pwil301

Reputation: 323

How to fail a TFS build based on Fortify scan results

From a PowerShell query, how can I get the count of new critical or high vulnerabilities from a Fortify security scan of .NET code? The query should not include any findings already on the SSC server that were documented as "not an issue" or "suppressed".

We have Team Foundation Server 2017u2. As part of our build and release process we execute HP/Micro Focus Fortify security scans and upload the results to the Fortify SSC server. We are trying to make the build/release fail whenever the scanner detects new critical or high findings in the code. We use the Micro Focus Fortify plugin for TFS to configure the scan step and upload to SSC: (Fortify TFS plugin). We added a PowerShell task afterward to attempt to query for findings and fail the build if needed.

The examples and suggestions we've found use the FPRUtility to query the .fpr file generated from our current scan. However, this current scan does not include any previously entered content from developers documenting false positives or suppressed issues. This results in our builds always failing.

I tried looking through the REST API docs but, while Swagger makes it easy to see the parameters and contracts, I can't find any good documentation stating what all the different controllers are or how I need to orchestrate a series of calls to get the data I want.

Upvotes: 4

Views: 2938

Answers (1)

pwil301

Reputation: 323

I found the answer I needed. After the scan and upload to SSC completes, you call the issues REST API from your PowerShell script in this format:

    [host:port]/ssc/api/v1/projectVersions/[versionid]/issues?q=[fortify+priority+order]:high+OR+[fortify+priority+order]:critical&qm=issues

So a simplified PowerShell script to do this in a TFS build step looks like:

    # SSC rejects unauthenticated calls; assumes a token is supplied by the build and uses SSC's "FortifyToken" Authorization scheme.
    $headers = @{ Authorization = "FortifyToken $env:SSC_TOKEN" }
    $jsonResults = Invoke-RestMethod -Method Get -Headers $headers -Uri "https://{host:port}/ssc/api/v1/projectVersions/{projectVersionNumberHere}/issues?q=[fortify+priority+order]:high+OR+[fortify+priority+order]:critical&qm=issues"
    # A finding with no primary tag has not been audited on SSC; @() keeps .Count correct for zero or one result.
    $undocumentedFindings = @($jsonResults.data | Where-Object { $null -eq $_.primaryTag })
    if ($undocumentedFindings.Count -gt 0)
    {
        # $(...) is needed to expand the property inside the string (otherwise ".Count" is printed literally).
        Write-Error "Fortify detected $($undocumentedFindings.Count) undocumented critical and high vulnerabilities. These findings must be remediated or documented before the build can continue."
        # Write-Error only fails the TFS task when "Fail on Standard Error" is enabled; a non-zero exit always fails it.
        exit 1
    }

Upvotes: 1
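A fuller version of the same build gate, added here as an example rather than taken from the answer above. It reads the SSC connection details from build variables, pages through the issues endpoint instead of trusting a single response, excludes suppressed findings explicitly, and fails the task with TFS logging commands so each finding shows up as a build issue. Assumed and not stated on the page: the `SSC_URL`, `SSC_TOKEN` and `SSC_VERSION_ID` variable names, the `start`/`limit` paging and `showsuppressed` parameters, the `count` field on the response, and the `friority`, `issueName`, `primaryLocation` and `lineNumber` fields on each issue.

```powershell
# Added example (not the original answer's code). Runs as an inline TFS PowerShell task.
# Assumed build variables: SSC_URL (e.g. https://ssc.example.com:8443/ssc),
# SSC_TOKEN (base64 SSC token with issue-read rights), SSC_VERSION_ID (numeric project version id).
$ErrorActionPreference = 'Stop'
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

$sscUrl    = $env:SSC_URL.TrimEnd('/')
$versionId = [int]$env:SSC_VERSION_ID
$headers   = @{ Authorization = "FortifyToken $env:SSC_TOKEN"; Accept = 'application/json' }

# Same SSC issue query the answer uses; escaping handles the spaces and brackets.
$query   = '[fortify priority order]:high OR [fortify priority order]:critical'
$baseUri = "$sscUrl/api/v1/projectVersions/$versionId/issues"

function Get-SscIssues {
    # Pages through the issues endpoint; start/limit paging and the count field are assumed.
    param([string]$BaseUri, [hashtable]$Headers, [string]$Query, [int]$Limit = 200)
    $start = 0
    do {
        $uri = '{0}?q={1}&qm=issues&showsuppressed=false&start={2}&limit={3}' -f `
            $BaseUri, [Uri]::EscapeDataString($Query), $start, $Limit
        $page = Invoke-RestMethod -Method Get -Uri $uri -Headers $Headers
        foreach ($issue in $page.data) { $issue }
        $start += $Limit
    } while ($start -lt [int]$page.count)
}

# primaryTag is set once a developer audits the finding on SSC ("Not an Issue", "Exploitable", ...).
# Anything still untagged is new, unreviewed work and blocks the build.
$undocumented = @(Get-SscIssues -BaseUri $baseUri -Headers $headers -Query $query |
    Where-Object { [string]::IsNullOrEmpty($_.primaryTag) })

if ($undocumented.Count -gt 0) {
    foreach ($i in $undocumented) {
        # TFS logging command: each line becomes an error entry in the build summary.
        Write-Host ('##vso[task.logissue type=error]{0} {1} ({2}:{3})' -f `
            $i.friority, $i.issueName, $i.primaryLocation, $i.lineNumber)
    }
    Write-Host "##vso[task.complete result=Failed;]Fortify found $($undocumented.Count) undocumented critical/high findings."
    exit 1
}

Write-Host "Fortify gate passed: no undocumented critical/high findings on project version $versionId."
```

Keep the token in a secret build variable rather than in the script, and give it only the rights needed to read issues; the upload token the Fortify plugin uses is not necessarily the right one for this query.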
