Thursday, September 27, 2018

Fortify scan with sourceanalyzer using Jenkins - Unable to load build session with ID "sample_id"

Are you running a Fortify scan through sourceanalyzer for MSBuild? Are you running it with Jenkins, on a Windows Jenkins node? Maybe you are following the process described here.

The following steps work fine when you run them from PowerShell or cmd, but not when you run them from Jenkins, with the scan step failing?
sourceanalyzer -b fortify_sample -clean
sourceanalyzer -b fortify_sample msbuild Fortify.Samples.sln /t:ReBuild
sourceanalyzer -b fortify_sample -scan -f result.fpr
Saying:

[error]: Unable to load build session with ID " fortify_sample". See log file for more details.

Probable solution:
Check the output of the MSBuild step. Some .txt files are generated during the build step; check where they were written. If the files were not generated, the user under which the Jenkins service or agent service is running most likely has a permission issue.

In my case the issue was that my Jenkins service was running under Local System and it was trying to write to C:\Windows\system32\config\systemprofile\AppData.

I changed the service's user ID to a service account and it started working fine.

How to run fortify scan for dotnet solution using MSBuild

It's simply a 4-step process.

Step 1: Clear previous scan build
sourceanalyzer -b build_id -clean
Here build_id is a unique string identifying a particular scan on the system where it is run (in our case the system is fortify-jenkins-node). Ideally it is unique per solution file, e.g.
sourceanalyzer -b appointment_api -clean
Step 2: Analyze solution
sourceanalyzer -b build_id msbuild mysolution.sln /t:ReBuild
e.g.
sourceanalyzer -b fortify_sample msbuild Fortify.Samples.sln /t:ReBuild
Step 3: Generate report
sourceanalyzer -b build_id -scan -f result.fpr
e.g.
sourceanalyzer -b fortify_sample -scan -f result.fpr
This runs the scan on the local system. The scan can also be run on the Fortify server, which needs a different command, cloudscan.

Step 4: Upload report
This step uploads the report (*.fpr) file to the Fortify server. It is needed when running a local scan; with a cloud scan it is not needed.
fortifyclient -url http://fortify.nextgen.com/ssc -authtoken "xxxxxx-xxxxxxxxx-xxxxxxxx-xxxx-xxxxxx" uploadFPR -file result.fpr -project "Application_name" -version 9.9
Here
  • URL is the Fortify server URL; the system running this command must have access to the Fortify server
  • authtoken is a token of type "uploadFPR", which is generated on the Fortify server. If you don't have one, contact AppSec for it
  • Application_name is the name of the application created on the Fortify server for the current application. Ideally one solution maps to one application on the Fortify server
  • Version is the version number of the application on the Fortify server.
e.g.

fortifyclient -url http://fortify.myserver.com/ssc -authtoken "038bff7e-7e8c-4007-9aXX-748XXXX1a" uploadFPR -file result.fpr -project "fortify_sample" -version 1.0
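A PowerShell wrapper for the same four steps, added here as an example (not from the original post), that logs which account the Jenkins job runs as, probes that the profile is writable before MSBuild starts, and stops at the first failing step. It assumes sourceanalyzer and fortifyclient are on PATH, that the build session is kept under the running user's local AppData (an assumption consistent with the failure described in the first post), that the upload token is supplied via a FORTIFY_UPLOAD_TOKEN environment variable, and that the SSC URL, project and version are placeholders.

```powershell
# Added example, not from the original post. Runs the four sourceanalyzer steps
# from a Jenkins Windows node and stops at the first failure with a message that
# points at the cause seen above (a service account that cannot write its profile).
# Assumptions: sourceanalyzer and fortifyclient are on PATH; the SSC URL, project
# and version below are placeholders; the token comes from an environment variable.
param(
    [string]$BuildId   = "fortify_sample",
    [string]$Solution  = "Fortify.Samples.sln",
    [string]$Fpr       = "result.fpr",
    [string]$SscUrl    = "https://fortify.example.com/ssc",    # placeholder
    [string]$AuthToken = $env:FORTIFY_UPLOAD_TOKEN,            # never hard-code the token
    [string]$Project   = "fortify_sample",
    [string]$Version   = "1.0"
)
$ErrorActionPreference = "Stop"

# Log the identity the job runs as. Under Local System this prints NT AUTHORITY\SYSTEM
# and LOCALAPPDATA points under C:\Windows\system32\config\systemprofile.
$who = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
Write-Host "Running as $who; LOCALAPPDATA = $env:LOCALAPPDATA"

# Probe that the profile is writable before spending minutes on MSBuild.
$probe = Join-Path $env:LOCALAPPDATA "fortify_write_probe.tmp"
try   { Set-Content -Path $probe -Value "probe"; Remove-Item $probe }
catch { throw "$who cannot write to $env:LOCALAPPDATA; run the Jenkins service under a service account." }

function Invoke-Step([string]$Name, [string[]]$Cmd) {
    Write-Host "== $Name =="
    $exe, $rest = $Cmd
    & $exe @rest
    if ($LASTEXITCODE -ne 0) { throw "$Name failed with exit code $LASTEXITCODE" }
}

Invoke-Step "Step 1: clean"     @("sourceanalyzer", "-b", $BuildId, "-clean")
Invoke-Step "Step 2: translate" @("sourceanalyzer", "-b", $BuildId, "msbuild", $Solution, "/t:ReBuild")

# Assumption: the build session lives under LOCALAPPDATA\Fortify\sca*\build\<build id>.
# If nothing is there after step 2, the scan step will report "Unable to load build session".
$session = Get-ChildItem -Path (Join-Path $env:LOCALAPPDATA "Fortify") -Filter $BuildId -Recurse -Directory -ErrorAction SilentlyContinue
if (-not $session) { Write-Warning "No build session directory for '$BuildId' found under $env:LOCALAPPDATA\Fortify; check the MSBuild output and permissions." }

Invoke-Step "Step 3: scan"      @("sourceanalyzer", "-b", $BuildId, "-scan", "-f", $Fpr)
if (-not (Test-Path $Fpr)) { throw "Scan finished but $Fpr was not written." }

if (-not $AuthToken) { throw "FORTIFY_UPLOAD_TOKEN is not set; cannot upload $Fpr." }
Invoke-Step "Step 4: upload"    @("fortifyclient", "-url", $SscUrl, "-authtoken", $AuthToken,
                                  "uploadFPR", "-file", $Fpr, "-project", $Project, "-version", $Version)
```

Run it as the Jenkins job's PowerShell step; the identity and LOCALAPPDATA lines in the console output tell you immediately whether the job is still running under Local System.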