The Fortify Hosted SaaS solution is based on the Fortify ScanCentral SAST, Fortify ScanCentral DAST and, optionally, Fortify Source Components Analysis (Sonatype SCA) architectures.
A Fortify Source Components Analysis scan can be initiated by using:
- Sonatype IQ Server webapp
- Sonatype IQ Server CLI
  - download the latest nexus-iq-cli: https://help.sonatype.com/iqserver/product-information/download-and-compatibility
  - start a Sonatype SCA scan and upload the results to IQ Server (https://help.sonatype.com/iqserver/integrations/nexus-iq-cli). Example with a Java application:
    nexus-iq-cli -i <Application_to_scan_name> -s <Your IQ Server URL> -a <Your IQ Server User>:<Your IQ Server PWD> C:\Application_to_scan
    (-i is the IQ application ID, -s the IQ Server URL, -a the user:password pair; the last argument is the directory or archive to scan)
    Note that -a puts the credential on the command line, where it ends up in the shell history and is visible to anyone who can list processes on the build host. Use a dedicated service account or an IQ Server user token (if enabled) rather than a personal password, and supply the value from a CI secret instead of typing it.
- Sonatype CI/CD integration plugins: https://help.sonatype.com/iqserver/integrations/plugins-for-continuous-integration-platforms
Sonatype IQ Server can be integrated with Fortify SSC by following these steps:
- Download the latest "sonatype-nexus-lifecycle-integration-with-ssc" integration from https://www.microfocus.com/marketplace/cyberres/content/sonatype-nexus-lifecycle-integration-with-ssc. It contains two components:
  - integration service (SonatypeFortifyIntegration-4.x.x.jar)
  - parser plugin (sonatype-plugin-4.x.x.jar)
- Import and enable the parser plugin in Fortify SSC
  - see the "InstallationGuide-22Oct2019.pdf" included in the "sonatype-nexus-lifecycle-integration-with-ssc" package
- Set up and run the integration service (it pulls IQ Server scan results into Fortify SSC)
  - see the "InstallationGuide-22Oct2019.pdf" included in the "sonatype-nexus-lifecycle-integration-with-ssc" package
  - set up the iqapplication.properties and mapping.json files, then run "java -jar SonatypeFortifyIntegration-4.x.x.jar" locally:
    - iqapplication.properties, values to change:
      - all IQ Server and SSC URLs/credentials (use https:// endpoints; the file holds these credentials in clear text, so restrict its permissions and use a least-privilege service account on both sides)
      - CI_Token (an SSC authentication token; generate a CIToken for the service account rather than reusing a user's personal token)
      - scheduling.job.cron=0 * * * * * (six fields, seconds first, Spring/Quartz style: the pull job runs once a minute, at second 0)
    - mapping.json (example: one IQ Server application/stage mapped to one SSC application version):
      [
        {
          "sonatypeProject": "richesAppId",
          "sonatypeProjectStage": "build",
          "fortifyApplication": "riches_MDS",
          "fortifyApplicationVersion": "1"
        }
      ]
    - run "java -jar SonatypeFortifyIntegration-4.x.x.jar"
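The integration service reads iqapplication.properties and mapping.json and then runs on its cron schedule, so a bad URL scheme, a templated password or a mis-typed stage name tends to surface only as a silently empty SSC application version. The script below is an added pre-flight check, not part of the Micro Focus/Sonatype integration package. It parses both files and reports plaintext-HTTP endpoints, empty or placeholder secrets, a cron value that does not have the six-field shape the page's example uses, mapping entries with missing keys or an unknown stage, and two IQ sources mapped to the same SSC application version. The property key names in the sample other than CI_Token and scheduling.job.cron, and the list of IQ stage names, are assumptions.

```python
#!/usr/bin/env python3
"""Pre-flight checks for the Sonatype -> Fortify SSC integration service config.

Added example, not part of the Micro Focus/Sonatype integration package.
Parses iqapplication.properties and mapping.json before the service is started
and reports problems that otherwise only show up when the scheduled job runs.
"""
import json
import re
from typing import Dict, List

# Assumption: the service uses a Spring/Quartz-style cron with six fields (seconds
# first); the page's value "0 * * * * *" has that shape and means "every minute".
CRON_FIELDS = 6
# Assumption: stage names as used by IQ Server policy evaluation.
IQ_STAGES = {"develop", "build", "stage-release", "release", "operate"}
MAPPING_KEYS = {"sonatypeProject", "sonatypeProjectStage",
                "fortifyApplication", "fortifyApplicationVersion"}
# Values that are empty, still templated ("<Your IQ Server PWD>") or obviously weak.
PLACEHOLDER = re.compile(r"^\s*$|<.*>|changeme|password", re.IGNORECASE)
REQUIRED_PROPS = ("CI_Token", "scheduling.job.cron")   # the two keys the page names


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: key=value or key:value, '#'/'!' comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def check_properties(props: Dict[str, str]) -> List[str]:
    """Flag plaintext-HTTP endpoints, placeholder secrets and a malformed schedule."""
    findings: List[str] = []
    for key, value in props.items():
        lower = key.lower()
        if "url" in lower and value.lower().startswith("http://"):
            findings.append(f"{key}: plaintext HTTP, credentials and results cross the wire unencrypted")
        if any(s in lower for s in ("password", "token", "secret")) and PLACEHOLDER.search(value):
            findings.append(f"{key}: empty, templated or weak secret")
    for required in REQUIRED_PROPS:
        if required not in props:
            findings.append(f"{required}: missing")
    cron = props.get("scheduling.job.cron", "")
    if cron and len(cron.split()) != CRON_FIELDS:
        findings.append(f"scheduling.job.cron: expected {CRON_FIELDS} fields, got {cron!r}")
    return findings


def check_mapping(entries: object) -> List[str]:
    """Validate mapping.json: required keys, known stage, one IQ source per SSC version."""
    findings: List[str] = []
    if not isinstance(entries, list):
        return ["mapping.json: top level must be a JSON array"]
    seen: Dict[tuple, tuple] = {}
    for i, entry in enumerate(entries):
        missing = MAPPING_KEYS - set(entry)
        if missing:
            findings.append(f"mapping[{i}]: missing keys {sorted(missing)}")
            continue
        if entry["sonatypeProjectStage"] not in IQ_STAGES:
            findings.append(f"mapping[{i}]: unknown stage {entry['sonatypeProjectStage']!r}")
        target = (entry["fortifyApplication"], entry["fortifyApplicationVersion"])
        source = (entry["sonatypeProject"], entry["sonatypeProjectStage"])
        if seen.get(target, source) != source:
            findings.append(f"mapping[{i}]: SSC version {target} is already fed by IQ {seen[target]}")
        seen.setdefault(target, source)
    return findings


def check_config(properties_text: str, mapping_text: str) -> List[str]:
    """Run both checks; an empty list means the service can be started."""
    return check_properties(parse_properties(properties_text)) + check_mapping(json.loads(mapping_text))


# Constructed sample input; key names other than CI_Token and scheduling.job.cron are assumptions.
SAMPLE_PROPERTIES = """\
iq.server.url=http://iq.example.internal:8070
iq.server.username=svc-fortify
iq.server.password=<Your IQ Server PWD>
ssc.url=https://ssc.example.internal
CI_Token=
scheduling.job.cron=0 * * * * *
"""
# The page's mapping entry plus a second, conflicting one with a stage IQ does not know.
SAMPLE_MAPPING = json.dumps([
    {"sonatypeProject": "richesAppId", "sonatypeProjectStage": "build",
     "fortifyApplication": "riches_MDS", "fortifyApplicationVersion": "1"},
    {"sonatypeProject": "richesAppId", "sonatypeProjectStage": "qa",
     "fortifyApplication": "riches_MDS", "fortifyApplicationVersion": "1"},
])

if __name__ == "__main__":
    for finding in check_config(SAMPLE_PROPERTIES, SAMPLE_MAPPING):
        print(finding)
```

Run it against the real files with something like check_config(open("iqapplication.properties").read(), open("mapping.json").read()) before starting the jar; the sample above yields five findings (the HTTP IQ URL, the templated IQ password, the empty CI_Token, the unknown "qa" stage, and the duplicate target). The properties parser deliberately ignores line continuations and escapes, which is enough for the flat key=value file the installation guide describes.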