Skip to content

fortify/fortify-ssc-parser-sarif

BranchesTags

Repository files navigation

Fortify SSC Parser Plugin for SARIF

Fortify Application Security provides your team with solutions to empower DevSecOps practices, enable cloud transformation, and secure your software supply chain. As the sole Code Security solution with over two decades of expertise and acknowledged as a market leader by all major analysts, Fortify delivers the most adaptable, precise, and scalable AppSec platform available, supporting the breadth of tech you use and integrated into your preferred toolchain. We firmly believe that your great code demands great security, and with Fortify, go beyond 'check the box' security to achieve that.

This Fortify SSC parser plugin allows for importing SARIF (Static Analysis Results Interchange Format) files.

Limitations

  • SARIF 2.1.0 only
    The plugin should be able to parse any SARIF files that adhere to the SARIF 2.1.0 specification. Other versions of the specification are currently not supported.

  • Only basic issue information
    At the moment, the plugin only parses and displays basic issue information. Future versions of the plugin may display more information like code flows, thread flows, web requests, web responses, ...

  • Actual results may vary depending on input
    For example, due to the flexibility of the SARIF specification:

    • The plugin may be unable to calculate consistent, unique issue instance id's because the input file doesn't provide sufficient details to uniquely identify an issue
    • The plugin may not be able to determine Fortify Priority Order because the input file does not provide issue severity levels
    • The plugin may be unable to determine Fortify Priority Order because the input file uses custom properties to specify issue severity
    • The plugin may be unable to display appropriate issue category or description because the input file is lacking this information, or providing this information in a non-standard way

  • SARIF results from multiple tools cannot be uploaded to single SSC application version
    Being a generic format, you may have multiple tools generating SARIF files that you want to import into SSC. Due to limitations in the SSC parser framework, it is currently not possible to import SARIF files from different sources into a single SSC application version. Independent of which tool was actually used to generate the SARIF file, SSC will assume that all SARIF files originate from the same scan engine. SSC will try to merge these uploads, thereby basically marking all issues from a previously uploaded SARIF file as 'removed'.

Resources

Support

For general assistance, please join the Fortify Community to get tips and tricks from other users and the OpenText team.

OpenText customers can contact our world-class support team for questions, enhancement requests and bug reports. You can also raise questions and issues through your OpenText Fortify representative like Customer Success Manager or Technical Account Manager if applicable.

You may also consider raising questions or issues through the GitHub Issues page (if available for this repository), providing public visibility and allowing anyone (including all contributors) to review and comment on your question or issue. Note that this requires a GitHub account, and given public visibility, you should refrain from posting any confidential data through this channel.

This document was auto-generated from README.template.md; do not edit by hand

About

SSC parser plugin for SARIF input files

Topics

fortify sarif fortify-ssc fortify-parser-plugin fortify-integration

Resources

Readme

License

View license

Code of conduct

Code of conduct
Activity
Custom properties

Stars

4 stars

Watchers

3 watching

Forks

2 forks
Report repository

Releases 12

fortify-ssc-parser-sarif v1.6.0 Latest
Apr 4, 2025
+ 11 releases

Packages

No packages published

Contributors 4

  •  
  •  
  •  
  •  

Languages