JENKINS-62118

Exception in nga log when do fortify SCA scan from jenkins and no vulnerbilities showing in ALM Octane pipeline

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • Jenkins version: 2.222.3
      plugin version: 6.2
      Octane version: 15.0
      Fortify SSC 19
      Fortify SCA 19

      Attachments: nga.log

      Hello

      It's a Jenkins pipeline which has one stage with Fortify SCA scan related steps. The FPR files are uploaded to SSC successfully, and I can see the issues list in Jenkins as well. But in ALM Octane, I don't see the vulnerabilities showing up. The pipeline is Security type, and I set the max number of vulnerabilities per pipeline run to 500.

      Could you please help on this? Thanks!

      Best Regards,

      Tracy



          nir yom tov added a comment -

          Hi, first, see here the matrix of plugin support (Octane plugin and Fortify SSC plugin) and check whether your version is there:

                                      Fortify SSC 18.10        Fortify SSC 19.1.29      Fortify SSC 19.2.30
          Octane plugin 6.0.5 beta    works (all)              works (all)              works for Pipeline only
          Octane plugin 5.9.4 beta    works without Pipeline   works with Pipeline      doesn't work
          Octane plugin 5.9.3 beta    works without Pipeline   works without Pipeline   doesn't work


          Daniel Shmaya added a comment -

          Looks like the vulnerabilities calculated (filtered out) from the actual result of the remote SSC return an empty list.

          This could happen when there is some baseline (the time that the pipeline was created or became a security pipeline), and since then there have been no new issues detected.

          Meaning it looks like issues exist, but they are not calculated (as relevant) for the pipeline, and so it returns an empty list.


          tracy he added a comment -

          Hello,

          My Octane plugin version is 6.2 and Fortify SSC plugin version is 19.2.30.


          Hi Daniel,

          I found that if I upload from a Jenkins pipeline with a new SSC app & version, it will show the vulnerabilities in Octane. This makes me confused. About the baseline (pipeline creation or becoming a security pipeline), I got it, but which time is it comparing to? Is it the time the issue was created in Fortify SSC?


          Best Regards,

          Tracy


          Daniel Shmaya added a comment -

          Hi Tracy, the time that is compared to the baseline is the time we get from the SSC vulnerability (converted to UTC), so if you got new vulnerabilities, they were for sure created after the security pipeline was created / configured as security.

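          The baseline filter described in the two comments above, as an added illustration (not code from the Octane plugin or from this issue): each SSC issue's found date is normalised to UTC and kept only if it falls after the time the pipeline became a security pipeline, capped at the per-run maximum. The issue field names, the ISO 8601 timestamp format with a numeric offset, the strict "after" comparison and the newest-first ordering are assumptions made for the example. The constructed data reproduces both situations from the thread: an existing SSC application version whose issues all predate the baseline yields an empty list, while a freshly created application version scanned after the baseline yields its issues.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List


@dataclass(frozen=True)
class SscIssue:
    """Minimal stand-in for one SSC issue: id, category and the found-date
    string SSC reports, carrying whatever UTC offset the SSC server used.
    The field names are assumptions for this illustration."""
    issue_id: int
    category: str
    found_date: str


def to_utc(ts: str) -> datetime:
    """Parse an ISO 8601 timestamp with an explicit offset and normalise it to UTC.
    A naive timestamp is rejected: comparing it against a UTC baseline would
    silently shift every result by the server's zone offset."""
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        raise ValueError(f"timestamp has no UTC offset: {ts}")
    return dt.astimezone(timezone.utc)


def relevant_issues(issues: List[SscIssue], baseline_utc: datetime,
                    limit: int = 500) -> List[SscIssue]:
    """Keep only issues found after the pipeline baseline, newest first, capped
    at the per-run maximum (500 in the reporter's configuration). Anything
    found before the baseline is treated as pre-existing and dropped, which is
    the empty-list outcome the comments describe."""
    if baseline_utc.tzinfo is None:
        raise ValueError("baseline must be timezone-aware (UTC)")
    kept = [i for i in issues if to_utc(i.found_date) > baseline_utc]
    kept.sort(key=lambda i: to_utc(i.found_date), reverse=True)
    return kept[:limit]


# Constructed scenario: the pipeline was switched to the "Security" type on
# 15 April 2020 at 00:00 UTC; that instant is the baseline.
BASELINE = datetime(2020, 4, 15, 0, 0, tzinfo=timezone.utc)

# Existing SSC application version: every issue was first found by scans
# that ran weeks before the pipeline became a security pipeline.
EXISTING_VERSION_ISSUES = [
    SscIssue(101, "SQL Injection", "2020-03-01T09:12:00.000+00:00"),
    SscIssue(102, "Path Manipulation", "2020-03-03T14:40:00.000+00:00"),
    # Found at 01:30 in a UTC+2 server zone, i.e. 23:30 UTC on 14 April:
    # still before the baseline once converted, so it must not count.
    SscIssue(103, "Cross-Site Scripting", "2020-04-15T01:30:00.000+02:00"),
]

# Fresh SSC application version created for the pipeline: every issue is
# first found by the scan that runs after the baseline.
NEW_VERSION_ISSUES = [
    SscIssue(201, "SQL Injection", "2020-04-20T10:15:30.000+00:00"),
    SscIssue(202, "Path Manipulation", "2020-04-20T10:15:31.000+00:00"),
    # 02:30 in UTC+2 is 00:30 UTC on 15 April, just after the baseline,
    # so the conversion makes this one count.
    SscIssue(204, "Cross-Site Scripting", "2020-04-15T02:30:00.000+02:00"),
]


def existing_version_ids() -> List[int]:
    """Issue ids Octane would show for the pre-existing application version."""
    return [i.issue_id for i in relevant_issues(EXISTING_VERSION_ISSUES, BASELINE)]


def new_version_ids() -> List[int]:
    """Issue ids Octane would show for the newly created application version."""
    return [i.issue_id for i in relevant_issues(NEW_VERSION_ISSUES, BASELINE)]


if __name__ == "__main__":
    print("existing app version ->", existing_version_ids())  # []
    print("new app version      ->", new_version_ids())       # [202, 201, 204]
```

          The two timezone cases are the practical check: an issue timestamp that looks like it is on the baseline day can land on either side of the baseline once converted to UTC, so when the pipeline shows nothing, compare the SSC found dates in UTC against the time the pipeline was created or switched to Security rather than against local wall-clock time.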

            daniels Daniel Shmaya
            tracy_1984 tracy he