Fortify installation and usage manual (template)
Fortify SCA User Manual

Fortify SCA User Manual

I. Introduction
Fortify SCA (Software Configuration Analysis) is a powerful software configuration analysis tool that helps users manage and maintain software configuration effectively.
This manual provides detailed instructions for using Fortify SCA so that users can better master the tool.

II. Installation and configuration
1. Install Fortify SCA: First, download and install the Fortify SCA software from the official Fortify website. Make sure the system environment is configured correctly during installation so that the tool runs smoothly.
2. Configure the database: After installation, configure the connection between Fortify SCA and the database. Follow the instructions in the manual for your database type (MySQL, Oracle, etc.).
3. Configure other parameters: Depending on your needs, you may need to adjust other Fortify SCA parameters, such as the scan scope and scan time. Refer to the relevant sections of the manual.

III. Usage
1. Scan a project: Before scanning a project with Fortify SCA, make sure all files in the project are under configuration management and that the relevant parameters are configured correctly. After the scan runs, Fortify SCA analyzes the code in the project and generates a report.
2. View the report: After the scan completes, Fortify SCA generates a detailed report showing the security vulnerabilities and potential risks in the code. Read the report carefully and apply the fixes it recommends.
3. Fix vulnerabilities: Based on the Fortify SCA report, fix the vulnerabilities that were found. After fixing them, run the scan again to confirm that the vulnerabilities have been completely resolved.

IV. Common problems and solutions
1. Inaccurate scan results: Possible causes include files or directories missing from the code base, or file formats that Fortify SCA does not support. Solution: make sure all project files are under configuration management and check that the file formats meet Fortify SCA's requirements.
2. Slow report generation: Possible causes include database performance problems or an overly large scan scope. Solution: optimize the database configuration, or narrow the scan scope to reduce the amount of analysis.

V. Maintenance and updates
Fortify SCA is a continuously improved software tool; we recommend updating to the latest version regularly to obtain more features and performance improvements.
Installation guide: Fortify Software Security Center 19.2.0 on Windows 2016

Author: Vikas Johari
Date: 12 February 2020
Document Version: v0.1

Installing SSC 19.2.0 with MSSQL 2017 in Easy Steps on Windows 2016
Fortify SCA 19.x Deployment Guide

Contents
Introduction
Installation of MS SQL 2017
Installation of MS SQL 2017 Management Studio
Creating Database for SSC
Creating the Tables for Fortify Components
Download and install JDK 1.8.x
Download and Install Tomcat 9.0.x service for Windows
Deploying JDBC Driver
Deploying SSC war file

Introduction
This document will guide Pre-Sales and Partners to install SSC 19.2.0 on MS Windows 2016 with an MS SQL 2017 Server Edition database.
The hardware and software requirements are given in the link: https:///documentation/fortify-software-security-center/1920/Fortify_Sys_Reqs_19.2.0/index.htm#SSC/SSC_Reqs.htm%3FTocPath%3DFortify%2520Software%2520Security%2520Center%2520Server%2520Requirements%7C_____0
Install Windows 2016 and apply all the required patches.

Installation of MS SQL 2017
Mount the MS SQL 2017 Server ISO and run the installer. Click on Installation.
In the Installation screen, select "New SQL Server stand-alone installation or add ...". Enter the Product key and click Next. Accept the license agreement, then click Next.
Enable "Use Microsoft Update to check for updates", then click Next. Let it complete the task.
Enable the following features:
• Database Engine Service
• Client Tools Connectivity
• Client Tools Backwards Compatibility
Click Next. If you want to change the Instance name, change it; otherwise click Next to continue.
In the Server Configuration screen, make sure the Startup Type of SQL Server Agent and SQL Server Database Engine is Automatic.
Click on Collation -> Customize. Select "SQL_Latin1_General_CP1_CS_AS" and click OK. Click Next.
In the Database Engine Configuration, select Mixed Mode, enter the password of user "sa", and also add the Windows Administrator user. Click Next.
Click Next in the Ready to Install screen. Wait for the installation to complete.
Verify that all the components are installed, then click Close.
Open SQL Server Configuration Manager and validate that TCP/IP is enabled and configured with the correct IP address.

Installation of MS SQL 2017 Management Studio
Download MS SQL 2017 Management Studio from https:///en-us/sql/ssms/download-sql-server-management-studio-ssms?view=sql-server-2017 and install it. Click Install. Wait for the installation to complete. Click Close.

Creating Database for SSC
Start MS SQL Server Management Studio. Set Authentication to "SQL Server Authentication", enter the Login name "sa" and its password, then click Connect.
In the Object Explorer, expand the server, right-click on Databases and select New Database.
Enter the database name "FortifyDB" and change the path of the database and log file to "C:\SQLDB" (optional).
Click on "Options" in the left panel. Under Collation, make sure "SQL_Latin1_General_CP1_CS_AS" is selected. This is a mandatory step; otherwise the seed bundles will not upload in the upcoming steps. Then click OK.
Validate that the database has been created.

Creating the Tables for Fortify Components
Extract "Fortify_19.2.0.zip" into a temporary folder named "C:\Fortify_Installer".
Extract the "create-tables.sql" file from Fortify_SSC_Server_19.2.0.zip -> Fortify_19.2.0_Server_WAR_Tomcat.zip -> sql -> sqlserver. Open it in Notepad++.
Right-click on "FortifyDB" -> New Query. Paste the content of "create-tables.sql" into the query and execute it. Verify that the query executed successfully.

Download and install JDK 1.8.x
Download and install JDK 1.8 from https:///technetwork/java/javase/downloads/jdk8-downloads-2133151.html
Set the "JAVA_HOME" system environment variable to "C:\Program Files\Java\jdk1.8.0_201".

Download and Install Tomcat 9.0.x service for Windows
Download and install the "32-bit/64-bit Windows Service Installer" of the Tomcat Windows service from https:///download-90.cgi
Click Next. Click I Agree. Select the options as above, then click Next. Make the changes as per the above screen, then click Next. Verify the JRE folder and click Next.
Change the default install location to "C:\Tomcat9".
Note: This is a very important step: if the Tomcat install folder name has any spaces, SSC will give errors during vulnerability auditing.
Click Install. Wait for the installation to complete. Click Finish.
Start the Tomcat service and test the connection by opening port 8080 in the browser.
Set the initial memory pool to 4096 MB and the maximum memory pool to 4096 MB. In Log On, select "Local System account", then click OK.
Optional: If SSC has to run over HTTPS, configure Tomcat to use HTTPS with a certificate and document the HTTPS port.

Deploying JDBC Driver
Download the JDBC Driver v6.0 for MS SQL 2017 from https:///en-in/download/details.aspx?id=11774; you can download the "sqljdbc_6.0.8112.200_enu.tar.gz" file.
Extract the downloaded file. Copy the "sqljdbc42.jar" file to the C:\Tomcat9\lib folder.

Deploying SSC war file
Copy the ssc.war file to the C:\Tomcat9\webapps folder. Then restart the Tomcat service. Open the URL http://ip:8080/ssc in Chrome.
Click on the ADMINISTRATORS link in the top right corner. It will ask you to enter the token.
Open the init.token file from the C:\Windows\System32\config\systemprofile\.fortify\ssc folder in Notepad++.
Note: In case of any issue during the SSC installation process, you can open the ssc.log file in Notepad++; it will be in the "C:\Windows\System32\config\systemprofile\.fortify\ssc\logs" folder.
Note: If you are using the Tomcat standalone version or running Tomcat from the command line, the init.token will be in the C:\Users\Administrator\.fortify\ssc folder. Similarly, the log file will be found in the "C:\Users\Administrator\.fortify\ssc\logs" folder.
Copy the token and paste it into SSC. Click SIGN IN.
Note: This token will keep changing until you complete the setup.
Click Next. Click the UPLOAD button to select and upload the "fortify.license" file. Click Next.
Create a folder named C:\GlobalSearch. Enter the URL for Fortify SSC, i.e. http://172.17.5.240:8080/ssc or :8080/ssc, enable Global Search, enter "C:\GlobalSearch" in the text box and click Next.
Note: Do not use http://127.0.0.1:8080/ssc as the SSC URL; it will create problems in later stages.
Enter the DATABASE USERNAME "sa" and its password. Enter the JDBC URL as
jdbc:sqlserver://172.17.5.240:1433;database=FortifyDB;sendStringParametersAsUnicode=false
or
jdbc:sqlserver://127.0.0.1:1433;database=FortifyDB;sendStringParametersAsUnicode=false
Test the connection. If the test is successful, click Next.
In the Seed Database step, BROWSE and select the file, then click SEED DATABASE, in the following sequence:
• Fortify_Process_Seed_Bundle-2019_Q3.zip
• Fortify_Report_Seed_Bundle-2019_Q3.zip
• Fortify_PCI_Basic_Seed_Bundle-2019_Q3.zip
• Fortify_PCI_SSF_Basic_Seed_Bundle-2019_Q3.zip
Browse and select Fortify_Process_Seed_Bundle-2019_Q3.zip. Click SEED DATABASE.
After the file has been processed successfully, browse and select "Fortify_Report_Seed_Bundle-2019_Q3.zip", then click SEED DATABASE.
After the file has been processed successfully, browse and select "Fortify_PCI_Basic_Seed_Bundle-2019_Q3.zip", then click SEED DATABASE.
Browse and select "Fortify_PCI_SSF_Basic_Seed_Bundle-2019_Q3.zip". After all files are processed successfully, click Next. Click Finish.
Now you must restart the Tomcat service.

Test the SSC Server
Open the SSC Server URL (i.e. http://172.17.5.240:8080/ssc) and log in as user "admin" with the password "admin". SSC will ask you to change the password. Now log in as admin with the new password.
Click Administration.
Conditional: If a proxy setting is required to download Rulepacks, configure it in ADMINISTRATION -> Configuration -> Proxy.
Click Rulepacks and then click UPDATE FROM SERVER. In a few minutes, all the rules will be downloaded. Click CLOSE.
Now the SSC Server is ready to use.
Note: This guide is not official documentation by Micro Focus. Please read and refer to the official product documentation for additional information.
Fortify User Manual

Fortify User Manual
China Construction Bank Online Banking Investment Product Innovation Project
Fortify User Manual
Head Office Information Technology Management Department, Guangzhou Development Center
June 2008
Revision history
The information contained in this document is confidential; without the written permission of China Construction Bank, no one may copy or use it.
© Copyright 2008 by China Construction Bank

Contents
1. Introduction
1.1 Purpose
1.2 Background
1.3 Definitions
1.4 Environment
1.5 Reminders
1.6 Related requirements
2. Installing Fortify
2.1 Enter the Fortify installation directory
2.2 Enter the license key: BAHODPERE9I9
2.3 Select All Users
2.4 Select all of the following options
2.5 Select the No option
3. Using Fortify
3.1 Enter the source directory and run sca commandline scan.bat
3.2 Contents of sca commandline scan.bat
4. Querying results
5. Possible problems
6. Analyzing results
6.1 Race Condition
6.2 SQL Injection
6.3 Cross-Site Scripting
6.4 System Information Leak
6.5 HTTP Response Splitting

1. Introduction
1.1 Purpose
Raise awareness of software security in the center's projects; convey the Head Office's requirements on secure software coding and testing; understand and learn how to use Fortify SCA.
1.2 Background
Documentation for the online banking investment product innovation project.
1.3 Definitions
Fortify Source Code Analysis Suite is a tool provided by Fortify Software (USA) to software development enterprises for scanning, analyzing and managing security vulnerabilities in software source code.
Using this tool can make up for the lack of source-code security knowledge among developers, security staff and managers, speed up code security audits and simplify the management of software security risk.
Fortify SCA Source Code Application Security Testing Tool Quick Start Guide

Fortify SCA Source Code Application Security Testing Tool Quick Start Guide
Document version: v1.0
Release date: 2022-11
Shenzhen Wen'an Technology Co., Ltd. (深圳市稳安技术有限公司)

Fortify SCA Source Code Application Security Testing Tool Quick Start Guide
Fortify SCA (Static Code Analyzer) is a static application security testing (SAST) product from Micro Focus that lets development teams and security experts analyze source code and detect security vulnerabilities, helping developers identify and prioritize problems faster and more easily, and then resolve them.
Fortify SCA supports 27 programming languages: ABAP/BSP, Apex, C/C++, C#, Classic ASP, COBOL, ColdFusion, CFML, Flex/ActionScript, Java, JavaScript, JSP, Objective-C, PL/SQL, PHP, Python, T-SQL, VBScript, VB6, XML/HTML, Ruby, Swift, Scala, Kotlin and Go. It can detect more than 1051 vulnerability categories, covering over a million individual APIs.

I. Installing the Fortify SCA source code application security testing tool
1. Create a Huawei Cloud ECS server
1.1 Recommended host configuration:
1.2 Supported operating systems:
1.3 Network configuration
Security group rule requirements:
1.3.1 Linux: port 22 (SSH login and management)
1.3.2 Windows: port 3389 (Windows RDP)
1.4 Install the operating system
Log in to the platform server remotely via VNC or CloudShell and install the operating system from a suitable image as required.
1.5 Prepare the code build environment
Scanning code in the following languages requires a corresponding build environment; the code must compile successfully before it is scanned:
a) C#
b) C/C++ on Windows or Linux
c) iPhone App
Install the build environment corresponding to your code and make sure the code to be scanned compiles.
2. Install Fortify SCA
2.1 Upload the installation package
After purchasing the product, download the installation file archive matching the scan host's operating system from the Micro Focus download platform, extract the installation files and upload them to the cloud server.
Micro Focus Fortify Jenkins Plugin Software Version 18.20 Installation and Usage Guide

Micro Focus Fortify Jenkins Plugin
Software Version: 18.20
Installation and Usage Guide
Document Release Date: November 2018
Software Release Date: November 2018

Legal Notices
Micro Focus, The Lawn, 22-30 Old Bath Road, Newbury, Berkshire RG14 1QN, UK. https://
Warranty: The only warranties for products and services of Micro Focus and its affiliates and licensors ("Micro Focus") are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.
Restricted Rights Legend: Confidential computer software. Except as specifically indicated otherwise, a valid license from Micro Focus is required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.
Copyright Notice: © Copyright 2014-2018 Micro Focus or one of its affiliates
Trademark Notices: Adobe™ is a trademark of Adobe Systems Incorporated. Microsoft® and Windows® are U.S. registered trademarks of Microsoft Corporation. UNIX® is a registered trademark of The Open Group.
Documentation Updates: The title page of this document contains the following identifying information:
• Software Version number
• Document Release Date, which changes each time the document is updated
• Software Release Date, which indicates the release date of this version of the software
To check for recent updates or to verify that you are using the most recent edition of a document, go to: https:///support-and-services/documentation

Contents
Preface
Contacting Micro Focus Fortify Customer Support
For More Information
About the Documentation Set
Change Log
Fortify Jenkins Plugin
Software Requirements
Installing the Fortify Jenkins Plugin
Verifying the Fortify Jenkins Plugin Installation
Preparing Fortify Software Security Center to Work with the Fortify Jenkins Plugin
Configuring the Fortify Jenkins Plugin
Configuring a Build Step to use the Fortify Jenkins Plugin
Viewing Analysis Results
Security Vulnerability Graph for Your Project
Viewing Issues
Configuring the Number of Issues Displayed on a Page
Send Documentation Feedback

Preface
Contacting Micro Focus Fortify Customer Support
If you have questions or comments about using this product, contact Micro Focus Fortify Customer Support using one of the following options.
To Manage Your Support Cases, Acquire Licenses, and Manage Your Account: https://
To Call Support: 1.844.260.7219
For More Information
For more information about Fortify software products: https:///solutions/application-security
About the Documentation Set
The Fortify Software documentation set contains installation, user, and deployment guides for all Fortify Software products and components. In addition, you will find technical notes and release notes that describe new features, known issues, and last-minute updates. You can access the latest versions of these documents from the following Micro Focus Product Documentation website: https:///support-and-services/documentation

Change Log
The following table lists changes made to this document. Revisions to this document are published between software releases only if the changes made affect product functionality.

Fortify Jenkins Plugin
Use the Fortify Jenkins Plugin in your continuous integration builds to identify security issues in your source code with Micro Focus Fortify Static Code Analyzer. After the Fortify Static Code Analyzer analysis is complete, you can optionally upload the results to a Micro Focus Fortify Software Security Center server. This also enables you to view the analysis result details within Jenkins. It also provides metrics for each build and an overview of the results, without the need to log into Fortify Software Security Center.
With the Fortify Jenkins Plugin, you can integrate Fortify Static Code Analyzer with the following build tools:
• Gradle
• Maven
• MSBuild
• Visual Studio (devenv)
You can also scan your source code directly without a build tool.
This document provides instructions on how to prepare Fortify Software Security Center to work with the Fortify Jenkins Plugin, and how to install, configure, and use the plugin.

Software Requirements
The Fortify Jenkins Plugin works with the software packages listed in the following table. Your specific requirements depend on the build tools you are using. This table also provides information to help you prepare for the configuration of your Bamboo plan.

Installing the Fortify Jenkins Plugin
To install the Fortify Jenkins Plugin, you must have Jenkins installed on your system. See the Micro Focus Fortify Software System Requirements document for the supported Jenkins versions.
To install the Fortify Jenkins Plugin:
1. From Jenkins, select Manage Jenkins > Manage Plugins.
2. On the Plugin Manager page, click the Advanced tab.
3. Under Upload Plugin, click Choose File, and then locate and select Fortify_Jenkins_Plugin_<version>.hpi.
4. Click Upload.
5. Restart Jenkins.
For more information about how to install Jenkins plugins, see the Jenkins website.

Verifying the Fortify Jenkins Plugin Installation
To verify that the Fortify Jenkins Plugin is installed:
1. Open a browser window and navigate to http://<jenkins_server_url>:8080.
2. From the Jenkins menu, select Manage Jenkins > Manage Plugins.
3. On the Plugin Manager page, click the Installed tab.
4. Verify that Fortify Jenkins Plugin is included in the list of installed plugins.

Preparing Fortify Software Security Center to Work with the Fortify Jenkins Plugin
To upload Fortify Static Code Analyzer results to Fortify Software Security Center or to view Fortify Static Code Analyzer results from Jenkins, you need to have an authentication token of type CIToken created in Fortify Software Security Center. You will use this authentication token to configure the Fortify Jenkins Plugin to communicate with Fortify Software Security Center.
You can generate the authentication token from either the Administration view in Fortify Software Security Center or from the command line with the fortifyclient utility. The following instructions describe how to create the authentication token with the fortifyclient utility. For information about how to create an authentication token from Fortify Software Security Center, see the Micro Focus Fortify Software Security Center User Guide.
To create an authentication token of type CIToken using the fortifyclient utility:
1. From the <ssc_install_dir>/Tools/fortifyclient/bin directory, run the following:
where:
• <ssc_url> includes both the port number and the context path /ssc. For example, http://<hostname>:<port>/ssc.
• <user_name> is the Fortify Software Security Center username of an account that has the required privileges to read or write information from or to Fortify Software Security Center.
• <number_of_days> is the number of days before the token expires. The default is 365.
You are prompted for a password.
2. Type the password for <user_name>. The fortifyclient utility displays a token of the general form: cb79c492-0a78-44e3-b26c-65c14df52e86.
3. Copy the returned token to use when you configure the Fortify Jenkins Plugin (see "Configuring the Fortify Jenkins Plugin").

Configuring the Fortify Jenkins Plugin
To configure your Jenkins server so that it can analyze your project, update Fortify security content, and upload results to Fortify Software Security Center using the Fortify Jenkins Plugin:
1. Open a browser window and navigate to http://<jenkins_server_url>:<port_number>.
2. From the Jenkins menu, select Jenkins > Manage Jenkins > Configure System.
3. To analyze your project with Fortify Static Code Analyzer or to update Fortify security content as part of your build, create an environment variable to specify the location of the Fortify Static Code Analyzer executables. In Global properties, create the following environment variable:
• Name: FORTIFY_HOME
• Value: <sca_install_dir>
where <sca_install_dir> is the path where Fortify Static Code Analyzer is installed. For example, on Windows the default installation location is C:\Program Files\Fortify\Fortify_SCA_and_Apps_18.20.
4. To upload results to Fortify Software Security Center, scroll down to the Fortify Assessment section, and then do the following:
a. In the SSC URL box, type the Fortify Software Security Center server URL. The correct format for the Fortify Software Security Center URL is http://<host_IP>:<port>/ssc.
b. To connect to Fortify Software Security Center with a proxy server, select Use Proxy for SSC, and then specify the proxy information.
c. In the Authentication token box, type the authentication token generated for the Fortify Software Security Center server. See "Preparing Fortify Software Security Center to Work with the Fortify Jenkins Plugin" above.
d. Click Advanced settings, and then click Test Connection. The Fortify Jenkins Plugin populates the Issue Template list with available Fortify Software Security Center issue templates. Fortify Software Security Center uses the selected issue template when it creates new applications. The issue template optimizes the categorization, summary, and reporting of the application version data.
e. From the Issue template list, select the appropriate issue template for your projects.
5. Click Save.

Configuring a Build Step to use the Fortify Jenkins Plugin
To configure a build step for your project to use the Fortify Jenkins Plugin:
1. From Jenkins, select an existing job to view or create a new job. The Fortify Jenkins Plugin supports Freestyle and Multi-configuration projects. If you selected an existing job, click Configure on the job page.
2. In the Post-build Actions section, click Add post-build action, and then select Fortify Assessment.
3. In the Build ID box, type a unique identifier for the scan.
4. In the Results file box, type a name for the Fortify results file (FPR). For example, MyAudit.fpr. Specifying the results file name is optional. If you do not provide a name:
• If you are running a Fortify SCA scan, the analysis results are written to scan.fpr in the workspace.
• If you are not running a Fortify SCA scan and you are uploading results to Fortify Software Security Center, the Fortify Jenkins Plugin searches "./**/*.fpr" in the workspace for the FPR file with the latest modified date.
5. (Optional) In the Maximum heap memory box, specify the maximum heap memory as an integer only. For example, to specify 48 GB, type 48000. By default, Fortify Static Code Analyzer enables automatic allocation of memory based on the physical memory available on the system. If you specify an amount of memory in this field, it overrides the default automatic memory allocation.
6. (Optional) In the Additional JVM options box, you can add additional JVM commands.
7. To download Fortify security content before the scan, select the Update Fortify Security Content check box, and specify the following:
a. In the Update server URL box, type the URL for the Fortify Rulepack update server. The default Fortify Rulepack update server URL is https://.
b. To connect to the Fortify Rulepack update server with a proxy server, select the Configure update server proxy check box, and then specify the proxy information.
8. To remove any temporary files from a previous scan for the specified build ID, select the Run Fortify SCA Clean check box. Fortify recommends that you run the clean phase before each translation unless, for example, you are translating several projects with the same build ID to perform one scan for all the projects and generate a single FPR file.
9. To run translation, select the Run Fortify SCA translation check box, and then specify the translation settings. You might want to skip the translation if, for example, the security content has changed but the source code has not. If you do skip the translation, make sure that you do not run a Fortify SCA clean.
Select Advanced if you are familiar with the Fortify Static Code Analyzer command-line interface or you want to specify all the translation options without any guidance. Specify all the Fortify Static Code Analyzer translation options, including source files, if needed. See the Micro Focus Fortify Static Code Analyzer User Guide for detailed information about the translation options.
Select Basic to be prompted to provide the typical information to scan Java code or to run a Maven 3 or a Gradle build to perform the translation. The configuration fields dynamically change based on your selection. For each of the basic translation configurations, you can exclude files or directories from the translation by including them in the Exclude list box. The following table provides instructions for each application type in the basic configuration.
b. (Optional) Enable the debug or verbose options.
c. (Optional) To specify a custom location for the Fortify Static Code Analyzer log file, specify a file name (or a full path) in the Log file location box. By default, the log file is written to the workspace in /.fortify/sca<version>/log.
10. To run a scan, select the Run Fortify SCA scan check box, and then specify the scan settings:
a. (Optional) In the Custom Rulepacks box, specify custom rules (XML files).
b. (Optional) Specify any additional scan options.
c. (Optional) Enable the debug or verbose options.
d. (Optional) To specify a custom location for the Fortify Static Code Analyzer log file, specify a file name (or a full path) in the Log file location box. By default, the log file is written to the workspace in /.fortify/sca<version>/log.
11. To upload the scan results to Fortify Software Security Center, select the Upload Fortify SCA scan results to Fortify Software Security Center check box, and then specify the upload settings:
a. (Optional) Specify a filter set to use when reading the FPR. If no value is specified, the Fortify Jenkins Plugin uses the Quick View filter set. The fail condition and the Normalized Vulnerability Score (NVS) calculation depend on the issues filtered by the filter set. For example, if a "Critical Exposure" filter is applied to the project issues (and no issues are found), then the fail condition determines that there is no reason to set this build to "unstable" and NVS is set to zero. The graph summary also shows zero.
b. To trigger a build failure based on scan results, type a search query in the Build failure criteria box. For example, the following search query causes the build to fail if any critical issues exist in the scan results:
See the Micro Focus Fortify Software Security Center User Guide for a description of the search query syntax.
c. Specify an Application name and Application version. If you have a successful connection to a Fortify Software Security Center server, you can select an application name and version from the list. Always specify both application name and application version.
d. To specify an amount of time to wait for the upload to Fortify Software Security Center, click Auto Job Assignment. The Fortify Jenkins Plugin polls Fortify Software Security Center until the FPR is processed before it runs the NVS calculation. The valid values are 0-60.
12. Click Save.

Viewing Analysis Results
If you uploaded Micro Focus Fortify Static Code Analyzer results to Micro Focus Fortify Software Security Center, you can view a security vulnerability graph for your project and a summary of the issues from Jenkins.

Security Vulnerability Graph for Your Project
The project page displays a Normalized Vulnerability Score (NVS) graph. NVS is a normalized score that gives you a rough idea of the security vulnerability of your project. The Fortify Jenkins Plugin calculates the NVS with the following formula:
NVS = ((CFPO * 10) + (HFPO * 5) + (MFPO * 1) + (LFPO * 0.1)) * 0.5 + ((P1 * 2) + (P2 * 4) + (P3 * 16) + (PABOVE * 64)) * 0.5
where:
• CFPO = Number of critical vulnerabilities (unless audited as Not an Issue)
• HFPO = Number of high vulnerabilities (unless audited as Not an Issue)
• MFPO = Number of medium vulnerabilities (unless audited as Not an Issue)
• LFPO = Number of low vulnerabilities (unless audited as Not an Issue)
and:
• PABOVE = Exploitable
• P3 = Suspicious
• P2 = Bad practice
• P1 = Reliability issue
The total issues count is not very useful. For example, if Application A has 0 critical issues and 10 low issues, the total issue count is 10. If Application B has five critical issues and no low issues, the total issue count is 5. These values might mislead you to think that Application B is better than Application A, when it is not. The NVS calculated for the two example applications provides a different picture (simplified equation):
• Application A: NVS = 0 * 10 + 10 * 0.1 = 1
• Application B: NVS = 5 * 10 + 0 * 0.1 = 50

Viewing Issues
To see the issues for a Fortify Static Code Analyzer analysis that you have uploaded to Micro Focus Fortify Software Security Center, open your project and click Fortify Assessment on the left. The interactive List of Fortify SSC issues page displays the Summary and Issue breakdown by Priority Order tables.
The Summary table shows the difference in the number of issues in different categories between the two most recent builds. A blue arrow next to a value indicates that the number in that category has decreased, and a red arrow indicates that the number in that category has increased.
The Issues breakdown by Priority Order table shows detailed information about the issues for the specified location and category in each priority folder. Wait for the table to load. If the data load takes too long, you might need to refresh the browser window (F5).
By default, you see the critical issues first. To see all issues, click the All tab. To see only those issues that were introduced in the latest build of your code, click the Show New Issues link at the top of the table.
The first and the second columns show the file name and line number of the issue and the full path to this file. The last column displays the category of each vulnerability. By default, issues are sorted by primary location. To organize them by category, click the Category column header.
To see more details about or to audit a specific issue, click the file name in the first column. The link takes you directly to the details for that issue on the Fortify Software Security Center server. If you are not logged in to Fortify Software Security Center, you are prompted to log in.

Configuring the Number of Issues Displayed on a Page
By default, the page displays up to 50 issues. To navigate to all the issues, use Next >> and << Previous at the top and bottom of the table. To increase the maximum number of issues displayed to 100 per page, from the 50 | 100 | All section at the bottom of the page, click 100.
To control the number of issues shown on a page from the Configure System page:
• In the Fortify Assessment section, click Advanced Settings, and then change the value in the Issue breakdown page size box.

Send Documentation Feedback
If you have comments about this document, you can contact the documentation team by email. If an email client is configured on this computer, click the link above and an email window opens with the following information in the subject line: Feedback on Installation and Usage Guide (Fortify Jenkins Plugin 18.20). Just add your feedback to the email and click send. If no email client is available, copy the information above to a new message in a web mail client, and send your feedback to the documentation team. We appreciate your feedback!
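The NVS formula from the "Security Vulnerability Graph for Your Project" section above, as an added example that is not the plugin's own code: it computes both the full score and the guide's simplified score for Applications A and B plus a constructed third application, and shows that ranking by raw issue count and by NVS disagree. The IssueCounts field names are my own; the weights are the ones printed in the guide.

```python
"""Normalized Vulnerability Score (NVS) as defined in the Fortify Jenkins Plugin guide.

Added example, not the plugin's code. Issue counts below are constructed sample
data; the IssueCounts field names are assumptions, the weights come from the guide.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class IssueCounts:
    """Issue counts for one application version.

    The first four fields are the Fortify Priority Order folders. The guide says
    issues audited as "Not an Issue" are excluded, so the caller must leave them
    out of these counts. The last four are the audit-result buckets P1..PABOVE.
    """
    critical: int = 0      # CFPO
    high: int = 0          # HFPO
    medium: int = 0        # MFPO
    low: int = 0           # LFPO
    reliability: int = 0   # P1: Reliability issue
    bad_practice: int = 0  # P2: Bad practice
    suspicious: int = 0    # P3: Suspicious
    exploitable: int = 0   # PABOVE: Exploitable


# Weights exactly as printed in the guide's formula.
PRIORITY_WEIGHTS = {"critical": 10, "high": 5, "medium": 1, "low": 0.1}
AUDIT_WEIGHTS = {"reliability": 2, "bad_practice": 4, "suspicious": 16, "exploitable": 64}


def priority_term(c: IssueCounts) -> float:
    """(CFPO * 10) + (HFPO * 5) + (MFPO * 1) + (LFPO * 0.1)"""
    return sum(getattr(c, name) * w for name, w in PRIORITY_WEIGHTS.items())


def audit_term(c: IssueCounts) -> float:
    """(P1 * 2) + (P2 * 4) + (P3 * 16) + (PABOVE * 64)"""
    return sum(getattr(c, name) * w for name, w in AUDIT_WEIGHTS.items())


def nvs(c: IssueCounts) -> float:
    """Full formula: both terms are weighted by 0.5. Rounded to hide float noise."""
    return round(priority_term(c) * 0.5 + audit_term(c) * 0.5, 6)


def nvs_simplified(c: IssueCounts) -> float:
    """The guide's simplified equation: priority term only, no 0.5 factor."""
    return round(priority_term(c), 6)


def total_issues(c: IssueCounts) -> int:
    """The raw count the guide warns is misleading."""
    return c.critical + c.high + c.medium + c.low


def rank(apps: Dict[str, IssueCounts], score: Callable[[IssueCounts], float]) -> List[str]:
    """Application names ordered from worst (highest score) to best."""
    return sorted(apps, key=lambda name: score(apps[name]), reverse=True)


# Constructed sample data: A and B are the guide's two applications; C is an
# extra case with a single medium issue that an auditor has marked Exploitable,
# which shows how heavily the audit term outweighs the priority folders.
SAMPLE_APPS = {
    "A": IssueCounts(critical=0, low=10),
    "B": IssueCounts(critical=5, low=0),
    "C": IssueCounts(medium=1, exploitable=1),
}


if __name__ == "__main__":
    for name, counts in SAMPLE_APPS.items():
        print(f"{name}: total={total_issues(counts):3d} "
              f"simplified NVS={nvs_simplified(counts):6.1f} NVS={nvs(counts):6.1f}")
    print("worst-first by total issues:", rank(SAMPLE_APPS, total_issues))
    print("worst-first by NVS:         ", rank(SAMPLE_APPS, nvs))
```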
Fortify 豹熊 Security Platform Product Introduction

... validate, and manage software security activities. OpenText™ is responsible for provisioning Fortify Hosted on an AWS cloud platform and delivers ongoing infrastructure, application, and support service remotely.

Fortify offers the broadest set of software security testing products spanning the software lifecycle:

FORTIFY ON DEMAND
A remotely delivered, cloud-based application security as a service solution. Application security testing is performed and reviewed by application security experts using application testing technologies and manual techniques. All customers are provided access to our Technical Account Support Team. Fortify on Demand includes Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), Mobile Application Security Testing (MAST), and optionally Software Composition Analysis (SCA). Scan time is guaranteed by SLA. Fortify on Demand also includes software installation and upgrades, assessments (scan setup, tuning, results auditing, additional manual testing), technical support (TAM for Fortify on Demand), and toolchain integration (process and technical) for customers or professional services. Fortify on Demand enables teams to work in a fully SaaS-based environment.

FORTIFY HOSTED
Fortify Hosted enables Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and optionally Software Composition Analysis (SCA) to be fully integrated into the Software Development Life Cycle (SDLC). It consists of a single-tenant, cloud-based solution with a web-based user interface that enables you to configure, perform, and manage application security assessments. Because Fortify Hosted is a dedicated cloud environment, the scan time is dependent on your load. Fortify Hosted also includes Fortify software installation and upgrades, technical support (CSM), and Toolchain Integration (process and technical). Fortify Hosted enables you to secure your applications, APIs, and IaC on a cloud-based, single-tenant environment maintained by Fortify so you can focus on AppSec, not infrastructure.

FORTIFY ON-PREMISES
Sustain software resilience with our industry-leading software security testing products, Fortify Static Code Analyzer and Fortify WebInspect by OpenText™, which are built for modern applications through customer deployment. Fortify On-Premises solutions provide Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST). The scan time is dependent on the hardware and load. Optional CSM technical support is available. Fortify software installation and upgrades, assessments (scan setup, tuning, result auditing, additional manual testing), and Toolchain Integration (process and technical) can be done by you or our Professional Services team. Fortify On-Premises enables teams to have absolute control over all aspects of the Fortify solution.

System Requirements
Fortify usage

Fortify usage (original practical edition, 3 articles)

Contents (Article 1)
1. What Fortify is and what it does
2. How to use Fortify
3. Advantages and application scenarios of Fortify
4. Points to note when using Fortify

Text (Article 1)

Fortify is a security tool used to strengthen and protect computer systems and networks. It helps enterprises and individuals protect their important data and information and prevent hacker attacks and cybercrime. The usage of Fortify is described in detail below.

Usage:
1. Download and install Fortify. To start using Fortify, you first need to download and install the software. You can download the latest version from the official Fortify website and follow the instructions of the installation wizard.
2. Configure Fortify. After installation, you need to perform some basic configuration so that Fortify works correctly. For example, you need to set the scan scope and targets, and select the files and folders to protect.
3. Start Fortify. Once configuration is complete, you can start Fortify and begin using it. Fortify automatically scans your system and identifies possible security vulnerabilities and risks.
4. Fix security vulnerabilities. If Fortify finds any security vulnerabilities or risks, it provides you with a detailed report and recommendations. You can fix the vulnerabilities based on these recommendations to ensure your system and data are fully protected.

Advantages and application scenarios: Fortify has several advantages, including:
1. Efficiency: Fortify can scan your system quickly and deliver results in a short time.
2. Intelligence: Fortify uses artificial intelligence technology to identify possible security vulnerabilities and risks and to offer recommendations.
3. Flexibility: Fortify adapts to a wide range of scenarios, including enterprise networks and personal computers.

Points to note: When using Fortify there are some things to keep in mind so that it works correctly and securely. For example, you should avoid shutting down the computer while Fortify is scanning, so as not to affect the scan results. In addition, you should update the Fortify software version regularly so that it can recognize the latest security vulnerabilities and risks.

Fortify is a powerful security tool that can help enterprises and individuals protect their systems and data from the threat of cyber attacks and crime.
Fortify usage (latest edition, 3 articles)

Contents (Article 1)
1. What Fortify is and what it does
2. How to use Fortify
3. Advantages and limitations of Fortify

Text (Article 1)

Fortify is software used to strengthen and protect computer systems and networks. It can ensure secure data transmission and storage through encryption and authentication technologies, and can also prevent hacker attacks and cybercrime.

To use Fortify, you first need to install the Fortify software on the computer or network system. After installation, you can set up and use Fortify through the following steps:
1. Configure Fortify: open the Fortify software and, as prompted, enter the relevant information about the computer or network system, such as IP address, port number, username and password.
2. Encrypt data transmission: set the encryption algorithm and key in Fortify to ensure data is not stolen or tampered with in transit.
3. Authenticate users and devices: set the authentication method for users and devices in Fortify, such as passwords, digital certificates or biometrics, so that only authorized users and devices can access the computer or network system.
4. Defend against hacker attacks: set up the firewall and intrusion detection system in Fortify to guard against hacker attacks and cybercrime.

The advantage of Fortify is that it provides comprehensive security protection, including data encryption, authentication and a firewall. Fortify is also easy to use and highly customizable, and can be set up and adjusted according to the user's needs.

However, Fortify also has some limitations. For example, it requires users to have a certain level of technical skill to set up and operate it, and it has some impact on the performance of computer and network systems. In addition, Fortify cannot completely prevent hacker attacks and cybercrime; it can only raise the difficulty and cost of an attack.

Overall, Fortify is a very useful computer and network security tool that provides users with comprehensive security protection.

Contents (Article 2)
1. What Fortify is and what it does
2. How to use Fortify
3. Advantages and limitations of Fortify

Text (Article 2)

Fortify is a security tool used to strengthen and protect computer systems and networks. It helps users identify potential security vulnerabilities and provides corresponding solutions to ensure the security and stability of systems and networks.
Fortify SCA Installation and User Manual
Document number: GRG _YT-RDS-PD-D03_A.0.1
Version: V1.0
Release date: 2011-5-5

Document history
Number and name | Version | Release date | Created/modified notes | Participants

Copyright notice
Title and copyright in this software product (including any programs, images, documents and accompanying printed materials it contains) and in any copies of this software product belong to Guangzhou GRG Banking Equipment Co., Ltd. You may not reverse engineer or decompile this software product using any tool or by any means. Without the permission of Guangzhou GRG Banking Equipment Co., Ltd., you may not publish this software product or any related materials, in whole or in part, for any purpose or by any means; otherwise you will be subject to severe civil and criminal penalties and prosecuted to the fullest extent permitted by law.
Contents
Document history
1. Product description
1.1. Features
1.2. Product update notes
2. Installation
2.1. Files required for installation
2.2. System platforms supported by Fortify SCA
2.3. Supported languages
2.4. Fortify SCA plug-ins
2.5. Compilers supported by Fortify SCA
2.6. Installing Fortify SCA on Windows
2.7. Installing the Fortify SCA Eclipse plug-in
2.8. Installing Fortify SCA on Linux (requires the Linux installer)
2.9. Installing Fortify SCA on Unix (requires the Unix installer)
3. Usage
3.1. Fortify SCA scanning guide
3.2. Analyzing Fortify SCA scan results
4. Troubleshooting
4.1. Using log files to debug problems
4.2. Translation failure messages
4.3. JSP translation failures
4.4. C/C++ precompiled headers

Preface
Fortify SCA is currently the most comprehensive source-code white-box security testing tool in the industry. It pinpoints security problems at the code level, completes testing fully automatically, ships the broadest set of security vulnerability rules, and analyzes source-code security problems from multiple dimensions.
Document conventions
This manual uses the following conventions to distinguish parts of the manual.

Convention | Meaning
Bold: "bold SimSun" indicates a button or option in a screenshot, e.g. click Save.
→ "right arrow": used between two or more terms to indicate hierarchy; the item on the left is the parent of the item on the right, e.g. File → Open.
● "bullet": indicates parallel options or attributes at the same level.
1, 2, 3 "bold numbers": indicate the steps of a procedure.
"Warning": indicates something that needs attention.
"Tip": indicates additional explanatory text.
1. Product description
Fortify SCA (Static Code Analyzer) is one of the products in the Fortify 360 family. SCA works in the development phase and is used to analyze an application's source code for security vulnerabilities. It can not only find new vulnerabilities that can only be discovered statically, but also verify already-discovered vulnerabilities in the testing and production phases.
1.1. Features
The main features and advantages of Fortify SCA are:
1. The most complete static code analyzer in the industry, based on the largest and most comprehensive set of secure coding rules, which are updated continuously to keep pace with new software security vulnerabilities
2. Analyzes how vulnerabilities arise across layers and across languages; all mainstream development languages are currently supported
3. Very high accuracy in confirming security vulnerabilities
4. Precisely locates the full path by which a vulnerability arises, making it easy for developers to fix
5. Supports multiple software development platforms

1.2. Product update notes
Name | Version | Release date | Functional changes
Fortify SCA | V2.0 | |

2. Installation
2.1. Files required for installation
1. The Fortify SCA installer
2. The Fortify license (the installation authorization file)
3. The Fortify rulepack files (the latest rulepacks can be downloaded online)
4. The IDE into which the plug-in will be installed (for example Eclipse 3.2 or 3.3; VS2003 or VS2005; RAD7; RSD7)

2.2. System platforms supported by Fortify SCA
2.3. Supported languages
2.4. Fortify SCA plug-ins
2.5. Compilers supported by Fortify SCA

2.6. Installing Fortify SCA on Windows
1. Double-click Fortify-360-2[1].0-Analyzers_and_Apps-Windows-x86.exe in the installation package to start the installation
2. Select the path of the license file provided by Fortify (the fotify_rule folder in the installation package, which contains fortify.license), then click NEXT
3. Select the installation path and click NEXT
4. Select the components to install. Note that Fortify does not install IDE plug-ins by default; if you need an IDE plug-in, select it as shown in the figure. Here the plug-ins for Eclipse 3.x and VS2005 were selected (the VS IDE must be installed before its plug-in). Then click NEXT
5. Click NEXT again to complete the installation
6. Add the rulepacks: either download the latest rulepacks online, or extract rules_ZH.rar from the fotify_rule folder in the installation package into Core\config\rules under the Fortify installation directory

2.7. Installing the Fortify SCA Eclipse plug-in
2.8. Installing Fortify SCA on Linux (requires the Linux installer)
2.9. Installing Fortify SCA on Unix (requires the Unix installer)

3. Usage
Fortify SCA scanning methods:
1. IDE plug-in
2. Command line
3. Scanning a directory from Audit Workbench
4. Integration with build tools (ant, makefile)
5. SCA build monitor (C/C++, Windows only)
The two most commonly used methods, the IDE plug-in and the command line, are described below.

3.1. Fortify SCA scanning guide
3.1.1 Scanning with the Eclipse plug-in
1.1 First install the Fortify SCA plug-in correctly, following the installation guide above; after a successful installation the IDE shows an icon, as in the figure
1.2 Import the project whose source code is to be security-tested; after a successful import it appears in the Package Explorer on the right of the window shown above
1.3 Left-click to select the project and then click the icon to scan; or right-click the project and select Analyze source code of project from the pop-up menu.

3.1.2 Scanning a directory from Audit Workbench
2.1 Start Audit Workbench from Start menu -> All Programs -> Fortify Software -> Fortify 360 v2.0 -> AuditWorkbench; the window is shown below
2.2 Advanced Scan is recommended; select the directory to scan and click OK to start scanning

3.1.3 Scanning from the command line
Java command-line syntax
This topic describes the Fortify SCA command syntax for translating Java source code.
The basic Java command-line syntax is:

    sourceanalyzer -b <build-id> -cp <classpath> <file-list>

For Java code, Fortify SCA can either emulate the compiler (which makes build integration convenient) or accept source files directly (which makes command-line scanning convenient).
Note: for all the options that can be used with the sourceanalyzer command, see "Command-line options" on page 33.
To have Fortify SCA emulate the compiler, enter:

    sourceanalyzer -b <build-id> javac [<compiler options>]

To pass files directly to Fortify SCA, enter:

    sourceanalyzer -b <build-id> -cp <classpath> [<compiler options>] \
        <files>|<file-specifiers>

where:
<compiler options> are options passed through to the compiler.
-cp <classpath> specifies the classpath to use for the Java source code. A classpath is a list of build directories and jar files, in the same format javac expects (a colon- or semicolon-separated list of paths). Fortify SCA file specifiers may be used, for example:

    -cp "build/classes:lib/*.jar"

Note: if no classpath is given with this option, the CLASSPATH environment variable is used.
<files> | <file-specifiers>: file specifiers let you pass a long list of files to Fortify SCA easily by using wildcards. Fortify SCA recognizes two kinds of wildcard: '*' matches part of a file name, and '**' matches directories recursively. You can specify one or more files, one or more file specifiers, or a combination of files and file specifiers.

Java command-line examples
To translate a file named MyServlet.java with j2ee.jar on the classpath, enter:

    sourceanalyzer -b MyServlet -cp lib/j2ee.jar MyServlet.java

To translate all .java files under the src directory using all jar files in the lib directory as the classpath:

    sourceanalyzer -b MyProject -cp "lib/*.jar" "src/**/*.java"

To translate MyCode.java while running the javac compiler:

    sourceanalyzer -b mybuild javac -classpath libs.jar MyCode.java

Simple example of translating a J2EE project
Put all of the project's files and libraries under one directory and run the following command there:

    sourceanalyzer -Xmx1000m -b pName -encoding "UTF-8" -cp "**/*.jar" .

The second form also declares the WebLogic application server:

    sourceanalyzer -Xmx1000m -b pName -appserver weblogic -appserver-version 9 -appserver-home "d:\bea\weblogic\server\lib" -encoding "UTF-8" -cp "**/*.jar" .

Translating JSP files
To translate JSP files, Fortify SCA requires the JSP files to follow the standard Web Application Archive (WAR) layout.
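As an added example (not code from the manual or from Fortify), the file-specifier matching and translate-command assembly described above, implemented in Python over a constructed project tree. It assumes, which the manual does not state, that '**' matches zero or more directory levels and that '*' never crosses a path separator.

```python
import re

# Assumption (not stated in the manual): "**" matches zero or more directory
# levels and "*" never crosses a "/" separator.
def spec_to_regex(spec: str) -> re.Pattern:
    """Compile a Fortify-style file specifier into a regex over '/' paths."""
    parts, i = [], 0
    while i < len(spec):
        if spec.startswith("**/", i):
            parts.append(r"(?:[^/]+/)*")   # any depth of directories, or none
            i += 3
        elif spec[i] == "*":
            parts.append(r"[^/]*")         # part of a single file/dir name
            i += 1
        else:
            parts.append(re.escape(spec[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")

def expand(spec: str, paths) -> list:
    """Return the sorted subset of `paths` that the specifier selects."""
    rx = spec_to_regex(spec)
    return sorted(p for p in paths if rx.match(p))

def translate_argv(build_id, classpath_specs, file_specs,
                   encoding="UTF-8", heap="1000m"):
    """argv for the translate phase. Specifiers are passed verbatim (the
    manual's examples quote them) so that sourceanalyzer, not the shell,
    expands them; an unquoted '**' is only a plain '*' to most shells."""
    return ["sourceanalyzer", f"-Xmx{heap}", "-b", build_id,
            "-encoding", encoding,
            "-cp", ":".join(classpath_specs), *file_specs]

# Constructed project tree standing in for a real checkout.
PROJECT = [
    "src/Main.java",
    "src/com/example/MyServlet.java",
    "src/com/example/util/Helper.java",
    "test/com/example/MyServletTest.java",
    "lib/j2ee.jar",
    "lib/ext/log.jar",
    "build/classes/com/example/MyServlet.class",
]

if __name__ == "__main__":
    for spec in ("src/**/*.java", "lib/*.jar", "**/*.jar"):
        print(spec, "->", expand(spec, PROJECT))
    print(" ".join(translate_argv("MyProject", ["lib/*.jar"], ["src/**/*.java"])))
```

Note that "lib/*.jar" does not descend into lib/ext, while "**/*.jar" does; checking which files a specifier actually selects before translation catches the missing-source problem the manual's troubleshooting sections describe.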