...

This page describes how to integrate Mend with Fortify Software Security Center (SSC) as an Application Vulnerability Management (AVM) platform, and how to enable the integration so that Fortify displays the security vulnerabilities of the scanned open-source components. The integration adds a dashboard with a summary view of the vulnerability assessment for the user's Fortify deployment.

For more details about the Mend integration with AVM platforms, see Application Vulnerability Management (AVM) Platforms Mend Integration.

Prerequisites for Installing the AVM Agent for the Fortify AVM Platform

  • Fortify SSC version 18.20, 19.10, 20.2, or 21.1.

  • A Fortify SSC user with the Administrator or Security Lead role. Alternatively, the following are the minimum permissions a Fortify SSC user needs in order to operate the Mend Fortify Agent:

    • Add Application Versions: Users can add applications and application versions.

    • Edit Application Versions: Users can edit application version general settings and processing rules for application versions to which the user has access.

    • Manage Attribute Definitions: Users can add, edit, and delete attribute definitions.

    • Manage Issue View Templates: Users can add, edit, and delete issue view templates.

    • Upload Analysis Results: Users can upload analysis results to application versions to which the user has access. This permission requires the View Application Versions permission.

    • View Application Versions: Users can view applications, application versions and their associated items including events, artifacts, issues, process templates, issue templates, custom tags, personas, performance indicators, and attributes.

  • The Mend Parser Plugin (wss-fortify-parser-plugin-xx.xx.x.jar) must be added to Fortify SSC. See the Adding and Managing Parser Plugins section in the Fortify Software Security Center User Guide.

...

In Offline mode, the vulnerability alerts can be saved to a zip file instead of being sent to Fortify. In Online mode, the Agent pulls the alert data from Mend over HTTPS and then uploads it to Fortify SSC over HTTPS. Offline mode is useful when the Agent has no connectivity (or only limited connectivity) to Fortify SSC.

When the configuration file is switched to Offline mode, every execution of the Mend Fortify Agent writes the current configuration and metadata to a zip file named WS_<application-name>_@_<application-version>_@_<scan-date_time>.zip. The file's contents follow Fortify's scan-artifact upload requirements. Inside the zip, the JSON file WS_<application-name>_@_<application-version>_@_<scan-date_time>.json holds the vulnerability alerts and their related metadata. The output is written to a newly created Mend (formerly whitesource) directory under the current working directory ($pwd or %cd%). Once the Mend Fortify Parser plugin has been installed in Fortify SSC, the zip file can be uploaded manually to the target application version from the SSC Admin section.

  • <application-name> is the value of the Mend product/project tag AVM.application.name.

  • <application-version> is the value of the Mend product/project tag AVM.application.version. If the tag is not set, the default value 1.0 is used.
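As an added example (not part of the Mend or Fortify documentation, and not the Agent's own code), the following Python helper parses the offline artifact names described above, validates a zip before it is uploaded by hand, and picks the newest artifact for each application version when several runs have accumulated. Only the file-naming scheme comes from the page: the JSON layout inside the zip, the timestamp format, and the sample alerts are constructed assumptions for the demonstration.

```python
"""Inspect Mend Fortify Agent offline-mode artifacts before uploading them to Fortify SSC."""
from __future__ import annotations

import io
import json
import re
import zipfile

# Naming scheme from the documentation:
#   WS_<application-name>_@_<application-version>_@_<scan-date_time>.zip
# The "_@_" separator is what lets application names and versions themselves
# contain underscores, so we split on that token, not on "_".
_ARTIFACT_RE = re.compile(
    r"^WS_(?P<app>.+?)_@_(?P<version>.+?)_@_(?P<stamp>[^/\\]+)\.(?P<ext>zip|json)$"
)


def parse_artifact_name(filename: str) -> dict[str, str] | None:
    """Return app/version/stamp/ext for a conforming file name, or None."""
    match = _ARTIFACT_RE.match(filename)
    return match.groupdict() if match else None


def build_offline_artifact(app: str, version: str, stamp: str,
                           alerts: list[dict]) -> tuple[str, bytes]:
    """Constructed sample artifact for demonstration: a zip named per the scheme
    holding a same-named JSON file. The JSON layout here is an assumption; the
    agent's real layout follows Fortify's scan-artifact upload requirements."""
    base = f"WS_{app}_@_{version}_@_{stamp}"
    payload = {"application": app, "version": version, "scanDate": stamp, "alerts": alerts}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(f"{base}.json", json.dumps(payload))
    return f"{base}.zip", buf.getvalue()


def inspect_artifact(filename: str, data: bytes) -> dict:
    """Validate an offline artifact and summarise it for the operator.

    Checks that the zip name conforms, that the zip contains the JSON file named
    after it (other entries required by Fortify's format are tolerated), and that
    the JSON parses. Returns the SSC application/version the artifact targets and
    the alert count, so it is uploaded to the right application version."""
    meta = parse_artifact_name(filename)
    if meta is None or meta["ext"] != "zip":
        raise ValueError(f"not an offline artifact name: {filename}")
    expected_json = filename[:-len(".zip")] + ".json"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if expected_json not in names:
            raise ValueError(f"{expected_json!r} missing from zip; entries: {names}")
        payload = json.loads(zf.read(expected_json))
    alerts = payload.get("alerts", [])
    return {
        "application": meta["app"],
        "version": meta["version"],
        "scan": meta["stamp"],
        "alert_count": len(alerts),
        "cves": sorted(a["cve"] for a in alerts if "cve" in a),
    }


def latest_per_application(filenames: list[str]) -> dict[tuple[str, str], str]:
    """Choose the newest zip for each (application, version) pair.

    Assumes the scan-date_time component sorts lexicographically (ISO-like);
    that is an assumption about the agent's date format, adjust if it differs."""
    best: dict[tuple[str, str], str] = {}
    for name in filenames:
        meta = parse_artifact_name(name)
        if meta is None or meta["ext"] != "zip":
            continue
        key = (meta["app"], meta["version"])
        if key not in best or meta["stamp"] > parse_artifact_name(best[key])["stamp"]:
            best[key] = name
    return best


if __name__ == "__main__":
    # Constructed sample: the application "aaa 1.1" from the dashboard example on this page.
    name, blob = build_offline_artifact(
        "aaa", "1.1", "2021-06-01_10-15-00", [{"cve": "CVE-2018-3750", "severity": "high"}]
    )
    print(inspect_artifact(name, blob))
```

Run it against the Mend output directory before a manual upload: inspect_artifact tells you which SSC application version the file belongs to, and latest_per_application avoids re-uploading stale runs when the directory holds one zip per execution.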

...

The following example shows the initial Dashboard view, with 28 issues pending review across all Mend products/projects, which Fortify displays as Applications.
There are two Applications: aggregateModulesT 1.1 and aaa 1.1.

...

The Applications item of the main menu shows the last scan by Mend for each application. Clicking a specific application version displays its issues.

...

Clicking a specific issue displays its Mend information. The following shows the result of clicking the CVE-2018-3750 issue name, including details on the CVSS3 score:

...

Effective Usage Analysis (EUA) results are visible only to customers who purchased Prioritize and scanned their products and projects with it in Mend.

The EUA result is part of the Issue Name field of each vulnerability under the application.

...

The following table maps the EUA text shown in Fortify to the shield shown in Mend. For more information on the shields, refer to the Prioritize documentation.

  Fortify (EUA text)    Mend (shield)
  Effective             Red Shield
  Indirect Risk         Green Shield
  Undetermined          Yellow Shield
  other                 Grey Shield

...

  • If the AVM Agent configuration file exists and is writable, the security token is written into it as a parameter.

  • Otherwise, the security token is written to the file fortify_token.txt inside the Mend (formerly whitesource) directory under the current working directory. This file is regenerated on every run. In either case the token is stored in plaintext, so restrict the file to the account that runs the Agent and keep it out of source control and shared working directories.
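As an added example, not taken from the Agent's own code, the following Python snippet applies the token-placement rule above to work out where the token will land, and then audits and tightens that file's permissions. The output directory name whitesource (the name used by earlier WhiteSource releases) and the use of POSIX mode bits are assumptions; the page does not name the configuration parameter, so the snippet treats the configuration file as opaque and only checks that it exists and is writable.

```python
"""Locate where the Mend Fortify Agent stores the SSC security token and check its exposure."""
from __future__ import annotations

import os
import stat
from pathlib import Path

# Assumption: the agent's output directory under the working directory is called
# "whitesource" (earlier WhiteSource releases); confirm against your agent's output.
OUTPUT_DIR_NAME = "whitesource"
TOKEN_FILE_NAME = "fortify_token.txt"


def token_location(config_path: Path | None, cwd: Path) -> Path:
    """Apply the documented rule: an existing, writable configuration file receives
    the token as a parameter; otherwise it goes to <cwd>/whitesource/fortify_token.txt."""
    if config_path is not None and config_path.is_file() and os.access(config_path, os.W_OK):
        return config_path
    return cwd / OUTPUT_DIR_NAME / TOKEN_FILE_NAME


def audit_secret_file(path: Path) -> list[str]:
    """Return findings for a file holding a plaintext secret (empty list means OK).

    Only POSIX permission bits are inspected; on Windows check the ACL instead."""
    findings: list[str] = []
    if not path.exists():
        return [f"{path}: missing"]
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & stat.S_IRWXG:
        findings.append(f"{path}: group has access (mode {oct(mode)})")
    if mode & stat.S_IRWXO:
        findings.append(f"{path}: others have access (mode {oct(mode)})")
    return findings


def harden_secret_file(path: Path) -> int:
    """Restrict a secret-bearing file to owner read/write and return the new mode bits."""
    path.chmod(stat.S_IRUSR | stat.S_IWUSR)
    return stat.S_IMODE(path.stat().st_mode)


if __name__ == "__main__":
    # Usage: run from the Agent's working directory after an execution.
    target = token_location(Path("wss-fortify-agent.config"), Path.cwd())  # config name is an assumption
    print("token is written to:", target)
    for finding in audit_secret_file(target):
        print("WARNING:", finding)
```

Because the Agent regenerates fortify_token.txt on every run, any permission fix has to be re-applied after each execution (or enforced through the directory's default ACL or umask) rather than done once.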

...