Confused about Fortify Runtime Hybrid Analysis.

In the latest HP_Fortify_Runtime_Hybrid_Analysis_User_Guide (4.20) it says you should use Fortify SecurityScope to correlate Fortify & Webinspect findings. When checking how to get Fortify SecurityScope I read that it will be EOL shortly and that you should use Webinspect agent instead. But I can't find anywhere how to use it to correlate findings. Am I missing something?

Fortify SCA version 4.21

WebInspect version 10.20 (I think)

  • Verified Answer

    I was under the impression that you had to scan with SCA and upload to SSC, then scan the same project with WebInspect with the WebInspect agent (runtime) installed and configured on the application server.  Runtime is provided as a separate download and I was under the impression that the license for Fortify SCA/SSC would work with Runtime.  Once you scan with WebInspect (with runtime installed) and upload to SSC (same project as SCA) it's should correlate the results in SSC.  I tried this whole thing recently but when I tried to use Runtime on the tomcat server it had some issues, first licensing issues then what I believe were configuration issues with Runtime.

  • Thanks for reporting your experience back to the rest of us. Hopefully someone on the Fortify team can pick this up

  • This is likely one of the most useful things to do with WebInspect and SCA if it works properly.

  • Mike Eller is correct.  The SecurityScope product you saw mentioned is now the WebInspect Agent, new name, same capability with improvements.  Unlike when we sold SecurityScope, WebInspect Agent is free.

    Since both products were/are based on Fortify Runtime, you must download the Runtime installer for your web server's framework (.NET or Java) and during the installation process select the WebInspect Agent option.  This selection will then drop in the specific rule pack and a customized fortify.license file for WebInspect Agent, i.e. it is free.  If you own WebInspect and have a SAID for your purchase, then you should see both the WebInspect and Runtime installers available for download at the HP SSO portal (

    Sadly, as of the Fall 2014 release of WebInspect 10.30, much of the user guide literature for WebInspect Agent is non-existent.  Instead, one must download the materials for Runtime and mentally replace the word "Runtime" with WebInspect Agent" as far as the installation details.   :-/

    • Fortify docs area: 
    • Runtime version 4.21 sub-area:  Software Security Center v4.21

    To perform the Hybrid Correlation, it does require three analysis files combined inside a Fortify SSC Server's project.

    • SCA analysis of code
      • FPR file uploaded via AWB or direct to SSC
    • WebInspect scan of code hosted on web application
      • Uploaded via WebInspect Enterprise Publish action, or Export to SSC (FPR) option followed by manual upload
    • WebInspect Agent logs captured during the same WebInspect scan
      • Logs to FPR export, then manually import to SSC Project
  • What's the process to do this last step?

    WebInspect Agent logs captured during the same WebInspect scan

    • Logs to FPR export, then manually import to SSC Project
  • I deleted my install of Runtime after I did some testing so I can't see the file name or where it was.  In SSC the file that I uploaded was called event.log.fpr.  I can't remember where the file was located though but I believe it was either in the webserver directory or the runtime directory.  I don't think it was documented anywhere.  I'm in the process of setting up another demo server to do some testing and I'm going to install runtime and runs some scans on it.  It might take a bit but once I'm done I can let you know what I did, otherwise I'd try to search for the file name I see in my SSC server.  I also looked inside the fpr file that I uploaded to SSC, there's a version file, runtime.fvdl, runtime.fvdl.mac, and user_code_definition.txt.  You can try to search for any of these files and event.log.fpr.  Hopefully they haven't been renamed. 

  • I have been told that the current release for WebInspect 16.x now include the necessary WebInspect Agent log details within the WebInspect scan, so you do not need to manually retrieve the logs from the WebInspect Agent installation.

    This means that this following  step is no longer needed, as the data is held in the WebInspect scan FPR file being uploaded to SSC Server.


    • WebInspect Agent logs captured during the same WebInspect scan
      • Logs to FPR export, then manually import to SSC Project


  • Good news in modern versions of WebInspect (16.x and above?), is that the WebInspect Agent data is transferred and stored within the WebInspect scan.  This means that for Hybrid Correlation in SSC Server, you only need two artifacts.  One, the FPR from SCA. Second, the FPR export from WebInspect for a scan that ran against a WebInspect Agent enabled target.  You no longer need to collect logs manually from the WebInspect Agent's web server machine.