Is it possible to show Fortify scan result on Jenkins - plugins

Is there a way to display Fortify scan result on Jenkins?
I've seen only Jenkins plugin to run Fortify scanning and upload result to Fortify server but not the other way around.

Fortify has a plugin for Jenkins. It allows you to automatically upload results to Software Security Center after a build. The Jenkins plugin also integrates with Software Security Center to show the results of a scan in Jenkins. In your Fortify documentation set, look for a document called HP_Fortify_Jenkins_Plugin_TN_4.30.pdf.

I just found that on Google, you can import the Fortify results into a SonarCube instance:
http://www.sonarsource.com/products/plugins/integration/fortify/
And next, you can use the Sonar Web API to publish the results in Jenkins:
how to publish sonar result in jenkins server, or do we have sonar-report jenkins plugin
I hope it helps :)

You can use either Fortify Audit Workbench (AWB) or the Fortify Software Security Center (SSC) to review (aka audit) the issues (FPR file) generated in the Fortify sourceanalyzer.exe step in your Jenkins script. As an open source build and deployment tool, I do not see how Jenkins would be a suitable tool for auditing issues and posting bug reports. Please clarify your question to explain what you want to with the FPR file on the Jenkins server.

Yes: you need to invoke an external script (gradle?) and use FPRUtility command with "-query" parameter. You can test the queries using the "Advanced..." search in the audit workbench. If you do it after merging with the previous result (FPRUtility -merge ...) you can achieve an incremental scan.

Jenkins is CI/CD tool that help to upload the fortify results directly to the SSC(Software security center) after the build.
Integration of HP Fortify with Jenkins :
Step 1) Install Jenkins plugin on cloud server or you can directly access the cloud Jenkins server(if it is already installed on server).
step 2) Create the folder in Jenkins and configure the properties(making changes in configuration file on left side).
Step 3) Disable upload function in Jenkins (Means you can not provide the SSC link, while configuring the configuration file on left side), so that .FPR file will not uploaded automatically on SSC.
Step 4) Once the batch script or groovy script is successfully build , then you would be able to see the result on Jenkins console.
example:
Critical= 30
High= 20
Medium=10
Let me know if you have any question while integrating Jenkins with fortify -SSC.Thank you

I never used Fortify with Jenkins, but here is another alternative that you use with Jenkins, through a plugin. Read about it here: https://blog.probely.com/how-to-configure-jenkins-to-integrate-security-into-ci-cd-2b340728de56
You scan start a scan from Jenkins both in a freestyle and pipeline project.
Full disclosure: I'm highly affiliated with Probely, I'm the CTO :)

Related

How to analyze the code from GitHub repository in sonarqube

How to analyze the code from GitHub repository in sonarqube ?
Please suggest and provide the step by step procedure.
Github is a source repository. It's sort of like a database. It just sits there and waits for requests. In a way it doesn't really "do" anything. If you need to "do" something with it, like build executables or run SonarQube scans on the code, you have to utilize other resources like Travis or Jenkins to run scripts that will build the executables and run SonarQube scans.
Depending on what programming language your code is using, there are different tools for managing the running of the SonarQube scan. If your code is Java and you're using Maven, you can use the "sonar:sonar" goal, along with setting several properties, to run the scan. If you have something else, then use the "sonar-scanner" tool, also with setting several properties.
Note that the SonarQube scan is almost always run as part of the build process, because the SonarQube scan needs some of the artifacts produced by the build to produce its analysis reports. For instance, it is typical to run the SonarQube scan after the unit tests are run, so SonarQube can see the resulting code coverage.
At this point, I can't really give you a step-by-step procedure. There are many pieces you're going to have to assemble, and that will require some choices on your part.

How to Build a definition and publish test results for a Java project with maven, Junit and selenium on Visual Studios Team Services VSTS

I have an automation script that uses maven POM.xml to import all the dependencies needed from selenium and junit. The main test uses selenium to open a browser, verify some information, close the browser and the test ends.
When run as Junit it works fine: run as Junit test
When run as Maven Test it works fine as well: run as maven test
In both scenarios, the program opens the browser and navigates through the website as it should do for an automated test.
Now I need to integrate it to VSTS so I can visualize the overall pass/fail test on the VSTS dashboard but I'm not familiarized with this tool too much yet.
So far this is what I have managed to do:
Deploy an agent on my WindowsPC (I want to execute and deploy the project on an Azure VM or another azure instance later on) NOTE: this is the same pc I'm successfully running the program using eclipse as shown in the screenshoots above. https://learn.microsoft.com/en-us/vsts/build-release/actions/agents/v2-windows?view=vsts
Create a build definition on VSTS but when I queue the definition the build fails: build definition and the build fail.
I don't know why it can't find mt config.txt file since it is located on the same hosted agent in that same directory. I'll appreciate if someone is capable of guiding me through this process so I can run the program from the VSTS and visualize the overall tests that fail and pass on the VSTS dashboard.
UPDATE: I moved the config.txt file to the public directory and the build was successful(I still need to fix this issue because I do not want my work in a public folder).
Now the problem I have is that even though the build is successful and it looks like it is running my "3 tests", When I look at my pc, nothing is happening. it should open chrome and take a screenshot, then open Firefox and take another screenshot and finally open internet explorer and take another screenshot and save each test on different folders but it is only generating folders for chrome and internet explorer (but still those folders does not have the screenshot I'm asking, maybe because the browser is not being open on the computer.)
Here is the log: https://drive.google.com/open?id=1S_MhAUmzj8i9phPQiqS06s0_1cCRrbF0
test output report generated on my computer
test output on vsts
Look at the error message. The error message tells you precisely what the problem is: java.io.FileNotFoundException: Y:\Automation Team\CopaQA\Architecture\local\config.txt (The system cannot find the path specified)
You need to not rely on hard-coded paths.
You say you registered a build agent against your VSTS account... but did you change the agent queue for your build? If the agent queue is "Hosted", you're using Microsoft's hosted agent.
I don't know why it can't find mt config.txt file since it is located on the same hosted agent in that same directory.
It turns out that Java.IO. can't read files located on a shared network drive, I solved this by using the UNC path to that file (//"computername"/"directory"/"file.txt")
Now the problem I have is that even though the build is successful and
it looks like it is running my "3 tests", When I look at my pc,
nothing is happening.
It took me a little reading to realize that to perform UI tests my agent needs to be set up in INTERACTIVE MODE. it can be done following this guide: https://learn.microsoft.com/en-us/vsts/build-release/actions/agents/v2-windows?view=vsts

