fortify / FortifyVulnerabilityExporter

Export Fortify vulnerability data to GitHub, GitLab, SonarQube and more

Add documentation section for BitBucket integration #38

Closed rsenden closed 1 year ago

rsenden commented 2 years ago

Although support for generating BitBucket reports has been added some time ago, there is no mention of this feature in the documentation. For now, please see the following resources for more information:

regicsolutions commented 2 years ago

This is for Bitbucket Cloud/Bitbucket Pipelines. I was looking for either direct Bitbucket Server support for Code Insights where I can post a report and its results as documented here: https://developer.atlassian.com/server/bitbucket/how-tos/code-insights/ having Jenkins post the report back to the Bitbucket Server pull request would also work, are there any samples for Jenkins?

rsenden commented 2 years ago

> This is for Bitbucket Cloud/Bitbucket Pipelines. I was looking for either direct Bitbucket Server support for Code Insights where I can post a report and its results as documented here: https://developer.atlassian.com/server/bitbucket/how-tos/code-insights/ having Jenkins post the report back to the Bitbucket Server pull request would also work, are there any samples for Jenkins?

I currently don't have any plans for adding support for Bitbucket Server due to other priorities and because Bitbucket Server seems to be End of Life according to https://www.atlassian.com/software/bitbucket/enterprise. However, you can try creating a custom FortifyVulnerabilityExporter configuration file for generating Bitbucket Server Code Insights reports; if necessary, Fortify Professional Services may be able to assist with this.

Documentation for generating arbitrary JSON content using FortifyVulnerabilityExporter is available here: https://github.com/fortify/FortifyVulnerabilityExporter#json-export. Since Bitbucket Server Code Insights reports seem to be quite similar to Bitbucket Cloud Code Insights reports, you can use the existing Bitbucket Cloud configuration files as a starting point:

You would basically create a new YAML file that combines the contents of both configuration files listed above for either FoD or SSC, and then adjust the output format to match the required Bitbucket Server Code Insights JSON report and annotation format. You can then use curl commands to upload the report and annotations to BitBucket Server, similar to how this is done for Bitbucket Cloud: https://bitbucket.org/fortifysoftware/bb-sample-eightball/src/b89962305fe55c291bc378c451491e140ee832a6/bitbucket-pipelines-cmds.yml#lines-15
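One way to do the conversion and upload step described in the comment above, as an added example that is not part of FortifyVulnerabilityExporter or this thread. The `findings` shape is a constructed stand-in for whatever JSON your custom YAML emits (rename the keys to match your own output); the endpoint paths, field names and the 1000-annotation cap follow Atlassian's Code Insights REST documentation; the base URL, project/repo keys, commit id, report key and token are assumed inputs.

```python
"""Build Bitbucket Server Code Insights payloads from Fortify findings and upload them."""
import json
import urllib.request

# Code Insights only knows LOW/MEDIUM/HIGH, so Fortify Critical folds into HIGH.
SEVERITY_MAP = {"Critical": "HIGH", "High": "HIGH", "Medium": "MEDIUM", "Low": "LOW"}
MAX_ANNOTATIONS = 1000  # documented per-report annotation limit

# Constructed sample input; real data would come from your exporter's JSON output.
SAMPLE_FINDINGS = [
    {"id": "f-1", "severity": "Critical", "category": "SQL Injection",
     "path": "src/Db.java", "line": 42, "link": "https://ssc.example/issue/1"},
    {"id": "f-2", "severity": "Low", "category": "Dead Code", "path": "src/Util.java", "line": 7},
    {"id": "f-3", "severity": "Medium", "category": "Path Manipulation", "path": "src/Io.java", "line": 19},
]


def build_payloads(findings, fail_on=("Critical", "High")):
    """Return (report, annotations) dicts ready for the Code Insights REST API."""
    order = list(SEVERITY_MAP)
    ranked = sorted(findings, key=lambda f: order.index(f["severity"]))
    annotations = [
        {
            "externalId": f["id"],  # stable id so re-uploads update instead of duplicating
            "path": f["path"],
            "line": f["line"],
            "severity": SEVERITY_MAP[f["severity"]],
            "type": "VULNERABILITY",
            "message": f"{f['category']} ({f['severity']})",
            **({"link": f["link"]} if f.get("link") else {}),
        }
        for f in ranked[:MAX_ANNOTATIONS]  # over the cap, keep the most severe findings
    ]
    counts = {s: sum(1 for f in findings if f["severity"] == s) for s in SEVERITY_MAP}
    report = {
        "title": "Fortify SAST",
        "reporter": "FortifyVulnerabilityExporter",
        "result": "FAIL" if any(counts[s] for s in fail_on) else "PASS",
        "details": f"{len(findings)} findings, {len(annotations)} annotated",
        "data": [{"title": s, "type": "NUMBER", "value": n} for s, n in counts.items()],
    }
    return report, {"annotations": annotations}


def upload(base_url, project, repo, commit, token, report_key, report, annotations):
    """PUT the report, then POST its annotations to Bitbucket Server."""
    url = f"{base_url}/rest/insights/1.0/projects/{project}/repos/{repo}/commits/{commit}/reports/{report_key}"
    hdrs = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    for method, target, body in (("PUT", url, report), ("POST", url + "/annotations", annotations)):
        req = urllib.request.Request(target, json.dumps(body).encode(), hdrs, method=method)
        urllib.request.urlopen(req).close()
```

Call `upload(...)` with the outputs of `build_payloads(...)` from the pipeline step that already has the commit id and an access token in scope.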

rsenden commented 1 year ago

BitBucket documentation has been added in the latest commits