Welcome Serena Central users! CLICK HERE
The migration of the Serena Central community is currently underway. Be sure to read THIS MESSAGE to get your new login set up to access your account.
vt Contributor.

Fortify SSC custom reports

I am just getting into the world of Fortify security scanning and in the process of establishing a workflow at our company. Existing reporting tools at SSC seem to be limited and there is a BIRT project for creating some custom reports. Questions:

1) How widely it is being used and will it not introduce more complicated issues on its own (keep up with versions, upgrades and Java issues)?

2) Is there any valuable alternative to BIRT and default reports?

3) Will BIRT project be recommended to be used by this community?

Thank you.

3 Replies
Respected Contributor.. markberrier Respected Contributor..
Respected Contributor..

Re: Fortify SSC custom reports

I agree that the built in reporting that Foritify offers is marginal at best. I've been using the software for many years and consider myself at an advanced skill level with the tool. 

Everytime I get an online survey that normally is generated from a Case number, I put in the comments of the survey the need for better reporting. Ad Hoc reporting would be best. Perhaps the more that we the users make this comment, the odds increase that someone will take notice and do something about it. We can only hope.

1. I've attempted to create my own custom BIRT reports.  Not very sucessful. There are not any tutorials out there so you will be finding your way in the dark.

2. None that I have found. Though, 18.1 SSC does offer a CSV export now which does allow some manipulation of the data but it still doesn't output the data my clients want to see. They are stuck with the packaged reports that come with the tool.

3. Unknown.

Super Contributor.. ellerm Super Contributor..
Super Contributor..

Re: Fortify SSC custom reports

My opinion is that the built in reports are only good if you really want to look at an individual project version.  Some of the things I care about are total unreviewed issues for EVERY project, number of scan warnings/errors for a given project, and vulnerability reports for projects without all the extra garbage included in the default reports.  For much of what I do I use Tableau.  This seems to be the easiest way to get good data.  Either way you need to have a fundamental understanding on how the data is structured in the DB for both BIRT and Tableau. 

Micro Focus Frequent Contributor
Micro Focus Frequent Contributor

Re: Fortify SSC custom reports

One of the main issues with custom SSC reports is that they access the SSC database directly; the SSC database schema is not documented and may change between product versions, potentially causing custom reports to break. SSC contains some BIRT report libraries containing re-usable database queries and other BIRT elements that provide some level of abstraction from the database, but these libraries are mainly used for the SSC-provided reports and therefore again not documented.

As an alternative to custom reports (or direct database queries), you can utilize either the built-in CSV export, or the extensive SSC REST API. Although the REST API is less suited for optimized retrieval of large amounts of data, it can be very useful for many purposes including retrieval of reporting data.

As an example, Fortify Bug Tracker Utility uses the SSC REST API to retrieve vulnerability data for integration with 3rd-party systems. Among others, this utility provides a fully configurable CSV export feature (so possibly a good alternative if the SSC built-in CSV export doesn't suit your needs).

Of course, you can always contact your Fortify sales representative to inquire about Fortify Professional Services. Professional Services has extensive experience with developing custom (BIRT) reports and other customizations/integrations based on customer requirements.


The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.