Absent Member.

How do you get the Fortify API to upload an FPR file?

Using the Fortify REST API, we need to upload an FPR file that we have pushed from WebInspect using its API to the Fortify server.  I was attempting to use the File Upload method in the Fortify API, however I have been unable to find the correct syntax. I can get the file upload token but cannot upload an FPR file using the URL provided. What other data needs to be provided to the API for this to work?  We've tried to use artifact fields with the -d flag as well as the -F flag for form fields. 

With the upload file method, we get the HTTP status 406: The resource identified by this request is only capable of generating responses with characteristics not acceptable according to the request "accept" headers.  (Even after removing the Accept header from the curl statement we are using, we still get the same result).

I tried to Post the FPR as an artifact as well but the API does not support this. Any help with this appreciated.

Vice Admiral

Looking at what happens when you upload an FPR in the HTML5 4.4x UI with Chrome dev tools, it looks like you'll have to do a multipart request for the upload.

First, the file upload token is obtained by POSTing to /api/v1/fileTokens with payload: {"fileTokenType": "UPLOAD"}

HTTPie command example: http POST http://localhost:8080/ssc/api/v1/fileTokens fileTokenType=UPLOAD --auth admin

That should give a response like this:

{
    "data": {
        "fileTokenType": "UPLOAD",
        "token": "8e0726d9-170c-444d-8328-9fe313267887"
    },
    "responseCode": 201
}

Then you can start the upload, POST to /upload/resultFileUpload.html?mat=<data.token from above request> with multipart body including entityId=<project version_id> and files[]=<your FPR>

HTTPie command example: http -f POST http://localhost:8080/ssc/upload/resultFileUpload.html?mat=8e0726d9-170c-444d-8328-9fe313267887 entityId=110 files[]@WebGoat5.0.fpr

Hope that helps.

-Josh

Fortify L3 Support Engineer

Cadet 2nd Class

Thanks Josh.  I'm going to try this shortly.

Cadet 2nd Class

Hi Josh -

Just realized that this can't be right, as you are referring to SSC in your URL...not HPFOD...

Plus, it would be strange that FoD is using the same technique as SSC, given their published API.

I would assume there would be an actual FOD API for uploading an FPR.

Am I missing something?

Thanks in advance,

Mark

Vice Admiral

Nothing in the question mentioned FoD, and the tags suggest it is about SSC, so that's what my answer is for.

-Josh

Absent Member.

Hi Josh,

I tried to use the format as you suggested but am getting an internal error has occurred showing code 10003.

My command is being done in a linux bash file with a curl command as follows:

curl -H "Cache-Control: no-cache" \
-H  "Authorization: FortifyToken <Token>" \
-H "Content-Type: application/json;charset=UTF-8" \
-X POST http://localhost:8080/ssc/upload/resultFileUpload.html?mat=<FileUploadToken> \
-F "fileURL=<locationof file>"

I tried using the files[] and entityID options as well and got the same results.

Vice Admiral

You shouldn't specify the Content-Type manually, curl will do the right thing when using -F. Also, you need to specify -F"entityId=<project version id>" and -F"file=@path/to/your/fpr.fpr" (with the @ sign)

Full example with raw curl to upload WebGoat5.0.fpr from the current directory:

curl -X "POST" "http://localhost:8080/ssc/upload/resultFileUpload.html?mat=8e0726d9-170c-444d-8328-9fe313267887" -F "entityId=2" -F "file=@WebGoat5.0.fpr"

-Josh
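
The two-step upload described in the answers above, as an added example that is not part of the original posts or Fortify's own code: it builds the token request and the multipart upload with the Python standard library, so the boundary-bearing Content-Type that curl's -F generates is visible. The function names are hypothetical, the multipart field name defaults to the `files[]` of the first answer (the curl example uses `file`, so it is a parameter), and the Authorization value is whatever scheme your SSC instance accepts.

```python
import json
import os
import uuid
import urllib.request
from urllib.parse import quote

SSC = "http://localhost:8080/ssc"  # base URL used in the thread's examples


def token_request(auth_header):
    """Step 1: POST {"fileTokenType": "UPLOAD"} to /api/v1/fileTokens."""
    return urllib.request.Request(
        SSC + "/api/v1/fileTokens", method="POST",
        data=json.dumps({"fileTokenType": "UPLOAD"}).encode(),
        headers={"Content-Type": "application/json",
                 "Accept": "application/json",
                 "Authorization": auth_header})


def parse_token(reply):
    """Return data.token from the JSON reply shown in the thread."""
    return json.loads(reply)["data"]["token"]


def upload_request(token, version_id, name, fpr, field="files[]"):
    """Step 2: multipart POST with entityId and the raw FPR bytes."""
    b = uuid.uuid4().hex  # boundary; must also appear in Content-Type
    head = (f'--{b}\r\nContent-Disposition: form-data; name="entityId"\r\n\r\n'
            f'{version_id}\r\n--{b}\r\n'
            f'Content-Disposition: form-data; name="{field}"; '
            f'filename="{name}"\r\n'
            f'Content-Type: application/octet-stream\r\n\r\n').encode()
    body = head + fpr + f'\r\n--{b}--\r\n'.encode()
    url = f"{SSC}/upload/resultFileUpload.html?mat={quote(token, safe='')}"
    # A hand-set "application/json" here would drop the boundary parameter.
    return urllib.request.Request(url, data=body, method="POST", headers={
        "Content-Type": f"multipart/form-data; boundary={b}"})


def upload_fpr(auth_header, version_id, path):
    """Run both steps; return the reply body, which the caller must inspect
    because the thread shows errors arriving with HTTP 200."""
    with urllib.request.urlopen(token_request(auth_header)) as r:
        token = parse_token(r.read())
    with open(path, "rb") as f:  # binary mode: an FPR is not text
        req = upload_request(token, version_id, os.path.basename(path), f.read())
    with urllib.request.urlopen(req) as r:
        return r.read().decode(errors="replace")
```

The upload token travels in the query string, so it will appear in proxy and access logs; request it immediately before the upload rather than storing it.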

Cadet 2nd Class

Lol.  Sorry Josh.  You are absolutely correct.  I read it incorrectly.

Absent Member.

I tried that but now I get the error: Project version is not commited or does not exist. 

Vice Admiral

Well, that's a bit of progress at least, shows that it's hitting the right API endpoint.

That error could mean that you're supplying a project version ID that doesn't exist (or perhaps, that your user doesn't have permissions on), or that the project version identified by the entityId you supplied is not committed.

...If the project version was one you created yourself through the REST API, it's pretty easy for them to be in the uncommitted state. I think you have to make more than one request if you have required attributes in order to get a committed, usable project version.

First request: create (POST) the project version

Second request: set (PUT) required attributes on project version from request 1

Third request: update (PUT) project version from request 1 to set committed=true

Hope that helps.

-Josh

Absent Member.

Hi Josh,

That was helpful. I've got the API to work now, but I was trying to create a new project from the API. However, I keep getting the error code -20209 saying that the post request was incorrectly formatted.  Any suggestions on how to resolve this issue?

Cadet 1st Class

Hi Josh,

I'm using python and trying to create the request by defining the headers, body etc. I am able to get the file token for upload, but I am unsure on how to create the request for the file upload.

Should entityId=<proj version id> be included in the body of the request?

Should I open the file in binary and send it?

Should I still have the first authentication token I got, on my header?

I converted your example curl request to python's requests module and I'm sure I have it right

I'm getting a 200 response but with the following body:

An internal error has occurred. Please contact your Fortify System Administrator.

Any help would be much appreciated, thank you
