JENKINS-62118

Exception in nga log when doing Fortify SCA scan from Jenkins and no vulnerabilities showing in ALM Octane pipeline

Description

Attachment: nga.log

      Hello

It's a Jenkins pipeline which has one stage with Fortify SCA scan related steps; the FPR files are uploaded to SSC successfully, and I can see the issues list in Jenkins as well. But in ALM Octane, I don't see the vulnerabilities showing up. The pipeline is of Security type, and I set the max number of vulnerabilities per pipeline run to 500.

      Could you please help on this? Thanks!

      Best Regards,

      Tracy


          Activity

nir yom tov added a comment -

Hi, first, see here the matrix of plugin support, Octane plugin and Fortify SSC plugin, and check if your version is there:

                            Fortify SSC 18.10        Fortify SSC 19.1.29      Fortify SSC 19.2.30
Octane plugin 6.0.5 beta    works all                works all                works for Pipeline only
Octane plugin 5.9.4 beta    works without Pipeline   works with Pipeline      doesn't work
Octane plugin 5.9.3 beta    works without Pipeline   works without Pipeline   doesn't work
Daniel Shmaya added a comment -

Looks like the vulnerabilities calculated (filtered out) from the actual result of the remote SSC return an empty list.

This could happen when there is some baseline (the time that the pipeline was created or became a security pipeline), and since then there have been no new issues detected.

Meaning it looks like issues exist, but they are not calculated (as relevant) for the pipeline, and so it returns an empty list.

tracy he added a comment -

          Hello,

My Octane plugin version is 6.2 and Fortify SSC plugin version is 19.2.30.


          Hi Daniel,

I found that if I upload from a Jenkins pipeline with a new SSC app & version, it will show the vulnerabilities in Octane. This makes me confused. About the baseline, pipeline creation or becoming a security pipeline, I got it, but which time is it comparing to? Is it the time the issue was created in Fortify SSC?


          Best Regards,

          Tracy

Daniel Shmaya added a comment -

Hi Tracy, the time that is compared to the baseline is the time we get from the SSC vulnerability (converted to UTC), so if you got new vulnerabilities, they were for sure created after the security pipeline was created / configured as security.

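The two comments from Daniel above describe a baseline filter: an SSC vulnerability is reported for a pipeline run only if its found time, normalised to UTC, is later than the time the pipeline was created or switched to the Security type, which is why an existing SSC application version can yield an empty list while a freshly created one shows everything. The Python below is an added illustration of that rule written for this page; it is not code from the ALM Octane plugin or from Fortify SSC. The issue records, their timestamps and the field names (id, category, found_date) are constructed assumptions for the example.

```python
from datetime import datetime, timezone

# Constructed sample issues, loosely modelled on what an SSC scan result
# carries: an issue id, a category and the time the issue was first found.
# Values and field names are made up for this illustration.
SSC_ISSUES = [
    {"id": "A1", "category": "SQL Injection",        "found_date": "2019-11-02T10:15:00.000+0000"},
    {"id": "A2", "category": "Cross-Site Scripting", "found_date": "2020-01-20T09:00:00.000+0200"},
    {"id": "A3", "category": "Path Manipulation",    "found_date": "2020-04-10T23:30:00.000-0500"},
]

# Assumed timestamp layout: ISO-8601 with milliseconds and a numeric offset.
TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"


def to_utc(ts: str) -> datetime:
    """Parse a timestamp with a numeric offset and normalise it to UTC.

    Comparing the raw strings would be wrong: "09:00+0200" is earlier than
    "08:00+0000", so both sides are brought to UTC before comparing.
    """
    return datetime.strptime(ts, TS_FORMAT).astimezone(timezone.utc)


def issues_after_baseline(issues, baseline: str):
    """Return the issues found strictly after the baseline timestamp.

    The baseline stands for the moment the pipeline was created or switched
    to the Security type. Issues found before it are treated as pre-existing
    and are not reported for the run, so a pipeline pointed at an SSC
    application version scanned before that moment legitimately gets an
    empty list even though SSC itself lists issues.
    """
    baseline_utc = to_utc(baseline)
    return [i for i in issues if to_utc(i["found_date"]) > baseline_utc]


def ids_after_baseline(issues, baseline: str):
    """Convenience wrapper returning only the issue ids."""
    return [i["id"] for i in issues_after_baseline(issues, baseline)]


if __name__ == "__main__":
    # Pipeline marked Security on 2020-04-01: only A3 was found afterwards.
    print(ids_after_baseline(SSC_ISSUES, "2020-04-01T00:00:00.000+0000"))
    # Pipeline marked Security after the last scan: nothing is new, empty list.
    print(ids_after_baseline(SSC_ISSUES, "2020-05-01T00:00:00.000+0000"))
    # Every issue found after the baseline (the new SSC app & version case
    # from the thread): all three are reported.
    print(ids_after_baseline(SSC_ISSUES, "2019-01-01T00:00:00.000+0000"))
```

The second call reproduces the symptom in the report: issues visible in Jenkins and SSC, but nothing for Octane, because all of them predate the baseline. An issue whose found time equals the baseline exactly is excluded here (strict comparison); whether the real plugin treats that boundary the same way is not stated in the thread.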

People

Assignee: Daniel Shmaya
Reporter: tracy he
Votes: 0
Watchers: 3