Micro Focus Fortify Static Code Analyzer (SCA) pinpoints the root cause of security vulnerabilities in the source code, prioritizes the most serious issues, and provides detailed guidance on how to fix them so developers can resolve issues in less time with centralized software security management.
From open source component analysis to IDEs, build tools, and developer training, Fortify gives developers the tools to write secure code and optimize application security at every step of the software development cycle.
To import your data from this tool to the Kenna.AppSec module, you will need to leverage the MicroFocus SCA Connector under the Static Analysis tools.
The Connector is a mandatory full run connector as it is an XML connector.
What Types of Fortify Data does Cisco Vulnerability Management Support
-
SCA
-
OnDemand
This connector is a more generic Fortify / MicroFocus connector. Despite its label as MicroFocus SCA only it also supports Fortify OnDemand formats.
User Prerequisites/Connector Setup:
-
Given that the connector is an XML integration, the only requirement is the ability to export data (scan reports) from Fortify in XML format.
Configuring your Connector in Cisco Vulnerability Management
To set up the Fortify / MicroFocus SCA Connector, navigate to the Connectors tab in your Cisco Vulnerability Management deployment (you must be a Cisco Vulnerability Management Administrator to do so). On the Connectors page, select the Micro Focus icon.
Once you select the MicroFocus SCA Connector, the following screen will appear:
-
Enter a name for the connector, or leave it as “Fortify” if you wish.
-
Click Save and Verify.
-
If you’d like to set a connector level asset inactivity limit, you can do that at this time, or later. (We recommend 2-3x the scan cadence of your Scans).
What Fortify / SCA Items does Cisco Vulnerability Management Import?
Cisco Vulnerability Management will import all of the applications associated with the user leveraged for the connector. We will pull:
|
Fortify & MicroFocus Field |
Cisco Vulnerability Management Field |
Notes |
|---|---|---|
|
build_id |
Application identifier |
Search for Application identifier in Cisco Vulnerability Management by using the custom query box and typing application:"*" |
|
base_path > filename |
File |
Search for file in Cisco Vulnerability Management by using the custom query box and typing file:"*" |
|
instance . id |
External ID |
|
|
N/A |
Vulnerability Status |
Vulnerability status is Open or Closed. We do not map False Positives or Triage States. Open vulnerabilities are reported in application scan reports. Closed vulns are excluded from the report, and Cisco Vulnerability Management autocloses those vulnerabilities. |
|
name |
Vulnerability Name |
|
|
severity |
scanner_score |
|
|
CWE id |
CWE |
|
|
WASC ID |
WASC ID |
|
|
solution |
Solution |
|
|
description |
Description |
|
|
found_on |
Found On |
|
|
file_tags |
Tags |
These items are turned into Tags in Cisco Vulnerability Management |
The Connector does not pull in the following:
-
Custom Fields
Optional Settings
The following settings can be enabled on the backend for Fortify / MicroFocus SCA Connectors. To have these settings enabled, or for more information, please contact Support, or your Customer Success Engineer.
-
Exclude Informationals
-
When this option is enabled, Cisco Vulnerability Management will not import vulnerabilities that do not include a CVE, CWE, or WASC ID.
-
-
Skip Tags
-
This setting will allow you to NOT create any Tags within Cisco Vulnerability Management based on the scanner metadata.
-
-
Ignore Scanner Last Seen Time
-
If you do not want the asset last seen time in Cisco Vulnerability Management to be the scanner reported last seen time.
-
-
Tag Reset
-
This setting will assist in keeping your scanner metadata in sync with Cisco Vulnerability Management. Each time the connector is run, ALL tags within Cisco Vulnerability Management will be removed and the scanner tag metadata re-created.
-
If you have created any manual tags OR any tags were created off of metadata from other connectors that tag info will be removed and will be refreshed once those other connectors are rerun.
-
-
Custom Ordered Locators
-
Locators (IP, Netbios, FQDN, etc) can be reordered to better deduplicate vulnerabilities on the Connector level or the entire Platform level. For more information see the help article here.
-
Common Reasons for Connector Run Failures
-
Unexpected data returned
-
If Cisco Vulnerability Management receives data that is not in the expected format and we are unable to process it, the connector will fail.
-
-
If more than 1% of connector payloads fail to import cleanly, Cisco Vulnerability Management will auto-fail the Connector Run
Additional Assistance:
Please contact Support should you require any additional assistance with the Fortify / MicroFocus SCA Connector.
Comments
Please sign in to leave a comment.