Відео

Hello, I would be happy to help. Have you seen this video? It gives a great overview of GitHub actions for Fortify. ua-cam.com/video/6-6ZGZbFHDw/v-deo.htmlsi=DfdoNdMGN7CLJy9_

Thank you! Glad you enjoyed it.

Yes, you can see the API Reference documentation by clicking on the “?” icon in the upper right corner of SSC and clicking on the API Documentation link. Here you can learn about how to use the API. Then you can click on the API Reference link to see the swagger page and browse through the available endpoints. To get a list of all Applications (just Applications and not App Versions), you can do something like: curl -X 'GET' \ 'localhost:8180/ssc/api/v1/projects?start=0&limit=200&fulltextsearch=false' \ -H 'accept: application/json' If you want the Application Versions, it would be something like: curl -X 'GET' \ 'localhost:8180/ssc/api/v1/projectVersions?start=0&limit=200&fulltextsearch=false&includeInactive=false&myAssignedIssues=false&onlyIfHasIssues=false' \ -H 'accept: application/json'

While Debricked integrations are great, they are not yet at the same level in terms of enterprise scale as Sonatype's offering. That's the main difference: size/scale.

Your question is a little vague, but if I were to guess, I would say the only place you would need login credentials when running a scan from an IDE plugin is if you want to upload the scan results to SSC. So the login credentials in this case would be your SSC username/password or a ToolsConnectToken from SSC.

Glad it was helpful!

Glad you enjoyed it 😂

Ideally...you wouldn't skip DAST.

Check out our video, "Running Your First WebInspect DAST Scan" ua-cam.com/video/6A0ybVM9Gjc/v-deo.htmlsi=95ZBY7xHG7z2a0Ug Let me know if that's what you're looking for.

You can install the LIM server with the help of our guide: www.microfocus.com/documentation/fortify-core-documents/2320/LIM_Guide_23.2.0.pdf

Thank you@@janwienand5936 for your reply!

Please have a look at the following Fortify community post: community.microfocus.com/cyberres/fortify/f/discussions/514442/local-admin-account-frozen-after-setting-up-fortify-software-security-center

That would be our good friend Diogo from Brazil!

Noted. Thanks for your feedback, I will put this on our list of potential future videos.

I will look into this for you and get back to you. Thanks for your comment.

What is DVA?

In the case of an external database, you only need to change the IP address in the database configuration in the web interface setup (see 12:36)

Thank you so much@@janwienand5936 for your reply!

I will look into this and get back to you!

I will look into this and get back to you!

This can be found in the Download or Support Center. You must download the Fortify_xx.x.zip (e.g. Fortify_23.2.0.zip) file.

Fortify on Demand is a secure tenant-based environment, meaning each customer receives their own unique tenant. This tenant segregates their application testing data from all other tenants. You can learn more about Fortify on Demand here: www.microfocus.com/media/data-sheet/fortify_on_demand_ds.pdf

@@FortifyUnplugged it's still a "trust me" solution.

Thanks for the feedback! I suggest that you have a closer look to the /projectVersions list option and filter for your application. Otherwise I can recommend to use our fcli. There is also another video on our channel about this: ua-cam.com/video/sCMbU_s7hME/v-deo.htmlsi=MhALhHxM7HvgeVD_

Hello! Have you tried to run it without thet -bt option? Here's an example: scancentral package -o myPackage.zip. Please have a look at our documentation for all other details: www.microfocus.com/documentation/fortify-software-security-center/2320/SC_SAST_Help_23.2.0/index.htm#scan-requests/gen-package.htm

@@FortifyUnplugged Tried with & without -bt option. Getting same error. "Unable to identify the Controller URL. Specify either the -url option or the -sscurl and -ssctoken options." "scancentral package -hv 7.1 -o myPackage.zip" & "scancentral.bat package -bt none -hv 7.4 -o mypayload.zip"

This question is a little vague. Do you want to set up Fortify Static Code Analyzer on an Amazon EC2 instance? Or do you want the entire Fortify ecosystem (SSC/ScanCentral/etc)? I’m not too familiar with EC2, but I believe it’s just like a regular VM. If you are asking about installing Fortify Static Code Analyzer, it’s just like installing it on any VM. You just need to connect to your instance, transfer the linux installer to that instance, and run it. Then you should be able to run Static Code Analyzer as usual. Hope that helps!

Hi, thanks for your comment. We need a little more information to provide you with assistance, please reach out to our Fortify Support team here: www.microfocus.com/en-us/contact-support/stackb

Thank you for your comment. This video is not meant to be a lecture but a general awareness of the OWASP Top 10 and what it is.

