Lieutenant Commander
Lieutenant Commander

Fortify Taxonomy via SSC API

I'm looking for a way to map a category to a taxonomy via the SSC REST API. For example, using the Fortify Taxonomy web site I can look up the weakness "Access Control: Database" and check its references to determine how it maps to the different taxonomies like "A5 Broken Access Control" (OWASP Top 10 2017).

Is there a way I can use the SSC API to do this?

I want to display the category and the associated taxonomies something like this...

Access Control:Database

OWASP->A5 Broken Access Control

STIG-> APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

CCI-> CCI-000213, CCI-001084, CCI-002165






Labels (1)
2 Replies
Captain Captain

The way that is structured it looks like you are try to create a POA&M?

Lieutenant Commander
Lieutenant Commander

Thanks for the reply. I'm not sure of the reasoning for this request. It's possible the information will used in POA&Ms but I'm not involved with that process. I was asked to quantify application vulnerabilities using additional classifications to STIG (i.e. CCI, OWASP, etc...). I think our RMF team may deal more with CCI's so I think this information may be useful to other teams.

I didn't see a direct way to accomplish this in the API. It would have been helpful to have an API to the Fortify Taxonomy information. I had to utilize several API resources to get the value of the "references" element of the "\issueDetails" resource. Then I had to parse the references string to determine how to associate the issue name to the different taxonomies.


The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.