JIRA to SSC plugin
Does a JIRA plugin exist that will allow me to push findings into SSC where it can be added to reporting/tracking or do we have to recreate the wheel and write one from scratch using the API?
We know it is possible to have a bi-directional connection with an external tool. Burp Suite has a plugin that allows you to push bugs to SSC or have bugs pushed from SSC. If someone knows of a comparable plugin for JIRA, I would appreciate it.
There is a built-in plugin for JIRA in SSC, but it seems to be one-way, publishing SSC Issues into JIRA. You must first enable it in the SSC Configuration screens, then you can select the specific Bug Tracker for each Application container in SSC. The plugin files are located within the unzipped files from your SSC WAR Zip file, where you located the original ssc.war file and SQL scripts.
There is also a secondary tool on our Marketplace which permits expanded connections with Bug Trackers, both built-in ones and others. See the link below.
- SSC docs: https://www.microfocus.com/documentation/fortify-software-security-center/
- Bug Tracker details for SSC: https://www.microfocus.com/documentation/fortify-software-security-center/1820/SSC_Help_18.20/index.htm#SSC_UG/Using_Bug_Tracking.htm
- Related Forum article: https://community.microfocus.com/t5/Fortify-User-Discussions/Automatic-Jira-creation/td-p/1599574
- Secondary tool for Bug Tracker integrations: https://marketplace.microfocus.com/fortify/content/fortify-bugtracker-utility
-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify
Thanks for answering. I am able to push findings from SSC into JIRA but that isn't what I want.
Since SSC lacks the capacity to manually create findings, which we have a need for due to things like CMS vulnerabilities and/or 3rd party software notices, I will be creating them within JIRA.
From there, I was looking for a plugin (Parser might be a better word to use) that would import the JIRA finding into SSC. Reason being, I could still create a singular vuln report for dev teams or to store as an audit artifact. More reasons: centralized database for custom BIRT reporting, doing work within one analyst console before sending bugs off to HP ALM (QC), etc. You get the picture.
There is so much reporting and customization in my SSC that it doesn't migrate to bug trackers readily, and it means that I have to manually sync findings across differing systems.
Did you check this tool available on GitHub: http://github.com/fod-dev/FoDBugTrackerUtility
I used it to sync vulnerabilities both ways, sending them from SSC to JIRA and then from JIRA to SSC, and also closing tickets opened to respond to vulnerabilities found. I'm not sure if it is what you need, but let us know!
Data, or do not.
Thanks for the response, but I cannot use the bugtracker utility you gave me because 1) I'm on-premise, not FoD, and 2) I'm on 18.20 and any attempts to load plugs have to be JAR files, and those JAR files have to be below 20MB, meaning the old tracker utility won't work either. Thanks again tho!
I use this plugin in an on-prem environment, no problem. I don't know why MF calls it by this name.
This 20MB limit can be changed somewhere, maybe in Tomcat.
Data, or do not.