Respected Contributor

Rest API for Fortify SCA

Is there any way I can enable or use a REST API for Fortify SCA, like the REST APIs we have available in WebInspect?
Basically, we want to run a Fortify SCA scan through a REST API.
Established Member

Re: Rest API for Fortify SCA


Hi,

Yes, try appending this resource to your SSC host: /ssc/html/docs/api-reference/index.jsp# and see if you get the Swagger documentation returned.

Additionally, if you log in to SSC, click the help button next to your profile. You should see a link to the SSC API documentation.

Best regards, 

Ryan Brown 

Established Member

Re: Rest API for Fortify SCA

Sorry, read the question wrong and thought it specified SSC not SCA. Apologies.
Micro Focus Expert

Re: Rest API for Fortify SCA


SCA has command line access for sourceanalyzer. I'm not seeing a need for API access as you can interact with SCA via CLI. Can you be more specific in what you are trying to accomplish?

Respected Contributor

Re: Rest API for Fortify SCA

Instead of installing SCA on multiple servers, if I can install SCA on a high-end processor, then it will be easy for multiple application teams to just utilise the REST APIs of SCA to trigger a scan. So, based on demand, a team can request a scan through the REST API.
The same functionality is already provided by WebInspect. Teams don't want to take on the headache of a Fortify installation, as it requires high-end RAM and processors.
I am aware of the Jenkins master/slave architecture, where Fortify can be installed on the slave and the master can call the slave at any time. But we are not using Jenkins, so if REST APIs were available for Fortify SCA, it would be easy for application teams to use Fortify.
I am aware of FOD, but we don't want to expose our source code; we need an on-premise solution.

Thanks!!
Established Member

Re: Rest API for Fortify SCA


I agree, an API is preferable to CLI tools, although I have scripts that use both, depending on the context, with various Fortify products. The API is going to be more robust in functionality. Do you have a support package? If so, it might be worth putting in a service ticket and specifying 'product technical question' under the service request type field. I'm sure their support staff can point you in the right direction of the Swagger documentation relatively quickly, if it's available.

Respected Contributor

Re: Rest API for Fortify SCA

Just got a reply from the Micro Focus support team that a REST API is not available for SCA.
It would be great if they could provide this functionality.
Trusted Contributor

Re: Rest API for Fortify SCA


I am not sure how it might work. SCA is not a server, hence there cannot be any REST API to call (since there is no server to listen).

What you may want to try is a CloudScan installation, which does exactly what you want, i.e. offloads (to some point) scanning to a dedicated farm of scanning servers. If you run 19.1.0 you may also try to offload the translation phase to CloudScan for Java, JavaScript, Ruby, Python or PHP. Still, some kind of client binaries will be required, as there is much more to do (like gathering source code, tracing the build options) than a simple API call.

Micro Focus Expert

Re: Rest API for Fortify SCA

Here is a YouTube video showing how CloudScan works: https://www.youtube.com/watch?v=sALyxg0KJSc
Respected Contributor

Re: Rest API for Fortify SCA


Is it possible to trigger a Fortify CloudScan from a Docker container?

And through the SSC REST API, can we initiate a Fortify CloudScan?

@ebell 
