Micro Focus Fortify on Demand Connector Guide
Summary: How to set up and use the Micro Focus Fortify on Demand connector in Ivanti Neurons RBVM/ASPM/VULN KB.
Overview
The Ivanti Neurons RBVM/ASPM/VULN KB platform provides an API-based connector that integrates with Micro Focus' Fortify on Demand (FoD), enabling customers to bring their SAST and DAST findings from Fortify into Neurons RBVM/ASPM/VULN KB. This gives customers visibility into their overall risk from vulnerabilities in their source code and web applications, and enables a simpler, more efficient way to manage those vulnerabilities.
User Prerequisites/Fortify on Demand Setup
Fortify on Demand is a cloud-based solution. Neurons RBVM/ASPM/VULN KB requires a user account with the following access in order to communicate with and pull data from Fortify on Demand:
- Read access to scan results and their associated issues.
- API access with the Fortify on Demand API scope set to 'api-tenant'. See the following link for more details: https://<fortify on demand instance url>/Docs/en/Content/API/API_Scopes.htm
- A Client Id and Client Secret for a Fortify on Demand user holding the Read Only user role. See the following link for more details: https://<fortify on demand instance url>/Docs/en/Content/Administration/Settings/API/API_CreateKey.htm
Fortify on Demand Connector API Calls
During a connector run, the following API calls pull security vulnerabilities from Fortify on Demand into Neurons RBVM/ASPM/VULN KB.

| API Type | Endpoint |
|---|---|
| Authentication | https://{{loginUrl}}/oauth/token |
| Fetch List of SDLC status | https://{{loginUrl}}/api/v3/lookup-items?type=SDLCStatusTypes |
| Fetch List of Applications | https://{{loginUrl}}/api/v3/applications |
| Fetch List of Releases | https://{{loginUrl}}/api/v3/releases?filters=sdlcStatusTypeId:<user value> |
| Fetch List of Vulnerabilities by Release Id | https://{{loginUrl}}/api/v3/releases/<releaseId>/vulnerabilities |
| Get Vulnerability detail for each Vulnerability | https://{{loginUrl}}/api/v3/releases/<releaseId>/vulnerabilities/<vulnId>/all-data |
| Get Vulnerability code detail for each SAST Finding | https://{{loginUrl}}/api/v3/releases/<releaseId>/vulnerabilities/<vulnId>/traces/<traceIndex>/<index>/snippet |
Configuring the Fortify on Demand Connector in Neurons RBVM/ASPM/VULN KB
Navigate to the Automate > Integrations page.
Using the search bar in the upper-right corner of the Integrations page, type Fortify on Demand to find the connector.
Locate the Fortify on Demand card on the page and click Configuration.
In the new window under Connection, complete the required fields, as described below.
- Name: The connector's name.
- URL: The API URL used to access the Fortify on Demand instance. See https://<fortify on demand instance url>/Docs/en/index.htm#API/API_About.htm for details, and enter the API Root URL for your datacenter.
- Client Id: The API Key retrieved from the Fortify on Demand instance. See the User Prerequisites/Fortify on Demand Setup section for the required API scope and role.
- Client Secret: The API Secret retrieved from the Fortify on Demand instance. See the User Prerequisites/Fortify on Demand Setup section for the required API scope and role.
- SSL: Optional instance SSL certificate in base64 format.
- Select Network: The Neurons RBVM/ASPM/VULN KB network name (ingested data is associated with this network).
Click the Test Credentials button to ensure the credentials are correct and have the necessary access to make Fortify on Demand API calls.
Under Schedule, you can configure the schedule on which the connector retrieves results from the Fortify on Demand instance. Users can optionally turn on Enable auto URBA (Update Remediation by Assessment).
When the Create Assets that do not have vulnerabilities option is selected, Neurons RBVM/ASPM/VULN KB creates applications that have zero findings. This option is selected by default, and the user can opt to turn it off.
Users can choose to ingest only selected applications from Fortify on Demand based on the SDLC status and Release created date fields.
- Release SDLC Status: Clicking the All radio button pulls applications with all of their releases. To pull specific applications, click the Select Status radio button. Once selected, Neurons RBVM/ASPM/VULN KB makes a dynamic call to Fortify on Demand to fetch all associated releases. Users can select more than one release.
- Release Created Date: The user can ingest selected applications based on the release created date in the Fortify on Demand instance. Only one type can be selected.
Click the Save button to save the connector's configuration and create the connector. Once saved, the connector is visible on the Integrations page under Currently Configured Integrations.
Clicking the History button displays the connector details for each pull. The Sync button allows users to perform an on-demand sync. The Edit button allows the user to edit the connector configuration. The Delete button allows the user to delete the connector.
Once the files have been processed on the Uploads page, view the ingested data by navigating to the Applications and Application Findings pages.
Mapping Fortify on Demand fields in Neurons RBVM/ASPM/VULN KB
This table shows the high-level mapping of Fortify on Demand fields in Neurons RBVM/ASPM/VULN KB. Neurons RBVM/ASPM/VULN KB pulls both DAST and SAST findings from Fortify.

| Neurons RBVM/ASPM/VULN KB Fields | Fortify on Demand SAST Fields | Fortify on Demand DAST Fields |
|---|---|---|
| Scanner Reported Severity | items -> severityString | items -> severityString |
| Normalized Severity | Fortify on Demand uses the severity scale Critical, High, Medium, Low, Informational and Best Practices. Neurons RBVM/ASPM/VULN KB converts this scale into a 0-10 scale using its own logic. Contact Neurons RBVM/ASPM/VULN KB Support for more information. | Fortify on Demand uses the severity scale Critical, High, Medium, Low, Informational and Best Practices. Neurons RBVM/ASPM/VULN KB converts this scale into a 0-10 scale using its own logic. Contact Neurons RBVM/ASPM/VULN KB Support for more information. |
| Scanner Plugin | items -> checkId | items -> checkId |
| Application Name | The Application name is formed by combining items -> applicationName + items -> releaseName + items -> sdlcStatusType | The Application name is formed by combining items -> applicationName + items -> releaseName + items -> sdlcStatusType |
| Plugin Source Status | items -> status | items -> status |
| Finding Type | items -> scantype; the finding is SAST when this has the value Static | items -> scantype; the finding is DAST when this has the value Dynamic |
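The following is an added example, not Ivanti's connector code, that replays the read-only pull sequence from the API calls table above and applies the field mapping from this table to each vulnerability item. The `fetch` callable (URL to parsed JSON) is a hypothetical abstraction injected so the walk runs offline; the sample responses are constructed, and field names such as `releaseId`, `vulnId` and `items`, the `" - "` separator in the application name, and the `0/0` trace indices are assumptions rather than values taken from the page.

```python
# Added example, not Ivanti's connector code. `fetch` is a hypothetical GET
# callable; sample responses are constructed and the JSON field names
# (releaseId, vulnId, items) are assumptions about FoD's response shape.
from typing import Any, Callable, Dict, List

JSON = Dict[str, Any]
SCAN_TYPES = {"Static": "SAST", "Dynamic": "DAST"}  # items -> scantype

def map_finding(item: JSON) -> JSON:
    # Normalized Severity is left out: the 0-10 conversion is not published here.
    kind = SCAN_TYPES.get(item.get("scantype"))
    if kind is None:
        raise ValueError(f"unknown scantype: {item.get('scantype')!r}")
    return {
        "scanner_name": f"FortifyonDemand{kind}",
        "finding_type": kind,
        "scanner_reported_severity": item["severityString"],
        "scanner_plugin": item["checkId"],
        "plugin_source_status": item["status"],
        # The " - " separator is an assumption; the page only names the three parts.
        "application_name": " - ".join(
            str(item[k]) for k in ("applicationName", "releaseName", "sdlcStatusType")),
    }

def pull(fetch: Callable[[str], JSON], login_url: str, sdlc_status_id: int) -> List[JSON]:
    # Releases filtered by SDLC status -> vulnerabilities -> all-data -> snippet
    # (SAST only; DAST has no source trace). Token acquisition is assumed done.
    base = f"https://{login_url}/api/v3/releases"
    out = []
    for rel in fetch(f"{base}?filters=sdlcStatusTypeId:{sdlc_status_id}")["items"]:
        vulns = f"{base}/{rel['releaseId']}/vulnerabilities"
        for v in fetch(vulns)["items"]:
            rec = map_finding(v)
            rec["detail"] = fetch(f"{vulns}/{v['vulnId']}/all-data")
            if rec["finding_type"] == "SAST":  # traceIndex/index assumed 0/0 (first trace)
                rec["snippet"] = fetch(f"{vulns}/{v['vulnId']}/traces/0/0/snippet")
            out.append(rec)
    return out

# Constructed offline responses keyed by URL (host name is a placeholder).
_R = "https://fod.example/api/v3/releases"
_APP = {"applicationName": "Shop", "releaseName": "1.2", "sdlcStatusType": "Production"}
SAMPLE: Dict[str, JSON] = {
    f"{_R}?filters=sdlcStatusTypeId:3": {"items": [{"releaseId": 11}]},
    f"{_R}/11/vulnerabilities": {"items": [
        dict(vulnId="a1", scantype="Static", severityString="High", checkId="C100", status="New", **_APP),
        dict(vulnId="b2", scantype="Dynamic", severityString="Medium", checkId="D200", status="Open", **_APP)]},
    f"{_R}/11/vulnerabilities/a1/all-data": {"summary": "sast detail"},
    f"{_R}/11/vulnerabilities/a1/traces/0/0/snippet": {"code": "x = y"},
    f"{_R}/11/vulnerabilities/b2/all-data": {"summary": "dast detail"},
}
```

Running `pull(SAMPLE.__getitem__, "fod.example", 3)` yields one SAST record with a snippet and one DAST record without; a `KeyError` from `fetch` would flag a call the sequence was not expected to make.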
Common Fields in Neurons RBVM/ASPM/VULN KB
The following fields in Neurons RBVM/ASPM/VULN KB are defined for Fortify on Demand, along with their default values.
- The Scanner Name will be FortifyonDemandSAST or FortifyonDemandDAST, based on the type of scan.
- The Finding Type will be DAST or SAST, based on the type of scan.