Snyk open source vulnerability detection results are now available in Fortify SSC

Micro Focus Expert

We are excited to announce the integration of Snyk and Fortify Software Security Center (SSC) to improve how our joint customers consume and act on vulnerability data. 

Snyk is known for finding and fixing known vulnerabilities and license violations in open source dependencies, while we at Fortify are known for our broad static and dynamic analysis capabilities, effectively pinpointing security vulnerabilities and code quality issues in an application's custom code. Through the integration of Snyk with Fortify SSC, customers can now obtain a unified view of both their custom-code and open source security vulnerabilities. Combining the two gives management and stakeholders a more accurate view of the overall security posture of the application portfolio, and also naturally tracks that posture over time as vulnerabilities get fixed or introduced.

Below is the announcement video and a short demo:

Continuous visibility through CI pipelines

This integration allows Fortify SSC users to monitor the state of the open source vulnerabilities and license violations in their projects, track mitigation and receive alerts when new vulnerabilities are introduced.

To obtain continuous visibility into an application's open source vulnerabilities and license violations, users run a `snyk test` command inside the pipeline and upload its results to Fortify SSC via the available APIs (see below for a technical how-to). Because Snyk tests run quickly, it is advisable to run the inline scan on every build.

Each finding includes information about the affected component as well as an issue description, severity score, the transitive dependency path through which the issue was introduced, and whether the issue is upgradable or patchable with a Snyk Precision Patch. Links back to Snyk's advisory pages include even richer content: hand-curated explanations including code snippets outlining the vulnerability, the CVSS score and vector, and other valuable metadata.

Here is how Snyk vulnerabilities and license violations manifest in the Fortify SSC Audit view:

[Screenshot: Fortify scans for code vulnerabilities]

Expanding a specific vulnerability reveals detailed information, including how this component was initially introduced in the application dependency tree, information about how to correct the vulnerability, and additional content:

[Screenshot: Snyk integrates with Fortify Software Security Center]

How to set up the integration

In order to enable the integration, you will need to install the Snyk parser plugin in SSC.

  1. Download the latest version of the Snyk plugin.
  2. Access Fortify SSC, and go to the Administration page.
  3. Navigate to Parsers, located under Plugins.
  4. Upload the plugin.
  5. Once uploaded, click Enable.

In order to make use of the Snyk plugin, use the snyk CLI to generate a Snyk report in JSON format (`snyk test --json > scan.json`).

This report can be pushed to SSC in two ways:

1). The web UI:

a. Package the scan results in a zip file together with a `scan.info` that tags the artifact for the Snyk parser:

```
echo "engineType=SNYK" > scan.info
zip -v scan.zip scan.json scan.info
```

b. Navigate to the SSC App page.
c. Choose Artifacts and then upload the zip file.
d. Once the artifact is parsed, the results are displayed in the SSC app dashboard.

2). The SSC REST API:

a. Get an upload token from the API (replace `<HOST>` and `<PASSWORD>` with your SSC host and the SSC user's password):

```
curl --noproxy <HOST> -X POST -H "Content-Type: application/json" -u admin:<PASSWORD> -d '{"fileTokenType": "UPLOAD"}' http://<HOST>:8180/ssc/api/v1/fileTokens
```

b. Use the resulting token to upload the file (replace `<TOKEN>` with the token from the response and `<APP_ID>` with the SSC application version id):

```
curl --noproxy localhost -X POST --form files=@"scan.json" "http://localhost:8180/ssc/upload/resultFileUpload.html?mat=<TOKEN>&entityId=<APP_ID>&engineType=SNYK"
```
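The REST steps above, wired together into a single pipeline script. This is an added example, not Fortify's or Snyk's own tooling; it assumes the SSC host, port, credentials and application version id are supplied through the `SSC_HOST`, `SSC_PORT`, `SSC_USER`, `SSC_PASS` and `SSC_APP_ID` environment variables, and it treats `snyk test` exit code 1 (vulnerabilities found) as a report worth uploading rather than a failure.

```shell
#!/bin/sh
# Added example: run snyk test, obtain an SSC upload token and push the
# JSON report to the Snyk parser. Connection details are assumptions
# taken from environment variables; defaults match the post above.
set -e

SSC_HOST="${SSC_HOST:-localhost}"
SSC_PORT="${SSC_PORT:-8180}"
SSC_USER="${SSC_USER:-admin}"

# Writes the scan.info used when packaging a zip for the web UI path.
make_scan_info() {
  printf 'engineType=SNYK\n' > "$1/scan.info"
}

# Pulls "token" out of the /ssc/api/v1/fileTokens JSON reply with sed,
# so the pipeline image needs no jq. Prints nothing on an error reply.
extract_token() {
  printf '%s' "$1" | sed -n 's/.*"token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Builds the resultFileUpload.html URL: host, port, token, app version id.
build_upload_url() {
  printf 'http://%s:%s/ssc/upload/resultFileUpload.html?mat=%s&entityId=%s&engineType=SNYK' "$1" "$2" "$3" "$4"
}

# snyk test exits 1 when it finds vulnerabilities; the report is still
# complete and must be uploaded. Any other nonzero exit is a real error.
run_snyk_scan() {
  rc=0
  snyk test --json > "$1" || rc=$?
  case "$rc" in 0|1) return 0 ;; esac
  echo "snyk test failed (exit $rc)" >&2
  return "$rc"
}

upload_snyk_results() {
  work="$(mktemp -d)"
  run_snyk_scan "$work/scan.json"
  resp="$(curl -sS --noproxy "$SSC_HOST" -X POST -H 'Content-Type: application/json' \
    -u "$SSC_USER:${SSC_PASS:-}" -d '{"fileTokenType": "UPLOAD"}' \
    "http://$SSC_HOST:$SSC_PORT/ssc/api/v1/fileTokens")"
  token="$(extract_token "$resp")"
  [ -n "$token" ] || { echo "no upload token in SSC reply: $resp" >&2; return 1; }
  curl -sS --noproxy "$SSC_HOST" -X POST --form files=@"$work/scan.json" \
    "$(build_upload_url "$SSC_HOST" "$SSC_PORT" "$token" "${SSC_APP_ID:-}")"
  rm -rf "$work"
}

# Only talk to SSC when explicitly asked, e.g. SSC_UPLOAD=1 in the CI job.
if [ "${SSC_UPLOAD:-0}" = "1" ]; then upload_snyk_results; fi
```

Because the upload token is single-purpose and short-lived, request it in the same job that uploads and never store it in build logs or artifacts.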

For more information, feel free to contact the Fortify team today!

1 Comment
Micro Focus Frequent Contributor

Interesting new capabilities!
