Micro Focus Fortify on Demand Connector Guide

How to set up and use the Micro Focus Fortify on Demand connector in RiskSense.

Overview

The RiskSense platform provides an API-based connector to Micro Focus’ Fortify on Demand (FoD) that brings SAST and DAST findings from Fortify into RiskSense. This gives customers visibility into the overall risk from vulnerabilities in their source code and web applications, and a simpler, more efficient way to manage those vulnerabilities.

User Prerequisites/Fortify on Demand Setup

Fortify on Demand is a cloud-based solution. RiskSense requires a user account with the following access to communicate with and pull data from Fortify on Demand.

  • Read access to scan results and their associated issues. A Read Only user role is sufficient, since the connector only reads data.
  • API access with the Fortify on Demand API scope ‘api-tenant’. Refer to https://<fortify on demand instance url>/Docs/en/Content/API/API_Scopes.htm for more details.
  • An API key (Client Id and Client Secret) created for a Fortify on Demand user with the Read Only role. Refer to https://<fortify on demand instance url>/Docs/en/Content/Administration/Settings/API/API_CreateKey.htm for more details.

Fortify on Demand Connector API Calls

During a connector run, the following API calls pull security vulnerabilities from Fortify on Demand into RiskSense.

  • Authentication: https://{{loginUrl}}/oauth/token
  • Fetch list of SDLC statuses: https://{{loginUrl}}/api/v3/lookup-items?type=SDLCStatusTypes
  • Fetch list of applications: https://{{loginUrl}}/api/v3/applications
  • Fetch list of releases (filtered by the selected SDLC status): https://{{loginUrl}}/api/v3/releases?filters=sdlcStatusTypeId:<user value>
  • Fetch list of vulnerabilities by release Id: https://{{loginUrl}}/api/v3/releases/<releaseId>/vulnerabilities
  • Get vulnerability detail for each vulnerability: https://{{loginUrl}}/api/v3/releases/<releaseId>/vulnerabilities/<vulnId>/all-data
  • Get vulnerability code detail (source snippet) for each SAST finding: https://{{loginUrl}}/api/v3/releases/<releaseId>/vulnerabilities/<vulnId>/traces/<traceIndex>/<index>/snippet
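The pull sequence above, written out as runnable code. This is an added example, not RiskSense’s or Fortify’s own connector code: FodClient takes the client credentials from the prerequisites section, requests a token with the api-tenant scope, resolves the selected SDLC status names through the lookup-items call, lists the releases for each status id with the single-value filters=sdlcStatusTypeId:<id> filter shown in the table, and pages through each release’s vulnerabilities. It assumes that FoD list endpoints page with offset/limit and return items plus totalCount, and that lookup rows carry text/value pairs. All network I/O goes through an injected transport; FakeTransport, SAMPLE, the host api.sample.fortify.com and the credentials are constructed stand-ins so the module runs offline. The all-data and snippet calls are left out.

```python
import urllib.parse
from typing import Dict, List


class FodClient:
    PAGE_SIZE = 50  # assumption: list endpoints page with offset/limit and report totalCount

    def __init__(self, api_root, client_id, client_secret, transport):  # transport(method, url, headers, body) -> dict
        self.api_root, self.client_id, self.client_secret = api_root.rstrip("/"), client_id, client_secret
        self.transport, self.token = transport, None

    def authenticate(self) -> str:
        # Authentication: OAuth2 client-credentials grant with the 'api-tenant' scope
        form = urllib.parse.urlencode({"grant_type": "client_credentials", "scope": "api-tenant",
                                       "client_id": self.client_id, "client_secret": self.client_secret})
        data = self.transport("POST", f"{self.api_root}/oauth/token",
                              {"Content-Type": "application/x-www-form-urlencoded"}, form.encode("ascii"))
        self.token = data["access_token"]
        return self.token

    def _get(self, path: str, **params) -> dict:
        if self.token is None:
            self.authenticate()
        url = f"{self.api_root}{path}" + ("?" + urllib.parse.urlencode(params) if params else "")
        return self.transport("GET", url, {"Authorization": f"Bearer {self.token}"}, None)

    def _paged(self, path: str, **params) -> List[dict]:  # follow offset/limit pages until totalCount is reached
        items: List[dict] = []
        while True:
            page = self._get(path, offset=len(items), limit=self.PAGE_SIZE, **params)
            items.extend(page["items"])
            if not page["items"] or len(items) >= page["totalCount"]:
                return items

    def sdlc_status_types(self) -> Dict[str, int]:
        # Fetch list of SDLC statuses -> {"Production": 1, ...}; assumes text/value lookup rows
        rows = self._get("/api/v3/lookup-items", type="SDLCStatusTypes")["items"]
        return {row["text"]: int(row["value"]) for row in rows}

    def releases(self, status_ids: List[int]) -> List[dict]:  # one filtered releases call per selected status id
        return [r for sid in status_ids
                for r in self._paged("/api/v3/releases", filters=f"sdlcStatusTypeId:{sid}")]

    def pull(self, status_names: List[str]) -> Dict[int, List[dict]]:  # one connector run
        lookup = self.sdlc_status_types()
        return {r["releaseId"]: self._paged(f"/api/v3/releases/{r['releaseId']}/vulnerabilities")
                for r in self.releases([lookup[n] for n in status_names])}


def credentials_ok(client: FodClient) -> bool:
    # Test Credentials in code: a token is issued and accepted on a read (real transports must map 401/403 to PermissionError)
    try:
        client.authenticate()
        client.sdlc_status_types()
        return True
    except PermissionError:
        return False


class FakeTransport:
    """Constructed stand-in for a tenant (sample data only); enforces token, filter and paging."""
    def __init__(self, data: Dict[str, List[dict]], secret: str = "secret-sample"):
        self.data, self.secret, self.calls = data, secret, []

    def __call__(self, method, url, headers, body=None):
        u = urllib.parse.urlparse(url)
        q = dict(urllib.parse.parse_qsl(u.query))
        self.calls.append(f"{method} {u.path}")
        if u.path == "/oauth/token":
            form = dict(urllib.parse.parse_qsl(body.decode("ascii")))
            if form.get("scope") != "api-tenant" or form.get("client_secret") != self.secret:
                raise PermissionError("invalid_client")
            return {"access_token": "tok-sample"}
        if headers.get("Authorization") != "Bearer tok-sample":
            raise PermissionError("401 Unauthorized")
        rows = self.data.get(u.path, [])
        if "filters" in q:  # single "field:value" filter, as in the releases call
            field, value = q["filters"].split(":", 1)
            rows = [r for r in rows if str(r[field]) == value]
        off, lim = int(q.get("offset", 0)), int(q.get("limit", len(rows)))
        return {"items": rows[off:off + lim], "totalCount": len(rows)}


# Constructed sample tenant, not real data. Release 101 has 120 findings to force three pages.
SAMPLE = {
    "/api/v3/lookup-items": [{"text": t, "value": str(i)}
                             for i, t in enumerate(("Production", "QA", "Development"), 1)],
    "/api/v3/releases": [
        {"releaseId": 101, "applicationName": "payments", "releaseName": "1.0", "sdlcStatusTypeId": 1},
        {"releaseId": 102, "applicationName": "payments", "releaseName": "1.1-rc", "sdlcStatusTypeId": 2},
        {"releaseId": 201, "applicationName": "portal", "releaseName": "2.0", "sdlcStatusTypeId": 1}],
    "/api/v3/releases/101/vulnerabilities": [
        {"vulnId": 5000 + i, "scantype": "Static" if i % 2 else "Dynamic"} for i in range(120)],
    "/api/v3/releases/201/vulnerabilities": [{"vulnId": 9001, "scantype": "Dynamic"}],
}


def run_demo(status_names=("Production",)):
    # Pull from the sample tenant; returns (findings by releaseId, transport call log)
    transport = FakeTransport(SAMPLE)
    client = FodClient("https://api.sample.fortify.com", "id-sample", "secret-sample", transport)
    return client.pull(list(status_names)), transport.calls
```

credentials_ok is what the Test Credentials button has to prove: the key obtains a token and that token is accepted on a read call; with a wrong secret the token request fails and no further call is made. run_demo(("QA",)) returns {102: []}, which is the release-with-zero-findings case.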

Configuring the Fortify on Demand Connector in RiskSense

Navigate to the Automate > Integrations page.

Navigation - Automation - Integrations

Using the search bar in the upper-right corner of the Integrations page, type Fortify on Demand to find the connector.

Fortify on Demand - Search for Connector

Locate the Fortify on Demand card on the page and click Configuration.

Fortify on Demand - Configuration Button Location

In the new window under Connection, complete the required fields, as described below.

  • Name: The connector’s name.
  • URL: The API root URL of the Fortify on Demand instance. The root URL depends on the data center that hosts your tenant; refer to https://<fortify on demand instance url>/Docs/en/index.htm#API/API_About.htm for the URL of each data center.
  • Client Id: The API key created in the Fortify on Demand instance (see User Prerequisites/Fortify on Demand Setup for the required API scope and role).
  • Client Secret: The API secret that belongs to that key.
  • SSL: Optional; the instance’s SSL certificate, base64-encoded.
  • Select Network: The RiskSense network that the ingested data is associated with.

Fortify on Demand - Connection Window

Click the Test Credentials button to ensure the credentials are correct and have the necessary access to make Fortify on Demand API calls.

Under Schedule, you can configure the desired schedule for the connector to retrieve results from the Fortify on Demand instance. Users can optionally turn on Enable auto URBA (Update Remediation by Assessment).

When the Create Assets that do not have vulnerabilities option is checked, RiskSense also creates applications for releases with zero findings. The option is selected by default, and the user can turn it off.

Fortify on Demand - Schedule Section

Users can limit which applications are ingested from Fortify on Demand by release SDLC status and by release created date.

  • Release SDLC Status: Click the All radio button to pull applications with releases in every SDLC status. To pull only releases in particular statuses, click the Select Status radio button; RiskSense then makes a dynamic call to Fortify on Demand to fetch the available SDLC statuses and their associated releases, and more than one can be selected.
  • Release Created Date: Ingest only applications whose releases were created in the selected period in the Fortify on Demand instance. Only one date option can be selected.

Click the Save button to save the connector’s configuration and create the connector. Once saved, the connector is now visible on the Integrations page under Currently Configured Integrations.

Clicking the History button displays the connector details for each pull. The Sync button allows users to perform on-demand sync. The Edit button allows the user to edit the connector configuration. The Delete button allows the user to delete the connector.

Fortify on Demand - Configured Connector

Once files have been processed on the Uploads page, view the ingested data by navigating to the Applications and Application Findings pages.

Mapping Fortify on Demand fields in RiskSense

The list below gives the high-level mapping of Fortify on Demand fields to RiskSense fields. RiskSense pulls both SAST and DAST findings from Fortify on Demand; the two scan types are mapped identically except for Finding Type, and every source field is read from the items array of the API response.

  • Scanner Reported Severity: items -> severityString (SAST and DAST).
  • Normalized Severity: derived from the Fortify on Demand severity scale (Critical, High, Medium, Low, Informational, and Best Practices). RiskSense converts this scale to a 0-10 score using its own logic; contact RiskSense Support for more information.
  • Scanner Plugin: items -> checkId (SAST and DAST).
  • Application Name: the combination items -> applicationName + items -> releaseName + items -> sdlcStatusType (SAST and DAST). Because release name and SDLC status are part of the name, each release of an application appears as its own application in RiskSense.
  • Plugin Source Status: items -> status (SAST and DAST).
  • Finding Type: items -> scantype; the value Static maps to SAST and the value Dynamic maps to DAST.

Common Fields in RiskSense

RiskSense sets the following fields on every Fortify on Demand finding, with these default values.

  • The Scanner Name will be FortifyonDemandSAST or FortifyonDemandDAST based on the type of scan.
  • The Finding Type will be DAST/SAST based on the type of scan.
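The mapping above applied in code. This is an added example, not RiskSense’s ingestion logic: map_finding applies the field mapping to one vulnerability item and rejects scan types or severity values the mapping does not list, and build_assets groups the results by the composite application name, creating an asset for every pulled release when the Create Assets that do not have vulnerabilities option is on. The " / " separator in the application name, the snake_case output field names, and the sample releases and items are assumptions or constructed data; the 0-10 Normalized Severity conversion is not reproduced because the page does not publish it.

```python
from typing import Dict, List, Tuple

FOD_SEVERITIES = ("Critical", "High", "Medium", "Low", "Informational", "Best Practices")
# items -> scantype value: (RiskSense Finding Type, Scanner Name). Other FoD scan types are not ingested.
SCAN_TYPES = {"Static": ("SAST", "FortifyonDemandSAST"), "Dynamic": ("DAST", "FortifyonDemandDAST")}


def application_name(item: Dict) -> str:
    # Application Name = applicationName + releaseName + sdlcStatusType; the " / " separator is an assumption
    return " / ".join((item["applicationName"], item["releaseName"], item["sdlcStatusType"]))


def map_finding(item: Dict) -> Dict:
    """Apply the mapping to one vulnerability item; reject values the mapping does not cover."""
    if item.get("scantype") not in SCAN_TYPES:
        raise ValueError(f"scantype {item.get('scantype')!r} is not mapped")
    if item["severityString"] not in FOD_SEVERITIES:
        raise ValueError(f"unknown Fortify on Demand severity {item['severityString']!r}")
    finding_type, scanner = SCAN_TYPES[item["scantype"]]
    return {
        "scanner_name": scanner,
        "finding_type": finding_type,
        "scanner_reported_severity": item["severityString"],
        # Normalized Severity (0-10) uses RiskSense logic the page does not publish, so it is not derived here
        "scanner_plugin": str(item["checkId"]),
        "application_name": application_name(item),
        "plugin_source_status": item["status"],
    }


def build_assets(releases: List[Dict], items: List[Dict], create_empty: bool = True) -> Tuple[Dict[str, List[Dict]], int]:
    """Group mapped findings by RiskSense application. With create_empty (the 'Create Assets that do not
    have vulnerabilities' option) every pulled release becomes an asset even when it has no findings.
    Returns (assets, number of items skipped because their scantype is neither Static nor Dynamic)."""
    assets: Dict[str, List[Dict]] = {}
    if create_empty:
        for rel in releases:
            assets.setdefault(application_name(rel), [])
    skipped = 0
    for item in items:
        if item.get("scantype") not in SCAN_TYPES:
            skipped += 1
            continue
        assets.setdefault(application_name(item), []).append(map_finding(item))
    return assets, skipped


# Constructed sample input (not real findings), in the shape the connector pulls: releases plus vulnerability items.
SAMPLE_RELEASES = [
    {"releaseId": 101, "applicationName": "payments", "releaseName": "1.0", "sdlcStatusType": "Production"},
    {"releaseId": 102, "applicationName": "payments", "releaseName": "1.1-rc", "sdlcStatusType": "QA"},
]
_REL = {"applicationName": "payments", "releaseName": "1.0", "sdlcStatusType": "Production"}
SAMPLE_ITEMS = [
    {**_REL, "vulnId": 1, "scantype": "Static", "severityString": "Critical", "checkId": 11111, "status": "New"},
    {**_REL, "vulnId": 2, "scantype": "Static", "severityString": "Low", "checkId": 22222, "status": "Existing"},
    {**_REL, "vulnId": 3, "scantype": "Dynamic", "severityString": "High", "checkId": 33333, "status": "New"},
    {**_REL, "vulnId": 4, "scantype": "Mobile", "severityString": "Medium", "checkId": 44444, "status": "New"},
]


def run_demo(create_empty: bool = True):
    return build_assets(SAMPLE_RELEASES, SAMPLE_ITEMS, create_empty)
```

With the option on, the QA release becomes an asset with an empty finding list; with it off, only releases that carry Static or Dynamic findings appear, and the Mobile item is counted as skipped rather than mislabelled.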