ellerm (Super Contributor)

Fortify SSC/WebInspect API

I'd be interested in hearing how you are using the APIs for these products and seeing any sample code you might have, especially if you're doing any API activities via things like Jenkins.

Thanks,

Mike

sspringett (Super Contributor)

Re: Fortify SSC/WebInspect API

We built an SSC connector to ThreadFix using SSC's SOAP API. Works really well and allows us to maintain SSC as the source of record for all Fortify issues, while using ThreadFix for vulnerabilities found from other tools, and without duplicating issues. Sources were donated back to the ThreadFix community.

Micro Focus Expert

Re: Fortify SSC/WebInspect API

Be aware that SSC is expanding into a REST API so your customer connectors may need adjustments in the future.


-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify
sspringett (Super Contributor)

Re: Fortify SSC/WebInspect API

Yes, we're aware of that, but historically HP has been extremely difficult to deal with with regard to using the API. It's nearly impossible to integrate SSC's API in a supportable and open way.

Last year when we wrote the connector between ThreadFix and SSC, we could not use wsclient; rather, we had to reinvent the wheel. Why? Because ThreadFix is open source and wsclient is not. The license header on wsclient sources simply states copyright HP... and nothing more. So we had to create our own open source implementation of wsclient - a complete waste of time simply because of licensing. Additionally, Fortify support could not provide any documentation on the SOAP API other than to use wsclient (which we could not). So we had to reverse engineer a lot of what wsclient actually did. Again, a complete and unnecessary waste of time.

On top of that, we knew the REST API was coming: we heard about it a few years ago in a Fortify user group, and we've seen the URL defined in SSC's configuration in 4.0. And again, Fortify support could not tell us anything about the API. So our only option was to use the SOAP API and recreate the parts of wsclient that we needed.

If HP expects people to actually use their APIs, they need to make it possible for them to do so. This starts with the ability to use and distribute an implementation of the API regardless of license, and the ability to supply adequate documentation on what the API does and how it's used.

If you can distribute this to Fortify product management, that would be helpful. Maybe it can lead to positive changes in the future.

ellerm (Super Contributor)

Re: Fortify SSC/WebInspect API

My biggest problem is the documentation to understand what options I have available using the API. I appreciate your comments. I'm hoping that the documentation will improve or that better support will be provided. Thanks for the response.
