How to export vulnerabilities to GitHub Security from a local file system (i.e. not using SSC) about fortifyvulnerabilityexporter HOT 2 OPEN

We currently don't have an out-of-the-box solution for exporting vulnerability data from FPR files. Possibly we could add support for reading FPR files in FortifyVulnerabilityExporter, but given little demand for such a feature, best chance to get this implemented is by engaging Fortify Professional Services to implement this for you. Note that the FPR file format is not documented, so potentially such an integration could break if the FPR file format is changed in a future Fortify version.

Alternatively, you or Fortify Professional Services can build a custom script/utility to extract vulnerability data from the FPR file (either directly, or from an XML report generated by the Fortify ReportGenerator utility) and convert this data to the JSON format expected by GitHub.

from fortifyvulnerabilityexporter.

Thank you for your response. I have gone down the path of translating and creating a SARIF file which, I understand, is the format GitHub Security prefers. However, there appears to be some GitHub custom fields that are not getting mapped to the resulting SARIF file. With a couple of Fortify Actions available on GitHub, I had hoped that the custom mapping was done in the FortifyVulnerabilityExporter. It sounds like the tool I'm using (MS sarif-sdk multi-tool converter) may not be updated with the required GitHub fields. I'll look into using the XML report. Thanks again.

from fortifyvulnerabilityexporter.