Fortify SSC custom reports
I am just getting into the world of Fortify security scanning and in the process of establishing a workflow at our company. Existing reporting tools at SSC seem to be limited and there is a BIRT project for creating some custom reports. Questions:
1) How widely is it being used, and will it not introduce more complicated issues of its own (keeping up with versions, upgrades and Java issues)?
2) Is there any valuable alternative to BIRT and default reports?
3) Would the BIRT project be recommended for use by this community?
I agree that the built-in reporting that Fortify offers is marginal at best. I've been using the software for many years and consider myself at an advanced skill level with the tool.
Every time I get an online survey that normally is generated from a Case number, I put in the comments of the survey the need for better reporting. Ad hoc reporting would be best. Perhaps the more that we, the users, make this comment, the more the odds increase that someone will take notice and do something about it. We can only hope.
1. I've attempted to create my own custom BIRT reports. Not very successful. There aren't any tutorials out there, so you will be finding your way in the dark.
2. None that I have found. Though, 18.1 SSC does offer a CSV export now which does allow some manipulation of the data but it still doesn't output the data my clients want to see. They are stuck with the packaged reports that come with the tool.
My opinion is that the built-in reports are only good if you really want to look at an individual project version. Some of the things I care about are total unreviewed issues for EVERY project, the number of scan warnings/errors for a given project, and vulnerability reports for projects without all the extra garbage included in the default reports. For much of what I do I use Tableau. This seems to be the easiest way to get good data. Either way you need to have a fundamental understanding of how the data is structured in the DB for both BIRT and Tableau.
One of the main issues with custom SSC reports is that they access the SSC database directly; the SSC database schema is not documented and may change between product versions, potentially causing custom reports to break. SSC contains some BIRT report libraries containing re-usable database queries and other BIRT elements that provide some level of abstraction from the database, but these libraries are mainly used for the SSC-provided reports and therefore again not documented.
As an alternative to custom reports (or direct database queries), you can utilize either the built-in CSV export, or the extensive SSC REST API. Although the REST API is less suited for optimized retrieval of large amounts of data, it can be very useful for many purposes including retrieval of reporting data.
As an example, Fortify Bug Tracker Utility uses the SSC REST API to retrieve vulnerability data for integration with third-party systems. Among other things, this utility provides a fully configurable CSV export feature (so possibly a good alternative if the SSC built-in CSV export doesn't suit your needs).
Of course, you can always contact your Fortify sales representative to inquire about Fortify Professional Services. Professional Services has extensive experience with developing custom (BIRT) reports and other customizations/integrations based on customer requirements.
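As an added illustration of the REST-API route suggested in the answer above (this is example code written for this page, not code from the thread, from Fortify, or from the Bug Tracker Utility), here is a small Python script that pages through the SSC REST API, counts unreviewed issues for every project version, and writes the result as CSV. It is the kind of cross-project roll-up the first answer says the packaged reports don't give you. The endpoint paths (`/api/v1/projectVersions`, `/api/v1/projectVersions/{id}/issues`), the `start`/`limit` paging parameters, the `data`/`count` envelope, the `FortifyToken` authorization header, and the issue fields `issueStatus` and `friority` are assumptions about the SSC v1 REST API; check them against the Swagger UI of your own SSC version before relying on them. The HTTP transport is injected as a function so the script runs offline against constructed sample pages.

```python
"""Roll up unreviewed issue counts across all SSC project versions via the REST API.

Added example for this thread; not Fortify code. Endpoint paths, paging
parameters, response envelope and field names are ASSUMPTIONS about the
SSC v1 REST API (verify in your SSC's Swagger UI).
"""
import csv
import io
import json
import urllib.parse
import urllib.request
from collections import Counter
from typing import Callable, Dict, Iterator, List

PAGE_SIZE = 2  # deliberately tiny so the constructed sample exercises pagination

Fetch = Callable[[str, int, int], dict]  # fetch(path, start, limit) -> decoded JSON


def ssc_http_fetch(base_url: str, token: str, timeout: int = 30) -> Fetch:
    """Build a real transport over urllib (not exercised offline).

    ASSUMPTION: SSC accepts 'Authorization: FortifyToken <encoded token>' and
    pages list endpoints with ?start=&limit=.
    """
    def fetch(path: str, start: int, limit: int) -> dict:
        query = urllib.parse.urlencode({"start": start, "limit": limit})
        req = urllib.request.Request(
            f"{base_url.rstrip('/')}{path}?{query}",
            headers={"Authorization": f"FortifyToken {token}", "Accept": "application/json"},
        )
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.load(resp)
    return fetch


def paginate(fetch: Fetch, path: str, limit: int = PAGE_SIZE) -> Iterator[dict]:
    """Yield every item from a paged SSC list endpoint.

    ASSUMPTION: each page is {"data": [...], "count": <total>}. Stops on an
    empty page as well, so a wrong 'count' cannot loop forever.
    """
    start = 0
    while True:
        page = fetch(path, start, limit)
        items = page.get("data", [])
        yield from items
        start += len(items)
        if not items or start >= page.get("count", 0):
            return


def unreviewed_counts(fetch: Fetch) -> List[Dict[str, object]]:
    """One row per project version: total, unreviewed, and unreviewed Critical/High.

    ASSUMPTION: issues carry issueStatus ('Unreviewed'/'Reviewed') and
    friority (Fortify priority: Critical/High/Medium/Low).
    """
    rows = []
    for pv in paginate(fetch, "/api/v1/projectVersions"):
        c: Counter = Counter()
        for issue in paginate(fetch, f"/api/v1/projectVersions/{pv['id']}/issues"):
            c["total"] += 1
            if issue.get("issueStatus") == "Unreviewed":
                c["unreviewed"] += 1
                if issue.get("friority") in ("Critical", "High"):
                    c["unreviewed_critical_high"] += 1
        rows.append({
            "application": pv["project"]["name"],  # ASSUMPTION: nested project object
            "version": pv["name"],
            "total": c["total"],
            "unreviewed": c["unreviewed"],
            "unreviewed_critical_high": c["unreviewed_critical_high"],
        })
    return rows


def to_csv(rows: List[Dict[str, object]]) -> str:
    """Render the roll-up as CSV text (import into Excel/Tableau)."""
    buf = io.StringIO()
    fields = ["application", "version", "total", "unreviewed", "unreviewed_critical_high"]
    writer = csv.DictWriter(buf, fieldnames=fields, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


# Constructed sample data standing in for SSC responses (not real scan output).
SAMPLE = {
    "/api/v1/projectVersions": [
        {"id": 10, "name": "1.0", "project": {"name": "WebStore"}},
        {"id": 11, "name": "2.0", "project": {"name": "WebStore"}},
        {"id": 12, "name": "main", "project": {"name": "Payments"}},
    ],
    "/api/v1/projectVersions/10/issues": [
        {"id": 1, "issueStatus": "Unreviewed", "friority": "Critical"},
        {"id": 2, "issueStatus": "Reviewed", "friority": "High"},
        {"id": 3, "issueStatus": "Unreviewed", "friority": "Low"},
    ],
    "/api/v1/projectVersions/11/issues": [
        {"id": 4, "issueStatus": "Unreviewed", "friority": "High"},
    ],
    "/api/v1/projectVersions/12/issues": [],
}


def sample_fetch(path: str, start: int, limit: int) -> dict:
    """Offline transport: slices SAMPLE the way a paged SSC endpoint would."""
    items = SAMPLE[path]
    return {"data": items[start:start + limit], "count": len(items), "responseCode": 200}


if __name__ == "__main__":
    # Swap sample_fetch for ssc_http_fetch("https://ssc.example.com/ssc", token) to go live.
    print(to_csv(unreviewed_counts(sample_fetch)), end="")
```

Because SSC's issue endpoints return full issue records, this approach pulls far more data than the report needs; for large installations use the `limit` parameter generously and consider the built-in CSV export (or the Bug Tracker Utility's export) for bulk pulls, keeping the REST API for targeted roll-ups like this one.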