If you are an on-prem customer, you should be able to contact your Fortify admin to get a fortify.license file. If you are an FoD customer, you should reach out to your TAM.

Yes, you can use SCA with Java 17. But it shouldn't matter what version of Java you use, as SCA ships with its own JRE and will use that. SCA 23.1 shipped with Java 11. SCA 23.2 will ship with Java 17.

Noted. Thanks for your suggestion.

Thanks for watching!

Hello, I'm not quite sure what you're asking. Could you elaborate a little more? Thanks.

Fcli does not provide a single command to do that. Here is an example in powershell how that could be achieved: #list applications and parse to powershell object $rawJson = fcli ssc appversion list -o json $convertedJson = ConvertFrom-Json ($rawJson -join “”) foreach($appversion in $convertedJson){ fcli ssc appversion-vuln count --appversion=$appversion.Id } If you want to aggregate issue counts you could also assign the output of the second fcli command to a variable and do that. Note that the “ssc appversion-vuln” command is replaced by “ssc vulnerabilities” in 2.0.0

The short answer is "no". The longer answer is as follows: The Fortify Static Code Analyzer process is split between a translation phase and a scan phase. For iOS apps, the translation phase has to take place on a Mac. The reason for this is that the way Fortify performs translation for iOS is tightly coupled to Xcode, and Xcode is only available on Mac. The subsequent scan phase is platform-independent.

Which tool are you using?

SSC for Android@@FortifyUnplugged

Thank you for your feedback. It is a common observation with static code analysis to see false positives mixed with the real issues, however, Fortify is one of the most in depth and capable SAST products in the market. It is possible if the scan is misconfigured or lacks the full code stack that results could appear to be not as valuable. Could you perhaps share specifics of your scan configurations and non-satisfactory results? We would love to help you realize the full potential of Fortify to identify and resolve code vulnerabilities. Our new Audit Assistant and AI tech are proven to reduce false positives--in some testing we've seen as high as 80-100% reductions.

@@FortifyUnplugged So you have to change Audit Assitant, because its rubbish

This is pretty complex and will require a more detailed explanation. Please reach out to our support team for assistance: www.microfocus.com/en-us/support

Yes as long as you are using Postman, we support environment collections.

@@FortifyUnplugged how to input the environment and global variable into the WIE?

WIE doesn't support Postman, only ScanCentral DAST and WebInspect. You should migrate to ScanCentral DAST when you get a chance. Thanks.

It is not possible to generate a PDF report using the Jenkins Plugin. You can use one the follow strategies: Generate a PDF Report on Sofware Security Center, Generate a PDF Report using the FPRUtility (Fortify SCA Command Line tool). You can also view a list of issue opening your job in Jenkins and clicking Fortify Assessment on the left. The interactive List of Fortify SSC issues page displays the Summary and Issues breakdown by Priority Order tables and the links will point you back to your project on SSC.

Hello, thanks for reaching out. Please reach out to our support team and they will be able to offer you assistance with this. Thanks. www.microfocus.com/en-us/support/Fortify%20WebInspect

ScanCentral SAST support two modes of operation: offloading scanning only (with local translation) and offloading both translation and scanning. For iOS projects, only the local translation model is supported. So, you'll have to do translation locally, on a machine that has both Xcode and Fortify SCA, and then you can offload the scanning phase via ScanCentral. References: The languages for which we can/cannot offload translation: www.microfocus.com/documentation/fortify-core-documents/2310/Fortify_Sys_Reqs_23.1.0/index.htm#ScanCentral/CSSensorTrans.htm Translation iOS projects locally: www.microfocus.com/documentation/fortify-static-code-analyzer-and-tools/2310/SCA_Help_23.1.0/index.htm#TranslatingMobileCode/Translating_AppleiOS.htm Offloading scanning to ScanCentral: www.microfocus.com/documentation/fortify-software-security-center/2310/SC_SAST_Help_23.1.0/index.htm#Submit_Job.htm

I'd recommend looking into the log files for the prunsrv.exe that is used to register the service. By default these logs should be stored in %SystemRoot%\System32\LogFiles\Apache. Another possibility is that the service was installed but the user did not refresh the services.msc view, it doesn’t refresh on its own. If the logs don't help its probably best to contact support.

Glad you enjoyed it, thanks for watching! Let us know if you have any suggested topics for our next video.

