• sourceanalyzer isnan not found

    I am building a fortify scan image to be used in our CI setup for Jenkins, as we don't use a standalone node we're doing docker based build steps. I first started installing fcli and its sub tools I need to be able to communicate with the FortifySoftware…
  • Is there a way to print the total Lines of code for a fortify application

    Hi, Is there a way to print the total Lines of code for a fortify application? In Fortify SSC, we could see Executable LOC but I want the total lines of code for an application in fortify. Please suggest.
  • application-version-binary-files/upload API for DAST Controller

    Considering the DAST Controller API. Ultimately we want to upload a macro into a DAST scan or apply it to a scan that has yet to run. We can create an upload session for the macro just fine. This gives it an ID: /api/v2/application-version-binary…
  • Create a new application version by holding audit data of the existing application version and then upload .fpr file on Fortify SSC dynamically using REST API

    Hi, We are trying to automate the below task: Could you please help us with which APIs we should call to perform these tasks. 1. Create a new application version by holding audit data of the existing application version. 2. Upload the .fpr file…
  • Uploading FPR using the Fortify Client isn't working randomly

    Fortify SCA version 22.1.2.004. We are utilizing the fortifyclient in order to upload FPRs to Fortify SSC. Currently for all existing Application Versions FPR files are uploading successfully to Fortify SSC (using the command) but new Application…
  • Can't use encrypted shared secrets in FIPS-enabled RHEL8 host

    I need to use encrypted shared secrets on the ScanCentral SAST components (Controller, Sensor, Client) so they can authenticate to the Fortify SSC during communications. I am only able to use plain-text shared secrets as instructed in the "Fortify ScanCentral…
  • Fortify scanning projects in bulk

    I have 100's of projects scanned in a short span of time. I use fortify on premise model. As of now, I make use of fortify scan wizard and scanning projects one by one. I have all the projects downloaded in a directory. Is it possible to scan all of…
  • local CLI alternatives to ReportGenerator or BIRTReportGenerator?

    Hello, I've been working for some time with processing local fortify results through fpr files. I've played with unpacking the actual FPR myself as well as using the ReportGenerator utility for processing results. Does Fortify offer any additional…
  • Multi Factor Authentication supported by WebInspect Enterprise

    Hi, I have a website that I need to scan using WebInspect, as part of scanning the website the user needs to click on a LOGIN button which lets the user use login.gov. Is there a way to support this scenario in WebInspect Enterprise version 18.20…
  • Determine programming language for SCA artifact

    Does anyone know of a way to report the programming language(s) used in the source of an application version for SSC 19.1.0? My organization has hundreds of application versions to track so I'm looking for a way to report this information via API. I found…
  • Automatic scanning through WebInspect's API is not working

    Hello. We are trying to perform an automatic scan through the WebInspect API, referring to the following. But this doesn't work. https://www.youtube.com/watch?v=uUrLPsFEfck When I POST the scan settings to the /scanner/scans endpoint, the Command Line…
  • Artifact download SSC API

    I'm trying to utilize SSC 19.1 API to download a FPR with sources using the following resource... /download/currentStateFprDownload.html?mat=9e9d912e-3282-9446-b632-05513bf2709b&includeSource=true&id= <Application_Version_Id> My expectation is that the…
  • Artifact rulepacks using SSC API

    Is there a way to determine the rulepacks used to build the SCA artifact in SSC? I am familiar with the command-line tool that provides this information but it would be preferable to utilize the API.
  • Properly and automatically propagating audit metadata in CI workflow

    Hi folks - I seek clarity on how Fortify can be best integrated into a CI based workflow. This is a follow up to the only other thread that discusses this topic: For context, my CI infrastructure automatically creates pipeline jobs for every branch and…
  • Integration of Fortify SCA with Windriver Workbench and diab compiler

    Has anyone succeeded in creating Fortify scan projects in Windriver Workbench (v3.x) using the diab compiler toolchain? I think maybe we're not understanding the linkage that must be established in the fortify properties file to properly refer to the…
  • Fortify Taxonomy via SSC API

    I'm looking for a way to map a category to a taxonomy via the SSC REST API. For example, using the Fortify Taxonomy web site I can look up the weakness "Access Control: Database" and check its references to determine how it maps to the different taxonomies…
  • Creating new application versions in SSC via API

    We are trying to create new application versions in SSC via the API. We can set up one project calling the API, but when trying to add a new version of that project, it errors out. Has anyone else managed to create multiple versions of a project via the…
  • Fortify API for issue groupings

    Using the 17.20 REST API, how can I list issues under their groupings for a projectVersion? For example, I want to list all the issues under the group, "OWASP Top 10 2017" with finding counts in the headings (like "A1 Injection - [2/2]" and issue information…
  • SSC Application Version Git Jenkins Automation Workflow FPR Merging

    My current setup: Git is organized with a develop branch as the main branch, and Feature branches as child branches off of develop. Feature branches are merged into the develop branch with a pull request. Jenkins build jobs invoke a Fortify scan of Git…
  • WIE REST API Authentication - Token due date configuration and own user?

    I have a few questions regarding the WIE REST API Authentication. - In order to call REST API endpoints you need to first get a Fortify Token. Is there an option how you can configure how long such a token is valid? Where do I find these settings and…
  • How to automate webinspect smart update?

    Dear all, I like to know if there exists a possibility that the smart update for WIE / WI can be fully automated without any user interaction (silent)? I have seen that there exists a utility "smartupdater.exe" in the program files folder but I don't know…
  • SCA as Docker

    We are doing DevOps with Docker. Therefore we like to use SCA as a docker image which also can be called from a Jenkins server via command line, maven or via the jenkins plugin. We like to know if already such docker images exist and if not if somebody…
  • SSC & Sonar Plugin - Access Denied Error "View jobs in queue"

    Dear all I try to use the Sonar Plugin 2.3 ( https://github.com/rsenden/fortify-integration-sonarqube-ssc ) together with a SSC 17.20. I followed the instructions on github for the installation and preparation of Sonar and SSC. During my sonar execution…
  • Fortify VSTS Plugin always defaults to Debug Build for SCA

    Hello, I'm currently using the Fortify VSTS Plugin to perform automated Fortify scans on .NET applications as part of our build process using the Fortify Static Code Analyzer Assessment task and I've noticed that when SCA executes devenv.exe to build…
  • Import/export LDAP Configuration in SSC 18.10

    I'm trying to include the LDAP configuration as part of the installation process without manually entering all the values in the administration page. Since the configuration wizard no longer exists, is there still a way to automatically import this information…