Fortify SSC/WebInspect API
We built an SSC connector to ThreadFix using SSC's SOAP API. Works really well and allows us to maintain SSC as the source of record for all Fortify issues, while using ThreadFix for vulnerabilities found from other tools, and without duplicating issues. Sources were donated back to the ThreadFix community.
Be aware that SSC is expanding into a REST API so your customer connectors may need adjustments in the future.
-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify
Yes, we're aware of that, but historically HP has been extremely difficult to deal with with regard to using the API. It's nearly impossible to integrate SSC's API in a supportable and open way.
Last year, when we wrote the connector between ThreadFix and SSC, we could not use wsclient; rather, we had to reinvent the wheel. Why? Because ThreadFix is open source and wsclient is not. The license header on wsclient sources simply states copyright HP... and nothing more. So we had to create our own open source implementation of wsclient - a complete waste of time simply because of licensing. Additionally, Fortify support could not provide any documentation on the SOAP API other than to use wsclient (which we could not). So we had to reverse engineer a lot of what wsclient actually did. Again, a complete and unnecessary waste of time.
On top of that, we knew the REST API was coming: we heard about it a few years ago in a Fortify user group, and we've seen the URL defined in SSC's configuration in 4.0. And again, Fortify support could not tell us anything about the API. So our only option was to use the SOAP API and recreate the parts of wsclient that we needed.
If HP expects people to actually use their APIs, they need to make it possible for them to do so. This starts with the ability to use and distribute an implementation of the API regardless of license, and the ability to supply adequate documentation on what the API does and how it's used.
If you can distribute this to Fortify product management, that would be helpful. Maybe it can lead to positive changes in the future.
My biggest problem is the documentation to understand what options I have available using the API. I appreciate your comments. I'm hoping that the documentation will improve or that better support will be provided. Thanks for the response.