Skip to content

Generic Fortify SSC parser plugin for CycloneDX SBOM. For Debricked, please use the Debricked-branded plugin available at https://github.com/fortify/fortify-ssc-parser-debricked-cyclonedx

License

Notifications You must be signed in to change notification settings

fortify/fortify-ssc-parser-generic-cyclonedx

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

53 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Fortify SSC Parser Plugin for CycloneDX-formatted results

Fortify Application Security provides your team with solutions to empower DevSecOps practices, enable cloud transformation, and secure your software supply chain. As the sole Code Security solution with over two decades of expertise and acknowledged as a market leader by all major analysts, Fortify delivers the most adaptable, precise, and scalable AppSec platform available, supporting the breadth of tech you use and integrated into your preferred toolchain. We firmly believe that your great code demands great security, and with Fortify, go beyond 'check the box' security to achieve that.

This Fortify SSC parser plugin allows for importing CycloneDX SBOM files into SSC. Two versions of this plugin are available:

  • fortify-ssc-parser-generic-cyclonedx.jar
    • Parser plugin compatible with all recent SSC versions
    • CycloneDX issues are displayed on the SSC Audit page only
  • fortify-ssc-22.2+-parser-generic-cyclonedx.jar
    • Parser plugin compatible with SSC 22.2 and above
    • CycloneDX issues are displayed on both SSC Audit page and SSC Open Source page

Given the limitations listed below, please check whether there is any more appropriate / product-specific parser plugin available before using this generic plugin. For example, although this generic parser plugin is able to import results in CycloneDX format generated by Debricked, it is better to use the Debricked-specific parser plugin.

Limitations

  • Actual results may vary depending on input
    For example, due to the flexibility of the CycloneDX specification:

    • Some CycloneDX input files may not include vulnerability data, which may result in failing or empty import
    • The plugin may be unable to calculate consistent, unique issue instance id's because the input file doesn't provide sufficient details to uniquely identify an issue
    • The plugin may not be able to determine Fortify Priority Order because the input file does not provide issue severity levels
    • The plugin may be unable to display appropriate issue category or description because the input file is lacking this information, or providing this information in a non-standard way
  • CycloneDX results from multiple tools cannot be uploaded to single SSC application version
    Being a generic format, you may have multiple tools generating CycloneDX files that you want to import into SSC. Due to limitations in the SSC parser framework, it is currently not possible to import CycloneDX files from different sources into a single SSC application version. Independent of which tool was actually used to generate the CycloneDX file, SSC will assume that all CycloneDX files originate from the same scan engine. SSC will try to merge these uploads, thereby basically marking all issues from a previously uploaded CycloneDX file as 'removed'.

Resources

Support

The only warranties for products and services of Open Text and its affiliates and licensors (“Open Text”) are as may be set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Open Text shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.

The software is provided "as is" and is not supported through the regular OpenText Support channels. Support requests may be submitted through the GitHub Issues page for this repository. A (free) GitHub account is required to submit new issues or to comment on existing issues.

Support requests created through the GitHub Issues page may include bug reports, enhancement requests and general usage questions. Please avoid creating duplicate issues by checking whether there is any existing issue, either open or closed, that already addresses your question, bug or enhancement request. If an issue already exists, please add a comment to provide additional details if applicable.

Support requests on the GitHub Issues page are handled on a best-effort basis; there is no guaranteed response time, no guarantee that reported bugs will be fixed, and no guarantee that enhancement requests will be implemented. If you require dedicated support for this and other Fortify software, please consider purchasing OpenText Fortify Professional Services. OpenText Fortify Professional Services can assist with general usage questions, integration of the software into your processes, and implementing customizations, bug fixes, and feature requests (subject to feasibility analysis). Please contact your OpenText Sales representative or fill in the Professional Services Contact Form to obtain more information on pricing and the services that OpenText Fortify Professional Services can provide.


This document was auto-generated from README.template.md; do not edit by hand