[JENKINS-61116] FOD-Octane Integration - no Vulnerabilities shown

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Critical
    • ALM Octane On Premise - 15.0.20.60
      Jenkins 2.204.2
      Micro Focus Application Automation Tools Plugin 6.1
      FOD Plugin 5.0.1

      Followed instructions from https://admhelp.microfocus.com/octane/en/15.0.20/Online/Content/AdminGuide/how-setup-FoD-integration.htm?Highlight=fortify

      Pipeline Job successfully uploads to FOD and finds NEW vulnerabilities but nothing is shown in Octane for the pipeline. Waited to see if polling of FOD updates them but nothing appears.

      Is there any way of debugging this to see if polling of FOD results is happening?

        1. image-2020-02-24-09-01-01-035.png (39 kB)
        2. FOD-Config.PNG (26 kB)
        3. FOD.png (42 kB)
        4. nga2.log (1.24 MB)
        5. scan-summary.PNG (29 kB)
        6. 51667_scandata.fpr (2.40 MB)
        7. nga.log (1.22 MB)

          Kevin Lee created issue -
          Paul-Adrian Tofan made changes -
          Assignee Original: Maria Narcisa Galan [ narcisamgalan ] New: Radi Berkovich [ radislavb ]
          nir yom tov made changes -
          Assignee Original: Radi Berkovich [ radislavb ] New: nir yom tov [ onentwoo ]

          nir yom tov added a comment - - edited

          Hi, some questions here:

          1. I see that the Octane plugin is 6.1 - what is the FOD plugin version?
          2. Is the pipeline set to be type 'security'?
          3. Do the vulnerabilities that were found have a later date (introduce date) than the pipeline creation? (Vulnerabilities that exist before the pipeline creation won't be injected.)
          4. Is it possible to submit the Jenkins log? It is found in: <Jenkins url>/userContent/nga/logs/nga.log
          5. Also, please tell me whether your Jenkins job is a simple one or pipeline as code?

          Thanks

          Nir

          Kevin Lee made changes -
          Attachment New: nga.log [ 50338 ]
          Kevin Lee made changes -
          Attachment New: 51667_scandata.fpr [ 50339 ]
          Kevin Lee made changes -
          Attachment New: scan-summary.PNG [ 50340 ]

          Kevin Lee added a comment -

          Thanks Nir,

          1. FOD Plugin version 5.0.1
          2. Pipeline is "End to End" and "Security" - can it be more than one tag?
          3. Yes vulnerabilities found in commit to repository (see attached) after pipeline was created.
          4. Attached
          5. It is Jenkinsfile Pipeline in GitHub - commit to repository starts Jenkins/Octane Pipeline and FOD upload!

          It is for customer demo. I can leave VM up for a while if you want to look (pm for login details: kevin.lee@microfocus.com)

          Kevin

          Kevin Lee made changes -
          Attachment New: nga2.log [ 50345 ]

          Kevin Lee added a comment -

          Tried running the same build in a Freestyle Jenkins Job (set Octane Pipeline to Security only) - now there is an Authentication error in the log (see nga2.log). Don't know why this is the case, as the Pipeline uploads and runs the Scan in FOD successfully?

          I have tried both API Key and Personal Access Token authentication with the same result.

          Kevin
