Skip to content

Latest commit

 

History

History
114 lines (69 loc) · 4.97 KB

USAGE.md

File metadata and controls

114 lines (69 loc) · 4.97 KB

Fortify SSC Parser Plugin for PortSwigger BURP Suite - Usage

Introduction

Fortify Application Security provides your team with solutions to empower DevSecOps practices, enable cloud transformation, and secure your software supply chain. As the sole Code Security solution with over two decades of expertise and acknowledged as a market leader by all major analysts, Fortify delivers the most adaptable, precise, and scalable AppSec platform available, supporting the breadth of tech you use and integrated into your preferred toolchain. We firmly believe that your great code demands great security, and with Fortify, go beyond 'check the box' security to achieve that.

This Fortify SSC parser plugin allows for importing scan results from PortSwigger BURP Suite.

Plugin Installation

These sections describe how to install, upgrade and uninstall the parser plugin in SSC.

Install & Upgrade

Uninstall

  • In Fortify Software Security Center:
    • Navigate to Administration->Plugins->Parsers
    • Select the parser plugin that you want to uninstall
    • Click the DISABLE button
    • Click the REMOVE button

Obtain results

Please see the BURP Suite documentation for details on scanning applications and generating reports. Note that the SSC parser plugin requires the uploaded reports to be in XML format.

Upload results

Results can be uploaded through the SSC web interface, REST API, or SSC client utilities like FortifyClient or fcli. The SSC web interface, FortifyClient and most other Fortify clients require the raw results to be packaged into a zip-file; REST API and fcli allow for uploading raw results directly.

To upload results through the SSC web interface or most clients:

  • Create a scan.info file containing a single line as follows:
    engineType=BURP_XML
  • Create a zip file containing the following:
    • The scan.info file generated in the previous step
    • The raw results file as obtained from the target system (see Obtain results section above)
  • Upload the zip file generated in the previous step to SSC
    • Using any SSC client, for example FortifyClient or Maven plugin
    • Or using the SSC web interface
    • Similar to how you would upload an FPR file

Both SSC REST API and fcli provide options for specifying the engine type directly, and as such it is not necessary to package the raw results into a zip-file with accompanying scan.info file. For example, fcli allows for uploading raw scan results using a command like the following:

fcli ssc artifact upload -f <raw-results-file> --appversion MyApp:MyVersion --engine-type BURP_XML


This document was auto-generated from USAGE.template.md; do not edit by hand