Fortify Taxonomy via SSC API
I'm looking for a way to map a category to a taxonomy via the SSC REST API. For example, using the Fortify Taxonomy web site I can look up the weakness "Access Control: Database" and check its references to determine how it maps to the different taxonomies like "A5 Broken Access Control" (OWASP Top 10 2017).
Is there a way I can use the SSC API to do this?
I want to display the category and the associated taxonomies something like this...
Access Control:Database
OWASP->A5 Broken Access Control
STIG-> APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
CCI-> CCI-000213, CCI-001084, CCI-002165
CWE->566
The way that is structured, it looks like you are trying to create a POA&M?
Thanks for the reply. I'm not sure of the reasoning for this request. It's possible the information will be used in POA&Ms, but I'm not involved with that process. I was asked to quantify application vulnerabilities using additional classifications to STIG (i.e. CCI, OWASP, etc...). I think our RMF team may deal more with CCIs, so I think this information may be useful to other teams.
I didn't see a direct way to accomplish this in the API. It would have been helpful to have an API to the Fortify Taxonomy information. I had to utilize several API resources to get the value of the "references" element of the "\issueDetails" resource. Then I had to parse the references string to determine how to associate the issue name to the different taxonomies.
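The parsing step described above, as an added example that is not code from the thread or from Fortify: it takes the text of the "references" element (a constructed sample here; the "[n] Standards Mapping - <taxonomy> <ids>" line layout and the taxonomy names are assumptions about how SSC formats it) and renders the category/taxonomy layout requested in the original post.

```python
import re
from collections import OrderedDict

# Constructed sample of the "references" element of an issueDetails response.
# The "[n] Standards Mapping - ..." layout is an assumption; adjust the patterns
# below if your SSC version formats the text differently.
SAMPLE_REFERENCES = """\
[1] Standards Mapping - Common Weakness Enumeration CWE ID 566
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165
[3] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[4] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[5] Some vendor whitepaper - not a standards mapping
"""

# Taxonomy label -> (regex that identifies the family's mapping line,
#                    regex that pulls the individual identifiers out of it).
# Hypothetical table written for this example; extend it for other standards.
TAXONOMIES = OrderedDict([
    ("OWASP", (r"OWASP Top 10 \d{4}", r"A\d{1,2} [^,]+")),
    ("STIG", (r"Security Technical Implementation Guide", r"APSC-DV-\d{6} CAT [IV]+")),
    ("CCI", (r"Control Correlation Identifier", r"CCI-\d{6}")),
    ("CWE", (r"Common Weakness Enumeration", r"CWE ID (\d+)")),
])


def parse_references(references: str) -> "OrderedDict[str, list]":
    """Map each taxonomy family to the identifiers found in the references text."""
    mapping = OrderedDict((name, []) for name in TAXONOMIES)
    for line in references.splitlines():
        if "Standards Mapping" not in line:
            continue  # ordinary literature references carry no taxonomy data
        for name, (family_re, id_re) in TAXONOMIES.items():
            if re.search(family_re, line):
                for ident in re.findall(id_re, line):
                    ident = ident.strip()
                    if ident not in mapping[name]:
                        mapping[name].append(ident)
    return mapping


def render(category: str, mapping: "OrderedDict[str, list]") -> str:
    """Produce the 'Category / TAXONOMY->ids' layout requested in the thread."""
    lines = [category]
    for name, idents in mapping.items():
        if idents:  # omit taxonomies the references did not mention
            lines.append(f"{name}->{', '.join(idents)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render("Access Control:Database", parse_references(SAMPLE_REFERENCES)))
```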