Uploading results to Fortify Software Security Center

To submit a scan request and upload the scan results to an application version in Fortify Software Security Center, you must have an authentication token of type ScanCentralCtrlToken. You can create an authentication token with the fortifyclient utility or in Fortify Software Security Center. You can reuse the token for future requests. The fortifyclient utility is provided with Fortify Software Security Center and the OpenText Application Security Tools installation. For more information about creating authentication tokens with the fortifyclient utility or in Fortify Software Security Center, see the OpenText™ Application Security User Guide.

There are two options for providing upload permission, which depend on the permissions you want to give to your Fortify Software Security Center users:

  • The token is generated by a user whose role has the Run ScanCentral SAST scans, View ScanCentral SAST, View application versions, and Upload analysis results permissions.

  • The token is generated by a user whose role has the Run ScanCentral SAST scans and View ScanCentral SAST permissions (but not the Upload analysis results permission), and the Controller is configured with a Fortify ScanCentral SAST Controller service account.

    Use this option to upload the scan results to Fortify Software Security Center using the Controller service account.

    To configure a Fortify ScanCentral SAST Controller service account:

    1. In Fortify Software Security Center, create a Fortify ScanCentral SAST Controller service account that has the ScanCentral SAST Controller role.

      For instructions on how to create Fortify Software Security Center user accounts, see the OpenText™ Application Security User Guide.

    2. Open the <controller_install_dir>/tomcat/webapps/scancentral-ctrl/WEB-INF/classes/config.properties file in a text editor.

    3. Specify the credentials for the Fortify ScanCentral SAST Controller service account in the ssc_ctrl_account_username and ssc_ctrl_account_password properties.

    4. Save and close the config.properties file.

    5. To apply the change, restart the Controller.
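
One way to check the result of steps 3 and 4 before restarting the Controller, as an added example that is not part of the product documentation. The property names come from the procedure above; the function names, the return codes, and the rule that the file must not be accessible to other users are assumptions of this example.

```shell
#!/bin/sh
# Added example: check the Controller service account settings in config.properties.
# Property names are from the procedure; function names, return codes and the
# file-permission rule are assumptions made for this example.

# Print the value of a key from a Java .properties file (last definition wins).
get_prop() {
    tr -d '\r' < "$1" |
        sed -n "s/^[[:space:]]*$2[[:space:]]*[=:][[:space:]]*//p" | tail -n 1
}

# Returns 0 = OK, 1 = file missing, 2 = property missing or empty,
# 3 = file accessible to "other" users.
check_ctrl_account() {
    cfg=$1
    [ -f "$cfg" ] || { echo "not found: $cfg" >&2; return 1; }

    for key in ssc_ctrl_account_username ssc_ctrl_account_password; do
        if [ -z "$(get_prop "$cfg" "$key")" ]; then
            echo "$key is missing or empty" >&2
            return 2
        fi
    done

    # Characters 8-10 of the ls mode string are the rwx bits for "other".
    other=$(ls -ld -- "$cfg" | cut -c8-10)
    if [ "$other" != "---" ]; then
        echo "$cfg is accessible to other users ($other); restrict it" >&2
        return 3
    fi
    return 0
}

# With a path argument, check that file; with none, run on a constructed sample.
if [ "$#" -ge 1 ]; then
    check_ctrl_account "$1"
else
    sample=$(mktemp)    # mktemp creates the file with mode 0600
    printf '%s\n' 'ssc_ctrl_account_username=ctrl_svc' \
                  'ssc_ctrl_account_password=constructed-placeholder' > "$sample"
    check_ctrl_account "$sample" && echo "sample OK"
    rm -f "$sample"
fi
```

Pass the path of the config.properties file from step 2 as the only argument; a nonzero exit status identifies which check failed.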

The Run ScanCentral SAST scans permission and the ScanCentral SAST Controller role are available in Fortify Software Security Center version 24.4.0 and later. To use an earlier version of Fortify Software Security Center, you must do one of the following:

  • Ensure that the account of the user that generates the token has a role that includes the Upload analysis results and View ScanCentral SAST permissions.

  • Configure the Controller (steps 2-5 in the previous procedure) with a Fortify ScanCentral SAST Controller service account created in Fortify Software Security Center that has a role that includes the View ScanCentral SAST, View application versions, and Upload analysis results permissions.

Examples of scan requests that upload scan results

The following example scan requests perform a remote translation and scan and upload the scan results:

scancentral -sscurl <ssc_url> -ssctoken <token> start -upload -versionid <app_version_id>
scancentral -sscurl <ssc_url> -ssctoken <token> start -upload -application <app_name> -version <app_version>

The following example scan request performs a local translation and remote scan and uploads the scan results:

scancentral -sscurl <ssc_url> -ssctoken <token> start -upload -versionid <app_version_id> -b <build_id> -scan

See also

Retrying Failed Uploads to Fortify Software Security Center

Global Options

Start Command Options

Submitting Remote Translation and Scan Requests

Submitting Remote Scan Only Requests