Fortify Static Code Analyzer
Fortify Static Code Analyzer (SCA) is an application security testing tool that scans your source code and reports the vulnerabilities it finds. You can bring code projects and static code findings from Fortify SCA into Brinqa to centralize and streamline your vulnerability management process.
This document details the information you must provide for the connector to retrieve the Fortify SCA findings. See Create a data integration for step-by-step instructions on setting up the integration.
Required connection settings
When setting up a data integration, select Fortify Static Code Analyzer from the Connector drop-down. If you cannot find the connector in the drop-down, make sure that you have installed it first. You must provide the following information:
- Server: The connector requires a data server for the machine where the Fortify SCA scan reports are stored. Select the data server that you've created.
- Data directory: The path on that data server to the directory holding the Fortify SCA scan reports.
- Max age: The maximum number of days that a file is retained. A negative value means files never expire; zero means no file is retained.
- Max files: The maximum number of files to retain. A negative value means there is no limit on the number of files; zero means no files are kept.
- Include suppressed findings: Select this option if you want the connector to fetch suppressed findings, that is, findings an auditor has marked as suppressed in Fortify so that they are hidden from the default view of the scan report.
- Include removed findings: Select this option if you want the connector to fetch removed findings, that is, findings that Fortify reported in an earlier scan but that are no longer present in the current scan and are marked as removed in the scan report.
- Rename or move the file after it's processed: Select this option if you want the connector to rename the file once it has been ingested.
Tip: If you enable this option, after a file has been ingested the connector renames it by appending .processed to the file name. This ensures that the same file is not ingested again in subsequent sync operations.
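The settings above describe a small file-handling policy: which files in the data directory are picked up on a sync, how many and how old they may be, whether suppressed and removed findings are kept, and how a processed file is marked so it is not ingested twice. The script below is an added example, not Brinqa's or Fortify's code, that models those documented rules so you can check them offline before pointing a real integration at a share. It assumes that "retained" means "eligible for the next sync", uses a constructed JSON stand-in for the report files (real Fortify scan reports are not in this format), and uses placeholder rule IDs; the field names `suppressed` and `removed` simply mirror the Suppressed and Removed source fields listed later in this document.

```python
"""Model of the Fortify SCA connector's file-handling settings.

Added example, not Brinqa's or Fortify's code. It reproduces the
documented semantics of Data directory, Max age, Max files, the two
"Include ..." toggles and the ".processed" rename so they can be
exercised offline. The report files are a constructed JSON stand-in;
real Fortify scan reports are not in this format.
"""
import json
import os
import tempfile
import time
from pathlib import Path

PROCESSED_SUFFIX = ".processed"
DAY = 86400

# Constructed findings with placeholder rule IDs. The keys mirror the
# "Rule ID", "Suppressed" and "Removed" source fields of the connector.
SAMPLE_FINDINGS = [
    {"rule_id": "rule-A", "suppressed": False, "removed": False},
    {"rule_id": "rule-B", "suppressed": True, "removed": False},
    {"rule_id": "rule-C", "suppressed": False, "removed": True},
]


def eligible_files(data_dir, max_age_days=-1, max_files=-1, now=None):
    """Return the report files a sync should ingest, newest first.

    Files already renamed with ".processed" are skipped, which is what
    makes repeated syncs idempotent. Max age / Max files follow the
    documented rules: a negative value means no limit, zero means nothing
    is kept, and a positive value is a cap in days / in file count.
    (Assumption: "retained" is read as "eligible for the next sync".)
    """
    now = time.time() if now is None else now
    if max_age_days == 0 or max_files == 0:
        return []
    files = [
        p for p in Path(data_dir).iterdir()
        if p.is_file() and not p.name.endswith(PROCESSED_SUFFIX)
    ]
    if max_age_days > 0:
        cutoff = now - max_age_days * DAY
        files = [p for p in files if p.stat().st_mtime >= cutoff]
    files.sort(key=lambda p: p.stat().st_mtime, reverse=True)
    if max_files > 0:
        files = files[:max_files]
    return files


def filter_findings(findings, include_suppressed=False, include_removed=False):
    """Drop suppressed and removed findings unless the matching option is on."""
    return [
        f for f in findings
        if (include_suppressed or not f.get("suppressed"))
        and (include_removed or not f.get("removed"))
    ]


def ingest(data_dir, max_age_days=-1, max_files=-1,
           include_suppressed=False, include_removed=False, rename=True):
    """Read every eligible report, apply the toggles, then mark it processed."""
    collected = []
    for path in eligible_files(data_dir, max_age_days, max_files):
        with path.open() as fh:
            report = json.load(fh)
        collected.extend(filter_findings(report["findings"],
                                         include_suppressed, include_removed))
        if rename:
            # "scan.json" becomes "scan.json.processed" and is skipped next sync.
            path.rename(path.with_name(path.name + PROCESSED_SUFFIX))
    return collected


def make_sample_dir(root=None):
    """Create a data directory with two constructed reports: one modified a
    day ago holding rule-A and rule-B, one modified 40 days ago holding rule-C."""
    root = Path(root) if root else Path(tempfile.mkdtemp(prefix="fortify-"))
    now = time.time()
    reports = {
        "scan-new.json": (now - 1 * DAY, SAMPLE_FINDINGS[:2]),
        "scan-old.json": (now - 40 * DAY, SAMPLE_FINDINGS[2:]),
    }
    for name, (mtime, findings) in reports.items():
        path = root / name
        path.write_text(json.dumps({"findings": findings}))
        os.utime(path, (mtime, mtime))  # backdate so Max age has something to cut
    return str(root)


def report_names(data_dir):
    """Sorted file names in the data directory, for checking the rename."""
    return sorted(p.name for p in Path(data_dir).iterdir())


if __name__ == "__main__":
    d = make_sample_dir()
    print("eligible with Max age 30:", [p.name for p in eligible_files(d, 30)])
    print("ingested with defaults:", [f["rule_id"] for f in ingest(d)])
    print("directory after sync:", report_names(d))
```

Running the script twice against the same directory is the check worth doing: the second pass finds nothing eligible because every file now ends in `.processed`, which is the behaviour the tip above relies on. If you leave the rename option off in a real integration, the same report is re-read on every sync, so some other mechanism (Max age, or removing files from the share) has to keep the directory from growing.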
Types of data to retrieve
The Fortify SCA connector can retrieve the following types of data:
Table 1: Data retrieved from Fortify SCA
Connector Object | Required | Maps to Data Model |
---|---|---|
Code Project | Yes | Code Project |
Static Code Finding | Yes | Static Code Finding |
Static Code Finding Definition | Yes | Static Code Finding Definition |
The Fortify SCA connector does not currently support operation options for the types of data it retrieves.
For detailed steps on how to view the data retrieved from Fortify SCA in the Brinqa Platform, see How to view your data.
Attribute mappings
The following tables list the mappings between the source fields and the Brinqa data model attributes for Code Project, Static Code Finding, and Static Code Finding Definition.
Table 2: Code Project attribute mappings
Source Field Name | Maps to Attribute |
---|---|
Project name | Local variable |
Project version ID | targets, uid |
Table 3: Static Code Finding attribute mappings
Source Field Name | Maps to Attribute |
---|---|
Abstract | results |
Analyzer name | Local variable |
Build ID | Local variable |
Build label | Local variable |
Class ID | Local variable |
Confidence | Local variable |
Date removed | Local variable |
Enclosing class | Local variable |
Engine version | Local variable |
Explanation | results |
Fortify LOC | Local variable |
Function | Local variable |
Impact | Local variable |
Impact bias | Local variable |
Integrity impact | Local variable |
Last found | lastFound |
Namespace | Local variable |
Number of files | Local variable |
Primary audience | Local variable |
Recommendation | recommendation |
Remediation effort | Local variable |
Removed | Local variable |
Report name | Local variable |
Rule ID | type, uid |
Scan time | Local variable |
Snippet end line | path |
Snippet file | path |
Snippet ID | Local variable |
Snippet label | Local variable |
Snippet start line | path |
Snippet text | Local variable |
Source file | Local variable |
Source line | Local variable |
Source LOC | Local variable |
Source path | Local variable |
Suppressed | Local variable |
Sys ID | uid |
Tags | Tags |
Total LOC | Local variable |
Whitespace LOC | Local variable |
Table 4: Static Code Finding Definition attribute mappings
Source Field Name | Maps to Attribute |
---|---|
CWE | cweIds, weaknesses |
Default severity | Local variable |
Instance severity | severity, sourceSeverity, severityScore |
Kingdom | Local variable |
Recommendation | recommendation |
Rule ID | type, uid |
Rule pack version | Local variable |
Subtype | Local variable |
Tips | recommendation |
Type | Local variable |
Local variable indicates that the field is used only within a specific context, such as a particular workflow or calculation. Unlike the other attributes, local variables are not mapped to the unified data models; they exist only on the source data model.
APIs
As the Fortify SCA connector is file-based, it doesn't rely on any API endpoints.
Changelog
The Fortify SCA connector has undergone the following changes:
3.0.4
- Fixed a NullPointerException that occurred when retrieving Static Code Findings.
3.0.3
- Fixed an issue where attributes were missing on the Code Project and Static Code Finding objects.
3.0.2
- Fixed an issue where the connector was processing files as ".failed" rather than ".processed".
3.0.1
- Initial Integration+ release.