Fortify
First time using Fortify? Please refer to the following documentation.
Introduction​
This integration enables the automatic import of issues (vulnerabilities) identified by Fortify into the Conviso Platform, allowing the user to leverage all the features of the Conviso Platform in managing these issues.
Requirements​
To integrate Fortify with the Conviso Platform, you will need the following:
-
Administrator-level user registered in Fortify:
- Ensure you have a Fortify account with administrator privileges.
-
API URL: The API URL address obtained from Fortify subscription, e.g.
192.168.1.15/ssc/api/v1.
Conviso Platform Setup​
After logging into the Conviso Platform, follow these steps:
- In the sidebar menu, click Integrations.
- Use the search bar to find Fortify.
- Click the Connect button.
- Enter the administrator credentials in the Username and Password fields.
- Enter the API URL as described above.
- Click Continue.
- Select which vulnerability severities you want to import from Fortify:
- Click Continue.
Once completed, the platforms will be connected and ready to synchronize data. You can now proceed to import your Fortify assets.
Importing Assets​
If everything goes right, you’ll be presented with the following screen. Click the Check connection button to confirm that the integration was performed correctly.
With the integration configured, you can now start importing your projects. To do so, click the Add project button.
Next, select the projects you want to import into the Conviso Platform and click Add.
After this, the import process will be initiated, and depending on the size of the project, this may take a few minutes.
After creating the integration, you can add more assets through the integration configuration page, which can be accessed in two ways:
- Through the Asset Management page as shown in the figure below:
- From the Integration Settings button in the Integrations section:
General Information on Operation​
In this section, we will address crucial information about the integration's operation. This includes details about the synchronization process, as well as the status mapping between the involved platforms.
Status Mapping​
When moving issues from one status to another, the Conviso platform will communicate and mark the issues in Fortify according to the following mapping:
| Conviso Platform | Fortify |
|---|---|
| Created | Not Set/Blank |
| Identified | Exploitable |
| False Positive | Not an Issue |
| Risk Accepted | Suspicious |
| Fixed | Removed |
| Suppressed | Suppressed |
The modifications are bidirectional, meaning that when changes are made in the Conviso Platform, these changes will be replicated to Fortify, and the same applies in reverse.
Note: The only exception to these status changes is for the FIXED status in the Conviso Platform. In the case of FIXED, it is not allowed for a user to move it to FIXED when the issue was opened by a scanner like Fortify. In this scenario, the tool itself should identify the changes and recognize that the issue has been removed. Therefore, in the next synchronization, those issues that are no longer identified by Fortify will be marked as FIXED in the Conviso Platform.
When changing the status in the Conviso Platform, these changes will be replicated immediately to Fortify. However, if a change is first made in Fortify, it will only be replicated to the Conviso Platform after a synchronization between the platforms is performed.
Synchronization​
To monitor or initiate a synchronization, you can follow the steps below:
- Go to the Assets page.
- Click on the name of the asset you want to sync.
- On the asset detail page, click on View All next to Integration, as shown in the image below:
- A new screen will appear with the option to start a sync and view the progress. Any errors encountered during syncing will also be displayed here.
Alternatively, refer to the Azure Pipelines documentation to automatically synchronize your assets.