Using sln.DotSettings in TeamCity dotcover runner

I am using an NUnit 3 runner in a TeamCity 9.1.6 step. I've chosen "JetBrains dotCover" as the .NET Coverage tool, and now I'd like this step to use the xxx.sln.DotSettings file that we've put in source control and that we're sharing across devs in Visual Studio, rather than to duplicate settings to TeamCity Filters, Attribute Filters etc. Is this possible in TeamCity?
It is not possible from the box now. It is a great idea, could you create an issue here https://youtrack.jetbrains.com/
But there is a simple workaround:
you could parse dotSettins manually on the first step
publish configuration parameters using ##teamcity[setParameter name='ddd' value='fff'] TeamCity service message (see for details https://confluence.jetbrains.com/display/TCD9/Build+Script+Interaction+with+TeamCity)
use those configuration parameters in the appropriate fields for dotCover like %ddd%

Visual Studio Online / Azure stopping and starting web applications using Powershell

I'm using Visual Studio Online's build tools to deploy web applications from a single solution. I've occasionally been running into file locking issues.
Error: Web Deploy cannot modify the file 'Microsoft.CodeAnalysis.CSharp.dll' on the destination because it is locked by an external process.
After some Googling, I believe the "fix" is to stop the web applications before deployment on Azure and start it back up after. Sounds legit.
However, there does not seem to be a straight forward way to do this directly on VSO's build definitions. I've created an "Azure Powershell" build task, but it wants a PS1 file from the repository. It doesn't seem to let me just run Azure Powershell commands (e.g. Stop-AzureWebsite) from here. My team has created a work-around where we have a "run.ps1" that just executes the command you pass as a parameter, but none of us are satisfied by that.
What are we missing? There has got to be an easier way to do this without having a PS1 script checked into source control.
I solved this by installing Azure App Services - Start and Stop extension from Visual Studio Marketplace.
When installed, it will allow you to wrap the Deploy Website to Azure task in your Release definition with Azure AppServices Stop and Azure AppServices Start tasks, effectively eliminating the lock issues.
Check if you are using "/" on the "Web Deploy Package" path for folder separators instead of "\".
i.e. change
$(System.DefaultWorkingDirectory)/My Project/drop/MyFolder/MyFile.zip
for
$(System.DefaultWorkingDirectory)\My Project\drop\MyFolder\MyFile.zip
I noticed that was the only difference between the one I was getting the error and the others (the Restart step I added was not helping). Once I modified the path, I got it working.
Sounds crappy, but fixed my issue.
Did you use the Build Deployment Template that sets the correct msbuild parameters for you for your package? You can see how here. I would create a build using that template and see if you have the same issues. If so ping me on Twitter #DonovanBrown and I will see if I can figure what is going on.
As a rule it is good practice to have any scripts or commands required to deploy your software to be checked into source control as part of your build. They can then be easily run repeatedly with little configuration at the build level. This provides consistency and transparency.
Even better is to have deployment scripts output as part of the build and use a Release Management tool to control the actual deployment.
Regardless having configuration as code is a mantra that all Dev and Ops teams should live by.

Automatic installer deploy to remote server using TeamCity and MSBuild

I'm having a .net WPF project that compiles to a bunch of dlls. I also have another project that compiles all the dlls and creates an installator exe.
I am also using TeamCity to automatically do those tasks for me with a press of a button.
The problem is that I want to have a separate TeamCity build configuration intended to automatically copy the result installator exe to a number of remote machines, each having specific credentials. But, unfortunately, I don't get how do I do this.
I have found some articles on automatic deploying (like this http://www.troyhunt.com/2010/11/you-deploying-it-wrong-teamcity.html), but, obviously, they are very specific for web projects.
So, how should I correctly deploy my installator on build?
Your best bet is to research NAnt and make a simple task that will copy the TeamCity artifact (installer) out to the specified location.
All you would need to do is have TeamCity execute the specified NAnt task after the installer has been built.
http://nant.sourceforge.net/release/0.85/help/tasks/copy.html
Update
Also, check out this question for solutions on specifying the credentials for the copy task.
OK, I've found out that it's pretty easy to do this using the FtpUpload MSBuild community task. There, one can set up the credentials and all other stuff needed for uploading a file (or a set of files) via ftp.