Uploading results to OpenText Application Security
To submit a scan request and upload the scan results to an application version in Application Security, you must have an authentication token of type ScanCentralCtrlToken. You can create an authentication token with the fortifyclient utility or in Application Security. You can reuse the token for future requests. The fortifyclient utility is provided with Application Security and the OpenText Application Security Tools installation. For more information about creating authentication tokens with the fortifyclient utility or in Application Security, see the OpenText™ Application Security User Guide.
There are two options for providing upload permission, which depend on the permissions you want to give to your Application Security users:
The user assigned a role that has Run ScanCentralSAST scans, View ScanCentralSAST, View application versions, and Upload analysis results permissions generates the token.
The user assigned a role that has the Run ScanCentralSAST scans and View ScanCentralSAST permissions (and does not have the Upload analysis results permission) generates the token and the Controller is configured with an OpenText ScanCentral SAST Controller service account.
Use this option to upload the scan results to Application Security using the Controller service account.
To configure an OpenText ScanCentral SAST Controller service account:
a. In Application Security, create an OpenText ScanCentral SAST Controller service account that has the ScanCentralSAST Controller role.
   For instructions on how to create Application Security user accounts, see the OpenText™ Application Security User Guide.
b. Open the <controller_install_dir>/tomcat/webapps/scancentral-ctrl/WEB-INF/classes/config.properties file in a text editor.
c. Specify the credentials for the OpenText ScanCentral SAST Controller service account in the ssc_ctrl_account_username and ssc_ctrl_account_password properties.
d. Save and close the config.properties file.
e. To apply the change, restart the Controller.
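The following check is an added example, not part of the OpenText documentation or tooling. It confirms that both service account properties from the procedure above are set, and it flags a config.properties file that users other than the owner and group can access; that permission check is an assumption of this example, made because the file stores the service account password.

```shell
#!/bin/sh
# Added example (not OpenText tooling): audit config.properties after the
# service account procedure. The "other users" check is an assumption of this
# example, made because the file holds a password.

# Print the value of property $2 in file $1 (last definition wins).
prop_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*[=:][[:space:]]*//p" "$1" |
        tail -n 1 | tr -d '\r'
}

# Return 0 when the file passes every check; print one line per finding.
audit_ctrl_config() {
    file=$1
    rc=0
    if [ ! -r "$file" ]; then
        echo "FAIL: cannot read $file"
        return 2
    fi
    for key in ssc_ctrl_account_username ssc_ctrl_account_password; do
        if [ -z "$(prop_value "$file" "$key")" ]; then
            echo "FAIL: $key is missing or empty"
            rc=1
        fi
    done
    # Characters 8-10 of the ls mode string are the "other" permission bits.
    other=$(ls -ld "$file" | cut -c8-10)
    if [ "$other" != "---" ]; then
        echo "FAIL: $file grants access to other users ($other)"
        rc=1
    fi
    return "$rc"
}

# Constructed sample (placeholder values) so the script runs as-is;
# pass the real config.properties path as $1 to audit it instead.
sample=$(mktemp)
printf '%s\n' 'ssc_ctrl_account_username=svc_scancentral' \
    'ssc_ctrl_account_password=' > "$sample"
chmod 644 "$sample"
audit_ctrl_config "${1:-$sample}" || echo "audit finished with findings"
rm -f "$sample"
```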
The Run ScanCentralSAST scans permission and the ScanCentralSAST Controller role are available in Application Security version 24.4.0 and later. To use an earlier version of Application Security, you must do one of the following:
Ensure that the account of the user that generates the token has a role that includes the Upload analysis results and View ScanCentralSAST permissions.
Configure the Controller (steps b-e in the previous procedure) with an OpenText ScanCentral SAST Controller service account created in Application Security that has a role that includes the View ScanCentralSAST, View application versions, and Upload analysis results permissions.
Examples of scan requests that upload scan results
The following example scan requests perform a remote translation and scan and upload the scan results:
scancentral -sscurl <ssc_url> -ssctoken <token> start -upload -versionid <app_version_id>
scancentral -sscurl <ssc_url> -ssctoken <token> start -upload -application <app_name> -version <app_version>
The following example scan request performs a local translation and remote scan and uploads the scan results:
scancentral -sscurl <ssc_url> -ssctoken <token> start -upload -versionid <app_version_id> -b <build_id> -scan
See also
Retrying Failed Uploads to Application Security