Download vulnerabilities definitions (name, description and recommendations)

Hello, 

I am trying to download the list of Fortify vulnerabilities from the Fortify MySQL DB.

I have not found an API for doing this...

I am looking at the db tables and I have found a view named ruleview that contains the description and recommendation for each vulnerability.

Anyway, there are only descriptions and recommendations, but the entries are not linked to another table that contains the names of the security errors, the programming language and the category of the vulnerability.

I have not found this kind of information in the db (maybe I missed some table, there are about 200 tables). Is there a way to obtain the list of security errors with name, category, language, description and recommendation?

Thanks very much! 


Micro Focus Expert

Which system are you attempting to integrate with? I assume you are seeking to transfer the Issues out of SSC and to a bug tracker of some sort. There are several bug tracker systems supported out-of-the-box with SSC, and more that can be done using various plugins. There is also a Fortify BugTrackerUtility (CLI) on our Marketplace. Lastly, the SSC User Guide has an Appendix section devoted to creating your own custom bug tracker connection.

-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify

Commander

Hi Hans,

Thanks for the answer, but unfortunately it is not what I am looking for...

I am not trying to export issues into another system, but to export the list of rules (all the rules that are defined at this link: https://vulncat.fortify.com/en).

This is a request of our customer, in order to give its developers a sort of "ruleset" with the checks that Fortify applies.

So, I am not trying to export all the issues of a scanned application, but all the rules (with name, description, recommendation) that are used by Fortify during the scans.

The "ruleview" view in the db gives only id, description and recommendation, but I am not able to discover what the name of each rule is from its id (it seems that this information is not saved in the db, maybe it is in the rulepack?).


Micro Focus Expert

In that case that VulnCat link is your only resource. The attack logic and related details are proprietary.