Fortify SSC Parser Plugin for CycloneDX-formatted results - Usage

Introduction

Fortify Application Security provides your team with solutions to empower DevSecOps practices, enable cloud transformation, and secure your software supply chain. As the sole Code Security solution with over two decades of expertise and acknowledged as a market leader by all major analysts, Fortify delivers the most adaptable, precise, and scalable AppSec platform available, supporting the breadth of tech you use and integrated into your preferred toolchain. We firmly believe that your great code demands great security, and with Fortify, go beyond 'check the box' security to achieve that.

This Fortify SSC parser plugin allows for importing CycloneDX SBOM files into SSC. Two versions of this plugin are available:

  • fortify-ssc-parser-generic-cyclonedx.jar
    • Parser plugin compatible with all recent SSC versions
    • CycloneDX issues are displayed on the SSC Audit page only
  • fortify-ssc-22.2+-parser-generic-cyclonedx.jar
    • Parser plugin compatible with SSC 22.2 and above
    • CycloneDX issues are displayed on both SSC Audit page and SSC Open Source page

Given the limitations listed below, please check whether there is any more appropriate / product-specific parser plugin available before using this generic plugin. For example, although this generic parser plugin is able to import results in CycloneDX format generated by Debricked, it is better to use the Debricked-specific parser plugin.

Limitations

  • Actual results may vary depending on input
    For example, due to the flexibility of the CycloneDX specification:

    • Some CycloneDX input files may not include vulnerability data, which may result in failing or empty import
    • The plugin may be unable to calculate consistent, unique issue instance ids because the input file doesn't provide sufficient details to uniquely identify an issue
    • The plugin may not be able to determine Fortify Priority Order because the input file does not provide issue severity levels
    • The plugin may be unable to display an appropriate issue category or description because the input file lacks this information, or provides it in a non-standard way
  • CycloneDX results from multiple tools cannot be uploaded to a single SSC application version
    Being a generic format, you may have multiple tools generating CycloneDX files that you want to import into SSC. Due to limitations in the SSC parser framework, it is currently not possible to import CycloneDX files from different sources into a single SSC application version. Independent of which tool was actually used to generate the CycloneDX file, SSC will assume that all CycloneDX files originate from the same scan engine. SSC will try to merge these uploads, thereby marking all issues from a previously uploaded CycloneDX file as 'removed'.

Plugin Installation

These sections describe how to install, upgrade and uninstall the parser plugin in SSC.

Install & Upgrade

Uninstall

  • In Fortify Software Security Center:
    • Navigate to Administration->Plugins->Parsers
    • Select the parser plugin that you want to uninstall
    • Click the DISABLE button
    • Click the REMOVE button

Obtain results

Please refer to the documentation of the product from which you want to obtain results in CycloneDX format on how to obtain a CycloneDX SBOM in JSON format.

Upload results

Results can be uploaded through the SSC web interface, REST API, or SSC client utilities like FortifyClient or fcli. The SSC web interface, FortifyClient and most other Fortify clients require the raw results to be packaged into a zip-file; REST API and fcli allow for uploading raw results directly.

To upload results through the SSC web interface or most clients:

  • Create a scan.info file containing a single line as follows:
    engineType=CYCLONEDX
  • Create a zip file containing the following:
    • The scan.info file generated in the previous step
    • The raw results file as obtained from the target system (see Obtain results section above)
  • Upload the zip file generated in the previous step to SSC
    • Using any SSC client, for example FortifyClient or Maven plugin
    • Or using the SSC web interface
    • Similar to how you would upload an FPR file

Both SSC REST API and fcli provide options for specifying the engine type directly, and as such it is not necessary to package the raw results into a zip-file with accompanying scan.info file. For example, fcli allows for uploading raw scan results using a command like the following:

fcli ssc artifact upload -f <raw-results-file> --appversion MyApp:MyVersion --engine-type CYCLONEDX
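As an added example (not code from this plugin or its authors), the following Python script automates the packaging steps above: it writes the single-line scan.info, zips it together with the raw CycloneDX JSON results, and first checks for the limitation noted earlier, a SBOM without a vulnerabilities array, which would give a failing or empty import. The sample SBOM it builds is constructed for the demo; only the standard library is used, and the zip layout (scan.info beside the results file at the zip root) follows the steps described above.

```python
import json
import os
import tempfile
import zipfile

# scan.info content SSC clients need next to the raw results (see the steps above)
SCAN_INFO_CONTENT = "engineType=CYCLONEDX\n"


def inspect_sbom(path):
    """Return the vulnerability count of a CycloneDX JSON SBOM.
    Raises ValueError if the file does not declare bomFormat "CycloneDX"."""
    with open(path, "r", encoding="utf-8") as fh:
        bom = json.load(fh)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError(f"{path}: bomFormat is not CycloneDX")
    return len(bom.get("vulnerabilities") or [])


def package_for_ssc(raw_results_path, zip_path):
    """Write scan.info + raw results into zip_path and return a summary dict;
    a missing vulnerabilities array is flagged (failing or empty import)."""
    vuln_count = inspect_sbom(raw_results_path)
    with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("scan.info", SCAN_INFO_CONTENT)
        zf.write(raw_results_path, arcname=os.path.basename(raw_results_path))
    with zipfile.ZipFile(zip_path) as zf:  # re-open to verify what was written
        entries = sorted(zf.namelist())
        scan_info = zf.read("scan.info").decode("utf-8")
    return {"zip": zip_path, "entries": entries, "scan_info": scan_info,
            "vulnerabilities": vuln_count,
            "warning": None if vuln_count else "no vulnerability data: import may fail or be empty"}


def write_sample_sbom(path):
    """Constructed CycloneDX 1.4 SBOM: one component, one sample vulnerability (not real findings)."""
    sbom = {"bomFormat": "CycloneDX", "specVersion": "1.4",
            "components": [{"type": "library", "name": "example-lib", "version": "1.0.0",
                            "purl": "pkg:maven/org.example/example-lib@1.0.0"}],
            "vulnerabilities": [{"id": "EXAMPLE-0001", "ratings": [{"severity": "high"}],
                                 "affects": [{"ref": "pkg:maven/org.example/example-lib@1.0.0"}]}]}
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(sbom, fh)
    return path


def run_demo(workdir=None):
    """Package the sample SBOM in workdir (a fresh temp dir by default) and return the summary."""
    workdir = workdir or tempfile.mkdtemp(prefix="cyclonedx-ssc-")
    sbom = write_sample_sbom(os.path.join(workdir, "sbom.json"))
    return package_for_ssc(sbom, os.path.join(workdir, "cyclonedx-results.zip"))
```

The resulting zip can be uploaded like an FPR file through the SSC web interface or any SSC client; with fcli or the REST API the raw JSON can be uploaded directly as shown above.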


This document was auto-generated from USAGE.template.md; do not edit by hand