fortify-ssc-parser-owasp-dependency-check's People

Contributors

github-actions[bot], rsenden

fortify-ssc-parser-owasp-dependency-check's Issues

Support for version 6.x.x

Hello,

Is the plugin (v1.4.1) supporting version 6 of the OWASP dep. checker?
We're not sure which engine version is meant?

Upload of DC Results to SSC from Jenkins

Hello,

I am planning to automate the usage of Dependency Check and its results to Fortify SSC portal since it will be one stop for both code analysis and software composition analysis. Currently, I can upload results of DC manually in SSC; however, I would like to know how I can automate it through a plugin from Jenkins. I tried to upload the DC results file through the "Fortify Assessment" step and it didn't work out, as it will explicitly look for FPRs.

Additionally, during manual upload also, we have to enable the "Third Party Results" and how can we automate all these to upload DC result into SSC?

Thanks

Add README.md

Add a README.md file with:

  • A generic description of the purpose of this project
  • Where to download releases and beta versions
  • (How to build from source)?
  • How to install/use (and/or just refer to SSC documentation)

Gradle deprecation warning

The following warning is shown when running ./gradlew distThirdParty --warning-mode=all:

> Task :generateLicenseReport
The runtime configuration has been deprecated for resolution. This will fail with an error in Gradle 7.0. Please resolve the runtimeClasspath configuration instead. Consult the upgrading guide for further information: https://docs.gradle.org/6.8.3/userguide/upgrading_version_5.html#dependencies_should_no_longer_be_declared_using_the_compile_and_runtime_configurations

This is caused by this issue: jk1/Gradle-License-Report#161 (comment)

Once this has been fixed in the plugin, the plugin version should be updated in our build.gradle.

Note that this applies to all parser plugins in the fortify-ps organization: https://github.com/fortify-ps?q=fortify-ssc-parser

Unable to upload OWASP DC Results

Hi,

Shown with an error "Exception: An unexpected error occurred during scan processing: com.fortify.manager.exception.FMDALException: Unable to execute batch." while uploading JSON file regenerated by OWASP DC latest version, i.e. 6.0.1.

Thanks,
Mani

Reparsing

Hello @rsenden,

We have a question about the parser and upload mechanism.
If an application uses a vul. jar file and this information is found by OWASP scanner & uploaded to an SSC AppVersion.

What will happen if the jar is replaced by a newer version without a finding? So we're uploading an empty OWASP report to SSC AppVersion.

Our assumption would be that the finding is marked as removed (or physically deleted) in SSC. Is this right?
