Overview

The Black Duck Fortify on Demand (FoD) integration is a command line tool that exports Black Duck project-version vulnerability information into a FoD application release in PDF format.

Where can I get the latest release?

Download the latest release from the release page.

Requirements

• Black Duck versions 4.8.x or higher.
• Java Development Kit versions 1.8 or higher.

Invoking the integration tool

Usage

The syntax for invoking the integration tool is:

$ java -jar hub-fod-[VERSION].jar [OPTIONS: parameter=value]

Example

$ java -jar hub-fod-1.1.2.jar --hub.url=https://myhub.domain.com --hub.username=joe --hub.project=MyProject --hub.project.version=3.4.5 --fod.username=joseph --fod.tenant.id=acme

Alternatively, you can run the jar file and answer the questions:

$ java -jar hub-fod-1.1.2.jar

Parameters

Some parameters are required and others are optional.  Parameter values can be provided either as invocation parameters, or they can be stored in an application properties configuration file in the same directory as the jar file. If you don't provide a required parameter, you are prompted for it. Parameter values can be provided. Although some parameters are optional, you are prompted for required parameters. Alternatively, these parameters can be stored in an application.properties configuration file in the same directory as the jar file.

Required parameters

The following parameters are required:

• hub.url

• Black Duck authentication:

  • either hub.username and hub.password, or

  • hub.apiToken

• hub.project

• hub.project.version

• Fortify authentication:

  • either fod.username and fod.password, or

  • fod.client.id and fod.client.secret

• fod.tenant.id

Optional parameters

The following parameters are optional:

• hub.vulnerability.filters: Comma-delimited string of the vulnerability remediation status to filter the report. Possible values are:
  • NEW
  • NEEDS REVIEW
  • REMEDIATION REQUIRED
  • REMEDIATION COMPLETE
  • MITIGATED
  • PATCHED
  • IGNORED
  • DUPLICATE
• fod.application.id
• fod.release.id
  The values fod.application.id and fod.release.id are IDs, not names. If you don't know the IDs, the program prompts you with names.
  
  
• proxy.host
• proxy.username
• proxy.password
• proxy.port
• proxy.ignore.hosts
  
  The following parameters have the specified default values:
  
  
• fod.baseurl=https:/ams.fortify.com
• fod.api.baseurl=https://api.ams.fortify.com
• output.folder=vuln-out
• output.html.filename=VulnerabilityReport.html
• output.pdf.filename=BlackDuckVulnerabilityReport.pdf
• hub.timeout=120
• logging.file=hub-fod-application.log
• report.notes= Blank by default; add custom notes here to be prepended to the summary notes of the FoD report.
• --verbose, --v: Verbose mode.

Application mapping

To map Black Duck project versions to Fortify on Demand application releases, the Black Duck-FoD integration prompts the user to choose the Fortify on Demand application and release the first time it is run on a Black Duck project version. The integration then stores the mapping in the Black Duck Project Version Notes field in the format fod.app.release=[releaseid]. This allows the integration to run without prompting for subsequent runs. If this mapping is deleted in Black Duck, the integration prompts you for the mapping.

Black Duck Fortify on Demand Release Notes

Version 1.1.2

New features

• Supports Black Duck versions 4.8.x.
• Supports Black Duck API token authentication.
• Supports self-signed Black Duck certificates.
• Supports Google Analytics-based phone home.

Version 1.1.1

New features

• Upgraded  Hub-Common.

Version 1.1.0

New features

• Upgraded to Hub-Common version 12.0.1.
• Added the ability to authenticate to Fortify On Demand by API client key and secret.

Resolved issues

• Resolved an issue wherein the last component in the report may be missing last component in the report

Version 1.0.0

• First release of product.