
jacoco:3.3.1
javax-activation-api:1.2.0-3
javax-mail-api:1.6.2-6
jaxb:2.3.0.1
jdk-tool:1.5
jjwt-api:0.11.2-71.v2722b_b_06a_2a_f
jquery-detached:1.2.1
jquery3-api:3.6.0-3
jsch:0.1.55.2
junit:1.60
lockable-resources:2.14
mailer:414.vcc4c33714601
mapdb-api:1.0.9.0
matrix-auth:3.1.1
matrix-project:758.v7a_ea_491852f3
momentjs:1.1.1
okhttp-api:4.9.3-105.vb96869f8ac3a
pipeline-build-step:2.18
pipeline-github-lib:36.v4c01db_ca_ed16
pipeline-graph-analysis:195.v5812d95a_a_2f9
pipeline-input-step:448.v37cea_9a_10a_70
pipeline-milestone-step:101.vd572fef9d926
pipeline-model-api:2.2077.vc78ec45162f1
pipeline-model-definition:2.2077.vc78ec45162f1
pipeline-model-extensions:2.2077.vc78ec45162f1
pipeline-rest-api:2.24
pipeline-stage-step:293.v200037eefcd5
pipeline-stage-tags-metadata:2.2077.vc78ec45162f1
pipeline-stage-view:2.24
plain-credentials:1.8
plugin-util-api:2.16.0
popper-api:1.16.1-3
popper2-api:2.11.5-1
prism-api:1.26.0-2
resource-disposer:0.19
scm-api:608.vfa_f971c5a_a_e9
script-security:1158.v7c1b_73a_69a_08
snakeyaml-api:1.30.1
ssh-credentials:277.v95c2fec1c047
sshd:3.228.v4c9f9e652c86
structs:318.va_f3ccb_729b_71
subversion:2.15.4
timestamper:1.17
token-macro:293.v283932a_0a_b_49
trilead-api:1.57.v6e90e07157e1
variant:1.4
warnings-ng:9.12.0
workflow-aggregator:2.7
workflow-api:1144.v61c3180fa_03f
workflow-basic-steps:948.v2c72a_091b_b_68
workflow-cps:2689.v434009a_31b_f1
workflow-cps-global-lib:570.v21311f4951f8
workflow-durable-task-step:1130.v8fd69d0b_8857
workflow-job:1180.v04c4e75dce43
workflow-multibranch:712.vc169a_1387405
workflow-scm-step:399.v9b_8f4da_65061
workflow-step-api:625.vd896b_f445a_f8
workflow-support:819.v37d707a_71d9b_
ws-cleanup:0.42

What Operating System are you using (both controller, and any agents involved in the problem)?

Windows Server 2019

Reproduction steps

  1. Create a new Jenkins job
  2. Add a Post-build Action and select Fortify Assessment
  3. Select local translation & local scan
  4. Choose Application Type = Java
  5. Select Java Source Version = 11
  6. Fill in a value for Source Files
  7. Check the box for "Run Fortify SCA Scan"
  8. Click Save
  9. Go back into the job configuration

Expected Results

The Java Source Version should show the previously selected "11" value.

Actual Results

The Java Source Version has reverted to showing "8". If the configuration is saved at this point, the "8" is saved with it, overwriting the correct value of "11". The only way to keep the configuration correct is to remember to change the Java Source Version every time the job is modified.

Anything else?

The underlying XML configuration file for the job does actually get the correct selection saved, and the job runs SCA correctly with the saved value, but the frontend does not properly re-select it when the job is modified.

fortifyUpload: Allow overriding of SSC URL and Authentication Token

What feature do you want to see added?

Currently the Fortify assessment credentials are stored globally; however, I want to provide these at runtime so I can use a credential that is folder scoped.

e.g.

current:

fortifyUpload appName: "cerebro_${GIT_REPO_NAME}", 
                        appVersion: "${APP_VERSION}", 
                        failureCriteria: '[fortify priority order]:critical',
                        resultsFile: "${GIT_REPO_NAME}.fpr",
                        timeout: "3"

desired:

fortifyUpload appName: "cerebro_${GIT_REPO_NAME}", 
                        appVersion: "${APP_VERSION}",
                        serverURL: "myServerURL",
                        token: "credentialID",
                        failureCriteria: '[fortify priority order]:critical',
                        resultsFile: "${GIT_REPO_NAME}.fpr",
                        timeout: "3"

Upstream changes

No response

Jenkins fails with OutOfMemoryError while uploading FPR to SSC

I am getting the below error when I try to upload a Fortify .fpr file to SSC (https://fortifyssc.*******.com) from the Jenkins build configuration.

serverjava.lang.OutOfMemoryError: Java heap space

The system where Jenkins is installed has 32GB of RAM. The project report I am trying to upload to SSC is a simple project; as per the documentation it requires 16GB RAM, and the project is a simple Ant build.

Not sure what needs to be done further to fix this; is there any setting in Jenkins where I can specify RAM & CPU size?

What I got from Google is that Jenkins will by default take the available space. Please find attached a screenshot of the log and the system configuration.

IssueWithJenkins

Any suggestion is appreciated,

Thanks & Regards.
Abir Das.

After installing the latest plugin we observe that the plugin is sending connections to SSC even when there is no scanning job

Jenkins and plugins versions report

Hi,

After installing the latest plugin we observe that the plugin is sending connections to SSC even when there is no scanning job.

Is this normal behaviour? Based on our observation the previous plugin v22 doesn't have this behaviour.

Thanks and regards,
Janice

What Operating System are you using (both controller, and any agents involved in the problem)?

Jenkins Version 2.426.3
Fortify SSC v23.1
Jenkins Plugin version 23.1.40

Reproduction steps

Create a pipeline to upload scan result to ssc and observe the network connection.

Expected Results

The plugin should not establish any connection to SSC if there is no scan result to be uploaded.

Actual Results

The plugin is trying to establish a connection when the pipeline is not triggered.

Anything else?

No response

Are you interested in contributing a fix?

No response

The Plugin Can Not Find FORTIFY_HOME & PATH

Version report

Jenkins and plugins versions report:

Jenkins:2.289.2.3-rolling
Fortify Jenkins Plugin: v21.1.36 & v20.1.33

The places where we set the PATH variable are as follows.

  • In the groovy script.
  • The Agent environment variables in Jenkins.
  • The Agent environment variables in ~/.bash_profile

Also, we tried to set FORTIFY_HOME from global properties. The plugin didn't find the "sourceanalyzer" command.

Whenever we set the PATH variable from "global property" to "fortify/bin", then it can find "sourceanalyzer". When we make this setting, our other jobs in Jenkins do not work.

Hyperlink error in Fortify Assessment with engineType=SCA

Version report

Jenkins and plugins versions report:

Jenkins version: 2.235.5
Fortify plugin version: 20.2.34
SSC version: 20.2.0.0149

What Operating System are you using (both controller, and any agents involved in the problem)?

We got the below error when clicking the hyperlink in Fortify Assessment.

Unexpected error has occurred. Please contact your administrator Jun 3, 2021 5:33:17 PM
TypeError: Cannot read property 'traceNodes' of undefined

Got error URL link:
https://fortifyssc.sample.com:8443/ssc/html/ssc/version/10001/fix/26/?projectName=WEATHERFORECAST-API&projectVersionName=1.0&issue=B97D5FD6B9BD8340DF4AD9FF52658746&engineType=SCA

We tried removing engineType=SCA from the URL, and it works without error.
Working URL:
https://fortifyssc.sample.com:8443/ssc/html/ssc/version/10001/fix/26/?projectName=WEATHERFORECAST-API&projectVersionName=1.0&issue=B97D5FD6B9BD8340DF4AD9FF52658746

Reproduction steps

  • Step 1...
  • Step 2...

Results

Expected result:

open URL link to Fortify web console.

Actual result:

Unexpected error has occurred. Please contact your administrator Jun 3, 2021 5:33:17 PM
TypeError: Cannot read property 'traceNodes' of undefined

Translate maven project locally on Jenkins/Ubuntu doesn't find sourceanalyzer

However, it says "Found executable: /opt/jenkins/fortify/Fortify_SCA_and_Apps_19.1.2/bin/sourceanalyzer" also (see below), so FORTIFY_HOME is set properly. Since this is a post-build step, there is no good way to set a path or alias.
Note that I snipped off some project-specific names for clarity.

It is possible to work around this by adding an alias in e.g. /usr/bin, but that does not feel like a good approach on Linux.

16:32:08 Fortify Jenkins plugin v 20.1.33
16:32:08 Launching Fortify SCA translate command
16:32:08 Found executable: /opt/jenkins/fortify/Fortify_SCA_and_Apps_19.1.2/bin/sourceanalyzer
16:32:08 Running Maven 3 translation
16:32:08 Found executable: /usr/bin/mvn
16:32:08 [] $ /opt/jenkins/fortify/Fortify_SCA_and_Apps_19.1.2/bin/sourceanalyzer -Dcom.fortify.sca.ProjectRoot=/var/lib/jenkins/workspace//.fortify -b -debug -verbose /usr/bin/mvn -f /pom.xml
16:32:09 Fortify Static Code Analyzer 19.1.2.0007 (using JRE 1.8.0_181)
16:32:11 [INFO] Scanning for projects...

16:32:12 [INFO] Executing Command: /bin/sh -c cd /var/lib/jenkins/workspace/ && sourceanalyzer -Xmx91168317850 -Xss16M @/var/lib/jenkins/workspace//target/fortify/sca-translate--pom.txt
16:32:12 [ERROR] Command exited with code 127.
16:32:12 /bin/sh: 1: sourceanalyzer: not found

Plugin not scanning VS Solutions

I'm unable to get the Fortify plugin to scan C++ Visual Studio solutions properly. The translation step is not finding the system VS dependencies (string, iostream, etc) or other dependencies in the project. Can you assist?

Plugin can not find FORTIFY_HOME & PATH due to java.io.File.isFile not returning true when expected

Jenkins and plugins versions report

Environment
Jenkins: 2.361.1
OS: Linux - 4.18.0-305.62.1.el8_4.x86_64
---
ace-editor:1.1
active-directory:2.26
antisamy-markup-formatter:2.7
apache-httpcomponents-client-4-api:4.5.13-138.v4e7d9a_7b_a_e61
authentication-tokens:1.4
bootstrap5-api:5.2.1-3
bouncycastle-api:2.26
branch-api:2.1046.v0ca_37783ecc5
build-user-vars-plugin:1.9
caffeine-api:2.9.3-65.v6a_47d0f4d1fe
checks-api:1.7.5
cloudbees-disk-usage-simple:178.v1a_4d2f6359a_8
cloudbees-folder:6.758.vfd75d09eea_a_1
command-launcher:90.v669d7ccb_7c31
commons-lang3-api:3.12.0-36.vd97de6465d5b_
commons-text-api:1.9-19.v8df45c678366
configuration-as-code:1512.vb_79d418d5fc8
credentials:1189.vf61b_a_5e2f62e
credentials-binding:523.vd859a_4b_122e6
cucumber-reports:5.7.3
display-url-api:2.3.6
docker-commons:1.21
docker-workflow:521.v1a_a_dd2073b_2e
durable-task:500.v8927d9fd99d8
echarts-api:5.4.0-1
extended-read-permission:3.2
font-awesome-api:6.2.0-3
fortify:22.1.38
git:4.12.1
git-client:3.12.1
git-server:99.va_0826a_b_cdfa_d
google-oauth-plugin:1.0.7
gradle:1.40
handlebars:3.0.8
htmlpublisher:1.31
http_request:1.16
instance-identity:116.vf8f487400980
ionicons-api:28.va_f3a_84439e5f
jackson2-api:2.13.3-285.vc03c0256d517
jakarta-activation-api:2.0.1-2
jakarta-mail-api:2.0.1-2
javax-activation-api:1.2.0-5
javax-mail-api:1.6.2-8
jaxb:2.3.6-2
jdk-tool:55.v1b_32b_6ca_f9ca
jquery-detached:1.2.1
jquery3-api:3.6.1-2
jsch:0.1.55.61.va_e9ee26616e7
junit:1150.v5c2848328b_60
kubernetes:3718.ve44878b_12184
kubernetes-client-api:5.12.2-193.v26a_6078f65a_9
kubernetes-credentials:0.9.0
kubernetes-credentials-provider:1.199.v4a_1d1f5d074f
lockable-resources:2.18
mailer:438.v02c7f0a_12fa_4
matrix-auth:3.1.5
matrix-project:785.v06b_7f47b_c631
metrics:4.2.10-389.v93143621b_050
mina-sshd-api-common:2.9.1-44.v476733c11f82
mina-sshd-api-core:2.9.1-44.v476733c11f82
momentjs:1.1.1
oauth-credentials:0.5
openshift-client:1.0.37
parameterized-trigger:2.45
pipeline-build-step:2.18
pipeline-graph-analysis:195.v5812d95a_a_2f9
pipeline-groovy-lib:612.v84da_9c54906d
pipeline-input-step:451.vf1a_a_4f405289
pipeline-milestone-step:101.vd572fef9d926
pipeline-model-api:2.2114.v2654ca_721309
pipeline-model-definition:2.2114.v2654ca_721309
pipeline-model-extensions:2.2114.v2654ca_721309
pipeline-rest-api:2.24
pipeline-stage-step:296.v5f6908f017a_5
pipeline-stage-tags-metadata:2.2114.v2654ca_721309
pipeline-stage-view:2.24
pipeline-utility-steps:2.13.0
plain-credentials:139.ved2b_9cf7587b
plugin-util-api:2.18.0
popper2-api:2.11.6-2
prometheus:2.0.11
promoted-builds:892.vd6219fc0a_efb
rebuild:1.34
role-strategy:562.v44e9a_e828d0e
scm-api:621.vda_a_b_055e58f7
script-security:1183.v774b_0b_0a_a_451
snakeyaml-api:1.32-86.ve3f030a_75631
ssh-credentials:305.v8f4381501156
sshd:3.249.v2dc2ea_416e33
structs:324.va_f5d6774f3a_d
token-macro:308.v4f2b_ed62b_b_16
trilead-api:2.72.v2a_3236754f73
variant:59.vf075fe829ccb
windows-slaves:1.8.1
workflow-aggregator:590.v6a_d052e5a_a_b_5
workflow-api:1192.v2d0deb_19d212
workflow-basic-steps:994.vd57e3ca_46d24
workflow-cps:2802.v5ea_628154b_c2
workflow-cps-global-lib:588.v576c103a_ff86
workflow-durable-task-step:1199.v02b_9244f8064
workflow-job:1239.v71b_b_a_124a_725
workflow-multibranch:716.vc692a_e52371b_
workflow-scm-step:400.v6b_89a_1317c9a_
workflow-step-api:639.v6eca_cd8c04a_a_
workflow-support:838.va_3a_087b_4055b

What Operating System are you using (both controller, and any agents involved in the problem)?

Red Hat's ubi8 image

Reproduction steps

FORTIFY_HOME is set to /opt/Fortify/bin
withEnv(['PATH+FORTIFY=/opt/Fortify/bin']) {
fortifyClean buildID: fortify_project
}

Expected Results

step is executed

Actual Results

Running FortifyClean step
Fortify Jenkins plugin v 22.1.38
Launching Fortify SCA clean command
......
java.io.FileNotFoundException: ERROR: executable not found: sourceanalyzer; make sure that either FORTIFY_HOME environment variable is set or sourceanalyzer is on the PATH or in workspace
	at com.fortify.plugin.jenkins.steps.FortifyStep.findExecutablePath(FortifyStep.java:104)
	at com.fortify.plugin.jenkins.steps.FortifyStep.getExecutable(FortifyStep.java:93)
	at com.fortify.plugin.jenkins.steps.FortifySCAStep.getSourceAnalyzerExecutable(FortifySCAStep.java:94)
	at com.fortify.plugin.jenkins.steps.FortifyClean.perform(FortifyClean.java:67)
	at com.fortify.plugin.jenkins.steps.FortifyClean$Execution.run(FortifyClean.java:149)
	at com.fortify.plugin.jenkins.steps.FortifyClean$Execution.run(FortifyClean.java:134)
	at org.jenkinsci.plugins.workflow.steps.SynchronousNonBlockingStepExecution.lambda$start$0(SynchronousNonBlockingStepExecution.java:47)
	at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
	at java.base/java.lang.Thread.run(Thread.java:829)

Anything else?

This is similar to issue #49. I can only get this to work if I copy the files to the workspace. It does not respect the FORTIFY_HOME or PATH settings.

The access to the bin directory is:

drwxrwxrwx.  2 1001 1001    4096 Oct 14 07:48 bin

The access to the files in the bin directory:

-rwxrwxrwx. 1 1001 1001  237985 May 13 23:50 sourceanalyzer
-rwxrwxrwx. 1 1001 1001    2304 May 13 23:50 SCAState
-rwxrwxrwx. 1 1001 1001       0 May 13 23:50 update.ini
-rwxrwxrwx. 1 1001 1001    1492 May 13 23:50 scapostinstall
-rwxrwxrwx. 1 1001 1001    1834 May 13 23:50 iidmigrator
-rwxrwxrwx. 1 1001 1001    1774 May 13 23:50 fortifyupdate
-rwxrwxrwx. 1 1001 1001    1758 May 13 23:50 fortifyclient
-rwxrwxrwx. 1 1001 1001 7589347 May 13 23:50 autoupdate-linux.run
-rwxrwxrwx. 1 1001 1001 9135950 May 13 23:50 autoupdate-linux-x64.run
-rwxrwxrwx. 1 1001 1001    1459 May 13 23:50 auditworkbench
-rwxrwxrwx. 1 1001 1001    1812 May 13 23:50 ScanWizard
-rwxrwxrwx. 1 1001 1001    2159 May 13 23:50 ReportGenerator
-rwxrwxrwx. 1 1001 1001    2209 May 13 23:50 FPRUtility
-rwxrwxrwx. 1 1001 1001    1466 May 13 23:50 CustomRulesEditor
-rwxrwxrwx. 1 1001 1001    2427 May 13 23:50 BIRTReportGenerator
-rwxrwxrwx. 1 1001 1001    2369 May 13 23:58 scancentral
-rwxrwxrwx. 1 1001 1001    2629 May 13 23:58 pwtool
-rwxrwxrwx. 1 1001 1001    2212 May 13 23:58 packagescanner

Calling java.io.File.isFile in a pipeline script on /opt/Fortify/bin/sourceanalyzer returns false, which seems to be related to the Unix environment.

I know sourceanalyzer is accessible as I can call it directly with sh '/opt/Fortify/bin/sourceanalyzer' and it executes.

I have narrowed it down to File.isFile() in FindExecutableRemoteService.invoke and PathUtils.locateFileInPath not returning the expected result of true. I have seen forums regarding an issue in the JDK; it would appear that there is a workaround of changing it to !file.isDirectory(), which will resolve the issue. I tested calling !File.isDirectory in a pipeline script in my environment.
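An added example (not the plugin's FindExecutableRemoteService or PathUtils code) that resolves an executable from FORTIFY_HOME and PATH using NIO checks in the spirit of the !isDirectory() workaround described above. Trying both FORTIFY_HOME and FORTIFY_HOME/bin is this example's own choice, and main reads the real environment of the JVM it runs in.

```java
// Added example (not the plugin's code): locate an executable such as sourceanalyzer
// with java.nio.file checks instead of java.io.File.isFile().
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.Optional;

public class ExecutableLocator {

    /** Usable executable: exists (links followed), is not a directory, and is executable. */
    static boolean isUsableExecutable(Path candidate) {
        // Mirrors the report's workaround: require "not a directory" rather than isFile().
        // Files.isDirectory/isExecutable resolve symlinks by default.
        return Files.exists(candidate)
            && !Files.isDirectory(candidate)
            && Files.isExecutable(candidate);
    }

    /** Search order (this example's choice): FORTIFY_HOME, FORTIFY_HOME/bin, then each PATH entry. */
    public static Optional<Path> locate(String name, String fortifyHome, String pathEnv) {
        List<Path> dirs = new ArrayList<>();
        if (fortifyHome != null && !fortifyHome.isEmpty()) {
            dirs.add(Paths.get(fortifyHome));
            dirs.add(Paths.get(fortifyHome, "bin"));
        }
        if (pathEnv != null) {
            // PATH entries are separated by ':' on Unix and ';' on Windows.
            for (String entry : pathEnv.split(File.pathSeparator)) {
                if (!entry.isEmpty()) {
                    dirs.add(Paths.get(entry));
                }
            }
        }
        for (Path dir : dirs) {
            Path candidate = dir.resolve(name);
            if (isUsableExecutable(candidate)) {
                return Optional.of(candidate.toAbsolutePath().normalize());
            }
        }
        return Optional.empty();
    }

    public static void main(String[] args) {
        // sourceanalyzer is only found where Fortify SCA is installed, so a tool that is
        // normally on PATH is looked up as well to show a successful resolution.
        String home = System.getenv("FORTIFY_HOME");
        String path = System.getenv("PATH");
        System.out.println("sourceanalyzer -> " + locate("sourceanalyzer", home, path));
        System.out.println("sh -> " + locate("sh", null, path));
    }
}
```

Running this on the agent from the report, with the same FORTIFY_HOME and PATH the pipeline sees, shows whether the NIO checks agree with the sh call that succeeds or with the isFile() result that fails.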

Remove usages of Prototype from Fortify

See this blog post for details. Prototype will eventually be removed from Jenkins core. To prepare for this transition, this plugin must be migrated away from Prototype. The blog post contains instructions on how to find and eliminate usages of Prototype. In this plugin, the following usages of Prototype have been identified. This may not be an exhaustive list:

./src/main/webapp/refresh-projects.js:38:    new Ajax.Request(url, {
./src/main/webapp/refresh-projects.js:105:    new Ajax.Request(url, {
./src/main/webapp/refresh-projects.js:146:    paramList.split(',').each(function(name) {
./src/main/webapp/refresh-projects.js:170:    new Ajax.Request(url, {
./src/main/webapp/refresh-projects.js:237:    new Ajax.Request(url, {
./src/main/webapp/refresh-issues.js:25:                 new Ajax.Request(urlLink, {
./src/main/webapp/refresh-issues.js:65:            new Ajax.Request(contextUrl+"/checkUpdates?stamp="+stamp,{
./src/main/webapp/refresh-issues.js:68:                    var update = rsp.getResponseHeader('go');
./src/main/webapp/refresh-issues.js:82:            new Ajax.Request(contextUrl+"/ajaxStats",{
./src/main/webapp/refresh-issues.js:95:            new Ajax.Request(contextUrl+"/ajaxIssues",{
./src/main/webapp/refresh-issues.js:108:            new Ajax.Request(url,{
./src/main/webapp/refresh-issues.js:125:               var request = new Ajax.Request(contextUrl+"/ajaxIssues?firstTime=yes",{
./src/main/resources/com/fortify/plugin/jenkins/ChartAction/floatingBox.jelly:26:            new Ajax.Request("${action.urlName}/checkUpdates?stamp="+stamp,{
./src/main/resources/com/fortify/plugin/jenkins/ChartAction/floatingBox.jelly:29:                    var update = rsp.getResponseHeader("go");

CC @akaryakina

Cannot build the plugin

Following the instructions at https://github.com/jenkinsci/fortify-plugin/blob/master/docs/DEVELOPER.md, the build fails:

$ git clone https://github.com/jenkinsci/fortify-plugin.git
   ...
$ cd fortify-plugin/
$ git checkout v20.2.34
   ...
$ mvn package -Dssc.url=http://localhost:2020/ssc
[INFO] Scanning for projects...
[WARNING] The POM for org.jenkins-ci.tools:maven-hpi-plugin:jar:2.2 is missing, no dependency information available
[WARNING] Failed to build parent project for org.jenkins-ci.plugins:fortify:hpi:20.2.34
[INFO]
[INFO] -------------------< org.jenkins-ci.plugins:fortify >-------------------
[INFO] Building Fortify 20.2.34
[INFO] --------------------------------[ hpi ]---------------------------------
...
[INFO] --- maven-resources-plugin:3.0.2:resources (default-resources) @ fortify ---
[INFO] Using 'UTF-8' encoding to copy filtered resources.
[INFO] Copying 31 resources
[INFO]
[INFO] --- maven-compiler-plugin:3.6.1:compile (default-compile) @ fortify ---
[INFO] Changes detected - recompiling the module!
[INFO] Compiling 53 source files to C:\WORK\Development\Java\workspace\fortify-plugin\target\classes
[INFO] -------------------------------------------------------------
[ERROR] COMPILATION ERROR :
[INFO] -------------------------------------------------------------
[ERROR] java.nio.file.NoSuchFileException: C:\WORK\Development\Java\workspace\fortify-plugin\target\classes\META-INF\annotations\hudson.Extension
[INFO] 1 error
[INFO] -------------------------------------------------------------
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
