For general information & instructions on the use of Remote Providers within ThreadFix, please refer to the Remote Providers parent page. For information on REST API functionality for Remote Providers, please refer to the following: Remote Providers API

Finding Status Processing

The following list indicates how finding statuses from Fortify are marked within ThreadFix when ingesting a scan:

  • Not an issue or Suppressed - False Positive

  • Exploitable or Need more information - Open

  • Hidden - not ingested into ThreadFix

When there is no scan data to import, a “No scans were found” message will display as the Last Import Attempt Status.

API Usage

Get Artifacts for Project

/projectVersion/{{projectId}}/artifacts?fields=lastScanDate,status&start=0&limit=0&q=status:"PROCESS_COMPLETE"

ThreadFix takes the lastScanDate of the completed artifacts and compares it to the current Fortify SSC scan date imported into ThreadFix. This date also becomes the Scan Date of the ThreadFix scan.

Get Project Version

/projectVersion/{{projectId}}

ThreadFix uses the currentState.metricEvaluationDate to check whether the current state of the project has been updated even though a new artifact has not been loaded. This becomes the Updated Date of the ThreadFix scan.

FPR Download

If we determine, based on the calls above, that a new artifact was run or that there are new updates to import, we make the following call:

/download/currentStateFPRDownload.html
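The import decision described by the three calls above, sketched as an added example (not ThreadFix code). It assumes the SSC responses wrap their payload in a "data" key, that timestamps look like 2024-03-05T08:00:00.000+0000, and that "new" means strictly later than the date already imported; the function names and sample responses are constructed for illustration.

```python
from datetime import datetime

TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"  # assumed timestamp layout

def parse_ts(value):
    # Missing or empty dates are treated as "unknown" rather than raising.
    return datetime.strptime(value, TS_FORMAT) if value else None

def latest_scan_date(artifacts):
    """Newest lastScanDate among PROCESS_COMPLETE artifacts, or None."""
    dates = [parse_ts(a.get("lastScanDate"))
             for a in artifacts.get("data", [])
             if a.get("status") == "PROCESS_COMPLETE"]
    dates = [d for d in dates if d is not None]
    return max(dates) if dates else None

def import_decision(artifacts, project_version, imported_scan, imported_updated):
    """Decide whether the FPR download call is needed, and why."""
    scan_date = latest_scan_date(artifacts)
    state = project_version.get("data", {}).get("currentState") or {}
    updated = parse_ts(state.get("metricEvaluationDate"))
    if scan_date is None:
        reason = "no_completed_artifact"
    elif imported_scan is None or scan_date > imported_scan:
        reason = "new_artifact"        # becomes the Scan Date
    elif updated and (imported_updated is None or updated > imported_updated):
        reason = "state_updated"       # becomes the Updated Date
    else:
        reason = "up_to_date"
    return {"download_fpr": reason in ("new_artifact", "state_updated"),
            "reason": reason, "scan_date": scan_date, "updated_date": updated}

# Constructed sample responses (ids, dates and the PROCESSING entry are made up).
ARTIFACTS = {"data": [
    {"id": 1, "status": "PROCESS_COMPLETE", "lastScanDate": "2024-03-01T10:15:00.000+0000"},
    {"id": 2, "status": "PROCESS_COMPLETE", "lastScanDate": "2024-03-05T08:00:00.000+0000"},
    {"id": 3, "status": "PROCESSING", "lastScanDate": "2024-03-09T08:00:00.000+0000"},
]}
PROJECT_VERSION = {"data": {"currentState": {
    "metricEvaluationDate": "2024-03-07T12:00:00.000+0000"}}}

if __name__ == "__main__":
    last_scan = parse_ts("2024-03-05T08:00:00.000+0000")
    last_update = parse_ts("2024-03-06T00:00:00.000+0000")
    print(import_decision(ARTIFACTS, PROJECT_VERSION, last_scan, last_update))
```

The unfinished artifact is ignored even though it is the newest, so the sample run reports a state update rather than a new artifact.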

This page will be updated at a future time with more details on the Remote Provider integration with this specific scanning tool.
