
Question about auto creation of SSC project version while using fortify-plugin #9

Open
helenlevich opened this issue Jan 27, 2020 · 9 comments
Labels
enhancement New feature or request

Comments

@helenlevich

From the documentation, it looks like fortify-plugin support SSC REST API.
We are trying to automate version creation in SSC when we trigger job in Jenkins we want to create new project version as a copy of existing project version in SSC.
Will fortify-plugin allow us to do that?
Thank you

@helenlevich helenlevich changed the title Question about auto creation of SSC version while using fortify-plugin Question about auto creation of SSC project version while using fortify-plugin Jan 27, 2020
@thezim

thezim commented Apr 24, 2020

Not sure if you found what you were looking for already, but yes, it can create the version if it does not exist. The account that is connecting just needs the permission Add Application Versions.

@UncleIS

UncleIS commented Aug 12, 2022

Hi! I believe that the question is about more than just the version creation: create new project version as a copy of existing project version in SSC. This is required to have the audit state copied from a version that has been already audited to the newly created one, to avoid the necessity to start everything from scratch.

I'm looking for this option too, but have not found it in any of the steps so far. Would appreciate if you could clarify this.

Thanks!

@akaryakina
Contributor

Hmm, right now there's no way to do it from the plugin, however... The audits are saved inside of your fpr file that you can download from SSC. If you manually download the fpr, you can use the fortifyUpload task that would upload it to the newly created version (this should only happen the first time the app version is created), and that would carry all the audits over. The only difficulty is automating that fpr download (which can be done by the fortifyclient command line utility if you have SCA_and_Apps installed). I would probably need more information about your setup and your expectations step-by-step to help you develop the correct pipeline.

@UncleIS

UncleIS commented Aug 15, 2022

I would probably need more information about your setup and your expectations step-by-step to help you develop the correct pipeline.

Thanks for the reply! Here is what we would like to do with our multibranch projects in Jenkins:

  • We perform a scan of a base branch and perform the audit using Fortify UI
  • With every subsequent base branch build, the results of the previous audit are to be propagated, so that we would need to audit only the newly introduced issues, and could fail the pipeline using the search functionality of fortifyUpload. This part is already working as long as we keep the version the same across the builds
  • When starting a build of a non-base branch (say, a PR), we need to copy the state of the most recent build of the base branch, so that the audit for this build could be started not from scratch, but from the point the base is on at the point of the build
  • Ideally, when the PR is merged, it would be nice to merge the results of its audit back into the base, so that we could avoid the necessity to audit them once again

In general, the workflow that we envision would be similar to the one provided by Sonar plugin, where we only need to specify the branch / PR name, and the plugin would create the diffs and manage the results transparently (or not, depending on how transparency is defined) depending on what branch / PR name is specified.

@akaryakina akaryakina added the enhancement New feature or request label Sep 1, 2022
@gayathrisandra

Hi @UncleIS , @akaryakina ,
I am also looking to automate new version creation for an existing Fortify application, can you help me with this?

@UncleIS

UncleIS commented Oct 10, 2022

Hi, @gayathrisandra !

The plugin creates new versions, as long as the only thing that is required is to create it and upload scan results. In case you need a more intelligent approach, the API can be used to code as complex logic as you need.

This is what we did actually:

  1. When we build a PR, we check if the target version the PR is intended for exists. If it does, we create a new version with an API call, initialize it with the data from the target version (copy data from target to the current version), and then scan the code locally and upload the scan result to the newly created version. Thus, we have all the audit results submitted previously available in the new version, so that devs have a starting point to work from.
  2. When a PR is closed, we merge all the audit data from the PR into the target version, and also deactivate the PR version to clean up.

It would be nice to have at least a part of it as a plugin functionality, though: being able to merge the results from one version to another would simplify things a lot!

@gayathrisandra

Thank you @UncleIS. Can you please share the API to create a new version from an existing application version, if there is one built in?

@UncleIS

UncleIS commented Oct 11, 2022

Hi, @gayathrisandra.

We POST to the /projectVersions endpoint to create a project version.

Once the version is created, we PUT /projectVersions/{id} to commit it (in Fortify SSC terms): once created, the project version is not usable right away.

After that, we POST /projectVersions/action/copyCurrentState in order to copy the audit information from one version to another.

Our Fortify SSC installation provides a Swagger UI that can be used to investigate the capabilities and to select the right endpoints for your purpose, especially considering how much data you might need to provide to some of them. Have a look at your installation's API reference to find out about these and other endpoints (there are quite a lot).

Sometimes it was helpful to use browser web developer tools while clicking through the UI to capture the exact requests that the UI formed.

Hope this helps!

Best regards,
Boris
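The three-call sequence Boris describes (create, commit, copyCurrentState), as an added example that is not part of this thread or of fortify-plugin: a small Python client that creates a PR version from a base version as in the workflow above. The `/api/v1` base path, the `FortifyToken` auth scheme, the request body field names and the `{"data": {...}}` response envelope are assumptions to confirm against your installation's Swagger UI; the transport is injectable, and `recording_sender` is a constructed offline stand-in so the sequence can be exercised without an SSC instance.

```python
import json
import urllib.request


def make_sender(base_url, token):
    """Real HTTP transport: (method, path, body) -> parsed JSON. The '/api/v1'
    base path and the 'FortifyToken' scheme are assumptions; check Swagger UI."""
    def send(method, path, body):
        req = urllib.request.Request(
            f"{base_url.rstrip('/')}/api/v1{path}",
            data=json.dumps(body).encode(),
            method=method,
            headers={"Authorization": f"FortifyToken {token}",
                     "Content-Type": "application/json"},
        )
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return send

def recording_sender(fake_id=42):
    """Offline stand-in for make_sender (constructed for this example): records
    every call and answers each request with a fixed id in the assumed envelope."""
    calls = []
    def send(method, path, body):
        calls.append((method, path, body))
        return {"data": {"id": fake_id}}
    return send, calls

def create_version_from(send, app_name, new_version, source_version_id):
    """Create app_name/new_version, commit it, then copy the audit state of
    source_version_id into it. Returns the new version id. Body field names
    and the {'data': {...}} response envelope are assumptions."""
    # Step 1: POST /projectVersions creates the version, still uncommitted.
    created = send("POST", "/projectVersions", {
        "name": new_version,
        "project": {"name": app_name},
        "active": True,
        "committed": False,
    })
    new_id = int(created["data"]["id"])
    # Step 2: PUT /projectVersions/{id} commits it; until then it is unusable.
    send("PUT", f"/projectVersions/{new_id}", {"committed": True})
    # Step 3: copyCurrentState carries the previous audits into the new version.
    send("POST", "/projectVersions/action/copyCurrentState", {
        "projectVersionId": new_id,
        "previousProjectVersionId": source_version_id,
    })
    return new_id
```

Use a dedicated SSC token with only the Add Application Versions permission thezim mentions plus what copyCurrentState needs, rather than an administrator token, since this runs unattended from Jenkins.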

@gayathrisandra

@UncleIS Thanks Boris. It's really helpful.
