
I am asked to integrate the code audit tool HP Fortify into our development process, but the main constraint is that the whole code base should not be scanned every time: only the classes impacted by the last backlog item should be analyzed.

We are using Jenkins and SonarQube, so I had a look at the plugins available but couldn't find anything matching the requirement: do not scan the whole code base every time.

Would you know any tool or HP Fortify configuration that could suit what I need?

schroeder
MedAl
    It does a lot of global analysis, so splitting at the class level is probably going to be tricky. – Tom Hawtin - tackline Apr 18 '17 at 15:14
  • You can't do that with Fortify – niilzon Apr 21 '17 at 08:29
  • Note that developers can manually select a subset of the entities to scan. But it's not recommended most of the time. Can be very useful to only scan a Util class, for example, before committing to the repo for a "global" scan – niilzon Apr 21 '17 at 08:38

2 Answers

It can't be done with those tools. I have the same "problem" as you, using exactly the same tools.

Anyway, from a security point of view it is not a problem. In my opinion, scanning only a certain part of the code could lead you to not detect certain errors. I'll try to explain it later. Another story is to show incrementally the new issues detected on SonarQube. That can be done, and I think it is what you really need.

Suppose you already have incremental vulnerability scanning running. Maybe you have a vulnerability in a class that is not detected because the class is not used yet. Then another commit uses that class and the security vulnerability could take place, but if you scan incrementally, only commit by commit, you'll never discover that vulnerability, because your scanner is going to scan only that part of the code without getting into "already scanned old code".

I think it is better to always scan all the code but only show the new issues detected on SonarQube.

OscarAkaElvis
  • I see what you mean, but the real issue for my case is that I have to make it fast enough for developers to scan their last backlog item before pushing it. The whole project contains millions of lines; we cannot afford scanning all the classes "quickly before pushing", unfortunately. I guess your answer implies that what I need is not feasible in the actual state of the art. I'll try to get a fix for that :) – MedAl Apr 21 '17 at 08:56
  • See my comment on the question - in some cases it is possible for the devs to do a local scan on selected packages / classes (I guess you use the IDE plugin). Useful for stuff that has no big dependencies, like some Util classes and their Unit Tests – niilzon Apr 21 '17 at 11:12
  • @niilzon I'm using both the IDE plugin and the Jenkins plugin. Thanks for the precision, that could make a temporary solution for util classes, as you suggest – MedAl Apr 21 '17 at 12:20
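The approach recommended in the answer above (scan the whole code base every time, but surface only what is new) can be reproduced outside SonarQube by diffing two full scan results against a stable fingerprint. The following is an added example, not code from the question, the answers, Fortify or SonarQube: the `Finding` fields, the fingerprint rule and both result sets are constructed for illustration, and the category names merely mimic the style of a scanner's output.

```python
"""Show only the issues a change introduced, while still scanning everything.

Added example, not code from the question, the answers, Fortify or SonarQube.
The Finding fields, the fingerprint rule and the two result sets below are
constructed for illustration; category names only mimic a scanner's output.
"""
import hashlib
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Finding:
    category: str   # rule/category reported by the scanner
    file: str       # path relative to the repository root
    line: int       # line number in the scan that produced this finding
    sink: str       # function or method in which the issue was reported
    snippet: str    # the flagged source line


def fingerprint(f: Finding) -> str:
    """Identity of a finding that survives line shifts and reformatting.

    The line number is left out on purpose: editing code above an issue moves
    it without changing it, and a diff keyed on line numbers would report every
    such issue as "new".  Whitespace in the snippet is stripped for the same
    reason.  Category, file and sink are kept so that two distinct issues in
    the same method are still told apart.
    """
    key = "|".join([f.category, f.file, f.sink, "".join(f.snippet.split())])
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


def new_issues(baseline: Iterable[Finding], current: Iterable[Finding]) -> List[Finding]:
    """Findings in the current full scan that the baseline did not contain."""
    seen = {fingerprint(f) for f in baseline}
    return [f for f in current if fingerprint(f) not in seen]


def fixed_issues(baseline: Iterable[Finding], current: Iterable[Finding]) -> List[Finding]:
    """Baseline findings that the current full scan no longer reports."""
    still_present = {fingerprint(f) for f in current}
    return [f for f in baseline if fingerprint(f) not in still_present]


# Constructed sample data: result of the previous full scan ...
BASELINE = [
    Finding("SQL Injection", "src/dao/UserDao.java", 42, "findByName",
            'stmt.executeQuery("SELECT * FROM users WHERE name = \'" + name + "\'")'),
    Finding("Path Manipulation", "src/io/FileStore.java", 17, "open",
            "new File(baseDir, userPath)"),
    Finding("Weak Cryptographic Hash", "src/util/Digest.java", 9, "digest",
            'MessageDigest.getInstance("MD5")'),
]

# ... and of the full scan after the developer's last commit: the SQL issue
# moved nine lines down and was reformatted, the path issue is untouched, the
# weak hash was removed, and one issue in a new class appeared.
CURRENT = [
    Finding("SQL Injection", "src/dao/UserDao.java", 51, "findByName",
            'stmt.executeQuery( "SELECT * FROM users WHERE name = \'" + name + "\'" )'),
    Finding("Path Manipulation", "src/io/FileStore.java", 17, "open",
            "new File(baseDir, userPath)"),
    Finding("Command Injection", "src/ops/Runner.java", 30, "exec",
            "Runtime.getRuntime().exec(cmd)"),
]


if __name__ == "__main__":
    for f in new_issues(BASELINE, CURRENT):
        print(f"NEW    {f.category}: {f.file}:{f.line} ({f.sink})")
    for f in fixed_issues(BASELINE, CURRENT):
        print(f"FIXED  {f.category}: {f.file}:{f.line} ({f.sink})")
```

Because the whole code base is in both result sets, the cross-class case from the answer (a dormant vulnerability that becomes reachable when a later commit starts using the class) shows up as a new finding in the later scan, which a purely per-commit scan of the changed files would miss.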

As others have mentioned, Fortify and most scan tools don't just scan the delta of files changed. They scan the entire code base.

With Fortify, it's a resource-intensive tool by nature. And if your code base is sizeable, you'll need a strong machine to cut through it quickly. I suggest the following...

Assuming you have access to AWS or Azure, spin up two images. One is a medium-light strength image, which will hold the Fortify portal and reporting. This one can stay up 24 hours. Then spin up another very strong image, which will only be active during scans.

To do this, use Jenkins to make API calls to spin up the scanning machine image just before you start the scan.

If it has good computing power, even with large code bases, it shouldn't take more than a couple hours to scan.

Once the scan is complete, it'll send the results over to the main portal/reporting server and you can again use the API calls to shut that instance down. This is to keep your costs down.

Lastly, we have to talk about Fortify vs. SonarQube. My personal take is that you should use both. After poring over results from both, Fortify picks up more vulnerability-related items. SonarQube picks up more syntax/logic-related issues, with some vulnerability stuff mixed in.

In my experience, they complement each other nicely.

Hope that helps, if you have further questions, send me a PM or ask it here.

Good luck!

mumbles
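The cycle described in the answer above (start the large scanning instance from Jenkins, run the full scan, upload the results to the always-on portal, stop the instance again) is sketched below as an added example; it is not the answer author's code and not a Fortify or Jenkins artifact. Every command is routed through a small runner interface so the control flow can be exercised without cloud credentials. The `aws ec2` subcommands and the `sourceanalyzer` / `fortifyclient uploadFPR` invocations are the documented ones for the AWS CLI and the Fortify release current at the time of the question (flag names for the upload vary between Fortify releases, so check the version you run); the instance id, SSH alias, build id, paths and token are placeholders.

```python
"""On-demand Fortify scanning host driven from a Jenkins job.

Added example, not the answer author's code and not a Fortify/Jenkins artifact.
Assumptions: the scanning host is reachable over SSH as the alias 'scan-host'
(for instance as a Jenkins agent), the AWS CLI is configured on the controller,
and 'fortifyclient uploadFPR' accepts the flags shown for the Fortify release
in use.  All ids, paths and the token are placeholders.
"""
import subprocess
from typing import Callable, List, Optional, Tuple

# A runner executes argv on a named host: "controller" (the Jenkins side) or
# "scanner" (the large, short-lived instance).
Runner = Callable[[str, List[str]], None]


def subprocess_runner(host: str, argv: List[str]) -> None:
    """Default runner: controller commands run locally, scanner commands via SSH."""
    if host == "scanner":
        argv = ["ssh", "scan-host", "--"] + argv   # 'scan-host' is a placeholder alias
    subprocess.run(argv, check=True)


class RecordingRunner:
    """Test double: records commands instead of executing them and can fail at
    a chosen step so that the shutdown-on-failure path can be checked."""

    def __init__(self, fail_on: Optional[str] = None) -> None:
        self.calls: List[Tuple[str, List[str]]] = []
        self.fail_on = fail_on

    def __call__(self, host: str, argv: List[str]) -> None:
        self.calls.append((host, argv))
        if self.fail_on is not None and self.fail_on in argv:
            raise RuntimeError(f"simulated failure in {argv[0]}")


def scan_cycle(instance_id: str, build_id: str, src_dir: str, classpath: str,
               ssc_url: str, project: str, version: str, token: str,
               run: Runner = subprocess_runner) -> str:
    """Start the scan host, run a full scan, upload the FPR, always stop the host.

    The stop runs in a 'finally' block: a failed translation or scan must not
    leave the expensive instance running, which is the cost point the answer
    makes.  Returns the name of the produced FPR file.
    """
    fpr = f"{build_id}.fpr"
    run("controller", ["aws", "ec2", "start-instances", "--instance-ids", instance_id])
    run("controller", ["aws", "ec2", "wait", "instance-running", "--instance-ids", instance_id])
    try:
        # Fresh build id so stale translated files from a previous run are not scanned.
        run("scanner", ["sourceanalyzer", "-b", build_id, "-clean"])
        # Translation of the whole code base (the tool does not scan deltas).
        run("scanner", ["sourceanalyzer", "-b", build_id, "-cp", classpath, f"{src_dir}/**/*.java"])
        # Analysis phase: this is the step that needs the strong machine.
        run("scanner", ["sourceanalyzer", "-b", build_id, "-scan", "-f", fpr])
        # Hand the results to the always-on portal.  In Jenkins the token should
        # come from a credentials binding, not a plain job parameter.
        run("scanner", ["fortifyclient", "uploadFPR", "-file", fpr, "-url", ssc_url,
                        "-authtoken", token, "-project", project, "-version", version])
    finally:
        run("controller", ["aws", "ec2", "stop-instances", "--instance-ids", instance_id])
    return fpr


if __name__ == "__main__":
    # Dry run with the recording runner; swap in subprocess_runner for a real job.
    rec = RecordingRunner()
    scan_cycle("i-PLACEHOLDER", "myapp-build", "src", "lib/*",
               "https://ssc.example.invalid/ssc", "MyApp", "1.0", "TOKEN-PLACEHOLDER", run=rec)
    for host, argv in rec.calls:
        print(f"[{host}] {' '.join(argv)}")
```

The same structure maps onto a Jenkins pipeline: the two `aws ec2` steps and the `finally` branch belong in the controller stages, and the `sourceanalyzer` steps run on the scan host as an agent. Keeping the stop in a `finally` (or a `post { always { ... } }` block in a declarative pipeline) is what makes the "only active during scans" promise hold when a scan fails.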