Fortify Static Code Analyzer

Fortify Static Code Analyzer (SCA) is an application security tool that scans your code projects to identify vulnerabilities in your source code. You can bring code projects and static code data from Fortify SCA into Brinqa to centralize and streamline your vulnerability management process, thus enhancing your cybersecurity posture.

This document details the information you must provide for the connector to retrieve the Fortify SCA findings. See create a data integration for step-by-step instructions on setting up the integration.

Required connection settings

When setting up a data integration, select Fortify Static Code Analyzer from the Connector dropdown. If you cannot find the connector in the dropdown, make sure that you have installed it first. You must provide the following information:

  • Server: The connector requires that you create a data server for the machine where Fortify SCA is installed. Select the data server that you've created.

  • Data directory: The path to the Fortify SCA scan reports stored on your data server.

  • Max age: The maximum number of days that a file is retained. A value less than zero implies that the file never expires, while zero indicates that the file should not be retained.

  • Max files: The maximum number of files to retain. A value less than zero implies that there is no limit to the number of files to retain, while zero indicates that no files should be kept.

  • Include suppressed findings: Select this option if you want the connector to fetch suppressed findings, which are vulnerabilities hidden in the Fortify SCA scan reports.

  • Include removed findings: Select this option if you want the connector to fetch removed findings, which are vulnerabilities deleted from the Fortify SCA scan reports.

  • Rename or move the file after it's processed: Select this option if you want the connector to rename or move the file after it has been processed.

    tip

    If you enable this option, after a file has been ingested, the connector renames the file by appending .processed to the file name. This ensures that the same file won't be ingested multiple times in subsequent sync operations.

Types of data to retrieve

The Fortify SCA connector can retrieve the following types of data:

Table 1: Data retrieved from Fortify SCA

| Connector Object | Required | Maps to Data Model |
|---|---|---|
| Code Project | Yes | Code Project |
| Static Code Finding | Yes | Static Code Finding |
| Static Code Finding Definition | Yes | Static Code Finding Definition |

info

The Fortify SCA connector does not currently support operation options for the types of data it retrieves.

For detailed steps on how to view the data retrieved from Fortify SCA in the Brinqa Platform, see How to view your data.

Attribute mappings

The sections below list the mappings between the source and the Brinqa data model attributes.

Code Project

Table 2: Code Project attribute mappings

| Source Field Name | Maps to Attribute |
|---|---|
| Project name | Local variable |
| Project version ID | targets, uid |

Static Code Finding

Table 3: Static Code Finding attribute mappings

| Field name | Maps to Attribute |
|---|---|
| Abstract | results |
| Analyzer name | Local variable |
| Build ID | Local variable |
| Build label | Local variable |
| Class ID | Local variable |
| Confidence | Local variable |
| Date removed | Local variable |
| Enclosing class | Local variable |
| Engine version | Local variable |
| Explanation | results |
| Fortify LOC | Local variable |
| Function | Local variable |
| Impact | Local variable |
| Impact bias | Local variable |
| Integrity impact | Local variable |
| Last found | lastFound |
| Namespace | Local variable |
| Number of files | Local variable |
| Primary audience | Local variable |
| Recommendation | recommendation |
| Remediation effort | Local variable |
| Removed | Local variable |
| Report name | Local variable |
| Rule ID | type, uid |
| Scan time | Local variable |
| Snippet end line | path |
| Snippet file | path |
| Snippet ID | Local variable |
| Snippet label | Local variable |
| Snippet start line | path |
| Snippet text | Local variable |
| Source file | Local variable |
| Source line | Local variable |
| Source LOC | Local variable |
| Source path | Local variable |
| Suppressed | Local variable |
| Sys ID | uid |
| Tags | Tags |
| Total LOC | Local variable |
| Whitespace LOC | Local variable |

Static Code Finding Definition

Table 4: Static Code Finding Definition attribute mappings

| Source Field Name | Maps to Attribute |
|---|---|
| CWE | cweIds, weaknesses |
| Default severity | Local variable |
| Instance severity | severity, sourceSeverity, severityScore |
| Kingdom | Local variable |
| Recommendation | recommendation |
| Rule ID | type, uid |
| Rule pack version | Local variable |
| Subtype | Local variable |
| Tips | recommendation |
| Type | Local variable |

info

Local variable indicates that the field is processed within a specific context, such as a particular workflow or calculation. Unlike other attributes, local variables aren't mapped to the unified data models. They only exist on the source data model.

APIs

As the Fortify SCA connector is file-based, it doesn't rely on any API endpoints.

Changelog

The Fortify SCA connector has undergone the following changes:

Table 5: Fortify SCA connector changelog

note

This connector is part of a bundled release with other connectors from the same vendor. If a version shows "No change", it means that the connector version was updated for consistency as part of the bundle, but no functional changes were made to this specific connector. You can update to or skip this version without affecting your existing configuration.

| Version | Description | Date Published |
|---|---|---|
| 3.1.1 | Code clean up and general maintenance. | September 17th, 2025 |
| 3.1.0 | No change. | September 12th, 2025 |
| 3.0.6 | No change. | August 5th, 2025 |
| 3.0.5 | Fixed a typo in the Connector Store where "Fortify Static Code Analyzer" was incorrectly spelled as "Analyser." | February 6th, 2025 |
| 3.0.4 | Fixed the NullPointerException error when retrieving Static Code Findings. | June 19th, 2024 |
| 3.0.3 | Fixed an issue where attributes were missing on the Code Project and Static Code Finding objects. | May 20th, 2024 |
| 3.0.2 | Fixed an issue where the connector was processing files as .failed rather than .processed. | April 8th, 2024 |
| 3.0.1 | Initial Integration+ release. | January 22nd, 2024 |