

Fortify SSC/WebInspect API
I'd be interested in hearing how you are using the APIs for these products and seeing any sample code you might have, especially if you're doing any API activities via things like Jenkins.
Thanks,
Mike

We built an SSC connector to ThreadFix using SSC's SOAP API. Works really well and allows us to maintain SSC as the source of record for all Fortify issues, while using ThreadFix for vulnerabilities found from other tools, and without duplicating issues. Sources were donated back to the ThreadFix community.

Be aware that SSC is expanding into a REST API so your customer connectors may need adjustments in the future.
-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify

Yes, we're aware of that, but historically HP has been extremely difficult to deal with with regard to using the API. It's nearly impossible to integrate SSC's API in a supportable and open way.
Last year when we wrote the connector between ThreadFix and SSC, we could not use wsclient; rather, we had to reinvent the wheel. Why? Because ThreadFix is open source and wsclient is not. The license header on wsclient sources simply states copyright HP... and nothing more. So we had to create our own open source implementation of wsclient - a complete waste of time simply because of licensing. Additionally, Fortify support could not provide any documentation on the SOAP API other than to use wsclient (which we could not). So we had to reverse engineer a lot of what wsclient actually did. Again, a complete and unnecessary waste of time.
On top of that, we knew the REST API was coming; we heard about it a few years ago in a Fortify user group, and we've seen the URL defined in SSC's configuration in 4.0. And again, Fortify support could not tell us anything about the API. So our only option was to use the SOAP API and recreate the parts of wsclient that we needed.
If HP expects people to actually use their APIs, they need to make it possible for them to do so. This starts with the ability to use and distribute an implementation of the API regardless of license, and the ability to supply adequate documentation on what the API does and how it's used.
If you can distribute this to Fortify product management, that would be helpful. Maybe it can lead to positive changes in the future.


My biggest problem is the documentation to understand what options I have available using the API. I appreciate your comments. I'm hoping that the documentation will improve or that better support will be provided. Thanks for the response.