This Fortify SSC parser plugin allows for importing scan results produced by GitLab Dependency Scanning (also known as Gemnasium).
*-thirdparty.zip
file is for informational purposes only and does not need to be downloaded.These sections describe how to install, upgrade and uninstall the plugin.
NEW
buttonENABLE
buttonDISABLE
buttonREMOVE
buttonPlease see the GitLab documentation for details on generated dependency scanning reports.
As a 3rd-party results zip bundle:
engineType=GEMNASIUM
As raw scan results:
UPLOAD
buttonADD FILES
button, and select the JSON file to upload3rd party results
check boxGEMNASIUM
typeNote that uploading raw scan results is only supported for manual uploads through the SSC web interface, and this functionality was removed in SSC 20.2 so no longer available in recent SSC versions. Please submit a feature request if you'd like to see this easier process for ad-hoc uploading of 3rd-party results restored, referencing Octane id #448174.
The following sections provide information that may be useful for developers of this utility.
This project uses Lombok. In order to have your IDE compile this project without errors, you may need to add Lombok support to your IDE. Please see https://projectlombok.org/setup/overview for more information.
It is strongly recommended to build this project using the included Gradle Wrapper scripts; using other Gradle versions may result in build errors and other issues.
The Gradle build uses various helper scripts from https://github.com/fortify-ps/gradle-helpers; please refer to the documentation and comments in included scripts for more information.
All commands listed below use Linux/bash notation; adjust accordingly if you are running on a different platform. All commands are to be executed from the main project directory.
./gradlew tasks --all
: List all available tasksbuild/libs
)
./gradlew clean build
: Clean and build the project./gradlew build
: Build the project without cleaning./gradlew dist distThirdParty
: Build distribution zip and third-party information bundle./fortify-scan.sh
: Run a Fortify scan; requires Fortify SCA to be installedThis project uses GitHub Actions workflows to perform automated builds for both development and production releases. All pushes to the main branch qualify for building a production release. Commits on the main branch should use Conventional Commit Messages; it is recommended to also use conventional commit messages on any other branches.
User-facing commits (features or fixes) on the main branch will trigger the release-please-action to automatically create a pull request for publishing a release version. This pull request contains an automatically generated CHANGELOG.md together with a version.txt based on the conventional commit messages on the main branch. Merging such a pull request will automatically publish the production binaries and Docker images to the locations described in the Related Links section.
Every push to a branch in the GitHub repository will also automatically trigger a development release to be built. By default, development releases are only published as build job artifacts. However, if a tag named dev_<branch-name>
exists, then development releases are also published to the locations described in the Related Links section. The dev_<branch-name>
tag will be automatically updated to the commit that triggered the build.
See LICENSE.TXT