
Overview

This page provides information on how to integrate Mend with the Fortify AVM application, and how to enable the integration to display information on the components' security vulnerabilities. The integration provides a dashboard that includes a summary view displaying the vulnerability assessment for the user’s Fortify deployment.

For more details about Mend integration with AVM applications, see Application Vulnerability Management (AVM) Platforms Mend Integration.

Prerequisites for Installing the AVM Agent for the Fortify AVM Platform 

  • Fortify SSC version 18.20, 19.10, 20.2, or 21.1.

  • A Fortify SSC user with administrator or Security Lead roles. Alternatively, the following are the minimum permissions needed for a Fortify SSC user to be able to operate the Mend Fortify Agent:

    • Add Application Versions: Users can add applications and application versions.

    • Edit Application Versions: Users can edit application version general settings and processing rules for application versions to which the user has access.

    • Manage Attribute Definitions: Users can add, edit, and delete attribute definitions.

    • Manage Issue View Templates: Users can manage issue view templates.

    • Upload Analysis Results: Users can upload analysis results to application versions to which the user has access. This permission requires the View Application Versions permission.

    • View Application Versions: Users can view applications, application versions and their associated items including events, artifacts, issues, process templates, issue templates, custom tags, personas, performance indicators, and attributes.

  • Mend Parser Plugin (wss-fortify-parser-plugin-xx.xx.x.jar) must be added to Fortify SSC. See the Adding and Managing Parser Plugins section in the Fortify Software Security Center User Guide.

Installing and Running the AVM Agent for Fortify

Instructions and the parameters required for the configuration and running of the AVM Agent can be found here.

However, the following parameters are specifically relevant for Fortify:

  • avm.name must be set to fortify

  • The avm.user and avm.pass parameters are used to access the Fortify API. The avm.apikey parameter can be used instead to access the Fortify API with a Fortify security token. To retrieve the security token, use a third-party tool or run the AVM agent with a user and password for the first time (for how to retrieve the token with the AVM agent, see the Appendix on this page).

Generating Offline Reports for Fortify (Optional)

In Offline mode, the vulnerability alerts are saved to a zip file instead of being sent. In Online mode, the Agent extracts data from Mend via HTTPS, and the data is then sent to Fortify via HTTPS. Offline mode is useful when there is no connectivity (or limited connectivity) with Fortify SSC.

After the configuration file is changed to Offline mode, each execution of the Mend Fortify Agent stores the current configuration and metadata in a zip file named WS_<application-name>_@_<application-version>_@_<scan-date_time>.zip. The content of the file follows Fortify's scan artifact upload requirements. The unzipped JSON file, named WS_<application-name>_@_<application-version>_@_<scan-date_time>.json, includes the vulnerability alerts and related metadata. The output is located in the newly created Mend directory under the current working directory ($pwd or %cd%). This file can be manually uploaded later to a specific application within Fortify SSC from its Admin section, provided the Mend Fortify Parser has been properly installed.

  • <application-name> is the value set in the Mend product/project tag AVM.application.name.

  • <application-version> is the value set in the Mend product/project tag AVM.application.version. If it is not set, the default value 1.0 is used.

Uploading an Offline Request File to Fortify

Upload via the command line: 

Execute the AVM Agent with the -requestFiles flag specifying the path to the WS_<application-name>_@_<application-version>_@_<scan-date_time>.zip file(s) you created in the above section. In order to send more than one file, separate the file names with commas.

  java -jar /path/to/jar/whitesource-avm-agent-*.jar -requestFiles <full-file-path1>[,<full-file-path2>]
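As an added example (not part of the Mend documentation or the agent itself), the following Python helper parses the WS_<application-name>_@_<application-version>_@_<scan-date_time>.zip names described above and assembles the comma-separated value for the -requestFiles flag; the file names it uses are constructed.

```python
"""Helpers for the offline request files written by the Mend Fortify AVM Agent.

Added example, not code from the Mend documentation or the agent itself.
It assumes only the documented file-name layout:
    WS_<application-name>_@_<application-version>_@_<scan-date_time>.zip
"""
import re
from pathlib import Path

# Split on the literal "_@_" separator so application names that contain
# underscores themselves (e.g. "my_app") are not cut in the wrong place.
_NAME_RE = re.compile(r"^WS_(?P<app>.+?)_@_(?P<version>.+?)_@_(?P<stamp>.+)\.zip$")


def parse_request_file(path):
    """Return {"app", "version", "stamp"} for an offline zip file name,
    or None when the name does not follow the agent's layout."""
    m = _NAME_RE.match(Path(path).name)
    if m is None:
        return None
    return {"app": m["app"], "version": m["version"], "stamp": m["stamp"]}


def build_request_files_arg(paths):
    """Build the value passed to the agent's -requestFiles flag.

    Only files whose names parse as offline request files are kept, so a
    stray file in the Mend directory is not uploaded by mistake. Because the
    flag uses commas as its separator and no escaping is documented, a path
    containing a comma is rejected instead of being silently split."""
    keep = []
    for p in paths:
        p = str(p)
        if "," in p:
            raise ValueError(f"path contains a comma and cannot be passed to -requestFiles: {p}")
        if parse_request_file(p) is not None:
            keep.append(p)
    return ",".join(keep)


if __name__ == "__main__":
    # Constructed sample names; a real run would use sorted(Path("Mend").glob("WS_*.zip")).
    sample = ["/work/Mend/WS_my_app_@_2.3_@_2021-06-01_10-30-00.zip",
              "/work/Mend/notes.txt",
              "/work/Mend/WS_aaa_@_1.0_@_2021-06-02_09-00-00.zip"]
    print(parse_request_file(sample[0]))
    print("java -jar /path/to/jar/whitesource-avm-agent-*.jar -requestFiles "
          + build_request_files_arg(sample))
```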

Viewing the Output in Fortify SSC

Initial Dashboard View

The following example displays the initial Dashboard view, with 28 issues pending review across all Mend products/projects, which are displayed in Fortify as Applications. There are two Applications: aggregateModulesT 1.1 and aaa 1.1.

Drilling Down

Clicking Applications in the main menu shows the last scan by Mend. Clicking a specific version of an application displays its issues.

This example shows the result of clicking version 1.1 of the aggregateModulesT application. It displays more information, including the issue names (i.e., vulnerabilities) and the primary location (the specific library).

Clicking a specific issue displays its Mend information. For example, clicking the CVE-2018-3750 issue name shows its details, including the CVSS3 score.

Grouping by File Name

You can also group the issues by vulnerability name (Issue name).

Filtering by Severity

You can filter the vulnerabilities by severity ('criticality' in Fortify SSC).

Generating and Viewing Reports

To initiate a report, click the + New Report button in the Reports section.

The generated report can be downloaded in PDF, XLS, or DOC format.

You can also export the report data by going to the Data Reports section and exporting the vulnerabilities report as a CSV file.

Viewing Effective Usage Analysis Data

Effective Usage Analysis data is visible only to customers who have purchased Prioritize and scanned their products and projects in Mend.

The Effective Usage Analysis result is part of the Issue Name field of a specific vulnerability under the application.

The following table describes the connection between the EUA texts in Fortify and the Shields in Mend. For more information on the shields, refer to the Prioritize documentation.

Fortify         Mend
Effective       Red Shield
Indirect Risk   Green Shield
Undetermined    Yellow Shield
other           Grey Shield

Appendix

Using a Security Token with Fortify

As an alternative to accessing the AVM system with a user name and password, the AVM Agent can use a security token. Because Fortify SSC requires several native API calls with a login and password to generate such a token, the AVM Agent can be used to generate it instead.

As soon as the AVM Agent runs with a user and password, it retrieves and preserves the security token, which the AVM Agent can reuse on subsequent runs to access Fortify SSC without a login and password.
The generated security token is saved according to the following rules:

  • If the AVM Agent configuration file exists and is writable, the security token is written into it as a parameter.

  • Otherwise, the security token is written to the fortify_token.txt file inside the Mend directory under the current working directory. This file is regenerated on every run.

NOTE: Fortify SSC security tokens have an expiration date that is set by the server configuration. Usually the token expires in 90 days, so the AVM Agent should be run with a user and password every 90 days to regenerate the token.

The format for the generated token record is:

  # =========generated  automatically by avm agent ======
  # expiration   date xx-ddd-yyyy
  avm.apikey=adsfadfadfasdfasdfasdfsadf

The information about successful token generation can be found in the AVM Agent logs.
A warning will be displayed if the AVM Agent was not able to write it to the configuration file or to generate the fortify_token.txt file.

For example: java -jar wss.avm-agent.jar -avm.user XXXX -avm.pass YYYY (generates a token and continues)

NOTE: Using a password and user name overwrites the existing token in avm.apiKey (from the config or CLI).

If the user defines a user/password, the AVM Agent ignores the token from the config/CLI and generates a new token.

It is possible to use -avm.api.key without a user and password.

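As an added example (not code from the Mend documentation or the agent), the following Python snippet reads a token record in the layout shown above and decides whether the agent should be run again with avm.user/avm.pass before the token expires; it assumes the expiration date is written as dd-MMM-yyyy, since the page only shows xx-ddd-yyyy, and the record it uses is constructed.

```python
"""Check the security token record the Mend Fortify AVM Agent writes.

Added example, not code from the Mend documentation or the agent.
It assumes the record layout shown above and, because the page only shows
"xx-ddd-yyyy", that the expiration date is written as dd-MMM-yyyy
(e.g. 01-Jun-2021); adjust DATE_FORMAT if your agent writes it differently.
"""
from datetime import date, datetime, timedelta

TOKEN_KEY = "avm.apikey"
DATE_FORMAT = "%d-%b-%Y"  # assumed, see above


def parse_token_record(text):
    """Return (token, expiration_date) from the record text.

    token is None when no avm.apikey line exists; expiration_date is None
    when the '# expiration date ...' comment is missing or unparsable."""
    token, expires = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#") and "expiration" in line:
            try:  # the date is the last whitespace-separated field of the comment
                expires = datetime.strptime(line.split()[-1], DATE_FORMAT).date()
            except ValueError:
                expires = None
        elif line.startswith(TOKEN_KEY + "="):
            token = line.split("=", 1)[1].strip()
    return token, expires


def token_needs_refresh(text, today, warn_days=7):
    """True when the agent should be run again with avm.user/avm.pass:
    no token, unknown expiry, already expired, or expiring within warn_days.
    `today` may be a date or an ISO string such as "2021-05-28"."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    token, expires = parse_token_record(text)
    if token is None or expires is None:
        return True
    return expires - today <= timedelta(days=warn_days)


# Constructed sample record in the documented layout; the token is a dummy value.
SAMPLE_RECORD = """# =========generated  automatically by avm agent ======
# expiration   date 01-Jun-2021
avm.apikey=EXAMPLE_TOKEN_NOT_A_REAL_VALUE
"""

if __name__ == "__main__":
    # In practice read Mend/fortify_token.txt or the agent config file instead.
    print(parse_token_record(SAMPLE_RECORD))
    print("refresh needed:", token_needs_refresh(SAMPLE_RECORD, date.today()))
```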

This page is available at: https://docs.mend.io/bundle/integrations/page/setting_up_fortify_application_vulnerability_management__avm__platform.html