Skip to content

fortify/fortify-ssc-parser-sarif

Repository files navigation

Fortify SSC Parser Plugin for SARIF

Fortify Application Security provides your team with solutions to empower DevSecOps practices, enable cloud transformation, and secure your software supply chain. As the sole Code Security solution with over two decades of expertise and acknowledged as a market leader by all major analysts, Fortify delivers the most adaptable, precise, and scalable AppSec platform available, supporting the breadth of tech you use and integrated into your preferred toolchain. We firmly believe that your great code demands great security, and with Fortify, go beyond 'check the box' security to achieve that.

This Fortify SSC parser plugin allows for importing SARIF (Static Analysis Results Interchange Format) files.

Limitations

  • SARIF 2.1.0 only
    The plugin should be able to parse any SARIF files that adhere to the SARIF 2.1.0 specification. Other versions of the specification are currently not supported.

  • Only basic issue information
    At the moment, the plugin only parses and displays basic issue information. Future versions of the plugin may display more information like code flows, thread flows, web requests, web responses, ...

  • Actual results may vary depending on input
    For example, due to the flexibility of the SARIF specification:

    • The plugin may be unable to calculate consistent, unique issue instance id's because the input file doesn't provide sufficient details to uniquely identify an issue
    • The plugin may not be able to determine Fortify Priority Order because the input file does not provide issue severity levels
    • The plugin may be unable to determine Fortify Priority Order because the input file uses custom properties to specify issue severity
    • The plugin may be unable to display appropriate issue category or description because the input file is lacking this information, or providing this information in a non-standard way
  • SARIF results from multiple tools cannot be uploaded to single SSC application version
    Being a generic format, you may have multiple tools generating SARIF files that you want to import into SSC. Due to limitations in the SSC parser framework, it is currently not possible to import SARIF files from different sources into a single SSC application version. Independent of which tool was actually used to generate the SARIF file, SSC will assume that all SARIF files originate from the same scan engine. SSC will try to merge these uploads, thereby basically marking all issues from a previously uploaded SARIF file as 'removed'.

Resources

Support

The only warranties for products and services of Open Text and its affiliates and licensors (“Open Text”) are as may be set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Open Text shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.

The software is provided "as is" and is not supported through the regular OpenText Support channels. Support requests may be submitted through the GitHub Issues page for this repository. A (free) GitHub account is required to submit new issues or to comment on existing issues.

Support requests created through the GitHub Issues page may include bug reports, enhancement requests and general usage questions. Please avoid creating duplicate issues by checking whether there is any existing issue, either open or closed, that already addresses your question, bug or enhancement request. If an issue already exists, please add a comment to provide additional details if applicable.

Support requests on the GitHub Issues page are handled on a best-effort basis; there is no guaranteed response time, no guarantee that reported bugs will be fixed, and no guarantee that enhancement requests will be implemented. If you require dedicated support for this and other Fortify software, please consider purchasing OpenText Fortify Professional Services. OpenText Fortify Professional Services can assist with general usage questions, integration of the software into your processes, and implementing customizations, bug fixes, and feature requests (subject to feasibility analysis). Please contact your OpenText Sales representative or fill in the Professional Services Contact Form to obtain more information on pricing and the services that OpenText Fortify Professional Services can provide.


This document was auto-generated from README.template.md; do not edit by hand