Fortify SSC

Use the Fortify SSC bundled plugin to upload Fortify SCA scan results to Fortify Software Security Center (SSC).

Prerequisites

Review these considerations before using the Fortify SSC plugin:

  • This plugin works together with the Fortify SCA plugin. When you run a local Fortify SCA scan, you can then use the Fortify SSC plugin to pick up the scan results and upload them to Fortify Software Security Center.

    For details about the Fortify SCA plugin, see Fortify SCA.

  • If the processing of the Fortify scan results requires approval, make sure that the approval is granted through Fortify Software Security Center before you run the chain. Otherwise, the plugin step cannot complete.


Configure the plugin

When you add the Fortify SSC plugin to a chain, specify the plugin configuration details.

To configure the Fortify SSC step:

  1. Add the Fortify SSC step to a chain, as described in Create chains.

  2. Enter the plugin configuration details:

    Title
        (Optional) Rename the plugin step.

    Fortify Software Security Center URL
        Enter the Fortify Software Security Center server URL. You can set it as a global variable, for example:

        {{FORTIFY_SSC_URL}}

        For details, see Define chain and global variables.

        After the chain runs, the link to the Fortify SSC server is included on the chain run page.

    Application name
        Enter the name of the application under which to store the scan results in Fortify Software Security Center.

    Application version
        Enter the version number associated with the application. If the version doesn't exist, the plugin creates it.

        To use the build number as the application version, set it as a variable:

        {{chainnum}}

        For details about built-in variables, see Use variables in chains.

    Results file location (.fpr)
        Enter the local path to the Fortify Project Results (FPR) file generated by the Fortify SCA plugin.

        Leave empty to pick up the latest FPR file in the agent's workspace.

    Filter set
        (Optional) To filter the scan results based on a filter set, specify the ID of the filter set.

        Leave empty to use the default filter set defined in Fortify Software Security Center.

    Use advanced options
        Provide the authentication tokens created in Fortify Software Security Center. For each token, enter the decoded token string:

        • CIToken. Enables you to upload scan results to Fortify Software Security Center.

        • ScanCentralCtrlToken or UnifiedLoginToken. (Optional) Enables you to capture scan results and display them as findings in PulseUno.

        Optionally, set the status check interval and timeout:

        • Check status every (in minutes). Specify how often to poll Fortify Software Security Center to check whether FPR processing has completed, in minutes. Default: every minute.

        • Check timeout (in minutes). Specify how long to wait for FPR processing to complete before timing out, in minutes. The minimum timeout is 5 minutes. Default: 60 minutes.

    Control options
        (Optional) Define the control options for the plugin step:

        • Enable step. By default, the step is enabled to run. Clear this option if you need to deactivate the step.

          Disabled steps are skipped when the chain runs.

        • Fail the step. Specify the conditions for failing the step, such as unit test failures, findings criteria, and/or console log entries.

        • Mark step as unstable. Specify the conditions for making the step unstable, such as unit test failures, findings criteria, and/or console log entries.

    Output variables
        (Optional) Specify the output variables to be passed to other steps down the chain. For details, see Publish output variables.

  3. Save the chain.
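The polling that the Check status every and Check timeout fields control, modelled as an added Python example (not PulseUno's or Fortify's own code). The status strings, the fake SSC and the early return for the pending-approval case from Prerequisites are constructed for illustration; the real plugin reports that case only as a step that cannot complete.

```python
"""Simulated model of the Fortify SSC step's FPR-processing poll loop.

Added example, not PulseUno's or Fortify's code. The status strings and the
fake SSC below are constructed stand-ins for whatever SSC actually returns.
"""
from dataclasses import dataclass
from typing import Callable, List

MIN_TIMEOUT_MIN = 5        # documented minimum for "Check timeout"
DEFAULT_INTERVAL_MIN = 1   # documented default for "Check status every"
DEFAULT_TIMEOUT_MIN = 60   # documented default for "Check timeout"


@dataclass
class PollResult:
    outcome: str      # "completed", "needs_approval" or "timed_out"
    polls: int        # number of status checks made
    elapsed_min: int  # simulated minutes spent waiting


def poll_fpr_processing(status_of: Callable[[], str],
                        interval_min: int = DEFAULT_INTERVAL_MIN,
                        timeout_min: int = DEFAULT_TIMEOUT_MIN) -> PollResult:
    """Poll until processing completes, approval is required, or time runs out.

    Time is simulated (no sleep) so the schedule can be checked offline.
    Constructed statuses: "PROCESSING", "REQUIRE_AUTH", "PROCESS_COMPLETE".
    """
    if interval_min < 1:
        raise ValueError("poll interval must be at least 1 minute")
    timeout_min = max(timeout_min, MIN_TIMEOUT_MIN)  # enforce documented minimum
    elapsed, polls = 0, 0
    while True:
        status = status_of()
        polls += 1
        if status == "PROCESS_COMPLETE":
            return PollResult("completed", polls, elapsed)
        if status == "REQUIRE_AUTH":
            # Approval is granted in SSC, not by waiting: stop and say why.
            return PollResult("needs_approval", polls, elapsed)
        if elapsed + interval_min > timeout_min:
            return PollResult("timed_out", polls, elapsed)
        elapsed += interval_min


def fake_ssc(statuses: List[str]) -> Callable[[], str]:
    """Constructed SSC stand-in: returns each status in turn, then repeats the last."""
    calls = [0]

    def status_of() -> str:
        status = statuses[min(calls[0], len(statuses) - 1)]
        calls[0] += 1
        return status
    return status_of
```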