If you are trying to connect SSC to anything JIRA 9.x, then the issue is that JIRA changed the API functions when they went from 8.x to 9.x. SSC JIRA integration currently only knows the 8.x API functions. We verified this discrepancy between 8.x and 9.x and confirmed SSC will not integrate with JIRA 9.x. That being said, we identified the changes needed and are going to try to commit those changes for 23.2. There are two scenarios: 1) If no issues are found, then this will likely go into the 23.2 release, however, 2) if any issues are identified that break functionality with the new APIs, then this will not be in 23.2 and it will be targeted for a future release. If you are using JIRA 8.x and the above is not the issue, then we will need to investigate the issue you are having integrating JIRA with SSC.

Generally speaking, the exact same issues can be seen in Audit Workbench and Fortify SSC, although differences may occur as a result of filter settings. Based on the question, we can't be sure what's going on. One thing that might be the case: Audit Workbench by default opens with the "quick view" filter that hides all issues except the critical ones and a selection of the high risk ones. By changing this (dropdown in the top-left corner) to "security auditor", you'll get to see all issues which may help reconciliate what you see with SSC. Also, you mention that you were looking at a scan of the directory in SSC and at a scan of a single file in AWB. Many things that Fortify SCA detects are the result of combining information from multiple files; that includes privacy violation issues. So, it also could be the case that Fortify simply didn't find the issue in the single file scan.

The installer now is a command line tool with a json/yaml settings file, the GUI version was retired 4 releases ago (current version is 23.1). For more complete information on the installation process, please refer to the ScanCentral DAST Configuration doc here: www.microfocus.com/documentation/fortify-ScanCentral-DAST/2310/SC_DAST_Help_23.1.0/index.htm#DynSetup/DynScan_Setup_OV.htm

can you make vieo Installation and configuration Fortify Unplugged 4,37 N người đăng ký Đã đăng ký can you make vieo Installation and configuration scancentral Dast use ConfigurationToolCLI ? @@FortifyUnplugged

It is possible to update the installation yaml/json settings file and rerun the installation tool to add TLS certificates after the initial installation.

You might have been using an older version of Fortify. We have upgraded the analyzers to fully support .NET 6 and 7. What version is being used?

JIRA stopped supporting basic password authentication sometime ago. The only way to authenticate to FoD-JIRA is by creating API token and using that token value in the password field, that should work. Let me know if you have any further questions.

@@FortifyUnplugged Thanks so much! Can you confirm.. this API token is the token to be gerated in JIRA? Also, if we have https in the url, can this still be integrated?

@@harithaguda3715 Here's a little more information. I assume token-based authentication will also work if JIRA is behind SSO (depending on type of the SSO solution & configuration). I usually test the utility against fortifybugtrackerutility.atlassian.net/jira, which I guess also uses a form of SSO, and this worked fine in the past. If Atlassian is in the domain, that is JIRA cloud. FoD integrates fine with JIRA cloud other than maybe not supporting all of the types of custom fields. Where we are more concerned is staying current with Jira Server. Jira Server has made changes to how issues are created and how the createmeta endpoint is used. I found this article which gives a great explanation. Code changes are certainly needed to support newer versions of JIRA Seever from the FoD side. I imagine your utility will also need some changes to support it as well. Please reach out if you need any more details. developer.atlassian.com/server/jira/platform/jira-rest-api-examples/#jira-versions-8-4-and-later

Glad you liked it! Thanks for watching.

As far as i can tell the tokens have to be configured in the global configuration as described in our documentation here: www.microfocus.com/documentation/fortify-jenkins-plugin/221/Jenkins_Plugin_Help_22.1/index.htm#InstallConfig/ConfigPlugin.htm?TocPath=Installation%2520and%2520Configuration%257C_____3

I cant really give useful insights without seeing the initial request. Most likely a problem with one of the user provided values. I would recommend reaching out to someone on our support team: www.microfocus.com/en-us/contact-support/stackb

The Jenkins Plugin will create the Application/Version if it doesn’t exist in SSC prior to doing the upload. Hope that helps!

​@@FortifyUnplugged It's not creating application from pipeline. As per fortify plugin documents, application auto creates when scanned using freestyle jenkins job but not from pipeline job.

@@mahammadazeem726 It should work for pipeline Jobs as well. You can use the FortifyUpload Step, which should be used for pipelines for Local Scans. If your pipeline is configured for Remote Scans, this will not work. But that’s the same for Freestyle Jobs.

@@FortifyUnplugged yes, our pipeline is configured for remote scans. 1) Anyway to get the apps created automatically via pipeline job (any switch/argument to be passed for fortify scan step/ upgrade fortify plugin etc) ? 2) For freestyle jobs also this won't work ?