Fortify Application Security provides your team with solutions to empower DevSecOps practices, enable cloud transformation, and secure your software supply chain. As the sole Code Security solution with over two decades of expertise and acknowledged as a market leader by all major analysts, Fortify delivers the most adaptable, precise, and scalable AppSec platform available, supporting the breadth of tech you use and integrated into your preferred toolchain. We firmly believe that your great code demands great security, and with Fortify, go beyond 'check the box' security to achieve that.
This Fortify SSC parser plugin allows for importing CycloneDX SBOM files into SSC. Two versions of this plugin are available:
fortify-ssc-parser-generic-cyclonedx.jar- Parser plugin compatible with all recent SSC versions
- CycloneDX issues are displayed on the SSC Audit page only
fortify-ssc-22.2+-parser-generic-cyclonedx.jar- Parser plugin compatible with SSC 22.2 and above
- CycloneDX issues are displayed on both SSC Audit page and SSC Open Source page
Given the limitations listed below, please check whether there is any more appropriate / product-specific parser plugin available before using this generic plugin. For example, although this generic parser plugin is able to import results in CycloneDX format generated by Debricked, it is better to use the Debricked-specific parser plugin.
-
Actual results may vary depending on input
For example, due to the flexibility of the CycloneDX specification:- Some CycloneDX input files may not include vulnerability data, which may result in failing or empty import
- The plugin may be unable to calculate consistent, unique issue instance id's because the input file doesn't provide sufficient details to uniquely identify an issue
- The plugin may not be able to determine Fortify Priority Order because the input file does not provide issue severity levels
- The plugin may be unable to display appropriate issue category or description because the input file is lacking this information, or providing this information in a non-standard way
-
CycloneDX results from multiple tools cannot be uploaded to single SSC application version
Being a generic format, you may have multiple tools generating CycloneDX files that you want to import into SSC. Due to limitations in the SSC parser framework, it is currently not possible to import CycloneDX files from different sources into a single SSC application version. Independent of which tool was actually used to generate the CycloneDX file, SSC will assume that all CycloneDX files originate from the same scan engine. SSC will try to merge these uploads, thereby basically marking all issues from a previously uploaded CycloneDX file as 'removed'.
- Usage: USAGE.md
- Releases: https://github.com/fortify/fortify-ssc-parser-generic-cyclonedx/releases
- Development releases may be unstable or non-functional. The
*-thirdparty.zipfile is for informational purposes only and does not need to be downloaded.
- Development releases may be unstable or non-functional. The
- Sample input files: sampleData
- Source code: https://github.com/fortify/fortify-ssc-parser-generic-cyclonedx
- Automated builds: https://github.com/fortify/fortify-ssc-parser-generic-cyclonedx/actions
- Contributing Guidelines: CONTRIBUTING.md
- Code of Conduct: CODE_OF_CONDUCT.md
- License: LICENSE.txt
- CycloneDX website: https://cyclonedx.org/
For general assistance, please join the Fortify Community to get tips and tricks from other users and the OpenText team.
OpenText customers can contact our world-class support team for questions, enhancement requests and bug reports. You can also raise questions and issues through your OpenText Fortify representative like Customer Success Manager or Technical Account Manager if applicable.
You may also consider raising questions or issues through the GitHub Issues page (if available for this repository), providing public visibility and allowing anyone (including all contributors) to review and comment on your question or issue. Note that this requires a GitHub account, and given public visibility, you should refrain from posting any confidential data through this channel.
This document was auto-generated from README.template.md; do not edit by hand