Dependency-Track can automatically publish results to Fortify Software Security Center (SSC) providing a consolidated view of security-centric code findings and vulnerable component findings.
Dependency-Track accomplishes this in the following ways:
- Fortify SSC integration is configured in Dependency-Track
- Dependency-Track pushes findings to Fortify SSC on a periodic basis (configurable)
- A plugin for Fortify SSC parses Dependency-Track findings
Requirements
- Dependency-Track v3.4.0 or higher
- Fortify SSC 17.20 or higher
- Download and install the Dependency-Track plugin for Fortify SSC
Dependency-Track Configuration
Dependency-Track requires a Fortify SSC CIToken to publish findings to SSC. Refer to the Fortify SSC documentation for more information.
Per-Project Configuration
Dependency-Track includes the ability to specify configuration properties on a per-project basis. This feature is used to map projects in Dependency-Track to applications in Fortify SSC.

| Attribute | Value |
|---|---|
| Property Value | The application version ID in SSC |
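The mapping above is normally set in the UI, but it can also be scripted against the Dependency-Track REST API (project property endpoint, `X-Api-Key` header). The following is an added example, not Dependency-Track's own code; the group name `integrations` and property name `fortify.ssc.applicationId` are assumptions, since this page only shows the property value, and the project listing is constructed sample data.

```python
"""Map Dependency-Track projects to Fortify SSC application versions by
setting the per-project property through the Dependency-Track REST API."""
import json
import urllib.request

# Assumed identifiers for the per-project property (the page lists only
# the property value, "The application version ID in SSC").
GROUP_NAME = "integrations"
PROPERTY_NAME = "fortify.ssc.applicationId"

# Constructed sample of what GET /api/v1/project returns (trimmed fields).
SAMPLE_PROJECTS = [
    {"name": "webapp", "version": "1.0", "uuid": "11111111-1111-4111-8111-111111111111"},
    {"name": "webapp", "version": "2.0", "uuid": "22222222-2222-4222-8222-222222222222"},
    {"name": "billing", "version": "3.1", "uuid": "33333333-3333-4333-8333-333333333333"},
]


def build_property(app_version_id) -> dict:
    """Body for PUT /api/v1/project/{uuid}/property.

    SSC application version IDs are numeric; reject anything else so a
    typo cannot silently leave the project unmapped in SSC."""
    value = str(app_version_id).strip()
    if not value.isdigit():
        raise ValueError(f"SSC application version ID must be numeric, got {value!r}")
    return {"groupName": GROUP_NAME, "propertyName": PROPERTY_NAME,
            "propertyValue": value, "propertyType": "STRING"}


def find_project_uuid(projects, name, version=None) -> str:
    """Resolve exactly one project UUID from a project listing; a name alone
    is ambiguous when several versions of the same project exist."""
    hits = [p for p in projects
            if p["name"] == name and (version is None or p["version"] == version)]
    if len(hits) != 1:
        raise LookupError(f"expected one project for {name!r}/{version!r}, found {len(hits)}")
    return hits[0]["uuid"]


def set_ssc_mapping(base_url, api_key, project_uuid, app_version_id) -> int:
    """Create the property on the project; returns the HTTP status code."""
    req = urllib.request.Request(
        f"{base_url}/api/v1/project/{project_uuid}/property",
        data=json.dumps(build_property(app_version_id)).encode(),
        method="PUT",
        headers={"X-Api-Key": api_key, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:  # raises HTTPError on 4xx/5xx
        return resp.status


if __name__ == "__main__":
    uuid = find_project_uuid(SAMPLE_PROJECTS, "webapp", "2.0")
    print(uuid, build_property(10042))
```

The API key used must belong to a team with permission to manage projects; keep it out of the script and read it from the environment or a secret store.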
Fortify SSC Configuration
Step 1: Navigate to parsers
Step 2: Install the plugin
Step 3: Verify plugin is installed
Step 4: Enable plugin
Step 5: Verify plugin is enabled
At this point the plugin is installed and ready to accept payloads from Dependency-Track. Once Dependency-Track pushes a payload to SSC, it is displayed among the project's artifacts, and the results can be filtered within the audit view.