Skip to main content

Fortify Software Security Center

Fortify Software Security Center (SSC) is an application security tool that scans your applications to identify vulnerabilities. You can bring applications, application version, dynamic code, and static code data from Fortify SSC into Brinqa to gain a unified view of your attack surface, thus strengthening your cybersecurity posture.

This document details the information you must provide for the connector to authenticate with Fortify SSC and how to obtain that information from Fortify SSC. See create a data integration for step-by-step instructions on setting up the integration.

Required connection settings

When setting up a data integration, select Fortify Software Security Center from the Connector drop-down. If you cannot find the connector in the drop-down, make sure that you have installed it first. You must provide the following information to integrate Fortify SSC with Brinqa:

  • Server URL: Your organization's Fortify SSC Server URL. The default URL format is https://<servername>/.

  • Username and Password: The username and password associated with the Fortify SSC account, which must have, at the very least, the View-Only role assigned to it.

Create a new Fortify SSC user

To create a new user in Fortify SSC with the necessary roles to retrieve data from the Fortify SSC API, follow these steps:

  1. Log in to your organization's Fortify SSC portal as an administrator.

  2. Navigate to Administration > Users > Local Users.

  3. Click Add.

    The Create New User dialog displays.

  4. Enter a username, password, email address, and first and last name.

  5. Assign the View-Only role to the user.

  6. Complete any additional fields as required, and then click Save.

    New Fortify SSC user dialog

note

If you do not have permissions to create new Fortify SSC users, contact your Fortify SSC administrator. For additional information, see Fortify SSC documentation.

Additional settings

The Fortify SSC connector contains additional options for specific configuration:

  • Page size: The maximum number of records to get per API request. The default setting is 100. It is not recommended to go over 100.

  • Parallel requests: The maximum number of parallel API requests. The default setting is 4.

  • Maximum retries: The maximum number of times that the integration attempts to connect to the Fortify SSC API before giving up and reporting a failure. The default setting is 5.

  • Skip certificate verification: Select this option to allow for untrusted certificates.

Types of data to retrieve

The Fortify SSC connector can retrieve the following types of data from the Fortify SSC API:

Table 1: Data retrieved from Fortify SSC

Connector ObjectRequiredMaps to Data Model
ApplicationYesApplication
Application VersionYesCode Project
Dynamic Code FindingYesDynamic Code Finding
Dynamic Code Finding DefinitionYesDynamic Code Finding Definition
Static Code FindingYesStatic Code Finding
Static Code Finding DefinitionYesStatic Code Finding Definition
info

For detailed steps on how to view the data retrieved from Fortify SSC in the Brinqa Platform, see How to view your data.

Attribute mappings

Expand the sections below to view the mappings between the source and the Brinqa data model attributes.

Application

Table 2: Application attribute mappings

Source Field NameMaps to Attribute
categorycategories
createdByLocal variable
creationDatesourceCreatedDate
descriptiondescription
iduid
namename
Application Version

Table 3: Application Version attribute mappings

Source Field NameMaps to Attribute
activeLocal variable
categoriescategories
createdByLocal variable
creationDatesourceCreatedDate
currentState.metricEvaluationDatelastScanned
descriptiondescription
idtargets, uid
modeLocal variable
namename
ownerowner
Dynamic Code Finding

Table 4: Dynamic Code Finding attribute mappings

Source Field NameMaps to Attribute
issue.analyzerLocal variable
issue.auditedLocal variable
issue.confidenceLocal variable
issue.foundDatefirstFound
issue.folderGuidLocal variable
issue.fullFileNameLocal variable
issue.hiddenLocal variable
issue.impactLocal variable
issue.issueInstanceIdtype
issue.issueStateLocal variable
issue.issueStatusproviderStatus, sourceStatus, status
issue.kingdomLocal variable
issue.lastScanIdLocal variable
issue.likelihoodLocal variable
issue.primaryLocationlocation
issue.primaryRuleGuidLocal variable
issue.primaryTagtags
issue.removedLocal variable
issue.removedDateLocal variable
issue.scanStatusLocal variable
issue.severityseverity, severityScore, sourceSeverity
issue.shortFileNameLocal variable
issue.suppressedLocal variable
issueDetail.accuracyLocal variable
issueDetail.assignedUserLocal variable
issueDetail.attackPayloadLocal variable
issueDetail.briefLocal variable
issueDetail.detailLocal variable
issueDetail.methodLocal variable
issueDetail.probabilityLocal variable
issueDetail.recommendationrecommendation
issueDetail.requestBodyLocal variable
issueDetail.responseLocal variable
issueDetail.tipsLocal variable
issueDetail.vulnerableParameterLocal variable
projectVersion.currentState.lastFprUploadDatelastFound
projectVersion.idLocal variable
projectVersion.id() /issue.issueInstanceId/issue.fullFileNameuid
projectVersion.project.idtargets
Dynamic Code Finding Definition

