I want to scan with Fortify SSC using GitHub Actions. Do you have any document or video?
@FortifyUnplugged · 29 days ago
Hello, I would be happy to help. Have you seen this video? It gives a great overview of GitHub actions for Fortify. kzbin.info/www/bejne/bF6Zi3qQl6t7etksi=DfdoNdMGN7CLJy9_
@amusunny · 1 month ago
This is FANTASTIC
@FortifyUnplugged · 1 month ago
Thank you! Glad you enjoyed it.
@Iam_tokyo · 1 month ago
Is there an API for fetching all applications in Fortify SSC?
@FortifyUnplugged · 1 month ago
Yes, you can see the API Reference documentation by clicking on the "?" icon in the upper right corner of SSC and clicking on the API Documentation link. Here you can learn about how to use the API. Then you can click on the API Reference link to see the Swagger page and browse through the available endpoints. To get a list of all Applications (just Applications and not App Versions), you can do something like:

curl -X 'GET' \
  'localhost:8180/ssc/api/v1/projects?start=0&limit=200&fulltextsearch=false' \
  -H 'accept: application/json'

If you want the Application Versions, it would be something like:

curl -X 'GET' \
  'localhost:8180/ssc/api/v1/projectVersions?start=0&limit=200&fulltextsearch=false&includeInactive=false&myAssignedIssues=false&onlyIfHasIssues=false' \
  -H 'accept: application/json'
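An added example (not code from the video or from the reply above): a small Python client that pages through the /projects and /projectVersions endpoints quoted in the reply, following the start/limit parameters until SSC's reported count is exhausted, and filters versions by application name, which also covers the later question about listing the versions of one application. The base URL, the token and the SAMPLE responses are assumptions; the FortifyToken Authorization scheme is SSC's token header.

```python
# Added example (not from the video or the comments). Assumes SSC at
# http://localhost:8180/ssc, a FortifyToken and the constructed SAMPLE data below.
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterator, List

FetchFn = Callable[[str], dict]  # maps a URL to the decoded JSON body

def build_url(base: str, path: str, start: int, limit: int, **extra: str) -> str:
    """Build an SSC list URL with the start/limit paging parameters shown in the reply."""
    params = {"start": str(start), "limit": str(limit), "fulltextsearch": "false"}
    params.update(extra)
    return f"{base.rstrip('/')}/api/v1/{path}?{urllib.parse.urlencode(params)}"

def http_fetch(token: str) -> FetchFn:
    """Live transport: SSC accepts a token via the 'FortifyToken' Authorization scheme."""
    def fetch(url: str) -> dict:
        req = urllib.request.Request(url, headers={
            "accept": "application/json",
            "Authorization": f"FortifyToken {token}",
        })
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch

def iter_list(fetch: FetchFn, base: str, path: str, limit: int = 200,
              **extra: str) -> Iterator[dict]:
    """Yield every item of a list endpoint, advancing 'start' until 'count' is reached."""
    start = 0
    while True:
        body = fetch(build_url(base, path, start, limit, **extra))
        items = body.get("data", [])
        yield from items
        start += len(items)
        if not items or start >= body.get("count", 0):
            return

def list_applications(fetch: FetchFn, base: str, limit: int = 200) -> List[str]:
    """Names of all applications (the SSC API calls them 'projects')."""
    return [p["name"] for p in iter_list(fetch, base, "projects", limit)]

def list_versions(fetch: FetchFn, base: str, app_name: str, limit: int = 200) -> List[str]:
    """Version names of one application, filtered client-side on the nested project name."""
    return [v["name"] for v in iter_list(fetch, base, "projectVersions", limit,
                                         includeInactive="false")
            if v.get("project", {}).get("name") == app_name]

def fake_fetch(tables: Dict[str, List[dict]]) -> FetchFn:
    """Offline stand-in for http_fetch that honours the same start/limit/count contract."""
    def fetch(url: str) -> dict:
        parsed = urllib.parse.urlparse(url)
        path = parsed.path.rsplit("/api/v1/", 1)[1]
        q = urllib.parse.parse_qs(parsed.query)
        start, limit = int(q["start"][0]), int(q["limit"][0])
        rows = tables[path]
        return {"data": rows[start:start + limit], "count": len(rows), "responseCode": 200}
    return fetch

SAMPLE = {  # constructed sample data, not taken from a real SSC instance
    "projects": [{"id": 1, "name": "WebGoat"}, {"id": 2, "name": "Payroll"},
                 {"id": 3, "name": "Mobile"}],
    "projectVersions": [
        {"id": 10, "name": "1.0", "project": {"id": 1, "name": "WebGoat"}},
        {"id": 11, "name": "2.0", "project": {"id": 1, "name": "WebGoat"}},
        {"id": 12, "name": "main", "project": {"id": 2, "name": "Payroll"}},
    ],
}

if __name__ == "__main__":
    base = "http://localhost:8180/ssc"
    fetch = fake_fetch(SAMPLE)  # replace with http_fetch("<token>") for a live server
    print(list_applications(fetch, base, limit=2))       # pages twice
    print(list_versions(fetch, base, "WebGoat", limit=1))
```

Against a live server, swap fake_fetch for http_fetch and keep the small limit only while testing; 200 per page, as in the reply's curl, is fine in practice.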
@jyhee8612 · 1 month ago
We used to position debricked as SCA for FoD and Sonatype as SCA for Fortify on-prem. So with Debricked integration with Fortify SSC made possible now, how are we going to position Debricked and Sonatype to customer?
@FortifyUnplugged · 1 month ago
While Debricked integrations are great, they are not yet at the same level in terms of enterprise scale as Sonatype's offering. That's the main difference: size/scale.
@jorgepinzon5199 · 2 months ago
Login credential? I don't understand, please help me.
@FortifyUnplugged · 1 month ago
Your question is a little vague, but if I were to guess, I would say the only place you would need login credentials when running a scan from an IDE plugin is if you want to upload the scan results to SSC. So the login credentials in this case would be your SSC username/password or a ToolsConnectToken from SSC.
@HarishKumar-lz2nw · 3 months ago
Very informative. Thanks
@FortifyUnplugged · 1 month ago
Glad it was helpful!
@TheSuperJLA · 3 months ago
list of errors and then jump cut at 3:25. classic
@FortifyUnplugged · 3 months ago
Glad you enjoyed it 😂
@bobbymazumder8769 · 3 months ago
When can you skip DAST and not SAST?
@FortifyUnplugged · 3 months ago
Ideally...you wouldn't skip DAST.
@user-wu9sn6bc3s · 3 months ago
What about DAST installation? Any video for that?
@FortifyUnplugged · 3 months ago
Check out our video, "Running Your First WebInspect DAST Scan" kzbin.info/www/bejne/bHKTqpWMgp56oMUsi=95ZBY7xHG7z2a0Ug Let me know if that's what you're looking for.
@user-jt7ye4bl3z · 3 months ago
I'm so confused about where to start the installation, like where I install and set up the LIM server and other stuff. Bro, can you help me?
@janwienand5936 · 3 months ago
You can install the LIM server with the help of our guide: www.microfocus.com/documentation/fortify-core-documents/2320/LIM_Guide_23.2.0.pdf
@FortifyUnplugged · 3 months ago
Thank you @@janwienand5936 for your reply!
@girupashankari4375 · 3 months ago
This local account has been frozen due to too many failed login attempts. I couldn't log in with admin/admin; my account is frozen. Could you help me with how we can unlock this?
@FortifyUnplugged · 3 months ago
Please have a look at the following Fortify community post: community.microfocus.com/cyberres/fortify/f/discussions/514442/local-admin-account-frozen-after-setting-up-fortify-software-security-center
@MINECRAFTtugan · 3 months ago
Bruh man, that's an unusual accent for me
@FortifyUnplugged · 3 months ago
That would be our good friend Diogo from Brazil!
@ikherhaal · 4 months ago
I would like to see a working example of "pulling in" a token. The step by step version, from a swagger file. I simply don't know how to do it.
@FortifyUnplugged · 3 months ago
Noted. Thanks for your feedback, I will put this on our list of potential future videos.
@BrokeGuy95 · 4 months ago
How to populate data with Analysis Type "DVA"? In any file I only get SCA or WebInspect.
@FortifyUnplugged · 3 months ago
I will look into this for you and get back to you. Thanks for your comment.
@BrokeGuy95 · 4 months ago
How to populate data for analysis type DVA?
@FortifyUnplugged · 3 months ago
What is DVA?
@alejandrocortes813 · 4 months ago
Thank you very much for the information shared, however I would like to know what additional aspects should be taken into account in the configuration when the database to be configured for the SSC application is located on another server. I would greatly appreciate this information.
@janwienand5936 · 3 months ago
In the case of an external database, you only need to change the IP address in the database configuration in the web interface setup (see 12:36).
@FortifyUnplugged · 3 months ago
Thank you so much @@janwienand5936 for your reply!
@hebrux · 4 months ago
How do you resolve these scans if there is a failure?
@FortifyUnplugged · 3 months ago
I will look into this and get back to you!
@victorrocha22 · 4 months ago
Any examples on how to create quality gates, as in setting builds with critical or high issues to fail?
@FortifyUnplugged · 3 months ago
I will look into this and get back to you!
@hugogomez3161 · 4 months ago
Where can I get the fortify_scanCentral_controler zips?
@FortifyUnplugged · 3 months ago
This can be found in the Download or Support Center. You must download the Fortify_xx.x.zip (e.g. Fortify_23.2.0.zip) file.
@reefhound9902 · 5 months ago
Why in hell would I upload my confidential and proprietary project files to some destination where I have no control over? That right there is the biggest security hole of all.
@FortifyUnplugged · 4 months ago
Fortify on Demand is a secure tenant-based environment, meaning each customer receives their own unique tenant. This tenant segregates their application testing data from all other tenants. You can learn more about Fortify on Demand here: www.microfocus.com/media/data-sheet/fortify_on_demand_ds.pdf
@reefhound9902 · 4 months ago
@@FortifyUnplugged it's still a "trust me" solution.
@mamadoubobodiallo1575 · 5 months ago
Hello, good job. Please, how can I list the versions of a desired application?
@FortifyUnplugged · 4 months ago
Thanks for the feedback! I suggest that you have a closer look at the /projectVersions list option and filter for your application. Otherwise I can recommend using our fcli. There is also another video on our channel about this: kzbin.info/www/bejne/qXSwk4iVqJybg6csi=MhALhHxM7HvgeVD_
@AfaanNaqvi · 6 months ago
Thanks for the video. I am an individual macOS developer trying to run my Google Workspace Application (.js and .html code files only) through the PWC CASA Portal, and I get the following error when I try "scancentral package -bt none -o myPackage.zip": "Unable to identify the Controller URL. Specify either the -url option or the -sscurl and -ssctoken options." I do not have (or do not know) what my Controller URL is or should be. I just followed the download, installation, and step-by-step packaging instructions per the PWC CASA portal, and there is no reference there to any URL. The instructions also did not have any information related to -sscurl or -ssctoken. Any help would be much appreciated.
@FortifyUnplugged · 4 months ago
Hello! Have you tried to run it without the -bt option? Here's an example: scancentral package -o myPackage.zip. Please have a look at our documentation for all other details: www.microfocus.com/documentation/fortify-software-security-center/2320/SC_SAST_Help_23.2.0/index.htm#scan-requests/gen-package.htm
@navnathsatav · 4 months ago
@@FortifyUnplugged Tried with and without the -bt option. Getting the same error: "Unable to identify the Controller URL. Specify either the -url option or the -sscurl and -ssctoken options." Commands tried: "scancentral package -hv 7.1 -o myPackage.zip" and "scancentral.bat package -bt none -hv 7.4 -o mypayload.zip"
@pavankumar.m1036 · 6 months ago
How to set up Fortify on an EC2 Linux instance?
@FortifyUnplugged · 4 months ago
This question is a little vague. Do you want to set up Fortify Static Code Analyzer on an Amazon EC2 instance? Or do you want the entire Fortify ecosystem (SSC/ScanCentral/etc.)? I'm not too familiar with EC2, but I believe it's just like a regular VM. If you are asking about installing Fortify Static Code Analyzer, it's just like installing it on any VM. You just need to connect to your instance, transfer the Linux installer to that instance, and run it. Then you should be able to run Static Code Analyzer as usual. Hope that helps!
@jtwcollins · 7 months ago
Using SCA 19.2.0, I'm seeing the build succeed, however the translation phase does not begin.
@FortifyUnplugged · 6 months ago
Hi, thanks for your comment. We need a little more information to provide you with assistance, please reach out to our Fortify Support team here: www.microfocus.com/en-us/contact-support/stackb
@Weaver1812 · 7 months ago
What are the degree/credentials held by these presenters? I have a challenge listening to a customer support person and a marketer lecture engineers on security and would like clarity around that.
@FortifyUnplugged · 6 months ago
Thank you for your comment. This video is not meant to be a lecture but a general awareness of the OWASP Top 10 and what it is.
@user-ov9xl7fi7c · 7 months ago
Hi sir, how can I get the license file for Fortify Security Assistant? I want to run Fortify locally in my branch. Do you recommend any other solution to run?
@FortifyUnplugged · 6 months ago
If you are an on-prem customer, you should be able to contact your Fortify admin to get a fortify.license file. If you are an FoD customer, you should reach out to your TAM.
@tetidemalaga · 7 months ago
Can we use SCA with Java 17?
@FortifyUnplugged · 6 months ago
Yes, you can use SCA with Java 17. But it shouldn't matter what version of Java you use, as SCA ships with its own JRE and will use that. SCA 23.1 shipped with Java 11. SCA 23.2 will ship with Java 17.
@user-et5my2gf2l · 7 months ago
Great job 👏 Would also appreciate it if you provide a demo on how to integrate LDAP with Software Security Center.
@FortifyUnplugged · 6 months ago
Noted. Thanks for your suggestion.
@jopadjr · 8 months ago
47th...Thanks
@FortifyUnplugged · 8 months ago
Thanks for watching!
@geraldortiz8970 · 8 months ago
Is there an example to scan an API via script?
@FortifyUnplugged · 8 months ago
Hello, I'm not quite sure what you're asking. Could you elaborate a little more? Thanks.
@dakshgoyal5262 · 8 months ago
How to view the vulnerability count of all the applications at once, including critical, high, medium and low?
@FortifyUnplugged · 8 months ago
Fcli does not provide a single command to do that. Here is an example in PowerShell of how that could be achieved:

# list application versions and parse the JSON output into PowerShell objects
$rawJson = fcli ssc appversion list -o json
$convertedJson = ConvertFrom-Json ($rawJson -join "")
# count the vulnerabilities of each application version in turn
foreach ($appversion in $convertedJson) {
    fcli ssc appversion-vuln count --appversion=$appversion.Id
}

If you want to aggregate issue counts you could also assign the output of the second fcli command to a variable and do that. Note that the "ssc appversion-vuln" command is replaced by "ssc vulnerabilities" in 2.0.0
@Saikrishna-wp9jf · 9 months ago
Is it possible to scan iOS code using Fortify on a Windows machine?
@FortifyUnplugged · 8 months ago
The short answer is "no". The longer answer is as follows: The Fortify Static Code Analyzer process is split between a translation phase and a scan phase. For iOS apps, the translation phase has to take place on a Mac. The reason for this is that the way Fortify performs translation for iOS is tightly coupled to Xcode, and Xcode is only available on Mac. The subsequent scan phase is platform-independent.
@CanalRenaultClio · 9 months ago
Fortify SCA is just the stupidest thing I've ever seen, a bunch of fake issues being reported. I can't believe someone believes that increases the security of any project.
@FortifyUnplugged · 9 months ago
Which tool are you using?
@CanalRenaultClio · 9 months ago
SSC for Android @@FortifyUnplugged
@FortifyUnplugged · 6 months ago
Thank you for your feedback. It is a common observation with static code analysis to see false positives mixed with the real issues; however, Fortify is one of the most in-depth and capable SAST products on the market. It is possible, if the scan is misconfigured or lacks the full code stack, that results could appear to be not as valuable. Could you perhaps share specifics of your scan configurations and non-satisfactory results? We would love to help you realize the full potential of Fortify to identify and resolve code vulnerabilities. Our new Audit Assistant and AI tech are proven to reduce false positives; in some testing we've seen as high as 80-100% reductions.
@CanalRenaultClio · 5 months ago
@@FortifyUnplugged So you have to change Audit Assistant, because it's rubbish
@sureshkamble1526 · 9 months ago
How can I compare two scan reports of the same application to find closed vulnerabilities in a DAST scan? WebInspect may generate reports with non-comparable data, especially when dealing with network attacks or other types of vulnerabilities that are not directly related to the web application itself. Network attack data may include information about network configurations, firewall rules, or other network-specific details that are not relevant to tracking web application vulnerabilities. Does WebInspect provide any automated approach to find closed vulnerabilities from the tool side between scans?
@FortifyUnplugged · 9 months ago
This is pretty complex and will require a more detailed explanation. Please reach out to our support team for assistance: www.microfocus.com/en-us/support
@MrFaqih31 · 9 months ago
Can we scan an API collection that has an environment?
@FortifyUnplugged · 9 months ago
Yes, as long as you are using Postman, we support environment collections.
@MrFaqih31 · 8 months ago
@@FortifyUnplugged How to input the environment and global variables into WIE?
@FortifyUnplugged · 8 months ago
WIE doesn't support Postman, only ScanCentral DAST and WebInspect. You should migrate to ScanCentral DAST when you get a chance. Thanks.
@ashokvaddevalli · 9 months ago
How to generate a report as PDF in Jenkins?
@FortifyUnplugged · 9 months ago
It is not possible to generate a PDF report using the Jenkins Plugin. You can use one of the following strategies: generate a PDF report on Software Security Center, or generate a PDF report using the FPRUtility (Fortify SCA command line tool). You can also view a list of issues by opening your job in Jenkins and clicking Fortify Assessment on the left. The interactive List of Fortify SSC issues page displays the Summary and Issues breakdown by Priority Order tables, and the links will point you back to your project on SSC.
@sureshkamble1526 · 9 months ago
How can I find closed vulnerabilities between two scans, and how can I automate finding closed defects between two scans? WebInspect may generate reports with non-comparable data, especially when dealing with network attacks or other types of vulnerabilities that are not directly related to the web application itself. Network attack data may include information about network configurations, firewall rules, or other network-specific details that are not relevant to tracking web application vulnerabilities.
@FortifyUnplugged · 9 months ago
Hello, thanks for reaching out. Please reach out to our support team and they will be able to offer you assistance with this. Thanks. www.microfocus.com/en-us/support/Fortify%20WebInspect
@ciprianflorisdinu150 · 9 months ago
Thanks for the video. How can I scan an iOS project with ScanCentral? Do I need an SCA installation on a macOS machine? Also, what should the command be in order to run the scan?
@FortifyUnplugged · 9 months ago
ScanCentral SAST supports two modes of operation: offloading scanning only (with local translation) and offloading both translation and scanning. For iOS projects, only the local translation model is supported. So, you'll have to do translation locally, on a machine that has both Xcode and Fortify SCA, and then you can offload the scanning phase via ScanCentral. References: The languages for which we can/cannot offload translation: www.microfocus.com/documentation/fortify-core-documents/2310/Fortify_Sys_Reqs_23.1.0/index.htm#ScanCentral/CSSensorTrans.htm Translating iOS projects locally: www.microfocus.com/documentation/fortify-static-code-analyzer-and-tools/2310/SCA_Help_23.1.0/index.htm#TranslatingMobileCode/Translating_AppleiOS.htm Offloading scanning to ScanCentral: www.microfocus.com/documentation/fortify-software-security-center/2310/SC_SAST_Help_23.1.0/index.htm#Submit_Job.htm
@lucas5934 · 10 months ago
When I finished the worker service bat, it completed successfully, but the FortifyWorkerService doesn't appear in Windows services. :(
@FortifyUnplugged · 8 months ago
I'd recommend looking into the log files for the prunsrv.exe that is used to register the service. By default these logs should be stored in %SystemRoot%\System32\LogFiles\Apache. Another possibility is that the service was installed but the user did not refresh the services.msc view; it doesn't refresh on its own. If the logs don't help, it's probably best to contact support.
@shahabali957 · 10 months ago
It was a very useful session. Thanks both of you Joanna and Andrew! (y)
@FortifyUnplugged · 9 months ago
Glad you enjoyed it, thanks for watching! Let us know if you have any suggested topics for our next video.
@csv007in · 10 months ago
Our product Jira instance is behind SSO and hence the plugin is not able to connect with our Jira. Any pointer to make this work?
@FortifyUnplugged · 9 months ago
If you are trying to connect SSC to anything JIRA 9.x, then the issue is that JIRA changed the API functions when they went from 8.x to 9.x. SSC JIRA integration currently only knows the 8.x API functions. We verified this discrepancy between 8.x and 9.x and confirmed SSC will not integrate with JIRA 9.x. That being said, we identified the changes needed and are going to try to commit those changes for 23.2. There are two scenarios: 1) If no issues are found, then this will likely go into the 23.2 release, however, 2) if any issues are identified that break functionality with the new APIs, then this will not be in 23.2 and it will be targeted for a future release. If you are using JIRA 8.x and the above is not the issue, then we will need to investigate the issue you are having integrating JIRA with SSC.
@harithaguda3715 · 10 months ago
I have executed a scan for a directory and uploaded the FPR to SSC, where I could see a privacy violation for a file. Later I executed a scan for that particular file and opened the FPR in Audit Workbench, and there this violation type is not listed. Can you please guide me on what I am missing here?
@FortifyUnplugged · 9 months ago
Generally speaking, the exact same issues can be seen in Audit Workbench and Fortify SSC, although differences may occur as a result of filter settings. Based on the question, we can't be sure what's going on. One thing that might be the case: Audit Workbench by default opens with the "quick view" filter that hides all issues except the critical ones and a selection of the high risk ones. By changing this (dropdown in the top-left corner) to "security auditor", you'll get to see all issues, which may help reconcile what you see with SSC. Also, you mention that you were looking at a scan of the directory in SSC and at a scan of a single file in AWB. Many things that Fortify SCA detects are the result of combining information from multiple files; that includes privacy violation issues. So, it also could be the case that Fortify simply didn't find the issue in the single file scan.
@ev4sec · 10 months ago
I'm having issues with the Docker DAST config tool utility. Does this wizard you used for configuring SCD work for 23.1+? What is the package called that contains that tool?
@FortifyUnplugged · 9 months ago
The installer now is a command line tool with a json/yaml settings file, the GUI version was retired 4 releases ago (current version is 23.1). For more complete information on the installation process, please refer to the ScanCentral DAST Configuration doc here: www.microfocus.com/documentation/fortify-ScanCentral-DAST/2310/SC_DAST_Help_23.1.0/index.htm#DynSetup/DynScan_Setup_OV.htm
@dienkhai6659 · 7 months ago
Can you make a video on the installation and configuration of ScanCentral DAST using ConfigurationToolCLI? @@FortifyUnplugged
@ev4sec · 10 months ago
Can I follow through with dast config tool with current SSC implementation on http and reconfigure SSC to use an SSL cert later?
@FortifyUnplugged · 9 months ago
It is possible to update the installation yaml/json settings file and rerun the installation tool to add TLS certificates after the initial installation.
@HCShuffle · 10 months ago
I can't wait till my company gets another package that can properly scan a .NET 6 app. Half of the time the Fortify analyzer fails to run, breaking our build. When it does run, it's 99% false positives.
@FortifyUnplugged · 9 months ago
You might have been using an older version of Fortify. We have upgraded the analyzers to fully support .NET 6 and 7. What version is being used?
@harithaguda3715 · 10 months ago
Hi, I have integrated Jira but am not able to validate it. It is throwing an error to check the Jira URL and credentials. My proxy details are correct. My Jira is behind an SSO. Please suggest how I can resolve the issue.
@FortifyUnplugged · 10 months ago
JIRA stopped supporting basic password authentication some time ago. The only way to authenticate FoD to JIRA is by creating an API token and using that token value in the password field; that should work. Let me know if you have any further questions.
@harithaguda3715 · 10 months ago
@@FortifyUnplugged Thanks so much! Can you confirm this API token is the token to be generated in JIRA? Also, if we have https in the URL, can this still be integrated?
@FortifyUnplugged · 10 months ago
@@harithaguda3715 Here's a little more information. I assume token-based authentication will also work if JIRA is behind SSO (depending on the type of SSO solution and configuration). I usually test the utility against fortifybugtrackerutility.atlassian.net/jira, which I guess also uses a form of SSO, and this worked fine in the past. If Atlassian is in the domain, that is JIRA Cloud. FoD integrates fine with JIRA Cloud other than maybe not supporting all of the types of custom fields. Where we are more concerned is staying current with Jira Server. Jira Server has made changes to how issues are created and how the createmeta endpoint is used. I found this article which gives a great explanation. Code changes are certainly needed to support newer versions of JIRA Server from the FoD side. I imagine your utility will also need some changes to support it as well. Please reach out if you need any more details. developer.atlassian.com/server/jira/platform/jira-rest-api-examples/#jira-versions-8-4-and-later
@StonebrookRecords · 10 months ago
Amazing video. Wow.
@FortifyUnplugged · 10 months ago
Glad you liked it! Thanks for watching.
@sagargoyal8746 · 10 months ago
I am running ScanCentral from Jenkins and getting the error that the upload token was not found. I have generated the upload token from SSC but could not find in which file I should keep that token so that I don't get this error.
@FortifyUnplugged · 10 months ago
As far as I can tell, the tokens have to be configured in the global configuration as described in our documentation here: www.microfocus.com/documentation/fortify-jenkins-plugin/221/Jenkins_Plugin_Help_22.1/index.htm#InstallConfig/ConfigPlugin.htm?TocPath=Installation%2520and%2520Configuration%257C_____3
@akanchhagupta2732 · 10 months ago
Hi, I used the command to create the application but got the error. Can you suggest a solution? {"message":"An internal error has occurred. Please contact your Fortify System Administrator.","responseCode":500,"errorCode":-10100}
@FortifyUnplugged · 10 months ago
I can't really give useful insights without seeing the initial request. Most likely it is a problem with one of the user-provided values. I would recommend reaching out to someone on our support team: www.microfocus.com/en-us/contact-support/stackb
@mahammadazeem726 · 11 months ago
Hi @fortify unplugged, does the Jenkins pipeline/plugin automatically create the application in Fortify while uploading the scan results (.fpr) file if it doesn't exist, or must the application be created before uploading the result? Or is there any setting we can define to automatically create this application from Jenkins CI when uploading the .fpr file? Please advise.
@FortifyUnplugged · 11 months ago
The Jenkins Plugin will create the Application/Version if it doesn’t exist in SSC prior to doing the upload. Hope that helps!
@mahammadazeem726 · 10 months ago
@@FortifyUnplugged It's not creating the application from the pipeline. As per the Fortify plugin documents, the application auto-creates when scanned using a freestyle Jenkins job but not from a pipeline job.
@FortifyUnplugged · 9 months ago
@@mahammadazeem726 It should work for pipeline Jobs as well. You can use the FortifyUpload Step, which should be used for pipelines for Local Scans. If your pipeline is configured for Remote Scans, this will not work. But that’s the same for Freestyle Jobs.
@mahammadazeem726 · 9 months ago
@@FortifyUnplugged Yes, our pipeline is configured for remote scans. 1) Is there any way to get the apps created automatically via a pipeline job (any switch/argument to be passed for the Fortify scan step, upgrading the Fortify plugin, etc.)? 2) For freestyle jobs, will this also not work?