Fortify Software Security Center
Fortify Software Security Center (SSC) is an application security tool that scans your applications to identify vulnerabilities. You can bring application, application version, dynamic code, and static code data from Fortify SSC into Brinqa to gain a unified view of your attack surface, thus strengthening your cybersecurity posture.
This document details the information you must provide for the connector to authenticate with Fortify SSC and how to obtain that information from Fortify SSC. See create a data integration for step-by-step instructions on setting up the integration.
Required connection settings
When setting up a data integration, select Fortify Software Security Center from the Connector drop-down. If you cannot find the connector in the drop-down, make sure that you have installed it first. You must provide the following information to integrate Fortify SSC with Brinqa:
- Server URL: Your organization's Fortify SSC Server URL. The default URL format is https://<servername>/.
- Username and Password: The username and password associated with the Fortify SSC account, which must have, at the very least, the View-Only role assigned to it.
Create a new Fortify SSC user
To create a new user in Fortify SSC with the necessary roles to retrieve data from the Fortify SSC API, follow these steps:
- Log in to your organization's Fortify SSC portal as an administrator.
- Navigate to Administration > Users > Local Users.
- Click Add. The Create New User dialog displays.
- Enter a username, password, email address, and first and last name.
- Assign the View-Only role to the user.
- Complete any additional fields as required, and then click Save.
If you do not have permissions to create new Fortify SSC users, contact your Fortify SSC administrator. For additional information, see Fortify SSC documentation.
Additional settings
The Fortify SSC connector contains additional options for specific configuration:
- Page size: The maximum number of records to get per API request. The default setting is 100. It is not recommended to go over 100.
- Parallel requests: The maximum number of parallel API requests. The default setting is 4.
- Maximum retries: The maximum number of times that the integration attempts to connect to the Fortify SSC API before giving up and reporting a failure. The default setting is 5.
- Skip certificate verification: Select this option to allow for untrusted certificates. With this option selected, the connector does not validate the Fortify SSC server's TLS certificate, so it cannot detect an impersonated server, and the username and password are sent over that unverified connection.
Types of data to retrieve
The Fortify SSC connector can retrieve the following types of data from the Fortify SSC API:
Table 1: Data retrieved from Fortify SSC
Connector Object | Required | Maps to Data Model |
---|---|---|
Application | Yes | Application |
Application Version | Yes | Code Project |
Dynamic Code Finding | Yes | Dynamic Code Finding |
Dynamic Code Finding Definition | Yes | Dynamic Code Finding Definition |
Static Code Finding | Yes | Static Code Finding |
Static Code Finding Definition | Yes | Static Code Finding Definition |
For detailed steps on how to view the data retrieved from Fortify SSC in the Brinqa Platform, see How to view your data.
Attribute mappings
Expand the sections below to view the mappings between the source and the Brinqa data model attributes.
Application
Table 2: Application attribute mappings
Source Field Name | Maps to Attribute |
---|---|
category | categories |
createdBy | Local variable |
creationDate | sourceCreatedDate |
description | description |
id | uid |
name | name |
Application Version
Table 3: Application Version attribute mappings
Source Field Name | Maps to Attribute |
---|---|
active | Local variable |
categories | categories |
createdBy | Local variable |
creationDate | sourceCreatedDate |
currentState.metricEvaluationDate | lastScanned |
description | description |
id | targets, uid |
mode | Local variable |
name | name |
owner | owner |
Dynamic Code Finding
Table 4: Dynamic Code Finding attribute mappings
Source Field Name | Maps to Attribute |
---|---|
issue.analyzer | Local variable |
issue.audited | Local variable |
issue.confidence | Local variable |
issue.foundDate | firstFound |
issue.folderGuid | Local variable |
issue.fullFileName | Local variable |
issue.hidden | Local variable |
issue.impact | Local variable |
issue.issueInstanceId | type |
issue.issueState | Local variable |
issue.issueStatus | providerStatus, sourceStatus, status |
issue.kingdom | Local variable |
issue.lastScanId | Local variable |
issue.likelihood | Local variable |
issue.primaryLocation | location |
issue.primaryRuleGuid | Local variable |
issue.primaryTag | tags |
issue.removed | Local variable |
issue.removedDate | Local variable |
issue.scanStatus | Local variable |
issue.severity | severity, severityScore, sourceSeverity |
issue.shortFileName | Local variable |
issue.suppressed | Local variable |
issueDetail.accuracy | Local variable |
issueDetail.assignedUser | Local variable |
issueDetail.attackPayload | Local variable |
issueDetail.brief | Local variable |
issueDetail.detail | Local variable |
issueDetail.method | Local variable |
issueDetail.probability | Local variable |
issueDetail.recommendation | recommendation |
issueDetail.requestBody | Local variable |
issueDetail.response | Local variable |
issueDetail.tips | Local variable |
issueDetail.vulnerableParameter | Local variable |
projectVersion.currentState.lastFprUploadDate | lastFound |
projectVersion.id | Local variable |
projectVersion.id() /issue.issueInstanceId/issue.fullFileName | uid |
projectVersion.project.id | targets |
Dynamic Code Finding Definition
Table 5: Dynamic Code Finding Definition attribute mappings
Source Field Name | Maps to Attribute |
---|---|
issue.issueInstanceId | uid |
issue.issueName | name |
issue.severity | severity, severityScore, sourceSeverity |
issueDetail.mappedCategory | categories |
issueDetail.recommendation | recommendation |
issueDetail.references | cweIds |
issueDetail.references | weaknesses |
issueDetail.references | references |
issueDetail.url | Local variable |
Static Code Finding
Table 6: Static Code Finding attribute mappings
Source Field Name | Maps to Attribute |
---|---|
issue.analyzer | Local variable |
issue.audited | Local variable |
issue.confidence | Local variable |
issue.foundDate | firstFound |
issue.folderGuid | Local variable |
issue.fullFileName | Local variable |
issue.hidden | Local variable |
issue.impact | Local variable |
issue.issueInstanceId | type |
issue.issueState | Local variable |
issue.issueStatus | providerStatus, sourceStatus, status |
issue.kingdom | Local variable |
issue.lastScanId | Local variable |
issue.likelihood | Local variable |
issue.primaryLocation | location |
issue.primaryRuleGuid | Local variable |
issue.primaryTag | tags |
issue.removed | Local variable |
issue.removedDate | Local variable |
issue.scanStatus | Local variable |
issue.severity | severity, severityScore, sourceSeverity |
issue.shortFileName | Local variable |
issue.suppressed | Local variable |
issueDetail.accuracy | Local variable |
issueDetail.assignedUser | Local variable |
issueDetail.attackPayload | Local variable |
issueDetail.brief | Local variable |
issueDetail.detail | Local variable |
issueDetail.method | Local variable |
issueDetail.primaryRuleGuid | Local variable |
issueDetail.probability | Local variable |
issueDetail.recommendation | recommendation |
issueDetail.requestBody | Local variable |
issueDetail.response | Local variable |
issueDetail.tips | Local variable |
issueDetail.vulnerableParameter | Local variable |
projectVersion.currentState.lastFprUploadDate | lastFound |
projectVersion.id | Local variable |
projectVersion.id() /issue.issueInstanceId/issue.fullFileName | uid |
projectVersion.project.id | targets |
Static Code Finding Definition
Table 7: Static Code Finding Definition attribute mappings
Source Field Name | Maps to Attribute |
---|---|
issue.issueInstanceId | uid |
issue.issueName | name |
issue.severity | severity, severityScore, sourceSeverity |
issueDetail.mappedCategory | categories |
issueDetail.recommendation | recommendation |
issueDetail.references | cweIds |
issueDetail.references | weaknesses |
issueDetail.references | references |
issueDetail.url | Local variable |
Operation options
The Fortify SSC connector supports the following operation options. See connector operation options for information about how to apply them.
Table 8: Fortify SSC connector operation options
Connector Object | Option | All Possible Values | Description | Example |
---|---|---|---|---|
Application, Dynamic Code Finding, Dynamic Code Finding Definition, Static Code Finding, Static Code Finding Definition | query | Any valid Fortify SSC API query | A query passed directly to the Fortify SSC API to limit the object(s) retrieved by the connector. For details on constructing valid queries, see the Fortify SSC documentation. | Key: query, Value: project.name:Application_test+and+name:v01. This key and value combination only retrieves the application Application_test with the version named v01. |
APIs
The Fortify SSC connector uses the Fortify Software Security Center REST API. Specifically, it uses the following endpoints:
Table 9: Fortify SSC API Endpoints
Connector Object | API Endpoints |
---|---|
Application | GET /api/v1/projects |
Application Version | GET /api/v1/projectVersions |
Dynamic Code Finding | GET /api/v1/projectVersions/{projectVersionId}/issues, GET /api/v1/issueDetails/{issueId} |
Dynamic Code Finding Definition | GET /api/v1/projectVersions/{projectVersionId}/issues, GET /api/v1/issueDetails/{issueId} |
Static Code Finding | GET /api/v1/projectVersions/{projectVersionId}/issues, GET /api/v1/issueDetails/{issueId} |
Static Code Finding Definition | GET /api/v1/projectVersions/{projectVersionId}/issues, GET /api/v1/issueDetails/{issueId} |
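The following added example (not Brinqa's connector code) shows how a read-only client could page through one of the list endpoints above using the defaults from Additional settings: 100 records per request and at most 5 attempts. The `start`/`limit`/`q` parameters, the `data`/`count` response fields, HTTP Basic authentication, and the function names are assumptions made for illustration.

```python
import base64
import json
import time
import urllib.error
import urllib.parse
import urllib.request

PAGE_SIZE = 100    # the page's default "Page size"
MAX_RETRIES = 5    # the page's default "Maximum retries"


def http_get(url, username, password):
    """Real transport: Basic auth (assumed); urllib verifies TLS by default."""
    cred = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={
        "Authorization": f"Basic {cred}", "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def fetch_all(server_url, path, fetch, query=None, page_size=PAGE_SIZE,
              max_retries=MAX_RETRIES, sleep=time.sleep):
    """Collect every record from a list endpoint, one page at a time.

    fetch is a callable(url) -> dict, for example
    lambda u: http_get(u, "view_only_user", password).
    """
    records, start = [], 0
    while True:
        params = {"start": start, "limit": page_size}   # assumed paging params
        if query:
            params["q"] = query                         # assumed filter param
        url = server_url.rstrip("/") + path + "?" + urllib.parse.urlencode(params)
        for attempt in range(1, max_retries + 1):
            try:
                page = fetch(url)
                break
            except OSError as exc:   # URLError and socket errors derive from OSError
                # A 4xx (rejected login, bad query) cannot succeed on retry.
                client_err = (isinstance(exc, urllib.error.HTTPError)
                              and exc.code < 500)
                if client_err or attempt == max_retries:
                    raise            # give up and report the failure
                sleep(min(2 ** attempt, 30))   # back off before the next attempt
        batch = page.get("data", [])           # assumed response shape
        records.extend(batch)
        start += len(batch)
        if not batch or start >= page.get("count", 0):
            return records
```

Because `http_get` uses the default `urllib` TLS context, a server presenting an untrusted certificate fails the request instead of being silently accepted.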
Changelog
The Fortify SSC connector has undergone the following changes:
This connector is part of a bundled release with other connectors from the same vendor. If a version shows "No change", it means that the connector version was updated for consistency as part of the bundle, but no functional changes were made to this specific connector. You can update to or skip this version without affecting your existing configuration.
Table 10: Fortify SSC connector changelog
Version | Description | Date Published |
---|---|---|
3.1.1 | Code clean up and general maintenance. | September 17th, 2025 |
3.1.0 | Initial Integration+ release. | September 12th, 2025 |