Table 5: Dynamic Code Finding Definition attribute mappings

Source Field NameMaps to Attribute
issue.issueInstanceIduid
issue.issueNamename
issue.severityseverity, severityScore, sourceSeverity
issueDetail.mappedCategorycategories
issueDetail.recommendationrecommendation
issueDetail.referencescweIds
issueDetail.referencesweaknesses
issueDetail.referencesreferences
issueDetail.urlLocal variable
Static Code Finding

Table 6: Static Code Finding attribute mappings

Source Field NameMaps to Attribute
issue.analyzerLocal variable
issue.auditedLocal variable
issue.confidenceLocal variable
issue.foundDatefirstFound
issue.folderGuidLocal variable
issue.fullFileNameLocal variable
issue.hiddenLocal variable
issue.impactLocal variable
issue.issueInstanceIdtype
issue.issueStateLocal variable
issue.issueStatusproviderStatus, sourceStatus, status
issue.kingdomLocal variable
issue.lastScanIdLocal variable
issue.likelihoodLocal variable
issue.primaryLocationlocation
issue.primaryRuleGuidLocal variable
issue.primaryTagtags
issue.removedLocal variable
issue.removedDateLocal variable
issue.scanStatusLocal variable
issue.severityseverity, severityScore, sourceSeverity
issue.shortFileNameLocal variable
issue.suppressedLocal variable
issueDetail.accuracyLocal variable
issueDetail.assignedUserLocal variable
issueDetail.attackPayloadLocal variable
issueDetail.briefLocal variable
issueDetail.detailLocal variable
issueDetail.methodLocal variable
issueDetail.primaryRuleGuidLocal variable
issueDetail.probabilityLocal variable
issueDetail.recommendationrecommendation
issueDetail.requestBodyLocal variable
issueDetail.responseLocal variable
issueDetail.tipsLocal variable
issueDetail.vulnerableParameterLocal variable
projectVersion.currentState.lastFprUploadDatelastFound
projectVersion.idLocal variable
projectVersion.id() /issue.issueInstanceId/issue.fullFileNameuid
projectVersion.project.idtargets
Static Code Finding Definition

Table 7: Static Code Finding Definition attribute mappings

Source Field NameMaps to Attribute
issue.issueInstanceIduid
issue.issueNamename
issue.severityseverity, severityScore, sourceSeverity
issueDetail.mappedCategorycategories
issueDetail.recommendationrecommendation
issueDetail.referencescweIds
issueDetail.referencesweaknesses
issueDetail.referencesreferences
issueDetail.urlLocal variable

Operation options

The Fortify SSC connector supports the following operation options. See connector operation options for information about how to apply them.

Table 8: Fortify SSC connector operation options

Connector ObjectOptionAll Possible ValuesDescriptionExample
Application,
Dynamic Code Finding,
Dynamic Code Finding Definition,
Static Code Finding,
Static Code Finding Definition
queryAny valid Fortify SSC API queryA query passed directly to the Fortify SSC API to limit the object(s) retrieved by the connector. For details on constructing valid queries, see the Fortify SSC documentation.Key: query Value: project.name:Application_test+and+name:v01. This key and value combination only retrieves the application Application_test with the version named v01.

APIs

The Fortify SSC connector uses the Fortify Software Security Center REST API. Specifically, it uses the following endpoints:

Table 9: Fortify SSC API Endpoints

Connector ObjectAPI Endpoints
ApplicationGET /api/v1/projects
Application VersionGET /api/v1/projectVersions
Dynamic Code FindingGET /api/v1/projectVersions/{projectVersionId}/issues
GET /api/v1/issueDetails/{issueId}
Dynamic Code Finding DefinitionGET /api/v1/projectVersions/{projectVersionId}/issues
GET /api/v1/issueDetails/{issueId}
Static Code FindingGET /api/v1/projectVersions/{projectVersionId}/issues
GET /api/v1/issueDetails/{issueId}
Static Code Finding DefinitionGET /api/v1/projectVersions/{projectVersionId}/issues
GET /api/v1/issueDetails/{issueId}

Changelog

The Fortify SSC connector has undergone the following changes:

Table 10: Fortify SSC connector changelog

note

This connector is part of a bundled release with other connectors from the same vendor. If a version shows "No change", it means that the connector version was updated for consistency as part of the bundle, but no functional changes were made to this specific connector. You can update to or skip this version without affecting your existing configuration.

VersionDescriptionDate Published
3.1.1Code clean up and general maintenance.September 17th, 2025
3.1.0Initial Integration+ release.September 12th, 2025