Dependency-Track can automatically publish results to Fortify Software Security Center (SSC) providing a consolidated view of security-centric code findings and vulnerable component findings.
Dependency-Track accomplishes this in the following ways:
- Fortify SSC integration is configured in Dependency-Track
- Dependency-Track pushes findings to Fortify SSC on a periodic basis (configurable)
- A plugin for Fortify SSC parses Dependency-Track findings
Requirements:
- Dependency-Track v3.4.0 or higher
- Fortify SSC 17.20 or higher
- Download and install Dependency-Track plugin for Fortify SSC
Dependency-Track Configuration #
Global configuration
Dependency-Track requires the use of a CIToken. Refer to the Fortify SSC documentation for more information.
Per-project configuration
Dependency-Track includes the ability to specify configuration properties on a per-project basis. This feature is used to map projects in Dependency-Track to applications in Fortify SSC.
| Attribute | Value |
|---|---|
| Group Name | integrations |
| Property Name | fortify.ssc.applicationId |
| Property Value | The application version ID in SSC |
| Property Type | STRING |
Fortify SSC Configuration #
Step 1: Navigate to parsers
Step 2: Install the plugin
Step 3: Verify plugin is installed
Step 4: Enable plugin
Step 5: Verify plugin is enabled
At this point the plugin is installed and ready to accept payloads from Dependency-Track. Once Dependency-Track pushes a payload to SSC, it will be displayed among the projects artifacts and the results will be filterable within the audit view.
