
Fortify Professional Integration

The Fortify integration in OpenRMF® Professional allows you to import vulnerabilities found during static software scans into your system package.

Generate a Login Token

To use the Fortify integration you must have a login token. To get one, click the Administration menu, then click the Token Management menu option on the left. Click the New button and specify the token type, expiration date, and description for this token. Check the Fortify help for the type of token you require (i.e. CIToken). Copy the token when it is presented, because you cannot look it up again later. Use this token in the integration setup for Fortify.

See the image below for direction on how to get to the page to generate a token.

[Image: Fortify Token]

Enabling the Integration

To enable the integration, go to the Integrations and Plugins page and click the Fortify option. The form shown below appears, asking for the Root Fortify URL as well as the API token (generated from your profile) used to log in and import scan data. You can also specify a maximum number of issues (vulnerabilities) to return when importing. Fortify itself has a default maximum of 200. Set this to 0 if you want all issues returned.

Note that if the number of issues is very large, CPU and memory use as well as network traffic and speed may make the result take longer to load.

You can test the Fortify integration with the Test button before saving it. Please make sure the Test is successful before saving your integration information.

You can always return and delete the integration as well. If you return to edit the integration you MUST enter the password/token again, as we do not transfer it back and forth to the Integration page.

If the Fortify site uses HTTPS with a self-signed certificate, you can click the “Allow HTTPS Connection” option so that the connection is accepted. You may need to do this on a private network, on a disconnected network, or when using a self-signed certificate or a custom certificate authority.

[Image: Fortify Integration]

Now that the integration is set up, return to your system package dashboard, where there is an Import option under the Other Technology button menu.

Adding Fortify Projects for Importing

Once the integration is tested and saved, you can add projects to allow importing: click the List button on the Available Fortify Projects table at the bottom. For the projects you wish to use, click the Add button and they will be added to the available listing in the area above the table marked “Current Fortify Projects”.

To remove a project from the available listing, click the red “X” next to it. Note that this does not remove any results already imported, only the ability to import again from that project.

[Image: Fortify Project Version]

Importing Vulnerabilities from Fortify

For detailed information on importing vulnerability data, please visit the Importing Technology Vulnerability Scans Help.


Copyright © 2021 - 2025 Soteria Software LLC.
Do The Work. Automate the Paperwork!SM